Computer and Network Security
Introduction
Dr. Ron Rymon
Efi Arazi School of Computer Science
IDC, Herzliya. 2010/11
Today’s Lecture
 Introduction
 A Few Nightmare Scenarios
 Statistics and Impact
 Course Plan and Administrativia
 Models of Computer Security
What do we mean by
“Computer Security”?
Examples
Threats
Attacks
Security
Mechanisms
Security Needs
and Services
Our Security Needs/Threats









Confidentiality of information stored on computers
Confidentiality of information communications
Control of our computers and networks
Ensuring the integrity of information
Identifying/authenticating communication partners
Protecting information services (enterprise, www)
Protecting information and people privacy
Protecting digital rights and property
Protecting computer-operated physical infrastructure
 … and more as computers take greater role in our lives
– hand-held devices, electronic voting, electronic payment, border
control, job entry, etc.
The Adversaries
 For Profit
– Organized crime
– Fraudsters
– Information thieves
– Marketers
– Spies (military, commercial)
– Enemy states & terrorists
 Vandals
– Commercial and political reasons
– Mostly, nut cases and irresponsible kids (“script kiddies”)
 Joy riders
– Technically skilled
– Psychologically challenged
– Again, mostly kids
 Insiders!
 Good hackers vs. Bad hackers (Crackers)
Their Tools of the Trade













Viruses, worms, etc.
Password cracking
Intrusion and penetration attacks
Eavesdropping attacks (esp. wireless)
Communication hijacking attacks
Denial of service attacks
OS/Application vulnerability attacks
Trojan horses, viruses/worms, spyware, keyloggers
Server and access point impersonation
Phishing and phraud
Clickjacking
Social Engineering
More….
Our Tools of the Trade













Encryption
Anti-virus software
Spam filters
Firewalls
Intrusion detection/prevention software
Strong authentication
Access control
Authorization management
Application security gateways and filters
Patch management systems
Electronic signatures
Disaster Recovery
… and more…
 EDUCATION!!
Security and People
 People, not technology, are often the weakest link
– Create awareness and educate people that security matters
– Create business processes that enhance security
• accurate provisioning, password mgmt, stronger authentication,
segregation of duty
 Security solutions shall be tied to business processes
– “Treat security as an important part of doing business. It is not less
important than features and performance” (Bill Gates)
– “The missing component in most security products is what Global 5000
buyers most want, the ability to manage business risk, innovation, and
agility. Despite this, security suppliers continue to focus their efforts on
honing technical access controls “ (Aberdeen, Mar 2004)
 Corporate governance: Security is as enterprise management issue
– New executives: Chief Security Officer & Chief Compliance Officer
– Business managers in all ranks are asked to assume security responsibility
A Few Nightmare Scenarios
Nightmare Scenario #1:
Information stolen from our systems
 2000 – hacker breaks CDUniverse, steals 300,000 credit card numbers
 2002 – hacker steals 1MM credit cards from merchants that didn’t patch
 2007 – hacker steals millions of credit cards & personal info from TJMaxx
 2001 – hacker pre-announces JDS earnings
 1/2002, hacker penetrates financial software maker Online Resources; then uses
this to hack into a NY bank and steal account data; then extorts the bank
 2004 – Code of Win2K and NT stolen from Microsoft partner
 2004 – Code of Cisco IOS stolen
 2006 - 25% of companies reported attempted penetration (really, close to 100%)
 2006 – 25% of computers believed infected




