Transcript Computer & Network Security

Computer & Network Security
[email protected]
Outlines
 Definition of computer and network security
 Security Terminology
 Weaknesses and Vulnerabilities
 Identification and Authentications
 Authentication Mechanism
 Computer System and Network Intrusions
 Internet Etiquette
 Security Management
Definition of computer and network security
• Definitions
 Security
•

Security is about the protection of assets
*
Protective measures
•
•
•
Prevention
– Take measures that prevent assets from being damaged
Detection
– Take measures that be able to detect when an asset has
been damaged
Reaction
– Take measures that be able to recover from a damage
* From : Gollmann D., Computer Security, John Wiley &Sons, 1999
Definition of computer and network security
• Information security
 The tasks of guarding digital information
• Information :
– Typically processed by a computer
– Stored on a some devices
– Transmitted over a network
 Ensures that protective measures are properly
implemented
• A protection method
Definition of computer and network security
• Computer security


No absolute “secure” system
Security mechanisms protect against specific
classes of attacks
Definition of computer and network security
• Network security


Security of data in transit
• Over network link
• Over store-and-forward node
Security of data at the end point
• Files
• Email
• Hardcopies
Definition of computer and network security
• Network security differences from computer
security :




Attacks can come from anywhere, anytime
Highly automated (script)
Physical security measures are inadequate
Wide variety of applications, services, protocols
•
•

Complexity
Different constraints, assumptions, goals
No single “authority”/administrators
Security Terminology
• Security attack
• Security mechanism
• Security service
• Risk
• Risk Analysis
• Spies
• Cyberterrorists
Security Terminology
• Security attack
• Any action that compromises security information
• Security mechanism
• A mechanism that designed to detect, prevent, or
recover from a security attack
• Security service
• A service that enhances the security of data
processing systems and information transfers.
• Makes use of one or more security mechanisms
Security Terminology
• Risk
 A measure of the cost of a realised vulnerability
that incorporates the probability of a successful
attack
• Risk analysis :

Provides a quantitative means of determining
whether an expenditure on safeguards is
warranted
Security Terminology
• Spies
 A person who
•
•
Has been hired to break into a computer and steal information
Do not randomly search for unsecured computers to attack
• Cyberterrorists
 Terrorists that attack the network and computer
infrastructure to
•
•
•
Deface electronic information (such as web sites)
Deny service to legitimate computer users
Commit unauthorised intrusions into systems and networks
that result in infrastructure outages and corruption of vital data
Weaknesses, Vulnerabilities
and Threats
Weaknesses and Vulnerabilities
 Vulnerability
A
weakness in a system allowing an attacker to
violate the confidentiality, integrity, availability
 May
result from
Software bugs
Software of system design flaws
Weaknesses and Vulnerabilities
 Vulnerability
 Examples
of vulnerabilities
Buffer overflows
Race conditions
Unencrypted protocols
Bad/insufficient sanity checks
Backdoors
Unqualified trust
 Some of these vulnerabilities are described later
Threats
 Threat means
 A person, thing, event



which poses some danger to an asset in terms of that asset’s
confidentiality, integrity, availability
Accident threats
Delibrate threats : Passive and Active
 Examples of threat
 Hacker/cracker
 Script kiddies
 Spies and Malware
 Denial-of-service (DoS) attack
 Zombies
 Insecure/poorly designed applications
Threats
 Hacker/cracker**
 Hacker :
 a person who uses his/her advanced computer skills to
attack computers, but not with a malicious intent,
hackers use their skills to expose security flaws.
 Cracker :
 a person who violates system security with malicious
intent. Crackers destroy data, deny legitimate users of
services, cause serious problems on computers and
networks.
** from : M. Ciampa, Security+guide to network security fundamentals, Thomson
course technology, 2005
Threats
 Script kiddies
 Want to break into computers like crackers, but


unskilled users
download software from web sites, use to break into computers
 Spies
 A person who
Has been hired to break into a computer and steal information
 Do not randomly search for unsecured computers to attack

