Presentation is loading. Please wait.

Presentation is loading. Please wait.

Security Chapter 9 Revised January 2007

Similar presentations


Presentation on theme: "Security Chapter 9 Revised January 2007"— Presentation transcript:

1 Security Chapter 9 Revised January 2007
Panko’s Business Data Networks and Telecommunications, 6th edition Copyright 2007 Prentice-Hall

2 The Threat Environment

3 Figure 9-1: CSI/FBI Survey
There are many types of attacks Companies Face Many Attacks Viruses (and other malware) Insider abuse of net access Laptop theft Unauthorized access by insiders Denial-of-service attacks System penetration Sabotage Theft of proprietary information Fraud Telecoms eavesdropping and active wiretaps In Order of Decreasing Frequency

4 Figure 9-1: CSI/FBI Survey
Very Common Successful Incidents Viruses and other malware Insider abuse of net access Laptop theft Low-Frequency / High-Damage Attacks Theft of proprietary information ($2.7 M per incident) Denial-of-service attacks ($1.4 M per incident)

5 Figure 9-2: Malware Malware Viruses A general name for evil software
Pieces of code that attach to other programs When infected programs execute, the virus executes Infect other programs on the computer Spread to other computers by attachments, IM, peer-to-peer file transfers, etc. Antivirus programs are needed to scan arriving files Also scans for other malware

6 Figure 9-2: Malware Worms
Stand-alone programs that do not need to attach to other programs Can propagate like viruses through , etc. But this require human gullibility, which is slow In addition, vulnerability-enabled worms jump to victim hosts directly Can do this because hosts have vulnerabilities Vulnerability-enabled worms can spread with amazing speed Vendors develop patches for vulnerabilities but companies often fail or are slow to apply them

7 Figure 9-2: Malware Payloads
After propagation, viruses and worms execute their payloads (damage code) Payloads erase hard disks, send users to pornography sites if they mistype URLs Trojan horses are exploitation programs that disguise themselves as system files

8 Figure 9-2: Malware Attacks on Individuals
Social engineering is tricking the victim into doing something against his or her interests Spam is unsolicited commercial Credit card number theft is performed by carders Identity theft is collecting enough data to impersonate the victim in large financial transactions Fraud involves get-rich-quick schemes, medical scams

9 Figure 9-2: Malware Attacks on Individuals
Adware pops up advertisements Spyware collects sensitive data and sends it to an attacker Phishing: sophisticated social engineering attack in which an authentic-looking or website entices the user to enter his or her username, password, or other sensitive information

10 Figure 9-3: Human Break-Ins (Hacking)
Viruses and worms rely on one main attack method Humans can keep trying different approaches until they succeed Hacking Hacking is breaking into a computer Hacking is intentionally using a computer resource without authorization or in excess of authorization

11 Figure 9-3: Human Break-Ins (Hacking)
Scanning Phase Send attack probes to map the network and identify possible victim hosts Nmap programming is a popular program for scanning attacks (Figure 9-4)

12 Identified Host and Open Ports
Figure 9-4: Nmap IP Range to Scan Type of Scan Identified Host and Open Ports

13 Figure 9-3: Human Break-Ins (Hacking)
The Term “Exploit” is Used in Different Ways Noun: The actual break-in Noun: Exploit is the program used to make the break-in Verb: Attackers exploit the computer

14 Figure 9-3: Human Break-Ins (Hacking)
After the Break-In, the Hacker Becomes invisible by deleting log files Creates a backdoor (way to get back into the computer) Backdoor account—account with a known password and super user privileges Backdoor program—program to allow reentry; usually Trojanized Rootkit—stealthy backdoor that cannot be detected by the operating system Does damage at leisure New

15 Figure 9-5: Distributed Flooding Denial-of-Service Attack
The attacker installs handler and zombie programs on victims The attacker sends an attack command to handlers. Handlers send attack commands to zombies. The zombies overwhelm the victim with attack packets.

16 to give new functionality.
Figure 9-6: Bots Bots are like zombies, but they can be updated by the human master to give new functionality.

17 Figure 9-7: Types of Attackers
Traditional Attackers: Traditional Hackers Hackers break into computers Driven by curiosity, a feeling of power, and peer reputation Virus writers Vandals Amoral

18 Figure 9-7: Types of Attackers
Traditional Attackers: Script kiddies use scripts written by experienced hackers and virus writers Have limited knowledge and abilities But the large numbers of script kiddies makes them very dangerous collectively

19 Figure 9-7: Types of Attackers
Traditional Attackers: Disgruntled employees and ex-employees Dangerous because they have knowledge of and access to systems Too often ignored, they can do extensive damage The most dangerous employee attackers are IT and security staff members

