Computer and Network Security Introduction Dr. Ron Rymon Efi Arazi School of Computer Science IDC, Herzliya. 2010/11
Dec 18, 2015
Computer and Network Security
Introduction
Dr. Ron Rymon
Efi Arazi School of Computer Science
IDC, Herzliya. 2010/11
Today’s Lecture
Introduction
A Few Nightmare Scenarios
Statistics and Impact
Course Plan and Administrativia
Models of Computer Security
Our Security Needs/Threats Confidentiality of information stored on computers Confidentiality of information communications Control of our computers and networks Ensuring the integrity of information Identifying/authenticating communication partners Protecting information services (enterprise, www) Protecting information and people privacy Protecting digital rights and property Protecting computer-operated physical infrastructure
… and more as computers take greater role in our lives– hand-held devices, electronic voting, electronic payment, border
control, job entry, etc.
The Adversaries For Profit
– Organized crime– Fraudsters– Information thieves– Marketers– Spies (military, commercial)– Enemy states & terrorists
Vandals– Commercial and political reasons– Mostly, nut cases and irresponsible kids (“script kiddies”)
Joy riders– Technically skilled– Psychologically challenged– Again, mostly kids
Insiders!
Good hackers vs. Bad hackers (Crackers)
Their Tools of the Trade Viruses, worms, etc. Password cracking Intrusion and penetration attacks Eavesdropping attacks (esp. wireless) Communication hijacking attacks Denial of service attacks OS/Application vulnerability attacks Trojan horses, viruses/worms, spyware, keyloggers Server and access point impersonation Phishing and phraud Clickjacking Social Engineering More….
Our Tools of the Trade Encryption Anti-virus software Spam filters Firewalls Intrusion detection/prevention software Strong authentication Access control Authorization management Application security gateways and filters Patch management systems Electronic signatures Disaster Recovery … and more…
EDUCATION!!
Security and People People, not technology, are often the weakest link
– Create awareness and educate people that security matters– Create business processes that enhance security
• accurate provisioning, password mgmt, stronger authentication, segregation of duty
Security solutions shall be tied to business processes– “Treat security as an important part of doing business. It is not less
important than features and performance” (Bill Gates)– “The missing component in most security products is what Global 5000
buyers most want, the ability to manage business risk, innovation, and agility. Despite this, security suppliers continue to focus their efforts on honing technical access controls “ (Aberdeen, Mar 2004)
Corporate governance: Security is as enterprise management issue– New executives: Chief Security Officer & Chief Compliance Officer– Business managers in all ranks are asked to assume security responsibility
Nightmare Scenario #1:Information stolen from our systems 2000 – hacker breaks CDUniverse, steals 300,000 credit card numbers 2002 – hacker steals 1MM credit cards from merchants that didn’t patch 2007 – hacker steals millions of credit cards & personal info from TJMaxx
2001 – hacker pre-announces JDS earnings
1/2002, hacker penetrates financial software maker Online Resources; then uses this to hack into a NY bank and steal account data; then extorts the bank
2004 – Code of Win2K and NT stolen from Microsoft partner 2004 – Code of Cisco IOS stolen
2006 - 25% of companies reported attempted penetration (really, close to 100%) 2006 – 25% of computers believed infected
2007 - Theft of laptops and PDAs is top security concern for CIOs 2008 – Identity theft is top concern for individuals (1 in 6 Americans last year!) 2009 – Data Leakage is a key concern for security and compliance officers 2010 – Where are our (virtualized) systems? Who has access to them?
