
CSE 4482 Computer Security Management: Assessment and Forensics

Introduction to Information Security

Instructor: N. Vlajic,

Fall 2010

Learning Objectives
Upon completion of this material, you should be able to:

• Define key terms and critical concepts of information security.
• List the key challenges of information security, and key protection layers.
• Describe the CNSS security model (McCumber Cube).
• Be able to differentiate between threats and attacks to information.
• Identify today’s most common threats and attacks against information.


Introduction
“In the last 20 years, technology has permeated every facet of the business environment. The business place is no longer static – it moves whenever employees travel from office to office, from office to home, from city to city. Since businesses have become more fluid, …, information security is no longer the sole responsibility of a small dedicated group of professionals, …, it is now the responsibility of every employee, especially managers.”


Information Technology
• Information Technology – enables storage and transportation of information from one business unit to another
  - in many organizations, information is seen as the most valuable asset

• Information System – entire set of data, software, hardware, networks, people, procedures and policies necessary to use information as a resource in an organization
  - each of the 7 components has its own strengths, weaknesses, and its own security requirements

Information Technology (cont.)

Information Security
• Security = state of being secure, free from danger
• Information Security – protection of information and its critical characteristics achieved through appropriate deployment of products, people, procedures and policies
• C.I.A. triangle – 3 key characteristics of information that must be protected by information security:
  - confidentiality – only authorized parties can view information
  - integrity – information is correct and not altered
  - availability – data is accessible to authorized users

Information Security (cont.)
[figure: three protection layers – products, people, policies & procedures]

Information Security (cont.)
• Information, software, hardware and networks are protected in three layers:
  - products = physical-level security ensuring physical security around the data – may be as basic as placing door locks or as complicated as installing intrusion-detection systems and firewalls (security hardware and software)
  - people = personnel-level security – hiring the most qualified individuals, providing necessary training, enforcing strict access control, terminating individuals in a way that protects all parties involved
  - procedures and policies = organizational-level security required where product and people security are not sufficient – includes establishment of strategies that prevent any form of illegitimate activity and potential misuse of information

Information Security (cont.)
• Specific goals of information security in an organization:
  - Protect the data that the organization collects and uses – data in-motion and data at-rest (e.g. encrypt data, protect and keep record of transactions, etc.)
  - Enable safe operation of applications implemented on the organization’s (internal) IT systems (e.g. protect e-mail, instant messaging, etc. from getting ‘infected’)
  - Protect the organization’s ability to function well externally (e.g. minimize the probability of business interruption due to DDoS)

Information Security (cont.)
[figure: SAINT manager diagram, http://www.saintcorporation.com/images/SAINTmanager-diagram1.jpg]

Information Security (cont.)
• Information security should balance protection and access
  - a completely secure information system would not allow anyone access

CNSS Security Model
• CNSS = Committee on National Security Systems
• McCumber Cube – Rubik’s cube-like detailed model for establishment and evaluation of information security
  - to develop a secure system, one must consider not only the key security goals (CIA) but also how these goals relate to the various states in which information resides and the full range of available security measures

CNSS Security Model (cont.)
• Each of the 27 cells in the cube represents an area that must be addressed to secure an information system
  - e.g. the intersection between technology, integrity and storage implies the need to use technology to protect the integrity of information while in storage
  - solution: host intrusion system that alerts the security administrator when a critical file is modified
[figure: cube axes – Desired goals, Information states, Measures]

Are all 27 aspects of security worth examining at every company? Where/how do we start building or evaluating a security system?

Threats
• Security threat – action or event that represents a danger to the organization’s asset(s)
  - has the potential to breach security and cause harm
• There are three components of a threat:
  - Targets: organization’s asset that might be attacked – information confidentiality, integrity, availability
  - Agents: people or organizations originating the threat – employees, ex-employees, hackers, commercial rivals, terrorists, criminals, general public, customers
  - Events: type of action that poses the threat – misuse of authorized information, malicious / accidental alteration of information, malicious / accidental destruction of information, etc.

Threats (cont.)
• To make sound decisions about information security, the organization (its management) must be informed about various security threats.
• Each organization must prioritize its threats based on:
  - the particular situation in which it operates – e.g. what are the company’s main assets: (a) web servers (e-commerce company), or (b) data (software company)?
  - the exposure levels in which its assets operate – e.g. are there any servers open to the public? are there any wireless links / access points?
  - the organizational strategy regarding risk – e.g. cost/time of encrypting every file/email vs. worker’s productivity

Threats (cont.)
Example: Companies and their threats
Which of the three threats is most critical for which of the three companies? Amazon, IBM, TD Bank
[figure: http://www.eicepower.com/NetworkSecurity.htm]

Threat Events

Threat Events (cont.)

Threat Events (cont.)
1) Act of Human Error or Failure
  - an organization’s own employees are one of its greatest threats
  - examples: entry of erroneous data; accidental deletion or modification of data; failure to protect data; storing data in unprotected areas
• Much of human error or failure can be prevented
  - preventative measures: training and ongoing awareness activities
  - enhanced control techniques: require users to type a critical command twice; ask for verification of commands by a second party

Threat Events (cont.)
2) Compromise to Intellectual Property (IP)
  - any unauthorized use of IP constitutes a security threat
  - example: unlawful use or duplication of software – software piracy
  - defense measures: use of digital watermarks and embedded code; mandatory on-line registration process
Example: Peter Morch story – compromise to IP
In 2000, while still employed at Cisco Systems, Morch logged into a computer belonging to another Cisco software engineer and obtained (burned onto a CD) proprietary information about an ongoing project. Shortly after, Morch started working for Calix Networks – a potential competitor with Cisco. He offered them Cisco’s information. Morch was sentenced to 3 years’ probation.

Threat Events (cont.)
3) Deliberate Act of Trespass
  - unauthorized access to information that an organization is trying to protect
  - low-tech example: shoulder surfing – collect data by viewing from a distance
  - high-tech example: hacking – attempt to bypass the controls placed around information that is the property of someone else
• Categories of hackers
  - expert / elite hacker: develops software scripts and programs used by script kiddies
  - unskilled hackers – script kiddies: hackers who use expertly written 3rd-party software to attack a system

Threat Events (cont.)
[figure: shoulder surfing; hacker profiles]

Threat Events (cont.)
Example: Kevin Mitnick story (Takedown)
Kevin Mitnick (1963) – most notorious hacker to date. At the age of 17 he broke into the Pacific Bell Computer Centre for Mainframe Operations. Eventually caught and sentenced to 3 months in juvenile detention and a year of probation. He was arrested again in 1983 at the U of Southern California, where he was caught breaking into Pentagon computers over the ARPANET. He received 6 months in another juvenile prison. In 1987 he was convicted of stealing software from the Santa Cruz Operations, in 1998 for possessing illegal long-distance access codes … In 1992, an episode of illegal use of a database was traced back to him. When the FBI came to arrest him, Mitnick had vanished. He eluded the police and FBI for over 2 years, while committing another break-in into Tsutomu Shimomura’s computer on Christmas 1994. In 1995 he was finally tracked down and arrested, and was charged with breaking into some of the US’s most secure computer systems. He was held in solitary confinement for 8 months, and without bail for nearly 5 years … (More at: www.wordiq.com/definition/Kevin_Mitnick)

Threat Events (cont.)
Example: Princeton vs. Yale story – deliberate act of trespass
Yale University’s admission created a web-based system to enable applicants to check the status of their application on-line. To access the system, the applicants had to prove their identity by answering questions regarding their name, birth date, SIN. Many of these students also applied to other top universities. At Princeton, associate dean and director of admissions Stephen LeMenager knew that the private information that Yale used to control access was also in the applications that candidates submitted to Princeton. He used this information to log into the Yale system several times as applicants. When the word got out, he admitted doing the break-ins but said that he was merely testing the security of the Yale system. Princeton put him on administrative leave. The case emphasizes that information used to control access must not be generally available …

Threat Events (cont.)
4) Deliberate Act of Info. Extortion / Blackmail
  - hacker or trusted insider steals information from a computer and demands compensation for its return
  - example: theft of data files containing customer credit card information
5) Deliberate Act of Sabotage or Vandalism
  - acts aimed to destroy an information asset and, ultimately, damage the image of an organization
  - examples: hackers accessing a system and damaging/destroying critical data; hackers mounting a false Web-page so as to erode consumer confidence and the organization’s reputation

Threat Events (cont.)
Example: Maxus story – information extortion
In 2000, a mysterious hacker identified as Maxus demanded $100,000 from the CDUniverse company in exchange for not releasing the names and credit card numbers of over 350,000 customers he had obtained from the company website. After CDUniverse failed to pay him, Maxus decided to set up a site, titled Maxus Credit Cards Datapipe, and to give away the stolen customer data. He announced the site’s presence Dec. 25th on an Internet Relay Chat group devoted to stolen credit cards. Soon after launching his site, Maxus said it became so popular among credit card thieves that he had to implement a cap to limit visitors to one stolen card at a time. Apprehending Maxus will not be easy, said Richard M. Smith, an online security expert in Brookline, Mass., who helped federal agents track down the author of the Melissa virus, David L. Smith. Maxus appears to move about online using stolen accounts and relays his email through other sites to conceal the originating Internet protocol address …
www.nytimes.com/2000/01/10/business/thief-reveals-credit-card-data-when-web-extortion-plot-fails.html
www.cyberagecard.com/news/?page=2

Threat Events (cont.)
Example: Two Kazakhstan Employees story – information extortion
In 2002, two employees in a company in Kazakhstan allegedly got access to the Bloomberg L.P. financial information database because their company was an affiliate of Bloomberg. They allegedly demanded $200,000 from Bloomberg to reveal how they got access to the database. Bloomberg opened an offshore account with a $200,000 balance, and invited the pair to London to personally meet with Michael Bloomberg. At the meeting there were police officials who arrested the two alleged extortionists.
NOTE: finding a vulnerability and requiring payment to learn about it may be considered extortion.
http://www.cybercrime.gov/zezevIndict.htm

Threat Events (cont.)
Example: Patrick McKenna story – information vandalism
In 2000, McKenna was fired by Bricsnet (software company). As revenge, he remotely accessed his former employer’s computer server, and: 1) deleted approximately 675 computer files, 2) modified computer user access levels, 3) altered billing records, 4) sent emails, which appeared to have originated from an authorized representative of the victim company, to over 100 clients. The emails contained false statements about business activities of the company. He was sentenced to 6 months in prison, followed by 2 years of supervised release. He was also ordered to pay $13,614.11 for the damages caused …
http://www.cybercrime.gov/McKennaSent.htm

Threat Events (cont.)
6) Deliberate Software Attacks
  - use of specialized software (malware) to damage, destroy, or deny service to the target system
  - types of malware: VIRUS, WORM, TROJAN HORSE, LOGIC BOMB, ROOTKIT
  - ‘advanced’ example – denial of service (DoS) attacks

Threat Events (cont.)
VIRUS – malware that needs a ‘carrier’ to survive
  - in fact, 2 carriers are needed: document/program and user
  - a virus secretly attaches itself to a document, and then executes its malicious payload when that document is opened and the respective program launched
  - most viruses rely on actions of users to spread, e.g.: send/activate an infected file by email; download/activate an infected file from the Internet; download/activate an infected file from a USB drive
  - viruses can cause the following damage: cause a computer to crash repeatedly; erase files from a hard drive; reformat a hard drive; reduce security settings and allow intruders to remotely access the computer

Threat Events (cont.)
VIRUS (cont.)
  - types of viruses:
    - file infector virus – infects program executable files (.exe, .com) by overwriting/inserting parts of code; gets activated when the program is launched
    - companion virus – instead of modifying, adds a new program to the OS that is a malicious version of a legitimate program (notepad.com vs. notepad.exe)
    - macro virus – program/code-segment written in the internal macro language of an application and attached to a data file (e.g. Word or Excel) – when the file gets opened in the target application, the virus runs …
  - .com – stands for ‘command file’ – executable, raw binary file, with small footprint of up to 64 kbyte (old DOS format)
  - .exe – stands for ‘executable’ – more complex and more powerful executable format than .com
  - In MS-DOS, if a directory contains both a .com & .exe file, .com is executed first!

Threat Events (cont.)
WORM – malware that uses computer networks & security holes in applications or OSs to replicate itself
  - once it exploits a vulnerability on one system, the worm deposits its payload and searches for another computer
  - differences between viruses and worms:
    - viruses need a carrier document/program, are typically delivered by email, and require user action
    - worms do NOT need a carrier document/program (they can ‘move’ on their own), are typically spread through the Internet/Web, and do NOT rely on user action
  - examples:
    - Code Red (2001) – each copy of the worm scanned the Internet for Windows NT / 2000 servers that did not have the Microsoft Security patch installed; once infecting a system, the worm would start scanning random IP addresses at port 80 looking for other servers to infect …
    - Slammer (2003) – exploited a hole in Microsoft’s SQL server

Threat Events (cont.)
[figure: http://www.witiger.com/ecommerce/viruses.htm]

Threat Events (cont.)
TROJAN HORSE – malware that looks legitimate and is advertised as performing one activity but actually does something else; it does NOT self-replicate
  - can achieve various attacks on the host: irritate the user with pop-ups or changing desktops; can create back doors to give malicious users access to the system – needed for DDoS!!!
  - example: AOL4Free – advertised free access to AOL Internet Service, would delete the hard drive
http://www.smartcomputing.com/editorial/article.asp?article=articles/archive/l0902/03l02/03l02.asp

Threat Events (cont.)
LOGIC BOMB – malware that lies dormant until triggered by a specific logical event
  - once triggered it can perform any number of malicious activities
  - trigger events: a certain date reached on the system calendar; a person’s rank in a company dropped below a previous level

Threat Events (cont.)
Example: Roger Duronio story – logic bomb
In 2002, a disgruntled system administrator for UBS was accused of planting a logic bomb shortly before quitting his job. The bomb had been designed to wipe out 2,000 files on the main servers for UBS, and cripple the company. His plan was to drive down the company’s stock, and eventually profit from that. During the downtime caused by the logic bomb, brokers could not access the UBS network or make trades. According to one employee: "Every branch was having problems. Every single broker was complaining. They couldn't log onto their desktops and [get to] their applications because the servers were down. The brokers might have been able to make some calls to friend brokers, but my understanding was that trading was not doable," she said. In 2006, Duronio was convicted and sentenced to 8 years and 1 month in prison as well as $3.1 million restitution to UBS.
http://www.securitypronews.com/insiderreports/insider/spn-49-20060608DuronioLogicBombTrialBegins.html

Threat Events (cont.)
ROOTKIT – software tools used to break into a computer, obtain special privileges to perform unauthorized functions & then hide all traces
  - unlike a virus, a rootkit’s goal is not to damage the computer directly, but to hide the presence and control the function of other (malicious) software
  - unlike a virus, a rootkit typically does not spread, and limits itself to one system
Example: Sony story – rootkit
In 2005, Sony included a rootkit program, Extended Copy Protection (XCP), on many of its music CDs in an attempt to prevent illegal copying. The software was automatically installed on Windows desktop computers when customers tried to play the CD. The software would allow only a limited degree of actions over the songs. However, the software would hide all related file names from the user, while creating a vulnerability …

Threat Events (cont.)
7) Deviations in Quality of Service
  - in organizations that rely heavily on the Internet and Web, irregularities in available bandwidth can dramatically affect their operation – e.g. employees and/or customers cannot contact the host system in some reasonable interval of time
  - the organization must ensure that the ‘minimum service level’, as defined by the Service Level Agreement (SLA) with the ISP, will still satisfy its needs
  - if the ISP fails to meet the SLA, the ISP may accrue fines to cover losses incurred by the client
  - alternative solution: backup ISP

Threat Events (cont.)
8) Hardware and Software Failures and Errors
  - cannot be controlled or prevented by the organization
  - best defense: keep up-to-date about the latest hardware / software vulnerabilities
9) Forces of Nature
  - fire, flood, earthquake, tsunami, hurricane, electrostatic discharge, dust contamination
  - the organization must implement controls to limit damage as well as develop incident response plans and business continuity plans

Attacks
• Security attack – a deliberate action aimed to violate / compromise a system’s security
  - (just) a subgroup of threat events!
• types of attacks: Use of Spyware and Adware; Password Cracking (Brute Force and Dictionary); Denial and Distributed Denial of Service (DoS and DDoS); Spoofing; Man-in-the-Middle; Sniffing; Social Engineering; Phishing; Pharming

Attacks (cont.)

Attacks (cont.)
1) Use of Malicious Code
  - includes execution of viruses, worms, Trojan horses, bots, keyloggers, as well as the use of spyware and adware
  - spyware – software that aids in gathering information about a person or organization without their knowledge; frequently downloaded with freeware programs; e.g. SpyAnytime, 007SpySoftware – secretly monitor and record user activity (web-sites visited, applications used)
  - adware – software intended for marketing purposes – automatically delivers and displays advertising banners or popups on the user’s screen; Eudora email client – example of adware within a legitimate program: once the trial version expires, a pop-up keeps prompting the user to obtain the full/paid version

Attacks (cont.)
2) Password Cracking
  - attempt to reverse-calculate a password
  - requires that a copy of the Security Account Manager (SAM) – a registry data file – be obtained
  - the SAM file (c:\windows\system32\config\SAM) contains the hashed representation of the user’s password – LM or NTLM hash algorithms are used
  - cracking procedure: hash any random password using the same algorithm, and then compare to the SAM file’s entries
  - the SAM file is locked when Windows is running: cannot be opened, copied or removed (unless pwdump is run by the administrator)
  - an off-line copy of the SAM’s content can be obtained (e.g. by booting the machine on an alternate OS such as NTFSDOS or Linux)

Attacks (cont.)
types of password cracking attacks
  - brute force – every possible combination/password is tried
  - guessing – the attacker uses his/her knowledge of the user’s personal information and tries to guess the password
  - dictionary – a list of commonly used passwords (the dictionary) is used

Attacks (cont.)
3) Denial of Service (DoS)
  - the attacker sends a large number of connection or information requests to a target
  - the target gets overloaded and cannot respond to legitimate requests
  - in case of distributed DoS – DDoS, a coordinated stream of requests is launched from many locations (zombies) at the same time
  - zombie: a compromised machine that can be commanded remotely by the master machine
  - defence against DDoS requires coordinated actions by ISPs, organizations, software providers, etc. – e.g. patch computers, use the latest antivirus tools, block (broadcast) requests, prevent spoofing, etc.
http://www.sans.org/dosstep/roadmap.php
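The DoS/DDoS distinction above (one sender overloading a target vs. a coordinated stream from many zombies) is something a defender sees first in connection logs. The following added example (not from the lecture) slides a time window over a constructed connection log, flags any period in which the request count exceeds a threshold, and labels the episode DoS or DDoS by the number of distinct source addresses involved; the log format, thresholds and addresses are all assumptions made for the example.

```python
from collections import deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=5)   # sliding window over which requests are counted
THRESHOLD = 20                  # requests inside the window that count as a flood
DISTRIBUTED_MIN_SOURCES = 10    # this many distinct sources in a flood -> call it DDoS


def make_sample_log(zombies=20):
    """Constructed connection log (not real traffic): 10 s of normal requests
    from six clients, then 60 requests in 3 s spread over `zombies` addresses."""
    t0 = datetime(2010, 9, 14, 10, 0, 0)
    lines = []
    for i in range(10):
        t = (t0 + timedelta(seconds=i)).isoformat()
        lines.append(f"{t} 198.51.100.{i % 3 + 1} GET /index.html")
        lines.append(f"{t} 198.51.100.{i % 3 + 4} GET /cart")
    burst = t0 + timedelta(seconds=10)
    for i in range(60):
        t = (burst + timedelta(seconds=i // 20)).isoformat()
        lines.append(f"{t} 203.0.113.{i % zombies + 1} SYN")
    return lines


def parse_line(line):
    """Log format assumed here: '<ISO timestamp> <source IP> <request>'."""
    ts, src, _request = line.split(" ", 2)
    return datetime.fromisoformat(ts), src


def _close(ep):
    """Finalize an episode: decide DoS vs. DDoS from the number of addresses seen."""
    n = len(ep["sources"])
    ep["kind"] = "DDoS" if n >= DISTRIBUTED_MIN_SOURCES else "DoS"
    ep["sources"] = n
    return ep


def detect_floods(lines):
    """Slide WINDOW over the log; every run of time during which the window
    holds >= THRESHOLD requests is one flood episode. Each episode reports
    its peak request count and how many distinct addresses the window held."""
    window = deque()
    episodes, current = [], None
    for line in lines:
        ts, src = parse_line(line)
        window.append((ts, src))
        while ts - window[0][0] > WINDOW:      # drop requests older than WINDOW
            window.popleft()
        if len(window) >= THRESHOLD:
            if current is None:
                current = {"start": ts, "end": ts, "peak": 0, "sources": set()}
            current["end"] = ts
            current["peak"] = max(current["peak"], len(window))
            current["sources"].update(s for _, s in window)
        elif current is not None:
            episodes.append(_close(current))
            current = None
    if current is not None:
        episodes.append(_close(current))
    return episodes


if __name__ == "__main__":
    for ep in detect_floods(make_sample_log()):
        print(f"{ep['kind']}: {ep['start']} - {ep['end']}, peak {ep['peak']} "
              f"requests / {WINDOW.seconds} s from {ep['sources']} addresses")
```

Running it with zombies=1 produces the same burst from a single address, which the detector reports as a plain DoS rather than DDoS.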

Attacks (cont.)
[figure: DDoS – master, zombies, target]

Attacks (cont.)
Example: Mafiaboy story – DDoS
In 2000, a number of major firms were subjected to a devastatingly effective distributed denial-of-service (DDoS) attack that blocked each of their e-commerce systems for hours at a time. Victims of this series of attacks included: CNN.com, Yahoo.com, eBay.com, Amazon.com, ZDNet, Dell, and other firms. The Yankee Group estimated that these attacks cost $1.2 billion in 48 hours: $100 million from lost revenue, $100 million from the need to create tighter security, $1 billion in combined market capitalization loss. At first, the attack was thought to be the work of an elite hacker, but it turned out to be orchestrated by a 15-year-old hacker in Canada. He was sentenced to eight months detention plus one year probation and a $250 fine.
http://journal.fibreculture.org/issue9/issue9_genosko.html

Attacks (cont.)
4) Spoofing
  - insertion of forged (but trusted) IP addresses into IP packets in order to gain access to networks/computers
  - new routers and firewalls can offer protection against IP spoofing
    - ingress filtering – upstream ISP discards any packet coming into a network from outside, if the source address is not valid, i.e. the IP does not belong to any of the networks connected to the ISP
    - egress filtering – the organization’s firewall discards any outgoing packet with a source addr. that does not belong to that organization
http://www.usenix.org/event/lisa05/tech/full_papers/kim/kim_html/fig1.gif
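The ingress/egress rule above is small enough to write down as a filter. The following added example (not from the lecture) applies the BCP 38-style reading of the slide at an organization’s border: on egress, a packet may leave only with a source address the organization owns; on ingress, a packet arriving from outside is dropped if its source claims to be one of the organization’s own addresses, since such a packet cannot legitimately come from the ISP side. The prefixes and sample packets are constructed for the example.

```python
import ipaddress

# Constructed topology for this example: prefixes the organization owns
# (behind its border firewall). A real deployment takes these from the routing config.
OWN_PREFIXES = [ipaddress.ip_network("192.0.2.0/24"),
                ipaddress.ip_network("2001:db8:1::/48")]
# Source addresses that are never legitimate on the wire, whatever the direction
BOGON_SOURCES = [ipaddress.ip_network("0.0.0.0/8"),
                 ipaddress.ip_network("127.0.0.0/8"),
                 ipaddress.ip_network("::1/128")]


def _in(addr, prefixes):
    # membership test is False across address families, so v4/v6 lists can be mixed
    return any(addr in net for net in prefixes)


def filter_packet(direction, src):
    """Verdict for one packet at the border. direction is 'in' (arriving from
    the ISP) or 'out' (leaving towards the ISP); src is the IP source address."""
    try:
        ip = ipaddress.ip_address(src)
    except ValueError:
        return "DROP", "unparseable source address"
    if _in(ip, BOGON_SOURCES):
        return "DROP", "bogon source"
    if direction == "in":
        # ingress: a packet from outside cannot legitimately carry one of our own addresses
        if _in(ip, OWN_PREFIXES):
            return "DROP", "ingress: external packet spoofs an internal source"
        return "ACCEPT", "ingress: plausible external source"
    if direction == "out":
        # egress: only our own addresses may leave as source (BCP 38 / RFC 2827)
        if not _in(ip, OWN_PREFIXES):
            return "DROP", "egress: outgoing packet with a source we do not own"
        return "ACCEPT", "egress: own source"
    raise ValueError(f"unknown direction {direction!r}")


# Constructed packets: (direction, source address) as seen at the border
SAMPLE_PACKETS = [
    ("in", "203.0.113.7"),        # normal inbound traffic
    ("in", "192.0.2.25"),         # inbound packet claiming to be one of ours -> spoofed
    ("out", "192.0.2.25"),        # normal outbound
    ("out", "198.51.100.99"),     # an inside host forging a foreign source -> dropped
    ("out", "2001:db8:1::10"),    # IPv6 is handled the same way
    ("in", "127.0.0.1"),          # loopback on the wire is never valid
]


def run_filter(packets=SAMPLE_PACKETS):
    """Apply the filter to a list of packets; returns (direction, src, verdict, reason)."""
    return [(d, s, *filter_packet(d, s)) for d, s in packets]


if __name__ == "__main__":
    for direction, src, verdict, why in run_filter():
        print(f"{direction:3} {src:18} {verdict:6} {why}")
```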

Attacks (cont.)

Attacks (cont.)
5) Man-in-the-Middle (aka TCP Hijacking)
  - the attacker monitors/sniffs packets from the network, modifies them, and inserts them back into the network
  - IP spoofing is involved to enable the attacker to impersonate another entity

Attacks (cont.)
6) Sniffing
  - use of a program or device that can monitor data traveling over a network
  - unauthorized sniffers can be very dangerous – they cannot be detected, yet they can sniff/extract critical information from the packets traveling over the network
  - wireless sniffing is particularly simple, due to the ‘open’ nature of the wireless medium

Attacks (cont.)
7) Social Engineering
  - process of using social skills to manipulate people into revealing vulnerable information
  - example: perpetrator posing as a higher-up in the organization hierarchy than the victim to obtain some critical data
7.1) Phishing
  - attempt to gain sensitive personal information (e.g. username, password, credit card number) by posing as a legitimate entity
  - phishing is typically carried out by an email, and it directs users to enter sensitive information at a fake Web site whose look and feel is very much like the legitimate one
  - example: AOL phishing of the late 1990s – individuals posing as AOL technicians attempted to get logon info from AOL subscribers

Attacks (cont.)

Attacks (cont.)
8) Pharming
  - redirection of a legitimate Web site’s traffic to another, illegitimate Web site
  - ultimate goal: obtain users’ personal information or damage the reputation of the victim company
  - performed either by changing the victim’s hosts file or through DNS poisoning
http://www.technicalinfo.net/papers/images/pharming030.jpg
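Because the hosts file is consulted before DNS, a pharming entry there silently overrides the resolver for the victim machine. The following added example (not from the lecture) parses a constructed hosts file, lists every entry that pins a public hostname to a routable address, and compares the addresses watched names resolve to against an expected set, which also covers the DNS-poisoning case when the observed answers come from a resolver instead of the file; the hostnames, addresses and expected set are assumptions made for the example.

```python
import ipaddress

# Names that legitimately live in a hosts file and never indicate pharming
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
               "ip6-localhost", "ip6-loopback", "ip6-allnodes", "ip6-allrouters"}

# Constructed hosts file (not taken from any real machine)
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost ip6-localhost
0.0.0.0         ads.example.net            # ad blocklist entry, harmless
203.0.113.9     www.example-bank.com example-bank.com
this is not a valid line
"""

# Constructed 'known-good' answers for the sites an organization wants to watch
EXPECTED = {"www.example-bank.com": {"198.51.100.20", "198.51.100.21"}}


def parse_hosts(text):
    """Return (ip, hostname) pairs; comments, blank and malformed lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                      # first field is not an address: ignore line
        entries.extend((ip, name.lower()) for name in fields[1:])
    return entries


def suspicious_entries(text):
    """Entries that pin a public hostname to a routable address: the hosts-file
    form of pharming. Loopback and 0.0.0.0 (blocklist) entries are left alone."""
    return [(str(ip), name) for ip, name in parse_hosts(text)
            if name not in LOCAL_NAMES and not ip.is_loopback and not ip.is_unspecified]


def resolution_mismatches(observed, expected=EXPECTED):
    """observed is a list of (hostname, address) answers, from the hosts file or a
    resolver; any watched name answering outside its expected set is flagged."""
    return [(name, addr) for name, addr in observed
            if name in expected and addr not in expected[name]]


def check_hosts_file(text):
    """Full check: hosts-file overrides, plus those that contradict EXPECTED."""
    overrides = suspicious_entries(text)
    mismatches = resolution_mismatches([(name, ip) for ip, name in overrides])
    return overrides, mismatches


if __name__ == "__main__":
    overrides, mismatches = check_hosts_file(SAMPLE_HOSTS)
    for ip, name in overrides:
        print(f"hosts override: {name} -> {ip}")
    for name, ip in mismatches:
        print(f"WATCHED NAME REDIRECTED: {name} -> {ip} (expected {sorted(EXPECTED[name])})")
```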

Attacks (cont.)
Example: ISP Panix story – pharming
In 2005, the Domain Name for a large New York ISP, Panix, was hijacked to point the users to a site in Australia. Once the original address was moved to the new address, the genuine site was impossible to reach. It is believed that this attack was the result of ‘social engineering’ – the attacker duped the personnel into entering the false IP address into their DNS records.