CSCE 727: Cyber Attacks and Risk Management (Farkas)
Posted 28-Dec-2015
CSCE 727 - Farkas 2
Attack Sophistication vs. Intruder's Technical Knowledge
[Figure: CERT timeline, 1980 to 2000. The "Tools" curve (attack sophistication) rises from low to high while the "Attackers" curve (technical knowledge the intruder needs) falls. Techniques labelled on the timeline:]
– password guessing
– self-replicating code
– password cracking
– exploiting known vulnerabilities
– disabling audits
– back doors
– hijacking sessions
– sweepers
– sniffers
– packet spoofing
– GUI
– automated probes/scans
– denial of service
– www attacks
– "stealth" / advanced scanning techniques
– burglaries
– network mgmt. diagnostics
– distributed attack tools
– cross site scripting
– staged attack
Copyright: CERT, 2000
Attack Sophistication vs. Intruder's Technical Knowledge (figure source)
From: http://people.ubuntu.com/~duanedesign/SurvivabilityandInformationAssuranceCurriculum/01survive/01survive.html
Reading
Required:
– Denning, Chapters 8, 9, 14
– Hutchins et al., Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains, white paper, http://www.lockheedmartin.com/content/dam/lockheed/data/corporate/documents/LM-White-Paper-Intel-Driven-Defense.pdf
Interesting reading:
– DHS repairing internal security operations, Homeland Security News Wire, April 9, 2014, http://www.homelandsecuritynewswire.com/seworld20140409-dhs-repairing-internal-security-operations
– Student develops new way to detect hackers, Homeland Security News Wire, April 9, 2014, http://www.homelandsecuritynewswire.com/dr20140409-student-develops-new-way-to-detect-hackers
– Measuring smartphone malware infection rates, Homeland Security News Wire, April 9, 2014, http://www.homelandsecuritynewswire.com/dr20140409-measuring-smartphone-malware-infection-rates
Attack
Internet Engineering Task Force, RFC 2828:
"An assault on system security that derives from an intelligent threat, i.e., an intelligent act that is a deliberate attempt (especially in the sense of a method or technique) to evade security services and violate the security policy of the system."
Interruption
[Diagram: the flow from information source to information destination is cut off.]
Asset is destroyed or becomes unavailable – Availability
Example: destruction of hardware, cutting a communication line, disabling the file management system, etc.
Interception
[Diagram: an unauthorized party taps the flow from information source to information destination.]
Unauthorized party gains access to the asset – Confidentiality
Example: wiretapping, unauthorized copying of files
Modification
[Diagram: an unauthorized party intercepts the flow from information source to information destination and alters it before passing it on.]
Unauthorized party tampers with the asset – Integrity
Example: changing values of data, altering programs, modifying the content of a message, etc.
Fabrication
[Diagram: an unauthorized party injects its own traffic toward the information destination.]
Unauthorized party inserts a counterfeit object into the system – Authenticity
Example: insertion of offending messages, addition of records to a file, etc.
Phases of Attack
Improve detection by examining in which "phase" an intruder's behavior is identified.
Attack phases:
– Intelligence gathering: attacker observes the system to determine vulnerabilities
– Planning: attacker decides which resource to attack (usually the least defended component)
– Attack: attacker carries out the plan
– Inside the system:
  – Hiding: attacker covers the tracks of the attack
  – Future attacks: attacker installs backdoors as future entry points
Passive Attack
"Attempts to learn or make use of information from the system but does not affect system resources" (RFC 2828)
Example: sniffer
Sniffers
– All machines on a network can "hear" the ongoing traffic
– A machine will respond only to data addressed specifically to it
– Network interface in "promiscuous mode": able to capture all frames transmitted on the local area network segment
Risks of Sniffers
– Serious security threat
– Capture confidential information
  – Authentication information
  – Private data
– Capture network traffic information
Passive attacks
– Interception (confidentiality)
  – Disclosure of message contents
  – Traffic analysis
Disclosure of message content
– Intruder is able to interpret and extract the information being transmitted
– Highest risk: authentication information – can be used to compromise additional system resources
Traffic Analysis
– Intruder is not able to interpret and extract the transmitted information
– Intruder is able to derive (infer) information from the traffic characteristics
Protection Against Passive Attacks
– Shield confidential data from sniffers: cryptography
– Disturb the traffic pattern:
  – Traffic padding
  – Onion routing
– Detect and eliminate sniffers
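Traffic padding is the one countermeasure above that is easy to show end to end. The block below is an added example, not code from the slides: it shows how message length alone lets a passive observer tell two protocol responses apart, and how padding every frame to a fixed bucket size removes that signal. The bucket size of 64 bytes and the two sample messages are assumptions; the cipher that would wrap the padded frame is left out because the leak and the fix are independent of it.

```python
"""Traffic padding against traffic analysis (added example; not from the slides).

Padding is applied before encryption so that every ciphertext on the wire has a
length from a small fixed set; an observer who can only see lengths then learns
nothing about which message was sent.
"""
import os

BUCKET = 64  # assumed bucket size; pick it from the real message-size distribution


def pad_to_bucket(msg: bytes, bucket: int = BUCKET) -> bytes:
    """Length-prefix msg and pad with random bytes to the next multiple of bucket."""
    if len(msg) > 0xFFFF:
        raise ValueError("message too long for a 2-byte length prefix")
    framed = len(msg).to_bytes(2, "big") + msg
    pad_len = (-len(framed)) % bucket          # 0 when framed already fills a bucket
    return framed + os.urandom(pad_len)


def unpad(padded: bytes) -> bytes:
    """Recover the original message from a padded frame."""
    n = int.from_bytes(padded[:2], "big")
    if 2 + n > len(padded):
        raise ValueError("corrupt frame: length prefix exceeds frame size")
    return padded[2:2 + n]


def candidates_by_length(observed_len: int, on_wire: dict) -> set:
    """What a passive observer infers from length alone: the candidate messages
    whose on-the-wire length equals the observed one."""
    return {name for name, wire in on_wire.items() if len(wire) == observed_len}


# Constructed sample: a protocol with two possible responses of different length.
MESSAGES = {"approve": b"APPROVED", "reject": b"REJECTED: insufficient funds"}


def leak_without_padding() -> set:
    """Observer's guess when the reject message is sent unpadded."""
    return candidates_by_length(len(MESSAGES["reject"]), MESSAGES)


def leak_with_padding() -> set:
    """Observer's guess when both messages are padded to the same bucket."""
    on_wire = {name: pad_to_bucket(m) for name, m in MESSAGES.items()}
    return candidates_by_length(len(on_wire["reject"]), on_wire)


if __name__ == "__main__":
    print("unpadded, observer narrows to:", leak_without_padding())
    print("padded, observer narrows to:  ", leak_with_padding())
```

Padding hides lengths but not timing, direction or volume, so it is a partial answer to traffic analysis; onion routing, the other item on the slide, addresses who is talking to whom rather than what is said.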
Detection of Sniffer Tools
Difficult to detect: sniffers are passive programs
Tools:
– Promisc – Linux
– cmp – SunOS 4.x: detects promiscuous mode
– AntiSniff (L0pht Heavy Industries, Inc.): remotely detects computers that are packet sniffing, regardless of the OS
Interesting read: S. Truth, How to Test for Sniffing Vulnerabilities, http://web.securityinnovation.com/appsec-weekly/blog/bid/63274/How-to-Test-for-Sniffing-Vulnerabilities
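The host-side check the tools above perform on Linux can be reproduced from what the kernel already exposes. The block below is an added example, not code from the slides and not one of the tools they list: it reads the interface flag word from `/sys/class/net/<iface>/flags`, where the `IFF_PROMISC` bit is `0x100`, and also parses the `PROMISC` keyword out of `ip link show` output. The `ip link` sample and the fake sysfs tree it scans are constructed for offline use; the `sysfs_root` parameter exists only so the scan can be pointed at that tree.

```python
"""Detecting a local sniffer by its promiscuous-mode footprint (added example).

Both checks run on the host itself, so they belong in a scheduled audit script;
they cannot see a sniffer on a mirror port, a tap or another machine.
"""
import os
import re
import tempfile

IFF_PROMISC = 0x100  # from <linux/if.h>


def flags_from_sysfs_text(text: str) -> int:
    """Parse the hex flag word the kernel writes, e.g. '0x1103\\n'."""
    return int(text.strip(), 16)


def is_promiscuous(flags: int) -> bool:
    return bool(flags & IFF_PROMISC)


def promiscuous_interfaces(sysfs_root: str = "/sys/class/net") -> list:
    """Names of interfaces under sysfs_root whose flags have IFF_PROMISC set."""
    found = []
    for name in sorted(os.listdir(sysfs_root)):
        path = os.path.join(sysfs_root, name, "flags")
        try:
            with open(path) as fh:
                flags = flags_from_sysfs_text(fh.read())
        except (OSError, ValueError):
            continue  # not a network device entry, or unreadable
        if is_promiscuous(flags):
            found.append(name)
    return found


# "2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 ..."  (veth names carry "@ifN")
_IP_LINK_RE = re.compile(r"^\d+:\s+(?P<name>[^:@]+)[^<]*<(?P<flags>[^>]*)>")


def promiscuous_from_ip_link(output: str) -> list:
    """Parse `ip link show` text and return interfaces carrying the PROMISC flag."""
    found = []
    for line in output.splitlines():
        m = _IP_LINK_RE.match(line)
        if m and "PROMISC" in m.group("flags").split(","):
            found.append(m.group("name").strip())
    return found


def build_fake_sysfs(root: str, flag_words: dict) -> None:
    """Write a /sys/class/net look-alike tree for offline testing (constructed data)."""
    for name, flags in flag_words.items():
        os.makedirs(os.path.join(root, name), exist_ok=True)
        with open(os.path.join(root, name, "flags"), "w") as fh:
            fh.write(f"0x{flags:x}\n")


def demo_sysfs_scan() -> list:
    """Run the sysfs check against a constructed tree: eth1 promiscuous, eth0 and lo not."""
    with tempfile.TemporaryDirectory() as root:
        build_fake_sysfs(root, {"lo": 0x9, "eth0": 0x1003, "eth1": 0x1103})
        return promiscuous_interfaces(root)


# Constructed `ip link show` output: eth1 is in promiscuous mode.
SAMPLE_IP_LINK = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
3: eth1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
"""

if __name__ == "__main__":
    if os.path.isdir("/sys/class/net"):
        print("promiscuous (this host):", promiscuous_interfaces())
    print("promiscuous (sample ip link):", promiscuous_from_ip_link(SAMPLE_IP_LINK))
    print("promiscuous (fake sysfs):", demo_sysfs_scan())
```

A positive result is a lead, not proof: packet capture tools, bridges and some virtualization setups legitimately leave interfaces promiscuous, so the finding should be reconciled against an inventory of expected capture points before it is treated as an intrusion.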
Active attacks
"Attempts to alter system resources or affect their operation" (Internet Engineering Task Force, RFC 2828)
Active attacks
– Interruption (availability): DoS, DDoS
– Modification (integrity)
– Fabrication (integrity)
– Replay (authentication)
– Masquerade (authentication)
Protection against DoS, DDoS
– Hard to provide full protection
– Some of the attacks can be prevented:
  – Filter out incoming traffic with a local IP address as source
  – Avoid establishing state until the client's identity is confirmed
– Internet traceback: determine the source of an attack
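The two preventable cases on the slide can be shown as code. The block below is an added example, not code from the slides: an ingress filter that drops packets arriving from outside with a source address inside the site's own prefix, and a stateless handshake (SYN cookies) in which the server keeps no per-connection state until the client's ACK echoes a cookie only a real recipient of the SYN-ACK could know. The prefix, server endpoint, cookie layout and traffic are assumptions; the cookie layout is simplified relative to the Linux kernel's (which also packs the MSS into it).

```python
"""Ingress filtering and SYN cookies against DoS floods (added example)."""
import hashlib
import hmac
import ipaddress
import os
import random

LOCAL_PREFIX = ipaddress.ip_network("203.0.113.0/24")  # assumed site prefix (TEST-NET-3)
SERVER_IP, SERVER_PORT = "203.0.113.10", 443            # assumed server endpoint
SLOT_SECONDS = 64                                        # cookie freshness granularity
SECRET = os.urandom(32)                                  # per-process cookie key


def should_drop_ingress(src_ip: str, from_external_interface: bool) -> bool:
    """Ingress filter: a packet from outside that claims one of our own addresses is spoofed."""
    return from_external_interface and ipaddress.ip_address(src_ip) in LOCAL_PREFIX


def _cookie(src_ip: str, src_port: int, slot: int) -> int:
    """32-bit cookie: top 8 bits = time slot, low 24 bits = HMAC over the 4-tuple and slot."""
    msg = f"{src_ip}:{src_port}>{SERVER_IP}:{SERVER_PORT}@{slot}".encode()
    tag = hmac.new(SECRET, msg, hashlib.sha256).digest()[:3]
    return ((slot & 0xFF) << 24) | int.from_bytes(tag, "big")


def syn_ack_isn(src_ip: str, src_port: int, now: int) -> int:
    """Initial sequence number for the SYN-ACK; the server stores nothing."""
    return _cookie(src_ip, src_port, now // SLOT_SECONDS)


def ack_is_valid(src_ip: str, src_port: int, ack_num: int, now: int, max_age_slots: int = 1) -> bool:
    """Recompute the cookie from the final ACK and accept only a fresh, matching one."""
    cookie = (ack_num - 1) & 0xFFFFFFFF
    current = now // SLOT_SECONDS
    for age in range(max_age_slots + 1):
        slot = current - age
        if (slot & 0xFF) != cookie >> 24:
            continue
        expected = _cookie(src_ip, src_port, slot)
        if hmac.compare_digest(expected.to_bytes(4, "big"), cookie.to_bytes(4, "big")):
            return True
    return False


class StatelessListener:
    """Allocates a connection record only after a valid ACK; SYNs cost no memory."""

    def __init__(self):
        self.established = {}      # (src_ip, src_port) -> connection record
        self.dropped_spoofed = 0

    def on_syn(self, src_ip, src_port, now, from_external=True):
        if should_drop_ingress(src_ip, from_external):
            self.dropped_spoofed += 1
            return None
        return syn_ack_isn(src_ip, src_port, now)   # goes out in the SYN-ACK; nothing kept

    def on_ack(self, src_ip, src_port, ack_num, now):
        if not ack_is_valid(src_ip, src_port, ack_num, now):
            return False
        self.established[(src_ip, src_port)] = {"since": now}
        return True


def demo():
    """Constructed traffic: a SYN flood, one spoofed SYN, one honest client, one forged ACK."""
    rng = random.Random(1)
    srv, t = StatelessListener(), 1_000_000
    for _ in range(5000):                             # flood SYNs that never complete
        srv.on_syn(f"198.51.100.{rng.randrange(1, 255)}", rng.randrange(1024, 65535), t)
    srv.on_syn("203.0.113.77", 4444, t)               # claims our own prefix: filtered
    isn = srv.on_syn("192.0.2.5", 51000, t)           # honest client gets a cookie
    ok = srv.on_ack("192.0.2.5", 51000, isn + 1, t + 3)
    forged = srv.on_ack("192.0.2.9", 51001, 12345, t + 3)   # no cookie behind it
    return len(srv.established), srv.dropped_spoofed, ok, forged


if __name__ == "__main__":
    print("established, spoofed-dropped, honest-ok, forged-ok:", demo())
```

The flood of five thousand SYNs leaves the listener with no half-open entries at all, which is the point of deferring state; the price is that options carried only in the SYN are lost unless they are encoded into the cookie, and an attacker who can still saturate the link is not stopped by any of this, which is why the slide also lists traceback.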
Degradation of Service
Does not completely block the service, just reduces the quality of service
Intrusion Control
It is better to prevent something than to plan for loss.
Problem: misuse happens!
Need:
– Intrusion prevention: protect system resources
– Intrusion detection (second line of defense): identify misuse
– Intrusion recovery: cost-effective recovery models
Intrusion Prevention
– First line of defense
– Techniques: cryptography, identification, authentication, authorization, access control, security filters, etc.
– Not good enough (prevention, reconstructions)
Intrusion Detection System (IDS)
– Looks for specific patterns (attack signatures or abnormal usage) that indicate malicious or suspicious intent
– Second line of defense against both internal and external threats
– See recommended reading!
Intrusion Detection Systems
– Deter intruders
– Catch intruders
– Prevent threats from fully occurring (real-time IDS)
– Improve prevention techniques
– IDS deployment, customisation and management is generally not trivial
– See required reading!
Audit-Based Intrusion Detection
[Diagram: audit data and profiles, rules, etc. feed the intrusion detection system, which produces a decision.]
Need:
– Audit data
– Ability to characterize behavior
Audit Data
Format, granularity and completeness depend on the collecting tool
Examples:
– System tools collect data (login, mail)
– Additional collection at a low system level
– "Sniffers" as network probes
– Application auditing
– Honey net
Needed for:
– Establishing the guilt of attackers
– Detecting suspicious user activities
Audit Data Accuracy
– Collection method
  – System architecture and collection point
  – Software and hardware used for collection
– Storage method
  – Protection of audit data
– Sharing
  – Transmission protection and correctness
  – Availability
IDS Categories
1. Time of data analysis: real-time vs. off-line IDS
2. Location where audit data was gathered: host-based vs. network-based vs. hybrid
3. Technique used for analysis: rule-based vs. statistics-based
4. Location of analysis: centralized, distributed, network-based
5. Pattern the IDS is looking for: misuse vs. anomaly-based vs. hybrid
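Categories 3 and 5 become concrete when both analysis styles are run over the same audit data. The block below is an added example, not code from the slides: a misuse (rule-based) detector that fires on a fixed signature, repeated failed logins from one source inside a short window, and an anomaly (statistics-based) detector that first learns each user's normal source addresses and login hours from a baseline and then flags successful logins that fall outside them. The sshd-style log lines, the user names and the thresholds are constructed.

```python
"""Misuse and anomaly analysis of the same audit data (added example)."""
import re
from collections import defaultdict
from datetime import datetime

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<msg>.*)$")
FAIL_RE = re.compile(r"^Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")
OK_RE = re.compile(r"^Accepted (?:password|publickey) for (?P<user>\S+) from (?P<ip>\S+)")


def parse(line):
    """Turn one log line into an event dict, or None if it is not a login record."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = {"ts": datetime.fromisoformat(m["ts"]), "host": m["host"]}
    f, a = FAIL_RE.match(m["msg"]), OK_RE.match(m["msg"])
    if f:
        ev.update(kind="fail", user=f["user"], ip=f["ip"])
    elif a:
        ev.update(kind="accept", user=a["user"], ip=a["ip"])
    else:
        return None
    return ev


def misuse_alerts(events, threshold=5, window_s=60):
    """Misuse rule: threshold or more failed logins from one source within window_s seconds."""
    fails = defaultdict(list)
    for e in events:
        if e["kind"] == "fail":
            fails[e["ip"]].append(e["ts"])
    alerts = []
    for ip, times in fails.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if (times[i + threshold - 1] - times[i]).total_seconds() <= window_s:
                alerts.append(("brute_force", ip, times[i]))
                break  # one alert per source is enough
    return alerts


def build_profile(baseline_events):
    """Anomaly baseline: per user, the source addresses and hours of day seen in normal use."""
    prof = defaultdict(lambda: {"ips": set(), "hours": set()})
    for e in baseline_events:
        if e["kind"] == "accept":
            prof[e["user"]]["ips"].add(e["ip"])
            prof[e["user"]]["hours"].add(e["ts"].hour)
    return prof


def anomaly_alerts(events, profile):
    """Flag successful logins that do not fit the user's profile (or have none)."""
    alerts = []
    for e in events:
        if e["kind"] != "accept":
            continue
        p = profile.get(e["user"])
        reasons = []
        if p is None:
            reasons.append("no_profile")
        else:
            if e["ip"] not in p["ips"]:
                reasons.append("new_source")
            if e["ts"].hour not in p["hours"]:
                reasons.append("unusual_hour")
        if reasons:
            alerts.append(("anomaly", e["user"], e["ip"], tuple(reasons)))
    return alerts


# Constructed baseline: normal logins from earlier in the month (abbreviated).
BASELINE = """\
2014-04-01T09:02:11 srv1 sshd[1001]: Accepted publickey for alice from 10.0.0.5 port 50122 ssh2
2014-04-02T10:15:40 srv1 sshd[1044]: Accepted publickey for alice from 10.0.0.5 port 50310 ssh2
2014-04-03T14:07:03 srv1 sshd[1102]: Accepted publickey for alice from 10.0.0.6 port 50988 ssh2
2014-04-03T08:30:27 srv1 sshd[1100]: Accepted password for bob from 10.0.0.8 port 41002 ssh2
""".splitlines()

# Constructed monitored window: a burst of failures, then two successful logins.
MONITORED = """\
2014-04-09T02:58:01 srv1 sshd[2201]: Failed password for root from 198.51.100.23 port 40001 ssh2
2014-04-09T02:58:05 srv1 sshd[2202]: Failed password for root from 198.51.100.23 port 40002 ssh2
2014-04-09T02:58:09 srv1 sshd[2203]: Failed password for invalid user admin from 198.51.100.23 port 40003 ssh2
2014-04-09T02:58:14 srv1 sshd[2204]: Failed password for root from 198.51.100.23 port 40004 ssh2
2014-04-09T02:58:18 srv1 sshd[2205]: Failed password for root from 198.51.100.23 port 40005 ssh2
2014-04-09T03:12:44 srv1 sshd[2230]: Accepted password for alice from 198.51.100.23 port 40100 ssh2
2014-04-09T08:40:12 srv1 sshd[2231]: Accepted password for bob from 10.0.0.8 port 41050 ssh2
2014-04-09T08:41:00 srv1 sshd[2232]: Received disconnect from 10.0.0.8 port 41050:11: disconnected by user
""".splitlines()


def run(baseline_lines=BASELINE, monitored_lines=MONITORED):
    """Parse both windows and return misuse alerts followed by anomaly alerts."""
    baseline = [e for e in map(parse, baseline_lines) if e]
    events = [e for e in map(parse, monitored_lines) if e]
    return misuse_alerts(events) + anomaly_alerts(events, build_profile(baseline))


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

The misuse rule catches only what it was written for, while the profile catches alice's login from the attacking address at 03:12 without any rule about it, and would equally flag a legitimate but unusual login; that trade-off between signature precision and anomaly coverage is why the slide lists hybrid as a third option.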
Intrusion Recovery
– Actions to avoid further loss from the intrusion
– Terminate the intrusion and protect against reoccurrence
– Law enforcement
– Enhance defensive security
– Reconstructive methods based on:
  – Time period of the intrusion
  – Changes made by legitimate users during the affected period
  – Regular backups, audit-trail-based detection of affected components, semantic-based recovery, minimal roll-back for recovery
What is "Survivability"?
To decide whether a computer system is "survivable", you must first decide what "survivable" means.
Real Cost of a Cyber Attack
– Damage to the target may not reflect the real amount of damage
– Other services may rely on the attacked service, causing cascading and escalating damage
– Need: support for decision makers to
  – Evaluate the risk and consequences of cyber attacks
  – Support methods to prevent, deter, and mitigate the consequences of attacks
Risk Management Framework (Business Context)
[Diagram: five stages in sequence, with measurement and reporting spanning all of them.]
1. Understand business context
2. Identify business and technical risks
3. Synthesize and rank risks
4. Define risk mitigation strategy
5. Carry out fixes and validate
Measurement and reporting (across all stages)
Understand the Business Context
"Who cares?"
Identify business goals, priorities and circumstances, e.g.,
– Increasing revenue
– Meeting service-level agreements
– Reducing development cost
– Generating high return on investment
Identify the software risks to consider
Identify Business and Technical Risks
"Why should the business care?"
Business risk:
– Direct threat
– Indirect threat
Consequences:
– Financial loss
– Loss of reputation
– Violation of customer or regulatory constraints
– Liability
Tie technical risks to the business context in a meaningful way
Synthesize and Rank the Risks
"What should be done first?"
– Prioritization of identified risks based on business goals
– Allocating resources
– Risk metrics:
  – Risk likelihood
  – Risk impact
  – Risk severity
  – Number of emerging risks
Define the Risk Mitigation Strategy
"How to mitigate the risks?"
– Available technology and resources
– Constrained by the business context: what can the organization afford, integrate, and understand
– Need validation techniques
Carry Out Fixes and Validate
– Perform the actions defined in the previous stage
– Measure "completeness" against the risk mitigation strategy
  – Progress against risk
  – Remaining risks
  – Assurance of mechanisms
– Testing
Measuring and Reporting
– Continuous and consistent identification and storage of risk information over time
– Maintain risk information at all stages of risk management
– Establish measurements, e.g., number of risks, severity of risks, cost of mitigation, etc.
Assets-Threat Model (1)
[Diagram: threats act on assets.]
– Threats compromise assets
– Threats have a probability of occurrence and a severity of effect
– Assets have values
– Assets are vulnerable to threats
Assets-Threat Model (2)
Risk: expected loss from a threat against an asset
R = V * P * S, where
– R: risk
– V: value of the asset
– P: probability of occurrence of the threat
– S: severity of the threat's effect, i.e., the vulnerability of the asset to the threat
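The model above is what the "Synthesize and Rank the Risks" and "Define the Risk Mitigation Strategy" stages operate on, so the block below applies it to a small register rather than to a single asset. It is an added example, not code from the slides: each row holds one (asset, threat) pair with V, P and S, rows are ranked by expected loss, losses are aggregated per asset, and a proposed control is judged by the expected loss it removes minus what it costs. The assets, threats and numbers are illustrative assumptions, not measurements.

```python
"""R = V * P * S over a constructed asset/threat register (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Exposure:
    """One (asset, threat) pair with the three inputs of the model."""
    asset: str
    threat: str
    value: float        # V: value of the asset, in currency units
    probability: float  # P: probability the threat occurs within the planning period
    severity: float     # S: fraction of V lost when it does (the asset's vulnerability to it)

    def __post_init__(self):
        if self.value < 0 or not 0 <= self.probability <= 1 or not 0 <= self.severity <= 1:
            raise ValueError(f"out-of-range inputs for {self.asset}/{self.threat}")

    def risk(self) -> float:
        """R = V * P * S: expected loss from this threat against this asset."""
        return self.value * self.probability * self.severity


def rank(register):
    """Highest expected loss first: the 'what should be done first?' ordering."""
    return sorted(register, key=lambda e: e.risk(), reverse=True)


def risk_by_asset(register):
    """Aggregate expected loss per asset across every threat against it."""
    totals = {}
    for e in register:
        totals[e.asset] = totals.get(e.asset, 0.0) + e.risk()
    return totals


def mitigation_net_benefit(e, cost, new_probability=None, new_severity=None):
    """Expected-loss reduction a control buys, minus its cost; negative means not worth it."""
    after = Exposure(e.asset, e.threat, e.value,
                     e.probability if new_probability is None else new_probability,
                     e.severity if new_severity is None else new_severity)
    return e.risk() - after.risk() - cost


# Constructed register; every figure is an illustrative assumption.
REGISTER = [
    Exposure("customer DB", "SQL injection", 500_000, 0.30, 0.8),
    Exposure("customer DB", "insider misuse", 500_000, 0.05, 0.5),
    Exposure("web front end", "DDoS", 120_000, 0.60, 0.3),
    Exposure("build server", "backdoor install", 80_000, 0.10, 1.0),
]

if __name__ == "__main__":
    for e in rank(REGISTER):
        print(f"{e.risk():>10,.0f}  {e.asset:<15} {e.threat}")
    print("per asset:", risk_by_asset(REGISTER))
    # a control that cuts the SQL injection probability to 0.05 and costs 25,000
    print("net benefit:", mitigation_net_benefit(REGISTER[0], 25_000, new_probability=0.05))
```

The ranking depends entirely on how P and S were estimated, which is why the measurement-and-reporting stage keeps the inputs alongside the scores: a register whose probabilities are guesses ranks guesses.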
Risk Acceptance
– Certification: how well the system meets the security requirements (technical)
– Accreditation: management's approval of the automated system (administrative)
Readings for the Student Presentations, 04/14/2014
– Yinyan He: Zahid H. Qureshi. 2007. A review of accident modelling approaches for complex socio-technical systems. In Proceedings of the twelfth Australian workshop on Safety critical systems and software and safety-related programmable systems - Volume 86 (SCS '07), Tony Cant (Ed.), Vol. 86. Australian Computer Society, Inc., Darlinghurst, Australia, 47-59. http://dl.acm.org/citation.cfm?id=1387046
– Frank Peloquin: Robert D. Larkin, Juan Lopez, Jr., Jonathan W. Butts, and Michael R. Grimaila. 2014. Evaluation of security solutions in the SCADA environment. SIGMIS Database 45, 1 (March 2014), 38-53. http://dl.acm.org/citation.cfm?id=2591060
– David Rodriquez: Yakkala V. Naga Manikanta and Anjali Sardana. 2012. Protecting web applications from SQL injection attacks by using framework and database firewall. In Proceedings of the International Conference on Advances in Computing, Communications and Informatics (ICACCI '12). ACM, New York, NY, USA, 609-613. http://dl.acm.org/citation.cfm?id=2345495