70% of all cases are “internal work” – profit, revenge, and ignorance
Nightmare Scenario #2:Our communication can be exposed In 16th century, Mary Queen of Scots loses her head when her coded
messages are deciphered
In WWII, many German U-boats were destroyed once the British were able to decipher their Enigma messages
Today, encryption mechanisms (VPNs, SSL, etc.) are very strong, usually rendering eavesdropping ineffective
Still, some cases surface from time to time– Wi-Fi networks originally unsecured and being targeted– US Carnivore/Echelon sift through millions of emails/phone calls– Al-Qaeda members caught using Swisscom GSM chips– Tempest attacks, capturing electromagnetic radiation– Cloning encryption cards for satellite-based entertainment systems– Chinese using supercomputers to break American satellite communication
Nightmare Scenario #3:Control of our computers is taken First viruses (e.g., Jerusalem) were spreading slowly
Code Red (2001) leaves back door on infected machines– infected 359,000 IIS servers in 14 hours, 2000 per minute at the peak
SQL Slammer (2003) generated huge traffic from infected network
In 2004, there were 112,000 known viruses
Today, most malware is commercially motivated– Professional and uses multiple infection mechanisms (“time to infection”
is down to FIVE minutes in 2008)– Soldiers in the botnets army… (~25% of all computers are infected)– Steal information, e.g., identity, passwords, credit cards…– Serve for commercial spam
Many recent attacks aimed at virtualization platforms Next, significant risk to mobile devices, VOIP systems
Nightmare Scenario #4:Website defacing Some are political protests
– 2000 - Pro-Israeli and Pro-Palestinian (e-Jihad) hackers deface sites– 2000 - Hamas site and Al Qaeda site visitors diverted to porn sites– 2001 - Chinese posted picture of downed pilot on US Govt sites– 2003 - web sites defaced by anti/pro war in Iraq– 2008 – CERN site was defaced after the big bang experiment
Businesses are also affected– 1999 - NASDAQ and AMEX sites are defaced– 2001 - British Telecom defaced by hackers complaining about service– 2002 – RIAA site is defaced and provides pirated music for download
Massive defacing– 2001- hacker group defaces 679 sites in 1 minute – 2003 - Blackhat defacing competition: winner must deface 6000 sites asap
2007 – US government sites pointing to Viagra and porn sites
Not Relevant T
oday
Nightmare Scenario #5:Service interruptions
1996 - Panix (ISP) suffers a DoS SYN attack 1999 - Melissa crashes e-mail servers (replicates to Outlook contacts) 2000 - Mafiaboy attack crashes Yahoo, CNN, Amazon for 3 hours 2003 - RIAA site is attacked 2004 - MyDoom (email virus) attacks Microsoft, SCO sites 2007 - Estonia infrastructure attacked by Russian hackers
27% of companies running web services reported DoS attacks The Knesset, Israeli PM and other ministries are constantly attacked
Today, the main concern is around VoIP, wireless infrastructure.
What is next? Power plants? Other forms of Cyber-Terrorism?
Nightmare Scenario #6:Fraud and Identity Theft FTC Survey (2003)
– 4.6% of consumers defrauded in 2003 (12.7% in past 5 years)– Mostly credit cards, but also bank accounts, loans, mortgage apps...– Total ID Fraud estimated at $50B a year
Internet payment fraud is rampant– 20 times the “normal” rate; typically identity theft– Used to be easy to change fields (e.g. price) in web forms
Fraudulent merchants and con-artists defraud users– Phishing rampant everywhere– Fraudulent porn services “re-used” credit card numbers
Identity theft becomes one of biggest problems (2007)– Fraudsters and mafia stealing “whole identities”– Use to buy, take loans, sell houses, etc., ruining victim’s credit history
Who is that merchant I am going to to buy from? difficult to authenticate…
Nightmare Scenario #7:E-Mail Blues It used to be many forms of Viruses. Worms, Trojans spread via mail
– Attract download software/applet (some pretend to help against a virus)– Phishing grows quickly– Spoof sender address and identity– Huge economic cost due to destruction, traffic, cleanup costs– At its peak, 8% of emails were MyDoom
Today, Spam makes up >80% of email traffic– Started with Internet – economic model of direct marketing fails– Spoofing mail address, headers, names, etc– Cause significant economic damage
