Introduction to Computer Security - uni-tuebingen.de · Introduction to Computer Security Security...
Introduction to Computer Security
Security Principles, Vulnerabilities and Threats
Pavel Laskov
Wilhelm Schickard Institute for Computer Science
What is security?
Protection of an organization's assets
Technical instruments (software and hardware infrastructure)
Organizational measures (access control, policies, etc.)
A struggle with user work habits
Security vs. reliability
Solutions vs. management
Assets
Specific constituents of an organization's business:
Physical devices, e.g. computers, communication lines, etc.
Software
Data
Intellectual property and know-how
Business reputation
Asset valuation:
Monetary replacement value
Lost revenue
How long can your business survive without an asset X?
Security management
Goal: protection of the organization's assets.
How?
Asset "inventory"
Vulnerability analysis
Threat analysis
Risk analysis
Infrastructure design
Policy definition
Security scapegoat: Chief Information Security Officer ("Datenschutzbeauftragter", literally the data protection officer)
Vulnerabilities
Weaknesses of a system that can be exploited to damage assets
Technical: software bugs, lack of input validation
Configurational: unnecessary open ports
Administrative: wrong access permissions, etc.
Vulnerability repositories: CVE, BugTraq, etc.
Vulnerability scanners: nmap, Nessus, WebInspect
Vulnerability ratings:
Critical: automatic exploitation possible
Moderate: exploitability mitigated by configuration
Low: exploitation extremely difficult, low gain
Threats
Actions by adversaries to exploit vulnerabilities
Threat examples:
Identity spoofing
Information disclosure
Denial of service
Elevation of privilege
Malware infection
...
Attack trees can be constructed to handle complex attack scenarios
Cost of security
Security cost vs. asset cost
What are my assets worth? (answered by the asset inventory)
Security cost vs. potential damage
How much will I lose (e.g. in future income) if ...? (answered by the risk analysis)
Technology vs. operational cost
Shall I buy product X or hire an additional sysadmin?
One-time vs. continuous investment
Risk analysis
Risk is a function of assets, vulnerabilities and threats:
Risk = Assets × Vulnerabilities × Threats
Quantitative analysis
Values from a mathematical domain, e.g. price and probability
Outcome: a mathematical characterization, e.g. expected loss
Qualitative analysis
Values from a domain without a mathematical structure
Outcome: ad-hoc advice by security experts
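The attack trees mentioned under "Threats" and the expected loss of the quantitative analysis fit together: the tree enumerates how an asset can be attacked, and evaluating it yields the numbers the risk formula needs. The following is an added example (not code from the lecture) of a small attack-tree evaluator; the tree, the per-step costs and the success probabilities are hypothetical, and sibling steps are treated as independent events.

```python
"""Added example, not from the lecture: a small attack-tree evaluator.
It computes the two inputs a quantitative risk analysis needs, the cheapest
attack (the attacker's view) and the probability that some attack succeeds,
and turns the latter into an expected loss for an asset of a given value.
The tree, the step costs and the probabilities are hypothetical numbers
chosen for illustration."""
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class Node:
    name: str
    kind: str = "leaf"          # "leaf", "and" or "or"
    cost: float = 0.0           # attacker cost of a leaf step
    prob: float = 0.0           # probability that a leaf step succeeds
    children: List["Node"] = field(default_factory=list)


def LEAF(name: str, cost: float, prob: float) -> Node:
    return Node(name, "leaf", cost, prob)


def AND(name: str, *children: Node) -> Node:
    return Node(name, "and", children=list(children))


def OR(name: str, *children: Node) -> Node:
    return Node(name, "or", children=list(children))


def cheapest_attack(node: Node) -> Tuple[float, List[str]]:
    """Cost and leaf steps of the cheapest way to reach the node's goal.
    OR: take the cheapest alternative.  AND: every sub-step is required."""
    if node.kind == "leaf":
        return node.cost, [node.name]
    options = [cheapest_attack(c) for c in node.children]
    if node.kind == "or":
        return min(options, key=lambda o: o[0])
    total = sum(cost for cost, _ in options)
    steps = [s for _, steps in options for s in steps]
    return total, steps


def success_probability(node: Node) -> float:
    """Probability that the goal is reached, treating sibling steps as
    independent events (a simplifying assumption of this example).
    AND: all steps must succeed.  OR: at least one alternative succeeds."""
    if node.kind == "leaf":
        return node.prob
    probs = [success_probability(c) for c in node.children]
    if node.kind == "and":
        p = 1.0
        for q in probs:
            p *= q
        return p
    p_all_fail = 1.0
    for q in probs:
        p_all_fail *= 1.0 - q
    return 1.0 - p_all_fail


def expected_loss(root: Node, asset_value: float) -> float:
    """Expected loss = asset value x probability of a successful attack:
    the quantitative reading of Risk = Assets x Vulnerabilities x Threats."""
    return asset_value * success_probability(root)


# Hypothetical attack tree for the asset "customer database".
CUSTOMER_DB_TREE = OR(
    "steal customer database",
    AND("attack via the web application",
        LEAF("find an SQL injection", cost=2000, prob=0.3),
        LEAF("exfiltrate data through the application", cost=500, prob=0.9)),
    AND("attack via an insider",
        LEAF("bribe a database administrator", cost=20000, prob=0.1),
        LEAF("copy the backup tapes", cost=100, prob=0.95)),
    LEAF("phish an administrator's VPN credentials", cost=800, prob=0.2),
)


if __name__ == "__main__":
    cost, steps = cheapest_attack(CUSTOMER_DB_TREE)
    print(f"cheapest attack: {cost:.0f} via {steps}")
    print(f"P(success) = {success_probability(CUSTOMER_DB_TREE):.3f}")
    print(f"expected loss at asset value 1,000,000: "
          f"{expected_loss(CUSTOMER_DB_TREE, 1_000_000):,.0f}")
```

Removing or hardening a leaf (for instance, adding a second factor to the VPN so the phishing leaf drops out) and re-running the evaluator shows directly how much a given control lowers the expected loss, which is the comparison the "Cost of security" slide asks for.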
A fundamental quadrilemma
Four conflicting goals: low cost, high security, rich functionality, low required user expertise.
Poorly qualified users undermine security features.
Rich functionality is in conflict with security.
Security at no cost does not exist.
Design principles of computer security
Economy of mechanism: keep it simple.
Fail-safe defaults: when in doubt, do not grant access.
Open design: no "security by obscurity".
Separation of privilege: require more than one condition (e.g. two independent keys or approvers) before granting access; do not concentrate everything in a single root account.
Least privilege: the minimum access rights necessary.
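Three of these principles show up in something as small as an authorization check. Below is an added example (not code from the lecture) of one check written twice: a deny-list with a default of "allow", which violates fail-safe defaults, and an allow-list with a default of "deny" that also refuses malformed requests (fail-safe defaults, least privilege) and demands a second principal for destructive actions (separation of privilege). The users, roles, actions and policy rules are hypothetical.

```python
"""Added example, not from the lecture: one authorization check written
twice.  The first version is a deny-list with a default of 'allow' and
violates fail-safe defaults; the second is an allow-list with a default of
'deny' (fail-safe defaults, least privilege) and demands a second principal
for destructive actions (separation of privilege).  Users, roles, actions
and the policy rules are hypothetical."""
from dataclasses import dataclass
from typing import FrozenSet, Optional


@dataclass(frozen=True)
class Request:
    user: str
    roles: FrozenSet[str]
    action: str
    resource: Optional[str]
    approvers: FrozenSet[str] = frozenset()   # other users who co-signed


# Unsafe style: enumerate what is forbidden, allow everything else.
DENY_RULES = {("guest", "write"), ("guest", "delete")}


def is_allowed_unsafe(req: Request) -> bool:
    """Default allow.  Any (role, action) pair nobody listed, e.g. a new
    'export' action added last week, is silently granted."""
    for role in req.roles:
        if (role, req.action) in DENY_RULES:
            return False
    return True


# Safe style: enumerate what is permitted as (role, action, resource prefix).
ALLOW_RULES = {
    ("reader", "read", "/docs/"),
    ("admin", "read", "/"),
    ("admin", "write", "/docs/"),
    ("admin", "delete", "/docs/"),
}

# Actions that need the requester plus one independent approver.
DUAL_CONTROL = {"delete"}


def is_allowed(req: Request) -> bool:
    """Default deny: access is granted only by an explicit matching rule,
    and a malformed request (e.g. a missing resource) is refused rather
    than waved through."""
    try:
        if req.action in DUAL_CONTROL:
            # Separation of privilege: the requester cannot approve their
            # own destructive action.  Simplified for the example: any
            # other user counts; a real system would check the approver's
            # role and the integrity of the approval as well.
            if not (req.approvers - {req.user}):
                return False
        for role, action, prefix in ALLOW_RULES:
            if (role in req.roles and action == req.action
                    and req.resource.startswith(prefix)):
                return True
        return False
    except (AttributeError, TypeError):
        # Error path fails closed: an unexpected value never grants access.
        return False


if __name__ == "__main__":
    new_action = Request("eve", frozenset({"guest"}), "export", "/docs/x")
    print(is_allowed_unsafe(new_action), is_allowed(new_action))   # True False
```

The point of the contrast is not the particular rule set but where each version lands when the policy is incomplete or the input is unexpected: the deny-list grants, the allow-list refuses.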
Defense-in-depth
[Figure: network diagram with the zones Internet, Email server, Web/DNS servers, SQL servers, Intranet server, File server and User workstations, each annotated with its own controls. Controls shown: network firewall, network IPS, VPN gateway and web application firewall at the network boundaries; email antivirus, web server antivirus, server IPS and server antivirus on the servers; personal firewall and antivirus scanner on the workstations; user authentication in every zone.]
Layered protection: complementary security layers
Defense in multiple places
Diversification: use of complementary products
The onion model of protection mechanisms
Layers from the outside in: applications, services, operating system, OS kernel, hardware.
Application security: application-level protection mechanisms
Services security: security of services such as DNS, DHCP etc.
Operating system security: main OS security mechanisms
OS kernel security: security models at the hardware abstraction level
Hardware security: tamper-resistant hardware modules (e.g. for PKI)
Access to the layer below
Attackers will attempt to overcome security mechanisms by "digging deeper" in the system hierarchy.
Examples of "layer-below" attacks:
System call hooking: overwriting pointers to audit functions with customized code
Hacking in the physically available memory
Use of recovery tools to access raw memory dumps
Hypervisor attacks in virtualized systems
Summary of security management
Security is not a solution but an ongoing process.
Security management is a struggle between four conflicting forces: security, functionality, cost and user qualification.
The main problem of security management is the high uncertainty in the cost factors:
Asset cost
Risk and threat analysis
Human factor
The main security design principles are defense-in-depth and layered protection.
Current vulnerability landscape
Operating systems: vulnerability decreasing
Few computers are connected directly to the Internet
Widespread deployment of firewalls (including on PCs)
Improving OS quality (fewer than 10 vulnerabilities per year)
Still occasional problems (e.g. the 17-year-old VDM bug in Windows XP to 7 allowing privilege escalation)
General network services: rarely seriously exploited
Mostly DDoS attacks
DNS cache poisoning (2008): gradual transition to DNSSEC
Web browsers: highly wanted!
Email programs: surprisingly quiet!
Applications: Office, PDF, Flash, browser plugins (!)
Service portfolio of Internet organized crime
End services: phishing, spam, DDoS extortion, eBay fraud, banking fraud, industrial espionage
Technical services: exploit trade, support services (including license keys), botnet leasing
Research and development: vulnerability research, development of obfuscation techniques
Other services:
"Bullet-proof" hosting (in countries with lacking Internet controls)
Domain-name falsification
"Botnet warfare"
Example of an exploit auction
Earning money with security violations
Study by T. Holz, M. Engelberth and F. Freiling at the University of Mannheim, April - October 2008.
Methodology: recovery of stolen credentials from dropzones.
Malware:
Limbo/Nethell: keylogger, infection via drive-by download
ZeuS/Zbot: keylogger, infection via spam attachments
Impersonation attacks using keyloggers
A keylogger is installed on a user machine by some attack vector.
The keylogger downloads configuration data from a dropzone.
The keylogger monitors keystrokes during access to specific websites and uploads them to a dropzone.
The attacker retrieves the credentials from the dropzone and sells them.
Analysis methodology
Collect malware samples from honeypots and spam traps.
Execute malware samples in a specially instrumented sandbox, record and analyze outgoing communication.
Contact a dropzone and download log files.
Assess the market value of stolen credentials using well-known estimates.
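The second step, analyzing the outgoing communication of a sample, amounts to finding the dropzone in the recorded traffic. The following is an added example (not code from the study or the lecture) of a first-pass heuristic over a sandbox network log that follows the keylogger flow described above: a host that first serves a download to the sample (the configuration fetch) and then receives repeated uploads to the same URL (the keystroke reports) is flagged as a dropzone candidate. The log format, the host names, the reserved-range addresses and the traffic are constructed for this example; real sandbox logs look different, and a real analysis would also correlate uploads with visits to the monitored sites.

```python
"""Added example, not from the study or the lecture: a first pass over the
outgoing traffic recorded while a keylogger sample runs in a sandbox, to
find candidate dropzones.  The log format, the hosts and the traffic below
are constructed for this example; real sandbox logs differ."""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List
from urllib.parse import urlsplit

# Constructed log lines: time, HTTP method, URL, response status, request body bytes.
SANDBOX_LOG = """\
10:00:01 GET  http://www.update-vendor.example/catalog.xml 200 0
10:00:04 GET  http://203.0.113.7/cfg/a1.bin 200 0
10:00:05 GET  http://www.example-bank.test/login 200 0
10:00:21 POST http://203.0.113.7/gate.php 200 612
10:00:22 GET  http://www.example-bank.test/account 200 0
10:01:40 POST http://203.0.113.7/gate.php 200 940
10:02:03 POST http://www.example-bank.test/transfer 200 210
10:05:00 GET  http://www.update-vendor.example/catalog.xml 304 0
"""

# Hosts the sandbox image contacts on its own (hypothetical); never candidates.
BENIGN_HOSTS = {"www.update-vendor.example"}


@dataclass
class HostActivity:
    first_get: str = ""                                   # time of first download
    post_paths: Dict[str, int] = field(default_factory=dict)  # path -> number of POSTs
    post_times: List[str] = field(default_factory=list)
    uploaded_bytes: int = 0


def parse_log(text: str) -> Dict[str, HostActivity]:
    """Group the log by destination host.  Times are same-day HH:MM:SS
    strings, so string comparison orders them correctly."""
    hosts: Dict[str, HostActivity] = defaultdict(HostActivity)
    for line in text.splitlines():
        if not line.strip():
            continue
        time, method, url, _status, body_bytes = line.split()
        parts = urlsplit(url)
        act = hosts[parts.hostname]
        if method == "GET":
            if not act.first_get:
                act.first_get = time
        elif method == "POST":
            act.post_paths[parts.path] = act.post_paths.get(parts.path, 0) + 1
            act.post_times.append(time)
            act.uploaded_bytes += int(body_bytes)
    return dict(hosts)


def dropzone_candidates(text: str, min_uploads: int = 2) -> List[str]:
    """Candidate dropzones, most uploaded bytes first.  Heuristic of this
    example: the host served a download to the sample before receiving at
    least min_uploads POSTs to one and the same path (a 'gate' script), and
    is not a host the sandbox talks to on its own.  A site the victim merely
    logs into shows one POST per form and does not qualify."""
    found = []
    for host, act in parse_log(text).items():
        if host in BENIGN_HOSTS or not act.first_get or not act.post_times:
            continue
        repeated = [p for p, n in act.post_paths.items() if n >= min_uploads]
        if repeated and act.post_times[0] > act.first_get:
            found.append((act.uploaded_bytes, host))
    return [host for _, host in sorted(found, reverse=True)]


if __name__ == "__main__":
    for host in dropzone_candidates(SANDBOX_LOG):
        act = parse_log(SANDBOX_LOG)[host]
        print(f"{host}: {act.uploaded_bytes} bytes uploaded to {list(act.post_paths)}")
```

The candidate list is only the starting point of step three: each flagged URL still has to be visited and its log files retrieved before any credential count can be made.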
Taking stock ("Kassensturz")
Credentials         Amount    Price range    Average value
Bank accounts       10,775    $10 - 1000     $5,387,500
Credit cards         5,682    $0.40 - 20     $56,820
Social network IDs  78,359    $1 - 15        $587,162
Auction accounts     7,105    $1 - 8         $28,420
Email passwords    149,458    $4 - 30        $2,540,786
Total              224,485                   $8,600,688
Summary
The threat landscape is highly dynamic, as it is driven by economic motivation and especially by organized crime.
There is no "final state of security".
Prevention is not always possible; intelligent response mechanisms are strongly needed.
Next lecture
Principles of secure communication
Symmetric cryptography
Asymmetric cryptography