Week1-Week2 (1).pptx
Introduction to Information Security
• Ch1 (Guide to Network Security)
• Many other sources indicated in every slide

Who Am I
• Name: Ahmad Samer Wazan (preferred name is Samer)
• Graduated from Aleppo University (Syria) in 2003
• Worked with Ronaldo Mouchawar in Aleppo between 2003 and 2006
• Associate professor, responsible for the Cybersecurity master (SSIR)
• Master and PhD degrees from Toulouse University, 2007-2011
[Diagram, source unknown: Knowledge vs. No Knowledge → No Job → No Experience → No Good Job]
SEC335 © 2021 Samer Wazan

Golden Rules of the course
• Objective is to help students build KNOWLEDGE
• How do I achieve this objective?
  – Exams are open book:
    • You can use the book, personal notes, slides and even the Internet if the exam is on campus
    • NO MEMORIZATION: exam answers are based on your understanding
  – Strict attendance rules:
    • If you are not present, you are not present (i.e. marked absent); NO NEGOTIATION
  – Grading:
    • No negotiation for grades. Grades are based on your knowledge, not on your capacity for NEGOTIATION
  – Bonus:
    • During the class session, I might ask questions. If you answer them you obtain some bonus marks that will be added to your exam grade
  – Syllabus:
    • The syllabus is the main reference to check before asking any question

How do you achieve this objective?
• You should be INTRINSICALLY MOTIVATED to build your knowledge, to know more about our world. Your learning should not be motivated by rewards, pressures, scholarships…
• READING EVERY DAY: always ask yourselves how many papers and books you are reading every day
• CRITICAL READING: many articles and books don’t necessarily give the correct information. The more you read, the more critical you become
• Ask whatever questions about ANYTHING you don’t understand

Knowledge Building
• “There are known knowns. These are things we know that we know. There are known unknowns.
That is to say, there are things that we know we don’t know. But there are also unknown unknowns. There are things we don’t know we don’t know.” - Donald Rumsfeld
• We know that we know: your current knowledge
• We know that we don’t know: you control your knowledge building
• We don’t know that we don’t know: the BIG PROBLEM

My Library: Know what I don’t Know
• My library has been built since 2008
• Daily reading to reduce “I don’t know what I don’t know”
• Most items here: I know what I don’t know
• Focused reading to build the “I know what I know” from my library

I’m also a student like you

Everyone can do something
• Lang Lang, Salvador Dali, Michael Jordan
• You can play the piano/draw/play basketball without necessarily playing/drawing as well as Lang Lang/Dali/Michael Jordan
• Whatever your previous knowledge, you will understand the course IF YOU WANT

Syllabus Presentation

What is Security?
• The state of being free from danger or threat. [Merriam-Webster dictionary]
• In Utopia (المدينة الفاضلة), there are no dangers
  – No need for security
• In Dystopia, the dangers are always here
  – Security is always needed. Trust cannot be used.
• In real life, the dangers are here but we are not certain when they will show up
  – Security and Trust can be used to make decisions
  – Security helps us to reduce the probability of dangers or threats but not to remove them
  – Trust can be used when someone believes that dangers will not happen but is not certain

Security vs Trust
• In real life, we need to know when to use Trust and when to use Security
• Trust is cheap, efficient and makes trusted people happy.
• Security is expensive, complex and makes controlled people unhappy.
• Use trust whenever it is possible.
• Unfortunately Trust cannot always be used; so we need security.
• Example:
  – Make all exams open book: Trust students → Students are happy → easy to deploy
  – Use a lockdown browser: Security → Students are not happy → more complex preparation of the exam
  – The professor should only propose open book when he believes that students will not cheat

What is Information Security?
• The absence of threats or dangers to the information
  – Systems and hardware that use, store, and transmit information
• Information security includes:
  – Information security management
  – Computer and data security
  – Network security
• What is the relation between Computer Security, Network Security, OS Security, … and Information Security?

Malicious attacks
• Why are we sure that we will always have attacks in the future?
• ROOT CAUSE: ALL TOOLS USED TO MANAGE OUR INFORMATION ARE VULNERABLE, INCLUDING HUMANS

Causal factors
• Universally connected devices
• Increased speed of attacks
• Greater sophistication of attacks
• Availability and simplicity of attack tools
• Faster detection of vulnerabilities
• Delays in patching
  – Weak distribution of patches
• Distributed attacks
• User confusion

Today’s Security Attacks
• Let’s study these examples of attacks by identifying the vulnerable tools
• Examples of attacks
  – Nigerian 419 advance fee fraud
    • Number one type of Internet fraud
  – Malware
    • Identity theft using Firesheep
    • Bogus antivirus software
      – Marketed by credit card thieves
  – Infected USB flash drive devices
  – Phishing
  – Hacking contest
  – Online banking attacks

• Jan 2010: IAEA inspectors visiting the Natanz uranium enrichment plant in Iran noticed that centrifuges used to enrich uranium gas were failing at an unprecedented rate.
• 5 months later, a Belarus AV firm was called in to troubleshoot computers in Iran that were crashing and rebooting repeatedly
• Released in June 2009
• Stuxnet had been sabotaging centrifuges for a year

• 1 Billion USD! 2.5-10m per bank!!!!
• A bank from Ukraine asked Kaspersky to help with a forensic investigation.
  – Money was being mysteriously stolen from ATMs.
  – 3 a.m. call from the CSO of a Russian bank: alerted that data was being sent from their domain to the People’s Republic of China!
• Carbanak malware started with a spear phishing email with a CPL attachment
  – A Carberp-based backdoor was installed

• “KeRanger” encrypts all of the data on Apple Macs
• Forces their owners to pay so that they can regain access to the device.
  – $400/computer in Bitcoins
• Infected through the Transmission BitTorrent client
  – New version removes the malware
• Apple revoked a digital certificate that allowed the software to install itself on computers

• Jeep Cherokee DRIVING @ 70 mph in St. Louis.
• The vents started blasting cold air (maximum setting)
• The radio switched to a local hip hop station and began blaring Skee-Lo at full volume.
  – I spun the control knob left and hit the power button, to no avail.
• Then the windshield wipers and fluid blurred the glass.
• A picture of the two hackers performing these stunts appeared on the car’s digital display!
• Then the accelerator stopped working!

• Survey by Kaspersky Labs and B2B International
• 51% involved financial theft attempts
  – Of whom 10% reported losing money as a result
  – 30%: a hacker gained access to their payment services accounts
  – 9% had fallen for fraudsters’ tricks and entered their credentials on a fake website
© 2013 Course Technology/Cengage Learning. All Rights Reserved.

Information Security Terminology
• Asset
  – Organizational resource being protected
• Exposure
  – Condition or state of being exposed to attack
• Attack
  – Act that causes damage to information or systems
• Loss
  – Single instance of damage to an information asset

Information Security Terminology (cont’d.)
• Threat
  – Entity presenting danger to an asset
• Threat agent
  – Specific instance of a threat
  – Examples: lightning strike, tornado, or a specific hacker
• Vulnerability
  – Weakness or fault in a system
  – Opens up the possibility of attack or damage
• Exploit
  – Technique used to compromise a system

Information Security Terminology (cont’d.)
• Control, safeguard, or countermeasure
  – Security mechanisms, policies, or procedures
• Protection profile or security posture
  – Set of controls that protect an asset
• Intellectual property
  – Works of the mind
  – Inventions, literature, art, logos, and other creative works
• Privacy
  – Information is used in accordance with legal requirements

Risk
• Likelihood that a threat agent will exploit a vulnerability
  – Cannot be eliminated entirely
  – Some degree of risk must be assumed
• What are the elements that define Risk?
• Is there a risk in UTOPIA?
• Options to deal with risk
  – Accept: realize there is a chance of loss
  – Diminish
    • Take precautions
    • Most information security risks should be diminished
  – Transfer risk to someone else
    • Example: purchasing insurance

Critical Characteristics of Information
• Characteristics of information determine its value
• Availability
  – Ability to access information without obstruction
• Accuracy
  – Information is free from errors
• Authenticity
  – Quality or state of being genuine
• Confidentiality
  – Protection from disclosure to unauthorized individuals or systems

Critical Characteristics of Information (cont’d.)
• Data owners
  – Responsible for the security and use of a particular set of information
• Data custodians
  – Responsible for information storage, maintenance, and protection
• Data users
  – End users who work with information

Defining Information Security
• Protections implemented to secure information
  – Authentication
    • Individual is who they claim to be
  – Authorization
    • Grants the ability to access information
  – Accounting
    • Provides tracking of events

Security Models
• Information security model
  – Maps security goals to concrete ideas
• C.I.A. triad
  – Original basis of computer security
Figure 1-3 C.I.A. triad © Cengage Learning 2013

Security Models (cont’d.)
• Three types of information protection, often called CIA:
  – Confidentiality
    • Only approved individuals may access information
  – Integrity
    • Information remains whole, complete, uncorrupted
  – Availability
    • Information is accessible to authorized users

Security Models (cont’d.)
• McCumber cube
  – Graphical description of an architectural approach
  – Widely used in computer and information security
  – 27 cells represent areas to address to secure information systems

Security Models (cont’d.)
Figure 1-4 McCumber cube © Cengage Learning 2013

Balancing Information Security and Access
• Information security must balance protection and availability
  – Allow reasonable access
  – Protect against threats
• Imbalance occurs when:
  – Needs of the end user are undermined

Categories of attackers
– Hackers
– Script kiddies
– Spies
– Insiders
– Cybercriminals
– Cyberterrorists
– Hacktivist or cyberactivist
– Packet monkeys
– Cracker
– Phreaker

Common Threats
• Software piracy
  – Unlawful use or duplication of software IP
• Malicious code or malicious software
  – Computer viruses
    • Macro or boot virus
  – Worms
  – Trojan horses
  – Backdoor, trap door, or maintenance hook
  – Logic bomb
  – Rootkit

Malicious Software
• Malicious software (malware)
  – Enters a computer system:
    • Without the owner’s knowledge or consent
  – Refers to a wide variety of damaging or annoying software

Malware classification
• According to Frank Knight (1):
  – Our finite intelligence can deal with the world, which is composed of infinite objects, because the number of distinguishable properties and objects, as well as their modes of behavior, is limited and relatively stable.
  – Categorization helps us to predict the future
• Malware classification is important to estimate the malware risk (i.e. prediction of the future)
• Different categorizations are possible: behaviour, damage, …
• Every malware can fall into different categories
(1) Risk, Uncertainty and Profit (1921), https://fraser.stlouisfed.org/files/docs/publications/books/risk/riskuncertaintyprofit.pdf

Malware That Spreads
• Viruses
  – Malicious computer code that reproduces itself on the same computer
• Virus infection methods
  – Appender infection
    • Virus appends itself to the end of a file
    • Moves the first three bytes of the original file to the virus code
    • Replaces them with a jump instruction pointing to the virus code

Malware That Spreads (cont’d.)
• Virus infection methods (cont’d.)
  – Swiss cheese infection
    • Viruses inject themselves into executable code
    • Original code transferred and stored inside virus code
    • Host code executes properly after the infection
  – Split infection
    • Virus splits into several parts
    • Parts placed at random positions in the host program
    • Head of virus code starts at the beginning of the file
    • Gives control to the next piece of virus code

Malware That Spreads (cont’d.)
• When an infected program is launched:
  – Virus replicates itself by spreading to another file on the same computer
  – Virus activates its malicious payload
• Viruses may display an annoying message:
  – Or be much more harmful
• Examples of virus actions
  – Cause a computer to repeatedly crash
  – Erase files from or reformat the hard drive
  – Turn off the computer’s security settings

Malware That Spreads (cont’d.)
Figure 2-4 Annoying virus message © Cengage Learning 2012

Malware That Spreads (cont’d.)
• A virus cannot automatically spread to another computer
  – Relies on user action to spread
• Viruses are attached to files
• Viruses are spread by transferring infected files

Malware That Spreads (cont’d.)
• Types of computer viruses
  – Program
    • Infects executable files
  – Macro
    • Infects documents and executes a script
  – Resident
    • Virus infects files opened by the user or operating system
    • Loaded into RAM each time the computer is turned on

Reverse Shell with Macro
Source: https://john-woodman.com/research/malicious-vba-macros-trials-tribulations/

Malware That Spreads (cont’d.)
• Types of computer viruses (cont’d.)
  – Boot virus
    • Infects the Master Boot Record
  – Companion virus
    • Adds a malicious copycat program to the operating system
    • Example: adding notepad.com

Malware That Spreads (cont’d.)
• Worm
  – Malicious program
  – Exploits an application or operating system vulnerability
  – Sends copies of itself to other network devices
• Worms may:
  – Consume resources, or
  – Leave behind a payload to harm infected systems
• Examples of worm actions
  – Deleting computer files
  – Allowing remote control of a computer by an attacker

Malware That Spreads (cont’d.)
Table 2-1 Difference between viruses and worms

Malware That Conceals
• Trojans
  – Program that does something other than advertised
  – Typically executable programs
    • Contain hidden code that launches an attack
  – Sometimes made to appear as a data file
  – Example
    • User downloads a “free calendar program”
    • It seems to be a legitimate document
    • Program scans the system for credit card numbers and passwords
    • Transmits information to the attacker through the network

Malware That Conceals (cont’d.)
• Rootkits
  – Software tools used by an attacker to hide the actions or presence of other types of malicious software
  – Hide or remove traces of log-in records, log entries
  – May alter or replace operating system files with modified versions:
    • Specifically designed to ignore malicious activity
• Removal of a rootkit can be difficult
  – Rootkit must be erased
  – Original operating system files must be restored
  – Reformat the hard drive and reinstall the operating system

Malware That Conceals (cont’d.)
• Logic bomb
  – Computer code that lies dormant
    • Triggered by a specific logical event
    • Then performs malicious activities
  – Difficult to detect before it is triggered
• Backdoor
  – Software code that circumvents normal security to give program access
  – Common practice by developers
    • Intent is to remove backdoors in the final application

Malware That Profits (cont’d.)
• Botnets
  – Computer is infected with a program that allows it to be remotely controlled by an attacker
    • Often the payload of Trojans, worms, and viruses
  – Infected computer called a zombie
• Botnets’ advantages for attackers
  – Operate in the background:
    • Often with no visible evidence of existence
  – Provide a means for concealing the actions of the attacker
  – Can remain active for years

Table 2-3 Uses of botnets

Malware That Profits (cont’d.)
• Spyware
  – Software that gathers information without user consent
  – Usually used for:
    • Collecting personal information
    • Changing computer configurations
• Spyware’s negative effects
  – Slows computer performance
  – Causes system instability

Malware That Profits (cont’d.)
• Adware
  – Program that delivers advertising content:
    • In a manner unexpected and unwanted by the user
  – Typically displays advertising banners and pop-up ads
  – May open new browser windows randomly
  – Can also perform tracking of online activities
  – May hijack the home page

Malware That Profits (cont’d.)
• Keyloggers
  – Program that captures the user’s keystrokes
  – Information later retrieved by the attacker
  – Attacker searches for useful information
    • Passwords
    • Credit card numbers
    • Personal information

Password Attacks
• Password cracking
  – Attempt to bypass access controls
  – Guessing passwords
• Dictionary
  – Trying specific, commonly used passwords
• Rainbow tables
  – Used when the hash of the user’s password is known
• Brute force attacks
  – Trying every possible combination

Denial-of-Service (DoS) and Distributed Denial-of-Service (DDoS) Attacks
• Denial-of-service attack
  – Attacker sends a large number of requests to a target
  – Target system cannot handle the volume of requests
  – System crashes
    • Or cannot handle legitimate requests
• Distributed denial-of-service attack
  – Coordinated stream of requests against a target
  – Occurs from many locations simultaneously

Spoofing
• Technique used to gain unauthorized access to computers
• Intruder sends messages with the fake IP address of a trusted host
  – Modifies the packet headers with the trusted IP
• Newer routers and firewalls can offer protection
Figure 1-6 IP spoofing © Cengage Learning 2013

Man-in-the-Middle Attacks
• Attacker monitors packets from the network
• Modifies packets using IP spoofing techniques
• Inserts packets back into the network
• Can be used to eavesdrop, modify, reroute, forge, divert data
Figure 1-7 Man-in-the-middle attack © Cengage Learning 2013

Sniffers
• Program or device monitoring data traveling over a network
• Can be used for legitimate functions
  – Also for stealing information
• Unauthorized sniffers are virtually impossible to detect
• Shows all data going by, including passwords

E-Mail Attacks
• Mail bomb
  – Attacker reroutes large quantities of e-mail to the target system
  – Poorly configured e-mail systems at risk
• Spam
  – Malicious code may be embedded in attachments

Social Engineering
• Process of using social skills to convince people to reveal access credentials
• Directly
gathering information from individuals
  – Relies on the trusting nature of individuals
• Psychological approaches
  – Goal: persuade the victim to provide information or take action
  – Flattery or flirtation
  – Conformity
  – Friendliness

Social Engineering Attacks (cont’d.)
• Attacker will ask for only small amounts of information
  – Often from several different victims
• Request needs to be believable
• Attacker “pushes the envelope” to get information:
  – Before the victim suspects anything
• Attacker may smile and ask for help

Social Engineering Attacks (cont’d.)
• Impersonation
  – Attacker pretends to be someone else
    • Help desk support technician
    • Repairperson
    • Trusted third party
    • Individuals in roles of authority

Social Engineering Attacks (cont’d.)
• Phishing
  – Sending an email claiming to be from a legitimate source
    • May contain legitimate logos and wording
  – Tries to trick the user into giving private information
• Variations of phishing
  – Pharming
    • Automatically redirects the user to a fraudulent Web site

Social Engineering Attacks (cont’d.)
• Variations of phishing (cont’d.)
  – Spear phishing
    • Email messages target specific users
  – Whaling
    • Going after the “big fish”
    • Targeting wealthy individuals
  – Vishing (voice phishing)
    • Attacker calls the victim with a recorded “bank” message with a callback number
    • Victim calls the attacker’s number and enters private information

Social Engineering Attacks (cont’d.)
• Spam
  – Unsolicited e-mail
  – Primary vehicle for distribution of malware
  – Sending spam is a lucrative business
• Spim: targets instant messaging users
• Image spam
  – Uses graphical images of text
  – Circumvents text-based filters
  – Often contains nonsense text

Social Engineering Attacks (cont’d.)
• Spammer techniques
  – Word splitting
    • Horizontally separating words
    • Can still be read by the human eye
  – Geometric variance
    • Uses speckling and different colors so no two emails appear to be the same
  – GIF layering
    • Image spam divided into multiple images
    • Layers make up one complete legible message
Figure 2-10 Image spam © Cengage Learning 2012

Social Engineering Attacks (cont’d.)
• Hoaxes
  – False warning or claim
  – May be the first step in an attack
• Physical procedures
  – Dumpster diving
    • Digging through trash to find useful information
  – Tailgating
    • Following behind an authorized individual through an access door

Social Engineering Attacks (cont’d.)
• Methods of tailgating
  – Tailgater calls “please hold the door”
  – Waits outside the door and enters when an authorized employee leaves
  – Employee conspires with an unauthorized person to walk together through the open door
• Shoulder surfing
  – Casually observing a user entering a keypad code

Buffer Overflow
• Application error
• Occurs when more data is sent to a buffer than it can handle
• Attacker can take advantage of the consequence of the failure

Example Buffer Overflow (two slides)
Source: https://dcoster.medium.com/getting-your-hands-dirty-exploiting-buffer-overflow-vulnerability-in-c-5f3272b2a7bd

Timing Attacks
• Measuring the time required to access a Web page
• Deducing that the user has visited the site before
  – Presence of the page in the browser’s cache
• Another type of timing attack:
  – Side channel attack on cryptographic algorithms

The ISO 27000 series
• One of the most widely referenced security models
• Gives recommendations for information security management
• See Figure 1-9 for the overall methodology
Table 1-6 ISO 27000 series current and planned standards (www.27000.org) © Cengage Learning 2013

NIST Security Models
• Available from csrc.nist.gov
• Publicly
available
• Free
• Reviewed by government and industry professionals
• Many documents available

IETF Security Architecture
• Security area working group
  – Acts as an advisory board for the IETF
• RFC 2196: Site Security Handbook
  – Good reference
  – Covers five basic areas of security

Benchmarking and Best Business Practices
• Methods used by some organizations
  – To assess security practices
• Federal Agency Security Practices Web site
  – Popular resource for best practices
• SANS Institute
  – Cooperative information security research organization
• Other sources
  – www.cert.org
  – http://www.us-cert.gov
  – https://aecert.ae/en
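The Password Attacks slide lists dictionary, rainbow-table and brute-force attacks as one-line definitions. The script below is an added teaching example, not part of the course slides: it runs each of the three against constructed SHA-256 hashes of a tiny constructed wordlist, counts the work each one needs, and then shows why a per-user salt with a slow key-derivation function (PBKDF2 here) makes the precomputed lookup useless. The wordlist, the "leaked" hashes and the salt are all constructed values.

```python
"""Dictionary, precomputed-table and brute-force attacks on password hashes,
and why a per-user salt plus a slow KDF blunts the precomputed table.
All inputs below are constructed so the script runs offline in well under a second."""
import hashlib
import itertools
from typing import Optional


def sha256_hex(text: str) -> str:
    """Unsalted SHA-256: the kind of verifier a leaked database often contains."""
    return hashlib.sha256(text.encode()).hexdigest()


# Constructed dictionary of "commonly used" passwords.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein", "admin"]


def dictionary_attack(target_hash: str, wordlist) -> Optional[str]:
    """Hash each common password and compare: one hash per guess, per target."""
    for word in wordlist:
        if sha256_hex(word) == target_hash:
            return word
    return None


def build_lookup_table(wordlist) -> dict:
    """Precompute hash -> password once and reuse it against every unsalted hash.
    Rainbow tables apply the same idea with chain compression to cover far more
    passwords than fit in memory; the instant lookup is what matters here."""
    return {sha256_hex(w): w for w in wordlist}


def lookup_attack(target_hash: str, table: dict) -> Optional[str]:
    """Cost per target: one dictionary lookup, no hashing at all."""
    return table.get(target_hash)


def keyspace_size(alphabet_size: int, max_len: int) -> int:
    """Candidates brute force must consider for lengths 1..max_len."""
    return sum(alphabet_size ** n for n in range(1, max_len + 1))


def brute_force(target_hash: str, alphabet: str, max_len: int):
    """Try every combination up to max_len; returns (password, guesses_tried)."""
    tried = 0
    for length in range(1, max_len + 1):
        for combo in itertools.product(alphabet, repeat=length):
            tried += 1
            guess = "".join(combo)
            if sha256_hex(guess) == target_hash:
                return guess, tried
    return None, tried


def salted_hash(password: str, salt: bytes, iterations: int = 100_000) -> str:
    """Mitigation: per-user random salt + deliberately slow PBKDF2.
    The salt defeats a shared precomputed table (one table per salt would be
    needed); the iteration count multiplies the cost of every online guess."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


if __name__ == "__main__":
    table = build_lookup_table(COMMON_PASSWORDS)
    leaked = sha256_hex("qwerty")                   # constructed leaked hash
    print("dictionary:", dictionary_attack(leaked, COMMON_PASSWORDS))
    print("lookup table:", lookup_attack(leaked, table))
    print("brute force:", brute_force(sha256_hex("ab"), "abc", 3))
    print("lowercase+digits, length <= 8:", keyspace_size(36, 8), "candidates")
    salt = b"constructed-random-salt"               # real systems: os.urandom(16)
    print("salted hash in table?", lookup_attack(salted_hash("qwerty", salt), table))
```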