03Lecture-NetworkSecurity1.pdf

Full Transcript

1901 Lecture Three: Network Security 1

Overview

In this course, we will be looking at information security …

Information security is about protecting the information on the devices that store, manipulate, and transmit the information through products, people, and procedures.
  o Products – Networking hardware and software
  o People – Those who protect the data as well as those who use the data
  o Procedures – Plans and policies established by an organization to ensure that people correctly use the products

Basic information security protections include:
  o Confidentiality – only approved individuals are able to access important information
  o Integrity – the information is correct and no unauthorized person or malicious software has altered the data
  o Availability – the data is accessible to authorized users

Basic information security implementations include:
  o Authentication – ensures that the individual is who they claim to be and not someone else
  o Authorization – providing permissions to specific resources
  o Accounting – tracking of events

Problems encountered with information security include:
  o Universally connected devices – Attacks (attempts at violating information security) can happen from anywhere in the world.
  o Increased speed of attacks – Attacks can be launched against millions of computers within minutes.
  o Greater sophistication of attacks – Attack tools vary their behaviour so the same attack appears differently each time.
  o Availability and simplicity of attack tools – Attacks are no longer limited to highly skilled attackers.
  o Faster detection of vulnerabilities – Attackers can discover security holes in hardware or software more quickly.
  o Delays in security updating – Software products (including the firmware inside of computer hardware) need to be constantly updated.
  o Distributed attacks – Attackers can use thousands of computers in an attack against a single computer or network.
  o Introduction of BYOD (bring your own device) – Organizations are having difficulty providing security for a wide array of personal devices.
  o User confusion – Users are asked to make security decisions (like being asked by a program to install an add-on) with little or no instruction.

Basic Information Security Terminology

- Asset – an item that has value. For a corporation, assets include:
  o Something (typically data) that provides value to the organization
  o Something that cannot be easily replaced (computers can be easily replaced but data on the computer can't)
- Threat – events or actions that represent a danger to information assets.
- Threat Agent – a person(s) or element (like a hurricane or earthquake) that has the power to carry out a threat.
- Vulnerability – a flaw or weakness that allows a threat agent to bypass security.
- Threat Vector – the means by which an attack can occur (like exploiting a vulnerability).
- Threat Likelihood – the probability that a security threat actually happens.
- Risk – a situation that involves exposure to some type of security threat.

Risk

There are different options available when dealing with risks:
  o Risk avoidance – involves identifying the risk and avoiding any activity that exposes information to that risk.
  o Risk acceptance – the risk is identified but no steps are taken to avoid it.
  o Risk mitigation – the risk is identified and steps are taken to minimize, but not negate, the risk.
  o Risk deterrence – involves informing potential threat actors of the consequences of their actions (like being sued or banned from a service).
  o Risk transference – transfer the risk to a third party – let someone else deal with the risk (like an outside security company).

Risk can be illustrated by the calculation:

Risk = Asset Importance x Vulnerability x Threat Likelihood

Threat Actors

- Hacker – a general term used to refer to a person who uses advanced computer skills to attack computers or networking hardware.
  o Black Hat Hackers – those who attack for personal gain or to inflict damage.
  o White Hat Hackers – 'ethical hackers' that look for vulnerabilities in a system and privately report these vulnerabilities to the organization (usually they have the organization's permission before looking for vulnerabilities).
  o Grey Hat Hackers – those who look for vulnerabilities without prior consent by the organization. If vulnerabilities were found, they would then publicly disclose the vulnerability in order to shame the organization into taking action.
- Cybercriminals (sometimes just called attackers) – a loose network of attackers, identity thieves, and financial fraudsters. Cybercriminals exploit vulnerabilities to steal information or launch attacks that can generate income.
- Script Kiddies – attackers who use prewritten software and scripts to attack since they usually lack the knowledge of computers and networks.
- Brokers – those who sell vulnerability information to anyone who is willing to pay for it.
- Insiders – employees, contractors, and business partners that are motivated by various reasons – financial, revenge, etc.
- Cyberterrorists – those who want to disrupt and cause panic to others, usually motivated by ideological reasons.
- Hacktivists – typically a loosely organized group that attacks as a form of protest or retaliation.
- State-Sponsored Attackers – government sponsored attacks against another government or person(s).
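Returning to the Risk = Asset Importance x Vulnerability x Threat Likelihood calculation from the Risk section above, the following is an added worked example and not part of the lecture notes: it applies the formula to a small constructed asset register, ranks the assets, and shows the residual risk after risk mitigation. The 1-5 importance scale, the 0-1 vulnerability and likelihood scales, the sample assets, and treating mitigation as a reduction of the vulnerability term are assumptions made here.

```python
# Added example: a small risk register using the lecture's formula
#   Risk = Asset Importance x Vulnerability x Threat Likelihood
# Scales and sample assets are constructed for illustration (assumptions):
#   importance 1..5, vulnerability 0..1, likelihood 0..1.
from dataclasses import dataclass


@dataclass
class Asset:
    name: str
    importance: int       # 1 = easily replaced .. 5 = critical, cannot be replaced
    vulnerability: float  # 0..1, how easily a threat agent can bypass security
    likelihood: float     # 0..1, probability the threat actually happens


def risk(a: Asset) -> float:
    """Risk = Asset Importance x Vulnerability x Threat Likelihood."""
    return round(a.importance * a.vulnerability * a.likelihood, 3)


def mitigate(a: Asset, control_strength: float) -> Asset:
    """Risk mitigation (assumed model): a control reduces the vulnerability
    term by control_strength (0..1) but never removes the risk entirely."""
    if not 0.0 <= control_strength < 1.0:
        raise ValueError("control_strength must be in [0, 1)")
    reduced = round(a.vulnerability * (1.0 - control_strength), 3)
    return Asset(a.name, a.importance, reduced, a.likelihood)


def rank(assets: list) -> list:
    """Highest risk first, so limited defensive effort goes where it matters."""
    return sorted(assets, key=risk, reverse=True)


# Constructed sample register (values are illustrative, not measured)
REGISTER = [
    Asset("customer database", 5, 0.6, 0.5),  # valuable data, hard to replace
    Asset("public web server", 3, 0.8, 0.9),  # exposed to everyone, easy to rebuild
    Asset("staff laptops", 2, 0.5, 0.4),
]

if __name__ == "__main__":
    for a in rank(REGISTER):
        after = mitigate(a, 0.75)  # e.g. patching plus limiting access
        print(f"{a.name:18} risk={risk(a):.2f}  residual after mitigation={risk(after):.2f}")
```

Note that the web server outranks the more important database because its exposure and likelihood terms are higher, which is the point of multiplying the three factors rather than looking at importance alone.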
Attacker Category | Objective | Typical Target | Sample Attack
----------------- | --------- | -------------- | -------------
Cybercriminals | Fortune over fame | Users, businesses, governments | Steal credit card information
Script Kiddies | Thrills, notoriety | Businesses, users | Erase data
Brokers | Sell vulnerability to highest bidder | Any | Find vulnerability in operating system
Insiders | Retaliate against employer, shame government | Governments, businesses | Steal documents to publish sensitive information
Cyberterrorists | Cause disruption and panic | Businesses | Cripple computers that control water treatment
Hacktivists | To right a perceived wrong against them | Governments, businesses | Disrupt financial website
State-Sponsored | Spy on citizens, disrupt foreign government | Users, governments | Read user's email messages

Steps of an Attack – The Cyber Kill Chain™ (Trademarked by Lockheed Martin)

- Reconnaissance: The first step in an attack is to probe for any information about the system: the type of hardware used, version of operating system software, and even personal information about the users. This can reveal if the system is a viable target for an attack and how it could be attacked.
- Weaponization: The attacker creates an exploit (like a virus) and packages it into a deliverable payload (like a Microsoft Excel spreadsheet) that can be used against the target.
- Delivery: At this step the threat vector is transmitted to the target, such as by an email attachment or through an infected web server.
- Exploitation: After the threat vector is delivered to the victim, the exploitation stage triggers the attacker's exploit. Generally, the exploitation targets an application or operating system vulnerability, but it also could involve tricking the user into taking a specific action.
- Installation: At this step the threat vector is installed to either attack the computer or install a remote 'backdoor' so the attacker can access the system.
- Command and Control: Many times the compromised system connects back to the attacker so that the system can be remotely controlled by the attacker and receive future instructions.
- Actions on Objectives: Now the attackers can start to take actions to achieve their original objectives, such as stealing user passwords or launching attacks against other computers.

Defending Against an Attack Basics

Although multiple defenses may be necessary to withstand an attack, these defenses should be based on five fundamental security principles:

- Layering: A security system must have layers, making it unlikely that an attacker has the tools and skills to break through all the layers of defenses. A layered security approach, also called defense-in-depth, can be useful in resisting a variety of attacks. Layered security provides the most comprehensive protection.
- Limiting: Limiting access to information reduces the threat against it. This means that only those personnel who must use the data should have access to it – and only the type of access that is required.
  o Technology based limiting can be something like assigning file permissions so that a user can only read but not modify a file.
  o Procedural based limiting can be something like prohibiting an employee from removing a sensitive document from the premises.
- Diversity: Related to layering in that each security layer should be different. If attackers penetrate one layer, they cannot use the same techniques to break through all other layers. This can be done in different ways, like using security products from different companies (vendor diversity) or having different people responsible for each layer of security (control diversity).
- Obscurity: Hiding various types of information makes attacks that much more difficult – sometimes called security by obscurity. An example would be to not reveal the type of computer, version of operating system, or brand of software that is used.
- Simplicity: Complex security systems can be hard to understand and troubleshoot. Complex security schemes are often compromised to make them easier for trusted users to work with, yet this can also make it easier for the attackers. Keeping a system simple from the inside, but complex on the outside, can sometimes be difficult but has major benefits.

Security Standards

There are a number of security standards (sometimes called security frameworks or security reference architectures) that provide a resource of how to create a secure IT (information technology) environment. These include:
  o ETSI (European Telecommunications Standards Institute) Cyber Security Technical Committee standards (usually abbreviated: TC CYBER)
  o ISO/IEC standards (International Organization for Standardization and the International Electrotechnical Commission)
  o Standard of Good Practice (SoGP) published by ISF (Information Security Forum)
  o NIST (National Institute of Standards and Technology) Cybersecurity Framework (NIST CSF)
  o COBIT (Control Objectives for Information and Related Technologies) published by ISACA (Information Systems Audit and Control Association)

Malware

Malware (malicious software or computer contaminant) is software that enters a computer system without the user's knowledge or consent and then performs an unwanted and harmful action. Malware is most often used as the general term that refers to a wide variety of damaging software programs.

One method of classifying the various types of malware is by using the primary trait that the malware possesses:

- Circulation: The primary trait is to spread rapidly to other systems to impact a large number of users. The two most common types of malware in this class are viruses and worms.
  o Viruses: malicious computer code that reproduces itself on the same computer.
  o Worms: a malicious program that uses a computer network to replicate.
    Once a worm has exploited a vulnerability on one system, it immediately searches for another computer on the network that has the same vulnerability.
- Infection: The primary trait is to embed itself into the system. It might run only once or remain on the system and be launched an infinite number of times. It can attach itself to a benign program while others function as a stand-alone process. The three most common types of malware in this class are Trojans, ransomware, and crypto-malware.
  o Trojans: an executable program that masquerades as a legitimate program but performs malicious activities.
  o Ransomware: prevents a user's device from properly and fully functioning until a fee is paid.
  o Crypto-malware: a more malicious form of ransomware that encrypts all the files on a device so that none of them can be opened. A screen usually appears telling the victim that his files are now encrypted and a fee must be paid to receive a key to unlock them.
- Concealment: The primary trait is avoiding detection. Some malware attempts to avoid detection by changing itself, while other malware can embed itself within existing processes or modify the underlying host operating system. The most common type of malware in this class is a rootkit.
  o Rootkit: can hide its presence or the presence of other malware (like a virus) on the computer by accessing lower layers of the operating system. This enables the rootkit and its accompanying software to become undetectable by the operating system and common antimalware scanning software.
- Payload Capabilities: The primary trait is the actions the malware performs. Actions include stealing passwords and other valuable user data, deleting programs, modifying security settings, or using the infected systems to launch attacks against other computers.
  o Spyware: tracking software that is deployed without the consent or control of the user. One type of spyware is a keylogger that silently captures and stores each keystroke that a user types.
    The threat actor can then search the captured text for any useful information such as passwords, credit card numbers, or other personal information.
  o Adware: delivers advertising content in a manner that is unexpected and unwanted by the user – usually through constant popups. Adware can also contain other forms of malware.
  o Logic Bombs: computer code that is typically added to a legitimate program but lies dormant until a specific event triggers it. Once it is triggered, the program then deletes data or performs other malicious activities.
  o Backdoors: gives access to a computer, program, or service that circumvents any normal security protections.
  o Bots (or Zombies): software that will allow the infected computer to be placed under the remote control of an attacker for the purpose of launching attacks. When a large number of computers are infected and gathered together, they create a botnet under the control of a bot herder.

Social Engineering Attacks

Social engineering is a means of gathering information for an attack by relying on the weaknesses of individuals. Social engineering attacks can involve psychological approaches as well as physical procedures. (So, technology is not always needed for attacks.)

- Psychological Approaches: relies on an attacker's manipulation of human nature to persuade the victim to provide information or take actions. Social engineering psychological approaches often involve:
  o Impersonation: masquerade as a real or fictitious character and then play out the role of that person on a victim.
  o Phishing: sending an email or displaying a web page that falsely claims to be from a legitimate company in an attempt to trick the user into surrendering private information or installing harmful software. Several variations include:
    - Spear Phishing: phishing emails that target specific users.
    - Whaling: phishing emails that target wealthy individuals or senior executives (the 'big fish').
    - Vishing (Voice Phishing): instead of email, a telephone call is used.
  o Spam: unsolicited email that is sent to a large number of recipients. Generally, advertisements for products or services – the spammer can make money on any products or services sold. Spam is also a common means by which threat actors distribute their malware.
  o Hoaxes: a false warning, often contained in an email message, claiming to come from some authority figure or organization.
  o Watering Hole Attack: an attack on a smaller group of individuals that use a specific resource like an Internet website – the Internet website can be hacked and malware placed on the website that will infect only those people using that particular site.
- Physical Procedures:
  o Dumpster Diving: involves digging through trash to find information that can be useful in an attack. An electronic variation is to use Google's search engine to look for documents and data posted that can be used in an attack.
  o Tailgating: following an individual into a protected area without the individual knowing.
  o Shoulder Surfing: watching an individual entering a security code or password.
