CIS 600 Topics in CIS CSE 691 Topics in CSE Internet Security Principles

1
CIS 600 Topics in CIS CSE 691 Topics in CSE
Internet Security Principles
  • Dr. Leonard Popyack
  • Spring 2001

2
This course will focus on the growing concern for
information security in telecommunications,
computers, networks, and satellite communication.
The main emphasis will be Network and Computer
security, particularly concerning the Internet.
3
Course Description: E-business is the de facto
way of doing business today and in the future.
Protecting your valuable information assets is
paramount to performing effectively. Everything
from outright cash to stocks and commodities to
customer credit card number information has been
stolen through the Internet. Even intellectual
property (like product designs, inventions,
even engineers' notes) has been stolen through the
Internet. Hackers have been able to ship
expensive items to their homes by
maliciously manipulating e-business ordering
software to accept the order for a fraction of
the real cost. How do they do this? What steps
are you taking to protect yourself? Are you doing
all you can? Are the people you trust doing all
they can? Can you trust everyone? This course
takes a very straightforward and practical
approach to information security. Often the most
basic principles of Internet security are not
being adhered to. You can make a difference in
the bottom line of your company or agency by
following the principles and techniques taught in
this course. The techniques the hackers use to
gain access to your systems will be demonstrated,
as well as effective techniques to prevent these
malicious acts.
4
Outline
  1. Introduction: Trust Cyberspace, some true stories
  2. Elements of Computer and Network Security:
     information protection, information warfare,
     information assurance, etc.; threats, risks,
     vulnerabilities. Introduction of basic encryption
     and decryption.
  3. Encryption properties.
  4. What is a security policy, how to develop a
     security policy, assurance issues
  5. Network security aspects, TCP/IP security issues,
     firewalls, filtering routers, data hiding
     (Steganography).
  6. Steganography and data hiding. In-depth details.
  7. Intrusion Detection Systems (IDS) (what to look for)
  8. Hacks and Cracks, including Password Crackers,
     Trojans, Sniffers.
  9. Applications security issues, database security,
     e-commerce security issues, intranets/extranet
  10. Insider Intrusion and detection
  11. Computer Network Forensics
  12. Very Practical Computer and Network Security
      Principles to follow (The basic cookbook).
      (never go without this checklist!)
  13. How to protect the high speed home user
      (cable modem, DSL, wireless).
  14. Red Teaming your enterprise and your people
5
Prerequisites: Graduate standing in computer
engineering, computer science, electrical
engineering, or permission of instructor. Some
knowledge of TCP/IP is useful.
7
Go over Class Mechanics Handout
8
My Questions
  • LAST Name
  • FIRST Name
  • Student ID
  • E-mail

9
My Questions
  • 1. How well do you understand TCP/IP and other
    protocols?
  • 2. Have you ever had a computer hit by a virus? If
    so, which?
  • 3. Have you ever worked with firewalls?
  • 4. Do you shop on-line and use your credit card?
  • 5. What networking classes have you had before?
  • 6. What (if any) computer security courses have
    you had?
  • 7. PhD student? MS?

10
My Questions?
  • 8. Ever use encryption for e-mail?
  • 9. Have you ever worked with steganography (data
    hiding)?
  • 10. Do you do a lot of programming?
  • 11. Do you do any banking on-line?
  • 12. Do you work for a company? Would you say
    their networked computers are secure? Why do you
    suggest that they are or are not?

11
Topics
  • Information Warfare
  • Information assurance (threats to e-commerce and
    intellectual property)
  • Vulnerabilities and risks
  • Intrusion detection
  • Computer Forensics
  • Hot topics in cyberspace (such as Back Orifice
    2000, IEEE 802.11b).
  • Data Hiding (Steganography)
  • Network security aspects, encryption
  • TCP/IP security issues, firewalls, filtering
    routers

12
Topics (Continued)
  • Database security
  • Web security issues
  • Intranets/extranets
  • Security Policies
  • Satellite data hacking (spoofing)
  • Hacks and Cracks
  • In-class demos where appropriate
  • Recent Events!!!

13
Textbook Readings
  • Our Text is Computer Security, 2nd edition, by
    Charles Pfleeger
  • Hacking Exposed: Network Security Secrets and
    Solutions, by Joel Scambray, et al. (Paperback)
  • Additional material will be drawn from:
  • "Network Security" by Charlie Kaufman, Radia
    Perlman, and Mike Speciner
  • Intrusion Detection, Edward Amoroso
  • Information Warfare and Security, Denning
  • E-Commerce Security, Anup Ghosh
  • Computer Forensics, IATAC
  • Information Hiding, Fabien Petitcolas and Stefan
    Katzenbeisser

14
Ethics!

15
  • Thou shall not use a computer to harm other
    people.
  • Thou shall not interfere with other people's
    computer work.
  • Thou shall not snoop around other people's
    computer files.
  • Thou shall not use a computer to steal.
  • Thou shall not use a computer to bear false
    witness.
  • Thou shall not copy or use proprietary s/w for
    which you have not paid.
  • Thou shall not use other people's computer
    resources without authorization or proper
    compensation.
  • Thou shall not appropriate other people's
    intellectual output.
  • Thou shall think about the social consequences of
    the program or system you are building.
  • Thou shall always use a computer in ways that
    insure consideration and respect for your fellow
    humans.

