Kenya's Cybersecurity Challenges Explained

Kenya is facing a significant rise in cyber crimes, leading to an estimated annual loss of 2 billion shillings ($23.3 million) and threatening national security and citizen privacy. Key areas of concern include telecommunications, government services, and financial systems, with notable incidents such as hacking of government websites and military accounts. Effective computer security requires a balance of confidentiality, integrity, and availability, alongside a comprehensive security policy and various defensive measures.

Uploaded by jeffmuriuki478

Computer Security/Network security

Kenya is experiencing a growing number of cyber crimes (information security) that threaten national security, the information, communications and technology infrastructure, as well as citizens' privacy.
- The country is losing an estimated 2 billion shillings ($23.3 million) annually through cyber crime.

Examples:
- 77 Chinese nationals cuffed for Internet hacking in Kenya
  [Link] for-internet-hacking-in-kenya/
- Kenya Defence Forces Twitter account hacked.
  [Link] hack-government-of-kenya-at-will-and-the-state-is-helpless/#.VbdauJflxF4-
- Hacking of the Integrated Financial Management Information System (IFMIS), the nerve centre of Government of Kenya financial and fiscal data.
- In 2012, 128 government websites were hacked by an Indonesian hacker. After the incident the government promised to put in tighter controls.

[Barbara Endicott-Popovsky and Deborah Frincke, CSSE592/492, U. Washington]

Critical Infrastructure Areas
- Include:
  - Telecommunications
  - Electrical power systems
  - Water supply systems
  - Gas and oil pipelines
  - Transportation
  - Government services
  - Emergency services
  - Banking and finance
  - ...

What is Computer Security?
- Network/computer security is designed to protect your computer and everything associated with it: the building, the workstations and printers, cabling, and disks and other storage media. Most importantly, computer security protects the information stored in your system.
- Network/computer security is not only designed to protect against outside intruders who break into systems, but also against dangers arising from sharing a password with a friend, failing to back up a disk, or spilling a soda on a keyboard.
- There are three distinct aspects of security: Confidentiality, Accuracy (Integrity), and Availability (CIA).
- Having said this, we should emphasize that “Information Security” or “Cybersecurity” is more up-to-date terminology, since rarely are we concerned with the protection of a single computer system.

What is a “Secure” Computer System?
- To decide whether a computer system is “secure”, you must first decide what “secure” means to you, then identify the threats you care about.

You Will Never Own a Perfectly Secure System!

- Threats - examples:
  - Viruses, trojan horses, etc.
  - Denial of Service
  - Stolen customer data
  - Modified databases
  - Identity theft and other threats to personal privacy
  - Equipment theft
  - Espionage in cyberspace
  - Hacktivism
  - Cyberterrorism

Basic Components of Security: Confidentiality, Integrity, Availability (CIA)
- Confidentiality: Who is authorized to use data?
- Integrity: Is data “good”?
- Availability: Can we access data whenever we need it?
(Figure: C, I and A at the corners of a triangle around S = Secure)

Confidentiality
- A secure computer system must not allow information to be disclosed to anyone who is not authorized to access it. In highly secure government systems, secrecy ensures that users access only information they’re allowed to access.
- In business environments, confidentiality ensures the protection of private information such as payroll data.

Integrity (Accuracy, Authenticity)
- A secure computer system must maintain the continuing integrity of the information stored in it. Accuracy or integrity means that the system must not corrupt the information or allow any unauthorized malicious or accidental changes to it.
- In network communications, a related variant of accuracy known as authenticity provides a way to verify the origin of data by determining who entered or sent it, and by recording when it was sent and received.

Availability
- A secure computer system must keep information available to its users. Availability means that the computer system’s hardware and software keep working efficiently and that the system is able to recover quickly and completely if a disaster occurs.
- The opposite of availability is denial of service. Denial of service can be every bit as disruptive as actual information theft.

Need to Balance CIA
- Example 1: C vs. I+A
  - Disconnect the computer from the Internet to increase confidentiality
  - Availability suffers; integrity suffers due to lost updates
- Example 2: I vs. C+A
  - Have extensive data checks by different people/systems to increase integrity
  - Confidentiality suffers as more people see the data; availability suffers due to locks on data under verification

4. Vulnerabilities, Threats, and Controls
Understanding Vulnerabilities, Threats, and Controls
- Vulnerability = a weakness in a security system
- Threat = circumstances that have a potential to cause harm
- Controls = means and ways to block a threat, which tries to exploit one or more vulnerabilities
- Most of the class discusses various controls and their effectiveness
[Pfleeger & Pfleeger]

- Attack (materialization of a vulnerability/threat combination)
  = exploitation of one or more vulnerabilities by a threat; tries to defeat controls
- An attack may be:
  - Successful (a.k.a. an exploit), resulting in a breach of security, a system penetration, etc.
  - Unsuccessful, when controls block a threat trying to exploit a vulnerability
[Pfleeger & Pfleeger]

Threat Spectrum
- Local threats
  - Recreational hackers
  - Institutional hackers
- Shared threats
  - Organized crime
  - Industrial espionage
  - Terrorism
- National security threats
  - National intelligence
  - Info warriors

Kinds of Threats
- Interception: an unauthorized party (human or not) gains access to an asset
- Interruption: an asset becomes lost, unavailable, or unusable
- Modification: an unauthorized party changes the state of an asset
- Fabrication: an unauthorized party counterfeits an asset
[Pfleeger & Pfleeger]

Types of Malicious Code
- Logic bomb: malicious [program] logic that activates when specified conditions are met. Usually intended to cause denial of service or otherwise damage system resources.
- Trapdoor: a hidden computer flaw known to an intruder, or a hidden computer mechanism (usually software) installed by an intruder, who can activate the trapdoor to gain access to the computer without being blocked by security services or mechanisms.
- Trojan horse: a computer program that appears to have a useful function, but also has a hidden and potentially malicious function that evades security mechanisms, sometimes by exploiting legitimate authorizations of a system entity that invokes the program.
- Virus: a hidden, self-replicating section of computer software, usually malicious logic, that propagates by infecting (i.e., inserting a copy of itself into and becoming part of) another program. A virus cannot run by itself; it requires that its host program be run to make the virus active.
- Worm: a computer program that can run independently, can propagate a complete working version of itself onto other hosts on a network, and may consume computer resources destructively.
More types of malicious code exist… [cf. [Link]

Types of Attacks on Data CIA
- Disclosure: attack on data confidentiality
- Unauthorized modification / deception: e.g., providing wrong data (attack on data integrity)
- Disruption: DoS (attack on data availability)

DoS attack
- Short for Denial-of-Service attack.
- A denial of service (DoS) attack is an incident in which a user or organization is deprived of the services of a resource they would normally expect to have.
- Typically, the loss of service is the inability of a particular network service, such as e-mail, to be available, or the temporary loss of all network connectivity and services.
- A type of attack on a network that is designed to bring the network to its knees by flooding it with useless traffic.
- Many DoS attacks, such as the Ping of Death, exploit limitations in the TCP/IP protocols.
- For all known DoS attacks, there are software fixes that system administrators can install to limit the damage caused by the attacks. But, like viruses, new DoS attacks are constantly being dreamed up by hackers.

Vulnerabilities/Threats at Other Exposure Points
- Network vulnerabilities / threats
  - Networks multiply vulnerabilities and threats, due to:
    - their complexity => easier to make design/implementation/usage mistakes
    - “bringing close” physically distant attackers
  - Esp. wireless (sub)networks
- Access vulnerabilities / threats
  - Stealing cycles, bandwidth
  - Malicious physical access
  - Denial of access to legitimate users
- People vulnerabilities / threats
  - Crucial weak points in security: too often, the weakest links in a security chain
  - Honest insiders subjected to skillful social engineering
  - Disgruntled employees

Attackers
- Attackers need MOM:
  - Method: skill, knowledge, tools, etc. with which to pull off an attack
  - Opportunity: time and access to accomplish an attack
  - Motive: reason to perform an attack

Types of Attackers
- Classification 1
  - Amateurs
    - Opportunistic attackers (use a password they found)
    - Script kiddies
  - Hackers - nonmalicious (in broad use beyond the security community: also malicious)
  - Crackers - malicious
  - Career criminals
  - State-supported spies and information warriors
- Classification 2 (cf. before)
  - Recreational hackers / Institutional hackers
  - Organized criminals / Industrial spies / Terrorists
  - National intelligence gatherers / Info warriors

Example: Hacking As Social Protest
- Hacktivism
  - DDoS attacks on government agencies

[Barbara Endicott-Popovsky and Deborah Frincke, CSSE592/492, U. Washington]

Reacting to an Exploit
Exploit = successful attack
- Report to the vendor first?
- Report it to the public?
- What will the public relations effects be if you do/do not?

“To Report or Not To Report:” Tension between Personal Privacy and Public Responsibility
An info tech company will typically lose between ten and one hundred times more money from shaken consumer confidence than the hack attack itself represents if they decide to prosecute the case.

Mike Rasch, VP Global Security, testimony before the Senate Appropriations Subcommittee, February 2000, reported in The Register and online testimony transcript
[Barbara Endicott-Popovsky and Deborah Frincke, CSSE592/492, U. Washington]

Further Reluctance to Report
- One common fear is that a crucial piece of equipment, like a main server, say, might be impounded for evidence by over-zealous investigators, thereby shutting the company down.
- Estimate: fewer than one in ten serious intrusions are ever reported to the authorities.

Mike Rasch, VP Global Security, testimony before the Senate Appropriations Subcommittee, February 2000, reported in The Register and online testimony transcript
[Barbara Endicott-Popovsky and Deborah Frincke, CSSE592/492, U. Washington]

Methods of Defense
- Five basic approaches to defense of computing systems:
  - Prevent attack: block attack / close vulnerability
  - Deter attack: make attack harder (can’t make it impossible)
  - Deflect attack: make another target more attractive than this target
  - Detect attack: during or after
  - Recover from attack

Controls
- Computers today:
  - Encryption
  - Software controls
  - Hardware controls
  - Policies and procedures
  - Physical controls

Controls
- To minimize the amount of risk, it is important to understand that no single product can make an organization secure.
- True network security comes from a combination of products and services, combined with a thorough security policy and a commitment to adhere to that policy.
- A security policy is a formal statement of the rules that users must adhere to when accessing technology and information assets.
- It can be as simple as an acceptable use policy, or can be several hundred pages in length, and detail every aspect of user connectivity and network usage procedures.
- Some things to include in a security policy are:
  - identification and authentication policies,
  - password policies,
  - acceptable use policies,
  - remote access policies and
  - incident handling procedures.
- When a security policy is developed, it is necessary that all users of the network support and follow the security policy in order for it to be effective.
- A security policy should be the central point for how a network is secured, monitored, tested and improved upon.
- Security procedures implement security policies.
- Procedures define configuration, login, audit, and maintenance processes for hosts and network devices. They include the use of both preventative measures to reduce risk, as well as active measures for how to handle known security threats.

10.3. Some of the security tools and applications used in securing a network
Some of the security tools and applications used in securing a network include:
1. Software patches and updates - regular updates and patches
2. Virus protection - antivirus
3. Spyware protection
4. Spam blockers
5. Pop-up blockers
6. Firewalls

Multiple controls in computing systems can include:
- system perimeter - defines “inside/outside”
- preemption - attacker scared away
- deterrence - attacker could not overcome defenses
- faux environment (e.g. honeypot, sandbox) - attack deflected towards a worthless target (but the attacker doesn’t know about it!)
Note layered defense / multilevel defense / defense in depth (ideal!)

Controls: Encryption
- Primary controls!
- Cleartext scrambled into ciphertext (enciphered text)
- Protects CIA:
  - confidentiality - by “masking” data
  - integrity - by preventing data updates, e.g., checksums included
  - availability - by using encryption-based protocols, e.g., protocols ensure availability of resources for different users

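The Integrity section earlier says authenticity is about verifying who sent data, and the encryption slide above says integrity is protected by including checksums. The Python below is an added example, not code from the original slides: it contrasts an unkeyed checksum with a keyed one (HMAC-SHA256, a technique brought in here; the slides only say "checksums"). The shared key, the messages and the tampered copy are constructed sample values.

```python
"""Unkeyed checksum vs. keyed checksum (HMAC) for integrity and authenticity.

Added example, not from the original slides. A plain checksum catches
accidental corruption, but anyone who can change the message can also
recompute it. A keyed checksum (HMAC-SHA256) can only be produced by a
holder of the shared key, so it protects integrity against deliberate
changes and also indicates origin (authenticity). Key and messages are
constructed sample values.
"""
import hashlib
import hmac

# Constructed shared secret for the example; a real deployment would load
# it from a key store and rotate it.
SHARED_KEY = b"example-shared-key-not-for-real-use"


def plain_checksum(message: bytes) -> str:
    """Unkeyed SHA-256 digest: detects accidental corruption only."""
    return hashlib.sha256(message).hexdigest()


def keyed_tag(message: bytes, key: bytes = SHARED_KEY) -> str:
    """HMAC-SHA256 over the message: cannot be recomputed without the key."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify_plain(message: bytes, checksum: str) -> bool:
    """Check an unkeyed checksum (constant-time comparison)."""
    return hmac.compare_digest(plain_checksum(message), checksum)


def verify_keyed(message: bytes, tag: str, key: bytes = SHARED_KEY) -> bool:
    """Check a keyed tag; compare_digest avoids leaking, through timing,
    how many leading characters of a wrong tag were right."""
    return hmac.compare_digest(keyed_tag(message, key), tag)


def tamper_demo() -> dict:
    """A message is altered in transit; the tamperer can recompute the
    public checksum but, without the key, can only replay the old tag."""
    original = b"PAY 100 KES TO ACCOUNT 12345"  # constructed message
    checksum = plain_checksum(original)
    tag = keyed_tag(original)

    forged = b"PAY 9000 KES TO ACCOUNT 12345"   # altered copy
    forged_checksum = plain_checksum(forged)    # trivially recomputed

    return {
        "original_passes_both": verify_plain(original, checksum)
        and verify_keyed(original, tag),
        "forged_passes_plain_checksum": verify_plain(forged, forged_checksum),
        "forged_passes_keyed_tag": verify_keyed(forged, tag),
    }


if __name__ == "__main__":
    for name, outcome in tamper_demo().items():
        print(f"{name}: {outcome}")
```

The keyed tag covers integrity and authenticity only; the message itself is still readable, so the "masking" point on the slide needs encryption alongside it.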
Controls: Software Controls
- Secondary controls - second only to encryption
- Software/program controls include:
  - OS and network controls, e.g. IDS, IPS, logs/firewalls, OS/net virus scans, recorders
  - independent control programs (whole programs), e.g. password checker, virus scanner, IDS (intrusion detection system)
  - internal program controls (part of a program), e.g. read/write controls in DBMSs
  - development controls, e.g. quality standards followed by developers, incl. testing

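The DoS slides earlier describe flooding a network with useless traffic, and the list above names logs, firewalls and IDS as software controls that detect it. The Python below is an added example, not code from the original slides or from any IDS product: it runs a sliding-window rate check over firewall-style connection log lines and flags a source that floods. The log format and the log lines are constructed for this example.

```python
"""Rate-based flood detection over firewall-style connection logs.

Added example, not part of the original slides. It shows the kind of
check a simple IDS or log monitor performs: parse connection log lines,
count attempts per source address in a sliding time window, and raise an
alert for any source that exceeds a threshold, which is how a flooding
DoS attempt typically shows up in logs. The log format and the log
lines themselves are constructed for this example.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log format (constructed, not a real product's format):
# "<ISO-8601 timestamp> <ACCEPT|DROP> src=<ip> dst=<ip>:<port>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ACCEPT|DROP) src=(?P<src>[\d.]+) "
    r"dst=(?P<dst>[\d.]+):(?P<port>\d+)$"
)


def parse_line(line):
    """Return (timestamp, src, dst, port) or None for a malformed line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return (datetime.fromisoformat(m.group("ts")), m.group("src"),
            m.group("dst"), int(m.group("port")))


def detect_floods(lines, window_seconds=10, threshold=50):
    """Flag sources with more than `threshold` connection attempts inside
    any `window_seconds` span.

    Returns {src: (time_of_first_alert, attempts_in_window_at_that_time)}.
    Only the per-source time order of the lines matters.
    """
    recent = defaultdict(deque)  # src -> timestamps still inside the window
    alerts = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # malformed lines are skipped rather than trusted
        ts, src, _dst, _port = parsed
        q = recent[src]
        q.append(ts)
        # Evict attempts older than the window relative to this event.
        while q and (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) > threshold and src not in alerts:
            alerts[src] = (ts, len(q))
    return alerts


def sample_log():
    """Constructed sample: one normal client (5 connections over a
    minute), one source opening 80 connections in 4 seconds, and one
    unparseable line."""
    base = datetime(2024, 1, 1, 12, 0, 0)
    lines = []
    for i in range(5):
        t = base + timedelta(seconds=12 * i)
        lines.append(f"{t.isoformat()} ACCEPT src=10.0.0.5 dst=192.0.2.10:443")
    for i in range(80):
        t = base + timedelta(milliseconds=50 * i)
        lines.append(f"{t.isoformat()} ACCEPT src=203.0.113.7 dst=192.0.2.10:443")
    lines.append("this line is not in the expected format")
    return lines


if __name__ == "__main__":
    for src, (when, count) in detect_floods(sample_log()).items():
        print(f"ALERT {src}: {count} attempts within 10 s as of {when.isoformat()}")
```

The threshold and window are the tuning knobs the slides' "considerations" point at: set too low, the check fires on busy but legitimate clients; set too high, a slow flood goes unnoticed.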
- Considerations for software controls:
  - Impact on user’s interface and workflow, e.g. asking for a password too often?

Controls: Hardware Controls
- Hardware devices to provide a higher degree of security
  - Locks and cables (for notebooks)
  - Smart cards, dongles, hardware keys, ...
  - ...

Controls: Policies and Procedures
- Policy vs. Procedure
  - Policy: what is/what is not allowed
  - Procedure: how you enforce policy
- Advantages of policy/procedure controls:
  - Can replace hardware/software controls
  - Can be least expensive
- Policy - must consider:
  - Alignment with users’ legal and ethical standards
  - Probability of use (e.g. due to inconvenience)
    - Inconvenient: 200 character password, change password every week
    - (Can be) good: biometrics replacing passwords
  - Periodic reviews, as people and systems, as well as their goals, change

Controls: Physical Controls
- Walls, locks
- Guards, security cameras
- Backup copies and archives
- Cables and locks (e.g., for notebooks)
- Natural and man-made disaster protection
  - Fire, flood, and earthquake protection
  - Accident and terrorism protection
- ...

- A Kenyan hacker (27-year-old graduate of JKUAT) with a mission to correct costly omissions (earns between 100K and 2M per job)
  [Link] hacker-with-a-mission-to-correct-costly-omissions/