1. CSCE 727 Cyber Attacks and Risk Management

2. CSCE 727 - Farkas2 Attack Sophistication vs. Intruder’s Technical Knowledge High Low 1980198519901995 2000 password guessing self-replicating code password cracking exploiting known vulnerabilities disabling audits back doors hijacking sessions sweepers sniffers packet spoofing GUI automated probes/scans denial of service www attacks Tools Attackers Intruder Knowledge Attack Sophistication “stealth” / advanced scanning techniques burglaries network mgmt. diagnostics distributed attack tools Cross site scripting Staged attack Copyright: CERT, 2000

3. CSCE 727 - Farkas3 Attack Sophistication vs. Intruder’s Technical Knowledge From: http://people.ubuntu.com/~duanedesign/SurvivabilityandInformationAssuranceCurriculum/01survive/01survive.htmlhttp://people.ubuntu.com/~duanedesign/SurvivabilityandInformationAssuranceCurriculum/01survive/01survive.html

4. Attack Trend CSCE 727 - Farkas4

5. 5 Reading Required: Denning Chapter 8, 9, 14 Hutchins et al, Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains, White paper,http://www.lockheedmartin.com/content/dam/lockheed/data/corporate/d ocuments/LM-White-Paper-Intel-Driven-Defense.pdfhttp://www.lockheedmartin.com/content/dam/lockheed/data/corporate/d ocuments/LM-White-Paper-Intel-Driven-Defense.pdf Interesting Reading: DHS repairing internal security operations, Homeland Security News Wire, April 9, 2014, http://www.homelandsecuritynewswire.com/seworld20140409- dhs-repairing-internal-security-operationshttp://www.homelandsecuritynewswire.com/seworld20140409- dhs-repairing-internal-security-operations Student develops new way to detect hackers, Homeland Security News Wire, April 9, 2014, http://www.homelandsecuritynewswire.com/dr20140409- student-develops-new-way-to-detect-hackershttp://www.homelandsecuritynewswire.com/dr20140409- student-develops-new-way-to-detect-hackers Measuring smartphone malware infection rates, Homeland Security News Wire, April 9, 2014, http://www.homelandsecuritynewswire.com/dr20140409- measuring-smartphone-malware-infection-rateshttp://www.homelandsecuritynewswire.com/dr20140409- measuring-smartphone-malware-infection-rates

6. CSCE 727 - Farkas6 Attack Internet Engineering Task Force: RFC 2828: “ An assault on system security that derives from an intelligent threat, i.e., an intelligent act that is a deliberate attempt (especially in the sense of a method or technique) to evade security services and violate the security policy of the system.”

7. CSCE 727 - Farkas7 Normal Flow Information source Information destination

8. CSCE 727 - Farkas8 Interruption Information source Information destination Asset is destroyed of becomes unavailable - Availability Example: destruction of hardware, cutting communication line, disabling file management system, etc.

9. CSCE 727 - Farkas9 Interception Information source Information destination Unauthorized party gains access to the asset – Confidentiality Example: wiretapping, unauthorized copying of files

10. CSCE 727 - Farkas10 Modification Information source Information destination Unauthorized party tampers with the asset – Integrity Example: changing values of data, altering programs, modify content of a message, etc.

11. CSCE 727 - Farkas11 Fabrication Information source Information destination Unauthorized party insets counterfeit object into the system – Authenticity Example: insertion of offending messages, addition of records to a file, etc.

12. CSCE 727 - Farkas12 Phases of Attack Improve detection by examining which “phase” an intruder’s behavior is identified Attack phases: – Intelligence gathering: attacker observes the system to determine vulnerabilities – Planning: attacker decide what resource to attack (usually least defended component) – Attack: attacker carries out the plan – Inside the system: Hiding: attacker covers tracks of attack Future attacks: attacker installs backdoors for future entry points

13. CSCE 727 - Farkas13 Passive Attack “Attempts to learn or make use of information from the system but does not affect system resources” (RFC 2828) Sniffer

14. CSCE 727 - Farkas14 Sniffers All machines on a network can “hear” ongoing traffic A machine will respond only to data addressed specifically to it Network interface: “promiscuous mode” – able to capture all frames transmitted on the local area network segment

