Uploaded by Tay Wen Jie

Legendary EE8084 Summary Sheet

advertisement
Cyber Security:
CIA – Confidentiality, Integrity, Availability (to
protect data & services)
Tools:
Confidentiality
1. Encryption (encrypt & decrypt with secret
key)
2. Authentication (determination of identity,
more effective when combined with other
methods)
3. Authorization (access control policies)
4. Physical security (limit access & protect
resources physically)
Integrity
1. Checksums (mapping contents of a file to a
numerical value)
2. Backups
3. Data correcting codes (detection of small
changes)
Availability
1. Physical protections
2. Computational redundancies (computers &
storage devices as fallbacks)
Types of security attacks:
Any action that compromises the security of
information. May be active or passive,
targeting at the confidentiality, integrity or
availability of data.
Active
1. Eavesdropping (interception of info)
2. Alteration / Modification (unauthorized
modification to data)
3. Denial of service (interruption of data
service)
4. Masquerading (pretending to be someone
else)
5. Repudiation (denial of a commitment)
Passive
1. Release of message content
2. Traffic analysis
Security service:
A service that enhances the security of data
processing systems and information transfers.
A security service makes use of one or more
security mechanisms, which are designed to
detect, prevent, or recover from a security
attack.
Internet servers:
1. SMTP (email)
2. ICQ (chat)
3. FTP (file)
4. NNTP (news)
5. HTTPS (secured)
How it works
User queries server, server searches for data,
server receives data, then server responses to
user.
Multiple layers of security:
1. Physical security – server protection (early
times)
2. Personal security
3. Operations security
4. Communications security
5. Network security
6. Information security
7. Cyber security (policies, practices, and
technology put in place to transit data via
networks with reasonable assurance of
safety)
* Balanced security allows reasonable access
and still protect against threats.
Process | People | Technology:
Process: Development of policies (AUP/SUP)
and enforce them.
People: Need to know their responsibilities
regarding polices.
Technology: Employ systems to help in the
adherence to policies.
* All need to work hand in hand.
Computer crimes:
One would require the knowledge of
computers in order to commit a computer
crime.
Hackers / Attackers:
An outsider who breaks in and uses a
computer illegally.
Traditional hackers
1. Traditional hackers:
- Driven by curiosity
- Desire for power/recognition
2. Malware writers (programmers):
- Usually not a crime to write malwares but
a crime to release malwares
3. Script kiddies (malware user):
- Use attack scripts written by experienced
hackers (easy to use)
- Limited knowledge and ability
- Large in numbers
4. Disgruntled employees/ex-employees:
- Steal confidential info
- Sabotage systems (logic bomb)
- Extensive access to restricted areas
- Knowledge on how system works and to
avoid detection
Criminal hackers (ALL ABOUT $$$)
- Shrinking numbers of hackers with
traditional motives
- Increase sophistication of attacks to
generate funds via attacks
On the horizon hackers
1. Cyber attacks by cyber terrorists
2. Cyber war by nations
3. Potential for massive attacks
1.
2.
3.
4.
5.
Harassment / Discrimination
Privacy invasion
Disclosure of confidential information
Copyright infringement
Investment fraud
Liability exposure
Unnecessary risk exposed to clients due to
failure of taking actions to prevent harm. Risks
cannot be eliminated but they can be
minimized.
Why response to cyber threats isn’t that strong
1. Don’t realize the value of assets.
2. Don’t understand the components of cyber
risk.
3. Rely too much on technology.
4. Not educated to make smart investments
in technology.
5. Don’t realize that people and their
behaviours must be controlled to control
exposure to risk.
Threats & Responses
Plan – Protect – Respond cycle
Plan
Hacker profile:
Traditional
13 – 18 years old, male with limited parental
supervision, spends all time at computer.
Modern
12 – 60 years old, male/female, unknown
background, varying skill levels, may be
internal/external to an organization.
Patch
Pros
1. Best way to counter worms instead of antivirus.
Cons
1. Cannot be installed without first verifying
that it won’t cause more damage than
hackers.
2. May destroy important computer
applications.
Legal actions:
These are possible legal actions but they are
not taken against hackers:
Respond
Protect
Plan: Risk analysis, comprehensive security,
defensive in depth.
Protect: Ongoing protection by access control.
Respond: Compromises / Breaches
3rd party audits & assessments
• ‘White’ hackers
• Complete scan during security audit
• Assessment on ability to IDENTIFY,
RESIST & RESPOND to attacks
• Data from assessment presented with
recommendations to improve policies &
