Lec1_Introduction,Need (1).ppt

Full Transcript

 Learning Objectives
Upon completion of this material, you should be able to:

 Understand the definition of information security
 Identify security threat types
 Develop basic security policies
 Develop strategies for the protection of information
systems
 Describe security audit and monitoring methodologies

Principles of Information Security, 2nd Edition 2
 Introduction

 The State of being free from danger or threat.

 Freedom from threat.

 To be secure is to be protected from risk of loss,
damage, unwanted modification etc.

Principles of Information Security, 2nd Edition 3
 Types of Computer Security

 Impossible to obtain perfect security—it is a process, not
an absolute

 Security should be considered balance between
protection and availability

 To achieve balance, level of security must allow
reasonable access, yet protect against threats

Principles of Information Security, 2nd Edition 4
 Types of Computer Security

 Application Security:
 Application security aims to protect applications from various
types of attacks and threats that could lead to data breaches,
unauthorized access, or system compromise.
 Software encryption, antivirus, firewall.
 Network Security:
 Protects your computer system from authorized intrusions and
access to your computer networks.
 Firewall, Network Access Control, VPN, Network Monitoring.

Principles of Information Security, 2nd Edition 5
 Types of Computer Security

 End Point Security:
 End users are facing a huge security risk in any organization.
 End users become the victims of Cybercrimes because of their
lack of knowledge about IT protection and policies. Because
they lack awareness, they can unknowingly give access to their
computer systems to Cyber criminals.
 Awareness training programs should be arranged for enhancing
their knowledge about computer security and its threats.
 Internet Security:
 It is a method for creating a perfect set of rules and actions to
prevent any unauthorized use or harm to computer systems
that are directly connected to the internet.

Principles of Information Security, 2nd Edition 6
 Types of Computer Security

 Information Security:
 Information security is a type of cyber security
that specially focuses on the methodology and
techniques that are built for ensuring computer
security.
 Information security is commonly known as the
CIA triad and this model is used for protecting
the integrity, availability, and confidentiality
of organizational data so that productivity is
maintained.

Principles of Information Security, 2nd Edition 7
 What is Information Security?

 Computer security means the protection
system that is installed in the computer
systems so that it can protect the
important data and information that is
stored in the computer from
unauthorized access, misuse of
information and data, and information
and data theft.

Principles of Information Security, 2nd Edition 8
 The History of Information Security
 Began immediately after the first mainframes were
developed

 Created to aid code-breaking computations during World
War II

 Physical controls to limit access to sensitive military
locations to authorized personnel: badges, keys, and
facial recognition

 Rudimentary in defending against physical theft,
espionage, and sabotage

Principles of Information Security, 2nd Edition 9
 Necessary tools to secure information

 policy,
 awareness,
 training,
 education,
 technology

Principles of Information Security, 2nd Edition 10
 Why Information Security is important?

 To protect personal information
 To protect company properties
 To prevent data theft
 To prevent malware and virus

Principles of Information Security, 2nd Edition 11
 To protect personal information

 Implement an anti-virus software.
 Update the operating system of your computer
regularly.
 Apply smart password and other locks.
 Always take a backup of your critical data information.
 Use computer locks for safety.
 Do not fall for the traps of phishing emails.

Principles of Information Security, 2nd Edition 12
 Protect company properties

 Installing a security system in the computers
ensures IT protection which indeed helps the
companies to protect their sensitive data and
information.

Principles of Information Security, 2nd Edition 13
 Prevent data theft
 Data theft means stealing any critical and sensitive
information such as account passwords, bank account
details, health-related information, personal
information, important documents that are stored in the
computer systems and its servers.
 Reasons for data theft
 Stolen and weak credentials.
 Errors caused by humans.
 Presence of any malicious insiders.

Principles of Information Security, 2nd Edition 14
 Prevent malware and virus
 Keep your software updated.
 Use paid and good professional software for antivirus.
 Apply a strong password to your computer system.
 Do not click irrelevant links on your system.
 Always back up your sensitive computer data.
 Only go through trusted and authorized security
websites.

