Chapter 18: Computer and Network Security Threats

Computer Security Concepts
• The NIST Computer Security Handbook [NIST95] defines the term computer security as:
  "The protection afforded to an automated information system in order to attain the applicable objectives of preserving the integrity, availability, and confidentiality of information system resources (includes hardware, software, firmware, information/data, and telecommunications)."

[Diagram slides: the IT asset to protect (for example, a customer database), shown successively behind a firewall with ID control against hackers; with employees inside the firewall; with external attacks (1), internal attacks (2) and regional threats (3); and with the countermeasures: training, limited access, and HW & SW to defend the database.]

[Diagram slides: the business enterprise mission/goal over time (today versus the future); business objectives that support the mission of the entity ($$$$, status, market share, etc.); operations and tactical objectives; business continuity to reach the strategic goal within a predetermined time frame.]

[Diagram slides: the owner of the IT system / IT assets (servers and databases in the data center) is worrying about disclosure, alteration and destruction. The solution is access control, after which the owner is not worrying about confidentiality (disclosure), integrity (alteration) or availability (destruction).]

IT ASSETS
Computers, databases, software, servers, workstations, routers, hubs, switches, circuits, networks, data communications lines and all other information technology equipment.
Access Control

Computer Security Objectives
• Confidentiality
  • Data confidentiality assures that private or confidential information is not made available or disclosed to unauthorized individuals
  • Privacy assures that individuals control or influence what information related to them may be collected and stored and by whom and to whom that information may be disclosed
• Integrity
  • Data integrity assures that information and programs are changed only in a specified and authorized manner
  • System integrity assures that a system performs its intended function in an unimpaired manner, free from deliberate or inadvertent unauthorized manipulation of the system
• Availability
  • Assures that systems work promptly and service is not denied to authorized users

[Diagram slides: data center/room security, mapping destruction to availability, alteration to integrity and disclosure to confidentiality.]

The Security Requirements Triad | The Goals
• IT system security: Integrity, Confidentiality, Availability

Table 18.1 Threat Consequences, and the Types of Threat Actions That Cause Each Consequence (Based on RFC 2828)

Scope of System Security

Table 18.2 Computer and Network Assets, with Examples of Threats

Communication Lines and Networks
• Passive attacks
  • Attempts to learn or make use of information from the system but does not affect system resources
  • Are in the nature of eavesdropping on, or monitoring of, transmissions
  • Goal of the attacker is to obtain information that is being transmitted
  • Difficult to detect because they do not involve any alteration of the data
  • Emphasis is on prevention rather than detection
  • Two types:
    • Release of message contents
      • Prevent an opponent from learning the contents of a transmission
    • Traffic analysis
      • Encrypting the contents of a message so that even if an opponent captures the message, they cannot extract the information
Communication Lines and Networks
• Active attacks
  • Involve some modification of the data stream or the creation of a false stream
  • Goal is to detect them and to recover from any disruption or delays
  • Four categories:
    • Replay
    • Masquerade
    • Modification of messages
    • Denial of service
• Replay
  • Involves the passive capture of a data unit and its subsequent re-transmission to produce an unauthorized effect
• Masquerade
  • Takes place when one entity pretends to be a different entity
  • Usually includes one of the other forms of active attack
• Modification of messages
  • Some portion of a legitimate message is altered, or messages are delayed or reordered, to produce an unauthorized effect
• Denial of service
  • Prevents or inhibits the normal use or management of communications facilities
  • Disruption of an entire network, either by disabling the network or by overloading it with messages so as to degrade performance

Intrusion Examples
• Performing a remote root compromise of an e-mail server
• Defacing a Web server
• Guessing and cracking passwords
• Copying a database containing credit card numbers
• Viewing sensitive data without authorization
• Running a packet sniffer on a workstation to capture usernames and passwords
• Using a permission error on an anonymous FTP server to distribute pirated software and music files
• Dialing into an unsecured modem and gaining internal network access
• Posing as an executive, calling the help desk, resetting the executive's e-mail password, and learning the new password
• Using an unattended, logged-in workstation without permission

Intruder Behavior Patterns
• BH Hackers
  • Organized group of intruders who hack into a computer for the thrill or for status
• Criminals
  • Usually have specific targets or classes of targets in mind
  • Frequently Eastern European or Southeast Asian groups who do business on the Web
  • Once a site is penetrated, the attacker acts quickly, scooping up as much valuable information as possible and exiting
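Replay, masquerade and modification are the active attacks the text says a receiver must detect; the following is an added example (not from the chapter or the textbook) of a receiver that does so with a shared-key HMAC and a per-message sequence number. The shared key, sender names and message bodies are constructed for the demo.

```python
import hashlib
import hmac

# Constructed demo key shared by sender and receiver (assumption: pre-shared
# out of band; a real system would get it from a key exchange).
SHARED_KEY = b"constructed-demo-shared-key-not-for-production"


def _canonical(seq: int, sender: str, body: str) -> bytes:
    """Length-prefix each field so no field boundary can be shifted by an attacker."""
    parts = (str(seq).encode(), sender.encode(), body.encode())
    return b"".join(len(p).to_bytes(4, "big") + p for p in parts)


def mac(key: bytes, seq: int, sender: str, body: str) -> str:
    """HMAC-SHA256 over sequence number, claimed sender and body."""
    return hmac.new(key, _canonical(seq, sender, body), hashlib.sha256).hexdigest()


def send(key: bytes, seq: int, sender: str, body: str) -> dict:
    """Sender side: attach sequence number, identity and MAC to the message."""
    return {"seq": seq, "from": sender, "body": body, "mac": mac(key, seq, sender, body)}


class Receiver:
    """Receiver that checks integrity, origin and freshness of every message."""

    def __init__(self, key: bytes):
        self.key = key
        self.expected_seq = 0   # next sequence number we will accept
        self.accepted = []      # bodies that passed all checks

    def accept(self, msg: dict) -> str:
        expected = mac(self.key, msg["seq"], msg["from"], msg["body"])
        # Constant-time compare. A bad MAC means the body or the claimed sender
        # was altered, or the sender does not hold the key (modification or masquerade).
        if not hmac.compare_digest(expected, msg["mac"]):
            return "REJECT: bad MAC (modified or forged message)"
        # A sequence number we have already passed is a replayed capture.
        if msg["seq"] < self.expected_seq:
            return "REJECT: replay (seq %d already seen)" % msg["seq"]
        # A gap means earlier messages were dropped, delayed or reordered in transit.
        if msg["seq"] > self.expected_seq:
            return "REJECT: gap (expected seq %d)" % self.expected_seq
        self.expected_seq += 1
        self.accepted.append(msg["body"])
        return "ACCEPT"


def demo() -> list:
    """Run the legitimate case and the three detectable attacks; return the verdicts."""
    rx = Receiver(SHARED_KEY)
    verdicts = []
    m0 = send(SHARED_KEY, 0, "alice", "transfer 100 to bob")
    verdicts.append(rx.accept(m0))                                   # legitimate
    tampered = dict(m0, seq=1, body="transfer 900 to bob")           # body changed, old MAC
    verdicts.append(rx.accept(tampered))                             # modification
    forged = send(b"wrong-key", 1, "alice", "hello")                 # claims to be alice
    verdicts.append(rx.accept(forged))                               # masquerade
    verdicts.append(rx.accept(m0))                                   # replay of m0
    verdicts.append(rx.accept(send(SHARED_KEY, 1, "alice", "statement please")))
    return verdicts
```

Denial of service is the one active attack this check cannot address: dropping or flooding traffic leaves nothing for the receiver to verify, which is why the text pairs detection with recovery.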
• Insider Attacks
  • Difficult to detect and prevent
  • Employees have access to and knowledge of the structure and content of databases
  • Can be motivated by revenge or a feeling of entitlement

Malicious Software
• Malware
  • Malicious software that exploits system vulnerabilities
  • Designed to cause damage to or use up the resources of a target computer
  • Frequently concealed within or masquerades as legitimate software
  • Two categories
    • Those that need a host program (parasitic)
    • Those that are independent
  • May or may not replicate

Table 18.4 Terminology of Malicious Programs (This table can be found in the textbook on page 523)

Malicious Programs
• Back door (also known as a trap door)
  • Secret entry point into a program that allows someone who is aware of the back door to gain access without going through the usual security access procedures
  • A maintenance hook is a backdoor inserted by a programmer to aid in testing and debugging
• Logic Bomb
  • One of the oldest types of program threats
  • Code embedded in some legitimate program that is set to "explode" when certain conditions are met

[Diagram slides: a company network (illegal for outsiders) and its database; question: What's the worst that could happen?]

PRIVILEGE ESCALATION attacks occur when a threat actor gains access to an employee's account, bypasses the proper authorization channel, and successfully grants themselves access to data they are not supposed to have. When deploying these attacks, threat actors are typically attempting to exfiltrate data, disrupt business functions, or create backdoors.
[Diagram slide: the company network with an admin backdoor.]

Malicious Programs
• Trojan Horse
  • A useful, or apparently useful, program or command procedure containing hidden code that, when invoked, performs some unwanted or harmful function
  • Can be used to accomplish functions indirectly that an unauthorized user could not accomplish directly
  • Trojan horses fit into one of three models:
    • Continuing to perform the function of the original program and additionally performing a separate malicious activity
    • Continuing to perform the function of the original program but modifying the function to perform malicious activity or to disguise other malicious activity
    • Performing a malicious function that completely replaces the function of the original program

Malicious Programs
• Mobile code
  • Refers to programs that can be shipped unchanged to a heterogeneous collection of platforms and execute with identical semantics
  • Is transmitted from a remote system to a local system and then executed on the local system without the user's explicit instruction
• Multiple-threat malware
  • Multipartite
    • Infects in multiple ways
  • Blended attack
    • Uses multiple methods of infection or transmission to maximize the speed of contagion and the severity of the attack

Viruses
• Software that can "infect" other programs by modifying them
• The modification includes injecting the original program with a routine to make copies of the virus program, which can then go on to infect other programs
• A virus has three parts:
  • Infection mechanism
    • The means by which a virus spreads, enabling it to replicate
    • Also referred to as the infection vector
  • Trigger
    • The event or condition that determines when the payload is activated or delivered
  • Payload
    • What the virus does, besides spreading
    • May involve damage or may involve benign but noticeable activity

Virus Phases (dormant, propagation, triggering, execution)
• Dormant phase
  • Virus is idle
  • Will eventually be activated by some event
  • Not all viruses have this stage
• Propagation phase
  • Virus places an identical copy of itself into other programs
  • Each infected program will now contain a clone of the virus, which will itself enter a propagation phase
• Triggering phase
  • Virus is activated to perform the function for which it was intended
• Execution phase
  • The function is performed

Virus Classifications by Target
• Boot sector infector
  • Infects a master boot record and spreads when a system is booted from the disk containing the virus
• File infector
  • Infects files that the operating system or shell considers to be executable
• Macro virus
  • Infects files with macro code that is interpreted by an application

Virus Classification by Concealment Strategy
• Encrypted virus
  • A portion of the virus creates a random encryption key and encrypts the remainder of the virus
  • The key is stored with the virus
• Stealth virus
  • A form of virus explicitly designed to hide itself from detection by antivirus software
  • The entire virus, not just the payload, is hidden
• Polymorphic virus
  • A virus that mutates with every infection, making detection by the "signature" of the virus impossible
• Metamorphic virus
  • Mutates with every infection
  • Rewrites itself completely at each iteration, increasing the difficulty of detection

Macro Viruses
• In the mid 1990s became by far the most prevalent type of virus
• Threatening because:
  • A macro virus is platform independent
  • Macro viruses infect documents, not executable portions of code
  • Macro viruses are easily spread
  • Traditional file system access controls are of limited use in preventing their spread
• Is an executable program embedded in a word processing document or other type of file

E-Mail Viruses
• The first rapidly spreading e-mail viruses made use of a Microsoft Word macro embedded in an attachment
• If the recipient opens the e-mail attachment, the Word macro is activated
• The virus sends itself to everyone on the mailing list in the user's e-mail package
• The virus does local damage on the user's system
• In 1999 a virus appeared that could be activated merely by opening an e-mail that contains the virus rather than opening an attachment
• The virus uses the Visual Basic scripting language supported by the e-mail package
• Malware arrives via e-mail and uses e-mail software features to replicate itself across the Internet
• The virus propagates itself as soon as it is activated to all of the e-mail addresses known by the infected host

Worms
• Programs that can replicate themselves and send copies from computer to computer across network connections
• In addition to propagation the worm usually performs some unwanted function
• Actively seek out more machines to infect, and each machine that is infected serves as an automated launching pad for attacks on other machines
• A network worm:
  • Exhibits the same characteristics as a computer virus
  • May attempt to determine if a system has previously been infected before copying itself

Bots
• Also known as a zombie or drone
• Program that secretly takes over another Internet-attached computer, then uses it to launch attacks that are difficult to trace to the bot's creator
• A botnet is a collection of bots capable of coordinating attacks
• Characteristics:
  • The bot functionality
  • A remote control facility
  • A spreading mechanism to propagate the bots and construct the botnet

Uses of Bots
• Distributed denial-of-service attacks
• Spamming
• Sniffing traffic
• Keylogging
• Spreading new malware
• Installing advertisement add-ons and browser helper objects (BHOs)
• Attacking IRC chat networks
• Manipulating online polls/games

Remote Control Facility
• Is what distinguishes a bot from a worm
• A worm propagates itself and activates itself, whereas a bot is controlled from some central facility
• A typical means of implementation is on an IRC server
• All bots join a specific channel on this server and treat incoming messages as commands
• Once a communications path is established between a control module and the bots, the control module can activate the bots

Constructing a Network Attack
• Software to carry out the attack must be able to run on a large number of machines and remain concealed
• The attack must be aware of a vulnerability that many system administrators have failed to notice
• A strategy for locating vulnerable machines must be implemented
  • This is known as scanning or fingerprinting

Intrusion Countermeasures
• Intrusion detection is a security service that monitors and analyzes system events for the purpose of finding, and providing real-time or near real-time warning of, attempts to access system resources in an unauthorized manner
• Intrusion Detection Systems (IDSs) can be classified as:
  • Host-based IDS
    • Monitors the characteristics of a single host and the events occurring within that host for suspicious activity
  • Network-based IDS
    • Monitors network traffic for particular network segments or devices and analyzes network, transport, and application protocols to identify suspicious activity

Intrusion Detection System (IDS)
© 2018 Cengage. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use.
• Intrusion detection system (IDS)
  • Can detect an attack as it occurs
  • Inline IDS
    • Connected directly to the network and monitors the flow of data as it occurs
  • Passive IDS
    • Connected to a port on a switch, which receives a copy of network traffic
  • IDS systems can be managed:
    • In-band – through the network itself by using network protocols and tools
    • Out-of-band – using an independent and dedicated channel to reach the device

Intrusion Prevention Systems (IPSs)
• Intrusion Prevention System (IPS)
  • Monitors network traffic to immediately block a malicious attack
  • Similar to NIDS
  • NIPS is located "in line" on the firewall
    • Allows the NIPS to more quickly take action to block an attack
  • Application-aware IPS
    • Knows which applications are running as well as the underlying OS

[Diagram slide: IPS versus IDS placement in the network.]
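A host-based IDS, as described above, watches the events on one host and raises a near real-time warning; the following is an added example (not from the chapter or the Cengage slides) of one such rule, run over constructed sshd-style log lines, that flags the "guessing and cracking passwords" intrusion from the examples list. Hostnames, users, addresses (documentation ranges) and the window/threshold values are all constructed for the demo.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample auth log (not from any real system).
SAMPLE_LOG = """\
Jan 10 10:00:01 mail sshd[2201]: Failed password for root from 203.0.113.5 port 4111 ssh2
Jan 10 10:00:03 mail sshd[2201]: Failed password for root from 203.0.113.5 port 4112 ssh2
Jan 10 10:00:05 mail sshd[2202]: Failed password for invalid user admin from 203.0.113.5 port 4113 ssh2
Jan 10 10:00:06 mail sshd[2203]: Accepted publickey for carol from 198.51.100.7 port 5001 ssh2
Jan 10 10:00:08 mail sshd[2204]: Failed password for root from 203.0.113.5 port 4114 ssh2
Jan 10 10:00:09 mail sshd[2205]: Failed password for root from 203.0.113.5 port 4115 ssh2
Jan 10 10:00:20 mail sshd[2206]: Accepted password for root from 203.0.113.5 port 4116 ssh2
Jan 10 10:05:00 mail sshd[2207]: Failed password for dave from 198.51.100.9 port 5002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)

WINDOW_SECONDS = 60   # sliding window over which failures are counted
THRESHOLD = 5         # failures from one source inside the window that trigger an alert


def parse(line: str):
    """Return (timestamp, result, user, source) or None for lines this rule ignores."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # Assumption: syslog omits the year, so a fixed year is supplied for parsing.
    ts = datetime.strptime("2024 " + m["ts"], "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["src"]


def detect(log_text: str) -> list:
    """Host-based IDS rule: emit (severity, source, reason) alerts as lines arrive."""
    failures = defaultdict(deque)   # source -> timestamps of recent failures
    flagged = set()                 # sources already reported for guessing
    alerts = []
    for line in log_text.splitlines():
        parsed = parse(line)
        if parsed is None:
            continue
        ts, result, user, src = parsed
        window = failures[src]
        if result == "Failed":
            window.append(ts)
            # Discard failures that have aged out of the sliding window.
            while window and (ts - window[0]).total_seconds() > WINDOW_SECONDS:
                window.popleft()
            if len(window) >= THRESHOLD and src not in flagged:
                flagged.add(src)
                alerts.append(("MEDIUM", src, "password guessing: %d failures in %ds"
                               % (len(window), WINDOW_SECONDS)))
        elif result == "Accepted" and src in flagged:
            # A success right after a guessing burst is the event that needs a responder.
            alerts.append(("HIGH", src, "successful login as %r after guessing burst" % user))
    return alerts
```

On the sample log the rule produces two alerts for 203.0.113.5: the burst itself, then the later accepted password, which is the case an inline IPS would have blocked rather than merely reported.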
Security Technologies Used

Authentication
• In most computer security contexts, user authentication is the fundamental building block and the primary line of defense
• The process of verifying an identity claimed by or for a system entity
• An authentication process consists of two steps:
  • Identification step
    • Presenting an identifier to the security system
  • Verification step
    • Presenting or generating authentication information that corroborates the binding between the entity and the identifier

Intrusion Prevention
• User Authentication
  • User profiles are used to manage access to resources
  • Types of authentication
    • Something you know
      • e.g., passwords, passphrases, and PIN numbers
    • Something you have
      • e.g., access cards, smart cards, tokens, phones
    • Something you are
      • Biometrics like fingerprints, handprints, retina
  • Using multiple types of authentication provides increased security (multi-factor authentication)
  • Most organizations are moving to centralized authentication

1 Factor Authentication
• User identification: Login name
• User information needed for Authentication
  • Something you know
    • e.g., passwords, passphrases, and PIN numbers

2 Factor Authentication
• User identification: Login name
• User information needed for Authentication
  • Something you know
    • e.g., passwords, passphrases, and PIN numbers
  • Something you have
    • e.g., access cards, smart cards, tokens, phones

Multi Factor Authentication
• User identification: Login name
• User information needed for Authentication
  • Something you know
    • e.g., passwords, passphrases, and PIN numbers
  • Something you have
    • e.g., access cards, smart cards, tokens, phones
  • Something you are
    • Biometrics like fingerprints, handprints, retina

Example Authentication Control
• What kind of user information?
• Authentication Control (User information)
  • Something you know?
  • Something you have?
  • Something you are?
Multi Factor Authentication
• Something you know: School/Univ Name
• Something you have: Passport / ID card
• Something you are: Finger Print / Face Scan

File System Access Control
File system access control is implemented using a combination of permissions and ownership.
• Permissions define what actions users can perform on a file or folder, such as read, write, or execute.
• Ownership defines who owns a file or folder and has the most permissions on it.

File System Access Control
• Identifies a user to the system
• Associated with each user there can be a profile that specifies permissible operations and file accesses
• The operating system can then enforce rules based on the user profile
• The database management system, however, must control access to specific records or even portions of records
• The database management system decision for access depends not only on the user's identity but also on the specific parts of the data being accessed and even on the information already divulged to the user

Figure 15.4 Access Control Policies: discretionary access control policy, mandatory access control policy, role-based access control policy

DISCRETIONARY ACCESS CONTROL
Leaves a certain amount of access control to the discretion of the object's owner, or anyone else who is authorized to control the object's access. Discretionary access control (DAC) is a type of security access control that grants or restricts object access via an access policy determined by an object's owner group and/or subjects. DAC mechanism controls are defined by user identification with supplied credentials during authentication, such as username and password. DACs are discretionary because the subject (owner) can transfer authenticated objects or information access to other users.
In other words, the owner determines object access privileges.

MANDATORY ACCESS CONTROL (MAC)
A method of limiting access to resources based on the sensitivity of the information that the resource contains and the authorization of the user to access information with that level of sensitivity. An example of MAC occurs in military security, where an individual data owner does not decide who has a top-secret clearance, nor can the owner change the classification of an object from top-secret to secret.

ROLE-BASED ACCESS CONTROL (RBAC)
Restricts network access based on a person's role within an organization and has become one of the main methods for advanced access control. The roles in RBAC refer to the levels of access that employees have to the network.
• Software Engineering role
• Marketing Personnel role
• Human Resources role

Control Spreadsheet (example)

The counter measures
CONTROL MEASURES
1. Disaster Recovery plan and education / training
2. Halon fire system & sprinklers (fire)
3. Not on or below ground level (flood)
4. UPS (uninterruptible power source)
5. Virus checking software present and updated
6. Extensive user training about viruses
7. Strong password policy
8. Extensive user training about password security
9. Application-layer firewall
10. Firewall for data communication in & out of the system

Control Spreadsheet (example)
• Threat categories:
  • REGIONAL DESTRUCTION, DAMAGE: Fire, Flood, Power loss
  • COMPANY SPECIFIC INTRUSION: Internal Intruder / Hacker, External Intruder / Hacker
• IT ASSETS: Server, Database, Financial Software, Personal office computers

Summary
• Computer security concepts
• Threats and attacks
• Threats and assets
• Intruder behavior patterns
• Intrusion techniques
• Malicious software
  • Back door
  • Logic bomb
  • Trojan horse
  • Mobile code
  • Multiple-threat malware
  • Viruses
  • Worms
  • Bots
  • Spam
• Computer security trends
  • Credential theft, keyloggers, and spyware
  • Phishing and identity theft
  • Reconnaissance and espionage
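The three access control policies of Figure 15.4 differ in who decides: the owner (DAC), a classification policy nobody can override (MAC), or the role a person holds (RBAC). The following is an added example (not from the chapter or the textbook) that implements a minimal check for each and runs the page's own cases: an owner granting access, a secret-cleared user and a top-secret object, and the Software Engineering / Marketing / Human Resources roles; the users, permissions and the "no write down" rule for MAC (from the Bell-LaPadula model, going slightly beyond the text) are assumptions of the demo.

```python
from dataclasses import dataclass, field

# --- Discretionary access control: the object's owner decides -------------------
@dataclass
class DacObject:
    owner: str
    acl: dict = field(default_factory=dict)   # subject -> set of permissions

    def grant(self, by: str, to: str, perm: str) -> bool:
        """Only the owner may change the ACL; the discretion lies with the owner."""
        if by != self.owner:
            return False
        self.acl.setdefault(to, set()).add(perm)
        return True

    def allows(self, subject: str, perm: str) -> bool:
        return subject == self.owner or perm in self.acl.get(subject, set())


# --- Mandatory access control: labels are set by policy, not by owners ----------
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top-secret": 3}

def mac_read_allowed(clearance: str, classification: str) -> bool:
    """Simple security rule ("no read up"): read only at or below your clearance."""
    return LEVELS[clearance] >= LEVELS[classification]

def mac_write_allowed(clearance: str, classification: str) -> bool:
    """*-property ("no write down"): never write to an object below your level."""
    return LEVELS[clearance] <= LEVELS[classification]


# --- Role-based access control: permissions attach to roles, users to roles -----
ROLE_PERMS = {
    "software_engineering": {"source:read", "source:write", "build:run"},
    "marketing":            {"campaign:read", "campaign:write", "source:read"},
    "human_resources":      {"payroll:read", "payroll:write", "employee:read"},
}
USER_ROLES = {"alice": {"software_engineering"}, "bob": {"marketing"},
              "carol": {"human_resources", "marketing"}}

def rbac_allows(user: str, perm: str) -> bool:
    """A user holds a permission only through one of their roles (unknown users: none)."""
    return any(perm in ROLE_PERMS[r] for r in USER_ROLES.get(user, ()))


def demo() -> dict:
    """Exercise each policy with the page's cases and return the decisions."""
    out = {}
    # DAC: alice owns the file; bob cannot widen his own access, alice can.
    doc = DacObject(owner="alice")
    out["dac_bob_before"] = doc.allows("bob", "read")
    out["dac_bob_grants_self"] = doc.grant("bob", "bob", "read")
    doc.grant("alice", "bob", "read")
    out["dac_bob_after"] = doc.allows("bob", "read")
    out["dac_bob_write"] = doc.allows("bob", "write")
    # MAC: clearance versus classification; no owner is consulted at all.
    out["mac_secret_reads_ts"] = mac_read_allowed("secret", "top-secret")
    out["mac_ts_reads_secret"] = mac_read_allowed("top-secret", "secret")
    out["mac_ts_writes_secret"] = mac_write_allowed("top-secret", "secret")
    # RBAC: access follows the role, not the person.
    out["rbac_bob_source_write"] = rbac_allows("bob", "source:write")
    out["rbac_carol_payroll"] = rbac_allows("carol", "payroll:read")
    out["rbac_unknown"] = rbac_allows("mallory", "source:read")
    return out
```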