Computer Security Final (shorter)

**Safe Temporary Files

-Many programs use temporary files -Often in common, shared system area -Must be unique, not accessed by others Commonly create name using process ID: -Unique, but predictable -Attacker might guess and attempt to create own file between program checking and creating Secure temporary file creation and use requires the use of random names

**Alternative Encodings

-May have multiple means of encoding text -Growing requirement to support users around the globe and to interact with them using their own languages. Unicode used for internationalization: -Uses 16-bit value for characters -UTF-8 encodes as 1-4 byte sequences -Many Unicode decoders accept any valid equivalent sequence Canonicalization: -Transforming input data into a single, standard, minimal representation. -Once this is done the input data can be compared with a single representation of acceptable input values.

**PayloadSystem Corruption

-Real-world damage: Causes damage to physical equipment Chernobyl virus rewrites BIOS code Stuxnet worm: Targets specific industrial control system software There are concerns about using sophisticated targeted malware for industrial sabotage -Logic bomb: Code embedded in the malware that is set to "explode" when certain conditions are met

**Rootkit (form of stealthing)

-Set of hidden programs installed on a system to maintain covert access to that system. -Hides by subverting the mechanisms that monitor and report on the processes, files, and registries on a computer. -Gives administrator (or root) privileges to attacker: Can add or change programs and files, monitor processes, send and receive network traffic, and get backdoor access on demand. Rootkit Classification Characteristics: Persistent, memory based, user mode, kernel mode, virtual machine based, external mode.

**Virtualization Infrastructure Security

-Systems manage access to hardware resources -Access must be limited to just the appropriate guest -Access to VM image and snapshots must be carefully controlled

**DNS Amplification Attacks

-Use packets directed at a legitimate DNS server as the intermediary system. -Attacker creates a series of DNS requests containing the spoofed source address of the target system. -Exploit DNS behavior to convert a small request to a much larger response (amplification). -Target is flooded with responses. -Basic defense against this attack is to prevent the use of spoofed source addresses.

**High interaction honeypot

Is a real system, with a full operating system, services and applications, which are instrumented and deployed where they can be accessed by attackers.

Hash function requirements

The purpose of a hash function is to produce a "fingerprint" of a file, message, or other block of data. To be useful for message authentication, a hash function H must have the following properties: 1. H can be applied to a block of data of any size. 2. H produces a fixed-length output. 3. H(x) is relatively easy to compute for any given x, making both hardware and software implementations practical. 4. For any given code h, it is computationally infeasible to find x such that H(x) = h. A hash function with this property is referred to as one-way or pre- image resistant.6 5. For any given block x, it is computationally infeasible to find y ≠ x with H(y) = H(x). A hash function with this property is referred to as second preim- age resistant. This is sometimes referred to as weak collision resistant. 6. It is computationally infeasible to find any pair (x, y) such that H(x) = H(y). A hash function with this property is referred to as collision resistant. This is sometimes referred to as strong collision resistant.

**Malware

a program that is inserted into a system, usually covertly, with the intent of compromising the confidentiality, integrity, or availability of the victim's data, applications, or operating system or otherwise annoying or disrupting the victim.

**Identity Management

concerned with assigning attributes to a digital identity and connecting that digital identity to an individual or NPE. The goal is to establish a trustworthy digital identity that is independent of a specific application or context. The traditional, and still most common approach, to access control for applications and programs is to create a digital representation of an identity for the specific use of the application or program. As a result, maintenance and protection of the iden- tity itself is treated as secondary to the mission associated with the application. Fur- ther, there is considerable overlap in effort in establishing these application-specific identities.

**Lifecycle Management

includes the following: • Mechanisms, policies, and procedures for protecting personal identity information • Controlling access to identity data • Techniques for sharing authoritative identity data with applications that need it • Revocation of an enterprise identity

**Inferential Attack

•There is no actual transfer of data, but the attacker is able to reconstruct the information by sending particular requests and observing the resulting behavior of the Website/database server •Include: oIllegal/logically incorrect queries •This attack lets an attacker gather important information about the type and structure of the backend database of a Web application •The attack is considered a preliminary, information-gathering step for other attacks oBlind SQL injection •Allows attackers to infer the data present in a database system even when the system is sufficiently secure to not display any erroneous information back to the attacker

**Intrusion Detection

A security service that monitors and analyzes system events for the purpose of finding, and providing real-time or near real-time warning of, attempts to access system resources in an unauthorized manner.

**Bloom Filter

A technique [SPAF92a, SPAF92b] for developing an effective and efficient proactive password checker that is based on rejecting words on a list has been implemented on a number of systems, including Linux. It is based on the use of a Bloom filter [BLOO70]. To begin, we explain the operation of the Bloom filter. A Bloom filter of order k consists of a set of k independent hash functions H1(x), H2(x), c, Hk(x), where each function maps a password into a hash value in the range 0 to N - 1.That is, Hi(Xj) = y 1...i...k; 1...j...D; 0...y...N-1 where Xj = jth word in password dictionary D = number of words in password dictionary

**Stack Protection (Compile-Time Defense)

Add function entry and exit code to check stack for signs of corruption. Use random canary: Value needs to be unpredictable and Should be different on different systems. Stackshield and Return Address Defender (RAD): -GCC extensions that include additional function entry and exit code: --Function entry writes a copy of the return address to a safe region of memory --Function exit code checks the return address in the stack frame against the saved copy --If change is found, aborts the program

**Validating Numeric Input

Additional concern when input data represents numeric values: Internally stored in fixed sized value, 8, 16, 32, 64-bit integers, Floating point numbers depend on the processor used. Values may be signed or unsigned. Must correctly interpret text form and process consistently. Have issues comparing signed to unsigned. Could be used to thwart buffer overflow check.

**Host-Based Intrusion Detection (HIDS)

Adds a specialized layer of security software to vulnerable or sensitive systems. Can use either anomaly or signature and heuristic approaches. Monitors activity to detect suspicious behavior: Primary purpose is to detect intrusions, log suspicious events, and send alerts. Can detect both external and internal intrusions.

**Intrusion Prevention Systems (IPS)

Also known as Intrusion Detection and Prevention System (IDPS). Is an extension of an IDS that includes the capability to attempt to block or prevent detected malicious activity. Can be host-based, network-based, or distributed/hybrid. Can use anomaly detection to identify behavior that is not that of legitimate users, or signature/heuristic detection to identify known malicious behavior can block traffic as a firewall does, but makes use of the types of algorithms developed for IDSs to determine when to do so.

**Shellcode

Code supplied by attacker. Often saved in buffer being overflowed. Traditionally transferred control to a user command-line interpreter (shell). Machine code - Specific to processor and operating system. Traditionally needed good assembly language skills to create. More recently a number of sites and tools have been developed that automate this process. Metasploit Project - Provides useful information to people who perform penetration, IDS signature development, and exploit research.

