Upload: gaius, posted 25-Feb-2016
Page 1: Internet Security 1  ( IntSi1 )

ITA, 19.09.2011, 1-Introduction.pptx 1

Internet Security 1 (IntSi1)

Prof. Dr. Peter Heinzmann
Prof. Dr. Andreas Steffen

Institute for Internet Technologies and Applications (ITA)

1 Introduction

Page 2: Internet Security 1  ( IntSi1 )

Internet Security 1 (IntSi1)

1.1 What is Internet Security?

Page 3: Internet Security 1  ( IntSi1 )

Definition of Information Security

• Information Security (ISO/IEC 27001:2005)
  Preservation of confidentiality, integrity and availability of information; in addition, other properties such as authenticity, accountability, non-repudiation and reliability can also be involved.

• Information Security (Wikipedia) = IT Security
  Information security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction.

• IT Security
  IT Security is a subset of Information Security and is concerned with the protection of computers and/or protecting information by means of computers.

• Internet Security (Wikipedia)
  Internet Security is a branch of Computer Security specifically related to the Internet. Its objective is to establish rules and measures to use against attacks over the Internet.

Page 4: Internet Security 1  ( IntSi1 )

Worldwide Criminal Potential in the Internet

[Figure: 2095 Mio Internet users (March'11) vs. 850 Mio hosts (July'11); parties shown: xyz.ch, ISP, Private Homes, Business/Administration, Commerce/Shops]

Page 5: Internet Security 1  ( IntSi1 )

What do you expect from Internet Security?

• ?
• ?
• ?
• ?

Page 6: Internet Security 1  ( IntSi1 )

Security Elements: The CIA Triad + Extensions

• Confidentiality
  Valuable information or sensitive data must be protected from unauthorized access.

• Integrity
  Data must be protected from getting accidentally or mischievously changed, either in its storage location or during transmission.

• Availability
  In a global business environment the server and communications infrastructure must be available on a 24/7 basis.

• Authenticity
  In any electronic transaction the true identity of the communication partners (hosts/users) should be verifiable.

• Accountability (Non-Repudiation)
  There should be a provable association between an electronic transaction and the entity which initiated it.

Page 7: Internet Security 1  ( IntSi1 )

Identifying the Security Elements

[Figure labels:]
• Availability: waiting for response
• Integrity: protects data against change
• Confidentiality: keep information secret
• Authentication: verifies the host
• SSL/TLS: makes it all possible

Page 8: Internet Security 1  ( IntSi1 )

Internet Security 1 (IntSi1)

1.2 Security Risks

Page 9: Internet Security 1  ( IntSi1 )

Security Risk Analysis

[Figure: Threats and Vulnerabilities act on Assets/Values (Data); Security measures]

[Graph: Cost vs. Security level (from "unprotected" to "high level protection"); curves: Cost of incidents, Cost of security measures, Overall cost; label: Value of system to be protected]

Risk = Value × Threat × Vulnerability
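The formula and the cost graph on this slide, carried through on numbers: an added example, not part of the slides. The security levels, their yearly cost and the residual vulnerability at each level are constructed values chosen only so that the three curves of the graph (cost of incidents, cost of measures, overall cost) can be computed and the minimum of the overall cost located.

```python
# Added example (not from the slides): Risk = Value x Threat x Vulnerability,
# evaluated per security level, together with the cost of measures, to find
# the minimum of the "overall cost" curve. All numbers are constructed.

def risk(value: float, threat: float, vulnerability: float) -> float:
    """Risk read as expected loss: asset value, times the probability that
    the threat acts, times the probability that it succeeds given the
    current level of protection."""
    return value * threat * vulnerability

# Constructed levels from "unprotected" to "high level protection":
# (level name, yearly cost of security measures, residual vulnerability)
LEVELS = [
    ("unprotected",        0, 0.90),
    ("basic hygiene", 50_000, 0.50),
    ("hardened",     120_000, 0.20),
    ("monitored",    220_000, 0.08),
    ("redundant",    400_000, 0.03),
    ("high level",   700_000, 0.01),
]

ASSET_VALUE = 1_000_000   # constructed: value of the system to be protected
THREAT = 0.8              # constructed: yearly likelihood that an attack is attempted

def cost_table(levels=LEVELS, value=ASSET_VALUE, threat=THREAT):
    """Per level: (name, cost of measures, expected cost of incidents,
    overall cost). Costs are rounded to whole currency units."""
    rows = []
    for name, measures, vuln in levels:
        incidents = round(risk(value, threat, vuln))
        rows.append((name, measures, incidents, measures + incidents))
    return rows

def optimal_level(levels=LEVELS, value=ASSET_VALUE, threat=THREAT):
    """The level with the lowest overall cost, i.e. the minimum of the
    overall-cost curve in the slide's graph."""
    return min(cost_table(levels, value, threat), key=lambda row: row[3])

if __name__ == "__main__":
    for name, measures, incidents, overall in cost_table():
        print(f"{name:14s} measures {measures:>8,}  incidents {incidents:>8,}  overall {overall:>8,}")
    print("optimum:", optimal_level()[0])
```

With these constructed numbers the curves behave as in the graph: incident cost falls from 720'000 to 8'000 as protection increases, measure cost rises from 0 to 700'000, and the overall cost bottoms out at the "hardened" level (280'000); spending more on measures beyond that point costs more than the incidents it prevents.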

Page 10: Internet Security 1  ( IntSi1 )

Internet Security 1 (IntSi1)

1.3 Security Threats

Page 11: Internet Security 1  ( IntSi1 )

Vandals, Script Kiddies, Thieves and Spies

[Figure: attacker types plotted by Motivation (Curiosity, Personal Ego, Personal Profit, National Interest) against Expertise and Resources; types shown: Script Kiddy, Vandal, Trespasser, Hacker / Expert, Author, Thief, Professional, Spy]

Page 12: Internet Security 1  ( IntSi1 )

Attack Sophistication vs. Intruder Knowledge

[Figure: timeline 1980, 1985, 1990, 1995, 2000; vertical axis Low to High; curves: Intruders' Technical Knowledge, Attack Sophistication]

Attacks and tools placed along the timeline: password guessing, self-replicating code, password cracking, exploiting known vulnerabilities, disabling audits, back doors, hijacking sessions, sweepers, sniffers, packet spoofing, GUI, automated probes/scans, www attacks, denial of service, "stealth" / advanced scanning techniques, distributed attack tools, cross site scripting, burglaries, network mgmt. diagnostics

Tools: Staged, Auto Coordinated

Page 13: Internet Security 1  ( IntSi1 )

Vandalism - Web Defacing

Page 14: Internet Security 1  ( IntSi1 )

Vandalism - Web Defacing

Page 15: Internet Security 1  ( IntSi1 )

Internet Security Threat Situation in 2010

Source: Symantec

Page 16: Internet Security 1  ( IntSi1 )

Internet Security Threat Situation in 2010

Source: Symantec

Page 17: Internet Security 1  ( IntSi1 )

Trojan Horse hidden in Android App

Source: Symantec

Page 18: Internet Security 1  ( IntSi1 )

The Year 2010 in Numbers

Source: Symantec

Page 19: Internet Security 1  ( IntSi1 )

Global Threat Situation Today

Source: Symantec

• New malicious code threats

Page 20: Internet Security 1  ( IntSi1 )

Global Threat Situation Today

• Top Web-based attacks

Source: Symantec

Page 21: Internet Security 1  ( IntSi1 )

Global Threat Situation Today

• Web browser plugin vulnerabilities

Source: Symantec

Page 22: Internet Security 1  ( IntSi1 )

Global Threat Situation Today

• Malicious activity by country

Source: Symantec

Page 23: Internet Security 1  ( IntSi1 )

Global Threat Situation Today

Source: Symantec

Page 24: Internet Security 1  ( IntSi1 )

The Underground Economy

January 2010: fraud of 1600 $

Source: Symantec

• Goods and services available for sale in the underground economy

Page 25: Internet Security 1  ( IntSi1 )

Denial of Service Attacks

• A Denial of Service (DoS) attack against a computer system makes the service unavailable to legitimate users.

• DoS is usually attempted by consuming CPU time, memory or network bandwidth of the target system or network.

• The original DoS attacks usually exploited bugs in a target platform
  • e.g. by sending malformed packets to a host (Ping of Death, Winnuke) in order to crash the system.

• Other classic DoS attacks
  • SYN flood: send TCP connection requests with spoofed source IP addresses quickly, causing the server to reach its maximum number of half-open connections (countermeasure: SYN cookies)
  • Smurf attack: send ICMP ping requests to an IP broadcast address using the IP source address of the target, which then receives all ICMP ping replies.

• Today, assuming correctly configured hosts and networks, the threat from a single host to bring down a server is rather small.
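The countermeasure named for the SYN flood, SYN cookies, works by keeping no half-open connection state at all: the server encodes everything it needs into its own initial sequence number and verifies it when the final ACK arrives. The following is an added illustration, not code from the slides or from any operating system. It follows the classic layout (a few bits of time counter, a few bits of MSS index, a 24-bit MAC) but the field widths, the MSS table, the tick length and the use of HMAC-SHA256 are choices made here; the addresses and secret are constructed.

```python
# Added example (not from the slides): a simplified SYN cookie, the stateless
# defence against SYN floods. Field layout, MSS table and MAC are choices made
# here for illustration; a real TCP stack differs in detail.
import hashlib
import hmac
import time

MSS_TABLE = (536, 1300, 1440, 1460)   # MSS values encodable in the 3-bit index
COOKIE_LIFETIME = 2                   # cookie accepted for this many counter ticks
TICK_SECONDS = 64                     # length of one counter tick

def current_count(now=None):
    """Slowly increasing counter; only its low 5 bits travel in the cookie."""
    return int(time.time() if now is None else now) // TICK_SECONDS

def _mac24(secret, saddr, daddr, sport, dport, count, client_isn):
    """24-bit keyed MAC binding the cookie to the connection 4-tuple,
    the full counter value and the client's initial sequence number."""
    msg = f"{saddr}|{daddr}|{sport}|{dport}|{count}|{client_isn}".encode()
    return int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:3], "big")

def make_syn_cookie(secret, saddr, daddr, sport, dport, client_isn, mss, count):
    """Server ISN for the SYN-ACK. Nothing is stored on the server: the
    cookie carries the counter, the MSS index and the MAC itself."""
    idx = max((i for i, m in enumerate(MSS_TABLE) if m <= mss), default=0)
    mac = _mac24(secret, saddr, daddr, sport, dport, count, client_isn)
    return ((count & 0x1F) << 27) | (idx << 24) | mac

def check_syn_cookie(secret, saddr, daddr, sport, dport, client_isn, ack, now_count):
    """Validate the handshake's final ACK (client_isn = its sequence number
    minus one). Returns the MSS to use, or None if the cookie is forged,
    belongs to another connection, or has expired."""
    cookie = (ack - 1) & 0xFFFFFFFF            # the client acknowledges our ISN + 1
    age = (now_count - (cookie >> 27)) & 0x1F  # ticks since issue, modulo 32
    if age > COOKIE_LIFETIME:
        return None
    count = now_count - age                    # reconstruct the full counter value
    if (cookie & 0xFFFFFF) != _mac24(secret, saddr, daddr, sport, dport, count, client_isn):
        return None
    return MSS_TABLE[(cookie >> 24) & 0x7]

def handshake_demo():
    """Constructed handshake: one legitimate completion, one ACK with a
    tampered cookie, one ACK that arrives after the cookie expired."""
    secret = b"constructed-server-secret"
    server, client = ("203.0.113.10", 80), ("198.51.100.7", 40000)
    client_isn, t0 = 0x12345678, 1000
    cookie = make_syn_cookie(secret, client[0], server[0], client[1], server[1],
                             client_isn, 1460, t0)
    conn = (secret, client[0], server[0], client[1], server[1], client_isn)
    return {
        "legit":  check_syn_cookie(*conn, (cookie + 1) & 0xFFFFFFFF, t0 + 1),
        "forged": check_syn_cookie(*conn, ((cookie ^ 0x1) + 1) & 0xFFFFFFFF, t0 + 1),
        "stale":  check_syn_cookie(*conn, (cookie + 1) & 0xFFFFFFFF, t0 + COOKIE_LIFETIME + 1),
    }

if __name__ == "__main__":
    print(handshake_demo())   # legit -> 1460, forged -> None, stale -> None
```

A flood of SYNs with spoofed sources now costs the server only a SYN-ACK per packet and no table entry, so the "maximum number of half-open connections" the slide mentions is never reached. The price is visible in the code: only the MSS survives in the cookie, so other TCP options negotiated in the SYN are lost, which is why real stacks enable cookies only once the backlog fills rather than permanently.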

Page 26: Internet Security 1  ( IntSi1 )

Denial of Service – Ping Attack with IP Spoofing

[Figure: Attacker (Internet) sends pings to the broadcast address of the Corporate Network, behind a Firewall, with the spoofed source address of the Victim]
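Seen from the firewall in the figure, the attack has two observable features: echo requests addressed to a subnet broadcast address (the corporate network would act as the amplifier), and packets arriving from the Internet side that carry one of the network's own addresses as source (a spoofed source, meaning the victim is inside). The following checks, run over constructed packet summaries, are an added example and not part of the slides; the address ranges and the packet records are constructed.

```python
# Added example (not from the slides): firewall-side checks for the smurf-style
# attack in the figure, run over constructed packet summaries.
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed corporate address space behind the firewall.
CORPORATE_NETS = (
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.64/26"),
)
ICMP_ECHO_REQUEST = 8

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                      # "icmp", "tcp" or "udp"
    icmp_type: Optional[int] = None
    inbound: bool = True            # True: arrives from the Internet side

def classify(pkt, nets=CORPORATE_NETS):
    """Findings for one packet; an empty list means nothing suspicious."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    findings = []
    if pkt.inbound and any(src in n for n in nets):
        # Our own address arriving from outside: spoofed (ingress filtering, BCP 38).
        findings.append("spoofed-internal-source")
    if (pkt.proto == "icmp" and pkt.icmp_type == ICMP_ECHO_REQUEST
            and any(dst == n.broadcast_address for n in nets)):
        # Echo request to a directed broadcast address: amplifier abuse.
        findings.append("directed-broadcast-echo")
    return findings

def amplification_factor(dst, nets=CORPORATE_NETS):
    """Worst-case number of replies one echo request to dst can trigger:
    every host on the subnet answers a broadcast ping."""
    d = ipaddress.ip_address(dst)
    for n in nets:
        if d == n.broadcast_address:
            return n.num_addresses - 2    # minus network and broadcast address
    return 1

def audit(packets):
    """Count each kind of finding over a batch of packet summaries."""
    counts = {}
    for p in packets:
        for f in classify(p):
            counts[f] = counts.get(f, 0) + 1
    return counts

# Constructed sample traffic as the firewall would summarize it.
SAMPLE = [
    Packet("203.0.113.5", "192.0.2.10", "icmp", ICMP_ECHO_REQUEST),        # ordinary ping to one host
    Packet("203.0.113.9", "192.0.2.255", "icmp", ICMP_ECHO_REQUEST),       # ping to our broadcast address
    Packet("192.0.2.77", "198.51.100.100", "icmp", ICMP_ECHO_REQUEST),     # inbound, but source is ours: spoofed
    Packet("198.51.100.70", "198.51.100.127", "icmp", ICMP_ECHO_REQUEST),  # spoofed source and broadcast target
    Packet("192.0.2.20", "203.0.113.40", "tcp", inbound=False),            # outbound web traffic, fine
]

if __name__ == "__main__":
    for p in SAMPLE:
        print(p.src, "->", p.dst, classify(p))
    print(audit(SAMPLE), "amplification for 192.0.2.255:", amplification_factor("192.0.2.255"))
```

The fix that makes the second check unnecessary is configuration, not detection: routers should not forward packets to directed broadcast addresses (on Cisco IOS the interface command is `no ip directed-broadcast`), and the firewall should drop inbound packets claiming an internal source. Both are part of the "correctly configured hosts and networks" the previous slide assumes.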

Page 27: Internet Security 1  ( IntSi1 )

Distributed Denial of Service Attacks (DDoS)

[Figure: Attacker → Handler, Handler (Control & Command) → Zombie, Zombie, Zombie, Zombie (Attack Traffic) → Target]

Available DDoS Tools: Trinoo, Tribe Flood Network, Stacheldraht

Page 28: Internet Security 1  ( IntSi1 )

Vulnerability of amazon.com’s Internet Business

● Net sales in 2Q 2011: 9’910’000’000 $US
● Lost business due to one hour off the Internet: 4’600’000 $US
● U.S. Server Outage on June 6, 2008: 2 hour downtime due to human error

Page 29: Internet Security 1  ( IntSi1 )

Novartis – a Global Player

Page 30: Internet Security 1  ( IntSi1 )

Many Hops to www.novartis.com

traceroute to www.novartis.com (164.109.68.201)
 1 edugw.zhwin.ch (160.85.160.1) Winterthur
 2 intfw.zhwin.ch (160.85.111.1)
 3 winfh1.zhwin.ch (160.85.105.1)
 4 swiEZ2-G2-9.switch.ch (130.59.36.157) Zurich
 5 swiIX1-10GE-1-1.switch.ch (130.59.36.250)
 6 zch-b1-geth3-1.telia.net (213.248.79.189)
 7 ffm-bb1-pos0-3-3.telia.net (213.248.79.185) Frankfurt
 8 prs-bb1-pos7-0-0.telia.net (213.248.64.110) Paris
 9 ldn-bb1-pos7-2-0.telia.net (213.248.64.10) London
10 nyk-bb1-pos0-2-0.telia.net (213.248.65.90) New York
11 nyk-b1-link.telia.net (213.248.82.14)
12 POS3-1.IG4.NYC4.ALTER.NET (208.192.177.29)
13 0.so-2-3-0.XL2.NYC4.ALTER.NET (152.63.19.242)
14 0.so-6-0-0.XL2.DCA6.ALTER.NET (152.63.38.74) Washington, D.C.
15 0.so-7-0-0.GW6.DCA6.ALTER.NET (152.63.41.225)
16 digex-gw.customer.alter.net (157.130.214.102)
17 gigabitethernet1-0.dca2c-fcor-rt2.netsrv.digex.net (164.109.3.10)
18 vlan28.dca2c-fdisc-sw1-msfc1.netsrv.digex.net (164.109.3.166)
19 164.109.92.14 (164.109.92.14)
20 164.109.68.201 (164.109.68.201)

Page 31: Internet Security 1  ( IntSi1 )

Emerging Challenges

• Mobile Devices
  • Loss of confidential data

• Embedded Systems
  • About 8 billion microcontrollers sold in 2006
  • Usually no or only marginal security mechanisms

• Ubiquitous (pervasive) Computing
  • RFID (profiling)

• Home Automation
  • Controllable over the Internet

Page 32: Internet Security 1  ( IntSi1 )

Stuxnet attacks Industrial Control Equipment

• Targeted at Siemens Supervisory Control and Data Acquisition systems that control and monitor specific industrial processes.

• Stuxnet includes a Programmable Logic Controller (PLC) rootkit.

• Designed by a team of 5-10 professionals and meant to sabotage the Iranian uranium enrichment facility at Natanz.

Page 33: Internet Security 1  ( IntSi1 )

Internet Security 1 (IntSi1)

1.4 Vulnerabilities

Page 34: Internet Security 1  ( IntSi1 )

Vulnerabilities and Exposures

• A universal vulnerability is a state in a computing system (or set of systems) which either:
  • allows an attacker to execute commands as another user
  • allows an attacker to access data that is contrary to the specified access restrictions for that data
  • allows an attacker to pose as another entity
  • allows an attacker to conduct a denial of service

• An exposure is a state in a computing system (or set of systems) which is not a universal vulnerability, but either:
  • allows an attacker to conduct information gathering activities
  • allows an attacker to hide activities
  • includes a capability that behaves as expected, but can be easily compromised
  • is a primary point of entry that an attacker may attempt to use to gain access to the system or data
  • is considered a problem according to some reasonable security policy

Source: www.cve.mitre.org/about/terminology.html

Page 35: Internet Security 1  ( IntSi1 )

Common Vulnerabilities and Exposures Database

Page 36: Internet Security 1  ( IntSi1 )

NIST Statistics on Vulnerabilities with High Severity

Page 37: Internet Security 1  ( IntSi1 )

Internet Security 1 (IntSi1)

1.5 Security Measures

Page 38: Internet Security 1  ( IntSi1 )

Security Measures

• Organize (Plan)
  Set up a security policy, build awareness, analyze and classify security risks, decide on and implement security measures, define responsibilities, train staff periodically.

• Protect (Do)
  Encrypt stored data and transmitted information, use authentication in order to ensure data integrity, install patches, use and periodically check data backup mechanisms.

• Filter (Do)
  Limit physical access to systems and data by using strong authentication for users and hosts. Filter traffic by using firewalls and virus scanners.

• Combine (Do)
  Combine multiple security measures (multilevel / in-depth security).

• Monitor and Control (Act)
  Detect attacks (Intrusion Detection Systems, Honey Pot), run periodic security checks (Tiger Teams), react and correct.

Page 39: Internet Security 1  ( IntSi1 )

Security Life Cycle

1: Security Policy (Why?)
2: Risk Analysis
3: Define measures
4: Implement measures
5: Control measures