The Need for Security
Principles of Information Security
Chapter 2
Chapter Objectives




Explain the business need for security.
Describe the responsibility of an organization's general
management and IT management for a successful information
security program.
Identify threats to information security and common attacks
associated with those threats.
Differentiate between threats to information systems and
attacks against the information systems.
2
Introduction

The primary mission of information
security is to ensure that systems and
their contents remain the same.
3
4 Important Functions of Information
Security
Protect the ability to function.
 Enable the safe operation of
applications.
 Protect data.
 Safeguard technology assets.

4
Protecting the Functionality of the
Organization

Shared responsibility between general
management and IT management
◦ Set security policy in compliance with legal
requirements.
◦ Not really a technology issue

Address information security in terms of
◦ Business impact
◦ Cost of business interruption
5
Enabling Safe Operation

Organization requires integrated, efficient, and capable
applications.
◦ Technologically complex.
◦ Must protect critical applications
 Operating system platforms
 Electronic mail
 Instant messaging
◦ Infrastructure developed by
 outsourcing to a service provider
 developing internally
◦ Protection of the infrastructure must be overseen by
management.
6
Protecting Data

Data provides
◦ Record of transactions (e.g., banking)
◦ Ability to deliver value to customers
◦ Enable creation and movement of goods and
services.
 Data in motion (online transactions)
 Data at rest (not online transaction)

Information systems must support these
transactions.
7
Safeguarding Technology Assets

Must have secure infrastructure
services based on the size and scope of
the enterprise.
◦ Smaller businesses may require less
protection.
 Email and personal encryption.
◦ Additional services required for larger
businesses.
 Public Key Infrastructure (PKI) - more complex
◦ Needs change as network grows.
8
Threats

Requirements to protect information
◦ Be familiar with
 The information to be protected
 The systems that store, transport and process it
◦ Know the threats you face

Threat: an object, person, or entity that
represents a constant danger to an
asset.
9
12 General Categories of Threat
1. Acts of human error or failure – mistakes, sloppiness
2. Compromises to intellectual property – piracy, licensing
3. Deliberate acts of espionage or trespass
   ◦ shoulder surfing, hacking, script kiddies, cracker, phreaker
4. Deliberate acts of information extortion – demanding a ransom
5. Deliberate acts of sabotage or vandalism
   ◦ damage reputation, cyberactivist, cyberterrorism
6. Deliberate acts of theft – difficult to detect
7. Deliberate software attacks
   ◦ malware, virus, worm, trojan horses, back door, hoaxes
8. Forces of nature – fire, flood, earthquake, lightning, storms, etc.
9. Deviations in quality or service – service disruptions
10. Technical hardware failures or errors – hardware defects
11. Technical software failures or errors – accidental or intentional flaws
12. Technological obsolescence – unreliable and untrustworthy
10
The Endless Game of Cat and Mouse:
Meet the Cast
Hackers versus crackers
 White hats, black hats, all the shades of
gray, and mysterious color changing
 Conferences?
 Web sites?
 Drills?


http://www.safepatrolsolutions.com/papers/Crackers.pdf
11
Meet the Players
Top 10
 And the others

◦ From
http://www.pbs.org/wgbh/pages/frontline/shows/hackers/

And where they congregate – do NOT go
there unless you want to risk catching something
http://phrack.com, ….
12
Attacks


An act or action that takes advantage of a vulnerability
to compromise a controlled system. Accomplished by a
threat agent that damages or steals information or
physical assets.
Vulnerability
◦ an identified weakness in a controlled system, where controls
are not present or no longer effective.

Attacks exist when a specific action occurs that may cause
a potential loss.

Question: how will the attacker “identify weakness”
and/or know what to attack?
13
Well-Known Types of Attack Against
Controlled Systems
 Malicious Code
 Hoaxes
 Back Doors
 Password Crack
 Brute Force
 Dictionary
 Denial-of-Service (DoS)
 Distributed Denial-of-Service (DDoS)
 Spoofing
 Man-in-the-Middle
 Spam
 Mail Bombing
 Sniffers
 Social Engineering
 Buffer Overflow
 Timing Attack

Of course, any of these attacks can be distributed, and/or coming
from a botnet.
14
Malicious Code


Viruses, worms, Trojan horses, active web scripts.
State-of-the-art
◦ Polymorphic or multivector worm
◦ CERT, Symantec, etc. warnings

Known attack vectors
◦ IP scan and attack
◦ web browsing
◦ Virus
◦ unprotected shares
◦ mass mail
◦ SNMP
15
Hoaxes

Transmit a virus hoax with a real virus
attached.
◦ More readily transmitted by trusting users!
16
Back Doors

Use known or previously discovered
access mechanism to gain access to a
system or network resource.
◦ May be left by system designers or maintenance
staff.
◦ Referred to as trap doors.

Hard to detect --- may be exempt from
usual audit logging procedures.
17
Password Crack
Reverse calculate a password.
 Component of many dictionary attacks.
 Security Account Manager (SAM) file is
accessible

◦ contains hashed representation of the user's
password.
◦ a guessed password can be hashed using the
same algorithm and compared to the stored
hash version of the real password.
18
Brute Force Attack
AKA, password attack
 Try every possible combination of options for a
password.
 Easier if passwords are easy to guess or are default
passwords.
 Avoid using easy to guess passwords --- and don't use
default passwords.
 Rarely used if basic security precautions have been
implemented (e.g., complex passwords).

19
Dictionary Attack



Use a list of commonly used passwords (i.e., a dictionary)
instead of random combinations.
Takes less time to crack than a brute force attack.
Use electronic dictionaries to enforce use of (more)
complex passwords.
20
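The three password slides above (password crack, brute force, dictionary) describe one mechanism from both sides: a guess is hashed with the same algorithm as the stored password and compared, and the same word list that makes the attack cheap can be used at password-set time to reject weak choices. The C program below is an added example, not code from the slides or the textbook. The hash function is a constructed stand-in (FNV-1a) that only plays the role of "the same algorithm"; real systems store passwords with a salted, deliberately slow function such as PBKDF2, bcrypt or Argon2, which is what makes the comparison loop expensive. The word list, the 12-character minimum and the result codes are assumptions for illustration.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in hash (FNV-1a, 64-bit). It is NOT a password
 * hashing algorithm; it only stands for "the same algorithm" the
 * slide refers to. */
static uint64_t toy_hash(const char *s) {
    uint64_t h = 1469598103934665603ULL;
    for (; *s; s++) {
        h ^= (unsigned char)*s;
        h *= 1099511628211ULL;
    }
    return h;
}

/* Constructed word list standing in for an electronic dictionary. */
static const char *DICTIONARY[] = {
    "password", "letmein", "123456", "qwerty", "welcome", "iloveyou"
};
#define DICT_LEN (sizeof DICTIONARY / sizeof DICTIONARY[0])

/* The attack as the slide describes it: hash each dictionary word with
 * the same algorithm and compare against the stored hash. Returns the
 * matching word, or NULL when the stored password is not in the list. */
static const char *dictionary_crack(uint64_t stored_hash) {
    for (size_t i = 0; i < DICT_LEN; i++)
        if (toy_hash(DICTIONARY[i]) == stored_hash)
            return DICTIONARY[i];
    return NULL;
}

/* The defence from the Dictionary Attack slide: run the same list at
 * password-set time so dictionary words never reach the hash store.
 * Returns 0 (accepted), 1 (too short) or 2 (dictionary word, possibly
 * with capitals or trailing digits such as "Password1234"). */
static int check_password_policy(const char *pw) {
    char base[64];
    size_t n = strlen(pw);
    if (n < 12) return 1;
    if (n >= sizeof base) return 0;   /* longer than any dictionary word */
    for (size_t i = 0; i < n; i++)
        base[i] = (char)tolower((unsigned char)pw[i]);
    base[n] = '\0';
    while (n > 0 && isdigit((unsigned char)base[n - 1]))
        base[--n] = '\0';
    for (size_t i = 0; i < DICT_LEN; i++)
        if (strcmp(base, DICTIONARY[i]) == 0) return 2;
    return 0;
}

int main(void) {
    /* constructed "stored" hashes: one weak password, one passphrase */
    uint64_t weak = toy_hash("letmein");
    uint64_t strong = toy_hash("correct horse battery staple");
    const char *hit = dictionary_crack(weak);
    printf("weak hash:   %s\n", hit ? hit : "not in dictionary");
    hit = dictionary_crack(strong);
    printf("strong hash: %s\n", hit ? hit : "not in dictionary");
    printf("policy(\"Password1234\") = %d\n", check_password_policy("Password1234"));
    printf("policy(\"correct horse battery staple\") = %d\n",
           check_password_policy("correct horse battery staple"));
    return 0;
}
```

The point of putting both halves in one file is that the work the attacker does per guess is exactly the work the login system does per attempt; a slow, salted hash raises the cost of both, while the policy check removes the guesses that would otherwise succeed in the first few thousand tries.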
Denial of Service (DoS)
Distributed Denial of Service (DDoS)


Overload the target with requests.
Many different flavors:
◦ TCP SYN flood attack: send many TCP connection requests.
◦ Send a million emails or faxes and clog the server.

DDoS
◦ Often uses compromised machines (called zombies, from a
botnet) to attack the target system.
◦ The most difficult to defend against.
◦ No controls that any single organization can apply.
◦ Some cooperative efforts among service providers.
◦ MyDoom worm attack.
21
Spoofing

Technique of sending messages to a computer using a
source IP address that indicates the messages are
coming from a trusted host.
◦ Must find an IP address for a trusted host.
◦ Must modify packet headers for the attack messages.

Routers and firewalls can protect against spoofing
attacks.
22
Man-in-the-Middle Attack


AKA, TCP hijacking attack
Attacker "sniffs" packets from the network, modifies
them, then inserts them back into the network.
◦ Uses IP spoofing to impersonate another entity on the network.

Allows the attacker to:
◦ eavesdrop, change, delete, reroute, add, forge, or divert data.

Spoofing involves the interception of an encryption key
exchange, which enables the hijacker to act as an
eavesdropper (transparent to the network).
23
Spam

Unsolicited commercial email.
◦ Has been used as a vector for malicious code attacks.
◦ Wastes computer and human resources, i.e., it is a DoS attack.

Methods to counteract spam
◦ Delete offending messages
◦ Use filtering technologies to stem the flow
24
Mail Bombing

Email denial-of-service attack.
◦ Send large emails with forged headers

Mechanisms
◦ Social engineering
◦ SMTP flaws
25
Sniffers
AKA, packet sniffers.
 A program or device that can monitor data
traveling over a network.

◦ Use for legitimate network management
functions or maliciously.

Unauthorized sniffers are dangerous to
security.
◦ Virtually impossible to detect.
◦ Can be inserted anywhere.
26
Social Engineering

The process of using social skills to persuade people to
reveal access credentials or other valuable information.
◦ Over the phone: “Hey, Joe, this is Andy from department C. Aaron
(the boss) told me to ask you to give me the XYZ plans; the
customer is demanding we fix the bugs by tomorrow.”
◦ Over the phone or in person, to the secretarial support: “…”

May involve impersonating someone higher in the
organizational hierarchy (requesting information).
◦ “Hey, Joe, this is Aaron (the boss). What was the …. “


Tailgating, shoulder surfing, etc.
May be a scam --- Nigerian banking, etc.
27
Physical (illegal) access

War Driving: driving around trying to
catch a signal
◦ Wireless without encryption
◦ Non-wireless electromagnetic radiation
Garbage Diving: looking through disposed
documents
 Tapping: any cable that is not optical, or
at exposed locations (switches, control
panels, etc.)

28
Buffer Overflow
“Buffer” is a term for data storage at the logical level (often
called a “queue” in networking).
 Buffers are used for many different reasons: for example,
to temporarily store networking data while it waits to be
processed.
 Buffers are often implemented as “arrays” in code.
 Arrays typically have a fixed size.
 A buffer overflow is a programming error that
occurs when more data is sent to a buffer than it can
handle AND the programmer did not specify what
happens in that special case.

◦ Attacker can take advantage of this programming error to cause
unintended side effects.
29
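An added example (not from the slides or the textbook) showing the error the slide describes in C: a fixed-size array filled without a length check, beside a version that defines what happens when the input does not fit. The `session` struct, its field names and the 16-byte size are assumptions chosen for illustration; the `is_admin` field sits after the array only to make visible what "unintended side effects" means in memory terms.

```c
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16

/* Assumed record layout: a fixed-size array followed by a field that the
 * program trusts. Whatever follows an overflowed array is what gets
 * overwritten. */
struct session {
    char name[NAME_LEN];   /* fixed-size buffer (an array) */
    int  is_admin;         /* sits right after the buffer in memory */
};

/* The programming error: strcpy copies until the NUL byte, whatever the
 * array size. If `input` has more than NAME_LEN-1 characters the copy
 * runs past `name` into whatever follows it. Shown for contrast only;
 * never call it with data you do not control. */
static void set_name_unchecked(struct session *s, const char *input) {
    strcpy(s->name, input);
}

/* The fix: the length is checked and the overflow case is defined.
 * Returns 0 on success, -1 when the input does not fit (the session is
 * left untouched; silent truncation would also be a defined outcome,
 * but refusing is the safer default for an identifier). */
static int set_name_checked(struct session *s, const char *input) {
    size_t n = strlen(input);
    if (n >= NAME_LEN) return -1;      /* no room for text plus terminator */
    memcpy(s->name, input, n + 1);     /* n+1 copies the NUL terminator */
    return 0;
}

/* Convenience for callers and tests: does `input` fit? Uses a scratch
 * session so no live data is touched. Returns 1 if it fits, 0 if not. */
static int name_fits(const char *input) {
    struct session scratch = { "", 0 };
    return set_name_checked(&scratch, input) == 0;
}

int main(void) {
    struct session s = { "guest", 0 };
    /* constructed input: 40 bytes, far more than the 16-byte array */
    const char *long_input = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";

    set_name_unchecked(&s, "guest");   /* safe only because the input is short */
    if (set_name_checked(&s, long_input) < 0)
        printf("rejected: %zu bytes do not fit in %d\n",
               strlen(long_input), NAME_LEN);
    set_name_checked(&s, "alice");
    printf("name=%s is_admin=%d\n", s.name, s.is_admin);
    return 0;
}
```

The difference between the two functions is exactly the clause on the slide: the checked version specifies what happens when more data arrives than the array can hold, so the "special case" is a return code rather than undefined behaviour.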
Timing Attack
Something bad happens when a certain
time is reached
 Many different flavors. Examples:

◦ Explores web browser's cache.
 Allows web designer to develop malicious cookie to
be stored on user's system.
 Could allow designer to collect information on how
to access password-protected sites.
30
Port Scanning
http://www.pctopsecurity.com/types-ofattacks/port-scan-attack A port scan sees
which ports are available, which OS you
are using, …
 http://www.softpanorama.org/Security/IDS/port_scan_detectors.shtml A view
from the trenches
 http://www.cipherdyne.org/psad/ A tool
to detect port scans

31
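The DoS slide (a SYN flood is "many TCP connection requests") and this port-scanning slide (which links a scan detector) describe patterns that show up in the same place: a log of connection attempts per source. The C program below is an added example in the spirit of such detectors, not code from the slides, the textbook or psad. It runs over a constructed sample of connection attempts and flags a source that touches many distinct ports in a short window as a scan, and a source that hits one port many times in the window as a flood. The window length, thresholds, record format and addresses are assumptions.

```c
#include <stdio.h>
#include <string.h>

#define WINDOW_SECS 10   /* look-back window per source */
#define SCAN_PORTS   8   /* distinct ports in a window => port scan */
#define FLOOD_HITS  50   /* hits on one port in a window => SYN flood */
#define MAX_PORTS  1024  /* distinct ports tracked per window */

enum verdict { NORMAL = 0, PORT_SCAN = 1, SYN_FLOOD = 2 };

/* One connection attempt (e.g. a TCP SYN) as a firewall log would
 * record it. Records for a given source must be in time order. */
struct event { int t; const char *src; int dport; };

static const char *verdict_name(enum verdict v) {
    return v == PORT_SCAN ? "port scan" : v == SYN_FLOOD ? "SYN flood" : "normal";
}

/* Classify one source: start a window at each of its events and count
 * distinct ports and repeated hits on the window's first port. */
static enum verdict classify(const struct event *ev, size_t n, const char *src) {
    for (size_t i = 0; i < n; i++) {
        if (strcmp(ev[i].src, src) != 0) continue;
        int ports[MAX_PORTS];
        size_t nports = 0;
        int same_port = 0;
        for (size_t j = i; j < n; j++) {
            if (strcmp(ev[j].src, src) != 0) continue;
            if (ev[j].t - ev[i].t >= WINDOW_SECS) break;
            if (ev[j].dport == ev[i].dport) same_port++;
            size_t k = 0;
            while (k < nports && ports[k] != ev[j].dport) k++;
            if (k == nports && nports < MAX_PORTS) ports[nports++] = ev[j].dport;
        }
        if (same_port >= FLOOD_HITS) return SYN_FLOOD;
        if (nports >= SCAN_PORTS) return PORT_SCAN;
    }
    return NORMAL;
}

/* Constructed sample log: a scanner, a flooder and a normal client. */
#define MAX_EVENTS 128
static struct event SAMPLE[MAX_EVENTS];

static size_t build_sample(void) {
    size_t n = 0;
    for (int p = 21; p <= 30; p++)             /* 10 ports in 5 seconds */
        SAMPLE[n++] = (struct event){ (p - 21) / 2, "10.0.0.5", p };
    for (int i = 0; i < 60; i++)               /* 60 SYNs to port 80 in 3 seconds */
        SAMPLE[n++] = (struct event){ 5 + i / 20, "10.0.0.9", 80 };
    SAMPLE[n++] = (struct event){ 7, "10.0.0.2", 443 };    /* 3 connections over a minute */
    SAMPLE[n++] = (struct event){ 30, "10.0.0.2", 80 };
    SAMPLE[n++] = (struct event){ 65, "10.0.0.2", 443 };
    return n;
}

int main(void) {
    size_t n = build_sample();
    const char *sources[] = { "10.0.0.5", "10.0.0.9", "10.0.0.2" };
    for (size_t i = 0; i < 3; i++)
        printf("%-9s %s\n", sources[i], verdict_name(classify(SAMPLE, n, sources[i])));
    return 0;
}
```

A real detector keys on the source address as the sender wrote it, which is why the spoofing slide matters here: a flood with forged source addresses spreads its hits over many sources and will not cross a per-source threshold, so production tools also watch the aggregate rate of half-open connections on the target itself.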

Review
http://www.scribd.com/doc/20138373/CCNA-Security-Chapter-1-assessment

Challenge: go through the PCWeek Hack
on p.47 and try to understand each step
the attacker took.
32