Introduction - Northern Kentucky University

Download Report

Transcript Introduction - Northern Kentucky University

DSC 101: Security
Topics
1.
2.
3.
4.
5.
6.
Components of Security
States of Information
Threats
Attacks
Malware
Vulnerabilities
What is Security?
Security is the prevention of certain types of
intentional actions from occurring in a
system.
– The actors who might attack a system are
threats.
– Threats carry out attacks to compromise a
system.
– Objects of attacks are assets.
Components of Security
Integrity
Confidentiality
Availability
Confidentiality
Confidentiality is the avoidance of the
unauthorized disclosure of information.
Examples where confidentiality is critical:
– Personal information
– Trade secrets
– Military plans
Security Controls for Confidentiality
Access Control: rules and policies that limit
access to certain people and/or systems.
– File permissions (which users can access)
– Firewall settings (which IP addresses can access)
Encryption: transforming information so that it
can only be read using a secret key.
– AES
– SSL
Integrity
Integrity is the property that information has
not be altered in an unauthorized way.
Examples where integrity is critical:
– Operating system files
– Software updates and downloads
– Bank account records
Security Controls for Integrity
• Backups: periodic archiving of data.
• Checksums: the computation of a function
that maps the contents of a file to a numerical
value.
• Data correcting codes: methods for storing
data in such a way that small changes can be
easily detected and automatically corrected.
Availability
Availability is the property that information is
accessible and modifiable in a timely fashion by
those authorized to do so.
Examples where availability is critical:
– E-commerce site
– Authentication server for your network
– Current stock quotes
Security Controls for Availability
Physical protections: infrastructure meant to keep
information available even in the event of physical
challenges.
– Backup generators
– Disaster recovery site
Computational redundancies: computers and
storage devices that serve as fallbacks in the case of
failures.
– Backup tapes
– RAID
States of Information
1. Storage: information in memory or disk
that is not currently being accessed.
2. Processing: information currently being
used by processor.
3. Transmission: information in transit
between one node and another on a
network.
Is your information protected in all three states?
Threats, Attacks, and Vulnerabilities
Threats are people who are able to take advantage of security
vulnerabilities to attack systems.
– Criminals, hacktivists, spies, disgruntled employees.
Attacks are tools, programs, and methods used by threats to
obtain assets from systems in violation of the security policy.
– Stuxnet, Dark Comet, AirCrack, John the Ripper
Vulnerabilities are weaknesses in a system that allow a threat
to obtain access to information assets in violation of a
system’s security policy.
(2719662)
Vulnerabilities in Gadgets
Could Allow Remote Code
Execution
How are Digital Threats Different?
Automation
– Salami Attack from Office Space.
Action at a Distance
– Volodya Levin, from St. Petersburg, Russia, stole
over $10million from US Citibank. Arrested in
London.
Technique Propagation
– Criminals share attacks rapidly and globally.
Who are the threats?
IBM X-Force 2012 Trend and Risk Report
Threat Model
A threat model describes which threats exist
to a system, their capabilities, history,
intentions, and likely targets.
– Are you worried about broad or targeted
threats?
– Are your threats able to develop their own tools
or just use off the shelf tools?
– Do you keep enough data about historical
incidents to know what your threats are?
Threat Model Examples
Example 1: Disgruntled Insider
– Targeted attack on organization
– Knows systems and information assets already
– Attacks more likely to focus on DoS than theft
Example 2: Outsider, broad attack
– Broad attack, looking for any vulnerable system.
– Looking for one particular type of asset, which
your organization may or may not have.
Attacks and Exploits
An attack is an action taken by a threat to gain
unauthorized access or to create unauthorized
modification of assets.
–
–
–
–
Spam
Phishing
Malware
Denial of Service
An exploit is a piece of software or a scripted set of
actions that carry out an attack. Threats often turn
attacks into exploits to automate compromising of
systems.
Spam
Spam is the use of electronic messaging
systems to send unsolicited bulk messages,
especially advertising, indiscriminately.
–
–
–
–
Mostly e-mail, but also
Blog and webforum comment spam,
Wiki spam,
IM spam, etc.
Over 90% of e-mail is spam!
Phishing E-mail
Phishing Site
Denial of Service
Malware
Malware, short for malicious software, is software designed
to gain access to confidential information, disrupt computer
operations, and/or gain access to private computer systems.
Malware can be classified by how it infects systems:
– Trojan Horses
– Viruses
– Worms
Or by what assets it targets:
–
–
–
–
–
Ransomware
Spyware and adware
Backdoors
Rootkits
Botnets
How much malware is out there?
Trojan Horses
Trojan Horse Examples
Viruses
A computer virus is a type of malware that,
when executed, replicates by inserting copies
of itself (possibly modified) into other files.
This process is called infecting.
Worms
A worm is a type of
malware that
spreads itself to
other computers.
Ransomware
Spyware and Adware
Backdoors
Backdoor Example: Dark Comet
Rootkits
•
•
•
•
•
Execution Redirection
File Hiding
Process Hiding
Network Hiding
Backdoor
User Program
Rootkit
Operating System
Botnets
Vulnerabilities
Vulnerabilities can be found in any software:
– PC: Office, Adobe Reader, web browsers
– Server: Databases, DNS, mail server software,
web servers, web applications, etc.
– Mobile: Mobile phone OS, mobile applications
– Embedded: printers, routers, switches, VoIP
phones, cars, medical devices, TVs, etc.
– Third party software: Web browser plugins, Ad
affiliate network JavaScript include files, Mobile
ad libraries
Document Format Vulnerabilities
IBM X-Force 2012 Trend and Risk Report
Web Browser Vulnerabilities
IBM X-Force 2012 Trend and Risk Report
Embedded Vulnerabilities
Patches
A patch is a piece of data or software designed
to fix a security vulnerability or bug.
– Administrator may have to apply manually.
– Some vendors specify certain days to patch,
such as “Patch Tuesday,” the 2nd Tuesday of the
month when MS releases updates.
– Increasingly software auto updates itself with
current patches.
Vulnerability Timeline
Vulnerability Markets
Vulnerability Databases
Key Points
1.
2.
3.
4.
5.
Components: confidentiality, integrity, availability
States of Info: storage, communication, processing
Definitions: threat, attack, and vulnerability
Attacks: spam, phishing, DoS, and malware
Vulnerabilities affect all software
– Not just PC or mobile software
– Lifecycle: 0day, exploit, then patch and signatures
References
1. Nate Anderson, Meet the men who spy on women through their webcams: The Remote
Administration Tool is the revolver of the Internet's Wild West. Ars Technica,
http://arstechnica.com/tech-policy/2013/03/rat-breeders-meet-the-men-who-spy-onwomen-through-their-webcams/, 2013.
2. Honeynet Project, Know Your Enemy, 2nd edition, Addison-Wesley, 2004.
3. IBM, X-Force 2012 Risk and Trends Report, 2013.
4. Stuart McClure, Joel Scambray, and George Kurtz, Hacking Exposed, 5th edition, McGrawHill, 2005.
5. Norton, Fake Antivirus, http://www.nortonantiviruscenter.com/security-resourcecenter/fake-antivirus.html
6. Ed Skoudis, Counter Hack Reloaded, Prentice Hall, 2006.
7. Stuart Staniford, Vern Paxson, and Nicholas Weaver, "How to 0wn the Internet in Your
Spare Time," Proceedings of the 11th USENIX Security Symposium, 2002.