CSE 4471 Final


- Physical security
- Personal security
- Operations security
- Communications security
- Network security
- Information security

A successful organization should have what layers of security in place?

Signature-based IDS:
- Examines data traffic in search of patterns that match known signatures
- Widely used because many attacks have clear and distinct signatures
- Problem with this approach: as new attack strategies are identified, the IDS's database of signatures must be continually updated
Statistical anomaly-based IDS:
- The statistical anomaly-based IDS (stat IDS) or behavior-based IDS samples network activity to compare it to traffic that is known to be normal
- When measured activity is outside baseline parameters or the clipping level, the IDS triggers an alert
- Can detect new types of attacks
- Requires much more overhead and processing capacity than signature-based IDS
- May generate many false positives

All IDSs use one of two detection methods:

- Information security began with Rand Report R-609 (the paper that started the study of computer security)
- Computer security began immediately after the first mainframes were developed

How did information security begin?

- Sender and receiver keep track of bytes sent and bytes received; ACKs carry an indication of the next byte expected
- Three duplicate ACKs are treated as a packet loss; the sender retransmits

How does TCP delivery work?

- Trojan horse arrives via email or software such as free games
- Trojan horse is activated when the software or attachment is executed
- Trojan horse releases its payload, monitors computer activity, installs a back door, or transmits information to the hacker

How does a trojan horse work?

ARPA began to examine feasibility of redundant networked communications

In the 1960s, how was the internet conceived?

- No safety procedures for dial-up connections to ARPANET
- Non-existent user identification and authorization to the system

In the 70s and 80s, what fundamental problems with ARPANET security were identified?

- IP scan and attack: the infected system scans a random or local range of IP addresses and targets any of several vulnerabilities known to hackers
- Web browsing: if the infected system has write access to any web pages, it makes all web content files infectious, so that users who browse to those pages become infected
- Virus: each infected machine infects certain common executable or script files on all computers to which it can write with virus code that can cause infection
- Unprotected shares: using vulnerabilities in file systems and the way many organizations configure them, the infected machine copies the viral component to all locations it can reach
- Mass mail: by sending email infections to addresses found in the address book, the infected machine infects many users, whose mail-reading programs also automatically run the program and infect other systems
- Simple Network Management Protocol (SNMP): by using the widely known and common passwords that were employed in early versions of this protocol, the attacking program can gain control of the device

Name and describe attack replication vectors

Autonomous Systems (AS)

The Global Internet consists of ____________ interconnected with each other:

- Stub AS: small corporation
- Multihomed AS: large corporation (no transit)
- Transit AS: provider

The global internet consists of these 3 AS's

- Decide whether to distribute handsets to employees for business purposes or allow use
- Encrypt device data
- Remote data wipe as needed
- Procure and install anti-malware and firewall products
- Require VPN use, strong passwords, inventory management
- Monitor employee handset use to detect attacks
- Educate employees about the threatspace; train them to treat handsets as any other computer system
- Prevent, detect, and respond appropriately

What are some risk management tactics for mobile phones?

- Flow control
- Responds to congestion
- Reliable in-order delivery

What are the characteristics of TCP?

- No reliability, flow control, or congestion control; sends data in a burst
- Provides multiplexing and demultiplexing of sources; many multimedia applications use UDP
- Segments may be delivered out of order to the app; segments may be lost

What are the characteristics of UDP?

- Confidentiality: self-explanatory
- Integrity: (bitwise) identical to the original
- Availability: of info, services, etc.
- Authenticity: "it is what it claims to be"
- Accuracy: free from mistakes and errors
- Utility: self-explanatory
- Possession: different from confidentiality

What are the critical characteristics of information?

- Centralized: all IDS control functions are implemented and managed in a central location
- Fully distributed: all control functions are applied at the physical location of each IDS component
- Partially distributed: combines the two; while individual agents can still analyze and respond to local threats, they report to a hierarchical central facility to enable the organization to detect widespread attacks

What are the different IDS control strategies?

