Lesson 1-Introduction and Security Trends

Upload: mr100sp

Post on 02-Dec-2014


Page 1: Chapter 01

Lesson 1-Introduction and Security Trends

Page 2: Chapter 01

Background

Terrorists have targeted people and physical structures.

– The average citizen is more likely to be the target of an attack on their computer than to be the direct victim of a terrorist attack.

Page 3: Chapter 01

Background

This presentation addresses the issues surrounding why people should be concerned about computer and network security.

It also introduces a number of issues involved in securing computers and networks from a variety of threats utilizing different attacks.

Page 4: Chapter 01

Objectives

Upon completion of this lesson, the students will be able to:

– List and discuss the recent trends in computer security.

– Describe simple steps to minimize the possibility of an attack on a system.

– Describe the various types of threats that exist for computers and networks.

– Discuss recent computer crimes that have been committed.

Page 5: Chapter 01

Yesterday and Today

Fifty years ago:

– Few people had access to a computer system or a network.

– Securing these systems was easier.

– Companies did not conduct business over the Internet.

Today, companies rely on the Internet to operate and conduct business.

Page 6: Chapter 01

The Security Problem

Networks are used to transfer vast amounts of money in the form of bank transactions or credit card purchases.

When money is transferred via networks, people try to take advantage of the environment to conduct fraud or theft.

Page 7: Chapter 01

Comparisons

Comparisons indicate that:

– Average bank robbery amounts to $2,500.

– Average bank fraud amounts to $25,000.

– Average computer crime amounts to $500,000.

– Computer crime loss amounts to $5 - $10 billion annually.

Page 8: Chapter 01

The Security Problem

There are various ways to attack computers and networks to take advantage of what has made shopping, banking, investment, and leisure pursuits a matter of “dragging and clicking” for many people.

– Identity theft is common today.

Page 9: Chapter 01

Security Incidents

By examining some of the crimes that have been committed over the last dozen or so years, we can:

– Understand the threats and the security issues that surround computer systems and networks.

Page 10: Chapter 01

F.B.I. Statistics

Of all the computer crimes, only 1% are detected, and 7% of the detected crimes are reported.

Jail sentences, which are usually short-term, amount to only 3%.

A 75% increase per year has been reported in computer intrusions.

Computer crime has increased to 36%.

Page 11: Chapter 01

Security Incidents

Electronic crime can take different forms.

The two categories of electronic crimes are:

– Crimes in which the computer is the target of the attack.

– Incidents in which the computer is a means of perpetrating a criminal act.

Page 12: Chapter 01

The Morris Worm (November 1988)

Robert Morris, a graduate of Cornell University, released the Internet Worm (or the Morris Worm).

– The worm infected 10 percent of the machines (approximately 6,000) connected to the Internet at that time.

– The worm caused an estimated $100 million in damage, though this number has been the subject of wide debate.

Page 13: Chapter 01

Citibank and Vladimir Levin (June – October 1994)

From June 1994 through October, Vladimir Levin, of St. Petersburg, made a number of bank transfers.

– When he and his accomplices were caught, they had transferred an estimated $10 million.

– Eventually all but about $400,000 was recovered.

– Levin reportedly accomplished the break-ins by dialing into Citibank’s cash management system.

Page 14: Chapter 01

Kevin Mitnick (February 1995)

Kevin Mitnick’s computer activities occurred over a number of years, from the 1980s through the 1990s.

– Mitnick admitted to having gained unauthorized access to a number of computer systems belonging to companies such as Motorola, Novell, Fujitsu, and Sun Microsystems.

Page 15: Chapter 01

Omega Engineering and Timothy Lloyd (July 1996)

On July 30, 1996, a software “time bomb” at Omega Engineering deleted all design and production programs of the company. This severely damaged the small company, forcing the layoff of 80 employees.

The program was traced back to Timothy Lloyd, who had left it in retaliation for his dismissal.

Page 16: Chapter 01

Jester and the Worcester Airport (March 1997)

In March 1997, airport services to the FAA control tower as well as emergency services at the Worcester Airport and the community of Rutland, Massachusetts, were cut off for six hours.

This disruption occurred as a result of a series of commands sent by a teenage computer “hacker” who went by the name of “jester.”

The individual gained unauthorized access to the “loop carrier system” operated by NYNEX.

Page 17: Chapter 01

Solar Sunrise (February 1998)

During a period of increased tensions between the United States and Iraq and subsequent military preparations, a series of computer intrusions occurred at a number of military installations in the United States.

Over 500 domain name servers were compromised during the attacks.

Page 18: Chapter 01

Solar Sunrise (February 1998)

It was difficult to track the actual origin of the attacks. This was because the attackers made a number of “hops” between different systems, averaging eight systems before reaching the target.

The attackers eventually turned out to be two teenagers from California and their mentor in Israel.

Page 19: Chapter 01

Melissa Virus (March 1999)

Melissa is the best known of the early macro viruses, which attach themselves to documents produced by programs that have a limited macro programming capability.

The virus was written and released by David Smith.

This virus infected about a million computers and caused an estimated $80 million in damages.

Page 20: Chapter 01

Melissa Virus (March 1999)

This virus clogged networks with traffic and caused problems for e-mail servers worldwide.

It attached itself to Microsoft Word 97 and Word 2000 documents.

Whenever an infected file was opened, a macro caused it to infect the current host and also sent itself to the first fifty addresses in the individual’s address book.

To avoid infection by Melissa, users should not open the attached file.

Page 21: Chapter 01

Love Letter Worm (May 2000)

The worm spread via e-mail with the subject line “ILOVEYOU.”

The number of infected machines worldwide may have been as high as 45 million.

Similar to the Melissa virus, the Love Letter Worm spread via attachment to e-mails. In this case, instead of utilizing macros, the attachments were VBScript programs.

Page 22: Chapter 01

Code-Red Worm (2001)

On July 19, 2001, over 350,000 computers connected to the Internet were infected by the Code-Red worm. The incident took only 14 hours to occur.

Damages caused by the worm (including variations of the worm released on later dates) exceeded $2.5 billion.

The vulnerability exploited by the Code-Red worm had been known for a month.

Page 23: Chapter 01

Adil Yahya Zakaria Shakour (Aug 2001 - May 2002)

Shakour accessed several computers without authorization, including:

– Eglin Air Force Base (where he defaced the web site).

– Accenture (a Chicago-based management consulting and technology services company).

– Sandia National Laboratories (a Department of Energy facility).

– Cheaptaxforms.com.

At Cheaptaxforms.com, Shakour obtained credit card and personal information, which he used to purchase items worth over $7,000 for his own use.

Page 24: Chapter 01

Slammer Worm (2003)

The Slammer worm was released on Saturday, January 25, 2003.

It exploited a buffer-overflow vulnerability in computers running Microsoft's SQL Server or Microsoft SQL Server Desktop Engine.

– This vulnerability was not new.

– It had been discovered in July 2002.

– Microsoft had released a patch for the vulnerability even before it was announced.

Page 25: Chapter 01

Slammer Worm (2003)

By the next day, the worm had infected at least 120,000 hosts and caused network outages and disruption of airline flights, elections, and ATMs.

Page 26: Chapter 01

Slammer Worm (2003)

Slammer-infected hosts generated 1TB of worm-related traffic every second.

– The worm doubled the number of infected hosts every 8 seconds.

It took less than ten minutes to reach global proportions and infect 90 percent of the possible hosts it could infect.

Page 27: Chapter 01

Threats to Security

In a highly networked world, new threats have developed.

There are a number of ways to break down the various threats.

Page 28: Chapter 01

Breaking Down Threats

To break down threats, users need to:

– Categorize external threats versus internal threats.

– Examine the various levels of sophistication of the attacks, from “script kiddies” to “elite hackers.”

– Examine the level of organization of the various threats, from unstructured to highly structured threats.

Page 29: Chapter 01

Viruses and Worms

Employees in an organization may fail to follow certain practices or procedures, which can expose the organization to viruses and worms.

However, organizations generally do not have to worry about their employees writing or releasing viruses and worms.

Page 30: Chapter 01

Viruses and Worms

Viruses and worms:

– Are expected to be the most common problem that an organization will face, as thousands of them have been created.

– Are also generally non-discriminating threats that are released on the Internet and are not targeted at a specific organization.

Page 31: Chapter 01

Hacking

The act of deliberately accessing computer systems and networks without authorization is called “hacking.”

The term may also be used to refer to the act of exceeding one’s authority in a system.

Intruders are very patient, as it takes persistence and determination to gain access to a system.

Page 32: Chapter 01

Unstructured Threats

Attacks by individuals or even small groups of attackers fall into the unstructured threat category.

Attacks at this level are generally conducted over short periods of time (lasting at most a few months).

They do not involve a large number of individuals, and have little financial backing.

They do not include collusion with insiders.

Page 33: Chapter 01

Intruders

Intruders, or those who are attempting to conduct an intrusion, are of various types and have varying degrees of sophistication.

Page 34: Chapter 01

Script Kiddies

At the low end technically are script kiddies.

They do not have the technical expertise to develop scripts or discover new vulnerabilities in software.

They have just enough understanding of computer systems to be able to download and run scripts that others have developed.

Page 35: Chapter 01

Script Kiddies

Script kiddies are generally not as interested in attacking specific targets.

Script kiddies look for any organization that may not have patched a newly discovered vulnerability for which they have located a script to exploit.

These individuals probably account for at least 85 to 90% of those conducting “unfriendly” activities on the Internet.

Page 36: Chapter 01

Sophisticated Intruders

These individuals are capable of writing scripts to exploit known vulnerabilities.

They are more technically competent than script kiddies.

They account for an estimated 8 to 12% of the individuals conducting intrusive activity on the Internet.

Page 37: Chapter 01

Elite Hackers

Elite hackers are highly technical individuals and are able to:

– Write scripts that exploit vulnerabilities.

– Discover new vulnerabilities.

This group is the smallest, accounting for only 1 to 2% of the individuals conducting intrusive activity.

Page 38: Chapter 01

Insider Threats

Insiders:

– Are more dangerous than outside intruders.

– Have the access and knowledge necessary to cause immediate damage to an organization.

Page 39: Chapter 01

Insider Threats

Most security is designed to protect against outside intruders and thus lies at the boundary between the organization and the rest of the world.

Besides employees, insiders also include a number of other individuals who have physical access to facilities.

Page 40: Chapter 01

Criminal Organizations

Criminal activity on the Internet at its most basic is no different from criminal activity in the physical world.

A difference between criminal groups and the “average” hacker is the level of organization that criminal elements may employ in their attack.

Page 41: Chapter 01

Structured Threats

Attacks by criminal organizations can fall into the structured threat category, which is characterized by:

– Planning.

– A long period of time to conduct the activity.

– More financial backing.

– Corruption of or collusion with insiders.

Page 42: Chapter 01

Terrorists and Information Warfare

As nations become dependent on computer systems and networks, essential elements of society might become a target.

They might be attacked by organizations or nations determined to adversely affect another nation.

Page 43: Chapter 01

Terrorists and Information Warfare

Many nations today have developed to some extent the capability to conduct information warfare.

Information warfare is warfare conducted against information and the information-processing equipment used by an adversary.

Page 44: Chapter 01

Highly Structured Threats

Highly structured threats are characterized by:

– A long period of preparation (years is not uncommon).

– Tremendous financial backing.

– A large and organized group of attackers.

These threats may not only include attempts to subvert insiders, but also include attempts to plant individuals inside potential targets before an attack.

Page 45: Chapter 01

Highly Structured Threats

In information warfare, military forces are certainly still a key target.

Other likely targets can be the various infrastructures that a nation relies on for its daily existence.

Page 46: Chapter 01

Critical Infrastructure

Critical infrastructures are those infrastructures whose loss would have a severe detrimental impact on a nation.

Examples:

– Water.

– Electricity.

– Oil and gas refineries and distribution.

– Banking and finance.

– Telecommunications.

Page 47: Chapter 01

Information Warfare

Many countries have already developed a capability to conduct information warfare.

Terrorist organizations can also accomplish information warfare.

Terrorist organizations are highly structured threats that:

– Are willing to conduct long-term operations.

– Have tremendous financial support.

– Have a large and organized group of attackers.

Page 48: Chapter 01

Security Trends

The biggest change in security over the last 30 years has been the change in the computing environment.

Large mainframes have been replaced by highly interconnected networks of much smaller systems.

Security has switched from a closed environment to one in which computers can be accessed from almost anywhere.

Page 49: Chapter 01

Profile of Individuals

The type of individual who attacks a computer system or a network has also evolved over the last 30 years.

– The rise of non-affiliated intruders, including “script-kiddies,” has greatly increased the number of individuals who probe organizations looking for vulnerabilities to exploit.

Page 50: Chapter 01

Important Trend

Another trend that has occurred is: as the level of sophistication of attacks has increased, the level of knowledge necessary to exploit vulnerabilities has decreased.

Page 51: Chapter 01

Security Studies

One of the best-known security surveys is the joint survey conducted annually by the Computer Security Institute (CSI) and the FBI.

Page 52: Chapter 01

Security Studies

The number of organizations that have reported unauthorized use of their computer systems has been declining slowly (from 70% in 2000 to 56% in 2003).

The number of organizations that have reported attacks from Internet connections has increased (from 59% in 2000 to 78% in 2003).

Organizations citing independent hackers as a likely source of attacks have also increased (from 77% in 2000 to 82% in 2003).

Page 53: Chapter 01

Two Common Attacks

The two most frequent types of attacks have remained constant, with viruses and insider abuse of net access being the most common.

Page 54: Chapter 01

A Steady Increase

With the exception of Denial-of-Service attacks and telecom frauds, all categories had recorded a steady increase from 2000 through 2002, but then took a sharp decline in 2003.

Page 55: Chapter 01

A Decline in Loss

The average loss as a result of theft of proprietary information hit a high of $6.57 million in 2002 but was only $2.70 million in 2003.

Financial fraud plunged from $4.63 million in 2002 to $328 thousand in 2003.

Page 56: Chapter 01

Avenues of Attack

When a computer system is attacked, it is either specifically targeted by the attacker, or it is an opportunistic target.

Page 57: Chapter 01

Specific Target

In the first case, the attacker chooses the target not because of the hardware or software the organization is running but for some other reason, such as a political reason.

Page 58: Chapter 01

Target of Opportunity

The second type of attack, an attack against a target of opportunity, is conducted against a site that has hardware or software that is vulnerable to a specific exploit.

The attackers, in this case, are not targeting the organization. Instead, they have learned of a vulnerability and are looking for an organization with this vulnerability that they can exploit.

Page 59: Chapter 01

Target of Opportunity

Targeted attacks are more difficult and take more time than attacks on a target of opportunity.

– The second type of attack relies on the fact that with any piece of widely distributed software, there will almost always be somebody who has not patched the system.

Page 60: Chapter 01

The Steps in an Attack

The steps an attacker takes in attempting to penetrate a targeted network are similar to the ones that a security consultant performing a penetration test would take.

The attacker will need to gather as much information about the organization as possible.

Page 61: Chapter 01

Perform a Ping Sweep

The first step in the technical part of an attack is often to determine what target systems are available and active.

This is often done with a ping sweep, which sends a “ping” (an ICMP echo request) to the target machine. If the machine responds, it is reachable.

Page 62: Chapter 01

Perform a Port Scan

The next step is to perform a port scan. This will help identify the ports that are open, which gives an indication of the services running on the target machine.

Page 63: Chapter 01

Determine the Operating System

After determining the services available, the attacker needs to determine the operating system running on the target machine and the specific application programs.
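The ping sweep and port scan just described leave a recognisable footprint in perimeter firewall logs: one source sending ICMP echo requests to many hosts, then hitting many ports on one host, in a short time. The following detector, added here as an example and not part of the original lesson, runs over constructed log lines in the style of netfilter/iptables LOG output (the field names SRC, DST, PROTO, TYPE and DPT are what that logger emits; the addresses, thresholds and window are assumptions).

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the style of netfilter/iptables LOG output
# (not a real capture): one noisy source and one benign client.
def _mk(hhmmss, src, dst, proto, **kw):
    extra = " ".join(f"{k}={v}" for k, v in kw.items())
    return f"2014-12-02T{hhmmss} IN=eth0 SRC={src} DST={dst} PROTO={proto} {extra}"

SCANNED_PORTS = (21, 22, 23, 25, 80, 110, 135, 139, 443, 445, 3306, 3389)
SAMPLE_LOG = (
    # ping sweep: echo requests to twelve hosts within three seconds
    [_mk(f"10:00:{i % 4:02d}", "203.0.113.5", f"192.0.2.{i}", "ICMP", TYPE=8, CODE=0)
     for i in range(1, 13)]
    # port scan: twelve ports on one of the hosts that answered
    + [_mk("10:00:10", "203.0.113.5", "192.0.2.10", "TCP", SPT=41000 + p, DPT=p)
       for p in SCANNED_PORTS]
    # benign client: one ping and one HTTPS connection
    + [_mk("10:05:00", "198.51.100.7", "192.0.2.10", "ICMP", TYPE=8, CODE=0),
       _mk("10:05:01", "198.51.100.7", "192.0.2.10", "TCP", SPT=52000, DPT=443)]
)

SWEEP_HOSTS = 8   # distinct hosts pinged by one source within WINDOW seconds
SCAN_PORTS = 10   # distinct ports probed on one host within WINDOW seconds
WINDOW = 60       # assumed detection window; tune to the environment

def parse_line(line):
    """Split 'TIMESTAMP KEY=VALUE ...' into a dict with a datetime under 'ts'."""
    ts, _, rest = line.partition(" ")
    fields = dict(re.findall(r"(\w+)=(\S*)", rest))
    fields["ts"] = datetime.fromisoformat(ts)
    return fields

def max_distinct_in_window(events):
    """Largest number of distinct values seen in any WINDOW-second span."""
    events = sorted(events)
    best = 0
    for i, (t0, _) in enumerate(events):
        vals = {v for t, v in events[i:] if (t - t0).total_seconds() <= WINDOW}
        best = max(best, len(vals))
    return best

def detect(lines):
    """Return (kind, who, count) findings for ping sweeps and port scans."""
    pings = defaultdict(list)   # src -> [(ts, dst)] for ICMP echo requests
    probes = defaultdict(list)  # (src, dst) -> [(ts, dport)] for TCP/UDP
    for e in map(parse_line, lines):
        if e.get("PROTO") == "ICMP" and e.get("TYPE") == "8":
            pings[e["SRC"]].append((e["ts"], e["DST"]))
        elif "DPT" in e:
            probes[(e["SRC"], e["DST"])].append((e["ts"], e["DPT"]))
    findings = []
    for src, evs in pings.items():
        n = max_distinct_in_window(evs)
        if n >= SWEEP_HOSTS:
            findings.append(("ping_sweep", src, n))
    for (src, dst), evs in probes.items():
        n = max_distinct_in_window(evs)
        if n >= SCAN_PORTS:
            findings.append(("port_scan", f"{src}->{dst}", n))
    return findings

if __name__ == "__main__":
    for kind, who, n in detect(SAMPLE_LOG):
        print(f"{kind}: {who} ({n} distinct targets in {WINDOW}s)")
```

The benign client pings once and opens one connection, so it stays below both thresholds; only the sweeping source is reported.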

Page 64: Chapter 01

Sources of Information

There are numerous web sites that provide information on vulnerabilities in specific application programs and operating systems.

Page 65: Chapter 01

Sources of Information

In addition to information about specific vulnerabilities, some sites may also provide tools that can be used to exploit vulnerabilities.

An attacker can search for known vulnerabilities and tools that exploit them, download the information and tools, and then use them against a site.

Page 66: Chapter 01

Administrative Mistake

The attack may be successful if the administrator for the targeted system has not installed the correct patch.

The attacker will move on to the next possible vulnerability if the patch has been installed.

Page 67: Chapter 01

The General Process

There are different ways in which a system can be attacked, but the general process is the same:

– Gathering as much information as possible about the target (using both electronic and non-electronic means).

– Gathering information about possible exploits based on the information about the system, and then systematically attempting to use each exploit.

Page 68: Chapter 01

If It Does Not Work

If the exploits do not work, other, less system-specific, attacks may be attempted.

Page 69: Chapter 01

Minimizing Avenues of Attack

Understanding the steps an attacker will take enables administrators to limit the exposure of the system and minimize the avenues an attacker might possibly exploit.

Page 70: Chapter 01

Minimizing Avenues of Attack

The first step an administrator can take to minimize the possible attacks is to ensure that all patches for the operating system and the applications are installed.

The second step an administrator can take is to limit the services running on a system.

Another step that can be taken to minimize the possible avenues of attack is to provide as little information as possible on an organization and its computing resources.
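The second step above, limiting the services running on a system, is easiest to enforce when the host is checked against an explicit allowlist of what it is supposed to expose: every listener not on the list (and not bound to loopback only) is an avenue of attack that should be removed or firewalled. The script below is an added example, not part of the original lesson; the `ss -tlnp`-style listing it parses is constructed, and the allowlist is an assumed policy for a web server that should expose only SSH and HTTP.

```python
import re

# Constructed sample in the layout of `ss -tlnp` output (not a real capture).
SAMPLE_SS = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       4096    127.0.0.1:631        0.0.0.0:*          users:(("cupsd",pid=901,fd=7))
LISTEN  0       511     *:80                 *:*                users:(("nginx",pid=1203,fd=6))
LISTEN  0       80      0.0.0.0:3306         0.0.0.0:*          users:(("mysqld",pid=1410,fd=21))
LISTEN  0       128     [::]:22              [::]:*             users:(("sshd",pid=812,fd=4))
LISTEN  0       50      0.0.0.0:23           0.0.0.0:*          users:(("telnetd",pid=1999,fd=3))
"""

# Assumed policy: the only services this host may expose, port -> process name.
ALLOWED = {22: "sshd", 80: "nginx"}
# Addresses reachable only from the host itself; listeners there are not exposed.
LOOPBACK = {"127.0.0.1", "[::1]", "::1"}

def parse_ss(text):
    """Turn `ss -tlnp` output into a list of {addr, port, proc} listeners."""
    listeners = []
    for line in text.splitlines()[1:]:          # skip the column header
        cols = line.split()
        if len(cols) < 4 or cols[0] != "LISTEN":
            continue
        addr, _, port = cols[3].rpartition(":")  # handles "*:80" and "[::]:22"
        m = re.search(r'\("([^"]+)"', line)       # process name inside users:(("name",...))
        listeners.append({"addr": addr, "port": int(port), "proc": m.group(1) if m else "?"})
    return listeners

def audit(listeners, allowed=ALLOWED):
    """Return (port, process, address) for every exposed listener not in the allowlist."""
    findings = []
    for l in listeners:
        if l["addr"] in LOOPBACK:
            continue
        if allowed.get(l["port"]) != l["proc"]:
            findings.append((l["port"], l["proc"], l["addr"]))
    return sorted(findings)

if __name__ == "__main__":
    for port, proc, addr in audit(parse_ss(SAMPLE_SS)):
        print(f"unexpected listener: {proc} on {addr}:{port}")
```

On a real host, feed the script the live output of `ss -tlnp` (or `netstat -tlnp` with the same column order) and review each finding: stop the service, bind it to loopback, or add it to the allowlist deliberately.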

Page 71: Chapter 01

Types of Attacks

There are a number of ways that a computer system or a network can be attacked.

Attacks can result in one of a few general consequences:

– A loss of confidentiality, where information is disclosed to unauthorized individuals.

– A loss of integrity, where information is modified by unauthorized individuals.

– A loss of availability, where information or the systems processing it are not available to authorized users.