Cyber Security

CIA – Confidentiality, Integrity, Availability (the three properties to protect for data and services)

Tools

Confidentiality
1. Encryption (encrypt and decrypt with a secret key)
2. Authentication (determination of identity; more effective when combined with other methods, i.e. several factors)
3. Authorization (access control policies: what an authenticated identity is allowed to do)
4. Physical security (limit access to, and physically protect, the resources)

Integrity
1. Checksums / hashes (map the contents of a file to a fixed-size numerical value; they detect accidental change, but an attacker who can modify the file can also recompute an unkeyed checksum, so deliberate tampering needs a keyed MAC or a digital signature)
2. Backups (restore a known-good copy after corruption)
3. Error-correcting codes (detect and repair small accidental changes)

Availability
1. Physical protections
2. Computational redundancies (spare computers and storage devices as fallbacks)

Types of security attacks
Any action that compromises the security of information. May be active or passive, targeting the confidentiality, integrity or availability of data.

Passive (observe only; hard to detect, so the emphasis is on prevention, e.g. encryption)
1. Eavesdropping / release of message contents (interception of information)
2. Traffic analysis (who talks to whom, how often and how much, even when the content is encrypted)

Active (modify data or the flow of data; hard to prevent absolutely, so the emphasis is on detection and recovery)
1. Alteration / Modification (unauthorized modification of data)
2. Denial of service (interruption of a data service)
3. Masquerading (pretending to be someone else)
4. Repudiation (denial of a commitment)

Security service
A service that enhances the security of data processing systems and information transfers. A security service makes use of one or more security mechanisms, which are designed to detect, prevent, or recover from a security attack.

Internet servers
1. SMTP (email)
2. ICQ (chat)
3. FTP (file)
4. NNTP (news)
5. HTTPS (secured web)

How it works: the user queries the server, the server searches for the data, the server receives the data, then the server responds to the user.

Multiple layers of security
1. Physical security – server protection (the earliest concern)
2. Personnel security
3. Operations security
4. Communications security
5. Network security
6. Information security
7. Cyber security (policies, practices, and technology put in place to transmit data via networks with reasonable assurance of safety)

* Balanced security allows reasonable access while still protecting against threats.
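Worked example of the checksum caveat above. This is an added illustration, not part of the original notes; the message, the shared key and the tampered payee are constructed for the demo. It shows that an unkeyed SHA-256 checksum catches a flipped bit but not an attacker who rewrites the file and recomputes the checksum, while an HMAC over the same data does.

```python
# Added example: plain checksum vs keyed MAC for integrity.
import hashlib
import hmac

# Constructed sample "file" content and a secret known only to the legitimate parties
# (assumption: the key was pre-shared out of band).
ORIGINAL = b"PAY 100.00 TO ALICE"
SECRET_KEY = b"shared-secret-key-for-demo"


def checksum(data: bytes) -> str:
    """Unkeyed checksum: maps the contents to a fixed-size hex value."""
    return hashlib.sha256(data).hexdigest()


def mac(data: bytes, key: bytes) -> str:
    """Keyed MAC: same idea, but cannot be recomputed without the key."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def checksum_verifies(data: bytes, expected: str) -> bool:
    # compare_digest avoids leaking where the two values differ via timing.
    return hmac.compare_digest(checksum(data), expected)


def mac_verifies(data: bytes, key: bytes, expected: str) -> bool:
    return hmac.compare_digest(mac(data, key), expected)


def accidental_corruption() -> bool:
    """A flipped bit in transit is caught: the stored checksum no longer matches."""
    stored = checksum(ORIGINAL)
    corrupted = bytes([ORIGINAL[0] ^ 0x01]) + ORIGINAL[1:]
    return checksum_verifies(corrupted, stored)


def tampering_against_checksum() -> bool:
    """Attacker changes the payee AND recomputes the checksum: it still verifies."""
    tampered = b"PAY 100.00 TO MALLORY"
    forged = checksum(tampered)  # anyone can compute this; no secret is involved
    return checksum_verifies(tampered, forged)


def tampering_against_mac() -> bool:
    """Without the key the attacker can only guess a tag; verification fails."""
    tampered = b"PAY 100.00 TO MALLORY"
    forged = hmac.new(b"attacker-guess", tampered, hashlib.sha256).hexdigest()
    return mac_verifies(tampered, SECRET_KEY, forged)


if __name__ == "__main__":
    print("bit flip caught by checksum:", not accidental_corruption())
    print("rewrite caught by checksum: ", not tampering_against_checksum())
    print("rewrite caught by MAC:      ", not tampering_against_mac())
```

The same reasoning applies to backups: a backup only helps if the copy you restore from was itself protected against modification.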
Process | People | Technology
- Process: development of policies (AUP / SUP) and their enforcement.
- People: need to know their responsibilities regarding the policies.
- Technology: employ systems that help with adherence to the policies.
* All three need to work hand in hand.

Computer crimes
One would require knowledge of computers in order to commit a computer crime.

Hackers / Attackers: someone who breaks in and uses a computer illegally (usually an outsider, but see disgruntled employees below).

Traditional hackers
1. Traditional hackers:
   - Driven by curiosity
   - Desire for power / recognition
2. Malware writers (programmers):
   - Usually not a crime to write malware, but a crime to release it
3. Script kiddies (malware users):
   - Use attack scripts written by experienced hackers (easy to use)
   - Limited knowledge and ability
   - Large in numbers
4. Disgruntled employees / ex-employees:
   - Steal confidential information
   - Sabotage systems (logic bomb)
   - Extensive access to restricted areas
   - Know how the system works and how to avoid detection

Criminal hackers (ALL ABOUT $$$)
- Shrinking numbers of hackers with traditional motives
- Increasing sophistication of attacks designed to generate funds

On the horizon
1. Cyber attacks by cyber terrorists
2. Cyber war between nations
3. Potential for massive attacks

Sources of liability exposure
1. Harassment / Discrimination
2. Privacy invasion
3. Disclosure of confidential information
4. Copyright infringement
5. Investment fraud

Liability exposure: unnecessary risk exposed to clients due to failure to take action to prevent harm. Risks cannot be eliminated but they can be minimized.

Why the response to cyber threats isn't that strong
1. Don't realize the value of assets.
2. Don't understand the components of cyber risk.
3. Rely too much on technology.
4. Not educated to make smart investments in technology.
5. Don't realize that people and their behaviours must be controlled to control exposure to risk.
Threats & Responses

Plan – Protect – Respond cycle
- Plan: risk analysis, comprehensive security, defence in depth.
- Protect: ongoing protection by access control.
- Respond: handling compromises / breaches.

Plan

Hacker profile
- Traditional: 13 – 18 years old, male, limited parental supervision, spends all his time at the computer.
- Modern: 12 – 60 years old, male / female, unknown background, varying skill levels, may be internal or external to the organization.

Patches
Pros
1. Best way to counter worms: a patch removes the vulnerability the worm exploits, whereas antivirus can only recognize worms it already knows.
Cons
1. Cannot be installed without first verifying (in a test environment) that it won't cause more damage than the hackers would.
2. May break important computer applications.

Legal actions: these are possible legal actions, but they are not taken against hackers:

3rd-party audits & assessments
- 'White hat' hackers
- Complete scan during the security audit
- Assessment of the ability to IDENTIFY, RESIST & RESPOND to attacks
- Data from the assessment presented with recommendations to improve policies & practices

Malware
- Viruses, worms, Trojans, logic bombs etc.
- Specific / Universal:
  - Specific: requires a specific vulnerability to be effective
  - Universal: always effective

File destruction & infection technique
1. Overwrite the original file (destroys it), or
2. Append to the original file (the infected file grows; slack space at the cluster tip may also be used)

File creation (FAT file system)
- Entry made in the FAT (the file's cluster chain)
- Directory entry made (name, attributes, link to the first FAT entry)
* Data written to the data area

File deletion
- FAT entries cleared, so the space on the hard drive becomes available
- First character of the directory entry changed to a special marker character (0xE5 in FAT)
* Nothing done to the data area: the contents stay on disk until overwritten, which is why deleted files can often be recovered and why secure deletion must overwrite the data area

File restoration
- FAT entries linked again
- First character of the directory entry changed back to a legal character
* Nothing done to the data area

Virus
- Programme that piggybacks on other executable programmes
- Not structured to exist by itself
- Executes when the host programme is executed

Characteristics
- Propagation / Migration: replication of the virus across a network or from file to file.
- Payload: damage-causing mechanism; may be harmless or cause severe file-system corruption.
- Signature: identifier by which AV software detects the virus.
- Trigger: action or condition that activates the virus.
- Detection avoidance: method used to conceal and disguise itself.

Types of virus
1. Armored (covered with protective code that resists disassembly)
2. Companion (does not modify the legitimate programme; places a file with the same name but a different extension that the OS runs first, e.g. .com before .exe)
3. Macro (attaches to document macros and spreads with the documents)
4. Multipartite (attacks in multiple ways, e.g. boot sector and files)
5. Phage (modifies other programmes; requires reinstallation to remove)
6. Polymorphic (changes its form to avoid signature detection)
7. Retrovirus (bypasses and may directly attack the AV programme)
8. Stealth (masks itself to avoid detection, redirects system calls and may move from file to file during a virus scan)

Virus transmission might:
1. Destroy the target system completely, or
2. Use the victim system as a carrier to infect other systems, eventually infecting and destroying the victim system.

Worm
- Crawls from system to system (WITHOUT ANY ASSISTANCE)
- Spreads and replicates on its own
- Creators seek out the system's vulnerabilities

Trojan horse
- Hides its malicious nature behind the façade of something useful
- Self-contained programme designed to perform malicious acts
- Disguises itself as a new capability
- Does not replicate by itself, but may be bundled with a mechanism to spread

Logic bomb
- Written by expert programmers who know the system well; lies dormant until a trigger condition

Hoax & Scam
- Aim to create widespread panic
- Annoying, unwanted, comes in large volumes

Malware damage
1. Deletion of files (virus & worm)
2. Corruption of files (virus & worm)
3. System unusable (virus & worm)
4. Overconsumption of resources (worm)
5. Denial of service (Trojan)
6. Network overload (worm)
7. Passing on & accessing privileged information (Trojan)

Denial of service vs. Distributed Denial of service
D.O.S.
- Attack on a network / server by flooding it with requests, so that it is not capable of answering all of them.
- Overloaded server.
Distributed D.O.S.
- Dozens / hundreds of compromised computers (zombies) do the flooding.
- Zombies loaded with DoS software.
- Remotely activated by the hacker to conduct a coordinated attack.

Social engineering
* Attacks on individuals
- Network intrusion technique based on trickery
- Fraudulently obtaining information in order to gain access
- Effective when the two parties don't know each other (easier to trick)
Prevention
- Educate users and staff on password security.

Identity theft
- Assuming the identity of another person
Prevention
- Safeguard personal information
- Monitor financial statements and accounts

Phishing
- Attempt to acquire sensitive information by deceiving users
- Typically carried out by email spoofing
- Directs the user to enter details at a fake website
- Social networking sites are prime targets

Recognizing phishing attacks
1. Deceptive web links (visible text differs from the actual destination)
2. Emails that look like websites
3. Fake sender's address
4. Generic greeting
5. Pop-up boxes and attachments
6. Urgent requests

AV software
- Primary method of preventing the propagation of malware
- Keep AV software updated, as the virus definition database is constantly updated
- Install AV software at gateways, servers and desktops
* LAYERED PROTECTION & EDUCATION

Digital Liability Management (DLM) Approach
- Protect against the occurrence of intrusion
- Provide a good defence when attacks occur
- Technology-centric strategies are weak without policies & practices; policy-centric strategies are weak without technology to monitor & enforce -> 4-tier approach

Why a 4-tier approach?
1. Business is about managing risk
2. Necessary defence in the event of litigation
3. Serious consequences for organizations that operate with negligent security controls

4-tier approach (TOP-DOWN approach***)
1. Senior management commitment & support + Security awareness
   - Make sure everyone knows the importance of security.
   - Show that cyber security is a core value.
   - Cyber security is usually not a high priority at board level, and security concerns are often disregarded when deploying new systems.
2. AUP (Acceptable Use Policies) & other statements of practice
   - Prevent misuse of email.
   - Defines the responsibilities of every user by specifying both acceptable and unacceptable actions of employees.
   - More about the AUP:
     About (duty of care)
     - The company cannot create unreasonable risk to others;
     - Must create a non-hostile working environment;
     - Must protect civil rights.
     Essentials
     - Well-written, comprehensive, up to date.
     - Provide evidence that the AUP is in force.
     - Employees acknowledge their understanding of the AUP.
     Benefits
     - Informs employees what they can and cannot do.
     - Minimizes damage to the company's competitive position.
     - Clarifies employees' expectations about personal use of company equipment.
     - Warns employees about the monitoring of their activities.
     - Outlines the consequences of non-compliance.
3. SUP (Secure Use Procedures)
   - Provide detailed examples of the practices to be encouraged.
   - Hardening networks:
     1. Shut down unnecessary services.
     2. Maintain permissions securely.
     3. Background checks.
     4. Enforce strong passwords: no default passwords, minimum 10 characters, mix of character types, password ageing (note: current NIST guidance favours length and screening against breached-password lists over forced periodic change).
     5. Review partner contracts.
     6. Audit and update software & licences.
4. Hardware, software & network security tools
   - Support the implementation and enforcement of AUPs and other policies.
* Implementing tier 4 only (a bottom-up approach) is NOT FEASIBLE.

Remote access

Virtual Private Network (VPN)
- Private and secure network connection over an unsecured, public network.
- Must accomplish: encryption of the data (the payload carried inside the tunnelled IP packet) and authentication of the user (and of the gateway).

Intrusion
- An attacker attempts to gain entry into, or disrupt the normal operations of, a system.
- Intrusion detection: detecting the intruder.
- Intrusion prevention: deterring the intrusion.
- Intrusion reaction: actions taken during the intrusion.
- Intrusion correction: restoring operations.

Intrusion Detection and Prevention Systems (IDPS)
- Detect a violation and raise an alarm.

Terminology
- Alert / Alarm: the system has been attacked or is still under attack.
- False negative: failed to react to an actual attack (the dangerous error).
- False positive: alert / alarm, but no actual attack (wastes analyst time and erodes trust in the alerts).
- Confidence value: measure of the IDPS's ability to detect and identify an attack correctly.
- Noise: noteworthy activity that is not an attack.
- Site policy: rules governing the implementation and operation of the IDPS.
- Site policy awareness: the IDPS's ability to modify site policies in response to environmental activity.
- False attack stimulus: an event that triggers an alarm without an actual attack (a false positive; used when testing the IDPS).
- True attack stimulus: a real attack, or a replay of one, which the IDPS cannot distinguish from a live attack.
- Alarm filtering: classifying alerts so that false positives can be sorted from actual attacks more efficiently.
- Alarm clustering (compaction): grouping almost identical alarms into a single higher-level alarm.

Types
- Network-based IDPS (NIDPS) & Host-based IDPS (HIDPS)

NIDPS
- Focused on protecting network information assets. A wireless version is available.
Advantages
- Few devices can monitor a large network.
- Passive; can be deployed into existing networks with little disruption.
- Not usually susceptible to direct attack.
- May not be detectable by attackers.
Disadvantages
- Can be overwhelmed by network volume and fail to recognize attacks.
- Requires access to all the traffic to be monitored.
- Cannot analyze encrypted traffic.
- Cannot confirm whether an attack was successful.
- Cannot discern some forms of attack easily (e.g. fragmented packets).

HIDPS
- Focused on monitoring the activities on a single system.
Advantages
- Can access information that is encrypted on the network, because it sees it after decryption on the host.
- Gives more confirmation of whether an attack was successful.
Disadvantages
- Management issues (one agent per host).
- Uses a large amount of disk space.
- Inflicts a performance overhead on the host.
- Vulnerable to both direct attacks and attacks against the host system.
- Susceptible to DoS attacks.

Detection
Signature-based
- Matches traffic against known signatures (widely used, as many attacks have clear and distinct signatures).
- The signature database must be continually updated because of new attack strategies; a new attack with no signature is missed.
Statistical anomaly-based
- Compares current statistics with a baseline of normal traffic.
- Triggers an alert when measured activity is outside the baseline parameters.
- Can detect new types of attack.
- Requires much more overhead and processing capacity.
- Generates many false positives.

Response
Active
- Collecting additional information.
- Modifying the network environment.
- Taking action against the intrusion.
Passive
- Setting off alarms.
- Collecting passive data.

Strengths & Limitations of IDPS
Strengths
- Monitor & analyze system events and user behaviours.
- Recognize system event patterns and match them with known attacks.
- Alert the appropriate staff during attacks.
- Allow non-security experts to perform security-monitoring functions.
Limitations
- Cannot compensate for weak security mechanisms.
- Cannot detect and respond to attacks during heavy network or processing load.
- Cannot effectively respond to sophisticated attacks.
- Cannot investigate an attack without human intervention.

Implementation
- Centralized: all control functions are implemented and managed in a central location.
- Fully distributed: control functions are applied at the physical location of EACH IDPS component.
- Partially distributed: combines both; a hierarchical central control.

Deployment
- Balance between requirements and impacts.
- NIDPS & HIDPS in tandem.

Honey pots
- Encourage the attacker to stay long enough for administrators to respond.
- Divert the attacker from accessing critical systems.
- Honey nets: a collection of honey pots.
- Padded cell: a protected honey pot that is not easily compromised; attackers cannot cause harm here.
Pros
- Divert attackers to areas where damage can't be done.
- Allow time to work out response methods.
- The attacker's actions can be easily monitored to improve the system's protections.
- Effective in catching insiders snooping around a network.
Cons
- Legal implications are not well defined.
- High level of expertise needed to run the system.
- May lead to a more hostile attack by the same attacker.

Trap & Trace system
- Combines detection & tracing back to the source.
- Honey pot / Padded cell + Alarm
* Legal to entice attackers by placing attractive information in key locations, but illegal to lure (entrap) an individual into committing a crime they would not otherwise have committed.

Scanning & Analysis tools
- Used to collect the information an attacker needs to launch an attack (and, by defenders, to find the same weaknesses first).

Attack protocol
- Footprinting: organized research of the Internet addresses owned or controlled by the target organization.
- Fingerprinting: systematic survey of all the active systems collected during footprinting (services, versions, OS).

Firewall analysis tools
- Identify open or poorly configured firewall rules and help the network defender minimize the risk from attacks.

Vulnerability scanners
- Active: scan the network and initiate traffic to determine holes.
- Passive: listen on a network and determine vulnerable software from the traffic seen.

Packet sniffers
- Collect and analyze copies of packets from the network.
- Useful to diagnose and resolve network issues.
- In the wrong hands, used for eavesdropping on network traffic.
- Legally, the administrator must be under the direct authorization of the network owners.

Biometric Access Control
- Recognition of some human trait as authentication of identity.
- The trait must be truly unique, e.g. retina, iris, fingerprint, voice, facial geometry etc.
Effectiveness
- False reject rate: rejection of legitimate users (annoyance).
- False accept rate: acceptance of unknown users (security failure).
- Crossover error rate (CER): the intersection point when the two rates are graphed against sensitivity; a lower CER means a better system.

Classical ciphers
- Work factor (hrs): amount of effort required to perform cryptanalysis on an encrypted message.

Substitution cipher
- Substitutes one value for another.
- Monoalphabetic: uses one substitution alphabet.
- Polyalphabetic: uses 2 or more alphabets.
- Vigenère cipher: polyalphabetic cipher with a repeating keyword (described by Giovan Battista Bellaso, 1553); the repeating key is its weakness.

Transposition cipher
- Easy to understand.
- Difficult to decipher if properly used.
- Rearranges the values (letters) to create ciphertext without changing them.

Vernam cipher (one-time pad)
- Each character is converted to a number and combined with a key character of the same length, then converted back (Gilbert Vernam, 1917).
- Despite being listed alongside transposition, it is a substitution; it is unbreakable only if the key is truly random, as long as the message, and never reused.
Biometric acceptability
- Balance between acceptability (what users will tolerate) and effectiveness.

Book / Running key cipher
- Uses the text of a book (dictionary / thesaurus) as the key.

Cryptography

Hash(ing) functions
- Mathematical algorithms that generate a fixed-size message summary (digest) used to confirm that no content has changed; one-way, and unkeyed, so on their own they prove integrity only against accidental change.

Definitions
- Encrypt: convert plaintext into unreadable ciphertext with an algorithm and key.
- Decrypt: convert ciphertext back to plaintext with the algorithm and key.
- Cryptanalysis: obtaining the original message from the ciphertext without the key (the algorithm itself is assumed to be known).
- Algorithm: the formula used to convert between unencrypted and encrypted messages.
- Key / Cryptovariable: information used in conjunction with the algorithm to create the ciphertext.
- Cryptosystem / Cipher: the method used to convert unencrypted messages to encrypted ones.
- Code: transformation of larger components (words, phrases) of the unencrypted message into encrypted components.
- Link encryption: a series of encryptions and decryptions at each hop until the final destination (data is in the clear at every intermediate node).

Symmetric encryption
- Uses the same key to encipher and decipher the message.
- Efficient encryption, minimal processing.
- Both sender and receiver must possess the key, so key distribution is the hard part.
* Data Encryption Standard (DES): 64-bit block size / 56-bit key (too short today)
* Triple DES (3DES): applies DES three times for more security
* Advanced Encryption Standard (AES): replaces both DES and 3DES

Asymmetric encryption
- A.k.a. public-key encryption.
- Uses 2 different but related keys: the public key encrypts and the private key decrypts (for signatures the roles are reversed: the private key signs, the public key verifies).
* RSA algorithm (developed by Rivest, Shamir, Adleman, 1977)

Encryption key size
- For a sound algorithm, strength is measured by key size (each extra bit doubles the brute-force work).
- Cryptosystem security depends on keeping the keys secret, not on keeping the algorithm secret.

Public-key infrastructure (PKI)
- Integrated system of software, certificates and procedures to enable secured communications.
- Based on public-key cryptosystems.

Digital signatures
- Verification of information transferred using an electronic system.
- Nonrepudiation: verifies that the message was sent by the sender and thus cannot be refuted.
- Digital Signature Standard (DSS).
- Man-in-the-middle attacks (see Attacks) can be prevented with digital signatures / authenticated key exchange.
Attacks

Types of attacks
1. Brute force attack: tries every possible key.
   - Dictionary attack: tries all words in a dictionary (effective against weak, human-chosen passwords).
2. Man-in-the-middle attack: the attacker sits between the parties, decrypts the original message and re-encrypts it for the recipient.
3. Correlation attack: a collection of brute-force methods used to deduce statistical relationships between the key and the ciphertext.
4. Timing attacks (not very effective): analyze typing patterns and inter-keystroke timings to discern sensitive information. (In cryptography the term more commonly means measuring how long an operation takes in order to infer key bits.)

Protection
- Focus more on the management of people than on technology.
- Encryption software.

Steganography
- Hiding information inside image / audio files.

Secured network

Internet
- Secure Sockets Layer (SSL): public-key encryption to establish the session, symmetric encryption for the data; superseded by TLS.
- Secure Hypertext Transfer Protocol (S-HTTP): an extended version of HTTP that secures individual messages. It is distinct from HTTPS (HTTP carried over SSL/TLS), which is what is actually deployed.

Email
- Secure/Multipurpose Internet Mail Extensions (S/MIME).
- Pretty Good Privacy (PGP):
  - Designed in 1991 by Phil Zimmermann.
  - Chooses the best available algorithms.
  - Freeware & low-cost commercial versions are available.

Wireless networks
- Wired Equivalent Privacy (WEP): broken; should not be used.
- Wi-Fi Protected Access (WPA): upgrade of WEP (WPA2 / WPA3 are the current replacements).

Internet Protocol Security (IPSec)
- Open standard for securing communications using encryption across any IP-based network.
- Protects data integrity (and confidentiality) at the IP packet level.

Physical security
1. ID cards & badges
   - Information access control
   - A simple form of access control (something you have, not a biometric)
   - Tailgating is the typical problem
2. Mantrap
   - Entry point with a different exit point
   - Someone denied entry is not allowed to exit until a security official overrides the locks
3. Electronic monitoring
   - CCTV
   - Does not prevent access / prohibit activity
   - Often not monitored in real time
4. Alarms / Alarm systems
   - Notify when an event occurs

Fire
- Fire suppression systems: detect & respond to fires
- Flame point: temperature of ignition
- Fire extinguishers: Class A to D, depending on the type of fire
  - Class A: fires of ordinary combustible fuels.
  - Class B: fires fuelled by combustible liquids or gases.
  - Class C: fires involving energized electrical equipment or appliances.
  - Class D: fires fuelled by combustible metals.
* Can be combined with sprinkler / gaseous systems.

Power
- Avoid overloading, which can cause circuits to trip.
- Ground fault circuit interrupter (GFCI): capable of quickly interrupting a circuit to save lives.
- Uninterruptible power supply (UPS):
  - Online: the UPS is the primary power source, with batteries constantly recharged (no switch-over gap).
  - Offline / Standby: the battery is offline until a power interruption is detected, then it switches over.

Mobile & Portable systems
- Require more security (laptops / PDAs leave the building).
- Control and support the security and retrieval of lost / stolen laptops.

Information security

Information security project planning
- Financial considerations:
  - CBA (cost-benefit analysis)
  - Benchmark against the expenses of similar organizations.
- Priority considerations:
  - Implement the most important steps first.
- Time & scheduling:
  - Allow for training time.
- Staffing:
  - Qualified, trained personnel required.
- Scope:
  - Time / effort needed.
  - Should not attempt to implement the entire security system at once.
- Procurement:
  - Product, price, vendor reputation.
- Training:
  - Training programmes or a pilot approach.
* Choice of whether or not to outsource information security programmes.

Security & Personnel

Staffing the information security function
- Selection of personnel based on criteria.
- High demand for information security staff.
- Qualifications & requirements: source technically qualified information security professionals, as technical skills are required when working on security applications and processes.

Things to do
- Avoid revealing access privileges to prospective employees: advise HR to limit the information provided on responsibilities & access rights.
- Background checks:
  - Identity check: validation of identity.
  - Educational & credential checks: validation of institutions and degrees / certifications.
  - Previous employment.
  - Reference check: validate the integrity of the reference sources.
  - Civil court history.
  - Criminal court history.

Termination
Hostile
- All access terminated before the employee is aware.
- Surrenders all company property.
- Escorted out of the building.
Friendly
- Employee notified well in advance of the departure date.
- Access continues with a new expiration date.
- May come and go at will.
* Offices and information used by the employee must be inventoried.

Non-employees
- Temporary employees
- Contract employees
- Consultants
- Business partners

Internal control strategies
- Separation of duties: stipulates that completion of a significant task requires at least two people, so a single insider cannot complete a fraud alone.
- Collusion: unscrupulous workers conspiring to carry out unauthorized tasks (the way separation of duties is defeated).
- Two-man control: two individuals review and approve each other's work before submission.
- Job rotation: employees know each other's job scope, so no one becomes indispensable and irregularities surface when someone else takes over.
- Least privilege: ensures that no unnecessary access to data exists; only the individuals who must access the data have access to it.