Principles of Information Security, 2nd Edition 15
 Critical Characteristics of Information
 The value of information comes from the characteristics it
possesses:
 Timeliness
 No value if it is too late
 Availability
 No interference or obstruction
 Required format
 Accuracy
 Free from mistakes
 Authenticity
 Quality or state of being genuine, i.e., sender of an email
 Confidentiality
 Disclosure or exposure to unauthorized individuals or system is prevented

Principles of Information Security, 2nd Edition 16
 Security Threats (Class Activity)

 Virus
 Worms
 Phishing
 Botnet
 Rootkit
 Keylogger

Principles of Information Security, 2nd Edition 17
 Security Threats

 Virus
 A computer virus is a type of malicious software (malware) that is
designed to replicate itself and spread from one computer to
another.
 May corrupt your sensitive information as well.
 Computer viruses are often created by malicious individuals or
groups with the intent of causing damage, stealing information, or
disrupting computer systems.
 Melissa, Sasser, Conficker, CodeRed, WannaCry, Nimda

Principles of Information Security, 2nd Edition 18
 Security Threats
 Computer Worm
 Computer worms are a type of malicious software that can
self-replicate and spread without needing to attach
themselves to other programs or files.
 Unlike viruses, worms don't require a host to propagate;
they can independently move across networks and
systems.
 Worms can have various negative effects from slowing
down networks to causing data breaches.
 Morris Worm, Slammer, Blaster, Mydoom, Sasser.

Principles of Information Security, 2nd Edition 19
Principles of Information Security, 2nd Edition 20
 Security Threats
 Phishing
 Phishing is a type of cyber attack that involves tricking
individuals into revealing sensitive information, such as
passwords, credit card numbers, or personal details.
 This is typically done by posing as a legitimate and
trustworthy entity, such as a reputable company,
government agency, or financial institution.
 Email phishing, Spear Phishing, Smishing, Vishing,
Pharming, Clone Phishing, Whaling.

Principles of Information Security, 2nd Edition 21
 Security Threats: Botnets
 A botnet is a network of compromised computers, often
referred to as "bots" or "zombies," that are under the control
of a single entity or attacker.
 These compromised computers are usually infected with
malicious software or malware, which allows the attacker to
remotely control and manipulate them without the knowledge
or consent of their owners.
 Botnets can send out vast amounts of spam emails,
promoting scams, phishing attempts, or other malicious
activities.

Principles of Information Security, 2nd Edition 22
 Security Threats: Rootkit
 A rootkit is a type of malicious software
(malware) designed to gain unauthorized
access and control over a computer system,
while remaining hidden from the system's legitimate users and
security tools.
 Rootkits get their name from the term "root," which refers to
the highest level of administrative access in Unix-like
operating systems, and "kit," which implies a collection of
tools.
 This makes them difficult to detect using traditional antivirus
and anti-malware software, as they can alter the way the
operating system functions and effectively hide their
presence.

Principles of Information Security, 2nd Edition 23
 Security Threats: Keylogger
 A keylogger is a type of software or hardware device
designed to record and log every keystroke made on a
computer's keyboard.
 It's typically used to capture the information entered by a
user, including passwords, usernames, credit card numbers,
personal messages, and other sensitive data.
 Keyloggers can be employed for legitimate purposes such as
monitoring computer usage, but they can also be used
maliciously to steal confidential information.

Principles of Information Security, 2nd Edition 24
 Types of cyber attacks
 Direct
 Hacker uses their computer to break into a system
 Indirect
 System is compromised and used to attack other
systems

Principles of Information Security, 2nd Edition 25
 Direct Attack
 A direct attack refers to a situation where a
hacker directly targets a system or network with
the intention of gaining unauthorized access,
stealing data, disrupting services, or causing
other types of harm.

 This could involve exploiting vulnerabilities in
software, using phishing techniques to trick users
into revealing sensitive information, or employing
brute force attacks to guess passwords.

 The key characteristic of a direct attack is that
the hacker is actively engaging with the target
system to breach its defenses and achieve their
objectives.

Principles of Information Security, 2nd Edition 26
 Indirect Attack
 An indirect attack involves a compromised system
that is being controlled by a hacker, often without
the knowledge of the system's owner.

 This compromised system, known as a "bot" or
part of a "botnet," is used to launch attacks on
other systems. These attacks could include
distributed denial of service (DDoS) attacks, where
multiple compromised systems flood a target
system with traffic to overwhelm it, rendering it
unavailable.

