2 - UTRGV Faculty Web

Download Report

Transcript 2 - UTRGV Faculty Web

Cyber Threat
Dr. John P. Abraham
Professor
University of Texas Pan
American
Intelligence threat

Why it is difficult to implement security
and counter intelligence




Open nature of our society
Technology and information is easily obtained
People travel with ease
Both friends of the country and foes are
looking to gain economic edge


Seek technological, financial & commercial
information
Target political, economic, military and
scientific information.
Exporting Technology

there is concern that too much high
technology is being freely traded around
the world, too easily.


Source:2007 - Remarks of Assistant Secretary
Christopher Padilla Computer & Communications
Industry Association
The United States sees more organized
efforts to obtain and illegally export
controlled U.S. technology to China than
to any other country.
Threats to homeland

National infrastructure is vulnerable



Physical threat
Computer attack
Infrastructure is interdependent

Attack against one sector would impact other
sectors


Example – attack against electric grid
Coordinated attack against selected
critical nodes
Is there Security Threat in Outsourcing?

Outsourcing



Reduces cost – tremendous savings to corp.
Eliminates American jobs
Is development of software outside the
country threat to national security?



Yes it could. Scripts (malicious code) can be
placed inside a program.
On the other hand, it could be argued,
Microsoft can place malicious code to spy on
other countries.
It is not good business practice to do so.
Can hardware be used to spy?
Yes. Computers contain chips that contain
programs.
 Malware can be programmed into these
chips.
 Can we trust computers manufactured
outside USA?


Capitalism is motivated by profits. While
corporations do cooperate with governments,
it does not make sense to jeopardize own
business.
Present major concern

Attacks by foreign hackers (increasingly
from China and Russia)


Sabotaging networks
Opening secret back doors for spying
Source:(http://www.businessweek.com/technology/co
ntent/nov2006/tc20061102_797312.htm?chan=top+
news_top+news+index_businessweek+exclusives)
How Hackers gain access

Directly




Leaving computers accessible in your home or
office.
Theft of computer
Shoulder surfing
Indirectly

Through Internet connection



Open ports (USB, serial etc are physical ports, but
they use logical ports assigned to the IP address)
Example: port 80 for HTTP, e-mail port 25, etc.
http://www.iana.org/assignments/port-numbers
Information Security as developed by the
National Security Telecommunication and
Information Systems Security Committee

Protection of:



Information
Hardware that store information
Hardware that transmit information
From direct and indirect attacks
 Without affecting availability to authorized
users

Deliberate Security Threat


Espionage (national security)
Industrial Espionage






Competitive intelligence (could be legal)
Shoulder surfing
Hacking
Sabotage (ex.denial of service by zombies)
Vandalism
Theft
Some techniques







Port scanning – enter through an open port
Password crack (brute force or dictionary)
Software scanning (what software is run)
Write scripts that can be used by software
(malware)
Back doors (system passwords not changed)
Get access to a site and go from there to a
trusted site
Man in the middle
Protection
Take all precautions
 Also have backup plans (contingency plan)



Off site systems
Disaster recovery
How can we protect our computers
Recognize that “your” computer is being
targeted.
 University computers are “doors” to more
secure sites.

“Open proxy servers are used by spammers to send unwanted emails. Proxy
servers can also be abused for bypassing access restrictions and
limitations such as in case of users in one country not allowed to access a
website in another country can go through a third country’s proxy server.
There are websites dedicated to provide and hourly updated list of free
anonymous proxy server sites.” Abraham, John. “A Proxy Server for
Mirrored Sites.”, ASEE 2007
Information Security as developed by the
National Security Telecommunication and
Information Systems Security Committee

Protection of:



Information
Hardware that store information
Hardware that transmit information
From direct and indirect attacks
 Without affecting availability to authorized
users

Computer Security step1.

Firewalls



Prevents a specific type of information from
moving between the outside world (untrusted
network) and the inside world (trusted).
Packet filtering – every packet header is
examined for address, packet type and port
request.
Dynamic packet filtering. Allows only a
particular packet with a particular source,
destination and port address to enter through
the firewall.
Computer Security step2.


Application firewall (proxy server).
An intermediary between a client and a
server


Proxy server intercepts all requests to a server
routed through it.
Keeps the user from interacting directly with
the server.

