Академический Документы
Профессиональный Документы
Культура Документы
Instructor: N. Vlajic,
Fall 2010
Learning Objectives
Upon completion of this material, you should be able to:
Define key terms and critical concepts of information security. List the key challenges of information security, and key protection layers. Describe the CNSS security model (McCumber Cube). Be able to differentiate between threats and attacks to information. Identify todays most common threats and attacks against information.
Introduction
In the last 20 years, technology has permeated every facet of the business environment. The business place is no longer static it moves whenever employees travel from office to office, from office to home, from city to city. Since business have become more fluid, , information security is no longer the sole responsibility of a small dedicated group of professionals, , it is now the responsibility of every employee, especially managers.
Information Technology
Information Technology enables storage and transportation of information from one business unit to another
in many organizations, information is seen as the most valuable asset
Information System entire set of data, software, hardware, networks, people, procedures and policies necessary to use information as a resource in an organization
each of 7 components has its own strengths, weaknesses, and its own security requirements
Information Security
Security = state of being secure, free from danger.
Information Security protection of information and its critical characteristics
achieved through appropriate deployment of products, people, procedures and policies
C.I.A triangle 3 key characteristics of information that must be protected by information security:
confidentiality - only authorized parties can view information integrity - information is correct and not altered availability - data is accessible to authorized users
establishment of strategies that prevent any form of illegitimate activity and potential misuse of information
http://www.saintcorporation.com/images/SAINTmanager-diagram1.jpg
Information states:
Are all 27 aspects of security worth examining at every company? Where/how do we start building or evaluating a security system?
Threats
Security threat action or event that represents a danger to organizations asset(s)
has the potential to breach security and cause harm
Threats (cont.)
To make sound decisions about information security, organization (its management) must be informed about various security threats. Each organization must prioritize its threats based on: particular situation in which it operates
e.g. what are the companys main assets: (a) web servers (e-commerce company), or (b) data (software company)?
Threats (cont.)
Example: Companies and their threats Which of the three threats is most critical for which of the three companies?
Amazon IBM TD Bank
http://www.eicepower.com/NetworkSecurity.htm
Threat Events
shoulder surfing
hacker profiles
examples:
Code Red (2001) each copy of the worm scanned the
Internet for Windows NT / 2000 servers that did not have the Microsoft Security patch installed; once infecting a system, worm would start scanning random IP addresses at port 80 looking for other servers to infect
http://www.witiger.com/ecommerce/viruses.htm
http://www.smartcomputing.com/editorial/article.asp?article=articles/archive/l0902/03l02/03l02.asp
organization must ensure that minimum service level, as defined by Service Level Agreement (SLA) with the ISP will still satisfy its needs
if the ISP fails to meet the SLA, the ISP may accrue fines to cover losses incurred by the client
9) Forces of Nature
fire, flood, earthquake, hurricane, tsunami, electrostatic discharge, dust contamination organization must implement controls to limit damage as well as develop incident response plans and business continuity plans
Attacks
Security attack a deliberate action aimed to violate / compromise a systems security
(just) subgroup of threat events! types of attacks:
Use of Spyware and Adware Password Cracking (Brute Force and Dictionary) Denial and Distributed Denial of Service (DoS and DDoS) Spoofing Man-in-the-Middle Sniffing Social Engineering Phishing Pharming
Attacks (cont.)
Attacks (cont.)
1) Use of Malicious Code
includes execution of viruses, worms, Trojan horses, as well as the use of spyware, bots, adware
spyware software that aids in gathering information about a person or organization without their knowledge
frequently downloaded with freeware programs e.g. keyloggers, such as SpyAnytime, 007SpySoftware secretly monitor and record user activity (web-site visited, applications used)
adware software intended for marketing purposes automatically delivers and displays advertising banners or popups to the users screen
Eudora email client example of adware within a legitimate program; once the trial version expires, a pop-up keeps prompting the user to obtain full/paid version
Attacks (cont.)
