Information Security
Xiangming Mu
What is Information Security
• About information policy, information privacy, information
ownership
• About information integrity, accuracy, verifiability and
qualities
• About encryption, data assurance, practices in
organizations
• About techniques for assessing information value, risk
assessment, scenarios
• About the Denial of a system service (so that its
legitimate users are not able to use it)
Evolution of information security
• Ancient times (before 1990)
– Networking is limited
– Systems are trusting and open
– “Hack” only as engineers’ hobby
• Middle times (1990s)
– Growing network
– Many incidents of varying severity, but few that actually affected the
"real" world
• Modern times (after 2000)
– Well-publicized security incidents that actually affected individuals
– “Hacker” becomes professional
– Support and recognition of security analyst as a separate professional
category
– professional security certifications
Trust and Security
• Without trust, information systems cannot be built—too
complex
• Trust abuse
– security holes come from what you trust
– Trust in a system could be defined as the level of confidence in
its integrity.
– Nevertheless, just like it is hard to provide computer security with
reasonable guarantees, it is hard to have a system that can be
trusted with a high level of confidence under all circumstances.
• Insiders are the most dangerous threats to systems.
Security threats
• Not all damages are related to security
– Incidental damage--happens "by itself" during
legitimate use, could be a result of
• human error
• hardware or software bugs encountered
• power failure
• hardware failure
– Caused by natural disasters
• such as earthquakes, floods, hurricanes, rain,
snow, storms, tornadoes, etc
What in the digital world?
• Viruses
• Worms
• Bacteria
• Trojan Horses
• Others
Other malicious programs and
mechanisms
• Logic Bombs
• Backdoors
• Spyware
• Covert Channel
• Race Conditions
• Address Space Attacks
• Waste Searching
• File Vault on Mac OS X
• Design Flaws and Oversights
Viruses
• Pieces of software that can attach themselves to
– executable files
– disk boot sectors
– documents (whose loading is likely to cause embedded code execution at some
point)
– even additionally hide elsewhere in the operating system, including the kernel.
• These "infected" entities become carriers of a virus's malicious code, and
thereby allow it to self-replicate.
• Virus detection
– detect viruses by looking for known strings, unique code sequences, etc. in
suspected code.
– signature-matching
– by executing it within a restricted, virtualized environment, such as a sandbox.
– others
Worms
• A worm also self-replicates like a virus, but usually over a network.
• Early, benign worms: intended as useful programs that would
make use of otherwise idle machines.
• Worms infiltrate computers usually by exploiting holes in the security
of networked systems.
• Worms usually attack programs that are already running.
– The attack might result in creation of new processes, after which a
worm can run independently, and self-propagate.
• Unlike a virus, a worm may not change existing programs, but like a
virus, a worm may have some "payload" code, which in turn may
modify existing programs or system configuration.
Worms (cont’)
• Causing denial ( or degradation) of service
• Sending emails: allow spammers to use the
victims’ machines for sending spam while hiding
their own tracks
• Removing information on the victim system
• Installing backdoors for subsequent misuse
Bacteria and Trojan Horses
• Bacteria
– Programs that replicate themselves and feed off the host system
by preempting system resources such as processor time and
memory
• Trojan Horses
– Like the Greek Trojan horse, these programs have a hidden,
negative, subversive, and thus potentially harmful aspect.
– Trojan horses are programs that masquerade as useful
programs, but contain malicious code to attack the system or
leak information. An unsuspecting user would typically run a
Trojan horse willingly, to use its supposed (advertised) features.
Logic Bombs
• A logic bomb is a program that does something, usually
malicious (it "explodes"), when some logical condition is
satisfied.
• If the condition is time-related, such programs could also
be termed time bombs.
• Some examples of logic bombs:
– Introduction of a deliberate error in a program, say, by a
disgruntled employee, that will result in disaster in the future —
usually after the employee is gone.
– A program that deletes your files on every full-moon night.
– A disgruntled administrator changes (administrator) passwords
for certain systems, and leaves the company.
Backdoors
• A backdoor opens a system for access by an external entity:
– by overthrowing, or bypassing, the local security policies.
– The goal of a backdoor usually is to allow remote access and control
(over a network), although it may also work "locally".
– Backdoors are sometimes referred to as trapdoors.
• Backdoors may exist for various reasons:
– Explicitly programmed by the creators of the system, perhaps even as
an undocumented feature — a debugging aid, perhaps.
– A result of a flaw in the design or implementation of a program.
– Planted by an attacker once he has infiltrated a system, to facilitate
easy entry in future.
• Some specific, somewhat contrived, examples of backdoors:
– A network server, such as the web server or the mail server, could be
modified to provide a shell (interactive or otherwise), when a request
with a specific signature is received.
Spyware
• Spyware is apparently useful software that transmits private user data to an
external entity, without the user's consent or even knowledge.
• The external entity stands to gain from the information thus harvested.
• A common example is that it helps the external entity send targeted
advertising to the user.
• Spyware constitutes malware because it makes unauthorized use of a
system's resources and leaks information (that is, violates privacy).
• In certain cases, spyware may enter a system not through an apparently
useful program, but as payload of another malicious program, such as a
worm or a virus.
Covert Channel and Race Conditions
• Covert Channel:
– an information channel might be used to transfer certain
information, possibly malicious, in a way that was not intended
by the system's designers.
– Such a covert channel can be an effective mechanism to help in
subversive activities.
• Race Conditions:
– are flaws, either in design or implementation, that involve an
attacker exploiting a window of time in a sequence of (privileged)
non-atomic operations.
– The window of time exists when a program checks for a
condition and subsequently uses the result of the check, with
the two operations being non-atomic.
– Such flaws are also called Time Of Check To Time Of Use
(TOCTOU) flaws.
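The check-then-use window described above, as an added example that is not part of the slides: the vulnerable access()/open() pair beside a hardened version that opens once and validates the object through its descriptor, exercised on a constructed temp-file fixture. O_NOFOLLOW and the "regular file owned by the caller" test are assumptions about the policy being enforced, not something the slides specify.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Vulnerable shape: check by path, then use by path. The name is resolved
 * twice, so whatever it points to may change in between (the TOCTOU window). */
int open_readable_vulnerable(const char *path) {
    if (access(path, R_OK) != 0)   /* time of check */
        return -1;
    return open(path, O_RDONLY);   /* time of use: second lookup */
}

/* Hardened shape: open once without following symlinks, then validate what was
 * actually opened via fstat() on the descriptor, so check and use share one inode.
 * Requiring a regular file owned by the caller is an assumed policy choice. */
int open_readable_safe(const char *path) {
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -1;
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_uid != geteuid()) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Constructed fixture: a regular file and a symlink to it in a temp directory;
 * the link stands in for a name swapped inside the window. Returns 1 when the
 * vulnerable version accepts the link but the safe one rejects it while still
 * accepting the regular file; 0 otherwise; -1 if the fixture cannot be built. */
int demo_toctou(void) {
    char dir[] = "/tmp/toctouXXXXXX", file[64], link[64];
    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(file, sizeof file, "%s/data.txt", dir);
    snprintf(link, sizeof link, "%s/data.lnk", dir);
    int fd = open(file, O_WRONLY | O_CREAT, 0600);
    if (fd < 0 || symlink(file, link) != 0)
        return -1;
    close(fd);
    int v = open_readable_vulnerable(link);  /* follows the link: accepted */
    int s_link = open_readable_safe(link);   /* O_NOFOLLOW fails: rejected */
    int s_file = open_readable_safe(file);   /* regular file: accepted */
    int ok = v >= 0 && s_link < 0 && s_file >= 0;
    if (v >= 0) close(v);
    if (s_file >= 0) close(s_file);
    unlink(link); unlink(file); rmdir(dir);
    return ok;
}
```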
Waste Searching
• looking for sensitive information in areas that are
traditionally unprotected, or weakly protected
• scavenge printer ribbons, tapes, disk drives,
floppy diskettes, garbage paper, and so on.
• A system's swap space is another potentially
lucrative area to look at for sensitive information.
Database security
• Security Objectives
– Confidentiality—prevent/detect/deter improper
disclosure of information or access to
resource.
– Integrity—prevent/detect/deter improper
modification of information
– Availability—prevent/detect/deter improper
denial of access to resources provided by the
system
Database security (cont’)
• Mechanism to achieve security objectives
– Confidentiality
• Access control policy and its enforcement,
authentication, inference prevention, cryptography
– Integrity
• Integrity policy and its enforcement, auditing,
cryptography
– Availability
• Fault tolerance, intrusion detection
Security and Surveillance
• Logging systems
• Keystroke loggers (hardware & software)
• Backdoor
• Van Eck radiation/Tempest
• Network sniffing/wifi interception
• DCS 2000, cell-phone cameras
• Others?
– Tracks in your word?
Security and Surveillance (cont’)
• Website Logs
• Web bugs
• Proxy logs
• Cookies
• Sniffers