sodapdf-merged.pdf

Transcript

AAA & Access Control
6COSC019W- Cyber Security

Dr Ayman El Hajjar
March 26, 2024
School of Computer Science and Engineering
University of Westminster
 Access Control Logical Access Control Access Control principles Access Control Models Authentication, Authorisation & Accountability (AAA)

O UTLINE

1. Access Control

2. Logical Access Control

3. Access Control principles

4. Access Control Models

5. Authentication, Authorisation & Accountability (AAA)

1
Access Control
Access Control Logical Access Control Access Control principles Access Control Models Authentication, Authorisation & Accountability (AAA)

Protecting Security Assets
The ultimate goal for any security practitioner is to be able to secure
all assets of their organisation.

Defning Access Control
❏ Access Control is the process of protecting a resource so that
it is used only by those allowed to.
❏ Mitigations put into place to protect a resource from a threat
such as to prevent unauthorised use.

2
 Access Control Logical Access Control Access Control principles Access Control Models Authentication, Authorisation & Accountability (AAA)

ACCESS C ONTROL F UNCTIONS

❏ Identifcation: Who is asking to access the asset?
❐ Subjects supplying identifcation information
❐ Username, user ID, account number
❏ Authentication: Can their identities be verifed?
❐ Verifying the identifcation information
❐ Passphrase, PIN, biometric, password, OTP
❏ Authorisation: What can the requester access and do?
❐ Using criteria to determine what the subjects can do on
objects
❐ ”I know who you are, I will allow you to do what you are
allowed to ?”
❏ Accountability: How are actions traced to an individual to
ensure the person who makes data or system changes can be
identifed?
❐ Audit logs and/or real-time monitoring to track subject
activities with objects 3
 Access Control Logical Access Control Access Control principles Access Control Models Authentication, Authorisation & Accountability (AAA)

ACCESS C ONTROL

4
 Access Control Logical Access Control Access Control principles Access Control Models Authentication, Authorisation & Accountability (AAA)

P OLICY D EFINITION AND P OLICY E NFORCEMENT P HASES

❏ Policy Defnition phase: We start by defning Who has
access and what systems or resources they can use.
❐ Tied to the authorisation phase
❏ Then, the policy enforcement phase Grants/Rejects requests
for access based on the authorisations defned in the frst phase.
❐ Tied to identifcation, authentication, & accountability
An example
❏ In the policy defnition phase: We defne the following
❐ Students are only authorised to see contents of their
modules. They cannot edit.
❏ In the policy enforcement phase: For each student who
access the system:
❐ Identifed by their username and authenticated by their
password, they are given access to what they are authorised
to see as per the policy defnition phase. 5
 Access Control Logical Access Control Access Control principles Access Control Models Authentication, Authorisation & Accountability (AAA)

ACCESS C ONTROL C OMPONENTS

6
 Access Control Logical Access Control Access Control principles Access Control Models Authentication, Authorisation & Accountability (AAA)

T YPES OF ACCESS C ONTROL

Physical Access Control
❏ Cards control access to physical resources or fngerprint (less
used)
❏ Smart cards Programmed with ID number are an example
❏ Used at parking lots, elevators, offce doors

Logical Access Control
❏ Deciding which users can get into a system
❏ Monitoring what each user does on that system
❏ Restraining or infuencing a user’s behaviour on that system

7
 Access Control Logical Access Control Access Control principles Access Control Models Authentication, Authorisation & Accountability (AAA)

E NFORCING ACCESS C ONTROL

The Security Kernel
❏ Enforces access control for computer systems
❏ Central point of access control
❏ Implements the reference monitor concept

How Access Control is enforced
❏ The subject requests access to an object. The security kernel
intercepts the request.
❏ The security kernel refers to its rules base, also known as the
security kernel database to allow or deny access.
❏ All access requests handled by the system are logged for later
tracking and analysis.

8
 Access Control Logical Access Control Access Control principles Access Control Models Authentication, Authorisation & Accountability (AAA)

E NFORCING ACCESS C ONTROL

9
Logical Access Control
 Access Control Logical Access Control Access Control principles Access Control Models Authentication, Authorisation & Accountability (AAA)

L OGICAL ACCESS C ONTROL S OLUTIONS

Logical Controls Solutions
Biometrics Static: Fingerprints, iris granularity, retina blood
vessels, facial features, and hand geometry Dy-
namic: Voice infections, keyboard strokes, and
signature motions
Tokens Synchronous or asynchronous Smart cards and
memory cards
Passwords Stringent password controls for users Account
lockout policies Auditing logon events
Single sign-on Kerberos process Secure European System
for Applications in a Multi-Vendor Environment
(SESAME)

10
 Access Control Logical Access Control Access Control principles Access Control Models Authentication, Authorisation & Accountability (AAA)

AUTHENTICATION T YPES

Authentication by Knowledge: Something you know
❐ Passwords, passphrases. PIN number

Authentication by Ownership: Something you own
❏ Synchronous token- Calculates a number at both the
authentication server and the device
❐ Time-based synchronization, i.e. software authenticator
❐ Event-based synchronization, i.e. SMS one time password
❏ Asynchronous token: Fixed, no calculation is needed as long
as you prove you physically have it, you can access
❐ USB token or Smart card

11
 Access Control Logical Access Control Access Control principles Access Control Models Authentication, Authorisation & Accountability (AAA)

A SYNCHRONOUS TOKEN C HALLENGE -R ESPONSE

12
 Access Control Logical Access Control Access Control principles Access Control Models Authentication, Authorisation & Accountability (AAA)

AUTHENTICATION T YPES

Authentication by Characteristics: Something unique to you
❐ This can be:
❑ Biometrics - Something Static, What are you
Fingerprint, facial recognition, hand geometry, Retina
scan
❑ Something Dynamic such as What you do!
Voice patterns, keystroke dynamics, signature dynamics

Authentication by Location: Somewhere you are
❏ Location
❐ Strong indicator of authenticity

13
Access Control principles
 Access Control Logical Access Control Access Control principles Access Control Models Authentication, Authorisation & Accountability (AAA)

G ENERAL P RINCIPLES

❏ Files and folders are managed by the operating system
❏ Applications, including shells, access fles through an API
❏ Access control entry (ACE)
❐ Allow/deny a certain type of access to a fle/folder by
user/group
❏ Access control list (ACL)
❐ Collection of ACEs for a fle/folder
❏ A fle handle provides an opaque identifer for a fle/folder
❏ File operations
❐ Open fle: returns fle handle
❐ Read/write/execute fle
❐ Close fle: invalidates fle handle
❏ Hierarchical fle organisation
❐ Tree (Windows)
❐ DAG (Linux)
14
 Access Control Logical Access Control Access Control principles Access Control Models Authentication, Authorisation & Accountability (AAA)

ACCESS P OLICIES

15
 Access Control Logical Access Control Access Control principles Access Control Models Authentication, Authorisation & Accountability (AAA)

ACCESS C ONTROL M ATRIX EXAMPLE

❐ Each entry in the matrix indicates the access rights of a
particular subject for a particular object

Objects
File 1 File 2 File 3 File 4
Own Own
User A Read Read
Subjects Write Write
Own
User B Read Read Write Read
Write
Own
Read
User C Read Read
Write
Write
16
Access Control Models
 Access Control Logical Access Control Access Control principles Access Control Models Authentication, Authorisation & Accountability (AAA)

ACCESS C ONTROL M ODELS

❏ All access control models are built on the security operation
principles listed below:
❐ Need to know This principle ensures that subjects are
granted access only to what they need to know for their work
tasks and job functions.
❐ Least privilege This principle ensures that subjects are
granted only the privileges they need to perform their work
tasks and job functions.
❐ Separation of privileges This principle ensures that
sensitive functions are split into tasks performed by two or
more employees.