20 Figure 9-7: Types of Attackers
Criminal Attackers Most attacks are now made by criminals rather than amateurs Crime generates funds that criminal attackers need to increase attack sophistication

21 Figure 9-7: Types of Attackers
On the Horizon Cyberterror: Attacks by terrorists Cyberwar: Attacks by nations Potential for massive attacks

22 Figure 9-8: Planning Principles
Security Is a Management Issue, Not a Technical Issue Without good management, technology cannot be effective Comprehensive Security An attacker only has to find one weakness A firm needs comprehensive security to close all avenues of attack This requires centralized security planning and management

23 Figure 9-8: Planning Principles
Defense in Depth Every protection breaks down sometimes Attacker should have to break through several lines of defense to succeed Providing this protection is called defense in depth Countermeasure 1 (fails) Countermeasure 2 Stops the Attack

24 Figure 9-9: Access Control
Enumerating and Prioritizing Assets Firms must enumerate and prioritize the assets they have to protect Otherwise, security planning is impossible Risk Analysis Must balance threat risks against the cost of protection Don’t overpay for security Don’t fail to protect sensitive assets

25 Figure 9-9: Access Control
Companies Must Then Develop an Access Control Plan for Each Asset The plan includes the AAA protections Authentication is proving the identity of the person wishing access Authorization is determining what the person may do if they are authenticated Auditing is logging data on user actions for later appraisal. May send an alarm if certain conditions are found.

26 Figure 9-10: Authentication
The applicant is the person who wishes to prove his or her identity. The verifier is the person who wants to authenticate the applicant. The applicant sends credentials (passwords, etc.). Usually a central authentication server judges the credentials. This provides consistency in authentication.

27 Figure 9-11: Password Authentication
Passwords Strings of characters Typed to authenticate someone wanting to use a username (account) on a computer Benefits Ease of use for users (familiar) Inexpensive because built in to operating systems

28 Figure 9-11: Password Authentication
Problems Passwords that are common words or names are widespread Can be cracked quickly with dictionary attack Variations of common words (capitalizing the first character, adding a digit at the end, etc.), can be broken almost as quickly by hybrid dictionary attack that looks for these tricks

29 Figure 9-11: Password Authentication
Passwords should be complex Mix case (A and a), digits (6), and other keyboard characters ($, #, etc.) Can only be cracked with brute force attacks (trying all possibilities) Passwords should be long Eight characters minimum Each added character increases the brute force search time by a factor of about 70

30 Figure 9-11: Password Authentication
Other Concerns If people are forced to use long and complex passwords, they tend to write them down People should use different passwords for different sites Otherwise, compromising a password will give access to multiple sites. But many people use the same password at multiple sites

31 Figure 9-11: Password Authentication
Critique each of the following passwords, tell what attack can break it, and tell how difficult it will be for the attack to guess the password. swordfish Processing1 SeAtTLe R7%t& 4h*6tU9$^l

32 Figure 9-12: Digital Certificate Authentication
Public and Private Keys Each party will have both a public key and a private key Each party makes its public key available to everybody Each party keeps its private key secret Digital Certificate Tamper-proof file that gives a named party’s public key

33 Figure 9-12: Digital Certificate Authentication
Calculation Digital Certificate Applicant does a calculation with his or her Private key Public key of the person the applicant claims to be Authentication Verifier tests the calculation with the public key of the claimed party. If the test succeeds, the applicant must know the secret private key of the claimed party, which only the claimed party should know.

34 Figure 9-12: Digital Certificate Authentication
Appraisal Digital signature authentication gives extremely strong authentication Very expensive: must set up infrastructure for distributing public-private key pairs The firm must do the labor of creating, distributing, and installing private keys.

35 Figure 9-13: Biometric Authentication
Authentication based on bodily measurements Promises to eliminate passwords Fingerprint Scanning Dominates biometrics use today Simple and inexpensive Substantial error rate (misidentification) Often can be fooled fairly easily by determined impostors Not a problem for low-risk situations like home computers

36 Figure 9-13: Biometric Authentication
Iris Scanners Scan the iris (colored part of the eye) with a camera (not a laser beam) Irises are complex, so very strong authentication Expensive Face Recognition Camera allows analysis of facial structure Can be done surreptitiously—without the knowledge or consent of person being scanned Very high error rate and easy to deceive

37 Figure 9-13: Biometric Authentication
Error Rates and Deception Error rates (the frequency of identification errors when there is no deception) typically are higher than vendors claim Vendors test under idealized conditions Deception (deliberately trying to fool the system) is easier than vendors claim Especially for fingerprint recognition The in-the-field accuracy of biometrics is uncertain

38 Figure 9-14: Firewall Operation
Firewalls inspect each packet. Legitimate packets are allowed through. Provable attack packets are dropped and logged.