 In this scenario, the hacker doesn't necessarily
interact directly with the target system but instead
manipulates the compromised system to carry out
the attack.

Principles of Information Security, 2nd Edition 27
 Computer Security Attacks

Principles of Information Security, 2nd Edition 28
 Computer Security Attacks
Social engineering is a form of cyberattack that
manipulates individuals into revealing sensitive
information, taking certain actions, or
compromising security measures.
It exploits human psychology and behavior rather
than relying solely on technical vulnerabilities.
Social engineering attacks often involve
manipulation, deception, and psychological tricks
to gain unauthorized access to systems, networks,
or information.
Examples??

Principles of Information Security, 2nd Edition 29
 Computer Security Attacks: Password Attacks
Password attacks are
techniques used by
cyber attackers to
gain unauthorized
access to computer
systems, accounts, or
networks by exploiting
weaknesses in
passwords.
These attacks target
the security
vulnerabilities of
passwords and aim to
either guess or
circumvent them,
allowing the attacker
Principles of Information Security, 2nd Edition 30
 Forms of attacks
Active and passive attacks
An attacker tries to change the content of the messages
in an active attack.
Active Attack is a danger to Integrity as well
as availability.
DOS
An attacker monitors the communications and duplicates
them in a passive attack.
Passive Attack is a danger to Confidentiality.
Traffic analysis, Data capturing, Eavesdropping.

Principles of Information Security, 2nd Edition 31
 Computer Security Attacks

Principles of Information Security, 2nd Edition 32
 Information Security: Critical Elements

 Confidentiality
 Integrity
 Availability

Principles of Information Security, 2nd Edition 33
 Figure 1-4 – NSTISSC Security
C.I.A Triad
Model
 Confidentiality :No unauthorized access
 Few methods to breach confidentiality
 Password Cracking
 Phishing scams
 Malware attacks
 Social Engineering
 Tools to achieve confidentiality
 Encryption, VeraCrypt, TrueCrypt, GnuPG, xCrypt,
BitLocker.
Principles of Information Security, 2nd Edition 34
 Figure 1-4 – NSTISSC Security
C.I.A Triad
Model
 Integrity : Modification of Data
 Few methods to breach integrity
 SQL injection
 Malware attacks
 Man-in-the-middle attacks
 Data Tampering
 Tools to achieve integrity
 HashCheck, astSum, checksum, md5sum, QuickSFV

Principles of Information Security, 2nd Edition 35
 Figure 1-4 – NSTISSC Security
C.I.A Triad
Model
 Availability : Data unavailable
 Few methods to breach integrity
 DDoS attacks
 Malware attacks
 Natural Disasters
 Human errors/System Failures
 Tools to achieve availability
 Firewalls, Regular Backups, IDS/IPS, Cloud based
solutions.
Principles of Information Security, 2nd Edition 36
 Confidentiality
 Password Cracking (John the Ripper)
 File Encryption(GPG)
 Authorization (Configure privileges)
 Authorization (Privilege Escalation)
 Firewall
 Integrity
 Checksum
 Non Repudiation (Digital Certificate)
 SQL Map
 Availability
 Stress Test

Principles of Information Security, 2nd Edition 37
 The Systems Development Life Cycle
 Systems development life cycle (SDLC) is methodology and
design for implementation of information security within an
organization
 Methodology is formal approach to problem-solving based
on structured sequence of procedures
 Using a methodology
 ensures a rigorous process
 avoids missing steps
 Goal is creating a comprehensive security posture/program
 Traditional SDLC consists of six general phases
Principles of Information Security, 2nd Edition 38
Principles of Information Security, 2nd Edition 39
 The Security Systems Development Life Cycle

 The same phases used in traditional SDLC may be
adapted to support specialized implementation of an IS
project

 Identification of specific threats and creating controls to
counter them

 SecSDLC is a coherent program rather than a series of
random, seemingly unconnected actions

Principles of Information Security, 2nd Edition 40
 The Security Systems Development Life Cycle

 Investigation

 Identifies process, outcomes, goals, and constraints of the
project

 Begins with enterprise information security policy

 Analysis

 Existing security policies, legal issues,

 Perform risk analysis

Principles of Information Security, 2nd Edition 41
 The Security Systems Development Life Cycle
 Logical Design
 Creates and develops blueprints for information security

