
Transcript of J. A. Drew Hamilton, Jr.,...

Mississippi State University Center for Cyber Innovation 1

J. A. “Drew” Hamilton, Jr., Ph.D. Director, Center for Cyber Innovation

Professor, Computer Science & Engineering

CCI Post Office Box 9627 Mississippi State, MS 39762

Voice: (662) 325-2294 Fax: (662) 325-7692 [email protected]


Introduction to Ethical Hacking

Dr. Drew Hamilton

Section Objectives

•  Identify components of TCP/IP computer networking
•  Understand basic elements of information security
•  Understand incident management steps
•  Identify fundamentals of security policies
•  Identify essential terminology associated with ethical hacking
•  Define ethical hacker and classifications of hackers
•  Describe the five stages of ethical hacking
•  Define the types of system attacks
•  Identify laws, acts, and standards affecting IT security

Outline

•  CIA Triad
•  OSI and TCP/IP Review
•  Initial Set of Definitions
•  Risk Management
•  Applicable Laws


CIA Triad

Dr. Drew Hamilton

Understand and Apply Concepts of Confidentiality, Integrity & Availability

•  Confidentiality: protecting information from unauthorized disclosure;
•  Integrity: protecting information from unauthorized modifications, and ensuring that information is accurate and complete;
•  Availability: ensuring information is available when needed;

Virus researchers owe this man a debt of gratitude

(ISC)2 CBK Notes on “CIA”

•  Confidentiality
   –  Principle of least privilege
   –  Data Classification
   –  Controls
•  Integrity
   –  Limiting updates
   –  Verifying changes
•  Availability
   –  Denial of service
   –  Disaster recovery

1.  Not really an equilateral triangle
2.  Dependencies exist between confidentiality & integrity
3.  Integrity does not get enough attention

CIA Key Terms

•  Confidentiality
   –  Sensitivity, Discretion, Criticality, Concealment, Secrecy, Privacy, Seclusion, Isolation
•  Integrity
   –  Modifications, Errors, Consistency, Verification, Validation, Accountability, Responsibility, Completeness, Comprehensiveness
•  Availability
   –  Redundancy, Device Failure, Software Errors, Usability, Accessibility, Timeliness


Attacks, Services and Mechanisms

•  Security Attack: Any action that compromises the security of information.

•  Security Mechanism: A mechanism that is designed to detect, prevent, or recover from a security attack.

•  Security Service: A service that enhances the security of data processing systems and information transfers. A security service makes use of one or more security mechanisms.


Security Attacks

Stallings’ Taxonomy


Security Attacks

•  Interruption: This is an attack on availability

•  Interception: This is an attack on confidentiality

•  Modification: This is an attack on integrity

•  Fabrication: This is an attack on authenticity


Five Elements of AAA Services

•  Identify subject and initiate accountability

•  Authenticate the identity of subject

•  Authorize access of authenticated subject

•  Audit subject’s actions to provide accountability

•  Accountability ties a subject to their actions

Non-repudiation

•  “The order is final”
•  Nonrepudiation is the assurance that someone cannot deny something. Typically, nonrepudiation refers to the ability to ensure that a party to a contract or a communication cannot deny the authenticity of their signature on a document or the sending of a message that they originated.


OSI & TCP/IP Review

Dr. Drew Hamilton Dr. Chris Harrison, Sandia Laboratories

Matt Walker, CEH Certified Ethical Hacker Exam Guide 3rd Edition


Open System Interconnection Model

•  A model is an abstraction

•  Left hand identifies “units” at each layer

•  TCP/IP is what everyone uses and does not line up

Hardware in the OSI Model

Figure (not recoverable from the transcript): the seven OSI layers, numbered 1 to 7 (Physical, Data-Link, Network, Transport, Session, Presentation, Application), with the hardware drawn against them: NIC, Repeater, Hub, Bridge, Switch, VLAN, Router, Firewall, VPN, N-IDS, H-IDS, Gateway, Session Gateway, Service Gateway.

OSI Communication Between Devices


Mapping OSI to Protocols

Mapping OSI to TCP/IP

•  This is not an exact mapping
   –  OSI is a reference model
   –  TCP/IP is a collection of protocols

TCP/IP Using the OSI Model

OSI Model (layers)        TCP/IP Suite (layers)    Protocols shown
7  Application   }
6  Presentation  }        Application              FTP, HTTP, SMTP, APPC, Telnet, TFTP, SNMP, FTAM
5  Session       }                                 WinSock, NetBIOS
4  Transport              Host-to-Host             TCP, UDP
3  Network                Internet                 ICMP, DHCP, IP, ARP, RARP
2  Data Link     }        Network Access           LLC, MAC
1  Physical      }

Data Transmission – Digital vs Analog

Figure (not recoverable from the transcript): an analog waveform labelled with its amplitude, frequency and phase, beside the digital bit stream 0 0 0 1 1 0 1 1 0 1 0 0 1 0 1 1.

Data Transmission – Asynchronous vs Synchronous

Data Transmission – Broadband vs. Baseband

•  Narrowband
   –  Single channel
   –  telephone, modem
•  Baseband
   –  Comprises entire bandwidth
   –  Radar, TV
•  Broadband
   –  Splits bandwidth into channels
   –  DSL, T1


Ethernet Frame

Data field includes IP Packet


IPv4 Packet Header


Why IPv6?

•  Running out of Internet addresses?

IPv4 Address Classes

Class A
   –  Class ID: 0 (1 bit)
   –  Network ID: 126 IDs (7 bits)
   –  Host ID: 16,777,214 Host IDs (24 bits)
Class B
   –  Class ID: 1 0 (2 bits)
   –  Network ID: 16,382 IDs (14 bits)
   –  Host ID: 65,534 Host IDs (16 bits)
Class C
   –  Class ID: 1 1 0 (3 bits)
   –  Network ID: 2,097,150 IDs (21 bits)
   –  Host ID: 255 Host IDs (8 bits)
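As an added example (not from the slides), the classful split above carried out in Python: the class is read from the leading bits, the network-ID and host-ID fields are extracted with the slide's bit widths, and the number of assignable IDs is computed as 2^n - 2, the usual convention that excludes the all-zeros and all-ones patterns (which yields 254 hosts for a class C network). Classes D and E are an addition so that every address gets an answer; `ipaddress` is the standard library module.

```python
import ipaddress

# Classful layout as drawn on the slide: class-ID bit pattern, network-ID bits,
# host-ID bits. Classes D and E are an addition so every address is covered.
CLASSES = (
    ("A", "0",    7, 24),
    ("B", "10",  14, 16),
    ("C", "110", 21,  8),
    ("D", "1110", 0,  0),   # multicast: no network/host split
    ("E", "1111", 0,  0),   # reserved
)


def classify(addr):
    """Split a dotted-quad IPv4 address into its classful parts.

    Returns a dict with the class letter, the network-ID and host-ID field
    values, the classful prefix length, and the number of assignable network
    and host IDs (2**bits - 2, excluding the all-zeros and all-ones patterns).
    """
    value = int(ipaddress.IPv4Address(addr))
    bits = f"{value:032b}"
    for name, class_id, net_bits, host_bits in CLASSES:
        if not bits.startswith(class_id):
            continue
        if net_bits == 0:
            return {"class": name, "network_id": None, "host_id": None,
                    "prefix_len": None, "network_ids": 0, "host_ids": 0}
        return {
            "class": name,
            "network_id": (value >> host_bits) & ((1 << net_bits) - 1),
            "host_id": value & ((1 << host_bits) - 1),
            "prefix_len": len(class_id) + net_bits,
            "network_ids": (1 << net_bits) - 2,
            "host_ids": (1 << host_bits) - 2,
        }
    raise ValueError(addr)  # unreachable: every 32-bit pattern matches one class


def classful_network(addr):
    """Return the classful network an address falls in, e.g. '10.0.0.0/8'."""
    info = classify(addr)
    if info["prefix_len"] is None:
        raise ValueError(f"{addr} is class {info['class']}: no network/host split")
    return str(ipaddress.ip_network(f"{addr}/{info['prefix_len']}", strict=False))


if __name__ == "__main__":
    # 192.168.32.10 is the address the NAT slides later use; it is class C.
    for sample in ("10.1.2.3", "172.16.5.6", "192.168.32.10", "224.0.0.1"):
        info = classify(sample)
        net = classful_network(sample) if info["prefix_len"] else "(no classful network)"
        print(sample, net, info)
```

The classful network is what a router in this scheme would derive from the address alone, before subnet masks and CIDR made the prefix length explicit.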


TCP/IP – Packet Structures & Difference

TCP Header (each row 32 bits wide)
   –  Source Port | Destination Port
   –  Sequence Number
   –  Acknowledgement Number
   –  Data Offset | Window
   –  Checksum | Urgent Pointer
   –  Options | Padding
   –  Application Layer Data

UDP Header (each row 32 bits wide)
   –  Source Port | Destination Port
   –  Length | Checksum
   –  Application Layer Data

Service               TCP                                              UDP
Reliability           Returns ACKs when packets are received           Does not guarantee packet arrival
Connection            Connection-oriented; performs handshaking        Connectionless
Packet Sequence       Uses sequence numbers                            None
Congestion Controls   Can slow transmission to alleviate congestion    No flow control
Speed/Overhead        Slower and more resource intensive               Fast and Light

Rationale for IPv6

•  More options in header
•  Larger address space
•  Efficiency in addressing and routing
•  Stateless and stateful addressing
•  Security mechanisms
•  Quality of Service (QoS) support

IPv6 Header Format

TCP/IP – Differences between IPv4/IPv6

•  Multicasting is globally routable.
•  Stateless address autoconfiguration (SLAAC)
•  Added Labeling of Traffic Flow for improved QoS.
•  Jumbogram increase (64KO to 4GO)
•  Added extension support for authentication, data integrity, and data confidentiality.

IPv4 versus IPv6

IPv6 Packet (header; bit positions 0–31 across each row)
   –  32 bits:  Ver. | Traffic Class | Flow Label
   –  32 bits:  Payload Length | Next Header | Hop Limit
   –  128 bits: Source Address
   –  128 bits: Destination Address

IPv4 Packet (header; bit positions 0–31 across each row)
   –  32 bits: Ver. | IHL | Service Types | Total Length
   –  32 bits: Identification | Flags | Fragment Offset
   –  32 bits: Time to Live | Protocol | Header Checksum
   –  32 bits: Source Address
   –  32 bits: Destination Address

IP V6
•  Traffic class to support priority
•  Flow label (experimental) -- flow controllable -- can traffic be slowed in case of congestion?
•  Header simplified because of the option to add extension headers; the Next Header field either points to an extension header or else indicates which transport handler to pass the packet to.

IP V4
•  IHL describes how long the variable length header is
•  ToS – reliability vs. speed
•  Length – header & data
•  ID – dest uses to assemble fragments
•  Protocol – UDP, TCP etc.
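The two header layouts above can be checked against real bytes. As an added example, not from the slides or the cited exam guide, here is a Python parser for the fixed IPv4 and IPv6 headers that extracts the fields the slides name (IHL, ToS, Total Length, ID, Protocol, Traffic Class, Flow Label, Next Header, Hop Limit), rejects an IHL that is shorter than the minimum or longer than the data, verifies the IPv4 header checksum, and dispatches on the version nibble. The sample headers are constructed in the code from documentation address ranges; `build_ipv4_header` exists only to produce that sample.

```python
import ipaddress
import struct


def ipv4_checksum(header):
    """RFC 791 header checksum: one's-complement of the one's-complement sum of
    the header's 16-bit words. Over a header whose checksum field is already
    filled in, a correct header sums to 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4(data):
    """Decode the IPv4 header fields shown on the slide and check IHL and checksum."""
    if len(data) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, tos, total_len, ident, flags_frag,
     ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", data[:20])
    ihl = (ver_ihl & 0x0F) * 4               # IHL counts 32-bit words
    if ihl < 20 or ihl > len(data):
        raise ValueError(f"bad IHL {ihl}")   # malformed header: a parser must reject it
    return {
        "version": ver_ihl >> 4, "ihl": ihl, "tos": tos, "total_length": total_len,
        "identification": ident, "flags": flags_frag >> 13,
        "fragment_offset": flags_frag & 0x1FFF, "ttl": ttl, "protocol": proto,
        "checksum_ok": ipv4_checksum(data[:ihl]) == 0,
        "src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
        "options": data[20:ihl],
    }


def parse_ipv6(data):
    """Decode the 40-byte fixed IPv6 header; IPv6 has no header checksum."""
    if len(data) < 40:
        raise ValueError("truncated IPv6 header")
    first, payload_len, next_hdr, hop_limit, src, dst = struct.unpack("!IHBB16s16s", data[:40])
    return {
        "version": first >> 28, "traffic_class": (first >> 20) & 0xFF,
        "flow_label": first & 0xFFFFF, "payload_length": payload_len,
        "next_header": next_hdr, "hop_limit": hop_limit,
        "src": str(ipaddress.IPv6Address(src)), "dst": str(ipaddress.IPv6Address(dst)),
    }


def parse_ip(data):
    """Dispatch on the version nibble, which both headers place in the first 4 bits."""
    version = data[0] >> 4
    if version == 4:
        return parse_ipv4(data)
    if version == 6:
        return parse_ipv6(data)
    raise ValueError(f"unknown IP version {version}")


def build_ipv4_header(src, dst, payload_len, proto=6, ttl=64, ident=0x1234):
    """Constructed sample header (no options, DF set) with a valid checksum, for the demo."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident, 0x4000,
                      ttl, proto, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


# Constructed samples using documentation address ranges.
SAMPLE_V4 = build_ipv4_header("192.0.2.1", "198.51.100.7", payload_len=20)
SAMPLE_V6 = struct.pack("!IHBB16s16s", (6 << 28) | 0xABCDE, 20, 6, 64,
                        ipaddress.IPv6Address("2001:db8::1").packed,
                        ipaddress.IPv6Address("2001:db8::2").packed)

if __name__ == "__main__":
    print(parse_ip(SAMPLE_V4))
    print(parse_ip(SAMPLE_V6))
```

The IHL check matters more than it looks: the options region is `data[20:ihl]`, so a header that claims more words than were received would otherwise read past the buffer.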


Network Address Translation (NAT) (Cisco)

•  Developed by Cisco, Network Address Translation is used by a device (firewall, router or computer) that sits between an internal network and the rest of the world.

•  NAT has many forms and can work in several ways

Static NAT

•  Static NAT - Mapping an unregistered IP address to a registered IP address on a one-to-one basis. Particularly useful when a device needs to be accessible from outside the network.
   –  unregistered means a host with an IP address but no domain name registered in the DNS.

In static NAT, the computer with the IP address of 192.168.32.10 will always translate to 213.18.123.110.

Dynamic NAT

•  Dynamic NAT - Maps an unregistered IP address to a registered IP address from a group of registered IP addresses.

In dynamic NAT, the computer with the IP address 192.168.32.10 will translate to the first available address in the range from 213.18.123.100 to 213.18.123.150.

Overloading

•  Overloading - A form of dynamic NAT that maps multiple unregistered IP addresses to a single registered IP address by using different ports.
•  This is also known as PAT (Port Address Translation), single address NAT or port-level multiplexed NAT.

In overloading, each computer on the private network is translated to the same IP address (213.18.123.100), but with a different port number assignment.
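As an added example (not part of the slides), the following Python model carries the three forms of NAT above through the slides' own addresses: 192.168.32.10 mapped statically to 213.18.123.110, leased dynamically from the range 213.18.123.100 to 213.18.123.150, or sharing 213.18.123.100 under PAT with rewritten source ports. The class name, the port range used for PAT and the handling of pool exhaustion are assumptions of the example. The `inbound` method shows the defensive side effect the slides do not spell out: with dynamic NAT and PAT, an inbound packet for which no translation exists has nowhere to go and is dropped.

```python
class NatTable:
    """Toy NAT translator covering the three forms on the slides.

    Exactly one form is configured per instance:
      static - a fixed inside->outside map (one-to-one)
      pool   - a list of registered addresses leased first come, first served
      pat    - one registered address shared by rewriting source ports
    Addresses in the demo are the slides' own; the PAT port range is an assumption.
    """

    def __init__(self, static=None, pool=None, pat=None, pat_ports=(1024, 65535)):
        self.static = dict(static or {})
        self.pool = list(pool or [])
        self.leases = {}        # dynamic NAT: inside ip -> leased outside ip
        self.pat = pat
        self.pat_map = {}       # PAT: (inside ip, inside port) -> outside port
        self.pat_rev = {}       # PAT: outside port -> (inside ip, inside port)
        self._ports = iter(range(*pat_ports))

    def outbound(self, inside_ip, inside_port):
        """Rewrite the source of a packet leaving the private network.
        Returns (outside ip, outside port), or None if no translation can be made."""
        if self.static:
            if inside_ip not in self.static:
                return None     # static NAT only knows the hosts it was configured with
            return self.static[inside_ip], inside_port
        if self.pool or self.leases:
            if inside_ip not in self.leases:
                if not self.pool:
                    return None  # pool exhausted: the packet cannot leave
                self.leases[inside_ip] = self.pool.pop(0)   # "first available address"
            return self.leases[inside_ip], inside_port
        if self.pat:
            key = (inside_ip, inside_port)
            if key not in self.pat_map:
                try:
                    port = next(self._ports)
                except StopIteration:
                    return None  # port space exhausted
                self.pat_map[key] = port
                self.pat_rev[port] = key
            return self.pat, self.pat_map[key]
        return None

    def inbound(self, outside_ip, outside_port):
        """Map a packet arriving from the Internet back to the inside host.
        None means no translation exists, so the packet is dropped: this is why
        dynamic NAT and PAT incidentally block unsolicited inbound connections."""
        for inside, outside in {**self.static, **self.leases}.items():
            if outside == outside_ip:
                return inside, outside_port
        if outside_ip == self.pat:
            return self.pat_rev.get(outside_port)
        return None


def demo():
    """Walk the slides' three scenarios; returns every translation made."""
    static = NatTable(static={"192.168.32.10": "213.18.123.110"})
    dynamic = NatTable(pool=[f"213.18.123.{n}" for n in range(100, 151)])
    pat = NatTable(pat="213.18.123.100")
    return {
        "static": static.outbound("192.168.32.10", 40000),
        "static_inbound": static.inbound("213.18.123.110", 80),
        "dynamic_first": dynamic.outbound("192.168.32.10", 40000),
        "dynamic_second_host": dynamic.outbound("192.168.32.11", 40000),
        "dynamic_same_host_again": dynamic.outbound("192.168.32.10", 40001),
        "pat_host1": pat.outbound("192.168.32.10", 40000),
        "pat_host2": pat.outbound("192.168.32.11", 40000),
        "pat_reply_to_host2": pat.inbound("213.18.123.100", 1025),
        "pat_unsolicited": pat.inbound("213.18.123.100", 9999),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:24s} {result}")
```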

Overlapping

•  Overlapping - When the IP addresses used on your internal network are registered IP addresses in use on another network, the router must maintain a lookup table of these addresses so that it can intercept them and replace them with registered unique IP addresses.
   –  It is important to note that the NAT router must translate the "internal" addresses to registered unique addresses as well as translate the "external" registered addresses to addresses that are unique to the private network.
   –  This can be done either through static NAT or by using DNS and implementing dynamic NAT.
•  The internal IP range (237.16.32.xx) is also a registered range used by another network.
   –  Therefore, the router is translating the addresses to avoid a potential conflict with another network.
   –  It will also translate the registered global IP addresses back to the unregistered local IP addresses when information is sent to the internal network.

Applying packet filtering rules

•  Apply rules in the order specified
   –  Reordering makes it more difficult to analyze what is going on
   –  Any quirks or bugs in the rule set may be obscured
   –  Reordering rules can break a rule set that would otherwise work correctly
•  Example
   –  Rule A permits the university network to reach your research subnet
   –  Rule B locks out a hostile subnet at the university out of everything else
   –  Rule C disallows Internet access to your subnet
      •  Rule order ABC -- Packet from hostile subnet allowed to research subnet (rule A)
      •  Rule order BAC -- Packet from hostile subnet denied access to research subnet (rule B)
   –  Rules may have limited granularity
•  Allow rules to be applied separately to incoming and outgoing packets on a per-interface basis
   –  provides maximum flexibility
   –  when only outgoing packets can be viewed then:
      •  The filtering system is always “outside” of its filters
      •  More difficult to detect forged packets
   –  Forgery is most easily detected when the packet enters from outside the system
   –  Routers can generate packets themselves and sometimes process internal packets (due to fixed paths for example).
•  Allow option to log accepted or dropped packets
•  Support good testing and validation capabilities
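The rule-order example above, as an added illustration that is not from the slides: a first-match filter in Python with the three rules, evaluated in order ABC and BAC for a packet from the hostile subnet to the research subnet. The prefixes for the university network, the hostile subnet and the research subnet are constructed for the example, since the slide names the networks but not their addresses. `order_sensitive_pairs` is the check a reviewer would run before accepting any reordering: it lists every pair of rules whose match sets overlap but whose actions differ, which is exactly where a reorder changes a verdict.

```python
import ipaddress
from collections import namedtuple

Rule = namedtuple("Rule", "name action src dst")

# Constructed addressing (assumption): the slide names the networks but not their prefixes.
UNIVERSITY = ipaddress.ip_network("10.0.0.0/16")
HOSTILE = ipaddress.ip_network("10.0.7.0/24")       # a hostile subnet inside the university
RESEARCH = ipaddress.ip_network("10.0.200.0/24")    # your research subnet
ANY = ipaddress.ip_network("0.0.0.0/0")

RULE_A = Rule("A", "permit", UNIVERSITY, RESEARCH)  # university may reach research
RULE_B = Rule("B", "deny", HOSTILE, ANY)            # hostile subnet locked out of everything
RULE_C = Rule("C", "deny", ANY, RESEARCH)           # no Internet access to research


def evaluate(rules, src, dst, default="deny"):
    """First-match packet filter: rules are tried in the order given and the
    first rule whose source and destination both match decides the packet.
    Returns (action, name of the deciding rule)."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if src_ip in rule.src and dst_ip in rule.dst:
            return rule.action, rule.name
    return default, "default"


def order_sensitive_pairs(rules):
    """Report (earlier, later) rule pairs whose match sets overlap but whose
    actions differ: these are the pairs for which reordering changes a verdict."""
    pairs = []
    for i, earlier in enumerate(rules):
        for later in rules[i + 1:]:
            if (earlier.action != later.action
                    and earlier.src.overlaps(later.src)
                    and earlier.dst.overlaps(later.dst)):
                pairs.append((earlier.name, later.name))
    return pairs


if __name__ == "__main__":
    packet = ("10.0.7.25", "10.0.200.40")   # hostile subnet -> research subnet
    print("ABC:", evaluate([RULE_A, RULE_B, RULE_C], *packet))
    print("BAC:", evaluate([RULE_B, RULE_A, RULE_C], *packet))
    print("order-sensitive pairs:", order_sensitive_pairs([RULE_A, RULE_B, RULE_C]))
```

Rules B and C never appear as a pair: both deny, so swapping them cannot change any verdict, which is the one reordering this rule set tolerates.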

TCP Review & Syn Flooding

•  The establishment of a TCP connection typically requires the exchange of three Internet packets between two machines in an interchange known as the TCP three-way handshake. Here's how it works:
   –  SYN: A TCP client (such as a web browser, ftp client, etc.) initiates a connection with a TCP server by sending a SYN packet to the server.
   –  SYN/ACK: When a connection-requesting SYN packet is received at an ‘open’ TCP service port, the server's operating system replies with a connection-accepting SYN/ACK packet.
   –  ACK: When the client receives the server's acknowledging SYN/ACK packet for the pending connection, it replies with an ACK packet.
•  Traditional SYN flooding DoS attacks are
   –  either one-on-one
      •  (one machine sending out enough SYN packets to the target machine to effectively choke off access to the other machine)
   –  or many-on-one
      •  (SYN flooding ‘zombie’ programs loaded by the attacker into compromised machines and commanded by the attacker to send huge volumes of SYN commands to the target machine).

Review of SYN Packets

SYN: A TCP client (such as a web browser, ftp client, etc.) initiates a connection with a TCP server by sending a "SYN" packet to the server.

SYN/ACK: When a connection-requesting SYN packet is received at an "open" TCP service port, the server's operating system replies with a connection-accepting "SYN/ACK" packet.

ACK: When the client receives the server's acknowledging SYN/ACK packet for the pending connection, it replies with an ACK packet.


SYN Packet with Deliberately Spoofed Return Address

Through the use of "Raw Sockets", the packet's "return address" (source IP) can be overridden and falsified. When a SYN packet with a spoofed source IP arrives at the server, it appears as any other valid connection request.


Raw Socket Review

•  Data is exchanged across the Internet by either establishing a bi-directional "TCP Connection" between two machines, or by sending a uni-directional "UDP Datagram" message from one machine to another. Both of these data transferring operations employ standard sockets.


Raw Sockets Review

•  Smooth and orderly traffic flow across the Internet requires machines to inform each other of various non-data events such as closed ports, network congestion, unreachable IP addresses, etc. The ICMP (Internet Control Message Protocol) was created to fill this need.

•  The operating system's built-in TCP/IP stack automatically and transparently generates and receives most of these "Internet plumbing" ICMP messages on behalf of the machine. To facilitate the creation of Internet plumbing applications, such as "ping" and "traceroute", which also employ ICMP messages, the Berkeley designers allowed programmers to manually generate and receive their own ICMP, and other, message traffic. As shown in the diagram, the Berkeley Sockets system provides this power through the use of a so-called "Raw Socket".

•  A Raw Socket short-circuits the TCP/IP stack to open a "backdoor" directly into the underlying network data transport.

–  This provides full and direct "packet level" Internet access to any Unix sockets programmer.

SYN Packet: Destination Unknown

•  The server will allocate the required memory buffers, record the information about the new connection, and send an answering SYN/ACK packet back to the client.
•  But since the source IP contained in the SYN packet was deliberately falsified (it is often a random number), the SYN/ACK will be sent to a random IP address on the Internet.
•  If the packet were addressed to a valid IP, the machine at that address might reply with a "RST" (reset) packet to let the server know that it did not request a connection.
•  But with over 4 billion Internet addresses, the chances are that there will be no machine at the address and the packet will be discarded.
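As an added example, not from the slides, the following Python model covers the three-way handshake slides and the spoofed-SYN slides together: a listener that allocates a half-open entry on every SYN, completes it on ACK, releases it on RST or on timeout, and refuses new SYNs once its backlog is full, so that a legitimate client arriving during the flood is turned away until the unanswered entries expire. The backlog size, the timeout, the constructed event log and the `unanswered_syns` detection helper are all assumptions of the example; the model sends no packets.

```python
class Listener:
    """Model of a listening TCP socket's queue of half-open (SYN-received) connections.

    Backlog size and SYN/ACK timeout are assumptions chosen for the demo; real
    stacks use larger queues, retransmit the SYN/ACK several times and may fall
    back to SYN cookies. Each handler returns a short string saying what the
    server did so the behaviour can be checked.
    """

    def __init__(self, backlog=3, syn_timeout=3.0):
        self.backlog = backlog
        self.syn_timeout = syn_timeout
        self.half_open = {}      # (client ip, port) -> time the SYN/ACK was sent
        self.established = set()
        self.dropped = 0

    def expire(self, now):
        """Free half-open entries whose SYN/ACK was never answered within the timeout."""
        stale = [c for c, t in self.half_open.items() if now - t > self.syn_timeout]
        for c in stale:
            del self.half_open[c]
        return len(stale)

    def on_syn(self, client, now):
        self.expire(now)
        if client in self.half_open:
            return "syn/ack (retransmit)"
        if len(self.half_open) >= self.backlog:
            self.dropped += 1
            return "dropped: backlog full"  # every new client, legitimate or not, is refused
        self.half_open[client] = now        # state allocated on nothing more than a SYN
        return "syn/ack"

    def on_ack(self, client, now):
        if client not in self.half_open:
            return "rst"                    # no pending connection for this peer
        del self.half_open[client]
        self.established.add(client)
        return "established"

    def on_rst(self, client):
        """A host that never sent the SYN answers our SYN/ACK with RST: release the slot."""
        return self.half_open.pop(client, None) is not None


# Constructed event log for the detector: (time, segment type, client). The four
# SYNs from 198.51.100.x are never followed by an ACK.
EVENTS = [
    (0.00, "SYN", ("203.0.113.5", 40001)), (0.10, "ACK", ("203.0.113.5", 40001)),
    (1.00, "SYN", ("198.51.100.11", 50000)), (1.01, "SYN", ("198.51.100.12", 50001)),
    (1.02, "SYN", ("198.51.100.13", 50002)), (1.03, "SYN", ("198.51.100.14", 50003)),
]


def unanswered_syns(events, window, now):
    """Count SYNs within the last `window` seconds that no ACK from the same
    client ever followed. Counted in aggregate rather than per source, because
    forged sources make every per-source count look like a harmless 1."""
    acked = {c for _, kind, c in events if kind == "ACK"}
    return sum(1 for t, kind, c in events
               if kind == "SYN" and c not in acked and now - t <= window)


def scenario():
    """Replay the slides' story against the model; returns (server replies, listener)."""
    srv = Listener(backlog=3, syn_timeout=3.0)
    log = []
    good = ("203.0.113.5", 40001)
    log.append(srv.on_syn(good, 0.0))
    log.append(srv.on_ack(good, 0.1))            # a normal handshake completes
    for i, host in enumerate(("198.51.100.11", "198.51.100.12",
                              "198.51.100.13", "198.51.100.14")):
        log.append(srv.on_syn((host, 50000 + i), 1.0 + i * 0.01))  # never acknowledged
    late = ("203.0.113.6", 40002)
    log.append(srv.on_syn(late, 1.5))            # legitimate client refused: queue full
    log.append(srv.on_syn(late, 5.0))            # stale entries expired, service resumes
    return log, srv


if __name__ == "__main__":
    replies, listener = scenario()
    print(replies, "dropped:", listener.dropped)
    print("unanswered SYNs in window:", unanswered_syns(EVENTS, window=10, now=2.0))
```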


Initial Set of Definitions

Dr. Drew Hamilton
Matt Walker, CEH Certified Ethical Hacker Exam Guide 3rd Edition

National Information Assurance Partnership
Partnership to meet the security testing needs of IT producers

The National Information Assurance Partnership (NIAP), in conjunction with the U.S. State Department, negotiated a Recognition Arrangement that provides recognition of Common Criteria certificates by 19 nations: Canada, United Kingdom, France, Germany, Australia, New Zealand, Greece, Norway, Finland, Italy, Israel, Spain, The Netherlands, Japan, Hungary, Austria, Sweden, Turkey, United States

Common Criteria Evaluation and Validation Scheme (CCEVS)

•  Objective
   –  Test Security Properties of Commercial Products
•  Approach
   –  Tests performed by Accredited Commercial Laboratories
   –  Validity/Integrity of results underwritten by NIAP
   –  Results posted for public access
•  Evaluates conformance of the security features of IT products to the International Common Criteria (CC) for Information Technology Security Evaluation.
•  Issues Certificates to vendors for successful completion of evaluations.
   –  Not an NSA or NIST endorsement
   –  Not a statement about goodness of product


Example Common Criteria Certificate

Common Criteria & Related Documents

Timeline of the source documents (as drawn on the slide):
   –  1983-85: US-DOD TCSEC
   –  1989-93: European National/Regional Initiatives
   –  1989-93: Canadian Initiatives
   –  1990: US-NIST MSFR
   –  1991: Europe ITSEC
   –  1992: Federal Criteria
   –  1993: Canada TCPEC
   –  1993-98: Common Criteria
   –  1999: ISO 15408 Common Criteria

Scope of the Common Criteria

•  Within the scope of the CC:
   –  Specification of security properties of IT products and systems to address:
      •  Confidentiality - Unauthorized disclosure
      •  Integrity - Unauthorized modification
      •  Availability - Loss of use
   –  Applicable to IT security countermeasures implemented in HW, SW, and firmware
•  Outside the scope of the CC:
   –  “People-based” and physical security measures
   –  Administration, Legal, Procedural Issues
   –  Certification and Accreditation
   –  Evaluation Methodology
   –  Cryptographic “algorithm” definition (the CC evaluation only addresses use of crypto, not strength of crypto algorithm)

IT Security Requirements

The Common Criteria defines two types of IT security requirements:

Functional Requirements - for defining security behavior of the IT product or system:
   •  implemented requirements become security functions
   Examples: Identification & Authentication, Audit, User Data Protection, Cryptographic Support

Assurance Requirements - for establishing confidence in security functions:
   •  correctness of implementation
   •  effectiveness in satisfying security objectives
   Examples: Development, Configuration Management, Life Cycle Support, Testing, Vulnerability Analysis

Evaluation Assurance Levels

Common Criteria defines seven hierarchical assurance levels—effective 28 March 2012 NIAP will no longer specify EALs.

EAL    Designation
EAL1   Functionally Tested
EAL2   Structurally Tested
EAL3   Methodically Tested & Checked
EAL4   Methodically Designed, Tested & Reviewed
EAL5   Semiformally Designed & Tested
EAL6   Semiformally Verified Design & Tested
EAL7   Formally Verified Design & Tested

NSTISSP #11 Guidance IA & IA-Enabled Products

Figure (not recoverable from the transcript) relating the types of IA products to their evaluation route and level of robustness:
   –  Types of IA Products / Levels of Robustness: basic robustness products, medium robustness products, high robustness products
   –  NSA Involvement in Product Evaluation: NSA Evaluated Product List; Type 1 Crypto for Classified
   –  NIAP - Certified CCTL Evaluations: EAL 0 through 7 (EAL 4+ marked)
   –  Crypto Modules and Algorithms: FIPS evaluated under CMVP (FIPS 140-1 or 140-2), Levels 1 to 4; Validated Product List: http://csrc.nist.gov/cryptval
   –  CMVP Labs: Atlan, Cygnacom (CEAL), CoACT, EWA, Domus, InfoGard
   –  NIAP Labs: Booz Allen Hamilton, Cable & Wireless, CoACT, Criterian, CSC, Cygnacom, InfoGard, SAIC
   –  Products: http://niap.nist.gov/cc-scheme/ValidatedProducts.html and http://www.commoncriteria.org/ep/index.html

What Does EAL 4 Really Mean?

•  “It’s secure as long as nothing is connected to it” – NSA security evaluator
•  “Security experts have been saying the security of the Windows family of products is hopelessly inadequate. Now there is a rigorous government certification confirming this.” – Jonathan Shapiro, Johns Hopkins computer security expert
•  EAL4 “is the highest level at which it is likely to be economically feasible to retrofit an existing product line.” – Common Criteria v2.1
•  EAL4 means: Certified Hackable

‘Target’ of an evaluation

•  Evaluation criteria cover products, e.g. operating systems & systems, i.e. collections of products for a specific use.

•  Product evaluation needs a set of generic requirements - provided by classes of Orange Book and profiles of ITSEC, Common Criteria.

•  System evaluation needs reqs. capture to be part of evaluation – covered by ITSEC (European Consortium -- UK, France, Germany, Netherlands).

Protection Profiles (generic) & Security Targets (specific)

Protection Profile
•  Introduction
•  TOE Description
•  Security Environment
   –  Assumptions
   –  Threats
   –  Organizational security policies
•  Security Objectives
•  Security Requirements
   –  Functional requirements
   –  Assurance requirements
•  Rationale

Security Target
•  Introduction
•  TOE Description
•  Security Environment
   –  Assumptions
   –  Threats
   –  Organizational security policies
•  Security Objectives
•  Security Requirements
   –  Functional requirements
   –  Assurance requirements
•  TOE Summary Spec.
•  Protection Profile Claims
•  Rationale

Examples of Profiles & Targets

•  Protection Profiles (Product Independent)
   –  Operating Systems
   –  Firewalls (Packet Filter and Application)
   –  Smart cards (Stored value and other)
•  Security Targets (Product Specific)
   –  Oracle Database Management System
   –  Lucent, Cisco, Checkpoint Firewalls

Pay to Play Federal Register / Vol. 72, No. 122 / Tuesday, June 26, 2007 / Notices


Other Definitions

Dr. Drew Hamilton


Security, Functionality, Usability


ECC Defined Zones

•  Internet
•  Internet DMZ (more later on this)
   –  Screened subnet architecture
•  Production Network Zone
   –  Outside user space
   –  Very restricted access from uncontrolled sites
•  Intranet Zone
   –  Internal but limited controls
   –  Research networks
•  Management Network Zone
   –  VLANs
   –  VPNs

Security Policies

•  Access Control Policy
   –  Mandatory Access Control (MAC)
   –  Discretionary Access Control (DAC)
•  Information Security Policy
   –  Describes what company equipment can be used for and not used for.
•  Information Protection Policy
   –  Information sensitivity levels (DoD = confidentiality levels)
•  Password Policy
   –  Ex. DoD Green Book
•  E-Mail Policy
•  Information Audit Policy
   –  Framework for audit – 5w&h audit
   –  RMF, DIACAP and DITSCAP have some overlap

Hacker Classification and Attack Types

•  Classification
   –  White Hats
   –  Black Hats
   –  Gray Hats
•  Attack Types
   –  OS Attacks
      •  Windows
   –  Application Level Attacks
      •  Macro Viruses
   –  Shrink-wrap Code Attacks
      •  Easter Eggs
   –  Misconfiguration Attacks
      •  Ex BGP

Hacking Phases


The Ethical Hacker

•  Ethical Hacker
•  Cracker (Malicious Hacker)
•  Get out of Jail Free Card
•  Pen Testing
   –  Black Box
   –  White Box
   –  Gray Box

Organizational Security Model

Security planning can be broken down into three areas:
•  strategic - long term goals
•  tactical - medium term goals
•  operational - short term goals

A security program is more than just having a security policy and annual network assessment. There are existing security frameworks that can be utilized:
•  ISACA’s COBIT defines goals for controls for managing IT and ensuring it maps to business needs. Four domains:
   o  Plan and Organize
   o  Acquire and Implement
   o  Deliver and Support
   o  Monitor and Evaluate

Some Applicable Laws

Dr. Drew Hamilton Dr. C.W. Perr, Sandia Laboratories

Overview

•  Computer crimes and computer laws
•  Motives and profiles of attackers
•  Various types of evidence
•  Laws and acts put into effect to fight computer crime
•  Computer crime investigation process and evidence collection
•  Incident-handling procedures
•  Ethics pertaining to information security professionals and best practices

The short intro

•  Computer crime is the natural response of criminals to the dependence on information technology as well as the increase in complexity which helps to mask their nefarious deeds.

•  How does this affect the company? You want to ensure compliance with regulation to protect the bottom line and company’s image.

The Crux of Computer Crime Laws

•  Three main categories
   –  Computer assisted crime – computer was a tool to help carry out the crime
   –  Computer targeted crime – the computer was the victim of an attack crafted to harm it (and its owners) specifically.
   –  Computer is incidental – a computer just happened to be involved.

Computer Assisted Crime

Some examples of computer-assisted crimes are:
•  Attacking financial systems to carry out theft of funds and/or sensitive information
•  Obtaining military and intelligence material by attacking military systems
•  Carrying out industrial spying by attacking competitors and gathering confidential business data
•  Carrying out information warfare activities by attacking critical national infrastructure systems
•  Carrying out hacktivism, which is protesting a government or company’s activities by attacking their systems and/or defacing their web sites

Computer-targeted crimes

Some examples of computer-targeted crimes include:
•  Distributed Denial-of-Service (DDoS) attacks
•  Capturing passwords or other sensitive data
•  Installing malware with the intent to cause destruction
•  Installing rootkits and sniffers for malicious purposes
•  Carrying out a buffer overflow to take control of a system

Rule of Thumb

One way to look at it is that a computer-targeted crime could not take place without a computer, whereas a computer-assisted crime could.

Now, this in no way means countries can just depend upon the laws on the books and that every computer crime can be countered by an existing law. Many countries have had to come up with new laws that deal specifically with different types of computer crimes. For example, the following are just some of the laws that have been created or modified in the United States to cover the various types of computer crimes:
•  18 USC 1029: Fraud and Related Activity in Connection with Access Devices
•  18 USC 1030: Fraud and Related Activity in Connection with Computers
•  18 USC 2510 et seq.: Wire and Electronic Communications Interception and Interception of Oral Communications
•  18 USC 2701 et seq.: Stored Wire and Electronic Communications and Transactional Records Access
•  The Digital Millennium Copyright Act
•  The Cyber Security Enhancement Act of 2002

We have laws, so we should be good, right?

•  Nope. Getting the identity of the criminals is hard. They spoof their addresses and jump through other systems.
•  VOCAB:
   –  Botnets – A group of zombies.
   –  Zombies - The attacker will install malicious software on a computer using many types of methods: e-mail attachments, a user downloading a Trojan horse from a web site, exploiting a vulnerability, and so on. Once the software is loaded, it stays dormant until the attacker tells it what systems to attack and when.

The LAW

•  That the FBI and other agencies are charged with investigating cyber crime doesn’t mean that they have the time.

Electronic Assets

•  Data is now an asset. Examples: (product blueprints, Social Security numbers, medical information, credit card numbers, personal information, trade secrets, military deployment and strategies, and so on).

Hacking used to be just for fun.

•  Organized crime made hacking a whole lot worse…

Different Countries

•  If a hacker in the Ukraine hacked a bank in France, who has jurisdiction? (Answer: Walker Texas Ranger is on it…).

Solution

•  There is often little reason for governments to work together, and no single body has jurisdiction.
•  The Council of Europe (CoE) Convention on Cybercrime is one example of an attempt to create a standard international response to cybercrime.
•  In fact, it is the first international treaty seeking to address computer crimes by coordinating national laws and improving investigative techniques and international cooperation.
•  The Convention's objectives include the creation of a framework for establishing jurisdiction and extradition of the accused.
•  For example, extradition can only take place when the event is a crime in both jurisdictions (the dual-criminality requirement).

Organization for Economic Co-operation and Development (OECD) Guidelines

•  The OECD is an international organization that helps different governments come together and tackle the economic, social, and governance challenges of a globalized economy.


Core principles defined by the OECD

The OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data define eight core principles, which are as follows:
•  Collection limitation: collection of personal data should be limited, obtained by lawful and fair means, and with the knowledge of the subject.
•  Data quality: personal data should be kept complete and current, and be relevant to the purposes for which it is being used.
•  Purpose specification: subjects should be notified of the reason for the collection of their personal information at the time that it is collected, and organizations should only use it for that stated purpose.
•  Use limitation: only with the consent of the subject or by the authority of law should personal data be disclosed, made available, or used for purposes other than those previously stated.
•  Security safeguards: reasonable safeguards should be put in place to protect personal data against risks such as loss, unauthorized access, modification, and disclosure.
•  Openness: developments, practices, and policies regarding personal data should be openly communicated. In addition, subjects should be able to easily establish the existence and nature of personal data, its use, and the identity and usual residence of the organization in possession of that data.
•  Individual participation: subjects should be able to find out whether an organization has their personal information and what that information is, to correct erroneous data, and to challenge denied requests to do so.
•  Accountability: organizations should be accountable for complying with measures that support the previous principles.

Expansion

•  European privacy law is usually stricter than U.S. law, so a U.S. company expanding into Europe has to comply with the European rules before it can move personal data across the Atlantic.
•  Safe Harbor requirements... a safe harbor is a provision or statute that reduces or eliminates a party's legal liability, usually to encourage desirable practices. The U.S.–EU Safe Harbor framework let U.S. companies self-certify that they met the EU standard. (The framework was struck down by the EU Court of Justice in 2015, and its successor, Privacy Shield, in 2020; check the current transfer mechanism before relying on either name.)
•  European Union Principles on Privacy - a set of principles in six areas that address using and transmitting information considered sensitive in nature. All EU member states must abide by these six principles to be in compliance.

Civil Law

•  Civil law deals with wrongs against individuals or companies that result in damages or loss.
•  This is referred to as tort law.
•  Examples include trespassing, battery, negligence, and products liability.
•  A civil lawsuit would result in financial restitution and/or community service instead of a jail sentence.
•  When someone sues another person in civil court, the jury decides upon liability instead of innocence or guilt.
•  If the jury determines the defendant is liable for the act, then the jury decides upon the damages of the case, which may include punitive damages on top of compensation for the actual loss.

Criminal Law

•  Criminal law is used when an individual's conduct violates the government laws, which have been developed to protect the public.
•  Jail sentences are commonly the punishment for criminal law cases, whereas in civil law cases the punishment is usually an amount of money that the liable individual must pay the victim.
•  For example, in the O.J. Simpson case, he was first tried and found not guilty in the criminal law case, but then was found liable in the civil law case.
•  This seeming contradiction can happen because the burden of proof is lower in civil cases (a preponderance of the evidence) than in criminal cases (beyond a reasonable doubt).

Administrative/Regulatory Law

•  Administrative/regulatory law deals with regulatory standards that govern performance and conduct.
•  Government agencies create these standards, which are usually applied to companies and individuals within those specific industries.
•  Some examples of administrative laws could be that every building used for business must have a fire detection and suppression system, must have easily seen exit signs, and cannot have blocked doors, in case of a fire.
•  Companies that produce and package food and drug products are regulated by many standards so the public is protected and aware of their actions.
•  If a case was made that specific standards were not abided by, high officials in the companies could be held accountable, as in a company that makes tires that shred after a couple of years of use.
•  The people who held high positions in this company were most likely aware of these conditions but chose to ignore them to keep profits up.
•  Under administrative, criminal, and civil law, they may have to pay dearly for these decisions.

Intellectual Property Law

A trade secret is something that is proprietary to a company and important for its survival and profitability. An example of a trade secret is the formula used for a soft drink, such as Coke or Pepsi. Unlike a patent, a trade secret is never registered or published, and it stays protected only for as long as the company takes reasonable measures to keep it secret.

•  Copyright law protects the right of an author to control the public distribution, reproduction, display, and adaptation of his original work.
•  The law covers many categories of work: pictorial, graphic, musical, dramatic, literary, pantomime, motion picture, sculptural, sound recording, and architectural.
•  Copyright law does not cover the specific resource, as trade secret law does; it protects the expression of an idea rather than the idea or resource itself. Source code is protected as a literary work, but the algorithm it implements is not.

A trademark is slightly different from a copyright in that it is used to protect a word, name, symbol, sound, shape, color, or combination of these. The reason a company would trademark one of these, or a combination, is that it represents their company (brand identity) to a group of people or to the world.

Patents are given to individuals or companies to grant them legal ownership of, and enable them to exclude others from using or copying, the invention covered by the patent. The invention must be novel, useful, and not obvious—which means, for example, that a company could not patent air. Thank goodness. If a company figured out how to patent air, we would have to pay for each and every breath we took! Algorithms...hmmmm... (A mathematical algorithm by itself is an abstract idea and is not patentable in the U.S.; a specific machine or process that applies one may be, which is why software and cryptographic patents remain contested.)

Internal Protection of Intellectual Property

•  The resources protected by one of the previously mentioned laws need to be identified and integrated into the company's data classification scheme. This should be directed by management and carried out by the IT staff.
•  Once the individuals who are allowed to have access are identified, their level of access and interaction with the resource should be defined in a granular method.
•  Employees must be informed of the level of secrecy or confidentiality of the resource, and of their expected behavior pertaining to that resource.
•  If a company fails in one or all of these steps, it may not be covered by the laws described previously, because it may have failed to practice due care and properly protect the resource that it has claimed to be so important to the survival and competitiveness of the company.

Software Piracy

•  Software piracy occurs when the intellectual or creative work of an author is used or duplicated without permission or compensation to the author. It is an act of infringement on ownership rights, and if the pirate is caught, he could be sued civilly for damages, be criminally prosecuted, or both. HANG HIM FROM A YARD ARM!

•  When a vendor develops an application, it usually licenses the program rather than sells it outright. The license agreement contains provisions relating to the use and security of the software and the corresponding manuals. If an individual or company fails to observe and abide by those requirements, the license may be terminated and, depending on the actions, criminal charges may be leveled.


Licenses...ARRRRRRGGH!

•  Freeware is software that is made available free of charge. The author usually keeps the copyright, so the license, not the price, decides whether you may copy, modify, or redistribute it. Software that can be used, copied, studied, modified, and redistributed without restriction is free or open-source software, which is a different thing from freeware.
•  Shareware, or trialware, is used by vendors to market their software. Users obtain a free, trial version of the software. Once the user tries out the program, the user is asked to purchase a copy of it.
•  Commercial software is, quite simply, software that is sold for or serves commercial purposes.
•  Academic software is software that is provided for academic purposes at a reduced cost. It can be open source, freeware, or commercial software.
•  An End User License Agreement (EULA) specifies more granular conditions and restrictions than a master agreement.

Let me throw some numbers at you...

•  A study by the Business Software Alliance (BSA) and International Data Corporation (IDC) found that about 36 percent of the software installed worldwide was unlicensed (the figure moves a few points from year to year).
•  Put roughly, for every two dollars' worth of legal software that is purchased, one dollar's worth is pirated.
•  Software developers often use these numbers to calculate losses resulting from pirated copies.
•  The assumption is that if the pirated copy had not been available, then everyone who is using a pirated copy would have instead purchased it legally. That assumption overstates the loss, since many of those users would simply have gone without, so treat published "losses" figures as upper bounds.

Digital Millennium Copyright Act

•  The Digital Millennium Copyright Act (DMCA) of 1998 makes it illegal to circumvent technological measures that control access to copyrighted works, and to create or distribute products or services designed to circumvent copyright protection mechanisms.
•  Its anti-circumvention provisions are why security researchers are careful when publishing work on DRM and similar protections; the Copyright Office grants limited, periodically renewed exemptions for good-faith security research.

Privacy

•  Privacy law seeks to protect Personally Identifiable Information (PII).
•  In response, countries have enacted privacy laws.
–  For example, although the United States already had the Federal Privacy Act of 1974, it has enacted new laws, such as the Gramm-Leach-Bliley Act of 1999 and the Health Insurance Portability and Accountability Act (HIPAA), in response to an increased need to protect personal privacy information.
–  These are examples of a vertical approach to addressing privacy (one law per industry sector), whereas Canada's Personal Information Protection and Electronic Documents Act and New Zealand's Privacy Act of 1993 are horizontal approaches (one law covering personal data in every sector).

Sarbanes-Oxley Act (SOX)

•  SOX provides requirements for how companies must track, manage, and report on financial information. This includes safeguarding the data and guaranteeing its integrity and authenticity. Most companies rely on computer equipment and electronic storage for transacting and archiving data; therefore, processes and controls must be in place to protect the data.

•  Failure to comply with the Sarbanes-Oxley Act can lead to stiff penalties and potentially significant jail time for company executives, including the Chief Executive Officer (CEO), the Chief Financial Officer (CFO), and others.


The Health Insurance Portability and Accountability Act (HIPAA)

•  HIPAA outlines how security should be managed for any facility that creates, accesses, shares, or destroys medical information.
•  HIPAA mandates steep federal penalties for noncompliance. If medical information is used in a way that violates the privacy standards dictated by HIPAA, even by mistake, monetary penalties of $100 per violation are enforced, up to $25,000 per year, per standard.
•  If protected health information is obtained or disclosed knowingly, the fines can be as much as $50,000 and one year in prison.
•  If the information is obtained or disclosed under false pretenses, the cost can go up to $250,000 with ten years in prison if there is intent to sell or use the information for commercial advantage, personal gain, or malicious harm.
•  Note that the civil amounts above are the original 1996 figures; the HITECH Act of 2009 replaced them with tiered penalties that are far higher per violation and per year.

The Gramm-Leach-Bliley Act of 1999 (GLBA)

•  The Gramm-Leach-Bliley Act of 1999 (GLBA) requires financial institutions to develop privacy notices and give their customers the option to prohibit financial institutions from sharing their information with nonaffiliated third parties.

•  It also requires these institutions to have a written security policy in place.


The Computer Fraud and Abuse Act

The Computer Fraud and Abuse Act (18 USC 1030), written in 1986 and amended several times since (1996, 2001 and 2008 among others), is the primary U.S. federal anti-hacking statute. It prohibits seven forms of activity and makes them federal crimes:
•  The knowing access of computers of the federal government to obtain classified information without authorization or in excess of authorization
•  The intentional access of a computer to obtain information from a financial institution, the federal government, or any protected computer involved in interstate or foreign communications without authorization or in excess of authorization
•  The intentional and unauthorized access of computers of the federal government, or computers used by or for the government, when the access affects the government's use of that computer
•  The knowing access of a protected computer without authorization or in excess of authorization with the intent to defraud
•  Knowingly causing the transmission of a program, information, code, or command and, as a result of such conduct, intentionally causing damage without authorization to a protected computer
•  The knowing trafficking of computer passwords with the intent to defraud
•  The transmission of communications containing threats to cause damage to a protected computer

For a penetration tester, the phrase to remember is "without authorization or in excess of authorization": a signed scope and rules of engagement are what keep a test on the right side of this statute.

The Federal Privacy Act of 1974

•  To keep the government in check on gathering information on U.S. citizens and other matters, a majority of its files are considered open to the public.
•  Government files are open to the public unless specific exemptions enacted by the legislature deem certain files unavailable.
–  This is what the Freedom of Information Act provides.
–  This is different from what the Privacy Act outlines and protects.
•  The Privacy Act applies to records and documents developed and maintained by specific branches of the federal government, such as executive departments, government corporations, independent regulatory agencies, and government-controlled corporations.
–  It does not apply to congressional, judiciary, or territorial subdivisions.
–  An agency may gather information about you only when it has a need for it, and it cannot disclose your records without your written consent, apart from the specific exceptions the Act lists.

Basel II

•  Basel II is built on three main components, called “Pillars.” Minimum Capital Requirements measures the risk and spells out the calculation for determining the minimum capital. Supervision provides a framework for oversight and review to continually analyze risk and improve security measures. Market Discipline requires member institutions to disclose their exposure to risk and validate adequate market capital.

•  Information security is integral to Basel II. Member institutions seeking to reduce the amount of capital they must have on hand must continually assess their exposure to risk and implement security controls or mitigations to protect their data.


Payment Card Industry Data Security Standard (PCI DSS)

•  The PCI DSS applies to any entity that processes, transmits, stores, or accepts credit card data.
•  The control objectives are implemented via 12 requirements, as stated at https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml:
–  Use and maintain a firewall.
–  Reset vendor defaults for system passwords and other security parameters.
–  Protect cardholder data at rest.
–  Encrypt cardholder data when it is transmitted across public networks.
–  Use and update antivirus software.
–  Systems and applications must be developed with security in mind.
–  Access to cardholder data must be restricted by business "need to know."
–  Each person with computer access must be assigned a unique ID.
–  Physical access to cardholder data should be restricted.
–  All access to network resources and cardholder data must be tracked and monitored.
–  Security systems and processes must be regularly tested.
–  A policy must be maintained that addresses information security.
•  Unlike the laws in this section, PCI DSS is a contractual standard enforced by the card brands and acquiring banks, not a statute; noncompliance brings fines and loss of the ability to process cards rather than prosecution.

The Computer Security Act of 1987

•  The Computer Security Act of 1987 requires U.S. federal agencies to identify computer systems that contain sensitive information.
•  The agency must develop a security policy and plan for each of these systems and conduct periodic training for individuals who operate, manage, or use these systems.
•  Federal agency employees must be provided with security-awareness training and be informed of how the agency defines acceptable computer use and practices.
•  The Act was superseded by the Federal Information Security Management Act (FISMA) of 2002, which carries the same requirements forward and adds annual reporting and NIST-developed standards.

The Economic Espionage Act of 1996

•  Prior to 1996, industry and corporate espionage was taking place with no real guidelines for who could properly investigate the events.
•  The Economic Espionage Act of 1996 provides the necessary structure when dealing with these types of cases and defines trade secrets broadly to include technical, business, engineering, scientific, or financial information.
•  This means that an asset does not necessarily need to be tangible to be protected or to be stolen.
•  Thus, this act enables the FBI to investigate industrial and corporate espionage cases.

Employee Privacy Issues

•  If a company has confirmed that the state in which the facility is located permits keyboard, e-mail, and surveillance monitoring, it must take the proper steps to ensure that the employees know that these types of monitoring may be put into place.
•  This is the best way for a company to protect itself, make sure it has a legal leg to stand on if necessary, and not present the employees with any surprises.
•  The monitoring must be work related, meaning that a manager may have the right to listen in on his employees' conversations with customers, but he does not have the right to listen in on personal conversations that are not work related.
•  Monitoring also must happen in a consistent way, such that all employees are subjected to monitoring, not just one or two people.

Reasonable Expectation of Privacy (REP)

•  If a company feels it may be necessary to monitor e-mail messages and usage, this must be explained to the employees, first through a security policy and then through a constant reminder such as a logon banner or regular training.
•  It is best to have an employee read a document describing what type of monitoring they could be subjected to, what is considered acceptable behavior, and what the consequences of not meeting those expectations are.
•  The employees should sign this document, which can later be treated as a legally admissible document if necessary.
•  This document is referred to as a waiver of reasonable expectation of privacy (REP).
•  By signing the waiver, employees waive their expectation of privacy on company systems.

Liability and Its Ramifications

•  The company is responsible for providing fire detection and suppression systems, fire-resistant construction material in certain areas, alarms, exits, fire extinguishers, and backups of all the important information that could be affected by a fire.
•  If a fire burns a company's building to the ground and consumes all the records (customer data, inventory records, and similar information that is necessary to rebuild the business), then the company did not exercise due care to ensure it was protected from such loss (by backing up to an offsite location, for example).
•  In this case, the employees, shareholders, customers, and everyone affected could successfully sue the company.
•  However, if the company did everything expected of it in the previously listed respects, it could not be successfully sued for failure to practice due care (negligence).

Care and Diligence

•  Due care - means that a company did all it could have reasonably done, under the circumstances, to prevent security breaches, and also took reasonable steps to ensure that if a security breach did take place, proper controls or countermeasures were in place to mitigate the damages.
•  Due diligence - means that the company properly investigated all of its possible weaknesses and vulnerabilities.
•  The order matters: due diligence is the investigation (understanding the risks), due care is acting on what the investigation found (implementing and maintaining the controls). Documenting both is what lets a company show it was not negligent.

Types of attacks

•  Salami – many small slices, each too small to notice (a fraction of a cent per transaction), that add up to a large theft... geesh
•  Data diddling – altering existing data, before or as it is entered into a system
•  Excessive privileges – more rights than you need for your job
•  Password sniffing – capturing credentials off the wire... yeah, that just happened
•  IP spoofing – forging the source address of packets... here we go
•  Dumpster diving – recovering useful information from discarded paper and media
•  Emanation capturing – picking up the electromagnetic signals that leak from equipment; Tempest, section 4...
•  Wiretapping – Dan and Coke machines

Ethics

•  Read this https://www.isc2.org/cgi-bin/content.cgi?category=12
The short version of the (ISC)² Code of Ethics...
•  Act honorably, honestly, justly, responsibly, and legally, and protect society.
•  Work diligently, provide competent services, and advance the security profession.
•  Encourage the growth of research—teach, mentor, and value the certification.
•  Discourage unnecessary fear or doubt, and do not consent to bad practices.
•  Discourage unsafe practices, and preserve and strengthen the integrity of public infrastructures.
•  Observe and abide by all contracts, expressed or implied, and give prudent advice.
•  Avoid any conflict of interest, respect the trust that others put in you, and take on only those jobs you are fully qualified to perform.
•  Stay current on skills, and do not become involved with activities that could injure the reputation of other security professionals.

Ethical Fallacies

The following are examples of these ethical fallacies:
•  Hackers only want to learn and improve their skills. Many of them are not making a profit off of their deeds; therefore, their activities should not be seen as illegal or unethical.
•  The First Amendment protects and provides the right for U.S. citizens to write viruses.
•  Information should be shared freely and openly; therefore, sharing confidential information and trade secrets should be legal and ethical.
•  Hacking does not actually hurt anyone.

None of these holds up: the Computer Fraud and Abuse Act criminalizes unauthorized access regardless of motive or profit, and the cost of an intrusion lands on whoever has to investigate and recover from it.

Computer Ethics Institute 10 Commandments

1. Thou shalt not use a computer to harm other people.
2. Thou shalt not interfere with other people's computer work.
3. Thou shalt not snoop around in other people's computer files.
4. Thou shalt not use a computer to steal.
5. Thou shalt not use a computer to bear false witness.
6. Thou shalt not copy or use proprietary software for which you have not paid.
7. Thou shalt not use other people's computer resources without authorization or proper compensation.
8. Thou shalt not appropriate other people's intellectual output.
9. Thou shalt think about the social consequences of the program you are writing or the system you are designing.
10. Thou shalt always use a computer in ways that ensure consideration and respect for your fellow humans.

Internet Architecture Board

The Internet Architecture Board (IAB) is the coordinating committee for Internet design, engineering, and management. It is responsible for architectural oversight of the Internet Engineering Task Force (IETF) activities, oversight of and appeals in the Internet Standards Process, and oversight of the Request for Comments (RFC) series.

IAB Ethics

The IAB's statement "Ethics and the Internet" (RFC 1087, January 1989) considers the following acts unethical and unacceptable behavior:
•  Purposely seeking to gain unauthorized access to Internet resources
•  Disrupting the intended use of the Internet
•  Wasting resources (people, capacity, and computers) through purposeful actions
•  Destroying the integrity of computer-based information
•  Compromising the privacy of others
•  Conducting Internet-wide experiments in a negligent manner

Corporate Ethics Programs

•  Why this ethics stuff really matters…
•  The Federal Sentencing Guidelines for Organizations (FSGO) created an outline for ethical requirements, and in some cases will reduce the criminal sentencing and liability if ethical programs are put in place.
•  This was updated with requirements that made it much more important for the senior executives and board members of an organization to actively participate in and be aware of the ethics program in an organization.

Risk Management

Dr. Drew Hamilton

Information Risk Management (IRM)

•  Who Really Understands Risk Management?
•  Information Risk Management Policy
•  The Risk Management Team

IRM is the process of identifying and assessing risk, reducing it to an acceptable level, and implementing the right mechanisms to maintain that level. You must be aware of the several types of risk and address them all:
•  Physical damage
•  Human interaction
•  Equipment malfunction
•  Inside and outside attacks
•  Misuse of data
•  Loss of data
•  Application error

Real risk is hard to measure, but prioritizing the potential risks is possible.

Applications, devices, protocols, viruses, and hacking should be considered small pieces of the overall security puzzle. Businesses operate to make money, not to just be secure. While understanding individual threats is important, it is more important to be able to calculate the risk of these threats and map them to business drivers. IRM policy should provide direction on how the IRM team relates information on risks to senior management and how to execute management's decisions on risk mitigation tasks.


Risk Analysis

•  The Risk Analysis Team
•  The Value of Information and Assets
•  Costs That Make Up the Value
•  Identifying Threats
•  Failure and Fault Analysis
•  Quantitative Risk Analysis
•  Qualitative Risk Analysis
•  Quantitative vs. Qualitative
•  Protection Mechanisms
•  Putting It Together
•  Total Risk vs. Residual Risk
•  Handling Risk

Four main goals:
1.  Identify assets and their values
2.  Identify vulnerabilities and threats
3.  Quantify the probability and business impact of these potential threats
4.  Provide an economic balance between the impact of the threat and the cost of the countermeasure

Risk analysis provides a cost/benefit comparison. If management determines early on in the risk analysis process that certain assets are not important, the risk assessment team should not spend additional time or resources evaluating those assets.

Questions to ask when performing a risk assessment:
•  What event could occur (threat event)?
•  What could be the potential impact (risk)?
•  How often could it happen (frequency)?
•  What level of confidence do we have in the answers to the first three questions (certainty)?

The value of an asset should reflect all identifiable costs that would arise if there were an actual impairment of the asset, not just the replacement cost.

Definitions:
Loss potential - what the company would lose if a threat agent were to exploit a vulnerability
Delayed loss - any loss that occurs after the initial exposure, such as lost productivity, reputational damage, or fines that arrive months later

Failure Modes and Effects Analysis (FMEA) was first developed for systems engineering: each component's possible failure modes are listed together with their effect on the system, and the results are ranked by severity, likelihood, and how easily the failure would be detected. It proved successful and has more recently been adapted for use in evaluating risk management priorities. FMEA looks at one failure at a time; for more complex systems, where an undesirable outcome needs several things to go wrong together, use fault tree analysis, which starts from the undesired top event and works down through AND and OR gates to the basic failures that can combine to cause it.
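Fault tree analysis carried through in code, as an added example that is not part of the original slides. The tree (exfiltrating customer data needs both a foothold AND reachable data, and each of those can happen in one of two ways), the event names and the annual probabilities are constructed for illustration, and the arithmetic assumes the basic events are statistically independent; the minimal cut sets and the "what if we eliminated this one cause" ranking are what a practitioner actually reads off a fault tree.

```python
"""Fault tree analysis: combine basic-event probabilities through AND/OR
gates into the probability of an undesired top event, list the minimal
cut sets, and rank which single fix buys the most.

Added example; the tree, event names and annual probabilities are
constructed, and the basic events are assumed to be independent.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Union


@dataclass
class Event:
    """Basic (leaf) event with an estimated annual probability."""
    name: str
    probability: float


@dataclass
class Gate:
    """AND gate: all children must occur. OR gate: at least one occurs."""
    name: str
    kind: str                       # "AND" or "OR"
    children: List["Node"] = field(default_factory=list)


Node = Union[Event, Gate]


def probability(node: Node) -> float:
    """P(node occurs), assuming the basic events are independent."""
    if isinstance(node, Event):
        if not 0.0 <= node.probability <= 1.0:
            raise ValueError(f"{node.name}: probability out of range")
        return node.probability
    probs = [probability(c) for c in node.children]
    if node.kind == "AND":
        p = 1.0
        for q in probs:
            p *= q                  # every input must occur
        return p
    if node.kind == "OR":
        none = 1.0
        for q in probs:
            none *= 1.0 - q         # P(no input occurs)
        return 1.0 - none
    raise ValueError(f"{node.name}: unknown gate kind {node.kind!r}")


def minimal_cut_sets(node: Node) -> List[frozenset]:
    """Smallest combinations of basic events sufficient for the top event."""
    if isinstance(node, Event):
        return [frozenset([node.name])]
    per_child = [minimal_cut_sets(c) for c in node.children]
    if node.kind == "OR":
        combined = [cs for sets in per_child for cs in sets]
    else:                           # AND: one cut set from each child, unioned
        combined = [frozenset()]
        for sets in per_child:
            combined = [a | b for a in combined for b in sets]
    combined = list(dict.fromkeys(combined))          # dedupe, keep order
    return [cs for cs in combined if not any(o < cs for o in combined)]


def basic_events(node: Node) -> Dict[str, Event]:
    """Index the leaf events by name."""
    if isinstance(node, Event):
        return {node.name: node}
    found: Dict[str, Event] = {}
    for c in node.children:
        found.update(basic_events(c))
    return found


def importance(root: Gate, event_name: str) -> float:
    """Drop in top-event probability if this basic event were eliminated."""
    ev = basic_events(root)[event_name]
    baseline = probability(root)
    original = ev.probability
    ev.probability = 0.0
    try:
        reduced = probability(root)
    finally:
        ev.probability = original   # leave the tree as we found it
    return baseline - reduced


def example_tree() -> Gate:
    """Constructed tree: exfiltration needs a foothold AND reachable data."""
    foothold = Gate("attacker gains foothold", "OR", [
        Event("phishing success", 0.30),
        Event("unpatched VPN exploited", 0.10),
    ])
    reachable = Gate("customer data reachable from foothold", "OR", [
        Event("no network segmentation", 0.50),
        Event("excessive privileges", 0.20),
    ])
    return Gate("customer data exfiltrated", "AND", [foothold, reachable])


if __name__ == "__main__":
    root = example_tree()
    print(f"P(top event) = {probability(root):.3f}")
    for cs in minimal_cut_sets(root):
        print("cut set:", sorted(cs))
    for name in basic_events(root):
        print(f"eliminate {name!r}: top event drops by {importance(root, name):.3f}")
```

Read the output the way you would read the diagram: the top-event probability (0.222 for the constructed numbers) tells you how exposed you are, the four cut sets tell you which pairs of failures are each enough on their own, and the importance ranking shows that fixing the phishing branch (-0.162) buys more than fixing segmentation (-0.148), because it sits under the gate with the larger share of the probability. The independence assumption is the usual weakness of this arithmetic: if phishing success makes excessive privileges more likely, the OR and AND formulas understate the true risk.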

Quantitative Risk Analysis This attempts to assign real and meaningful numbers to all elements of the risk analysis process. Purely quantitative risk analysis is not possible because the method attempts to quantify qualitative items. Most automated systems store base data in a database and then can run scenarios with that data with different parameters to give a view of the outcomes for different exposures.


Steps of a Quantitative Risk Analysis
1. Assign value to assets
2. Estimate potential loss per threat
3. Perform a threat analysis
4. Derive the overall annual loss potential per threat
5. Reduce, transfer, avoid, or accept the risk

Definitions:
exposure factor (EF): percentage of an asset's value lost in a single occurrence of the threat
single loss expectancy (SLE) = asset value * EF
annualized rate of occurrence (ARO): estimated frequency of the threat, in occurrences per year
annualized loss expectancy (ALE) = SLE * ARO

Results of a Risk Analysis
•  Monetary values assigned to assets
•  Comprehensive list of all possible and significant threats
•  Probability of the occurrence rate of each threat
•  Loss potential the company can endure per threat in a 12-month time span
•  Recommended safeguards, countermeasures, and actions

Qualitative Risk Analysis
Techniques include judgement, best practices, intuition, and experience
1. A risk analysis team is built consisting of members from across many departments with experience and education on the threats being evaluated
2. A scenario is written for each major threat
3. Safeguards that diminish the damage of the threat are evaluated and the scenario is played out for each

Qualitative Risk Analysis Benefits •  communication must happen among team members •  risks and safeguards are ranked •  strengths and weaknesses are identified •  those who know the subjects best provide their

opinions to management

Risk Analysis


Countermeasure Selection
Again, you need to do a cost/benefit analysis. Example: if the ALE of a threat is $12,000 before applying the safeguard and $3,000 after applying it, and the annual cost of the safeguard is $650, then the value of the safeguard is $8,350/year. Remember that the cost of a countermeasure is more than just the purchase price. Also, note that you will likely never reduce the ALE to $0. This is due to residual risk.

Risk Analysis


Total Risk vs. Residual Risk
No system or environment is 100% secure, which means there is always some risk left over to deal with. Total risk is the risk a company faces if it chooses not to implement a certain safeguard. Residual risk is the risk left over after implementing that safeguard.
threats * vulnerability * asset value = total risk
total risk * controls gap = residual risk
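The quantitative definitions (SLE, ARO, ALE), the countermeasure cost/benefit calculation, and the total/residual risk formulas from the last few slides, carried through in code. This is an added example, not from the lecture: the file-server figures in `worked_example()` are constructed, the way `annual_safeguard_cost()` spreads a purchase price over a useful life and adds operating cost is one reasonable reading of "more than just the purchase price", and treating the threat and vulnerability terms of the total-risk formula as probabilities between 0 and 1 is an assumption of this example; the slides give that formula without fixing a scale.

```python
def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = asset value * EF. EF is the fraction of the asset lost in one incident."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE * ARO. An ARO below 1 means the event happens less than once a year."""
    if aro < 0:
        raise ValueError("annualized rate of occurrence cannot be negative")
    return sle * aro


def annual_safeguard_cost(purchase_price: float, useful_life_years: float,
                          annual_operating_cost: float) -> float:
    """Yearly cost of a countermeasure (assumption of this example, not the lecture's method):
    purchase price spread over its useful life, plus staff, maintenance and licence costs."""
    if useful_life_years <= 0:
        raise ValueError("useful life must be positive")
    return purchase_price / useful_life_years + annual_operating_cost


def safeguard_value(ale_before: float, ale_after: float, annual_cost: float) -> float:
    """Value of a safeguard per year = (ALE before - ALE after) - annual cost.
    Negative means the safeguard costs more than the loss it prevents."""
    return (ale_before - ale_after) - annual_cost


def total_risk(threat_likelihood: float, vulnerability: float, asset_value: float) -> float:
    """threats * vulnerability * asset value = total risk.
    Here threat_likelihood and vulnerability are probabilities (0..1); that scale is an assumption."""
    for p in (threat_likelihood, vulnerability):
        if not 0.0 <= p <= 1.0:
            raise ValueError("likelihood and vulnerability must be between 0 and 1")
    return threat_likelihood * vulnerability * asset_value


def residual_risk(total: float, controls_gap: float) -> float:
    """total risk * controls gap = residual risk.
    controls_gap is the fraction of the risk the controls do NOT cover, so it never reaches 0
    in practice and the ALE is never driven to $0."""
    if not 0.0 <= controls_gap <= 1.0:
        raise ValueError("controls gap must be a fraction between 0 and 1")
    return total * controls_gap


def worked_example() -> dict:
    """Constructed figures (not from the lecture): a $400,000 file server facing ransomware."""
    asset_value = 400_000
    # One incident destroys a quarter of the asset's value; expected once every two years.
    sle = single_loss_expectancy(asset_value, 0.25)            # 100,000 per incident
    ale_before = annualized_loss_expectancy(sle, 0.5)          # 50,000 per year
    # Candidate safeguard: offline backups cut EF to 0.05 (mostly restore downtime); ARO unchanged.
    ale_after = annualized_loss_expectancy(
        single_loss_expectancy(asset_value, 0.05), 0.5)        # 10,000 per year
    cost = annual_safeguard_cost(purchase_price=30_000, useful_life_years=5,
                                 annual_operating_cost=4_000)  # 10,000 per year
    value = safeguard_value(ale_before, ale_after, cost)       # 30,000 per year
    # Residual risk: controls still leave 20% of the exposure uncovered.
    total = total_risk(0.5, 0.5, asset_value)                  # 100,000
    residual = residual_risk(total, 0.20)                      # 20,000
    return {"sle": sle, "ale_before": ale_before, "ale_after": ale_after,
            "annual_cost": cost, "value": value, "total_risk": total, "residual_risk": residual}


if __name__ == "__main__":
    # The lecture's own example: $12,000 -> $3,000 ALE for a $650/year safeguard.
    print(f"Lecture example safeguard value: ${safeguard_value(12_000, 3_000, 650):,.0f}/year")
    for k, v in worked_example().items():
        print(f"{k:>14}: ${v:,.0f}")
```

Step 5 of the quantitative method (reduce, transfer, avoid, or accept) is the decision `safeguard_value()` feeds: a positive value argues for reducing the risk with that safeguard, a negative one for transferring or accepting it instead.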

Risk Analysis


Handling Risk
Risk can be dealt with by:
•  transferring it - through insurance or delegating
•  rejecting it - also called risk avoidance; you do this by terminating the activity that is introducing the risk
•  reducing it - also called risk mitigation
•  accepting it

Risk acceptance:
•  Is the potential loss lower than the countermeasure?
•  Can the organization deal with the "pain" that will come with accepting the risk? This "pain" can include more than just financial

Risk Analysis


Summary – Section Objectives
•  Identify components of TCP/IP computer networking
•  Understand basic elements of information security
•  Understand incident management steps
•  Identify fundamentals of security policies
•  Identify essential terminology associated with ethical hacking
•  Define ethical hacker and classifications of hackers
•  Describe the five stages of ethical hacking
•  Define the types of system attacks
•  Identify laws, acts, and standards affecting IT security