39 Figure 9-15: Stateful Firewall Filtering
There are several types of firewall filtering Stateful inspection is the dominant methodology today Stateful firewalls often use other filtering mechanisms as secondary mechanisms

40 Figure 9-15: Stateful Firewall Filtering
Connection Initiation Attempts Some Packets Attempt to Open a Connection Example: packets with TCP segments whose SYN bits are set Stateful firewalls have default rules for connection-opening attempts Internally Initiated Connections Are Allowed by default Externally Initiated Connections are Rejected By Default Stateful Border Firewall Site

41 Figure 9-15: Stateful Firewall Filtering
Stateful Inspection Access Control Lists (ACLs) ACLs modify the default behavior for ingress or egress Ingress ACL rules: allow access to selected internal servers Egress ACL rules: prevent access to certain external servers

42 Figure 9-15: Stateful Firewall Filtering
Packets that Do Not Attempt to Open a Connection Most packets do not attempt to open a connection Very simple behavior If the packet is part of an established connection, it is passed without further inspection. (However, these packets can be filtered if desired) If the packet is not part of an established connection, it is dropped and logged This simplicity makes the cost of processing most packets minimal

43 Stateful Firewalls: Recap
All Packets Connection-Opening Attempts Other Packets Not Part of Previously Permitted Connection Part of Previously Permitted Connection Default Behavior ACL Exceptions Accept Packet Drop Packet

44 Figure 9-15: Stateful Firewall Filtering
Perspective Stateful firewalls’ simple operation leads to inexpensive stateful firewall operation However, stateful inspection firewall operation is highly secure

45 Figure 9-17: Ingress Access Control List (ACL) for a Stateful Inspection Firewall
1. If packet’s source and destination sockets are in the connection table, PASS. If the packet is part of an previously established connection, pass it without further filtering. 2. If the packet’s source and destination sockets are not in the connection table and the packet is not a connection-opening attempt, DROP and LOG. Drop any packet that is not a connection-opening attempt and that is not part of an established connection.

46 Figure 9-17: Ingress Access Control List (ACL) for a Stateful Inspection Firewall
3. If protocol = TCP AND destination port number = 25, PASS and add connection to connection table. This rule permits external access to all internal mail servers. 4. If IP address = AND protocol = TCP AND destination port number = 80, PASS and add connection to connection table. This rule permits access to a particular webserver ( )

47 Figure 9-17: Ingress Access Control List (ACL) for a Stateful Inspection Firewall
5. Deny All AND LOG If earlier rules do not result in a pass or deny decision, this last rule enforces the default rule of banning all externally initiated connection-opening attempts.

48 Intrusion Detection Systems (IDSs)
Figure 9-18: Firewalls, Intrusion Detection Systems (IDSs), and Intrusion Prevention Systems (IPSs) Firewalls Drop provable attack packets Intrusion Detection Systems (IDSs) Very sophisticated filtering—better than firewalls Identify suspicious packets Do not drop--suspicious packets may be legitimate Intrusion Prevention Systems (IPSs) Use IDS filtering mechanisms Drop suspicious packets highly likely to be attacks Ignore other suspicious packets

49 Figure 9-18: Firewalls, Intrusion Detection Systems, and Intrusion Prevention Systems
IDS and IPS filtering Stream Analysis Analyze streams of packets to identify suspicious patterns Deep packet inspection Inspect headers and messages at the internet, transport, and application layers

50 Figure 9-18: Firewalls, Intrusion Detection Systems, and Intrusion Prevention Systems
IDSs IPSs Processing Power Required Modest Heavy Maturity Fairly Mature Still immature. Too many false positives Tuning reduces false positives but is labor- intensive New. Only used to stop attacks that can be identified fairly accurately.

51 Figure 9-19: Cryptographic Systems
Provide security to multi-message dialogues At the Beginning of Each Communication Session The two parties usually mutually authenticate each other A’s Credentials To B B’s Credentials To A Party B Party A Initial Authentication

52 Figure 9-19: Cryptographic Systems
Message-by-Message Protection After this initial authentication, cryptographic systems provide protection to every message Encrypt each message for confidentiality so that eavesdroppers cannot read it Messages Encrypted for Confidentiality Party B Party A Eavesdropper Cannot Read Messages

53 Figure 9-19: Cryptographic Systems
Message-by-Message Protection Adds an electronic signature to each message The electronic signature authenticates the sender It also provides message integrity: receiver can tell if a message has been changed in transit Electronic Signature Party B Party A

54 Figure 9-20: Symmetric and Public Key Encryption
Symmetric Key Encryption for Confidentiality Symmetric Key Message “Hello” Cipher & Key Encrypted Message Network Party A Party B Encryption uses a non-secret cipher (encryption method ) and a secret key

