Data and Computer Communications, Ninth Edition, by William Stallings
Chapter 23 – Computer and Network Security Threats

Data and Computer Communications, Ninth Edition by William Stallings, (c) Pearson Education - Prentice Hall, 2011

Computer and Network Security Threats

The art of war teaches us to rely not on the likelihood of the enemy’s not coming, but on our own readiness to receive him; not on the chance of his not attacking, but rather on the fact that we have made our position unassailable.
—The Art of War, Sun Tzu

Real Life Cases:
• Syria, and Pro-Government Hackers, Are Back on the Internet:
  http://bits.blogs.nytimes.com/2013/05/08/syria-and-its-hacker-activists-are-back-on-the-internet/
• In A.T.M. Robbery Case, a Splashy Trail of Big Spending:
  http://www.nytimes.com/2013/05/11/nyregion/atm-robbery-suspects-may-have-caused-own-undoing.html?pagewanted=all&_r=0

Computer Security
• Key objectives:
  • confidentiality
  • integrity
  • availability

Confidentiality
• term covers two related concepts:
  • Data confidentiality: assures that private or confidential information is not made available or disclosed to unauthorized individuals
  • Privacy: assures that individuals control or influence what information related to them may be collected and stored and by whom and to whom that information may be disclosed

Integrity
• term covers two related concepts:
  • Data integrity: assures that information and programs are changed only in a specified and authorized manner
  • System integrity: assures that a system performs its intended function in an unimpaired manner, free from deliberate or inadvertent unauthorized manipulation of the system

Availability
• assures that systems work promptly and service is not denied to authorized users

Loss of Security
• FIPS PUB 199 identifies the loss of security in each category:
  • Confidentiality: unauthorized disclosure of information
  • Integrity: unauthorized modification or destruction of information
  • Availability: disruption of access to or use of information or an information system

Additional Security Objectives
• Some information security professionals feel that two more objectives need to be added:
  • Authenticity: being genuine and able to be verified and trusted
  • Accountability: actions of an entity can be traced uniquely to that entity (non-repudiation)

Threat Consequences and Threat Actions (Attacks)

Unauthorized Disclosure – a circumstance or event whereby an entity gains access to data for which the entity is not authorized.
  Exposure: Sensitive data are directly released to an unauthorized entity.
  Interception: An unauthorized entity directly accesses sensitive data traveling between authorized sources and destinations.
  Inference: A threat action whereby an unauthorized entity indirectly accesses sensitive data (but not necessarily the data contained in the communication) by reasoning from characteristics or byproducts of communications.
  Intrusion: An unauthorized entity gains access to sensitive data by circumventing a system's security protections.

Deception – a circumstance or event that may result in an authorized entity receiving false data and believing it to be true.
  Masquerade: An unauthorized entity gains access to a system or performs a malicious act by posing as an authorized entity.
  Falsification: False data deceive an authorized entity.
  Repudiation: An entity deceives another by falsely denying responsibility for an act.

Disruption – a circumstance or event that interrupts or prevents the correct operation of system services and functions.
  Incapacitation: Prevents or interrupts system operation by disabling a system component.
  Corruption: Undesirably alters system operation by adversely modifying system functions or data.
  Obstruction: A threat action that interrupts delivery of system services by hindering system operation.

Usurpation – a circumstance or event that results in control of system services or functions by an unauthorized entity.
  Misappropriation: An entity assumes unauthorized logical or physical control of a system resource.
  Misuse: Causes a system component to perform a function or service that is detrimental to system security.

Threats and Attacks

Computer and Network Assets, with Examples of Threats

Hardware
  Availability: Equipment is stolen or disabled, thus denying service.

Software
  Availability: Programs are deleted, denying access to users.
  Confidentiality: An unauthorized copy of software is made.
  Integrity: A working program is modified, either to cause it to fail during execution or to cause it to do some unintended task.

Data
  Availability: Files are deleted, denying access to users.
  Confidentiality: An unauthorized read of data is performed. An analysis of statistical data reveals underlying data.
  Integrity: Existing files are modified or new files are fabricated.

Communication Lines
  Availability: Messages are destroyed or deleted. Communication lines or networks are rendered unavailable.
  Confidentiality: Messages are read. The traffic pattern of messages is observed.
  Integrity: Messages are modified, delayed, reordered, or duplicated. False messages are fabricated.

Scope of System Security

Hardware
• most vulnerable to attack
• least susceptible to automated controls
• threats:
  • accidental damage
  • intentional damage
  • theft

Software
• includes operating system, utilities and application programs
• key threats:
  • easy to delete
  • can be altered or damaged
  • can be modified
  • license can be compromised or misused
  • piracy

Data
• security concerns with respect to data are broad, encompassing:
  • availability
  • secrecy
  • integrity
• major concerns with data have to do with:
  • destruction of files
  • theft of files
  • unauthorized reading of files
  • incorrect but intentional analysis of data

Communication Lines & Networks
• Network security attack classification:
  • Passive
    • goal of attacker is to gather information without being noticed
    • does not affect system resources
    • two types are: release of message contents and traffic analysis
  • Active
    • involves some modification of data stream
    • attempts to alter system resources or affect their operation

Active Attacks
• Replay: passive capture of data for later retransmission – usually after being modified
• Masquerade: pretending to be someone else – usually to obtain unauthorized access to data
• Modification of Messages: some portion of legitimate message is altered
• Denial of Service (DoS): prevents or inhibits normal use of service
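Added example (not from the Stallings slides): a receiver that defends against three of the four active attacks listed above. An HMAC tag over sender, nonce and body rejects modified messages and messages from anyone without the key (masquerade), and a cache of seen nonces rejects replays; denial of service is not addressed here. The shared key, sender name and message layout are constructed for the demo.

```python
import hashlib
import hmac
import os

SHARED_KEY = b"demo-shared-key"  # constructed for this example; real keys come from a key exchange

def _canonical(sender: str, nonce: str, body: str) -> bytes:
    # The tag covers sender, nonce and body, so changing any one field breaks it.
    return f"{sender}|{nonce}|{body}".encode()

def make_message(key: bytes, sender: str, body: str) -> dict:
    """Sender side: attach a fresh random nonce and an HMAC-SHA256 tag."""
    nonce = os.urandom(16).hex()
    tag = hmac.new(key, _canonical(sender, nonce, body), hashlib.sha256).hexdigest()
    return {"sender": sender, "nonce": nonce, "body": body, "tag": tag}

class Receiver:
    """Receiver side: verify the tag, then refuse any nonce seen before."""
    def __init__(self, key: bytes):
        self.key = key
        self.seen_nonces = set()  # replay cache; in production, bound it by a time window

    def accept(self, msg: dict) -> str:
        expected = hmac.new(self.key, _canonical(msg["sender"], msg["nonce"], msg["body"]),
                            hashlib.sha256).hexdigest()
        # Constant-time comparison. A wrong tag means either the content was
        # modified in transit or the sender does not hold the key (masquerade).
        if not hmac.compare_digest(expected, msg["tag"]):
            return "rejected: bad tag"
        # A valid tag carrying a nonce already seen is a captured message replayed.
        if msg["nonce"] in self.seen_nonces:
            return "rejected: replay"
        self.seen_nonces.add(msg["nonce"])
        return "ok"

if __name__ == "__main__":
    r = Receiver(SHARED_KEY)
    m = make_message(SHARED_KEY, "alice", "transfer 10")
    print(r.accept(m), r.accept(m))  # ok, then rejected: replay
```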

Classes of Intruders
• Masquerader – usually outsider: penetrates a real user's account by pretending to be them
• Misfeasor – usually insider: legitimate user who accesses unauthorized areas
• Clandestine user – outsider or insider: user who seizes supervisory control of a system in order to avoid prevention, access and detection controls

Behavior Patterns of Intruders: Hackers and Criminals
• Hackers
  • usually high level of competence
  • share their findings
  • look for targets of opportunity
• Criminals
  • organized groups of hackers are a common modern threat
  • typically young
  • usually have specific targets

Behavior Patterns of Intruders: Insiders
• Insider Attacks
  • have access to and knowledge of internal systems and processes
  • often motivated by revenge or a feeling of entitlement
  • usually have been with the company for a fairly long time
  • often trusted

Intrusion Techniques
• System or Software Vulnerabilities
• Back Doors
• Buffer Overflow
• Password Compromise
• Root Kits
• Social Engineering

Malicious Software
• Malware comes in many disguises:
  • application programs
  • utility programs (editors, compilers)
  • attachments
  • links

Categories of Malicious Software
• parasitic: fragments of programs that cannot exist independently of some actual application program, utility, or system program
  • viruses, logic bombs, backdoors
• independent: self-contained programs that can be scheduled and run by the operating system
  • worms, bots

Terminology of Malicious Programs

Virus: Malware that, when executed, tries to replicate itself into other executable code; when it succeeds the code is said to be infected. When the infected code is executed, the virus also executes.
Worm: A computer program that can run independently and can propagate a complete working version of itself onto other hosts on a network.
Logic bomb: A program inserted into software by an intruder. A logic bomb lies dormant until a predefined condition is met; the program then triggers an unauthorized act.
Trojan horse: A computer program that appears to have a useful function, but also has a hidden and potentially malicious function that evades security mechanisms, sometimes by exploiting legitimate authorizations of a system entity that invokes the Trojan horse program.
Backdoor (trapdoor): Any mechanism that bypasses a normal security check; it may allow unauthorized access to functionality.
Mobile code: Software (e.g., script, macro, or other portable instruction) that can be shipped unchanged to a heterogeneous collection of platforms and execute with identical semantics.
Exploits: Code specific to a single vulnerability or set of vulnerabilities.
Downloaders: Program that installs other items on a machine that is under attack. Usually, a downloader is sent in an e-mail.
Auto-rooter: Malicious hacker tools used to break into new machines remotely.
Kit (virus generator): Set of tools for generating new viruses automatically.
Spammer programs: Used to send large volumes of unwanted e-mail.
Flooders: Used to attack networked computer systems with a large volume of traffic to carry out a denial-of-service (DoS) attack.
Keyloggers: Captures keystrokes on a compromised system.
Rootkit: Set of hacker tools used after attacker has broken into a computer system and gained root-level access.
Zombie, bot: Program on an infected machine that is activated to launch attacks on other machines.
Spyware: Software that collects information from a computer and transmits it to another system.
Adware: Advertising that is integrated into software. It can result in pop-up ads or redirection of a browser to a commercial site.

Backdoor
• trapdoor is a secret entry point into a program that can allow unauthorized access to the data
• backdoors are common among the programming community and are used for a variety of maintenance tasks (maintenance hook)
• it is important to not allow backdoors into production environments

Logic Bomb
• predates viruses and worms
• code embedded in a legitimate program that will “explode” at a given time or when certain conditions are met:
  • presence or absence of certain files
  • particular day of the week or date
  • particular user using the application

Trojan Horse
• program that contains hidden code that, when invoked, causes harm to the system or system infrastructure it was launched from
• 3 models of Trojan horses are typical:
  • continuing original program functions while in parallel doing the malicious activity
  • continuing original program functions but modifying it to perform malicious activity
  • replacing original program functions with the malicious activity

Mobile Code
• script, macro, or other portable instruction that can be shipped unchanged to a collection of platforms
• transmitted from a remote system to a local system and then executed on the local system without the user’s explicit instruction
  • mechanism for a virus, worm, or Trojan horse
  • vulnerabilities such as unauthorized data access

Multiple Threat Malware
• multipartite – capable of infecting multiple types of files
• blended attack – uses multiple methods of infection or transmission to maximize infection speed
• Nimda
  • erroneously referred to as simply a worm
  • uses a combination of items like email, web servers, web clients, etc. to propagate and infect

Viruses
• can do anything other programs can do
• attaches itself to a program and executes secretly
• once running it can perform any function allowed by the current user's rights
• has three parts:
  • infection mechanism
  • trigger
  • payload

Virus Lifecycle
• Dormant: the virus is idle and waiting
• Propagation: the virus places a copy of itself into other programs
• Trigger: the virus is activated to perform the function for which it was intended
• Execution: the virus function is performed

Virus Classification
• by target
• by concealment strategy

Target
• boot sector infector: infects a master boot record or boot record and spreads when a system is booted from the disk containing the virus
• file infector: infects files that the operating system or shell consider to be executable
• macro virus: infects files with macro code that is interpreted by an application

Concealment Strategy
• Encrypted virus: portion of the virus creates a random encryption key and encrypts the remainder of the virus and stores the key with the virus
• Stealth virus: explicitly designed to hide itself from detection by antivirus software
• Polymorphic virus: virus that mutates with every infection making detection by the “signature” of the virus impossible
• Metamorphic virus: mutates with every infection and rewrites itself completely at each iteration
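Added example (not from the slides) of why the encrypted-virus layout described above defeats a byte signature taken from the body but not one taken from the decryptor. Every name here is a constructed placeholder: STUB stands in for the constant decryptor code, PAYLOAD for the body, and the "cipher" is a toy repeating XOR; no real malware is involved.

```python
STUB = b"DECRYPT-STUB:"        # constructed stand-in for the constant decryptor code
PAYLOAD = b"placeholder-body"  # constructed stand-in for the virus body; not code
KEY_LEN = 4

def xor(data: bytes, key: bytes) -> bytes:
    """Toy stream cipher: XOR with a repeating key (decrypts when applied twice)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def make_sample(key: bytes) -> bytes:
    """Layout the slide describes: clear decryptor stub, then the random key
    stored with the virus, then the body encrypted under that key."""
    assert len(key) == KEY_LEN
    return STUB + key + xor(PAYLOAD, key)

def scan(sample: bytes, signature: bytes) -> bool:
    """Naive signature scanner: does the byte pattern occur anywhere in the file?"""
    return signature in sample

def signature_results(first_sample: bytes, later_sample: bytes) -> dict:
    """Take two signatures from the first infection, one from its encrypted body
    and one from its stub, and test both against a later infection that used a
    different random key."""
    body_sig = first_sample[len(STUB) + KEY_LEN:][:8]
    stub_sig = first_sample[:len(STUB)]
    return {"body_signature_hits": scan(later_sample, body_sig),
            "stub_signature_hits": scan(later_sample, stub_sig)}

if __name__ == "__main__":
    import os
    first = make_sample(os.urandom(KEY_LEN))
    later = make_sample(os.urandom(KEY_LEN))
    print(signature_results(first, later))
```

A polymorphic virus additionally mutates the decryptor stub on each infection, which is why the slide calls signature detection impossible for it and why scanners fall back on emulation and behavior-based detection.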

E-Mail Viruses
• a more recent development in malicious software
• Melissa
  • e-mail virus sends itself to everyone on the mailing list in the user’s e-mail package
  • virus does local damage on the user’s system
• another virus appeared that activates by merely opening the e-mail that contains the virus rather than the attachment

Worms
• self replicating – usually very quickly
• usually performs some unwanted function
• actively seeks out more machines to infect

Self Replicating Vehicles
• Email
• Remote Execution
• Remote Login

Worms
• in the propagation phase the worm will search for other systems to infect

Phases
• Dormant
• Propagation
  • establish remote connections
  • copy itself to the remote system and cause the copy to run
• Trigger
• Execution

Worm Technology
• Multiplatform – variety of platforms
• Multi-Exploit – variety of penetration schemes
• Ultrafast Spreading – accelerated distribution
• Polymorphic – evades set signatures
• Metamorphic – evades anomaly detectors
• Transport Vehicles – used to spread other distributed attack tools
• Zero Day – exploits a yet unknown vulnerability

Worm Propagation (figure)

Bots
• AKA – Zombie or Drone
• secretly takes over an internet connected computer
• launches attacks from that computer that are hard to trace back to the creator

Botnet
• collection of Bots that act in a coordinated manner
• has 3 characteristics:
  • bot functionality
  • remote control facility
  • spreading mechanism

Bot Usage
• Distributed Denial of Service Attack
• Spamming
• Sniffing Traffic
• Keylogging
• Spreading of new malware
• Installing Ads (Adware and SpyWare)
• Attacking IRC Chat networks
• Manipulation of online polls / games

Remote Control Facility
• distinguishes a bot from a worm
  • worm propagates itself, bot is controlled from some central facility (initially)
• IRC server
  • all bots join a specific channel on this server and treat incoming messages as commands
  • control module activates the bots
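Added example (not from the slides): a small detector for the IRC control channel described above. It reads JOIN events from a constructed log (made-up "time src -> server:port JOIN channel" format, RFC 5737 documentation addresses for the servers) and reports any server/channel pair joined by many distinct internal hosts, which is what a fleet of bots reporting to one controller looks like in network logs.

```python
from collections import defaultdict

# Constructed sample log: six internal hosts, two IRC servers, three channels.
SAMPLE_LOG = """\
2013-05-08T10:01:02 10.0.0.5 -> 203.0.113.7:6667 JOIN #chat
2013-05-08T10:01:09 10.0.0.12 -> 203.0.113.7:6667 JOIN #ctl-x91
2013-05-08T10:01:10 10.0.0.14 -> 203.0.113.7:6667 JOIN #ctl-x91
2013-05-08T10:01:11 10.0.0.12 -> 203.0.113.7:6667 JOIN #ctl-x91
2013-05-08T10:01:12 10.0.0.27 -> 203.0.113.7:6667 JOIN #ctl-x91
2013-05-08T10:01:15 10.0.0.31 -> 203.0.113.7:6667 JOIN #ctl-x91
2013-05-08T10:02:40 10.0.0.8 -> 198.51.100.2:6667 JOIN #chat
"""

def parse_joins(log_text: str):
    """Yield (src_host, server, channel) for each JOIN line; skip malformed lines."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 6 or parts[2] != "->" or parts[4] != "JOIN":
            continue
        yield parts[1], parts[3], parts[5]

def suspicious_channels(log_text: str, min_hosts: int = 4) -> dict:
    """Map (server, channel) -> sorted distinct hosts, keeping only pairs whose
    distinct-host count reaches min_hosts. A host that re-joins counts once,
    so a single chatty client cannot trip the threshold on its own."""
    hosts = defaultdict(set)
    for src, server, channel in parse_joins(log_text):
        hosts[(server, channel)].add(src)
    return {key: sorted(h) for key, h in hosts.items() if len(h) >= min_hosts}

if __name__ == "__main__":
    for (server, channel), members in suspicious_channels(SAMPLE_LOG).items():
        print(f"{server} {channel}: {len(members)} hosts -> {members}")
```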

Constructing the Attack Network
• first step in a botnet attack is for the attacker to infect a number of machines with bot software that will be used to carry out the attack
• essential ingredients:
  • software that can carry out the attack
  • vulnerability in a large number of systems
  • strategy for locating and identifying vulnerable machines
    • scanning / fingerprinting

Summary
• computer security concepts
• threats, attacks, and assets
  • hardware, software, data
• intruders
  • hackers, criminals, insiders
• malicious software
  • Trojan horse, malware
• viruses, worms, and bots