**Out-of-Band Attack

Data are retrieved using a different channel This can be used when there are limitations on information retrieval, but outbound connectivity from the database server is lax.

**SQLi Countermeasures

Defensive Coding Detection Run-time Prevention

**Hypertext Transfer Protocol (HTTP) Based Attacks

HTTP Flood: -Attack that bombards Web servers with HTTP requests. -Consumes considerable resources -Spidering: Bots starting from a given HTTP link and following all links on the provided Web site in a recursive way. Slowloris: -Attempts to monopolize by sending HTTP requests that never complete. -Eventually consumes Web server's connection capacity. -Utilizes legitimate HTTP traffic. -Existing intrusion detection and prevention solutions that rely on signatures to detect attacks will generally not recognize Slowloris.

**Social Engineering

"Tricking" users to assist in the compromise of their own systems: Spam -Unsolicited bulk e-mail -Significant carrier of malware -Used for phishing attacks Trojan horse: -Program or utility containing harmful hidden code -Used to accomplish functions that the attacker could not accomplish directly. Mobile phone trojans: First appeared in 2004 (Skuller) Target is the smartphone

**Inference Detection

- Inference detection during database design: This approach removes an inference channel by altering the database structure or by changing the access control regime to prevent inference. Examples include removing data dependencies by splitting a table into multiple tables or using more fine- grained access control roles in an RBAC scheme. Techniques in this category often result in unnecessarily stricter access controls that reduce availability. • Inference detection at query time: This approach seeks to eliminate an inference channel violation during a query or series of queries. If an inference channel is detected, the query is denied or altered.

**Malware Countermeasure Approaches

- Prevention is the ideal solution: four elements of prevention - policy, awareness, vulnerability mitigation, and threat mitigation. - If prevention fails, technical mechanisms can be used to support the following threat mitigation options: Detection, Identification, and Removal. Generations of Anti-Virus Software: -First Gen.: Simple Scanners - requires a malware signature to identify the malware. Limited to the detection of known malware. -2nd Gen: heuristic scanners - Uses heuristic rules to search for probable malware instances. Another approach is integrity checking. -3rd Gen: activity traps - Memory-resident programs that identify malware by its actions rather than its structure in an infected program. -4th Gen: full-featured protection - packages consisting of a variety of anti-virus techniques used in conjunction. Include scanning and activity trap components and access control capability.

**Virtualization

-A technology that provides an abstraction of the resources used by some software which runs in a simulated environment called a virtual machine (VM) -Benefits include better efficiency in the use of the physical system resources -Provides support for multiple distinct operating systems and associated applications on one physical system -Raises additional security concerns

**Encryption Technology

-Is a key enabling technology that may be used to secure data both in transit and when stored. -Must be configured and appropriate cryptographic keys created, signed, and secured. -If secure network services are provided using TLS or IPsec suitable public and private keys must be generated for each of them. -If secure network services are provided using SSH, appropriate server and client keys must be created. -Cryptographic file systems are another use of encryption.

**Perimeter Scanning Approaches

-Anti-virus software typically included in e-mail and Web proxy services running on an organization's firewall and IDS. -May also be included in the traffic analysis component of an IDS. -May include intrusion prevention measures, blocking the flow of any suspicious traffic. -Approach is limited to scanning malware. --Ingress monitors: -Located at the border between the enterprise network and the Internet -One technique is to look for incoming traffic to unused local IP addresses --Egress monitors: -Located at the egress point of individual LANs as well as at the border between the enterprise network and the Internet -Monitors outgoing traffic for signs of scanning or other suspicious behavior

**Reflection Attacks

-Attacker sends packets to a known service on the intermediary with a spoofed source address of the actual target system. -When intermediary responds, the response is sent to the target. -"Reflects" the attack off the intermediary (reflector). -Goal is to generate enough volumes of packets to flood the link to the target system without alerting the intermediary. -The basic defense against these attacks is blocking spoofed-source packets.

**DoS Attack Prevention

-Block spoofed source addresses: On routers as close to source as possible. -Filters may be used to ensure path back to the claimed source address is the one being used by the current packet: Filters must be applied to traffic before it leaves the ISP's network or at the point of entry to their network. -Use modified TCP connection handling code: --Cryptographically encode critical information in a cookie that is sent as the server's initial sequence number: Legitimate client responds with an ACK packet containing the incremented sequence number cookie. --Drop an entry for an incomplete connection from the TCP connections table when it overflows. -Block IP directed broadcasts -Block suspicious services and combinations -Manage application attacks with a form of graphical puzzle (captcha) to distinguish legitimate human requests -Good general system security practices -Use mirrored and replicated servers when high-performance and reliability is required

**Logging

-Can only inform you about bad things that have already happened -In the event of a system breach or failure, system administrators can more quickly identify what happened -Key is to ensure you capture the correct data and then appropriately monitor and analyze this data -Information can be generated by the system, network and applications -Range of data acquired should be determined during the system planning stage -Generates significant volumes of information and it is important that sufficient space is allocated for them -Automated analysis is preferred

**System Corruption (form of Payload)

-Chernobyl virus: First seen in 1998 Windows 95 and 98 virus Infects executable files and corrupts the entire file system when a trigger date is reached -Klez: Mass mailing worm infecting Windows 95 to XP systems On trigger date causes files on the hard drive to become empty -Ransomware: Encrypts the user's data and demands payment in order to access the key needed to recover the information PC Cyborg Trojan (1989) Gpcode Trojan (2006

**Virus Classifications

-Classification by Target: -Boot sector infector: Infects a master boot record or boot record and spreads when a system is booted from the disk containing the virus -File infector: Infects files that the operating system or shell considers to be executable -Macro virus: Infects files with macro or scripting code that is interpreted by an application -Multipartite virus: Infects files in multiple ways - classification by concealment strategy: - Encrypted virus A portion of the virus creates a random encryption key and encrypts the remainder of the virus - Stealth virus A form of virus explicitly designed to hide itself from detection by anti-virus software - Polymorphic virus A virus that mutates with every infection - Metamorphic virus A virus that mutates and rewrites itself completely at each iteration and may change behavior as well as appearance

**Worm Countermeasures

-Considerable overlap in techniques for dealing with viruses and worms: Once a worm is resident on a machine anti-virus software can be used to detect and possibly remove it. -Perimeter network activity and usage monitoring can form the basis of a worm defense -Worm defense approaches include: --Signature-based worm scan filtering --Filter-based worm containment --Payload-classification-based worm containment --Threshold random walk (TRW) scan detection --Rate limiting --Rate halting

**Generic Decryption (GD)

-Enables the anti-virus program to easily detect complex polymorphic viruses and other malware while maintaining fast scanning speeds. -Executable files are run through a GD scanner which contains the following elements: CPU emulator, Virus signature scanner, and Emulation control module. -The most difficult design issue with a GD scanner is to determine how long to run each interpretation.

