Lecture 2 - Part I (2).pdf

Full Transcript

THE BASICS
 COMPUTER SYSTEMS

o Early 60’s
o Centralized Computing
o Mainframes

o Distributed Computing
o Client-Server
o Cloud Computing

Cybersecurity and Digital Forensics 6
 MAINFRAME
Advantages
- Centralized
- Handle very large
quantity of data

Disadvantages
- Large in Size
- Hard to manage
- Costly

Cybersecurity and Digital Forensics 7
 CLIENT-SERVER

Cybersecurity and Digital Forensics 8
 CLOUD COMPUTING

Cybersecurity and Digital Forensics 9
 WHICH SOLUTION IS BETTER?
Mainframes Cloud Solutions
o Benefits o Benefits
o Reliability and Uptime o Cost Efficiency

⑪
o Performance and Scalability o Flexibility and Agility
o Maintenance and Management
o Security
o Security
o Legacy Systems and o Business Continuity and Disaster
Applications Recovery
o Data Sovereignty and
Compliance
o Concerns
o Integration and Control
o Dependency on Internet
o Latency and Proximity Connectivity
o Security and Privacy Concerns
o Limited Control and Flexibility
o Concerns o Unexpected Cost Management
o Cost Considerations o Downtime and Service Reliability
o Skill Availability and Expertise o Data Transfer Costs

Cybersecurity and Digital Forensics 10
KNOWLEDGE Purpose and
Importance
SECURITY
 KNOWLEDGE 4 efintions :

I-
o Knowledge is defined as a justified, true belief that meets specific
--

criteria for being considered certain or reliable.
-

o Knowledge is the fact or condition of being aware of something.

: o Knowledge is the familiarity, awareness, or understanding of facts,
skills, or concepts, acquired through education, training, or
experience.
4o Knowledge refers to the body of facts, theories, and principles that
-

---

have been systematically acquired and validated through
observation, experimentation, and reasoning within the scientific method
method. using

Cybersecurity and Digital Forensics 12
 KNOWLEDGE IS POWER?

-2 o Gaining knowledge is vital to any organization
o Knowledge and knowing certain things is what
sets an organization apart from others
o Companies that have the best information are
often successful

Cybersecurity and Digital Forensics 13
 SUCCESSFUL COMPANIES
D
o Provided they can utilize knowledge in the
most effective manner
②
o As companies attempt to understand what
their competitors know
o They want toBdefend and keep their
knowledge secretive

Cybersecurity and Digital Forensics 14
KNOWLEDGE SHARING-
PROTECTION
CHALLENGE
 THE CHALLENGE

o A company must find effective ways of allowing their
employees to share their knowledge
o Create a comprehensive body of knowledge that
can be used throughout the company
o However, this must be done in a secure way
o Once the knowledge is available to competitors, the
advantage of being the sole owner is lost

Cybersecurity and Digital Forensics 16
 INFORMATION TECHNOLOGY SERVICES

Cybersecurity and Digital Forensics
DOS & DDOS ATTACKS
 DOS DEFINITION

o DoS is an acronym for:
o Denial of Service
o A DoS is defined as an act of making one or more
computer systems unavailable
o The system cannot perform its normal function
o e.g. System cannot take orders for products, or

Ex o taking donations at a charity organization, or
o isplaying information, etc.

Cybersecurity and Digital Forensics 19
 DOS DEFINITION

o A DoS is defined as an act of making one or more
computer systems unavailable
o The system cannot perform its normal function
o E.g. System cannot take orders for products, or
o Taking donations at a charity organization, or
o Displaying information, etc.

Cybersecurity and Digital Forensics 20
 DOS TYPES

Logic attack

Flooding attack

Cybersecurity and Digital Forensics 21
 DOS TYPES

Logic attack
Exploits the SW vulnerabilities to remotely
crash servers

Flooding attack

Cybersecurity and Digital Forensics 22
 DOS TYPES

Logic attack
Exploits the SW vulnerabilities to remotely
crash servers

Flooding attack
Flood victim’s resources by massive
number of bogus requests

Cybersecurity and Digital Forensics 23
 DOS EXAMPLES AND SOURCE(S)

o Logic attack
o( Ping of Death
o very large packet
o crashing victim’s server
o Flooding attack
o Buffer overflow
!
o ICMP flood
oS SYN flood
o Sources
o One machine (DoS)
o Multiple machines (DDoS) (more common and effective)

