Transcript Chapter 15: Security

Security
Chapter 15
Computer Security Concepts
Computer Security: The protection afforded to an automated information system in
order to attain the applicable objectives of preserving the integrity, availability and
confidentiality of information system resources (i.e. hardware, software, firmware,
information/data, and telecommunications)
• Integrity - Assets can be modified by authorized parties only
• Availability - Assets be available to authorized parties
• Confidentiality - Requires information in a computer system
only be accessible by authorized parties. Individuals set their
own privacy requirements.
Addl. requirements:
• Authenticity - Requires that a computer system be able to
verify the identity of a user
• Accountability - Requires the detection and tracing of a
security breach to a responsible party.
Threats and Assets
System Access Threats
System
access threats
fall into two
general
categories:
Intruders
Malicious
software
Intruders
Masquerader
Misfeasor
Clandestine
user
an individual who is
not authorized to use
the computer and
who penetrates a
system’s access
controls to exploit a
legitimate user’s
account
a legitimate user
who accesses data,
programs, or
resources for which
such access is not
authorized, or who
is authorized for
such access but
misuses his or her
privileges
an individual who
seizes supervisory
control of the
system and uses this
control to evade
auditing and access
controls or to
suppress audit
collection
Intruder Behavior Patterns
Hackers
Criminals
Insider attacks
Malicious Software
• Programs that exploit vulnerabilities in computing systems
• Also referred to as malware
• Can be divided into two categories:
• parasitic
» fragments of programs that cannot exist independently of
some actual application program, utility, or system program
» viruses, logic bombs, and backdoors are examples
• independent
» self-contained programs that can be scheduled and run by the
operating system
» worms and bot programs are examples
Malicious Software (malware)
Backdoor (Trapdoor)
• Entry point into a program that allows someone who is aware of trapdoor to gain access
• used by programmers to be able to debug and test programs while skipping a lengthy
setup/authentication process during development
– Avoids necessary setup and authentication
Logic Bomb
• Code embedded in a legitimate program that is set to “explode” when certain conditions are met
• Presence or absence of certain files, particular day of the week, particular user running application
• One of the oldest types of program threats, predating viruses and worms
Trojan Horse
• Useful program that contains hidden code; when invoked performs some harmful function
–
Can be installed through software downloads, bundling, email attachments, websites with executable content,
etc. Trojan-type malware is on the rise, accounting for a very high percentage of the global malware.
Viruses
Program that can “infect” other programs by modifying them in such a way that the infected program
can infect other programs
E-mail Virus
• Activated when recipient opens the e-mail attachment (e.g. Melissa virus).
• Sends itself to everyone on the mailing list of the infected user
A SIMPLE VIRUS
A COMPRESSION VIRUS
Malware Defense
Antivirus Approaches –
(1) Detection (2) Identification (3) Removal
As virus arms race has evolved, antivirus software have grown more complex.
Two sophisticated ones are: Generic Decryption and Digital Immune System
Generic Decryption (GD)
Contains three essential parts:
• CPU emulator
– Instructions in an executable file are interpreted by the emulator rather than the
processor in a controlled environment. If the code includes a decryption routine, it is
also interpreted and the virus is exposed. Virus itself does the decryption for the
antivirus program (GD)
• Virus signature scanner
– Scan target code looking for known virus signatures
• Emulation control module
– Controls the execution of the target code. Periodically, it interrupts the interpretation to
scan the target code for virus signatures
Digital Immune System
• Developed by IBM (refined by Symantec) – general purpose emulation and virus
detection system
• Motivation: rising threat of Internet-based virus propagation
– Integrated mail systems (e.g. MS Outlook, Lotus Notes)
– Mobile-program system (e.g. Java and ActiveX allow programs to move on their own)
1. Each PC runs a
monitoring program to
detect unusual behavior
2. Encrypt the sample and
forward to VAM
3. Analyze the sample in a
safe environment via
emulation
4. Prescription is sent back
to Adm.Machine
5.-6. Forwarded to the
infected client as well as
the other PCs on the
same network
7. All subscribers receive
regular antivirus updates
Malicious Software (cont.)