Packet filtering routers:
- Most organizations with an Internet connection have a router serving as the interface to the Internet
- Many of these routers can be configured to reject packets that the organization does not allow into the network
- Drawbacks include a lack of auditing and strong authentication
Screened host firewalls:
- Combines a packet filtering router with a separate, dedicated firewall such as an application proxy server
- Allows the router to pre-screen packets to minimize traffic/load on the internal proxy
- The separate host is often referred to as a bastion host; it can be a rich target for external attacks and should be very thoroughly secured
Dual-homed host firewalls:
- Bastion host contains two network interface cards (NICs): one connected to the external network, one connected to the internal network
- Implementation of this architecture often makes use of network address translation (NAT), creating another barrier to intrusion from external attackers
Screened subnet firewalls (with DMZ):
- Dominant architecture used today is the screened subnet firewall
- Commonly consists of two or more internal bastion hosts behind a packet filtering router, with each host protecting the trusted network
- Connections from outside (untrusted network) are routed through an external filtering router
- Connections from outside (untrusted network) are routed into and out of a routing firewall to a separate network segment known as the DMZ
- Connections into the trusted internal network are allowed only from the DMZ bastion host servers
- Screened subnet performs two functions: it protects DMZ systems and information from outside threats, and it protects the internal networks by limiting how external connections can gain access to internal systems
- Another facet of DMZs: extranets

What are the different firewall architectures and how do they work?

physical, data link, network, transport, session, presentation, application

What are the network transport layers in order?

Advanced Research Procurement Agency

What does ARPA stand for?

Computer Security Institute

What does CSI stand for?

Internet Control Message Protocol. It is used by network devices to send error messages indicating, for example, that a requested service is not available (i.e. ping - could not find host)

What does ICMP stand for and what is it?

Transport Control Protocol

What does TCP stand for?

User Datagram Protocol

What does UDP stand for?

- Used by hosts, routers, and gateways to communicate network-level information
- Error reporting: unreachable host, network, port, protocol
- Echo request/reply (used by ping)

What is ICMP used for?

Intrusion Detection Systems (IDSes): in effort to detect unauthorized activity within inner network, or on individual machines, organization may wish to implement an IDS

What is an IDS?

The protection of information and its critical elements, including systems that use, store, and transmit that information

What is information security?

Information System is an entire set of software, hardware, data, people, procedures, and networks necessary to use information as a resource in the organization

What is an information system?

- Microprocessor
- ROM
- RAM
- Digital signal processor
- Radio module
- Microphone and speaker
- Hardware interfaces
- LCD display

What is inside a smartphone?

acts of human error or failure

What is the most common threat to information security?

Security should be considered a balance between protection and availability

What should be considered in security?

Larry Roberts

Who created ARPANET?

- No connection establishment (which can add delay)
- Simple: no connection state at sender or receiver
- Small segment header
- No congestion control: UDP can blast away as fast as desired

Why is there a UDP?

Employees

__________ are among the greatest threats to an organization's data

What attacker gains from successful attack, e.g., $$, status in 1337 h4x0r underground, spreading political message by website defacement, etc.

define Attacker benefit

What the attacker "spends" to launch an attack. Not limited to successful attacks. Not limited to $$: could include special equipment, software, time, expertise, and the probability of getting caught and penalized.

define Attacker cost

determining the identity of a person, computer, or service on a computer

define Authentication

Determining whether an entity (person, program, computer) has access to an object. Can be implicit (email account access) or explicit (attributes specifying users/groups who can read/write/execute a file).

define Authorization

the act of disclosing information. responsible, full, partial, none, delayed, etc.

define Disclosure

sustained efforts to protect others

define Due diligence

a successful attack

define Exposure

Definitions vary: any attack, all attacks using vulnerability X, etc. Anything resulting in service degradation other than problem management or service request fulfillment.

define Incident

court's ability to "reach far" and apply law (another state, country)

define Long-arm jurisdiction

malicious codes such as viruses, worms, Trojan horses, bots, backdoors, spyware, adware, etc.

define Malware

- Probability that "something bad" happens times the expected damage to the organization
- Unlike vulnerabilities/exploits; e.g., a web service running on a server may have a vulnerability, but if it's not connected to the network, the risk is 0

define Risk

what must be done to comply with policy, how to do so

define Standards, guidelines, best practices

Generic term for objects or people who pose a potential danger to an asset (via attacks)

define Threat

Specific object or person who poses such a danger (by carrying out an attack). DDoS attacks are a threat; if a hacker carries out a DDoS attack, he's a threat agent.