17
 Access Control Logical Access Control Access Control principles Access Control Models Authentication, Authorisation & Accountability (AAA)

ACCESS C ONTROL M ODELS

❏ An access control model is a framework that dictates how
subjects access objects.
❏ It uses access control technologies and security mechanisms
to enforce the rules and objectives of the model.
❏ There are three main types of access control models:
❐ Discretionary
❐ Mandatory (Sometimes called Non-Discretionary)
❐ Rule Based
❐ Attribute-based access control (ABAC)
❏ Each model type uses different methods to control how
subjects access objects
❏ Each model has its own merits and limitations.

18
 Access Control Logical Access Control Access Control principles Access Control Models Authentication, Authorisation & Accountability (AAA)

Role-based access control
Discretionary access control
(RBAC)
(DAC)
Controls access based on the
Controls access based on the
roles that users have within the
identity of the requester and on
system and on rules stating what
access rules (authorisations)
accesses are allowed to users in
stating what requestors are (or are
given roles
not) allowed to do
Attribute-based access control
Mandatory access control
(ABAC)
(MAC)
Controls access based on
Controls access based on
attributes of the user, the resource
comparing security labels with
to be accessed, and current
security clearances
environmental conditions

19
 Access Control Logical Access Control Access Control principles Access Control Models Authentication, Authorisation & Accountability (AAA)

D ISCRETIONARY ACCESS C ONTROL (DAC)

❏ The principle of discretionary access control (DAC) dictates
that the information owner is the one who decides who gets to
access the system(s)
❏Scheme in which an entity may be granted access rights that
permit the entity, by its own violation, to enable another entity to
access some resource
❏ Most of the common operating systems on the market today
(Windows, Macintosh, UNIX and others) rely on DAC principles
for access and operation
❏ Often provided using an access matrix
☞ One dimension consists of identifed subjects that may
attempt data access to the resources
☞ The other dimension lists the objects that may be
accessed
20
 Access Control Logical Access Control Access Control principles Access Control Models Authentication, Authorisation & Accountability (AAA)

DAC T ERMS AND CONCEPTS

❏ Access Control Lists
❐ A list or a fle of users who are given the privilege of
access to a system or resource (a database, for example)
❐ Within the fle is a user ID and an associated privilege or
set of privileges for that user and that resource
❐ Privileges typically include Read, Write, Update, Execute,
Delete, or Rename
❐ The other dimension lists the objects that may be
accessed
❏ User Provisioning
❐ Granting access to new employees
❐ Include checking management approvals for grating
access

21
 Access Control Logical Access Control Access Control principles Access Control Models Authentication, Authorisation & Accountability (AAA)

N ON - DISCRETIONARY ACCESS C ONTROL

❏ Access rules are closely managed by security administrator,
not system owner or ordinary users
❏ Sensitive fles are write-protected for integrity and readable
only by authorised users
❏ More secure than discretionary access control
❏ Ensures that system security is enforced and tamper-proof

22
 Access Control Logical Access Control Access Control principles Access Control Models Authentication, Authorisation & Accountability (AAA)

M ANDATORY ACCESS C ONTROL (MAC)

❏ Determines the level of restriction by how sensitive the
resource is
❏ The system decides who gains access to information based on
the concepts of subjects, objects, and labels
❏ Often used in military and government systems with labels
given to objects and access is given to subject based on security
clearance level.
❐ Subjects: The people or other systems that are granted a
clearance to access an object within the information system
❐ Objects: The elements within the information system that
are being protected from use or access
❐ classifcation label: The mechanism that binds objects to
subjects. A subject’s clearance permits access to an object
based on the labelled security protection assigned to that
object such as Top Secret, Secret, Confdential and
unclassifed 23
 Access Control Logical Access Control Access Control principles Access Control Models Authentication, Authorisation & Accountability (AAA)

R ULE BASED ACCESS C ONTROL (RBAC)

❏ Rule-based access control uses specifc rules that indicate
what can and cannot happen between a subject and an object.
❏ It is based on the simple concept of ”if X then Y” programming
rules, which can be used to provide fner-grained access control
to resources.
❏ Before a subject can access an object in a certain
circumstance, it must meet a set of predefned rules.
❐ An example can be as simple as ”If the user’s ID matches
the unique user ID value in the provided digital certifcate,
then the user can gain access.”
❐ or a complex example such as ”If the user is accessing
the system between Monday and Friday and between 8 A.M.
and 5 P.M., and if the user’s security clearance equals or
dominates the object’s classifcation, and if the user has the
necessary need to know, then the user can access the
object.” 24
 Access Control Logical Access Control Access Control principles Access Control Models Authentication, Authorisation & Accountability (AAA)

R ULE -BASED ACCESS C ONTROL

25
 Access Control Logical Access Control Access Control principles Access Control Models Authentication, Authorisation & Accountability (AAA)

ATTRIBUTE -BASED ACCESS C ONTROL (ABAC)

❏ Can defne authorisations that express conditions on
properties of both the resource and the subject
❏ Strength is its fexibility and expressive power
❏Main obstacle to its adoption in real systems has been concern
about the performance impact of evaluating predicates on both
resource and user properties for each access
❏ There is considerable interest in applying the model to cloud
services

26
Authentication, Authorisation &
Accountability (AAA)
 Access Control Logical Access Control Access Control principles Access Control Models Authentication, Authorisation & Accountability (AAA)

AUTHENTICATION , AUTHORISATION , AND ACCOUNTING (AAA)

❏ AAA protocols are commonly used with remote access
systems such as virtual private networks (VPNs) and other types
of network access servers to provide centralised access control.
❏ They prevent internal LAN authentication systems and other
servers from being attacked remotely.
❏ When a separate system is used for remote access, only the
remote access users are affected if this system is successfully
attacked.
❏ The AAA protocols are also commonly used for mobile IP,
which provides access to mobile users with smart phones.

27
 Access Control Logical Access Control Access Control principles Access Control Models Authentication, Authorisation & Accountability (AAA)

C ENTRALISED AND D ECENTRALISED AAA

❏ Additional access control mechanisms are required because
of the use of insecure networks to create a connection to the
corporate local area network
❏ Centralised authentication, authorization, and accounting
(AAA) servers
❐ RADIUS
❐ TACACS+
❐ DIAMETER
❏ Decentralised Access Control: Access control is in the hands
of the people closest to the system users
❐ Password Authentication Protocol (PAP)
❐ Challenge-Handshake Authentication Protocol (CHAP)
❐ Mobile device authentication, Initiative for Open
Authentication (OATH). For example One-Time Password
(OTP)
28
 Access Control Logical Access Control Access Control principles Access Control Models Authentication, Authorisation & Accountability (AAA)

R EMOTE U SER ACCESS AND AUTHENTICATION (RADIUS)

❏ RADIUS is a client/server protocol and software that enables
remote access users to communicate with a central server to
authorise their access to the requested system or service
❏ It allows companies to have a single administered entry point,
which provides standardization in security and a simplistic way to
track usage and network statistics.

29
 Access Control Logical Access Control Access Control principles Access Control Models Authentication, Authorisation & Accountability (AAA)

TACACS+ ARCHITECTURE :

❏ TACACS+ provides the same What does the use of TCP
functionality as RADIUS with a few means for us?
differences in some of its
❐ Any software that uses
characteristics.
UDP as its transport
❐ TACACS+ uses TCP as its protocol has to be ”fatter”
transport protocol, while RADIUS with intelligent code.
uses UDP. TACAS+ will be faster to
❏ If compared with RADIUS, transmit.
TACACS+ is the better choice for
complex environments such as
corporate networks that require
❐ More sophisticated
authentication steps
❐ Tighter control over more
complex authorisation activities,
30
 Access Control Logical Access Control Access Control principles Access Control Models Authentication, Authorisation & Accountability (AAA)

D IAMETER

❏ Diameter is a protocol that has been developed to build upon
the functionality of RADIUS and overcome many of its limitations.
❏ Diameter uses TCP as its transport protocol
❏ It provides the same type of functionality as RADIUS and
TACACS+ in addition to wireless networks access.
❏ Diameter also provides more fexibility and capabilities to meet
the new demands of today’s complex and diverse networks.
❏ Diameter can deal with issues such as mobile IP.
❏ Diameter provides several functionalities in addition to AAA
functionality such as roaming operations and replay attack
protection.

