Lesson 1-Introduction and Security Trends



  1. Lesson 1-Introduction and Security Trends

  2. Security “If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.” -- Sun Tzu - The Art of War

  3. Understanding Network Security
  • Network security
    • The process by which digital information assets are protected from unauthorized destruction, alteration or disclosure.
    • Provides assurance that the network performs its critical functions correctly, without harmful side effects.
  • Goals - CIA
    • Protect Confidentiality – against unauthorized disclosure
    • Maintain Integrity – against unauthorized alteration
    • Assure Availability – against denial of access (data or services not available when needed)

  4. Yesterday and Today
  • Fifty years ago:
    • Few people had access to a computer system or a network.
    • Companies did not conduct business over the Internet.
  • Today, companies rely on the Internet to operate and conduct business.
  • Terrorists have targeted people and physical structures.
  • The average citizen is more likely to be the target of a computer attack than to be the direct victim of a terrorist attack. Cyberterrorism is a different kind of threat.

  5. Security Problem
  • As of the first of 2006:
    • 150,000 virus outbreaks in 2005.
    • The anti-virus market reached $3.7 billion in annual revenue last year, and the newer, faster-growing anti-spyware segment more than doubled from the year before, to $97 million.
    • Phishing and keystroke logging had generated losses of $2.75 billion (as of 8/2/05).
    • In 2005 phishing alone cost $2.65 billion.
  • One of the best-known security surveys is the joint survey conducted annually by the Computer Security Institute (CSI) and the FBI.
  • Electronic crime can take different forms:
    • Crimes in which the computer is the target of the attack.
    • Incidents in which the computer is the means of perpetrating a criminal act (for example, bank fraud).

  6. History
  • Crimes in which computers were targeted, and incidents in which computers were used to commit crimes.
  • Morris Worm – Nov. 1988 - Infected 10 percent of the machines (approximately 6,000) connected to the Internet at that time. The worm caused an estimated $100 million in damage, though this number has been the subject of wide debate.
  • Citibank and Vladimir Levin – June – Oct 1994 - Levin and his accomplices had transferred an estimated $10 million before getting caught. Eventually all but about $400,000 was recovered. Levin reportedly accomplished the break-ins by dialing into Citibank's cash management system.
  • Kevin Mitnick – Feb 1995 - Mitnick admitted to having gained unauthorized access to a number of computer systems belonging to companies such as Motorola, Novell, Fujitsu, and Sun Microsystems.
  • Omega Engineering and Timothy Lloyd – Jul 1996 - On July 30, 1996, a software "time bomb" (a logic bomb) at Omega Engineering deleted all of the company's design and production programs. This severely damaged the small company, forcing the layoff of 80 employees.

  7. History
  • "jester" and the Worcester Airport – Mar 1997 - In March 1997, airport services to the FAA control tower, as well as emergency services at the Worcester Airport and the community of Rutland, Massachusetts, were cut off for six hours. The disruption was the result of a series of commands sent by a teenage computer "hacker" who went by the name "jester" and who had gained unauthorized access to the "loop carrier system" operated by NYNEX.
  • Solar Sunrise – Feb 1998 - During a period of increased tension between the United States and Iraq, and the subsequent military preparations, a series of computer intrusions occurred at a number of military installations in the United States. Over 500 domain name servers were compromised during the attacks. Tracking the actual origin of the attacks was difficult because the attackers made a number of "hops" between different systems, averaging eight systems before reaching the target. The attackers eventually turned out to be two teenagers from California and their mentor in Israel.

  8. History
  • Melissa Virus – Mar 1999 - Melissa is the best known of the early macro viruses; it attached itself to Microsoft Word 97 and Word 2000 documents. The virus was written and released by David Smith. It infected about a million computers and caused an estimated $80 million in damages, clogging networks with traffic and causing problems for e-mail servers worldwide. Whenever an infected file was opened, a macro infected the current host and also sent the document to the first fifty addresses in the individual's address book.
  • Love Letter Worm – May 2000 - The worm spread via e-mail with the subject line "ILOVEYOU." The number of infected machines worldwide may have been as high as 45 million. Like the Melissa virus, the Love Letter Worm spread as an e-mail attachment; in this case, instead of macros, the attachments were VBScript programs.
  • Code-Red Worm – 2001 - On July 19, 2001, over 350,000 computers connected to the Internet were infected by the Code-Red worm, in only 14 hours. Damages caused by the worm (including variants released on later dates) exceeded $2.5 billion. The vulnerability exploited by the Code-Red worm had been known for a month.

  9. History
  • Adil Yahzy Shakour – Aug 2001 – May 2002 - Shakour accessed several computers without authorization, including Eglin Air Force Base (where he defaced the web site), Accenture (a Chicago-based management consulting and technology services company), Sandia National Laboratories (a Department of Energy facility), and Cheaptaxforms.com. At Cheaptaxforms.com, Shakour obtained credit card and personal information, which he used to purchase items worth over $7,000 for his own use.
  • Slammer Worm – 2003 - The Slammer worm was released on Saturday, January 25, 2003. It exploited a buffer-overflow vulnerability in computers running Microsoft SQL Server or Microsoft SQL Server Desktop Engine. The vulnerability was not new: it had been discovered in July 2002, and Microsoft had released a patch for it even before it was announced. By the next day, the worm had infected at least 120,000 hosts and caused network outages and disruption of airline flights, elections, and ATMs. Slammer-infected hosts generated 1 TB of worm-related traffic every second. The number of infected hosts doubled every 8 seconds; it took less than ten minutes for the worm to reach global proportions and infect 90 percent of the hosts it could infect.

  10. Phishing
  • Phishing is a form of social engineering, characterized by attempts to fraudulently acquire sensitive information, such as passwords and credit card details, by masquerading as a trustworthy person or business in an apparently official electronic communication, such as an e-mail or an instant message.
  • In its simplest form, phishing involves sending out fake e-mail messages that ask recipients to enter personal information, such as bank account numbers, PINs or credit card numbers, into forms on Web sites designed to mimic bank or e-commerce sites.
  • Many fake sites are online for just two or three days, and most of the actual phishing activity takes place in the first 24 hours after the messages are sent, experts say.
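The second bullet describes a mechanical trick, a message whose links claim to be the bank's but resolve somewhere else, and that trick can be checked for mechanically. The scanner below is an added example written for this page, not code from the slides; it pulls the anchors out of an HTML message and reports the usual tells: link text naming one domain while the href goes to another, a raw IP address as the host, and the user@host form that puts the real host after an "@". The sample message, the domains examplebank.com and evil.example, and the address 203.0.113.5 are all constructed for the demo; the registrable-domain helper is a deliberate two-label approximation (a real tool would consult the public suffix list).

```python
"""Flag the usual phishing tells in an HTML e-mail. Added example; the sample
message and every domain in it are constructed, not taken from a real campaign."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the message."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


_DOMAIN_IN_TEXT = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)
_IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def registrable_domain(host):
    """Crude approximation (last two labels); a real tool uses the public suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def analyze_link(href, text):
    """Return human-readable findings for one link; an empty list means nothing odd."""
    findings = []
    parts = urlsplit(href)
    host = parts.hostname or ""
    if parts.scheme not in ("http", "https"):
        findings.append(f"non-web scheme {parts.scheme!r}")
    if parts.username is not None:
        # https://www.examplebank.com@evil.example/ : the browser goes to evil.example
        findings.append(f"userinfo {parts.username!r} placed before the real host {host!r}")
    is_ip = bool(_IPV4.fullmatch(host))
    if is_ip:
        findings.append("raw IP address used as host")
    shown = _DOMAIN_IN_TEXT.search(text)
    if shown and host and not is_ip:
        shown_dom = registrable_domain(shown.group(1))
        real_dom = registrable_domain(host)
        if shown_dom != real_dom:
            findings.append(f"text shows {shown_dom} but link goes to {real_dom}")
    return findings


def scan_email_html(html):
    """Map each suspicious href in the message to its list of findings."""
    collector = _LinkCollector()
    collector.feed(html)
    report = {}
    for href, text in collector.links:
        findings = analyze_link(href, text)
        if findings:
            report[href] = findings
    return report


# Constructed sample message (not a real phishing e-mail).
SAMPLE_EMAIL = """
<p>Dear customer, please verify your account:</p>
<a href="https://examplebank.com.evil.example/verify">examplebank.com</a><br>
<a href="http://203.0.113.5/login">https://www.examplebank.com/login</a><br>
<a href="https://www.examplebank.com@evil.example/secure">Secure login at www.examplebank.com</a><br>
<a href="https://www.examplebank.com/help">www.examplebank.com</a>
"""

if __name__ == "__main__":
    for href, findings in scan_email_html(SAMPLE_EMAIL).items():
        print(href)
        for finding in findings:
            print("   -", finding)
```

Only the fourth link survives the checks; the other three are flagged for the subdomain trick, the bare IP, and the userinfo trick respectively. The checks are heuristics, so a clean result says nothing about a link whose text is just "Click here".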

  11. Malware
  • The term malware (malicious code) refers to software designed for a nefarious purpose. It may cause damage by:
    • Deleting files.
    • Performing undesirable tasks without your knowledge or permission.
    • Modifying operating system and PC settings.
    • Creating a backdoor in the system to grant access to unauthorized individuals.
  • Although there is no official breakdown, malware can be divided into several broad categories: adware, spyware, hijackers, toolbars, phishing, rootkits, viruses, worms, Trojan horses, data mining and dialers.
  • It is very common for people to use the words adware, spyware, and malware interchangeably.
  • Anti-virus software alone does not protect you from all of these.

  12. Infectious Malware - Virus
  • A virus is a type of malicious code that replicates by attaching itself to an authorized piece of executable code.
    • File infector
    • Boot sector
    • Macro (e.g., Microsoft Office macro viruses)
    • Stealth and polymorphic viruses
  • A program (file infector) virus attaches itself to executable files.
    • The virus is attached in such a way that it executes before the program.
  • Avoiding viruses
    • Good PC practices
    • Antivirus software

  13. Infectious Malware - Worms
  • A worm is code that attempts to penetrate networks and computer systems and creates a copy of itself.
  • Reproduction of a worm, unlike that of a virus, does not rely on attaching the malicious code to another piece of code or a file.
  • The blurring of the distinction between viruses and worms has come about because of the attachment of malicious code to e-mail.
  • The important distinction, however, is whether the code has to attach itself to something else (a virus), or can "survive" on its own (a worm).

  14. Concealment Malware - Trojan Horses
  • A Trojan horse (Trojan) is a stand-alone program that must be copied or installed by the user and appears to do one thing but hides another action.
  • The challenge for the attacker is enticing the user to copy and run the program.
  • To prevent a Trojan from entering a system:
    • Never run software if unsure of its origin, security, and integrity.
    • Use antivirus programs to detect and prevent the installation of known Trojans.
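Slides 12 and 14 both end by pointing at antivirus software, and the slides' mention of polymorphic viruses is the reason that advice is incomplete. The block below is an added example, not code from the slides or from any AV vendor: a signature scanner of the classic kind (exact hash of a known sample, plus a byte pattern found inside it), run over a throwaway directory. It uses the EICAR test string, the industry-standard harmless file that AV engines are expected to detect, and then shows that XOR-encoding the very same payload defeats both signatures, which is the whole point of polymorphic code. File names and the XOR key are constructed for the demo.

```python
"""A minimal signature scanner of the kind the 'antivirus software' bullets rely on, and a
demonstration of why a fixed signature is beaten by re-encoding the same payload.
Added example, not from the slides."""
import hashlib
import os
import tempfile

# The EICAR test string: a harmless file that every AV engine is expected to detect.
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# Two signature styles: an exact hash of a known sample, and a byte pattern found inside it.
HASH_SIGNATURES = {hashlib.sha256(EICAR).hexdigest(): "EICAR-Test-File (hash)"}
BYTE_SIGNATURES = {b"$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$": "EICAR-Test-File (pattern)"}


def scan_bytes(data):
    """Return the names of every signature that matches the given file contents."""
    hits = []
    digest = hashlib.sha256(data).hexdigest()
    if digest in HASH_SIGNATURES:
        hits.append(HASH_SIGNATURES[digest])
    for pattern, name in BYTE_SIGNATURES.items():
        if pattern in data:
            hits.append(name)
    return hits


def scan_tree(root):
    """Walk a directory and map each detected file (path relative to root) to its hits."""
    detections = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as f:
                    data = f.read()  # fine for a demo; a real scanner streams large files
            except OSError:
                continue
            hits = scan_bytes(data)
            if hits:
                detections[os.path.relpath(path, root)] = hits
    return detections


def xor_encode(data, key=0x5A):
    """Trivial 'polymorphic' transform: identical payload, different bytes on disk.
    Applying it twice restores the original (key is a constructed demo value)."""
    return bytes(b ^ key for b in data)


def demo():
    """Build a throwaway directory with four constructed files and scan it.
    eicar.com hits both signatures; eicar_with_note.txt only the pattern (its hash changed);
    the XOR-encoded copy and the benign file are missed entirely."""
    with tempfile.TemporaryDirectory() as root:
        samples = {
            "eicar.com": EICAR,
            "eicar_with_note.txt": b"note to self\n" + EICAR,
            "eicar_encoded.bin": xor_encode(EICAR),
            "readme.txt": b"nothing to see here\n",
        }
        for name, content in samples.items():
            with open(os.path.join(root, name), "wb") as f:
                f.write(content)
        return scan_tree(root)


if __name__ == "__main__":
    for path, hits in sorted(demo().items()):
        print(f"{path}: {', '.join(hits)}")
```

The encoded copy is the same program once a small decoder stub runs it, yet neither signature fires. That gap is why real engines add emulation and behavioural heuristics on top of signatures, and why the slides' "never run software of unknown origin" advice matters even with antivirus installed.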

  15. Malware for Profit
  • Spyware, botnets, loggers, and dialers
  • Botnets are harder to trace - Botnets are networks of computers infected with code that allows attackers to control them. Once grouped together, a botnet is illegally used to send spam, propagate viruses, and carry out DDoS (distributed denial of service) attacks aimed at making a Web site unavailable.
  • Keyloggers - Keep track of all your keystrokes and can record credit card information, passwords, addresses, etc.
  • Dialers - Programs that use a computer's modem to dial out to a toll number or Internet site, typically to accrue charges. Dialers can be installed with or without a user's explicit knowledge, and may dial without the user's specific consent.

  16. Malware for Profit - Spyware
  • Generally gets onto a PC through freeware or shareware; also through e-mail or instant messages, or by someone with access to the user's computer.
  • A program that sends information from your computer to another location on the Internet without your knowledge and without your explicit consent. The collectors then sell the use of this information to advertisers, who purchase the opportunity to make ads pop up.
  • Automatically starts each time you start your computer.
  • Runs in the background where you can't see it.
  • Some people believe that spyware has advantages, like delivering "wanted" advertisements to you while you are surfing the net, somewhat like TV.
  • Analysis of spyware data (your personal information) is now a big, thriving enterprise.
  • Tracks web site visits.
  • Has an auto-update feature that updates the spyware automatically.

  17. Spyware Symptoms
  • Top 10 symptoms of spyware:
    • Slow computer performance.
    • System instability - PC freezes up, reboots, or loses information.
    • New toolbars, links, menus or buttons.
    • New shortcuts on your desktop or in the system tray.
    • Hijacked home page.
    • Hijacked search results.
    • New "page cannot be displayed" landing page.
    • Abnormal increase in pop-ups.
    • Unusual number of hyperlinks.
    • Ending up on unknown websites.

  18. Active Spyware
  • Websearch Toolbar
  • Hotbar
  • CoolWeb Toolbar
  • My Search Toolbar
  • Tro.DesktopScam
  • E-Zula
  • Comet Cursor
  • Bonzai Buddy
  • Jupiter Double Click
  • Alexz
  • Adware.cmdService
  • SaveNow
  • YourSiteBar

  19. Statistics
  • 8 out of 10 PCs are infected with some sort of spyware, with an average of 24.4 spies per PC scanned.
  • Microsoft estimates that 50% of all PC crashes are due to spyware.
  • Dell reports that 20% of all technical support calls involve spyware.
  • The growth of spyware is exponential.
  • 50% of all free software is bundled with spyware.
    • "Data mining" companies pay a lot of money to smaller developers to include spyware with their products.
    • This offer is very enticing for small companies; it helps them survive.

  20. Spyware – Data Mining/Trackware
  • Data Miner - The application is designed to collect information about the user and does so actively. This may or may not include transmission of the information to a remote server. The information collected is disclosed to the user via a privacy policy and/or license agreement (EULA). The EULA is where they ask you for permission to install their software; by clicking "OK" you have given them permission to do this, and often more.
  • Adware - Content designed to display advertising to the user that may not be expected or wanted. While some also categorize advertising applications that include tracking features or capabilities as adware, we place them within more descriptive categories, such as Trackware or Data Miner, to give the user more information. Adware is generally innocuous; consumers may want to remove it if they no longer wish to receive the advertising content, or keep it if the program is required for the use of a host application.

  21. Concealment Malware - Rootkits
  • Rootkits
    • A stealth technique that makes the malware virtually undetectable from inside the running system: a program can be loaded on your hard drive and running on the system and, no matter what you do, you can't see it. Essentially it modifies the way the OS itself works by compromising the kernel.
  • How does it get into the PC?
    • Downloadable spyware and malware, freeware, file-sharing systems; you could have one on your system right now.
  • How can the PC be protected?
    • Rootkits are hard to detect and remove, and none of the anti-spyware tools, Ad-Aware or Spybot Search & Destroy, are effective against them.
    • Microsoft is developing a project called GhostBuster.
    • RootkitRevealer at sysinternals.com.
    • The latest issue of Phrack magazine and rootkit.com are full of rootkit source code.
  • Rootkit techniques can also be used for legitimate reasons.
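The slide says a rootkit hides by changing how the OS answers, and names RootkitRevealer, whose approach is cross-view detection: take the same inventory through the high-level interface a rootkit typically hooks and again through a lower-level path, and anything only the lower path sees is suspect. The block below is an added example of that idea applied to the Linux process list, not the slide's material and not Sysinternals' code: the high-level view is readdir() on /proc (what ps and top use), the low-level view is brute-force kill(pid, 0), which the kernel answers for every existing PID whether or not a directory listing was filtered. It assumes Linux (a /proc filesystem) and caps the sweep at 65536 PIDs for speed; non-leader threads, which answer kill() but are never listed, are recognised by their Tgid so they are not reported as hidden.

```python
"""Cross-view process detection on Linux: readdir(/proc) versus kill(pid, 0).
Added example, not from the slides; requires /proc, returns None elsewhere."""
import os

PROC = "/proc"


def visible_pids():
    """High-level view: process IDs that readdir() on /proc lists (what ps and top use)."""
    return {int(name) for name in os.listdir(PROC) if name.isdigit()}


def probed_pids(limit):
    """Low-level view: ask the kernel about every PID below `limit` with signal 0.
    Success or EPERM means the PID exists; ESRCH means it does not. A hook that
    filters directory listings does not change the answer to kill()."""
    found = set()
    for pid in range(1, limit):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass
        found.add(pid)
    return found


def _is_thread(pid):
    """Non-leader threads answer kill() but are not listed by readdir(); /proc/<tid>/status
    is still reachable by path and its Tgid differs from the tid. Those are not hidden."""
    try:
        with open(f"{PROC}/{pid}/status") as f:
            for line in f:
                if line.startswith("Tgid:"):
                    return int(line.split()[1]) != pid
    except OSError:
        pass
    return False


def hidden_pids(limit):
    """PIDs the kernel admits exist but readdir(/proc) never showed, minus threads.
    The listing is taken before and after the sweep so a process that merely starts
    or exits while the sweep runs is not reported."""
    before = visible_pids()
    probed = probed_pids(limit)
    after = visible_pids()
    return {pid for pid in probed - (before | after) if not _is_thread(pid)}


def cross_view_check(max_pid=1 << 16):
    """Run both views and report. Returns None where there is no /proc (non-Linux)."""
    if not os.path.isdir(PROC):
        return None
    me = os.getpid()
    limit = max(max_pid, me + 1)  # cap the sweep for speed, but always cover ourselves
    return {
        "self_visible": me in visible_pids(),
        "self_probed": me in probed_pids(limit),
        "hidden": hidden_pids(limit),
    }


if __name__ == "__main__":
    print(cross_view_check())
```

On a clean system the hidden set is empty. A rootkit that hooks getdents() to drop its own directory entry but leaves the signal path alone shows up here; a more thorough kernel rootkit also filters kill(), which is why real detectors compare several independent views (PID lists, open ports, files on disk versus raw block reads) rather than one pair.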

  22. Summary of Effects
  • Collection of data from your PC without your consent.
  • Execution of malicious code without your knowledge.
  • Collects data pertaining to your habitual use and sells it to marketing companies.
  • Makes it impossible to remove the software by standard methods, and sometimes at all.
  • Performs other undesirable tasks on your PC, such as using your PC as a go-between for other PCs and their servers.
  • Control Panel will not open, or takes 5-10 minutes to open.
  • Internet Explorer can stop working, or be unable to access particular websites.
    • Some even keep you from accessing Microsoft.com.
  • You change your home page and, when you reboot, it has changed back to an adult-links pornographic site.

  23. Protection
  • Ad-Aware
  • Spybot Search and Destroy
  • HijackThis
  • Activate Cox spam filters and install spyware and pop-up blockers
  • PC Magazine
  • Microsoft has a removal tool
  • Before adding any other spyware detection and removal programs, always check the Rogue Anti-Spyware List for programs known to be misleading, mistaken, or just outright "foistware". You will find the list here: http://www.spywarewarrior.com/rogue_anti-spyware.htm

  24. Threats
  • Viruses and worms:
    • Are generally not written by employees of organizations.
    • Are expected to be the most common problem that an organization will face, as thousands of them have been created.
    • Are also generally non-discriminating threats that are released on the Internet and are not targeted at a specific organization.

  25. Threats to Security
  • The act of deliberately accessing computer systems and networks without authorization, or exceeding one's authority, is called "hacking".
  • There are a number of ways to break down the various threats. To do so:
    • Categorize external threats versus internal threats.
    • Examine the various levels of sophistication of the attacks, from "script kiddies" to "elite hackers."
    • Examine the level of organization of the various threats, from unstructured to highly structured.

  26. Levels of Sophistication
  • Intruders are very patient, as it takes persistence and determination to gain access to a system.
  • Insiders:
    • Are more dangerous than outside intruders.
    • Have the access and knowledge necessary to cause immediate damage to an organization.
    • Besides employees, insiders also include a number of other individuals who have physical access to facilities.

  27. Levels of Sophistication
  • Unstructured threats – newbies with hacking tools.
    • Attacks are generally conducted over short periods of time (around 3 months).
    • Small number of individuals with little financial backing.
    • They do not include collusion with insiders.
  • Script kiddies - At the low end technically are script kiddies.
    • Don't have the technical expertise to develop scripts or discover new vulnerabilities in software.
    • Have just enough understanding of computer systems to be able to download and run scripts that others have developed.

  28. Levels of Sophistication
  • Sophisticated intruders - Individuals capable of writing scripts to exploit known vulnerabilities.
    • More technically competent than script kiddies.
    • Account for an estimated 8 to 12% of the individuals conducting intrusive activity on the Internet.
  • Elite hackers are highly technical individuals who are able to:
    • Write scripts that exploit vulnerabilities.
    • Discover new vulnerabilities.
    • This group is the smallest, accounting for only 1 to 2% of the individuals conducting intrusive activity.

  29. Structured Threats
  • Criminal organizations
    • Criminal activity on the Internet is, at its most basic, no different from criminal activity in the physical world.
    • A difference between criminal groups and the "average" hacker is the level of organization that criminal elements may employ in their attacks.
  • Attacks by criminal organizations can fall into the structured threat category, which is characterized by:
    • Planning.
    • A long period of time to conduct the activity.
    • More financial backing.
    • Corruption of, or collusion with, insiders.

  30. Highly Structured Threats
  • Highly structured threats are characterized by:
    • A long period of preparation (years is not uncommon).
    • Tremendous financial backing.
    • A large and organized group of attackers.
    • Subverting insiders, and attempting to plant individuals inside before an attack.
  • In information warfare, military forces are certainly still a key target.
  • Other likely targets are the infrastructures that a nation relies on for its daily existence.
  • Terrorist organizations can also conduct information warfare.

  31. Critical Infrastructure
  • Critical infrastructures are those infrastructures whose loss would have a severe detrimental impact on a nation. Examples:
    • Water.
    • Electricity.
    • Oil and gas refineries and distribution.
    • Banking and finance.
    • Telecommunications.

  32. Security Trends
  • The biggest change in security over the last 30 years has been the change in the computing environment.
    • Large mainframes have been replaced by networks of PCs.
    • Access can now come from outside the organization.
  • The type of attacker has changed: non-affiliated intruders, including "script kiddies."
  • As the level of sophistication of attacks has increased, the level of knowledge necessary to exploit vulnerabilities has decreased.

  33. Avenues of Attack
  • The two most frequent types of attacks: viruses and insider abuse.
  • Two general reasons a particular computer system is attacked:
    • It is specifically targeted by the attacker, not because of the hardware or software the organization is running but for some other reason, such as a political one (hacktivism).
    • Or it is a target of opportunity: the attack is conducted against a site because it runs hardware or software that is vulnerable to a specific exploit.
  • Targeted attacks are more difficult and take more time than attacks on a target of opportunity.

  34. The Steps in an Attack
  • The steps an attacker takes are similar to the ones a security consultant performing a penetration test would take:
    • Gather as much information about the organization as possible.
    • Determine what target systems are available and active.
      • Ping sweep: send an ICMP echo request to each target machine.
    • Perform a port scan to identify the open ports, which indicate the services running on the target machine.
    • Determine the OS – refer to page 18 of The Google Hacking Guide for an example.
    • Search for known vulnerabilities in those services and for tools that exploit them, download the information and tools, and then use them against the site.
    • If the exploits do not work, other, less system-specific, attacks may be attempted.

  35. Minimizing Avenues of Attack
  • Understanding the steps an attacker takes helps guard against attacks:
    • Ensure that all patches for the operating system and the applications are installed.
    • Limit the services running on a system.
    • Provide as little information as possible about an organization and its computing resources.
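The discovery steps of slide 34 (is the host up, which ports answer, what service is behind each) and the "limit the services running on a system" advice of slide 35 are two sides of the same scan: run against your own host, the output is the list of services an attacker will see. The block below is an added example, not code from the slides or from any scanner product. It stands up a constructed target on a loopback port so it runs offline: a liveness check, a threaded TCP connect scan, and banner grabbing for the services that speak first (the SSH-style banner is made up). ICMP echo needs raw sockets, so the liveness check is TCP-based, which is also what scanners fall back to when ICMP is filtered. Scan only hosts you are authorized to test.

```python
"""Host liveness, TCP connect scan and banner grab against a local constructed target.
Added example, not from the slides; the listener, its port and its banner are all constructed."""
import socket
import threading
from concurrent.futures import ThreadPoolExecutor


def start_demo_service(banner=b"SSH-2.0-demo\r\n"):
    """Constructed target: a listener on an ephemeral loopback port that greets with a banner."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(8)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:  # listener shut down
                return
            with conn:
                try:
                    conn.sendall(banner)
                except OSError:
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def stop_demo_service(srv):
    """shutdown() wakes the blocked accept() so the port really stops listening."""
    try:
        srv.shutdown(socket.SHUT_RDWR)
    except OSError:
        pass
    srv.close()


def tcp_ping(host, port, timeout=0.5):
    """Liveness without ICMP: a connection that is accepted or refused (RST) proves the
    host is up; only a timeout leaves it undecided (down, or a firewall dropping the SYN)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"
        except ConnectionRefusedError:
            return "up-closed"
        except (socket.timeout, OSError):
            return "down-or-filtered"


def probe(host, port, timeout=0.5):
    """Full TCP connect to one port; returns (port, banner) if it is open, else None."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            try:
                data = s.recv(256)  # many services talk first (SSH, SMTP, FTP)
            except socket.timeout:
                data = b""
            return port, data.strip() or None
    except OSError:
        return None


def connect_scan(host, ports, workers=32):
    """Map every open port in `ports` to its banner (None if the service stayed silent)."""
    with ThreadPoolExecutor(max_workers=workers) as ex:
        hits = [r for r in ex.map(lambda p: probe(host, p), ports) if r]
    return dict(hits)


def demo():
    """Stand up the target, check liveness, then scan a small window around its port."""
    srv, port = start_demo_service()
    try:
        liveness = tcp_ping("127.0.0.1", port)
        found = connect_scan("127.0.0.1", range(max(1, port - 10), port + 10))
    finally:
        stop_demo_service(srv)
    return port, liveness, found


if __name__ == "__main__":
    port, liveness, found = demo()
    print(f"target port {port}: {liveness}")
    for p, banner in sorted(found.items()):
        print(f"  {p}/tcp open  {banner!r}")
```

A connect scan completes the three-way handshake, so it is logged by the target; the SYN scans of dedicated tools need raw sockets and avoid that. The banner is what "identify the services" means in practice: a version string is enough to look up known vulnerabilities, which is exactly why slide 35 says to limit services and volunteer as little information as possible.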