Cybersecurity and Digital Forensics 24
DOS ATTACK METHODS
 IN SUMMARY

o Bandwidth Reap
o SYN Attack
o SMURF Attack
o FRAGGLE Attack
o Ping Flooding Attack
o UDP Flooding Attack
o BONK and Teardrop Attacks

Cybersecurity and Digital Forensics 26
 1. BANDWIDTH REAP

o The attacker floods the network beyond its
bandwidth
o Attackers use many machines to generate bogus
requests
o Overwhelming the network
o Preventing legitimate users from accessing
resources

Cybersecurity and Digital Forensics 27
 2. SYN ATTACK

o Makes use of the TCP handshake process
o The attacker sends the connection request (SYN)
o The victim machine responds back (SYN/ACK)
o Waiting for acknowledgment from sender (ACK)
o The attacker never sends the final acknowledgment
o The connection table fills up quickly and legitimate
users cannot gain access

Cybersecurity and Digital Forensics 28
 2. SYN ATTACK

o Makes use of the TCP handshake process
o The attacker sends the connection request (SYN)
o The victim machine responds back (SYN/ACK)
o Waiting for acknowledgment from sender (ACK)
o The attacker never sends the final acknowledgment
o The connection table fills up quickly and legitimate
users cannot gain access

Cybersecurity and Digital Forensics 29
 3. SMURF ATTACK

o Third-party server attacks the victim machine by
acting as a simple proxy on behalf of the attacker
o This process requires 3 machines; the attacker, the
proxy, and the victim
o The attacker uses ICMP packets to proxy machines
with source IP spoofed to that of target machine
o The proxy machine responds to the spoofed IP with
the unsolicited responses

Cybersecurity and Digital Forensics 30
 4. FRAGGLE ATTACK

o Like SMURF
o But uses UDP echo packets instead of ICMP

Cybersecurity and Digital Forensics 31
 5. PING FLOODING ATTACK
-

o Simply, sends a massive number of& ICMP ping
requests to the target machine
o More effective when the attacking machine has a
higher bandwidth than the target machine

Cybersecurity and Digital Forensics 32
 6. UDP FLOODING ATTACK
-

&
o The attacker sends a huge number of UDP packets
to consume the target’s resources
o Since it is a UDP, it does not require a connection
setup first
o The attacker sends the UDP packet with a random
port of target machine
o The target machine replies with a “port
unreachable”
o The target machine crashes when enough UDP
packets are sent by the attacker

Cybersecurity and Digital Forensics 33
 6. UDP FLOODING ATTACK

o The attacker sends a huge number of UDP packets
to consume the target’s resources
o Since it is a UDP, it does not require a connection
setup first
o The attacker sends the UDP packet with a random
port of target machine
o The target machine replies with a “port
unreachable”
o The target machine crashes when enough UDP
packets are sent by the attacker

Cybersecurity and Digital Forensics 34
 7. BONK AND TEARDROP ATTACKS

o Old-style attacks against old Windows OSs
o TearDrop manipulates the offset fields of a
fragment in a TCP/IP packet
o The target machine tries to reconstruct the packet,
but fails
o BONK is like TearDrop but it manipulates the
fragment offset to make the packet seems too large
to reassemble
o Both methods cause the machine to crash

Cybersecurity and Digital Forensics 35
 7. BONK AND TEARDROP ATTACKS

o Old-style attacks against old Windows OSs
o TearDrop manipulates the offset fields of a
fragment in a TCP/IP packet
o The target machine tries to reconstruct the packet,
but fails
o BONK is like TearDrop but it manipulates the
fragment offset to make the packet seems too large
to reassemble
o Both methods cause the machine to crash

Cybersecurity and Digital Forensics 36
ATTACK MITIGATION
 DOS CHARACTERISTICS

o DoS can be launched easily but is hard to defend
o DoS does not provide the attackers access to
computing devices of victims, but denies access to
legitimate users
o Causes capital expenditure loss

Cybersecurity and Digital Forensics 5
 DOS CHARACTERISTICS

o DDoS tools are available widely
o Some tools can be used to mitigate and protect
against DoS attacks (e.g. filtering), and possibly
identify the attackers
o Knowledgeable individuals may be capable of
launching attacks by themselves without
compromising third-party computers