Worms
Exhibits similar characteristics as an e-mail virus, but worm does not need a host
program and it is not passive, it actively seeks out more machines to infect via
• Electronic mail facility: A worm mails a copy of itself to other systems
• Remote execution: A worm executes a copy of itself on another system
• Remote log-in: A worm logs on to a remote system as a user and then copies itself from
one system to the other
Some worms are used to create bots (zombies)
Bots (Zombie or drone)
• Program that secretly takes over another Internet-attached computer and uses it to launch
attacks that are difficult to trace to the bot’s creator
• planted on hundreds of computers belonging to unsuspecting third parties and then used to
overwhelm a target Web site by launching an overwhelming onslaught of Internet traffic
• The collection of bots acting in a coordinated manner is called botnet
Uses of Bots
• DDoS (Distributed Denial of Service attacks), spamming, sniffing traffic on a
compromised machine, keylogging, spreading new malware, manipulating online
polls/games/clicks for ads (every bot has a distinct IP address), etc.
BOTS
Bots (Zombie or drone)
• Program that secretly takes over another Internet-attached computer and uses it to launch attacks
that are difficult to trace to the bot’s creator
Remote Control Facility
• A worm propagates and activates itself, whereas a bot is controlled from a central facility
• Once a communication path is established, the control module can activate the bots in host
machines (which are taken hostage). For greater flexibility, the control module can instruct the
bots to download a file from an internet site and execute it. This way, a bot can be used for
different kinds of attacks.
Constructing the Attack Network
3 things needed:
(1) attack software (2) a large number of vulnerable machines
(3) locating these machines (scanning or fingerprinting).
Scanning is generally done in a nested (or recursive) manner.
Scanning strategies:
• Random – check random IP addresses for vulnerability (generates suspicious internet traffic)
• Hit list – a long list is compiled a priori. Each infected machine is given a partial list to infect
generates less internet traffic and therefore makes it more difficult to detect.
• Topological – uses information contained on an infected machine to find more hosts to scan
• Local subnet – if a host could be infected behind a firewall, that host could be used to infect
others on the same subnet (all behind the same firewall).
ROOTKITS
Rootkit
• Malware which consists of a set of programs designed to take fundamental control of a
computer system and hide the fact that a system has been compromised
e.g. Poison Ivy Remote Access Tool (RAT)
• Typically, rootkits act to obscure their presence on the system through subversion or evasion
of standard OS security mechanisms.
• Techniques used to accomplish this can include concealing running processes from
monitoring programs, or hiding files or system data from the OS
• Rootkits may also install a "back door" in a system by replacing the login mechanism (such
as /bin/login) with an executable that steals a login combination, which is used to access the
system illegally.
• With root access, an attacker has complete control of the system to do anything
Rootkit Installation
• Usually via a Trojan horse. A user is induced to load a Trojan horse which then installs the
rootkit.
• Another means of rootkit installation is by hacker activity which is a rather lengthy process.
Rootkit Countermeasures
• Rootkits can be extraordinarily difficult to detect and neutralize, particularly
so for kernel-level rootkits.
• Many of the administrative tools that could be used to detect a rootkit can be
compromised by the rootkit itself
• There are always new rootkits and modified versions of existing rootkits that
display novel signatures. For these cases, a system needs to look for behaviors
that could indicate the presence of a rootkit, such as the interception of system
calls or a keylogger interacting with a keyboard driver. Such behavior
detection is far from straightforward. For example, antivirus software typically
intercepts system calls.
• Another approach is to conduct a file integrity check e.g. RootkitRevealer.
This package compares the results of a system scan using APIs with the
actual view of storage using instructions that do not go through an API.
Because a rootkit conceals itself by modifying the view of storage seen by
admin. calls, RootkitRevealer catches the discrepancy.
• If a kernel-level rootkit is detected, an entire new OS install is needed.
Buffer Overflow Attacks
• Also known as a buffer overrun
• Defined in the NIST (National Institute of Standards and
Technology) Glossary of Key Information Security Terms as:
“A condition at an interface under which more input can be placed
into a buffer or data-holding area than the capacity allocated, overwriting
other information.
Attackers exploit such a condition to crash a system or
to insert specially crafted code that allows them to gain control of the
system”
•
•
One of the most prevalent and dangerous types of security attacks
Modern Languages provide bounds checking at run time to prevent buffer
overflow. Therefore, more robust against such attacks.
