Computer and Network Security

Introduction
Dr. Ron Rymon Efi Arazi School of Computer Science IDC, Herzliya. 2010/11

Todays Lecture
Introduction
A Few Nightmare Scenarios Statistics and Impact Course Plan and Administrativia Models of Computer Security

What do we mean by Computer Security?

Examples
Threats Attacks Security Mechanisms Security Needs and Services

Our Security Needs/Threats

Confidentiality of information stored on computers Confidentiality of information communications Control of our computers and networks Ensuring the integrity of information Identifying/authenticating communication partners Protecting information services (enterprise, www) Protecting information and people privacy Protecting digital rights and property Protecting computer-operated physical infrastructure
hand-held devices, electronic voting, electronic payment, border control, job entry, etc.

and more as computers take greater role in our lives

The Adversaries
For Profit Organized crime Fraudsters Information thieves Marketers Spies (military, commercial) Enemy states & terrorists

Vandals Commercial and political reasons Mostly, nut cases and irresponsible kids (script kiddies)
Joy riders Technically skilled Psychologically challenged Again, mostly kids Insiders!

Good hackers vs. Bad hackers (Crackers)

Their Tools of the Trade

Viruses, worms, etc. Password cracking Intrusion and penetration attacks Eavesdropping attacks (esp. wireless) Communication hijacking attacks Denial of service attacks OS/Application vulnerability attacks Trojan horses, viruses/worms, spyware, keyloggers Server and access point impersonation Phishing and phraud Clickjacking Social Engineering More.

Our Tools of the Trade

Encryption Anti-virus software Spam filters Firewalls Intrusion detection/prevention software Strong authentication Access control Authorization management Application security gateways and filters Patch management systems Electronic signatures Disaster Recovery and more

EDUCATION!!

Security and People

People, not technology, are often the weakest link
Create awareness and educate people that security matters Create business processes that enhance security
accurate provisioning, password mgmt, stronger authentication, segregation of duty

Security solutions shall be tied to business processes

Treat security as an important part of doing business. It is not less important than features and performance (Bill Gates) The missing component in most security products is what Global 5000 buyers most want, the ability to manage business risk, innovation, and agility. Despite this, security suppliers continue to focus their efforts on honing technical access controls (Aberdeen, Mar 2004) Corporate governance: Security is as enterprise management issue New executives: Chief Security Officer & Chief Compliance Officer Business managers in all ranks are asked to assume security responsibility

A Few Nightmare Scenarios

Nightmare Scenario #1: Information stolen from our systems

2000 hacker breaks CDUniverse, steals 300,000 credit card numbers 2002 hacker steals 1MM credit cards from merchants that didnt patch 2007 hacker steals millions of credit cards & personal info from TJMaxx 2001 hacker pre-announces JDS earnings 1/2002, hacker penetrates financial software maker Online Resources; then uses

this to hack into a NY bank and steal account data; then extorts the bank
2004 Code of Win2K and NT stolen from Microsoft partner 2004 Code of Cisco IOS stolen 2006 - 25% of companies reported attempted penetration (really, close to 100%) 2006 25% of computers believed infected

2007 - Theft of laptops and PDAs is top security concern for CIOs 2008 Identity theft is top concern for individuals (1 in 6 Americans last year!) 2009 Data Leakage is a key concern for security and compliance officers 2010 Where are our (virtualized) systems? Who has access to them?