55 Figure 9-20: Symmetric and Public Key Encryption
Symmetric Key Encryption for Confidentiality Symmetric Key Encrypted Message Interceptor Network Party A Encrypted Message Interceptor cannot read encrypted messages en route Party B

56 Figure 9-20: Symmetric and Public Key Encryption
Symmetric Key Encryption for Confidentiality Symmetric Key Interceptor Same Symmetric Key Network Party A Encrypted Message Cipher & Key Message “Hello” Receiver decrypts the message using the same cipher and the same symmetric key Party B

57 Figure 9-20: Symmetric and Public Key Encryption
Public Key Encryption for Confidentiality Encrypt with Party B’s Public Key Decrypt with Party B’s Private Key Encrypted Message Note: Four keys are used to encrypt and decrypt in both directions Party A Party B Decrypt with Party A’s Private Key Encrypted Message Encrypt with Party A’s Public Key

58 Figure 9-21: Other Aspects of Protection
Symmetric Key Dominates Encryption for Confidentiality Accounts for 99% of all encryption for confidentiality Dominates because it is computationally simple and therefore inexpensive Public Key Encryption for Confidentiality is Only Used Rarely and for Very Short Messages Computationally, 100 to 1,000 times slower than symmetric key encryption However, public key encryption for authentication is more common

59 Figure 9-21: Other Aspects of Protection
Attacks Hardening Servers and Client PCs Some attack packets inevitably reach hosts Hardening is setting up computers to protect themselves Server Hardening Back up so that restoration is possible Patch security vulnerabilities Use host firewalls Host

60 Figure 9-21: Other Aspects of Protection
Hardening Servers and Client PCs Client PC Hardening As with servers, patching vulnerabilities, having a firewall, and implementing backup Also, a good antivirus program that is updated regularly Client PC users often make errors or sabotage hardening techniques In corporations, group policy objects (GPOs) can be used to centrally manage security on Windows clients

61 Figure 9-21: Other Aspects of Protection
Vulnerability Testing Protections are difficult to set up correctly Vulnerability testing is attacking your system yourself or through a consultant There must be follow-up to fix vulnerabilities that are discovered

62 Figure 9-22: Incident Response
Even with the best security, successful attacks sometimes happen 2. Stop the Attack 1. Detect the Attack 3. Repair the Damage 4. Punish the Attacker

63 Figure 9-22: Incident Response
Major Attacks and CSIRTs Major Incidents Must be handled by the computer security incident response team (CSIRT) Must include members of senior management, the firm’s security staff, members of the IT staff, members of functional departments, and the firm’s public relations and legal departments

64 Figure 9-22: Incident Response
Disasters and Disaster Recovery Natural and humanly made disasters Need a disaster recovery plan ahead of time Need a backup site and procedures to shift work there Need rehearsals to iron out difficulties and develop speed

65 Topics Covered

66 Topics Covered The Threat Environment Many threats
Malware: viruses versus worms, payloads, etc. Social engineering Spam, credit card theft, identity theft, adware, spyware Human Break-Ins Definition of hacking—authorization Scanning phase; the exploit After the Break-in: deleting log files, backdoors, damage at leisure

67 Topics Covered The Threat Environment Human attacks
Denial-of-Service (DoS) Attack with zombies Bots Traditional attackers Hackers, virus writers, script kiddies Disgruntled employees and ex-employees Criminal attackers now dominate on the Internet Cybercrime and cyberwar

68 Topics Covered Security Management
Security is a management issue, not a technical issue Comprehensive security and centralized management Defense in depth Enumerating and prioritizing assets Asset control plans: authentication, authorization, and auditing

69 Topics Covered Security Management Authentication
Applicant and verifier Central authentication server for consistency Password authentication Poor password discipline is common Passwords need to be long and complex Biometrics Fingerprint, iris, face, etc. Error rates and deception

70 Topics Covered Security Management Authentication
Digital certificate authentication Public key / private key pairs, digital certificates The strongest form of authentication Need both an applicant calculation and a digital certificate for authorization

71 Topics Covered Firewalls
Filter, drop, or pass incoming and outgoing packets Stateful inspection firewalls Default rules for connection-opening attempts ACLs to modify the default rules Other packets—accept if part of connection Firewalls, IDSs and IPSs IPSs have the strongest filtering ability

72 Topics Covered Cryptographic Systems To protect streams of messages
Initial authentication Message-by-message protections: encryption for confidentiality, digital signature for authentication and message integrity Symmetric key encryption Public key encryption

73 Topics Covered Hardening Clients and Servers Vulnerability Testing
Incident Response Detecting the attack, stopping the attack, repairing the damage, punishing the attacker Major attacks and CSIRTs Disasters and disaster recovery


Download ppt "Security Chapter 9 Revised January 2007"

Similar presentations


Ads by Google