**Operating System Hardening

-First critical step in securing a system is to secure the base operating system Basic steps: -Install and patch the operating system -Harden and configure the operating system to adequately address the indentified security needs of the system by: --Removing unnecessary services, applications, and protocols --Configuring users, groups, and permissions --Configuring resource controls -Install and configure additional security controls, such as anti-virus, host-based firewalls, and intrusion detection system (IDS) -Test the security of the basic operating system to ensure that the steps taken adequately address its security needs

**Intrusion Detection System (IDS)

-Host-based IDS (HIDS): Monitors the characteristics of a single host for suspicious activity. -Network-based IDS (NIDS): Monitors network traffic and analyzes network, transport, and application protocols to identify suspicious activity. -Distributed or hybrid IDS: Combines information from a number of sensors, often both host and network based, in a central analyzer that is able to better identify and respond to intrusion activity. Comprises three logical components: Sensors - collect data, Analyzers - determine if intrusion has occurred, and User interface - view output or control system behavior. IDS Requirements: Run continually, Be fault tolerant, Resist subversion, Impose a minimal overhead on system, Configured according to system security policies, Adapt to changes in systems and users, Scale to monitor large numbers of systems, Provide graceful degradation of service, and Allow dynamic reconfiguration.

**Network-Based IDS (NIDS)

-Monitors traffic at selected points on a network. -Examines traffic packet by packet in real or close to real time. -May examine network, transport, and/or application-level protocol activity. -Comprised of a number of sensors, one or more servers for NIDS management functions, and one or more management consoles for the human interface. -Analysis of traffic patterns may be done at the sensor, the management server or a combination of the two.

**Stateful Protocol Analysis (SPA)

-Subset of anomaly detection that compares observed network traffic against predetermined universal vendor supplied profiles of benign protocol traffic: This distinguishes it from anomaly techniques trained with organization specific traffic protocols. -Understands and tracks network, transport, and application protocol states to ensure they progress as expected. -A key disadvantage is the high resource use it requires.

**Source Address Spoofing

-Use forged source addresses: Usually via the raw socket interface on operating systems. Makes attacking systems harder to identify. -Attacker generates large volumes of packets that have the target system as the destination address. -Congestion would result in the router connected to the final, lower capacity link. -Requires network engineers to specifically query flow information from their routers. -Backscatter traffic: Advertise routes to unused IP addresses to monitor attack traffic.

**Distributed Denial of Service DDoS Attacks

-Use of multiple systems to generate attacks. -Attacker uses a flaw in operating system or in a common application to gain access and installs their program on it (zombie). -Large collections of such systems under the control of one attacker's control can be created, forming a botnet.

**Firewall Access Policy

A critical component in the planning and implementation of a firewall is specifying a suitable access policy: This lists the types of traffic authorized to pass through the firewall and Includes address ranges, protocols, applications and content types. This policy should be developed from the organization's information security risk assessment and policy. Should be developed from a broad specification of which traffic types the organization needs to support. Then refined to detail the filter elements which can then be implemented within an appropriate firewall topology. Characteristics that a firewall access policy could use to filter traffic include: IP address and protocol values: This type of filtering is used by packet filter and stateful inspection firewalls Typically used to limit access to specific services Application protocol: This type of filtering is used by an application-level gateway that relays and monitors the exchange of information for specific application protocols User identity: Typically for inside users who identify themselves using some form of secure authentication technology Network activity: Controls access based on considerations such as the time or request, rate of requests, or other activity patterns

**Data Sources and Sensors

A fundamental component of intrusion detection is the sensor that collects data. Common data sources include: System call traces Audit (log file) records File integrity checksums Registry access

**Clickjacking

Also known as a user-interface (UI) redress attack: Using a similar technique, keystrokes can also be hijacked. A user can be led to believe they are typing in the password to their email or bank account, but are instead typing into an invisible frame controlled by the attacker. Vulnerability used by an attacker to collect an infected user's clicks: The attacker can force the user to do a variety of things from adjusting the user's computer setters to unwittingly sending the user to Web sites that might have malicious code. By taking advantage of Adobe Flash or JavaScript an attacker could even place a button under or over a legitimate button making it difficult for users to detect. A typical attack uses multiple transparent or opaque layers to trick a user into clicking on a button or link on another page when they were intending to click on the top level page. The attacker is hijacking clicks meant for one page and routing them to another page.

Rainbow Table

An alternative is to trade-off space for time by precomputing potential hash values. In this approach the attacker generates a large dictionary of possible pass- words. For each password, the attacker generates the hash values associated with each possible salt value. The result is a mammoth table of hash values Known as this. This approach can be countered using a sufficiently large salt value and a sufficiently large hash length

**Snort

An example of a rule-based NIDS. A large collection of rules exists for it to detect a wide variety of network attacks. Snort Architecture: packet --> decoder --> detection engine --> logger or alerter Categories of rule options: • Meta-data: Provide information about the rule but do not have any affect during detection. • Payload: Look for data inside the packet payload and can be interrelated. • Non-payload: Look for non-payload data. • Post-detection: Rule-specific triggers that happen after a rule has matched a packet.

**Virtualization Alternatives

Application virtualization: -Allows applications written for one environment to execute on some other operating system Full virtualization: -Multiple full operating system instances execute in parallel Virtual machine monitor (VMM) -Hypervisor -Coordinates access between each of the guests and the actual physical hardware resources

**Packet Filtering Firewall

Applies rules to each incoming and outgoing IP packet: Typically a list of rules based on matches in the IP or TCP header. Forwards or discards the packet based on rules match. Filtering rules are based on information contained in a network packet: -Source IP address -Destination IP address -Source and destination transport-level address -IP protocol field -Interface Two default policies: -Discard - prohibit unless expressly permitted More conservative, controlled, visible to users -Forward - permit unless expressly prohibited Easier to manage and use but less secure -Advantages: Simplicity, Typically transparent to users and are very fast. -Weaknesses: Cannot prevent attacks that employ application specific vulnerabilities or functions, Limited logging functionality, Do not support advanced user authentication, Vulnerable to attacks on TCP/IP protocol bugs, and Improper configuration can lead to breaches.

