Computer Security 101

Eric Pancer
Computer Security Response Team
http://security.depaul.edu/
welcome!
- Why Are You Here?
- Why Am I Here?
april, 2004
sponsors
- Information Services
- Computer Security Response Team
incidents and trends

what defines an incident?
- A computer security incident covers a large range of violations, including:
  - Harassment,
  - Denial/Interruption of Service,
  - Malware Infection (worm, virus),
  - Unauthorized Access,
  - Misuse of Data or Services,
  - Copyright Infringement,
  - Spam?
general statistics
CERT/CC: Incidents Reported

  Year    Incidents
  1991          406
  1993        1,334
  1995        2,412
  1997        2,134
  1999        9,859
  2001       52,658
  2003      137,529
in our backyard
- W32.Blaster Worm
  - Exploited a vulnerability patched in July, 2003.
  - Unleashed August, 2003.
  - 900+ infections from August 11, 2003 to October 11, 2003.
  - Persists at approximately 8-10 infections weekly.
- 'Bots
  - Exploit common vulnerabilities.
  - Variants released weekly.
  - Centrally controlled.
  - Growing more and more malicious.
  - 700+ unique hosts since January, 2004.
even more alarming
- W32.Slammer Worm
  - January, 2003.
  - Attacked…
    - …unpatched MS-SQL 2000 servers…
    - …unpatched desktops with Microsoft Desktop Engine…
  - Interrupted Bank of America ATM services.
  - Caused a "meltdown" of University network services due to other "bugs" on the network.
  - The vulnerability was announced, and patched, in July, 2002 (MS02-039): six months before the worm!
how do we find violations?
- Intelligence gathering is performed in many ways, though human interaction and communication is still the best method:
  - Reports to abuse@depaul.edu.
  - Internal reports.
  - Monitoring network flows.
  - Searching for attack patterns.
  - Hearsay, rumors, gossip.
sample e-mail report
Date: Fri, 9 Apr 2004 12:57:16 -0400
From: Abuse@example.gov
To: abuse@depaul.edu
Cc: cert@cert.org, Abuse@example.gov
Subject: Abuse! Suspicious Activity!!! 140.192.21.254

Hello,
You are being contacted regarding suspicious activity logged from a host on
your network. We found that the address 140.192.21.254 was attempting to
connect to the VPN port 500 (TCP) on Apr 8 at 18:15:41 (EST).

Log Entries (All times are EDT):
*Apr  8 18:15:41  140.192.21.254  500  x.123.208.2  500  1
*Apr  8 18:15:43  140.192.21.254  500  x.123.208.2  500  1

Please review the log information included below. The data reflected in the
log could be interpreted as a user from your domain attempting to probe a
federal government network. Please investigate this immediately and take
action to prevent further probing of the network.
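An abuse report like the one above arrives with timestamps in the reporter's zone (this one says EST in the prose and EDT in the log header), log lines that carry no year, and a source address that may or may not be yours. The first triage step is mechanical: normalise the times to UTC so they can be matched against your own flow logs, and confirm the source really sits in your address space before anyone is accused of anything. The Python below is an added example, not CSRT code; the column order of the log lines (month, day, time, source, source port, destination, destination port, hit count), the campus prefix 140.192.0.0/16 and the sample report text are assumptions taken from the slide. One more thing worth querying with the reporter: IKE's port 500 is UDP, so a complaint about "port 500 (TCP)" deserves a second look.

```python
import re
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network

# Assumption: the campus prefix. Every 140.192.x.x address in this deck falls in it.
OUR_NETS = [ip_network("140.192.0.0/16")]

# Fixed offsets for the zone labels such reports use. The sample says "EST" in
# the prose and "EDT" in the log header; in April US Eastern is on daylight
# time, so the header label is the one to trust.
TZ_OFFSETS = {
    "EST": timezone(timedelta(hours=-5)),
    "EDT": timezone(timedelta(hours=-4)),
    "UTC": timezone.utc,
}

# Assumed column order for the report's log lines (the report does not label
# them): month day time source sport destination dport hit-count.
LOG_RE = re.compile(
    r"^\*?(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<sport>\d+)\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\d+)\s+(?P<hits>\d+)$"
)

# Constructed from the slide's sample report; the reporter's own addresses
# stay redacted ("x.123.208.2") exactly as they are on the slide.
SAMPLE_REPORT = """\
Subject: Abuse! Suspicious Activity!!! 140.192.21.254

We found that the address 140.192.21.254 was attempting to
connect to the VPN port 500 (TCP) on Apr 8 at 18:15:41 (EST).
Log Entries (All times are EDT):
*Apr  8 18:15:41  140.192.21.254  500  x.123.208.2  500  1
*Apr  8 18:15:43  140.192.21.254  500  x.123.208.2  500  1
"""


def to_utc(mon, day, hhmmss, year, tz_label):
    """Syslog-style stamps carry no year or zone; attach both, then convert."""
    naive = datetime.strptime(f"{year} {mon} {day} {hhmmss}", "%Y %b %d %H:%M:%S")
    return naive.replace(tzinfo=TZ_OFFSETS[tz_label]).astimezone(timezone.utc)


def is_ours(addr):
    ip = ip_address(addr)
    return any(ip in net for net in OUR_NETS)


def triage_report(text, year):
    """Parse the log lines of an abuse report into UTC-stamped entries and
    pick out those whose source is in our address space. `year` comes from
    the message's Date: header, since the log stamps omit it."""
    m = re.search(r"All times are (\w+)", text)
    tz_label = m.group(1) if m else "UTC"   # no label: assume the reporter logs in UTC
    entries = []
    for line in text.splitlines():
        hit = LOG_RE.match(line.strip())
        if hit is None:
            continue
        entries.append({
            "ts_utc": to_utc(hit["mon"], hit["day"], hit["time"], year, tz_label),
            "src": hit["src"], "sport": int(hit["sport"]),
            "dst": hit["dst"], "dport": int(hit["dport"]),
            "hits": int(hit["hits"]),
            "ours": is_ours(hit["src"]),
        })
    return {"tz_label": tz_label,
            "entries": entries,
            "ours": [e for e in entries if e["ours"]]}


if __name__ == "__main__":
    result = triage_report(SAMPLE_REPORT, year=2004)
    for e in result["ours"]:
        print(f"{e['ts_utc'].isoformat()}  {e['src']}:{e['sport']} -> "
              f"{e['dst']}:{e['dport']}  hits={e['hits']}")
```

With the sample report both entries resolve to 22:15 UTC on 8 April and both sources fall inside 140.192.0.0/16, which is what you would then look for in the flow logs of the next slide. If the zone label were missing the code falls back to UTC; in practice that is the moment to write back and ask, because a wrong offset puts you an hour or more away from the right DHCP lease or NAT session.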
network flows
(columns: date, time, protocol, source address.port, direction, destination address.port, state)

19 Apr 04 10:49:33.61177 tcp 140.192.27.47.3076     ->   66.18.100.2.80          RST
19 Apr 04 10:49:33.62319 tcp 140.192.83.97.1302     ->   63.123.232.243.80       FIN
19 Apr 04 10:49:33.63790 tcp 192.77.161.22.44274    ?>   140.192.220.21.80       EST
19 Apr 04 10:49:33.62713 tcp 140.192.55.29.4462     ->   12.130.91.26.80         EST
19 Apr 04 10:49:33.63408 tcp 140.192.131.188.4726   ->   216.73.87.20.80         FIN
19 Apr 04 10:49:33.64504 tcp 140.192.110.86.3986    ->   64.40.102.42.80         FIN
19 Apr 04 10:49:33.64507 tcp 140.192.132.134.4947   ->   216.120.60.144.80       FIN
19 Apr 04 10:49:33.65468 tcp 140.192.132.67.3357    ->   207.68.173.254.80       FIN
19 Apr 04 10:49:33.66201 tcp 140.192.15.106.4881    ->   207.68.162.24.80        FIN
19 Apr 04 10:49:33.66328 tcp 140.192.15.106.4882    ->   207.68.162.24.80        FIN
19 Apr 04 10:49:33.66709 tcp 140.192.227.36.1106    ->   205.158.62.54.80        FIN
19 Apr 04 10:49:33.66836 tcp 140.192.132.134.4948   ->   216.120.60.175.80       FIN
19 Apr 04 10:49:39.36782 tcp 140.192.151.158.4632   ->   216.239.41.104.80       RST
19 Apr 04 10:50:06.11342 tcp 140.192.196.6.3649     ->   1.0.0.1.80              TIM
19 Apr 04 10:51:27.93013 udp 24.186.52.241.1620     <->  140.192.170.146.3845    ACC
19 Apr 04 10:50:55.77691 tcp 140.192.196.6.4670     <?>  207.44.246.72.80        CON
19 Apr 04 10:51:28.05120 udp 128.175.131.52.3964    <->  140.192.177.213.1480    ACC
19 Apr 04 10:50:54.13063 tcp 140.192.196.6.4671     ->   207.44.246.72.80        RST
19 Apr 04 10:51:28.07679 udp 209.6.25.71.2021       <->  140.192.176.87.3068     ACC
19 Apr 04 10:51:27.81926 udp 140.192.175.192.1343   <->  62.143.31.15.1870       ACC
19 Apr 04 10:51:27.93307 udp 140.192.231.133.1612   <->  142.179.17.60.1053      ACC
19 Apr 04 10:50:51.29740 tcp 200.87.50.62.10547     ->   140.192.175.183.139     EST
19 Apr 04 10:51:28.08786 udp 209.6.25.71.2021       <->  140.192.176.87.3068     ACC
19 Apr 04 10:51:28.08839 udp 149.159.97.73.1576     <->  140.192.172.92.1495     ACC
19 Apr 04 10:50:54.13644 tcp 140.192.196.6.4686     ->   207.44.246.72.80        RST
19 Apr 04 10:51:28.09423 udp 62.163.81.124.11480    <->  140.192.171.165.11895   ACC
known signatures
alert tcp $HOME_NET any -> $EXTERNAL_NET 135 \
(msg:"SCAN - Microsoft Directory and File Services"; \
stateless; flags:S,12; threshold: type threshold, track by_src, \
count 520, seconds 600; classtype:network-scan; \
priority:7; sid:6010001; rev:1;)

[**] [1:6010001:1] <em0> SCAN - Microsoft Directory and File Services [**]
[Classification: Detection of a Network Scan] [Priority: 7]
04/19/04-01:54:42.622054 140.192.21.254:2460 -> 10.203.54.114:135
TCP TTL:126 TOS:0x0 ID:49784 IpLen:20 DgmLen:48 DF
******S* Seq: 0xC6D0AB86 Ack: 0x0 Win: 0x4000 TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
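The flow records and the Snort threshold rule above reduce to the same question: how many probes has one source sent to one port inside a time window? The Python below is an added example, not CSRT code and not Snort; it parses records in the layout of the "network flows" slide and applies the rule's `threshold: type threshold, track by_src, count N, seconds S` logic at the flow level. The sample flows are constructed: the scanner address is the one from the Snort alert, the RST/TIM states come from the slide's own records, and the demo threshold of 5 is lowered from the rule's 520 so the example fires on a handful of lines.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Record layout of the "network flows" slide:
#   dd Mon yy  HH:MM:SS.frac  proto  src.addr.port  dir  dst.addr.port  state
FLOW_RE = re.compile(
    r"^(?P<date>\d{2} \w{3} \d{2})\s+(?P<time>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<dir>\S+)\s+(?P<dst>\S+)\s+(?P<state>\w+)$"
)

# Constructed sample, not real campus data. It mixes two web flows copied from
# the slide with: a fast scanner (the address from the Snort alert) sweeping
# port 135 across a /24, a slow host whose port-135 connections are spread too
# thinly to cross the window, and a single ordinary port-135 connection.
SAMPLE_FLOWS = """\
19 Apr 04 10:49:33.61177 tcp 140.192.27.47.3076 -> 66.18.100.2.80 RST
19 Apr 04 10:49:33.62319 tcp 140.192.83.97.1302 -> 63.123.232.243.80 FIN
19 Apr 04 01:54:42.62205 tcp 140.192.21.254.2460 -> 10.203.54.114.135 RST
19 Apr 04 01:54:43.10211 tcp 140.192.21.254.2461 -> 10.203.54.115.135 TIM
19 Apr 04 01:54:43.64020 tcp 140.192.21.254.2462 -> 10.203.54.116.135 RST
19 Apr 04 01:54:44.20098 tcp 140.192.21.254.2463 -> 10.203.54.117.135 RST
19 Apr 04 01:54:44.77310 tcp 140.192.21.254.2464 -> 10.203.54.118.135 TIM
19 Apr 04 01:54:45.31880 tcp 140.192.21.254.2465 -> 10.203.54.119.135 RST
19 Apr 04 10:30:00.00000 tcp 140.192.196.6.3001 -> 140.192.220.10.135 EST
19 Apr 04 10:34:00.00000 tcp 140.192.196.6.3002 -> 140.192.220.11.135 EST
19 Apr 04 10:38:00.00000 tcp 140.192.196.6.3003 -> 140.192.220.12.135 EST
19 Apr 04 10:42:00.00000 tcp 140.192.196.6.3004 -> 140.192.220.13.135 EST
19 Apr 04 10:46:00.00000 tcp 140.192.196.6.3005 -> 140.192.220.14.135 EST
19 Apr 04 10:50:51.29740 tcp 140.192.55.29.4462 -> 140.192.220.21.135 EST
19 Apr 04 10:51:27.93013 udp 24.186.52.241.1620 <-> 140.192.170.146.3845 ACC
"""


def split_endpoint(endpoint):
    """'140.192.21.254.2460' -> ('140.192.21.254', 2460): the final dotted
    field is the port; everything before it is the IPv4 address."""
    host, port = endpoint.rsplit(".", 1)
    return host, int(port)


def parse_flow(line):
    m = FLOW_RE.match(line.strip())
    if m is None:
        raise ValueError(f"unrecognised flow record: {line!r}")
    ts = datetime.strptime(f"{m['date']} {m['time']}", "%d %b %y %H:%M:%S.%f")
    src, sport = split_endpoint(m["src"])
    dst, dport = split_endpoint(m["dst"])
    return {"ts": ts, "proto": m["proto"], "src": src, "sport": sport,
            "dir": m["dir"], "dst": dst, "dport": dport, "state": m["state"]}


def detect_scans(lines, dport=135, count=520, seconds=600, proto="tcp"):
    """Flow-level analogue of the rule's
    'threshold: type threshold, track by_src, count N, seconds S':
    emit one alert each time a single source accumulates `count` flows to
    `dport` inside a sliding window of `seconds`, then start counting again."""
    recent = defaultdict(deque)   # src -> deque of (timestamp, dst) in window
    alerts = []
    records = sorted((parse_flow(ln) for ln in lines if ln.strip()),
                     key=lambda r: r["ts"])
    for rec in records:
        if rec["proto"] != proto or rec["dport"] != dport:
            continue
        window = recent[rec["src"]]
        window.append((rec["ts"], rec["dst"]))
        # Expire probes older than the window. The entry just appended has
        # age zero, so the loop always stops with at least one entry left.
        while (rec["ts"] - window[0][0]).total_seconds() > seconds:
            window.popleft()
        if len(window) >= count:
            alerts.append({
                "src": rec["src"],
                "first": window[0][0],
                "last": rec["ts"],
                "flows": len(window),
                "distinct_dsts": len({dst for _, dst in window}),
            })
            window.clear()   # 'type threshold' semantics: one alert per `count` hits
    return alerts


if __name__ == "__main__":
    # Threshold lowered from the rule's 520 so the constructed sample fires.
    for a in detect_scans(SAMPLE_FLOWS.splitlines(), count=5, seconds=600):
        print(f"SCAN {a['src']} -> {a['distinct_dsts']} hosts on tcp/135 "
              f"({a['flows']} flows between {a['first'].time()} and {a['last'].time()})")
```

The scanner trips the lowered threshold on its fifth probe; the slow host never holds more than three port-135 flows inside any ten-minute window, and the single legitimate connection is ignored. Two differences from the Snort rule are worth keeping in mind: Snort counts SYN packets (`flags:S,12`) while a flow collector counts connections, so a retransmitting client inflates the packet count but not the flow count; and at the rule's real threshold of 520 in 600 seconds the same data produces no alert at all, which is the point of tuning `count` against your own baseline rather than copying a number.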
is it 1984?
- Are you Big Brother?
- Why do you care?
- Do you read my email?
- Isn't the network secure?
- I don't do anything malicious, so don't look at what I do please.
general concepts

common myths
- "Why should I care, I have nothing to hide."
- "Why does anyone care about my computer?"
- "It's too difficult to get access to my computer or personal information…"
- "If someone tries to [insert malicious activity here], I will notice!"
- "Ignorance is bliss!"
are you at risk?
Using the following puts you at risk:
- Computers
- Credit Cards
- Banks
- Airlines
- Automobiles
- …many more…
CIA – the building blocks
- Confidentiality
- Integrity
- Authenticity
Note: the usual statement of the CIA triad is Confidentiality, Integrity, Availability; this deck substitutes Authenticity for the third element.
confidentiality
- Ensures privacy.
- Applies to both data on disks and network communication.
- Accomplished through encryption:
  - https://
  - s/mime
  - pgp
  - ssh and ipsec
integrity
- Develops trust of the network and computer systems.
- Applies to both data on disks and network communication.
- Integrity is increased by proper data and system management.
authenticity
- Another catalyst for trust.
- Required for data on disk and network communication.
- Prevents ID theft, "man in the middle" attacks, etc.
vulnerability life cycle
[Diagram: a cycle with the stages vulnerability, discussion, concept code, exploit, automation, research.]
assumptions
- Researchers will continue to find new bugs and vulnerabilities.
- Active exploitation of these vulnerabilities will continue through worms, viruses, etc.
- Technology will continue to progress and the quality of code will continue to fall.
- Santa Claus is real!
terminology

denial of service
- The overload of a system preventing the normal use of that system.
- A denial of service (DoS) attack is a common method to prevent users from accessing websites.
scanning
- Enumerating the security of a computer system and/or the service(s) it provides.
- A "portscan" checks which services are listening on a host, and frequently which operating system it runs.
- Thousands of portscans against the University have taken place in the time you have read this slide!
exploit
- A piece of malicious code, or an action, used against a computer system to elevate privileges or gain further access.
- Exploits mostly act on bugs found in software or hardware. These bugs are usually due to coding errors or system misconfiguration.
virus
- A virus is a piece of code that modifies existing applications or data to change the behavior of that application or of data.
- Viruses rely on human interaction to ensure their survival and propagation.
worm
- A worm is a program that propagates itself over a network, reproducing itself and changing as needed, to survive and adapt.
- The term worm is derived from tapeworm as coined in John Brunner's book "Shockwave Rider."
(ro)bot
- A software program or computer that performs repetitive functions; usually commanded as part of a botnet (see next slide).
- Although robots were first introduced to spider the world wide web, the term bot has come to represent an increasing threat against computer users.
botnet
- A collection of computers acting in conjunction with one another to perform automated tasks.
- Botnets can be built using viruses, worms or other attacks. These botnets (sometimes thousands of computers) can then carry out "scan and 'sploit" actions automatically.
feeling overwhelmed yet?
defending with technology

start with the basics
- Basic computer security through technology is easy; use:
  - A firewall,
  - Anti-Virus Software,
  - Patch your computer quickly, when required,
  - Strong passwords!
firewalls
- The most useful tool in your bag of defenses.
- Prevents intruders from accessing services on your computer.
- Validates/normalizes network traffic.
- May provide reports and trend analysis.
- Available for all major operating systems – usually for free!
anti-virus software
- Stops viruses and worms sent by email, attachments, downloads, etc.
- Detects malicious software through signatures and heuristics.
- Available for all major desktop and server operating systems.
- A requirement; not an option.
patches
- (Usually) free updates to your computer; can be downloaded from the Internet.
- Available before most exploits surface.
- Automated, usually.
- Critical to overall security.
- Chant: "We Must Patch, We Must Patch…"
strong passwords
- Keeps you on-target with best practices.
- Is composed of 8 or more characters and includes letters, numbers and 2 special characters, including !@#$%^&.-+=|]{}:".
- Not based on any dictionary word from any language.
- Changes regularly; not shared.
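The slide's password rules are easy to state and easy to get subtly wrong when enforced, in particular the "not based on any dictionary word" rule, which has to survive the `P@ssw0rd` substitutions every cracking wordlist already tries. The Python below is an added example, not CSRT code or any real password filter: it checks a candidate against the slide's length, character-class, special-character and dictionary rules and reports every rule it fails. The word list and the substitution table are constructed assumptions; a deployment would load a full multi-language dictionary such as the lists shipped with cracklib.

```python
import re

# Special characters as the slide lists them.
SPECIALS = set('!@#$%^&.-+=|]{}:"')

# Constructed word list (assumption): a real deployment loads full
# multi-language dictionaries, e.g. the lists that ship with cracklib.
DICTIONARY = {"password", "welcome", "depaul", "secret", "chicago",
              "letmein", "qwerty", "monkey", "dragon", "spring"}

# Substitutions every cracking wordlist already includes; undo them before
# the lookup so "P@ssw0rd" is still recognised as "password".
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def normalise(password):
    return password.lower().translate(LEET)


def contains_dictionary_word(password, words=DICTIONARY, min_len=4):
    """True if any dictionary word of at least `min_len` letters appears in
    the de-leeted password; short words are skipped to avoid matching noise."""
    text = normalise(password)
    return any(len(w) >= min_len and w in text for w in words)


def check_password(password, words=DICTIONARY):
    """Return the slide's rules that the candidate violates; [] means accepted.
    'Changes regularly; not shared' cannot be checked from the string itself."""
    failures = []
    if len(password) < 8:
        failures.append("fewer than 8 characters")
    if not re.search(r"[A-Za-z]", password):
        failures.append("no letters")
    if not re.search(r"[0-9]", password):
        failures.append("no numbers")
    if sum(c in SPECIALS for c in password) < 2:
        failures.append("fewer than 2 special characters")
    if contains_dictionary_word(password, words):
        failures.append("based on a dictionary word")
    return failures


if __name__ == "__main__":
    for candidate in ("Depaul2004!", "P@ssw0rd!!", "c9!Mz#4Lq"):
        verdict = check_password(candidate)
        print(f"{candidate!r}: {'ok' if not verdict else ', '.join(verdict)}")
```

`P@ssw0rd!!` satisfies every character-class rule and is still rejected, which is the case a naive regex-only checker misses. The composition and regular-change rules reflect 2004 practice; current guidance (NIST SP 800-63B) instead favours length, screening against breached-password lists and changing passwords only on evidence of compromise, so the dictionary check here is the part of the slide's advice that has aged best.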
coordinated efforts result in success!
[Chart: incident counts (y-axis 0-20) for Worm and Virus, with a Goal line, plotted against the defenses in place: F, F+A, F+A+P, F+A+(P)2, where F, A and P read as the firewall, anti-virus and patching layers of the preceding slides.]
behavioral changes

what technology doesn't solve
- Security technologies adapt as threats appear. They are not able to (easily) combat:
  - Threats,
  - Hoaxes,
  - Scams,
  - The behavior of others.
the clue factor
education and awareness
- Education and awareness are key to increasing the security posture of the University, and the global Internet.
- Dispels the FUD (fear, uncertainty, doubt).
- Addresses problems before they exist.
- Extends the radius of clue.
- Creates inclusion in the entire infosecurity effort.
self-education
- You can increase your own awareness of security related issues.
- Subscribe to mailing lists for security notifications.
- Visit security related websites.
- Contact us, we're always willing to help.
- Voice your concern on security related issues, helping raise awareness in others.
test your efforts
- Contact us and we can schedule a vulnerability scan for your department or network.
- Register your network with us; we can send you reports of suspicious behavior.
- Help us tailor an awareness program for your department.
- Remember: security is about sharing knowledge and contacts, not technology.
thank you!
- Questions?
- Contact CSRT:
Computer Security Response Team
abuse@depaul.edu
security@depaul.edu
http://security.depaul.edu/
or…
Eric Pancer
epancer@security.depaul.edu
pgp: C022 4991 41E5 51E7 683C F765 62F7 7F8E 7ACB CFF3