From the Computer Ethics Institute, Washington DC.
16
http://www.hackerz.org/help.html
17
Security Differences vs bits
  • Size (thousands of dollars worth of computers can
    fit in your briefcase)
  • Avoid physical contact: electronic fund transfers,
    direct deposit, automatic debits (mortgages,
    utility bills, fund transfers, etc.)
  • Value of Assets: value of information is high.
    Confidential information. Medical history, new
    products, customer lists, marketing strategy,
    military targets, weapons capabilities, logistic
    stores.

18
Security Today: Wild Wild West!
  • At least bankers of the early 1800s knew the
    value of money.
  • Many companies don't know the value of
    information. Intellectual Property.
  • If you think there is a Cyber Crime, then what?
    Call a Cyber Cop?
  • All about TRUST! Would you bank at a bank which
    loses 10M yearly to Cyber Crooks?

19
We will
  • Examine the risks of security (computer and
    network)
  • Consider available countermeasures and controls
  • Stimulate your thought about uncovered
    vulnerabilities
  • Examine Specific Topics

20
Characteristics of Computer intrusion
  • Target may be any piece of a computer system.
  • A computer system includes hardware, software,
    storage media, data, networks, and people.

21
Principle of Easiest Penetration
  • An intruder must be expected to use any available
    means of penetration. This is not necessarily the
    most obvious means, nor is it necessarily the one
    against which the most solid defense has been
    installed.

22
Terms
  • Exposure: Loss or harm from unauthorized
    disclosure of data, modification of data, or
    denial of service (DoS).
  • Vulnerability: A weakness in the security system.
  • Threat: Circumstances that have the potential to
    cause loss or harm (human attacks, natural
    disasters, human error, software flaws).

23
Terms (continued)
  • Control: A protective measure which reduces
    vulnerability. This can be an action, device,
    procedure, or technique.

24
Major Assets
  • Computer
  • Software
  • Data
  • Network

25
System Security Threats
  • Exposures

26
Interruption
  • An asset (computer, software, data, network
    connectivity) becomes lost, unavailable, or
    unusable.

Exposure
27
Human Interruption
Exposure
28
Interception
  • Unauthorized party gained access to an asset
    (computer, software, data, network)

Exposure
29
Modification
  • Tampers with an asset. Example: DNS table, data,
    software, hardware.

Exposure
30
Fabricate
  • Counterfeit objects. Credit card Numbers.
    Forgeries.

Exposure
35
Credit Master Demo

36
Security Goals
  • Maintain Three Characteristics
  • Confidentiality
  • Integrity
  • Availability

Security Goals
37
Confidentiality
  • Assets (computer, software, data, network
    connectivity) are accessible only by authorized
    parties.
  • Read Access?
  • Write Access?
  • Even knowing the existence of an object.
  • Sometimes called secrecy or privacy

Security Goals
38
Integrity
  • Assets modified only by authorized parties or in
    authorized ways.
  • Includes creating and deleting.

Security Goals
39
Availability
  • Assets are accessible to authorized parties.
  • Authorized parties are not prevented from
    accessing objects to which they have legitimate
    access.

Security Goals
40
These three goals can overlap and even be
mutually exclusive.
[Diagram: Confidentiality, Integrity, Availability]
Security Goals
41
Vulnerabilities
  • Threats to Hardware
  • Threats to Software
  • Threats to Data
  • Threats to Network

42
Vulnerabilities
[Diagram: NETWORK, with labels Interruption, Denial of Service, Interception, Modification]
43
Threats to Hardware
  • Physical Device (visible, simple point of attack)
  • Drenched with water, Gasoline, beer, soda
  • Burned, gassed, electrocuted
  • Mice chew on cables, dust, ash
  • Kicked, slapped, thrown, punched, jarred
  • Shot with guns, stabbed, metal objects to short
    out circuits, acid, ferric chloride (PCB etch),
    coins, hammers, ice picks, run over with cars!