15. CSCE 727 - Farkas15 Risks of Sniffers Serious security threat Capture confidential information – Authentication information – Private data Capture network traffic information

16. CSCE 727 - Farkas16 Passive attacks Interception (confidentiality) Disclosure of message contentsTraffic analysis

17. CSCE 727 - Farkas17 Disclosure of message content Intruder is able to interpret and extract information being transmitted Highest risk:authentication information – Can be used to compromise additional system resources

18. CSCE 727 - Farkas18 Traffic Analysis Intruder is not able to interpret and extract the transmitted information Intruder is able to derive (infer) information from the traffic characteristics

19. CSCE 727 - Farkas19 Protection Against Passive Attacks Shield confidential data from sniffers: cryptography Disturb traffic pattern: – Traffic padding – Onion routing Detect and eliminate sniffers

20. CSCE 727 - Farkas20 Detection of Sniffer Tools Difficult to detect: passive programs Tools: – Promisc – Linux – cmp – SunOS 4.x: detects promiscuous mode – AntiSniff (L0pht Heavy Industries, Inc. ): remotely detects computers that are packet sniffing, regardless of the OS Interesting read: S. Truth, How to Test for Sniffing Vulnerabilities, http://web.securityinnovation.com/appsec- weekly/blog/bid/63274/How-to-Test-for-Sniffing- Vulnerabilitieshttp://web.securityinnovation.com/appsec- weekly/blog/bid/63274/How-to-Test-for-Sniffing- Vulnerabilities

21. CSCE 727 - Farkas21 Active attacks “Attempts to alter system resources of affect their operation” (Internet Enginering Task Force, RFC 2828)

22. CSCE 727 - Farkas22 Active attacks InterruptionModificationFabrication DOS, DDOS(integrity) (integrity) (availability) ReplayMasquarade(Authentication)

23. CSCE 727 - Farkas23 Protection against DoS, DDoS Hard to provide full protection Some of the attacks can be prevented – Filter out incoming traffic with local IP address as source – Avoid established state until confirmation of client’s identity Internet trace back: determine the source of an attack

24. CSCE 727 - Farkas24 Degradation of Service Do not completely block service just reduce the quality of service

25. CSCE 727 - Farkas25 Intrusion Control It is better to prevent something than to plan for loss. Problem: Misuse happens!

26. CSCE 727 - Farkas26 Need: Intrusion Prevention: protect system resources Intrusion Detection: (second line of defense) identify misuse Intrusion Recovery: cost effective recovery models

27. CSCE 727 - Farkas27 Intrusion Prevention First line of defense Techniques: cryptography, identification, authentication, authorization, access control, security filters, etc. Not good enough (prevention, reconstructions)

28. CSCE 727 - Farkas28 Intrusion Detection System (IDS) Looks for specific patterns (attack signatures or abnormal usage) that indicate malicious or suspicious intent Second line of defense against both internal and external threats See recommended reading!

29. CSCE 727 - Farkas29 Intrusion Detection Systems Deter intruders Catch intruders Prevent threats to fully occur (real-time IDS) Improve prevention techniques IDS deployment, customisation and management is generally not trivial See required reading!

30. CSCE 727 - Farkas30 Audit-Based Intrusion Detection Intrusion Detection System Audit Data Profiles, Rules, etc. Decision Need: Audit data Ability to characterize behavior

31. CSCE 727 - Farkas31 Audit Data Format, granularity and completeness depend on the collecting tool Examples – System tools collect data (login, mail) – Additional collection of low system level – “Sniffers” as network probes – Application auditing Honey Net Needed for – Establishing guilt of attackers – Detecting suspicious user activities

32. CSCE 727 - Farkas32 Audit Data Accuracy Collection method – System architecture and collection point – Software and hardware used for collection Storage method – Protection of audit data Sharing – Transmission protection and correctness – Availability

33. CSCE 727 - Farkas33 IDS Categories 1.Time of data analysis Real-time v.s. off-the-line IDS 2.Location where audit data was gathered Host-based v.s. network-based v.s. hybrid 3.Technique used for analysis Rule-based v.s. statistic-based 4.Location of analysis Centralized, distributed, network-based 5.Pattern IDS looking for Misuse v.s. anomaly-based v.s. hybrid

34. CSCE 727 - Farkas34 Intrusion Recovery Actions to avoid further loss from intrusion Terminate intrusion and protect against reoccurrence Law enforcement Enhance defensive security Reconstructive methods based on: – Time period of intrusion – Changes made by legitimate users during the effected period – Regular backups, audit trail based detection of effected components, semantic based recovery, minimal roll- back for recovery.