Security of hash functions

As with symmetric encryption, there are two approaches to attacking a secure hash function: cryptanalysis and brute-force attack. As with symmetric encryption algorithms, cryptanalysis of a hash function involves exploiting logical weaknesses in the algorithm. The strength of a hash function against brute-force attacks depends solely on the length of the hash code produced by the algorithm. For a hash code of length n, the level of effort required is proportional to the following: (see attached photo) If collision resistance is required (and this is desirable for a general-purpose secure hash code), then the value 2n/2 determines the strength of the hash code against brute-force attacks. Van Oorschot and Wiener [VANO94] presented a design for a $10 million collision search machine for MD5, which has a 128-bit hash length, that could find a collision in 24 days. Thus a 128-bit code may be viewed as inadequate. The next step up, if a hash code is treated as a sequence of 32 bits, is a 160-bit hash length. With a hash length of 160 bits, the same search machine would require over four thousand years to find a collision. With today's technology, the time would be much shorter, so that 160 bits now appears suspect.

**Safe Coding Techniques (Compile-Time Defense)

C designers placed much more emphasis on space efficiency and performance considerations than on type safety: Assumed programmers would exercise due care in writing code. Programmers need to inspect the code and rewrite any unsafe coding. An example of this is the OpenBSD project. Programmers have audited the existing code base, including the operating system, standard libraries, and common utilities. This has resulted in what is widely regarded as one of the safest operating systems in widespread use.

**Keyloggers (form of payload - information theft)

Captures keystrokes to allow attacker to monitor sensitive information. Typically uses some form of filtering mechanism that only returns information close to keywords ("login", "password").

**Host-Based IPS (HIPS)

Can make use of either signature/heuristic or anomaly detection techniques to identify attacks: -Signature: focus is on the specific content of application network traffic, or of sequences of system calls, looking for patterns that have been identified as malicious -Anomaly: IPS is looking for behavior patterns that indicate malware Examples of the types of malicious behavior addressed by a HIPS include: Modification of system resources, Privilege-escalation exploits, Buffer-overflow exploits, Access to e-mail contact list, and Directory traversal. Capability can be tailored to the specific platform: A set of general purpose tools may be used for a desktop or server system. Some packages are designed to protect specific types of servers, such as Web servers and database servers. In this case the HIPS looks for particular application attacks. Can use a sandbox approach: Sandboxes are especially suited to mobile code such as Java applets and scripting languages. HIPS quarantines such code in an isolated system area then runs the code and monitors its behavior. Areas for which a HIPS typically offers desktop protection: System calls, File system access, System registry settings and Host input/output The Role of HIPS: -Many industry observers see the enterprise endpoint, including desktop and laptop systems, as now the main target for hackers and criminals. Thus security vendors are focusing more on developing endpoint security products. Traditionally, endpoint security has been provided by a collection of distinct products, such as antivirus, antispyware, antispam, and personal firewalls. Approach is an effort to provide an integrated, single-product suite of functions. Advantages of the integrated HIPS approach are that the various tools work closely together, threat prevention is more comprehensive, and management is easier.A prudent approach is to use HIPS as one element in a defense-in-depth strategy that involves network-level devices, such as either firewalls or network-based IPSs.

**Cipher Block Chaining

Cipher block chaining prevents the problem of the same plaintext mapping to multiple ciphertext blocks (subject to the square root attack) In the following, "E" stands for "Encipher" C1 = E(P1 XOR IV) C2 = E(P2 XOR C1) C3 = E(P3 XOR C2) ... Cn = E(Pn XOR Cn-1) Since XOR is reversible, you can decipher by doing this in reverse Cipher Block Chaining will work with any block cipher

**Flooding Attacks

Classified based on network protocol used Intent is to overload the network capacity on some link to a server. Virtually any type of network packet can be used: ICMP flood: Ping flood using ICMP echo request packets. Traditionally network administrators allow such packets into their networks because ping is a useful network diagnostic tool. UDP flood: Uses UDP packets directed to some port number on the target system. TCP SYN flood: Sends TCP packets to the target system Total volume of packets is the aim of the attack rather than the system code.

**SYN Spoofing

Common DoS attack. Attacks the ability of a server to respond to future connection requests by overflowing the tables used to manage them. Thus legitimate users are denied access to the server. Hence an attack on system resources, specifically the network handling code in the operating system.

**Low interaction honeypot

Consists of a software package that emulates par- ticular IT services or systems well enough to provide a realistic initial interac- tion, but does not execute a full version of those services or systems.

**Personal Firewall

Controls traffic between a personal computer or workstation and the Internet or enterprise network for both home or corporate use. Typically is a software module on a personal computer. Can be housed in a router that connects all of the home computers to a DSL, cable modem, or other Internet interface. Typically much less complex than server-based or stand-alone firewalls. Primary role is to deny unauthorized remote access. May also monitor outgoing traffic to detect and block worms and malware activity.

**Input Fuzzing

Developed by Professor Barton Miller at the University of Wisconsin Madison in 1989. Software testing technique that uses randomly generated data as inputs to a program. Range of inputs is very large. Intent is to determine if the program or function correctly handles abnormal inputs. Simple, free of assumptions, cheap. Assists with reliability as well as security. Can also use templates to generate classes of known problem inputs. Disadvantage is that bugs triggered by other forms of input would be missed. Combination of approaches is needed for reasonably comprehensive coverage of the inputs.

**Morris Worm

Earliest significant worm infection Released by Robert Morris in 1988 Designed to spread on UNIX systems Attempted to crack local password file to use login/password to logon to other systems Exploited a bug in the finger protocol which reports the whereabouts of a remote user Exploited a trapdoor in the debug option of the remote process that receives and sends mail Successful attacks achieved communication with the operating system command interpreter Sent interpreter a bootstrap program to copy worm over.

**Firewalls

Effective means of protecting LANs: Inserted between the premises network and the Internet to establish a controlled link. Can be a single computer system or a set of two or more systems working together. Used as a perimeter defense. Single choke point to impose security and auditing. Insulates the internal systems from external networks. Design goals: -All traffic from inside to outside, and vice versa, must pass through the firewall. -Only authorized traffic as defined by the local security policy will be allowed to pass. -The firewall itself is immune to penetration. Capabilities: -Defines a single choke point -Provides a location for monitoring security events -Convenient platform for several Internet functions that are not security related -Can serve as the platform for IPSec Limitations: -Cannot protect against attacks bypassing firewall -May not protect fully against internal threats -Improperly secured wireless LAN can be accessed from outside the organization -Laptop, PDA, or portable storage device may be infected outside the corporate network then used internally

**Credential Management

Examples of credentials are smart cards, private/public cryp- tographic keys, and digital certificates. Credential management is the management of the life cycle of the credential. Credential management encompasses the follow- ing five logical components: 1. An authorized individual sponsors an individual or entity for a credential to establish the need for the credential. For example, a department supervisor sponsors a department employee. 2. The sponsored individual enrolls for the credential, a process which typically consists of identity proofing and the capture of biographic and biometric data. This step may also involve incorporating authoritative attribute data, maintained by the identity management component. 3. A credential is produced. Depending on the credential type, production may involve encryption, the use of a digital signature, the production of a smart- card, or other functions. 4. The credential is issued to the individual or NPE. 5. Finally, a credential must be maintained over its lifecycle, which might include revocation, reissuance/replacement, reenrollment, expiration, personal identi- fication number (PIN) reset, suspension, or reinstatement.