 Malware

A group of destructive programs such as viruses, worms,
Trojan horse, logic bombs, and spyware
Threats
 Virus : a computer program that
 can copy itself and infect a computer without permission or
knowledge of the user
 spreads from one computer to another when its host (such as
an infected file) is taken to that computer
 viruses always infect or corrupt files on a targeted computer
 Worm : a computer program that
 is a self-replicating code
Resides in active memory (the program is executed)
 Propagates itself




uses a network to send copies of itself to other node
can spread itself to other computers without needing to be
transferred as part of an infected file
always harm the network
Threats
 Trojan horse : a program that
 installs malicious software while under the guise of doing
something else
 differs from a virus in that


a Trojan horse does not insert its code into other computer files
appears harmless until executed
 Logic Bomb : a program that
 inactive until it is triggered by a specific event, e.g.



a certain date being reached
once triggered, the program can perform many malicious
activities
is difficult to defend against
Threats
 Spyware : a computer program that

installed surreptitiously on a personal computer
 to intercept or take partial control over the user's
interaction with the computer, without the user's
awareness

•
installing additional software
•
redirecting web browser activity
secretly monitors the user's behavior
•
collects various types of personal information,
Threats
 Denial-of-service (DoS) attack : a threat that
 Prevents legitimate traffic from being able to access the
protected resource
 Common DoS
 Crashes a targeted service or server
 Normally done by
•
•
Exploiting program buffer overflow problem
Sending too many packets to a host 
causing the host to crash
Threats
 Zombies : systems that
 Have been infected with software (e.g. Trojan or back
doors)
 Under control of attackers
 Be used to launch an attack against other targets
 Insecure/poorly designed applications
 One of the most difficult threats to be detected
Identification and Authentications
• Authentication Basics
• Passwords
• Biometrics
• Multiple methods
Authentication Basics
• Authentication

A process of verifying a user’s identity
• Two reasons for authenticating a user


The user identity is a parameter in access
control decision (for a system)
The user identity is recorded when logging
security-relevant events in an audit trail
Authentication Basics
• Authentication



Binding of an identity to a principal (subject)
An identity must provide information to enable the
system to confirm its identity
Information (one or more)
• What the identity knows (such as password or secret
information)
• What the identity has (such as a badge or card)
• What the identity is (such as fingerprints)
• Where the identity is (such as in front of a particular
terminal)
Authentication Basics
• Authentication process



Obtaining information from the identity
Analysing the data
Determining if it is associated with that identity
• Thus : authentication process is

The process of verifying a claimed identity
Authentication Basics
• Username and Password




Very common and simple identities
Used to enter into a system
Username
• Announce who a user is
• This step is called identification
Password
• To prove that the user is who claims to be
• This step is called authentication
Authentication Mechanism
• Password
• Password Aging
• One-Time Password
Passwords
• Passwords




Based on what people know
User supplies password
Computer validates it
If the password is associate with the user, then
the user’s identity is authenticated
Passwords
• Choosing passwords
 Password guessing attack is very simple and always works !!
•

Because users are not aware of protecting their passwords
Password choice is a critical security issue
•
Choose passwords that cannot be easily guessed
• Password defenses
•
•
•
Set a password to every account
Change default passwords
Password length
– A minimum password length should be prescribed
Passwords
• Password defences


Password format
• Mix upper and lower case symbols
• Include numerical and other nonalphabetical symbols
Avoid obvious passwords
Passwords
• How to improve password security?

Password checker tool
•

Password generation
•
•

Check passwords against some dictionary of weak password
A utility in some system
Producing random password for users
Password aging
•
•
A requirement that password be changed after some period of
time
Required mechanism
–
–
–
Forcing users to change to a different password
Providing notice of need to change
A user-friendly method to change password
Passwords
• How to improve password security?
 One-Time Password
•

Limit login attempts
•

A password is valid for only one use
A system monitors unsuccessful login attempts
– Reacts by locking the user account if logging in process
failed
Inform user
•
After successful login a system display
– The last login time
– The number of failed login attempts
Attacking a Password System
• Password guessing
 Exhaustive search (brute force)
• Try all possible combination of valid symbols
 Dictionary attack
 Random selection of passwords
 Pronounceable and other computer-generated
passwords
 User selection passwords
• Passwords based on
– Account names
– User names
– Computer names, etc.
Biometrics
• The automated measurement of biological or
behavioral features that identifies a person
• Method:


A set of measurement of a user is taken (recorded) when
a user is given an account
When a user access the system
• The biometric authentication mechanism identify the
identity
Biometrics
• Fingerprints
• Voices
• Eyes
• Faces
• Keystrokes
 Keystroke intervals
 Keystroke pressure
 Keystroke duration
• Combinations
Computer System and
Network Intrusions
Intrusion Profiles
 Exploiting passwords
 Exploiting known vulnerabilities
 Exploiting protocol flaws
 Examining source files for new security flaws
 Denial-of-service attacks
 Abusing anonymous FTP
 Installing sniffer programs
 IP source address spoofing
Typical Network Intrusions
 Locate a system to attack
 New systems
 Network sweeps
 Gain entry to a user’s account
No password or easy-to-guess password
 Sniffed password

 Exploiting system configuration weakness or
software vulnerability to obtain access to a
privileged account
Typical Network Intrusion
 Once inside, and intruder may:
Remove traces from auditing records
 Install back door for future use

Install Trojan Horse programs to capture system and
account information
 Jump to other hosts on your network
 Use your system to launch attacks against other sites
 Modify, destroy, or inappropriately disclose information

Why Should You Care
 Protect your own operational environment
 Protect your user’s data
 Provide service to your users
What Should You Do?
 Stay current with security issues
Internet Etiquette-1
 Do:
 Understand
and respect security policies
 Take responsible for your own security
 Respect other Internet neighbours
 Cooperate to provide security
Internet Etiquette-2
 Avoid:
 Unauthorised
access to other accounts and
systems
 Cracking password file from other systems
 Sharing accounts
 Unauthorised access to unprotected files
 Reading the e-mail of other users
 Disrupting service
Security Management
45









Understanding Security
Writing a security policy
Monitoring the network
Auditing the network
Preparing for an attack
Handling an attack
Forensics
Log analysis
Damage control
Understanding Security :Security Objectives**
 Confidentiality
 Confidentiality is the term used to prevent the disclosure of
information to unauthorized individuals or systems.
 Integrity
 In information security, integrity means that data cannot be
modified undetectably.
 Availability
 For any information system to serve its purpose, the
information must be available when it is needed.
 (CIA)
** http://en.wikipedia.org/wiki/Information_security
Understanding Security

What are we protecting
 Asses
value
 Protecting cost

Thinking like a defender
 List

of problems might happen in various situations
The organisation we are protecting
 Business
types  different levels of security
Understanding Security

The process of security1
 Expands
 Endless
 Learn

loop of Security
everything about the threats
The Internet is full of information
 How to protect a system
 How to break in to a system
 System vulnerabilities, etc.
 Well

on this endless loop
design every thing before implement !!
Analysis must come before synthesis !!
Understanding Security

The process of security2
Endless loop of Security
 Think
“pathologically” about the design (or “think evil thought”)
 Implement it the way it is designed

Never let any components be altered from the design
 Continuously
recheck it to make sure that it has not changed,
such as

Configuration change in routers/computers
 Practice
running it to make sure that you understand it and can
operate it correctly
Understanding Security

The process of security3
Endless loop of Security
Make it simple for others to do when you want them to do
 Make it hard for people to do when you do not want them to do
 Make it easy for you to detect problems
 Make it difficult to hide what you do not want to be hidden
 Test everything you can test
 Practice everything you can practice
 Improve anything you can improve
 Repeat this process endlessly, at all levels of detail

Security Management
51









Understanding Security
Writing a security policy
Monitoring the network
Auditing the network
Preparing for an attack
Handling an attack
Forensics
Log analysis
Damage control
Writing a Security Policy

Security Policy : Definitions :
 (1) Information security policy **
 Objective
: To provide management direction
and support for information security in
accordance with
 Business requirements,
 Relevant laws and regulations
** ISO/IEC 17799:2005(E)
Writing a Security Policy

Security Policy : Definition
 (2)
[Ciampa] : “The backbone of any infrastructureis
its security policy. Without a policy that clearly
outlines what needs to be protected, how it should
be protected, and what users can – and cannot – do
in support of the policy, there is no effective
security.”
Writing a Security Policy

Security Policy
A
document or sets of documents that
 Clearly
defines the defense mechanisms an organisatoin
will employ to keep information secure
 Outlines how the organisation will respond to attacks
 Outlines the duties and responsibilities of its employee
for information security
Writing a Security Policy