practices
Malware
- Viruses, worms, Trojans, logic bombs etc.
- Specific / Universal
Specific
Requires a specific vulnerability to be effective
Universal
Always effective
File destruction & infection technique
1. Overwrite original file or
2. Append to original file (cluster tip)
File creation
- Entry made into FAT
- Directory entry made (link to FAT)
* Data written to Data Area
File deletion
- FAT entry removed and space on hard drive
becomes available
- First character of directory entry changed to
special character
* Nothing done to data area
File restoration
- FAT entry linked again
- First character of directory entry changed to
legal character
* Nothing done to data area
Virus
- Programme that piggybacks on other
executable programmes
- Not structured to exist by itself
- Executes when host programme is executed
•
•
•
•
•
Characteristics
Propagation / Migration:
Replication of the virus over a network.
Payload:
Damage-causing mechanism; may be
harmless or cause severe file system
corruption.
Signature:
Identifier of a virus detected by AV software.
Trigger:
Action that activates the virus.
Detection avoidance:
Method to conceal and disguise.
Types of virus
1. Armored (covered with protective code)
2. Companion (attaches to legitimate
programme, different filename extension)
3. Macro (attaches to macro and spread)
4. Multipartite (attacks in multiple ways)
5. Phage (modifies other programmes, requires
reinstallation to remove)
6. Polymorphic (changes form to avoid
detection)
7. Retrovirus (bypasses and may directly attack
AV programme)
8. Stealth (masks itself to avoid detection,
redirects commands and may move around
from file to file during virus scan)
Virus transmission might:
1. Destroy target system completely or
2. Use victim system as carrier to infect other
sources, eventually infecting victim system
and destroy it completely.
Worm
- Crawls from system to system (WITHOUT
ANY ASSISTANCE)
- Spreads and replicates on its own
- Creators seek out system’s vulnerabilities
Trojan horse
- Hides malicious nature behind the façade of
something useful
- Self-contained programme designed to
perform malicious acts
- Disguises itself as a new capability
- May contain mechanism to spread
Logic bomb
- Done by expert programmers who know the
system well
Hoax & Scam
- Aim to create widespread panic
- Annoying, unwanted, comes in large volumes
Malware damage
1. Deletion of files (virus & worm)
2. Corruption of files (virus & worm)
3. System unusable (virus & worm)
4. Overconsumption of resources (worm)
5. Denial of services (Trojan)
6. Network overload (worm)
7. Passing on & accessing privilege info (Trojan)
Denial of service vs. Distributed Denial of
service
D.O.S.
Distributed D.O.S.
- Attack on
- Dozens/Hundreds of
network/server by
computers are
flooding it with
compromised
requests resulting in a (zombies).
response, which is not - Zombies loaded with
capable at matching
DoS softwares.
all requests.
- Overloaded server.
- Remotely activated
by hacker to conduct
coordinated attack.
Social engineering
* Attacks on individuals
- Network intrusion technique based on
trickery
- Fraudulently obtaining info to gain access
- Effective when two parties don’t know each
other (easier to trick)
Prevention
- Educate users and staffs on password
security.
Identity theft
- Assuming identity of another person
Prevention
- Safeguard info
- Monitor financial statements and accounts
Phishing
- Attempt to acquire sensitive info by deceiving
users
- Typically carried out by email spoofing
- Directs user to enter details at fake websites
- Social networking sites are prime targets
Recognizing phishing attacks
1. Deceiving web links
2. Emails that look like websites
3. Fake sender’s address
4. Generic greeting
5. Popup boxes and attachments
6. Urgent requests
AV software
- Primary method of preventing propagation of
malwares
- Keep AV softwares updated as definition
database of virus is constantly updated
- Install AV software at gateways, servers and
desktops
*LAYERED PROTECTION & EDUCATION
Digital Liability Management (DLM)
Approach
- Protect against occurrence of intrusion
- Provide good defense when attacks occur
- Technology-centric strategies are weak
without policies & practices; Policy-centric
strategies are weak without technology to
monitor & enforce -> 4-tier approach
Why 4-tier approach?
1. Business is about managing risk
2. Necessary defense in event of litigation
3. Serious consequences for organizations that
operate with negligent security controls
4-tier approach (TOP-DOWN approach***)
1. Senior management commitment &
support + Security awareness
- Make sure everyone knows the importance
of security.
- Show that cyber security is a core value.
- Cyber security is usually not of high priority
at board level and security concerns are often
disregarded when employing new systems.
2. AUP (Acceptable use policies) & other
