Security fundamentals Topic 1 Addressing security threats and vulnerabilities.


Transcript of Security fundamentals Topic 1 Addressing security threats and vulnerabilities.

Page 1

Security fundamentals

Topic 1: Addressing security threats and vulnerabilities

Page 2

Agenda

• Goals of security
• Risk assessment
• Common threats
• Types of attacks
• Common defences
• Security guidelines

Page 3

Goals of security

• Confidentiality – Ensures that information is accessed only by those who are authorized to do so
• Integrity – Ensures that information is modified or deleted only by those who are authorized to do so
• Availability – Ensures that information and equipment can be used only by those who are authorized to do so
• C-I-A triad – Trade-offs

Page 4

Page 5

Basic steps of risk assessment

1. Identifying assets, such as computers or data
2. Assigning a value to the assets
3. Assigning a likelihood that an event will occur that could cause loss or damage
4. Assigning values to that risk based on both the possible damage and the likelihood that an event will occur

Page 6

Identifying assets

Take an inventory of tangible and intangible assets.

• Tangible assets – Physical items that the business owns: IT equipment, network, servers, desktops, applications, databases, procedures
• Intangible assets – Goodwill, intellectual property, patents, copyrights, trademarks, logos, reputation

Page 7

Method

Assign a value to the assets:

1. For tangible assets, take the initial cost and adjust for depreciation
2. Make an estimate based on market value
3. Estimate the value of revenue that could be generated from the asset
4. Compare to a similar asset's value

Assign a likelihood that an event will occur that could cause loss or damage:
– Use a scale such as high, moderate, low

Assign values to a risk based on both the possible damage and the likelihood that an event will occur:
– Prioritise your risks
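The four risk-assessment steps above (Pages 5 and 7) carried through as code, as an added example that is not part of the slides: assets are valued (with straight-line depreciation for tangible ones), given a likelihood on the high/moderate/low scale, scored as damage x likelihood, and prioritised. The numeric weights for the scale, the `damage_fraction` field and the sample inventory are assumptions made for this example.

```python
from dataclasses import dataclass

# Weights for the slide's high/moderate/low likelihood scale. The numbers are
# an assumption for this example; the slides only name the three levels.
LIKELIHOOD = {"high": 0.9, "moderate": 0.5, "low": 0.1}


@dataclass
class Asset:
    name: str
    value: float            # step 2: value assigned to the asset
    likelihood: str         # step 3: "high", "moderate" or "low"
    damage_fraction: float  # share of the value lost if the event occurs (assumption)


def depreciated_value(initial_cost, years_in_service, useful_life_years):
    """Valuation method 1: initial cost adjusted for straight-line depreciation."""
    if useful_life_years <= 0:
        raise ValueError("useful life must be positive")
    remaining = max(0, useful_life_years - years_in_service)
    return initial_cost * remaining / useful_life_years


def risk_score(asset):
    """Step 4: risk value = possible damage x likelihood of the event."""
    if asset.likelihood not in LIKELIHOOD:
        raise ValueError(f"unknown likelihood: {asset.likelihood}")
    return asset.value * asset.damage_fraction * LIKELIHOOD[asset.likelihood]


def prioritised_register(assets):
    """Return (name, risk) pairs, highest risk first, so the top entries get attention first."""
    ranked = sorted(assets, key=risk_score, reverse=True)
    return [(a.name, round(risk_score(a), 2)) for a in ranked]


# Constructed sample inventory (values are illustrative, not from the slides).
SAMPLE_ASSETS = [
    Asset("file server", depreciated_value(12000, 2, 5), "moderate", 0.6),
    Asset("customer database", 250000, "low", 1.0),
    Asset("staff laptop", depreciated_value(1500, 1, 3), "high", 1.0),
    Asset("company reputation", 500000, "low", 0.2),
]

if __name__ == "__main__":
    for name, risk in prioritised_register(SAMPLE_ASSETS):
        print(f"{name:20s} risk={risk:>10.2f}")
```

Note that the low-likelihood database outranks the high-likelihood laptop: the register is driven by damage x likelihood, not by likelihood alone.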

Page 8

Key security terms

1. Risk
2. Threat
3. Vulnerability
4. Risk acceptance
5. Risk transfer
6. Risk avoidance
7. Risk mitigation

Page 9

Risk management

• Identify the risks
  – List assets
  – Assign value to assets
  – Likelihood of damage
  – Assign priority
• Identify threats
• Identify vulnerabilities
  – Where are the weaknesses?
• Minimise risk
  – Minimise weakness by taking preventative steps
• Review

Page 10

Identifying threats

Disasters
• Natural disasters – eg flood, earthquake, fire
• Man-made disasters – eg arson, loss of power
• Mishap – eg accidental deletion of data, misconfiguration

Threats from attack
– An attempt to bypass security controls
– To defend from these threats you must understand the technology

How severe will the impact be? What is the likelihood of the event happening?

Page 11

Threats from attack

• Specific to the business – DoS attack on the company web server
• Threats that are not directed – DDoS
• Widely known threats – worms, viruses
• External threats – originate from outside the company (not the network)
• Internal threats – originate from within the company (eg technically savvy users)

Page 12

Intrusion points

Physical access points
– Access to the media (cable, devices, storage)
– Security guards, locks and cameras

Access points via the network
– Wireless
– Dial-in via phone lines
– Hacking through security controls
– Internet

Data disposal
– Printed material
– Laptops and hard drives

Page 13

Attack sources

It is your responsibility to both defend against possible attacks and detect successful attacks.

• White hats: ethical security experts looking for vulnerabilities
• Black hats: hackers/crackers
  – Expert: finding areas of weakness
  – Intermediate: programmers creating exploits from the vulnerabilities
  – Novice: script kiddies
  – What motivates them?

Page 14

Identifying attacks

Scanning
– Ping and port scans – is there an IP and an open port?

Fingerprinting
– What OS, applications and services are running, and what versions and protocols?

Denial of Service (DoS)
– Shutting down or overloading a service so it becomes unavailable

Spoofing
– Disguising the source (IP, email or others)
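Detecting the port scans named above from the defender's side, as an added example that is not part of the slides: a scan shows up in a firewall drop log as one source probing many distinct ports on one host in a short time, while ordinary retries hit the same port repeatedly. The log lines and their format are constructed for this example; a real firewall's format will differ.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed firewall drop-log sample (illustrative, not from the slides);
# the line format is an assumption for this example.
SAMPLE_LOG = """\
2024-03-01T10:00:01 DROP src=203.0.113.5 dst=192.0.2.10 proto=TCP dport=21
2024-03-01T10:00:01 DROP src=203.0.113.5 dst=192.0.2.10 proto=TCP dport=22
2024-03-01T10:00:02 DROP src=203.0.113.5 dst=192.0.2.10 proto=TCP dport=23
2024-03-01T10:00:02 DROP src=203.0.113.5 dst=192.0.2.10 proto=TCP dport=25
2024-03-01T10:00:03 DROP src=203.0.113.5 dst=192.0.2.10 proto=TCP dport=80
2024-03-01T10:05:00 DROP src=198.51.100.7 dst=192.0.2.10 proto=TCP dport=443
2024-03-01T10:05:04 DROP src=198.51.100.7 dst=192.0.2.10 proto=TCP dport=443
2024-03-01T10:05:09 DROP src=198.51.100.7 dst=192.0.2.10 proto=TCP dport=80
2024-03-01T10:30:00 DROP src=203.0.113.5 dst=192.0.2.10 proto=TCP dport=443
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) DROP src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
                     r"proto=TCP dport=(?P<dport>\d+)$")


def parse(log):
    """Turn log text into (timestamp, src, dst, dport) tuples; unmatched lines are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["dport"])))
    return events


def detect_port_scans(events, min_ports=5, window_seconds=60):
    """Flag (src, dst, port_count) where one source probes at least min_ports
    distinct ports on one host inside any window_seconds-long window."""
    by_pair = defaultdict(list)
    for ts, src, dst, dport in events:
        by_pair[(src, dst)].append((ts, dport))
    alerts = []
    for (src, dst), hits in by_pair.items():
        hits.sort()  # sliding window over time-ordered hits for this pair
        for i, (start, _) in enumerate(hits):
            ports = {p for t, p in hits[i:] if (t - start).total_seconds() <= window_seconds}
            if len(ports) >= min_ports:
                alerts.append((src, dst, len(ports)))
                break  # one alert per pair is enough
    return alerts


if __name__ == "__main__":
    for src, dst, n in detect_port_scans(parse(SAMPLE_LOG)):
        print(f"possible port scan: {src} -> {dst} ({n} ports in 60 s)")
```

The retries from 198.51.100.7 touch only two ports and are not flagged, and the late hit at 10:30 falls outside the 60-second window, so the threshold and window together decide what counts as a scan.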

Page 15

Identifying attacks

Source routing
– Route is specified in the packet header and bypasses controls

Man-in-the-middle
– Messages are intercepted and reviewed or altered before being sent on to the destination

Back door
– Unknown and undocumented way to access a program or system
  • Left in by developers
  • Installed by hackers

Page 16

Identifying attacks

Password guessing
– Default passwords
– Blank passwords
– Easy-to-guess passwords
– Short passwords
– Common words
– Automated scripts to find password hashes
– Dictionary attack
– Brute force attack
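A policy check that turns the weaknesses listed above into something a defender can run against proposed passwords, as an added example that is not part of the slides. The word lists, the 12-character minimum and the 60-bit brute-force threshold are assumptions for this example; a real audit would use the organisation's own default-credential list and a full dictionary.

```python
import math
import string

# Small constructed lists for the example (assumption). A real audit would load
# the vendor default-credential list and a full dictionary.
DEFAULT_PASSWORDS = {"admin", "password", "123456", "changeme", "welcome"}
DICTIONARY = {"summer", "dragon", "monkey", "letmein", "football"}
MIN_LENGTH = 12   # policy minimum; the value is an assumption
MIN_BITS = 60.0   # brute-force search space below this is flagged (assumption)


def charset_size(pw):
    """Size of the alphabet an exhaustive search must cover for pw's character classes."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)
    return size


def brute_force_bits(pw):
    """log2 of the guesses a brute-force search needs: length x log2(alphabet size)."""
    size = charset_size(pw)
    return len(pw) * math.log2(size) if size else 0.0


def audit_password(pw):
    """Return the weaknesses from the slide's list that apply to pw; [] means it passes."""
    if pw == "":
        return ["blank"]
    problems = []
    low = pw.lower()
    if low in DEFAULT_PASSWORDS:
        problems.append("default")
    if len(pw) < MIN_LENGTH:
        problems.append("short")
    # "Dragon2024!" is still a dictionary word with trivial padding, so strip the padding
    if low in DICTIONARY or low.rstrip(string.digits + string.punctuation) in DICTIONARY:
        problems.append("dictionary word")
    if brute_force_bits(pw) < MIN_BITS:
        problems.append("brute-forceable")
    return problems
```

Length dominates the brute-force estimate, which is why a long passphrase of lowercase words, digits and hyphens passes while a short mixed-case password does not.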

Page 17

Identifying attacks

Replay attack
– Intercepting and recording a connection setup and replaying it at a later time to gain authorised access

Encryption breaking
– Breaking the encryption algorithm or guessing the key used by the algorithm

Hijacking
– Taking over an existing connection, sending packets as if from the source

Malicious code
– Viruses, worms and trojans

Page 18

Identifying attacks

Software exploitation
– Buffer overflow attack
– Cross-site scripting – inserting malicious HTML code on a webpage

Social engineering
– Manipulating people by exploiting their ignorance, fears or willingness to help
– Impersonation, piggybacking entry into restricted areas
– This is the most difficult to prevent

Page 19

Defending against threats

Defence in depth
• Must include multiple elements
• Layered defence
• Hacker must overcome multiple defence checks
• Each defence check is monitored and alarmed

Page 20

Defending against threats

Secure the network infrastructure
– Network access control
– Secure communications protocols
– System hardening – systems, applications and resources (files and databases)

Authenticating users
– Passwords
– Biometrics
– Certificates
– Tokens
– Smart cards

Auditing
– Monitoring operations – intrusion detection, logs

Page 21

Basic security guidelines

Physical security
– Locks, facility access controls, surveillance
– Circumvention threats: using bootable media to access hard drives, key loggers

Trust
– Trusting administrators
– Trusting certificates
– Servers trusting servers

Privilege levels
– Principle of least privilege
– Standard, admin and root accounts

Page 22

Maintaining documentation

Document all procedures related to systems security:
– Planning
– Policies
– Configurations
– Monitoring and reporting
– Archiving

Page 23

Lesson summary

Addressing security threats and vulnerabilities
– Goals of security
– Risks, threats and vulnerabilities
– Risk assessment
– Common threats
– Types of attacks
– Common defences
– Basic security guidelines