 Incident response actions: Continuity planning, Incident
response, Disaster recovery
 Feasibility analysis to determine whether project should continue
or be outsourced

 Physical Design
 Needed security technology is evaluated, alternatives
generated, and final design selected
Principles of Information Security, 2nd Edition 42
 The Security Systems Development Life Cycle
 Implementation
 Security solutions are acquired, tested, implemented, and
tested again
 Personnel issues evaluated; specific training and education
programs conducted
 Entire tested package is presented to management for final
approval

 Maintenance and Change
 Most important
 Constant changing threats
 Constant monitoring, testing updating and implementing
change

Principles of Information Security, 2nd Edition 43
 Information Security Project Team
 A number of individuals who are experienced in one or
more facets of technical and non-technical areas:
 Champion: Senior executive who promotes the project
 Team leader: project manager, departmental level
manager
 Security policy developers
 Risk assessment specialists
 Security professionals
 Systems administrators
 End users

Principles of Information Security, 2nd Edition 44
Need for Security
 Why do we need Security?

 Protect vital information while still allowing access to
those who need it
 Trade secrets, medical records, etc.

 Provide authentication and access control for resources

 Guarantee availability of resources

Principles of Information Security, 2nd Edition 46
 Reasons for information security
 Preventing Data Breaches and Cyberattacks:
 Cyber-attacks, such as viruses, malware,
phishing, and ransomware, are becoming
increasingly sophisticated and frequent.
Information security helps prevent these
attacks and minimizes their impact if they do
occur.

 Protecting Confidential Information
 Certain information, such as personal data,
trade secrets, financial records, and sensitive
government data, needs to be kept confidential
to protect individuals' privacy and
organizations' competitive advantages.

Principles of Information Security, 2nd Edition 47
 Reasons for information security
 Integrity:

 Maintaining the integrity of information ensures that it
remains accurate, reliable, and unaltered. Unauthorized
modifications to data can lead to misinformation, financial
errors, and even safety risks.

 Availability:

 Information should be available when needed. Denial-of-
service attacks and other disruptions can render critical
systems and data inaccessible, causing operational
disruptions and financial losses.
Principles of Information Security, 2nd Edition 48
 Reasons for information security
 Compliance:

 Many industries are subject to regulations and standards that
mandate the protection of sensitive information. Non-
compliance can result in hefty fines and legal actions.

 Protecting Customer Trust:

 Customers expect organizations to keep their data safe and
secure. Breaches or data leaks can erode customer trust,
leading to a loss of business and damage to the
organization’s reputation.

Principles of Information Security, 2nd Edition 49
 Reasons for information security
 National Security:
 Governments hold sensitive information related to national
security, defense, and diplomacy. Ensuring the security of
this information is vital to protect the interests of a country
and its citizens.
 Technological Advancements:
 As technology advances, new avenues for cyber threats
emerge. The rise of the Internet of Things (IoT), cloud
computing, and artificial intelligence has expanded the
attack surface for malicious actors.

Principles of Information Security, 2nd Edition 50
 Reasons for information security
 Personal Privacy:
 Individuals store a vast amount of personal
information online. Protecting this information
is crucial for preventing identity theft, financial
fraud, and other forms of misuse.
 Intellectual Property Protection:
 Companies invest significant resources in
research and development. Information security
safeguards these valuable intellectual assets
from theft and unauthorized use.
 Securing Online Transactions:
 Information security is important to help
individuals protect their financial information
and prevent fraud and other financial crimes.

