Computer and Network Security
Introduction
Dr. Ron Rymon
Efi Arazi School of Computer Science
IDC, Herzliya. 2010/11
Today’s Lecture
Introduction
A Few Nightmare Scenarios
Statistics and Impact
Course Plan and Administrativia
Models of Computer Security
What do we mean by “Computer Security”?
[Diagram: the slide relates Threats, Attacks, Security Mechanisms, and Security Needs and Services, with Examples of each]
Our Security Needs/Threats
Confidentiality of information stored on computers
Confidentiality of information communications
Control of our computers and networks
Ensuring the integrity of information
Identifying/authenticating communication partners
Protecting information services (enterprise, www)
Protecting information and people privacy
Protecting digital rights and property
Protecting computer-operated physical infrastructure
… and more as computers take greater role in our lives
– hand-held devices, electronic voting, electronic payment, border control, job entry, etc.
The Adversaries
For Profit
– Organized crime
– Fraudsters
– Information thieves
– Marketers
– Spies (military, commercial)
– Enemy states & terrorists
Vandals
– Commercial and political reasons
– Mostly, nut cases and irresponsible kids (“script kiddies”)
Joy riders
– Technically skilled
– Psychologically challenged
– Again, mostly kids
Insiders!
Good hackers vs. Bad hackers (Crackers)
Their Tools of the Trade
Viruses, worms, etc.
Password cracking
Intrusion and penetration attacks
Eavesdropping attacks (esp. wireless)
Communication hijacking attacks
Denial of service attacks
OS/Application vulnerability attacks
Trojan horses, viruses/worms, spyware, keyloggers
Server and access point impersonation
Phishing and phraud
Clickjacking
Social Engineering
More….
Our Tools of the Trade
Encryption
Anti-virus software
Spam filters
Firewalls
Intrusion detection/prevention software
Strong authentication
Access control
Authorization management
Application security gateways and filters
Patch management systems
Electronic signatures
Disaster Recovery
… and more…
EDUCATION!!
Security and People
People, not technology, are often the weakest link
– Create awareness and educate people that security matters
– Create business processes that enhance security
• accurate provisioning, password mgmt, stronger authentication, segregation of duty
Security solutions shall be tied to business processes
– “Treat security as an important part of doing business. It is not less important than features and performance” (Bill Gates)
– “The missing component in most security products is what Global 5000 buyers most want, the ability to manage business risk, innovation, and agility. Despite this, security suppliers continue to focus their efforts on honing technical access controls” (Aberdeen, Mar 2004)
Corporate governance: Security is an enterprise management issue
– New executives: Chief Security Officer & Chief Compliance Officer
– Business managers in all ranks are asked to assume security responsibility
A Few Nightmare Scenarios
Nightmare Scenario #1:
Information stolen from our systems
2000 – hacker breaks CDUniverse, steals 300,000 credit card numbers
2002 – hacker steals 1MM credit cards from merchants that didn’t patch
2007 – hacker steals millions of credit cards & personal info from TJMaxx
2001 – hacker pre-announces JDS earnings
1/2002 – hacker penetrates financial software maker Online Resources; then uses this to hack into a NY bank and steal account data; then extorts the bank
2004 – Code of Win2K and NT stolen from Microsoft partner
2004 – Code of Cisco IOS stolen
2006 - 25% of companies reported attempted penetration (really, close to 100%)
2006 – 25% of computers believed infected
2007 - Theft of laptops and PDAs is top security concern for CIOs
2008 – Identity theft is top concern for individuals (1 in 6 Americans last year!)
2009 – Data Leakage is a key concern for security and compliance officers
2010 – Where are our (virtualized) systems? Who has access to them?
70% of all cases are “internal work” – profit, revenge, and ignorance
Nightmare Scenario #2:
Our communication can be exposed
In the 16th century, Mary Queen of Scots loses her head when her coded messages are deciphered
In WWII, many German U-boats were destroyed once the British were able to decipher their Enigma messages
Today, encryption mechanisms (VPNs, SSL, etc.) are very strong, usually rendering eavesdropping ineffective
Still, some cases surface from time to time
– Wi-Fi networks originally unsecured and being targeted
– US Carnivore/Echelon sift through millions of emails/phone calls
– Al-Qaeda members caught using Swisscom GSM chips
– Tempest attacks, capturing electromagnetic radiation
– Cloning encryption cards for satellite-based entertainment systems
– Chinese using supercomputers to break American satellite communication
Nightmare Scenario #3:
Control of our computers is taken
The first viruses (e.g., Jerusalem) spread slowly
Code Red (2001) leaves back door on infected machines
– infected 359,000 IIS servers in 14 hours, 2000 per minute at the peak
SQL Slammer (2003) generated huge traffic from infected network
In 2004, there were 112,000 known viruses
Today, most malware is commercially motivated
– Professional and uses multiple infection mechanisms (“time to infection” is down to FIVE minutes in 2008)
– Soldiers in the botnets army… (~25% of all computers are infected)
– Steal information, e.g., identity, passwords, credit cards…
– Serve for commercial spam
Many recent attacks aimed at virtualization platforms
Next, significant risk to mobile devices, VOIP systems
Nightmare Scenario #4:
Website defacing
Some are political protests
– 2000 - Pro-Israeli and Pro-Palestinian (e-Jihad) hackers deface sites
– 2000 - Hamas site and Al Qaeda site visitors diverted to porn sites
– 2001 - Chinese posted picture of downed pilot on US Govt sites
– 2003 - web sites defaced by anti/pro war in Iraq
– 2008 – CERN site was defaced after the big bang experiment
Businesses are also affected
– 1999 - NASDAQ and AMEX sites are defaced
– 2001 - British Telecom defaced by hackers complaining about service
– 2002 – RIAA site is defaced and provides pirated music for download
Massive defacing
– 2001- hacker group defaces 679 sites in 1 minute
– 2003 - Blackhat defacing competition: winner must deface 6000 sites asap
2007 – US government sites pointing to Viagra and porn sites
Nightmare Scenario #5:
Service interruptions
1996 - Panix (ISP) suffers a SYN-flood DoS attack
1999 - Melissa crashes e-mail servers (replicates to Outlook contacts)
2000 - Mafiaboy attack crashes Yahoo, CNN, Amazon for 3 hours
2003 - RIAA site is attacked
2004 - MyDoom (email virus) attacks Microsoft, SCO sites
2007 - Estonia infrastructure attacked by Russian hackers
27% of companies running web services reported DoS attacks
The Knesset, Israeli PM and other ministries are constantly attacked
Today, the main concern is around VoIP, wireless infrastructure.
What is next? Power plants? Other forms of Cyber-Terrorism?
Nightmare Scenario #6:
Fraud and Identity Theft
FTC Survey (2003)
– 4.6% of consumers defrauded in 2003 (12.7% in past 5 years)
– Mostly credit cards, but also bank accounts, loans, mortgage apps...
– Total ID Fraud estimated at $50B a year
Internet payment fraud is rampant
– 20 times the “normal” rate; typically identity theft
– Used to be easy to change fields (e.g. price) in web forms
Fraudulent merchants and con-artists defraud users
– Phishing rampant everywhere
– Fraudulent porn services “re-used” credit card numbers
Identity theft becomes one of biggest problems (2007)
– Fraudsters and mafia stealing “whole identities”
– Use to buy, take loans, sell houses, etc., ruining victim’s credit history
Who is that merchant I am going to buy from? Difficult to authenticate…
Nightmare Scenario #7:
E-Mail Blues
It used to be that many forms of viruses, worms, and Trojans spread via mail
– Lure users into downloading software/applets (some pretend to help against a virus)
– Phishing grows quickly
– Spoof sender address and identity
– Huge economic cost due to destruction, traffic, cleanup costs
– At its peak, 8% of emails were MyDoom
Today, Spam makes up >80% of email traffic
– Started with Internet – economic model of direct marketing fails
– Spoofing mail address, headers, names, etc
– Cause significant economic damage
Unprotected e-mail became almost unusable for simple e-mail users
Proposed solutions are both technological and legal
– New comprehensive email solutions include: anti-virus/worms, fraud, spam, content policy, privacy, and confidentiality
– Microsoft initiative, Challenge-response mechanisms, Caller-ID
Current Statistics and Impact
Security Incidents and Reporting
[Chart: number of incidents and number reported per year, 1995–2006 (CERT), scale 0–9000; vulnerability disclosures (IBM)]
Security Threats (2008)
[Chart: What? How? Who?; source: 2008 Baseline Mag Security Survey]
How Important Is IT Security?
[Chart; source: IBM Market Monitor, 2004]
Course Plan and Administrativia
Course Plan
Cryptography
– history, conventional, public-key, key dist/mgmt
Identity Authentication
– Signatures, challenge-response, identity authentication
Securing Communications Protocols
– IPSec, VPNs, Web security (SSL), WiFi Security
Access Control
– Kerberos, Firewalls, PKI
Malicious Code and Intruders
– Viruses, Worms, Intrusion detection, Spyware
Application Security
– Email security, Spam, VoIP, Cellphones
Market Trends: Guest Presentations
Course Materials
Course site
– http://www1.idc.ac.il/compsec
Most course material is from current sources
– News, Industry (analysts, conferences, vendors), Academic
– Subject-specific books
Main Textbook
– “Network Security Essentials: Applications and Standards” / William Stallings (old edition OK)
Highly recommended
– Applied Cryptography / Bruce Schneier
Administrativia
Lecturer: Dr. Ron Rymon
Teaching Assistant: Ilan Atias
Lectures: Sunday 9:15-11:45am, C109
Secondary slot: Tue evening, 6pm (if needed)
Office Hours: by appointment
Credits: 3
Open to CS MSc, and BSc (2nd and 3rd year) students
Grade: 70% exam, 30% other (project, in-class quizzes, homework)
– Must pass the exam
– Must turn in all work, in time
Models of Computer Security
Secured Communication Model
[Figure: Alice and Bob exchange messages over a channel; the sending side has a Sign/Encrypt step, the receiving side a Decrypt step]
Example
[Figure: Alice and Bob communicate through a Trusted Server]
– Both parties sign their identities with their private keys: SignPrivK(Alice)(“Alice”), SignPrivK(Bob)(“Bob”)
– Alice generates a session key (Gen Sess Key) and sends EncPubK(Bob)(SessK), followed by EncSessK(Message)
– Bob decrypts the session key with PrivK(Bob), then decrypts the message with SessK
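The exchange in the figure, worked through in Go as an added example (this is not code from the lecture): a trusted server acts as the key directory, each party authenticates to it by signing its own name as the figure shows, Alice wraps a fresh session key for Bob and encrypts the message under it, and Bob decrypts both. The algorithm choices (Ed25519 for signatures, RSA-OAEP for wrapping the session key, AES-256-GCM for the message), the party names and the sample message are assumptions of this example, not of the slides.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Party is one principal with its long-term keys: an Ed25519 signing key (PrivK in
// the figure) and an RSA key pair under which session keys are wrapped for it.
type Party struct {
	Name    string
	signKey ed25519.PrivateKey
	encKey  *rsa.PrivateKey
}

// Record is what the trusted server publishes about a registered party.
type Record struct {
	VerifyKey ed25519.PublicKey
	EncPubKey *rsa.PublicKey
}

// TrustedServer is the key directory both parties trust (constructed for this example).
type TrustedServer struct{ dir map[string]Record }

// Envelope carries EncPubK(Bob)(SessK) and EncSessK(Message) from the figure.
type Envelope struct{ WrappedKey, Nonce, Ciphertext []byte }

func NewTrustedServer() *TrustedServer { return &TrustedServer{dir: map[string]Record{}} }

func NewParty(name string) (*Party, error) {
	_, sk, err := ed25519.GenerateKey(rand.Reader)
	if err != nil { return nil, err }
	rk, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil { return nil, err }
	return &Party{Name: name, signKey: sk, encKey: rk}, nil
}

// Register is the out-of-band enrolment the figure takes for granted.
func (s *TrustedServer) Register(p *Party) {
	s.dir[p.Name] = Record{VerifyKey: p.signKey.Public().(ed25519.PublicKey), EncPubKey: &p.encKey.PublicKey}
}

// Lookup verifies the requester's signature over its own name, as in
// SignPrivK(Alice)("Alice"), then returns the peer's public keys.
func (s *TrustedServer) Lookup(requester string, sig []byte, peer string) (Record, error) {
	me, ok := s.dir[requester]
	if !ok || !ed25519.Verify(me.VerifyKey, []byte(requester), sig) {
		return Record{}, errors.New("requester not authenticated")
	}
	if rec, ok := s.dir[peer]; ok { return rec, nil }
	return Record{}, errors.New("unknown peer")
}

// gcm builds AES-256-GCM over a session key; it errors only for a malformed key.
func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}

// Send: authenticate to the server, fetch the peer's keys, generate a fresh session
// key, wrap it with RSA-OAEP, then encrypt the message under it with AES-256-GCM.
func (p *Party) Send(srv *TrustedServer, peer string, msg []byte) (Envelope, error) {
	rec, err := srv.Lookup(p.Name, ed25519.Sign(p.signKey, []byte(p.Name)), peer)
	if err != nil { return Envelope{}, err }
	random := make([]byte, 32+12) // 32-byte session key followed by a 12-byte GCM nonce
	if _, err := rand.Read(random); err != nil { return Envelope{}, err }
	sessKey, nonce := random[:32], random[32:]
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, rec.EncPubKey, sessKey, []byte("sessk"))
	if err != nil { return Envelope{}, err }
	aead, err := gcm(sessKey)
	if err != nil { return Envelope{}, err }
	// The sender's name is bound in as associated data, so the receiver checks it too.
	return Envelope{wrapped, nonce, aead.Seal(nil, nonce, msg, []byte(p.Name))}, nil
}

// Receive unwraps the session key with PrivK(Bob) and decrypts; any change to the
// wrapped key, nonce, ciphertext or claimed sender makes Open fail.
func (p *Party) Receive(env Envelope, sender string) ([]byte, error) {
	sessKey, err := rsa.DecryptOAEP(sha256.New(), nil, p.encKey, env.WrappedKey, []byte("sessk"))
	if err != nil { return nil, err }
	aead, err := gcm(sessKey)
	if err != nil { return nil, err }
	return aead.Open(nil, env.Nonce, env.Ciphertext, []byte(sender))
}

func main() {
	srv := NewTrustedServer()
	alice, _ := NewParty("Alice")
	bob, _ := NewParty("Bob")
	srv.Register(alice)
	srv.Register(bob)
	env, _ := alice.Send(srv, "Bob", []byte("meet at noon")) // constructed message
	pt, err := bob.Receive(env, "Alice")
	fmt.Printf("Bob reads %q (err=%v)\n", pt, err)
}
```

Signing only the fixed string “Alice”, as the figure shows, proves possession of the key once, but the same signature would verify again if it were recorded and presented later; the challenge-response protocols in the Identity Authentication part of the course add a fresh server-chosen value to the signed data for exactly that reason.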
Secured Access Model
Identify and filter requests for information
Access Control Model
Authentication
– Must provide credentials to access a resource
• E.g., password, fingerprint, identification card
Authorization
– Must be authorized to gain access to specific data, other computing resources.
• E.g., file systems, firewalls, application authorization model
• Various levels of granularity
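The two steps of the access control model as two separate checks, written in Go as an added example (not code from the lecture): a directory that verifies credentials and yields a principal, and a policy that decides, by role, what that principal may do on a resource. The user name, roles, resource paths and the salted-SHA-256 credential store are constructed for this example; the prefix grants show the two levels of granularity the slide mentions (a whole subtree versus one file).

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
	"strings"
)

// Permission names an operation on a resource.
type Permission string

const (
	Read  Permission = "read"
	Write Permission = "write"
)

// account is a stored credential: a salted password hash and the user's roles.
// Salted SHA-256 keeps this example dependency-free; production password storage
// uses a deliberately slow KDF such as bcrypt, scrypt or Argon2.
type account struct {
	salt, hash []byte
	roles      []string
}

// Principal is what a successful authentication yields.
type Principal struct {
	Name  string
	Roles []string
}

// Directory answers the first question of the model: who are you?
type Directory struct{ users map[string]account }

// Policy answers the second: what may you do? It maps role -> resource prefix ->
// permissions, so "/hr/" grants a whole subtree (coarse) and a full path one file (fine).
type Policy struct{ grants map[string]map[string][]Permission }

func hashPassword(salt []byte, password string) []byte {
	h := sha256.New()
	h.Write(salt)
	h.Write([]byte(password))
	return h.Sum(nil)
}

// AddUser enrols a user under a fresh random salt.
func (d *Directory) AddUser(name, password string, roles ...string) error {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil { return err }
	if d.users == nil { d.users = map[string]account{} }
	d.users[name] = account{salt: salt, hash: hashPassword(salt, password), roles: roles}
	return nil
}

// Authenticate compares in constant time and returns the same error for an unknown
// user and a wrong password, so the response does not reveal which accounts exist.
func (d *Directory) Authenticate(name, password string) (Principal, error) {
	acct, ok := d.users[name]
	if !ok { // dummy record so the unknown-user path does the same work
		acct = account{salt: make([]byte, 16), hash: make([]byte, sha256.Size)}
	}
	if subtle.ConstantTimeCompare(hashPassword(acct.salt, password), acct.hash) != 1 || !ok {
		return Principal{}, errors.New("invalid credentials")
	}
	return Principal{Name: name, Roles: acct.roles}, nil
}

// Grant lets a role perform perm on every resource under prefix.
func (p *Policy) Grant(role, prefix string, perm Permission) {
	if p.grants == nil { p.grants = map[string]map[string][]Permission{} }
	if p.grants[role] == nil { p.grants[role] = map[string][]Permission{} }
	p.grants[role][prefix] = append(p.grants[role][prefix], perm)
}

// Authorize is default-deny: access is allowed only when one of the principal's
// roles holds perm on some prefix of the resource.
func (p *Policy) Authorize(pr Principal, perm Permission, resource string) bool {
	for _, role := range pr.Roles {
		for prefix, perms := range p.grants[role] {
			if !strings.HasPrefix(resource, prefix) { continue }
			for _, g := range perms {
				if g == perm { return true }
			}
		}
	}
	return false
}

func main() {
	var dir Directory
	var pol Policy
	dir.AddUser("alice", "correct horse", "hr")     // constructed sample user
	pol.Grant("hr", "/hr/", Read)                   // coarse: the whole HR subtree
	pol.Grant("hr", "/hr/reviews/alice.txt", Write) // fine: one specific file
	alice, err := dir.Authenticate("alice", "correct horse")
	fmt.Println("authenticated:", err == nil)
	fmt.Println("read handbook:", pol.Authorize(alice, Read, "/hr/handbook.pdf"))
	fmt.Println("write handbook:", pol.Authorize(alice, Write, "/hr/handbook.pdf"))
	fmt.Println("read ledger:", pol.Authorize(alice, Read, "/finance/ledger.csv"))
}
```

Keeping the two decisions in separate types is deliberate: a principal that has authenticated still gets nothing until a grant says otherwise, which is the default-deny posture the lecture's access control services assume.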
ITU/IETF X.800: Security Threats, Attacks, Services, and Mechanisms
Security Threat: A potential attack on systems or on information security needs
Security Attack: An attempt to compromise the security of systems or information
– Example: Eavesdropping on communication
Security Service: Use of one or more mechanisms to enhance the security of a system or application
– Example: Confidentiality of communications
Security Mechanism: A specific method to detect, prevent, or recover from an attack, and to provide the required service
– Example: Encryption software
Attacks: The X.800 Threat Model
Security Attacks (Stallings)
Examples of Attacks
Attacks can be Active, e.g., intrusion, or Passive, e.g., eavesdropping
Examples of attacks:
– Intrusion
– Eavesdropping
– Impersonation
– Viruses / Worms
– Denial of service
– Man-in-the-middle
– Reflection attack
– Replay attack
– Password cracking
– Data/code modification
– Fraudulent attribution
– Repudiation
X.800 Security Services
Authentication
– Identify peers, Source authentication for data
Access Control
– Who can access to what
Data Confidentiality
– Connection, Connectionless (system), Traffic, Privacy
Data Integrity
– With or without recovery
Non-repudiation
– Origin, Destination, Both
Availability
– A service on its own, or a property of other services
Security Mechanisms
Specific use of certain algorithms, protocols, and procedures to provide one or more security services
Examples
– Authentication – use password, fingerprint, magnetic card
– Access Control – specify access rights based on the user id, role/group to specific transactions and/or specific content
– Data Confidentiality – encrypt information using a specific algorithm
– Data Integrity – detect and prevent unauthorized change to content
– Non-Repudiation – use electronic signature to ensure authenticity
– Availability – increase resiliency, filter malicious traffic
Many security mechanisms use Cryptography as an underlying technology
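The Data Integrity mechanism above, and the replay attack from the list of attacks earlier, together in Go as an added example (not code from the lecture): a sender stamps each record with a sequence number and an HMAC-SHA-256 tag over number and payload; the receiver rejects anything whose tag does not verify (modification, or a different key) and anything whose sequence number is not newer than the last accepted one (replay). The key, the payloads and the record format are constructed for this example.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Message is a protected record: sequence number, payload, and a MAC over both.
type Message struct {
	Seq     uint64
	Payload []byte
	Tag     []byte
}

var (
	ErrModified = errors.New("integrity check failed: message modified or wrong key")
	ErrReplay   = errors.New("replay detected: sequence number not newer than last accepted")
)

// tag computes HMAC-SHA-256 over seq (big-endian) || payload, so that neither
// the number nor the content can be changed without the shared key.
func tag(key []byte, seq uint64, payload []byte) []byte {
	mac := hmac.New(sha256.New, key)
	var seqBytes [8]byte
	binary.BigEndian.PutUint64(seqBytes[:], seq)
	mac.Write(seqBytes[:])
	mac.Write(payload)
	return mac.Sum(nil)
}

// Sender stamps each message with the next sequence number and its tag.
type Sender struct {
	key []byte
	seq uint64
}

func (s *Sender) Protect(payload []byte) Message {
	s.seq++
	return Message{Seq: s.seq, Payload: payload, Tag: tag(s.key, s.seq, payload)}
}

// Receiver verifies the tag (integrity) and insists on a strictly increasing
// sequence number (replay protection); it remembers only the last accepted one.
type Receiver struct {
	key     []byte
	lastSeq uint64
}

func (r *Receiver) Accept(m Message) error {
	if !hmac.Equal(m.Tag, tag(r.key, m.Seq, m.Payload)) { // constant-time comparison
		return ErrModified
	}
	if m.Seq <= r.lastSeq {
		return ErrReplay
	}
	r.lastSeq = m.Seq
	return nil
}

// NewKey draws a fresh 256-bit shared key (how it gets to both sides is the
// key distribution problem covered later in the course).
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := rand.Read(key)
	return key, err
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	snd, rcv := &Sender{key: key}, &Receiver{key: key}
	m1 := snd.Protect([]byte("transfer 100 to acct 42")) // constructed payload
	fmt.Println("genuine:", rcv.Accept(m1))
	tampered := m1
	tampered.Payload = []byte("transfer 900 to acct 42")
	fmt.Println("modified:", rcv.Accept(tampered))
	fmt.Println("replayed:", rcv.Accept(m1))
}
```

The tag check runs before the sequence check so that an unauthenticated record can never advance the receiver's state; the sequence number is covered by the tag, so an attacker cannot renumber an old record to get it past the replay check either.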
Next Class: Steganography and History of Cryptography