70% of all cases are internal work profit, revenge, and ignorance

Nightmare Scenario #2: Our communication can be exposed

In 16th century, Mary Queen of Scots loses her head when her coded

messages are deciphered

In WWII, many German U-boats were destroyed once the British were

able to decipher their Enigma messages

Today, encryption mechanisms (VPNs, SSL, etc.) are very strong,

usually rendering eavesdropping ineffective

Still, some cases surface from time to time Wi-Fi networks originally unsecured and being targeted US Carnivore/Echelon sift through millions of emails/phone calls Al-Qaeda members caught using Swisscom GSM chips Tempest attacks, capturing electromagnetic radiation Cloning encryption cards for satellite-based entertainment systems Chinese using supercomputers to break American satellite communication

Nightmare Scenario #3: Control of our computers is taken

First viruses (e.g., Jerusalem) were spreading slowly

Code Red (2001) leaves back door on infected machines infected 359,000 IIS servers in 14 hours, 2000 per minute at the peak
SQL Slammer (2003) generated huge traffic from infected network In 2004, there were 112,000 known viruses Today, most malware is commercially motivated Professional and uses multiple infection mechanisms (time to infection is down to FIVE minutes in 2008) Soldiers in the botnets army (~25% of all computers are infected) Steal information, e.g., identity, passwords, credit cards Serve for commercial spam Many recent attacks aimed at virtualization platforms Next, significant risk to mobile devices, VOIP systems

Nightmare Scenario #4: Website defacing

Some are political protests 2000 - Pro-Israeli and Pro-Palestinian (e-Jihad) hackers deface sites 2000 - Hamas site and Al Qaeda site visitors diverted to porn sites 2001 - Chinese posted picture of downed pilot on US Govt sites 2003 - web sites defaced by anti/pro war in Iraq 2008 CERN site was defaced after the big bang experiment Businesses are also affected 1999 - NASDAQ and AMEX sites are defaced 2001 - British Telecom defaced by hackers complaining about service 2002 RIAA site is defaced and provides pirated music for download

Massive defacing 2001- hacker group defaces 679 sites in 1 minute 2003 - Blackhat defacing competition: winner must deface 6000 sites asap
2007 US government sites pointing to Viagra and porn sites

Nightmare Scenario #5: Service interruptions

1996 - Panix (ISP) suffers a DoS SYN attack 1999 - Melissa crashes e-mail servers (replicates to Outlook contacts) 2000 - Mafiaboy attack crashes Yahoo, CNN, Amazon for 3 hours 2003 - RIAA site is attacked 2004 - MyDoom (email virus) attacks Microsoft, SCO sites 2007 - Estonia infrastructure attacked by Russian hackers

27% of companies running web services reported DoS attacks The Knesset, Israeli PM and other ministries are constantly attacked

Today, the main concern is around VoIP, wireless infrastructure.

What is next? Power plants? Other forms of Cyber-Terrorism?

Nightmare Scenario #6: Fraud and Identity Theft

FTC Survey (2003) 4.6% of consumers defrauded in 2003 (12.7% in past 5 years) Mostly credit cards, but also bank accounts, loans, mortgage apps... Total ID Fraud estimated at $50B a year Internet payment fraud is rampant 20 times the normal rate; typically identity theft Used to be easy to change fields (e.g. price) in web forms Fraudulent merchants and con-artists defraud users Phishing rampant everywhere Fraudulent porn services re-used credit card numbers Identity theft becomes one of biggest problems (2007) Fraudsters and mafia stealing whole identities Use to buy, take loans, sell houses, etc., ruining victims credit history Who is that merchant I am going to to buy from? difficult to

authenticate

Nightmare Scenario #7: E-Mail Blues

It used to be many forms of Viruses. Worms, Trojans spread via mail Attract download software/applet (some pretend to help against a virus) Phishing grows quickly Spoof sender address and identity Huge economic cost due to destruction, traffic, cleanup costs At its peak, 8% of emails were MyDoom

Today, Spam makes up >80% of email traffic Started with Internet economic model of direct marketing fails Spoofing mail address, headers, names, etc Cause significant economic damage
Unprotected e-mail became almost unusable for simple e-mail users Proposed solutions are both technological and legal New comprehensive email solutions include: anti-virus/worms, fraud, spam, content policy, privacy, and confidentiality Microsoft initiative, Challenge-response mechanisms, Caller-ID

Current Statistics and Impact

Security Incidents and Reporting

9000 8000 7000 6000 5000 4000 3000 2000 1000 0 1995 1996 1997 1998 1999 2000 2001 2002 2003 2004 2005 2006

# of incidents and # reported (CERT)

Vulnerability disclosures (IBM)

Security Threats (2008)

What? How? Who?