35. CSCE 727 - Farkas35 What is “Survivability”? To decide whether a computer system is “survivable”, you must first decide what “survivable” means.

36. 36 Risk Assessment RISK Threats VulnerabilitiesConsequences

37. 37 Real Cost of Cyber Attack Damage of the target may not reflect the real amount of damage Services may rely on the attacked service, causing a cascading and escalating damage Need: support for decision makers to – Evaluate risk and consequences of cyber attacks – Support methods to prevent, deter, and mitigate consequences of attacks

38. 38 Risk Management Framework (Business Context) Understand Business Context Identify Business and Technical Risks Synthesize and Rank Risks Define Risk Mitigation Strategy Carry Out Fixes and Validate Measurement and Reporting

39. 39 Understand the Business Context “Who cares?” Identify business goals, priorities and circumstances, e.g., – Increasing revenue – Meeting service-level agreements – Reducing development cost – Generating high return investment Identify software risk to consider

40. 40 Identify Business and Technical Risks “Why should business care?” Business risk – Direct threat – Indirect threat Consequences – Financial loss – Loss of reputation – Violation of customer or regulatory constraints – Liability Tying technical risks to the business context in a meaningful way

41. 41 Synthesize and Rank the Risks “What should be done first?” Prioritization of identified risks based on business goals Allocating resources Risk metrics: – Risk likelihood – Risk impact – Risk severity – Number of emerging risks

42. 42 Define the Risk Mitigation Strategy “How to mitigate risks?” Available technology and resources Constrained by the business context: what can the organization afford, integrate, and understand Need validation techniques

43. 43 Carry Out Fixes and Validate Perform actions defined in the previous stage Measure “completeness” against the risk mitigation strategy – Progress against risk – Remaining risks – Assurance of mechanisms Testing

44. 44 Measuring and Reporting Continuous and consistent identification and storage of risk information over time Maintain risk information at all stages of risk management Establish measurements, e.g., – Number of risks, severity of risks, cost of mitigation, etc.

45. 45 Assets-Threat Model (1) Threats compromise assets Threats have a probability of occurrence and severity of effect Assets have values Assets are vulnerable to threats ThreatsAssets

46. 46 Assets-Threat Model (2) Risk: expected loss from the threat against an asset R=V*P*S R risk V value of asset P probability of occurrence of threat V vulnerability of the asset to the threat

47. 47 Risk Acceptance Certification How well the system meet the security requirements (technical) Accreditation Management’s approval of automated system (administrative)

48. Readings for the Student Presentations 04/14/2014 Yinyan He – Zahid H. Qureshi. 2007. A review of accident modelling approaches for complex socio- technical systems. In Proceedings of the twelfth Australian workshop on Safety critical systems and software and safety-related programmable systems - Volume 86 (SCS '07), Tony Cant (Ed.), Vol. 86. Australian Computer Society, Inc., Darlinghurst, Australia, Australia, 47-59. http://dl.acm.org/citation.cfm?id=1387046http://dl.acm.org/citation.cfm?id=1387046 Frank Peloquin Robert D. Larkin, Juan Lopez, Jr., Jonathan W. Butts, and Michael R. Grimaila. 2014. Evaluation of security solutions in the SCADA environment. SIGMIS Database 45, 1 (March 2014), 38-53., http://dl.acm.org/citation.cfm?id=2591060http://dl.acm.org/citation.cfm?id=2591060 David Rodriquez – Yakkala V. Naga Manikanta and Anjali Sardana. 2012. Protecting web applications from SQL injection attacks by using framework and database firewall. In Proceedings of the International Conference on Advances in Computing, Communications and Informatics (ICACCI '12). ACM, New York, NY, USA, 609-613., http://dl.acm.org/citation.cfm?id=2345495 http://dl.acm.org/citation.cfm?id=2345495 CSCE 727 - Farkas48