**Drive-By-Downloads

Exploits browser vulnerabilities to download and installs malware on the system when the user views a Web page controlled by the attacker In most cases does not actively propagate Spreads when users visit the malicious Web page.

**Phishing (form of payload - information theft)

Exploits social engineering to leverage the user's trust by masquerading as communication from a trusted source: Include a URL in a spam e-mail that links to a fake Web site that mimics the login page of a banking, gaming, or similar site, Suggests that urgent action is required by the user to authenticate their account, and Attacker exploits the account using the captured credentials. Spear-phishing: -Recipients are carefully researched by the attacker. -E-mail is crafted to specifically suit its recipient, often quoting a range of information to convince them of its authenticity.

**Mobile Phone Worms

First discovery was Cabir worm in 2004 Then Lasco and CommWarrior in 2005 Communicate through Bluetooth wireless connections or MMS Target is the smartphone Can completely disable the phone, delete data on the phone, or force the device to send costly messages CommWarrior replicates by means of Bluetooth to other phones, sends itself as an MMS file to contacts and as an auto reply to incoming text messages.

**Classic DoS Attacks

Flooding ping command: -Aim of this attack is to overwhelm the capacity of the network connection to the target organization -Traffic can be handled by higher capacity links on the path, but packets are discarded as capacity decreases -Source of the attack is clearly identified unless a spoofed address is used -Network performance is noticeably affected

**Network-Based IPS (NIPS)

In essence is an inline NIDS with the authority to discard packets and tear down TCP connections. As with a NIDS, a NIPS makes use of techniques such as signature detection and anomaly detection. Among the techniques used in a NIPS but not commonly found in a firewall is flow data protection. This requires that the application payload in a sequence of packets be reassembled. The IPS device applies filters to the full content of the flow every time a new packet for the flow arrives. When a flow is determined to be malicious, the latest and all subsequent packets belonging to the suspect flow are dropped. In terms of the general methods used by a NIPS device to identify malicious packets, the following are typical: • Pattern matching: Scans incoming packets for specific byte sequences (the signature) stored in a database of known attacks • Stateful matching: Scans for attack signatures in the context of a traffic stream rather than individual packets • Protocol anomaly: Looks for deviation from standards set forth in RFCs Traffic anomaly: Watches for unusual traffic activities, such as a flood of UDP packets or a new service appearing on the network • Statistical anomaly: Develops baselines of normal traffic activity and throughput, and alerts on deviations from those baselines

**Validating Input Syntax

Given that the programmer cannot control the content of input data, it is necessary to ensure that such data conform with any assumptions made about the data before subsequent use. If the data are textual, these assumptions may be that the data contain only printable characters, have certain HTML markup, are the name of a person, a userid, an e-mail address, a filename, and/or a URL. Alternatively, the data might represent an integer or other numeric value. A program using such input should confirm that it meets these assumptions. An important principle is that input data should be compared against what is wanted, accepting only valid input. The alternative is to compare the input data with known dangerous values. The problem with this approach is that new problems and methods of bypassing existing checks continue to be discovered. By trying to block known dangerous input data, an attacker using a new encoding may succeed. By only accepting known safe data, the program is more likely to remain secure. This type of comparison is commonly done using regular expressions. It may be explicitly coded by the programmer or may be implicitly included in a supplied input processing routine. Figures 11.2d and 11.3b show examples of these two approaches. A regular expression is a pattern composed of a sequence of characters that describe allowable input variants. Some characters in a regular expression are treated literally, and the input compared to them must contain those characters at that point. Other characters have special meanings, allowing the specification of alternative sets of characters, classes of characters, and repeated characters. Details of regular expression content and usage vary from language to language. An appropriate reference should be consulted for the language in use. If the input data fail the comparison, they could be rejected. In this case a suitable error message should be sent to the source of the input to allow it to be corrected and reentered. Alternatively, the data may be altered to conform. This generally involves escaping metacharacters to remove any special interpretation, thus rendering the input safe.

**Responding to DoS Attacks

Good Incident Response Plan: -Details on how to contact technical. personal for ISP -Needed to impose traffic filtering upstream. -Details of how to respond to the attack. -Antispoofing, directed broadcast, and rate limiting filters should have been implemented. -Ideally have network monitors and IDS to detect and notify abnormal traffic patterns. --Identify type of attack: Capture and analyze packets, Design filters to block attack traffic upstream, Or identify and correct system/application bug. --Have ISP trace packet flow back to source: May be difficult and time consuming and Necessary if planning legal action --Implement contingency plan: Switch to alternate backup servers and Commission new servers at a new site with new addresses. --Update incident response plan: Analyze the attack and the response for future handling.

**Language Extensions/Safe Libraries (Compile-Time Defense)

Handling dynamically allocated memory is more problematic because the size information is not available at compile time. It Requires an extension and the use of library routines. Programs and libraries need to be recompiled Likely to have problems with third-party applications. Concern with C is use of unsafe standard library routines. One approach has been to replace these with safer variants. Libsafe is an example, Library is implemented as a dynamic library arranged to load before the existing standard libraries

**Firewall Topologies

Host-resident firewall - Includes personal firewall software and firewall software on servers. Screening router - Single router between internal and external networks with stateless or full packet filtering. Single bastion inline - Single firewall device between an internal and external router. Single bastion T - Has a third network interface on bastion to a DMZ where externally visible servers are placed. Double bastion inline - DMZ is sandwiched between bastion firewalls. Double bastion T - DMZ is on a separate network interface on the bastion firewall. Distributed firewall configuration - Used by large businesses and government organizations

**Attack Kits

Initially the development and deployment of malware required considerable technical skill by software authors. The development of virus-creation toolkits in the early 1990s and then more general attack kits in the 2000s greatly assisted in the development and deployment of malware. Toolkits are often known as "crimeware". Include a variety of propagation mechanisms and payload modules that even novices can deploy. Variants that can be generated by attackers using these toolkits creates a significant problem for those defending systems against them. -Widely used toolkits include: Zeus Blackhole Sakura Phoenix

**Cross site scripting (XSS) attack

Injects scripts into a web application server that will then direct attacks at clients. Another broad class of vulnerabilities concerns input provided to a program by one user that is subsequently output to another user. They are most commonly seen in scripted Web applications. This vulnerability involves the inclusion of script code in the HTML content of a Web page displayed by a user's browser. The script code could be JavaScript, ActiveX, VBScript, Flash, or just about any client-side scripting language supported by a user's browser. To support some categories of Web applications, script code may need to access data associated with other pages currently displayed by the user's browser. Because this clearly raises security concerns, browsers impose security checks and restrict such data access to pages originating from the same site. The assumption is that all content from one site is equally trusted and hence is permitted to interact with other content from that site. Cross-site scripting attacks exploit this assumption and attempt to bypass the browser's security checks to gain elevated access privileges to sensitive data belonging to another site. These data can include page contents, session cookies, and a variety of other objects. Attackers use a variety of mechanisms to inject malicious script content into pages returned to users by the targeted sites. The most common variant is the XSS reflection vulnerability. The attacker includes the malicious script content in data supplied to a site. If this content is subsequently displayed to other users without sufficient checking, they will execute the script assuming it is trusted to access any data associated with that site. Consider the widespread use of guestbook programs, wikis, and blogs by many Web sites. They all allow users accessing the site to leave comments, which are subsequently viewed by other users. Unless the contents of these comments are checked and any dangerous code removed, the attack is possible.