2) Password Cracking
attempt to reverse-calculate a password requires that a copy of Security Account Manager (SAM) - a registry data file - be obtained
SAM file (c:\windows\system32\config\SAM) contains the hashed representation of the users password LM or NTLM hash algorithms are used cracking procedure: hash any random password using the same algorithm, and then compare to the SAM files entries SAM file is locked when Windows is running: cannot be opened, copied or removed (unless pwdump is run by the administrator) off-line copy of SAMs content can be obtained (e.g.) by booting the machine on an alternate OS such as NTFSDOS or Linux
Attacks (cont.)
Attacks (cont.)
3) Denial of Service (DoS)
attacker sends a large number of connection or information requests to a target
target gets overloaded and cannot respond to legitimate requests
in case of distributed DoS - DDoS, a coordinated stream of requests is launched from many locations (zombies) at the same time
zombie: a compromised machine that can be commanded remotely by the master machine
defence against DDoS requires coordinated actions by ISPs, organizations, software providers, etc.
e.g. prevent spoofing, block (broadcast) requests, patch computers, user latest antivirus tools, etc.
http://www.sans.org/dosstep/roadmap.php
Attacks (cont.)
zombie zombie
target
zombie zombie
master
Attacks (cont.)
Example: Mafiaboy story - DDoS
In 2000, a number of major firms were subjected to devastatingly effective distributed denial-of-service (DDoS) attack that blocked each of their e-commerce systems for hours at a time. Victims of this series of attacks included: CNN.com, eBay, Yahoo.com, Amazon.com, Dell.com, ZDNet, and other firms. The Yankee Group estimated that these attacks cost $1.2 billion in 48 hours: $100 million from lost revenue $100 million from the need to create tighter security $1 billion in combined market capitalization loss. At first, the attack was thought to be the work of an elite hacker, but it turned to be orchestrated by a 15-year-old hacker in Canada. He was sentenced to eight months detention plus one year probation and $250 fine.
http://journal.fibreculture.org/issue9/issue9_genosko.html
Attacks (cont.)
4) Spoofing insertion of forged (but trusted) IP addresses into IP packets in order to gain access to networks/computers new routers and firewalls can offer protection against IP spoofing
ingress filtering upstream ISP discards any packet coming into a network from outside, if the source address is not valid i.e. IP does not belong to any of the networks connected to the ISP egress filtering organizations firewall discards any outgoing packet with a source addr. that does not belong to that organization
http://www.usenix.org/event/lisa05/tech/full_papers/kim/kim_html/fig1.gif
Attacks (cont.)
Attacks (cont.)
5) Man-in-the-Middle (aka TCP Hijacking)
attacker monitors/sniffs packets from the network, modifies them, and inserts them back into the network
IP spoofing involved to enable the attacker to impersonate another entity
Attacks (cont.)
6) Sniffing
use of a program or device that can monitor data traveling over a network
unauthorized sniffers can be very dangerous they cannot be detected, yet they can sniff/extract critical information from the packets traveling over the network wireless sniffing is particularly simple, due to the open nature of the wireless medium
Attacks (cont.)
7) Social Engineering
process of using social skills to manipulate people into revealing vulnerable information
example: perpetrator posing as a higher-up in the organization hierarchy than the victim to obtain some critical data
7.1) Phishing
attempt to gain sensitive personal information (e.g. username, password, credit card number) by posing as a legitimate entity
phishing is typically carried out by an email, and it directs users to enter sensitive information at a fake Web site whose look and feel is very much like the legitimate one example: AOL phishing of the late 1990s individuals posing as AOL technicians attempted to get logon info from AOL subscribers
Attacks (cont.)
Attacks (cont.)
8) Pharming
redirection of legitimate Web sites traffic to another illegitimate Web site
ultimate goal: obtain users personal information or damage reputation of victim company performed either by changing the victims hosts file or through DNS poisoning
http://www.technicalinfo.net/papers/images/pharming030.jpg
Attacks (cont.)
Example: ISP Panix story - pharming
In 2005, the Domain Name for a large New York ISP Panix was hijacked to point the users to a site in Australia. Once the original address was moved to the new address, the genuine site was impossible to reach. It is believed that this attack was result of social engineering the attacker duped the personnel into entering the false IP address into their DNS records.