31
 Access Control Logical Access Control Access Control principles Access Control Models Authentication, Authorisation & Accountability (AAA)

S INGLE S IGN -O N (SSO)

❏ In an SSO system, users have one password for all corporate
and back-offce systems and applications they need to perform
their jobs
❏ One password can be remembered and used, thus increasing
the security of the overall system of access controls
❏ Single Sign-On mechanisms include
❐ Kerberos
❐ Federated Identities

32
 Access Control Logical Access Control Access Control principles Access Control Models Authentication, Authorisation & Accountability (AAA)

K ERBEROS

❏Kerberos is designed to provide authentication for client/server
applications by using symmetric-key cryptography
❏ A free implementation available from MIT
❏ Works by assigning a unique key, called a ticket, to each user
❏ User logs in once and then can access all resources based on
the permission level associated with the ticket

33
 Access Control Logical Access Control Access Control principles Access Control Models Authentication, Authorisation & Accountability (AAA)

F EDERATED I DENTITIES

❏ Sites have an arrangement with a service so users can log in
with the service credentials and don’t have to create a new
unique user name and password
❐ Facebook
❐ Google

34
 Access Control Logical Access Control Access Control principles Access Control Models Authentication, Authorisation & Accountability (AAA)

R EFERENCES

❏ The lecture notes and contents were compiled from my own
notes and from various sources.
❏ Figures and tables are from the recommended books
❏ The lecture notes are very detailed. If you attend the
lecture, you should be able to understand the topics.
❏ You can use any of the recommended readings! You do
not need to read all the chapters!
❏ Recommended Readings note: Focus on what was covered
in the class.
❐ Chapter 14, Security Architecture and Design, CEH v11
Certifed Ethical Hacker Study Guide
❐ Chapter 6, Access Controls, Fundamentals of Information
Systems Security
❐ Chapter 14, Authentication, Authorisation & Accountability
CyBOK, The Cyber Security Body of Knowledge
35
Defensive Technologies -(Intrusion
Detection and Firewalls)
6COSC019W- Cyber Security

Dr Ayman El Hajjar
April 02, 2024
School of Computer Science and Engineering
University of Westminster
 Firewall Systems Intrusion Detection Systems (IDS) Intrusion Prevention Systems (IPS) Honeypots

O UTLINE

1. Firewall Systems

2. Intrusion Detection Systems (IDS)

3. Intrusion Prevention Systems (IPS)

4. Honeypots

1
Firewall Systems
 Firewall Systems Intrusion Detection Systems (IDS) Intrusion Prevention Systems (IPS) Honeypots

T HE N EED F OR F IREWALLS

❏ Internet connectivity is essential however it brings threats to
our information system enrolment.
❏ Placed between the premises network and the Internet to
establish a controlled link
❐ Can be a single computer system or a set of two or more
systems working together
❏ Used as a perimeter defence
❐ Single choke point to impose security and auditing
❐ separates the internal systems from external networks

2
 Firewall Systems Intrusion Detection Systems (IDS) Intrusion Prevention Systems (IPS) Honeypots

F IREWALL C HARACTERISTICS

Design goals
❐ All traffc from inside to outside, and vice versa, must pass
through the frewall
❐ Only authorised traffc as defned by the local security policy
will be allowed to pass
❐ The frewall itself is immune to penetration

3
 Firewall Systems Intrusion Detection Systems (IDS) Intrusion Prevention Systems (IPS) Honeypots

T YPES OF F IREWALL

❏ A frewall can monitor network traffc at a number of levels
from low-level network packets, either individually or as part of
a fow, to all traffc within a transport connection, up to
inspecting details of application protocols.
❏ The choice of which level is appropriate is determined by the
desired frewall access policy.
❏ Firewall levels are:
❐ Packet fltering frewall
❐ Stateful fltering frewall
❐ Application proxy frewall
❐ Circuit level proxy frewall

4
 Firewall Systems Intrusion Detection Systems (IDS) Intrusion Prevention Systems (IPS) Honeypots

W HAT DO THEY F ILTER !
IP address and protocol values
❐ This type of fltering is used by packet flter and stateful
inspection frewalls, used to limit access to specifc services

Application protocol
❐ This type of fltering is used by an application-level gateway
that relays and monitors the exchange of information for specifc
application protocols

User identity
❐ Typically for inside users who identify themselves using some
form of secure authentication technology

Network activity
❐ Controls access based on considerations such as the time or
request, rate of requests, or other activity patterns
5
 Firewall Systems Intrusion Detection Systems (IDS) Intrusion Prevention Systems (IPS) Honeypots

PACKET F ILTERING F IREWALL

Also called Stateless fltering Firewall
❏ Applies rules to each incoming and outgoing IP packet
❐ Typically a list of rules based on matches in the IP or TCP
header
❏ Two default policies:
❐ Discard (Deny) - prohibit unless expressly permitted
❐ Forward (Permit) - permit unless expressly prohibited
Filtering rules are based on information contained in a network
packet
❏ Source IP address
❏ Destination IP address
❏ Source and destination transport-level address
❏ IP protocol feld
❏ Interface
6
 Firewall Systems Intrusion Detection Systems (IDS) Intrusion Prevention Systems (IPS) Honeypots

S TATEFUL FILTERING FIREWALL

❏ Tightens rules for TCP traffc by creating a directory of
outbound TCP connections
❐ There is an entry for each currently established
connection
❐ Packet flter allows incoming traffc to high numbered ports
only for those packets that ft the profle of one of the entries
in this directory
❏ Reviews packet information but also records information about
TCP connections
❐ Keeps track of TCP sequence numbers to prevent attacks
that depend on the sequence number

7
 Firewall Systems Intrusion Detection Systems (IDS) Intrusion Prevention Systems (IPS) Honeypots

A PPLICATION PROXY FIREWALL

❏ Also called ”Application-Level Gateway”
❏ Acts as a relay of application-level traffc
❐ User contacts gateway using a TCP/IP application
❐ User is authenticated
❐ Gateway contacts application on remote host and relays
TCP segments between server and user
❏ Must have proxy code for each application
❐ May restrict application features supported
❏ Tend to be more secure than packet flters
❏ Disadvantage is the additional processing overhead on each
connection

8
 Firewall Systems Intrusion Detection Systems (IDS) Intrusion Prevention Systems (IPS) Honeypots

C IRCUIT-L EVEL G ATEWAY

Circuit level proxy
❏ Sets up two TCP connections, one between itself and a TCP
user on an inner host and one on an outside host
❏ Relays TCP segments from one connection to the other
without examining contents
❏ Security function consists of determining which connections
will be allowed

❏ Typically used when inside users are trusted
❐ May use application-level gateway inbound and
circuit-level gateway outbound
❐ Lower overheads

9
Firewall Systems Intrusion Detection Systems (IDS) Intrusion Prevention Systems (IPS) Honeypots

Figure 1: Types of Firewall

10
 Firewall Systems Intrusion Detection Systems (IDS) Intrusion Prevention Systems (IPS) Honeypots

H OST-BASED F IREWALLS / P ERSONAL F IREWALL

❏ Used to secure an individual host
❏ Available in operating systems or can be provided as an
add-on package
❏ Can be housed in a router that connects all of the home
computers to the Internet
❏ Filter and restrict packet fows. Primary role is to deny
unauthorised remote access
❏ May also monitor outgoing traffc to detect and block worms
and malware activity
Advantages
❐ Filtering rules can be tailored to the host environment
❐ Protection is provided independent of topology
❐ Provides an additional layer of protection

