1 / 74

Chapter 2

Chapter 2. Threats To Computer Systems. 2.1 Threats, Vaulnerabilities and Attacks. Threats: defines as any potential occurrence, malicious and otherwise, that can have undesirable effect on the assets and resources associated with a computer system Vulenerability:

althea
Télécharger la présentation

Chapter 2

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Chapter 2 Threats To Computer Systems

  2. 2.1 Threats, Vaulnerabilities and Attacks • Threats: • defines as any potential occurrence, malicious and otherwise, that can have undesirable effect on the assets and resources associated with a computer system • Vulenerability: • is some unfortunate characteristic that makes it possible for a threat to potentially occur

  3. Attack: • is some action taken by malicious intruder that involves the exploitation of certain vulnerabilities in order to cause an existing threats to occur

  4. 2.2 Types of Threats Categorization is needed to allow establishment of simple framework for understanding and solving security problems • Three main types of threats • disclosure threat • integrity threat • denial of service threat

  5. 2.2.1 Disclosure threat • This threat involves the dissemination of information to an individual for whom that information should not be seen • This information may be in computer storage or in transit between computer systems • disclosure of information is called “leak” • important for confidential organization such as military, government etc.

  6. 2.2.2 Integrity threat • This threat involves any unauthorized change to information stored on a computer system or in transit between computer systems • non-critical information has less consequence • critical information can be disastrous • important for battle plans and commercial activities

  7. 2.2.3 Denial of service threat • This threat arises whenever access to some computer system resource is intentionally blocked as a result of malicious action taken by another user • critical for delaying weapon deployment or stock dealing • because the services are temporal characterized, this threat is more difficult to address than others

  8. 2.3 System Security Engineering • To deal with problems of threats, vulnerabilities and attacks, a new discipline has recently emerged in the security community known as system security engineering • security engineering process (Fig. 2.1) will involve understanding of the security problems and derives protections against these problems

  9. Specify System Architecture Identify and Install Safeguards Identify Threats, Vulnerabilites, Attacks Estimate Component Risk Prioritize Vulnerabilities Risk is Acceptably Low Figure 2.1 System Security Engineering Process

  10. Specify System Architecture • Inspect the system • examine the network, host, interface and other associate architecture • use a structural specification include current security methods used • include a description of functional properties • create a security priority list

  11. Identify Threats, Vulnerabilities, Attacks • Identify potential threats from internal and external sources • estimate possible damage arises from attack • establish methodologies for minimise possibilities of attack

  12. Estimate Component Risk • Develop risk formula • Identify risk components • Prioritize risk factor

  13. Prioritize Vulnerabilities • Base on risk priority developed in previous stage • this stage provide an order for installing security protections • limited resources may exist the high risk component will be deal with first

  14. Identify and Install Safeguards • Identify all possible safeguard approaches include standard security mechanisms • safeguard mechanisms will be examined • considerations on minimal in impact, performance degradation, cost and resources are needed

  15. 2.4 Threat Tree • High level threats serve as the starting point for further decomposition • threat decomposition is based on a threat tree • military standard MIL-STD 1785 is used • threat tree is similar to decision tree used for risk management & reliability engineering

  16. 2.4.1 Arbitrary Threat List • Threat can be identified during system design or development • it can also identified by a random, unstructured process called arbitrary threat list process • the list can be enriched during the design, development and operation stages • However, most threats have some unfortunate characteristics

  17. Unfortunate Characteristics • Dubious Completeness: most threats are difficult to be identified completely • Lack of Rationale: known threats are identified by past history however ad hoc nature makes it difficult to rationale • Possible Inconsistencies: threats can be correlated and co-occurred. Independent events cannot prevent contradictory and redundant to be rectified simultaneously.