Cybersecurity and Digital Forensics 6
 TOOLS AVAILABILITY

o Many tools are available to perpetrate a DoS attack
o Some tools are built-in in OS kernel (e.g. ping)
o Some tools are provided with GUI
o Preventive measures are needed to stop these
attacks

Cybersecurity and Digital Forensics 7
 SYMPTOMS

It is normal that a popular site experience spikes in
regular traffic
However, certain indicators of probable attack should
be noticed
Programs running slowly
High failure rates for HTTP services
Large number of connection requests arrive from various networks
Users’ complaints about slow or no site access
The machine experience an unexpected very high CPU load

Cybersecurity and Digital Forensics 8
 PREVENTIVE MEASURES

o Strict adherence to some fundamental security
policies and procedures
o Keeping up-to-date systems (always apply vendor
patches once available)
o Continuous monitoring of the system to discover
any intrusions
o Check incoming traffic packets for source IP
addresses; if not valid the router should drop the
packets

Cybersecurity and Digital Forensics 9
 UNDER ATTACK MEASURES

o Now, you are under attack …
o What to do?
o Trace back the packets to know the source
o May not be helpful if the source IP address is spoofed
o Once found, put a filter to block the traffic (time
consuming effort)

Cybersecurity and Digital Forensics 10
 UNDER ATTACK MEASURES

o You can limit the rate of the traffic if the
type of the traffic is known (bandwidth
limit)
o Black hole filtering: ISP can send the
offending traffic to a null location

Cybersecurity and Digital Forensics 11
 ATTACK MITIGATION TECHNIQUES

1 Bandwidth limitations
o
o Traceback suspicious sources of attacks
2a
3 o Mitigation
②
-

D
o Offered by vendors like VeriSign, Symantec
o Uses traffic cleaning center at peering points on the
-

internet
o These nodes scrub the traffic and directing only clean
traffic to web servers

Cybersecurity and Digital Forensics 12
ISSUES AND CONCERNS
 DISTRIBUTED COMPUTING CONCERNS

o Without prepared and effective information security
plan, organizations face important challenges
o Especially, when dealing with distributed computing
and knowledge security

Cybersecurity and Digital Forensics 14
 DISTRIBUTED COMPUTING CONCERNS

o Known issues:
o Costs and risks associated with data leaking
o Determining responsible parties
o Creating a security culture fostering employee
accountability and liability
o Ongoing, recurring costs of management

Cybersecurity and Digital Forensics 15
 KEY ISSUES IN THE
PROTECTION OF DATA
WHAT DO YOU KNOW
ABOUT WIKILEAKS?
 DATA CLASSIFICATION

o The incident of WikiLeaks was a wakeup call for all
government organizations responsible for
safeguarding sensitive information
o IT personnel can protect information easily by
instituting strong data classification controls
o Two Data Classifications i
o Military-based
In data classification
o Public data classification
2 -

Cybersecurity and Digital Forensics 18
 TSCSU

1 MILITARY-BASED CLASSIFICATION
-

o Top Secret
o Never disclose; damage can be grave
oS Secret
o Serious damage can be caused if disclosed
oC Confidential
o Damage can be caused if disclosed
-

o Sensitive but unclassified
S

o Avoid disclosure
-

oS Unclassified
o No damage can be caused if released
-

Cybersecurity and Digital Forensics 19
 CPSP
2 =

PUBLIC DATA CLASSIFICATION

o Confidential
o Highest level of sensitivity and disclosure could cause
serious damage to company
o Private
o Only for company use
-

o Sensitive
o Requires protection
- -

o Public
o No damage caused if disclosed
-

Cybersecurity and Digital Forensics 20
METHODS OF PROTECTION
 PROTECTION METHODS

o Current methods for protecting distributed
computing environments and knowledge security
include, but not limited to:
o Establishing trust in employees, computers, and
resources
o Technical solutions are not always the answer to establish trusts.
o How to trust employees?!!
o Background check?! Seems ok.. but …
o What about the future?
o Creating a security policy and fostering a security culture
o Protecting data through encryption and data classification
7 7

Cybersecurity and Digital Forensics 22
 MITIGATION SOLUTIONS

o A few solutions exist
o Only a small percentage of
organizations have changed their
structure:
o Moving large, organizational structures
to smaller, manageable units
o Determining how to transition
employee motivations from altruistic to
extrinsic reasons
o Reevaluating security policies and
adding effective preventative
measures

Cybersecurity and Digital Forensics 23