Ref: Abraham, John. “A Proxy Server for Mirrored Sites.”, ASEE 2007.
Computer Security step3

Intrusion detection systems (IDS)




Like a burglar alarm.
Works by examining network traffic.
Performs protocol analysis, content
searching/matching, and is commonly used to
actively block or passively detect a variety of
attacks and probes, such as buffer overflows
and port scans.
Can detect if attack has occurred and if the
attack was successful. This information is
emailed to the administrator.
Computer Security step4.

Network Address Translation





A computer needs a public IP address to attach to a
public network.
Private IP addresses are not visible from the outside
world.
It makes sense to use only private IP to secure your
computer.
When outside communication is needed the private IP
is mapped to public IP address using a port number.
DHCP – not as good as NAT
Computer Security step5.

Encrypt transmissions
The word cryptography in Greek means “secret writing.” The
term today refers to the science and art of transforming
messages to make them secure and immune to attacks.
Encryption contd.
Encryption Cont.




One secret key is used by both - known as
symmetric encryption. (example DES)
Both sender and receiver must know the key.
Challenge is to send the key to the receiver. Must
be send over another channel.
Two keys – public and private. Also known as
Asymmetric encryption. Public key is stored in a
public location, anyone can use it. Use public key
to encrypt and private to decrypt. If Alice uses
bob’s public key to encrypt, only bob with his
private key can decrypt.
Encryption Cont. Public Key .
Encryption cont. Non-repudiation
When a digital signature is encrypted
using a private key – it can be read by
anyone with a public key. But the
message was sent by only one who has
the private key.
 Digital certificates are used to
authenticate the source of a file.
 If alice encrypts with her private key, it
could be re-encrypted with bob’s public
key so that only bob can open it.

Computer Security step6

Install Current Version of Antivirus
software.


Virus - A small program that attaches to
another program and replicates itself onto
other programs. This activity itself slows down
the computer. The virus may do annoying
activities, damaging activities or information
theft.
Anti-virus programs are always trailing actual
virus.
Computer Security Step7
Apply all latest operating system patches.
 Malware exploits weakness in OS.
 OS developers fix these holes as they
become aware of it.

Computer Security Step8
Assign complex passwords to your
computer. Avoid dictionary words.
 Use different passwords for different
accounts you have.
 Assign passwords for your user files and
turn on encryption.

Computer Security Step9
Assign CMOS password
 http://www.newschannel5.tv/2007/11/28/
983060/Computer-Hard-Drive-Search

Computer Security Step10

Have a disaster recovery plan including
backups.
Controlling Access

Following slides will deal with mechanisms
for controlling data and applications.



Authentication
Authorization
Options for Implementing Authentication
and Authorization
Authentication
Process of identifying a user who is
legitimate.
 Login process, access card or other
biometric techniques.


Evidence that the requesting user is who
he/she claims to be.
Authorization
The process of deciding which resources
the user is permitted to access. Different
degrees of access.
 In B2B applications consider





Identity
Employer
Role
Company type
Options for implementing
Authentication and Authorization

Network Operating System

LDAP OR OTHER LOCAL DATABASE


The Lightweight Directory Access Protocol (LDAP) is a
directory service protocol that runs on a layer above
the TCP/IP stack. It provides a mechanism used to
connect to, search, and modify Internet directories.
Active Directory is a database based system that
provides authentication, directory, policy, and other
services in a Windows environment.
 B2B
applications may not be able to use LDAP
because of number of users.
Other authorization mechanisms
Access Control Lists (ACLs)
 Third Party such as Microsoft HailStorm
 Application specific –customized database
to hold user information.
 SQL based authentication

Security for Customers
Use SSL and digital certificates
 Protect Customers info including credit
card





Firewall, malware, anti-virus, etc. Patch os and
apps. set up strong passwords
Encrypt card information, restrict who has
access to it, restrict physical access to
computer
Monitor and track all accesses to cardholder
data file.
Screen your employees.
More on SSL
Two parties can establish an encrypted
communication channel
 Designed to protect against man-in-themiddle attacks
 During initial stages (Handshake) a public
key algorithm is used to share a
premaster secret
 Each party then uses the premaster secret
to generate a master secret
 This secret is now used to exchange
symmetric key encrypted massages.

SSL certificates
Both server and the browser need to be
SSL enabled (https)
 On the Webserver side a server certificate
is obtained from the certification authority




first generate a CSR (Certificate Signing
Request) for your server
Order the certificate (about $200 per year)
Validate SSL certificate and install on the
server