statements of practice
- Prevent misuse of emails.
- Defines responsibilities of every user by
specifying both acceptable and unacceptable
actions of employees.
- More about AUP:
About
Essentials
Benefits
* Duty of care
->
- Company
cannot create
unreasonable
risk to
others;
- Create a
non-hostile
working
environment;
- Protection
of civil rights.
- Well-written,
comprehensive,
up to date.
- Provide
evidence of
AUP in force.
- Acknowledge
understanding
of the AUP.
- Informs employees
what they can and
cannot dominimizes damage
to company’s
competitive
position.
- Clarifies
employees’
expectations about
personal use of
company
equipment.
- Warn employees
about the
monitoring of their
activities.
- Outline
consequences of
non-compliance.
3. SUP (Secure use procedures)
- Providing detailed examples of practices to
be encouraged.
- Hardening networks:
1. Shut down unnecessary services.
2. Maintain permissions securely.
3. Background checks.
4. Enforce strong passwords- no default
passwords, min. 10 characters, use
different symbols, password ageing.
5. Review partner contracts.
6. Audit and update software & licenses.
4. Hardware, software & network security
tools
- Support the implementation and
enforcement of AUPs and other policies.
*Implementing tier 4 only – bottom up
approach is NOT FEASIBLE.
Remote access
Virtual Private Network (VPN)
- Private and secure network connection using
unsecured and public network.
- Must accomplish: encryption of data (within
IP packet) and authentication of user.
Intrusion
- Attacker attempts to gain entry into or
disrupt normal operations of a system.
- Intrusion detection: Detection of intruder.
- Intrusion prevention: Deter intrusion.
- Intrusion reaction: Actions during intrusion.
- Intrusion correction: Restoration of
operations.
Intrusion Detection and Prevention Systems
(IDPS)
- Detect violation and activate alarm.
•
•
•
•
•
•
•
•
•
Terminology
Alert/Alarm: system has been attacked / still
under attack.
False negative: failed to react to actual attack.
False positive: alert/alarm but no actual
attack.
Confidence value: IDPS’s ability to detect and
identify attacks correctly.
Noise: noteworthy activities (but not attacks).
Site policy: rules governing implementation
and operation of IDPS.
Site policy awareness: IDPS’s ability to modify
site policies in response to environmental
activity.
False attack stimulus: trigger alarm -> false
positive (testing of IDPS)
True attack stimulus: replay of real attack
(indistinguishable for IDPS)
•
•
Alarm filtering: classifying alerts to sort false
positives from actual attacks more efficiently.
Alarm clustering (compaction): grouping
almost identical alarms into a single higherlevel alarm.
Types
- Network-based IDPS (NIDPs) & Host-based
IDPS (HIDPs)
NIDPs
HIDPs
Focused on protecting
Focused on
network information
monitoring
assets. Wireless version
activities on a
available.
system.
Advantages
- Few devices to monitor - Can access
a large network.
encrypted
- Passive; can be
information.
deployed into existing
- More confirmation
networks with little
if attack is
disruption.
successful.
- Not usually susceptible
to direct attack.
- May not be detectable
by attackers.
Disadvantages
- Overwhelmed by
- Management
network volume and fail issues.
to recognize attacks.
- Use large amount
- Requires access to all
of disk space.
traffic monitored.
- Inflict
- Cannot analyze
performance
encrypted info.
overhead charges.
- Cannot confirm if
- Vulnerable to both
attack is successful.
direct attacks and
- Cannot discern some
attacks against host
forms of attacks easily.
system.
- Susceptible to DoS
attacks.
Detection
Signature-based
- Match known
signatures (widely
used as many
attacks have clear
and distinct
signatures).
- Database of
signatures must be
continually
updated due to
Statistical anomaly-based
- Compare statistics with
normal traffic.
- Triggers alert when
measured activity is
outside baseline
parameters.
- Detect new types of
attacks.
- Requires much more
overhead and processing
new attack
strategies.
capacity.
- Generate many false
positives.
Response
Active
- Collecting
additional info.
- Modify network
environment.
- Take action
against intrusion.
Passive
- Setting off alarms.
- Collective passive data.
Strengths & Limitations of IDPS
Strengths
- Monitor & analyze
system events and
user behaviours.
- Recognize system
event patterns and
matching with known
attacks.
- Alerting appropriate
staff during attacks.
- Allow non-security
experts to perform
security-monitoring
functions.
Limitations
- Cannot compensate
for weak security
mechanisms.
- Cannot detect and
respond to attacks
during heavy network
or processing load.
- Cannot effectively
respond to
sophisticated attacks.
- Cannot investigate
attack without human
intervention.
Implementation
Centralized
Fully
distributed
Partially
distributed
All control functions are