Exploiting Buffer Overflow
• To exploit any type of
buffer overflow the
attacker needs:
• To identify a buffer overflow
vulnerability in some program
that can be triggered using
externally sourced data under
the attackers control
• To understand how that buffer
will be stored in the processes
memory, and hence the potential
for corrupting adjacent memory
locations and potentially altering
the flow of execution of the
program
Countermeasures
• An Intrusion Detection System (IDS) is a security service that
monitors and analyzes system events for the purpose of finding, and
providing real-time warning of, attempts to access system resources
in an unauthorized manner
• Intrusion detection systems (IDSs) can be classified as:
• host-based IDS
» monitors the characteristics of a single host and the events
occurring within that host for suspicious activity
• network-based IDS
» monitors network traffic for particular network segments or
devices and analyzes network, transport, and application
protocols to identify suspicious activity
Intrusion Detection
• Assumption: the behavior of the intruder differs from the legitimate user.
• But, there is overlap. A loose interpretation of intruder may lead to false positives ; on
the other hand, a tight interpretation may lead to false negatives (risky!)
IDS Components
Sensors
responsible for
collecting data
Analyzers
receive input from
one or more sensors
or from other
analyzer
User
interface
enables a user
To view output from
the system
or
the input for a sensor
may be any part of a
system that could
contain evidence of
an intrusion
responsible for
determining if an
intrusion has occurred
types of input to a
sensor include
network packets, log
files, and system call
traces
may provide
guidance about what
actions to take as a
result of the
intrusion
To control the behavior
of the system
Firewalls
Design goals:
•
Can be an effective means of
protecting a network of systems
from network-based security
threats while affording access to
the outside world via the Internet
•
Traditionally, a firewall is a dedicated
computer that interfaces with computers
outside a network and has special
security precautions built into it in order
to protect sensitive files on computers
within the network
•
Today, Personal Firewalls on PCs are
also common
1) The firewall acts as a choke
point, so that all incoming
traffic and all outgoing traffic
must pass through the firewall
2) Only authorized traffic, as
defined by the local security
policy, will be allowed to pass.
3) The firewall is secure against
attacks
Authentication
• Basis for most type of access control and accountability
Identification & Verification:
presenting an id to the security system and generating authentication info
Means of authentication
Something the individual knows – password, PIN, answers to a set of questions
Something the individual possesses – electronic keycards, smart cards, keys
Something the individual is (static biometrics) – fingerprint, retina, face
Something the individual does (dynamic biometrics) – voice pattern, handwriting,
typing rhythm, etc.
Cost
•
•
•
•
Accuracy
Password Selection
• Computer generated passwords
– Users have difficulty remembering them; Need to write it down
– Have history of poor acceptance
• Reactive password checking strategy
– System periodically runs its own password cracker to find guessable
passwords. It cancels passwords that are guessed and notifies user
• Proactive password checker
– The system checks at the time of selection if the password is allowable
– With guidance from the system, users can select memorable passwords
that are difficult to guess
Password Protection via Salt and Hashing
(UNIX/Linux)
• Salt is random and different for each password. Advantages are:
• duplicates appear differently in password file; hence it is impossible to guess if a user has used
the same password on different systems.
• Increases the difficulty of guessing the passwords by using an offline dictionary attack that
uses Rainbow Tables. To crack passwords offline, each dictionary password must be paired
with each salt in the file, hashed, and then checked against the password file.
• It has been shown to be secure against a variety of cryptanalytic attacks
Access Control
•
Implements a security policy that specifies who or what may have access to each
specific system resource and the type of access that is permitted in each instance
•
Mediates between a user and system resources, such as applications, operating
systems, firewalls, routers, files, and databases
•
A security administrator maintains an authorization database that specifies what
type of access to which resources is allowed for this user
– the access control function consults this database to determine whether to grant access
•
An auditing function monitors and keeps a record (logs) of user accesses to system
resources
Access Control
• Discretionary access control (DAC)
– based on the ID of the requestor. Traditional.
• Mandatory access control (MAC)
– compares security labels (of critical system resources)
with security clearances. Used in the military. Unlike
with DAC, an entity that has clearance to access a
resource may not enable another entity to access that
resource.
• Role-based access control (RBAC)
– based on the roles that users have within the system.
