ITP 457 Network Security, Joseph Greenfield
Overview
  Introduction
  Syllabus
  What are your expectations?
  Questions?
  Current affairs with Network Security
  Introduction to Network Security
Student Introductions
  Name
  Major
  Experience with Linux / Windows
My expectations
  Pre-requisites
    Basic Knowledge of Computers
    No networking experience required!!!
    We will teach you everything you need to know
  Ideally you should have taken or be currently enrolled in ITP 325 – Web Security
    We are working to remove all of the overlap between the two
My expectations
  Show up to class
  At the end of the semester, I expect you to have a good understanding of the basic principles of network security
  I don’t expect you to be experts, and I will not grade you as if you are an expert
Guest Lectures
  We are hoping to have two guest lecturers this semester.
  Attendance is absolutely mandatory.
  An absence from either lecture will result in a grade penalty of one-third (i.e. a B+ will be lowered to a B)
Brief History of the World
Course Philosophy
  “The most important step towards securing your network is trying to break into it.”
Attacks vs. Countermeasures
Course Outline
  Computer Networking Fundamentals
  Networking technologies, products, methodologies
  Hackers
  Mentality and Mindset
  Methodology
  Network Node Security
  Windows XP, 2000, and 2003
  Vista will NOT be covered
  Linux/Unix Network Security
  Perimeter Security
  Firewalls
  Intrusion Detection Systems
  Router Security
  Wireless Network Security
  Security Policy
Hacking Today
  Congressional Aide is caught trying to solicit hackers for hire (12/22/06): http://www.securityfocus.com/brief/391
  UCLA breach exposes 800,000 individuals’ personal information: http://www.securityfocus.com/brief/391
Loss due to Computer Incidents
Technologies used by companies
Overview
  What is Security?
  Why do we need Security?
  Who is vulnerable?
What is Security?
  Dictionary.com says:
  1. Freedom from risk or danger; safety.
  2. Freedom from doubt, anxiety, or fear; confidence.
  3. Something that gives or assures safety, as:
    1. A group or department of private guards: Call building security if a visitor acts suspicious.
    2. Measures adopted by a government to prevent espionage, sabotage, or attack.
    3. Measures adopted, as by a business or homeowner, to prevent a crime such as burglary or assault: Security was lax at the firm's smaller plant.
Why do we need Security?
  Protect vital information while still allowing access to those who need it
    Trade secrets, medical records, etc.
  Provide authentication and access control for resources
  Guarantee availability of resources
    Ex: 5 9’s (99.999% reliability)
Who is vulnerable?
  Financial institutions and banks
  Internet service providers
  Pharmaceutical companies
  Government and defense agencies
  Contractors to various government agencies
  Multinational corporations
  Educational Institutions
  Basically ANYONE ON A NETWORK
Who gets hacked?
  Everybody
    http://www.2600.com/hacked_pages/
  Government servers
    Swordfish – Hugh Jackman’s character hacked Department of Defense
  Banks, e-commerce sites
    Ebay!!!
  Educational institutions
    UCLA recently
    USC in the past
What is a Hacker?
  Wikipedia has three definitions:
  Hacker: Highly skilled programmer
    One who has l33t c0ding skillz
    Generally, they can get the job done when no one else can by writing “hack-job” code
    Downside – impossible to maintain without the “hacker”
  Hacker: Computer and network security expert
    One who specializes in access control mechanisms for computer and network systems
    In a sense, you are taking this class to become hackers
  Hacker: Hardware Modifier
    Not normally used anymore; they are called “modders”
What does the rest of the world think a hacker is?
  Media definition of hacker = our definition of cracker
    Someone who maliciously breaks into networks and systems for personal gain
  Crack (v) – to break into a system with malicious intent
Who are these hackers?
  Internal threats (rogue insiders)
    Bored students
    Disgruntled employees
  External threats
    Bored people (lots of them out there worldwide!), political action groups
      Example: Phil Angelides, Democratic Candidate for Governor of California http://www.theregister.co.uk/2006/09/13/schwarzenegger_audio_hack/
    crackers & hackers
    ex-employees
Levels of Hackers
  Script kiddies/Cyberpunks
    Novices
    Very little actual knowledge of what goes on behind the scenes. They simply find a cool tool on the net
    Media stereotype (pimply faced, lives in his mom’s basement, etc.)
    Sloppy, leave all sorts of digital evidence of their actions
    Most annoying and cause the most headaches
  Intermediate Hackers
    “halfway hackers”
    Know enough to cause serious damage
    Most want to be advanced (l33t), and will get there if they’re not caught
  Advanced Hackers
    Criminal Experts
    Uber/l33t hackers
    These are the authors of the hacking tools, viruses, and malware
    They know enough to hide their tracks – most of the time you won’t even know that your system has been compromised
Why Hack?
  Because they can!
  Curiosity, notoriety, fame
  Profit ($$$ or other gain)
    Hackers for Hire
    Korean National Police Agency busted the Internet’s largest known organized hacking mafia
    4,400 members!!!!!
    Sell people’s personal information on the black market
Why hack?
  Underlying the psyche of the criminal hacker is a deep sense of inferiority
    Consequently, the mastery of computer technology, or the shutdown of a major site, might give them a sense of power
    “Causing millions of dollars of damage is a real power trip”
  Hacktivism – hactivist.net
    “Free Kevin” messages that were put onto websites without the owners’ permission
  Cyberterrorists
    Crash critical systems, bring down power grids & air traffic control towers
    US fights this through the Department of Homeland Security
    Customs, FBI & CIA
Hacker Methodology
  1. Gather target information
  2. Identify services offered by target to the public (whether intentional or not)
  3. Research the discovered services for known vulnerabilities
  4. Attempt to exploit the services
  5. Utilize exploited services to gain additional privileges from the target
  6. Reiterate steps 1-5 until goals are achieved
Most notorious hacker ever was a…
  USC Student!!!
  “Hacking is a noble, honorable art” – Kevin Mitnick Interview
Dangers of Security
  Fine line between legal and illegal hacking
  No laws in place to protect hackers from technically illiterate lawyers
  Ethics
Assignment
  1. Read “Hacker Hall of Fame” http://tlc.discovery.com/convergence/hackers/bio/bio.html
  2. Visit the following websites and search for security-related articles in the past 2 weeks.
    www.cnn.com, www.news.com, www.nytimes.com and www.latimes.com