Security Policy : Definition:
(3) [Northcutt] : A security policy establishes what
you must do to protect information stored on
computers

A well-written policy contains sufficient definition of “what”
to do so you can


identify and measure, or
evaluate “how”
Writing a Security Policy

Purpose of Security Policy
Describes of what being protected and why
 Sets priorities about what must be protected first and at
what cost
 Allows an explicit agreement to be made with various
parts of the organisation regarding the value of security
 Provides the security department with a valid reasons to
say “no” when that is needed
 Provides the security department to back up the “no”
 Prevents the security department from acting illegally

Writing a Security Policy

Security Policy
 Trade
A
of suggested by Wadlow
good policy today is better that a great policy next year
 A weak-policy that is well distributed is better than a
strong policy no one has read
 A simple policy that is easily understood is better than a
complicated and confusing policy that no one ever
bother to read
 A policy whose details are slightly wrong is better than a
policy with no details at all
 A living-policy that is constantly updated is better than
one that grow obsolete over time
Writing a Security Policy

An amateur (simple) policy


State a coup
A formal policy

Follow some guidelines/standards
Writing a Security Policy
59
Suggestion

A suggestion to get a decent policy for an organisation (which
currently no security policy)
1. Write a security policy for your organisation








Say nothing specific
State generalities
Should cover no more than 5 pages
Should not take more than 2 days to write
Don’t ask for help, do it yourself
Don’t try to make it perfect, just try to get some key issues written
down
It doesn’t have to be complete
It doesn’t have to be crystal clear
(From : T. A. Wadlow, The process of network security)
Writing a Security Policy
60
Suggestion (cont.)
1. find 3 people who are willing to become “security
committee” : their job is
• To make ruling and amendment to the policy
• To be judges, not enforcers
2. create an internal web site
• with
• policy page
• Committee contact information
• Amendments
• Approved and added to the web site as quick
as possible
Writing a Security Policy
61
Suggestion (cont.)
3. treat the policy as if it were absolute rule of the law
• Do not violate the policy
• Allow no violation to occur
4. if someone has a problem with the policy
• Have the person propose an amendment
• The policy committee members need to agree
• Make an amendment
Writing a Security Policy
62
Suggestion (cont.)
5. schedule a regula meeting to consolidate policy and
amendments
• Once a year, for example
• Involve
• You and the security committee
• Current security policy and the
amendments
• Make a new policy statements
6. repeat the processes 3-6
Writing a Security Policy
63
Contents
•
What are we protecting?

Describe in detail


The types of security levels expected to have in an
organisation
Characterise the machines on the network (for example)
Writing a Security Policy
64
Contents (cont.)





Red : contains extremely confidential information or provide missioncritical service
Yellow : contains sensitive information or provides important service
Green : able to access red or yellow machines but does not directly
store sensitive information or perform crucial function
White : unable to access red, yellow, or green systems but not
externally accessible. No sensitive information or function
Black : externally accessible. Unable to access red, yellow, green or
white systems
Writing a Security Policy
65
Contents (cont.)
•
Methods of protection
•
Describe



Levels for protection
Priorities for protection
For example
Writing a Security Policy
66
Contents (cont.)
Organisation priorities :
1.
2.
3.
4.
5.
Height Priority
health and human safety
compliant with applicable local, state, and federal laws
Preservation of the interests of the organisation
Preservation of the interests of partners of the
organisation
Free and open dissemination of nonsensitive information
Low Priority
Describe general policies for access to
each category of system
67
Category
Network
Access
Qualification
Cycle*
Red
red networks only
Red-cleared employees
only
Monthly
Yellow
Yellow and red network Employees only
Quarterly
Green
Yellow, red, and green
network
Employees and cleared
contractors
Yearly
White
White networks only
Employees and
contractors
Yearly
Black
Black networks only
Employees, contractors, monthly
and public (through
cleared access means)
Writing a Security Policy
68
Contents (cont.)
•
Responsibility


Describes the responsibilities, privileges that are accorded
each class of system user : e.g.
General





Knowledge of this policy
All actions in accordance with this policy
Report any known violations of this policy to security
Report any suspected problems with this policy to security
Sysadmin/operations



All user information to be treated as confidential
No authorised access to confidential information
Indemnified for any action consistent with systems administrator
code of conduct
Writing a Security Policy
69
Contents (cont.)