11
Intrusion Detection Systems
(IDS)
 Firewall Systems Intrusion Detection Systems (IDS) Intrusion Prevention Systems (IPS) Honeypots

Security Intrusion:
unauthorised act of bypassing the security
mechanisms of a system
Intrusion Detection:
A hardware or software function that gathers
and analyses information from various areas
within a computer or a network to identify
possible security intrusions

11
 Firewall Systems Intrusion Detection Systems (IDS) Intrusion Prevention Systems (IPS) Honeypots

I NTRUSION D ETECTION S YSTEM (IDS)

❏ An IDS Comprises of three logical components
❐ Sensors - A fundamental component of intrusion
detection that collects data.
❐ Common data sources include System call traces, Audit
(log fle) records,File integrity checksums, Registry access.
❐ Analysers - determine if intrusion has occurred
❐ User interface - view output or control system behaviour
❏ An IDS uses either the Anomaly detection or the
Signature/Heuristic detection approach.
❏ There are three type of Intrusion Detection systems, a
Host-based IDS (HIDS) a Network-based IDS (NIDS) and a
Distributed or hybrid IDS that combines both characteristics

12
 Firewall Systems Intrusion Detection Systems (IDS) Intrusion Prevention Systems (IPS) Honeypots

A NALYSIS A PPROACHES

❏ Anomaly detection
❐ Involves the collection of data relating to the behaviour of
legitimate users over a period of time
❐ Current observed behaviour is analysed to determine
whether this behaviour is that of a legitimate user or that of
an intruder
❏ Signature/Heuristic detection
❐ Uses a set of known malicious data patterns or attack
rules that are compared with current behaviour
❐ Also known as misuse detection
❐ Can only identify known attacks for which it has patterns
or rules

13
 Firewall Systems Intrusion Detection Systems (IDS) Intrusion Prevention Systems (IPS) Honeypots

S IGNATURE OR A NOMALY ?

❏ Attacks suitable for Signature detection
❐ Application layer reconnaissance and attacks
❐ Transport layer reconnaissance and attacks
❐ Network layer reconnaissance and attacks
❐ Unexpected application services
❐ Policy violations
❏ Attacks suitable for Anomaly detection
❐ Denial-of-service (DoS) attacks
❐ Scanning
❐ Worms

14
 Firewall Systems Intrusion Detection Systems (IDS) Intrusion Prevention Systems (IPS) Honeypots

H OST-BASED I NTRUSION D ETECTION S YSTEM (HIDS)

❏ Adds a specialised layer of security software to vulnerable or
sensitive systems
❏ Can use either anomaly or signature and heuristic approaches
❏ Monitors activity to detect suspicious behaviour
❐ Primary purpose is to detect intrusions, log suspicious
events, and send alerts
❐ Can detect both external and internal intrusions

15
 Firewall Systems Intrusion Detection Systems (IDS) Intrusion Prevention Systems (IPS) Honeypots

N ETWORK -BASED I NTRUSION D ETECTION S YSTEM (NIDS)

❏ Monitors traffc at selected points on a network
❏ Examines traffc packet by packet in real or close to real time
❏ May examine network, transport, and/or application-level
protocol activity
❏ Comprised of a number of sensors, one or more servers for
NIDS management functions, and one or more management
consoles for the human interface
❏ Analysis of traffc patterns may be done at the sensor, the
management server or a combination of the two

16
 Firewall Systems Intrusion Detection Systems (IDS) Intrusion Prevention Systems (IPS) Honeypots

A N I NTRUSION DETECTION SYSTEM MUST BE ABLE TO

❐ Run continually with minimal human supervision.
❐ Be fault tolerant - Must be able to recover from system crashes
and reinitialisations.
❐ Resist subversion. The IDS must be able to monitor itself and
detect if it has been modifed by an attacker.
❐ Impose a minimal overhead on the system where it is running.
❐ Be able to be confgured according to the security policies of
the system that is being monitored.
❐ Be able to adapt to changes in system and user behaviour
over time.
❐ Be able to scale to monitor a large number of hosts.
❐ Provide graceful degradation of service in the sense that if
some components of the IDS stop working for any reason, the
rest of them should be affected as little as possible.
❐ Allow dynamic reconfguration; that is, the ability to reconfgure
the IDS without having to restart it. 17
Intrusion Prevention Systems
(IPS)
 Firewall Systems Intrusion Detection Systems (IDS) Intrusion Prevention Systems (IPS) Honeypots

I NTRUSION P REVENTION S YSTEMS (IPS)

❏ Also known as Intrusion Detection and Prevention System
(IDPS)
❏ Is an extension of an IDS that includes the capability to
attempt to block or prevent detected malicious activity
❏ Can be host-based, network-based, or distributed/hybrid
❏ Can use anomaly detection to identify behavior that is not that
of legitimate users, or signature/heuristic detection to identify
known malicious behavior can block traffc as a frewall does, but
makes use of the types of algorithms developed for IDSs to
determine when to do so

18
 Firewall Systems Intrusion Detection Systems (IDS) Intrusion Prevention Systems (IPS) Honeypots

H OST-BASED IPS (HIPS)

❏ Can make use of either signature/heuristic or anomaly
detection techniques to identify attacks
❐ Signature: focus is on the specifc content of application
network traffc, or of sequences of system calls, looking for
patterns that have been identifed as malicious
❐ Anomaly: IPS is looking for behaviour patterns that
indicate malware
❏ Examples of the types of malicious behaviour addressed by a
HIPS are Modifcation of system resources, Privilege-escalation
exploits, Buffer-overfow exploits, Access to e-mail contact list,
Directory traversal

19
 Firewall Systems Intrusion Detection Systems (IDS) Intrusion Prevention Systems (IPS) Honeypots

H OST-BASED IPS (HIPS)

❏ Capability can be tailored to the specifc platform
❏ A set of general purpose tools may be used for a desktop or
server system.
❏ Some packages are designed to protect specifc types of
servers, such as Web servers and database servers
❏ Can use a sandbox approach
❐ Sandboxes are especially suited to mobile code such as
Java applets and scripting languages
❐ HIPS quarantines such code in an isolated system area
then runs the code and monitors its behavior
❐ Areas for which a HIPS typically offers desktop protection
such as System calls, File system access.

20
 Firewall Systems Intrusion Detection Systems (IDS) Intrusion Prevention Systems (IPS) Honeypots

T HE R OLE OF HIPS

❏ Many industry observers see the enterprise endpoint,
including desktop and laptop systems, as now the main target for
hackers and criminals
❐ Endpoint security is provided by a collection of products,
such as antivirus, and frewalls.
❏ Approach is an effort to provide an integrated, single-product
suite of functions
❏ HIPS can be used as a defence-in-depth strategy that involves
network-level devices, such as network-based IPSs

21
 Firewall Systems Intrusion Detection Systems (IDS) Intrusion Prevention Systems (IPS) Honeypots

N ETWORK -BASED IPS (NIPS)

❏ Inline NIDS with the authority to modify or discard packets and
tear down TCP connections
❏ Makes use of signature/heuristic and anomaly detection
❏ May provide fow data protection
❐ Requires that the application payload in a sequence of
packets be reassembled

22
 Firewall Systems Intrusion Detection Systems (IDS) Intrusion Prevention Systems (IPS) Honeypots

IPS METHODS TO IDENTIFY MALICIOUS PACKETS

❐ Signature-based : This method involves comparing network
traffc against a database of known attack patterns or signatures.
❐ Anomaly-based : Anomaly detection involves establishing a
baseline of normal network behaviour and then identifying
deviations from this baseline.
❐ Heuristic-based : Heuristic analysis involves using rules and
algorithms to identify potentially malicious behaviour. This
method is less specifc than signature-based method but can
detect previously unknown threats such as Zero-Day attacks
based on certain characteristics.
❐ Protocol Analysis: IPS devices may analyse network
protocols to detect abnormalities or violations. For example, if a
protocol is not adhering to its standard specifcations, it may be
fagged as suspicious.