Principles of Information Security, 2nd Edition 51
 Who is vulnerable?
 Financial institutions and banks
 Internet service providers
 Pharmaceutical companies
 Government and defense agencies
 Contractors to various government agencies
 Multinational corporations
 Anyone on the network

Principles of Information Security, 2nd Edition 52
 Common security attacks and their
countermeasures
 Finding a way into the network
 Firewalls
 Exploiting software bugs, buffer overflows
 Intrusion Detection Systems
 Denial of Service
 Ingress filtering, IDS
 TCP hijacking
 IPSec
 Packet sniffing
 Encryption (SSH, SSL, HTTPS)
 Social problems
 Education

53
 Finding a way into the network
 Basic problem – many network applications and
protocols have security problems that are fixed
over time
 Difficult for users to keep up with changes and keep
host secure
 Solution
 Administrators limit access to end hosts by using a firewall
 Firewall is kept up-to-date by administrators

54
 Firewalls
 A firewall is like a castle with a drawbridge
 Only one point of access into the network
 This can be good or bad
 Can be hardware or software
 Ex. Some routers come with firewall functionality
 ipfw, ipchains, pf on Unix systems, Windows XP and
Mac OS X have built in firewalls

55
 Intrusion Detection
 Used to monitor for “suspicious activity” on a
network
 Can protect against known software exploits, like buffer
overflows
 Open Source IDS: Snort, www.snort.org

56
 Intrusion Detection
 Uses “intrusion signatures”
 Well known patterns of behavior
 Ping sweeps, port scanning, web server indexing, OS fingerprinting, DoS
attempts, etc.
 Example
 IRIX vulnerability in webdist.cgi
 Can make a rule to drop packets containing the line
 “/cgi-bin/webdist.cgi?distloc=?;cat%20/etc/passwd”

 However, IDS is only useful if contingency plans are in
place to curb attacks as they are occurring

57
 Dictionary Attack
 We can run a dictionary attack on the passwords
 The passwords in /etc/passwd are encrypted with the crypt(3)
function (one-way hash)
 Can take a dictionary of words, crypt() them all, and compare
with the hashed passwords
 This is why your passwords should be meaningless
random junk!
 For example, “sdfo839f” is a good password
 That is not my andrew password
 Please don’t try it either

58
 Denial of Service
 Purpose: Make a network service unusable, usually
by overloading the server or network
 Many different kinds of DoS attacks
 SYN flooding
 SMURF
 Distributed attacks
 Mini Case Study: Code-Red

59
 Denial of Service
 SYN flooding attack
 Send SYN packets with bogus source address
 Why?
 Server responds with SYN ACK and keeps state about
TCP half-open connection
 Eventually, server memory is exhausted with this state
 Solution: use “SYN cookies”
 In response to a SYN, create a special “cookie” for the
connection, and forget everything else
 Then, can recreate the forgotten information when the ACK
comes in from a legitimate connection

60
 Denial of Service
 Mini Case Study – CodeRed
 July 19, 2001: over 359,000 computers infected with
Code-Red in less than 14 hours
 Used a recently known buffer exploit in Microsoft IIS
 Damages estimated in excess of $2.6 billion

61
 Denial of Service
 How can we protect ourselves?
 Ingress filtering
 If the source IP of a packet comes in on an interface which
does not have a route to that packet, then drop it
 RFC 2267 has more information about this
 Stay on top of CERT advisories and the latest security
patches
 A fix for the IIS buffer overflow was released sixteen days
before CodeRed had been deployed!

62
 TCP Attacks
 Recall how IP works…
 End hosts create IP packets and routers process them
purely based on destination address alone
 Problem: End hosts may lie about other fields
which do not affect delivery
 Source address – host may trick destination into
believing that the packet is from a trusted source
 Especially applications which use IP addresses as a simple
authentication method
 Solution – use better authentication methods

63
 TCP Attacks
 TCP connections have associated state
 Starting sequence numbers, port numbers
 Problem – what if an attacker learns these values?
 Port numbers are sometimes well known to begin with
(ex. HTTP uses port 80)
 Sequence numbers are sometimes chosen in very
predictable ways

64
 TCP Attacks
 If an attacker learns the associated TCP state for
the connection, then the connection can be
hijacked!
 Attacker can insert malicious data into the TCP
stream, and the recipient will believe it came from
the original source
 Ex. Instead of downloading and running new program,
you download a virus and execute it

65
 TCP Attacks
 Say hello to Alice, Bob and Mr. Big Ears

66
 TCP Attacks
 Alice and Bob have an established TCP connection

67
 TCP Attacks
 Mr. Big Ears lies on the path between Alice and
Bob on the network
 He can intercept all of their packets

