Computer & Network Security
Outlines
• Definition of computer and network security
• Security Terminology
• Weaknesses and Vulnerabilities
• Identification and Authentications
• Authentication Mechanism
• Computer System and Network Intrusions
• Internet Etiquette
• Security Management
Definition of computer and network security
• Definitions: Security
• Security is about the protection of assets *
• Protective measures
  – Prevention: take measures that prevent assets from being damaged
  – Detection: take measures that are able to detect when an asset has been damaged
  – Reaction: take measures that are able to recover from a damage
* From: Gollmann D., Computer Security, John Wiley & Sons, 1999
Definition of computer and network security
• Information security: the tasks of guarding digital information
• Information:
  – Typically processed by a computer
  – Stored on some devices
  – Transmitted over a network
• A protection method: ensures that protective measures are properly implemented
Definition of computer and network security
• Computer security
  – No absolute “secure” system
  – Security mechanisms protect against specific classes of attacks
Definition of computer and network security
• Network security
  – Security of data in transit
    • Over a network link
    • Over a store-and-forward node
  – Security of data at the end point
    • Files
    • Email
    • Hardcopies
Definition of computer and network security
• Network security differences from computer security:
  – Attacks can come from anywhere, anytime
  – Highly automated (scripts)
  – Physical security measures are inadequate
  – Wide variety of applications, services, protocols
  – Complexity
  – Different constraints, assumptions, goals
  – No single “authority”/administrators
Security Terminology
• Security attack
• Security mechanism
• Security service
• Risk
• Risk Analysis
• Spies
• Cyberterrorists
Security Terminology
• Security attack: any action that compromises the security of information
• Security mechanism: a mechanism designed to detect, prevent, or recover from a security attack
• Security service: a service that enhances the security of data processing systems and information transfers; makes use of one or more security mechanisms
Security Terminology
• Risk: a measure of the cost of a realised vulnerability that incorporates the probability of a successful attack
• Risk analysis: provides a quantitative means of determining whether an expenditure on safeguards is warranted
Security Terminology
• Spies: a person who
  – Has been hired to break into a computer and steal information
  – Does not randomly search for unsecured computers to attack
• Cyberterrorists: terrorists that attack the network and computer infrastructure to
  – Deface electronic information (such as web sites)
  – Deny service to legitimate computer users
  – Commit unauthorised intrusions into systems and networks that result in infrastructure outages and corruption of vital data
Weaknesses, Vulnerabilities and Threats
Weaknesses and Vulnerabilities
• Vulnerability: a weakness in a system allowing an attacker to violate the confidentiality, integrity, availability
• May result from
  – Software bugs
  – Software or system design flaws
Weaknesses and Vulnerabilities
• Vulnerability: examples of vulnerabilities
  – Buffer overflows
  – Race conditions
  – Unencrypted protocols
  – Bad/insufficient sanity checks
  – Backdoors
  – Unqualified trust
• Some of these vulnerabilities are described later
Threats
• Threat means a person, thing, event which poses some danger to an asset in terms of that asset’s confidentiality, integrity, availability
• Accidental threats
• Deliberate threats: passive and active
• Examples of threats
  – Hacker/cracker
  – Script kiddies
  – Spies and malware
  – Denial-of-service (DoS) attack
  – Zombies
  – Insecure/poorly designed applications
Threats
Hacker/cracker**
• Hacker: a person who uses his/her advanced computer skills to attack computers, but not with a malicious intent; hackers use their skills to expose security flaws.
• Cracker: a person who violates system security with malicious intent. Crackers destroy data, deny legitimate users of services, and cause serious problems on computers and networks.
** from: M. Ciampa, Security+ guide to network security fundamentals, Thomson course technology, 2005
Threats
• Script kiddies: want to break into computers like crackers, but are unskilled users who download software from web sites and use it to break into computers
• Spies: a person who
  – Has been hired to break into a computer and steal information
  – Does not randomly search for unsecured computers to attack
• Malware: a group of destructive programs such as viruses, worms, Trojan horses, logic bombs, and spyware
Threats
• Virus: a computer program that can copy itself and infect a computer without the permission or knowledge of the user
  – Spreads from one computer to another when its host (such as an infected file) is taken to that computer
  – Viruses always infect or corrupt files on a targeted computer
• Worm: a computer program that
  – Is a self-replicating code
  – Resides in active memory (the program is executed)
  – Propagates itself: uses a network to send copies of itself to other nodes
  – Can spread itself to other computers without needing to be transferred as part of an infected file
  – Always harms the network
Threats
• Trojan horse: a program that installs malicious software while under the guise of doing something else
  – Differs from a virus in that a Trojan horse does not insert its code into other computer files
  – Appears harmless until executed
• Logic bomb: a program that is inactive until it is triggered by a specific event, e.g. a certain date being reached
  – Once triggered, the program can perform many malicious activities
  – Is difficult to defend against
Threats
• Spyware: a computer program that is installed surreptitiously on a personal computer to intercept or take partial control over the user’s interaction with the computer, without the user’s awareness
  – Installing additional software
  – Redirecting web browser activity
  – Secretly monitors the user’s behaviour
  – Collects various types of personal information
Threats
• Denial-of-service (DoS) attack: a threat that prevents legitimate traffic from being able to access the protected resource
  – Common DoS: crashes a targeted service or server
  – Normally done by
    • Exploiting a program buffer overflow problem
    • Sending too many packets to a host, causing the host to crash
Threats
• Zombies: systems that
  – Have been infected with software (e.g. Trojan or back doors)
  – Are under the control of attackers
  – Can be used to launch an attack against other targets
• Insecure/poorly designed applications: one of the most difficult threats to detect
Identification and Authentications
• Authentication Basics
• Passwords
• Biometrics
• Multiple methods
Authentication Basics
• Authentication: a process of verifying a user’s identity
• Two reasons for authenticating a user
  – The user identity is a parameter in the access control decision (for a system)
  – The user identity is recorded when logging security-relevant events in an audit trail
Authentication Basics
• Authentication: binding of an identity to a principal (subject)
  – An identity must provide information to enable the system to confirm its identity
  – Information (one or more of)
    • What the identity knows (such as a password or secret information)
    • What the identity has (such as a badge or card)
    • What the identity is (such as fingerprints)
    • Where the identity is (such as in front of a particular terminal)
Authentication Basics
• Authentication process
  – Obtaining information from the identity
  – Analysing the data
  – Determining if it is associated with that identity
• Thus: the authentication process is the process of verifying a claimed identity
Authentication Basics
• Username and Password: very common and simple identities, used to enter into a system
  – Username
    • Announces who a user is
    • This step is called identification
  – Password
    • To prove that the user is who he/she claims to be
    • This step is called authentication
Authentication Mechanism
• Password
• Password Aging
• One-Time Password
Passwords
• Passwords: based on what people know
  – User supplies a password
  – Computer validates it
  – If the password is associated with the user, then the user’s identity is authenticated
Passwords
• Choosing passwords
  – Password guessing attack is very simple and always works!!
    • Because users are not aware of protecting their passwords
  – Password choice is a critical security issue
    • Choose passwords that cannot be easily guessed
• Password defences
  – Set a password on every account
  – Change default passwords
  – Password length: a minimum password length should be prescribed
Passwords
• Password defences
  – Password format
    • Mix upper and lower case symbols
    • Include numerical and other non-alphabetical symbols
  – Avoid obvious passwords
Passwords
• How to improve password security?
  – Password checker tool
    • Checks passwords against some dictionary of weak passwords
  – Password generation
    • A utility in some systems
    • Produces random passwords for users
  – Password aging
    • A requirement that the password be changed after some period of time
    • Required mechanisms
      – Forcing users to change to a different password
      – Providing notice of the need to change
      – A user-friendly method to change the password
Passwords
• How to improve password security?
  – One-Time Password
    • A password is valid for only one use
  – Limit login attempts
    • A system monitors unsuccessful login attempts
    • Reacts by locking the user account if the login process fails
  – Inform user
    • After a successful login the system displays
      – The last login time
      – The number of failed login attempts
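The "limit login attempts" and "inform user" defences above, as an added Python example that is not from the slides: a login monitor that counts failed attempts per account, locks the account after a threshold, and on a successful login returns the previous login time and the number of failures since it. The threshold and lockout period are assumed policy values; times are plain epoch seconds.

```python
class LoginMonitor:
    """Tracks unsuccessful login attempts per account, locks the account
    after a threshold of consecutive failures, and on a successful login
    returns what the slide says the user should be shown: the previous
    successful login time and the number of failed attempts since it."""

    def __init__(self, max_failures=5, lockout_seconds=900):
        # Assumed policy values; the slides prescribe no specific numbers.
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.failures = {}      # account -> consecutive failed attempts
        self.locked_until = {}  # account -> epoch seconds when the lock expires
        self.last_login = {}    # account -> epoch seconds of last successful login

    def is_locked(self, account, now):
        until = self.locked_until.get(account)
        return until is not None and now < until

    def record_failure(self, account, now):
        """Count one failed attempt. Returns 'locked' once the threshold is
        reached (or while a lock is still active), otherwise 'failed'."""
        if self.is_locked(account, now):
            return "locked"
        if account in self.locked_until:
            # An earlier lock has expired: start a fresh count.
            del self.locked_until[account]
            self.failures[account] = 0
        self.failures[account] = self.failures.get(account, 0) + 1
        if self.failures[account] >= self.max_failures:
            self.locked_until[account] = now + self.lockout_seconds
            return "locked"
        return "failed"

    def record_success(self, account, now):
        """Called only after the password itself verified. Returns None while
        the account is locked (a correct password does not unlock it);
        otherwise returns the notice to display and resets the counters."""
        if self.is_locked(account, now):
            return None
        notice = {
            "last_login": self.last_login.get(account),
            "failed_attempts_since": self.failures.get(account, 0),
        }
        self.failures[account] = 0
        self.locked_until.pop(account, None)
        self.last_login[account] = now
        return notice
```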
Attacking a Password System
• Password guessing
  – Exhaustive search (brute force)
    • Try all possible combinations of valid symbols
  – Dictionary attack
  – Random selection of passwords
  – Pronounceable and other computer-generated passwords
  – User-selected passwords
    • Passwords based on
      – Account names
      – User names
      – Computer names, etc.
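An added Python example (not from the slides) of the password checker tool described earlier, tied to the guessing attacks listed above: it applies the slides' format rules, looks the password up in a weak-password dictionary after undoing common decorations, and rejects passwords derived from the account, user or computer name. The minimum length and the dictionary contents are constructed assumptions.

```python
import re

# Constructed mini-dictionary of weak passwords; a real checker loads a large
# wordlist (the slides' "dictionary of weak passwords").
WEAK_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome",
                  "admin", "secret", "monkey"}

# Assumed policy value: the slides say a minimum length should be prescribed
# but give no number.
MIN_LENGTH = 10

# Common letter-for-symbol substitutions, undone before the dictionary lookup.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})


def normalise(password):
    """Strip leading/trailing digits and symbols and undo leet substitutions,
    so that 'P@ssw0rd1!' is compared against the dictionary as 'password'."""
    core = re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", password) or password
    return core.lower().translate(LEET)


def name_tokens(*names):
    """Tokens of three or more characters taken from account, user and
    computer names, the sources the slide lists for user-selected passwords."""
    tokens = set()
    for name in names:
        tokens.update(t.lower() for t in re.findall(r"[A-Za-z0-9]{3,}", name))
    return tokens


def check_password(password, account_name="", user_name="", computer_name=""):
    """Return the list of policy rules the password fails (empty = accepted)."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append("too_short")
    if not (re.search(r"[a-z]", password) and re.search(r"[A-Z]", password)):
        failures.append("no_mixed_case")
    if not re.search(r"[0-9]", password):
        failures.append("no_digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        failures.append("no_symbol")
    if password.lower() in WEAK_PASSWORDS or normalise(password) in WEAK_PASSWORDS:
        failures.append("dictionary_word")
    lowered = password.lower()
    for token in name_tokens(account_name, user_name, computer_name):
        # Forward and reversed forms of the name are both easy guesses.
        if token in lowered or token[::-1] in lowered:
            failures.append("based_on_name")
            break
    return failures
```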
Biometrics
• The automated measurement of biological or behavioural features that identifies a person
• Method
  – A set of measurements of a user is taken (recorded) when a user is given an account
  – When a user accesses the system, the biometric authentication mechanism identifies the identity
Biometrics
• Fingerprints
• Voices
• Eyes
• Faces
• Keystrokes
  – Keystroke intervals
  – Keystroke pressure
  – Keystroke duration
• Combinations
Computer System and Network Intrusions
Intrusion Profiles
• Exploiting passwords
• Exploiting known vulnerabilities
• Exploiting protocol flaws
• Examining source files for new security flaws
• Denial of service attacks
• Abusing anonymous FTP
• Installing sniffer programs
• IP source address spoofing
Typical Network Intrusions
• Locate a system to attack
  – New systems
  – Network sweeps
• Gain entry to a user’s account
  – No password or easy-to-guess password
  – Sniffed password
• Exploiting a system configuration weakness or software vulnerability to obtain access to a privileged account
Typical Network Intrusion
Once inside, an intruder may:
• Remove traces from auditing records
• Install a back door for future use
• Install Trojan horse programs to capture system and account information
• Jump to other hosts on your network
• Use your system to launch attacks against other sites
• Modify, destroy, or inappropriately disclose information
Why Should You Care
• Protect your own operational environment
• Protect your users’ data
• Provide service to your users
What Should You Do?
Stay current with security issues
Internet Etiquette 1
Do:
• Understand and respect security policies
• Take responsibility for your own security
• Respect other Internet neighbours
• Cooperate to provide security
Internet Etiquette 2
Avoid:
• Unauthorised access to other accounts and systems
• Cracking password files from other systems
• Sharing accounts
• Unauthorised access to unprotected files
• Reading the e-mail of other users
• Disrupting service
Security Management
• Understanding Security
• Writing a security policy
• Monitoring the network
• Auditing the network
• Preparing for an attack
• Handling an attack
• Forensics
• Log analysis
• Damage control
Understanding Security: Security Objectives**
• Confidentiality: confidentiality is the term used to prevent the disclosure of information to unauthorized individuals or systems.
• Integrity: in information security, integrity means that data cannot be modified undetectably.
• Availability: for any information system to serve its purpose, the information must be available when it is needed.
(CIA)
** http://en.wikipedia.org/wiki/Information_security
Understanding Security
• What are we protecting?
  – Assess value
  – Protection cost
• Thinking like a defender
  – List of problems that might happen in various situations
• The organisation we are protecting
  – Business types: different levels of security
Understanding Security
The process of security (1)
Expands on this endless loop
• Endless loop of security
  – Learn everything about the threats
    • The Internet is full of information: how to protect a system, how to break in to a system, system vulnerabilities, etc.
  – Design everything well before implementing!! Analysis must come before synthesis!!
Understanding Security
The process of security (2)
• Endless loop of security
  – Think “pathologically” about the design (or “think evil thoughts”)
  – Implement it the way it is designed
  – Never let any component be altered from the design
  – Continuously recheck it to make sure that it has not changed, such as configuration changes in routers/computers
  – Practice running it to make sure that you understand it and can operate it correctly
Understanding Security
The process of security (3)
• Endless loop of security
  – Make it simple for others to do what you want them to do
  – Make it hard for people to do what you do not want them to do
  – Make it easy for you to detect problems
  – Make it difficult to hide what you do not want to be hidden
  – Test everything you can test
  – Practice everything you can practice
  – Improve anything you can improve
  – Repeat this process endlessly, at all levels of detail
Writing a Security Policy
Security Policy: Definitions
(1) Information security policy **
• Objective: to provide management direction and support for information security in accordance with business requirements and relevant laws and regulations
** ISO/IEC 17799:2005(E)
Writing a Security Policy
Security Policy: Definition
(2) [Ciampa]: “The backbone of any infrastructure is its security policy. Without a policy that clearly outlines what needs to be protected, how it should be protected, and what users can – and cannot – do in support of the policy, there is no effective security.”
Writing a Security Policy
Security Policy: a document or set of documents that
• Clearly defines the defence mechanisms an organisation will employ to keep information secure
• Outlines how the organisation will respond to attacks
• Outlines the duties and responsibilities of its employees for information security
Writing a Security Policy
Security Policy: Definition
(3) [Northcutt]: A security policy establishes what you must do to protect information stored on computers. A well-written policy contains sufficient definition of “what” to do so you can identify and measure, or evaluate, “how”.
Writing a Security Policy
Purpose of a Security Policy
• Describes what is being protected and why
• Sets priorities about what must be protected first and at what cost
• Allows an explicit agreement to be made with various parts of the organisation regarding the value of security
• Provides the security department with valid reasons to say “no” when that is needed
• Provides the security department with backing for the “no”
• Prevents the security department from acting illegally
Writing a Security Policy
Security Policy: trade-offs suggested by Wadlow
• A good policy today is better than a great policy next year
• A weak policy that is well distributed is better than a strong policy no one has read
• A simple policy that is easily understood is better than a complicated and confusing policy that no one ever bothers to read
• A policy whose details are slightly wrong is better than a policy with no details at all
• A living policy that is constantly updated is better than one that grows obsolete over time
Writing a Security Policy
• An amateur (simple) policy: State a coup
• A formal policy: follow some guidelines/standards
Suggestion: a suggestion to get a decent policy for an organisation (which currently has no security policy)
1. Write a security policy for your organisation
  – Say nothing specific; state generalities
  – Should cover no more than 5 pages
  – Should not take more than 2 days to write
  – Don’t ask for help, do it yourself
  – Don’t try to make it perfect, just try to get some key issues written down
  – It doesn’t have to be complete
  – It doesn’t have to be crystal clear
(From: T. A. Wadlow, The process of network security)
Writing a Security Policy
Suggestion (cont.)
1. Find 3 people who are willing to become the “security committee”; their job is
  – To make rulings and amendments to the policy
  – To be judges, not enforcers
2. Create an internal web site with
  – Policy page
  – Committee contact information
  – Amendments: approved and added to the web site as quickly as possible
Writing a Security Policy
Suggestion (cont.)
3. Treat the policy as if it were the absolute rule of law
  – Do not violate the policy
  – Allow no violation to occur
4. If someone has a problem with the policy
  – Have the person propose an amendment
  – The policy committee members need to agree
  – Make an amendment
Writing a Security Policy
Suggestion (cont.)
5. Schedule a regular meeting to consolidate the policy and amendments
  – Once a year, for example
  – Involve you and the security committee, the current security policy and the amendments
  – Make new policy statements
6. Repeat processes 3-6
Writing a Security Policy
Contents
• What are we protecting?
  – Describe in detail the types of security levels expected in an organisation
  – Characterise the machines on the network (for example)
Writing a Security Policy
Contents (cont.)
• Red: contains extremely confidential information or provides mission-critical service
• Yellow: contains sensitive information or provides important service
• Green: able to access red or yellow machines but does not directly store sensitive information or perform crucial function
• White: unable to access red, yellow, or green systems but not externally accessible. No sensitive information or function
• Black: externally accessible. Unable to access red, yellow, green or white systems
Writing a Security Policy
Contents (cont.)
• Methods of protection
  – Describe levels of protection and priorities for protection, for example:
Writing a Security Policy
Contents (cont.)
Organisation priorities (1 = high priority, 5 = low priority):
1. Health and human safety
2. Compliance with applicable local, state, and federal laws
3. Preservation of the interests of the organisation
4. Preservation of the interests of partners of the organisation
5. Free and open dissemination of non-sensitive information
Describe general policies for access to each category of system:

Category  Network access                   Qualification                                                      Cycle*
Red       Red networks only                Red-cleared employees only                                         Monthly
Yellow    Yellow and red networks          Employees only                                                     Quarterly
Green     Yellow, red, and green networks  Employees and cleared contractors                                  Yearly
White     White networks only              Employees and contractors                                          Yearly
Black     Black networks only              Employees, contractors, and public (through cleared access means)  Monthly
Writing a Security Policy
Contents (cont.)
• Responsibility: describes the responsibilities and privileges that are accorded each class of system user, e.g.
  – General
    • Knowledge of this policy
    • All actions in accordance with this policy
    • Report any known violations of this policy to security
    • Report any suspected problems with this policy to security
  – Sysadmin/operations
    • All user information to be treated as confidential
    • No authorised access to confidential information
    • Indemnified for any action consistent with the systems administrator code of conduct
Writing a Security Policy
Contents (cont.)
  – Security Administrator
    • Highest level of ethical conduct
    • Indemnified for any action consistent with the security officer code of conduct
  – Contractor
    • Access to specifically authorised machines in a specifically authorised fashion
    • Request advance authorisation in writing for any actions which might be interpreted as a security issue
  – Guest
    • No access to any computing facilities except with written advance notice to security
Writing a Security Policy
Contents (cont.)
• Appropriate Use: describe the ways in which employees should not use the network
  – General
    • Minimal personal use during normal business hours
    • No use of the network for outside business activity
    • Access to Internet resources consistent with HR policies
  – Sysadmin
    • Responsible access to sensitive or personal information on the network
    • All special access justifiable for business operations
Writing a Security Policy
Contents (cont.)
  – Security Personnel
    • Responsible access to sensitive information on the network
    • All special access justifiable for business operations
    • Use of security tools for legitimate business purposes only
  – Contractor
    • No personal access at any time
    • Minimal use of the network and only for specific reasons relating to specific contracts
  – Guest
    • No use of the network at any time
Writing a Security Policy
Contents (cont.)
• Consequence: describe the way in which the magnitude of a policy violation is determined and the categories of consequences. Examples:
  – Security review board
  – Penalties: critical, serious, limited
Writing a Formal Policy
Known as “risk-based security management”.
• Risk: combination of the probability of an event and its consequence
• Risk analysis: systematic use of information to identify sources and to estimate the risk
• Risk evaluation: process of comparing the estimated risk against given risk criteria to determine the significance of the risk
Writing a Formal Policy
Risk (cont.)
• Risk assessment: overall process of risk analysis and risk evaluation
• Risk management: coordinated activities to direct and control an organization with regard to risk
Writing a Formal Policy
Some guidelines
• ISO/IEC 17799:2005(E)
• SANS guidelines: www.sans.org/security-resources/policies
• NIST guidelines: http://csrc.nist.gov/index.html
• etc.
ISO/IEC 17799:2005(E) Security Policy
Should contain
• Definitions of information security, overall objectives and scope, importance of security
• A statement of management intent
• A framework for setting control objectives and controls, including the structure of risk assessment and risk management
ISO/IEC 17799:2005(E) Security Policy
• A brief explanation of the security policies, principles, standards, and compliance requirements of particular importance to the organization, including
  – Compliance with legislative, regulatory, and contractual requirements;
  – Security education, training, and awareness requirements;
  – Business continuity management;
  – Consequences of information security policy violations;
ISO/IEC 17799:2005(E) Security Policy
• A definition of general and specific responsibilities for information security management, including reporting information security incidents;
• References to documentation which may support the policy, e.g. more detailed security policies and procedures for specific systems, or security rules users should comply with.
ISO/IEC 17799:2005(E) Security Policy
Review of the information security policy
• The information security policy should be reviewed
  – At planned intervals, or
  – If significant changes occur
• To ensure its continuing suitability, adequacy, and effectiveness
Example of Security Policy Format
1. Purpose/Overview
2. Scope
3. Policy
4. Enforcement
5. Revision history
Example of Policies (suggested by SANS*)
• Organization Policy
• Audit policy
• Computer security policy
• Desktop security policy
• Email security policy
• Internet security policy
• Mobile security policy
• Network security policy
• Physical security policy
• Server security policy
• Wireless security policy
* www.sans.org/security-resources/policies
Monitoring Your Network
• The Shape of Logging System
• What to Log
• Logging Mechanisms
• Time
• Sensor
• Log Management
Monitoring Your Network
Goals of a monitoring system
• Reduce the likelihood of an attack going unlogged
• Increase the likelihood that the events logged for an attack will be recognized as an attack
The Shape of Logging System
Problems of a logging system
• What events should be logged?
  – If every event is logged, the log file will be very large
  – If only selected events are logged, some crucial events might not be logged!!
• Log files can be tampered with by attackers to delete attack traces
  – Attackers can tamper with the log file if the logs are accessible to them
The Shape of Logging System
Logs should not be accessible to an attacker
• Mechanisms that can deny access to logs
  – The logs are kept on a separate machine
  – The logs are encrypted
  – The logs are stored on write-only media
  – The logs are stored in multiple places
The Shape of Logging System
Logs should not be tampered with: tampering efforts should be easily detected
• Achieved by
  – Cryptographically signing each log entry to detect invalid entries
  – Monitoring the log entries to look for a sudden decrease in log size, which indicates that log entries have been deleted
  – Assigning a sequence number to each log entry and verifying that the sequence is unbroken
What to Log
• The network should log any events necessary to detect known attack patterns
• The network should log any events necessary to detect unusual patterns of access
Logging Mechanisms
Syslog
• The most common network logging mechanism
• Runs on Unix systems
• Components
  – Syslog daemon
  – Syslog ruleset
  – Syslog-enabled programs
Syslog
Syslog daemon
• A program that runs in the background on all machines using syslog
• Serves several purposes
  – Collects messages from syslog-enabled programs on the machine hosting it
  – Collects certain messages from the system that are not syslog-enabled (such as kernel messages regarding start-up and some device problems)
  – Listens on the syslog port (port 514/UDP) for messages
  – Saves all of the above messages in a file
Syslog Ruleset
• Usually in /etc/syslog.conf
• Contains directives to the syslog daemon
• Determines where various types of messages should be logged
• Choices of logging
  – Put a message into a file
  – Log a message to another machine via UDP
  – Write a message to the system console
  – Write a message to all logged-in users
Syslog-enabled Programs
• Syslog is a standard facility in Unix; many Unix programs have calls to syslog built into them
• Enables these programs to log various events to the local syslog daemon
Pros (of syslog)
• Universally available
• Standard implementation
• Available from non-programmable devices
• A read-only logging mechanism
Cons (of syslog)
• Unauthenticated protocol: can be spoofed
• Unencrypted transmission: can be eavesdropped by attackers
• Unreliable UDP transmission: not all syslog messages reach their intended destination
Time
An important issue in log gathering and analysis:
Jun 4 22:33:21 machine1.ycom.com login: user smt login ok
Jun 4 22:34:29 machine3.ycom.com login: user smt login ok
• Time is used in the analysis process; it should be accurate and synchronised with other systems
• A logging system should synchronise its time with a time server machine (NTP server)
Sensors
• A mechanism that can be used to aid device-based logging
• Provides a means for gathering information and integrating it into the logging system
Sensors
Examples
• Some sensors can detect several variations on attacks
• Some sensors can detect problems with the network being monitored
Sensors
Some sensors are built to detect conditions on the logging system
• Are the logs increasing monotonically? If not, a log file might have been tampered with
• Is the logging system receiving all the logs that are being sent? Some devices transmit a sequence number with each log entry; if a particular number is missing, something has gone wrong
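The tamper-detection checks from "Logs should not be tampered with" and the sensor questions above (monotonic growth, missing sequence numbers), as one added Python example that is not part of the lecture: each entry carries a sequence number and an HMAC over the entry and the previous entry's tag (a keyed MAC standing in for the slides' "cryptographic signature"), and the verifier reports shrinkage, sequence gaps, chain breaks and edited entries. The key, the log lines and the tamper scenarios are all constructed.

```python
import hashlib
import hmac

# Constructed demo key. In practice the key lives on the log collector, not on
# the logging host, so an intruder on the host cannot recompute valid tags.
LOG_KEY = b"demo-only-log-key"
GENESIS = "0" * 64  # "previous tag" for the first entry


def append_entry(log, message, key=LOG_KEY):
    """Append an entry carrying a sequence number and an HMAC chained to the
    previous entry's tag, so deletion, editing and reordering break the chain."""
    seq = log[-1]["seq"] + 1 if log else 1
    prev = log[-1]["tag"] if log else GENESIS
    payload = f"{seq}|{prev}|{message}".encode()
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest()
    log.append({"seq": seq, "prev": prev, "msg": message, "tag": tag})
    return log


def verify_log(log, key=LOG_KEY, expected_len=None):
    """Return a list of problems (empty means the log checks out): a size
    below the last known size, sequence gaps, chain breaks and bad tags."""
    problems = []
    if expected_len is not None and len(log) < expected_len:
        problems.append(f"log shrank from {expected_len} to {len(log)} entries")
    prev = GENESIS
    expected_seq = 1
    for e in log:
        if e["seq"] != expected_seq:
            problems.append(f"sequence gap: expected {expected_seq}, found {e['seq']}")
            expected_seq = e["seq"]
        if e["prev"] != prev:
            problems.append(f"chain break at seq {e['seq']}")
        payload = f"{e['seq']}|{e['prev']}|{e['msg']}".encode()
        tag = hmac.new(key, payload, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(tag, e["tag"]):
            problems.append(f"bad tag at seq {e['seq']} (entry modified)")
        prev = e["tag"]
        expected_seq += 1
    return problems


def demo():
    """Build a log from constructed syslog-style lines and report what the
    verifier finds when the log is intact, when an entry is deleted, and
    when an entry is edited in place."""
    log = []
    for line in [
        "Jun 4 22:33:21 machine1.ycom.com login: user smt login ok",
        "Jun 4 22:34:29 machine3.ycom.com login: user smt login ok",
        "Jun 4 22:35:02 machine3.ycom.com sshd: failed password for root",
        "Jun 4 22:35:40 machine1.ycom.com su: session opened for root",
    ]:
        append_entry(log, line)
    deleted = log[:2] + log[3:]  # the failed-password line was removed
    edited = [dict(e) for e in log]
    edited[2]["msg"] = edited[2]["msg"].replace("failed", "accepted")
    return {
        "intact": verify_log(log, expected_len=4),
        "deleted": verify_log(deleted, expected_len=4),
        "edited": verify_log(edited, expected_len=4),
    }
```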
Sensors
• Has any machine stopped logging? A machine that has stopped logging might indicate a network problem OR an attack
Log Management
• A process of making sure that the logging system is stable and useful
References
1. Wadlow T. A., The process of network security: Designing and managing a safe network, Addison-Wesley, 2000
2. Ciampa M., Security+ guide to network security fundamentals, Thomson course technology, 2005
3. Northcutt S., et al., Inside network perimeter security, Sams publishing, 2005
4. ISO/IEC 27001:2005(E)
5. ISO/IEC 17799
Security Contest Topics
• Network Security Concept
• Network Security Architecture
• Network Security Assessment & Penetration Test Method
• Network Security Monitoring
• ISO27001 and series
• Computer Laws
Announcement: the security contest registration and examination are postponed
• Registration closing date: moved from 14 October to 31 October
• First-round qualifying examination: moved from 28 October to 18 November
• Final round and prize announcement: moved from 25 November to 19 December
CS subject
344-422 Computer and Network Security: elective course, offered in semester 1 of every year