1. Introduction + Threats
Arun Sood, ISA 562 Information Security Theory and Practice
This slide deck is modified with permission from Dan Fleck.

Outline
- Introduction: What is security?
- Why is security hard?
- Security as risk management
- Aspects of security

What does security mean?
The term "security" is used in a variety of contexts. What is the common thread?
- Personal security
- Corporate security
- Personnel security
- Energy security
- Homeland security
- Operational security
- Communications security
- Network security
- System security

What does security mean?
In the most general terms, security seems to mean something like protection of assets against threats.
- What assets?
- What kinds of threats?
- What does protection mean?
- Does the nature of protection vary depending on the threat?

Security on a Personal Level
Suppose you are visiting an online retailer and need to enter personal information. What protections do you want? From what threats?
Answers:
- Authentication (protection from phishing)
- Authorization
- Privacy of your data
- Integrity of your data
- Availability
- Non-repudiation
- What else?

Security on an Institutional Level
Consider the following scenarios:
1. A large corporation's computer systems are penetrated and data on thousands of customers is stolen.
2. A student hacks into the university registrar's system and changes his grade in several classes he has taken.
3. An online retailer's website is overwhelmed by malicious traffic, making it unavailable for legitimate customer purchases.
Does this suggest why it is hard to define security in the context of digital systems?

Why Are Attacks Becoming More Prevalent?
- Increased connectivity
- Many valuable assets online
- Low threshold to access
- Sophisticated attack tools and strategies available
- Others?

Some Sobering Facts
- There were over 1 million new unique malware samples discovered in each of the past two quarters. Unlike the worms and mass-mailers of the past, many of these were extremely targeted to particular industries, companies and even users. (www.insecureaboutsecurity.com, 10/19/2009)
- Once PCs are infected they tend to stay infected. The median length of infection is 300 days. (www.insecureaboutsecurity.com, 10/19/2009)
- A recent study of 32,000 websites found that nearly 97% of sites carry a severe vulnerability. (Web Application Security Consortium, Sept 2008)
- NSA found that inappropriate or incorrect software security configurations (most often caused by configuration errors at the local base level) were responsible for 80 percent of Air Force vulnerabilities. (CSIS report on Securing Cyberspace for the 44th Presidency, Dec. 2008, p. 55)

Why Should We Care?
"A dozen determined computer programmers can, if they find a vulnerability to exploit, threaten the United States' global logistics network, steal its operational plans, blind its intelligence capabilities or hinder its ability to deliver weapons on target." William J. Lynn, U.S. Deputy Secretary of Defense, Foreign Affairs (2010)
"A top FBI official warned today that many cyber-adversaries of the U.S. have the ability to access virtually any computer system, posing a risk that's so great it could challenge our country's very existence." Computerworld, March 24, 2010

Educate Yourself
Educating yourself about computer security can:
- enhance your own protection;
- contribute to security in your workplace;
- enhance the quality and safety of interpersonal and business transactions;
- improve overall security in cyberspace.

Is Cyber Security Particularly Hard?
Question: Why would security be any more difficult than most technological problems?
Answer 1: Most technology-related efforts are concerned with ensuring that something good happens. Security is all about ensuring that bad things never happen. In security, not only do you have to find bugs that make the system behave differently than expected, you have to identify any features of the system that are susceptible to misuse and abuse, even if your programs behave exactly as you expect them to.

What Bad Things?
Answer 2: If security is all about ensuring that bad things never happen, that means we have to know what those bad things are. The hardest thing about security is convincing yourself that you have thought of all possible attack scenarios before the attacker thinks of them.
"A good attack is one that the engineers never thought of." Bruce Schneier

Programming Satan's Computer
Answer 3: Unlike most technology problems, you have to defeat one or more actively malicious adversaries. Ross Anderson characterizes this as "Programming Satan's Computer": the environment in which your program is deployed works with malice and intelligence to defeat your every effort. The defender has to find and eliminate all exploitable vulnerabilities; the attacker only needs to find one!

Easiest Penetration
Answer 4: Information management systems are a complex, target-rich environment comprising hardware, software, storage media, peripheral devices, data, and people.
Principle of Easiest Penetration: an intruder will use any available means to subvert the security of a system.
"If one overlooks the basement windows while assessing the risks to one's house, it does not matter how many alarms are put on the doors and upstairs windows." Melissa Danforth

Security Isn't the Point
Answer 5: Security is often an afterthought. No one builds a digital system for the purpose of being secure; they build digital systems to do something useful. Security mechanisms may be viewed as a nuisance to be subverted, bypassed, or disabled.

Upshot: Perfect Security Ain't Happening
Perfect security is probably impossible in any useful system.
"The three golden rules to ensure computer security are: do not own a computer; do not power it on; and do not use it." Robert H. Morris, former Chief Scientist of the National Computer Security Center (early 1980s)
"Unfortunately the only way to really protect [your computer] right now is to turn it off, disconnect it from the Internet, encase it in cement and bury it 100 feet below the ground." Prof. Fred Chang, former director of research at NSA (2009)

If Security Gets in the Way
Security is meant to prevent bad things from happening; one side effect is often to prevent useful things from happening. Typically, a tradeoff is necessary between security and other important project goals: functionality, usability, efficiency, time-to-market, and simplicity.
Some Lessons
"He who defends everything defends nothing." old military adage
- Security is difficult for several reasons.
- Since you can never achieve perfect security, there is always a tradeoff between security and other system goals.

Security as Risk Management
If perfect security is not possible, what can be done? Viega and McGraw (Building Secure Software) assert that software and system security really is all about managing risk.
Risk is the possibility that a particular threat will adversely impact an information system by exploiting a particular vulnerability. The assessment of risk must take into account the consequences of an exploit.

Risk Management Framework
Risk management is a process for an organization to identify and address the risks in its environment. One particular risk management procedure (from Viega and McGraw) consists of six steps:
1. Assess assets
2. Assess threats
3. Assess vulnerabilities
4. Assess risks
5. Prioritize countermeasure options
6. Make risk management decisions

Coping with Risk
Once the risk has been identified and assessed, managing the risk may involve:
- Risk acceptance: risks are tolerated by the organization, e.g. sometimes the cost of insurance is greater than the potential loss.
- Risk avoidance: not performing an activity that would incur risk, e.g. disallow remote login.
- Risk mitigation: taking actions to reduce the losses due to a risk; most technical countermeasures fall into this category.
- Risk transfer: shift the risk to someone else, e.g. most insurance contracts, home security systems.
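Added example (Python, not from the slide deck): it implements the annualized loss expectancy calculation that the ALE slides which follow walk through, using the two rows of the deck's bank table that are legible, ranks them the way step 5 of the framework above (prioritize countermeasure options) needs, and then puts numbers on the coin-flip comparison of the "Is ALE the right model?" slide by computing the spread of each payoff distribution next to its expected value. The function names, the ranking helper and the label given to the first table row are this example's own assumptions.

```python
"""Annualized loss expectancy (ALE) and why expected value alone can mislead.

Added example; not from the slide deck. The loss rows are the deck's bank
example; the two coin-flip scenarios are the deck's "Is ALE the right
model?" comparison. Function names and the ranking are this example's own.
"""
from math import sqrt

# (loss type, single-loss amount in dollars, expected incidents per year)
# Values are the ALE slide's; the first row's label is not legible on the
# slide, so the name below is an assumption.
BANK_LOSSES = [
    ("unlabeled loss", 20_000, 0.50),
    ("teller theft", 3_240, 200),
]


def ale(amount, incidence_per_year):
    """ALE = single loss expectancy x annualized rate of occurrence."""
    return amount * incidence_per_year


def rank_by_ale(table):
    """Return (loss type, ALE) pairs, largest annual exposure first.

    This ordering is what a risk manager uses to prioritize countermeasures:
    a dollar spent against the largest ALE buys the most expected reduction.
    """
    rows = [(name, ale(amount, inc)) for name, amount, inc in table]
    return sorted(rows, key=lambda row: row[1], reverse=True)


def expected_value(outcomes):
    """outcomes: list of (probability, payoff in dollars)."""
    return sum(p * x for p, x in outcomes)


def std_dev(outcomes):
    """Spread of the payoff distribution, which ALE ignores entirely."""
    mu = expected_value(outcomes)
    return sqrt(sum(p * (x - mu) ** 2 for p, x in outcomes))


# The deck's two scenarios: both have expected value $1.
SURE_DOLLAR = [(1.0, 1)]
COIN_FLIP = [(0.5, 1000), (0.5, -998)]


def compare_scenarios():
    """Return (EV sure, EV coin flip, spread sure, spread coin flip)."""
    return (expected_value(SURE_DOLLAR), expected_value(COIN_FLIP),
            std_dev(SURE_DOLLAR), std_dev(COIN_FLIP))


if __name__ == "__main__":
    for name, value in rank_by_ale(BANK_LOSSES):
        print(f"{name:>16}: ALE ${value:,.0f}")
    ev_sure, ev_flip, sd_sure, sd_flip = compare_scenarios()
    print(f"sure dollar: EV ${ev_sure:.2f}, spread ${sd_sure:.2f}")
    print(f"coin flip:   EV ${ev_flip:.2f}, spread ${sd_flip:.2f}")
```

Teller theft dominates the ranking ($648,000 a year against $10,000) even though each incident is small, which is the point of annualizing. The second half shows what ALE hides: the coin flip has the same $1 expected value as the sure dollar but a spread of $999, and an organization that cannot absorb a $998 loss should not treat the two as equivalent, however the expected-value table reads.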
GMU does it: https://itsecurity.gmu.edu/DRAC/aboutDRAC.cfm

Annualized Loss Expectancy
One common tool for risk assessment is annualized loss expectancy (ALE), which is a table of possible losses, their likelihood, and potential cost for an average year (ALE = loss amount x expected incidence per year).
Example: consider a bank with the following ALE table. Where should the bank ...

Loss type               | Amount  | Incidence (per year) | ALE
(loss type not legible) | $20,000 | 0.50                 | $10,000
Teller theft            | $3,240  | 200                  | $648,000
* large-scale transfer of funds

Is ALE the Right Model?
Annualized loss expectancy effectively computes the expected value of any security expenditure. Consider the following two scenarios:
1. I give you a dollar.
2. We flip a coin. Heads: I give you $1000. Tails: you give me $998.
Note that the expected values are the same in both cases ($1), but the risks seem quite different.

Lessons
- Because perfect security is impossible, realistic security is really about managing risk.
- Systematic techniques are available for assessing risk.
- Assessing risk is important, but difficult
and depends on a number of factors (technical, economic, psychological, etc.).

Threats: Cyber's Vectors
Col (Retired) Bob Banks, GMU doctoral student

Anatomy of a Hack
(flow diagram; labels recovered from the figure)
1. Footprint analysis: analyze publicly available information; set the scope of the attack and identify key targets.
   - Manual approach: whois, nslookup, search engines, enumeration.
   - Automated approach: whois, nslookup, search engines, enumeration.
2. Scanning: check for vulnerabilities on each target (machines, ports, applications), usually with automated scanning tools.
3. Identify target.
4. Exploitation: attack targets using a library of tools and techniques, e.g. buffer overflow, spoofing, password attacks, DoS.
5. Deliver payload: install malicious code (custom Trojan, rootkit); attack targets using the installed software; hack other machines; take over the domain controller.
6. Damage: owning, IP theft, blackmail, graffiti, espionage, destruction.
Source: Richard Stiennon, May 2006, http://blogs.zdnet.com/threatchaos/?p=330
03/01/2020

Insider Attacks
Anderson:
- Masqueraders
- Clandestine: evade audit controls
- Legitimate
Combs:
- Internal users with accounts
- Internal users in the physical space but no accounts

Anatomy of an Insider Attack
1. Reconnaissance: understand the business process; determine who has credentials.
2. Plant a keystroke logger or sniffer.
3. Execution: install a hardware or software keystroke logger; steal credentials.
4. Escape: move funds, ship products, steal data, plant a time bomb, fly to the Cayman Islands.
Sources: http://threatchaos.com/2009/03/new-new-anatomy-of-a-hack/ and http://www.threatchaos.com/images/AnatomyOfInsiderAttack.jpg
CS469 Security Engineering

Classes of Threats
- Disclosure: unauthorized access to information.
  Examples: snooping, wiretapping.
- Deception: acceptance of false data.
  Examples: modification, spoofing, repudiation of origin, denial of receipt.
- Disruption: interruption or prevention of correct operation.
  Example: modification.
- Usurpation: unauthorized control of some part of the system.
  Examples: modification, spoofing, delay, denial of service.

Cyber Risk = Threats x Vulnerabilities x Consequences
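The scanning stage of the Anatomy of a Hack diagram above (machines, ports, applications) in working code, as an added example that is not part of the deck or of any tool it names: a TCP connect scan with banner grabbing, the crudest form of application identification. The block starts its own throwaway listener on 127.0.0.1 (the banner text and the port are constructed) so it runs offline; against any host you do not own this is exactly the reconnaissance an attacker performs, so run it only with authorization. The function names and the banner fingerprint patterns are this example's own assumptions.

```python
"""TCP connect scan with banner grabbing: "scanning: machines, ports,
applications" from the Anatomy of a Hack diagram.

Added example; not from the slide deck. It spins up its own fake service on
localhost so the scan has something to find without touching a network.
"""
import socket
import threading
from contextlib import closing

# Constructed banner for the fake service (assumption: a service that greets
# on connect, the way SMTP, FTP and SSH do).
FAKE_BANNER = b"220 mail.example.test ESMTP ready\r\n"


def start_fake_service(banner=FAKE_BANNER):
    """Listen on an ephemeral localhost port and answer every connection with
    the banner. Returns (port, server socket); close it via stop_fake_service."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:              # listener shut down: stop serving
                return
            with conn:
                try:
                    conn.sendall(banner)
                except OSError:
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1], srv


def stop_fake_service(srv):
    try:
        srv.shutdown(socket.SHUT_RDWR)   # wakes the blocked accept()
    except OSError:
        pass
    srv.close()


def reserved_closed_port():
    """Bind and immediately release an ephemeral port: nothing listens there,
    so a connect attempt is refused. Used as the 'closed' control case."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def scan_port(host, port, timeout=2.0):
    """Full TCP handshake, then read whatever the service volunteers.
    Returns ('open', banner) or ('closed', b'')."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except OSError:                  # refused, unreachable or timed out
            return "closed", b""
        try:
            banner = s.recv(256)         # SMTP/FTP/SSH speak first
        except OSError:
            banner = b""
        return "open", banner.strip()


def guess_application(banner):
    """Crude application fingerprint from the banner (assumed patterns)."""
    text = banner.decode("ascii", "replace").upper()
    if text.startswith("SSH-"):
        return "ssh"
    if text.startswith("220") and "SMTP" in text:
        return "smtp"
    if text.startswith("220"):
        return "ftp-or-smtp"
    return "unknown"


def scan_ports(host, ports, timeout=2.0):
    """Return {port: (banner, application guess)} for the open ports only,
    which is what both the attacker and an asset inventory care about."""
    found = {}
    for port in ports:
        state, banner = scan_port(host, port, timeout)
        if state == "open":
            found[port] = (banner, guess_application(banner))
    return found


def demo():
    """Scan the fake service plus a known-closed port; return the findings."""
    open_port, srv = start_fake_service()
    try:
        return scan_ports("127.0.0.1", [open_port, reserved_closed_port()])
    finally:
        stop_fake_service(srv)


if __name__ == "__main__":
    for port, (banner, app) in demo().items():
        print(f"127.0.0.1:{port} open {app} {banner!r}")
```

On a real network this loop is what nmap's -sT and -sV options automate at scale. The defender's use of the same code is an asset inventory: scan your own address ranges on a schedule and diff the result against what is supposed to be listening, since an unexpected open port with a chatty banner is the attacker's step 3 ("identify target") handed to them.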
Attack Examples: DoS, Social Engineering, Host Vulnerability and Exploits, Common Attacks on Hosts

Why Care About Hosts?
Most attacks and intrusions have targeted hosts:
- Break-in, penetration
- Root privilege compromise
- Steal, delete, modify and fabricate information in the server
Why? Hosts are more interesting:
- A host has (almost) all the sensitive and useful information: medical records, payroll information, classified information.
- Hosts have all the executables, so potentially more vulnerabilities; with many executables it is easier for intruders to find something to exploit.
Common Attacks on Hosts
Gain unauthorized access to a host:
- User level: could impersonate that user; change, delete or forge information.
- Root level: could do everything to the host; the worst possible scenario.
Denial of service provided by the host:
- Denial of use of a host completely, e.g. disable the mail server.
- Denial of use of an application, e.g. disable online stock trading.
- Denial of use of data, e.g. make the financial records inaccessible to users.
What else?

DoS: Web Server Attacks
Many DoS attacks are against web servers.
- The attacker sends an enormous number of bogus requests to the web server, e.g. a SYN flood, which fills the server's table of half-open connections with handshakes that are never completed.
- The attacker sends a request consisting of thousands of "/"s; some servers go belly up at this.
How to detect? How to handle this kind of DoS? Shut down the web server?

DoS: Mailbomb
Exploits the open-door nature of the email system: a mail server is supposed to receive email.
- The attacker sends thousands of huge junk emails.
- Fills up disks, overflows quotas, denies access to email, causes legitimate email to be lost.
- Usually done with automated tools.
A mailbomb is different from spam: there is no particular desire to have the email read, responded to, or even necessarily received. The goal is to jam the email server and make it unusable.
How to detect this? How to handle this?

DoS: Resource Hogging
Resource hogs are programs that use up the resources of the machine: fill up disks, use all the memory, use all the CPU cycles. Could be some executable that was downloaded.
Core War was a game that let opponents write programs that would use up all the resources until the opponent's code was unable to run.
Detection is not difficult, except for memory leaks. How to handle this?

Social Engineering/Phishing
Tricking people into giving access. Examples:
- "Hello, this is Smith, the Vice President of Marketing. I need to update my photo in the corporate directory, and I've forgotten my password."
- "Hello, I'm from customer support at Citibank, and we are upgrading the security mechanism of our customer account management. Please log in to the web site www.phishing.org to verify the status of your account."
How to detect this automatically?

Council of Europe: Convention on Cyber Crime
"Convinced that the present Convention is necessary to deter action directed against the confidentiality, integrity and availability of computer systems, networks and computer data as well as the misuse of such systems, networks and data by providing for the criminalisation of such conduct, as described in this Convention, and the adoption of powers sufficient for effectively combating such criminal offences, by facilitating their detection, investigation and prosecution at both the domestic and international levels and by providing arrangements for fast and reliable international co-operation;"
Source: http://conventions.coe.int/Treaty/en/Treaties/html/185.htm
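The "How to detect?" questions on the web-server and mailbomb DoS slides above share an answer: count what each source sends within a sliding time window and alert once it passes a threshold. The block below is an added example, not from the deck; the log lines are constructed for it (Common Log Format for the web server, and an assumed "timestamp from=<addr> size=N" line for mail rather than any real MTA's format), and the thresholds are illustrative values, not recommendations.

```python
"""Threshold detection for the two DoS patterns on the slides: a web server
flooded with requests (including the "thousands of slashes" request) and a
mailbomb that jams the mail server with bulk junk.

Added example; not from the slide deck. Sample logs are constructed below.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Common Log Format: ip ident user [time] "METHOD path PROTO" status size
CLF = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                 r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)$')
# Assumed mail log line, not any real MTA's: "<iso time> from=<addr> size=<bytes>"
MAIL = re.compile(r'^(?P<ts>\S+) from=<(?P<sender>[^>]*)> size=(?P<size>\d+)$')


class RateDetector:
    """Sliding-window accumulator: per key, how much weight (1 per request,
    or bytes for volume) arrived within the last `window` seconds."""

    def __init__(self, window, threshold):
        self.window = timedelta(seconds=window)
        self.threshold = threshold
        self.events = defaultdict(deque)     # key -> deque of (ts, weight)
        self.totals = defaultdict(int)

    def observe(self, key, ts, weight=1):
        """Record one event; return True once the key's windowed total exceeds
        the threshold. Events for a given key must arrive in time order."""
        q = self.events[key]
        q.append((ts, weight))
        self.totals[key] += weight
        while q and ts - q[0][0] > self.window:      # expire old events
            _, old = q.popleft()
            self.totals[key] -= old
        return self.totals[key] > self.threshold


def detect_web_flood(lines, window=10, max_requests=50, max_path_len=256):
    """Return (flooders, oversized): source IPs that exceeded max_requests in
    any window, and (ip, path length) for requests whose path is absurdly long,
    such as the thousands-of-slashes request."""
    rate = RateDetector(window, max_requests)
    flooders, oversized = set(), []
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue                                  # unparseable: skip, never crash
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        if len(m["path"]) > max_path_len:
            oversized.append((m["ip"], len(m["path"])))
        if rate.observe(m["ip"], ts):
            flooders.add(m["ip"])
    return sorted(flooders), oversized


def detect_mailbomb(lines, window=60, max_msgs=20, max_bytes=50_000_000):
    """Return senders that exceeded the message-count or byte-volume threshold
    within the window. Spam trips the count rule; a mailbomb of huge messages
    trips the volume rule even when the count is modest."""
    count = RateDetector(window, max_msgs)
    volume = RateDetector(window, max_bytes)
    flagged = set()
    for line in lines:
        m = MAIL.match(line)
        if not m:
            continue
        ts = datetime.fromisoformat(m["ts"])
        if count.observe(m["sender"], ts) or volume.observe(m["sender"], ts, int(m["size"])):
            flagged.add(m["sender"])
    return sorted(flagged)


# ---- constructed sample logs (not real traffic) ------------------------------
T0 = datetime(2020, 3, 1, 12, 0, 0, tzinfo=timezone.utc)


def make_web_log():
    fmt = "%d/%b/%Y:%H:%M:%S %z"
    lines = []
    for i in range(60):     # 203.0.113.7: 60 requests in 6 s (flood)
        ts = (T0 + timedelta(milliseconds=100 * i)).strftime(fmt)
        lines.append(f'203.0.113.7 - - [{ts}] "GET /index.html HTTP/1.1" 200 512')
    for i in range(5):      # 198.51.100.2: 5 requests over 10 s (normal)
        ts = (T0 + timedelta(seconds=2 * i)).strftime(fmt)
        lines.append(f'198.51.100.2 - - [{ts}] "GET /cart HTTP/1.1" 200 2048')
    ts = (T0 + timedelta(seconds=7)).strftime(fmt)   # the slashes request
    lines.append(f'203.0.113.9 - - [{ts}] "GET {"/" * 3000} HTTP/1.0" 400 -')
    return lines


def make_mail_log():
    lines = []
    for i in range(30):     # bomber: 30 messages of 2 MB in 30 s
        ts = (T0 + timedelta(seconds=i)).isoformat()
        lines.append(f"{ts} from=<bomber@example.test> size=2000000")
    for i in range(3):      # alice: 3 small messages over 40 s
        ts = (T0 + timedelta(seconds=20 * i)).isoformat()
        lines.append(f"{ts} from=<alice@example.test> size=1000")
    return lines


if __name__ == "__main__":
    print("web flood:", detect_web_flood(make_web_log()))
    print("mailbomb:", detect_mailbomb(make_mail_log()))
```

The web detector also flags the thousands-of-slashes request by path length, a check that costs nothing at parse time and belongs in a front-end proxy so the malformed request never reaches the server. The mailbomb detector keeps two accumulators because spam and mailbombs differ exactly as the slide says: spam trips the count, a mailbomb of huge messages trips the byte volume. It also answers the "shut down the web server?" question: a per-source threshold identifies the offender, so you can rate-limit or block that source rather than the service.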
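One answer to the "How to handle this?" question on the resource-hogging slide, as an added example that is not from the deck: run the untrusted program under POSIX resource limits so that the kernel, not an operator watching a graph, stops a disk, memory or CPU hog. It assumes a Linux host; the three hog programs are constructed one-liners executed as child Python interpreters, and the limit values are arbitrary choices for the demonstration.

```python
"""Containing a resource hog with kernel resource limits (RLIMIT_CPU,
RLIMIT_AS, RLIMIT_FSIZE): the hog is stopped before it starves the host.

Added example; not from the slide deck. Assumes Linux; the hog programs are
constructed one-liners run as child interpreters.
"""
import resource
import signal
import subprocess
import sys

CPU_HOG = "while True: pass"                              # burns CPU forever
MEM_HOG = "x = bytearray(2 * 1024 * 1024 * 1024)"          # grabs 2 GiB
DISK_HOG = ("import tempfile\n"                            # writes 4 MiB
            "f = tempfile.TemporaryFile()\n"
            "f.write(b'0' * (4 * 1024 * 1024))\n"
            "f.flush()")
POLITE = "print('done')"                                   # well-behaved control


def run_limited(code, cpu_seconds=1, address_space=512 * 1024 * 1024,
                file_size=1024 * 1024, wall_timeout=30):
    """Run `code` in a child interpreter with hard limits on CPU time, address
    space and file size. Returns the child's return code: 0 on success, 1 when
    a Python exception (MemoryError, EFBIG) ends it, or -signal when the kernel
    kills it (SIGXCPU for the CPU limit, SIGXFSZ for the file-size limit)."""
    def apply_limits():
        # Runs in the child between fork and exec; limits survive exec and
        # are inherited by anything the child spawns.
        resource.setrlimit(resource.RLIMIT_CPU, (cpu_seconds, cpu_seconds))
        resource.setrlimit(resource.RLIMIT_AS, (address_space, address_space))
        resource.setrlimit(resource.RLIMIT_FSIZE, (file_size, file_size))

    proc = subprocess.run([sys.executable, "-c", code], preexec_fn=apply_limits,
                          capture_output=True, timeout=wall_timeout)
    return proc.returncode


def classify(returncode):
    """Human-readable verdict for a return code from run_limited()."""
    if returncode == 0:
        return "ok"
    if returncode in (-signal.SIGXCPU, -signal.SIGKILL):
        return "killed: cpu limit"
    if returncode == -signal.SIGXFSZ:
        return "killed: file size limit"
    if returncode > 0:
        return "failed: limit hit inside the program"
    return f"killed by signal {-returncode}"


if __name__ == "__main__":
    for name, code in [("polite", POLITE), ("cpu hog", CPU_HOG),
                       ("memory hog", MEM_HOG), ("disk hog", DISK_HOG)]:
        print(f"{name:>10}: {classify(run_limited(code))}")
```

The return code tells you which limit fired, which is more actionable than noticing a busy host after the fact. The same knobs are what ulimit -t, -v and -f set in a shell, and what container runtimes enforce through cgroups. One caveat matches the slide's "except for memory leak": RLIMIT_AS caps address space, so a leak that keeps allocating eventually hits it, but a leak that grows slowly and stays under the cap is not caught by the limit and still needs detection.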
Computer Security: the CIA Triad
- Confidentiality: access control; who has the right to access.
- Integrity: correctness and consistency; an unauthorized change, deliberate or accidental, is a breach.
- Availability: constant and timely access; denial of service; service level agreements.

Hexad
CIA are the three traditional pillars. Donn Parker (2002) proposed three additional attributes:
- Possession or control: I leave my credit card at a restaurant by mistake. No breach of confidentiality, but still a concern for potential misuse.
- Authenticity: claim or assignment of authorship, e.g. a signature on paper, digital signatures.
- Utility

Cyber Crimes
- Burglary, data theft: download, laptop; personally identifiable information (PII) for customers, partners, employees; intellectual property, commercial information, bid pricing. Reliable attribution is hard.
- Vandalism: defacement; mischievous alteration of the data.
- Extortion: encryption of a dataset; attach value to the key.
- Espionage

Value on the Black Market
- Credit card details for $2 to $90: Pirated credit card details can include the cardholder's full name, mailing address, phone number, Social Security number, date of birth, the card type, card number, expiration date, security number, PIN and bank name. The more details, the more it costs. Armed with this information, thieves can make online purchases or clone fake cards for use at ATMs.
- Physical credit cards for $180, plus the cost of the details: These are counterfeit plastic credit cards that have been replicated down to the bank hologram. They are available in white plastic or color printing at additional cost. The stolen credit card details, such as the card number, PIN and security number, are not included in the price of the card. Minimum order: five cards.
- Card cloners for $200 to $1,000: These machines allow you to print or clone phony credit cards, complete with magnetic stripes and embossed numbers. Thieves obtain the information needed to clone cards through skimmers or fake ATMs that capture and copy the card data. Several cloner models are available. All can make multiple copies of the same card.
- Fake ATMs for $80 to $700: There are two basic types: devices called skimmers that fit over the card intake slot on a regular bank ATM, or a full replica of an ATM console. When people insert their credit or debit cards into the machine, it copies the card data and tells users there was an error and the transaction was aborted.
- Bank credentials for $3,500: User names and passwords for customer bank accounts, plus any other credentials, such as answers to security questions, that you may need to log in to the accounts. Thieves may obtain this information from malicious software that captures keystrokes. When bank customers access their online accounts, the programs copy the information and send it back to the cyberthieves.
- Money laundering for 10% to 40% of the amount laundered: Bank transfers and check cashing services are available to move stolen money from victims' accounts into untraceable accounts. This service can include using stolen bank credentials to hack accounts and transfer money to "money mules," who are paid to transfer the money to legitimate accounts using money transfer services.
Revenue loss in North America, 2010: $2.7 B
Source: http://money.msn.com/identity-theft/what-you-are-worth-on-black-market-credit-cards.aspx (posting date: 4/28/2011)
Data theft: $114 B per year; US bank robberies 2010: $43 M; global cocaine trade: $85 B
Source: http://www.bloomberg.com/news/2011-12-20/stolen-credit-cards-go-for-3-50-each-at-online-bazaar-that-mimics-amazon.html

Cost per Data Breach Incident
Large companies: loss of 1,000 to 100,000 records.
Average cost: $7.2 M in 2010; $6.8 M in 2009; $6.7 M in 2008.
Cost per activity in 2010:
- Loss of business: $4.5 M
- Ex-post response: $1.7 M
- Notification: $0.5 M
- Detection and escalation: $0.5 M
Source: Ponemon Institute Report for 2010, http://www.symantec.com/content/en/us/about/media/pdfs/symantec_ponemon_data_breach_costs_report.pdf?om_ext_cid=biz_socmed_twitter_facebook_marketwire_linkedin_2011Mar_worldwide_costofdatabreach

Cost per Record of Data Breach
Large companies, average cost per record: $214 in 2010; $204 in 2009; $202 in 2008.
Cost per activity per record:
- Lost business: $134
- Ex-post response: $51
- Notification: $15
- Detection and escalation: $13
Source: Ponemon Institute Report

Breach Costs by Activity
(chart; source: Ponemon Institute Report)
What Do You Conclude?
- Does this data impact the development strategy?
- Does this impact architectural decisions?
- Does this influence the design approach?
- With this data, would you have changed your choices?
- How does this data impact the security architecture?

Example: Architecture Choices Increase Security
Exfiltration volume = exfiltration rate x time
Exfiltration rate = f(available bandwidth, program choices, ...)
(diagram: database, bandwidth usage, alternatives)

Cyber Defense Stages
(diagram; labels recovered from the figure)
- Prevent: prevention, firewall
- Detect: detection, breach location, information sharing, breach reporting and notification, isolation
- Forensics
- Remediation
- Recovery, restoration

Why has cyber security become such a big problem today as compared to 20 years ago?

Why Now?
- Reduce cost
- Reduce redundancy: less spare capacity
- Standardize: less diversity leads to easier targets; ultimate example: the cloud
- Increased international cyber capability
- Knowledge dissemination

Annual Threat Reports
Verizon, HP, Symantec, McAfee, IBM, Mandiant, Sophos. Check out Assignment 1 for pointers.