Network Security
CPSC6128 - Lecture 1
Jianhua Yang
Yang_jianhua@ColumbusState.edu
Introduction and Overview
Network Security
Most topics in Computer Science are focused on achieving a desired behavior.
Computer and Network Security is focused on preventing undesired behavior.
So we need to think differently: paranoia is actually a good thing!
The enemy is going to try to find an input or state in your system which allows the protection measures to be circumvented.
CPSC6128 - Network Security
Think Differently
Security Mindset
What is the system designed to do?
What is the proper operation?
The system is typically larger than just the computer or network (it also includes physical security and human behavior). However, for the purposes of this course we will focus on the computer and network parts.
What are the vulnerabilities in the system?
How can this system be attacked?
How can the system be defended?
Is the cost of the defense worth it? -Important concept!
CIA - You will see this in many textbooks
Confidentiality
keeping information secret
Integrity
ensuring that the information is genuine and hasn't been tampered with.
Availability
ensuring that the system is available to authorized users when they need it.
Also add Authenticity
determining the origin of data (a type of integrity)
Good way to frame the problem. But security is far more complex.
(Diagram: Confidentiality, Integrity and Availability drawn as the three security objectives.)
Simplistic View on Password Authentication
(Diagram: the user presents a password and is let in.)
Reality – Larger System in Play
(Diagram: the password check is only one way in. The password-recovery flow that prompts for the user's high school, the social networks where that answer can be found, and social engineering give the attacker other paths to the same account.)
Another Example – Attack on a Wired Magazine Writer, 2012
 The attacker's goal was to take the target's Twitter handle @mat
 He could have attacked Twitter's authentication directly, but…
 From the Twitter page the attacker found the personal home page of the account holder
 There he found the victim's Gmail address
 He went to Google's account recovery page
 The recovery page showed that the victim had an alternate email ending in @me.com
 The attacker knew he could recover a @me.com account with just the billing address and the last four digits of the associated credit card
Cont.
 The attacker could get credit card info through a "loophole" in Amazon:
 Call Amazon, say you are the account holder and that you want to add a credit card. To do this the attacker only needs the email and billing address of the account holder.
 He got the billing address because the victim had registered a domain name for his website (domain registration records were public).
 Call Amazon back and say you have lost access to your email account. Provide the name, address and the new credit card number.
 Amazon sends the account information to a new email address held by the attacker.
Cont.
 The attacker could then log in and see the last four digits of the original credit card number.
 He went back to Apple and took over the @me.com and iCloud accounts (which are linked).
 Since the @me.com address was the recovery email for Google and Twitter, the attacker then took over those accounts as well.
 He wiped the victim's computer remotely using an iCloud "feature" (remote wipe).
What are the bounds of this security system?
When someone says "Their Network is Secure"
 What does this mean?
 Definition of Security – "Freedom from Risk or Danger" (Random House Unabridged Dictionary)
 Is it 100% protected against every conceivable threat? No
 Is it impossible to attack and compromise? No
 Most of the time it means:
 The network has been designed so as to maintain an acceptable level of risk.
Security is an Engineering Trade-off
The objective is
typically not to make the system secure against every threat.
Instead the goal is to
optimize the security of the system given certain constraints
 (cost, end user usability, information sensitivity)
Security is an Ongoing Process - not a product
If a vendor comes to you and says that their “box” will
secure your network - run!
Security requires not only technical countermeasures and
tools but processes and procedures.
Once a tool, process or procedure is put in place, it must
be continuously revisited.
SECURITY IS PRIMARILY ABOUT RISK MANAGEMENT
Some Important Definitions
Vulnerability
a weakness or “hole” in software, hardware or system
which would allow an attacker to gain unauthorized access.
Threat
Threats typically take advantage of vulnerabilities, such as
Attacker accessing a SQL database without proper authorization.
A user deleting data by mistake.
Attack
An attempt to exploit a vulnerability
Risk
the probability of the threat taking advantage of the vulnerability, weighed by the value of what is lost if it does
Risk = ((Threat x Vulnerability) / Countermeasures) x Value (a heuristic for thinking about the factors, not a formula to compute literally)
Countermeasure
a process, procedure, product, software which mitigates the risk.
(Diagram: how the definitions relate)
Threat Agent -> gives rise to a -> Threat
Threat -> exploits -> Vulnerability
Vulnerability -> leads to -> Risk
Risk -> can damage -> Asset
Asset -> causes an -> Exposure
Exposure -> can be mitigated by -> Safeguard
Safeguard -> affects behavior of -> Threat Agent
Reference: ISC2
THREAT MODELING
Threat Modeling
Understand what the attack goals are
Understand who the attackers are
 What is their motivation?
 How much funding?
 Skill level?
 Aversion to risk?
Understand what attacks are likely to occur
Understand the security assumptions of a system
Understand where to best spend a security budget
STRIDE Model
 Threats are classified into six classes based on their effect:
 Spoofing
 Using someone else’s credentials to gain access to otherwise inaccessible assets.
 Tampering
 Changing data to mount an attack.
 Repudiation
 Occurs when a user denies performing an action, but the target of the action has no way to
prove otherwise.
 Information disclosure
 The disclosure of information to a user who does not have permission to see it.
 Denial of service
 Reducing the ability of valid users to access resources.
 Elevation of privilege
 Occurs when an unprivileged user gains privileged status.
Threat Trees
 Start with each abstract threat and then iteratively refine the description, carefully and gradually
 The collection of threat trees gives you a threat forest
(Diagram: a Threat node with Sub-threat children.)
Example
Hospital Computer System Threats
  Patient Medical Information
    Life Threatening: Disclosure, Integrity, DoS
    Non Life Threatening: Disclosure, Integrity, DoS
  Non-Patient Medical Information
    Billing
    Non-Billing
  Each sub-threat is refined further by who causes it: Malicious or Non-Malicious, and by actor (Developer, MD, NMD).
Using Threat Trees For Risk Calculation
 Relationship between threats can be
 Conjunctive (AND) or
 Disjunctive (OR).
 Nodes
 can be labeled with level of effort, risk, criticality etc.
 Labels
 can be propagated from leaves to root in obvious manner.
(Diagram: an OR node whose two sub-threats are labelled Effort = Moderate and Effort = High is itself labelled Effort = Moderate, since the attacker only needs the easier branch; an AND node would carry the combined effort of all its children.)
Ranking Threats – Threat Matrix
Threat level | Existence | Capability | History | Intentions | Targeting
Severe       |     X     |     X      |    X    |     X      |     X
High         |     X     |     X      |    X    |     X      |
Elevated     |     X     |     X      |    X    |            |
Guarded      |     X     |     X      |         |            |
Low          |     X     |            |         |            |
The level rises as more factors are present: a threat agent merely exists (Low), has the capability (Guarded), has a history of attacks (Elevated), has stated intentions (High), and is actively targeting you (Severe).
RISK ASSESSMENT
Risk Assessment
 Assessment
 measures the impact of an event, and the probability of an event
(threat agent exploiting a vulnerability)
 Quantitative (objective) and Qualitative (subjective) approaches
 Quantitative approach:
 Compute expected monetary value (impact) of loss for all “events”
 Compute the probability of each type of expected loss
 Qualitative approach
 use Low, Medium, High; ratings, or
 other categorical scales
Risk Management
 Accept the risk
 Risk is low but costly to mitigate - worth accepting. Monitor.
 Transfer the risk
 Transfer to somebody else via insurance, warnings etc.
 Remove the risk
 Remove the system component or feature associated with the risk if the
feature is not worth the risk.
 Mitigate the risk
 Reduce the risk with countermeasures.
 The understanding of risks
 leads to policies, specifications and requirements
 Appropriate security mechanisms are then developed and implemented
Quantitative - Security Cost Risk Assessment
Exposure Factor (EF)
Percentage of asset loss caused by identified threat
Single Loss Expectancy (SLE)
Asset Value * Exposure Factor
Annualized Rate of Occurrence (ARO)
Estimated frequency a threat will occur within a year
Annualized Loss Expectancy (ALE)
Single Loss Expectancy * Annualized Rate of Occurrence
Example:
Fire Damage to a building:
Asset Value: value of the building - $750,000
Single Loss Expectancy (SLE: Asset Value x Exposure Factor) - $250,000 (damage caused by the fire, i.e. an exposure factor of one third)
Annualized Rate of Occurrence (ARO) - .05 (5% chance every year that there will be a fire)
Annualized Loss Expectancy (ALE: $250,000 x .05) = $12,500
So is a fire alarm system which costs $5,000 per year to install and maintain worth it?
YES - Fire Alarm Cost < ALE (strictly, the cost should be compared with the reduction in ALE the alarm buys; the comparison above assumes the alarm prevents the loss)
Network Security Example:
Credit Card database stolen from online retailer via SQL
injection:
Asset Value
Here the asset value is a bit nebulous so it sometimes is better to focus on the SLE
Single Loss Expectancy (SLE)
If the database is stolen and/or damaged, how much is it going to cost the company in PCI fines, lost
business, consulting fees for security, etc. $1M is not unreasonable for a medium sized retailer.
Annualized Rate of Occurrence (ARO)
Can get this information from network consulting organizations or your insurance company. Assume 5%.
Network Security Example (Cont.)
Annualized Loss Expectancy (ALE) = $1M x .05 = $50,000
So does a web application firewall which costs $24K per year make sense?
Most likely, YES: $24K is well under the $50K ALE, and it still pays for itself provided it prevents roughly half or more of the expected incidents.
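The SLE/ARO/ALE arithmetic from the fire and SQL-injection examples, as an added Python example (not from the lecture). It reproduces the slide figures and extends the "cost < ALE" rule of thumb with a residual-risk check: the rule assumes the control eliminates the loss, so the check compares the control's annual cost with the reduction in ALE it actually buys. The residual ARO and exposure-factor values used for the "after" case are assumptions chosen for illustration, not lecture figures.

```python
"""Quantitative risk assessment: SLE, ARO, ALE and countermeasure cost/benefit.

Added example, not from the lecture.  Reproduces the fire-alarm and
SQL-injection numbers from the slides; the residual ARO/EF values passed
to net_benefit() are assumptions made for illustration.
"""
from dataclasses import dataclass
from typing import Optional


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = Asset Value x Exposure Factor (fraction of the asset lost per event)."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    return round(asset_value * exposure_factor, 2)


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x Annualized Rate of Occurrence (expected events per year)."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return round(sle * aro, 2)


def rule_of_thumb(ale: float, annual_cost: float) -> bool:
    """The slides' test: the countermeasure is worth it if it costs less than the ALE."""
    return annual_cost < ale


@dataclass
class Countermeasure:
    name: str
    annual_cost: float                    # cost to buy, install and maintain, per year
    residual_aro: float                   # ARO that remains with the control in place
    residual_ef: Optional[float] = None   # EF afterwards; None means unchanged


def net_benefit(asset_value: float, ef: float, aro: float, cm: Countermeasure) -> float:
    """(ALE before) - (ALE after) - (annual cost); positive means the control pays for itself.

    The rule of thumb is the special case residual_aro == 0 (the control removes the risk).
    """
    before = annualized_loss_expectancy(single_loss_expectancy(asset_value, ef), aro)
    ef_after = ef if cm.residual_ef is None else cm.residual_ef
    after = annualized_loss_expectancy(single_loss_expectancy(asset_value, ef_after), cm.residual_aro)
    return round(before - after - cm.annual_cost, 2)


if __name__ == "__main__":
    # Fire example from the slides: $750K building, $250K damage per fire, 5% per year.
    fire_ef = 250_000 / 750_000
    ale_fire = annualized_loss_expectancy(single_loss_expectancy(750_000, fire_ef), 0.05)
    print("fire ALE:", ale_fire, "alarm worth it (rule of thumb):", rule_of_thumb(ale_fire, 5_000))
    # Assumption: the alarm does not stop fires but limits damage to 10% of the building.
    alarm = Countermeasure("fire alarm", annual_cost=5_000, residual_aro=0.05, residual_ef=0.10)
    print("fire alarm net benefit:", net_benefit(750_000, fire_ef, 0.05, alarm))

    # SQL-injection example: the asset value is nebulous, so treat the $1M SLE as
    # asset value $1M with exposure factor 1.0; ARO 5%.
    ale_sqli = annualized_loss_expectancy(single_loss_expectancy(1_000_000, 1.0), 0.05)
    # Assumption: the WAF cuts the yearly chance of a successful injection from 5% to 1%.
    waf = Countermeasure("web application firewall", annual_cost=24_000, residual_aro=0.01)
    print("SQLi ALE:", ale_sqli, "WAF net benefit:", net_benefit(1_000_000, 1.0, 0.05, waf))
```

The residual figures are where the real argument happens: a $24K WAF that only cut the ARO from 5% to 4% would have a net benefit of -$14K, so the decision hinges on how much of the risk the control actually removes, not on the headline ALE.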
Quantitative: Useful or Not?
 Pro:
 Objective, independent process
 Credibility for audit and management (especially corporate management)
 Solid basis for evaluating the cost/benefit of countermeasures
 Quantitative risk assessment is the basis for insurance, risk-managed portfolios, etc.
Quantitative: Useful or Not?
 Cons
 In most cases, it is difficult to enumerate all types of events
and get meaningful data on probability and impact
 Very time consuming, costly to do right
 Many unknowns may give a false sense of control
 Not reliable for “rare” events or “unthinkable” impacts
Qualitative Approach
 Establish classes of loss values ("impact"), such as
 Low, medium, high
 Under $10K; between $10K and $1M; over $1M (used by at least one company)
 Type of loss: compromise of credit card #; compromise of SSN; compromise of highly personal data
 Minor injury; significant injuries; loss of life; large-scale loss of life
 Rank ordering
Qualitative Approach (Cont.)
 Establish classes of likelihood of compromise
 Low, medium, high likelihood
 Decide on a risk management approach to
 each combination of (class of loss, likelihood of loss)
 Focus on
 medium to high loss and/or medium to high likelihood items
Qualitative Approach
DoD classified information:
 CONFIDENTIAL
 “shall be applied to information, the unauthorized disclosure of which reasonably could be expected
to cause damage to the national security”
 SECRET
 “shall be applied to information, the unauthorized disclosure of which reasonably could be expected
to cause serious damage to the national security”
 TOP SECRET
 “shall be applied to information, the unauthorized disclosure of which reasonably could be expected
to cause exceptionally grave damage to the national security”
THINK LIKE AN ATTACKER
Attack Tree
Another way
 to visualize the current security posture of a system
Helps to identify
 the most vulnerable areas of the system and where to apply resources.
A method of
 building a database which describes the security state of the system
Attack Tree – How does it Work?
Represents
 the attacks and countermeasures as part of a tree structure
Root node
 is the goal of the attack.
 In a complex system there are probably many root nodes or goals.
Leaf nodes
 are the attacks
Basic Attack Tree - Example
AND Nodes and OR Nodes
"OR" nodes
 Represent different ways of achieving the same goal
 Example: to break into a house you can pick the lock or break the window
"AND" nodes
 Represent the steps that must all be taken to achieve a single outcome
 Example: to enter through a window you need to break the window AND climb through the opening.
Boolean Node Values
Once the tree is created
 Boolean values can be assigned to each node.
Example: probable vs. improbable
 Possible vs. impossible
Possible vs. Impossible Node Values
(Figure: the example tree with each node marked possible or impossible; an OR node is possible if any child is, an AND node only if every child is.)
Other Possible Boolean Node Values
Easy vs. Not Easy
Expensive vs. Not Expensive
Intrusive vs. Non-Intrusive
Legal vs. Illegal
Special Equipment Needed
(Figure: the example tree with each leaf marked for whether special equipment is needed.)
Continuous Node Values
Cost in $ to attack or defend
Time cost to achieve goal
Cost in resources to attack or defend
Cost of an Attack
Cheapest Attack
Attacks Less than $100K
Cheapest Attack Requiring No Special Equipment
Applying a Countermeasure – Cheapest Attack Requiring No Special Equipment now $60K (was $20K)
(Figures, one per slide, showing the example tree with a dollar cost on each leaf, the cheapest attack, the attacks under $100K, the cheapest attack needing no special equipment, and how a countermeasure raises that cost.)
Tree Construction
1) Identify Attack Goals
 Each Goal is a separate Attack Tree
2) Identify attacks against these goals
3) A database of attack trees
 can be developed and reused (plugged in)
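The label propagation described for threat trees ("propagated from leaves to root in the obvious manner") and the attack-tree queries on the preceding slides (cheapest attack, attacks under a budget, cheapest attack needing no special equipment, effect of a countermeasure) are the same computation: OR nodes take the cheapest child, AND nodes sum their children. The following is an added Python example, not lecture code; the house-break-in tree comes from the AND/OR slide, but its dollar costs and special-equipment flags are constructed assumptions, not the figures in the lecture's own tree.

```python
"""Attack tree / threat tree with AND-OR nodes and label propagation.

Added example (not from the lecture).  The house-break-in tree, its dollar
costs and the special-equipment flags are constructed for illustration.
OR nodes take the cheapest child, AND nodes sum their children: the
"obvious" propagation of labels from leaves to root.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# One concrete attack: total cost, the leaf steps it uses, and whether any
# of those steps needs special equipment.
Attack = Tuple[int, Tuple[str, ...], bool]


@dataclass
class Node:
    name: str
    kind: str = "leaf"                 # "leaf", "and" or "or"
    cost: int = 0                      # dollar cost of a leaf attack
    special_equipment: bool = False    # leaf needs special equipment
    children: List["Node"] = field(default_factory=list)

    def attacks(self) -> List[Attack]:
        """Enumerate every distinct way of reaching this node's goal."""
        if self.kind == "leaf":
            return [(self.cost, (self.name,), self.special_equipment)]
        if self.kind == "or":
            # Any one child suffices, so each child's attacks stand on their own.
            return [a for child in self.children for a in child.attacks()]
        if self.kind == "and":
            # Every child is required: combine one way per child, summing cost
            # and OR-ing the equipment flag.
            combos: List[Attack] = [(0, (), False)]
            for child in self.children:
                combos = [
                    (c + cc, steps + csteps, eq or ceq)
                    for c, steps, eq in combos
                    for cc, csteps, ceq in child.attacks()
                ]
            return combos
        raise ValueError(f"unknown node kind {self.kind!r}")

    def find(self, name: str) -> Optional["Node"]:
        """Locate a node by name anywhere in the subtree."""
        if self.name == name:
            return self
        for child in self.children:
            hit = child.find(name)
            if hit is not None:
                return hit
        return None


def attacks_under(root: Node, budget: int, no_special_equipment: bool = False) -> List[Attack]:
    """Attacks whose total cost is below the budget (optionally equipment-free), cheapest first."""
    return sorted(
        a for a in root.attacks()
        if a[0] < budget and not (no_special_equipment and a[2])
    )


def cheapest(root: Node, no_special_equipment: bool = False) -> Optional[Attack]:
    """Cheapest attack overall, or the cheapest one needing no special equipment."""
    candidates = [a for a in root.attacks() if not (no_special_equipment and a[2])]
    return min(candidates, key=lambda a: a[0]) if candidates else None


def apply_countermeasure(root: Node, leaf_name: str, new_cost: int) -> None:
    """Model a countermeasure as raising the cost of the leaf attack it defends against."""
    leaf = root.find(leaf_name)
    if leaf is None or leaf.kind != "leaf":
        raise KeyError(f"no leaf attack named {leaf_name!r}")
    leaf.cost = new_cost


def build_house_tree() -> Node:
    """Constructed example: the 'break into a house' tree from the slides,
    with illustrative costs (assumptions, not lecture figures)."""
    return Node("Enter house", "or", children=[
        Node("Pick lock", cost=20_000, special_equipment=True),
        Node("Enter through window", "and", children=[
            Node("Break window", cost=5_000),
            Node("Climb through opening", cost=1_000),
        ]),
        Node("Bribe occupant", cost=60_000),
    ])


if __name__ == "__main__":
    tree = build_house_tree()
    print("cheapest:", cheapest(tree))
    print("under $100K:", attacks_under(tree, 100_000))
    print("cheapest, no special equipment:", cheapest(tree, no_special_equipment=True))
    # Countermeasure: bars on the windows make breaking in that way far costlier.
    apply_countermeasure(tree, "Break window", 150_000)
    print("after countermeasure, cheapest no-equipment:", cheapest(tree, no_special_equipment=True))
```

Boolean labels (possible/impossible, legal/illegal) fit the same scheme: represent "impossible" as an absent leaf or an unreachable cost and the OR/AND rules propagate them unchanged. Note that a countermeasure only moves the cheapest attack if it hits the branch the attacker would actually take; raising the price of the bribe here would change nothing.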
Example – ACME Enterprises
ACME High Level Attack Tree
ACME – Expansion of Node
(Figures: the ACME high-level attack tree and the expansion of one of its nodes.)
CURRENT STATE OF NETWORK SECURITY
Malicious Code Evolution
(Table: one column per worm, one row per stage: Probe, Penetrate, Persist, Propagate, Paralyze.)

Morris (1988)
  Probe: Scan for fingerd
  Penetrate: Buffer overflow in fingerd
  Persist: Execute script to download code
  Propagate: Look for addresses and spread to new victim
  Paralyze: Lots of processes, slow system
Love Bug (2000)
  Probe: N/A
  Penetrate: Arrive as email attachment
  Persist: Create executables and edit registry
  Propagate: Open address book and email copies
  Paralyze: Worm spreads
Code Red (2001)
  Probe: Scan for IIS
  Penetrate: Buffer overflow in IIS
  Persist: Execute script to download code
  Propagate: Pick new addresses and spread to new victim
  Paralyze: Lots of threads, slow system
Slammer (2003)
  Probe: N/A
  Penetrate: Buffer overflow in SQL Server and MSDE
  Persist: N/A
  Propagate: Pick new addresses and spread to new victim
  Paralyze: Lots of packets, slow network
MyDoom (2004)
  Probe: N/A
  Penetrate: Arrive as email attachment
  Persist: Create executables and edit registry
  Propagate: Open address book and email copies
  Paralyze: Worm spreads
Zotob (2005)
  Probe: Scan for MS Directory Services
  Penetrate: Buffer overflow in UPnP service
  Persist: Create files, edit registry, download code
  Propagate: FTP and TFTP services; search for addresses and spread to new victim
  Paralyze: Delete registry keys and files, terminate processes
RPC DNS (2007)
  Probe: Scan for Endpoint Mapper
  Penetrate: Buffer overflow in RPC service
  Persist: Execute payload to download code
  Propagate: Look for addresses and spread to new victim
  Paralyze: Worm/Trojan spreads
MS08-067 (2008)
  Probe: Scan for MS Directory Services
  Penetrate: Buffer overflow in Server service; mapped and removable drives
  Persist: Create files, modify registry, download code; DNS hooking, kill processes, hot patch
  Propagate: Network share; web listener; peer-to-peer C&C; HTTP C&C
  Paralyze: Worm spreads
Changing Motivation
(Timeline 2002-2013: the motivation moves from notoriety and fame through money and organized crime to nation states.)
Notoriety: SQL Slammer; Netsky, Bagle
Fame: MyDoom, Zotob
Money / Organized Crime: Conficker
Nation States: Stuxnet
Bots for Sale$$$
CyberWarfare/Hacktivism
2007 – Estonian Cyberwar: Estonian government, banking, and media websites attacked
2008 – Russian-Georgian Conflict: Georgian government websites defaced or shut down. Attacks sourced from US and Russia
2008 – Whitehouse Attacks: unclassified emails exfiltrated through servers in Russia and China
2009 – JSF Breach: terabytes of JSF design and electronics systems stolen
2009 – US Power Grid Penetrated
2009 – Kyrgyzstan ISPs hit by DDoS attack
2010 – Google Attack
•Future conflicts more likely to include an Internet component
•Botnet activity likely to increase during conflicts
•Cyber-commands forming to counter the threat
Need to Stay Current!
Infragard
 http://www.nym-infragard.us
High Technology Crime Investigation Association
 http://www.htcia.org/
NY/NJ Electronic Crimes Task Force
 http://www.secretservice.gov/ectf_newyork.shtml
IEEE – Security and Privacy Magazine
Next Class
Attack Methods Part 1