Basic Concepts - Raymond R. Panko

Security: Chapter 9
Revised January 2007
Panko’s Business Data Networks and Telecommunications, 6th edition
Copyright 2007 Prentice-Hall
The Threat Environment
Figure 9-1: CSI/FBI Survey
• Companies Face Many Attacks
– There are many types of attacks; in order of decreasing frequency:
– Viruses (and other malware)
– Insider abuse of net access
– Laptop theft
– Unauthorized access by insiders
– Denial-of-service attacks
– System penetration
– Sabotage
– Theft of proprietary information
– Fraud
– Telecoms eavesdropping and active wiretaps
Figure 9-1: CSI/FBI Survey
• Very Common Successful Incidents
– Viruses and other malware
– Insider abuse of net access
– Laptop theft
• Low-Frequency / High-Damage Attacks
– Theft of proprietary information ($2.7 M per incident)
– Denial-of-service attacks ($1.4 M per incident)
Figure 9-2: Malware
• Malware
– A general name for evil software
• Viruses
– Pieces of code that attach to other programs
– When infected programs execute, the virus executes
– Infect other programs on the computer
– Spread to other computers by e-mail attachments, IM, peer-to-peer file transfers, etc.
– Antivirus programs are needed to scan arriving files
• Also scans for other malware
Figure 9-2: Malware
• Worms
– Stand-alone programs that do not need to attach to other programs
– Can propagate like viruses through e-mail, etc.
• But this requires human gullibility, which is slow
– In addition, vulnerability-enabled worms jump to victim hosts directly
• Can do this because hosts have vulnerabilities
• Vulnerability-enabled worms can spread with amazing speed
• Vendors develop patches for vulnerabilities but companies often fail or are slow to apply them
Figure 9-2: Malware
• Payloads
– After propagation, viruses and worms execute their payloads (damage code)
– Payloads erase hard disks, send users to pornography sites if they mistype URLs
– Trojan horses are exploitation programs that disguise themselves as system files
Figure 9-2: Malware
• Attacks on Individuals
– Social engineering is tricking the victim into doing something against his or her interests
– Spam is unsolicited commercial e-mail
– Credit card number theft is performed by carders
– Identity theft is collecting enough data to impersonate the victim in large financial transactions
– Fraud involves get-rich-quick schemes, medical scams
Figure 9-2: Malware
• Attacks on Individuals
– Adware pops up advertisements
– Spyware collects sensitive data and sends it to an attacker
– Phishing: sophisticated social engineering attack in which an authentic-looking e-mail or website entices the user to enter his or her username, password, or other sensitive information
Figure 9-3: Human Break-Ins (Hacking)
• Human Break-Ins
– Viruses and worms rely on one main attack method
– Humans can keep trying different approaches until they succeed
• Hacking
– Hacking is breaking into a computer
– Hacking is intentionally using a computer resource without authorization or in excess of authorization
Figure 9-3: Human Break-Ins (Hacking)
• Scanning Phase
– Send attack probes to map the network and identify possible victim hosts
– Nmap is a popular program for scanning attacks (Figure 9-4)
Figure 9-4: Nmap
(Screenshot; labeled elements: IP range to scan, type of scan, identified host and open ports)
Figure 9-3: Human Break-Ins (Hacking)
• The Term “Exploit” is Used in Different Ways
– Noun: The actual break-in
– Noun: Exploit is the program used to make the break-in
– Verb: Attackers exploit the computer
Figure 9-3: Human Break-Ins (Hacking)
• After the Break-In, the Hacker
– Becomes invisible by deleting log files
– Creates a backdoor (way to get back into the computer)
• Backdoor account—account with a known password and super user privileges
• Backdoor program—program to allow reentry; usually Trojanized
• Rootkit—stealthy backdoor that cannot be detected by the operating system
– Does damage at leisure
Figure 9-5: Distributed Flooding Denial-of-Service Attack
(Diagram: attacker 1.34.150.37 → attack command → handlers → attack command → zombies → attack packets → victim 60.168.47.47)
The attacker installs handler and zombie programs on victims.
The attacker sends an attack command to handlers.
Handlers send attack commands to zombies.
The zombies overwhelm the victim with attack packets.
Figure 9-6: Bots
(Diagram: human master → command / software update → bot)
Bots are like zombies, but they can be updated by the human master to give new functionality.
Figure 9-7: Types of Attackers
• Traditional Attackers:
– Traditional Hackers
• Hackers break into computers
• Driven by curiosity, a feeling of power, and peer reputation
– Virus writers
• Vandals
• Amoral
Figure 9-7: Types of Attackers
• Traditional Attackers:
– Script kiddies use scripts written by experienced hackers and virus writers
• Have limited knowledge and abilities
• But the large numbers of script kiddies make them very dangerous collectively
Figure 9-7: Types of Attackers
• Traditional Attackers:
– Disgruntled employees and ex-employees
• Dangerous because they have knowledge of and access to systems
• Too often ignored, they can do extensive damage
• The most dangerous employee attackers are IT and security staff members
Figure 9-7: Types of Attackers
• Criminal Attackers
– Most attacks are now made by criminals rather than amateurs
– Crime generates funds that criminal attackers need to increase attack sophistication
Figure 9-7: Types of Attackers
• On the Horizon
– Cyberterror: Attacks by terrorists
– Cyberwar: Attacks by nations
– Potential for massive attacks
Figure 9-8: Planning Principles
• Security Is a Management Issue, Not a Technical Issue
– Without good management, technology cannot be effective
• Comprehensive Security
– An attacker only has to find one weakness
– A firm needs comprehensive security to close all avenues of attack
– This requires centralized security planning and management
Figure 9-8: Planning Principles
• Defense in Depth
– Every protection breaks down sometimes
– Attacker should have to break through several lines of defense to succeed
– Providing this protection is called defense in depth
(Diagram: Countermeasure 1 fails; Countermeasure 2 stops the attack)
Figure 9-9: Access Control
• Enumerating and Prioritizing Assets
– Firms must enumerate and prioritize the assets they have to protect
– Otherwise, security planning is impossible
• Risk Analysis
– Must balance threat risks against the cost of protection
– Don’t overpay for security
– Don’t fail to protect sensitive assets
Figure 9-9: Access Control
• Companies Must Then Develop an Access Control Plan for Each Asset
– The plan includes the AAA protections
– Authentication is proving the identity of the person wishing access
– Authorization is determining what the person may do if they are authenticated
– Auditing is logging data on user actions for later appraisal. May send an alarm if certain conditions are found.
Figure 9-10: Authentication
(Diagram: 1. the applicant sends credentials (password, etc.) to the verifier; 2. the verifier asks the authentication server “OK?”; 3. the authentication server answers “OK” and supplies the authorizations; 4. the verifier welcomes the applicant)
The applicant is the person who wishes to prove his or her identity.
The verifier is the person who wants to authenticate the applicant.
The applicant sends credentials (passwords, etc.).
Usually a central authentication server judges the credentials.
This provides consistency in authentication.
Figure 9-11: Password Authentication
• Passwords
– Strings of characters
– Typed to authenticate someone wanting to use a username (account) on a computer
• Benefits
– Ease of use for users (familiar)
– Inexpensive because built in to operating systems
Figure 9-11: Password Authentication
• Problems
– Passwords that are common words or names are widespread
• Can be cracked quickly with dictionary attack
– Variations of common words (capitalizing the first character, adding a digit at the end, etc.) can be broken almost as quickly by a hybrid dictionary attack that looks for these tricks
Figure 9-11: Password Authentication
• Passwords should be complex
– Mix case (A and a), digits (6), and other keyboard characters ($, #, etc.)
– Can only be cracked with brute force attacks (trying all possibilities)
• Passwords should be long
– Eight characters minimum
– Each added character increases the brute force search time by a factor of about 70
Figure 9-11: Password Authentication
• Other Concerns
– If people are forced to use long and complex passwords, they tend to write them down
– People should use different passwords for different sites
• Otherwise, compromising a password will give access to multiple sites.
• But many people use the same password at multiple sites
Figure 9-11: Password Authentication
• Critique each of the following passwords, tell what attack can break it, and tell how difficult it will be for the attack to guess the password.
– swordfish
– Processing1
– SeAtTLe
– R7%t&
– 4h*6tU9$^l
Figure 9-12: Digital Certificate Authentication
• Public and Private Keys
– Each party will have both a public key and a private key
– Each party makes its public key available to everybody
– Each party keeps its private key secret
• Digital Certificate
– Tamper-proof file that gives a named party’s public key
Figure 9-12: Digital Certificate Authentication
(Diagram: the applicant does a calculation with his or her private key; the verifier checks it against the public key of the person the applicant claims to be, taken from that party’s digital certificate)
Verifier tests the calculation with the public key of the claimed party. If the test succeeds, the applicant must know the secret private key of the claimed party, which only the claimed party should know.
Figure 9-12: Digital Certificate Authentication
• Appraisal
– Digital signature authentication gives extremely strong authentication
– Very expensive: must set up infrastructure for distributing public-private key pairs
– The firm must do the labor of creating, distributing, and installing private keys.
Figure 9-13: Biometric Authentication
• Biometric Authentication
– Authentication based on bodily measurements
– Promises to eliminate passwords
• Fingerprint Scanning
– Dominates biometrics use today
– Simple and inexpensive
– Substantial error rate (misidentification)
– Often can be fooled fairly easily by determined impostors
– Not a problem for low-risk situations like home computers
Figure 9-13: Biometric Authentication
• Iris Scanners
– Scan the iris (colored part of the eye) with a camera (not a laser beam)
– Irises are complex, so very strong authentication
– Expensive
• Face Recognition
– Camera allows analysis of facial structure
– Can be done surreptitiously—without the knowledge or consent of person being scanned
– Very high error rate and easy to deceive
Figure 9-13: Biometric Authentication
• Error Rates and Deception
– Error rates (the frequency of identification errors when there is no deception) typically are higher than vendors claim
• Vendors test under idealized conditions
– Deception (deliberately trying to fool the system) is easier than vendors claim
• Especially for fingerprint recognition
– The in-the-field accuracy of biometrics is uncertain
Figure 9-14: Firewall Operation
(Diagram: an Internet attacker’s attack packet is denied by the firewall’s ingress filtering and recorded in the log file; a legitimate packet from the Internet is allowed through to a hardened server or a hardened client PC on the internal corporate network; egress filtering likewise allows legitimate packets from an internal host and denies attack packets)
Firewalls inspect each packet.
Legitimate packets are allowed through.
Provable attack packets are dropped and logged.
Figure 9-15: Stateful Firewall Filtering
• Stateful Firewall Filtering
– There are several types of firewall filtering
– Stateful inspection is the dominant methodology today
– Stateful firewalls often use other filtering mechanisms as secondary mechanisms
Figure 9-15: Stateful Firewall Filtering
• Connection Initiation Attempts
– Some packets attempt to open a connection
– Example: packets with TCP segments whose SYN bits are set
– Stateful firewalls have default rules for connection-opening attempts
(Diagram: at the site’s stateful border firewall, internally initiated connections are allowed by default; externally initiated connections are rejected by default)
Figure 9-15: Stateful Firewall Filtering
• Stateful Inspection Access Control Lists (ACLs)
– ACLs modify the default behavior for ingress or egress
– Ingress ACL rules: allow access to selected internal servers
– Egress ACL rules: prevent access to certain external servers
Figure 9-15: Stateful Firewall Filtering
• Packets that Do Not Attempt to Open a Connection
– Most packets do not attempt to open a connection
– Very simple behavior
• If the packet is part of an established connection, it is passed without further inspection. (However, these packets can be filtered if desired)
• If the packet is not part of an established connection, it is dropped and logged
– This simplicity makes the cost of processing most packets minimal
Stateful Firewalls: Recap
• All Packets
– Connection-opening attempts: default behavior, modified by ACL exceptions
– Other packets
• Part of previously permitted connection: accept packet
• Not part of previously permitted connection: drop packet
Figure 9-15: Stateful Firewall Filtering
• Perspective
– Stateful firewalls’ simple operation leads to inexpensive stateful firewall operation
– However, stateful inspection firewall operation is highly secure
Figure 9-17: Ingress Access Control List (ACL) for a Stateful Inspection Firewall
• 1. If packet’s source and destination sockets are in the connection table, PASS.
– If the packet is part of a previously established connection, pass it without further filtering.
• 2. If the packet’s source and destination sockets are not in the connection table and the packet is not a connection-opening attempt, DROP and LOG.
– Drop any packet that is not a connection-opening attempt and that is not part of an established connection.
Figure 9-17: Ingress Access Control List (ACL) for a Stateful Inspection Firewall
• 3. If protocol = TCP AND destination port number = 25, PASS and add connection to connection table.
– This rule permits external access to all internal mail servers.
• 4. If IP address = 10.47.122.79 AND protocol = TCP AND destination port number = 80, PASS and add connection to connection table.
– This rule permits access to a particular webserver (10.47.122.79)
Figure 9-17: Ingress Access Control List (ACL) for a Stateful Inspection Firewall
• 5. Deny All AND LOG
– If earlier rules do not result in a pass or deny decision, this last rule enforces the default rule of banning all externally initiated connection-opening attempts.
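The five-rule ingress ACL above, together with the Figure 9-15 default of allowing internally initiated connections, carried through as an added Python example (not the text’s own code): the Packet type, the connection-table layout and the note_outbound helper are assumptions; the rule order and the 10.47.122.79 web server come from the slides.

```python
"""Stateful-inspection ingress filter applying the five ACL rules of
Figure 9-17 on top of a connection table. Added example, not code from
Panko's text: Packet, the table layout and note_outbound are assumptions;
the rule order and the 10.47.122.79 web server are from the slides."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str         # "TCP" or "UDP"
    syn: bool = False  # SYN set without ACK = connection-opening attempt
    ack: bool = False


WEB_SERVER = "10.47.122.79"  # the one web server rule 4 exposes


def socket_pair(p):
    return ((p.src_ip, p.src_port), (p.dst_ip, p.dst_port))


def is_opening_attempt(p):
    return p.proto == "TCP" and p.syn and not p.ack


class StatefulIngressFilter:
    def __init__(self):
        self.connections = set()  # permitted (src socket, dst socket) pairs
        self.log = []             # (rule, packet) for every dropped packet

    def note_outbound(self, p):
        """Figure 9-15 default: an internally initiated connection is allowed,
        so its reply direction is entered into the connection table."""
        self.connections.add(((p.dst_ip, p.dst_port), (p.src_ip, p.src_port)))

    def ingress(self, p):
        key = socket_pair(p)
        if key in self.connections:                  # rule 1: known connection
            return "PASS"
        if not is_opening_attempt(p):                # rule 2: stray non-SYN packet
            self.log.append(("rule 2", p))
            return "DROP"
        if p.proto == "TCP" and p.dst_port == 25:    # rule 3: any internal mail server
            self.connections.add(key)
            return "PASS"
        if (p.dst_ip, p.proto, p.dst_port) == (WEB_SERVER, "TCP", 80):  # rule 4
            self.connections.add(key)
            return "PASS"
        self.log.append(("rule 5", p))               # rule 5: deny all and log
        return "DROP"


def demo():
    """Constructed traffic: a SYN to the permitted web server and its follow-up
    data, a SYN to an unlisted host, a bare UDP packet, a SYN to a mail
    server, and the reply to a connection an internal host opened earlier."""
    fw = StatefulIngressFilter()
    ext = "203.0.113.5"
    fw.note_outbound(Packet("10.47.122.10", 51000, ext, 443, "TCP", syn=True))
    packets = [
        Packet(ext, 40000, WEB_SERVER, 80, "TCP", syn=True),
        Packet(ext, 40000, WEB_SERVER, 80, "TCP", ack=True),
        Packet(ext, 40001, "10.47.122.80", 80, "TCP", syn=True),
        Packet(ext, 40002, WEB_SERVER, 53, "UDP"),
        Packet(ext, 40003, "10.47.122.50", 25, "TCP", syn=True),
        Packet(ext, 443, "10.47.122.10", 51000, "TCP", syn=True, ack=True),
    ]
    return [fw.ingress(p) for p in packets], fw
```

Running demo() yields PASS, PASS, DROP, DROP, PASS, PASS, with the two drops logged under rule 5 and rule 2 respectively.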
Figure 9-18: Firewalls, Intrusion Detection Systems (IDSs), and Intrusion Prevention Systems (IPSs)
• Firewalls
– Drop provable attack packets
• Intrusion Detection Systems (IDSs)
– Very sophisticated filtering—better than firewalls
– Identify suspicious packets
– Do not drop—suspicious packets may be legitimate
• Intrusion Prevention Systems (IPSs)
– Use IDS filtering mechanisms
– Drop suspicious packets highly likely to be attacks
– Ignore other suspicious packets
Figure 9-18: Firewalls, Intrusion Detection Systems, and Intrusion Prevention Systems
• IDS and IPS filtering
– Stream Analysis
• Analyze streams of packets to identify suspicious patterns
– Deep packet inspection
• Inspect headers and messages at the internet, transport, and application layers
Figure 9-18: Firewalls, Intrusion Detection Systems, and Intrusion Prevention Systems
• Firewalls
– Processing power required: modest
– Maturity: fairly mature
• IDSs
– Processing power required: heavy
– Maturity: still immature; too many false positives. Tuning reduces false positives but is labor-intensive
• IPSs
– Processing power required: heavy
– Maturity: new. Only used to stop attacks that can be identified fairly accurately
Figure 9-19: Cryptographic Systems
• Cryptographic Systems
– Provide security to multi-message dialogues
• At the Beginning of Each Communication Session
– The two parties usually mutually authenticate each other
(Diagram: initial authentication—Party A sends A’s credentials to B, Party B sends B’s credentials to A)
Figure 9-19: Cryptographic Systems
• Message-by-Message Protection
– After this initial authentication, cryptographic systems provide protection to every message
– Encrypt each message for confidentiality so that eavesdroppers cannot read it
(Diagram: messages between Party A and Party B are encrypted for confidentiality; the eavesdropper cannot read messages)
Figure 9-19: Cryptographic Systems
• Message-by-Message Protection
– Adds an electronic signature to each message
• The electronic signature authenticates the sender
• It also provides message integrity: receiver can tell if a message has been changed in transit
(Diagram: Party A sends each message with an electronic signature to Party B)
Figure 9-20: Symmetric and Public Key Encryption
Symmetric Key Encryption for Confidentiality
(Diagram: Party A applies the cipher and the symmetric key to the message “Hello”; the encrypted message crosses the network; an interceptor sees only the encrypted message; Party B applies the cipher and the same symmetric key to recover “Hello”)
Encryption uses a non-secret cipher (encryption method) and a secret key.
Interceptor cannot read encrypted messages en route.
Receiver decrypts the message using the same cipher and the same symmetric key.
Public Key Encryption for Confidentiality
(Diagram: Party A encrypts with Party B’s public key and Party B decrypts with Party B’s private key; Party B encrypts with Party A’s public key and Party A decrypts with Party A’s private key)
Note: Four keys are used to encrypt and decrypt in both directions.
Figure 9-21: Other Aspects of Protection
• Symmetric Key Dominates Encryption for Confidentiality
– Accounts for 99% of all encryption for confidentiality
– Dominates because it is computationally simple and therefore inexpensive
• Public Key Encryption for Confidentiality is Only Used Rarely and for Very Short Messages
– Computationally, 100 to 1,000 times slower than symmetric key encryption
– However, public key encryption for authentication is more common
Figure 9-21: Other Aspects of Protection
• Hardening Servers and Client PCs
– Some attack packets inevitably reach hosts
– Hardening is setting up computers to protect themselves
– Server Hardening
• Back up so that restoration is possible
• Patch security vulnerabilities
• Use host firewalls
• …
Figure 9-21: Other Aspects of Protection
• Hardening Servers and Client PCs
– Client PC Hardening
• As with servers, patching vulnerabilities, having a firewall, and implementing backup
• Also, a good antivirus program that is updated regularly
• Client PC users often make errors or sabotage hardening techniques
• In corporations, group policy objects (GPOs) can be used to centrally manage security on Windows clients
Figure 9-21: Other Aspects of Protection
• Vulnerability Testing
– Protections are difficult to set up correctly
– Vulnerability testing is attacking your system yourself or through a consultant
– There must be follow-up to fix vulnerabilities that are discovered
Figure 9-22: Incident Response
• Even with the best security, successful attacks sometimes happen
1. Detect the Attack
2. Stop the Attack
3. Repair the Damage
4. Punish the Attacker
Figure 9-22: Incident Response
• Major Attacks and CSIRTs
– Major incidents must be handled by the computer security incident response team (CSIRT)
• Must include members of senior management, the firm’s security staff, members of the IT staff, members of functional departments, and the firm’s public relations and legal departments
Figure 9-22: Incident Response
• Disasters and Disaster Recovery
– Natural and humanly made disasters
– Need a disaster recovery plan ahead of time
– Need a backup site and procedures to shift work there
– Need rehearsals to iron out difficulties and develop speed
Topics Covered
• The Threat Environment
– Many threats
– Malware: viruses versus worms, payloads, etc.
– Social engineering
– Spam, credit card theft, identity theft, adware, spyware
– Human Break-Ins
• Definition of hacking—authorization
• Scanning phase; the exploit
• After the Break-in: deleting log files, backdoors, damage at leisure
Topics Covered
• The Threat Environment
– Human attacks
• Denial-of-Service (DoS) Attack with zombies
• Bots
– Traditional attackers
• Hackers, virus writers, script kiddies
• Disgruntled employees and ex-employees
– Criminal attackers now dominate on the Internet
– Cybercrime and cyberwar
Topics Covered
• Security Management
– Security is a management issue, not a technical issue
– Comprehensive security and centralized management
– Defense in depth
– Enumerating and prioritizing assets
• Asset control plans: authentication, authorization, and auditing
Topics Covered
• Security Management
– Authentication
• Applicant and verifier
– Central authentication server for consistency
• Password authentication
– Poor password discipline is common
– Passwords need to be long and complex
• Biometrics
– Fingerprint, iris, face, etc.
– Error rates and deception
Topics Covered
• Security Management
– Authentication
• Digital certificate authentication
– Public key / private key pairs, digital certificates
– The strongest form of authentication
– Need both an applicant calculation and a digital certificate for authorization
Topics Covered
• Firewalls
– Filter, drop, or pass incoming and outgoing packets
– Stateful inspection firewalls
• Default rules for connection-opening attempts
• ACLs to modify the default rules
• Other packets—accept if part of connection
– Firewalls, IDSs and IPSs
– IPSs have the strongest filtering ability
Topics Covered
• Cryptographic Systems
– To protect streams of messages
– Initial authentication
– Message-by-message protections: encryption for confidentiality, digital signature for authentication and message integrity
– Symmetric key encryption
– Public key encryption
Topics Covered
• Hardening Clients and Servers
• Vulnerability Testing
• Incident Response
– Detecting the attack, stopping the attack, repairing the damage, punishing the attacker
– Major attacks and CSIRTs
– Disasters and disaster recovery