
CS 5950/6030 Network Security Class 3 (W, 9/7/05)

CS 5950/6030 Network Security Class 3 (W, 9/7/05). Leszek Lilien, Department of Computer Science, Western Michigan University [Using some slides prepared by: Prof. Aaron Striegel, University of Notre Dame


Presentation Transcript


  1. CS 5950/6030 Network Security, Class 3 (W, 9/7/05). Leszek Lilien, Department of Computer Science, Western Michigan University. [Using some slides prepared by: Prof. Aaron Striegel, University of Notre Dame; Prof. Barbara Endicott-Popovsky and Prof. Deborah Frincke, University of Washington]

  2. 1.2. Survey of Students’ Background and Experience (1)
     Background Survey, CS 5950/6030 Network Security - Fall 2005
     Please print all your answers.
     First name: __________ Last name: __________
     Email: __________
     Undergrad./Year: __________ OR: Grad./Year or Status (e.g., Ph.D. student): __________
     Major: __________
     PART 1. Background and Experience
     1-1) Please rate your knowledge in the following areas (0 = None, 5 = Excellent).
     • UNIX/Linux/Solaris/etc. experience (use, administration, etc.): 0 1 2 3 4 5
     • Network protocols (TCP, UDP, IP, etc.): 0 1 2 3 4 5
     • Cryptography (basic ciphers, DES, RSA, PGP, etc.): 0 1 2 3 4 5
     • Computer security (access control, security fundamentals, etc.): 0 1 2 3 4 5
     Any new students who did not fill out the survey?

  3. Section 1 – Class 3
     Class 1:
     1.1. Course Overview
     • Syllabus - Course Introduction
     1.2. Survey of Students’ Background and Experience
     1.3. Introduction to Security
     1.3.1. Examples – Security in Practice
     1.3.2. What is “Security?”
     1.3.3. Pillars of Security: Confidentiality, Integrity, Availability (CIA) – PART 1
     Class 2:
     1.3.3. Pillars of Security: Confidentiality, Integrity, Availability (CIA) – PART 2
     1.3.4. Vulnerabilities, Threats, and Controls – PART 1
     Vulnerabilities, Threats, and Controls / Attacks
     Kinds of Threats (interception/interruption/modification/fabrication)
     Levels of Vulnerabilities / Threats
     A) Hardware level
     B) Software level
     Class 3:
     C) Data level
     D) Other levels
     1.3.5. Attackers
     1.3.6. How to React to an Exploit?
     1.3.7. Methods of Defense

  4. C) Data Level of Vulnerabilities / Threats
     • How valuable is your data?
     • Credit card info vs. your home phone number
     • Source code
     • Visible data vs. context
     • “2345” -> Phone extension or a part of SSN?
     • Adequate protection
     • Cryptography
     • Good if intractable for a long time

  5. Identity Theft
     • Cases in 2003:
     • Credit card skimmers plus driver’s license, Florida
     • Faked social security and INS cards $150-$250
     • Used 24 aliases – used false id to secure credit cards, open mail boxes and bank accounts, cash fraudulently obtained federal income tax refund checks, and launder the proceeds
     • Bank employee indicted for stealing depositors' information to apply over the Internet for loans
     • $7M loss, Florida: Stole 12,000 cards from restaurants via computer networks and social engineering
     • Federal Trade Commission: http://www.consumer.gov/idtheft/
     [cf. Barbara Endicott-Popovsky and Deborah Frincke, CSSE592/492, U. Washington]

  6. Preventing Identity Theft
     • Handle data carefully
     • Regular checks of your credit reports
     • Put a password on your credit accounts; don’t use just “mother’s maiden name”
     • Be cautious about sharing personal information
     • From the web site: “Deposit outgoing mail in post office collection boxes or at your local post office, rather than in an unsecured mailbox”
     • Shred, don’t just discard
     • Practice good computer security
     • Anti-virus s/w, firewall, secure browsers, …
     • Minimize financial info on your computer
     • Think before you “click”
     • Clean up any computer before you sell/discard it
     • Need special s/w to securely destroy “deleted” data
     [cf. Barbara Endicott-Popovsky and Deborah Frincke, CSSE592/492, U. Washington]

  7. Preventing Identity Theft: Government Suggestions
     • Suggestions from FTC:
     • Contact the three major credit agencies, check credit, put “stop” on unapproved new cards, issue “fraud alert”
     • Close all accounts; open new ones w/o mother’s maiden name (use password)
     • File a report in the appropriate jurisdiction and keep copies of those records
     • … and now there’s an ID Theft Affidavit
     • To prove to institutions that you are a victim of a crime, not a criminal
     [cf. Barbara Endicott-Popovsky and Deborah Frincke, CSSE592/492, U. Washington]

  8. Types of Attacks on Data CIA
     • Disclosure
     • Attack on data confidentiality
     • Unauthorized modification / deception
     • E.g., providing wrong data (attack on data integrity)
     • Disruption
     • DoS (attack on data availability)
     • Usurpation
     • Unauthorized use of services (attack on data confidentiality, integrity or availability)

  9. Ways of Attacking Data CIA
     • Examples of Attacks on Data Confidentiality
     • Tapping / snooping
     • Examples of Attacks on Data Integrity
     • Modification: salami attack -> little bits add up
     • E.g., “shave off” the fractions of cents after interest calculations
     • Fabrication: replay data -> send the same thing again
     • E.g., a computer criminal replays a salary deposit to his account
     • Examples of Attacks on Data Availability
     • Delay vs. “full” DoS
     • Examples of Repudiation Attacks on Data:
     • Repudiation / denial of origin of data: “I never sent it”
     Repudiation = refusal to acknowledge or pay a debt or honor a contract (especially by public authorities). [http://www.onelook.com]
     • Repudiation / denial of receipt of data: “I never got it”
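The replay case on slide 9 (a salary deposit sent a second time), as an added example that is not part of the original slides: a message authentication code catches a modified deposit but not a verbatim copy of a valid one, so the receiver also has to track freshness. The key, message fields, and the `DepositReceiver` class are hypothetical and the sample messages are constructed.

```python
import hashlib
import hmac
import json

KEY = b"constructed-demo-key"  # assumption: secret shared by payroll system and bank

def sign(msg: dict) -> dict:
    """Sender side: attach an HMAC-SHA256 tag over the canonical message body."""
    body = json.dumps(msg, sort_keys=True).encode()
    return {"body": msg, "tag": hmac.new(KEY, body, hashlib.sha256).hexdigest()}

class DepositReceiver:
    """Receiver side: verifies the tag, then (optionally) enforces freshness."""

    def __init__(self, check_freshness: bool = True):
        self.check_freshness = check_freshness
        self.last_seq = {}  # sender -> highest sequence number accepted so far
        self.balance = {}   # account -> credited amount in cents

    def process(self, packet: dict) -> str:
        body = json.dumps(packet["body"], sort_keys=True).encode()
        expected = hmac.new(KEY, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, packet["tag"]):
            return "rejected: bad tag"        # modification is caught here
        m = packet["body"]
        if self.check_freshness:
            if m["seq"] <= self.last_seq.get(m["sender"], 0):
                return "rejected: replay"     # same valid message seen before
            self.last_seq[m["sender"]] = m["seq"]
        self.balance[m["account"]] = self.balance.get(m["account"], 0) + m["cents"]
        return "accepted"

def demo() -> dict:
    # Constructed sample: one legitimate deposit, a verbatim copy, an altered copy.
    deposit = sign({"sender": "payroll", "seq": 1, "account": "A-100", "cents": 250000})
    tampered = {"body": dict(deposit["body"], cents=999999), "tag": deposit["tag"]}
    results = {}
    for name, fresh in (("mac_only", False), ("mac_plus_seq", True)):
        rx = DepositReceiver(check_freshness=fresh)
        outcomes = [rx.process(deposit), rx.process(deposit), rx.process(tampered)]
        results[name] = (outcomes, rx.balance["A-100"])
    return results

if __name__ == "__main__":
    for name, (outcomes, balance) in demo().items():
        print(name, outcomes, balance)
```

With the MAC alone the copied deposit is credited twice; with the per-sender sequence check the second copy is rejected, and the altered amount fails the tag check in both configurations.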

  10. D) Vulnerab./Threats at Other Exposure Points
     • Network vulnerabilities / threats
     • Networks multiply vulnerabilities and threats, due to:
     • their complexity => easier to make design/implem./usage mistakes
     • “bringing close” physically distant attackers
     • Esp. wireless (sub)networks
     • Access vulnerabilities / threats
     • Stealing cycles, bandwidth
     • Malicious physical access
     • Denial of access to legitimate users
     • People vulnerabilities / threats
     • Crucial weak points in security
     • too often, the weakest links in a security chain
     • Disgruntled employees
     • Honest insiders subjected to skillful social engineering

  11. 1.3.5. Attackers
     • Attackers need MOM
     • Method: Skill, knowledge, tools, etc. with which to pull off an attack
     • Opportunity: Time and access to accomplish an attack
     • Motive: Reason to perform an attack

  12. Types of Attackers (1)
     • Amateurs
     • Opportunistic attackers
     • Uses a password he found
     • Script kiddies
     • Hackers - nonmalicious
     • in broad use beyond security community: also malicious
     • Crackers - malicious
     • Career criminals
     • State-supported spies and information warriors

  13. Types of Attackers (2) (in: the “Threat Spectrum” slide) [cf. Barbara Endicott-Popovsky and Deborah Frincke, CSSE592/492, U. Washington]

  14. Example: Hacking As Social Protest
     • Hacktivism
     • Electro-Hippies
     • DDOS attacks on government agencies
     • SPAM attacks as “retaliation”
     [Barbara Endicott-Popovsky and Deborah Frincke, CSSE592/492, U. Washington]

  15. New Internet Attacks
     [Figure: chart with axis labels “High” and “Time”, series labels “Sophistication of Hacker Tools” and “Technical Knowledge Required”, and attack labels: Packet Forging & Spoofing, Stealth Diagnostics, DDOS, Sniffers, Sweepers, Hijacking Sessions, Back Doors, Self-Replicating Code, Password Cracking, Password Guessing]
     [cf. Barbara Endicott-Popovsky and Deborah Frincke, CSSE592/492, U. Washington]

  16. 1.3.6. How to React to an Exploit?
     Exploit = successful attack
     • Should you release it to the public?
     • Include source code / not include source code
     • Release to vendor first, etc.

  17. “To Report or Not To Report:” Tension between Personal Privacy and Public Responsibility
     An info tech company will typically lose between ten and one hundred times more money from shaken consumer confidence than the hack attack itself represents if they decide to prosecute the case.
     Mike Rasch, VP Global Security, testimony before the Senate Appropriations Subcommittee, February 2000, reported in The Register and online testimony transcript
     [Barbara Endicott-Popovsky and Deborah Frincke, CSSE592/492, U. Washington]

  18. Further Reluctance to Report
     • One common fear is that a crucial piece of equipment, like a main server, say, might be impounded for evidence by over-zealous investigators, thereby shutting the company down.
     • Estimate: fewer than one in ten serious intrusions are ever reported to the authorities.
     Mike Rasch, VP Global Security, testimony before the Senate Appropriations Subcommittee, February 2000, reported in The Register and online testimony transcript
     [cf. Barbara Endicott-Popovsky and Deborah Frincke, CSSE592/492, U. Washington]

  19. Computer Forensics: Fighting Computer Crime
     • Technology
     • Law Enforcement
     • Individual and Societal Rights
     • Judiciary
     • …
     [cf. Barbara Endicott-Popovsky and Deborah Frincke, CSSE592/492, U. Washington]

  20. 1.3.7. Methods of Defense
     • Five basic approaches to defense of computing systems
     • Prevent attack
     • Block attack / Close vulnerability
     • Deter attack
     • Make attack harder (can’t make it impossible)
     • Deflect attack
     • Make another target more attractive than this target
     • Detect attack
     • During or after
     • Recover from attack

  21. Continued - Class 4
