Transcript of security.hsr.ch/mse/lectures/01_Goals_Threats_FS13.pdf
1 Goals and Threats
1.1 Security Goals
• Definition of information and IT Security
• CIA++ (confidentiality, integrity, availability, authenticity, accountability)
• Cryptographical building blocks
1.2 Security Threats
• Security risk analysis (risk, assets, values, threats, vulnerabilities)
• Passive and active attacks
• Malware (virus, worm, trojan, backdoor, logical bomb, zombie, spyware)
• Denial of service attacks (DoS and DDoS), bot nets
• The attackers and their motivation
• Attack sophistication versus intruder knowledge
1.3 Current Threats
• Trends 2011 from the Symantec Internet Security Threat report
Glossary:
• DH Diffie-Hellman public key cryptosystem
• RSA Rivest-Shamir-Adleman public key cryptosystem
• IV Initialization Vector, required to initialize symmetric encryption algorithms
• Nonce Random number, used in challenge-response protocols
• MAC Message Authentication Code, cryptographically secured checksum
• MIC Message Integrity Code – synonym for MAC
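The glossary lists a nonce and a MAC as building blocks without showing how they fit together. The following added example (not from the lecture slides) uses HMAC-SHA256 from the Python standard library as the MAC and a random 16-byte nonce as the challenge: the server issues a fresh nonce, the client answers with MAC(key, nonce), and the server recomputes and compares the MAC. It also shows the MAC as an integrity checksum on a message. The key and message bytes are constructed for the demo.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed shared secret for the demo; a real deployment provisions keys out of band.
SHARED_KEY = b"constructed-demo-key-do-not-reuse"
TAG_LEN = 32  # HMAC-SHA256 output length in bytes


def make_nonce() -> bytes:
    """Server side: a fresh, unpredictable nonce for every authentication attempt."""
    return secrets.token_bytes(16)


def mac(key: bytes, data: bytes) -> bytes:
    """MAC (here HMAC-SHA256): a checksum that only a holder of the key can compute."""
    return hmac.new(key, data, hashlib.sha256).digest()


def respond(key: bytes, nonce: bytes) -> bytes:
    """Client side: prove knowledge of the key by MACing the server's challenge."""
    return mac(key, nonce)


def verify_response(key: bytes, nonce: bytes, response: bytes) -> bool:
    """Server side: recompute the expected MAC and compare in constant time,
    so that timing differences do not leak how many bytes already matched."""
    return hmac.compare_digest(mac(key, nonce), response)


def tag_message(key: bytes, message: bytes) -> bytes:
    """Integrity protection of a message: message || MAC(key, message)."""
    return message + mac(key, message)


def check_message(key: bytes, tagged: bytes) -> Optional[bytes]:
    """Return the message if its MAC verifies, otherwise None (tampering or wrong key)."""
    if len(tagged) < TAG_LEN:
        return None
    message, tag = tagged[:-TAG_LEN], tagged[-TAG_LEN:]
    return message if hmac.compare_digest(mac(key, message), tag) else None


def run_demo() -> dict:
    """One honest exchange, one replayed response, and one tampered message."""
    nonce1 = make_nonce()
    r1 = respond(SHARED_KEY, nonce1)
    honest_ok = verify_response(SHARED_KEY, nonce1, r1)

    # Replay: an eavesdropper resends r1 against the server's next challenge.
    # Because the nonce changed, the old MAC is rejected.
    nonce2 = make_nonce()
    replay_ok = verify_response(SHARED_KEY, nonce2, r1)

    # Integrity: flip one bit of a MAC-protected message in transit.
    tagged = tag_message(SHARED_KEY, b"transfer 100 CHF to account 42")
    tampered = bytes([tagged[0] ^ 0x01]) + tagged[1:]
    tamper_detected = check_message(SHARED_KEY, tampered) is None

    return {"honest_ok": honest_ok, "replay_ok": replay_ok, "tamper_detected": tamper_detected}


if __name__ == "__main__":
    print(run_demo())
```

The nonce is what makes the exchange replay-safe: the MAC alone would let a captured response be reused, which is why the glossary pairs "random number" with "challenge-response protocols".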
Terms
• Assets / Values: Assets can be of a material nature, such as money and goods, or
valuable data, e.g. intellectual property, business records,
customer or inventory data; an organization's public
reputation or credibility is also a valuable asset.
• Vulnerability: A vulnerability is an IT security weakness that could be exploited
to endanger or cause harm to an asset.
• Threat: A threat is an actual exploit of a detected vulnerability.
• Risk: Risk is the likelihood that something bad will happen that causes
harm to an asset or the loss thereof, multiplied by the amount of
possible damage.
Risk can be minimized by either
• minimizing the threat or the amount (value) of the incurred loss. In most cases these
variables cannot be directly influenced, though.
or by
• reducing the likelihood of a successful attack by taking security protection
measures, i.e. by reducing the number and severity of vulnerabilities.
The cost of the security measures increases drastically with increasing levels of
security, but causes a monotonically decreasing cost of suffered incidents.
Therefore, in principle, an optimum security level minimizing the overall cost can
always be found, although the actual computation of the Return on Security
Investment (ROSI) is quite a tricky task due to the often unknown probabilities.
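The definition of risk and the search for a cost-minimizing security level can be carried through numerically. The following added example (not part of the lecture notes) models a few assets and candidate security levels with constructed cost and likelihood figures, computes risk as likelihood times damage, sums measure cost and expected incident cost per level, picks the level with the lowest overall cost, and computes a ROSI relative to the "no measures" baseline. All figures, the level names and the ROSI formula used here are assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class Asset:
    name: str
    value: float  # amount of possible damage if the asset is harmed or lost


@dataclass(frozen=True)
class SecurityLevel:
    name: str
    measure_cost: float         # yearly cost of the protection measures at this level
    incident_likelihood: float  # yearly probability of a harmful incident at this level


def risk(likelihood: float, damage: float) -> float:
    """Risk as defined above: likelihood of harm multiplied by the possible damage."""
    return likelihood * damage


def expected_incident_cost(level: SecurityLevel, assets: Iterable[Asset]) -> float:
    """Sum of the risks of all assets at a given security level."""
    return sum(risk(level.incident_likelihood, a.value) for a in assets)


def overall_cost(level: SecurityLevel, assets: Iterable[Asset]) -> float:
    """Cost of the measures plus the expected cost of suffered incidents."""
    return level.measure_cost + expected_incident_cost(level, assets)


def optimum_level(levels: List[SecurityLevel], assets: List[Asset]) -> SecurityLevel:
    """The level that minimizes the overall cost (the optimum the text refers to)."""
    return min(levels, key=lambda lv: overall_cost(lv, assets))


def rosi(baseline: SecurityLevel, level: SecurityLevel, assets: List[Asset]) -> float:
    """Assumed ROSI formula relative to a baseline level:
    (avoided incident cost - cost of the measures) / cost of the measures.
    Requires level.measure_cost > 0."""
    avoided = expected_incident_cost(baseline, assets) - expected_incident_cost(level, assets)
    return (avoided - level.measure_cost) / level.measure_cost


# Constructed sample figures (per year). The likelihoods are assumptions, which is
# exactly the "often unknown probabilities" problem the text mentions.
ASSETS = [Asset("customer database", 500_000), Asset("public reputation", 300_000)]
LEVELS = [
    SecurityLevel("none", 0, 0.25),
    SecurityLevel("basic", 20_000, 0.10),
    SecurityLevel("strong", 60_000, 0.04),
    SecurityLevel("maximal", 150_000, 0.02),
]


def cost_table(levels=LEVELS, assets=ASSETS) -> List[dict]:
    """Measure cost, expected incident cost and overall cost for every level."""
    return [
        {"level": lv.name, "measures": lv.measure_cost,
         "incidents": expected_incident_cost(lv, assets), "overall": overall_cost(lv, assets)}
        for lv in levels
    ]


if __name__ == "__main__":
    for row in cost_table():
        print(row)
    print("optimum:", optimum_level(LEVELS, ASSETS).name)
    for lv in LEVELS[1:]:
        print(f"ROSI({lv.name}) = {rosi(LEVELS[0], lv, ASSETS):.2f}")
```

With these figures the incident cost falls monotonically while the measure cost rises, and the overall cost is lowest at the "strong" level even though the "basic" level has the higher ROSI: the best return per unit invested and the lowest total cost are different optima, which is one reason ROSI alone is a tricky decision basis.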
General Principle of a DDoS Attack
The attacker planning a DDoS attack identifies and infiltrates numerous computers and
networks (using vulnerabilities) and installs and hides DDoS attack tools in them. These
computers are named zombies because they lie asleep until they are wakened. Since
it would be difficult for a single attacker to control, say, 50’000 zombies, handlers are
used, which are basically an additional hierarchy level to control a large number of
zombies. One way for the attacker to get handlers is to pick some of the zombies he
has compromised before.
When starting the attack, the attacker communicates with the handlers, which in turn
each send commands to a troop of zombie computers, which triggers the zombies to
start the actual attack on the target.
Many DDoS attacks are even more automated. The attacker writes a virus or worm and
starts spreading it. The malware contains the attack code and also a fixed time at which
to trigger the attack. The advantage is that the attacker does not have to actively trigger
the attack, which makes it easier for him to hide his traces. On the other hand, it gives
the attacker much less control over the zombies, which makes it virtually impossible to
change the attack time or target once the malware has been spread.
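From the defender's side, the hierarchy described above shows up in traffic as many distinct sources converging on one target within a short window, as opposed to a single-source DoS. The following added example (not from the lecture) buckets constructed flow records per destination and time window and flags buckets that exceed a flow threshold, labelling them "ddos" when the distinct-source count is high and "dos" otherwise. The sample traffic uses RFC 5737 documentation addresses and is constructed inline; the thresholds are assumptions to be tuned per network.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

# (timestamp in seconds, source IP, destination IP, destination port)
Flow = Tuple[int, str, str, int]


def constructed_flows() -> List[Flow]:
    """Constructed sample traffic (not captured data) using RFC 5737 documentation ranges."""
    flows: List[Flow] = []
    # 50 "zombies" (198.51.100.1-50), three connections each, inside one ten-second window.
    for i in range(1, 51):
        for _ in range(3):
            flows.append((100 + i % 10, f"198.51.100.{i}", "203.0.113.10", 80))
    # A single host hammering a second target: the non-distributed DoS pattern.
    for k in range(120):
        flows.append((200 + k % 10, "192.0.2.77", "203.0.113.20", 443))
    # Ordinary background traffic: five clients, one connection each.
    for c in range(5):
        flows.append((305, f"192.0.2.{10 + c}", "203.0.113.30", 22))
    return flows


def detect_floods(flows: List[Flow], window: int = 10,
                  flow_threshold: int = 100, source_threshold: int = 20) -> List[Dict]:
    """Group flows by (destination, port, time window) and alert on windows whose
    flow count exceeds flow_threshold. Many distinct sources in one such window is
    the signature of a zombie troop (ddos); one dominant source is a plain dos."""
    buckets: Dict[Tuple[str, int, int], List[str]] = defaultdict(list)
    for ts, src, dst, dport in flows:
        buckets[(dst, dport, ts // window)].append(src)

    alerts: List[Dict] = []
    for (dst, dport, w), sources in sorted(buckets.items()):
        if len(sources) < flow_threshold:
            continue
        distinct = len(set(sources))
        alerts.append({
            "target": f"{dst}:{dport}",
            "window_start": w * window,
            "flows": len(sources),
            "sources": distinct,
            "kind": "ddos" if distinct >= source_threshold else "dos",
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_floods(constructed_flows()):
        print(alert)
```

The distinction matters for the response: a single-source flood can be filtered at the source address, whereas a flood from thousands of zombies needs rate limiting or upstream filtering by destination, since blocking individual sources does not scale.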
A set of "profiles" of various participants in the hacker community is derived from actual data
gathered by Microsoft researchers and engineers who are working with national law
enforcement agencies in the US. The threat situation can be structured by various levels of
"motivation":
• The "Vandal" is the person who, for example, hacks into a poorly-protected Web site and
defaces the content.
• "Trespassers" are more capable than Vandals and they're motivated by ego and a sense of
personal fame. Their intentions are relatively benign, but they can cause significant problems.
The hackers who create many of the worms and viruses that make news usually fall into this
category. Because their attacks create huge amounts of traffic and sometimes Denial of
Service attacks, their actions can result in serious material damage to computer users,
businesses and other organizations.
• The "Author" is the highly-capable hacker who has the tools and expertise to reverse-engineer
a patch and write exploit code, or find vulnerabilities in security software, hardware,
or processes. Authors are generally motivated by ego, ideology, and/or personal fame.
Authors create the building blocks for criminal hackers. The tools and code they produce are
usually made readily available to the less-sophisticated, meaning that the Vandals and the
Script-Kiddies are able to cause a lot more trouble with less work.
• The "Thieves" are people who are in it for the money, and they include organized crime
syndicates from around the world. Thieves are active and effective in hacking into corporate
and enterprise systems, sometimes to steal information that has monetary value (such as
credit card numbers), sometimes to divert cash into their accounts, and sometimes to extort
payments to prevent their systems or data from being exposed to the public. The Thieves
benefit from the Authors' efforts.
• The "Spies," who work on behalf of governments, are highly skilled, and have virtually
unlimited resources. And the largest expenditures on protection (building strong defenses)
are made, not surprisingly, by the Spies.
Tim Shimeall, CERT Centers, Software Engineering Institute,
© 2002 by Carnegie Mellon University
www.cert.org/archive/ppt/cyberterror.ppt
Source: Symantec Internet Security Threat Report XVII, April 2012
Source: Symantec Internet Security Threat Report XVII, April 2012
Source: Symantec Internet Security Threat Report XVII, April 2012
New malicious code threats
One result that Symantec has drawn from the observance of increased
professionalization in the underground economy is that the coordination of specialized
and, in some cases, competitive groups for the production and distribution of items
such as customized malicious code and phishing kits has led to a dramatic increase
in the general proliferation of malicious code.
A prime example of this type of underground professional organization is the Russian
Business Network (RBN). The RBN reputedly specializes in the distribution of
malicious code, hosting malicious websites, and other malicious activity. The RBN
has been credited with creating approximately half of the phishing incidents that
occurred worldwide in 2008.
With the increasing adaptability of malicious code developers and their ability to
evade detection, Symantec also expects that overt attack activities will either be
abandoned or pushed further underground. This has already been seen with the use
of HTTP and P2P communication channels in threats such as Downadup. Because of
the distributed nature of these control channels, it is much more difficult to disable an
entire network and locate the individual or group behind the attacks.
The focus of threats in 2008 continued to be aimed at exploiting end users for profit,
and attackers have continued to evolve and refine their abilities for online fraud. While
some criminal groups have come and gone, other large organizations persist and
continue to consolidate their activities. These pseudo-corporations and their up-and-
coming competitors will likely remain at the forefront of malicious activity in the
coming year.
Source: Symantec Global Internet Security Threat Report XIV, April 2009
Source: Symantec Internet Security Threat Report XV, April 2010
Source: Symantec Internet Security Threat Report XV, April 2010
Source: Symantec Internet Security Threat Report XVI, April 2011
Source: Symantec Internet Security Threat Report XVII, April 2012
Source: Symantec Internet Security Threat Report XVII, April 2012
Source: Symantec Internet Security Threat Report XVII, April 2012
Source: http://en.wikipedia.org/wiki/Advanced_persistent_threat
Information on Stuxnet
http://en.wikipedia.org/wiki/Stuxnet
Source: Symantec Internet Security Threat Report XVII, April 2012