Framework Chapter 1 Panko, Corporate Computer and Network Security Copyright 2002 Prentice-Hall

Page 1

Framework

Chapter 1

Panko, Corporate Computer and Network Security
Copyright 2002 Prentice-Hall

Page 2

Figure 1-1: CSI/FBI Computer Crime and Security Survey

How Bad is the Threat?

Survey conducted by the Computer Security Institute (http://www.gocsi.com).

Based on replies from 503 U.S. Computer Security Professionals.

If fewer than 20 firms reported quantified dollar losses, data for the threat are not shown.

Pages 3-6

Figure 1-1: CSI/FBI Computer Crime and Security Survey

Columns: percent of firms reporting an incident (1997, 2002); average annual loss per firm in thousands of dollars (1997, 2002).

Threat                           Incident 1997   Incident 2002   Loss 1997 (x1000)   Loss 2002 (x1000)
Viruses                          82%             85%             $76                 $283
Laptop Theft                     58%             65%             $38                 $89
Denial of Service                24%             40%             $77                 $297
System Penetration               20%             40%             $132                $226
Unauthorized Access by Insiders  40%             38%             NA                  NA
Theft of Intellectual Property   20%             20%             $954                $6,571
Financial Fraud                  12%             12%             $958                $4,632
Sabotage                         14%             8%              $164                $541
Telecom Fraud                    27%             9%              NA                  NA
Telecom Eavesdropping            11%             6%              NA                  NA
Active Wiretap                   3%              1%              NA                  NA

Page 7

Figure 1-2: Other Empirical Attack Data

Riptech

Analyzed 5.5 billion firewall log entries in 300 firms in a five-month period

Detected 128,678 attacks—an annual rate of 1,000 per firm

After virus activity was removed from the data, only 39% of attacks were directed at individual firms

Page 8

Figure 1-2: Other Empirical Attack Data

Riptech

23% of all firms experienced a highly aggressive attack in a 6-month period

Although they are only one percent of all attacks, highly aggressive attacks are 26 times more likely to do severe damage than even moderately sophisticated aggressive attacks

Page 9

Figure 1-2: Other Empirical Attack Data

SecurityFocus Data from 10,000 firms in 2001

Attack Frequency

129 million network scanning probes (13,000 per firm)

29 million website attacks (3,000 per firm)

6 million denial-of-service attacks (600 per firm)

Page 10

Figure 1-2: Other Empirical Attack Data

SecurityFocus Attack Targets

31 million Windows-specific attacks

22 million UNIX/LINUX attacks

7 million Cisco IOS attacks

All operating systems are attacked!

Page 11

Figure 1-2: Other Empirical Attack Data

U.K. Department of Trade and Industry

Two-thirds of U.K. firms surveyed lost less than $15,000 from their worst incident

But 4% lost more than $725,000

Page 12

Figure 1-2: Other Empirical Attack Data

MessageLabs

One in every 200 to 400 e-mail messages is infected

Most e-mail users are sent infected e-mail several times each year

The percentage of e-mails that are infected is rising

Page 13

Figure 1-2: Other Empirical Attack Data

Honeynet project

Fake networks set up for adversaries to attack

To understand how adversaries attack

Windows 98 PC with open shares and no password compromised 5 times in 4 days

LINUX PCs took 3 days on average to compromise

Page 14

Figure 1-3: Attack Trends

Growing Incident Frequency

Incidents reported to the Computer Emergency Response Team/Coordination Center

1997: 2,134

1998: 3,474 (75% growth from the year before)

1999: 9,859 (164% growth from the year before)

2000: 21,756 (121% growth from the year before)

2001: 52,658 (142% growth from the year before)

Tomorrow?

Page 15

Figure 1-3: Attack Trends

Growing Randomness in Victim Selection

In the past, large firms were targeted

Now, targeting is increasingly random

No more security through obscurity for small firms and individuals

Page 16

Figure 1-3: Attack Trends

Growing Malevolence

Most early attacks were not malicious

Malicious attacks are becoming the norm

Page 17

Figure 1-3: Attack Trends

Growing Attack Automation

Attacks are automated, rather than human-directed

Essentially, viruses and worms are attack robots that travel among computers

Attack many computers in minutes or hours

Page 18

Figure 1-4: Framework for Attackers

Elite Hackers

Hacking: intentional access without authorization or in excess of authorization

Cracking versus hacking

Technical expertise and dogged persistence

Use attack scripts to automate actions, but this is not the essence of what they do

Page 19

Figure 1-4: Framework for Attackers

Elite Hackers

White hat hackers: break into a system but notify the firm or vendor of the vulnerability (this is still illegal)

Black hat hackers: do not hack to find and report vulnerabilities

Gray hat hackers: go back and forth between the two ways of hacking

Page 20

Figure 1-4: Framework for Attackers

Elite Hackers

Hack but with a code of ethics

Codes of conduct are often amoral: “Do no harm,” but delete log files, destroy security settings, etc.

Distrust of evil businesses and government

Still illegal

Deviant psychology and hacker groups to reinforce deviance

Page 21

Figure 1-4: Framework for Attackers

Virus Writers and Releasers

Virus writers versus virus releasers

Only releasing viruses is punishable

Page 22

Figure 1-4: Framework for Attackers

Script Kiddies

Use prewritten attack scripts (kiddie scripts)

Viewed as lamers and script kiddies

Their large numbers make them dangerous

Noise of kiddie script attacks masks more sophisticated attacks

Page 23

Figure 1-4: Framework for Attackers

Criminals

Many attackers are ordinary garden-variety criminals

Credit card and identity theft

Stealing trade secrets (intellectual property)

Extortion

Page 24

Figure 1-4: Framework for Attackers

Corporate Employees

Have access and knowledge

Financial theft

Theft of trade secrets (intellectual property)

Sabotage

Consultants and contractors

IT and security staff are biggest danger

Page 25

Figure 1-4: Framework for Attackers

Cyberterrorism and Cyberwar

New level of danger

Infrastructure destruction

Attacks on IT infrastructure

Use IT to establish physical infrastructure (energy, banks, etc.)

Page 26

Figure 1-4: Framework for Attackers

Cyberterrorism and Cyberwar

Simultaneous multi-pronged attacks

Cyberterrorism by terrorist groups versus cyberwar by national governments

Amateur information warfare

Page 27

Figure 1-5: Framework for Attacks

Attacks

Physical Access Attacks
-- Wiretapping
-- Server Hacking
-- Vandalism

Dialog Attacks
-- Eavesdropping
-- Impersonation
-- Message Alteration

Penetration Attacks
-- Scanning (Probing)
-- Break-in
-- Denial of Service

Social Engineering
-- Opening Attachments
-- Password Theft
-- Information Theft

Malware
-- Viruses
-- Worms

Page 28

Figure 1-6: Attacks and Defenses (Study Figure)

Access Control

Access control is the body of strategies and practices that a company uses to prevent improper access

Prioritize assets

Specify access control technology and procedures for each asset

Test the protection

Page 29

Figure 1-6: Attacks and Defenses (Study Figure)

Site Access Attacks and Defenses

Wiretaps (including wireless LAN intrusions)

Hacking servers with physical access

Page 30

Figure 1-6: Attacks and Defenses (Study Figure)

Social Engineering

Tricking an employee into giving out information or taking an action that reduces security or harms a system

Opening an e-mail attachment that may contain a virus

Asking for a password while claiming to be someone with the right to know it

Asking for a file to be sent to you

Page 31

Figure 1-6: Attacks and Defenses (Study Figure)

Social Engineering Defenses

Training

Enforcement through sanctions (punishment)

Page 32

Figure 1-6: Attacks and Defenses (Study Figure)

Dialog Attacks and Defenses

Eavesdropping

Encryption for Confidentiality

Imposters and Authentication

Cryptographic Systems

Page 33

Figure 1-7: Eavesdropping on a Dialog

[Diagram: Bob (client PC) and Alice (server) exchange a dialog ("Hello" / "Hello"); the attacker (Eve) intercepts and reads the messages.]

Page 34

Figure 1-8: Encryption for Confidentiality

[Diagram: Bob (client PC) encrypts the original message "Hello" into the encrypted message "100100110001"; Alice (server) decrypts it back to "Hello"; the attacker (Eve) intercepts "100100110001" but cannot read it.]

Page 35

Figure 1-9: Impersonation and Authentication

[Diagram: the attacker (Eve) tells Alice (server) "I'm Bob"; Alice replies "Prove it!" (authenticate yourself). Bob's client PC is the legitimate party.]

Page 36

Figure 1-10: Message Alteration

[Diagram: Bob (client PC) sends "Balance = $1" to Alice (server); the attacker (Eve) intercepts the message and alters it to "Balance = $1,000,000", which is what Alice receives.]

Page 37

Figure 1-11: Secure Dialog System

[Diagram: Bob (client PC) and Alice (server) hold a secure dialog; the attacker cannot read messages, alter messages, or impersonate either party. The system automatically handles negotiation of security options, authentication, encryption, and integrity.]
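Figures 1-8 through 1-11 show the three dialog attacks and the three properties a secure dialog system adds against them. The Python below is an added example, not code from the book; it uses only the standard library, with keys constructed for the demonstration and a toy HMAC-SHA256 keystream standing in for the cipher a real system such as TLS would negotiate (an AEAD like AES-GCM). It replays Eve's intercept, alteration and impersonation attempts and shows each one failing, and adds a replay, which the sequence number catches.

```python
import hashlib
import hmac
import secrets

# Added illustration, not the book's code. Keys are constructed for the demo.
# Toy stream cipher: keystream block i = HMAC-SHA256(key, nonce || i), XORed with the data.
# A real secure dialog (TLS, for instance) uses a vetted AEAD such as AES-GCM instead.

def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    block = 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return out[:length]


def xor_bytes(data: bytes, mask: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, mask))


def protect(enc_key: bytes, mac_key: bytes, seq: int, plaintext: bytes) -> dict:
    """Encrypt for confidentiality, then MAC nonce + seq + ciphertext for integrity."""
    nonce = secrets.token_bytes(12)
    ciphertext = xor_bytes(plaintext, keystream(enc_key, nonce, len(plaintext)))
    header = nonce + seq.to_bytes(4, "big")
    tag = hmac.new(mac_key, header + ciphertext, hashlib.sha256).digest()
    return {"nonce": nonce, "seq": seq, "ciphertext": ciphertext, "tag": tag}


def unprotect(enc_key: bytes, mac_key: bytes, expected_seq: int, msg: dict) -> bytes:
    """Check the tag and sequence number before decrypting; raise on any tampering."""
    header = msg["nonce"] + msg["seq"].to_bytes(4, "big")
    expected = hmac.new(mac_key, header + msg["ciphertext"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, msg["tag"]):
        raise ValueError("integrity check failed: message was altered")
    if msg["seq"] != expected_seq:
        raise ValueError("sequence check failed: message replayed or dropped")
    return xor_bytes(msg["ciphertext"], keystream(enc_key, msg["nonce"], len(msg["ciphertext"])))


# Authentication ("Prove it!"): Alice sends a fresh challenge, Bob answers with a keyed MAC,
# so the shared secret itself never crosses the wire.
def make_challenge() -> bytes:
    return secrets.token_bytes(16)


def answer_challenge(secret: bytes, challenge: bytes) -> bytes:
    return hmac.new(secret, b"client-auth:" + challenge, hashlib.sha256).digest()


def verify_response(secret: bytes, challenge: bytes, response: bytes) -> bool:
    return hmac.compare_digest(answer_challenge(secret, challenge), response)


def run_dialog() -> dict:
    """Replay Eve's attacks from Figures 1-8, 1-9 and 1-10 against the protected dialog."""
    enc_key, mac_key, auth_secret = (secrets.token_bytes(32) for _ in range(3))
    results = {}

    # Figure 1-8: Eve intercepts the ciphertext but cannot read "Hello".
    msg = protect(enc_key, mac_key, 1, b"Hello")
    results["eve_sees_hello"] = msg["ciphertext"] == b"Hello"
    results["alice_reads"] = unprotect(enc_key, mac_key, 1, msg)

    # Figure 1-10: Eve flips one bit of the ciphertext; Alice's integrity check catches it.
    altered = dict(msg)
    altered["ciphertext"] = bytes([msg["ciphertext"][0] ^ 0x01]) + msg["ciphertext"][1:]
    try:
        unprotect(enc_key, mac_key, 1, altered)
        results["alteration_detected"] = False
    except ValueError:
        results["alteration_detected"] = True

    # Replay: Eve resends Bob's genuine message later; the sequence check rejects it.
    try:
        unprotect(enc_key, mac_key, 2, msg)
        results["replay_detected"] = False
    except ValueError:
        results["replay_detected"] = True

    # Figure 1-9: Eve claims "I'm Bob" but cannot answer Alice's challenge without the secret.
    challenge = make_challenge()
    bob = answer_challenge(auth_secret, challenge)
    eve = answer_challenge(b"eve-guesses-a-secret", challenge)
    results["bob_authenticates"] = verify_response(auth_secret, challenge, bob)
    results["eve_authenticates"] = verify_response(auth_secret, challenge, eve)
    return results


if __name__ == "__main__":
    for name, value in run_dialog().items():
        print(f"{name}: {value!r}")
```

Encrypt-then-MAC with the nonce and sequence number covered by the MAC is what makes alteration and replay detectable rather than silently accepted; the challenge-response never transmits the shared secret, so Eve learns nothing usable from watching Bob authenticate.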

Page 38

Figure 1-12: Network Penetration Attacks and Firewalls

[Diagram: an attacker on the Internet sends an attack packet toward the internal corporate network; the Internet firewall drops the attack packet and records it in a log file, while legitimate packets are passed to the hardened client PC and hardened server.]

Page 39

Figure 1-13: Scanning (Probing) Attacks

[Diagram: an attacker on the Internet sends attack packets to 172.16.99.1, 172.16.99.2, etc. on the corporate network; each live host (Host 172.16.99.1, Host 172.16.99.2) answers "I'm Here".]

Page 40

Figure 1-14: Single-Message Break-In Attack

[Diagram: 1. the attacker sends a single break-in packet; 2. the server is taken over by that single message.]

Page 41

Figure 1-15: Denial-of-Service (DoS) Flooding Attack

[Diagram: the attacker sends a message flood; the server is overloaded by the message flood.]

Page 42

Figure 1-16: Intrusion Detection System (IDS)

[Diagram: 1. an attacker on the Internet sends a suspicious packet toward the hardened server on the corporate network; 2. the suspicious packet is passed; 3. the intrusion detection system (IDS) logs the suspicious packet to a log file; 4. the IDS raises an alarm to the network administrator.]
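Figures 1-12, 1-13 and 1-16 together describe a firewall that logs what it passes and drops and an IDS that raises an alarm on suspicious traffic. The Python below is an added example, not code from the book; the firewall policy, the documentation-range Internet addresses and the packet sample are constructed, with the 172.16.99.x hosts taken from Figure 1-13. It applies an allow-list policy, writes one log line per decision, and then runs a single IDS rule over that log: a source that touches five or more distinct internal hosts is reported as a scanner.

```python
import ipaddress
from collections import defaultdict

# Added illustration, not the book's code. Policy, addresses and traffic are constructed;
# 172.16.99.x are the hosts of Figure 1-13, the Internet sources are documentation addresses.
INTERNAL_NET = ipaddress.ip_network("172.16.99.0/24")
ALLOWED_SERVICES = {("172.16.99.1", 80)}   # (internal host, TCP port) reachable from the Internet
SCAN_THRESHOLD = 5                          # distinct internal hosts one source may touch before it is flagged


def firewall_decision(packet: dict) -> str:
    """Figure 1-12: pass a packet only if it targets an explicitly allowed internal service."""
    if ipaddress.ip_address(packet["dst"]) not in INTERNAL_NET:
        return "drop"
    if (packet["dst"], packet["dport"]) in ALLOWED_SERVICES:
        return "pass"
    return "drop"


def run_firewall(packets: list) -> tuple:
    """Apply the policy to each packet and write every decision to the log file."""
    passed, log = [], []
    for p in packets:
        decision = firewall_decision(p)
        log.append(f"{p['ts']} {decision.upper()} src={p['src']} dst={p['dst']} dport={p['dport']}")
        if decision == "pass":
            passed.append(p)
    return passed, log


def parse_log_line(line: str) -> dict:
    """Turn 'ts DECISION k=v k=v ...' back into a dict."""
    ts, decision, *fields = line.split()
    entry = {"ts": ts, "decision": decision}
    entry.update(f.split("=", 1) for f in fields)
    return entry


def detect_scans(log_lines: list, threshold: int = SCAN_THRESHOLD) -> dict:
    """IDS rule for Figure 1-13 traffic: one source touching many internal hosts is a scan.
    Passed and dropped packets both count, since a sweep's first probe may hit a real service."""
    hosts_by_src = defaultdict(set)
    for entry in map(parse_log_line, log_lines):
        hosts_by_src[entry["src"]].add(entry["dst"])
    return {src: sorted(hosts) for src, hosts in hosts_by_src.items() if len(hosts) >= threshold}


# Constructed traffic: one legitimate web request, a sweep of seven internal hosts, one SSH probe.
SAMPLE_PACKETS = [
    {"ts": "10:00:01", "src": "203.0.113.5", "dst": "172.16.99.1", "dport": 80},
    *[{"ts": f"10:00:{i + 1:02d}", "src": "198.51.100.7", "dst": f"172.16.99.{i}", "dport": 80}
      for i in range(1, 8)],
    {"ts": "10:00:10", "src": "203.0.113.5", "dst": "172.16.99.2", "dport": 22},
]


def analyze(packets: list = SAMPLE_PACKETS) -> dict:
    """Run the firewall, then the IDS rule over its log; return what the administrator is alarmed about."""
    passed, log = run_firewall(packets)
    return {"passed": len(passed), "dropped": len(packets) - len(passed),
            "scanners": detect_scans(log), "log": log}


if __name__ == "__main__":
    report = analyze()
    print("\n".join(report["log"]))
    print(f"passed={report['passed']} dropped={report['dropped']} scanners={report['scanners']}")
```

The scan rule reads the firewall's own log rather than a separate sensor, which is the cheapest place to start; tune SCAN_THRESHOLD against the normal fan-out of legitimate clients (a monitoring host may legitimately touch every server) before wiring the alarm to the administrator.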

Page 43

Figure 1-17: Security Management

Security is Primarily a Management Issue, not a Technology Issue

Top-to-Bottom Commitment

Top-management commitment

Operational execution

Enforcement

Page 44

Figure 1-17: Security Management

Comprehensive Security: closing all avenues of attack

Asymmetrical warfare: the attacker only has to find one opening

Defense in depth: the attacker must get past several defenses to succeed

Security audits: run attacks against your own network

Page 45

Figure 1-17: Security Management

General Security Goals (CIA)

Confidentiality: attackers cannot read messages if they intercept them

Integrity: if attackers change messages, this will be detected

Availability: the system is able to serve users

Page 46

Figure 1-18: The Plan—Protect—Respond Cycle

Planning

Need for comprehensive security (no gaps)

Risk analysis (see Figure 1-19)

Enumerating threats

Threat severity = estimated cost of attack x probability of attack

Value of protection = threat severity – cost of countermeasure

Prioritize countermeasures by value of protection

Page 47

Figure 1-19: Threat Severity Analysis

Step     1                         2                           3                 4                     5                     6                       7
Threat   Cost if attack succeeds   Probability of occurrence   Threat severity   Countermeasure cost   Value of protection   Apply countermeasure?   Priority
A        $500,000                  80%                         $400,000          $100,000              $300,000              Yes                     1
B        $10,000                   20%                         $2,000            $3,000                ($1,000)              No                      NA
C        $100,000                  5%                          $5,000            $2,000                $3,000                Yes                     2
D        $10,000                   70%                         $7,000            $20,000               ($13,000)             No                      NA
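The formulas on Page 46 and the worked table in Figure 1-19 are the same computation. The Python below is an added example, not code from the book; it encodes steps 1 to 7 with the four threats of the figure as input, using whole-dollar and whole-percent integers so the arithmetic is exact, and reproduces the figure's severity, value, apply and priority columns. It generalizes to any number of threats.

```python
from dataclasses import dataclass

# Added illustration, not the book's code. Dollar amounts are whole dollars and
# probabilities whole percentages so every step is exact integer arithmetic.


@dataclass
class Threat:
    name: str
    cost_if_success: int      # step 1: cost if the attack succeeds ($)
    probability_pct: int      # step 2: probability of occurrence (%)
    countermeasure_cost: int  # step 4: cost of the countermeasure ($)


def threat_severity(t: Threat) -> int:
    """Step 3: threat severity = estimated cost of attack x probability of attack."""
    return t.cost_if_success * t.probability_pct // 100


def value_of_protection(t: Threat) -> int:
    """Step 5: value of protection = threat severity - cost of countermeasure."""
    return threat_severity(t) - t.countermeasure_cost


def analyze_threats(threats: list) -> list:
    """Steps 6 and 7: apply a countermeasure only when its value is positive, rank by value."""
    rows = []
    for t in threats:
        value = value_of_protection(t)
        rows.append({"threat": t.name, "severity": threat_severity(t),
                     "countermeasure_cost": t.countermeasure_cost, "value": value,
                     "apply": value > 0, "priority": None})
    # Highest value of protection first; threats not worth protecting keep priority None (NA).
    worth_it = sorted((r for r in rows if r["apply"]), key=lambda r: r["value"], reverse=True)
    for rank, row in enumerate(worth_it, start=1):
        row["priority"] = rank
    return rows


# The four threats of Figure 1-19.
FIGURE_1_19_THREATS = [
    Threat("A", 500_000, 80, 100_000),
    Threat("B", 10_000, 20, 3_000),
    Threat("C", 100_000, 5, 2_000),
    Threat("D", 10_000, 70, 20_000),
]


def format_table(rows: list) -> str:
    """Render the analysis in the layout of Figure 1-19 (negative values in parentheses)."""
    lines = [f"{'Threat':6} {'Severity':>10} {'CM cost':>10} {'Value':>11} {'Apply':>5} {'Prio':>4}"]
    for r in rows:
        value = f"${r['value']:,}" if r["value"] >= 0 else f"(${-r['value']:,})"
        prio = str(r["priority"]) if r["priority"] else "NA"
        lines.append(f"{r['threat']:6} {'$' + format(r['severity'], ','):>10} "
                     f"{'$' + format(r['countermeasure_cost'], ','):>10} {value:>11} "
                     f"{'Yes' if r['apply'] else 'No':>5} {prio:>4}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_table(analyze_threats(FIGURE_1_19_THREATS)))
```

Ranking by value of protection rather than by severity is what puts C (value $3,000) ahead of D (severity $7,000 but a countermeasure costing more than the expected loss); a countermeasure whose value is exactly zero is treated as not worth applying.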

Page 48

Figure 1-18: The Plan—Protect—Respond Cycle

Planning

Security policies drive subsequent specific actions (see Figure 1-20)

Selecting technology

Procedures to make technology effective

The testing of technology and procedures

Page 49

Figure 1-20: Policy-Driven Technology, Procedures, and Testing

[Diagram: a policy ("Only allow authorized personnel to use accounting webserver") drives the choice of technology (firewall, hardened webserver), the procedures (configuration, passwords, etc.), and protection testing (test security by attempting to connect to the unauthorized webserver).]

Page 50

Figure 1-18: The Plan—Protect—Respond Cycle

Protecting

Installing protections: firewalls, IDSs, host hardening, etc.

Updating protections as the threat environment changes

Testing protections: security audits

Page 51

Figure 1-18: The Plan—Protect—Respond Cycle

Responding

Planning for response (Computer Emergency Response Team)

Incident detection and determination

Procedures for reporting suspicious situations

Determination that an attack really is occurring

Description of the attack to guide subsequent actions

Page 52

Figure 1-18: The Plan—Protect—Respond Cycle

Responding

Containment: stop the attack

Recovery: repair the damage

Punishment: forensics, prosecution, employee punishment

Fixing the vulnerability that allowed the attack