define Threat agent

how the attack was carried out, e.g., malicious email attachment. a path or means by which a hacker can gain access to a computer or network server in order to deliver a payload or malicious outcome

define Vector

What happens to the victim as the result of a successful attack:
- Damaged reputation
- Lost sales
- Replacement cost
- Recovery cost (e.g., reinstall OS and applications)
- Not limited to $$

define Victim impact (or cost)

Weakness or fault that can lead to an exposure

define Vulnerability

documentation about application of law in various cases

define case law

fixed morals or customs of a group of people, form basis of ethics

define cultural mores

Has been taken when employees know what is/isn't acceptable and what the consequences are

define due care

Rules that define socially acceptable behavior, not necessarily criminal, not enforced

define ethics

a court's right to hear a case if a wrong was committed in its territory or against its citizens

define jurisdiction

Rules that mandate or prohibit behavior, enforced by governing authority (courts)

define laws

legal obligation beyond what's required by law, increased if you fail to take due care

define liability

"Organizational laws": a body of expectations that defines acceptable workplace behavior
- General and broad, not aimed at specific technologies or procedures
- To be enforceable, policy must be distributed, readily available, easily understood, and acknowledged by employees

define policy

Product of likelihood and magnitude of loss (when "bad things" happen)

define risk

Collection of hardware, software, data, procedures, networks, people, etc. that "belong together"

define system

- Risk management involves identifying the organization's assets and identifying threats/vulnerabilities
- Risk identification begins with identifying the organization's assets and assessing their value

how do you assess a company's risks?

- Designed to operate at the media access control layer of the OSI network model
- Able to consider a specific host computer's identity in its filtering decisions
- MAC addresses of specific host computers are linked to access control list (ACL) entries that identify specific types of packets that can be sent to each host; all other traffic is blocked

how does a MAC layer firewall work?

- Circuit gateway firewall operates at the transport layer
- Like filtering firewalls, they do not usually look at data traffic flowing between two networks, but prevent direct connections between one network and another
- Accomplished by creating tunnels connecting specific processes or systems on each side of the firewall, and allowing only authorized traffic in the tunnels

how does a circuit gateway firewall work?

- Packet filtering firewalls examine header information of data packets
- Simple firewall models enforce rules designed to prohibit packets with certain addresses or partial addresses
- Three subsets of packet filtering firewalls:
  - Static filtering: requires that the filtering rules governing how the firewall decides which packets are allowed and which are denied are developed and installed
  - Dynamic filtering: allows the firewall to react to an emergent event and update or create rules to deal with the event
  - Stateful inspection: firewalls that keep track of each network connection between internal and external systems using a state table

how does a packet filtering firewall work?

Proxy server that determines whether and how each connection through it is made
- Frequently installed on a dedicated computer; also known as a proxy server
- Since the proxy server is often placed in an unsecured area of the network (e.g., DMZ), it is exposed to higher levels of risk from less trusted networks
- Additional filtering routers can be implemented behind the proxy server, further protecting internal systems

how does an application gateway firewall work?

inexperience, improper training, incorrect assumptions

what are the causes of Acts of Human Error or Failure?

- People: trusted employees, other staff, nonemployees
- Procedures: IT and business-sensitive procedures
- Data: transmission, processing, storage
- Software: applications, operating systems, security components
- Hardware: system and peripherals, security devices, networking components

what are the components/assets in risk management?

- Packet filtering
- Application gateways
- Circuit gateways
- MAC layer firewalls
- Hybrids

what are the different firewall processing modes?

- Civil: laws governing a nation or state
- Criminal: harmful actions to society, prosecuted by the state
- Tort: individual lawsuits as recourse for "wrongs", prosecuted by individual attorneys
- Private: includes family, commercial, labor law
- Public: includes criminal, administrative, constitutional law

what are the different types of law?

- Apply safeguards (avoidance)
- Transfer the risk (transference)
- Reduce impact (mitigation)
- Understand consequences and accept risk (acceptance)

what are the four different risk control strategies?