23
Honeypots
 Firewall Systems Intrusion Detection Systems (IDS) Intrusion Prevention Systems (IPS) Honeypots

H ONEYPOTS

❏ Decoy systems designed to:
❐ Lure a potential attacker away from critical systems
❐ Collect information about the attacker’s activity
❐ Encourage the attacker to stay on the system long enough
for administrators to respond
❏ Systems are flled with fabricated information that a legitimate
user of the system wouldn’t access
❏ Resources that have no production value
❐ Therefore incoming communication is most likely a probe,
scan, or attack
❐ Initiated outbound communication suggests that the
system has probably been compromised
❏ A collection of honeypots is called HoneyNets.

24
 Firewall Systems Intrusion Detection Systems (IDS) Intrusion Prevention Systems (IPS) Honeypots

H ONEYPOT C LASSIFICATIONS

❏ Low interaction honeypot
❐ Software package that emulates particular IT services or
systems well enough to provide a realistic initial interaction
❐ Provides a less realistic target
❐ Often suffcient for use as a component of a distributed
IDS to warn of imminent attack
❏ High interaction honeypot
❐ A real system, with a full operating system, services and
applications, which are instrumented and deployed where
they can be accessed by attackers
❐ Is a more realistic target that may occupy an attacker for
an extended period

25
 Firewall Systems Intrusion Detection Systems (IDS) Intrusion Prevention Systems (IPS) Honeypots

R EQUIREMENTS OF H ONEYPOTS /H ONEYNETS

❏ Isolation
❐ They should be isolated from the production system and
network are typically
❐ They should contain and study any malicious activity
without putting actual production systems at risk.
❏ Continuous monitoring
❐ They should be monitored continuously analyse potential
threats on the company and the behaviour of attackers.
❏ Deception
❐ They should be as realistic as possible as they rely on the
principle of deception.
❐ By presenting an attractive target to potential attackers,
security experts can observe and learn from their activities
without exposing real assets

26
 Firewall Systems Intrusion Detection Systems (IDS) Intrusion Prevention Systems (IPS) Honeypots

R EFERENCES

❏ The lecture notes and contents were compiled from my own
notes and from various sources.
❏ Figures and tables are from the recommended books
❏ The lecture notes are very detailed. If you attend the
lecture, you should be able to understand the topics.
❏ You can use any of the recommended readings! You do
not need to read all the chapters!
❏ Recommended Readings note: Focus on what was covered
in the class.
❐ Chapter 3, Security Foundations , CEH v11 Certifed
Ethical Hacker Study Guide
❐ Chapter 5 ,Networks and Telecommunications,
Fundamentals of Information Systems Security
❐ Chapter 19, Network Security, The Cyber Security Body of
Knowledge
27
Security Controls
6COSC019W- Cyber Security

Dr Ayman El Hajjar
February 19, 2024
School of Computer Science and Engineering
University of Westminster
 Security Controls Application layer controls Host to Host/Transport layer Controls Network Layer Security

O UTLINE

1. Security Controls

2. Application layer controls

3. Host to Host/Transport layer Controls

4. Network Layer Security

1
Security Controls
 Security Controls Application layer controls Host to Host/Transport layer Controls Network Layer Security

S ECURITY C ONTROL

Control is defned as:
“An action, device, procedure, or other
measure that reduces risk by eliminating or
preventing a security violation, by
minimizing the harm it can cause, or by
discovering and reporting it to enable
corrective action.”

1
 Security Controls Application layer controls Host to Host/Transport layer Controls Network Layer Security

C ONTROL C LASSIFICATIONS

Management controls
✺ Focus on security policies, planning, guidelines, and
standards that infuence the selection of operational and
technical controls to reduce the risk of loss and to protect
the organization’s mission
✺ These controls refer to issues that management needs to
address
Operational controls
✺ Address the correct implementation and use of security
policies and standards, ensuring consistency in security
operations and correcting identifed operational defciencies
✺ These controls relate to mechanisms and procedures that
are primarily implemented by people rather than systems
✺ They are used to improve the security of a system or
group of systems
2
 Security Controls Application layer controls Host to Host/Transport layer Controls Network Layer Security

C ONTROL C LASSIFICATIONS

Technical controls
✺ Involve the correct use of hardware and software security
capabilities in systems
✺ These range from simple to complex measures that work
together to secure critical and sensitive data, information,
and IT systems functions

3
 Security Controls Application layer controls Host to Host/Transport layer Controls Network Layer Security

C ONTROL C LASSES

Each of the control classes may include the following:
Supportive controls
✺ Pervasive, generic, underlying technical IT security
capabilities that are interrelated with, and used by, many
other controls
Preventative controls
✺ Focus on preventing security breaches from occurring, by
inhibiting attempts to violate security policies or exploit a
vulnerability
Detection and recovery controls
✺ Focus on the response to a security breach, by warning of
violations or attempted violations of security policies or the
identifed exploit of a vulnerability and by providing means to
restore the resulting lost computing resources
4
 Security Controls Application layer controls Host to Host/Transport layer Controls Network Layer Security

T ECHNICAL CONTROLS - TCP/IP SECURITY SOLUTION

A number of approaches to providing Internet security are
possible.
The various approaches that have been considered are similar in
the services they provide in relation to to the TCP/IP protocol
stack.

Relative location of security facilities in the TCP/IP protocol stack

5
Application layer controls
 Security Controls Application layer controls Host to Host/Transport layer Controls Network Layer Security

E MAIL S ECURITY: MIME AND S/MIME

Multipurpose Internet Mail
Secure/Multipurpose Internet
Extension
Mail Extension
✺ Simple heading with To, From,
Security enhancement to the
Subject
MIME Internet e-mail format
✺Assumes ASCII text format
✺ Based on technology
Provides a number of new from RSA Data Security
header felds that defne
Provides the ability to sign
information about the body of the
and/or encrypt e-mail messages
message

6
 Security Controls Application layer controls Host to Host/Transport layer Controls Network Layer Security

S/M IME F UNCTIONS

6
 Security Controls Application layer controls Host to Host/Transport layer Controls Network Layer Security

S IMPLIFIED S/MIME F UNCTIONAL F LOW

6
 Security Controls Application layer controls Host to Host/Transport layer Controls Network Layer Security

P RETTY G OOD P RIVACY (PGP) C RYPTOGRAPHY

❏ Another standard for electronic-mail encryption and digital
signatures
❏ Use a Public Private Keys (PPK) method
❐ Users can sign one another’s public keys, adding some
degree of confdence to a key’s validity
❐ Someone who signs another’s public key acts as an
introducer for that person to someone else so that if
someone trusts the introducer, they should also trust the
person who’s being introduced
❐ Pretty Good Privacy (PGP) is often used to encrypt
documents that can be shared via e-mail over the open
Internet
❏ S/MIME and Open PGP use proprietary encryption techniques
and handle digital signatures differently

7
 Security Controls Application layer controls Host to Host/Transport layer Controls Network Layer Security

DNS THREATS P REVENTION

❏ DNSSEC adds
❏ To prevent DNS Hijacking and considerable load to dns
DNS Pharming, DNS Security servers with packet sizes
(DNSSEC) is deployed to ensure: considerably larger than
❐ Authenticity of DNS answer 512 byte size of UDP
origin packets
❐ Integrity of reply
❐ Authenticity of denial of
existence
❐ Accomplishes this by signing
DNS replies at each step of the
way
❐ Uses public-key cryptography
to sign responses DNSSEC Signing

8
 Security Controls Application layer controls Host to Host/Transport layer Controls Network Layer Security

S ECURE S HELL (SSH)

A protocol for secure network communications designed to be
relatively simple and inexpensive to implement
The initial version, SSH1 was focused on providing a secure
remote logon facility to replace TELNET and other remote login
schemes that provided no security
SSH also provides a more general client/server capability and
can be used for such network functions as fle transfer and e-mail
SSH client and server applications are widely available for
most operating systems
SSH2 fxes a number of security faws in the original scheme.

