1 Introduction


Internet Security 1 (IntSi1)
1 Introduction
Prof. Dr. Peter Heinzmann
Prof. Dr. Andreas Steffen
Institute for Internet Technologies and Applications (ITA)
ITA, 19.09.2011, 1-Introduction.pptx 1
Internet Security 1 (IntSi1)
1.1 What is Internet Security?
Definition of Information Security
• Information Security (ISO/IEC 27001:2005)
  Preservation of confidentiality, integrity and availability of information; in addition, other properties such as authenticity, accountability, non-repudiation and reliability can also be involved.
• Information Security (Wikipedia) = IT Security
  Information security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction.
• IT Security
  IT Security is a subset of Information Security and is concerned with the protection of computers and/or protecting information by means of computers.
• Internet Security (Wikipedia)
  Internet Security is a branch of Computer Security specifically related to the Internet. Its objective is to establish rules and measures to use against attacks over the Internet.
Worldwide Criminal Potential in the Internet
2095 Mio Internet users (March'11) vs. 850 Mio hosts (July'11)
(Figure: the Internet connecting Commerce/Shops, Private Homes, an ISP (xyz.ch) and Business/Administration)
What do you expect from Internet Security?
• ?
• ?
• ?
• ?
Security Elements: The CIA Triad + Extensions
• Confidentiality
  Valuable information or sensitive data must be protected from unauthorized access.
• Integrity
  Data must be protected from getting accidentally or mischievously changed either in its storage location or during transmission.
• Availability
  In a global business environment the server and communications infrastructure must be available on a 24/7 basis.
• Authenticity
  In any electronic transaction the true identity of the communication partners (hosts/users) should be verifiable.
• Accountability (Non-Repudiation)
  There should be a provable association between an electronic transaction and the entity which initiated it.
Identifying the Security Elements
(Figure: a client/server exchange annotated with the security elements)
• Authentication verifies the host
• Availability: waiting for response
• Integrity protects data against change
• Confidentiality: keep information secret
• SSL/TLS makes it all possible
Internet Security 1 (IntSi1)
1.2 Security Risks
Security Risk Analysis
Risk = Value × Threat × Vulnerability
(Figure: cost plotted against security level, from "unprotected" to "high level protection". Assets and values: data, value of the system to be protected; threats; vulnerabilities. The cost of security measures rises with the security level while the cost of incidents falls; the overall cost is the sum of the two.)
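The formula and the cost figure can be turned into a small model, shown here as an added worked example that is not part of the lecture material. It evaluates Risk = Value × Threat × Vulnerability for a constructed set of assets, adds a constructed cost-of-measures curve, and scans the security level for the minimum of the overall cost, which is the usual reading of the figure: an unprotected system pays for incidents, a maximally protected one pays for measures, and the economic optimum lies in between. Every number (asset values, threat rates, the halving rule for vulnerability, the quadratic measure cost) is constructed to make the curves visible and is not real loss or price data.

```python
"""Risk = Value x Threat x Vulnerability, and the cost curve behind the slide.

Added illustration, not part of the lecture material. The shape of the two
curves (measure cost rising, incident cost falling with the security level)
follows the slide; every number below is constructed so the curves can be
evaluated, and is not real loss or price data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    value: float    # loss if the asset is compromised (currency units)
    threat: float   # expected attack attempts per year


# Constructed example: one web shop's customer database and order system.
EXAMPLE_ASSETS = (
    Asset("customer database", value=1_000_000, threat=1.5),
    Asset("order processing", value=250_000, threat=2.0),
)
MEASURE_COST_SCALE = 500_000   # constructed: cost of reaching security level 1.0


def vulnerability(level: float) -> float:
    """Probability that one attempt succeeds at security level `level` in [0, 1].
    Constructed rule: each 0.1 of extra protection halves the success probability."""
    return 0.5 ** (10 * level)


def annual_risk(asset: Asset, level: float) -> float:
    """The slide's formula, Risk = Value x Threat x Vulnerability, as expected yearly loss."""
    return asset.value * asset.threat * vulnerability(level)


def cost_of_measures(level: float) -> float:
    """Constructed: cost grows quadratically; the last few percent of protection cost the most."""
    return MEASURE_COST_SCALE * level ** 2


def overall_cost(level: float, assets=EXAMPLE_ASSETS) -> float:
    """Overall cost = cost of security measures + cost of incidents (sum of the assets' risks)."""
    return cost_of_measures(level) + sum(annual_risk(a, level) for a in assets)


def optimal_security_level(assets=EXAMPLE_ASSETS, steps: int = 100):
    """Scan the level from 'unprotected' (0.0) to 'high level protection' (1.0)
    and return (level, overall_cost) at the minimum of the overall-cost curve."""
    return min(((i / steps, overall_cost(i / steps, assets)) for i in range(steps + 1)),
               key=lambda point: point[1])


if __name__ == "__main__":
    for level in (0.0, 0.25, 0.5, 0.75, 1.0):
        incidents = overall_cost(level) - cost_of_measures(level)
        print(f"level {level:.2f}: measures {cost_of_measures(level):>10,.0f}"
              f"  incidents {incidents:>12,.0f}  overall {overall_cost(level):>12,.0f}")
    level, cost = optimal_security_level()
    print(f"minimum overall cost {cost:,.0f} at security level {level:.2f}")
```

With the constructed numbers the unprotected system (level 0.0) costs 2'000'000 per year in incidents and the fully protected one about 502'000 in measures, while the overall cost bottoms out near level 0.48 at roughly 187'000. Swapping in an organisation's own asset values and threat estimates is what the risk analysis step in the security life cycle amounts to.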
Internet Security 1 (IntSi1)
1.3 Security Threats
Vandals, Script Kiddies, Thieves and Spies
(Figure: attacker types plotted by motivation against expertise and resources)
• Motivation axis (top to bottom): National Interest, Personal Profit, Personal Ego, Curiosity
• Expertise and Resources axis: Script Kiddy, Hacker / Expert, Professional
• Attacker types as placed on the chart: Spy, Thief, Trespasser, Vandal, Author
Attack Sophistication vs. Intruder Knowledge
(Figure: timeline 1980 to 2000; attack sophistication rises from Low to High while the technical knowledge an intruder needs falls. Techniques on the chart: password guessing, self-replicating code, password cracking, exploiting known vulnerabilities, disabling audits, back doors, burglaries, hijacking sessions, sweepers, sniffers, packet spoofing, GUI tools, automated probes/scans, denial of service, www attacks, network mgmt. diagnostics, "stealth" / advanced scanning techniques, staged distributed attack tools, cross site scripting, auto coordinated tools.)
Vandalism - Web Defacing
Internet Security Threat Situation in 2010
Source: Symantec
Trojan Horse hidden in Android App
Source: Symantec
The Year 2010 in Numbers
Source: Symantec
Global Threat Situation Today
• New malicious code threats
Source: Symantec
Global Threat Situation Today
• Top Web-based attacks
Source: Symantec
Global Threat Situation Today
• Web browser plugin vulnerabilities
Source: Symantec
Global Threat Situation Today
• Malicious activity by country
Source: Symantec
Global Threat Situation Today
Source: Symantec
The Underground Economy
• Goods and services available for sale in the underground economy
Source: Symantec
(Figure annotation: January 2010, fraud of 1600$)
Denial of Service Attacks
• A Denial of Service (DoS) attack against a computer system makes the service unavailable to legitimate users.
• DoS is usually attempted by consuming CPU time, memory or network bandwidth of the target system or network.
• The original DoS attacks usually exploited bugs in a target platform
  • e.g. by sending malformed packets to a host (Ping of Death, Winnuke) in order to crash the system.
• Other classic DoS attacks
  • SYN flood: send TCP connection requests with spoofed source IP addresses quickly, causing the server to reach its maximum number of half-open connections (counter measures: SYN cookies)
  • Smurf attack: send ICMP ping requests to an IP broadcast address using the IP source address of the target, which then receives all ICMP ping replies.
• Today, assuming correctly configured hosts and networks, the threat from a single host to bring down a server is rather small.
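The slide names SYN cookies as the counter measure to the SYN flood; the following added example, which is not code from the lecture and does not reproduce any particular operating system's implementation, shows the mechanism from the server's side. A SYN flood works because a normal server allocates a half-open connection entry for every SYN it answers, and spoofed sources never complete the handshake. With SYN cookies the server stores nothing: it folds a coarse time slot, an index into a small MSS table and a keyed hash of the connection tuple into its own initial sequence number (ISN). Only a client that actually received the SYN-ACK can echo ISN + 1 in its ACK, and from that ACK the server recomputes the hash and recovers the MSS. The field widths, the MSS table, the slot length, the documentation addresses and the timestamps below are constructed choices.

```python
"""SYN cookies, the counter measure to the SYN flood named on the slide.

Added example; not code from the lecture and not a model of any one
operating system. Layout of the server ISN: [5-bit time slot | 2-bit MSS
index | 25-bit keyed hash]. Spoofed SYNs cost the server one hash each and
no table entry, so a flood cannot exhaust half-open connection state.
"""
import hashlib
import hmac
import secrets
import struct

COOKIE_KEY = secrets.token_bytes(32)  # constructed: secret drawn once per server start
MSS_TABLE = (536, 1300, 1440, 1460)   # constructed: four MSS values, encodable in 2 bits
SLOT_SECONDS = 64                     # constructed: a cookie is valid for the current and previous slot

SLOT_BITS, MSS_BITS = 5, 2
MAC_BITS = 32 - SLOT_BITS - MSS_BITS  # 25 bits of keyed hash
MAC_MASK = (1 << MAC_BITS) - 1
SLOT_MASK = (1 << SLOT_BITS) - 1


def _slot(now: float) -> int:
    """Coarse time counter, SLOT_BITS wide, wraps every 32 slots."""
    return int(now // SLOT_SECONDS) & SLOT_MASK


def _mac(client_isn: int, src_ip: str, src_port: int, dst_ip: str, dst_port: int, slot: int) -> int:
    """Keyed hash over everything the ACK lets the server recover, truncated to MAC_BITS."""
    msg = f"{client_isn}|{src_ip}:{src_port}>{dst_ip}:{dst_port}|{slot}".encode()
    digest = hmac.new(COOKIE_KEY, msg, hashlib.sha256).digest()
    return struct.unpack(">I", digest[:4])[0] & MAC_MASK


def make_cookie(client_isn, src_ip, src_port, dst_ip, dst_port, offered_mss, now) -> int:
    """Server ISN for the SYN-ACK. Nothing is stored for this connection."""
    slot = _slot(now)
    mss_idx = 0
    for i, mss in enumerate(MSS_TABLE):      # largest table entry not above the client's MSS
        if mss <= offered_mss:
            mss_idx = i
    mac = _mac(client_isn, src_ip, src_port, dst_ip, dst_port, slot)
    return (slot << (MSS_BITS + MAC_BITS)) | (mss_idx << MAC_BITS) | mac


def check_cookie(ack, seq, src_ip, src_port, dst_ip, dst_port, now):
    """Validate the handshake's third packet. Returns the MSS to use, or None if
    the ACK does not match a SYN-ACK this server sent within the last two slots."""
    cookie = (ack - 1) & 0xFFFFFFFF        # our ISN, echoed back as ACK - 1
    client_isn = (seq - 1) & 0xFFFFFFFF    # the client's ISN, echoed as SEQ - 1
    slot = cookie >> (MSS_BITS + MAC_BITS)
    mss_idx = (cookie >> MAC_BITS) & ((1 << MSS_BITS) - 1)
    mac = cookie & MAC_MASK
    if ((_slot(now) - slot) & SLOT_MASK) > 1:
        return None                          # stale cookie or forged time slot
    expected = _mac(client_isn, src_ip, src_port, dst_ip, dst_port, slot)
    if not hmac.compare_digest(mac.to_bytes(4, "big"), expected.to_bytes(4, "big")):
        return None                          # wrong tuple, wrong key or a guessed cookie
    return MSS_TABLE[mss_idx]


if __name__ == "__main__":
    # Constructed addresses (RFC 5737 documentation ranges) and timestamps.
    client, server, now = ("198.51.100.7", 40000), ("203.0.113.10", 443), 1_000_000.0
    client_isn = 0x12345678
    isn = make_cookie(client_isn, *client, *server, 1460, now)
    # Legitimate third packet: ACK = our ISN + 1, SEQ = client ISN + 1.
    print("real client  ->", check_cookie(isn + 1, client_isn + 1, *client, *server, now + 1))
    # A spoofed source never sees the SYN-ACK, so it cannot produce a matching ACK.
    print("spoofed host ->", check_cookie(isn + 1, client_isn + 1, "198.51.100.8", 40000, *server, now + 1))
    print("stale ACK    ->", check_cookie(isn + 1, client_isn + 1, *client, *server, now + 3 * SLOT_SECONDS))
```

The price of the technique is visible in the code: only the four MSS values in the table survive the round trip, and any TCP option that the server would normally remember from the SYN is lost, which is why real stacks enable cookies only once the half-open queue is under pressure. The 25-bit hash also means a blind attacker who guesses 2^25 ACKs on average completes one bogus connection; a short slot lifetime bounds that window.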
Denial of Service – Ping Attack with IP Spoofing
(Figure: an attacker on the Internet sends pings to the broadcast address of a corporate network, behind its firewall, with the spoofed source address of the victim; the victim receives the replies.)
Distributed Denial of Service Attacks (DDoS)
(Figure: Attacker → Handlers → Zombies → Target. Control & Command traffic flows from the attacker via the handlers to the zombies; attack traffic flows from the zombies to the target.)
Available DDoS Tools: Trinoo, Tribe Flood Network, Stacheldraht
Vulnerability of amazon.com’s Internet Business
● Net sales in 2Q 2011: 9’910’000’000 $US
● Lost business due to one hour off the Internet: 4’600’000 $US
● U.S. Server Outage on June 6, 2008: 2 hour downtime due to human error
Novartis – a Global Player
Many Hops to www.novartis.com
traceroute to www.novartis.com (164.109.68.201)
 1  edugw.zhwin.ch (160.85.160.1)  Winterthur
 2  intfw.zhwin.ch (160.85.111.1)
 3  winfh1.zhwin.ch (160.85.105.1)
 4  swiEZ2-G2-9.switch.ch (130.59.36.157)  Zurich
 5  swiIX1-10GE-1-1.switch.ch (130.59.36.250)
 6  zch-b1-geth3-1.telia.net (213.248.79.189)
 7  ffm-bb1-pos0-3-3.telia.net (213.248.79.185)  Frankfurt
 8  prs-bb1-pos7-0-0.telia.net (213.248.64.110)  Paris
 9  ldn-bb1-pos7-2-0.telia.net (213.248.64.10)  London
10  nyk-bb1-pos0-2-0.telia.net (213.248.65.90)  New York
11  nyk-b1-link.telia.net (213.248.82.14)
12  POS3-1.IG4.NYC4.ALTER.NET (208.192.177.29)
13  0.so-2-3-0.XL2.NYC4.ALTER.NET (152.63.19.242)
14  0.so-6-0-0.XL2.DCA6.ALTER.NET (152.63.38.74)  Washington, D.C.
15  0.so-7-0-0.GW6.DCA6.ALTER.NET (152.63.41.225)
16  digex-gw.customer.alter.net (157.130.214.102)
17  gigabitethernet1-0.dca2c-fcor-rt2.netsrv.digex.net (164.109.3.10)
18  vlan28.dca2c-fdisc-sw1-msfc1.netsrv.digex.net (164.109.3.166)
19  164.109.92.14 (164.109.92.14)
20  164.109.68.201 (164.109.68.201)
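The point of the traceroute is that a request from the lecture hall to www.novartis.com is handled by a chain of organisations, none of which the two endpoints control. The following added example (not part of the lecture) parses the hop list from the slide and groups consecutive hops by the operator domain in their reverse DNS name, so the number of third parties on the path can be read off directly; each of them can observe or alter traffic that is not protected end to end by TLS or IPsec. The hop text is copied from the slide; the line format the parser expects (hop number, name, address in parentheses, optional city label) is the slide's layout, not the output of any particular traceroute binary.

```python
"""Which operators does the path to www.novartis.com cross?

Added example, not from the lecture. It parses the traceroute shown on the
slide and groups consecutive hops by the operator domain of their reverse
DNS name. Hops with no reverse name are reported as a separate group.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Hop list as shown on the slide (names, addresses and city labels).
TRACEROUTE_TEXT = """\
 1  edugw.zhwin.ch (160.85.160.1)  Winterthur
 2  intfw.zhwin.ch (160.85.111.1)
 3  winfh1.zhwin.ch (160.85.105.1)
 4  swiEZ2-G2-9.switch.ch (130.59.36.157)  Zurich
 5  swiIX1-10GE-1-1.switch.ch (130.59.36.250)
 6  zch-b1-geth3-1.telia.net (213.248.79.189)
 7  ffm-bb1-pos0-3-3.telia.net (213.248.79.185)  Frankfurt
 8  prs-bb1-pos7-0-0.telia.net (213.248.64.110)  Paris
 9  ldn-bb1-pos7-2-0.telia.net (213.248.64.10)  London
10  nyk-bb1-pos0-2-0.telia.net (213.248.65.90)  New York
11  nyk-b1-link.telia.net (213.248.82.14)
12  POS3-1.IG4.NYC4.ALTER.NET (208.192.177.29)
13  0.so-2-3-0.XL2.NYC4.ALTER.NET (152.63.19.242)
14  0.so-6-0-0.XL2.DCA6.ALTER.NET (152.63.38.74)  Washington, D.C.
15  0.so-7-0-0.GW6.DCA6.ALTER.NET (152.63.41.225)
16  digex-gw.customer.alter.net (157.130.214.102)
17  gigabitethernet1-0.dca2c-fcor-rt2.netsrv.digex.net (164.109.3.10)
18  vlan28.dca2c-fdisc-sw1-msfc1.netsrv.digex.net (164.109.3.166)
19  164.109.92.14 (164.109.92.14)
20  164.109.68.201 (164.109.68.201)
"""

# Slide layout: "<hop>  <name> (<IPv4>)  [<location>]"
HOP_RE = re.compile(
    r"^\s*(\d+)\s+(\S+)\s+\((\d{1,3}(?:\.\d{1,3}){3})\)(?:\s+(.*\S))?\s*$"
)


@dataclass(frozen=True)
class Hop:
    number: int
    name: str
    address: str
    location: Optional[str]


def parse_traceroute(text: str) -> List[Hop]:
    """Parse hop lines; raise on a line that does not fit the layout."""
    hops = []
    for line in text.splitlines():
        if not line.strip():
            continue
        match = HOP_RE.match(line)
        if match is None:
            raise ValueError(f"unparsable traceroute line: {line!r}")
        number, name, address, location = match.groups()
        hops.append(Hop(int(number), name, address, location))
    return hops


def operator_of(hop: Hop) -> str:
    """Operator domain (last two DNS labels), or a marker for hops without reverse DNS."""
    if hop.name == hop.address:
        return "(no reverse DNS)"
    return ".".join(hop.name.lower().split(".")[-2:])


def operators_on_path(hops: List[Hop]) -> List[Tuple[str, int]]:
    """Consecutive runs of hops per operator, in path order, with hop counts."""
    runs: List[Tuple[str, int]] = []
    for hop in hops:
        operator = operator_of(hop)
        if runs and runs[-1][0] == operator:
            runs[-1] = (operator, runs[-1][1] + 1)
        else:
            runs.append((operator, 1))
    return runs


if __name__ == "__main__":
    path = parse_traceroute(TRACEROUTE_TEXT)
    print(f"{len(path)} hops, {len(operators_on_path(path))} operator groups:")
    for operator, count in operators_on_path(path):
        print(f"  {count:2d} hop(s)  {operator}")
```

For the slide's data the path crosses the university network (zhwin.ch), SWITCH, Telia, UUNET (alter.net) and Digex before reaching two hops without reverse DNS inside the destination network. Grouping by the last two labels is a heuristic that is good enough for these operators; country-code second-level domains such as .co.uk would need a public-suffix list.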
Emerging Challenges
• Mobile Devices
  • Loss of confidential data
• Embedded Systems
  • About 8 billion microcontrollers sold in 2006
  • Usually no or only marginal security mechanisms
• Ubiquitous (pervasive) Computing
  • RFID (profiling)
• Home Automation
  • Controllable over the Internet
Stuxnet attacks Industrial Control Equipment
• Targeted at Siemens Supervisory Control and Data Acquisition systems that control and monitor specific industrial processes.
• Stuxnet includes a Programmable Logic Controller (PLC) rootkit.
• Designed by a team of 5-10 professionals and meant to sabotage the Iranian uranium enrichment facility at Natanz.
Internet Security 1 (IntSi1)
1.4 Vulnerabilities
Vulnerabilities and Exposures
• A universal vulnerability is a state in a computing system (or set of systems) which either:
  • allows an attacker to execute commands as another user
  • allows an attacker to access data that is contrary to the specified access restrictions for that data
  • allows an attacker to pose as another entity
  • allows an attacker to conduct a denial of service
• An exposure is a state in a computing system (or set of systems) which is not a universal vulnerability, but either:
  • allows an attacker to conduct information gathering activities
  • allows an attacker to hide activities
  • includes a capability that behaves as expected, but can be easily compromised
  • is a primary point of entry that an attacker may attempt to use to gain access to the system or data
  • is considered a problem according to some reasonable security policy
Source: www.cve.mitre.org/about/terminology.html
Common Vulnerabilities and Exposures Database
NIST Statistics on Vulnerabilities with High Severity
Internet Security 1 (IntSi1)
1.5 Security Measures
Security Measures
• Organize (Plan)
  Set up a security policy, build awareness, analyze and classify security risks, decide on and implement security measures, define responsibilities, train staff periodically.
• Protect (Do)
  Encrypt stored data and transmitted information, use authentication in order to ensure data integrity, install patches, use and periodically check data backup mechanisms.
• Filter (Do)
  Limit physical access to systems and data by using strong authentication for users and hosts. Filter traffic by using firewalls and virus scanners.
• Combine (Do)
  Combine multiple security measures (multilevel / in-depth security).
• Monitor and Control (Act)
  Detect attacks (Intrusion Detection Systems, Honey Pot), run periodic security checks (Tiger Teams), react and correct.
Security Life Cycle
1: Security Policy (Why?)
2: Risk Analysis
3: Define measures
4: Implement measures
5: Control measures