implemented and managed in
a central location.
Control functions applied at
physical location of EACH
IDPS component.
Combines both; A
hierarchical central control.
Deployment
- Balance between requirements and impacts.
- NIDPS & HIDPS in tandem.
Honey pots
- Encourage attack to stay long enough for
administrators to respond.
- Divert attacker from accessing critical
systems.
- Honey nets: A collection of honey pots.
- Padded cell: Protected honey pot, which is not
easily compromised. Attackers do not cause
harm here.
Pros
- Divert attackers to areas
where damage can’t be done.
- Allow time to brainstorm
on respond methods.
- Attacker’s actions can be
easily monitored to improve
system’s protections.
- Effective in catching
insiders snooping around a
network.
Cons
- Legal
implications
are not well
defined.
- High level of
expertise to run
system.
- May lead to a
more hostile
attack by the
same attacker.
Trap & Trace system
- Combine detection & tracing back to source.
- Honey pot / Padded cell + Alarm
*Legal to entice attackers by attracting
attention by placing info in key locations but
illegal to luring an individual to commit a
crime.
Scanning & Analysis tools
- Used to collect the info the attacker needs to
launch an attack.
Attack Protocol
Footprinting
- Organized research of Internet addresses
owned or controlled by target organization.
Fingerprinting
- Systematic survey of all active systems
collected during footprinting.
Firewall Analysis tools
- Close up open/poorly configured firewall and
help network defender minimize risk from
attacks.
Vulnerability scanners
Active
Scan network and
initiate traffic to
determine holes.
Passive
Listen in a network
and determine
vulnerable softwares.
Packet sniffers
- Collect and analyze copies of packets from
network
- Useful to diagnose and resolve network
issues.
- In wrong hands, it is used for eavesdropping
on network traffic.
- Legally, administrator must be under direct
authorization of network owners.
Biometric Access Control
- Recognition of some human trait as
authentication of identity.
- Trait must be truly unique. E.g. retina, iris,
fingerprint, voice, and facial geometry etc.
- Work factor (hrs): amount of effort required
to perform cryptanalysis on an encrypted
message.
Substitution cipher
- Substitute one value for another.
- Monoalphabetic- uses one alphabet.
- Polyalphabetic- uses 2 or more alphabets.
- Vigenère cipher- advanced cipher that uses
simple polyalphabetic code (Invented by
Giovan Battista Bellaso, 1553).
Effectiveness
- False reject rate: rejection of legitimate access
- False accept rate: acceptance of unknown
users
- Crossover error rate (CER): the intersection
point when rates are graphed.
Transposition cipher
- Easy to understand.
- Difficult to decipher if properly used.
- Rearrange values to create ciphertext.
- Vernam cipher- character converted to
number and converted back (reinvented by
Vernam in 1917).
Acceptability
- Balance between acceptability and
effectiveness.
Book / Running key cipher
- Uses text in book (dictionary / thesaurus) as
key
Cryptography
Hash(ing) functions
- Mathematical algorithms that generate
message summary to confirm no content has
changed.
Definitions
- Encrypt: unreadable from without algorithm.
- Decrypt: convert ciphertext back to plaintext
with algorithm.
- Cryptanalysis: obtain original message from
encryption without algorithms.
- Algorithms: formula used to convert
unencrypted and encrypted messages.
Key / Cryptovariable: information used in
conjunction with algorithm to create
ciphertext.
Cryptosystem / Cipher: method to convert
unencrypted to encrypted messages.
Code: transformation of larger components of
unencrypted message into encrypted
components.
- Link encryption: series of encryptions and
decryptions until final destination.
Symmetric encryption
- Uses same key to encipher and decipher
message.
- Efficient encryption.
- Minimal processing.
- Both sender and receiver must process key.
* Data Encryption Standard (DES): 64-bit block
size / 56-bit key
* Triple DES (3DES): more security
*Advanced encryption standard (AES): replace
both DES and 3DES.
Asymmetric encryption
- A.k.a. public-key encryption.
- Uses 2 different but related keys- private
(decrypts) and public (encrypts).
* RSA algorithm (developed by Rivest, Shamir,
Adleman, 1977)
Encryption key size
- Strength of encryption measured by key size.
- Cryptosystem security depends on keeping
keys secret.
Public-key infrastructure (PKI)
- Integrated system of softwares to enable
secured communications.
- Based on public-key cryptosystems.
Digital signatures
- Verification of info transferred using
electronic system.
- Nonrepudiation: verifies that message was
sent by the sender and thus cannot be refuted.
- Digital signature standard (DSS)
- Can be prevented with digital signatures.
3. Correlation attack:
- Collection of brute force attacks to deduce