68
 TCP Attacks
 First, Mr. Big Ears must drop all of Alice’s packets
since they must not be delivered to Bob (why?)

Packets

The Void

69
 TCP Attacks
 Then, Mr. Big Ears sends his malicious packet with
the next ISN (sniffed from the network)

ISN, SRC=Alice

70
 TCP Attacks
 How do we prevent this?
 IPSec
 Provides source authentication, so Mr. Big Ears cannot
pretend to be Alice
 Encrypts data before transport, so Mr. Big Ears cannot
talk to Bob without knowing what the session key is

71
 Packet Sniffing
 Recall how Ethernet works …
 When someone wants to send a packet to some
else …
 They put the bits on the wire with the destination
MAC address …
 And remember that other hosts are listening on the
wire to detect for collisions …
 It couldn’t get any easier to figure out what data is
being transmitted over the network!

72
 Packet Sniffing
 What kinds of data can we get?
 Asked another way, what kind of information would
be most useful to a malicious user?
 Answer: Anything in plain text
 Passwords are the most popular

73
 Packet Sniffing
 How can we protect ourselves?
 SSH, not Telnet
 Many people at CMU still use Telnet and send their password in the clear (use
PuTTY instead!)
 Now that I have told you this, please do not exploit this information
 Packet sniffing is, by the way, prohibited by Computing Services
 HTTP over SSL
 Especially when making purchases with credit cards!
 SFTP, not FTP
 Unless you really don’t care about the password or data
 Can also use KerbFTP (download from MyAndrew)
 IPSec
 Provides network-layer confidentiality

74
 Social Problems
 People can be just as dangerous as unprotected
computer systems
 People can be lied to, manipulated, bribed, threatened,
harmed, tortured, etc. to give up valuable information
 Most humans will breakdown once they are at the
“harmed” stage, unless they have been specially trained
 Think government here…

75
 Social Problems
 Fun Example 3:
 Who saw Office Space?
 In the movie, the three disgruntled employees installed
a money-stealing worm onto the companies systems
 They did this from inside the company, where they had
full access to the companies systems
 What security techniques can we use to prevent this type of
access?

76
 Measures taken to improve Information
Security
Security Awareness Training: Many organizations provide
security awareness training to employees to help them identify
and respond to security threats.
Encryption: Encryption is used to protect sensitive information
as it is transmitted or stored. This helps prevent unauthorized
access or theft of data.
Firewalls: Firewalls are used to control access to computer
networks and help prevent unauthorized access to sensitive
information.
Access Controls: Access controls are used to restrict access to
sensitive information and systems to only those who need it.
Penetration Testing: Penetration testing is used to identify
vulnerabilities in an organization’s systems and to test its
defenses against cyber attacks.

Principles of Information Security, 2nd Edition 77
 Challenges in implementing Information Security
1. Constantly Evolving Threat Landscape: Cyber threats are
constantly evolving, with hackers developing new techniques and
exploits. Staying up-to-date with the latest threats and vulnerabilities
requires continuous monitoring and adaptation.

2. Complexity of Technology: Modern IT environments are complex,
often involving a mix of on-premises systems, cloud services, mobile
devices, and more. Managing security across these diverse platforms
can be challenging.

3. Lack of Awareness: Many individuals within organizations may not
fully understand the importance of information security or how their
actions can impact it. This lack of awareness can lead to security
vulnerabilities.
Principles of Information Security, 2nd Edition 78
 Challenges in implementing Information Security
Human Error: Despite technological advancements,
human error remains a significant contributor to security
breaches. Mistakes such as clicking on phishing emails or
misconfiguring security settings can lead to breaches.

Insider Threats: Malicious actions or negligence by
employees, contractors, or partners can pose a significant
risk to information security. Insiders with access to
sensitive information can intentionally or unintentionally
compromise it.

Principles of Information Security, 2nd Edition 79
 References
 https://www.cs.cmu.edu/~srini/15-441/F02/lectures/lec21
-security.pdf

 https://www.f-secure.com/v-descs/slapper.shtml
 http://www.robertgraham.com/pubs/network-intrusion-det
ection.html
 http://online.securityfocus.com/infocus/1527
 http://www.snort.org/
 http://www.cert.org/
 http://www.nmap.org/
 http://grc.com/dos/grcdos.htm
 http://lcamtuf.coredump.cx/newtcp/

Principles of Information Security, 2nd Edition 80