**Host-Based Behavior-Blocking Software

Integrates with the operating system of a host computer and monitors program behavior in real time for malicious action: -Blocks potentially malicious actions before they have a chance to affect the system -Blocks software in real time so it has an advantage over anti-virus detection techniques such as fingerprinting or heuristics. Limitations: Because malicious code must run on the target machine before all its behaviors can be identified, it can cause harm before it has been detected and blocked.

**Anomaly detection

Involves the collection of data relating to the behavior of legitimate users over a period of time. Current observed behavior is analyzed to determine whether this behavior is that of a legitimate user or that of an intruder. A variety of classification approaches: -Statistical - Analysis of the observed behavior using univariate, multivariate, or time-series models of observed metrics. -Knowledge based - Approaches use an expert system that classifies observed behavior according to a set of rules that model legitimate behavior. -Machine-learning - Approaches automatically determine a suitable classification model from the training data using data mining techniques.

**Address Space Randomization (Run-Time Defense)

Manipulate location of key data structures: -Stack, heap, global data -Using random shift for each process -Large address range on modern systems means wasting some has negligible impact Randomize location of heap buffers Random location of standard library functions

**SQL Injection Attacks (SQLi)

One of the most prevalent and dangerous network-based security threats •Designed to exploit the nature of Web application pages •Sends malicious SQL commands to the database server •Most common attack goal is bulk extraction of data •Depending on the environment SQL injection can also be exploited to: oModify or delete data oExecute arbitrary operating system commands oLaunch denial-of-service (DoS) attacks

**Securing Virtualization Systems

Organizations using virtualization should: -Carefully plan the security of the virtualized system. -Secure all elements of a full virtualization solution and maintain their security -Ensure that the hypervisor is properly secured -Restrict and protect administrator access to the virtualization solution

**Attacks (threats carried out)

Passive - attempt to learn or make use of information from the system that does not affect system resources Active - attempt to alter system resources or affect their operation Insider - initiated by an entity inside the security parameter Outsider - initiated from outside the perimeter

**Hashing

Passwords: Chapter 3 explains a scheme in which a hash of a password is stored by an operating system rather than the password itself. Thus, the actual password is not retrievable by a hacker who gains access to the password file. In simple terms, when a user enters a password, the hash of that password is compared to the stored hash value for verification. This application requires preimage resistance and perhaps second preimage resistance. • Intrusion detection: Store the hash value for a file, H(F), for each file on a system and secure the hash values (e.g., on a CD-R that is kept secure). One can later determine if a file has been modified by recomputing H(F). An intruder would need to change F without changing H(F). This application requires weak second preimage resistance.

**Data Backup and Archive

Performing regular backups of data is a critical control that assists with maintaining the integrity of the system and user data: -May be legal or operational requirements for the retention of data. Backup: -The process of making copies of data at regular intervals. Archive: -The process of retaining copies of data over extended periods of time in order to meet legal and operational requirements to access past data. Needs and policy relating to backup and archive should be determined during the system planning stage: -Kept online or offline. -Stored locally or transported to a remote site. -Trade-offs include ease of implementation and cost versus greater security and robustness against different threats.

**Viruses

Piece of software that infects programs Modifies them to include a copy of the virus Replicates and goes on to infect other content. Easily spread through network environments When attached to an executable program a virus can do anything that the program is permitted to do. Executes secretly when the host program is run. Specific to operating system and hardware Takes advantage of their details and weaknesses.

**Guard Pages (Run-Time Defense)

Place guard pages between critical regions of memory: Flagged in MMU as illegal addresses and Any attempted access aborts process. Further extension places guard pages Between stack frames and heap buffers: Cost in execution time to support the large number of page mappings necessary.

**Operating System Security

Possible for a system to be compromised during the installation process before it can install the latest patches. Building and deploying a system should be a planned process designed to counter this threat. Process must: -Assess risks and plan the system deployment -Secure the underlying operating system and then the key applications -Ensure any critical content is secured -Ensure appropriate network protection mechanisms are used -Ensure appropriate processes are used to maintain security.

**Security Maintenance

Process of maintaining security is continuous Security maintenance includes: -Monitoring and analyzing logging information. -Performing regular backups. -Recovering from security compromises. -Regularly testing system security. -Using appropriate software maintenance processes to patch and update all critical software, and to monitor and revise configuration as needed.

**Worms

Program that actively seeks out more machines to infect and each infected machine serves as an automated launching pad for attacks on other machines Exploits software vulnerabilities in client or server programs Can use network connections to spread from system to system Spreads through shared media (USB drives, CD, DVD data disks) E-mail worms spread in macro or script code included in attachments and instant messenger file transfers Upon activation the worm may replicate and propagate again Usually carries some form of payload First known implementation was done in Xerox Palo Alto Labs in the early 1980s

Vulnerable Compiled Programs

Programs can be vulnerable to PATH variable manipulation: -Must reset to "safe" values If dynamically linked may be vulnerable to manipulation of LD_LIBRARY_PATH: -Used to locate suitable dynamic library -Must either statically link privileged programs or prevent use of this variable

**Preventing Race Conditions

Programs may need to access a common system resource and they Need suitable synchronization mechanisms: -Most common technique is to acquire a lock on the shared file. Lockfile: -Process must create and own the lockfile in order to gain access to the shared resource. Concerns: -If a program chooses to ignore the existence of the lockfile and access the shared resource the system will not prevent this. -All programs using this form of synchronization must cooperate. -Implementation.

