AAA & Access Control
6COSC019W - Cyber Security
Dr Ayman El Hajjar
March 26, 2024
School of Computer Science and Engineering, University of Westminster

OUTLINE
1. Access Control
2. Logical Access Control
3. Access Control principles
4. Access Control Models
5. Authentication, Authorisation & Accountability (AAA)

ACCESS CONTROL

Protecting Security Assets
The ultimate goal for any security practitioner is to be able to secure all assets of their organisation.

Defining Access Control
❏ Access Control is the process of protecting a resource so that it is used only by those allowed to.
❏ Mitigations put into place to protect a resource from a threat, such as to prevent unauthorised use.

ACCESS CONTROL FUNCTIONS
❏ Identification: Who is asking to access the asset?
❐ Subjects supplying identification information
❐ Username, user ID, account number
❏ Authentication: Can their identities be verified?
❐ Verifying the identification information
❐ Passphrase, PIN, biometric, password, OTP
❏ Authorisation: What can the requester access and do?
❐ Using criteria to determine what the subjects can do on objects
❐ "I know who you are; I will allow you to do what you are allowed to."
❏ Accountability: How are actions traced to an individual to ensure the person who makes data or system changes can be identified?
❐ Audit logs and/or real-time monitoring to track subject activities with objects

ACCESS CONTROL (figure)

POLICY DEFINITION AND POLICY ENFORCEMENT PHASES
❏ Policy Definition phase: We start by defining who has access and what systems or resources they can use.
❐ Tied to the authorisation phase
❏ Then, the policy enforcement phase grants/rejects requests for access based on the authorisations defined in the first phase.
❐ Tied to identification, authentication, & accountability

An example
❏ In the policy definition phase, we define the following:
❐ Students are only authorised to see contents of their modules. They cannot edit.
❏ In the policy enforcement phase, for each student who accesses the system:
❐ Identified by their username and authenticated by their password, they are given access to what they are authorised to see as per the policy definition phase.

ACCESS CONTROL COMPONENTS (figure)

TYPES OF ACCESS CONTROL
Physical Access Control
❏ Cards control access to physical resources, or fingerprint (less used)
❏ Smart cards programmed with an ID number are an example
❏ Used at parking lots, elevators, office doors
Logical Access Control
❏ Deciding which users can get into a system
❏ Monitoring what each user does on that system
❏ Restraining or influencing a user's behaviour on that system

ENFORCING ACCESS CONTROL
The Security Kernel
❏ Enforces access control for computer systems
❏ Central point of access control
❏ Implements the reference monitor concept
How Access Control is enforced
❏ The subject requests access to an object. The security kernel intercepts the request.
❏ The security kernel refers to its rules base, also known as the security kernel database, to allow or deny access.
❏ All access requests handled by the system are logged for later tracking and analysis.

ENFORCING ACCESS CONTROL (figure)

LOGICAL ACCESS CONTROL

LOGICAL ACCESS CONTROL SOLUTIONS
Logical Controls and their Solutions
❏ Biometrics
❐ Static: fingerprints, iris granularity, retina blood vessels, facial features, and hand geometry
❐ Dynamic: voice inflections, keyboard strokes, and signature motions
❏ Tokens
❐ Synchronous or asynchronous
❐ Smart cards and memory cards
❏ Passwords
❐ Stringent password controls for users
❐ Account lockout policies
❐ Auditing logon events
❏ Single sign-on
❐ Kerberos process
❐ Secure European System for Applications in a Multi-Vendor Environment (SESAME)

AUTHENTICATION TYPES
Authentication by Knowledge: Something you know
❐ Passwords, passphrases, PIN
Authentication by Ownership: Something you own
❏ Synchronous token: calculates a number at both the authentication server and the device
❐ Time-based synchronisation, i.e. software authenticator
❐ Event-based synchronisation, i.e. SMS one-time password
❏ Asynchronous token: fixed, no calculation is needed; as long as you prove you physically have it, you can access
❐ USB token or smart card

ASYNCHRONOUS TOKEN CHALLENGE-RESPONSE (figure)

AUTHENTICATION TYPES
Authentication by Characteristics: Something unique to you
❐ This can be:
❑ Biometrics, something static (what you are): fingerprint, facial recognition, hand geometry, retina scan
❑ Something dynamic (what you do): voice patterns, keystroke dynamics, signature dynamics
Authentication by Location: Somewhere you are
❏ Location
❐ Strong indicator of authenticity

ACCESS CONTROL PRINCIPLES

GENERAL PRINCIPLES
❏ Files and folders are managed by the operating system
❏ Applications, including shells, access files through an API
❏ Access control entry (ACE)
❐ Allow/deny a certain type of access to a file/folder by user/group
❏ Access control list (ACL)
❐ Collection of ACEs for a file/folder
❏ A file handle provides an opaque identifier for a file/folder
❏ File operations
❐ Open file: returns file handle
❐ Read/write/execute file
❐ Close file: invalidates file handle
❏ Hierarchical file organisation
❐ Tree (Windows)
❐ DAG (Linux)

ACCESS POLICIES (figure)

ACCESS CONTROL MATRIX EXAMPLE
❐ Each entry in the matrix indicates the access rights of a particular subject for a particular object

Subjects \ Objects | File 1           | File 2           | File 3           | File 4
User A             | Own, Read, Write |                  | Own, Read, Write |
User B             | Read             | Own, Read, Write | Write            | Read
User C             | Read, Write      | Read             |                  | Own, Read, Write

ACCESS CONTROL MODELS

ACCESS CONTROL MODELS
❏ All access control models are built on the security operation principles listed below:
❐ Need to know: this principle ensures that subjects are granted access only to what they need to know for their work tasks and job functions.
❐ Least privilege: this principle ensures that subjects are granted only the privileges they need to perform their work tasks and job functions.
❐ Separation of privileges: this principle ensures that sensitive functions are split into tasks performed by two or more employees.

ACCESS CONTROL MODELS
❏ An access control model is a framework that dictates how subjects access objects.
❏ It uses access control technologies and security mechanisms to enforce the rules and objectives of the model.
❏ There are three main types of access control models:
❐ Discretionary
❐ Mandatory (sometimes called Non-Discretionary)
❐ Rule Based
❐ Attribute-based access control (ABAC)
❏ Each model type uses different methods to control how subjects access objects
❏ Each model has its own merits and limitations.
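The synchronous tokens on the Authentication Types slide work because the token and the authentication server compute the same one-time value from a shared secret and a moving factor (a counter for event-based tokens, the clock for time-based ones). The following is an added example, not from the slides: HOTP (RFC 4226) and TOTP (RFC 6238) in plain Python, with the server-side resynchronisation window each kind needs; the secret and the counter/clock values are the published RFC test vectors, and the look-ahead and drift sizes are assumptions.

```python
"""Synchronous OTP tokens: event-based (HOTP) and time-based (TOTP).

Added example; not code from the slides. SECRET and the test values used
below are the RFC 4226 / RFC 6238 published test vectors.
"""
import hashlib
import hmac
import struct

# Shared secret provisioned to both the token and the authentication server
# (RFC 4226 Appendix D test secret, the ASCII string "12345678901234567890").
SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Event-based OTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian
    counter, dynamic truncation to 31 bits, then reduce modulo 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based OTP (RFC 6238): HOTP with the counter replaced by the number
    of `step`-second intervals elapsed since the Unix epoch."""
    return hotp(secret, unix_time // step, digits)


def verify_event_token(secret: bytes, submitted: str, server_counter: int,
                       look_ahead: int = 5):
    """Server-side check for an event-based token. The device counter may run
    ahead of the server's (button pressed without logging in), so the server
    searches a small look-ahead window (size assumed here) and, on success,
    moves its counter past the value it matched so that value is never
    accepted again. Returns (accepted, new_server_counter)."""
    for c in range(server_counter, server_counter + look_ahead + 1):
        if hmac.compare_digest(hotp(secret, c), submitted):
            return True, c + 1
    return False, server_counter


def verify_time_token(secret: bytes, submitted: str, now: int, step: int = 30,
                      drift_steps: int = 1) -> bool:
    """Server-side check for a time-based token, tolerating +/- drift_steps
    of clock skew between the device and the server (one step assumed)."""
    for delta in range(-drift_steps, drift_steps + 1):
        if hmac.compare_digest(totp(secret, now + delta * step, step), submitted):
            return True
    return False


if __name__ == "__main__":
    print("HOTP for counters 0..3:", [hotp(SECRET, c) for c in range(4)])
    print("TOTP at t=59:", totp(SECRET, 59))
    print(verify_event_token(SECRET, hotp(SECRET, 3), server_counter=1))
```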
Role-based access control (RBAC): controls access based on the roles that users have within the system and on rules stating what accesses are allowed to users in given roles
Discretionary access control (DAC): controls access based on the identity of the requester and on access rules (authorisations) stating what requestors are (or are not) allowed to do
Attribute-based access control (ABAC): controls access based on attributes of the user, the resource to be accessed, and current environmental conditions
Mandatory access control (MAC): controls access based on comparing security labels with security clearances

DISCRETIONARY ACCESS CONTROL (DAC)
❏ The principle of discretionary access control (DAC) dictates that the information owner is the one who decides who gets to access the system(s)
❏ Scheme in which an entity may be granted access rights that permit the entity, by its own volition, to enable another entity to access some resource
❏ Most of the common operating systems on the market today (Windows, Macintosh, UNIX and others) rely on DAC principles for access and operation
❏ Often provided using an access matrix
☞ One dimension consists of identified subjects that may attempt data access to the resources
☞ The other dimension lists the objects that may be accessed

DAC TERMS AND CONCEPTS
❏ Access Control Lists
❐ A list or a file of users who are given the privilege of access to a system or resource (a database, for example)
❐ Within the file is a user ID and an associated privilege or set of privileges for that user and that resource
❐ Privileges typically include Read, Write, Update, Execute, Delete, or Rename
❏ User Provisioning
❐ Granting access to new employees
❐ Includes checking management approvals for granting access

NON-DISCRETIONARY ACCESS CONTROL
❏ Access rules are closely managed by the security administrator, not the system owner or ordinary users
❏ Sensitive files are write-protected for integrity and readable only by authorised users
❏ More secure than discretionary access control
❏ Ensures that system security is enforced and tamper-proof

MANDATORY ACCESS CONTROL (MAC)
❏ Determines the level of restriction by how sensitive the resource is
❏ The system decides who gains access to information based on the concepts of subjects, objects, and labels
❏ Often used in military and government systems, with labels given to objects and access given to subjects based on security clearance level.
❐ Subjects: the people or other systems that are granted a clearance to access an object within the information system
❐ Objects: the elements within the information system that are being protected from use or access
❐ Classification label: the mechanism that binds objects to subjects. A subject's clearance permits access to an object based on the labelled security protection assigned to that object, such as Top Secret, Secret, Confidential and Unclassified

RULE-BASED ACCESS CONTROL (RBAC)
❏ Rule-based access control uses specific rules that indicate what can and cannot happen between a subject and an object.
❏ It is based on the simple concept of "if X then Y" programming rules, which can be used to provide finer-grained access control to resources.
❏ Before a subject can access an object in a certain circumstance, it must meet a set of predefined rules.
❐ An example can be as simple as "If the user's ID matches the unique user ID value in the provided digital certificate, then the user can gain access."
❐ Or a complex example such as "If the user is accessing the system between Monday and Friday and between 8 A.M. and 5 P.M., and if the user's security clearance equals or dominates the object's classification, and if the user has the necessary need to know, then the user can access the object."

RULE-BASED ACCESS CONTROL (figure)

ATTRIBUTE-BASED ACCESS CONTROL (ABAC)
❏ Can define authorisations that express conditions on properties of both the resource and the subject
❏ Strength is its flexibility and expressive power
❏ Main obstacle to its adoption in real systems has been concern about the performance impact of evaluating predicates on both resource and user properties for each access
❏ There is considerable interest in applying the model to cloud services

AUTHENTICATION, AUTHORISATION & ACCOUNTABILITY (AAA)

AUTHENTICATION, AUTHORISATION, AND ACCOUNTING (AAA)
❏ AAA protocols are commonly used with remote access systems such as virtual private networks (VPNs) and other types of network access servers to provide centralised access control.
❏ They prevent internal LAN authentication systems and other servers from being attacked remotely.
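The security kernel described under Enforcing Access Control intercepts each request, consults its rules base and logs the outcome. The following is an added example, not code from the slides, of such a reference monitor that layers three of the models above: the slides' access control matrix (DAC, with owner-granted delegation), a MAC check that the subject's clearance dominates the object's label, and the working-hours rule quoted on the Rule-Based Access Control slide. The clearances, labels, need-to-know compartments and timestamps are constructed for illustration.

```python
"""A toy reference monitor: DAC matrix + MAC dominance + rule-based condition,
with an audit record for every decision (accountability).

Added example, not from the slides. MATRIX is the slides' example; the
clearances, labels, compartments and dates below are constructed.
"""
from datetime import datetime

# MAC sensitivity levels, ordered as listed on the MAC slide.
LEVELS = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}

# DAC: the access control matrix from the slides, subject -> object -> rights.
MATRIX = {
    "User A": {"File 1": {"Own", "Read", "Write"},
               "File 3": {"Own", "Read", "Write"}},
    "User B": {"File 1": {"Read"}, "File 2": {"Own", "Read", "Write"},
               "File 3": {"Write"}, "File 4": {"Read"}},
    "User C": {"File 1": {"Read", "Write"}, "File 2": {"Read"},
               "File 4": {"Own", "Read", "Write"}},
}

# Constructed MAC labels: (sensitivity level, need-to-know compartments).
CLEARANCE = {"User A": ("Secret", {"HR"}),
             "User B": ("Top Secret", {"HR", "FIN"}),
             "User C": ("Confidential", set())}
LABEL = {"File 1": ("Confidential", set()), "File 2": ("Secret", {"FIN"}),
         "File 3": ("Secret", {"HR"}), "File 4": ("Unclassified", set())}

AUDIT_LOG = []                            # one entry per mediated request
TUE = datetime(2024, 3, 26, 10, 0)        # constructed: a Tuesday morning
SAT = datetime(2024, 3, 30, 10, 0)        # constructed: the following Saturday


def dominates(clearance, label):
    """Clearance dominates a label when its level is at least the label's and
    it holds every compartment the label requires (the need-to-know part)."""
    (c_level, c_cats), (o_level, o_cats) = clearance, label
    return LEVELS[c_level] >= LEVELS[o_level] and o_cats <= c_cats


def within_working_hours(when):
    """The slide's rule: Monday to Friday, 8 A.M. to 5 P.M."""
    return when.weekday() < 5 and 8 <= when.hour < 17


def grant(owner, target, obj, right):
    """DAC delegation: only a subject holding Own on the object may give
    another subject a right to it. Returns True if the matrix was changed."""
    if "Own" not in MATRIX.get(owner, {}).get(obj, set()):
        return False
    MATRIX.setdefault(target, {}).setdefault(obj, set()).add(right)
    return True


def request_access(subject, obj, right, when):
    """Security-kernel decision for one request: deny by default, allow only
    when every layer agrees, and write an audit entry either way."""
    reasons = []
    if right not in MATRIX.get(subject, {}).get(obj, set()):
        reasons.append("no matrix entry")
    if not dominates(CLEARANCE[subject], LABEL[obj]):
        reasons.append("clearance does not dominate label")
    if not within_working_hours(when):
        reasons.append("outside Mon-Fri 08:00-17:00")
    decision = "ALLOW" if not reasons else "DENY"
    AUDIT_LOG.append(" ".join([when.isoformat(), subject, right, obj, decision]
                              + reasons))
    return decision == "ALLOW"


if __name__ == "__main__":
    print(request_access("User A", "File 1", "Read", TUE))   # True
    print(request_access("User C", "File 2", "Read", TUE))   # False: DAC entry exists, clearance too low
    print(request_access("User B", "File 4", "Read", SAT))   # False: outside working hours
    print(grant("User C", "User A", "File 4", "Read"),
          request_access("User A", "File 4", "Read", TUE))    # True True
    print(*AUDIT_LOG, sep="\n")
```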
❏ When a separate system is used for remote access, only the remote access users are affected if this system is successfully attacked.
❏ The AAA protocols are also commonly used for mobile IP, which provides access to mobile users with smart phones.

CENTRALISED AND DECENTRALISED AAA
❏ Additional access control mechanisms are required because of the use of insecure networks to create a connection to the corporate local area network
❏ Centralised authentication, authorisation, and accounting (AAA) servers
❐ RADIUS
❐ TACACS+
❐ DIAMETER
❏ Decentralised access control: access control is in the hands of the people closest to the system users
❐ Password Authentication Protocol (PAP)
❐ Challenge-Handshake Authentication Protocol (CHAP)
❐ Mobile device authentication, Initiative for Open Authentication (OATH), for example One-Time Password (OTP)

REMOTE USER ACCESS AND AUTHENTICATION (RADIUS)
❏ RADIUS is a client/server protocol and software that enables remote access users to communicate with a central server to authorise their access to the requested system or service
❏ It allows companies to have a single administered entry point, which provides standardisation in security and a simplistic way to track usage and network statistics.

TACACS+ ARCHITECTURE
❏ TACACS+ provides the same functionality as RADIUS with a few differences in some of its characteristics.
❐ TACACS+ uses TCP as its transport protocol, while RADIUS uses UDP.
❏ If compared with RADIUS, TACACS+ is the better choice for complex environments such as corporate networks that require
❐ More sophisticated authentication steps
❐ Tighter control over more complex authorisation activities
What does the use of TCP mean for us?
❐ Any software that uses UDP as its transport protocol has to be "fatter" with intelligent code. TACACS+ will be faster to transmit.

DIAMETER
❏ Diameter is a protocol that has been developed to build upon the functionality of RADIUS and overcome many of its limitations.
❏ Diameter uses TCP as its transport protocol
❏ It provides the same type of functionality as RADIUS and TACACS+, in addition to wireless network access.
❏ Diameter also provides more flexibility and capabilities to meet the new demands of today's complex and diverse networks.
❏ Diameter can deal with issues such as mobile IP.
❏ Diameter provides several functionalities in addition to AAA functionality, such as roaming operations and replay attack protection.
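The RADIUS slide describes a client (the network access server) asking a central server to authorise a user. The following is an added example, not from the slides or any RADIUS implementation, of that Access-Request / Access-Accept round trip in the RFC 2865 packet format, so both sides' messages and the role of the shared secret are visible: the client hides the User-Password with the secret, and the server proves it holds the same secret through the Response Authenticator. The shared secret, user database and fixed Request Authenticator are constructed (a real client draws the authenticator at random per request, as the default here does).

```python
"""RADIUS Access-Request / Access-Accept exchange over RFC 2865 packets.

Added example; not from the slides. SECRET, USERS and the fixed Request
Authenticator in exchange() are constructed for illustration.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3   # RFC 2865 packet codes
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2                # RFC 2865 attribute types


def _attr(atype: int, value: bytes) -> bytes:
    """Attribute = Type(1) Length(1, covers type+length+value) Value."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def _parse_attrs(blob: bytes) -> dict:
    attrs, i = {}, 0
    while i < len(blob):
        atype, alen = blob[i], blob[i + 1]
        attrs[atype] = blob[i + 2:i + alen]
        i += alen
    return attrs


def _packet(code: int, ident: int, authenticator: bytes, attrs: bytes) -> bytes:
    """Packet = Code(1) Identifier(1) Length(2) Authenticator(16) Attributes."""
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def hide_password(secret: bytes, req_auth: bytes, password: bytes) -> bytes:
    """User-Password hiding (RFC 2865 section 5.2): pad to a 16-byte multiple
    and XOR each block with MD5(secret + previous block), the 'previous block'
    for the first block being the Request Authenticator. This is obfuscation
    keyed by the shared secret, not modern encryption; deployments rely on
    the transport (e.g. RADIUS over TLS, RFC 6614) for confidentiality."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def reveal_password(secret: bytes, req_auth: bytes, hidden: bytes) -> bytes:
    padded, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        padded += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return padded.rstrip(b"\x00")        # strip the RFC padding


def build_access_request(secret, ident, username, password, req_auth=None):
    """Client side. Returns (packet, request_authenticator); the client keeps
    the authenticator to validate the server's reply."""
    req_auth = req_auth or os.urandom(16)
    attrs = (_attr(ATTR_USER_NAME, username)
             + _attr(ATTR_USER_PASSWORD, hide_password(secret, req_auth, password)))
    return _packet(ACCESS_REQUEST, ident, req_auth, attrs), req_auth


def response_authenticator(secret, code, ident, req_auth, attrs):
    """MD5(Code + ID + Length + RequestAuth + ResponseAttributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + req_auth + attrs + secret).digest()


def server_handle(secret: bytes, packet: bytes, users: dict) -> bytes:
    """Server side: recover the password with the shared secret, check it
    against the user database, answer Access-Accept or Access-Reject."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    req_auth, attrs = packet[4:20], _parse_attrs(packet[20:length])
    user = attrs.get(ATTR_USER_NAME, b"")
    password = reveal_password(secret, req_auth, attrs.get(ATTR_USER_PASSWORD, b""))
    ok = code == ACCESS_REQUEST and users.get(user) == password
    reply = ACCESS_ACCEPT if ok else ACCESS_REJECT
    return _packet(reply, ident, response_authenticator(secret, reply, ident, req_auth, b""), b"")


def client_check_response(secret, ident, req_auth, packet):
    """Client side: trust the reply only if its Identifier matches the request
    and its Response Authenticator was computed with the same shared secret.
    Returns the packet code, or None if the reply cannot be trusted."""
    code, rid, length = struct.unpack("!BBH", packet[:4])
    expected = response_authenticator(secret, code, rid, req_auth, packet[20:length])
    if rid != ident or not hmac.compare_digest(expected, packet[4:20]):
        return None
    return code


SECRET = b"constructed-shared-secret"
USERS = {b"alice": b"correct horse battery"}      # constructed user database


def exchange(client_secret, server_secret, username, password, ident=7):
    """One request/response round trip; returns the client's verdict."""
    req, req_auth = build_access_request(client_secret, ident, username, password,
                                         req_auth=bytes(range(16)))
    resp = server_handle(server_secret, req, USERS)
    return client_check_response(client_secret, ident, req_auth, resp)


if __name__ == "__main__":
    print(exchange(SECRET, SECRET, b"alice", b"correct horse battery"))       # 2, Access-Accept
    print(exchange(SECRET, SECRET, b"alice", b"wrong"))                       # 3, Access-Reject
    print(exchange(SECRET, b"other-secret", b"alice", b"correct horse battery"))  # None
```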
SINGLE SIGN-ON (SSO)
❏ In an SSO system, users have one password for all corporate and back-office systems and applications they need to perform their jobs
❏ One password can be remembered and used, thus increasing the security of the overall system of access controls
❏ Single Sign-On mechanisms include
❐ Kerberos
❐ Federated Identities

KERBEROS
❏ Kerberos is designed to provide authentication for client/server applications by using symmetric-key cryptography
❏ A free implementation is available from MIT
❏ Works by assigning a unique key, called a ticket, to each user
❏ User logs in once and then can access all resources based on the permission level associated with the ticket

FEDERATED IDENTITIES
❏ Sites have an arrangement with a service so users can log in with the service credentials and don't have to create a new unique user name and password
❐ Facebook
❐ Google

REFERENCES
❏ The lecture notes and contents were compiled from my own notes and from various sources.
❏ Figures and tables are from the recommended books
❏ The lecture notes are very detailed. If you attend the lecture, you should be able to understand the topics.
❏ You can use any of the recommended readings! You do not need to read all the chapters!
❏ Recommended Readings note: Focus on what was covered in the class.
❐ Chapter 14, Security Architecture and Design, CEH v11 Certified Ethical Hacker Study Guide
❐ Chapter 6, Access Controls, Fundamentals of Information Systems Security
❐ Chapter 14, Authentication, Authorisation & Accountability, CyBOK, The Cyber Security Body of Knowledge

Defensive Technologies (Intrusion Detection and Firewalls)
6COSC019W - Cyber Security
Dr Ayman El Hajjar
April 02, 2024
School of Computer Science and Engineering, University of Westminster

OUTLINE
1. Firewall Systems
2. Intrusion Detection Systems (IDS)
3. Intrusion Prevention Systems (IPS)
4. Honeypots

FIREWALL SYSTEMS

THE NEED FOR FIREWALLS
❏ Internet connectivity is essential; however, it brings threats to our information system environment.
❏ Placed between the premises network and the Internet to establish a controlled link
❐ Can be a single computer system or a set of two or more systems working together
❏ Used as a perimeter defence
❐ Single choke point to impose security and auditing
❐ Separates the internal systems from external networks

FIREWALL CHARACTERISTICS
Design goals
❐ All traffic from inside to outside, and vice versa, must pass through the firewall
❐ Only authorised traffic as defined by the local security policy will be allowed to pass
❐ The firewall itself is immune to penetration

TYPES OF FIREWALL
❏ A firewall can monitor network traffic at a number of levels, from low-level network packets, either individually or as part of a flow, to all traffic within a transport connection, up to inspecting details of application protocols.
❏ The choice of which level is appropriate is determined by the desired firewall access policy.
❏ Firewall levels are:
❐ Packet filtering firewall
❐ Stateful filtering firewall
❐ Application proxy firewall
❐ Circuit level proxy firewall

WHAT DO THEY FILTER?
IP address and protocol values
❐ This type of filtering is used by packet filter and stateful inspection firewalls, used to limit access to specific services
Application protocol
❐ This type of filtering is used by an application-level gateway that relays and monitors the exchange of information for specific application protocols
User identity
❐ Typically for inside users who identify themselves using some form of secure authentication technology
Network activity
❐ Controls access based on considerations such as the time of request, rate of requests, or other activity patterns

PACKET FILTERING FIREWALL
Also called stateless filtering firewall
❏ Applies rules to each incoming and outgoing IP packet
❐ Typically a list of rules based on matches in the IP or TCP header
❏ Two default policies:
❐ Discard (Deny): prohibit unless expressly permitted
❐ Forward (Permit): permit unless expressly prohibited
Filtering rules are based on information contained in a network packet
❏ Source IP address
❏ Destination IP address
❏ Source and destination transport-level address
❏ IP protocol field
❏ Interface

STATEFUL FILTERING FIREWALL
❏ Tightens rules for TCP traffic by creating a directory of outbound TCP connections
❐ There is an entry for each currently established connection
❐ Packet filter allows incoming traffic to high-numbered ports only for those packets that fit the profile of one of the entries in this directory
❏ Reviews packet information but also records information about TCP connections
❐ Keeps track of TCP sequence numbers to prevent attacks that depend on the sequence number

APPLICATION PROXY FIREWALL
❏ Also called "Application-Level Gateway"
❏ Acts as a relay of application-level traffic
❐ User contacts gateway using a TCP/IP application
❐ User is authenticated
❐ Gateway contacts application on remote host and relays TCP segments between server and user
❏ Must have proxy code for each application
❐ May restrict application features supported
❏ Tend to be more secure than packet filters
❏ Disadvantage is the additional processing overhead on each connection

CIRCUIT-LEVEL GATEWAY
Circuit level proxy
❏ Sets up two TCP connections, one between itself and a TCP user on an inner host and one on an outside host
❏ Relays TCP segments from one connection to the other without examining contents
❏ Security function consists of determining which connections will be allowed
❏ Typically used when inside users are trusted
❐ May use application-level gateway inbound and circuit-level gateway outbound
❐ Lower overheads

Figure 1: Types of Firewall

HOST-BASED FIREWALLS / PERSONAL FIREWALL
❏ Used to secure an individual host
❏ Available in operating systems or can be provided as an add-on package
❏ Can be housed in a router that connects all of the home computers to the Internet
❏ Filter and restrict packet flows. Primary role is to deny unauthorised remote access
❏ May also monitor outgoing traffic to detect and block worms and malware activity
Advantages
❐ Filtering rules can be tailored to the host environment
❐ Protection is provided independent of topology
❐ Provides an additional layer of protection

INTRUSION DETECTION SYSTEMS (IDS)
Security Intrusion: unauthorised act of bypassing the security mechanisms of a system
Intrusion Detection: a hardware or software function that gathers and analyses information from various areas within a computer or a network to identify possible security intrusions

INTRUSION DETECTION SYSTEM (IDS)
❏ An IDS comprises three logical components
❐ Sensors: a fundamental component of intrusion detection that collects data.
❐ Common data sources include system call traces, audit (log file) records, file integrity checksums, registry access.
❐ Analysers: determine if an intrusion has occurred
❐ User interface: view output or control system behaviour
❏ An IDS uses either the anomaly detection or the signature/heuristic detection approach.
❏ There are three types of intrusion detection systems: a host-based IDS (HIDS), a network-based IDS (NIDS) and a distributed or hybrid IDS that combines both characteristics

ANALYSIS APPROACHES
❏ Anomaly detection
❐ Involves the collection of data relating to the behaviour of legitimate users over a period of time
❐ Current observed behaviour is analysed to determine whether this behaviour is that of a legitimate user or that of an intruder
❏ Signature/Heuristic detection
❐ Uses a set of known malicious data patterns or attack rules that are compared with current behaviour
❐ Also known as misuse detection
❐ Can only identify known attacks for which it has patterns or rules

SIGNATURE OR ANOMALY?
❏ Attacks suitable for signature detection
❐ Application layer reconnaissance and attacks
❐ Transport layer reconnaissance and attacks
❐ Network layer reconnaissance and attacks
❐ Unexpected application services
❐ Policy violations
❏ Attacks suitable for anomaly detection
❐ Denial-of-service (DoS) attacks
❐ Scanning
❐ Worms

HOST-BASED INTRUSION DETECTION SYSTEM (HIDS)
❏ Adds a specialised layer of security software to vulnerable or sensitive systems
❏ Can use either anomaly or signature and heuristic approaches
❏ Monitors activity to detect suspicious behaviour
❐ Primary purpose is to detect intrusions, log suspicious events, and send alerts
❐ Can detect both external and internal intrusions

NETWORK-BASED INTRUSION DETECTION SYSTEM (NIDS)
❏ Monitors traffic at selected points on a network
❏ Examines traffic packet by packet in real or close to real time
❏ May examine network, transport, and/or application-level protocol activity
❏ Comprised of a number of sensors, one or more servers for NIDS management functions, and one or more management consoles for the human interface
❏ Analysis of traffic patterns may be done at the sensor, the management server or a combination of the two

AN INTRUSION DETECTION SYSTEM MUST BE ABLE TO
❐ Run continually with minimal human supervision.
❐ Be fault tolerant: must be able to recover from system crashes and reinitialisations.
❐ Resist subversion. The IDS must be able to monitor itself and detect if it has been modified by an attacker.
❐ Impose a minimal overhead on the system where it is running.
❐ Be able to be configured according to the security policies of the system that is being monitored.
❐ Be able to adapt to changes in system and user behaviour over time.
❐ Be able to scale to monitor a large number of hosts.
❐ Provide graceful degradation of service, in the sense that if some components of the IDS stop working for any reason, the rest of them should be affected as little as possible.
❐ Allow dynamic reconfiguration; that is, the ability to reconfigure the IDS without having to restart it.
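The packet filtering and stateful filtering firewalls from the Firewall Systems section above differ in one thing: the stateful filter keeps a directory of outbound TCP connections so that only the replies to those connections are admitted on high-numbered ports. The following is an added example, not code from the slides, of both filters over the same rule list and the same packets; the inside network 192.168.1.0/24, the rule set and the packets are constructed for illustration, and sequence-number tracking (which the slides mention) is left out.

```python
"""Stateless packet filter with a default policy, and the stateful extension
that records outbound TCP connections.

Added example; not from the slides. Network, rules and packets are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    iface: str      # "internal" (arrived from the LAN) or "external" (from the Internet)
    proto: str      # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False


@dataclass(frozen=True)
class Rule:
    action: str                   # "PERMIT" or "DENY"
    iface: str = "*"
    proto: str = "*"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None


def matches(rule: Rule, pkt: Packet) -> bool:
    """Header-field match on interface, protocol, addresses and destination port."""
    return (rule.iface in ("*", pkt.iface)
            and rule.proto in ("*", pkt.proto)
            and ip_address(pkt.src) in ip_network(rule.src)
            and ip_address(pkt.dst) in ip_network(rule.dst)
            and (rule.dport is None or rule.dport == pkt.dport))


class StatelessFilter:
    """Judges every packet in isolation: first matching rule wins, otherwise
    the default policy (Discard unless expressly permitted, by default)."""
    def __init__(self, rules, default="DENY"):
        self.rules, self.default = list(rules), default

    def decide(self, pkt: Packet) -> str:
        for rule in self.rules:
            if matches(rule, pkt):
                return rule.action
        return self.default


class StatefulFilter(StatelessFilter):
    """Same rules, plus the directory of established outbound TCP connections."""
    def __init__(self, rules, default="DENY"):
        super().__init__(rules, default)
        self.connections = set()   # (inside ip, inside port, remote ip, remote port)

    def decide(self, pkt: Packet) -> str:
        # An inbound TCP packet is admitted if it is the reply leg of a tracked
        # connection, even though no static rule opens that high-numbered port.
        if pkt.iface == "external" and pkt.proto == "tcp":
            if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.connections:
                return "PERMIT"
        verdict = super().decide(pkt)
        # An outbound SYN the rules allowed starts a connection: record it so
        # that its replies, and only its replies, are let back in.
        if (verdict == "PERMIT" and pkt.iface == "internal" and pkt.proto == "tcp"
                and pkt.syn and not pkt.ack):
            self.connections.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return verdict


# Constructed policy: the LAN may open HTTPS to anywhere; the Internet may
# reach only the mail server on port 25; everything else is discarded.
RULES = [
    Rule("PERMIT", iface="internal", proto="tcp", src="192.168.1.0/24", dport=443),
    Rule("PERMIT", iface="external", proto="tcp", dst="192.168.1.10/32", dport=25),
]

# Constructed packets, fed in this order.
OUTBOUND_SYN = Packet("internal", "tcp", "192.168.1.20", 51000, "203.0.113.5", 443, syn=True)
REPLY = Packet("external", "tcp", "203.0.113.5", 443, "192.168.1.20", 51000, syn=True, ack=True)
UNSOLICITED = Packet("external", "tcp", "203.0.113.5", 443, "192.168.1.20", 51001, syn=True)
MAIL_IN = Packet("external", "tcp", "198.51.100.9", 40000, "192.168.1.10", 25, syn=True)


def run_scenario(fw: StatelessFilter) -> list:
    """Verdicts for the four packets above, in order."""
    return [fw.decide(p) for p in (OUTBOUND_SYN, REPLY, UNSOLICITED, MAIL_IN)]


if __name__ == "__main__":
    print("stateless:", run_scenario(StatelessFilter(RULES)))   # reply to our own SYN is dropped
    print("stateful: ", run_scenario(StatefulFilter(RULES)))    # reply admitted, unsolicited still dropped
```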
17 Intrusion Prevention Systems (IPS) Firewall Systems Intrusion Detection Systems (IDS) Intrusion Prevention Systems (IPS) Honeypots I NTRUSION P REVENTION S YSTEMS (IPS) ❏ Also known as Intrusion Detection and Prevention System (IDPS) ❏ Is an extension of an IDS that includes the capability to attempt to block or prevent detected malicious activity ❏ Can be host-based, network-based, or distributed/hybrid ❏ Can use anomaly detection to identify behavior that is not that of legitimate users, or signature/heuristic detection to identify known malicious behavior can block traffc as a frewall does, but makes use of the types of algorithms developed for IDSs to determine when to do so 18 Firewall Systems Intrusion Detection Systems (IDS) Intrusion Prevention Systems (IPS) Honeypots H OST-BASED IPS (HIPS) ❏ Can make use of either signature/heuristic or anomaly detection techniques to identify attacks ❐ Signature: focus is on the specifc content of application network traffc, or of sequences of system calls, looking for patterns that have been identifed as malicious ❐ Anomaly: IPS is looking for behaviour patterns that indicate malware ❏ Examples of the types of malicious behaviour addressed by a HIPS are Modifcation of system resources, Privilege-escalation exploits, Buffer-overfow exploits, Access to e-mail contact list, Directory traversal 19 Firewall Systems Intrusion Detection Systems (IDS) Intrusion Prevention Systems (IPS) Honeypots H OST-BASED IPS (HIPS) ❏ Capability can be tailored to the specifc platform ❏ A set of general purpose tools may be used for a desktop or server system. 
❏ Some packages are designed to protect specific types of servers, such as Web servers and database servers
❏ Can use a sandbox approach
❐ Sandboxes are especially suited to mobile code such as Java applets and scripting languages
❐ The HIPS quarantines such code in an isolated system area, then runs the code and monitors its behaviour
❐ Areas for which a HIPS typically offers desktop protection include system calls and file system access

THE ROLE OF HIPS
❏ Many industry observers see the enterprise endpoint, including desktop and laptop systems, as now the main target for hackers and criminals
❐ Endpoint security is provided by a collection of products, such as antivirus and firewalls
❏ The HIPS approach is an effort to provide an integrated, single-product suite of these functions
❏ HIPS can be used as part of a defence-in-depth strategy that also involves network-level devices, such as network-based IPSs

NETWORK-BASED IPS (NIPS)
❏ An inline NIDS with the authority to modify or discard packets and tear down TCP connections
❏ Makes use of signature/heuristic and anomaly detection
❏ May provide flow data protection
❐ Requires that the application payload in a sequence of packets be reassembled

IPS METHODS TO IDENTIFY MALICIOUS PACKETS
❐ Signature-based: comparing network traffic against a database of known attack patterns or signatures.
❐ Anomaly-based: establishing a baseline of normal network behaviour and then identifying deviations from this baseline.
❐ Heuristic-based: using rules and algorithms to identify potentially malicious behaviour.
This method is less specific than the signature-based method but can detect previously unknown threats, such as zero-day attacks, based on certain characteristics.
❐ Protocol analysis: IPS devices may analyse network protocols to detect abnormalities or violations. For example, if a protocol exchange does not adhere to the protocol's standard specification, it may be flagged as suspicious.

Honeypots

HONEYPOTS
❏ Decoy systems designed to:
❐ Lure a potential attacker away from critical systems
❐ Collect information about the attacker's activity
❐ Encourage the attacker to stay on the system long enough for administrators to respond
❏ Systems are filled with fabricated information that a legitimate user of the system would not access
❏ Resources that have no production value
❐ Therefore any incoming communication is most likely a probe, scan, or attack
❐ Outbound communication initiated by the honeypot suggests that the system has probably been compromised
❏ A collection of honeypots is called a honeynet.
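To make the four IPS detection methods and the two honeypot rules above concrete, here is an added example (it is not part of the lecture slides and not taken from any IDS product) of a toy sensor that runs a signature list, a learned rate baseline, an HTTP protocol-conformance check and a honeypot address rule over flow records. The signatures, the honeypot address, the training rates and the sample flows are all constructed for the illustration; the URL-decoding step before signature matching is there because an unnormalised signature engine is trivially evaded by percent-encoding the attack string.

```python
"""Toy network sensor: signature, anomaly, protocol-analysis and honeypot rules.

Added example for the IDS/IPS and honeypot material; every flow, signature,
address and baseline figure here is constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
import re
import statistics
from urllib.parse import unquote_to_bytes


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str           # "tcp" or "udp"
    payload: bytes       # first bytes of the reassembled application payload
    pkts_per_sec: float  # observed packet rate of the flow


# Signature detection: content patterns already known to be malicious (constructed, Snort-like).
SIGNATURES = [
    ("sql-injection-union", re.compile(rb"(?i)\bunion\s+(all\s+)?select\b")),
    ("directory-traversal", re.compile(rb"(?:\.\./){2,}")),
]

# Honeypot rule: a hypothetical decoy address with no production value.
HONEYPOTS = {"10.0.0.99"}


def signature_check(flow: Flow) -> list[str]:
    # Normalise percent-encoding first: "%20" would otherwise hide the space in "UNION SELECT".
    data = unquote_to_bytes(flow.payload)
    return [name for name, rx in SIGNATURES if rx.search(data)]


class RateBaseline:
    """Anomaly detection: flag rates more than k standard deviations above the learned mean."""

    def __init__(self, training_rates: list[float], k: float = 3.0):
        self.mean = statistics.fmean(training_rates)
        self.stdev = statistics.pstdev(training_rates)
        self.threshold = self.mean + k * self.stdev

    def is_anomalous(self, rate: float) -> bool:
        return rate > self.threshold


def protocol_check(flow: Flow) -> str | None:
    """Protocol analysis: traffic to TCP/80 must begin with a well-formed HTTP/1.x request line."""
    if flow.proto != "tcp" or flow.dport != 80:
        return None
    if re.match(rb"^(GET|HEAD|POST|PUT|DELETE|OPTIONS|PATCH) \S+ HTTP/1\.[01]\r\n", flow.payload):
        return None
    return "http-malformed-request-line"


def honeypot_check(flow: Flow) -> str | None:
    """Anything touching a decoy is suspicious: inbound is a probe, outbound means it was compromised."""
    if flow.dst in HONEYPOTS:
        return "honeypot-inbound-probe"
    if flow.src in HONEYPOTS:
        return "honeypot-outbound-compromise"
    return None


def analyse(flows: list[Flow], baseline: RateBaseline) -> list[tuple[str, str, str]]:
    """Return (source address, detection method, detail) alerts, in flow order."""
    alerts: list[tuple[str, str, str]] = []
    for f in flows:
        for sig in signature_check(f):
            alerts.append((f.src, "signature", sig))
        if baseline.is_anomalous(f.pkts_per_sec):
            alerts.append((f.src, "anomaly", "rate-above-baseline"))
        if (p := protocol_check(f)) is not None:
            alerts.append((f.src, "protocol", p))
        if (h := honeypot_check(f)) is not None:
            alerts.append((f.src, "honeypot", h))
    return alerts


TRAINING_RATES = [8.0, 12.0, 10.0, 9.0, 11.0, 10.0]  # packets/s seen during a quiet learning period

SAMPLE_FLOWS = [  # constructed sample traffic
    Flow("192.0.2.10", "10.0.0.5", 80, "tcp", b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n", 9.0),
    Flow("198.51.100.7", "10.0.0.5", 80, "tcp",
         b"GET /search?q=1'%20UNION%20SELECT%20password%20FROM%20users-- HTTP/1.1\r\n", 10.0),
    Flow("203.0.113.4", "10.0.0.5", 80, "tcp", b"\x16\x03\x03\x00\x05hello", 10.0),   # TLS bytes on port 80
    Flow("203.0.113.9", "10.0.0.5", 53, "udp", b"\x12\x34\x01\x00", 400.0),           # flood rate
    Flow("192.0.2.77", "10.0.0.99", 22, "tcp", b"SSH-2.0-scanner\r\n", 5.0),           # probe of the decoy
    Flow("10.0.0.99", "203.0.113.50", 6667, "tcp", b"NICK bot42\r\n", 2.0),            # decoy calling home
]


def run_demo() -> list[tuple[str, str, str]]:
    return analyse(SAMPLE_FLOWS, RateBaseline(TRAINING_RATES))


if __name__ == "__main__":
    for src, method, detail in run_demo():
        print(f"{src:16} {method:10} {detail}")
```

The benign first flow produces nothing, the percent-encoded injection is caught only because the payload is decoded before matching, the TLS-looking bytes on port 80 fail protocol analysis without needing any signature, and the decoy's outbound IRC connection is the single strongest indicator in the set.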
HONEYPOT CLASSIFICATIONS
❏ Low-interaction honeypot
❐ A software package that emulates particular IT services or systems well enough to provide a realistic initial interaction
❐ Provides a less realistic target
❐ Often sufficient for use as a component of a distributed IDS to warn of imminent attack
❏ High-interaction honeypot
❐ A real system, with a full operating system, services and applications, which is instrumented and deployed where it can be accessed by attackers
❐ A more realistic target that may occupy an attacker for an extended period

REQUIREMENTS OF HONEYPOTS/HONEYNETS
❏ Isolation
❐ They should be isolated from the production systems and network
❐ They should contain, and allow the study of, any malicious activity without putting actual production systems at risk
❏ Continuous monitoring
❐ They should be monitored continuously to analyse potential threats to the organisation and the behaviour of attackers
❏ Deception
❐ They should be as realistic as possible, as they rely on the principle of deception
❐ By presenting an attractive target to potential attackers, security experts can observe and learn from their activities without exposing real assets

REFERENCES
❏ The lecture notes and contents were compiled from my own notes and from various sources.
❏ Figures and tables are from the recommended books.
❏ The lecture notes are very detailed. If you attend the lecture, you should be able to understand the topics.
❏ You can use any of the recommended readings! You do not need to read all the chapters!
❏ Recommended readings note: focus on what was covered in the class.
❐ Chapter 3, Security Foundations, CEH v11 Certified Ethical Hacker Study Guide
❐ Chapter 5, Networks and Telecommunications, Fundamentals of Information Systems Security
❐ Chapter 19, Network Security, The Cyber Security Body of Knowledge

Security Controls 6COSC019W- Cyber Security Dr Ayman El Hajjar February 19, 2024 School of Computer Science and Engineering University of Westminster

OUTLINE
1. Security Controls
2. Application layer controls
3. Host to Host/Transport layer Controls
4. Network Layer Security

Security Controls

SECURITY CONTROL
A control is defined as: "An action, device, procedure, or other measure that reduces risk by eliminating or preventing a security violation, by minimizing the harm it can cause, or by discovering and reporting it to enable corrective action."

CONTROL CLASSIFICATIONS
Management controls
✺ Focus on security policies, planning, guidelines, and standards that influence the selection of operational and technical controls to reduce the risk of loss and to protect the organization's mission
✺ These controls refer to issues that management needs to address
Operational controls
✺ Address the correct implementation and use of security policies and standards, ensuring consistency in security operations and correcting identified operational deficiencies
✺ These controls relate to mechanisms and procedures that are primarily implemented by people rather than systems
✺ They are used to improve the security of a system or group of systems

CONTROL CLASSIFICATIONS
Technical controls
✺ Involve the correct use of
hardware and software security capabilities in systems
✺ These range from simple to complex measures that work together to secure critical and sensitive data, information, and IT system functions

CONTROL CLASSES
Each of the control classes may include the following:
Supportive controls
✺ Pervasive, generic, underlying technical IT security capabilities that are interrelated with, and used by, many other controls
Preventative controls
✺ Focus on preventing security breaches from occurring, by inhibiting attempts to violate security policies or exploit a vulnerability
Detection and recovery controls
✺ Focus on the response to a security breach, by warning of violations or attempted violations of security policies or the identified exploit of a vulnerability, and by providing the means to restore the resulting lost computing resources

TECHNICAL CONTROLS - TCP/IP SECURITY SOLUTIONS
A number of approaches to providing Internet security are possible. The various approaches that have been considered are similar in the services they provide; they differ mainly in their scope of applicability and in where in the TCP/IP protocol stack they are applied.
Relative location of security facilities in the TCP/IP protocol stack (figure)

Application layer controls

EMAIL SECURITY: MIME AND S/MIME
Multipurpose Internet Mail Extension (MIME)
✺ Extends the basic Internet mail format, which has a simple header (To, From, Subject) and assumes an ASCII text body
✺ Provides a number of new header fields that define information about the body of the message
Secure/Multipurpose Internet Mail Extension (S/MIME)
✺ A security enhancement to the MIME Internet e-mail format
✺ Based on technology from RSA Data Security
✺ Provides the ability to sign and/or encrypt e-mail messages

S/MIME FUNCTIONS (figure)

SIMPLIFIED S/MIME FUNCTIONAL FLOW (figure)

PRETTY GOOD PRIVACY (PGP) CRYPTOGRAPHY
❏ Another standard for electronic-mail encryption and digital signatures
❏ Uses a public/private key (PPK) method
❐ Users can sign one another's public keys, adding some degree of confidence to a key's validity
❐ Someone who signs another's public key acts as an introducer for that person to someone else, so that if someone trusts the introducer, they should also trust the person who is being introduced (the "web of trust")
❐ PGP is often used to encrypt documents that can be shared via e-mail over the open Internet
❏ S/MIME and OpenPGP are both open standards (RFC 8551 and RFC 4880 respectively), but they use different trust models (X.509 certificate hierarchies versus the web of trust), different message formats, and handle digital signatures differently, so the two do not interoperate

DNS THREATS PREVENTION
❏ To prevent DNS hijacking and DNS pharming, DNS Security Extensions (DNSSEC) are deployed to ensure:
❐ Authenticity of the origin of a DNS answer
❐ Integrity of the reply
❐ Authenticity of denial of existence (a signed statement that a name does not exist)
❐ This is accomplished by signing DNS replies at each step of the way, i.e., in each zone along the delegation chain
❐ Public-key cryptography is used to sign the responses
❏ DNSSEC adds considerable load to DNS servers, and signed responses are often considerably larger than the traditional 512-byte limit for DNS over UDP, so resolvers need EDNS0 or a fallback to TCP

DNSSEC signing (figure)

SECURE SHELL (SSH)
A protocol for secure network communications designed to be relatively simple and inexpensive to implement. The initial version, SSH1, was focused on providing a secure remote logon facility to replace TELNET and other remote login schemes that provided no security. SSH also provides a more general client/server capability and can be used for such network functions as file transfer and e-mail. SSH client and server applications are widely available for most operating systems. SSH2 fixes a number of security flaws in the original scheme; SSH1 is obsolete and should not be used.

SSH transport layer packet exchange (figure)

SSH PROTOCOL PACKET EXCHANGE
First, the client establishes a TCP connection to the server. This is done via TCP and is not part of the SSH Transport Layer Protocol. Once the connection is established, the client and server exchange packets in the data field of a TCP segment.
SSH protocol packet exchanges (figure)

SSH PROTOCOL STACK (figure)

Host to Host/Transport layer Controls

TRANSPORT LAYER SECURITY - A DEFINITION (figure)

TLS PROTOCOL STACK
TLS is designed to make use of TCP to provide a reliable end-to-end secure service. The TLS Record Protocol provides basic security services (confidentiality and message integrity) to various higher-layer protocols. Three higher-layer protocols are defined as part of TLS:
✺ the Handshake Protocol;
✺ the Change Cipher Spec Protocol;
✺ and the Alert Protocol.
These TLS-specific protocols are used in the management of TLS exchanges. A fourth protocol, the Heartbeat Protocol, is defined in a separate RFC (RFC 6520). Note that TLS 1.3 (RFC 8446) retires the Change Cipher Spec protocol as a functional component: a change_cipher_spec message is only sent for middlebox compatibility and is ignored by the receiver.

TLS CONCEPTS
Two important TLS concepts are the TLS session and the TLS connection, which are defined in the specification.
✺ TLS Session:
❍ Created by the Handshake Protocol
❍ Defines a set of cryptographic parameters
❍ Used to avoid the expensive negotiation of new security parameters for each connection
✺ TLS Connection:
❍ A transport (in the OSI layering model sense) that provides a suitable type of service
❍ Connections are transient peer-to-peer relationships
❍ Every connection is associated with one session

TLS HANDSHAKE MESSAGES
The most complex part of TLS. It is used before any application data are transmitted and allows the server and client to:
✺ authenticate each other
✺ negotiate the encryption and MAC algorithms
✺ negotiate the cryptographic keys to be used
It comprises a series of messages exchanged by client and server; in TLS 1.2 the exchange has four phases (TLS 1.3 shortens the handshake to a single round trip and encrypts every handshake message after the ServerHello).

HANDSHAKE PROTOCOL ACTION (figure)

HTTPS (HTTP OVER TLS)
The combination of HTTP and TLS (RFC 2818, HTTP Over TLS) to implement secure communication between a Web browser and a Web server. Built into all modern Web browsers.
✺ URL addresses begin with https://
The agent acting as the HTTP client also acts as the TLS client. Closure of an HTTPS connection requires that TLS close the connection with the peer TLS entity on the remote side, which involves closing the underlying TCP connection.

Network Layer Security

IP SECURITY
RFC 1636, "Security in the Internet Architecture", issued in 1994 by the Internet Architecture Board (IAB), identified two needs for security at the IP and network level:
✺ the need to secure the network infrastructure from unauthorised monitoring and control of network traffic
✺ the need to secure end-user-to-end-user traffic using authentication and encryption mechanisms
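The TLS protocol stack and handshake described above are easiest to see on the wire. The following is an added example (not from the lecture and not from any TLS library) that builds a ClientHello as a Handshake Protocol message, wraps it in a Record Protocol record, and parses it back. It also shows why a network sensor or TLS proxy can read the server name (SNI) and the offered cipher suites: the ClientHello is sent in cleartext, before any keys exist. The content type, message type, extension and cipher-suite code points are the IANA-registered values; the hostname, the client random and the "weak suites" policy list are choices made for this example.

```python
"""TLS record layer vs. handshake layer: build and parse a ClientHello.

Added example for the TLS material; not taken from the lecture or from any TLS
implementation. Code points are IANA values; host names and policy are illustrative.
"""
from __future__ import annotations

import os
import struct

CONTENT_HANDSHAKE = 0x16         # Record Protocol content type: handshake
HANDSHAKE_CLIENT_HELLO = 0x01    # Handshake Protocol message type: ClientHello
EXT_SERVER_NAME = 0x0000         # server_name (SNI) extension
EXT_SUPPORTED_VERSIONS = 0x002B  # supported_versions extension (TLS 1.3 negotiation)

# Suites a sensible policy refuses (IANA code points): NULL encryption, RC4, 3DES.
WEAK_SUITES = {0x0002: "TLS_RSA_WITH_NULL_SHA",
               0x0005: "TLS_RSA_WITH_RC4_128_SHA",
               0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA"}


def build_client_hello(host: str, cipher_suites: list[int], client_random: bytes | None = None) -> bytes:
    """Return one TLS record carrying a ClientHello that offers TLS 1.3 and 1.2."""
    rnd = client_random if client_random is not None else os.urandom(32)
    name = host.encode("idna")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name     # name_type host_name(0), length, name
    sni = struct.pack("!H", len(sni_entry)) + sni_entry           # server_name_list length prefix
    versions = b"\x03\x04\x03\x03"                                # TLS 1.3, then TLS 1.2
    supported = struct.pack("!B", len(versions)) + versions
    extensions = (struct.pack("!HH", EXT_SERVER_NAME, len(sni)) + sni
                  + struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(supported)) + supported)
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body = (b"\x03\x03" + rnd + b"\x00"                           # legacy_version, random, empty session_id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00"                                          # compression_methods: null only
            + struct.pack("!H", len(extensions)) + extensions)
    handshake = bytes([HANDSHAKE_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    # Record header: content type, legacy record version (0x0301 on a first ClientHello), fragment length.
    return struct.pack("!BHH", CONTENT_HANDSHAKE, 0x0301, len(handshake)) + handshake


def parse_client_hello(record: bytes) -> dict:
    """Peel the record header, then the handshake header, then the ClientHello fields."""
    if len(record) < 5:
        raise ValueError("truncated record header")
    ctype, rec_version, rec_len = struct.unpack("!BHH", record[:5])
    if ctype != CONTENT_HANDSHAKE:
        raise ValueError("not a handshake record")
    hs = record[5:5 + rec_len]
    if len(hs) != rec_len or len(hs) < 4:
        raise ValueError("truncated record")
    msg_type, hs_len = hs[0], int.from_bytes(hs[1:4], "big")
    if msg_type != HANDSHAKE_CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated handshake message")
    pos = 0
    legacy_version = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    client_random = body[pos:pos + 32]; pos += 32
    pos += 1 + body[pos]                                          # skip session_id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]; pos += cs_len
    pos += 1 + body[pos]                                          # skip compression_methods
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    end, sni, versions = pos + ext_len, None, []
    while pos < end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
        data = body[pos:pos + elen]; pos += elen
        if etype == EXT_SERVER_NAME:
            list_len, p = struct.unpack("!H", data[:2])[0], 2
            while p < 2 + list_len:
                name_type, nlen = data[p], struct.unpack("!H", data[p + 1:p + 3])[0]
                if name_type == 0:
                    sni = data[p + 3:p + 3 + nlen].decode("ascii")
                p += 3 + nlen
        elif etype == EXT_SUPPORTED_VERSIONS:
            versions = [struct.unpack("!H", data[i:i + 2])[0] for i in range(1, 1 + data[0], 2)]
    return {"record_version": rec_version, "legacy_version": legacy_version, "client_random": client_random,
            "cipher_suites": suites, "sni": sni, "supported_versions": versions}


def offered_weak_suites(info: dict) -> list[str]:
    """Policy check a NIDS or TLS-terminating proxy can apply to the cleartext ClientHello."""
    return [WEAK_SUITES[s] for s in info["cipher_suites"] if s in WEAK_SUITES]


if __name__ == "__main__":
    hello = build_client_hello("www.example.com", [0x1301, 0x1302, 0xC02F])
    print(parse_client_hello(hello))
```

The parser deliberately checks each length field against the bytes actually present; record and handshake lengths that disagree with the buffer are exactly the kind of input that has crashed real TLS stacks, so a parser that trusts them is a parser that can be pushed into reading out of bounds.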
APPLICATIONS OF IPSEC
IPsec provides the capability to secure communications across a LAN, across private and public WANs, and across the Internet. Examples include:
✺ Secure branch office connectivity over the Internet
✺ Secure remote access over the Internet
✺ Establishing extranet and intranet connectivity with partners
✺ Enhancing electronic commerce security
The principal feature of IPsec is that it can encrypt and/or authenticate all traffic at the IP level
✺ Thus all distributed applications (remote logon, client/server, e-mail, file transfer, Web access) can be secured

IPSEC SERVICES
IPsec provides security services at the IP layer by enabling a system to:
✺ Select the required security protocols
✺ Determine the algorithm(s) to use for the service(s)
✺ Put in place any cryptographic keys required to provide the requested services
RFC 4301 lists the following services:
✺ Access control
✺ Connectionless integrity
✺ Data origin authentication
✺ Rejection of replayed packets (a form of partial sequence integrity)
✺ Confidentiality (encryption)
✺ Limited traffic-flow confidentiality

BENEFITS OF IPSEC
When IPsec is implemented in a firewall or router, it provides strong security that can be applied to all traffic crossing the perimeter, while traffic within a company or workgroup does not incur the overhead of security-related processing. IPsec is below the transport layer (TCP, UDP) and so is transparent to applications; there is no need to train users on security mechanisms. This is useful for offsite workers and for setting up a secure virtual subnetwork within an organisation for sensitive applications.

THE SCOPE OF IPSEC
Provides two main functions:
✺
A combined authentication/encryption function called Encapsulating Security Payload (ESP)
✺ A key exchange function (IKE)
Also an authentication-only function, implemented using an Authentication Header (AH)
✺ Because message authentication is provided by ESP, the use of AH is included in IPsecv3 only for backward compatibility and should not be used in new applications
VPNs want both authentication and encryption

TRANSPORT MODE
Provides protection primarily for upper-layer protocols; examples include a TCP or UDP segment or an ICMP packet. Typically used for end-to-end communication between two hosts. ESP in transport mode encrypts and optionally authenticates the IP payload but not the IP header. AH in transport mode authenticates the IP payload and selected portions of the IP header.

TUNNEL MODE
Provides protection to the entire IP packet. Used when one or both ends of a security association (SA) are a security gateway; a number of hosts on networks behind firewalls may engage in secure communications without implementing IPsec themselves. ESP in tunnel mode encrypts and optionally authenticates the entire inner IP packet, including the inner IP header. AH in tunnel mode authenticates the entire inner IP packet and selected portions of the outer IP header.

IPSEC: TUNNEL MODE FORMAT
Tunnel mode makes use of the combined authentication/encryption function (ESP) and the key exchange function.
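Among the RFC 4301 services listed above, rejection of replayed packets is the one with a concrete algorithm behind it: ESP keeps, per inbound SA, a sliding window over the 32-bit sequence number. The following is an added example (not from the lecture and not from any IPsec stack) of that window together with the receive-side ordering that matters in practice: a cheap preliminary window check, then the integrity check value (ICV) verification, and only then the window update, so that a forged packet with a high sequence number can neither advance the window nor push legitimate packets out of it. The integrity algorithm (HMAC-SHA-256 truncated to 128 bits) follows RFC 4868; encryption is omitted so the packet layout stays visible; the SPI, key and payloads are constructed for the illustration.

```python
"""ESP anti-replay window with integrity-first receive processing (RFC 4303 style).

Added example for the IPsec services above; not from the lecture or from any IPsec
implementation. Encryption is left out so SPI || seq || payload || ICV stays readable.
"""
import hashlib
import hmac
import struct

ESP_HEADER = struct.Struct("!II")  # SPI, sequence number
ICV_LEN = 16                       # HMAC-SHA-256-128 (RFC 4868)
SEQ_MAX = 0xFFFFFFFF               # 32-bit sequence number; no Extended Sequence Numbers here


class AntiReplayWindow:
    """Sliding window of the most recent `size` sequence numbers, one per inbound SA."""

    def __init__(self, size: int = 64):
        self.size = size
        self.highest = 0   # highest sequence number accepted so far (0 = nothing yet; seq 0 is never sent)
        self.bitmap = 0    # bit i set => sequence number (highest - i) has been received

    def check(self, seq: int) -> str:
        """Classify a sequence number WITHOUT recording it."""
        if seq == 0 or seq > SEQ_MAX:
            return "invalid"
        if seq > self.highest:
            return "new"
        diff = self.highest - seq
        if diff >= self.size:
            return "stale"                    # fell off the left edge of the window
        return "duplicate" if (self.bitmap >> diff) & 1 else "in-window"

    def update(self, seq: int) -> None:
        """Record `seq`; call only after the packet's ICV has verified."""
        if seq > self.highest:
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1) if shift < self.size else 1
            self.highest = seq
        else:
            self.bitmap |= 1 << (self.highest - seq)


def esp_icv(key: bytes, header: bytes, payload: bytes) -> bytes:
    return hmac.new(key, header + payload, hashlib.sha256).digest()[:ICV_LEN]


def make_esp(key: bytes, spi: int, seq: int, payload: bytes) -> bytes:
    """Sender side. The SA must be rekeyed before the sequence number wraps; it never restarts at 1."""
    if not 1 <= seq <= SEQ_MAX:
        raise ValueError("sequence number exhausted: rekey the SA")
    header = ESP_HEADER.pack(spi, seq)
    return header + payload + esp_icv(key, header, payload)


class InboundSA:
    def __init__(self, spi: int, key: bytes, window_size: int = 64):
        self.spi, self.key = spi, key
        self.window = AntiReplayWindow(window_size)

    def receive(self, packet: bytes) -> str:
        if len(packet) < ESP_HEADER.size + ICV_LEN:
            return "too-short"
        header, payload, icv = packet[:8], packet[8:-ICV_LEN], packet[-ICV_LEN:]
        spi, seq = ESP_HEADER.unpack(header)
        if spi != self.spi:
            return "bad-spi"
        verdict = self.window.check(seq)                       # 1. preliminary replay check (cheap)
        if verdict in ("invalid", "stale", "duplicate"):
            return verdict
        if not hmac.compare_digest(icv, esp_icv(self.key, header, payload)):
            return "bad-icv"                                   # 2. integrity; a forgery must not touch the window
        self.window.update(seq)                                # 3. only now record the sequence number
        return "accepted"


def run_demo() -> list[str]:
    key, spi = b"\x11" * 32, 0x1000                             # constructed SA parameters
    sa = InboundSA(spi, key)

    def good(seq: int) -> bytes:
        return make_esp(key, spi, seq, b"payload-%d" % seq)

    forged_6 = make_esp(b"\x22" * 32, spi, 6, b"payload-6")    # attacker does not hold the SA key
    stream = [good(1), good(2), good(3), good(2), good(5), good(4), forged_6,
              good(6), good(4), good(200), good(136), good(137)]
    return [sa.receive(p) for p in stream]


if __name__ == "__main__":
    print(run_demo())
```

In the demo, packet 4 arriving after packet 5 is still accepted (reordering inside the window is legitimate), the replay of packet 2 and the second copy of packet 4 are dropped, the forged packet 6 fails the ICV and leaves the window untouched so the genuine packet 6 is then accepted, and after packet 200 the window has moved far enough that packet 136 is too old while 137 is still inside.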
For VPNs, both authentication and encryption are generally desired, because it is important both to (1) assure that unauthorised users do not penetrate the VPN, and (2) assure that eavesdroppers on the Internet cannot read messages sent over the VPN.

Tunnel mode format (figure)

REFERENCES
❏ The lecture notes and contents were compiled from my own notes and from various sources.
❏ Figures and tables are from the recommended books.
❏ The lecture notes are very detailed. If you attend the lecture, you should be able to understand the topics.
❏ You can use any of the recommended readings! You do not need to read all the chapters!
❏ Recommended readings note: focus on what was covered in the class.
❐ Chapter 13, Attack and Defence, CEH v11 Certified Ethical Hacker Study Guide
❐ SQL Injection, OWASP site
❐ Chapter 8, Malicious Software and Attack Vectors, Fundamentals of Information Systems Security
❐ Chapters 15, 16 & 17, CyBOK, The Cyber Security Body of Knowledge

Malicious Software 6COSC019W- Cyber Security Dr Ayman El Hajjar February 20, 2024 School of Computer Science and Engineering University of Westminster

OUTLINE
1. Malicious Software
2. Malware Taxonomy
3. Malware Types
4. Payload Classifications
5.
Threats & Countermeasures

Malicious Software

MALWARE
NIST SP 800-83 defines malware as: "A program that is inserted into a system, usually covertly, with the intent of compromising the confidentiality, integrity, or availability of the victim's data, applications, or operating system or otherwise annoying or disrupting the victim."
The NCSC defines malware as: "a term that includes virus, trojans, worms or any code or content that could have an adverse impact on organisations or individuals."

MALICIOUS CODE AND ACTIVITY
❏ Any program that carries out actions that you (the user or system owner) did not intend is considered malicious software (malware)
❏ Malicious code attacks one or more of the three information security properties:
❐ Confidentiality: malware can disclose your organisation's private information
❐ Integrity: malware can modify database records, either immediately or over a period of time
❐ Availability: malware can erase or overwrite files or inflict considerable damage to storage media

CHARACTERISTICS, ARCHITECTURE, AND OPERATIONS OF MALICIOUS SOFTWARE
❏ An attacker gains administrative control of a system and uses commands to inflict harm
❏ An attacker sends commands directly to a system; the system interprets and executes them
❏ An attacker uses software programs that harm a system or that make the data unusable
❏ An attacker uses legitimate remote administration tools and security probes to identify and exploit security vulnerabilities on a network

Malware Classifications

MALWARE CLASSIFICATION APPROACH
❏ The original approach to classifying malware
focuses on how it spreads or propagates through an information system environment to reach the desired target(s)
❏ A more comprehensive approach was developed to consider all dimensions of malware in order to classify it.
❏ This approach is used by the NCSC and contains the following dimensions:
❐ Host dependent or independent
❐ Persistent or transient
❐ Where it installs itself (persistent malware only)
❐ How it is triggered
❐ Static or dynamically updated
❐ Acts alone or as part of a coordinated attack

MALWARE CLASSIFICATION APPROACH
❏ Host dependent or independent malware
❐ Independent (standalone) malware is a complete program that can run on its own once it is installed on a compromised machine and executed.
❐ Host dependent malware requires a host program to run. It cannot run independently, but infects a program on a computer by inserting its instructions into the program or modifying the host code.
❏ Persistent or transient
❐ Persistent malware is installed in persistent storage such as a file system (your hard drive) or an external storage device. It can be either standalone or host dependent.
❐ Transient malware is installed only in volatile memory such as RAM, and so does not survive a reboot.
MALWARE CLASSIFICATION APPROACH
❏ Where it installs itself
❐ This dimension generally applies only to persistent malware (malware that requires installation)
❐ Malware is categorised based on which layer of the system stack it is installed and run on
❐ This could be the firmware, the boot sector, the operating system (kernel) level, a driver, the API layer, or a user application
❏ How it is triggered
❐ Auto-spreading malware runs and then looks for other vulnerable machines on the Internet, compromises them and installs itself on them
❐ User-activated malware runs on a computer only because a user accidentally downloads and executes it, e.g., by clicking on an attachment or URL in a received e-mail

MALWARE CLASSIFICATION APPROACH
❏ Static or dynamically updated
❐ Malware that is supported by an infrastructure and can still communicate with that infrastructure is dynamically updated with new versions regularly.
❐ Static, or one-time, malware has no infrastructure to support it: it is standalone software with no network connection to an external infrastructure.
❏ Acts alone or as part of a coordinated attack
❐ Act-alone malware is isolated malware that runs on its own. It does not participate in a larger-scale attack. Such malware usually has a specific target.
❐ Coordinated malware contributes to a larger-scale attack, as on its own it would not cause much damage. For example, several devices infected by such malware can collectively cause networks or systems to crash (DDoS).
Malware Types

MALWARE CONTENTS
❏ Malware is divided into two parts:
❐ Infection mechanism: how it propagates
❐ The payload: what happens after it reaches the target

THE MAIN TYPES OF MALWARE
❏ Virus
❏ Worms
❏ Trojan horses
❏ Logic bombs
❏ Active content vulnerabilities
❏ Malicious add-ons
❏ Botnets
❏ Denial of service attacks
❏ Spam
❏ Spyware
❏ Adware
❏ Phishing
❏ Keystroke loggers
❏ Hoaxes and myths
❏ Homepage hijacking
❏ Webpage defacements

VIRUS
❏ A piece of software that infects programs
❐ Modifies them to include a copy of the virus
❐ Replicates and goes on to infect other content
❐ Easily spread through network environments
❏ When attached to an executable program, a virus can do anything that the program is permitted to do
❐ Executes secretly when the host program is run
❏ Specific to operating system and hardware
❐ Takes advantage of their details and weaknesses

VIRUS COMPONENTS
Infection mechanism
❏ The means by which a virus spreads or propagates
❏ Also referred to as the infection vector
Trigger
❏ The event or condition that determines when the payload is activated or delivered
❏ Sometimes known as a logic bomb
Payload
❏ What the virus does (besides spreading)
❏ May involve damage, or benign but noticeable activity

VIRUS PHASES (figure)

VIRUS CLASSIFICATIONS: BY TARGET
Boot sector infector
❏ Infects a master boot record or boot record and spreads when a system is
booted from the disk containing the virus
File infector
❏ Infects files that the operating system or shell considers to be executable
Macro virus
❏ Infects files with macro or scripting code that is interpreted by an application
Multipartite virus
❏ Infects files in multiple ways

VIRUS CLASSIFICATIONS: BY CONCEALMENT STRATEGY
Encrypted virus
❏ A portion of the virus creates a random encryption key and encrypts the remainder of the virus
Stealth virus
❏ A form of virus explicitly designed to hide itself from detection by anti-virus software
Polymorphic virus
❏ A virus that mutates with every infection
Metamorphic virus
❏ A virus that mutates and rewrites itself completely at each iteration, and may change behaviour as well as appearance

MALVERTISING
❏ Places malware on websites without actually compromising them
❏ The attacker pays for advertisements that are highly likely to be placed on their intended target websites and incorporates malware in them
❏ Using these malicious ads, attackers can infect visitors to the sites displaying them
❏ The malware code may be dynamically generated, either to reduce the chance of detection or to infect only specific systems
❏ Has grown rapidly in recent years because such ads are easy to place on desired websites with few questions asked and are hard to track
❏ Attackers can place these ads for as little as a few hours, when they expect their intended victims to be browsing the targeted websites, greatly reducing their visibility

CLICKJACKING
❏ Also known as a user-interface (UI) redress attack
❏ A vulnerability used by an attacker to collect an affected user's clicks
❐ A typical attack uses multiple transparent or opaque layers to trick a user into clicking on a button or link on another page when they intended to click on the top-level page
❐ The attacker is hijacking clicks meant for one page and routing them to another page
❐ The attacker can force the user to do a variety of things, from adjusting the user's computer settings to unwittingly sending the user to Web sites that might have malicious code
❏ Using a similar technique, keystrokes can also be hijacked
❐ A user can be led to believe they are typing in the password to their email or bank account, but are instead typing into an invisible frame controlled by the attacker

SOCIAL ENGINEERING
❏ "Tricking" users into assisting in the compromise of their own systems

MACRO AND SCRIPTING VIRUSES
❏ Macro viruses infect scripting code used to support active content in a variety of user document types
❏ They are threatening for a number of reasons:
❐ They are platform independent
❐ They infect documents, not executable portions of code
❐ They are easily spread
❐ Because they infect user documents rather than system programs, traditional file system access controls are of limited use in preventing their spread, since users are expected to modify documents
❐ They are much easier to write or to modify than traditional executable viruses

MACRO AND SCRIPTING VIRUS: TRUSTED DOWNLOAD? (figure)
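The precondition for the clickjacking attack described above is that the victim page can be loaded inside a frame on an attacker-controlled page. The following is an added example (not from the lecture) of the check a code reviewer or scanner applies to a response's headers, and of the matching hardening: the CSP frame-ancestors directive is the current mechanism and X-Frame-Options the legacy fallback, and browsers that understand CSP ignore X-Frame-Options whenever frame-ancestors is present, so a permissive CSP silently overrides a strict X-Frame-Options. The header sets are constructed for the illustration.

```python
"""Can this response be framed? Evaluate and set anti-clickjacking headers.

Added example for the clickjacking material; not from the lecture. Header sets used
in the tests are constructed. Precedence follows the CSP specification: when
frame-ancestors is present, X-Frame-Options is ignored by the browser.
"""
from __future__ import annotations


def _frame_ancestors(csp: str) -> list[str] | None:
    """Return the frame-ancestors source list (lower-cased), or None if the directive is absent."""
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.lower() for t in tokens[1:]]
    return None


def frame_protection(headers: dict[str, str]) -> dict:
    """Decide whether cross-origin framing, the clickjacking precondition, is blocked."""
    h = {k.lower(): v for k, v in headers.items()}           # header names are case-insensitive
    ancestors = _frame_ancestors(h.get("content-security-policy", ""))
    if ancestors is not None:
        # '*', a bare scheme (https:) or a scheme wildcard admits arbitrary origins; 'none', 'self'
        # or an explicit origin list is a closed allowlist. An empty list is malformed: do not rely on it.
        open_to_all = any(a == "*" or a in ("http:", "https:", "*:") or a.startswith("*://")
                          for a in ancestors)
        return {"protected": bool(ancestors) and not open_to_all,
                "mechanism": "csp-frame-ancestors", "allowed": ancestors}
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return {"protected": True, "mechanism": "x-frame-options", "allowed": [xfo.lower()]}
    if xfo.startswith("ALLOW-FROM"):
        # Obsolete value: current browsers ignore ALLOW-FROM entirely, so it gives no protection.
        return {"protected": False, "mechanism": "x-frame-options-allow-from", "allowed": ["*"]}
    return {"protected": False, "mechanism": None, "allowed": ["*"]}


def harden(headers: dict[str, str], allow_self: bool = True) -> dict[str, str]:
    """Return a copy of the response headers with frame-ancestors set and X-Frame-Options as fallback."""
    out = dict(headers)
    existing = out.get("Content-Security-Policy", "")
    if _frame_ancestors(existing) is None:                   # never clobber a policy the app already set
        directive = "frame-ancestors 'self'" if allow_self else "frame-ancestors 'none'"
        out["Content-Security-Policy"] = f"{existing.rstrip('; ')}; {directive}".lstrip("; ")
    out["X-Frame-Options"] = "SAMEORIGIN" if allow_self else "DENY"
    return out


if __name__ == "__main__":
    for name, hdrs in {
        "no headers": {},
        "xfo only": {"X-Frame-Options": "DENY"},
        "permissive csp overrides xfo": {"Content-Security-Policy": "frame-ancestors *", "X-Frame-Options": "DENY"},
        "hardened": harden({"Content-Security-Policy": "default-src 'self'"}),
    }.items():
        print(f"{name:30} -> {frame_protection(hdrs)}")
```

Run the check against every HTML response of an application, not only the login page: a framable settings or transfer page is what the attacker actually overlays.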
ACTIVE CONTENT VIRUS
❏ Active content
❐ Refers to dynamic objects that do something when the user opens a webpage (ActiveX, Java, JavaScript, VBScript, macros, browser plugins, PDF files, and other scripting languages)
❐ Has potential weaknesses that malware can exploit
❏ Active content threats are considered mobile code because these programs run on a wide variety of computer platforms
❏ Users download bits of mobile code, which gain access to the hard disk and do things like fill up the desktop with infected file icons

WORMS
❏ A program that actively seeks out more machines to infect; each infected machine serves as an automated launching pad for attacks on other machines
❏ Exploits software vulnerabilities in client or server programs
❏ Usually carries some form of payload

WORM TECHNOLOGY
1. Multiplatform: worms are not limited to a single operating system.
2. Multi-exploit: worms penetrate systems using a variety of methods.
3. Ultrafast spreading: various techniques are exploited to optimise the rate of spread of the worm.
4. Polymorphic: to evade detection, skip past filters, and foil real-time analysis, worms adopt the virus polymorphic technique.
5. Metamorphic: in addition to changing their appearance, metamorphic worms have a collection of behaviour patterns that are unleashed at different stages of propagation.
6. Zero-day exploit: to achieve maximum surprise and distribution, a worm should exploit an unknown vulnerability that is only discovered by the general network community when the worm is launched.
ROOTKITS
❏ Type of malware that modifies or replaces one or more existing programs to hide the fact that a computer has been compromised
❏ Modifies parts of the operating system to conceal traces of its presence
❏ Provides attackers with access to compromised computers and an easy way to launch additional attacks
❏ Difficult to detect and remove

ROOTKIT CLASSIFICATION CHARACTERISTICS
1. Persistent: Activates each time the system boots. The rootkit must store code in a persistent store, such as the registry or file system, and configure a method by which the code executes without user intervention.
2. Memory based: Has no persistent code and therefore cannot survive a reboot. However, because it exists only in memory, it can be harder to detect.
3. User mode: Intercepts calls to APIs (application programming interfaces) and modifies the returned results.
4. Kernel mode: Can intercept calls to native APIs in kernel mode. The rootkit can also hide the presence of a malware process by removing it from the kernel's list of active processes.
5. External mode: The malware is located outside the normal operation mode of the targeted system, in BIOS or system management mode, where it can directly access hardware.
Payload Classifications

PAYLOAD
❏ Payloads are classified based on the damage or threat they bring to the system
❏ The different classes of payload are:
❐ System Corruption
❐ Attack Agents: Bots
❐ Remote Control Facility
❐ Information Theft: Keyloggers and Spyware
❐ Information Theft: Phishing
❐ Stealthing: Backdoor
❐ Stealthing: Rootkit

System Corruption
❏ Causes damage to physical equipment, as the Stuxnet worm did
❐ Targets specific industrial control system software
❏ There are concerns about the use of sophisticated targeted malware for industrial sabotage

PAYLOAD CLASSES
Attack Agents: Bots
❏ Takes over another Internet-attached computer and uses that computer to launch or manage attacks
❏ Botnet: a collection of bots capable of acting in a coordinated manner
❐ For example, DDoS botnets

Remote Control Facility
❏ A typical means of implementing the remote control facility is an IRC server
❐ Bots join a specific channel on this server and treat incoming messages as commands

PAYLOAD CLASSES
Information Theft: Keyloggers and Spyware
❏ Keyloggers
❐ Capture keystrokes to allow the attacker to monitor sensitive information
❏ Spyware
❐ Subverts the compromised machine to allow monitoring of a wide range of activity on the system

Information Theft: Phishing
❏ Phishing exploits social engineering to leverage the user's trust by masquerading as communication from a trusted source
❐ Includes a URL in a spam e-mail that links to a fake Web site that mimics the login page of a banking, gaming, or similar site
❐ The attacker exploits the account using the captured
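Added example for the Remote Control Facility bullets above (not from the slides): detection logic that groups internal hosts joining the same IRC channel, run over constructed connection-log lines. The log format, addresses, ports, nicknames and channel name are all made up, and the 10.0.0.0/8 internal range is an assumption.

```python
"""Added example (not from the slides): group internal hosts that join the same IRC channel.

All log lines, addresses, ports and names below are constructed. Matching on IRC verbs in
the first payload bytes, rather than on port 6667 alone, also catches bots that talk IRC
on an arbitrary port.
"""
import re
from collections import defaultdict

# Constructed lines: timestamp  src:port -> dst:port  first payload bytes of the session
SAMPLE_LOG = """\
2024-03-26T10:00:01 10.0.0.12:50122 -> 203.0.113.7:6667 NICK bot-a1f3
2024-03-26T10:00:01 10.0.0.12:50122 -> 203.0.113.7:6667 JOIN #cmd-7 k3y
2024-03-26T10:00:04 10.0.0.31:50410 -> 203.0.113.7:8080 NICK bot-77c0
2024-03-26T10:00:04 10.0.0.31:50410 -> 203.0.113.7:8080 JOIN #cmd-7 k3y
2024-03-26T10:00:09 10.0.0.55:50933 -> 198.51.100.2:443 GET /index.html HTTP/1.1
2024-03-26T10:00:11 10.0.0.12:50122 -> 203.0.113.7:6667 PRIVMSG #cmd-7 :!report
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<src>[\d.]+):\d+ -> "
                     r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<payload>.*)$")
IRC_VERBS = ("NICK ", "USER ", "JOIN ", "PRIVMSG ")
IRC_PORTS = {6667, 6697}          # conventional plaintext / TLS IRC ports

def is_internal(ip: str) -> bool:
    """Assumption: the monitored network is 10.0.0.0/8."""
    return ip.startswith("10.")

def analyse(log_text: str) -> dict:
    """Return channel membership per (server, channel) and IRC seen on unusual ports."""
    channels = defaultdict(set)
    odd_ports = set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not is_internal(m["src"]):
            continue
        payload = m["payload"]
        if not payload.startswith(IRC_VERBS):
            continue  # ordinary traffic (e.g. HTTP) is ignored
        if int(m["dport"]) not in IRC_PORTS:
            odd_ports.add((m["src"], int(m["dport"])))
        if payload.startswith("JOIN ") and len(payload.split()) > 1:
            channels[(m["dst"], payload.split()[1])].add(m["src"])
    return {"channels": {k: sorted(v) for k, v in channels.items()},
            "nonstandard_port": sorted(odd_ports)}

if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
```

Several internal hosts sharing one channel on one external server is the signal worth escalating; a single IRC session on a standard port may be a legitimate user.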
