Computer security 101 computer security 101 Eric Pancer Computer Security Response Team

  • Slide 1
  • computer security 101. Eric Pancer, Computer Security Response Team. http://security.depaul.edu/
  • Slide 2
  • april, 2004 2 welcome! Why Are You Here? Why Am I Here?
  • Slide 3
  • april, 2004 3 sponsors: Information Services; Computer Security Response Team.
  • Slide 4
  • incidents and trends
  • Slide 5
  • april, 2004 5 what defines an incident? A computer security incident covers a large range of violations, including: Harassment, Denial/Interruption of Service, Malware Infection (worm, virus), Unauthorized Access, Misuse of Data or Services, Copyright Infringement, Spam?
  • Slide 6
  • april, 2004 6 general statistics. CERT/CC incidents reported per year: 1991: 406; 1993: 1,334; 1995: 2,412; 1997: 2,134; 1999: 9,859; 2001: 52,658; 2003: 137,529.
  • Slide 7
  • april, 2004 7 in our backyard. W32.Blaster Worm: exploited a vulnerability patched in July, 2003; unleashed August, 2003; 900+ infections from August 11, 2003 to October 11, 2003; persists at approximately 8-10 infections weekly. Bots: exploit common vulnerabilities; variants released weekly; centrally controlled; growing more and more malicious; 700+ unique hosts since January, 2004.
  • Slide 8
  • april, 2004 8 even more alarming. W32.Slammer Worm, January, 2003: attacked unpatched MS-SQL 2000 servers and unpatched desktops with Microsoft Desktop Engine. Interrupted Bank of America ATM services. Caused a meltdown of University network services due to other bugs on the network. Vulnerability was announced June, 2002!
  • Slide 9
  • april, 2004 9 how do we find violations? Intelligence gathering is performed in many ways, though human interaction and communication is still the best method. Reports to [email protected]@depaul.edu. Internal reports. Monitoring network flows. Searching for attack patterns. Hearsay, rumors, gossip.
  • Slide 10
  • april, 2004 10 sample e-mail report
    Date: Fri, 9 Apr 2004 12:57:16 -0400
    From: [email protected]
    To: [email protected]
    Cc: [email protected], [email protected]
    Subject: Abuse! Suspicious Activity!!! 140.192.21.254

    Hello,

    You are being contacted regarding suspicious activity logged from a host on your network. We found that the address 140.192.21.254 was attempting to connect to the VPN port 500 (TCP) on Apr 8 at 18:15:41 (EST).

    Log Entries (All times are EDT):
    *Apr 8 18:15:41 140.192.21.254 500 x.123.208.2 500 1
    *Apr 8 18:15:43 140.192.21.254 500 x.123.208.2 500 1

    Please review the log information included below. The data reflected in the log could be interpreted as a user from your domain attempting to probe a federal government network. Please investigate this immediately and take action to prevent further probing of the network.
  • Slide 11
  • april, 2004 11 network flows
    19 Apr 04 10:49:33.61177 tcp 140.192.27.47.3076 -> 66.18.100.2.80 RS
    19 Apr 04 10:49:33.62319 tcp 140.192.83.97.1302 -> 63.123.232.243.80 FIN
    19 Apr 04 10:49:33.63790 tcp 192.77.161.22.44274 -> 140.192.220.21.80 EST
    19 Apr 04 10:49:33.62713 tcp 140.192.55.29.4462 -> 12.130.91.26.80 EST
    19 Apr 04 10:49:33.63408 tcp 140.192.131.188.4726 -> 216.73.87.20.80 FIN
    19 Apr 04 10:49:33.64504 tcp 140.192.110.86.3986 -> 64.40.102.42.80 FIN
    19 Apr 04 10:49:33.64507 tcp 140.192.132.134.4947 -> 216.120.60.144.80 FIN
    19 Apr 04 10:49:33.65468 tcp 140.192.132.67.3357 -> 207.68.173.254.80 FIN
    19 Apr 04 10:49:33.66201 tcp 140.192.15.106.4881 -> 207.68.162.24.80 FIN
    19 Apr 04 10:49:33.66328 tcp 140.192.15.106.4882 -> 207.68.162.24.80 FIN
    19 Apr 04 10:49:33.66709 tcp 140.192.227.36.1106 -> 205.158.62.54.80 FIN
    19 Apr 04 10:49:33.66836 tcp 140.192.132.134.4948 -> 216.120.60.175.80 FIN
    19 Apr 04 10:49:39.36782 tcp 140.192.151.158.4632 -> 216.239.41.104.80 RST
    19 Apr 04 10:50:06.11342 tcp 140.192.196.6.3649 -> 1.0.0.1.80 TIM
    19 Apr 04 10:51:27.93013 udp 24.186.52.241.1620 140.192.170.146.3845 ACC
    19 Apr 04 10:50:55.77691 tcp 140.192.196.6.4670 207.44.246.72.80 CON
    19 Apr 04 10:51:28.05120 udp 128.175.131.52.3964 140.192.177.213.1480 ACC
    19 Apr 04 10:50:54.13063 tcp 140.192.196.6.4671 -> 207.44.246.72.80 RST
    19 Apr 04 10:51:28.07679 udp 209.6.25.71.2021 140.192.176.87.3068 ACC
    19 Apr 04 10:51:27.81926 udp 140.192.175.192.1343 62.143.31.15.1870 ACC
    19 Apr 04 10:51:27.93307 udp 140.192.231.133.1612 142.179.17.60.1053 ACC
    19 Apr 04 10:50:51.29740 tcp 200.87.50.62.10547 -> 140.192.175.183.139 EST
    19 Apr 04 10:51:28.08786 udp 209.6.25.71.2021 140.192.176.87.3068 ACC
    19 Apr 04 10:51:28.08839 udp 149.159.97.73.1576 140.192.172.92.1495 ACC
    19 Apr 04 10:50:54.13644 tcp 140.192.196.6.4686 -> 207.44.246.72.80 RST
    19 Apr 04 10:51:28.09423 udp 62.163.81.124.11480 140.192.171.165.11895 ACC
  • Slide 12
  • april, 2004 12 known signatures
    alert tcp $HOME_NET any -> $EXTERNAL_NET 135 \
        (msg:"SCAN - Microsoft Directory and File Services"; \
        stateless; flags:S,12; threshold: type threshold, track by_src, \
        count 520, seconds 600; classtype:network-scan; priority:7; sid:6010001; rev:1;)

    [**] [1:6010001:1] SCAN - Microsoft Directory and File Services [**]
    [Classification: Detection of a Network Scan] [Priority: 7]
    04/19/04-01:54:42.622054 140.192.21.254:2460 -> 10.203.54.114:135
    TCP TTL:126 TOS:0x0 ID:49784 IpLen:20 DgmLen:48 DF
    ******S* Seq: 0xC6D0AB86 Ack: 0x0 Win: 0x4000 TcpLen: 28
    TCP Options (4) => MSS: 1460 NOP NOP SackOK
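    The threshold clause in the rule on this slide (track by_src, count 520, seconds 600) is what turns single SYN packets like the one in the alert into a scan verdict, and the flow records on the previous slide are the kind of per-connection data the same counting can be applied to. The script below is an added example, not part of the original slides or a CSRT tool: it parses constructed packet lines laid out like the timestamp/address line of the alert, applies the same per-source counting window, and emits an alert in the slide's message format. The packet line layout, 140.192.0.0/16 as $HOME_NET, and the sample traffic are all constructed assumptions.

```python
"""Per-source SYN threshold detection, mirroring the Snort rule's threshold clause.

Added example (not from the slides). Assumptions, all constructed: the packet line
layout, the campus range 140.192.0.0/16 as $HOME_NET, and the sample traffic.
"""
import ipaddress
import re
from datetime import datetime, timedelta

HOME_NET = ipaddress.ip_network("140.192.0.0/16")  # assumed $HOME_NET

# One packet per line: "MM/DD/YY-HH:MM:SS.usec src:sport -> dst:dport FLAGS"
# (constructed layout modelled on the address line of the Snort alert).
PKT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<flags>\S+)$"
)


def parse_packet(line):
    """Return a dict for a well-formed packet line, or None for anything else."""
    m = PKT_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%m/%d/%y-%H:%M:%S.%f"),
        "src": m["src"],
        "dst": m["dst"],
        "dport": int(m["dport"]),
        "flags": m["flags"],
    }


class SynScanThreshold:
    """Approximates `threshold: type threshold, track by_src, count N, seconds S`:
    alert once each time a single source sends N matching SYNs inside an S-second window."""

    def __init__(self, count=520, seconds=600, dport=135):
        self.count = count
        self.window = timedelta(seconds=seconds)
        self.dport = dport
        self.state = {}  # src -> (window_start, hits)

    def matches(self, pkt):
        # flags:S,12 = SYN set (reserved bits ignored); $HOME_NET -> $EXTERNAL_NET port 135
        return (
            pkt["flags"] == "S"
            and pkt["dport"] == self.dport
            and ipaddress.ip_address(pkt["src"]) in HOME_NET
            and ipaddress.ip_address(pkt["dst"]) not in HOME_NET
        )

    def feed(self, pkt):
        """Consume one packet; return an alert string when the threshold trips."""
        if not self.matches(pkt):
            return None
        start, hits = self.state.get(pkt["src"], (pkt["ts"], 0))
        if pkt["ts"] - start > self.window:      # window expired: count afresh
            start, hits = pkt["ts"], 0
        hits += 1
        if hits >= self.count:                    # Nth hit in window: alert and reset
            self.state[pkt["src"]] = (pkt["ts"], 0)
            return (f"[1:6010001:1] SCAN - Microsoft Directory and File Services "
                    f"src={pkt['src']} hits={hits} at {pkt['ts']:%m/%d/%y-%H:%M:%S}")
        self.state[pkt["src"]] = (start, hits)
        return None


def detect(lines, **threshold_args):
    """Run every parseable line through the detector and collect the alerts."""
    det = SynScanThreshold(**threshold_args)
    alerts = []
    for line in lines:
        pkt = parse_packet(line)
        if pkt is None:
            continue
        alert = det.feed(pkt)
        if alert:
            alerts.append(alert)
    return alerts


def constructed_traffic():
    """Sample input: one internal host sweeping port 135 across a /24 (600 SYNs in
    480 seconds) plus a second host making a few ordinary web connections."""
    t0 = datetime(2004, 4, 19, 1, 54, 42)
    lines = []
    for i in range(600):
        ts = t0 + timedelta(seconds=i * 0.8)
        lines.append(f"{ts:%m/%d/%y-%H:%M:%S.%f} 140.192.21.254:{2460 + i} "
                     f"-> 10.203.54.{i % 254 + 1}:135 S")
    for i in range(5):
        ts = t0 + timedelta(seconds=i)
        lines.append(f"{ts:%m/%d/%y-%H:%M:%S.%f} 140.192.27.47:{3076 + i} -> 66.18.100.2:80 S")
    return lines


if __name__ == "__main__":
    for alert in detect(constructed_traffic()):
        print(alert)
```

    Running the script produces exactly one alert for 140.192.21.254 and none for the web client, because the count is tracked per source and only SYNs to port 135 leaving the home net are counted. Lowering `count` and `seconds` on the `detect()` call shows how the "type threshold" semantics fire repeatedly, once per N hits, rather than only on the first crossing.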
  • Slide 13
  • april, 2004 13 is it 1984? Are you Big Brother? Why do you care? Do you read my email? Isn't the network secure? I don't do anything malicious, so don't look at what I do, please.
  • Slide 14
  • general concepts
  • Slide 15
  • april, 2004 15 common myths. Why should I care? I have nothing to hide. Why does anyone care about my computer? It's too difficult to get access to my computer or personal information. If someone tries to [insert malicious activity here], I will notice! Ignorance is bliss!
  • Slide 16
  • april, 2004 16 are you at risk? Using the following puts you at risk: computers, credit cards, banks, airlines, automobiles, and many more.
  • Slide 17
  • april, 2004 17 CIA: the building blocks. Confidentiality, Integrity, Authenticity.
  • Slide 18
  • april, 2004 18 confidentiality. Ensures privacy. Applies to both data on disks and network communication. Accomplished through encryption: https://, S/MIME, PGP, SSH and IPsec.
  • Slide 19
  • april, 2004 19 integrity. Develops trust of the network and computer systems. Applies to both data on disks and network communication. Integrity is increased by proper data and system management.
  • Slide 20
  • april, 2004 20 authenticity. Another catalyst for trust. Required for data on disk and network communication. Prevents ID theft, man-in-the-middle attacks, etc.
  • Slide 21
  • april, 2004 21 vulnerability life cycle: vulnerability, discussion, concept code, exploit, automation, research.
  • Slide 22
  • april, 2004 22 assumptions Researchers will continue to find new bugs and vulnerabilities. Active exploitation of these vulnerabilities will continue through worms, viruses, etc. Technology will continue to progress and the quality of code will continue to fall. Santa Claus is real!
  • Slide 23
  • terminology
  • Slide 24
  • april, 2004 24 denial of service The overload of a system preventing the normal use of that system. A denial of service (DoS) attack is a common method to prevent users from accessing websites.
  • Slide 25
  • april, 2004 25 scanning Enumerating the security of a computer system and/or the service(s) they provide. A portscan commonly occurs to check the type of computer operating system being used. Thousands of portscans against the University have taken place in the time you have read this slide!
  • Slide 26
  • april, 2004 26 exploit. A piece of malicious code or action against a computer system to elevate privileges or gain further access. Exploits mostly act on bugs found in software or hardware. These bugs are usually due to human error in coding or to system misconfiguration.
  • Slide 27
  • april, 2004 27 virus A virus is a piece of code that modifies existing applications or data to change the behavior of that application or of data. Viruses rely on human interaction to ensure their survival and propagation.
  • Slide 28
  • april, 2004 28 worm. A worm is a program that propagates itself over a network, reproducing itself and changing as needed to survive and adapt. The term worm is derived from tapeworm, as coined in John Brunner's book Shockwave Rider.
  • Slide 29
  • april, 2004 29 (ro)bot. A software program or computer that performs repetitive functions; usually commanded as part of a botnet (see next slide). Although robots were first introduced to spider the World Wide Web, the term bot has come to represent an increasing threat against computer users.
  • Slide 30
  • april, 2004 30 botnet A collection of computers acting in conjunction with one another to perform automated tasks. Botnets can be built using viruses, worms or other attacks. These botnets (sometimes thousands of computers) can then carry out scan and sploit actions automatically.
  • Slide 31
  • april, 2004 31 feeling overwhelmed yet?
  • Slide 32
  • defending with technology
  • Slide 33
  • april, 2004 33 start with the basics. Basic computer security through technology is easy; use a firewall, anti-virus software, patch your computer quickly when required, and strong passwords!
  • Slide 34
  • april, 2004 34 firewalls The most useful tool in your bag of defenses. Prevents intruders from accessing services on your computer. Validates/normalizes network traffic. May provide reports and trend analysis. Available for all major operating systems usually for free!
  • Slide 35
  • april, 2004 35 anti-virus software Stops viruses and worms sent by email, attachments, downloads, etc. Detects malicious software through intelligent heuristics. Available for all major desktop and server operating systems. A requirement; not an option.
  • Slide 36
  • april, 2004 36 patches (Usually) free updates to your computer; can be downloaded from the Internet. Available before most exploits surface. Automated, usually. Critical to overall security. Chant: We Must Patch, We Must Patch
  • Slide 37
  • april, 2004 37 strong passwords Keeps you on-target with best practices. Is composed of 8 or more characters and includes letters, numbers and 2 special characters, including [email protected]#$%^&.-+-=|]{}:. Not based on any dictionary word from any language. Changes regularly; not shared.
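    A password rule like the one on this slide is only as good as the check that enforces it, and the "not based on any dictionary word" clause is the part most implementations skip. The script below is an added example, not part of the original slides or any DePaul system: it encodes the four rules (8 or more characters, letters, digits, at least 2 special characters, no dictionary base) and undoes common letter-for-symbol substitutions before the dictionary test, so "P@ssw0rd" is still rejected. The exact special-character set, the tiny wordlist and the substitution table are constructed assumptions; a real deployment would load a full cracking wordlist.

```python
"""Password policy check modelled on the slide's rules.

Added example (not from the slides). Assumptions, all constructed: the exact set of
special characters, the mini wordlist and the leet-speak substitution table.
"""
import re

MIN_LENGTH = 8
MIN_SPECIALS = 2
SPECIALS = set("!@#$%^&*.-+=|[]{}:;")   # constructed; the slide's own list is partly garbled

# Tiny stand-in for a real dictionary or cracking wordlist (constructed).
WORDLIST = {"password", "welcome", "letmein", "qwerty", "monkey", "dragon", "summer", "depaul"}

# Common substitutions undone before the dictionary test, so "P@ssw0rd" still counts
# as "based on" a dictionary word.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def normalize(password):
    """Lower-case the password and undo the leet substitutions."""
    return password.lower().translate(LEET)


def dictionary_based(password, words=WORDLIST, min_word_len=4):
    """True if a wordlist entry appears in the password, either directly or once
    digit/symbol substitutions are undone and remaining punctuation is stripped."""
    base = normalize(password)
    letters_only = re.sub(r"[^a-z]", "", base)
    return any(w in base or w in letters_only for w in words if len(w) >= min_word_len)


def check_password(password, words=WORDLIST):
    """Return the list of policy rules the password fails (an empty list means it passes)."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append("length")
    if not any(c.isalpha() for c in password):
        failures.append("letter")
    if not any(c.isdigit() for c in password):
        failures.append("digit")
    if sum(c in SPECIALS for c in password) < MIN_SPECIALS:
        failures.append("specials")
    if dictionary_based(password, words):
        failures.append("dictionary")
    return failures


if __name__ == "__main__":
    for candidate in ["abc", "P@ssw0rd!!", "Xk7#qR2!mZ"]:
        print(candidate, "->", check_password(candidate) or "OK")
```

    The substring test is deliberately broad: a wordlist entry anywhere in the normalized password fails it, which matches the slide's "not based on any dictionary word" wording rather than requiring an exact match. Length and character-class checks are cheap; the dictionary check is the one that catches the passwords attackers actually guess first.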
  • Slide 38
  • april, 2004 38 coordinated efforts result in success!
  • Slide 39
  • behavioral changes
  • Slide 40
  • april, 2004 40 what technology doesn't solve. Security technologies adapt as threats appear. They are not able to (easily) combat: threats, hoaxes, scams, the behavior of others.
  • Slide 41
  • april, 2004 41 the clue factor
  • Slide 42
  • april, 2004 42 education and awareness. Education and awareness are key to increasing the security posture of the University and the global Internet. Dispels the FUD (fear, uncertainty, doubt). Addresses problems before they exist. Extends the radius of clue. Creates inclusion in the entire infosecurity effort.
  • Slide 43
  • april, 2004 43 self-education. You can increase your own awareness of security-related issues. Subscribe to mailing lists for security notifications. Visit security-related websites. Contact us; we're always willing to help. Voice your concern on security-related issues, helping raise awareness in others.
  • Slide 44
  • april, 2004 44 test your efforts Contact us and we can schedule a vulnerability scan for your department or network. Register your network with us; we can send you reports of suspicious behavior. Help us tailor an awareness program for your department. Remember: security is about sharing knowledge and contacts, not technology.
  • Slide 45
  • april, 2004 45 thank you! Questions? Contact CSRT: Computer Security Response Team [email protected] [email protected] http://security.depaul.edu/ or Eric Pancer [email protected] pgp: C022 4991 41E5 51E7 683C F765 62F7 7F8E 7ACB CFF3