The Need for Security
Principles of Information Security, Chapter 2

Chapter Objectives
 Explain the business need for security.
 Describe the responsibility of an organization's general management and IT management for a successful information security program.
 Identify threats to information security and common attacks associated with those threats.
 Differentiate between threats to information systems and attacks against the information systems.

Introduction
 The primary mission of information security is to ensure that systems and their contents remain the same.

Important Functions of Information Security
 Protect the ability to function.
 Enable the safe operation of applications.
 Protect data.
 Safeguard technology assets.

Protecting the Functionality of the Organization
 Shared responsibility between general management and IT management
  ◦ Set security policy in compliance with legal requirements.
  ◦ Not really a technology issue
 Address information security in terms of
  ◦ Business impact
  ◦ Cost of business interruption

Enabling Safe Operation
 The organization requires integrated, efficient, and capable applications.
  ◦ Technologically complex.
  ◦ Must protect critical applications
     Operating system platforms
     Electronic mail
     Instant messaging
  ◦ Infrastructure developed by
     outsourcing to a service provider
     developing internally
  ◦ Protection of the infrastructure must be overseen by management.

Protecting Data
 Data provides
  ◦ A record of transactions (e.g., banking)
  ◦ The ability to deliver value to customers
  ◦ The means to create and move goods and services.
 Data in motion (online transactions)
 Data at rest (not an online transaction)
 Information systems must support these transactions.

Safeguarding Technology Assets
 Must have secure infrastructure services based on the size and scope of the enterprise.
  ◦ Smaller businesses may require less protection.
     Email and personal encryption.
  ◦ Additional services are required for larger businesses.
     Public Key Infrastructure (PKI) - more complex
  ◦ Needs change as the network grows.

Threats
 Requirements to protect information
  ◦ Be familiar with
     The information to be protected
     The systems that store, transport and process it
  ◦ Know the threats you face
     A threat is an object, person, or entity that represents a constant danger to an asset.

12 General Categories of Threat
1. Acts of human error or failure - mistakes, sloppiness
2. Compromises to intellectual property - piracy, licensing
3. Deliberate acts of espionage or trespass
  ◦ shoulder surfing, hacking, script kiddies, cracker, phreaker
4. Deliberate acts of information extortion - demanding a ransom
5. Deliberate acts of sabotage or vandalism
  ◦ damage reputation, cyberactivist, cyberterrorism
6. Deliberate acts of theft - difficult to detect
7. Deliberate software attacks
  ◦ malware, virus, worm, Trojan horses, back door, hoaxes
8. Forces of nature - fire, flood, earthquake, lightning, storms, etc.
9. Deviations in quality of service - service disruptions
10. Technical hardware failures or errors - hardware defects
11. Technical software failures or errors - accidental or intentional flaws
12. Technological obsolescence - unreliable and untrustworthy

The Endless Game of Cat and Mouse: Meet the Cast
 Hackers versus crackers
 White hats, black hats, all the shades of gray, and mysterious color changing
 Conferences? Web sites? Drills?
 http://www.safepatrolsolutions.com/papers/Crackers.pdf

Meet the Players
 Top 10
 And the others
  ◦ From http://www.pbs.org/wgbh/pages/frontline/shows/hackers/
 And where they congregate - do NOT go there unless you want to risk catching something: http://phrack.com, ...

Attacks
 An act or action that takes advantage of a vulnerability to compromise a controlled system.
 Accomplished by a threat agent that damages or steals information or physical assets.
 Vulnerability
  ◦ an identified weakness in a controlled system, where controls are not present or are no longer effective.
 Attacks exist when a specific action occurs that may cause a potential loss.
 Question: how will the attacker "identify weakness" and/or know what to attack?

Well-Known Types of Attack Against Controlled Systems
 Malicious Code
 Hoaxes
 Back Doors
 Password Crack
 Brute Force
 Dictionary
 Denial-of-Service (DoS)
 Distributed Denial-of-Service (DDoS)
 Spoofing
 Man-in-the-Middle
 Spam
 Mail Bombing
 Sniffers
 Social Engineering
 Buffer Overflow
 Timing Attack
 Of course, any of these attacks can be distributed and/or come from a botnet.

Malicious Code
 Viruses, worms, Trojan horses, active web scripts.
 State-of-the-art
  ◦ Polymorphic or multivector worm
  ◦ CERT, Symantec, etc. warnings
 Known attack vectors
  ◦ IP scan and attack
  ◦ web browsing
  ◦ virus
  ◦ unprotected shares
  ◦ mass mail
  ◦ SNMP

Hoaxes
 Transmit a virus hoax with a real virus attached.
  ◦ More readily transmitted by trusting users!

Back Doors
 Use a known or previously discovered access mechanism to gain access to a system or network resource.
  ◦ May be left by system designers or maintenance staff.
  ◦ Also referred to as trap doors.
 Hard to detect - may be exempt from the usual audit logging procedures.

Password Crack
 Reverse-calculate a password.
 Component of many dictionary attacks.
 The Security Account Manager (SAM) file is accessible
  ◦ contains a hashed representation of the user's password.
  ◦ a guessed password can be hashed using the same algorithm and compared to the stored hash of the real password.

Brute Force Attack
 AKA password attack
 Try every possible combination of options for a password.
 Easier if passwords are easy to guess or default passwords are still in use.
 Avoid using easy-to-guess passwords, and don't use default passwords.
 Rarely used if basic security precautions have been implemented (e.g., complex passwords).

Dictionary Attack
 Use a list of commonly used passwords (i.e., a dictionary) instead of random combinations.
 Takes less time to crack than a brute force attack.
 Use electronic dictionaries to enforce the use of (more) complex passwords.

Denial of Service (DoS) / Distributed Denial of Service (DDoS)
 Overload the target with requests
 Many different flavors:
  ◦ TCP SYN flood attack: send many TCP connection requests.
  ◦ Send a million emails or faxes and clog the server
 DDoS
  ◦ Often uses compromised machines (called zombies, from a botnet) to attack the target system.
  ◦ The most difficult to defend against.
  ◦ No controls that any single organization can apply.
  ◦ Some cooperative efforts among service providers.
  ◦ MyDoom worm attack.

Spoofing
 Technique of sending messages to a computer using a source IP address that indicates the messages are coming from a trusted host.
  ◦ Must find an IP address for a trusted host.
  ◦ Must modify packet headers for the attack messages.
 Routers and firewalls can protect against spoofing attacks.

Man-in-the-Middle Attack
 AKA TCP hijacking attack
 The attacker "sniffs" packets from the network, modifies them, then inserts them back into the network.
  ◦ Uses IP spoofing to impersonate another entity on the network.
 Allows the attacker to:
  ◦ eavesdrop, change, delete, reroute, add, forge, or divert data.
 Spoofing involves the interception of an encryption key exchange, which enables the hijacker to act as an eavesdropper (transparent to the network).

Spam
 Unsolicited commercial email.
  ◦ Has been used as a vector for malicious code attacks.
  ◦ Wastes computer and human resources, i.e. it is a DoS attack
 Methods to counteract spam
  ◦ Delete offending messages
  ◦ Use filtering technologies to stem the flow

Mail Bombing
 Email denial-of-service attack.
  ◦ Send large emails with forged headers
 Mechanisms
  ◦ Social engineering
  ◦ SMTP flaws

Sniffers
 AKA packet sniffers.
 A program or device that can monitor data traveling over a network.
  ◦ Used for legitimate network management functions or maliciously.
 Unauthorized sniffers are dangerous to security.
  ◦ Virtually impossible to detect.
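The Password Crack, Brute Force and Dictionary Attack slides above describe attackers hashing guesses from a word list before resorting to random combinations, and name the defence: check new passwords against an electronic dictionary. The C program below is an added example written for this page, not code from the slides or the textbook. It normalises a candidate password (removing digit or punctuation suffixes and undoing common letter-for-symbol substitutions), rejects it if it matches a constructed word list, enforces length and character-class minimums, and reports a conservative brute-force cost in bits. The function names, thresholds and the eight-word list are assumptions made for the example.

```c
/* Added example for the Password Crack / Brute Force / Dictionary Attack
 * slides. Not from the slides or the textbook; names, thresholds and the
 * word list below are constructed for this illustration. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MIN_LENGTH  12   /* policy minimum length (assumed) */
#define MIN_CLASSES 3    /* lower, upper, digit, symbol: need three of four */

/* Constructed stand-in for an electronic dictionary of common passwords.
 * A real deployment would load a large breached-password corpus instead. */
static const char *const WEAK_WORDS[] = {
    "password", "welcome", "letmein", "admin",
    "qwerty", "monkey", "dragon", "football"
};

/* Normalise a candidate so simple disguises of a dictionary word are still
 * recognised: strip trailing digits/punctuation, undo common "leet"
 * substitutions, lower-case the rest. */
static void normalise(char *out, size_t out_cap, const char *pw) {
    size_t j = 0;
    for (; *pw && j + 1 < out_cap; pw++) out[j++] = *pw;
    out[j] = '\0';
    while (j > 0 && !isalpha((unsigned char)out[j - 1])) out[--j] = '\0';
    for (j = 0; out[j]; j++) {
        switch (out[j]) {
            case '@': case '4':           out[j] = 'a'; break;
            case '3':                     out[j] = 'e'; break;
            case '1': case '!': case '|': out[j] = 'i'; break;
            case '0':                     out[j] = 'o'; break;
            case '$': case '5':           out[j] = 's'; break;
            case '7': case '+':           out[j] = 't'; break;
            default: out[j] = (char)tolower((unsigned char)out[j]);
        }
    }
}

/* Returns 1 if pw is a dictionary word or a simple disguise of one. */
int in_dictionary(const char *pw) {
    char norm[256];
    size_t i;
    normalise(norm, sizeof norm, pw);
    for (i = 0; i < sizeof WEAK_WORDS / sizeof WEAK_WORDS[0]; i++)
        if (strcmp(norm, WEAK_WORDS[i]) == 0) return 1;
    return 0;
}

/* Count the character classes used and the alphabet size an attacker must
 * brute-force for passwords built from those classes. */
static int count_classes(const char *pw, int *alphabet) {
    int lower = 0, upper = 0, digit = 0, symbol = 0;
    for (; *pw; pw++) {
        unsigned char c = (unsigned char)*pw;
        if (islower(c)) lower = 1;
        else if (isupper(c)) upper = 1;
        else if (isdigit(c)) digit = 1;
        else symbol = 1;                 /* printable punctuation, space, ... */
    }
    *alphabet = lower * 26 + upper * 26 + digit * 10 + symbol * 33;
    return lower + upper + digit + symbol;
}

/* Conservative brute-force cost: length * floor(log2(alphabet)), in bits.
 * Integer-only so the example needs no libm. */
int brute_force_bits(const char *pw) {
    int alphabet, log2_floor = 0;
    count_classes(pw, &alphabet);
    while (alphabet > 1) { alphabet >>= 1; log2_floor++; }
    return (int)strlen(pw) * log2_floor;
}

/* Policy check: long enough, enough classes, not a disguised dictionary
 * word. Returns 1 if acceptable, 0 otherwise. */
int password_acceptable(const char *pw) {
    int alphabet;
    if (strlen(pw) < MIN_LENGTH) return 0;
    if (count_classes(pw, &alphabet) < MIN_CLASSES) return 0;
    if (in_dictionary(pw)) return 0;
    return 1;
}

int main(void) {
    /* Constructed sample candidates. */
    const char *samples[] = { "P@ssw0rd1", "Welcome2024!!", "Tr0ub4dor&3xample" };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-20s acceptable=%d dictionary=%d brute-force>=%d bits\n",
               samples[i], password_acceptable(samples[i]),
               in_dictionary(samples[i]), brute_force_bits(samples[i]));
    return 0;
}
```

The normalisation step is what makes the dictionary check worth having: a lookup on the raw string would accept `P@ssw0rd1` and `Welcome2024!!`, while this check maps both back to their dictionary word and rejects them. The brute-force figure is a floor, not an estimate of real cracking time, and it is only meaningful once the dictionary check has passed; a 16-character dictionary word with digits appended scores well on length and classes yet falls to the first word-list pass.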
  ◦ Can be inserted anywhere.

Social Engineering
 The process of using social skills to persuade people to reveal access credentials or other valuable information.
  ◦ Over the phone: "Hey, Joe, this is Andy from department C. Aaron (the boss) told me to ask you to give me the XYZ plans; the customer is demanding we fix the bugs by tomorrow."
  ◦ Over the phone or in person, to the secretarial support: "..."
 May involve impersonating someone higher in the organizational hierarchy (requesting information).
  ◦ "Hey, Joe, this is Aaron (the boss). What was the ...."
 Tailgating, shoulder surfing, etc.
 May be a scam - Nigerian banking, etc.

Physical (illegal) access
 War Driving: driving around trying to catch a signal
  ◦ Wireless without encryption
  ◦ Non-wireless electromagnetic radiation
 Garbage Diving: looking through disposed documents
 Tapping: any cable that is not optical, or at exposed locations (switches, control panels, etc.)

Buffer Overflow
 "Buffer" is a term for data storage at the logical level (often called a "queue" in networking)
 Buffers are used for many different reasons: for example, to temporarily store networking data while it waits to be processed.
 Buffers are often implemented as "arrays" in code
 Arrays typically have a fixed size
 A buffer overflow is a programming error that occurs when more data is sent to a buffer than it can hold AND the programmer did not specify what happens in that special case
  ◦ An attacker can take advantage of this programming error to cause unintended side effects.

Timing Attack
 Something bad happens when a certain time is reached
 Many different flavors. Examples:
  ◦ Explores the web browser's cache.
     Allows a web designer to develop a malicious cookie to be stored on the user's system.
     Could allow the designer to collect information on how to access password-protected sites.
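The Buffer Overflow slide above defines the defect as a fixed-size array receiving more data than it holds while the program never says what should happen in that case. The C program below is an added example written for this page, not code from the slides or the textbook. It shows the classic unchecked `strcpy` into a 16-byte array next to two bounded routines that do define the "too much data" case: one rejects oversized input outright, the other accumulates network-style chunks and truncates at capacity. The function names, the 16- and 32-byte sizes and the sample strings are assumptions made for the example.

```c
/* Added example for the Buffer Overflow slide. Not from the slides or the
 * textbook; names, sizes and sample strings are constructed for this
 * illustration. */
#include <stdio.h>
#include <string.h>

#define NAME_LEN   16   /* fixed-size array, as the slide describes */
#define NETBUF_CAP 32   /* capacity of the small receive buffer below */

/* Deliberately defective and shown for contrast only: strcpy copies until
 * it finds the source's NUL byte regardless of the destination size, so any
 * input of NAME_LEN bytes or more writes past the end of the array. That
 * is the undefined behaviour an attacker exploits. Never call this with
 * untrusted input. */
void store_name_unchecked(char dst[NAME_LEN], const char *src) {
    strcpy(dst, src);
}

/* Hardened form: the programmer decides what happens when src is too long.
 * Returns 0 on success, -1 when it does not fit; dst is always left as a
 * valid NUL-terminated string, so later reads cannot run past it either. */
int store_name_checked(char *dst, size_t dst_len, const char *src) {
    size_t n = strlen(src);
    if (dst_len == 0) return -1;
    if (n >= dst_len) {            /* need n bytes plus the terminating NUL */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);
    return 0;
}

/* Returns 1 if src would overflow a destination of dst_len bytes. */
int would_overflow(size_t dst_len, const char *src) {
    return strlen(src) >= dst_len;
}

/* A small receive buffer of the kind used to accumulate network data. */
struct netbuf {
    char   data[NETBUF_CAP];
    size_t used;
};

void netbuf_init(struct netbuf *b) { b->used = 0; }

/* Append up to n bytes, truncating at capacity instead of writing past it.
 * Returns the number of bytes actually stored; a caller that gets fewer
 * than n knows the chunk was truncated and can reject or flush. */
size_t netbuf_append(struct netbuf *b, const char *src, size_t n) {
    size_t room = NETBUF_CAP - b->used;
    size_t take = n < room ? n : room;
    memcpy(b->data + b->used, src, take);
    b->used += take;
    return take;
}

int main(void) {
    char name[NAME_LEN];
    struct netbuf b;
    const char *long_input = "this input is far longer than sixteen bytes";
    size_t first, second;
    int rc;

    rc = store_name_checked(name, sizeof name, "alice");
    printf("checked copy of \"alice\": rc=%d -> \"%s\"\n", rc, name);
    rc = store_name_checked(name, sizeof name, long_input);
    printf("checked copy of long input: rc=%d -> \"%s\"\n", rc, name);

    netbuf_init(&b);
    first  = netbuf_append(&b, "AAAAAAAAAAAAAAAAAAAA", 20);  /* 20 bytes fit */
    second = netbuf_append(&b, "BBBBBBBBBBBBBBBBBBBB", 20);  /* only 12 fit */
    printf("appended %zu then %zu bytes; used=%zu of %d\n",
           first, second, b.used, NETBUF_CAP);
    return 0;
}
```

The contrast is the point: `store_name_unchecked` has exactly the behaviour the slide describes (the overflow case is simply not specified), while the two bounded routines return a value the caller can act on. Compiling with a stack protector (`-fstack-protector` in gcc or clang) adds a runtime check that aborts on many stack-buffer overwrites, but it is a safety net for the unchecked style, not a substitute for the length check.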
Port Scanning
 http://www.pctopsecurity.com/types-of-attacks/port-scan-attack
  ◦ A port scan sees which ports are available, which OS you are using, ...
 http://www.softpanorama.org/Security/IDS/port_scan_detectors.shtml
  ◦ A view from the trenches
 http://www.cipherdyne.org/psad/
  ◦ A tool to detect port scans

Review
 http://www.scribd.com/doc/20138373/CCNA-Security-Chapter-1-assessment
 Challenge: go through the PCWeek Hack on p.47 and try to understand each step the attacker took.
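The Port Scanning slide above points at psad as a tool that detects scans from firewall logs. The C program below is an added example written for this page, not psad's code or anything from the slides: it shows the core of that detection, reading constructed firewall log lines, counting the distinct destination ports each source address has touched, and flagging a source once it exceeds a threshold. The log line format, the function names, the threshold and the sample addresses are all assumptions made for the example.

```c
/* Added example for the Port Scanning slide. Not psad's code and not from
 * the slides; the log format, threshold and sample lines are constructed. */
#include <stdio.h>
#include <string.h>

#define MAX_SOURCES    64
#define MAX_PORTS      128
#define SCAN_THRESHOLD 10   /* distinct ports from one source -> flag it (assumed) */

struct source {
    char ip[16];            /* dotted IPv4 source address */
    int  ports[MAX_PORTS];  /* distinct destination ports seen from it */
    int  nports;
};

static struct source table[MAX_SOURCES];
static int nsources = 0;

/* Forget everything seen so far (start of a new analysis window). */
void reset_state(void) { nsources = 0; }

static struct source *find_source(const char *ip) {
    int i;
    for (i = 0; i < nsources; i++)
        if (strcmp(table[i].ip, ip) == 0) return &table[i];
    return NULL;
}

static struct source *find_or_add(const char *ip) {
    struct source *s = find_source(ip);
    if (s) return s;
    if (nsources == MAX_SOURCES) return NULL;   /* table full: drop, never overflow */
    s = &table[nsources++];
    strncpy(s->ip, ip, sizeof s->ip - 1);
    s->ip[sizeof s->ip - 1] = '\0';
    s->nports = 0;
    return s;
}

/* Parse a constructed firewall line such as
 *   "DROP src=10.0.0.5 dst=192.168.1.10 proto=TCP dport=22"
 * Returns 1 with ip/dport filled, or 0 for a malformed line. */
int parse_line(const char *line, char *ip, size_t ip_len, int *dport) {
    char ipbuf[64];
    int port;
    if (sscanf(line, "%*s src=%63s dst=%*s proto=%*s dport=%d", ipbuf, &port) != 2)
        return 0;
    if (port < 0 || port > 65535 || strlen(ipbuf) >= ip_len) return 0;
    strcpy(ip, ipbuf);
    *dport = port;
    return 1;
}

/* Record one line; returns the source's distinct-port count afterwards,
 * or 0 if the line was malformed or the table is full. */
int record_line(const char *line) {
    char ip[16];
    int port, i;
    struct source *s;
    if (!parse_line(line, ip, sizeof ip, &port)) return 0;
    if ((s = find_or_add(ip)) == NULL) return 0;
    for (i = 0; i < s->nports; i++)
        if (s->ports[i] == port) return s->nports;   /* already counted */
    if (s->nports < MAX_PORTS) s->ports[s->nports++] = port;
    return s->nports;
}

int distinct_ports(const char *ip) {
    struct source *s = find_source(ip);
    return s ? s->nports : 0;
}

int is_scanning(const char *ip) { return distinct_ports(ip) >= SCAN_THRESHOLD; }

/* Process a batch of lines; returns how many sources crossed the threshold. */
int analyse(const char *const *lines, int n) {
    int i, flagged = 0;
    for (i = 0; i < n; i++) record_line(lines[i]);
    for (i = 0; i < nsources; i++)
        if (table[i].nports >= SCAN_THRESHOLD) flagged++;
    return flagged;
}

/* Constructed sample log: one host sweeping eleven ports, one host talking
 * normally to two services, and one malformed line. */
const char *const SAMPLE_LOG[] = {
    "DROP src=10.0.0.5 dst=192.168.1.10 proto=TCP dport=21",
    "DROP src=10.0.0.5 dst=192.168.1.10 proto=TCP dport=22",
    "DROP src=10.0.0.5 dst=192.168.1.10 proto=TCP dport=23",
    "DROP src=10.0.0.5 dst=192.168.1.10 proto=TCP dport=25",
    "DROP src=10.0.0.5 dst=192.168.1.10 proto=TCP dport=53",
    "DROP src=10.0.0.5 dst=192.168.1.10 proto=TCP dport=80",
    "DROP src=10.0.0.5 dst=192.168.1.10 proto=TCP dport=110",
    "DROP src=10.0.0.5 dst=192.168.1.10 proto=TCP dport=135",
    "DROP src=10.0.0.5 dst=192.168.1.10 proto=TCP dport=139",
    "DROP src=10.0.0.5 dst=192.168.1.10 proto=TCP dport=443",
    "DROP src=10.0.0.5 dst=192.168.1.10 proto=TCP dport=445",
    "ACCEPT src=10.0.0.7 dst=192.168.1.10 proto=TCP dport=443",
    "ACCEPT src=10.0.0.7 dst=192.168.1.10 proto=TCP dport=443",
    "ACCEPT src=10.0.0.7 dst=192.168.1.10 proto=TCP dport=80",
    "this line is not a firewall record",
};
const int SAMPLE_LOG_LEN = (int)(sizeof SAMPLE_LOG / sizeof SAMPLE_LOG[0]);

int main(void) {
    int i;
    reset_state();
    printf("%d source(s) flagged\n", analyse(SAMPLE_LOG, SAMPLE_LOG_LEN));
    for (i = 0; i < nsources; i++)
        printf("%-15s %3d distinct ports%s\n", table[i].ip, table[i].nports,
               table[i].nports >= SCAN_THRESHOLD ? "  <- possible port scan" : "");
    return 0;
}
```

Counting distinct ports rather than raw hits is what separates the scanner from the busy client: `10.0.0.7` produces three lines but only two ports, while `10.0.0.5` touches eleven different ports and is the only source flagged. A production detector adds a time window (so counts age out), handles the table-full case more gracefully than dropping, and watches for slow scans that stay under any per-window threshold; the slide's psad link covers those refinements.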