9
 Security Controls Application layer controls Host to Host/Transport layer Controls Network Layer Security

SSH transport layer packets exchange

10
 Security Controls Application layer controls Host to Host/Transport layer Controls Network Layer Security

SSH PROTOCOL PACKET EXCHANGE

First, the client establishes
a TCP connection to the
server.
This is done via the TCP
protocol and is not part of the
Transport Layer Protocol.
Once the connection is
established, the client and
server exchange packets in
the data feld of a TCP
segment.

SSH protocol packet exchanges
11
 Security Controls Application layer controls Host to Host/Transport layer Controls Network Layer Security

SSH PROTOCOL STACK

SSH protocol stack
12
Host to Host/Transport layer
Controls
 Security Controls Application layer controls Host to Host/Transport layer Controls Network Layer Security

T RANSPORT LAYER S ECURITY - A DEFINITION

13
 Security Controls Application layer controls Host to Host/Transport layer Controls Network Layer Security

TLS PROTOCOL STACK

TLS is designed to make use of TCP to provide a reliable
end-to-end secure service.
The TLS Record Protocol provides basic security services to
various higher layer protocols.
Three higher-layer protocols are defned as part of TLS:
✺ The Handshake Protocol;
✺ The Change Cipher Spec Protocol;
✺ and the Alert Protocol.
These TLS specifc protocols are used in the management of
TLS exchanges.
A fourth protocol, the Heartbeat Protocol, is defned in a
separate RFC.

14
 Security Controls Application layer controls Host to Host/Transport layer Controls Network Layer Security

TLS C ONCEPTS

Two important TLS concepts are the TLS session and the TLS
connection which are defned in the specifcation.
✺ TLS Session:
❍ Created by the Handshake Protocol
❍ Defne a set of cryptographic parameters
❍ Used to avoid the expensive negotiation of new
security parameters for each connection
✺ TLS Connection:
❍ A transport layer protocol that provides a suitable
type of service
❍ Peer-to-peer relationships
❍ Every connection is associated with one session

15
 Security Controls Application layer controls Host to Host/Transport layer Controls Network Layer Security

TLS H ANDSHAKE MESSAGES

Most complex part of TLS
Is used before any application data are transmitted
Allows server and client to:
✺ Authenticate Each Other → Negotiate encryption and
MAC algorithms → Negotiate cryptographic keys to be used
Comprises a series of messages exchanged by client and
server
Exchange has four phases

16
 Security Controls Application layer controls Host to Host/Transport layer Controls Network Layer Security

H ANDSHAKE PROTOCOL ACTION

17
 Security Controls Application layer controls Host to Host/Transport layer Controls Network Layer Security

HTTPS (HTTP OVER TSL)

Combination of HTTP and TLS (RFC 2818, HTTP Over TLS)
to implement secure communication between a Web browser
and a Web server
Built into all modern Web browsers
✺ URL addresses begin with https://
Agent acting as the HTTP client also acts as the TLS client
Closure of an HTTPS connection requires that TLS close the
connection with the peer TLS entity on the remote side, which
will involve closing the underlying TCP connection

18
Network Layer Security
 Security Controls Application layer controls Host to Host/Transport layer Controls Network Layer Security

IP S ECURITY

RFC 1636: “Security in the Internet Architecture” issued in
1994 by the Internet Architecture Board (IAB)

Security for IP & Networks
✺ Need to secure the network infrastructure from unauthorised
monitoring and control of network traffc
✺ Need to secure end-user-to-end-user traffc using
authentication and encryption mechanisms

19
 Security Controls Application layer controls Host to Host/Transport layer Controls Network Layer Security

A PPLICATIONS OF IP SEC

IPsec provides the capability to secure communications
across a LAN, private and public WANs, and the Internet
Examples include:
✺ Secure branch offce connectivity over the Internet
✺ Secure remote access over the Internet
✺ Establishing extranet and intranet connectivity with
partners
✺ Enhancing electronic commerce security
Principal feature of IPsec is that it can encrypt and/or
authenticate all traffc at the IP level
✺ Thus all distributed applications (remote logon,
client/server, e-mail, fle transfer, Web access) can be
secured

20
 Security Controls Application layer controls Host to Host/Transport layer Controls Network Layer Security

IP SEC S ERVICES

IPsec provides security services at the IP layer by enabling a
system to:
✺ Select required security protocols
✺ Determine the algorithm(s) to use for the service(s)
✺ Put in place any cryptographic keys required to provide
the requested services
RFC 4301 lists the following services:
✺ Access control
✺ Connectionless integrity
✺ Data origin authentication
✺ Rejection of replayed packets (Integrity)
✺ Confdentiality (encryption/confdentiality)

21
 Security Controls Application layer controls Host to Host/Transport layer Controls Network Layer Security

B ENEFITS OF IPS EC

When IPsec is implemented in a frewall or router, it provides
strong security that can be applied to all traffc crossing the
perimeter
Traffc within a company or workgroup does not incur the
overhead of security-related processing
IPsec is below the transport layer (TCP, UDP) and so is
transparent to applications
There is no need to train users on security mechanisms
This is useful for offsite workers and for setting up a secure
virtual subnetwork within an organisation for sensitive
applications

22
 Security Controls Application layer controls Host to Host/Transport layer Controls Network Layer Security

T HE SCOPE OF IPS EC

Provides two main functions:
✺ A combined authentication/encryption function called
Encapsulating Security Payload (ESP)
✺ Key exchange function
Also an authentication-only function, implemented using an
Authentication Header (AH)
✺ Because message authentication is provided by ESP, the
use of AH is included in IPsecv3 for backward compatibility
but should not be used in new applications
VPNs want both authentication and encryption

23
 Security Controls Application layer controls Host to Host/Transport layer Controls Network Layer Security

T RANSPORT M ODE

Provides protection primarily for upper-layer protocols
Examples include a TCP or UDP segment or an ICMP packet
Typically used for end-to-end communication between two
hosts
ESP in transport mode encrypts and optionally authenticates
the IP payload but not the IP header
AH in transport mode authenticates the IP payload and
selected portions of the IP header

24
 Security Controls Application layer controls Host to Host/Transport layer Controls Network Layer Security

T UNNEL M ODE

Provides protection to the entire IP packet
Used when one or both ends of a security association (SA) are
a security gateway
A number of hosts on networks behind frewalls may engage in
secure communications without implementing IPsec
ESP in tunnel mode encrypts and optionally authenticates the
entire inner IP packet, including the inner IP header
AH in tunnel mode authenticates the entire inner IP packet and
selected portions of the outer IP header

25
 Security Controls Application layer controls Host to Host/Transport layer Controls Network Layer Security

IPS EC : T UNNEL MODE FORMAT

Tunnel mode makes use of an IPsec function, a combined
authentication/encryption function called Encapsulating Security
Payload (ESP), and a key exchange function.
For VPNs, both authentication and encryption are generally
desired, because it is important both to (1) assure that
unauthorised users do not penetrate the VPN, and (2) assure
that eavesdroppers on the Internet cannot read messages sent
over the VPN.

