Defining Computer Security As applied to cybertechnology, security can be thought of in terms of various measures designed to protect against: (i) unauthorized access to computer systems (ii) alteration of data that resides in and is transmitted between computer systems (iii) disruption, vandalism, and sabotage of computers systems and networks. One way to overcome cybercrimes

Jan 01, 2016


Jerome White
Transcript
Defining Computer Security

As applied to cybertechnology, security can be thought of in terms of various measures designed to protect against:

(i) unauthorized access to computer systems

(ii) alteration of data that resides in and is transmitted between computer systems

(iii) disruption, vandalism, and sabotage of computer systems and networks.

One way to overcome cybercrimes

Defining Computer Security (continued)

A computer is secure "if you can depend on it and its software behaves as you expect."

According to this definition, at least two conditions must be satisfied:

(a) you can depend on your computer (i.e., it is reliable and available)

(b) your computer system's software does what it is supposed to do.

Defining Computer Security (continued)

Kizza (1998) argues that computer security involves three elements: Confidentiality; Integrity; Availability.

Confidentiality focuses on protecting against unauthorized disclosure of information to third parties.

Integrity can be understood as preventing unauthorized modification of files.

Availability means preventing unauthorized withholding of information from those who need it when they need it.

Cont.

Reliability

Safety

Two Distinct Aspects of Computer Security

The expression "computer security" is sometimes used ambiguously.

In one sense, "computer security" refers to concerns related to a computer system's vulnerability to attacks involving system hardware and software resources from "malicious programs" (viruses and worms).

This aspect of computer security can be referred to as system security.

Two Distinct Aspects of Computer Security

Another sense of "computer security" is concerned with vulnerability to unauthorized access and modification of data.

The data can be either:

(a) resident in one or more disk drives or databases in a computer system;

(b) transmitted between two or more computer systems.

We call this "data security."

Computer Security

Computer Security
  System Security
  Data Security
    Resident Data
    Transmitted Data

[Figure: normal flow from information source to information destination. Colour code: blue = security controls, red = threats. Labels shown: Goal, Masquerade, Authenticity, Modification, Integrity, Interception, Confidentiality, Interruption, Availability, Non-Repudiation, Capture, Authorization, Escalation, Identity Theft, Identification, Covering Tracks, Accountability, Access/availability, Scene Characteristics.]

Security Dimension: Security Objectives

Access Control: Ensure that only authorised personnel or devices are allowed access to end-user data that is transiting a network element or communications link or is resident in an offline storage device.

Authentication: Verify the identity of the person or device attempting to access end-user data that is transiting a network element or communications link or is resident in an offline storage device. Authentication techniques may be required as part of Access Control.

Non-Repudiation: Provide a record identifying each individual or device that accessed end-user data that is transiting a network element or communications link, or is resident in offline devices, and that the action was performed. The record is to be used as proof of access to end-user data.

Data Confidentiality: Protect end-user data that is transiting a network element or communications link, or is resident in an offline storage device, against unauthorised access or viewing. Techniques used to address access control may contribute to providing data confidentiality for end-user data.

Communication Security: Ensure that end-user data that is transiting a network element or communications link is not diverted or intercepted as it flows between the end points (without an authorised access).

Data Integrity: Protect end-user data that is transiting a network element or communications link or is resident in offline storage devices against unauthorised modification, deletion, creation and replication.

Availability: Ensure that access to end-user data resident in offline storage devices by authorised personnel and devices cannot be denied.

Privacy: Ensure that network elements do not provide information pertaining to the end-user's network activities (e.g. user's geographic location, websites visited, content etc.) to unauthorised personnel.

ITU-T X.800 Threat Model (simplified)

1 - Destruction (an attack on availability):
– Destruction of information and/or network resources

2 - Corruption (an attack on integrity):
– Unauthorized tampering with an asset

3 - Removal (an attack on availability):
– Theft, removal or loss of information and/or other resources

4 - Disclosure (an attack on confidentiality):
– Unauthorized access to an asset

5 - Interruption (an attack on availability):
– Interruption of services. Network becomes unavailable or unusable

Computer Security and Computer Crime

Computer security issues often overlap with issues analyzed under the topic of computer crime.

Virtually every violation of security involving cybertechnology is also criminal in nature.

So only cyber-specific crimes are involved in cyber security, not cyber-related crimes.

But not every instance of crime in cyberspace necessarily involves a breach or violation of security.

Computer Security Issues as Distinct from Computer Crime

Some computer-related crimes have no direct implications for computer security.

An individual can use a personal computer to:
Make unauthorized copies of software programs;
Stalk a victim in cyberspace;
Elicit sex with young children;
Distribute child pornography;
Engage in illegal gambling activities.

None of these kinds of crimes are a direct result of insecure computer systems.

Security as Related to Privacy

Cyber-related issues involving privacy and security often overlap.

Some important distinctions can be drawn.

Privacy concerns often arise because on-line users are concerned about losing control over ways in which personal information about them can be accessed by organizations (especially by businesses and government agencies).

Securing personal information stored in computer databases is an important element in helping individuals to achieve and maintain their privacy.

The objectives of privacy would seem compatible with, and even complementary to, security.

Security as Related to Privacy (continued)

Privacy and security concerns can be thought of as two sides of a single coin, where each side complements and completes the other.

Many people wish to control who has information about them, and how that information is accessed by others.

Who is doing it, what they are doing, and how they are doing it.

How Do Security Issues Raise Ethical Concerns?

To realize autonomy, individuals need to be able to have some access control over how information about them is gathered and used.

Computer security can help users realize this goal. Disclosing private information is unethical.

Personal privacy also requires that certain kinds of information stored in electronic databases be kept confidential. Secure computers are needed to ensure this.

BACK DOORS

Back doors are accounts left by manufacturers and vendors on devices that allow them to bypass a locked-out or clueless system administrator in case of emergency. Every network device comes shipped with more than one default username and password, and these built-in accounts offer administrative privileges to anyone who finds them.

Virus spread

A small malicious executable program. The definition of a virus is a program that can be broken into 3 functional parts:
Replication
Concealment
Bomb

The combination of these three attributes makes the collective program a virus.

Cont.

A virus adds a small piece of code to the beginning of the file so that when the file is executed, the virus is loaded into memory before the actual application.

Replication

A virus must include some method of replication, i.e., some way to reproduce or duplicate itself.

When a virus reproduces itself in a file, the result is sometimes referred to as an "infection".

Replication occurs when the virus is loaded into memory and has access to CPU cycles.

A virus can't spread merely by existing on a hard disk; an infected file must be executed in order for a virus to become active.

Method of Replicating

Resident replicating virus: A resident replicating virus, once loaded into memory, waits for other programs to be executed and then infects them.

Nonresident replicating virus: A nonresident replicating virus selects one or more executable files on disk and directly infects them without waiting for them to be processed in memory.

Companion virus: A virus which facilitates the loading of the virus code without actually infecting the existing file.

It takes advantage of the default OS order of executing files, e.g., Windows first tries to execute a file with a .com extension, then an .exe extension, and then finally a .bat extension.
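A defender can audit for the companion condition described above by looking for program names that exist under more than one of those extensions in the same directory. The following is an added example, not part of the original slides; the function names and the file names in the demo are constructed for illustration, and the search order is the one stated on the slide.

```python
import os
import tempfile
from collections import defaultdict

# Search order as stated on the slide: .com first, then .exe, then .bat.
SEARCH_ORDER = [".com", ".exe", ".bat"]


def find_shadowed_programs(directory):
    """Find base names that exist with more than one launchable extension.

    Returns {base_name: (file_that_runs_first, [files_it_shadows])}.
    A hit is not proof of infection, only a name collision worth reviewing.
    """
    by_base = defaultdict(dict)
    for name in os.listdir(directory):
        base, ext = os.path.splitext(name)
        ext = ext.lower()
        full = os.path.join(directory, name)
        if ext in SEARCH_ORDER and os.path.isfile(full):
            # Compare names case-insensitively, as DOS/Windows does.
            by_base[base.lower()][ext] = name

    findings = {}
    for base, found in by_base.items():
        if len(found) > 1:
            ordered = [found[e] for e in SEARCH_ORDER if e in found]
            findings[base] = (ordered[0], ordered[1:])
    return findings


def demo():
    """Build a constructed directory and audit it."""
    with tempfile.TemporaryDirectory() as d:
        # Constructed sample files: report.com would run instead of report.exe.
        for name in ("report.exe", "report.com", "backup.bat",
                     "notes.txt", "EDIT.EXE"):
            open(os.path.join(d, name), "wb").close()
        return find_shadowed_programs(d)


if __name__ == "__main__":
    for base, (winner, shadowed) in demo().items():
        print(f"{base}: '{winner}' runs before {shadowed}")
```
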

File Infection

The method of replication can be the result of file infection or boot sector replication.

File infection relies on the virus's ability to attach itself to a file. In theory, any type of file is vulnerable to attack.

Attackers tend to focus, however, on files that provide some form of access to CPU cycles. This access can be through direct execution or through some secondary application processing the code.

Contd.

Some viruses have even embedded themselves in raw source-code files. When the code is eventually compiled, the virus becomes capable of accessing CPU cycles, thus replicating even further.

The most popular type of infection affects direct executable files like .com, .exe, .pif, or .bat file extensions.

Boot Sector Replication

Boot sector viruses infect the system area of the disk that is read when the disk is initially accessed or booted.

This area can include the MBR, the OS boot sector or both.

Concealment

To facilitate replication, a virus must have one or more methods of masking its existence. If a running virus simply showed up on your Windows Taskbar, you'd see a problem right away.

Stealth allows a virus to hide the modifications made to a file or boot sector.

Small Footprint

Viruses tend to be small. Even a large virus can be less than 2KB in size. This small footprint makes it far easier for the virus to conceal itself on the local storage media and while it is running in memory. It resides in the space between two stored files.

To ensure that a virus is as small as possible, most viruses are coded in assembly language.

Polymorphic Virus

A polymorphic virus can change its virus signature from infected file to infected file while still remaining operational.

Many virus scanners detect a virus by searching for signature code.

Since a polymorphic virus can change its appearance between infections, it is far more difficult to detect.

One way to produce a polymorphic virus is to include a variety of encryption schemes that use different decryption routines

Social engineering viruses

Social-engineering viruses meet all the criteria of a normal virus, except they rely on people to spread the infection, not a computer. A good example of a social engineering virus is the Good Times virus hoax that has circulated on the Internet for many years. This e-mail message announces that a dangerous virus is being circulated via e-mail and has the ability to wipe out all the files on your computer. This message even claims that the virus's existence has been confirmed. People concerned that their friends may be attacked by this virus then forward the hoax to every person in their address books.

Bomb

Our virus has successfully replicated itself and avoided detection. The question now becomes: what will the virus do next? Most viruses are programmed to wait for a specific event. This event can be almost anything, including the arrival of a specific date, the infection of a specific number of files, or even the detection of a predetermined activity.

Worms

Traditionally, a computer worm was considered an application that could replicate itself via a permanent or a dial-up network connection.

Unlike a virus, which seeds itself within the computer's hard disk or file system, a worm is a self-supporting program. It does not need to attach itself to a file.

A typical worm maintains only a functional copy of itself in active memory; it does not even write itself to disk.

The Vampire Worm, The Great Internet Worm, The Wank Worm

Trojan Horse

An application that hides a nasty surprise.

A process or function that performs an activity that the user is unaware of.

Trojans are programs that look like ordinary software, but actually perform unintended (and sometimes malicious) actions behind the scenes when launched.

Replace network services.

Does not replicate.

E-mail viruses such as I LOVE YOU are considered to be Trojan horses.

How Trojan Horses are Different From Viruses

Does not replicate or attach itself to a file.

Is a stand-alone application that had its bomb included from the original source code.

A Unix Trojan can replace the Telnet server process (Telnetd).

Quietly records all logon names and passwords that authenticate to the system.

Are immediately destructive.

DoS Attack

On the Internet, a denial of service (DoS) attack is an incident in which a user or organization is deprived of the services of a resource they would normally expect to have. In a Denial of Service (DoS) attack, the attacker sends a stream of requests to a service on the server machine in the hope of exhausting all resources like "memory" or consuming all processor capacity.

E.g. Ping broadcast, Smurf, Ping of death, Teardrop attack

Other DoS Attacks are:
FTP Bounce Attacks
Port Scanning Attack
Ping Flooding Attack
Smurf Attack
SYN Flooding Attack
IP Fragmentation/Overlapping Fragment Attack
IP Sequence Prediction Attack
DNS Cache Poisoning
SNMP Attack
Send Mail Attack

Ping broadcast - A ping request packet is sent to a broadcast network address where there are many hosts. The source address is shown in the packet to be the IP address of the computer to be attacked. If the router to the network passes the ping broadcast, all computers on the network will respond with a ping reply to the attacked system. The attacked system will be flooded with ping responses which will cause it to be unable to operate on the network for some time, and may even cause it to lock up.

Cont.

Ping of death - An oversized ICMP datagram can crash IP devices that were made before 1996.

Smurf - An attack where a ping request is sent to a broadcast network address with the sending address spoofed, so many ping replies will come back to the victim and overload the ability of the victim to process the replies.

Teardrop Attack

This type of denial of service attack exploits the way that the Internet Protocol (IP) requires a packet that is too large for the next router to handle to be divided into fragments. The fragment packet identifies an offset to the beginning of the first packet that enables the entire packet to be reassembled by the receiving system. In the teardrop attack, the attacker's IP puts a confusing offset value in the second or later fragment. If the receiving operating system does not have a plan for this situation, it can cause the system to crash.
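The "plan for this situation" amounts to validating fragment offsets and lengths before reassembly. The following is an added example, not part of the original slides: a sketch of such a check that also covers the oversized-datagram case mentioned under Ping of death. The Fragment type, the function name and the sample fragments are constructed for illustration, and a 20-byte IP header without options is assumed.

```python
from dataclasses import dataclass

MAX_IP_DATAGRAM = 65535   # limit of the 16-bit Total Length field
IP_HEADER_LEN = 20        # assumption: header without IP options


@dataclass(frozen=True)
class Fragment:
    offset_units: int      # Fragment Offset field, counted in 8-byte units
    length: int            # payload bytes carried by this fragment
    more_fragments: bool   # MF flag: True on every fragment except the last

    @property
    def start(self):
        return self.offset_units * 8

    @property
    def end(self):
        return self.start + self.length


def check_fragments(fragments):
    """Validate the fragments of one datagram before reassembly.

    Returns a list of problems; an empty list means the set is consistent.
    A receiver should drop the whole datagram if any problem is reported.
    """
    if not fragments:
        return ["no fragments"]
    problems = []
    frags = sorted(fragments, key=lambda f: (f.start, f.end))

    for f in frags:
        if f.length <= 0:
            problems.append(f"empty fragment at offset {f.start}")
        if f.more_fragments and f.length % 8 != 0:
            problems.append(
                f"non-final fragment at {f.start} is not a multiple of 8 bytes")
        if f.end > MAX_IP_DATAGRAM - IP_HEADER_LEN:
            problems.append(
                f"fragment at {f.start} extends past the maximum datagram size")

    finals = [f for f in frags if not f.more_fragments]
    if len(finals) != 1:
        problems.append("expected exactly one final fragment")
    elif finals[0].end != max(f.end for f in frags):
        problems.append("data extends past the final fragment")

    expected = 0  # next byte offset that a well-formed sequence must supply
    for f in frags:
        if f.start < expected:
            problems.append(
                f"overlap: fragment at {f.start} starts before "
                f"previous data ends at {expected}")
        elif f.start > expected:
            problems.append(f"gap: bytes {expected}-{f.start - 1} missing")
        expected = max(expected, f.end)
    return problems


# Constructed samples, not captured traffic.
NORMAL = [Fragment(0, 1480, True), Fragment(185, 1480, True),
          Fragment(370, 40, False)]
OVERLAPPING = [Fragment(0, 40, True), Fragment(3, 8, False)]
OVERSIZED = [Fragment(0, 1480, True), Fragment(8189, 1480, False)]

if __name__ == "__main__":
    for label, sample in (("normal", NORMAL), ("overlapping", OVERLAPPING),
                          ("oversized", OVERSIZED)):
        print(label, check_fragments(sample) or "ok")
```
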

Brute force Attack on encryption

Exhaustive encryption key search

Session hijacking

An attacker may watch a session open on a network. Once authentication is complete, they may attack the client computer to disable it, and use IP spoofing to claim to be the client who was just authenticated and steal the session.

By launching an ICMP flood on the server and then acting like a server.

DNS Poisoning

DNS poisoning - This is an attack where DNS information is falsified. This attack can succeed under the right conditions, but may not be very practical as an attack form. The attacker will send incorrect DNS information, e.g. an incorrect IP address, which can cause traffic to be diverted.

SNIFFING

Is the interception of data packets traversing a network. An example of active intrusion is when PACKET SNIFFING is used for IP SPOOFING.

IP spoofing - An attacker may fake their IP address so the receiver thinks it is sent from a location that it is not actually from. This may cause some operating systems such as Windows to crash or lock up.

Similarly DNS poisoning is used for server spoofing.

Attacks on Different Layers

IP Attacks
ICMP Attacks
Routing Attacks
TCP Attacks
Application Layer Attacks

Security Countermeasures

A security countermeasure is an action, device, procedure, technique or other measure that reduces a computer system's vulnerability to a threat.

We have come to rely increasingly on countermeasures.

Many security analysts believe that countermeasures would not be as necessary as they currently are if better security features were built into computer systems.

Implementing Security

Unique to each individual user/company and system.

Solution should contain three components for completeness:
Prevention (access control measures)
Detection (firewalls, IDS, virus scanners)
Reaction (disaster mode and severity)
Recovery (network disaster management system)

Types of Security Countermeasures

Firewalls (PIX firewall)
Anti-Virus Software
Encryption Tools
Anonymity Tools
IDS
VPNs
Access control
Honey pot

Firewall Technology

A firewall is a system or combination of systems that enforces a boundary between two or more networks.

Firewalls help to secure systems not only from unauthorized access to information in databases, but also help prevent unwanted and unauthorized communication into or out of a privately owned network.

Proxy and PIX firewalls

A firewall is a "blockage" between an internal privately owned network and an external network, which is not assumed to be secure.

Define IDS

IDS has always been about analyzing network traffic to look for evidence of attack.

IDS is also about scanning access logs and analyzing the characteristics of files to see if they have been compromised.

IDSs have thousands of attack patterns saved in their database, so they match them against ordinary traffic to detect malicious traffic.

An IDS may be hardware based or software based, e.g. SNORT.

Functions of IDS

Monitoring and analyzing both user and system activities
Analyzing system configurations and vulnerabilities
Assessing system and file integrity
Ability to recognize patterns typical of attacks
Analysis of abnormal activity patterns
Tracking user policy violations

Types of IDS

Network Intrusion Detection Systems (NIDS) (Snort, Zone Alarm)
Host Intrusion Detection Systems (HIDS)
System Integrity Verifier (SIV): Tripwire
Log File Monitor (LFM)
Honeypot: A fake deception server to trace and mislead the cracker. Production and research honeypots.

VPN

A virtual private network is a private network that uses links across private or public networks, e.g. the Internet.

You must have the PPTP tunneling protocol or the L2TP (layer two tunneling protocol) to support VPN; both are automatically installed on WIN 2003 server.

Configure a VPN server on WIN 2003 server.

Make a VPN client and connect via VPN.

Preventive Measures

Access Control
Checksum Verification
Process Monitoring
Virus Scanners

Access Control (ACL)

Access control will not remove or even detect the existence of an infected program.

However, it will help your system to resist infection by enabling intelligent permissions on files in a multi-user operating system environment on a user-by-user basis.

Attribute manipulation (ACE)

To protect files from virus infection, early DOS computer users set their executable file permissions to read-only.

If the file could not be modified, a virus would be unable to infect it.

Virus programmers responded by adding code to the virus that reset the attributes to their original values.

This method of protection is of little value against today's viruses.


Attribute manipulation

If administrator-level privileges are required to change a file's permissions, the virus can't change these attributes when run from a regular user account.


Checksum Verification using FCS

A checksum or CRC is a mathematical verification of the data within a file.

It cannot actually detect file infection; it can only look for changes.

Error detection and error correction
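
The checksum idea above, in the style of a system integrity verifier, as an added example that is not part of the original slides. The file names and contents are constructed, and the use of SHA-256 alongside CRC32 is an assumption made here: a CRC catches accidental corruption, while a cryptographic hash is also hard to match deliberately.

```python
import hashlib
import tempfile
import zlib
from pathlib import Path


def fingerprint(path: Path) -> dict:
    """Return a CRC32 checksum and a SHA-256 digest of one file."""
    data = path.read_bytes()
    return {"crc32": zlib.crc32(data) & 0xFFFFFFFF,
            "sha256": hashlib.sha256(data).hexdigest()}


def take_baseline(root: Path) -> dict:
    """Record a fingerprint for every regular file under root."""
    return {str(p.relative_to(root)): fingerprint(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify(root: Path, baseline: dict) -> dict:
    """Compare the current tree with the baseline and classify differences."""
    current = take_baseline(root)
    return {
        "modified": sorted(n for n in baseline
                           if n in current and current[n] != baseline[n]),
        "missing": sorted(n for n in baseline if n not in current),
        "added": sorted(n for n in current if n not in baseline),
    }


def demo() -> dict:
    """Run the check on constructed sample files in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "app.exe").write_bytes(b"MZ constructed sample program")
        (root / "notes.txt").write_bytes(b"constructed sample text")
        baseline = take_baseline(root)  # taken while the system is trusted
        # Simulate later changes: one file altered, one deleted, one new.
        (root / "app.exe").write_bytes(b"MZ constructed sample program + extra")
        (root / "notes.txt").unlink()
        (root / "new.dll").write_bytes(b"constructed new file")
        return verify(root, baseline)


if __name__ == "__main__":
    print(demo())
```

The report says only that files changed, not why, which is the limitation the slide states. The baseline has to be stored where the monitored system cannot rewrite it.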


Process Monitoring

Process monitoring observes system activity and intercepts anything that looks suspicious.

E.g., enabling BIOS antivirus will intercept all write attempts to the MBR.

The problem is that viruses and normal programs share a lot of similar attributes, which makes viruses difficult to detect.


Virus Scanners/Detectors

The most popular way of detecting viruses is the use of virus-scanning software.

Scanners use a signature file to locate viruses in infected files.

A signature file is simply a database that lists all the known viruses, along with their attributes.

Anti-virus software is designed to "inoculate" computer systems against viruses, worms, and other malicious programs.

Virus scanners can only detect known viruses.


Cont…..

Typically used in conjunction with firewall technology to protect individual computer systems as well as network domains in universities and in governmental and commercial organizations.
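
How a scanner uses the signature file described above, as an added example that is not part of the original slides. The signature names, byte patterns and sample buffers are all constructed for illustration and match no real malware.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    name: str        # label reported on a match
    pattern: bytes   # byte sequence that identifies the known sample


# Constructed signature file: made-up names and patterns for this example.
SIGNATURE_DB = [
    Signature("Demo.Boot.A", bytes.fromhex("deadbeef4142")),
    Signature("Demo.Macro.B", b"CONSTRUCTED-MARKER-B"),
]


def scan(data: bytes, db=SIGNATURE_DB) -> list:
    """Return (signature name, offset) for every occurrence of a known pattern."""
    hits = []
    for sig in db:
        start = data.find(sig.pattern)
        while start != -1:
            hits.append((sig.name, start))
            start = data.find(sig.pattern, start + 1)
    return sorted(hits, key=lambda hit: hit[1])


# Constructed sample buffers standing in for files on disk.
CLEAN = b"ordinary program bytes" * 4
KNOWN = (b"header" + bytes.fromhex("deadbeef4142")
         + b"body CONSTRUCTED-MARKER-B tail")
UNKNOWN = b"header" + bytes.fromhex("0badf00d9999") + b"body"  # not in the DB

if __name__ == "__main__":
    for label, buf in (("clean", CLEAN), ("known", KNOWN), ("unknown", UNKNOWN)):
        print(label, scan(buf))
```

The unknown buffer produces the same empty result as the clean one, which is why the signature file has to be kept up to date.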


Types of Virus Scanners

On Demand

Must be initialized on demand, manually or through some automatic process.

The system will contract a virus before it is detected.

Memory Resident

Programs that run in the background of a system.

Can identify a virus before it infects the system.


Encryption Tools

Encryption is the technique used to convert the information in a message composed in ordinary text ("plain text") into "ciphertext."

The use of data encryption or cryptography techniques in communicating sensitive information is not new.


Types of Encryption

In private-key encryption, both parties use the same encryption algorithm and the same private key.

Public-key cryptography uses two keys: one public and the other private.


Terminology

plaintext - the original message

ciphertext - the coded message

cipher - algorithm for transforming plaintext to ciphertext

key - info used in cipher known only to sender/receiver

encipher (encrypt) - converting plaintext to ciphertext

decipher (decrypt) - recovering ciphertext from plaintext

cryptography - study of encryption principles/methods

cryptanalysis (codebreaking) - the study of principles/methods of deciphering ciphertext without knowing key

cryptology - the field of both cryptography and cryptanalysis


Encryption

If A wishes to communicate with B, A uses B's public key to encode the message.

That message can then only be decoded with B's private key, which is secret.

Similarly, when B responds to A, B uses A's public key to encrypt the message.

Certificates and digital signatures
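
The exchange between A and B described above, as an added example that is not part of the original slides. It assumes textbook RSA as the public-key scheme (the slide names no algorithm), with no padding and with well-known primes chosen so the run is reproducible; real systems use a vetted library, random keys and padding such as OAEP.

```python
from math import gcd


def make_keypair(p: int, q: int, e: int = 65537):
    """Textbook RSA key pair from two primes: returns (public, private)."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime with (p-1)(q-1)")
    d = pow(e, -1, phi)  # private exponent (needs Python 3.8+)
    return (n, e), (n, d)


def encrypt(message: bytes, public) -> int:
    """Encrypt with the recipient's PUBLIC key."""
    n, e = public
    m = int.from_bytes(message, "big")
    if m >= n:
        raise ValueError("message too long for this modulus")
    return pow(m, e, n)


def decrypt(ciphertext: int, private) -> bytes:
    """Decrypt with the recipient's PRIVATE key."""
    n, d = private
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


# Constructed demo keys built from Mersenne primes; not secure, only repeatable.
A_PUBLIC, A_PRIVATE = make_keypair((1 << 89) - 1, (1 << 107) - 1)
B_PUBLIC, B_PRIVATE = make_keypair((1 << 61) - 1, (1 << 127) - 1)


def exchange() -> dict:
    """A writes to B with B's public key; B replies with A's public key."""
    to_b = encrypt(b"meet at noon", B_PUBLIC)
    reply = encrypt(b"agreed", A_PUBLIC)
    return {
        "b_reads": decrypt(to_b, B_PRIVATE),
        "a_reads": decrypt(reply, A_PRIVATE),
        # Any key other than B's private key yields garbage, not the message.
        "wrong_key_fails": decrypt(to_b, A_PRIVATE) != b"meet at noon",
    }


if __name__ == "__main__":
    print(exchange())
```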


Anonymity Tools

Users want to secure the integrity and confidentiality of their electronic communications.

They also wish to protect their identity while engaging in on-line activities.

Anonymity tools such as the Anonymizer, and pseudonymity agents such as Lucent's Personalized Web Assistant, enable users to roam the Web either anonymously or pseudonymously.


Anonymity Tools (Continued)

An individual is anonymous in cyberspace when that person is able to navigate the Internet in a way that his or her personal identity is not revealed.

E.g., the user cannot be identified beyond certain technical information such as the user's IP (Internet Protocol) address, ISP, and so forth.


Tradeoffs Involving Computer Security

Can total security in cyberspace be achieved?

More secure computer systems might also result in products that are more expensive.

Would consumers be willing to spend more money for securer computer systems?

The costs associated with computer security can be measured both in monetary and non-monetary terms (such as convenience and flexibility) because more secure systems might also be less user-friendly.

It is an avoidance approach conflict: on the one hand we need anonymity on the Internet, and on the other we want security with respect to cybercrimes.


Cont…..

Seeking perfect security would make a system useless, because "anything worth doing requires some risk."


Computer Security and Risk Analysis

What is the acceptable level of risk in computer systems?

How can we assess it?

Risk can be understood and assessed in terms of the net result of the impacts of five elements:

Assets; Threats; Vulnerabilities; Impact; Safeguards.


Thank You