**Mobile Code

Programs that can be shipped unchanged to a variety of platforms Transmitted from a remote system to a local system and then executed on the local system Often acts as a mechanism for a virus, worm, or Trojan horse Takes advantage of vulnerabilities to perform its own exploits Popular vehicles include Java applets, ActiveX, JavaScript and VBScript

**Target Discovery

Scanning (or fingerprinting): First function in the propagation phase for a network worm. Searches for other systems to infect. Scanning strategies that a worm can use: Random: -Each compromised host probes random addresses in the IP address space using a different seed -This produces a high volume of Internet traffic which may cause generalized disruption even before the actual attack is launched Hit-list: -The attacker first compiles a long list of potential vulnerable machines -Once the list is compiled the attacker begins infecting machines on the list -Each infected machine is provided with a portion of the list to scan -This results in a very short scanning period which may make it difficult to detect that infection is taking place Topological: -This method uses information contained on an infected victim machine to find more hosts to scan. Local subnet: -If a host can be infected behind a firewall that host then looks for targets in its own local network -The host uses the subnet address structure to find other hosts that would otherwise be protected by the firewall

**Cloud Security As A Service

SecaaS Is a segment of the SaaS offering of a CP Defined by The Cloud Security Alliance as the provision of security applications and services via the cloud either to cloud-based infrastructure and software or from the cloud to the customers' on-premise systems

**Virtualization Security Issues

Security concerns include: -Guest OS isolation ==Ensuring that programs executing within a guest OS may only access and use the resources allocated to it -Guest OS monitoring by the hypervisor ==Which has privileged access to the programs and data in each guest OS -Virtualized environment security ==Particularly image and snapshot management which attackers may attempt to view or modify

**Hypervisor Security

Should be : -Secured using a process similar to securing an operating system -Installed in an isolated environment -Configured so that it is updated automatically -Monitored for any signs of compromise -Accessed only by authorized administration May support both local and remote administration so must be configured appropriately. Remote administration access should be considered and secured in the design of any network firewall and IDS capability in use. Ideally administration traffic should use a separate network with very limited access provided from outside the organization

**Return to System Call

Stack overflow variant replaces return address with standard library (system()) function: -=Response to non-executable stack defenses -=Attacker constructs suitable parameters on stack above return address -=Function returns and library function executes -=Attacker may need exact buffer address -=Can even chain two library calls Defenses: -=Any stack protection mechanisms to detect modifications to the stack frame or return address by function exit code -=Use non-executable stacks -=Randomization of the stack in memory and of system libraries

**Spyware (form of payload - information theft)

Subverts the compromised machine to allow monitoring of a wide range of activity on the system: Monitoring history and content of browsing activity, Redirecting certain Web page requests to fake sites, and Dynamically modifying data exchanged between the browser and certain Web sites of interest.

**Bastion Hosts

System identified as a critical strong point in the network's security: Serves as a platform for an application-level or circuit-level gateway. Common characteristics: Runs secure O/S, only essential services, May require user authentication to access proxy or host, Each proxy can restrict features, hosts accessed, Each proxy is small, simple, checked for security, Each proxy is independent, non-privileged, and Limited disk use, hence read-only code.

**Bots/Zombies/Drones (form of Payload - Attack Agents)

Takes over another Internet attached computer and uses that computer to launch or manage attacks Botnet - collection of bots capable of acting in a coordinated manner Uses: Distributed denial-of-service (DDoS) attacks Spamming Sniffing traffic Keylogging Spreading new malware Installing advertisement add-ons and browser helper objects (BHOs) Attacking IRC chat networks Manipulating online polls/games

**Denial-of-Service (DoS) Attack

The NIST Computer Security Incident Handling Guide defines a DoS attack as: "An action that prevents or impairs the authorized use of networks, systems, or applications by exhausting resources such as central processing units (CPU), memory, bandwidth, and disk space." ::A form of attack on the availability of some service. Categories of resources that could be attacked are: Network bandwidth: -Relates to the capacity of the network links connecting a server to the Internet -For most organizations this is their connection to their Internet Service Provider (ISP). System resources: Aims to overload or crash the network handling software. Application resources: -Typically involves a number of valid requests, each of which consumes significant resources, thus limiting the ability of the server to respond to requests from other users.

**Cloud Computing Reference Architecture

The NIST cloud computing reference architecture focuses on the requirements of 'what' cloud services provide, not a 'how to' design solution and implementation. The reference architecture is intended to facilitate the understanding of the operational intricacies in cloud computing. It does not represent the system architecture of a specific cloud computing system; instead it is a tool for describing, discussing, and developing a system-specific architecture using a common framework of reference. Objectives: NIST developed the reference architecture with the following objectives in mind: To illustrate and understand the various cloud services in the context of an overall cloud computing conceptual model To provide a technical reference for consumers to understand, discuss, categorize, and compare cloud services To facilitate the analysis of candidate standards for security, interoperability, and portability and reference implementations

**Injection Technique

The SQLi attack typically works by prematurely terminating a text string and appending a new command. Because the inserted command may have additional strings appended to it before it is executed the attacker terminates the injected string with a comment mark "- -" Subsequent text is ignored at execution time

**Database Encryption

The database is typically the most valuable information resource for any organization Protected by multiple layers of security: Firewalls, authentication, general access control systems, DB access control systems, database encryption. Encryption becomes the last line of defense in database security. Can be applied to the entire database, at the record level, the attribute level, or level of the individual field. Disadvantages to encryption: -Key management: Authorized users must have access to the decryption key for the data for which they have access. -Inflexibility: When part or all of the database is encrypted it becomes more difficult to perform record searching.

**Digital Immune System

The final category of IPS is in a distributed or hybrid approach. This gathers data from a large number of host and network-based sensors, relays this intelligence to a central analysis system able to correlate, and analyze the data, which can then return updated signatures and behavior patterns to enable all of the coordinated systems to respond and defend against malicious behavior. A number of such systems have been proposed. The digital immune system is a comprehensive defense against malicious behavior caused by malware, developed by IBM and subsequently refined by Symantec. The motivation for this development includes the rising threat of Internet-based malware, the increasing speed of its propagation provided by the Internet, and the need to acquire a global view of the situation. In response to the threat posed by these Internet-based capabilities, IBM developed the original prototype digital immune system. This system expands on the use of program emulation discussed in Section 6.9 and provides a general-purpose emulation and malware detection system. The objective of this system is to provide rapid response time so that malware can be stamped out almost as soon as they are introduced. When new malware enters an organization, the immune system automatically captures it, analyzes it, adds detection and shielding for it, removes it, and passes information about it to client systems, so the malware can be detected before it is allowed to run elsewhere. The success of the digital immune system depends on the ability of the malware analysis system to detect new and innovative malware strains. By constantly analyzing and monitoring malware found in the wild, it should be possible to continually update the digital immune software to keep up with the threat.