There are rules stating what accesses are allowed to
users in given roles. Widely used
Discretionary
access control
(DAC)
Role-Based Access Control (RBAC)
•
•
•
•
Widespread commercial use
A user may be assigned multiple roles
Each role has certain access rights
A role can also be treated as an object,
hence it allows role hierarchies
Access Control
• A separate access control
module is associated with
each type of object
• An access attempt triggers
the following steps:
• S0 issues a request a for X
• A message (S0, a, X) is sent
to the controller for X
• Controller checks if a is in
A[S0, X]. If so, allows access,
otherwise a warning is issued
Terminology of Malicious Programs
Terminology of Malicious Programs
Operating System Installation:
Initial Setup and Patching
System security begins with the installation of the operating system
Ideally new systems should be constructed on a protected network
The initial installation should comprise the minimum necessary
for the desired system, with additional software packages
included only if they are required for the function of the system
The overall boot process must also be secured
Care is also required with the selection and installation of any
additional device driver code, since this executes with full
kernel level privileges, but is often supplied by a third party
Remove Unnecessary Services,
Applications, and Protocols
•
To improve security, identify what is actually required for a given system so that a
suitable level of functionality is provided. Eliminate software that is not required.
•
When performing the initial installation the supplied defaults should not be used, but
rather the installation should be customized so that only the required packages are
installed
•
Follow the security-hardening guides which provide lists of services, applications, and
protocols that should not be installed if not required
•
Since many uninstall scripts fail to completely remove all components of a package,
strong preference is stated for not installing unwanted software (rather than installing and
then later removing or disabling it)
• should an attacker succeed in gaining some access to a system, disabled
software could be re-enabled and used to further compromise a system
• it is better for security if unwanted software is not installed, and thus not
available for use at all
Configure Users, Groups, and
Authentication
• The system planning process should consider:
the categories
of users on
the system
the privileges
they have
the types of
information
they can
access
how and
where they
are defined
and
authenticated
• Restrict elevated privileges to only those users that require them
• At this stage any default accounts included as part of the system installation should be secured
• Those accounts which are not required should be either removed or at least disabled
• System accounts that manage services on the system should be set so they cannot be used for
interactive logins
• Any passwords installed by default should be changed to new values with appropriate security
• Any policy that applies to authentication credentials and to password security is configured
Configure Resource Controls
•
Once the users and their associated groups are defined, appropriate permissions can
be set on data and resources to match the specified policy
•
This may be to limit which users can execute some programs or to limit which users
can read or write data in certain directory trees
•
Many of the security-hardening guides provide lists of recommended changes to the
default access configuration to improve security
Install Additional Security Controls
•
•
Further security improvement may
be possible by installing and
configuring additional security tools
such as antivirus software, hostbased firewall, IDS or IPS
software.
Some of these may be supplied as
part of the operating systems
installation, but not configured and
enabled by default
•
Given the wide-spread prevalence
of malware, appropriate antivirus is
a critical security component
•
IDS and IPS software may include
additional mechanisms such as
traffic monitoring or file integrity
checking to identify and even
respond to some types of attack
Test the System Security
•
The final step:
•
The goal is to ensure that the previous security configuration steps are correctly
implemented and to identify any possible vulnerabilities that must be corrected or
managed
•
Suitable checklists are included in many security-hardening guides
•
There are also programs specifically designed to review a system to ensure that a
system meets the basic security requirements and to scan for known vulnerabilities
and poor configuration practices
•
This should be done following the initial hardening of the system and then
repeated periodically as part of the security maintenance process
security testing
Logging
•
Logging information can be generated
by the system, network, and
applications
•
Effective logging helps ensure that in
the event of a system breach or
failure, system administrators can
more quickly and accurately identify
what happened and more effectively
focus their remediation and recovery
efforts
•
The range of logging data acquired
should be determined during the
system planning stage
•
Logging can generate significant
volumes of information so it is
important that sufficient space is
allocated for them
•
manual analysis of logs is tedious and
unreliable therefore some form of
automated analysis is preferred as it
is more likely to identify abnormal
activity
Data Backup and Archive
•
Performing periodic backups of data on a system is important and critical
•
The policy relating to backup and archive should be determined during the system
planning stage
– Key decisions:
• should the copies be kept online or offline?
• Should the copies be stored locally or transported to a remote site?
• Archive: retaining copies over extended periods of time (months/years) in order to
meet legal and operational requirements to access past data
Security Maintenance
•
The process of security
maintenance includes the
following steps:
Testing system
security regularly
performing
regular
backups
recovering
from security
compromises
monitoring and
analyzing logging
information
Patching and updating all
critical software
Monitoring and Revising
configuration as needed