The Need for Security
Principles of Information Security, Chapter 2

Chapter Objectives
• Explain the business need for security.
• Describe the responsibility of an organization's general management and IT management for a successful information security program.
• Identify threats to information security and common attacks associated with those threats.
• Differentiate between threats to information systems and attacks against the information systems.

Introduction
• The primary mission of information security is to ensure that systems and their contents remain the same.

Important Functions of Information Security
• Protect the ability to function.
• Enable the safe operation of applications.
• Protect data.
• Safeguard technology assets.

Protecting the Functionality of the Organization
• Shared responsibility between general management and IT management
  ◦ Set security policy in compliance with legal requirements.
  ◦ Not really a technology issue
• Address information security in terms of
  ◦ Business impact
  ◦ Cost of business interruption

Enabling Safe Operation
• Organization requires integrated, efficient, and capable applications.
  ◦ Technologically complex.
  ◦ Must protect critical applications: operating system platforms, electronic mail, instant messaging
  ◦ Infrastructure may be developed by outsourcing to a service provider or developed internally
  ◦ Protection of the infrastructure must be overseen by management.

Protecting Data
• Data provides
  ◦ Record of transactions (e.g., banking)
  ◦ Ability to deliver value to customers
  ◦ Enables creation and movement of goods and services.
• Data in motion (online transactions)
• Data at rest (not an online transaction)
• Information systems must support these transactions.

Safeguarding Technology Assets
• Must have secure infrastructure services based on the size and scope of the enterprise.
  ◦ Smaller businesses may require less protection: email and personal encryption.
  ◦ Additional services required for larger businesses.
    Public Key Infrastructure (PKI) - more complex
  ◦ Needs change as the network grows.

Threats
• Requirements to protect information
  ◦ Be familiar with the information to be protected and the systems that store, transport and process it
  ◦ Know the threats you face
• Threat: an object, person, or entity that represents a constant danger to an asset.

12 General Categories of Threat
1. Acts of human error or failure - mistakes, sloppiness
2. Compromises to intellectual property - piracy, licensing
3. Deliberate acts of espionage or trespass
   ◦ shoulder surfing, hacking, script kiddies, cracker, phreaker
4. Deliberate acts of information extortion - demanding a ransom
5. Deliberate acts of sabotage or vandalism
   ◦ damage reputation, cyberactivist, cyberterrorism
6. Deliberate acts of theft - difficult to detect
7. Deliberate software attacks
   ◦ malware, virus, worm, trojan horses, back door, hoaxes
8. Forces of nature - fire, flood, earthquake, lightning, storms, etc.
9. Deviations in quality of service - service disruptions
10. Technical hardware failures or errors - hardware defects
11. Technical software failures or errors - accidental or intentional flaws
12. Technological obsolescence - unreliable and untrustworthy

The Endless Game of Cat and Mouse: Meet the Cast
• Hackers versus crackers
• White hats, black hats, all the shades of gray, and mysterious color changing
• Conferences? Web sites? Drills?
• http://www.safepatrolsolutions.com/papers/Crackers.pdf

Meet the Players
• Top 10
• And the others
  ◦ From http://www.pbs.org/wgbh/pages/frontline/shows/hackers/
• And where they congregate - do NOT go there unless you want to risk catching something
  ◦ http://phrack.com, ….

Attacks
• An act or action that takes advantage of a vulnerability to compromise a controlled system.
• Accomplished by a threat agent that damages or steals information or physical assets.
• Vulnerability
  ◦ an identified weakness in a controlled system, where controls are not present or no longer effective.
• Attacks exist when a specific action occurs that may cause a potential loss.
• Question: how will the attacker “identify weakness” and/or know what to attack?

Well-Known Types of Attack Against Controlled Systems
• Malicious Code
• Hoaxes
• Back Doors
• Password Crack
• Brute Force
• Dictionary
• Denial-of-Service (DoS)
• Distributed Denial-of-Service (DDoS)
• Spoofing
• Man-in-the-Middle
• Spam
• Mail Bombing
• Sniffers
• Social Engineering
• Buffer Overflow
• Timing Attack
• Of course, any of these attacks can be distributed, and/or come from a botnet.

Malicious Code
• Viruses, worms, Trojan horses, active web scripts.
• State-of-the-art
  ◦ Polymorphic or multivector worm
  ◦ CERT, Symantec, etc. warnings
• Known attack vectors
  ◦ IP scan and attack
  ◦ Web browsing
  ◦ Virus
  ◦ Unprotected shares
  ◦ Mass mail
  ◦ SNMP

Hoaxes
• Transmit a virus hoax with a real virus attached.
  ◦ More readily transmitted by trusting users!

Back Doors
• Use a known or previously discovered access mechanism to gain access to a system or network resource.
  ◦ May be left by system designers or maintenance staff.
  ◦ Also referred to as trap doors.
• Hard to detect - may be exempt from usual audit logging procedures.

Password Crack
• Reverse-calculate a password.
• Component of many dictionary attacks.
• Security Account Manager (SAM) file is accessible
  ◦ contains a hashed representation of the user's password.
  ◦ a guessed password can be hashed using the same algorithm and compared to the stored hash of the real password.

Brute Force Attack
• AKA password attack
• Try every possible combination of options for a password.
• Easier if passwords are easy to guess or default passwords are in use.
• Avoid using easy-to-guess passwords - and don't use default passwords.
• Rarely used if basic security precautions have been implemented (e.g., complex passwords)

Dictionary Attack
• Use a list of commonly used passwords (i.e., a dictionary) instead of random combinations.
• Takes less time to crack than a brute force attack.
• Use electronic dictionaries to enforce use of (more) complex passwords.

Denial of Service (DoS) / Distributed Denial of Service (DDoS)
• Overload the target with requests
• Many different flavors:
  ◦ TCP SYN flood attack: send many TCP connection requests.
  ◦ Send a million emails or faxes and clog the server
• DDoS
  ◦ Often uses compromised machines (called zombies, from a botnet) to attack the target system.
  ◦ The most difficult to defend against.
  ◦ No controls that any single organization can apply.
  ◦ Some cooperative efforts among service providers.
  ◦ MyDoom worm attack.

Spoofing
• Technique of sending messages to a computer using a source IP address that indicates the messages are coming from a trusted host.
  ◦ Must find an IP address for a trusted host.
  ◦ Must modify packet headers for the attack messages.
• Routers and firewalls can protect against spoofing attacks.

Man-in-the-Middle Attack
• AKA TCP hijacking attack
• Attacker "sniffs" packets from the network, modifies them, then inserts them back into the network.
  ◦ Uses IP spoofing to impersonate another entity on the network.
• Allows the attacker to:
  ◦ eavesdrop, change, delete, reroute, add, forge, or divert data.
• Spoofing involves the interception of an encryption key exchange, which enables the hijacker to act as an eavesdropper (transparent to the network).

Spam
• Unsolicited commercial email.
  ◦ Has been used as a vector for malicious code attacks.
  ◦ Wastes computer and human resources, i.e., it is effectively a DoS attack
• Methods to counteract spam
  ◦ Delete offending messages
  ◦ Use filtering technologies to stem the flow

Mail Bombing
• Email denial-of-service attack.
  ◦ Send large emails with forged headers
• Mechanisms
  ◦ Social engineering
  ◦ SMTP flaws

Sniffers
• AKA packet sniffers.
• A program or device that can monitor data traveling over a network.
  ◦ Used for legitimate network management functions or maliciously.
• Unauthorized sniffers are dangerous to security.
  ◦ Virtually impossible to detect.
  ◦ Can be inserted anywhere.
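The Password Crack, Brute Force and Dictionary slides above recommend checking new passwords against an electronic dictionary. The following is an added example, not from the slides or the textbook: it normalises a candidate password the way a cracker's mutation rules would (lowercase, strip trailing digits and punctuation, undo "leet" substitutions) and rejects it if the result is a dictionary word. The word list is a constructed stand-in for a real dictionary, and the `1 -> i` / `1 -> l` mapping choice is an assumption.

```c
#include <ctype.h>
#include <string.h>
#include <stdio.h>

/* Constructed mini wordlist standing in for a real cracking dictionary. */
static const char *DICTIONARY[] = {"password", "welcome", "summer", "admin", "letmein", "qwerty"};
#define NWORDS (sizeof DICTIONARY / sizeof DICTIONARY[0])

/* Undo the common "leet" substitutions; '1' is ambiguous, so the caller picks i or l. */
static char unleet(char c, char one) {
    switch (c) {
    case '@': case '4': return 'a';
    case '0':           return 'o';
    case '3':           return 'e';
    case '$': case '5': return 's';
    case '7':           return 't';
    case '!':           return 'i';
    case '1':           return one;
    default:            return (char)tolower((unsigned char)c);
    }
}

/* Normalise pw into out: optionally strip a trailing run of non-letters
 * ("Summer99", "P@ssw0rd2023!"), then lowercase and undo leet. */
static void normalise(const char *pw, char one, int strip, char *out, size_t outsz) {
    size_t n = strlen(pw);
    if (strip)
        while (n > 0 && !isalpha((unsigned char)pw[n - 1])) n--;
    if (n >= outsz) n = outsz - 1;
    for (size_t i = 0; i < n; i++) out[i] = unleet(pw[i], one);
    out[n] = '\0';
}

/* Returns the dictionary word pw reduces to, or NULL if no mutation matches. */
const char *weak_password_base(const char *pw) {
    char buf[128];
    const char ones[] = {'i', 'l'};
    for (int strip = 0; strip < 2; strip++)
        for (int k = 0; k < 2; k++) {
            normalise(pw, ones[k], strip, buf, sizeof buf);
            for (size_t w = 0; w < NWORDS; w++)
                if (strcmp(buf, DICTIONARY[w]) == 0) return DICTIONARY[w];
        }
    return NULL;
}

/* Policy gate: long enough AND not a mutated dictionary word. */
int password_acceptable(const char *pw, size_t min_len) {
    return strlen(pw) >= min_len && weak_password_base(pw) == NULL;
}
```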
Social Engineering
• The process of using social skills to persuade people to reveal access credentials or other valuable information.
  ◦ Over the phone: “Hey, Joe, this is Andy from department C. Aaron (the boss) told me to ask you to give me the XYZ plans; the customer is demanding we fix the bugs by tomorrow.”
  ◦ Over the phone or in person, to the secretarial support: “…”
• May involve impersonating someone higher in the organizational hierarchy (requesting information).
  ◦ “Hey, Joe, this is Aaron (the boss). What was the ….”
• Tailgating, shoulder surfing, etc.
• May be a scam - Nigerian banking, etc.

Physical (Illegal) Access
• War driving: driving around trying to catch a signal
  ◦ Wireless without encryption
  ◦ Non-wireless electromagnetic radiation
• Garbage diving: looking through disposed documents
• Tapping: any cable that is not optical, or at exposed locations (switches, control panels, etc.)

Buffer Overflow
• “Buffer” is a term for data storage at the logical level (often called a “queue” in networking).
• Buffers are used for many different reasons: for example, to temporarily store networking data while it waits to be processed.
• Buffers are often implemented as “arrays” in code.
• Arrays typically have a fixed size.
• A buffer overflow is a programming error that occurs when more data is sent to a buffer than it can handle AND the programmer did not specify what happens in that special case.
  ◦ Attacker can take advantage of this programming error to cause unintended side effects.

Timing Attack
• Something bad happens when a certain time is reached.
• Many different flavors. Examples:
  ◦ Explores the web browser's cache. Allows a web designer to develop a malicious cookie to be stored on the user's system. Could allow the designer to collect information on how to access password-protected sites.
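The Buffer Overflow slide above defines the bug as a fixed-size array plus an unspecified "too much data" case. As an added example (not from the slides or the textbook), the code below shows that shape in C, with a network-style receive buffer assumed as the setting: `store_unchecked` copies without ever deciding what happens when the data is larger than the array, while `store_bounded` specifies that case by checking the remaining space first and rejecting the write.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 16   /* the fixed-size array backing the buffer, as on the slide */

/* Vulnerable shape: nothing says what happens when len > BUF_SIZE, so memcpy
 * keeps writing past the end of buf into whatever the compiler placed after
 * it (other variables, saved registers, a return address). */
struct recv_unchecked { char buf[BUF_SIZE]; };

void store_unchecked(struct recv_unchecked *r, const char *data, size_t len) {
    memcpy(r->buf, data, len);              /* no bounds check: the programming error */
}

/* Hardened form: the "special case" is specified. Data that does not fit is
 * rejected whole; the caller gets -1 and the buffer is left unchanged. */
struct recv_bounded { char buf[BUF_SIZE]; size_t used; };

int store_bounded(struct recv_bounded *r, const char *data, size_t len) {
    if (r->used > BUF_SIZE || len > BUF_SIZE - r->used)   /* check before the write */
        return -1;
    memcpy(r->buf + r->used, data, len);
    r->used += len;
    return (int)len;
}

int main(void) {
    struct recv_bounded r = { {0}, 0 };
    /* Constructed input: 10 bytes fit; 10 more would overflow a 16-byte buffer. */
    printf("first write:  %d\n", store_bounded(&r, "0123456789", 10));   /* 10 */
    printf("second write: %d\n", store_bounded(&r, "ABCDEFGHIJ", 10));   /* -1, rejected */
    printf("third write:  %d (used=%zu)\n", store_bounded(&r, "ABCDEF", 6), r.used);
    /* store_unchecked is shown for contrast only: calling it with len > BUF_SIZE
     * is undefined behaviour, which is exactly the bug the slide describes. */
    return 0;
}
```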
Port Scanning
• http://www.pctopsecurity.com/types-of-attacks/port-scan-attack
  ◦ A port scan sees which ports are available, which OS you are using, …
• http://www.softpanorama.org/Security/IDS/port_scan_detectors.shtml
  ◦ A view from the trenches
• http://www.cipherdyne.org/psad/
  ◦ A tool to detect port scans

Review
• http://www.scribd.com/doc/20138373/CCNA-Security-Chapter-1-assessment
• Challenge: go through the PCWeek Hack on p.47 and try to understand each step the attacker took.