
ITSS4V95 Week1

8/27/18
ITSS 4V95
IT Cybersecurity
Prithi Narasimhan
UT-Dallas
Introduction to IT Security
Computer Security Concepts
• The NIST Computer Security Handbook [NIST95] defines the term computer security as:
  “The protection afforded to an automated information system in order to attain the applicable objectives of preserving the integrity, availability, and confidentiality of information system resources (includes hardware, software, firmware, information/data, and telecommunications).”
Introduction
• Security has always been a major business concern
  – Physical assets are protected with locks, barriers, guards.
  – Information assets are protected with passwords, coding, certificates, encryption.
• Computers and the Internet have redefined the nature of information security
• Laws and enforcement in cyber crime
  – Slow to catch up
  – Breaking into a computer is now a federal crime in the U.S.
  – New laws against cross-border cyber crimes, yet difficult to enforce; sentences are typically very light
Computer Security Incidents
• Computer security is increasingly important
  – More sophisticated tools for breaking in
  – Viruses, worms, credit card theft, and identity theft leave firms with liabilities to customers
• Incidents are escalating at an increasing rate
• The Computer Emergency Response Team (CERT) was formed at Carnegie Mellon University with US DoD support
  – Responds to and raises awareness of computer security issues, www.cert.org
• Worldwide annual information security losses may be $2 trillion
Financial Impact of Security
• Security issues can impact consumer confidence
• 70% of all email sent worldwide was spam in 2006. Today ???
• New laws on data privacy and financial information include the Sarbanes-Oxley Act (SOX) and the Health Insurance Portability and Accountability Act (HIPAA)
Why Networks Need Security
• Organizations are vulnerable due to their dependency on computing and widely available Internet access to their computers and networks
• Business loss potential due to security breaches
  – $350,000 average loss per incident
  – Reduced consumer confidence as a result of publicity
  – Loss of income if systems are offline
  – Costs associated with strong laws against unauthorized disclosures (California: $250K for each such incident)
• Protecting organizations’ data and application software
  – Value of data and applications far exceeds cost of networks
  – Firms may spend about $1,250/employee on network security
(Slides 7–9: figures from the 2017 Cyber Security Study, retrieved from https://www.accenture.com/t20170926T072837Z__w__/us-en/_acnmedia/PDF-61/Accenture-2017-CostCyberCrimeStudy.pdf)
Q1: What Is the Goal of Information Systems Security?
Copyright © 2015 Pearson Education, Inc.
Examples of Threat/Loss
What Are the Sources of Threats?
Goal of Information Security
• Find an appropriate trade-off between the risk of loss and the cost of implementing safeguards.
• Get in front of the security problem by making appropriate trade-offs for your life and your business.
Average Computer Crime Cost and Percent of Attacks by Type (5 Most Expensive Types)
(Slide 15: figure from the Accenture 2017 Cyber Security Study cited above)
Ponemon Study Findings (2012)
• It is difficult to estimate the exact cost of a computer crime.
• Cost of computer crime is usually based on surveys.
• Data loss is the single most expensive consequence of computer crime, accounting for 44% of costs in 2012.
• 80% of respondents believe data on mobile devices poses significant risks.
(Slide 17: figure from the Accenture 2017 Cyber Security Study cited above)
Top Attacks Experienced
(Slide 18: figure from the Accenture 2017 Cyber Security Study cited above)
Summary Findings
• Median cost of computer crime is increasing.
• Malicious insiders are an increasingly serious security threat.
• Data loss is the principal cost of computer crime.
• Survey respondents believe mobile device data is a significant security threat.
• Security safeguards work.
2017 Statistics
(Slide 20: figure from the Accenture 2017 Cyber Security Study cited above)
Information Security?
What is information security?
• Information security (also called computer security) is the act of protecting data and information from unauthorized access, unlawful modification and disruption, disclosure, corruption, and destruction or theft.
• It typically includes an in-depth plan on how to secure data, computers, and networks.
The Security Requirements Triad
Figure 18.1 The Security Requirements Triad: Confidentiality, Integrity, and Availability surrounding data and services
Protecting Data at Rest
Protecting Data in Transit / Motion (Network Security)
Computer Security Objectives
• Confidentiality (threatened by Disclosure)
  – Data confidentiality assures that private or confidential information is not made available or disclosed to unauthorized individuals
  – Privacy assures that individuals control or influence what information related to them may be collected and stored and by whom and to whom that information may be disclosed
• Integrity (threatened by Alteration)
  – Data integrity assures that information and programs are changed only in a specified and authorized manner
  – System integrity assures that a system performs its intended function in an unimpaired manner, free from deliberate or inadvertent unauthorized manipulation of the system
• Availability (threatened by Destruction)
  – Assures that systems work promptly and service is not denied to authorized users
Q4: How Should Organizations Respond to Security Threats?
Q5: How Can Technical Safeguards Protect Against Security Threats?
Table 18.1 Threat Consequences, and the Types of Threat Actions That Cause Each Consequence (Based on RFC 2828)

Threat Consequence: Unauthorized Disclosure
  A circumstance or event whereby an entity gains access to data for which the entity is not authorized.
  Threat Actions (attacks):
  – Exposure: Sensitive data are directly released to an unauthorized entity.
  – Interception: An unauthorized entity directly accesses sensitive data traveling between authorized sources and destinations.
  – Inference: A threat action whereby an unauthorized entity indirectly accesses sensitive data (but not necessarily the data contained in the communication) by reasoning from characteristics or byproducts of communications.
  – Intrusion: An unauthorized entity gains access to sensitive data by circumventing a system's security protections.

Threat Consequence: Deception
  A circumstance or event that may result in an authorized entity receiving false data and believing it to be true.
  Threat Actions (attacks):
  – Masquerade: An unauthorized entity gains access to a system or performs a malicious act by posing as an authorized entity.
  – Falsification: False data deceive an authorized entity.
  – Repudiation: An entity deceives another by falsely denying responsibility for an act.

Threat Consequence: Disruption
  A circumstance or event that interrupts or prevents the correct operation of system services and functions.
  Threat Actions (attacks):
  – Incapacitation: Prevents or interrupts system operation by disabling a system component.
  – Corruption: Undesirably alters system operation by adversely modifying system functions or data.
  – Obstruction: A threat action that interrupts delivery of system services by hindering system operation.

Threat Consequence: Usurpation
  A circumstance or event that results in control of system services or functions by an unauthorized entity.
  Threat Actions (attacks):
  – Misappropriation: An entity assumes unauthorized logical or physical control of a system resource.
  – Misuse: Causes a system component to perform a function or service that is detrimental to system security.
Scope of System Security
Figure 18.2 Scope of System Security
1. Access to the data must be controlled (protection)
2. Access to the computer facility must be controlled (user authentication)
3. Data must be securely transmitted through networks (network security)
4. Sensitive files must be secure (file security)
(Figure elements: users making requests, a guard in front of each computer system, processes representing users, and the data inside each system)
Classroom Activity
• The following examples affect which part of the TRIAD of IT Security?
  – Equipment stolen or disabled, thus preventing users from using the system.
    – Availability
  – Programs deleted, denying access to users.
    – Availability
  – A program was modified to cause it to fail or do unintentional actions.
    – Integrity
  – An unauthorized copy of the software is made.
    – Confidentiality
Classroom Activity
• A program was modified to cause it to bring the systems down. What has been compromised?
  – Integrity
• An unauthorized data read is performed and the data is being analyzed.
  – Confidentiality
• Messages are passively intercepted and directed to a remote location.
  – Confidentiality
Table 18.2 Computer and Network Assets, with Examples of Threats

Hardware
  Availability: Equipment is stolen or disabled, thus denying service.
Software
  Availability: Programs are deleted, denying access to users.
  Confidentiality: An unauthorized copy of software is made.
  Integrity: A working program is modified, either to cause it to fail during execution or to cause it to do some unintended task.
Data
  Availability: Files are deleted, denying access to users.
  Confidentiality: An unauthorized read of data is performed. An analysis of statistical data reveals underlying data.
  Integrity: Existing files are modified or new files are fabricated.
Communication Lines
  Availability: Messages are destroyed or deleted. Communication lines or networks are rendered unavailable.
  Confidentiality: Messages are read. The traffic pattern of messages is observed.
  Integrity: Messages are modified, delayed, reordered, or duplicated. False messages are fabricated.
The AAA of Computer Security
• Authentication
  – When a person’s identity is established with proof and confirmed by a system
• Authorization
  – When a user is given access to certain data or areas of a building
• Accounting
  – The tracking of data, computer usage, and network resources
Categories of Attacks
• Passive attacks
  – Attempt to learn or make use of information from the system but do not affect system resources.
  – Are in the nature of eavesdropping on, or monitoring of, transmissions.
  – Goal of the attacker is to obtain information that is being transmitted.
  – Difficult to detect because they do not involve any alteration of the data.
  – Emphasis is on prevention rather than detection.
• Two types:
  – Release of message contents
    – Prevent an opponent from learning the contents of a transmission.
  – Traffic analysis
    – Even when the contents of a message are encrypted, so that an opponent who captures the message cannot extract the information, the opponent can still observe the pattern of the messages.
Categories of Attacks
• Active attacks
  – Involve some modification of the data stream or the creation of a false stream
  – Goal is to detect them and to recover from any disruption or delays
• Four categories:
  – Replay: Involves the passive capture of a data unit and its subsequent retransmission to produce an unauthorized effect
  – Masquerade: Takes place when one entity pretends to be a different entity; usually includes one of the other forms of active attack
  – Modification of messages: Some portion of a legitimate message is altered, or messages are delayed or reordered, to produce an unauthorized effect
  – Denial of service: Prevents or inhibits the normal use or management of communications facilities; disruption of an entire network, either by disabling the network or by overloading it with messages so as to degrade performance
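Added example (not from the lecture slides): a toy authenticated channel in Python that makes the two points of the passive and active attack slides concrete. Encryption prevents release of message contents but leaves the traffic pattern (who, how often, how long) visible, and an integrity tag plus sequence numbers lets the receiver detect replay and modification. The HMAC-based keystream, party names and message texts are constructed for the demo and stand in for a real cipher.

```python
import hashlib
import hmac
import secrets
from collections import Counter

SEQ_LEN = 8    # sequence number, also used as the nonce
TAG_LEN = 32   # HMAC-SHA256 tag


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy counter-mode keystream from HMAC-SHA256 (assumption: illustration
    only; a real channel would use a vetted AEAD such as AES-GCM)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def seal(enc_key: bytes, mac_key: bytes, seq: int, plaintext: bytes) -> bytes:
    """Sender: encrypt (prevention against passive attacks), then tag the
    sequence number and ciphertext (detection of active attacks).
    Wire format: seq(8) || ciphertext || tag(32)."""
    nonce = seq.to_bytes(SEQ_LEN, "big")
    ct = xor_bytes(plaintext, keystream(enc_key, nonce, len(plaintext)))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


class Receiver:
    """Receiver: verifies the tag and requires consecutive sequence numbers,
    recording every detected active attack in `alerts`."""

    def __init__(self, enc_key: bytes, mac_key: bytes) -> None:
        self.enc_key = enc_key
        self.mac_key = mac_key
        self.expected_seq = 0
        self.alerts = []

    def open(self, packet: bytes):
        if len(packet) < SEQ_LEN + TAG_LEN:
            self.alerts.append("malformed packet")
            return None
        nonce, ct, tag = packet[:SEQ_LEN], packet[SEQ_LEN:-TAG_LEN], packet[-TAG_LEN:]
        expected = hmac.new(self.mac_key, nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            self.alerts.append("modification detected")   # altered or forged message
            return None
        seq = int.from_bytes(nonce, "big")
        if seq != self.expected_seq:
            self.alerts.append("replay or reordering detected")
            return None
        self.expected_seq = seq + 1
        return xor_bytes(ct, keystream(self.enc_key, nonce, len(ct)))


def traffic_analysis(captured):
    """What a passive eavesdropper still learns from encrypted packets: who
    talks to whom, how often, and how long each message is (Table 18.2:
    'the traffic pattern of messages is observed').
    captured is a list of (src, dst, packet) tuples."""
    pairs = Counter((src, dst) for src, dst, _ in captured)
    sizes = [len(pkt) - SEQ_LEN - TAG_LEN for _, _, pkt in captured]
    return {"pairs": dict(pairs), "plaintext_sizes": sizes}


def run_demo():
    """Constructed scenario: Alice sends Bob three messages over a tapped
    channel; afterwards an active attacker replays one packet and tampers
    with another. Returns what each side (and the attacker) observed."""
    enc_key, mac_key = secrets.token_bytes(32), secrets.token_bytes(32)
    messages = [b"transfer $100 to carol", b"okay, confirmed", b"transfer $100 to carol"]
    bob = Receiver(enc_key, mac_key)
    captured, delivered = [], []
    for seq, msg in enumerate(messages):
        pkt = seal(enc_key, mac_key, seq, msg)
        captured.append(("alice", "bob", pkt))      # passive tap on the wire
        delivered.append(bob.open(pkt))
    # Release of message contents: no plaintext is visible in the capture, and
    # the two identical messages (0 and 2) produce different ciphertexts.
    contents_leaked = any(m in pkt for m in messages for _, _, pkt in captured)
    same_ciphertext = captured[0][2] == captured[2][2]
    # Active attacks: replay of packet 0, then a one-bit change to packet 1.
    bob.open(captured[0][2])
    tampered = bytearray(captured[1][2])
    tampered[SEQ_LEN] ^= 0x01
    bob.open(bytes(tampered))
    return {
        "delivered": delivered,
        "contents_leaked": contents_leaked,
        "same_ciphertext": same_ciphertext,
        "observed": traffic_analysis(captured),
        "alerts": bob.alerts,
    }


if __name__ == "__main__":
    print(run_demo())
```

Note that the eavesdropper's view still reveals that messages 0 and 2 have the same length, which is exactly the kind of pattern traffic analysis exploits and encryption alone does not hide.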
Q & A
• A software script that listens to changes in an LDAP directory and writes the changes into another directory is an example of what kind of attack (active or passive)?
• A software script that listens to changes in an LDAP directory and modifies entries in the same directory, rendering applications faulty, is a kind of ?
Types of Controls/Countermeasures
• Mechanisms that reduce or eliminate the threats to network security
• Types of controls:
  – Preventative controls
    – Mitigate or stop a person from acting or an event from occurring (e.g., locks, passwords, backup circuits)
    – Act as a deterrent by discouraging or restraining
  – Detective controls
    – Reveal or discover unwanted events (e.g., auditing)
    – Documenting events for potential evidence
  – Corrective controls
    – Remedy an unwanted event or a trespass (e.g., reinitiating a network circuit)
Types of Controls/Countermeasures
• Deterrent controls
  – Deter users from performing actions on a system. Ex: Fence around a building; huge fines for speeding; the risks or implications of a failed attack make the attack not worth pursuing.
• Directive controls
  – Controls designed to specify acceptable rules of behavior within an organization. Ex: User Acceptance Policy
• Recovery
  – After a security incident, recovery controls may have to be taken in order to restore functionality of the system and organization. Ex: Reinstall OS from a disc or image, data restored from backup.
• Compensating
  – An additional control in place to compensate for a weakness in a system. Ex: Watching non-work-related multimedia movies at work can be a cause for losing a job. This is an administrative control.
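Added example (not from the lecture slides): the "guard" of Figure 18.2 written out as a small Python class that performs the three A's of the AAA slide and keeps an accounting log, together with a detective control in the sense of the controls slides (auditing) that reviews that log for repeated failed logins, the defender's side of the "guessing and cracking passwords" intrusion example. The role table, user names, passwords and guesses are constructed for the demo.

```python
import hashlib
import hmac
import secrets
from collections import Counter

# Role -> permitted actions. Constructed for the demo; a real system would
# load this from its policy store.
PERMISSIONS = {
    "analyst": {"read_report"},
    "admin": {"read_report", "delete_report", "reset_password"},
}
PBKDF2_ROUNDS = 100_000


class AccessGuard:
    """Authentication, authorization and accounting in one in-memory guard
    (assumption: user records live in a dict for the demo)."""

    def __init__(self) -> None:
        self.users = {}
        self.audit = []          # accounting: one record per request

    def register(self, user: str, password: str, role: str) -> None:
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        self.users[user] = {"salt": salt, "hash": digest, "role": role}

    def authenticate(self, user: str, password: str) -> bool:
        """Identity established with proof (the password) and confirmed by the
        system: constant-time compare, and the same amount of work for unknown
        users so the two failure cases cannot be told apart by timing."""
        rec = self.users.get(user)
        salt = rec["salt"] if rec else b"\x00" * 16
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        return rec is not None and hmac.compare_digest(digest, rec["hash"])

    def authorize(self, user: str, action: str) -> bool:
        """Is this (already authenticated) user allowed to perform `action`?"""
        role = self.users[user]["role"]
        return action in PERMISSIONS.get(role, set())

    def request(self, user: str, password: str, action: str) -> bool:
        """Full AAA check for one request; every outcome is logged."""
        if not self.authenticate(user, password):
            result = "auth_failed"
        elif not self.authorize(user, action):
            result = "denied"
        else:
            result = "allowed"
        self.audit.append({"user": user, "action": action, "result": result})
        return result == "allowed"


def flag_password_guessing(audit, threshold: int = 3):
    """Detective control over the accounting log: users with at least
    `threshold` failed authentications, i.e. the defender's view of the
    'guessing and cracking passwords' intrusion example."""
    failures = Counter(r["user"] for r in audit if r["result"] == "auth_failed")
    return sorted(u for u, n in failures.items() if n >= threshold)


def run_demo():
    """Constructed scenario: two legitimate requests, one over-privileged
    request, then four wrong guesses at bob's password."""
    guard = AccessGuard()
    guard.register("alice", "correct horse battery staple", "analyst")
    guard.register("bob", "Tr0ub4dor&3-but-longer", "admin")
    results = {
        "alice_read": guard.request("alice", "correct horse battery staple", "read_report"),
        "alice_delete": guard.request("alice", "correct horse battery staple", "delete_report"),
        "bob_delete": guard.request("bob", "Tr0ub4dor&3-but-longer", "delete_report"),
    }
    for guess in ("password", "123456", "bob", "letmein"):   # constructed guesses
        guard.request("bob", guess, "reset_password")
    results["flagged"] = flag_password_guessing(guard.audit)
    results["audit_len"] = len(guard.audit)
    return results


if __name__ == "__main__":
    print(run_demo())
```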
Security Implementation
• Securing the assets or infrastructure elements requires personnel designated to be accountable for controls:
  – Develop controls
  – Ensure that controls are operating effectively
  – Update or replace controls when necessary
• Controls need to be reviewed periodically for usefulness, verification and testing:
  – Ensure that the control is still present (verification)
  – Determine if the control is working as specified (testing)
  – Is the control still working as it was specified?
  – Are there procedures for temporary overrides on the control?
Intrusion Examples
• Performing a remote root compromise of an e-mail server
• Defacing a Web server
• Guessing and cracking passwords
• Copying a database containing credit card numbers
• Viewing sensitive data without authorization
• Running a packet sniffer on a workstation to capture usernames and passwords
• Using a permission error on an anonymous FTP server to distribute pirated software and music files
• Dialing into an unsecured modem and gaining internal network access
• Posing as an executive, calling the help desk, resetting the executive’s e-mail password, and learning the new password
• Using an unattended, logged-in workstation without permission
Intruder Behavior Patterns
• Hackers
  – Organized group of intruders who hack into a computer for the thrill or for status
• Criminals
  – Usually have specific targets or classes of targets in mind
  – Once a site is penetrated, the attacker acts quickly, scooping up as much valuable information as possible and exiting
• Insider Attacks
  – Difficult to detect and prevent
  – Employees have access to and knowledge of the structure and content of databases
  – Can be motivated by revenge or a feeling of entitlement
Types of Hackers
White hats
These people are non-malicious; for example, an IT person who attempts to hack into a computer system before it goes live to test the system.
Black hats
These are malicious individuals who attempt to break into computers and computer networks without authorization. Black hats are the hackers who attempt identity theft, piracy, credit card fraud, and so on. Penalties for this type of activity are severe.
Gray hats
These are individuals who do not have any affiliation with a company, but risk breaking the law by attempting to hack a system.
Types of Hackers (cont.)
Blue hats
These are individuals who are asked to attempt to hack into a system by an organization, but the organization does not employ them.
Elite
These hackers are the ones who first find out about vulnerabilities. Only 1 out of an estimated 10,000 hackers wears the Elite hat.
Other Types of Attackers
Script kiddies
These are individuals with little or no technology skills. They typically use code that was written by others and is freely accessible on the Internet.
Hacktivists
The name hacktivist is often applied to different kinds of activities; from hacking for social change, to hacking to promote political agendas, to full-blown cyberterrorism.
Organized crime groups
Individuals who are part of an organized crime group are often well-funded and can have a high level of sophistication.
Advanced persistent threats (APTs)
Often, an APT entity has the highest level of resources, including open-source intelligence (OSINT) and covert sources of intelligence.
Malicious Software
• Malware
  – Malicious software that exploits system vulnerabilities
  – Designed to cause damage to or use up the resources of a target computer
  – Frequently concealed within or masquerades as legitimate software
• Two categories
  – Those that need a host program
  – Those that are independent (parasitic)
• May or may not replicate
Malicious Software
• What is malware?
  – Malware is software designed to infiltrate a computer system and possibly damage it without the user’s knowledge or consent.
• Types of malware
  – Viruses
  – Worms
  – Trojan horses
  – Ransomware
  – Spyware
  – Rootkits
  – Spam
Malicious Programs
• Back door (also known as a trap door)
  – Secret entry point into a program that allows someone who is aware of the back door to gain access without going through the usual security access procedures.
  – A maintenance hook is a backdoor inserted by a programmer to aid in testing and debugging.
• Logic Bomb
  – One of the oldest types of program threats
  – Code embedded in some legitimate program that is set to “explode” when certain conditions are met.
Malicious Programs
• Trojan Horse
  – A useful, or apparently useful, program or command procedure containing hidden code that, when invoked, performs some unwanted or harmful function
  – Can be used to accomplish functions indirectly that an unauthorized user could not accomplish directly
• Trojan horses fit into one of three models:
  – Continuing to perform the function of the original program and additionally performing a separate malicious activity
  – Continuing to perform the function of the original program but modifying the function to perform malicious activity or to disguise other malicious activity
  – Performing a malicious function that completely replaces the function of the original program
Ransomware
• What is ransomware?
  – Ransomware is a type of malware that restricts access to a computer system and demands that a ransom be paid.
  – Personal files are encrypted and the user is locked out.
  – The malware then informs the user that in order to decrypt the files, or unlock the computer to regain access to the files, a payment would have to be made to one of several banking services, often overseas.
  – An example of ransomware is CryptoLocker.
  – CryptoLocker encrypts certain files on the computer’s drives using a public key.
Malicious Programs
• Spyware and Adware are types of Trojans.
• Spyware monitors what happens on a target computer.
  – An example of spyware is the Internet Optimizer. The Internet Optimizer redirects Internet Explorer error pages out to other websites’ advertising pages.
• Adware monitors user actions and displays pop-up ads on the user’s screen.
• Grayware
  – Grayware is another general term that describes applications that are behaving improperly but without serious consequences.
Copyright 2011 John Wiley & Sons, Inc
Rootkit
• A rootkit is a type of software designed to gain administrator-level control over a computer system without being detected.
• It is used to perform malicious operations on a target computer at a later date without the knowledge of the administrators or users of that computer.
• Rootkits can target the UEFI/BIOS, boot loader, kernel, and more.
• Rootkits are difficult to detect because they are activated before the operating system has fully booted.
• Sony spyware rootkit example.
  – To track users who might be illegally copying and distributing copies of CDs.
  – Used a rootkit on audio CDs sold in 2005 that could conceal its existence from users.
  – The Federal Trade Commission ruled in 2007 that Sony had violated Federal laws and had to reimburse consumers up to $150.
Viruses
• Software that can “infect” other programs by modifying them
  – The modification includes injecting the original program with a routine to make copies of the virus program, which can then go on to infect other programs
• A virus has three parts:
  – Infection mechanism
    – The means by which a virus spreads, enabling it to replicate
    – Also referred to as the infection vector
  – Trigger
    – The event or condition that determines when the payload is activated or delivered
  – Payload
    – What the virus does, besides spreading
    – May involve damage or may involve benign but noticeable activity
Viruses
• Typical hosts for viruses in a computer are:
  – EXE files in Windows machines
  – Boot sectors of disk partitions.
  – Script files for system administrators
    – BAT files in Windows and SH files in Unix.
  – Documents that are allowed to contain macros
    – Word, Excel, Access database, etc.
Virus Phases
• Dormant Phase
  – Virus is idle
  – Will eventually be activated by some event
  – Not all viruses have this stage.
• Propagation Phase
  – Virus places an identical copy of itself into other programs
  – Each infected program will now contain a clone of the virus, which will itself enter a propagation phase
• Triggering Phase
  – Virus is activated to perform the function for which it was intended
• Execution Phase
  – The function is performed
Virus Classifications by Target
• Boot sector infector
  – Infects a master boot record and spreads when a system is booted from the disk containing the virus
• File infector
  – Infects files that the operating system or shell considers to be executable
• Macro virus
  – Infects files with macro code that is interpreted by an application
Virus Classification by Concealment Strategy
• Encrypted virus
  – A portion of the virus creates a random encryption key and encrypts the remainder of the virus
  – The key is stored with the virus
• Stealth virus
  – A form of virus explicitly designed to hide itself from detection by antivirus software
  – The entire virus, not just the payload, is hidden
• Polymorphic virus
  – A virus that mutates with every infection, making detection by the “signature” of the virus impossible
• Metamorphic virus
  – Mutates with every infection
  – Rewrites itself completely at each iteration, increasing the difficulty of detection
Macro Viruses
• In the mid 1990’s became by far the most prevalent type of virus
• Threatening because:
  – A macro virus is platform independent
  – Macro viruses infect documents, not executable portions of code
  – Macro viruses are easily spread
  – Traditional file system access controls are of limited use in preventing their spread
• Is an executable program embedded in a word processing document or other type of file
E-Mail Viruses
• The first rapidly spreading e-mail viruses made use of a Microsoft Word macro embedded in an attachment
  – If the recipient opens the email attachment the Word macro is activated
  – The virus sends itself to everyone on the mailing list in the user’s e-mail package
  – The virus does local damage on the user’s system
• In 1999 a virus appeared that could be activated merely by opening an e-mail that contains the virus rather than opening an attachment
  – The virus uses the Visual Basic scripting language supported by the e-mail package
• Malware arrives via e-mail and uses e-mail software features to replicate itself across the Internet
  – The virus propagates itself as soon as it is activated to all of the e-mail addresses known by the infected host
Worms
• A worm is much like a virus, except that it self-replicates, whereas a virus does not. It does this in an attempt to spread to other computers.
• Programs that can replicate themselves and send copies from computer to computer across network connections
• In addition to propagation the worm usually performs some unwanted function
• Worms take advantage of security holes in operating systems and applications, including backdoors.
• Actively seek out more machines to infect, and each machine that is infected serves as an automated launching pad for attacks on other machines
• A network worm:
  – Exhibits the same characteristics as a computer virus
  – May attempt to determine if a system has previously been infected before copying itself
Example – Morris Worm
• A 23-year-old doctoral student from Cornell, Robert Morris, wrote a small program in November 1988 and it brought the entire internet down.
  – Reads passwords from the Unix /etc/passwd location.
  – Used dictionary words to decipher the passwords.
  – Tries to crack passwords of hosts it knows about and uses services available within a host it gained access to in order to attack other hosts.
Example – Code Red worm
• Observed on the internet in 2001.
• Attacked computers running Microsoft IIS Web servers.
• Exploited a vulnerability known as a “buffer overflow” by using a large string of repeated N characters to overflow the buffer.
• Affected the White House.
Example: ILoveYou worm
• Damages estimated at $10 billion in 2000.
• Created by two Filipino programmers, Reonel Ramones and Onel de Guzman
• Used social engineering to make people click on the attachment, in this case a confession.
• The attachment was a TXT file.
• Once clicked, the worm broadcast itself to everyone on the mailing list and made the host computer unbootable.
• This led to the enactment of the E-Commerce law
Ways to Deliver Malicious Software
Malware can be delivered in several ways:
• Via software, messaging, and media
• Botnets and zombies
• Active interception
• Privilege escalation
• Backdoors
• Logic bombs
Bots
• Also known as a zombie or drone
• Program that secretly takes over another Internet-attached computer, then uses it to launch attacks that are difficult to trace to the bot’s creator
• A botnet is a collection of bots capable of coordinating attacks
• Characteristics:
  – The bot functionality
  – A remote control facility
  – A spreading mechanism to propagate the bots and construct the botnet
Uses of Bots
• Distributed denial-of-service attacks
• Installing advertisement add-ons and browser helper objects (BHOs)
• Spamming
• Manipulating online polls/games
• Sniffing traffic
• Keylogging
• Spreading new malware
Remote Control Facility
• Is what distinguishes a bot from a worm
  – A worm propagates itself and activates itself, whereas a bot is controlled from some central facility
• A typical means of implementation is on an IRC server
  – All bots join a specific channel on this server and treat incoming messages as commands
• Once a communications path is established between a control module and the bots, the control module can activate the bots
Example: Bot
• Mariposa bot:
  – Observed in 2008. Involved in cyberspamming and DoS attacks.
  – Monitored activity for passwords, bank credentials and credit cards.
Constructing a Network Attack
• Software to carry out the attack must be able to run on a large number of machines and remain concealed
• The attack must be aware of a vulnerability that many system administrators have failed to notice
• A strategy for locating vulnerable machines must be implemented
  – This is known as scanning or fingerprinting
Scanning Strategies
• Random
  – Each compromised host probes random addresses in the IP address space, using a different seed
• Hit List
  – The attacker first compiles a long list of potentially vulnerable machines
  – Once the list is compiled the attacker begins infecting machines on the list
• Topological
  – Uses information contained on an infected victim machine to find more hosts to scan
• Local subnet
  – If a host can be infected behind a firewall, that host then looks for targets in its own local network
  – Host uses the subnet address structure to find other hosts that would otherwise be protected by the firewall
Spam (Unsolicited Bulk Email) and SPIM
• The extremely low cost required to send large volumes of e-mail has led to the rise of unsolicited bulk email, commonly known as spam
• A number of recent estimates suggest that spam may account for 90% or more of all e-mail sent
  – This imposes significant costs both on the network infrastructure needed to relay this traffic and on users who need to filter out their legitimate e-mails
• Is a significant carrier of malware
• May be used in a phishing attack, typically directing the user to a fake Web site that mirrors some legitimate service and capturing the user’s personal information or logins and passwords
• Spim (spam over instant messaging) is a derivative of spam. Spim is the abuse of instant messaging systems, chat rooms, and chat functions in games specifically. It is also known as messaging spam, or IM spam.
Credential Theft, Keyloggers, and Spyware
• Keylogger
  – Captures keystrokes on the infected machine to allow an attacker to monitor this sensitive information
• Spyware
  – Subverts the compromised machine to allow monitoring of a wide range of activity on the system
  – May include monitoring the history and content of browsing activity
  – Redirecting certain Web page requests to fake sites controlled by the attacker
  – Dynamically modifying data exchanged between the browser and certain Web sites of interest
Phishing and Identity Theft
• Phishing
  – Exploits social engineering to leverage the user’s trust by masquerading as communications from a trusted source
  – Spam e-mail may direct a user to a fake Web site controlled by the attacker, or to complete some enclosed form and return it to an e-mail address accessible to the attacker, which is used to gather a range of private, personal information on the user
• Spear-phishing
  – E-mail claiming to be from a trusted source; however, the recipients are carefully researched by the attacker and each e-mail is carefully crafted to suit its recipient specifically, often quoting a range of information to convince them of its authenticity
Security Technologies Used
Figure 18.6 Security Technologies Used (bar chart; x-axis: percent of respondents, 0%–100%)
Technologies surveyed: Anti-virus software; Firewall; Anti-spyware software; Virtual private network (VPN); Vulnerability/Patch Management; Encryption of data in transit; Intrusion detection system (IDS); Encryption of data at rest (in storage); Web/URL filtering; Application firewall; Intrusion prevention system (IPS); Log management software; Endpoint security software; Data loss prevention/content monitoring; Server-based access control list; Forensic tool; Static account logins/passwords; Public key infrastructure (PKI); Smart cards and other one-time tokens; Specialized wireless security; Virtualization-specific tools; Biometrics; Other
Source: Computer Security Institute 2010/2011 Computer Crime and Security Survey
2017
(figure; source: http://www.himss.org/sites/himssorg/files/2016-cybersecurity-report.pdf)