Security Administrator
•
Highest level of ethical conduct
Indemnified for any action consistent with security officer code of
conduct

Contractor
•
•
•
Access to specifically authorised machine in specifically
authorised fashion
Request advance authorisation in writing for any actions which
might be interpreted as security issue
Guest

•
No access to any computing facilities except with written
advance notice to security
Writing a Security Policy
70
Contents (cont.)

Appropriate Use
Describe the ways in which employees should not use the
network

General




Minimal personal use during normal business hours
No use of network for outside business activity
Access to Internet resource consistent with HR policies
Sysadmin


Responsible access to sensitive or personal information on the
network
All special access justifiable for business operations
Writing a Security Policy
71
Contents (cont.)
 Security Personal
• Responsible access to sensitive information on the network
• All special access justifiable for business operations
• Use of security tools for legitimate business purpose only
 Contractor
• No personal access any time
• Minimal use of the network and only for specific reasons
relating to specific contracts
 Guest
• No use of the network at any time
Writing a Security Policy
72
Contents (cont.)
•
Consequence
Describe the way in which the magnitude of a
policy violation is determined and the categories
of consequences. Examples:


Security review board
Penalties



Critical
Serious
limited
Writing a Formal policy
73


Known as “risk-based security management”.
Risk


Risk analysis


Combination of the probability of an event and its
consequence
Systematic use of information to identify sources and to
estimate the risk
Risk evaluation

Process of comparing the estimated risk against given
risk criteria to determine the significance of the risk
Writing a Formal Policy
74


Risk (Cont.)
Risk assessment


Overall process of risk analysis and risk evaluation
Risk management

Coordinated activities to direct and control an
organization with regard to risk
Writing a Formal Policy
75

Some guidelines


ISO/IEC 17799:2005(E)
SANS guidelines
www.sans.org/security-resources/policies
‫﮸‬

NIST guidelines
http://csrc.nist.gov/index.html

etc.
ISO/IEC 17799:2005(E) Security Policy
76

Should contain

Definitions of information security




Overall objectives and scope
Importance of security
A statement of management intent
A framework for setting control objectives and controls

Including the structure of risk assessment and risk
management
ISO/IEC 17799:2005(E) Security Policy
77

A brief explanation of the security policies,
principles, standards, and compliance requirements
of particular importance to the organization,
including




Compliance with legislative, regulatory, and contractual
requirements;
Security education, training, and awareness
requirements;
Business continuity management;
Consequence of information security policy violations;
ISO/IEC 17799:2005(E) Security Policy
78

A definition of general and specific
responsibilities for information security
management, including


Reporting information security incidents;
References to documentation which may support
the policy, e.g.

More detailed security policies and procedures for
specific systems or security rules should comply
with.
ISO/IEC 17799:2005(E) Security Policy
79

Review of the information security policy

The information security policy should be reviewed



At a planned intervals, or
If significant changes occur
To ensure its continuing suitability, adequacy, and
effectiveness
Example of Security Policy Format
80
1.
2.
3.
4.
5.
Purpose/Overview
Scope
Policy
Enforcement
Revision history
Example of Policies
(suggested by SANS*)











81
Organization Policy
Audit policy
Computer security policy
Desktop security policy
Email security policy
Internet security policy
Mobile security policy
Network security policy
Physical security policy
Server security policy
Wireless security policy
* www.sans.org/security-resources/policies
Monitoring Your Network
82






The Shape of Logging System
What to Log
Logging Mechanisms
Time
Sensor
Log Management
Monitoring Your Network
83

Goals of a monitoring system
 Reduce
the likelihood of an attack going unlogged
 Increase the likelihood that the events logged for an
attack will be recognized as an attack
The Shape of Logging System
84

Problem of logging system
 What
events to be logged?
if every event is logged  the log file will be very large
 if only selected events are logged  some crucial events
might not be logged !!