**DoS Attack Defenses

These attacks cannot be prevented entirely because high traffic volumes may be legitimate: High publicity about a specific site, Activity on a very popular site, and Described as slashdotted, flash crowd, or flash event. Attack prevention and preemption Before attack Attack detection and filtering During the attack Attack source traceback and identification During and after the attack Attack reaction After the attack

**Stateful Inspection Firewall

Tightens rules for TCP traffic by creating a directory of outbound TCP connections: -There is an entry for each currently established connection. -Packet filter allows incoming traffic to high numbered ports only for those packets that fit the profile of one of the entries in this directory. Reviews packet information but also records information about TCP connections: -Keeps track of TCP sequence numbers to prevent attacks that depend on the sequence number -Inspects data for protocols like FTP, IM and SIPS commands

**Programming Language (Compile-Time Defense)

Use a modern high-level languageL Not vulnerable to buffer overflow attacks, and Compiler enforces range checks and permissible operations on variables. Disadvantages: Additional code must be executed at run time to impose checks Flexibility and safety comes at a cost in resource use Distance from the underlying machine language and architecture means that access to some instructions and hardware resources is lost

**Executable Address Space Protection (Run-Time Defense)

Use virtual memory support to make some regions of memory non-executable: -Requires support from memory management unit (MMU) -Long existed on SPARC / Solaris systems -Recent on x86 Linux/Unix/Windows systems Issues: Support for executable stack code Special provisions are needed

**Host-Based Firewalls

Used to secure an individual host. Available in operating systems or can be provided as an add-on package. Filter and restrict packet flows. Common location is a server. Advantages: -Filtering rules can be tailored to the host environment. -Protection is provided independent of topology. -Provides an additional layer of protection.

**SQLi Attack Avenues

User input - Attackers inject SQL commands by providing suitable crafted user input. Server Variables - Attackers can forge the values that are placed in HTTP and network headers and exploit this vulnerability by placing data directly into the headers. Second-order injection - A malicious user could rely on data already present in the system or database to trigger an SQL injection attack, so when the attack occurs, the input that modifies the query to cause an attack does not come from the user, but from within the system itself. Cookies - An attacker could alter cookies such that when the application server builds an SQL query based on the cookie's content, the structure and function of the query is modified. Physical User Input - Applying user input that constructs an attack outside the realm of web requests

**Signature/Heuristic detection

Uses a set of known malicious data patterns or attack rules that are compared with current behavior. Also known as misuse detection. Can only identify known attacks for which it has patterns or rules. Signature approaches: -Match a large collection of known patterns of malicious data against data stored on a system or in transit over a network. -The signatures need to be large enough to minimize the false alarm rate, while still detecting a sufficiently large fraction of malicious data. -Widely used in anti-virus products, network traffic scanning proxies, and in NIDS. Rule-based heuristic identification: -Involves the use of rules for identifying known penetrations or penetrations that would exploit known weaknesses. -Rules can also be defined that identify suspicious behavior, even when the behavior is within the bounds of established patterns of usage. -Typically rules used are specific, SNORT is an example of a rule-based NIDS

**Inband Attacks

Uses the same communication channel for injecting SQL code and retrieving results The retrieved data are presented directly in application Web page Include: Tautology - this form of attack injects code in one or more conditional statements so that they always evaluate to true. End-of-line comment - After injecting code into a particular field, legitimate code that follows are nullified through usage of end of line comments. Piggybacked queries - the attacker adds additional queries beyond the intended query, piggybacking the attack on top of a legitimate request.

**Replacement Stack Frame

Variant that overwrites buffer and saved frame pointer address: -Saved frame pointer value is changed to refer to a dummy stack frame. -Current function returns to the replacement dummy frame. -Control is transferred to the shellcode in the overwritten buffer. Off-by-one attacks: -Coding error that allows one more byte to be copied than there is space available. Defenses: -Any stack protection mechanisms to detect modifications to the stack frame or return address by function exit code -Use non-executable stacks -Randomization of the stack in memory and of system libraries

**Macro and Scripting Viruses

Very common in mid-1990s -Platform independent -Infect documents (not executable portions of code) -Easily spread -Exploit macro capability of MS Office applications -More recent releases of products include protection -Various anti-virus programs have been developed so these are no longer the predominant virus threat

**Snort Inline

We introduced Snort as a lightweight intrusion detection system. This is a modified version of Snort which enhances Snort to function as an intrusion prevention system. Snort Inline adds three new rule types that provide intrusion prevention features: • Drop: Snort rejects a packet based on the options defined in the rule and logs the result. • Reject: Snort rejects a packet and logs the result. In addition, an error message is returned. In the case of TCP, this is a TCP reset message, which resets the TCP connection. In the case of UDP, an ICMP port unreachable message is sent to the originator of the UDP packet. • Sdrop: Snort rejects a packet but does not log the packet. Snort Inline includes a replace option, which allows the Snort user to modify packets rather than drop them. This feature is useful for a honeypot implementation. Instead of blocking detected attacks, the honeypot modifies and disables them by modifying packet content. Attackers launch their exploits, which travel the Internet and hit their intended targets, but Snort Inline disables the attacks, which ultimately fail. The attackers see the failure but can't figure out why it occurred. The honeypot can continue to monitor the attackers while reducing the risk of harming remote systems.

**Advanced Persistent Threats (APTs)

Well-resourced, persistent application of a wide variety of intrusion technologies and malware to selected targets (usually business or political) Typically attributed to state-sponsored organizations and criminal enterprises Differ from other types of attack by their careful target selection and stealthy intrusion efforts over extended periods High profile attacks include Aurora, RSA, APT1, and Stuxnet. APT Attacks: -Aim: Varies from theft of intellectual property or security and infrastructure related data to the physical disruption of infrastructure -Techniques used: Social engineering Spear-phishing email Drive-by-downloads from selected compromised websites likely to be visited by personnel in the target organization -Intent: To infect the target with sophisticated malware with multiple propagation mechanisms and payloads Once they have gained initial access to systems in the target organization a further range of attack tools are used to maintain and extend their access

Vigenere Cipher

a method of encrypting text by applying a series of Caesar ciphers based on the letters of a keyword. Use a key which represents a series of shifts Example in Chapter 1 used different shift values for letters depending on their position in the text A key of length n represents a series of shifts, s0,s1,...sn-1 pi is the plaintext character. t is # of characters in the plaintext message Encipher ci ≡ pi + sr (mod m) 0≤ ci ≤ m, 0 ≤ i < t where r ≡ i (mod n) 0≤ r < n Decipher: pi ≡ ci - sr (mod m) 0≤ ci ≤ m, 0 ≤ i < t where r ≡ i (mod n) 0≤ r < n Weaknesses: Can be broken by a frequency analysis

**Honeypot

a resource that has no production value. There is no legitimate reason for anyone outside the network to interact with a honeypot. Thus, any attempt to communicate with the system is most likely a probe, scan, or attack. Con- versely, if a honeypot initiates outbound communication, the system has probably been compromised. Honeypots are typically classified as being either low or high interaction.