2007 - Theft of laptops and PDAs is top security concern for CIOs
2008 – Identity theft is top concern for individuals (1 in 6 Americans last year!)
2009 – Data Leakage is a key concern for security and compliance officers
2010 – Where are our (virtualized) systems? Who has access to them?
 70% of all cases are “internal work” – profit, revenge, and ignorance
Nightmare Scenario #2:
Our communication can be exposed
 In 16th century, Mary Queen of Scots loses her head when her coded
messages are deciphered
 In WWII, many German U-boats were destroyed once the British were
able to decipher their Enigma messages
 Today, encryption mechanisms (VPNs, SSL, etc.) are very strong,
usually rendering eavesdropping ineffective
 Still, some cases surface from time to time
– Wi-Fi networks originally unsecured and being targeted
– US Carnivore/Echelon sift through millions of emails/phone calls
– Al-Qaeda members caught using Swisscom GSM chips
– Tempest attacks, capturing electromagnetic radiation
– Cloning encryption cards for satellite-based entertainment systems
– Chinese using supercomputers to break American satellite communication
Nightmare Scenario #3:
Control of our computers is taken
 First viruses (e.g., Jerusalem) were spreading slowly
 Code Red (2001) leaves back door on infected machines
– infected 359,000 IIS servers in 14 hours, 2000 per minute at the peak
 SQL Slammer (2003) generated huge traffic from infected network
 In 2004, there were 112,000 known viruses
 Today, most malware is commercially motivated
– Professional and uses multiple infection mechanisms (“time to infection”
is down to FIVE minutes in 2008)
– Soldiers in the botnets army… (~25% of all computers are infected)
– Steal information, e.g., identity, passwords, credit cards…
– Serve for commercial spam
 Many recent attacks aimed at virtualization platforms
 Next, significant risk to mobile devices, VOIP systems
Nightmare Scenario #4:
Website defacing
 Some are political protests
– 2000 - Pro-Israeli and Pro-Palestinian (e-Jihad) hackers deface sites
– 2000 - Hamas site and Al Qaeda site visitors diverted to porn sites
– 2001 - Chinese posted picture of downed pilot on US Govt sites
– 2003 - web sites defaced by anti/pro war in Iraq
– 2008 – CERN site was defaced after the big bang experiment
 Businesses are also affected
– 1999 - NASDAQ and AMEX sites are defaced
– 2001 - British Telecom defaced by hackers complaining about service
– 2002 – RIAA site is defaced and provides pirated music for download
 Massive defacing
– 2001- hacker group defaces 679 sites in 1 minute
– 2003 - Blackhat defacing competition: winner must deface 6000 sites asap
 2007 – US government sites pointing to Viagra and porn sites
Nightmare Scenario #5:
Service interruptions