 Log
file can be tampered by attackers
 To
delete attack traces
 Attackers
 If
can tamper the log file
the logs are accessible to them
The Shape of Logging System
85


Log should not be accessible to an attacker
Mechanisms can deny access to logs
 The
logs are kept on a separate machine
 The logs are encrypted
 The logs are stored in a write-only media
 The logs are stored in multiple places
The Shape of Logging System
86

Log should not be tampered with
 Tampering

efforts should be easily detected
Achieved by
 Cryptographically
signing each log entry to detect
invalid entries
 Monitoring the log entries to look for a sudden
decrease in log size
 Indicates
 Assigning
that the log entries have been deleted
a sequence number to each log entry and
verifying that the sequence is unbroken
What to Log
87


The network should log any events necessary to
detect known attack patterns
The network should log any events necessary to
detect unusual patterns of access
Logging Mechanisms
88

Syslog
 The
most common network logging mechanism
 Runs on Unix systems

Components
 Syslog
daemon
 Syslog ruleset
 Syslog-enabled programs
Syslog
89

Syslog daemon
A
program that runs in a background on all machines
using syslog
 Serves several purposes
 Collects
messages from syslog-enabled programs on the
machine hosting it
 Collects certain messages from the system that are not
syslog enabled (such as kernel messages regarding startingup and some device problems)
 Listens on the syslog port (port 514/UDP) for messages
 Save all of the above messages in a file
Syslog Ruleset
90


Usually in /etc/syslog.conf
Contains directives to the syslog daemon
 Determine
where various types of messages should be
logged

Choices of logging
 Put
a message into a file
 Log a message to another machine via UDP
 Write a message to the system console
 Write a message to all log-in users
Syslog-enabled Program
91

Syslog is a standard facility in Unix
 many
Unix programs have calls to syslog built into them
 Enable these programs to log various events
 To
the local syslog daemon
Pro (of syslog)
92




Universally available
Standard implementation
Available from nonprogrammable devices
A read-only logging mechanism
Con (syslog)
93

Unauthenticated protocol
 Can

Unencrypted transmission
 Can

be spoofed
be eavesdropped by attackers
Unreliable UDP transmission
 Not
all syslog messages reach their intended
destination
Time
94

An important issue in log gathering and analysis
Jun 4 22:33:21 machine1.ycom.com login: user smt login ok
Jun 4 22:34:29 machine3.ycom.com login: user smt login ok



Time is used in analysis process
It should be accurate and synchronised with other
systems
A logging system should synchronise its time with a
time server machine (NTP server)
Sensors
95


A mechanism that can be used to aid device-based
logging
Provides a means for gathering information and
integrating it into the logging system
Sensors
96

Examples
 Some
sensors can detect several variations on attacks
 Some sensors can detect problems with the network
being monitored
Sensors
97

Some sensors are built to detect conditions on the
logging system
 Are
 If
the logs increasing monotonically?
not  a log file might be tampered
 Is
the logging system receiving all the logs that are
being sent?
 Some
devices transmit a sequence number with each log
entry
 if a particular number is missing  something goes
wrong
Sensors
98
 Has
any machine stopped logging?
A
machine that has stopped logging
 Might
indicate a network problem OR an attack
Log Management
99

A process of making sure that logging system
 Stable
 Useful
References
1.
2.
3.
4.
5.
Wadlow T. A., The process of network security:
Designing and managing a safe network, AddisonWesley, 2000
Ciampa M., Security + guide to network security
fundamentals, Thomson course technology, 2005
Northcutt S., et.al., Inside network perimeter
security, Sam publishing, 2005
ISO/IEC 27001:2005(E)
ISO/IEC 17799
Security Contest Topics
Network Security Concept
Network Security Architecture
Network Security Assessment & Penetration Test
Method
Network Security Monitoring
ISO27001 and series
Computer Laws
ประกาศเลื่อนการสมัครและสอบ security contest
 วันที่ปิดรับสมัคร
 จากวันที่ 14
ตุลาคม เลื่อนเป็ นวันที่ 31 ตุลาคม
 วันที่สอบคัดเลือกรอบแรก
 จากวันที่ 28 ตุลาคม เลื่อนเป็ นวันที่ 18 พฤศจิกายน
 วันที่รอบชิงชนะเลิศพร้อมประกาศรางวัล
 จากวันที่ 25 พฤศจิกายน เลื่อนเป็ นวันที่ 19 ธันวาคม
CS subject
344-422 Computer and Network Security
วิชาเลือก ประจาภาคการศึกษา 1 ของทุกปี