Post on 23-Feb-2016
description
DSC 101: Security
Topics
1. Components of Security2. States of Information3. Threats4. Attacks5. Malware6. Vulnerabilities
What is Security?
Security is the prevention of certain types of intentional actions from occurring in a system.– The actors who might attack a system are threats.
– Threats carry out attacks to compromise a system.
– Objects of attacks are assets.
Components of Security
Integrity
Confidentiality Availability
Confidentiality
Confidentiality is the avoidance of the unauthorized disclosure of information.
Examples where confidentiality is critical:– Personal information– Trade secrets– Military plans
Security Controls for Confidentiality
Access Control: rules and policies that limit access to certain people and/or systems.
– File permissions (which users can access)– Firewall settings (which IP addresses can access)
Encryption: transforming information so that it can only be read using a secret key.
– AES– SSL
Integrity
Integrity is the property that information has not be altered in an unauthorized way.
Examples where integrity is critical:– Operating system files– Software updates and downloads– Bank account records
Security Controls for Integrity
• Backups: periodic archiving of data. • Checksums: the computation of a function
that maps the contents of a file to a numerical value.
• Data correcting codes: methods for storing data in such a way that small changes can be easily detected and automatically corrected.
Availability
Availability is the property that information is accessible and modifiable in a timely fashion by those authorized to do so.
Examples where availability is critical:– E-commerce site– Authentication server for your network– Current stock quotes
Security Controls for Availability
Physical protections: infrastructure meant to keep information available even in the event of physical challenges.
– Backup generators– Disaster recovery site
Computational redundancies: computers and storage devices that serve as fallbacks in the case of failures.
– Backup tapes– RAID
States of Information
1. Storage: information in memory or disk that is not currently being accessed.
2. Processing: information currently being used by processor.
3. Transmission: information in transit between one node and another on a network.
Is your information protected in all three states?
Threats, Attacks, and VulnerabilitiesThreats are people who are able to take advantage of security vulnerabilities to attack systems.
– Criminals, hacktivists, spies, disgruntled employees.
Attacks are tools, programs, and methods used by threats to obtain assets from systems in violation of the security policy.
– Stuxnet, Dark Comet, AirCrack, John the Ripper
Vulnerabilities are weaknesses in a system that allow a threat to obtain access to information assets in violation of a system’s security policy.
(2719662)Vulnerabilities in Gadgets Could Allow Remote Code Execution
How are Digital Threats Different?
Automation– Salami Attack from Office Space.
Action at a Distance– Volodya Levin, from St. Petersburg, Russia, stole
over $10million from US Citibank. Arrested in London.
Technique Propagation– Criminals share attacks rapidly and globally.
Who are the threats?
IBM X-Force 2012 Trend and Risk Report
Threat Model
A threat model describes which threats exist to a system, their capabilities, history, intentions, and likely targets.
– Are you worried about broad or targeted threats?
– Are your threats able to develop their own tools or just use off the shelf tools?
– Do you keep enough data about historical incidents to know what your threats are?
Threat Model Examples
Example 1: Disgruntled Insider– Targeted attack on organization– Knows systems and information assets already– Attacks more likely to focus on DoS than theft
Example 2: Outsider, broad attack– Broad attack, looking for any vulnerable system.– Looking for one particular type of asset, which
your organization may or may not have.
Attacks and ExploitsAn attack is an action taken by a threat to gain unauthorized access or to create unauthorized modification of assets.
– Spam– Phishing– Malware– Denial of Service
An exploit is a piece of software or a scripted set of actions that carry out an attack. Threats often turn attacks into exploits to automate compromising of systems.
Spam
Spam is the use of electronic messaging systems to send unsolicited bulk messages, especially advertising, indiscriminately.
– Mostly e-mail, but also– Blog and webforum comment spam,– Wiki spam,– IM spam, etc.
Over 90% of e-mail is spam!
Phishing E-mail
Phishing Site
Denial of Service
MalwareMalware, short for malicious software, is software designed to gain access to confidential information, disrupt computer operations, and/or gain access to private computer systems. Malware can be classified by how it infects systems:
– Trojan Horses – Viruses – Worms
Or by what assets it targets:– Ransomware– Spyware and adware– Backdoors– Rootkits– Botnets
How much malware is out there?
Trojan Horses
Trojan Horse Examples
Viruses
A computer virus is a type of malware that, when executed, replicates by inserting copies of itself (possibly modified) into other files. This process is called infecting.
WormsA worm is a type of malware that spreads itself to other computers.
Ransomware
Spyware and Adware
Backdoors
Backdoor Example: Dark Comet
Rootkits• Execution Redirection• File Hiding• Process Hiding• Network Hiding• Backdoor
User Program
Rootkit
Operating System
Botnets
Vulnerabilities
Vulnerabilities can be found in any software:– PC: Office, Adobe Reader, web browsers– Server: Databases, DNS, mail server software,
web servers, web applications, etc.– Mobile: Mobile phone OS, mobile applications– Embedded: printers, routers, switches, VoIP
phones, cars, medical devices, TVs, etc.– Third party software: Web browser plugins, Ad
affiliate network JavaScript include files, Mobile ad libraries
Document Format Vulnerabilities
IBM X-Force 2012 Trend and Risk Report
Web Browser Vulnerabilities
IBM X-Force 2012 Trend and Risk Report
Embedded Vulnerabilities
Patches
A patch is a piece of data or software designed to fix a security vulnerability or bug.
– Administrator may have to apply manually.– Some vendors specify certain days to patch,
such as “Patch Tuesday,” the 2nd Tuesday of the month when MS releases updates.
– Increasingly software auto updates itself with current patches.
Vulnerability Timeline
Vulnerability Markets
Vulnerability Databases
Key Points
1. Components: confidentiality, integrity, availability2. States of Info: storage, communication, processing3. Definitions: threat, attack, and vulnerability4. Attacks: spam, phishing, DoS, and malware5. Vulnerabilities affect all software
– Not just PC or mobile software– Lifecycle: 0day, exploit, then patch and signatures
References1. Nate Anderson, Meet the men who spy on women through their webcams: The Remote
Administration Tool is the revolver of the Internet's Wild West. Ars Technica, http://arstechnica.com/tech-policy/2013/03/rat-breeders-meet-the-men-who-spy-on-women-through-their-webcams/, 2013.
2. Honeynet Project, Know Your Enemy, 2nd edition, Addison-Wesley, 2004. 3. IBM, X-Force 2012 Risk and Trends Report, 2013.4. Stuart McClure, Joel Scambray, and George Kurtz, Hacking Exposed, 5th edition, McGraw-
Hill, 2005. 5. Norton, Fake Antivirus,
http://www.nortonantiviruscenter.com/security-resource-center/fake-antivirus.html6. Ed Skoudis, Counter Hack Reloaded, Prentice Hall, 2006.7. Stuart Staniford, Vern Paxson, and Nicholas Weaver, "How to 0wn the Internet in Your
Spare Time," Proceedings of the 11th USENIX Security Symposium, 2002.