Tunnel mode format

26
 Security Controls Application layer controls Host to Host/Transport layer Controls Network Layer Security

R EFERENCES

❏ The lecture notes and contents were compiled from my own
notes and from various sources.
❏ Figures and tables are from the recommended books
❏ The lecture notes are very detailed. If you attend the
lecture, you should be able to understand the topics.
❏ You can use any of the recommended readings! You do
not need to read all the chapters!
❏ Recommended Readings note: Focus on what was covered
in the class.
❐ Chapter 13- Attack and Defence, CEH v11 Certifed
Ethical Hacker Study Guide
❐ SQL Injection on Owasp site Link
❐ Chapter 8, Malicious Software and Attack Vectors,
Fundamentals of Information Systems Security
❐ Chapter 15, 16 & 17, CyBOK, The Cyber Security Body of
Knowledge 27
Malicious Software
6COSC019W- Cyber Security

Dr Ayman El Hajjar
February 20, 2024
School of Computer Science and Engineering
University of Westminster
 Malicious Software Malware Taxonomy Malware Types Payload Classifcations Threats & Countermeasures

O UTLINE

1. Malicious Software

2. Malware Taxonomy

3. Malware Types

4. Payload Classifcations

5. Threats & Countermeasures

1
Malicious Software
 Malicious Software Malware Taxonomy Malware Types Payload Classifcations Threats & Countermeasures

M ALWARE

NIST 800-83 defnes malware as:
“A program that is inserted into a system, usually covertly, with the
intent of compromising the confdentiality, integrity, or availability of
the victim’s data, applications, or operating system or otherwise
annoying or disrupting the victim.”

NCSC defnes malware as:
“a term that includes virus, trojans, worms or any code or content that
could have an adverse impact on organisations or individuals..”

2
 Malicious Software Malware Taxonomy Malware Types Payload Classifcations Threats & Countermeasures

M ALICIOUS C ODE AND ACTIVITY

❏ Any program that carries out actions that you (user/System)
did not intend to do is considered to be a Malicious software
(malware)
❏ Malicious code attacks one or more of the three information
security properties:
❐ Confdentiality: Malware can disclose your organisation’s
private information
❐ Integrity: Malware can modify database records, either
immediately or over a period of time
❐ Availability: Malware can erase or overwrite fles or infict
considerable damage to storage media

3
 Malicious Software Malware Taxonomy Malware Types Payload Classifcations Threats & Countermeasures

C HARACTERISTICS , A RCHITECTURE , AND O PERATIONS OF MA-
LICIOUS S OFTWARE

❏ An attacker gains administrative control of a system and uses
commands to infict harm
❏ An attacker sends commands directly to a system; the system
interprets and executes them
❏ An attacker uses software programs that harm a system or
that make the data unusable
❏ An attacker uses legitimate remote administration tools and
security probes to identify and exploit security vulnerabilities on a
network

4
Malware Classifcations
 Malicious Software Malware Taxonomy Malware Types Payload Classifcations Threats & Countermeasures

M ALWARE C LASSIFICATION APPROACH

❏ The original approach to classify malware focuses on how they
spread or propagate through an information system environment
to reach the desired target/s
❏ A more conventional approach was developed to consider all
dimensions of malware in order to classify them.
❏ This approach is used by the NCSC and it contains the
following dimensions:
❐ Host dependent or independent
❐ persistent or transient
❐ Where it install itself (persistent malware only)
❐ How it is triggered
❐ Static or dynamically updated
❐ Act alone or coordinated attack

5
 Malicious Software Malware Taxonomy Malware Types Payload Classifcations Threats & Countermeasures

M ALWARE C LASSIFICATION APPROACH

❏ Host dependent or Independent malware
❐ Independent malware or standalone is a complete
program that can run on its own once it is installed on a
compromised machine and executed.
❐ Host dependent malware requires a host program to
run. It cannot run independently, but infect a program on a
computer by inserting its instructions into the program or
modifying the host code.
❏ Persistent or Transient
❐ Persistent malware are installed in persistent storage
such as a fle system (your hard drive) or an external storage
device. They can be either standalone or host independent.
❐ Transient malware are installed in volatile memory such
as as RAM memory.

6
 Malicious Software Malware Taxonomy Malware Types Payload Classifcations Threats & Countermeasures

M ALWARE C LASSIFICATION APPROACH

❏ Where it install itself
❐ This dimension generally applies to only persistent
malware (Ones that requires installation)
❐ Malware are categorised based on which layer of the
system stack the malware is installed and run on
❐ this could the frmware, the boot sector, the operating
system level, the driver, the api, or user application
❏ How it is triggered
❐ Auto-spreading malware runs and then looks for other
vulnerable machines on the Internet, compromises these
machines and installs itself on them;
❐ User-activated malware is run on a computer only
because a user accidentally downloads and executes it, e.g.,
by clicking on an attachment or URL in a received email.

7
 Malicious Software Malware Taxonomy Malware Types Payload Classifcations Threats & Countermeasures

M ALWARE C LASSIFICATION APPROACH

❏ Static or dynamically updated
❐ Malware that are supported by an infrastructure and can
still communicate with such infrastructure are dynamically
updated with new version regularly.
❐ Static malware or one time malware has no infrastructure
to support it and are standalone software with no network
connection to an external infrastructure
❏ Act alone or coordinated attack
❐ Act alone malware are isolated malware that runs on
their own. They do not participate in a larger scale attack.
Such malware usually have a specifc target.
❐ Coordinated malware are attacks that contribute to a
larger scale attack as on their own they will not cause much
damage. For example, collectively several devices infected
by such malware can cause networks or systems to crash
(DDoS). 8
Malware Types
 Malicious Software Malware Taxonomy Malware Types Payload Classifcations Threats & Countermeasures

M ALWARE C ONTENTS

❏ Malware are divided into two parts:
❐ Infection mechanism: How it propagates
❐ The Payload: what happens after it reaches the target

9
 Malicious Software Malware Taxonomy Malware Types Payload Classifcations Threats & Countermeasures

T HE M AIN T YPES OF M ALWARE

❏ Virus
❏ Denial of service attacks
❏ Spam
❏ Spyware
❏ Worms
❏ Adware
❏ Trojan horses
❏ Phishing
❏ Logic bombs
❏ Keystroke loggers
❏ Active content
❏ Hoaxes and myths
vulnerabilities
❏ Homepage hijacking
❏ Malicious add-ons
❏ Webpage defacements
❏ Botnets

10
 Malicious Software Malware Taxonomy Malware Types Payload Classifcations Threats & Countermeasures

V IRUS

❏ Piece of software that infects programs
❐ Modifes them to include a copy of the virus
❐ Replicates and goes on to infect other content
❐ Easily spread through network environments
❏ When attached to an executable program a virus can do
anything that the program is permitted to do
❐ Executes secretly when the host program is run
❏ Specifc to operating system and hardware
❐ Takes advantage of their details and weaknesses

11
 Malicious Software Malware Taxonomy Malware Types Payload Classifcations Threats & Countermeasures

V IRUS C OMPONENTS

Infection Mechanism
❏ Means by which a virus spreads or propagates
❏ Also referred to as the infection vector

Trigger
❏Event or condition that determines when the payload is
activated or delivered
❏ Sometimes known as a logic bomb

Payload
❏ What the virus does (besides spreading)
❏ May involve damage or benign but noticeable activity

12
 Malicious Software Malware Taxonomy Malware Types Payload Classifcations Threats & Countermeasures

V IRUS P HASES

13
 Malicious Software Malware Taxonomy Malware Types Payload Classifcations Threats & Countermeasures

V IRUS C LASSIFICATIONS : B Y TARGETS

Boot sector infector
❏ Infects a master boot record or boot record and spreads when
a system is booted from the disk containing the virus

File Infectors
❏ Infects fles that the operating system or shell considers to be
executable

Macro virus
❏ Infects fles with macro or scripting code that is interpreted by
an application