2008 Baseline Mag Security Survey

How Important Is IT Security?

Source: IBM Market Monitor, 2004

Course Plan and Administrativia

Course Plan
Cryptography
history, conventional, public-key, key dist/mgmt

Identity Authentication
Signatures, challenge-response, identity authentication

Securing Communications Protocols

IPSec, VPNs, Web security (SSL), WiFi Security

Access Control
Kerberos, Firewalls, PKI

Malicious Code and Intruders

Viruses, Worms, Intrusion detection, Spyware

Application Security
Email security, Spam, VoIP, Cellphones

Market Trends: Guest Presentations

Course Materials
Course site
http://www1.idc.ac.il/compsec

Most course material is from current sources

News, Industry (analysts, conferences, vendors), Academic Subject-specific books

Main Textbook
Network Security Essentials: Applications and Standards / William Stallings (old edition OK)

Highly recommended
Applied Cryptography / Bruce Schneier

Administrativia
Lecturer: Dr. Ron Rymon Teaching Assistant: Ilan Atias Lectures: Sunday 9:15-11:45am, C109 Secondary slot: Tue evening, 6pm (if needed) Office Hours: by appointment Credits: 3 Open to CS MSc, and BSc (2nd and 3rd year) students Grade: 70% exam, 30% other (project, in-class quizes, homework) Must pass the exam Must turn in all work, in time

Models of Computer Security

Secured Communication Model

Alice

Bob

Example
Alice

Trusted Server

Bob

Sign/ Encrypt
PrivK(Alice)

SignPrivK(Alice) (Alice) SignPrivK(Bob) (Bob) EncPubK(Bob) (SessK) EncSessK(Message)

Decrypt
PrivK(Bob) Sign/ Encrypt

Decrypt Gen Sess Key Encrypt

Decrypt

Encrypt

Decrypt

Secured Access Model

Identify and filter requests for information

Access Control Model

Authentication Must provide credentials to access a resource
E.g., password, fingerprint, identification card

Authorization Must be authorized to gain access to specific data, other computing resources.
E.g., file systems, firewalls, application authorization model Various levels of granularity

ITU/IETF X.800: Security Threats, Attacks, Services, and Mechanisms

Security Threat: A potential attack on systems or on information

security needs
Security Attack: An attempt to compromise the security of systems or

information
Example: Eavesdropping on communication Security Service: Use of one or more mechanisms to enhance the

security of a system or application

Example: Confidentiality of communications

Security Mechanism: A specific method to detect, prevent, or recover

from an attack, and to provide the required service

Example: Encryption software

Attacks: The X.800 Threat Model

Security Attacks (Stallings)

Examples of Attacks
Attacks can be Active, e.g., intrusion, or Passive, e.g,

eavesdropping
Examples of attacks:
Intrusion Eavesdropping Impersonation Viruses / Worms Denial of service Man-in-the-middle Reflection attack Replay attack Password cracking Data/code modification Fraudulent attribution Repudiation

X.800 Security Services

Authentication Identify peers, Source authentication for data Access Control Who can access to what Data Confidentiality Connection, Connectionless (system), Traffic, Privacy Data Integrity With or without recovery

Non-repudiation Origin, Destination, Both

Availability A service on its own, or a property of other services

Security Mechanisms
Specific use of certain algorithms, protocols, and

procedures to provide one or more security services

Examples
Authentication use password, fingerprint, magnetic card Access Control specify access rights based on the user id, role/group to specific transactions and/or specific content Data Confidentiality encrypt information using a specific algorithm Data Integrity detect and prevent unauthorized change to content Non-Repudiation use electronic signature to ensure authenticity Availability increase resiliency, filter malicious traffic

Many security mechanisms use Cryptography as an

underlying technology

Next Class: Steganography and History of Cryptography