Unprotected e-mail became almost unusable for simple e-mail users
Proposed solutions are both technological and legal– New comprehensive email solutions include: anti-virus/worms, fraud,
spam, content policy, privacy, and confidentiality– Microsoft initiative, Challenge-response mechanisms, Caller-ID
Security Incidents and Reporting
# of incidents and # reported (CERT)
0
1000
2000
3000
4000
5000
6000
7000
8000
9000
1995 1996 1997 1998 1999 2000 2001 2002 2003 2004 2005 2006
Vulnerability disclosures (IBM)
Course Plan Cryptography
– history, conventional, public-key, key dist/mgmt Identity Authentication
– Signatures, challenge-response, identity authentication Securing Communications Protocols
– IPSec, VPNs, Web security (SSL), WiFi Security Access Control
– Kerberos, Firewalls, PKI Malicious Code and Intruders
– Viruses, Worms, Intrusion detection, Spyware Application Security
– Email security, Spam, VoIP, Cellphones Market Trends: Guest Presentations
Course Materials Course site
– http://www1.idc.ac.il/compsec
Most course material is from current sources– News, Industry (analysts, conferences, vendors), Academic– Subject-specific books
Main Textbook– “Network Security Essentials: Applications and Standards” /
William Stallings (old edition OK)
Highly recommended– Applied Cryptography / Bruce Schneier
Administrativia Lecturer: Dr. Ron Rymon Teaching Assistant: Ilan Atias
Lectures: Sunday 9:15-11:45am, C109 Secondary slot: Tue evening, 6pm (if needed)
Office Hours: by appointment
Credits: 3 Open to CS MSc, and BSc (2nd and 3rd year) students
Grade: 70% exam, 30% other (project, in-class quizes, homework)– Must pass the exam– Must turn in all work, in time
Example
Alice Bob
Comm(Bob)
PubK(Bob)
PrivK(Alice) PrivK(Bob)
PubK(Alice)
EncPubK(Bob) (SessK)
DecryptSignPrivK(Alice) (“Alice”)
SignPrivK(Bob) (“Bob”)
EncSessK(Message)
Decrypt
Decrypt
Decrypt
Sign/Encrypt
Encrypt
Encrypt
Sign/Encrypt
Gen Sess Key
Trusted Server
Access Control Model
Authentication– Must provide credentials to access a resource
• E.g., password, fingerprint, identification card
Authorization– Must be authorized to gain access to specific data, other
computing resources.• E.g., file systems, firewalls, application authorization model
• Various levels of granularity
ITU/IETF X.800: Security Threats, Attacks, Services, and Mechanisms Security Threat: A potential attack on systems or on information
security needs
Security Attack: An attempt to compromise the security of systems or information– Example: Eavesdropping on communication
Security Service: Use of one or more mechanisms to enhance the security of a system or application– Example: Confidentiality of communications
Security Mechanism: A specific method to detect, prevent, or recover from an attack, and to provide the required service– Example: Encryption software
Examples of Attacks Attacks can be Active, e.g., intrusion, or Passive, e.g,
eavesdropping
Examples of attacks:– Intrusion– Eavesdropping– Impersonation– Viruses / Worms– Denial of service– Man-in-the-middle– Reflection attack– Replay attack– Password cracking– Data/code modification– Fraudulent attribution– Repudiation
X.800 Security Services Authentication
– Identify peers, Source authentication for data
Access Control– Who can access to what
Data Confidentiality– Connection, Connectionless (system), Traffic, Privacy
Data Integrity– With or without recovery
Non-repudiation– Origin, Destination, Both
Availability– A service on its own, or a property of other services
Security Mechanisms Specific use of certain algorithms, protocols, and
procedures to provide one or more security services
Examples– Authentication – use password, fingerprint, magnetic card
– Access Control – specify access rights based on the user id, role/group to specific transactions and/or specific content
– Data Confidentiality – encrypt information using a specific algorithm
– Data Integrity – detect and prevent unauthorized change to content
– Non-Repudiation – use electronic signature to ensure authenticity
– Availability – increase resiliency, filter malicious traffic
Many security mechanisms use Cryptography as an underlying technology