  18. Arbitrary threat list must be avoided • especially for some critical system missions • the development of a threat tree can overcome most of the shortfalls

  19. 2.4.2 Developing a Threat Tree • first identify a list of possible threats • then introduce them in an iterative manner and refine the description carefully and gradually • the tree structure allows various threats to be associated in a root-node relationship • this approach can rationale the identified threat and simplify a security solution

  20. 2.4.3 Structure of a threat tree • Each tree composes a top label called Threat • each label will contain some generalized description of threat present in a given system • each root is a sub-threat which represents the refinement for a given node • the repetitive process will be terminated when all threats and sub-threats are identified, i.e. complete

  21. Threat Sub-threat                   Structure of a Threat Tree

  22. Example: Hospital Computer System • Hospital Computer System Threat (HCST) is composed of Patient Medical Information (PMH) and non Patient Medical Information (NPMH) • PMH can further decomposed to Life Threatening (LT) and non Life Threatening (NLT) which both further decomposed to Disclosue (D), Integrity (I) and Denial of Service (DOS)

  23. NMPH can be refined into Billing threat (B) and non Billing Threat (NB). Where both threats are further decomposed into Malicious Developer (MDEV) threats introduced beforehand and those are not (NMDEV) threats • a simplified threat tree for hospital computer system is shown as follows:

  24. HCST NPMH PMH LT NB NLT B D I I DOS D DOS MDEV MDEV NMDEV NMDEV          Threat Tree of HCS

  25. Effects: • D: confidential patient information is disclosed • I: Patient information is corrupted • DOS: Patient information is not available • NMDEV(B) : billing information is corrupted • MDEV (NB): internal schedules are compromised

  26. 2.4.4 Using Threat Tree to Support System Security Engineering • Threat tree allows a structured means for documenting and organizing the estimation and calculations of critical, effort and risk factors • Critical defines the impact of the threat or the gain by introducing security measurements • Effort (E) defines the resources needed to resolve the threat • Risk (R=G/E) defines the normalized impact of threat if being attract

  27. HCST(8,2,4) PMH(8,2,4) NPMH(2,12) LT(8,2,4) NB(1,1,1) NLT(2.2,1) B(2,1,2) I(5,5,1) MDEV (1,1,1) NMDEV (2,1,2) DOS(8,2,4) D(1,1,1) Example on Risk Calculation using (G,E,R) value and maximum risk selection

  28. 2.5 Categorization of Attack “Computer Crimes are probably the tip of an iceberg - but just how big is the iceberg is no one know” T.Perry & P. Wallich • Traditional three classes: disclosure, integrity and denial of services • Unclassified attacks: internet browsing, computation, storage and whatever • To acoount for specific type of attack - taxonomies are used

  29. 2.5.1 Using an Attack Taxonomy • Attack Taxonomy is defined as any generalized categorization of potential attacks that might occur on a given computer system • Informal analysis can be used to identify threats and analytic means (threat tree) can be used to document attack or by reported experience with a target system

  30. Attack scenarios are sometimes identified for certain classes of systems including real-time, database and LAN and they must be dealt with appropriately in the target system in the early stage of security system development • Precisely determination of the system and attack characteristics with the interaction of environment will subsequently develop the final attack taxonomy by reducing the known attacks

  31. Attack Taxonomy Target system Attacks to the Target System Using an Attack Taxonomy Attack Taxonomy (many known attacks) Attack Taxonomy (fewer known attacks) ••• Mitigate Select attacks Mitigate Select attacks Reducing Known Attacks

  32. 2.5.2 Considerations in Selecting an Attack Taxonomy • Completeness: the categories of attack should be accompanied by evidence that all potentially unfortunate occurrences have been accounted for in the target system. The attack must be justifiable. However, most attacks are unstructured and system dependent, empirical evidence is the strongest justification for completeness in an attack taxonomy.

  33. Appropriateness: The selected attack taxonomy should appropriately characterize the attacks to the target systems. Assumption like malicious insiders are not present. Tradeoff sometimes required to evaluate common highly appropriate attack and less appropriate attack for a specified target systems • Internal vs. external threats: an attack taxonomy should differentiate between attacks form insider and outsider. Sometimes external attack taxonomy is entirely insecure for insider attack.