Network-based IDS (NIDS):
- Resides on a computer or appliance connected to a segment of an organization's network; looks for signs of attacks
- When examining packets, a NIDS looks for attack patterns
- Installed at a specific place in the network where it can watch traffic going into and out of a particular network segment
Host-based IDS (HIDS):
- Resides on a particular computer or server and monitors activity only on that system
- Benchmarks and monitors the status of key system files and detects when an intruder creates, modifies, or deletes files
- Most HIDSs work on the principle of configuration or change management
- Advantage over NIDS: can usually be installed so that it can access information that is encrypted when traveling over the network
Application-based IDS (AppIDS):
- Examines an application for abnormal events
- May be configured to intercept requests to the file system, network, configuration, and execution space

what are the three different IDS types?

- Acts of human error or failure: accidents, employee mistakes
- Deliberate software attacks: viruses, worms, macros, DDoS

what are the two most common threats to information security?

Transport mode:
- Data within the IP packet is encrypted, but header information is not
- Allows a user to establish a secure link directly with a remote host, encrypting only the data contents of the packet
- Two popular uses: end-to-end transport of encrypted data; a remote access worker connects to the office network over the Internet by connecting to a VPN server on the perimeter
Tunnel mode:
- Organization establishes two perimeter tunnel servers
- These servers act as encryption points, encrypting all traffic that will traverse the unsecured network
- Primary benefit of this model is that an intercepted packet reveals nothing about the true destination system
- Example of a tunnel mode VPN: Microsoft's Internet Security and Acceleration (ISA) Server

what are the two vpn modes and how do they work?

Digital Millennium Copyright Act of 1998 (DMCA): criminalizes circumvention of technological copyright protection measures

what is DMCA?

Demilitarized zone: no-man's land between inside and outside networks where some organizations place Web servers

what is DMZ?

Family Education Rights and Privacy Act (FERPA): Restricts distribution of "student academic records" such as names and grades

what is FERPA?

Health Insurance Portability and Accountability Act: requires privacy policies in healthcare and financial industries, restricts sharing and use of customer info

what is HIPAA?

risk "left over" after identification and control

what is Residual risk?

attacker monitors network packets, modifies them, and inserts them back into network

what is a Man-in-the-middle attack?

gaining access to system or network using known or previously unknown/newly discovered access mechanism

what is a backdoor?

application error occurring when more data is sent to a buffer than can be handled

what is a buffer overflow?

The failure of an IDS system to react to an actual attack event.

what is a false negative?

An alarm or alert that indicates that an attack is in progress or that an attack has successfully occurred when in fact there was no such attack.

what is a false positive?

device that selectively discriminates against information flowing into or out of organization

what is a firewall?

collection of honey pots connecting several honey pot systems on a subnet

what is a honeynet?

decoy systems designed to lure potential attackers away from critical systems and encourage attacks against themselves

what is a honeypot?

honey pot that has been protected so it cannot be easily compromised

what is a padded cell?

secretly observes computer screen contents/electromagnetic radiation, keystroke sounds, etc.

what is a side-channel attack?

program or device that monitors data traveling over network; can be used both for legitimate purposes and for stealing information from a network

what is a sniffer?

explores contents of a Web browser's cache to create malicious cookie

what is a timing attack?

A program that searches out other programs and infects them by embedding a copy of itself in them

what is a virus?

VPNs, or Virtual Private Networks, allow users to securely access a private network and share data remotely through public networks.

what is a vpn?

A program that propagates itself over a network, reproducing itself as it goes

what is an active worm?

Benchmarking is process of seeking out and studying practices in other organizations that one's own organization desires to duplicate

what is benchmarking?

execution of viruses, worms, Trojan horses, and active Web scripts with intent to destroy or steal information

what is malicious code?

applying controls to reduce risks to an organization's data and information systems

what is risk control?

process of examining an organization's current information technology security situation

what is risk identification?

process of identifying and controlling risks facing an organization

what is risk management?

using social skills to convince people to reveal access credentials or other valuable information to attacker

what is social engineering?

technique used to gain unauthorized access; intruder assumes a trusted IP address

what is spoofing?

Active worm can be used for network reconnaissance in preparation for ddos

what is the relationship between an active worm and ddos?