Multipartite virus
❏ Infects fles in multiple ways

14
 Malicious Software Malware Taxonomy Malware Types Payload Classifcations Threats & Countermeasures

V IRUS C LASSIFICATIONS : B Y CONCEALMENT STRATEGY

Encrypted virus
❏A portion of the virus creates a random encryption key and
encrypts the remainder of the virus

Stealth virus
❏ A form of virus explicitly designed to hide itself from detection
by anti-virus software

Polymorphic virus
❏A virus that mutates with every infection

Metamorphic virus
❏ A virus that mutates and rewrites itself completely at each
iteration and may change behaviour as well as appearance

15
 Malicious Software Malware Taxonomy Malware Types Payload Classifcations Threats & Countermeasures

M ALVERTISING

❏ Places malware on websites without actually compromising
them
❏ The attacker pays for advertisements that are highly likely to
be placed on their intended target websites and incorporate
malware in them
❏ Using these malicious ads, attackers can infect visitors to sites
displaying them
❏The malware code may be dynamically generated to either
reduce the chance of detection or to only infect specifc systems
❏ Has grown rapidly in recent years because they are easy to
place on desired websites with few questions asked and are hard
to track
❏ Attackers can place these ads for as little as a few hours, when
they expect their intended victims could be browsing the targeted
websites, greatly reducing their visibility
16
 Malicious Software Malware Taxonomy Malware Types Payload Classifcations Threats & Countermeasures

C LICKJACKING

❏ Also known as a user-interface (UI) redress attack
❏ Using a similar technique, keystrokes can also be hijacked
❐ A user can be led to believe they are typing in the
password to their email or bank account, but are instead
typing into an invisible frame controlled by the attacker
❏ Vulnerability used by an attacker to collect an infected user’s
clicks
❐ The attacker can force the user to do a variety of things
from adjusting the user’s computer settings to unwittingly
sending the user to Web sites that might have malicious
code
❐ A typical attack uses multiple transparent or opaque layers
to trick a user into clicking on a button or link on another
page when they were intending to click on the top level page
❐ The attacker is hijacking clicks meant for one page and
routing them to another page 17
 Malicious Software Malware Taxonomy Malware Types Payload Classifcations Threats & Countermeasures

S OCIAL E NGINEERING

❏ “Tricking” users to assist in the compromise of their own
systems

18
 Malicious Software Malware Taxonomy Malware Types Payload Classifcations Threats & Countermeasures

M ACRO AND S CRIPTING VIRUS

❏ Macro virus infect scripting code used to support active
content in a variety of user document types
❏ Are threatening for a number of reasons:
❐ Is platform independent
❐ Infect documents, not executable portions of code
❐ Are easily spread
❐ Because they infect user documents rather than system
programs, traditional fle system access controls are of
limited use in preventing their spread, since users are
expected to modify them
❐ Are much easier to write or to modify than traditional
executable virus

19
 Malicious Software Malware Taxonomy Malware Types Payload Classifcations Threats & Countermeasures

M ACRO AND S CRIPTING VIRUS : T RUSTED D OWNLOAD ?

20
 Malicious Software Malware Taxonomy Malware Types Payload Classifcations Threats & Countermeasures

ACTIVE C ONTENT VIRUS

❏ Active content
❐ Refers to dynamic objects that do something when the
user opens a webpage (ActiveX, Java, JavaScript, VBScript,
macros, browser plugins, PDF fles, and other scripting
languages)
❐ Has potential weaknesses that malware can exploit
❏ Active content threats are considered mobile code because
these programs run on a wide variety of computer platforms
❏ Users download bits of mobile code, which gain access to the
hard disk and do things like fll up desktop with infected fle icons

21
 Malicious Software Malware Taxonomy Malware Types Payload Classifcations Threats & Countermeasures

W ORMS

❏ Program that actively seeks out more machines to infect and
each infected machine serves as an automated launching pad
for attacks on other machines
❏ Exploits software vulnerabilities in client or server programs
❏ Usually carries some form of payload

22
 Malicious Software Malware Taxonomy Malware Types Payload Classifcations Threats & Countermeasures

W ORM T ECHNOLOGY

1. Multiplatform: Worms are not Operating System specifc.
2. Multi-exploit: Worms penetrate systems using a variety of
methods
3. Ultrafast spreading: Exploit various techniques to optimize the
rate of spread of the worm
4. Polymorphic: To evade detection, skip past flters, and foil
real-time analysis, worms adopt the virus polymorphic technique.
5. Metamorphic: In addition to changing their appearance,
metamorphic worms have a collection of behaviour patterns that
are unleashed at different stages of propagation.
6. Zero-day exploit : To achieve maximum surprise and
distribution, a worm should exploit an unknown vulnerability that
is only discovered by the general network community when the
worm is launched.
23
 Malicious Software Malware Taxonomy Malware Types Payload Classifcations Threats & Countermeasures

R OOTKITS

❏ Type of malware that modifes or replaces one or more existing
programs to hide the fact that a computer has been compromised
❏ Modify parts of the operating system to conceal traces of their
presence
❏ Provide attackers with access to compromised computers and
easy access to launching additional attacks
❏ Diffcult to detect and remove

24
 Malicious Software Malware Taxonomy Malware Types Payload Classifcations Threats & Countermeasures

R OOTKITS C LASSIFICATION C HARACTERISTICS

1. Persistent: Activates each time the system boots. The rootkit
must store code in a persistent store, such as the registry or fle
system, and confgure a method by which the code executes
without user intervention.
2. Memory based: Has no persistent code and therefore cannot
survive a reboot. However, because it is only in memory, it can
be harder to detect.
3. User mode: Intercepts calls to APIs (application program
interfaces) and modifes returned results.
4. Kernel mode: Can intercept calls to native APIs in kernel mode.
The rootkit can also hide the presence of a malware process by
removing it from the kernel’s list of active processes.
5. External mode: The malware is located outside the normal
operation mode of the targeted system, in BIOS or system
management mode, where it can directly access hardware.
25
Payload Classifcations
 Malicious Software Malware Taxonomy Malware Types Payload Classifcations Threats & Countermeasures

PAYLOAD

❏ Payload are classifed based on the damage or threat they
bring to the system
❏ The different classes of payload are:
❐ System Corruption
❐ Attack Agents Bots
❐ Remote Control Facility
❐ Information Theft- Keyloggers and Spyware
❐ Information Theft- Phishing
❐ Stealthing Backdoor
❐ Stealthing Rootkit
System Corruption
❏ Causes damage to physical equipment such as Stuxnet worm
❐ Targets specifc industrial control system software
❏ There are concerns about using sophisticated targeted
malware for industrial sabotage 26
 Malicious Software Malware Taxonomy Malware Types Payload Classifcations Threats & Countermeasures

PAYLOAD CLASSES

Attack Agents Bots
❏ Takes over another Internet attached computer and uses that
computer to launch or manage attacks
❏ Botnet - collection of bots capable of acting in a coordinated
manner
❐ For example DDoS botnets

Remote Control Facility
❏ Typical means of implementing the remote control facility is on
an IRC server
❐ Bots join a specifc channel on this server and treat
incoming messages as commands

27
 Malicious Software Malware Taxonomy Malware Types Payload Classifcations Threats & Countermeasures

PAYLOAD CLASSES

Information Theft- Keyloggers and Spyware
❏ Keyloggers
❐ Captures keystrokes to allow attacker to monitor sensitive
information
❏ Spyware
❐ Subverts the compromised machine to allow monitoring of
a wide range of activity on the system

Information Theft- Phishing
❏ Phishing exploits social engineering to leverage the user’s trust
by masquerading as communication from a trusted source
❐ Include a URL in a spam e-mail that links to a fake Web
site that mimics the login page of a banking, gaming, or
similar site
❐ Attacker exploits the account using the captured