  34. 2.5.3 Example - Simple Attack Taxonomy

  35. 2.5.4 Example: Risk-based Empirical Attack Taxonomy • Simplified taxonomy cannot cater for the actual situation, empirical taxonomy with reasonable justification can make it more complete • Possible empirical attacks: • external information theft (glancing at someone’s terminal) • external abuse of resources (smashing a disk drive)

  36. Masquerading (recording and playing back network transmission) • pest programs (installing a malicious program) • Bypassing authentication or authority (password cracking) • authority abuse (falsifying records) • abuse through inaction (intentionally bad administration) • indirect abuse (using another system to create a malicious program)

  37. External Information theft • unauthorized individual stealing information or glance at other’s terminal to steal sensitive information like password, salary data, confidential information and so on • Avoid by setting external procedures such as secured terminal room, secured printer or paper shredders for discarding sensitive information

  38. External Abuse of Resources • This involves physical destruction of hardware such as disk drives, circuit boards, communication media and so on • Because this is an integrity attack, attacker must physical access to the physical resources but not necessary the internal resources • physical destruction may include vandalizing, switching off air conditioner or electrical power • sometimes abuse may not damage the hardware such as jamming or tapping • Avoidance by introducing physical security means like locked, guarding, surveillance camera and so on

  39. External Masquerading • this involves a malicious intruder successfully impersonating another user using some mechanism external to the computer system • examples are: tapping communication medium, recording the information transferred and playing back this information in a later time • this attack has been used by network hacker to avoid from being located • Avoidance by setting up proper network security procedures but the techniques are not straightforward

  40. Pest Programs • this includes attacks that are set up by malicious individuals to cause subsequent harm • a pest program can be views as time bomb, I.e. it will occur at a much later time • this time lag may provide opportunity for an intruder to cover tracks and avoid being caught instantaneous • well know types are Trojan horse and virus attacks • Countering pest program requires secure internal controls, awareness broadcasting and possible some shield programs

  41. Bypassing of Internal Controls • this involves the explicit avoidance of controls that are set up to protect the resources on a computer system • Bypassing usually refers to authorization, access and authority control. The technique is based on clever use of some existing logical flaw in the system • Examples are well known password cracking techniques that subvert protective approaches that contain flaws and operating system and compiler attacks usually involves logical exploitation of flaws to bypass authority

  42. Active Authority Abuse • this attack occurs when an individual is trusted to perform some type of sensitive or important function and then actively abuses this privilege • Examples falsifying certain data entries or granting services in improper manner • Avoidance is difficult but can be minimized by personnel screening, background checks and even polygraph tests

  43. Abuse through Inaction • this involves the willful neglect of duty by some malicious individual • attack occurs whenever some action is required to avoid a harmful situation but is not performed • example is that an administrator has neglected the maintenance of a system or recorder in order to cause degraded or denied service • avoidance by identifying all possible inaction, this is the first step for all attack avoidance mechanism.

  44. Indirect Abuse • this involves an off-line system and is characterized by behavior that may appear normal but is actually being carried out as a component or step in some comprehensive attack • Example: an indirect abuse involves the factoring a large number on one system as a mean for breaking a protection routine on another system. • Avoidance is extremely difficult because the appearance is completely normal to the system being used.

  45. 2.6 Trojan Horses and Viruses • A type of program that is well known of provide self-reproduction is called Trojan Horse • This program is allow to distribute and propagate across different computer systems and is known as virus

  46. 2.6.1 Trojan Horses • A Trojan Horse program shall be defined as any program that is expected to perform some desirable function but that actually performs some unexpected and undesirable function • It means that Trojan Horse program may look like a good program but it can potentially turns into harmful

  47. Examples: cat command in unix user “cat x” (Trojan Horseversion) “cat x” (normal version) Maliciously altered sequence of system routines Normal sequence of operating system routines

  48. In a trusted group, the Trojan Horses is not critical and this approach allows co-workers to share information and resources and the malicious program will not be created • however if Trojan Horses has infiltrated into an trusted environment and can self-reproduced and propagated • this becomes viruses

  49. 2.6.2 Viruses • A virus program is defined as any Trojan Horse program that has been designed to self-produce and propagate so as to modify other programs to include a possible modified copy of the virus. • As computer networks have become more widespread, the potential for huge propagation has increased and this type of attack has become serious

  50. Figure below shows how viruses can be created as Trojan horse on one machine and then duplicated on others via some propagation means Trojan Horse Creation System A Electronic propagation Manual propagation Trojan Horse Duplication Trojan Horse Duplication System B (connected to system A) System C (No connection to system A)

More Related