Cybercrimes and
Cybersecurity
Overview of Network Components
• A network can be as simple as a single cable connecting two computers or as complex as a collection of networks that span the globe.
• Network infrastructure contains 3 broad categories of network components:
– Devices: end devices (clients and servers) and intermediate devices (switches, routers, gateways, …)
– Media: guided (wired) and unguided (wireless)
– Services or applications
Definitions of Cyberspace/Cyberworld
Cyberspace is the space that combines humans with machines.
This includes all business and personal use of computer-based devices, including hardware, software, and networks of military, government, commercial, general-purpose, and embedded systems, …
Definitions of Cybercrime
1. Cybercrime is crime that prevents a human from using his machine.
2. It is crime that is committed or facilitated via the Internet and its protocols.
3. Cybercrime is any criminal activity involving computers (hardware and software) and networks.
4. It can range from fraud to unsolicited email (spam).
5. It can include remote theft of government or corporate secrets through criminal trespass into remote systems around the globe.
6. Cybercrime incorporates anything from downloading illegal music files to stealing millions of dollars from online bank accounts.
7. Cybercrime also includes non-monetary offenses, such as planting viruses on other computers or posting confidential business information on the Internet.
Definition of Cybersecurity
Cybersecurity
This concept refers to the discipline of ensuring that ICT systems are protected from attacks and incidents, whether malicious or accidental, that threaten the integrity, availability, or confidentiality of data, including attempts to illegally exfiltrate sensitive data or information out of the boundaries of an organization.
Cybersecurity combines people, processes, and technology to continually monitor vulnerabilities and respond proactively to secure the system.
Cybersecurity is a highly technical, specialized field.
The confidential nature of data stored in accounting systems puts increasing pressure on accounting professionals to understand IT security.
10 Domains of Cybersecurity
(ISC)2, the International Information Systems Security Certification Consortium (the slide lists the ten domains of its Common Body of Knowledge; the list itself did not survive extraction)
Definition of Cybercrimes
Cybercrimes: crimes connected to information assets and IT.
Cyberlaws: laws and regulations to prevent, investigate, and prosecute
cybercrimes.
Cyber forensics: involves collecting, examining, and preserving
evidence of cybercrimes.
Cybercrime
93% of electronic records threats were in the financial services industry.
90% of threats were tied to organized crime.
Successful breaches typically involve an attacker exploiting a mistake made by the victim organization.
Definitions of Cybersecurity and Data Protection
Data protection
This notion refers to the tools and processes used to store data relevant to
a certain ICT system or environment, as well as recover lost data in case
of an incident - be it fraudulent, accidental or caused by a natural disaster.
Threats, Vulnerabilities, and Risks
A threat agent gives rise to the types of attackers and attacks companies face.
Figure (reconstructed from the slide), read as a chain:
Threat agent → gives rise to → Threat → exploits → Vulnerability → leads to → Risk → can damage → Asset → and causes → Exposure → can be countered by → IT Security
• Network attack vectors include:
– Internal threats
– External threats
• The attacks can be structured or unstructured.
What Makes it Worse?
“Over 75% of hacking is done by insiders and it’s easy to see why. The person on the inside is on the right side of the firewall—they know the computer systems and they have access to the passwords.”
System Penetration Probability of Success
Figure (reconstructed from the slide): probability that a penetration attempt succeeds, by entry point:
1. From inside the system
2. Through a telephone line (dial-up modem): 75% succeed
3. From the Internet: 65% succeed
4. WLAN radio transmission (wireless access point): 100% succeed
Evolution of Security Threats
• The early users of the Internet did not spend much time thinking about
whether or not their online activities presented a threat to the network
or to their own data.
• More people rely on the network for their personal, financial, and
business needs.
Cyberattacks
• Many types of attacks can be made on computer systems
– Viruses
– Identity theft
– Theft of personal information
– Unauthorized use of your computer
Cyberattacks Evolution
Generation (era) | Threats | Target and scope of damage | Time to impact
1st Gen (1980s) | Boot viruses | Individual computer | Weeks
2nd Gen (1990s) | Macro viruses, e-mail, DoS, limited hacking | Individual networks | Days
3rd Gen (today) | Network DoS, blended threats (worm + virus + Trojan), turbo worms, widespread system hacking, site defacing | Multiple networks | Minutes
Next Gen (future) | Infrastructure hacking, flash threats, massive worm-driven DDoS, damaging-payload viruses and worms, cyber terrorism, information war | Regional networks to global infrastructure | Seconds
Attacks Keep Getting Easier
(Slide screenshot: “Connected to www.test.com”.)
Examples of Threats to Cybersecurity: Hackers, Crackers, Intruders, and Attackers
Cybersecurity Attackers: the underground community
• Intruders
• Crackers
• Hackers
• Eavesdroppers
• Virus makers
• Sneakers
• Cyberpunks
Cybersecurity Attackers
• Defining the word “hacker”:
– General term that has historically been used to describe a computer programming expert.
– Internet programmers who try to gain unauthorized access to devices on the Internet.
– Individuals who run programs to prevent or slow network access for a large number of users, or to corrupt or wipe out data on servers.
Cybersecurity Attackers
• White hat (ethical hacking)
– Term used to describe individuals that use their abilities to find vulnerabilities in systems or networks, and then report these vulnerabilities to the owners of the system so that they can be fixed.
• Black hat
– Term for individuals that use their knowledge of computer systems to break into systems or networks that they are not authorized to use.
• Hacker
– General term that has historically been used to describe a computer programming expert.
• Cracker
– Term that describes someone who attempts to gain unauthorized access with malicious intent.
Cybersecurity Attackers
• Phreaker
– An individual that manipulates the phone network to cause it to perform a function that is normally not allowed, such as making free long-distance calls.
• Spammer
– Individual that sends large quantities of unsolicited email messages.
– Spammers often use viruses to take control of home computers to send out their bulk messages.
• Phisher
– Individual who uses email or other means in an attempt to trick others into providing sensitive information, such as credit card numbers or passwords.
Security Vulnerabilities for Sale
• Anyone can buy (or freely download) attack tools to take over computers.
View hacking tools by category: http://sectools.org/wireless.html
Application-Specific Scanners | Password Crackers | Encryption Tools | Disassemblers | Firewalls | Intrusion Detection Systems | Netcats | OS Detection Tools | Packet Crafting Tools | Port Scanners | Rootkit Detectors | Security-Oriented Operating Systems | Packet Sniffers | Vulnerability Exploitation Tools | Traceroute Tools | Traffic Monitoring Tools | Vulnerability Scanners | Web Vulnerability Scanners | Wireless Tools
Threats Are More Dangerous; Easier to Use
Figure (reconstructed from the slide): from 1980 to 2010 the sophistication of hacker tools rises while the technical knowledge required to use them falls from high to low. The tools appear in roughly this order: password guessing, self-replicating code, password cracking, exploiting known vulnerabilities, disabling audits, back doors, hijacking sessions, sweepers, sniffers, packet forging/spoofing, stealth diagnostics, DDoS, Internet worms.
Code Red Worm Attack
What is “Code Red”?
– Code Red was a self-propagating worm carrying a denial-of-service payload. It was released on July 19, 2001, attacked web servers globally, infected over 350,000 hosts, and in turn affected millions of users.
“Code Red”
• Code Red:
– Defaced web pages.
– Disrupted access to the infected servers and the local networks hosting the servers, making them very slow or unusable.
– Network professionals responded slowly with system patches, which only made the problem worse.
What Did It Do?
• The Code Red worm attempted to connect to TCP port 80 on a randomly chosen host, assuming that a web server would be found.
• Upon a successful connection to port 80, the attacking host sent a crafted HTTP GET request to the victim, attempting to exploit a buffer overflow in the Indexing Service ISAPI extension of Microsoft IIS (the flaw fixed by Microsoft bulletin MS01-033, published about a month before the outbreak).
• The same exploit (HTTP GET request) was sent to other randomly chosen hosts due to the self-propagating nature of the worm.
• However, depending on the configuration of the host that received this request, the consequences varied.
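The request shape described above is recognisable in ordinary web-server logs. The following is an added example, not code from the original slides: it scans Common Log Format lines for the worm's GET to /default.ida? with its long run of filler bytes (N for Code Red, X for the later Code Red II variant) followed by %u-encoded shellcode. The log lines in SAMPLE_LOG are constructed for this example.

```python
"""Detect Code Red style probes in web-server access logs.

Added example (not from the original slides). Scans Common Log Format lines for
the request shape Code Red sent: GET /default.ida? followed by a long run of
'N' filler bytes (Code Red) or 'X' (Code Red II), then %u-encoded shellcode.
The log lines in SAMPLE_LOG are constructed for this example.
"""
import re
from collections import Counter

# One Common Log Format line: host ident user [time] "request" status size
CLF_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Code Red's request: GET /default.ida? + >=100 filler bytes + %uXXXX-encoded shellcode.
CODE_RED_RE = re.compile(
    r'^GET /default\.ida\?(?P<filler>N{100,}|X{100,})(?P<shellcode>(?:%u[0-9a-fA-F]{4})+)'
)


def classify_request(request):
    """Return 'CodeRed', 'CodeRedII' or None for one request line."""
    m = CODE_RED_RE.match(request)
    if not m:
        return None
    return "CodeRed" if m.group("filler")[0] == "N" else "CodeRedII"


def scan_log(lines):
    """Yield (source host, variant, HTTP status) for every line matching the worm signature."""
    for line in lines:
        m = CLF_RE.match(line)
        if not m:
            continue
        variant = classify_request(m.group("req"))
        if variant:
            yield m.group("host"), variant, int(m.group("status"))


def summarize(lines):
    """Hit count, breakdown by variant and the distinct attacking hosts."""
    hits = list(scan_log(lines))
    return {
        "hits": len(hits),
        "by_variant": dict(Counter(v for _, v, _ in hits)),
        "sources": sorted({h for h, _, _ in hits}),
    }


# Constructed sample: one Code Red probe, one Code Red II probe, two benign requests.
SHELLCODE = "%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3"
SAMPLE_LOG = [
    '198.51.100.7 - - [19/Jul/2001:10:14:02 +0000] "GET /default.ida?'
    + "N" * 224 + SHELLCODE + '%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 200 1080',
    '203.0.113.9 - - [19/Jul/2001:10:14:05 +0000] "GET /index.html HTTP/1.1" 200 2326',
    '192.0.2.44 - - [04/Aug/2001:02:11:40 +0000] "GET /default.ida?'
    + "X" * 224 + SHELLCODE + ' HTTP/1.0" 404 312',
    # a short query on the same path is not the worm: the filler is what overflows the buffer
    '203.0.113.9 - - [19/Jul/2001:10:15:01 +0000] "GET /default.ida?NNNN HTTP/1.0" 404 312',
]

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

A 200 on the probe line is the worrying case: the Indexing Service extension answered, so the host was exposed; a 404 means the .ida handler was not mapped and the request fell through harmlessly.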
How is the Code Red worm stopped?
• The worm resides entirely in memory; therefore, a reboot of the
machine purges it from the system.
• However, patching the system for the underlying vulnerability remains
imperative because the likelihood of re-infection is quite high due to
the rapid propagation of the worm.
• Network security professionals should develop and implement
security policies that include a process to continually review
security advisories and patches.
Code Red–A good thing?
• Code Red was a wake-up call for network administrators. It made it
very apparent that network security administrators must patch their
systems regularly.
• If security patches had been applied in a timely manner, the Code Red
worm would only merit a footnote in network security history.
Worms
Worms Characteristics
• Worms are a particularly dangerous
type of hostile code.
• They replicate themselves by
independently exploiting
vulnerabilities in networks.
• Worms usually slow down networks.
• Worms do not require user
intervention, and can spread extremely
fast over the network.
Data Theft and Identity Theft
• Preventing data theft
– The theft of data is one of the largest causes of financial loss due to an attack
• Thwarting identity theft
– Identity theft involves using someone’s personal information to establish bank
or credit card accounts
• Cards are then left unpaid, leaving the victim with the debts and ruining their credit rating
Credit Card Theft
ATM Passwords
In 2008, these men (pictured on the slide) used default passwords to reprogram ATM machines to hand out $20 bills as if they were $1 bills.
ATM Theft
Phishing Attacks
• Phishing refers to the process of “fishing” for accounts and passwords by
setting up a fake user interface such as a website that appears to be real and
sending an e-mail message to trigger people to log on.
• For example, you may receive an e-mail message stating that your eBay
account needs to be updated for some reason. You click the embedded link in
the message and what appears to be the eBay logon page appears. You enter
your account name and password and receive an error message that you typed
your password incorrectly. When you click the link to try again, you get in and
update the information as requested.
• What really happened is that a hacker sent you an e-mail containing a link to a
web page that they created to mimic exactly the appearance of the eBay site.
When you typed in your user account and password, they were recorded and
then you were redirected to the legitimate web page, so the second time you
entered your password, it worked.
PHISHING
Web Defacements
Decomposing a Web Site Defacement
• A web site defacement consists of four key elements:
1) A system with a vulnerability is identified and exploited, allowing unauthorized access by a malicious third party
2) Existing web pages are modified or replaced with new text or graphics, or a web server and content of the attacker’s choice are installed (if the system didn’t already have a web server on it)
3) The modified site is publicized/confirmed by an independent third party
4) Something happens (or not). What is it that an attacker might hope to accomplish as a result of a web site defacement?
Cybersecurity Demos
1- TCP/IP protocol
2- Kevin Mitnick, hacker
Characteristics of the IP Protocol: IP – Best Effort Delivery
IP is a best-effort delivery protocol. IP is considered “unreliable” because it does not guarantee that all packets that are sent will be received.
Unreliable means that IP does not have the capability to manage and recover from undelivered, corrupt, or out-of-sequence packets.
If packets are missing or not in the correct order at the destination, upper-layer protocols/services (such as TCP) must resolve these issues.
Network Segmentation
• Reduces overall network traffic and improves network performance.
• Enables an administrator to implement security policies such as which subnets are allowed or not allowed to communicate together.
Figures on the slides: Communicating between Networks; Subnetting by Location; Subnetting by Device Type.
Cyber-Security Threats
Viruses: Viruses infect computers through email attachments and file sharing. They delete files, attack other computers, and make your computer run slowly. One infected computer can cause problems for all computers on a network.
Hackers: Hackers are people who “trespass” into your computer from a remote location. They may use your computer to send spam or viruses, host a web site, or do other activities that cause computer malfunctions.
Identity Thieves: People who obtain unauthorized access to your personal information, such as Social Security and financial account numbers. They then use this information to commit crimes such as fraud or theft.
Spyware: Spyware is software that “piggybacks” on programs you download, gathers information about your online habits, and transmits personal information without your knowledge. It may also cause a wide range of other computer malfunctions.
1. Technological weaknesses
Weakness | Description
TCP/IP protocol weaknesses | Weaknesses, threats, and security problems related to the insecure design of the TCP/IP protocol suite: SYN floods, SYN-FIN floods, IP spoofing, denial of service, session hijacking, RIP spoofing, …; ICMP is used by many reconnaissance and attack tools; HTTP, FTP, Simple Network Management Protocol (SNMP), Simple Mail Transfer Protocol (SMTP), … are not secure applications (they carry credentials and data in cleartext).
Operating system weaknesses | UNIX, Linux, Macintosh, Windows, and OS/2 operating systems all have security problems that must be addressed and covered by service packs (patches).
Network equipment weaknesses | Network equipment, e.g. routers, firewalls, and switches, has security weaknesses that must be recognized and protected against. These weaknesses include: password protection; lack of authentication; routing protocols; firewall holes; configuration weaknesses.
2. Configuration weaknesses
Weakness | Description
Unsecured user accounts | User account information might be transmitted insecurely across the network, exposing usernames and passwords to snoopers.
System accounts with easily guessed passwords | This common problem is the result of poorly selected and easily guessed user passwords.
Misconfigured Internet services | A common problem is turning on JavaScript in web browsers, enabling attacks by way of hostile JavaScript when accessing untrusted sites. IIS, Apache, FTP, and terminal services also pose problems.
Unsecured default settings within products | Many services and products have default settings that enable security holes.
1.2 Viruses, Worms, and Trojan Horses
Malware
Malware (malicious software) is spread throughout an enterprise system by email, fake advertisements, Internet downloads, and shared drives.
Malware includes: viruses, bots, worms, logic bombs, Trojan horses, and spam (as a carrier).
Malware
Bots (short for robots): a small piece of code that installs itself on a zombie (infected computer). Bots monitor the zombie computer, transmit information back to the master (the hacker’s computer), and take commands from it.
Malware
Viruses: a small computer program that infects other application software by attaching itself to the application and disrupting the application’s function. Antivirus software can detect and remove known viruses.
Logic bombs: malware that executes when a specified event happens within the computer, for example when the user logs into his or her bank account.
Trojan horses: malware disguised as a legitimate program that may be downloaded and installed by users without realizing it is malicious.
Spam: unsolicited bulk email. It is a common carrier for malware, so a spam message can deliver a virus, bot, logic bomb, worm, or Trojan horse.
Viruses: Primary Vulnerabilities for End User Devices
• A virus is malicious software that is attached to another program
to execute a particular unwanted function on a user’s
workstation.
• A worm executes arbitrary code and installs copies of itself in
the infected computer’s memory, which infects other hosts.
• A Trojan horse is different only in that the entire application
was written to look like something else, when, in fact, it is an
attack tool.
Viruses
Comparison of a Human Virus and a Computer Virus
Worm Components
• Enabling vulnerability
• A worm installs itself using an exploit vector on a vulnerable system.
• Propagation mechanism
• After gaining access to devices, a worm replicates and selects new
targets.
• Payload
• When the device is infected with a worm, the attacker has access to
the host, often as a privileged user.
• Attackers could use a local exploit to escalate their privilege level to
administrator.
Worm and Virus Exploit and Comparison
• Probe phase:
– Vulnerable targets are identified using ping scans.
– Application scans are used to identify operating systems and vulnerable software.
– Hackers obtain passwords using social engineering, dictionary attacks, brute force, or network sniffing.
• Penetrate phase:
– Exploit code is transferred to the vulnerable target.
– The goal is to get the target to execute the exploit code through an attack vector, such as a buffer overflow, ActiveX or Common Gateway Interface (CGI) vulnerabilities, or an email virus.
• Persist phase:
– After the attack is successfully launched in memory, the code tries to persist on the target system.
– The goal is to ensure that the attacker’s code is running and available to the attacker even if the system reboots.
– Achieved by modifying system files, making registry changes, and installing new code.
Worm and Virus Exploit and Comparison
• Propagate phase:
– The attacker attempts to extend the attack to other targets by looking for vulnerable neighboring machines.
– Propagation vectors include emailing copies of the attack to other systems, uploading files to other systems using file shares or FTP services, active web connections, and file transfers through Internet Relay Chat.
• Damage/Paralyze phase:
– Actual damage is done to the system.
– Files can be erased, systems can crash, information can be stolen, and distributed denial-of-service (DDoS) attacks can be launched.
Trojan Horse Concept
▪ A Trojan horse is a program that appears, to the
user, to perform a desirable function but, in
fact, facilitates unauthorized access to the user's
computer system.
▪ Trojan horses can appear to be useful or
interesting programs, or at the very least
harmless to an unsuspecting user, but are
actually harmful when executed.
▪ Trojan horses are not self-replicating which
distinguishes them from viruses and worms.
Trojan Horse Classification
▪ Remote-access Trojan horse: enables unauthorized remote access
▪ Data-sending Trojan horse: provides the attacker with sensitive data, such as passwords
▪ Destructive Trojan horse: corrupts or deletes files
▪ Proxy Trojan horse: the user’s computer functions as a proxy server
▪ FTP Trojan horse: opens port 21 (FTP) for the attacker
▪ Security software disabler Trojan horse: stops antivirus programs or firewalls from functioning
▪ DoS Trojan horse: slows or halts network activity
Spoofing
Definition:
An attacker alters his identity so that someone thinks he is someone else
– Email, user ID, IP address, …
– The attacker exploits trust relationships between users and networked machines to gain access to machines
Types of spoofing:
1. IP spoofing
2. Email spoofing
3. Web spoofing
IP Spoofing – Flying-Blind Attack
Definition:
Attacker uses the IP address of another computer to acquire information or gain access
Figure (reconstructed from the slide): the attacker (10.10.50.50) sends packets to ALY (10.10.5.5) with From Address: 10.10.20.30 (the spoofed address) and To Address: 10.10.5.5. Replies are sent back to 10.10.20.30, not to the attacker.
• The attacker changes his own IP address to the spoofed address
• The attacker can send messages to a machine masquerading as the spoofed machine
• The attacker cannot receive messages from that machine
IP Spoofing – Source Routing
Definition:
Attacker spoofs the address of another machine and inserts itself between the attacked machine and the spoofed machine to intercept replies
Figure (reconstructed from the slide): the attacker (10.10.50.50) sends packets to ALY (10.10.5.5) with From Address: 10.10.20.30 and To Address: 10.10.5.5. Replies are sent back to 10.10.20.30, but the attacker intercepts the packets on their way to 10.10.20.30.
• The path a packet takes may vary over time
• To ensure that he stays in the loop, the attacker uses source routing (an IP option that lets the sender dictate the route) to ensure that the packet passes through certain nodes on the network
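The perimeter countermeasure to both spoofing variants is a source-address check on every interface, with the drop logged. The following is an added example, not code from the original slides: the check is the BCP 38 rule (no internal source may arrive from outside, no foreign source may leave), plus an outright drop of packets carrying an IP source-route option. The address space 10.10.0.0/16, the interface names, timestamps and packets are constructed for the example. Note that the attacker in the figures (10.10.50.50) sits inside the same network as its target, where the perimeter never sees the traffic; there the same source check has to be applied per port on the access switch.

```python
"""Ingress/egress filtering: the firewall rule that defeats the spoofing above.

Added example, not from the original slides. A packet arriving on the external
interface with a source address from our own address space can only be forged,
so it is dropped and logged; a packet leaving the internal interface with a
foreign source means our network is being used to launch spoofed attacks, and
is dropped too (the BCP 38 rule). Packets carrying an IP source-route option
are dropped outright, which closes the source-routing variant. Prefixes,
interfaces, timestamps and packets are constructed for the example.
"""
import ipaddress
from datetime import datetime, timezone

INTERNAL = [ipaddress.ip_network("10.10.0.0/16")]   # our address space (assumption)
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]


def in_any(networks, ip):
    return any(ip in net for net in networks)


class IngressFilter:
    def __init__(self, internal=INTERNAL):
        self.internal = internal
        self.log = []

    def check(self, iface, src, dst, source_routed=False, ts=None):
        """iface is 'external' or 'internal'. Returns 'pass' or 'drop'; every drop is logged."""
        s = ipaddress.ip_address(src)
        if source_routed:
            reason = "IP source-route option present"
        elif in_any(BOGONS, s):
            reason = "bogon source address"
        elif iface == "external" and in_any(self.internal, s):
            reason = "internal source address arriving from outside (spoofed)"
        elif iface == "internal" and not in_any(self.internal, s):
            reason = "foreign source address leaving our network (egress spoof)"
        else:
            return "pass"
        ts = ts or datetime.now(timezone.utc).isoformat(timespec="seconds")
        self.log.append(f"{ts} DROP iface={iface} src={src} dst={dst} reason={reason}")
        return "drop"


# Constructed packets: the flying-blind spoof from the figure as seen at the perimeter,
# a genuine external client, a source-routed packet, a normal outbound packet, an outbound spoof.
SAMPLE = [
    ("external", "10.10.20.30", "10.10.5.5", False, "2001-07-19T10:14:02+00:00"),
    ("external", "198.51.100.7", "10.10.5.5", False, "2001-07-19T10:14:03+00:00"),
    ("external", "198.51.100.7", "10.10.5.5", True, "2001-07-19T10:14:04+00:00"),
    ("internal", "10.10.5.5", "198.51.100.7", False, "2001-07-19T10:14:05+00:00"),
    ("internal", "192.0.2.9", "198.51.100.7", False, "2001-07-19T10:14:06+00:00"),
]


def run(samples=SAMPLE):
    """Apply the filter to the sample packets; return the verdicts and the drop log."""
    fw = IngressFilter()
    verdicts = [fw.check(i, s, d, source_routed=r, ts=t) for i, s, d, r, t in samples]
    return verdicts, fw.log
```

The egress half matters as much as the ingress half: a network that lets forged sources out is the one the flying-blind attacker launches from.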
Email Spoofing
Definition:
Attacker sends messages masquerading as someone else
What can the repercussions be?
Types of email spoofing:
1. Create an account with a similar email address
– Samy@yahoo.com: a message from this account can fool users who know a similarly named sender
2. Modify a mail client
– The attacker can put any return address he wants in the mail he sends
3. Telnet to port 25
– Most mail servers use port 25 for SMTP. The attacker connects to this port and composes a message for the user, typing the SMTP commands (including any sender address) by hand.
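What the attacker types on port 25, and the check that catches the obvious case, as an added example that is not part of the original slides. The toy server below accepts the same commands a hand-typed session uses; it records the envelope sender (MAIL FROM) separately from the From: header in the message, because SMTP never ties the two together and the attacker controls both. The check compares the sender domains with each other and with the HELO name, which is the alignment test a real mail server performs as part of DMARC (the SPF/DMARC DNS lookups are out of scope here). Session transcripts, domains and addresses are constructed.

```python
"""Why "telnet to port 25" spoofing works, and the check that catches the obvious case.

Added example, not from the original slides. The toy SMTP server below accepts
the same commands an attacker would type by hand; it records the envelope sender
(MAIL FROM) separately from the From: header inside the message, because the
protocol never ties the two together and the attacker controls both. The
session transcripts, domains and addresses are constructed for the example.
"""
import email
from email import policy


def run_smtp_session(client_lines):
    """Feed the client's commands to a toy server; return (transcript, session state)."""
    transcript = ["S: 220 mail.example.com ESMTP"]
    session = {"helo": None, "mail_from": None, "rcpt_to": [], "data": [], "in_data": False}
    for line in client_lines:
        transcript.append("C: " + line)
        if session["in_data"]:
            if line == ".":                       # end of message
                session["in_data"] = False
                transcript.append("S: 250 OK queued")
            else:                                 # undo dot-stuffing
                session["data"].append(line[1:] if line.startswith("..") else line)
            continue
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            session["helo"] = arg.strip()
            transcript.append("S: 250 mail.example.com")
        elif verb == "MAIL":                      # MAIL FROM:<envelope sender>
            session["mail_from"] = arg.split(":", 1)[1].strip().strip("<>")
            transcript.append("S: 250 OK")
        elif verb == "RCPT":                      # RCPT TO:<recipient>
            session["rcpt_to"].append(arg.split(":", 1)[1].strip().strip("<>"))
            transcript.append("S: 250 OK")
        elif verb == "DATA":
            session["in_data"] = True
            transcript.append("S: 354 End data with <CR><LF>.<CR><LF>")
        elif verb == "QUIT":
            transcript.append("S: 221 Bye")
        else:
            transcript.append("S: 500 Command not recognised")
    return transcript, session


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower()


def check_alignment(session):
    """Compare the envelope sender and HELO name with the From: header the user will see."""
    msg = email.message_from_string("\n".join(session["data"]), policy=policy.default)
    header_from = msg["From"].addresses[0].addr_spec if msg["From"] else ""
    envelope_from = session["mail_from"] or ""
    hdr_domain, env_domain = domain_of(header_from), domain_of(envelope_from)
    problems = []
    if hdr_domain != env_domain:
        problems.append(f"header From domain {hdr_domain} does not match envelope sender domain {env_domain}")
    helo = (session["helo"] or "").lower()
    if helo != hdr_domain and not helo.endswith("." + hdr_domain):
        problems.append(f"HELO name {helo} is not under the header From domain {hdr_domain}")
    return {"envelope_from": envelope_from, "header_from": header_from, "problems": problems}


# Constructed attacker session: the commands typed after "telnet mail.example.com 25".
SPOOFED_SESSION = [
    "HELO attacker.example",
    "MAIL FROM:<anyone@attacker.example>",
    "RCPT TO:<victim@example.com>",
    "DATA",
    "From: Bank Security <security@bank.example>",
    "To: victim@example.com",
    "Subject: Urgent: confirm your account",
    "",
    "Please log in at the link below to keep your account active.",
    ".",
    "QUIT",
]

# The same message as the legitimate owner of bank.example would send it.
LEGIT_SESSION = [
    "HELO mail.bank.example",
    "MAIL FROM:<security@bank.example>",
    "RCPT TO:<victim@example.com>",
    "DATA",
    "From: Bank Security <security@bank.example>",
    "To: victim@example.com",
    "Subject: Statement available",
    "",
    "Your statement is ready.",
    ".",
    "QUIT",
]
```

Only the From: header reaches the user's mail client; the envelope sender and HELO name are visible to the receiving server alone, which is why the check has to run there.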
Web Spoofing
• Basic
– Attacker registers a web address matching an entity, e.g. egygovern.com
• Man-in-the-Middle Attack
– Attacker acts as a proxy between the web server and the client
– Attacker has to compromise the router or a node through which the relevant traffic flows
• URL Rewriting
– Attacker redirects web traffic to another site that is controlled by the attacker
– Attacker writes his own web site address before the legitimate link
• Tracking State
– When a user logs on to a site, a persistent authentication is maintained
– This authentication can be stolen for masquerading as the user
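The link tricks from the phishing example earlier (a fake logon page reached from an e-mail link) and from the basic and URL-rewriting cases above can be checked mechanically. The following is an added example, not code from the original slides: it extracts every link from a constructed HTML e-mail and reports why a link looks like a spoof. ebay.com is the trusted site because the phishing slide uses it; attacker.example and account-verify.example are made up, and the two-label "registered domain" helper is a simplification labelled as such in the code.

```python
"""Link checks for the phishing and web-spoofing tricks described above.

Added example, not part of the original slides. It extracts every link from a
constructed HTML e-mail and reports why a link is suspicious: the visible text
names one host but the href goes elsewhere; the trusted name is only a label
inside an attacker-registered domain (lookalike); "user@host" syntax hides the
real host behind an @; or the genuine URL is appended after an attacker URL
(URL rewriting). ebay.com is used as the trusted site because the slide does;
attacker.example and account-verify.example are made up.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

TRUSTED = {"ebay.com"}  # registered domains the user really has accounts with (assumption)
HOSTLIKE = re.compile(r"^(?:https?://)?([A-Za-z0-9.-]+\.[A-Za-z]{2,})(?:/\S*)?$")


def registered_domain(host):
    """Crude eTLD+1 (last two labels); fine for the demo, use a public-suffix list in production."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def analyze_url(url):
    """Return the reasons this URL looks like a spoof (empty list if none)."""
    reasons = []
    parts = urlsplit(url)
    host = parts.hostname or ""
    if parts.username is not None:
        reasons.append(f"userinfo trick: '{parts.username}@' hides the real host {host}")
    tail = parts.path + ("?" + parts.query if parts.query else "")
    if "http://" in tail or "https://" in tail:
        reasons.append("url rewriting: a second URL is embedded after the real host")
    rd = registered_domain(host)
    if rd not in TRUSTED:
        for trusted in TRUSTED:
            brand = trusted.split(".")[0]
            if brand in host.lower():
                reasons.append(f"lookalike: host {host} contains '{brand}' but its domain is {rd}")
    return reasons


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> in the document."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyze_email(html):
    """Return one finding per link: href, visible text and the list of reasons."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        reasons = analyze_url(href)
        shown = HOSTLIKE.match(text)
        real_host = urlsplit(href).hostname or ""
        if shown and registered_domain(shown.group(1)) != registered_domain(real_host):
            reasons.append(f"display text says {shown.group(1)} but the link goes to {real_host}")
        findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


# Constructed phishing e-mail: three tricks and one genuine link.
SAMPLE_EMAIL = """
<p>Your account needs updating: <a href="http://www.ebay.com@attacker.example/">www.ebay.com</a></p>
<p>Or sign in at <a href="http://attacker.example/http://www.ebay.com/signin">https://www.ebay.com/signin</a></p>
<p><a href="https://www.ebay.com.account-verify.example/login">Update your eBay account</a></p>
<p>Genuine link: <a href="https://signin.ebay.com/">signin.ebay.com</a></p>
"""

if __name__ == "__main__":
    for f in analyze_email(SAMPLE_EMAIL):
        print(f["href"], "->", f["reasons"] or "ok")
```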
Web Spoofing – Tracking State
• The web site maintains authentication so that the user does not have to authenticate repeatedly
• Three types of tracking methods are used:
1. Cookies: a line of text with an ID in the user’s cookie file
– Attacker can read the ID from the user’s cookie file
2. URL session tracking: an ID is appended to all the links in the web site’s pages
– Attacker can guess or read this ID and masquerade as the user
3. Hidden form elements
– The ID is hidden in form elements which are not visible to the user
– Attacker can modify these to masquerade as another user
Session Hijacking
Definition:
Process of taking over an existing active session
Attack method:
1. The user makes a connection to the server by authenticating with his user ID and password.
2. After the user authenticates, he has access to the server as long as the session lasts.
3. The hacker takes the user offline by denial of service.
4. The hacker gains access to the server by impersonating the user.
Session Hijacking
Figure (reconstructed from the slide): Bob telnets to the server and authenticates. The attacker knocks Bob offline (“Die!”) and then tells the server “Hi! I am Bob”.
• The attacker can
– monitor the session
– periodically inject commands into the session
– launch passive and active attacks from the session
Session Hijacking – How Does it Work?
• Attackers exploit sequence numbers to hijack sessions
• Sequence numbers are 32-bit counters used to:
– tell the receiving machine the correct order of packets
– tell the sender which packets have been received and which are lost
• Receiver and sender each have their own sequence numbers
• When two parties communicate, the following are needed:
– IP addresses
– port numbers
– sequence numbers
• IP addresses and port numbers are easily available, so once the attacker gets the server to accept his guessed sequence number he can hijack the session.
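The guessing step above, and why it depends on how the server chooses its initial sequence number, as an added example that is not part of the original slides. A toy server hands out initial sequence numbers (ISNs) either the old way (a counter bumped by a fixed amount per connection) or randomly, and accepts a segment only when its numbers are the ones it expects. The attacker at 10.10.50.50 wants a connection the server believes comes from the trusted host 10.10.20.30 (addresses from the spoofing figures); it never sees the SYN-ACK, which goes to the trusted host, so it first opens a connection of its own to read the counter and then completes the spoofed handshake blind. The ports, the ISN bump, the "knock the trusted host offline" switch (step 3 of the attack method) and the injected command are made up.

```python
"""Blind TCP session hijacking through sequence-number prediction.

Added example, not from the original slides. A toy server hands out initial
sequence numbers (ISNs) either the old way (a counter bumped by a fixed amount
per connection) or randomly, and accepts a segment only when its numbers are the
ones it expects. The attacker at 10.10.50.50 wants a connection that the server
believes comes from the trusted host 10.10.20.30 (addresses from the spoofing
figures). Ports, the ISN bump and the injected command are made up.
"""
import secrets

MOD = 1 << 32      # sequence numbers are 32-bit counters
WINDOW = 65535     # data with a sequence number in [rcv_nxt, rcv_nxt + WINDOW) is accepted


class ToyServer:
    def __init__(self, isn_mode="predictable"):
        self.isn_mode = isn_mode
        self._counter = 0x10000000
        self.conns = {}  # (client ip, client port) -> connection state

    def _next_isn(self):
        if self.isn_mode == "predictable":
            self._counter = (self._counter + 64000) % MOD   # fixed bump per connection, as early stacks did
            return self._counter
        return secrets.randbelow(MOD)                       # unpredictable, as modern stacks do

    def syn(self, ip, port, client_isn):
        """Client SYN arrives: choose our ISN and 'send' SYN-ACK to ip. The return value
        models the wire; only the real owner of ip receives it."""
        isn = self._next_isn()
        self.conns[(ip, port)] = {"state": "SYN_RCVD", "server_isn": isn,
                                  "rcv_nxt": (client_isn + 1) % MOD, "data": b""}
        return isn

    def rst(self, ip, port):
        """The real owner of ip got a SYN-ACK it never asked for and resets the connection."""
        self.conns.pop((ip, port), None)

    def ack(self, ip, port, ack_num):
        """Third handshake step: the ACK must carry our ISN + 1, which only someone
        who saw the SYN-ACK, or guessed it, can supply."""
        conn = self.conns.get((ip, port))
        if conn is None or conn["state"] != "SYN_RCVD":
            return False
        if ack_num != (conn["server_isn"] + 1) % MOD:
            self.conns.pop((ip, port))    # a real stack answers a bad ACK with RST
            return False
        conn["state"] = "ESTABLISHED"
        return True

    def data(self, ip, port, seq, payload):
        """Accept in-window data on an established connection."""
        conn = self.conns.get((ip, port))
        if conn is None or conn["state"] != "ESTABLISHED":
            return False
        if not conn["rcv_nxt"] <= seq < conn["rcv_nxt"] + WINDOW:   # wraparound ignored for brevity
            return False
        conn["data"] += payload
        conn["rcv_nxt"] = (conn["rcv_nxt"] + len(payload)) % MOD
        return True


def blind_hijack(server, attacker_ip="10.10.50.50", trusted_ip="10.10.20.30", trusted_silenced=True):
    """Return True if the attacker got the server to accept data 'from' trusted_ip."""
    # 1. Probe: a normal connection from our own address reveals the server's current ISN.
    probe_isn = server.syn(attacker_ip, 40000, client_isn=1000)
    server.ack(attacker_ip, 40000, (probe_isn + 1) % MOD)
    # 2. Predict the ISN the server will assign to the very next connection.
    guess = (probe_isn + 64000) % MOD
    # 3. SYN with the trusted host's address. The SYN-ACK goes to trusted_ip, not to us;
    #    unless that host has been knocked offline (the DoS step in the slides) it will
    #    reset the connection it never opened.
    my_isn = 5000
    server.syn(trusted_ip, 41000, client_isn=my_isn)
    if not trusted_silenced:
        server.rst(trusted_ip, 41000)
    # 4. Complete the handshake blind with the guessed number.
    if not server.ack(trusted_ip, 41000, (guess + 1) % MOD):
        return False
    # 5. We chose my_isn ourselves, so the sequence numbers of our own data are known to us.
    return server.data(trusted_ip, 41000, (my_isn + 1) % MOD, b"injected command\n")
```

With the predictable counter the hijack succeeds whenever the trusted host is silenced; with random ISNs the guess is right once in 2^32 attempts, which is why randomised ISNs closed this attack long before address-based trust went away.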
DoS Attack
• A DoS attack is a network attack that results in some sort of interruption of service to users, devices, or applications.
• There are two major reasons a DoS attack occurs:
– A host or application fails to handle an unexpected condition, such as maliciously formatted input data, an unexpected interaction of system components, or simple resource exhaustion.
– A network, host, or application is unable to handle an enormous quantity of data, causing the system to crash or become extremely slow.
Denial of Service (DoS) Attack
Definition:
Attack through which a person can render a system unusable or significantly slow down the system for legitimate users by overloading the system so that no one else can use it.
Types:
1. Crashing the system or network
– Send the victim data or packets which will cause the system to crash or reboot.
2. Exhausting resources by flooding the system or network with information
– Since all resources are exhausted, others are denied access to the resources
3. Distributed DoS (DDoS) attacks are coordinated denial-of-service attacks involving several people and/or machines to launch attacks
Denial of Service (DoS) Attack
Types (examples):
1. Ping of Death
2. SSPing
3. Smurf
4. SYN Flood
5. Microsoft Incomplete TCP/IP Packet Vulnerability
6. HP OpenView Node Manager SNMP DoS Vulnerability
7. NetScreen Firewall DoS Vulnerability
8. Check Point Firewall DoS Vulnerability
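The SYN flood from the list is the resource-exhaustion type: each SYN makes the server reserve a half-open connection in its listen backlog, and the flooder never sends the ACK that would complete or release it. The following is an added example, not code from the original slides: a detector run over a constructed log of client-to-server segments that counts half-open connections older than a grace period and alerts above a threshold. Addresses, ports and times are made up.

```python
"""SYN-flood detection over a constructed segment log.

Added example, not from the original slides. Each record is one client-to-server
TCP segment seen at the server: (time, source IP, source port, flags). A normal
client sends SYN and then ACKs the server's SYN-ACK; a flooder sends SYNs from
many, usually spoofed, addresses and never completes the handshake, so half-open
connections accumulate in the listen backlog. Addresses, ports and times are made up.
"""
from collections import defaultdict


def half_open_backlog(events, grace=2.0, now=None):
    """Return (number of half-open connections older than `grace`, count per source IP)."""
    pending = {}  # (ip, port) -> time of the SYN
    for t, ip, port, flags in sorted(events):
        key = (ip, port)
        if "S" in flags and "A" not in flags:   # SYN without ACK: a new handshake
            pending[key] = t
        elif "A" in flags or "R" in flags:      # handshake completed, or aborted with RST
            pending.pop(key, None)
    if now is None:
        now = max(t for t, _, _, _ in events)
    per_source = defaultdict(int)
    for (ip, _), t in pending.items():
        if now - t >= grace:
            per_source[ip] += 1
    return sum(per_source.values()), dict(per_source)


def is_syn_flood(events, threshold=100, grace=2.0, now=None):
    """Alert when the stale half-open backlog exceeds what a healthy server ever carries."""
    count, _ = half_open_backlog(events, grace=grace, now=now)
    return count >= threshold


# Constructed traffic: three clients that complete or abort the handshake ...
LEGIT = [
    (0.00, "198.51.100.7", 50123, "S"), (0.05, "198.51.100.7", 50123, "A"),
    (0.10, "198.51.100.8", 50124, "S"), (0.14, "198.51.100.8", 50124, "A"),
    (0.20, "198.51.100.9", 50125, "S"), (0.26, "198.51.100.9", 50125, "R"),
]
# ... and 150 SYNs from spoofed sources in half a second, none of them ever acknowledged.
FLOOD = [(1.0 + i * 0.003, f"203.0.113.{i % 254 + 1}", 1024 + i, "S") for i in range(150)]
EVENTS = LEGIT + FLOOD
```

The per-source breakdown is what separates a flood from a busy day: genuine clients show a few half-open entries each for a moment, a flood shows hundreds of sources with one entry apiece and no follow-up. The usual mitigations are SYN cookies (the server keeps no state until the ACK arrives) and a shorter SYN-RCVD timeout.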
Buffer Overflows
• Buffer: An allocated area of memory used by processes to store data
temporarily.
• Buffer overflow: Occurs when a fixed-length buffer reaches its
capacity and a process attempts to store data beyond that maximum
limit.
• This can result in extra data overwriting adjacent memory locations,
as well as causing other unexpected behaviors.
• A majority of the software vulnerabilities that are discovered relate to
buffer overflows.
• Buffer overflows are usually the primary conduit through which
viruses, worms, and Trojan Horses do their damage.
Buffer Overflow Attacks
• This attack takes advantage of the way in which information is stored by computer programs
• An attacker tries to store more information on the stack than the size of the buffer
How does it work?
Figure (reconstructed from the slide). Normal stack, from the bottom of memory to the top, in fill direction: Buffer 2 | Local Variable 2 | Buffer 1 | Local Variable 1 | Return Pointer | Function Call Arguments.
Smashed stack: the attacker’s input overflows Buffer 1 and overwrites what lies beyond it in the fill direction: the Buffer 1 space is overwritten with machine code that runs execve(/bin/sh), and the Return Pointer is overwritten with a new pointer to that exec code, so when the function returns, the attacker’s code runs. Buffer 2, Local Variable 2 and the Function Call Arguments remain as before.
Buffer Overflow Attacks
• Programs which do not have rigorous memory (bounds) checks in the code are vulnerable to this attack
• Simple weaknesses can be exploited
– If the memory allocated for a name is 50 characters, someone can break the system by sending a fictitious name of more than 50 characters
• Can be used for espionage, denial of service, or compromising the integrity of the data
Examples
– NetMeeting Buffer Overflow
– Outlook Buffer Overflow
– AOL Instant Messenger Buffer Overflow
– SQL Server 2000 Extended Stored Procedure Buffer Overflow
Password Attacks
• A hacker can easily exploit weak passwords and uncontrolled network modems
• Steps
– Hacker gets the phone number of a company
– Hacker runs a war dialer program
▪ If the original number is 555-5532 he dials all numbers in the 555-55xx range
▪ When a modem answers he records the phone number of the modem
– Hacker now needs a user ID and password to enter the company network
▪ Companies often have default accounts, e.g. temp, anonymous, with no password
▪ Often the root account uses the company name as the password
▪ For strong passwords, password cracking techniques exist
Password Security
Figure (reconstructed from the slide): the client sends the password to the server; the server combines it with the stored salt, runs it through the hash function, and compares the result with the stored hashed password to allow or deny access.
• Password hashed and stored
– A salt is added to randomize the hash; the salt is stored on the system alongside the hashed password
• Password attacks are launched to crack the hashed password
Password Attacks - Process
• Find a valid user ID
• Create a list of possible passwords
• Rank the passwords from high probability to low
• Type in each password
• If the system allows you in – success!
• If not, try again, being careful not to exceed the password lockout (the number of times you can guess a wrong password before the system shuts down and won’t let you try any more)
Password Attacks - Types
• Dictionary Attack
– Hacker tries all words in a dictionary to crack the password
– 70% of people use dictionary words as passwords
• Brute Force Attack
– Try all permutations of the letters and symbols in the alphabet
• Hybrid Attack
– Words from the dictionary and their variations are used in the attack
• Social Engineering
– People write passwords in different places
– People disclose passwords naively to others
• Shoulder Surfing
– Hackers slyly watch over people’s shoulders to steal passwords
• Dumpster Diving
– People dump their trash papers in the garbage, which may contain information to crack passwords
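The hash-and-salt scheme from the Password Security figure, and the dictionary and hybrid attacks above run against it offline (no lockout applies once the attacker holds the stored hashes), as an added example that is not part of the original slides. store() keeps a random per-user salt and a PBKDF2-HMAC-SHA256 hash (the figure shows only "hash + salt"; a deliberately slow hash is current practice), verify() compares in constant time, and crack() tries dictionary words first and then the hybrid variants. Users, passwords and the wordlist are constructed; the iteration count is kept low so the demo runs in seconds.

```python
"""Salted password hashing, and the dictionary and hybrid attacks run against it.

Added example, not from the original slides. store() keeps a random per-user
salt and a PBKDF2-HMAC-SHA256 hash, verify() compares in constant time, and
crack() replays the dictionary and hybrid attacks against the store. Users,
passwords and the wordlist are constructed; the iteration count is kept low so
the demo runs in seconds.
"""
import hashlib
import hmac
import itertools
import os

ITERATIONS = 10_000  # far below production settings, to keep the demo fast (assumption)
SUBS = str.maketrans({"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"})


def store(password, salt=None):
    """Hash a password with a fresh 16-byte salt; return the record to keep in the user database."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "hash": digest, "iterations": ITERATIONS}


def verify(record, candidate):
    """Recompute with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["hash"])


def hybrid_variants(word):
    """The word itself, then the mutations a hybrid attack tries."""
    forms = [word, word.capitalize(), word.upper()]
    forms += [w.translate(SUBS) for w in forms]          # common substitutions
    seen = set()
    for w in forms:
        if w in seen:
            continue
        seen.add(w)
        yield w
        for suffix in ("1", "123", "!", "2024"):          # appended digits and symbols
            yield w + suffix


def crack(users, wordlist):
    """Dictionary + hybrid attack: {user: recovered password} for every record that falls."""
    recovered = {}
    for name, record in users.items():
        for guess in itertools.chain.from_iterable(hybrid_variants(w) for w in wordlist):
            if verify(record, guess):
                recovered[name] = guess
                break
    return recovered


# Constructed user database and attacker wordlist.
USERS = {
    "alice": store("summer"),            # plain dictionary word
    "bob": store("Summer123"),           # hybrid: capitalised + digits
    "carol": store("Summer123"),         # same password as bob, different salt
    "dave": store("x7#Qp!v9Lr2m"),       # random: in no wordlist
}
WORDLIST = ["summer", "winter", "password", "welcome"]

if __name__ == "__main__":
    print(crack(USERS, WORDLIST))
```

The salt is what makes bob's and carol's identical passwords hash differently, so the attacker cannot crack one and reuse the result, and cannot use a precomputed table; it does nothing against a dictionary word, which still falls on the first guess. Only the slow hash (and a password outside any wordlist, as dave's) raises the attacker's cost.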
Difficulties in Defending against Attacks
Worm Mitigation
▪ Worm attack mitigation requires diligence on the part of system and
network administration staff.
▪ There is a four phase process to mitigate an active worm attacks.
Worm Mitigation
▪ Containment Phase
• Limits the spread of a worm infection to areas of the network that are already
affected.
• Compartmentalizes and segments the network to slow down or stop the worm to
prevent currently infected hosts from targeting and infecting other systems.
• Uses both outgoing and incoming ACLs on routers and firewalls at control
points within the network.
▪ Inoculation Phase
• Runs parallel to or subsequent to the containment phase.
• All uninfected systems are patched with the appropriate vendor patch for the
vulnerability.
• The inoculation process further deprives the worm of any available targets.
Worm Mitigation Cont.
▪ Quarantine Phase
• Tracks down and identifies infected machines within the contained areas and
disconnects, blocks, or removes them.
• This isolates these systems appropriately for the Treatment Phase.
▪ Treatment Phase
• Actively infected systems are disinfected of the worm.
• Terminates the worm process, removes modified files or system settings that the worm
introduced, and patches the vulnerability the worm used to exploit the system.
• In more severe cases, completely reinstalling the system to ensure that the worm and its
by products are removed.
Prediction, Prevention, Detection, and Response
IS Defense In Depth Security Strategy
• Data loss prevention and encryption
• Vulnerability management
• ID and access management
• IDS/IPS
• Firewalls
• End point and mobile security
• Database security
• Network access control
• Content management
• Perimeter management
• Risk management
Security: Defense in Depth
• Security technology
• Human Security
• Security Policy
Technologies:
1. Anti-malicious
2. Access control
3. Cryptography
4. Firewall
5. IDS
6. IPS
IS Security – CIA
Confidentiality, Integrity, Availability (the slide names “Authentication” for the A; the triad’s third goal is availability, and authentication is one of the controls that protect all three)
Network Security
Protecting:
• Network equipment
• Network servers and transmissions
• Against eavesdropping
• Data integrity
System Security
• User access
• Authentication controls
• Assignment of privilege
• Maintaining file and file system integrity
• Monitoring processes
• Log-keeping
• Backups
Defense In Depth (DiD)
• Firewalls, VPN, DMZ, NAT
• IDS/IPS, network and host
• Security consulting
• Management and administration
• Anti-virus, anti-spam, anti-worm, anti-Trojan
• Access control: authentication and authorization
• Cryptography: IPsec, SSL, DS
• Security monitoring and assessment
• Logging, reporting, alerting, and auditing
• Event correlation
• Certification
• Hardening clients and servers
• Personnel security and security policy
• Physical security
1- Access Control
❑ Is the ability to limit and control access to systems and applications.
❑ Tools:
✓ Physical access control:
  • Finger prints.
  • Eye recognition.
  • Voice identification.
  • Smart card.
✓ Logical access control:
  • Password.
  • Firewalls.
Access Control
Figure: Smart Cards
Access Control
Figure: Password
Access Control
Figure: Finger Prints; Token Ring
Encryption and Cryptography
Cryptography is the study and practice of hiding information, and is
used pervasively in modern network security.
Secure Communication System
Figure: message exchange between a Client PC and a Server. An attacker taps into the conversation and tries to read messages, alter messages, and add new messages.
Attack Prevention System
Figure: a hardened Client PC and a hardened Server (with permissions) inside the corporate network; an attacker on the Internet sends attack messages. The firewall at the boundary between the Internet and the corporate network stops most attack messages; the hardened hosts face the attack messages that get through.
Security at Multiple Layers
Layer         Example
Application   Application-specific (for instance, passwords for a database program); Application (Proxy) Firewalls
Transport     SSL (TLS), Packet Filter Firewalls
Internet      IPsec, Packet Filter Firewalls
Data Link     Point-to-Point Tunneling Protocol (PPTP), Layer 2 Tunneling Protocol (L2TP)
Physical      Physical locks on computers, Notebook Encryption
Firewall Boundaries
Figure: a network intrusion attempt. The intruder reaches the firewall, behind which sit the secured system and the DMZ.
Firewall Boundaries
Figure: an attacker sends an attack packet to the firewall; after inspection and filtering, the packet is dropped (ingress) and an entry is written to the log file.
Firewall Boundaries
Figure: a user sends a valid message to the firewall; after inspection, the message is passed through to the protected side (the secured system and the DMZ).
Firewalls
• Firewalls that inspect data packets and connection circuits.
• Firewalls that inspect the state of the system as a whole (stateful inspection).
• Firewalls that inspect applications.
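The three firewall pictures above (a valid message passed after inspection, an attack packet dropped on ingress and logged) can be run as a small stateful packet filter. The following is an added example written for these slides, not code from the slides: every packet, address and the allowed-port policy in it are constructed sample data, and the `PASS`/`DROP` verdicts and log format are assumptions made for the example.

```python
"""Stateful packet filter with an ingress drop log.

Added example for the firewall slides above; it is not code from the slides.
It models the three pictured cases: a valid outbound message from an inside user
passes after inspection, the reply to it passes because the firewall remembers
the connection, and an unsolicited inbound (ingress) packet is dropped and
written to the log file. All packets, addresses and the allowed-port policy are
constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    direction: str  # "egress": inside -> Internet, "ingress": Internet -> inside


class StatefulFirewall:
    """Inspects packets against a policy plus a table of established connections."""

    def __init__(self, allowed_outbound_ports):
        self.allowed_outbound_ports = set(allowed_outbound_ports)
        # Stateful inspection: connections opened from the inside are remembered as
        # (inside_ip, inside_port, outside_ip, outside_port).
        self.state = set()
        # Lines a real firewall would append to its log file.
        self.log = []

    def inspect(self, pkt):
        """Return 'PASS' or 'DROP' for one packet and record drops in the log."""
        if pkt.direction == "egress":
            if pkt.dst_port not in self.allowed_outbound_ports:
                self.log.append(
                    f"DROP egress {pkt.src_ip}:{pkt.src_port} -> "
                    f"{pkt.dst_ip}:{pkt.dst_port} (port not allowed by policy)")
                return "DROP"
            # Passed after inspection: remember the connection so the reply can return.
            self.state.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
            return "PASS"

        # Ingress: only a reply matching a connection opened from inside may pass.
        key = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if key in self.state:
            return "PASS"
        self.log.append(
            f"DROP ingress {pkt.src_ip}:{pkt.src_port} -> "
            f"{pkt.dst_ip}:{pkt.dst_port} (no matching connection)")
        return "DROP"


def run_demo():
    """Run the three pictured cases; returns the verdicts and the log lines."""
    fw = StatefulFirewall(allowed_outbound_ports={80, 443})
    # Constructed sample traffic (RFC 5737 documentation addresses on the outside).
    user_request = Packet("10.0.0.5", 40001, "203.0.113.10", 443, "egress")
    server_reply = Packet("203.0.113.10", 443, "10.0.0.5", 40001, "ingress")
    unsolicited = Packet("198.51.100.7", 4444, "10.0.0.5", 3389, "ingress")
    verdicts = [fw.inspect(p) for p in (user_request, server_reply, unsolicited)]
    return verdicts, fw.log


if __name__ == "__main__":
    verdicts, log = run_demo()
    print(verdicts)
    for line in log:
        print(line)
```

The reply is allowed only because the firewall recorded the outbound connection first; the same inbound packet arriving without that entry is dropped and logged, which is the "inspection + filtering, dropped packet, log file" path of the second figure.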
Network Address Translation (NAT)
Figure: an outbound packet through a NAT firewall.
1. The client sends a packet from 172.47.9.6, port 59789.
2. The NAT firewall rewrites the source to 60.168.34.2, port 63472, records the mapping in its translation table, and forwards the packet over the Internet to the server host.
Translation Table:
Internal IP Addr / Port     External IP Addr / Port
172.47.9.6 / 59789          60.168.34.2 / 63472
…                           …
Network Address Translation (NAT)
Figure: the reply packet through the NAT firewall.
3. The server host sends its reply to 60.168.34.2, port 63472.
4. The NAT firewall looks up the translation table and delivers the packet to 172.47.9.6, port 59789, on the client.
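The translation table in the two NAT figures can be reproduced with a few lines of Python. This is an added example, not code from the slides: the addresses and ports are the ones drawn in the figures, while allocating external ports from a simple counter and treating a reply with no table entry as undeliverable are assumptions made for the example.

```python
"""Port-based NAT translation table.

Added example for the two NAT slides above; it is not code from the slides.
It reproduces the pictured translation: an outbound packet from 172.47.9.6 port
59789 leaves the firewall as 60.168.34.2 port 63472 and the reply is mapped back.
The addresses and ports come from the slides; allocating external ports from a
counter is an assumption made for the example.
"""


class NatFirewall:
    """Maps (internal IP, port) pairs to ports on one external address and back."""

    def __init__(self, external_ip, first_external_port=63472):
        self.external_ip = external_ip
        self._next_port = first_external_port
        # Translation table, kept in both directions as on the slide.
        self.internal_to_external = {}   # (int_ip, int_port) -> (ext_ip, ext_port)
        self.external_to_internal = {}   # ext_port -> (int_ip, int_port)

    def outbound(self, src_ip, src_port):
        """Steps 1-2: rewrite the source of an outbound packet; returns the new source."""
        key = (src_ip, src_port)
        if key not in self.internal_to_external:
            external = (self.external_ip, self._next_port)
            self._next_port += 1
            self.internal_to_external[key] = external
            self.external_to_internal[external[1]] = key
        return self.internal_to_external[key]

    def inbound(self, dst_ip, dst_port):
        """Steps 3-4: map a reply addressed to the external address back to the client.

        Returns (internal_ip, internal_port), or None when no table entry exists:
        a packet that nobody inside asked for cannot be delivered and is dropped.
        """
        if dst_ip != self.external_ip:
            return None
        return self.external_to_internal.get(dst_port)

    def table(self):
        """The translation table as rows of (internal ip, port, external ip, port)."""
        return [(i[0], i[1], e[0], e[1]) for i, e in self.internal_to_external.items()]


if __name__ == "__main__":
    nat = NatFirewall("60.168.34.2")
    print("outbound source becomes:", nat.outbound("172.47.9.6", 59789))
    print("reply delivered to:     ", nat.inbound("60.168.34.2", 63472))
    print("packet with no entry:   ", nat.inbound("60.168.34.2", 63473))
    print("translation table:      ", nat.table())
```

A second outbound packet from the same internal address and port reuses the existing entry, so the server always sees one external port per client connection; an inbound packet that matches no entry has nowhere to go, which is why NAT on its own already blocks unsolicited inbound traffic.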
Intrusion Detection Tasks
Intrusion Detection System (IDS)
• Provides more effective means of detecting intrusions.
• Examines a "batch of messages" to find and block batches whose messages cannot be recognized individually (protection against denial of resources).
• Examines a "batch of messages" to find and block batches whose messages cannot be recognized because they are not part of a running application session.
• The inspection covers the message header components at all communication layers.
• The first suspicious message, and those that follow it, are discarded.
Intrusion Detection Tasks
Intrusion Detection System (IDS)
• Monitoring the activity of the system and the server hosts (HIDS), the network (NIDS), and the users.
• Reviewing the secure configuration of the system and violations of that configuration.
• Contributing to the integrity of the system's data.
• Identifying activities with a destructive pattern and reporting on them.
• Assisting in testing the system's security policy and individuals' violations of it.
• Issuing reports.
Intrusion Detection
Figure: an Intrusion Detection System watching traffic to an internal host.
1. An attacker sends an attack packet, and a legitimate host sends a legitimate packet, to the internal host.
2. All packets are copied to the Intrusion Detection System, which writes them to a dump.
3. The IDS sends a notification of a possible attack to the network administrator.
4. The network administrator analyses the dump.
Secure Communication System
Between the Client PC and the Server:
1. Initial negotiation of security parameters.
2. Mutual authentication.
3. Key exchange or key agreement.
4. Subsequent communication with message-by-message confidentiality, authentication, and message integrity.
Symmetric Key Encryption for Confidentiality
Figure (four slides): Party A and Party B hold the same symmetric key; an interceptor sits on the network between them.
• Party A applies the encryption method and the symmetric key to the plaintext "Hello", producing the ciphertext "11011101", and sends it over the network.
• The interceptor captures the ciphertext "11011101" but, without the key, cannot recover the plaintext (???).
• Party B applies the decryption method and the same symmetric key to the ciphertext "11011101" and recovers the plaintext "Hello".
• In symmetric key encryption, both sides encrypt and decrypt with the same shared symmetric key.
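The four symmetric-key slides, and step 4 of the Secure Communication System slide (message-by-message confidentiality and integrity), can be exercised end to end with the standard library. The following is an added example, not code from the slides: it builds a teaching cipher from HMAC-SHA256 (run as a pseudorandom function in counter mode, with a separate HMAC tag over the ciphertext), so that Party A, the interceptor and Party B can all be shown in one run. The function names, the key and the message are constructed for the example; a real system would use an authenticated cipher such as AES-GCM or ChaCha20-Poly1305 rather than this construction.

```python
"""Shared-key confidentiality and integrity between Party A and Party B.

Added example for the symmetric-key slides above and for step 4 of the Secure
Communication System slide; it is not code from the slides. Both parties hold
the same key; the interceptor on the network sees only ciphertext. The cipher
is a teaching construction from the standard library (HMAC-SHA256 as a PRF in
counter mode plus an HMAC tag); a real system would use an authenticated cipher
such as AES-GCM or ChaCha20-Poly1305. Keys and messages are constructed data.
"""
import hashlib
import hmac
import os
import struct

NONCE_LEN = 16
TAG_LEN = 32


def _subkeys(key):
    """Derive separate encryption and integrity keys from the shared symmetric key."""
    enc_key = hmac.new(key, b"encryption", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"integrity", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(enc_key, nonce, length):
    """PRF in counter mode: block i = HMAC(enc_key, nonce || i), truncated to length."""
    blocks = []
    for counter in range((length + 31) // 32):
        blocks.append(hmac.new(enc_key, nonce + struct.pack(">I", counter),
                               hashlib.sha256).digest())
    return b"".join(blocks)[:length]


def encrypt(key, plaintext, nonce=None):
    """Party A: encryption method + symmetric key -> nonce || ciphertext || tag."""
    nonce = nonce if nonce is not None else os.urandom(NONCE_LEN)
    enc_key, mac_key = _subkeys(key)
    stream = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt(key, message):
    """Party B: decryption method + the same symmetric key -> plaintext.

    Raises ValueError if the tag does not verify, i.e. the message was altered
    in transit or was produced with a different key.
    """
    if len(message) < NONCE_LEN + TAG_LEN:
        raise ValueError("message too short")
    nonce = message[:NONCE_LEN]
    ciphertext = message[NONCE_LEN:-TAG_LEN]
    tag = message[-TAG_LEN:]
    enc_key, mac_key = _subkeys(key)
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        raise ValueError("message authentication failed")
    stream = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, stream))


def interceptor_can_read(guessed_key, message, plaintext):
    """True only if an interceptor holding guessed_key recovers the plaintext."""
    try:
        return decrypt(guessed_key, message) == plaintext
    except ValueError:
        return False


def altered_message_rejected(key, message):
    """True if flipping one ciphertext bit makes Party B reject the message."""
    altered = bytearray(message)
    altered[NONCE_LEN] ^= 0x01
    try:
        decrypt(key, bytes(altered))
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    shared_key = os.urandom(32)           # constructed; both parties hold this key
    wire = encrypt(shared_key, b"Hello")  # Party A
    print("interceptor sees:", wire.hex())
    print("interceptor without the key reads it:",
          interceptor_can_read(os.urandom(32), wire, b"Hello"))
    print("altered message rejected by Party B:", altered_message_rejected(shared_key, wire))
    print("Party B recovers:", decrypt(shared_key, wire))
```

The tag gives the message integrity and authentication that step 4 of the Secure Communication System slide asks for alongside confidentiality: an interceptor who alters a message, or who encrypts under a different key, is detected because the tag no longer verifies, and the comparison uses `hmac.compare_digest` so that timing does not reveal how many tag bytes matched.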
Public Key Encryption for Confidentiality
• Party A encrypts with Party B's public key; Party B decrypts with Party B's private key.
• Party B encrypts with Party A's public key; Party A decrypts with Party A's private key.
Public Key Distribution for Symmetric Keys
1. Party A creates a symmetric session key.
2. Party A encrypts the session key with Party B's public key.
3. Party A sends the symmetric session key encrypted with Party B's public key.
4. Party B decrypts the session key with Party B's private key.
5. Subsequent encryption for confidentiality uses the symmetric session key for all messages.
MS-CHAP Challenge-Response Authentication Protocol
Note: both the client and the server know the client's password.
1. The server (verifier) creates a challenge message.
2. The server sends the challenge message to the client (applicant).
3. The applicant creates the response message:
   a) Adds the password to the challenge message.
   b) Hashes the resultant bit string.
   c) This gives the response message.
4. The applicant sends the response message (the transmitted response).
5. The verifier adds the password to the challenge message it sent and hashes the combination. This should be the expected response message, which is compared with the transmitted response.
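The five steps above can be run as a small applicant/verifier exchange. This is an added example, not code from the slides, and it follows the slides' simplified description (hash of challenge plus password) rather than the actual MS-CHAP computation, which uses different primitives; the function names, the choice of SHA-256 as the hash, and the password and challenge values are assumptions made for the example.

```python
"""Challenge-response authentication as drawn on the MS-CHAP slides.

Added example; it is not code from the slides, and it follows the slides'
simplified description (hash of challenge + password) rather than the actual
MS-CHAP computation, which uses different primitives. As the slides note, both
the applicant (client) and the verifier (server) know the client's password.
The hash choice, password and challenges below are constructed for the example.
"""
import hashlib
import hmac
import secrets


def create_challenge():
    """Step 1: the verifier creates a fresh, unpredictable challenge message."""
    return secrets.token_bytes(16)


def create_response(password, challenge):
    """Step 3: the applicant adds the password to the challenge and hashes the bit string."""
    return hashlib.sha256(challenge + password.encode("utf-8")).digest()


def verify_response(password, challenge, transmitted_response):
    """Step 5: the verifier recomputes the expected response and compares the two."""
    expected_response = create_response(password, challenge)
    # Constant-time comparison so timing does not reveal how many bytes matched.
    return hmac.compare_digest(expected_response, transmitted_response)


def authenticate(password_on_server, password_on_client, challenge=None):
    """Run steps 1-5 between a verifier and an applicant; returns True on success."""
    challenge = challenge if challenge is not None else create_challenge()    # 1
    # 2: the challenge travels to the applicant; 3-4: the applicant computes and
    # sends the response (only the hash crosses the network, never the password).
    transmitted_response = create_response(password_on_client, challenge)
    return verify_response(password_on_server, challenge, transmitted_response)  # 5


def replay_rejected(password):
    """Why the challenge must be fresh: a captured response fails against a new one."""
    old_challenge = create_challenge()
    captured_response = create_response(password, old_challenge)
    new_challenge = create_challenge()
    return not verify_response(password, new_challenge, captured_response)


if __name__ == "__main__":
    print("correct password accepted:", authenticate("correct horse", "correct horse"))
    print("wrong password accepted:  ", authenticate("correct horse", "wrong horse"))
    print("replayed response rejected:", replay_rejected("correct horse"))
```

Only the hash crosses the network, so a listener does not see the password itself, and because the verifier issues a new random challenge each time, a response captured during one login is worthless for the next one; the comparison in step 5 uses `hmac.compare_digest` so that the verifier's timing does not leak how much of the response matched.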