1996 - Panix (ISP) suffers a DoS SYN attack
1999 - Melissa crashes e-mail servers (replicates to Outlook contacts)
2000 - Mafiaboy attack crashes Yahoo, CNN, Amazon for 3 hours
2003 - RIAA site is attacked
2004 - MyDoom (email virus) attacks Microsoft, SCO sites
2007 - Estonia infrastructure attacked by Russian hackers
 27% of companies running web services reported DoS attacks
 The Knesset, Israeli PM and other ministries are constantly attacked
 Today, the main concern is around VoIP, wireless infrastructure.
 What is next? Power plants? Other forms of Cyber-Terrorism?
Nightmare Scenario #6:
Fraud and Identity Theft
 FTC Survey (2003)
– 4.6% of consumers defrauded in 2003 (12.7% in past 5 years)
– Mostly credit cards, but also bank accounts, loans, mortgage apps...
– Total ID Fraud estimated at $50B a year
 Internet payment fraud is rampant
– 20 times the “normal” rate; typically identity theft
– Used to be easy to change fields (e.g. price) in web forms
 Fraudulent merchants and con-artists defraud users
– Phishing rampant everywhere
– Fraudulent porn services “re-used” credit card numbers
 Identity theft becomes one of biggest problems (2007)
– Fraudsters and mafia stealing “whole identities”
– Use to buy, take loans, sell houses, etc., ruining victim’s credit history
 Who is that merchant I am going to to buy from? difficult to
authenticate…
Nightmare Scenario #7:
E-Mail Blues
 It used to be many forms of Viruses. Worms, Trojans spread via mail
– Attract download software/applet (some pretend to help against a virus)
– Phishing grows quickly
– Spoof sender address and identity
– Huge economic cost due to destruction, traffic, cleanup costs
– At its peak, 8% of emails were MyDoom
 Today, Spam makes up >80% of email traffic
– Started with Internet – economic model of direct marketing fails
– Spoofing mail address, headers, names, etc
– Cause significant economic damage
 Unprotected e-mail became almost unusable for simple e-mail users
 Proposed solutions are both technological and legal
– New comprehensive email solutions include: anti-virus/worms, fraud,
spam, content policy, privacy, and confidentiality
– Microsoft initiative, Challenge-response mechanisms, Caller-ID
Current Statistics and Impact
Security Incidents and Reporting
9000
8000
7000
6000
5000
4000
3000
2000
1000
0
1995 1996 1997 1998 1999 2000 2001 2002 2003 2004 2005 2006
# of incidents and # reported (CERT)
Vulnerability disclosures (IBM)
Security Threats (2008)
What?
How?
Who?
2008 Baseline Mag Security Survey
How Important Is IT Security?
Source: IBM Market Monitor, 2004
Course Plan and
Administrativia
Course Plan
 Cryptography
– history, conventional, public-key, key dist/mgmt
 Identity Authentication
– Signatures, challenge-response, identity authentication
 Securing Communications Protocols
– IPSec, VPNs, Web security (SSL), WiFi Security
 Access Control
– Kerberos, Firewalls, PKI
 Malicious Code and Intruders
– Viruses, Worms, Intrusion detection, Spyware
 Application Security
– Email security, Spam, VoIP, Cellphones
 Market Trends: Guest Presentations
Course Materials
 Course site
– http://www1.idc.ac.il/compsec
 Most course material is from current sources
– News, Industry (analysts, conferences, vendors), Academic
– Subject-specific books
 Main Textbook
– “Network Security Essentials: Applications and Standards” /
William Stallings (old edition OK)
 Highly recommended
– Applied Cryptography / Bruce Schneier
Administrativia
 Lecturer: Dr. Ron Rymon
 Teaching Assistant: Ilan Atias
 Lectures: Sunday 9:15-11:45am, C109
 Secondary slot: Tue evening, 6pm (if needed)
 Office Hours: by appointment
 Credits: 3
 Open to CS MSc, and BSc (2nd and 3rd year) students
 Grade: 70% exam, 30% other (project, in-class quizes, homework)
– Must pass the exam
– Must turn in all work, in time
Models of Computer Security
Secured Communication Model
Alice
Bob
Example
Trusted Server
Alice
Bob
Sign/
Encrypt
PrivK(Alice)
Decrypt
Gen Sess Key
Encrypt
Encrypt
SignPrivK(Alice) (“Alice”)
SignPrivK(Bob) (“Bob”)
EncPubK(Bob) (SessK)
EncSessK(Message)
Decrypt
PrivK(Bob)
Sign/
Encrypt
Decrypt
Decrypt
Secured Access Model
 Identify and filter requests for information
Access Control Model
 Authentication
– Must provide credentials to access a resource
• E.g., password, fingerprint, identification card
 Authorization
– Must be authorized to gain access to specific data, other
computing resources.
• E.g., file systems, firewalls, application authorization model
• Various levels of granularity
ITU/IETF X.800: Security Threats,
Attacks, Services, and Mechanisms
 Security Threat: A potential attack on systems or on information
security needs
 Security Attack: An attempt to compromise the security of systems or
information
– Example: Eavesdropping on communication
 Security Service: Use of one or more mechanisms to enhance the
security of a system or application
– Example: Confidentiality of communications
 Security Mechanism: A specific method to detect, prevent, or recover
from an attack, and to provide the required service
– Example: Encryption software
Attacks: The X.800 Threat Model
Security Attacks (Stallings)
Examples of Attacks
 Attacks can be Active, e.g., intrusion, or Passive, e.g,
eavesdropping
 Examples of attacks:
–
–
–
–
–
–
–
–
–
–
–
–
Intrusion
Eavesdropping
Impersonation
Viruses / Worms
Denial of service
Man-in-the-middle
Reflection attack
Replay attack
Password cracking
Data/code modification
Fraudulent attribution
Repudiation
X.800 Security Services
 Authentication
– Identify peers, Source authentication for data
 Access Control
– Who can access to what
 Data Confidentiality
– Connection, Connectionless (system), Traffic, Privacy
 Data Integrity
– With or without recovery
 Non-repudiation
– Origin, Destination, Both
 Availability
– A service on its own, or a property of other services
Security Mechanisms
 Specific use of certain algorithms, protocols, and
procedures to provide one or more security services
 Examples
– Authentication – use password, fingerprint, magnetic card
– Access Control – specify access rights based on the user id,
role/group to specific transactions and/or specific content
– Data Confidentiality – encrypt information using a specific
algorithm
– Data Integrity – detect and prevent unauthorized change to content
– Non-Repudiation – use electronic signature to ensure authenticity
– Availability – increase resiliency, filter malicious traffic
 Many security mechanisms use Cryptography as an
underlying technology
Next Class:
Steganography and History of
Cryptography