Lecture 01 - Introduction to Cyber Security (1).ppt
IE2022 – Introduction to Cyber Security
Lecture 01: Introduction to Cyber Security
Mr. Amila Senarathne

Objectives:
Describe the formal definition of computer security
Describe confidentiality, integrity, and availability as the key security requirements
Computer security model and strategy
Describe the security threats and attack types

Recommended text:
W. Stallings and L. Brown, Computer Security: Principles and Practice, 2nd edition, Pearson, 2012, Chapter 1.
Supplementary text:
Charles P. Pfleeger and Shari L. Pfleeger, Security in Computing (3rd edition), Prentice-Hall, 2003. ISBN: 0-13-035548-8.

IE2022 | Introduction to Cyber Security | Lecture 01 | Amila Senarathne

Computer Security
Definition (NIST Computer Security Handbook): The protection afforded to an automated information system in order to attain the applicable objectives of preserving the integrity, availability, and confidentiality of information system resources (includes hardware, software, firmware, information/data, and telecommunications).
Key objectives of computer security: confidentiality, integrity, availability.

Information Security (InfoSec)
The protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability. (Source: NIST Glossary of Key Information Security Terms)

Cyber Security
Cybersecurity is the practice of protecting systems, networks, and programs from cyber attacks. These cyberattacks are usually aimed at accessing, changing, or destroying sensitive information; extorting money from users; or interrupting normal business processes (CISCO, 2021).
The art of protecting networks, devices, and data from unauthorized access or criminal use and the practice of ensuring confidentiality, integrity, and availability of information. Also referred to as information technology security.

Computer Security Objectives
1) Confidentiality (C). This term covers two related concepts.
– Data confidentiality. Assures that confidential information is not made available or disclosed to unauthorized individuals.
– Privacy. Assures that owners have control over what information related to them may be collected and stored, and by whom and to whom that information may be disclosed.
NIST's requirement: Preserve authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.
Loss of confidentiality means unauthorized disclosure of information.

Objectives (cont.)
2) Integrity (I). This term covers two related concepts.
– Data integrity: Information and programs are changed only in a specified and authorized manner.
– System integrity: A system performs its intended function in an unimpaired manner, free from deliberate or inadvertent unauthorized manipulation of the system.
NIST's requirement: Guard against improper information modification or destruction, including ensuring information nonrepudiation and authenticity.
Loss of integrity means unauthorized modification or destruction of information.

Objectives (cont.)
3) Availability (A). Systems work promptly and service is not denied to authorized users.
NIST's requirement: Ensuring timely and reliable access to and use of information.
Loss of availability means disruption to authorized users in accessing or using information.
(Figure from Stallings & Brown textbook)

Additional Objectives
4) Authenticity: Able to verify that
– the users are who they claim to be, and
– the system receives data from a trusted source.
NIST includes authenticity as part of integrity.
5) Accountability: Able to trace the actions performed by an entity back to that entity.
Accountability supports: nonrepudiation, deterrence, fault isolation, intrusion detection and prevention, after-action recovery and legal action.
Read the examples of C-I-A in the textbook (Stallings & Brown).

Computer Security Model (RFC 2828)
1) System resource or asset that needs to be protected
Hardware: e.g., computer system, data storage, communication devices.
Software: e.g., operating systems, program utilities and applications.
Data: e.g., data and password files, databases.
Communication facilities and networks: e.g., LAN, WAN, routers, etc.
2) Vulnerabilities of system resources
Definition: A flaw or weakness in a system's design, implementation, or operation and management that could be exploited to violate the system's security policy.
When the resource is corrupted, integrity is violated.
When the resource is leaky, confidentiality is violated.
When the resource is unavailable, availability is violated.

Computer Security Model (cont.)
3) Threat is a possible danger that might exploit a vulnerability. It represents potential harm to a system resource.
4) Attack is a threat that is carried out (a threat action). Two attack types:
Active attack: An act that has negative effects on system resources.
Passive attack: An act that makes use of system information but does not affect the system.
The origin of an attack:
Inside attack is carried out by an entity inside the security perimeter.
Outside attack is performed by an unauthorized user.

Computer Security Model (cont.)
5) Adversary is an entity that carries out an attack – a threat agent or an attacker.
6) Countermeasure is any means taken
– to address an attack,
– to prevent an attack from being successful,
– to detect the attack if it is successful, and
– to recover from the damage due to the attack.
7) Risk is the expected loss due to a particular attack.
– Examples?

Exploits
An exploit is a piece of software, a chunk of data, or a sequence of commands that takes advantage of a bug or vulnerability to cause unintended or unanticipated behavior on computer software, hardware, or something electronic (usually computerized). Such behavior frequently includes gaining control of a computer system, allowing privilege escalation, or a denial-of-service (DoS or related DDoS) attack.
Used as a verb, "exploit" refers to the act of successfully making such an attack (making use of a vulnerability).

Vulnerability Assessment
A vulnerability assessment is the process of defining, identifying, classifying and prioritizing vulnerabilities in information systems, applications and network infrastructures, providing the organization doing the assessment with the necessary knowledge, awareness and risk background to understand the threats to its environment and react appropriately.

Penetration Testing
Penetration testing (also called pen testing or ethical hacking) is the practice of testing an information system, network or web application to find security vulnerabilities that an attacker could exploit.
The process involves gathering information about the target before the test, identifying possible entry points, attempting to break in either virtually or for real, and reporting back the findings. Penetration testing can be automated with software applications or performed manually.

Goal of Penetration Testing
Identify weak spots in an organization's security posture
Measure compliance with its security policy
Test the staff's awareness of security issues
Determine whether and how the organization would be subject to security disasters

Computer Security Model
(Figure from Stallings & Brown textbook)

Threats and Attacks
Four kinds of threats and their types of attacks (RFC 2828)
1) Unauthorized disclosure: a threat to system confidentiality
Types of attacks:
Exposure. The attacker obtains unauthorized knowledge of sensitive data.
Interception. The attacker gains access to data being transmitted – a common attack in communication networks.
Inference. The attacker gains information from analyzing the pattern of traffic in a network.
Intrusion. The attacker gains unauthorized access to data – probably after breaking the system's access control protection.

Threats and Attacks (cont.)
2) Deception: a threat to system or data integrity
Types of attacks:
Masquerade. The attacker accesses the system acting as an authorized user – the attacker may have the login name and password.
Falsification. The attacker modifies or replaces valid data or produces false data.
Repudiation. The attacker denies
– sending the data,
– receiving the data, or
– possessing the data.

Threats and Attacks (cont.)
3) Disruption: a threat to system availability and integrity
Types of attacks:
Incapacitation. An attack on system availability by destroying or damaging system resources (e.g., hardware) and their services.
Corruption. An attack on system integrity such that the system resources or services operate in an unintended manner – this can be done by malware or by an attacker that modifies system functions.
Obstruction. An attack on system availability by interfering with, altering, or overloading communication functions.

Threats and Attacks (cont.)
4) Usurpation: a threat to system integrity
Types of attacks:
Misappropriation. Unauthorized software uses the OS and hardware resources – e.g., a DoS attack that steals system services.
Misuse. Disabling security functions, by the following means:
– malicious logic, or
– an attacker that gains access to the system.

Threats and Assets
Four categories of assets and their attacks.
1) Threats on hardware: attack on system availability, e.g., damaging or stealing the hardware.
2) Threats on software: attack on system availability and integrity/authenticity, e.g., deleting and damaging (availability), and modifying (integrity/authenticity) the software.
3) Threats on data: attack on availability, integrity and confidentiality, e.g., destroying data (availability), accessing and analyzing unauthorized data (confidentiality), and modifying data (integrity).

Threats and Assets (cont.)
4) Threats on communication lines and networks: can be passive or active attacks.
A passive attack is performed by eavesdropping on or monitoring data transmission.
The attacker only learns or makes use of information without affecting system resources.
A passive attack is hard to detect because data is not altered – use attack prevention (not detection) to handle it.
Two types of passive attacks:
Release of message contents (confidentiality)
Traffic analysis, if the data is encrypted.

Threats and Assets (cont.)
4) Threats on communication lines and networks (cont.)
Active attacks alter system resources or affect their operation.
An active attack is difficult to prevent but easy to detect.
Four categories of active attack:
Replay. Capture and retransmit a data unit to produce an unauthorized effect.
Masquerade. One entity pretends to be another entity – it usually includes another form of attack, e.g., replay.
Data modification. Alter some portion of legitimate data, delay the data, or reorder the data to produce an unauthorized effect.
Denial of service. Prevent or disallow the legitimate use of facilities.

Security Functional Requirements
FIPS PUB 200 (NIST) lists 17 security-related areas to protect the confidentiality, integrity, and availability of systems and of the information stored, processed and transmitted by the system.
Countermeasures to security vulnerabilities and threats are divided into two categories:
1) Those that require computer security technical measures: access control, identification and authentication, system and communication protection, system and information integrity.
2) Those that are fundamentally management issues: awareness and training, audit and accountability, certification, accreditation, and security assessments, etc.
(Table from Stallings & Brown textbook)

OSI Security Architecture
The International Telecommunication Union (ITU) Recommendation X.800 defines the Security Architecture for Open Systems Interconnection (OSI)
– to assess the security needs of an organization,
– to evaluate and choose various security products and policies, and
– to define security requirements and approaches to satisfy those requirements.
The OSI Security Architecture focuses on:
– Security attack. Any action that compromises the security of information owned by an organization.
– Security mechanism. A process to detect, prevent, or recover from a security attack.
– Security service. A service that enhances the security of the data processing systems and the information transfers of an organization, countering security attacks by making use of one or more security mechanisms.

OSI Security Services
X.800 divides security services into six categories and 14 specific services.
X.800 focuses on distributed and networked systems – it stresses network security more than single-computer security.
Six categories of security services:
1) Authentication. Make sure that a communication is authentic.
2) Access control. Limit and control access to host systems through communication channels.
3) Data confidentiality. Protect data from passive attacks.
4) Data integrity. Make sure that the data received is exactly what was sent by an authorized entity.
5) Nonrepudiation. Prevent the sender or receiver from denying a transmitted message.
6) Availability. Prevent denial of authorized access to system resources.
(Table 1.5, Security Services, from Stallings & Brown textbook; source: X.800, Security Architecture for OSI)

OSI Security Mechanisms
X.800 divides security mechanisms into
– those specific to particular protocol layers and protocol applications, e.g., TCP, and
– others.
(Table 1.6, X.800 Security Mechanisms, from Stallings & Brown textbook)

Computer Security Trends
Survey (2010/2011) conducted by the Computer Security Institute with respondents from 350 organizations in the US, based on:
Types of attacks (see Fig. 1.4) – there are growing incidents of malware infection.
Security technology used (see Fig. 1.5) – most organizations use anti-virus software and firewalls.

Figure 1.4 Types of Attacks Experienced (by percent of respondents), 2006–2009. Series: malware infection, laptop/mobile device theft, insider abuse of access or email, phishing, denial of service, bots on network, exploit of wireless networks, password sniffing, financial fraud. Figure from Stallings & Brown textbook; source: Computer Security Institute 2010/2011 Computer Crime and Security Survey.

Figure 1.5 Security Technologies Used (percent of respondents). Categories: anti-virus software, firewall, anti-spyware software, virtual private network (VPN), vulnerability/patch management, encryption of data in transit, intrusion detection system (IDS), encryption of data at rest (in storage), web/URL filtering, application firewall, intrusion prevention system (IPS), log management software, endpoint security software, data loss prevention/content monitoring, server-based access control list, forensic tool, static account logins/passwords, public key infrastructure (PKI), smart cards and other one-time tokens, specialized wireless security, virtualization-specific tools, biometrics, other. Figure from Stallings & Brown textbook; source: Computer Security Institute 2010/2011 Computer Crime and Security Survey.

Computer Security Strategy
Lampson suggests a security strategy that includes three aspects:
Specification/policy: What to do
Implementation/mechanisms: How to do it
Correctness/assurance: Does it work
Factors to consider for a security policy:
The value of the assets to be protected
The system's vulnerabilities
Potential threats and their possible attacks
Ease of use versus security
Cost of security versus cost of security failure and recovery

Computer Security Strategy (cont.)
Security implementation includes these four complementary actions:
Prevention – this is the ideal case, but it is not always feasible.
Detection – when prevention is not possible, detect security attacks; intrusion detection can be used.
Response – when an attack is detected, respond to halt the attack or prevent further damage.
Recovery – recover from the attack by using, for example, a backup copy.

Computer Security Strategy (cont.)
NIST defines assurance as the degree of confidence one has that the security measures, both technical and operational, work as intended to protect the system and the information it processes.
Does the security system design meet its requirements?
Does the security system implementation meet its specifications?
Evaluation is the process of examining a computer product or system with respect to certain criteria; it involves testing and analysis.
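Added illustration (not from the lecture slides or the Stallings & Brown textbook) of two points made above: that active attacks on a communication line are "difficult to prevent but easy to detect" while passive ones leave nothing to detect, and that the X.800 data integrity and authentication services are what make the detection step of the security strategy possible. A receiver checks an HMAC over a sequence number and payload, so replay, data modification and masquerade are each caught and logged; the shared key, the frames, and the names protect(), Receiver and demo() are this example's own constructions.

```python
import hashlib
import hmac
import struct

# Assumption: sender and receiver share this key out of band (constructed value).
KEY = b"constructed-shared-key"
TAG_LEN = 32  # HMAC-SHA256 output size


def protect(key: bytes, seq: int, payload: bytes) -> bytes:
    """Sender side: frame = 4-byte sequence number | payload | HMAC-SHA256 tag.
    The tag covers the sequence number, so neither field can be altered alone."""
    header = struct.pack(">I", seq) + payload
    return header + hmac.new(key, header, hashlib.sha256).digest()


class Receiver:
    """Receiver side: checks the tag (data integrity / authentication services)
    and rejects non-increasing sequence numbers (replay detection)."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_seq = -1
        self.events = []  # detection log; supports accountability

    def accept(self, frame: bytes):
        """Return the payload if the frame is genuine and fresh, else None."""
        if len(frame) < 4 + TAG_LEN:
            self.events.append("malformed frame")
            return None
        header, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, header, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            # altered seq/payload, or a masquerade by someone without the key
            self.events.append("integrity failure")
            return None
        seq = struct.unpack(">I", header[:4])[0]
        if seq <= self.last_seq:
            self.events.append(f"replay of seq {seq}")
            return None
        self.last_seq = seq
        return header[4:]


def demo() -> dict:
    """Run the attack cases from the slides against one receiver (constructed traffic)."""
    rx = Receiver(KEY)
    f1 = protect(KEY, 1, b"transfer 10")
    f2 = protect(KEY, 2, b"transfer 20")
    out = {"legit": rx.accept(f1)}
    # Passive attack: an eavesdropper copies f1; the receiver sees nothing, so nothing is logged.
    out["logged_after_eavesdrop"] = len(rx.events)
    out["modified"] = rx.accept(f2[:4] + b"transfer 99" + f2[-TAG_LEN:])  # tag no longer matches
    out["replayed"] = rx.accept(f1)  # seq 1 already seen
    out["masquerade"] = rx.accept(protect(b"wrong key", 3, b"transfer 30"))  # no shared key
    out["legit_next"] = rx.accept(f2)  # still accepted after the attacks
    out["events"] = list(rx.events)
    return out
```

Note that the eavesdropping case produces no log entry at all, which is why the slides prescribe prevention (encryption, the data confidentiality service) rather than detection for passive attacks.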