statistical relationship between key and
ciphertext.
4. Timing attacks: (not very effective)
- Analyze typing patterns and inter-keystroke
timings to discern sensitive info.
Protection
- Focus more on management of people than
technology.
- Encryption software.
Steganography
- Hiding info in image / audio files.
Secured network
Internet
• Secure socket layer (SSL): public key
encryption.
• Secure hypertext transfer (S-HTTP): extended
version of hypertext transfer. S-HTTP is the
application of SSL over HTTP.
Email
• Secure multipurpose Internet mail extensions
(S/M/ME).
• Pretty good privacy (PGP):
- Designed in 1991 by Phil Zimmermann.
- Chooses best available algorithms.
- Freeware & low cost commercial versions
are available.
•
•
Wireless networks
Wired Equivalent Privacy (WEP)
Wi-Fi Protected Access (WPA)- upgrade of
WEP
Internet protocol security (IPSec)
• Open source protocol to secure
communications using encryption across any
IP-based network.
• Protect data integrity at IP packet level.
Attacks
Types of attacks
1. Brute force attack:
- Dictionary attacks- tries all words in the
dictionary.
2. Man-in-the-middle attack:
- Attacker decrypts and encrypts original
message.
Physical security
1. ID cards & badges
- Info access control
- Simple form of biometrics
- Tailgating (typical problem)
2. Mantrap
- Entry point & different exit point
- Denied entry is not allowed to exit till
security official overrides locks
3. Electronic monitoring
- CCTVs
- Does not prevent access / prohibit activity
- Often not monitored in real time
4. Alarms / Alarm systems
- Notify when event occurs
•
Fire
Fire suppression systems: Detect & Respond
to fires
•
Flame point: Temperature of ignition
•
Fire extinguishers: Class A to D, depending on
type of fire
A Fires of ordinary combustible fuels.
B Fires fueled by combustible liquids or
gases.
C Fires with energized electrical equipment
of appliances.
D Fires fueled by combustible metals.
* Can be combined with sprinkler / gaseous
systems.
Power
- Avoid overloading, which can cause circuit
tripping.
- Ground fault circuit interrupter (GFCI),
capable of quickly interrupting circuits to save
lives.
- Uninterruptible power supply (UPS):
• Online: Primary power source, with
batteries constantly recharged.
• Offline/Standby: Offline battery backup
that detects power interruption.
Mobile & Portable systems
- Requires more security (for laptops/PDAs).
- Control and support security and retrieval of
lost/stolen laptops.
Info security
Info security project planning:
• Financial considerations:
- CBA (cost benefit analysis)
- Benchmark expenses of similar
organizations.
•
Priority considerations:
- Implement important steps first.
•
Time & scheduling:
- Configuration of training time.
•
Staffing:
- Qualified, trained personnel required.
•
Scope:
- Time/effort needed.
- Should not attempt to implement entire
security system at once.
•
Procurement:
- Product, Price, Vendor reputation.
•
Training:
- Training programmes or pilot approach.
* Choice to outsource or not to on information
security programmes.
Security & Personnel
Staffing the information security function:
• Selection of personnel based on criteria.
• High demand for info security.
• Qualifications & requirements- source for
technically qualified and info security
professionals as technical skills are required
when working on security applications and
processes.
Things to do
• Avoid revealing access privileges to
prospective employees- advise HR to limit
info provided on responsibilities & access
rights.
• Background checks:
- Identity check- validation of identity.
- Educational & credential checks- validation
of institutions and degrees/certifications.
- Previous employment.
- Reference check- validate integrity of
reference sources.
- Civil court history.
- Criminal court history.
Termination
Hostile
- All access terminated before
employee is aware.
- Surrenders all company
properties.
- Escorted out of the building.
Friendly - Employee notified well in
advance of departure date.
- Access with new expiration date.
- Come and go at will.
* Offices and info used by employee must be
inventoried.
Non-employees
- Temporary employees
- Contract employees
- Consultants
- Business partners
Internal control strategies
- Separation of duties: stipulates that
completion of significant tasks requires at
least two people.
- Collusion: unscrupulous workers conspiring
to commit unauthorized tasks.
- Two-man control: two individuals review
and approve each other’s work before
submission.
- Job rotation: employees know each other’s
job scope.
- Least privilege: ensures that no unnecessary
access to data exists and only individuals who
must access have.
Download
Random flashcards
State Flags

50 Cards Education

Countries of Europe

44 Cards Education

Art History

20 Cards StudyJedi

Sign language alphabet

26 Cards StudyJedi

Create flashcards