Vulnerabilities
44
RAMBO!
45
Threats to Software
  • VERY IMPORTANT COMPONENT
  • operating system
  • utility programs
  • application programs
  • connectivity components
  • data base components

Vulnerabilities
46
Threats to Software
  • Very different than Hardware threats
  • May not leave an obvious mark
  • May not change function of your favorite
    programs.
  • Some can be subtle. Some can go S-L-O-W
  • Some are hidden very well. (Steganography)
  • Some are dynamic (change on their own), which
    lets them evade signature detection.

Vulnerabilities
47
Threats to Software (cont)
  • Software Deletion
  • Some threats will try to delete software or data
  • Some are accidental by the intended user!
  • Cure: Maintain good configuration management!
  • Software Modification
  • a working program is modified to fail, or to
    cause it to do some unintentional task.

Vulnerabilities
48
Threats to Software (cont)
  • Software Modification (cont)
  • Subtle changes -- LOGIC BOMB
  • Timer sets it to go off after an action, event,
    time, or a watchdog timeout.
  • Can destroy data, modify data, send data, load
    new data, transfer funds, etc.
  • Hidden Side Effects
  • Trojan Horse - overtly does one thing while
    covertly doing another
  • Virus - specific type of Trojan to spread
    infection
  • Trapdoor - program which has a secret entry point
  • Information Leaks - make information accessible
    to unintended people or programs

Vulnerabilities
49
Threats to Software (cont)
  • Software Theft
  • Unauthorized copying of software
  • WARZ (application software copies)
  • CRACKS a.k.a. CRAKZ (serial numbers,
    keygenerators)
  • MANY WEB SITES, FTP SITES, CRACK SITES.
  • ALMOST ANYTHING YOU WANT IS DOWNLOADABLE TODAY!!!!

Vulnerabilities
50
Threats to Data
  • Data is more readable to public.
  • Data attacks are widespread, and data is perhaps
    more vulnerable than hardware or software.
  • Networks make data attacks accessible to all
    parts of the world.
  • Data is V-A-L-U-A-B-L-E!!!!!

Vulnerabilities
51
Principle of Adequate Protection
  • Computer items must be protected only until they
    lose their value. They must be protected to a
    degree consistent with their value.

Things with a short life can be protected with
security measures which are effective for a short
lifetime.
52
3 Quantities of Data Security
  • DATA CONFIDENTIALITY
  • DATA INTEGRITY
  • DATA AVAILABILITY

Vulnerabilities
53
Data Confidentiality
  • Data can be gathered in many ways
  • Wiretaps
  • bugs in output devices
  • sifting through trash
  • monitoring RF
  • bribing key employees
  • inferring data (Clancy)
  • request it! FOIA

Vulnerabilities
54
Data Integrity
  • Stealing, buying, hearing (no computer)
  • Making or modifying data for computer
    interpretation. To the crook's advantage!
  • Penny attacks, Salami attack, interest
    calculations.
  • Interception and Replay

Vulnerabilities
55
Other Exposed Data Assets
  • Storage Media
  • garbage never goes away!
  • Networks
  • Data is exposed
  • no control over routing
  • Access to equipment
  • Key People (weak points)

Vulnerabilities
56
People

57
New Kind of Criminal
  • Educated
  • wear business suits, college educated
  • may appear to be pillars in community
  • some are teens, college students
  • mentally deranged
  • overtly hostile
  • extremely committed to a cause

People
58
Amateurs
  • Most reported so far, however, this is changing!
  • Not career criminals
  • notice a security flaw, and exploit it
  • mis-use of resources at work, school

People
59
Crackers
  • Gain access to systems, networks, or programs
  • Hobby
  • Peer pressure (see the crack groups)
  • personal gain (free software)
  • enjoy causing chaos, loss, or harm

People
60
Career Criminals Groups
  • Organized
  • Committed to achieving goals
  • do not advertise their deeds
  • more than just money
  • Warfare (look at China's 4th military branch!)
  • Intellectual property
  • Religion or political reasons
  • Terror

People
61
Methods of Defense

62
Defensive Mechanisms
  • Controls
  • Encryption
  • Software Controls
  • internal program controls
  • operating system controls
  • development controls (formal methods)
  • Hardware Controls
  • encryption devices, dongles, limit access, verify
    user

Defense
63
Defensive Mechanisms
  • Controls
  • Policies - legal and ethical controls
  • Slow to adopt legal methods
  • Good ethics comes from within (parents need to be
    active)
  • Physical Controls
  • easiest, most effective, least expensive
  • Network Control
  • Firewalls
  • Automated monitoring

Defense
64
Effectiveness of Controls
  • Awareness of Problem
  • Likelihood of Use
  • Principle of Effectiveness: Controls must be used
    to be effective. They must be efficient, easy to
    use, and appropriate.
  • Overlapping controls
  • Periodic Review
  • Test your controls! Try to hack in. Test your
    people! Test their passwords!

Defense