Title: CIS 600 Topics in CIS CSE 691 Topics in CSE Internet Security Principles
Slide 1: CIS 600 Topics in CIS / CSE 691 Topics in CSE: Internet Security Principles
- Dr. Leonard Popyack
- Spring 2001
Slide 2: This course will focus on the growing concern for information security in telecommunications, computers, networks, and satellite communication. The main emphasis will be network and computer security, particularly concerning the Internet.
Slide 3: Course Description
E-business is the de facto way of doing business today and in the future. Protecting your valuable information assets is paramount to performing effectively. Everything from outright cash to stocks and commodities to customer credit card number information has been stolen through the Internet. Even intellectual property (like product designs, inventions, even engineers' notes) has been stolen through the Internet. Hackers have been able to ship expensive items to their homes by maliciously manipulating e-business ordering software to accept the order for a fraction of the real cost. How do they do this? What steps are you taking to protect yourself? Are you doing all you can? Are the people you trust doing all they can? Can you trust everyone? This course takes a very straightforward and practical approach to information security. Often the most basic principles of Internet security are not being adhered to. You can make a difference in the bottom line of your company or agency by following the principles and techniques taught in this course. The techniques the hackers use to gain access to your systems will be demonstrated, as well as effective techniques to prevent these malicious acts.
Slide 4: Outline
1. Introduction: Trust, Cyberspace, some true stories
2. Elements of Computer and Network Security: information protection, information warfare, information assurance, etc.; threats, risks, vulnerabilities. Introduction of basic encryption and decryption.
3. Encryption properties.
4. What is a security policy, how to develop a security policy, assurance issues
5. Network security aspects, TCP/IP security issues, firewalls, filtering routers, data hiding (steganography).
6. Steganography and data hiding: in-depth details.
7. Intrusion Detection Systems (IDS) (what to look for)
8. Hacks and Cracks, including password crackers, Trojans, sniffers.
9. Application security issues, database security, e-commerce security issues, intranets/extranets
10. Insider intrusion and detection
11. Computer Network Forensics
12. Very practical computer and network security principles to follow (the basic cookbook). (Never go without this checklist!)
13. How to protect the high-speed home user (cable modem, DSL, wireless).
14. Red Teaming your enterprise and your people
Slide 5: Prerequisites
Graduate standing in computer engineering, computer science, electrical engineering, or permission of instructor. Some knowledge of TCP/IP is useful.
Slide 7: Go over Class Mechanics Handout
Slide 8: My Questions
- LAST Name
- FIRST Name
- Student ID
- E-mail
Slide 9: My Questions
- 1. How well do you understand TCP/IP and other protocols?
- 2. Have you ever had a computer hit by a virus? If so, which?
- 3. Have you ever worked with firewalls?
- 4. Do you shop on-line and use your credit card?
- 5. What networking classes have you had before?
- 6. What (if any) computer security courses have you had?
- 7. PhD student? MS?
Slide 10: My Questions (continued)
- 8. Ever use encryption for e-mail?
- 9. Have you ever worked with steganography (data hiding)?
- 10. Do you do a lot of programming?
- 11. Do you do any banking on-line?
- 12. Do you work for a company? Would you say their networked computers are secure? Why do you suggest that they are or are not?
Slide 11: Topics
- Information Warfare
- Information assurance (threats to e-commerce and intellectual property)
- Vulnerabilities and risks
- Intrusion detection
- Computer Forensics
- Hot topics in cyberspace (such as Back Orifice 2000, IEEE 802.11b)
- Data Hiding (Steganography)
- Network security aspects, encryption
- TCP/IP security issues, firewalls, filtering routers
Slide 12: Topics (Continued)
- Database security
- Web security issues
- Intranets/extranets
- Security Policies
- Satellite data hacking (spoofing)
- Hacks and Cracks
- In-class demos where appropriate
- Recent Events!!!
Slide 13: Textbook Readings
- Our text is Computer Security, 2nd edition, by Charles Pfleeger
- Hacking Exposed: Network Security Secrets and Solutions, by Joel Scambray et al. (paperback)
- Additional material will be drawn from:
- "Network Security" by Charlie Kaufman, Radia Perlman and Mike Speciner
- Intrusion Detection, Edward Amoroso
- Information Warfare and Security, Denning
- E-Commerce Security, Anup Ghosh
- Computer Forensics, IATAC
- Information Hiding, Fabien Petitcolas and Stefan Katzenbeisser
Slide 14: Ethics!
Slide 15:
- Thou shall not use a computer to harm other people.
- Thou shall not interfere with other people's computer work.
- Thou shall not snoop around other people's computer files.
- Thou shall not use a computer to steal.
- Thou shall not use a computer to bear false witness.
- Thou shall not copy or use proprietary s/w for which you have not paid.
- Thou shall not use other people's computer resources without authorization or proper compensation.
- Thou shall not appropriate other people's intellectual output.
- Thou shall think about the social consequences of the program or system you are building.
- Thou shall always use a computer in ways that ensure consideration and respect for your fellow humans.
From the Computer Ethics Institute, Washington DC.
Slide 16: http://www.hackerz.org/help.html
Slide 17: Security Differences vs. bits
- Size: thousands of dollars' worth of computers can fit in your briefcase.
- Avoid physical contact: electronic fund transfers, direct deposit, automatic debits (mortgages, utility bills, fund transfers, etc.).
- Value of assets: the value of information is high. Confidential information: medical history, new products, customer lists, marketing strategy, military targets, weapons capabilities, logistic stores.
Slide 18: Security Today: Wild Wild West!
- At least bankers of the early 1800s knew the value of money.
- Many companies don't know the value of information (intellectual property).
- If you think there is a cyber crime, then what? Call a cyber cop?
- All about TRUST! Would you bank at a bank which loses 10M yearly to cyber crooks?
Slide 19: We will
- Examine the risks of security (computer and network)
- Consider available countermeasures (controls)
- Stimulate your thought about uncovered vulnerabilities
- Examine specific topics
Slide 20: Characteristics of Computer Intrusion
- Target may be any piece of a computer system.
- A computer system includes hardware, software,
storage media, data, networks, and people.
Slide 21: Principle of Easiest Penetration
- An intruder must be expected to use any available means of penetration. This is not necessarily the most obvious means, nor is it necessarily the one against which the most solid defense has been installed.
Slide 22: Terms
- Exposure: loss or harm from unauthorized disclosure of data, modification of data, or denial of service (DoS).
- Vulnerability: a weakness in the security system.
- Threat: circumstances that have the potential to cause loss or harm (human attacks, natural disasters, human error, software flaws).
Slide 23: Terms (continued)
- Control: a protective measure which reduces vulnerability. This can be an action, device, procedure, or technique.
Slide 24: Major Assets
- Computer
- Software
- Data
- Network
Slide 25: System Security Threats
Slide 26: Interruption
- An asset (computer, software, data, network connectivity) becomes lost, unavailable, or unusable.
Exposure
Slide 27: Human Interruption
Slide 28: Interception
- An unauthorized party gains access to an asset (computer, software, data, network).
Slide 29: Modification
- An unauthorized party tampers with an asset. Examples: DNS table, data, software, hardware.
Slide 30: Fabrication
- Counterfeit objects: credit card numbers, forgeries.
Slide 35: Credit Master Demo
Slide 36: Security Goals
- Maintain three characteristics:
- Confidentiality
- Integrity
- Availability
Security Goals
Slide 37: Confidentiality
- Assets (computer, software, data, network connectivity) are accessible only by authorized parties.
- Read access?
- Write access?
- Even knowing the existence of an object.
- Sometimes called secrecy or privacy.
Slide 38: Integrity
- Assets are modified only by authorized parties or in authorized ways.
- Includes creating and deleting.
Slide 39: Availability
- Assets are accessible to authorized parties.
- Authorized parties are not prevented from accessing objects to which they have legitimate access.
Slide 40: These three goals can overlap and even be mutually exclusive.
(Diagram: overlapping circles labelled Confidentiality, Integrity, and Availability; section: Security Goals)
Slide 41: Vulnerabilities
- Threats to Hardware
- Threats to Software
- Threats to Data
- Threats to Network
Slide 42: Vulnerabilities
(Diagram: threats to a NETWORK: Interruption / Denial of Service, Interception, Modification)
Slide 43: Threats to Hardware
- Physical device (visible, simple point of attack)
- Drenched with water, gasoline, beer, soda
- Burned, gassed, electrocuted
- Mice chew on cables; dust, ash
- Kicked, slapped, thrown, punched, jarred
- Shot with guns, stabbed, metal objects to short out circuits, acid, ferric chloride (PCB etch), coins, hammers, ice picks, run over with cars!
Vulnerabilities
Slide 44: RAMBO!
Slide 45: Threats to Software
- VERY IMPORTANT COMPONENT
- operating system
- utility programs
- application programs
- connectivity components
- database components
Slide 46: Threats to Software
- Very different from hardware threats
- May not leave an obvious mark
- May not change the function of your favorite programs
- Some can be subtle. Some can go S-L-O-W
- Some are hidden very well (steganography)
- Some are dynamic (change on their own), which lets them evade signature detection
Slide 47: Threats to Software (cont.)
- Software Deletion
- Some threats will try to delete software or data
- Some deletions are accidental, by the intended user!
- Cure: maintain good configuration management!
- Software Modification
- A working program is modified to fail, or to cause it to do some unintended task.
Slide 48: Threats to Software (cont.)
- Software Modification (cont.)
- Subtle changes: LOGIC BOMB
- A timer sets it to go off after an action, event, time, or a watchdog timeout.
- Can destroy data, modify data, send data, load new data, transfer funds, etc.
- Hidden Side Effects
- Trojan Horse: overtly does one thing while covertly doing another
- Virus: a specific type of Trojan that spreads infection
- Trapdoor: a program which has a secret entry point
- Information Leaks: make information accessible to unintended people or programs
Slide 49: Threats to Software (cont.)
- Software Theft
- Unauthorized copying of software
- WARZ (application software copies)
- CRACKS a.k.a. CRAKZ (serial numbers, key generators)
- MANY WEB SITES, FTP SITES, CRACK SITES.
- ALMOST ANYTHING YOU WANT IS DOWNLOADABLE TODAY!!!!
Slide 50: Threats to Data
- Data is more readable to the public.
- Data attacks are widespread, and data is perhaps more vulnerable than hardware or software.
- Networks make data attacks accessible from all parts of the world.
- Data is V-A-L-U-A-B-L-E!!!!!
Slide 51: Principle of Adequate Protection
- Computer items must be protected only until they lose their value. They must be protected to a degree consistent with their value.
Things with a short life can be protected with security measures which are effective for a short lifetime.
Slide 52: 3 Quantities of Data Security
- DATA CONFIDENTIALITY
- DATA INTEGRITY
- DATA AVAILABILITY
Slide 53: Data Confidentiality
- Data can be gathered in many ways:
- wiretaps
- bugs in output devices
- sifting through trash
- monitoring RF
- bribing key employees
- inferring data (Clancy)
- request it! (FOIA)
Slide 54: Data Integrity
- Stealing, buying, hearing (no computer needed)
- Making or modifying data for computer interpretation, to the crook's advantage!
- Penny attacks, salami attacks, interest calculations
- Interception and replay
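As an added illustration of the salami-attack bullet above (this is not course code), the Python below reconciles an interest run per account against the interest rule rather than by grand total; the three accounts, the simple-interest formula and the half-even rounding policy are constructed assumptions:

```python
from collections import defaultdict
from decimal import ROUND_HALF_EVEN, Decimal

CENT = Decimal("0.01")

def compute_interest(balance, annual_rate, days):
    """Exact, unrounded simple interest; the rounding policy is applied separately."""
    return balance * annual_rate * Decimal(days) / Decimal(365)

def reconcile(accounts, postings):
    """Check every posting against what the interest rule entitles the account to
    (rounded half-even to the cent, an assumed house policy).
    accounts: {account_id: (balance, annual_rate, days)}
    postings: iterable of (account_id, amount) credited by the interest run
    Returns (total_posted, anomalies): account -> posted minus entitled, plus any credited account owed nothing.
    """
    posted = defaultdict(Decimal)
    for acct, amount in postings:
        posted[acct] += amount
    anomalies = {}
    for acct, (balance, rate, days) in accounts.items():
        entitled = compute_interest(balance, rate, days).quantize(CENT, rounding=ROUND_HALF_EVEN)
        diff = posted.get(acct, Decimal("0")) - entitled
        if diff != 0:
            anomalies[acct] = diff
    for acct, amount in posted.items():
        if acct not in accounts:
            anomalies[acct] = amount  # credited, but owed nothing by the rule
    return sum(posted.values(), Decimal("0")), anomalies

# Constructed sample: three customer accounts over a 30-day interest run.
ACCOUNTS = {
    "A": (Decimal("1000.00"), Decimal("0.05"), 30),  # exact 4.1095..., entitled 4.11
    "B": (Decimal("2500.00"), Decimal("0.04"), 30),  # exact 8.2191..., entitled 8.22
    "C": (Decimal("100.00"), Decimal("0.03"), 30),   # exact 0.2465..., entitled 0.25
}
HONEST_RUN = [("A", Decimal("4.11")), ("B", Decimal("8.22")), ("C", Decimal("0.25"))]
# Tampered run: each amount truncated instead of rounded, shaved cents credited to "X".
# Grand total (12.58) equals the honest run's, so a totals-only check would pass.
TAMPERED_RUN = [("A", Decimal("4.10")), ("B", Decimal("8.21")), ("C", Decimal("0.24")),
                ("X", Decimal("0.03"))]

def demo():
    """Returns (total, anomalies) for the honest run and then for the tampered run."""
    return reconcile(ACCOUNTS, HONEST_RUN), reconcile(ACCOUNTS, TAMPERED_RUN)

if __name__ == "__main__":
    for label, (total, anomalies) in zip(("honest", "tampered"), demo()):
        print(f"{label}: total posted {total}, anomalies {anomalies}")
```

The point of the two runs is that both post exactly 12.58 in total, so only the per-account comparison exposes the three shaved cents and the unexplained credit to "X".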
Slide 55: Other Exposed Data Assets
- Storage Media
- garbage never goes away!
- Networks
- data is exposed
- no control over routing
- Access to equipment
- Key People (weak points)
Slide 56: People
Slide 57: New Kind of Criminal
- Educated
- wear business suits, college educated
- may appear to be pillars of the community
- some are teens, college students
- mentally deranged
- overtly hostile
- extremely committed to a cause
People
Slide 58: Amateurs
- Most reported so far; however, this is changing!
- Not career criminals
- notice a security flaw, and exploit it
- misuse of resources at work, school
Slide 59: Crackers
- Gain access to systems, networks, or programs
- Hobby
- Peer pressure (see the crack groups)
- personal gain (free software)
- enjoy causing chaos, loss, or harm
Slide 60: Career Criminals and Groups
- Organized
- Committed to achieving goals
- do not advertise their deeds
- more than just money
- Warfare (look at China's 4th military branch!)
- Intellectual property
- Religious or political reasons
- Terror
Slide 61: Methods of Defense
Slide 62: Defensive Mechanisms
- Controls
- Encryption
- Software Controls
- internal program controls
- operating system controls
- development controls (formal methods)
- Hardware Controls
- encryption devices, dongles, limit access, verify user
Defense
Slide 63: Defensive Mechanisms
- Controls
- Policies: legal and ethical controls
- Slow to adopt legal methods
- Good ethics comes from within (parents need to be active)
- Physical Controls
- easiest, most effective, least expensive
- Network Controls
- Firewalls
- Automated monitoring
Slide 64: Effectiveness of Controls
- Awareness of the problem
- Likelihood of use
- Principle of Effectiveness: controls must be used to be effective. They must be efficient, easy to use, and appropriate.
- Overlapping controls
- Periodic review
- Test your controls! Try to hack in. Test your people! Test their passwords!