Description
Standards
Editor: Barry Leiba • barryleiba@computer.org
Aspects of Internet Security
Barry Leiba • Huawei Technologies
Internet standards development requires consideration of security issues in the
protocols. But what does “security” mean in this context? We often conflate
several different aspects into the blanket term “security.” Here, the author
looks at some of these aspects separately.
As we develop standards at the various Internet layers, we must ensure that each standard, each protocol, is secure. We
often talk about security with respect to computers and computer networks as though it were
a clearly defined, monolithic concept. It’s not;
security has several aspects, and, in differing contexts, we might refer to one aspect or
another, or some varying combination. In particular, when we develop Internet standards, we
often touch on these various aspects of Internet
security.
I like to loosely split the general topic of
security into the following subtopics:
• Availability. Is the system available when it’s
needed?
• Authentication. Who am I, and how can I prove it?
• Authorization. What am I allowed to do?
• Access control. What data am I allowed to
access, change, create, or delete?
• Confidentiality. Are communications and data
safe from unauthorized viewing?
• Integrity. Are communications and data safe
from unauthorized modification?
These aren’t absolute — you could certainly
come up with a different set or choose to add to
or remove things from the list, and some aspects
overlap. Also, not all aspects apply to all situations. Many Internet services we use don’t
need and wouldn’t benefit from authentication,
require no access control, or present no confidentiality issues. And you’ll note that “encryption” isn’t on this list — encryption isn’t security, but is rather a technology that can help establish aspects of security. We generally use encryption in authentication processes, for example, and to ensure confidentiality and integrity.
Published by the IEEE Computer Society
On the whole, it’s a good list to work from. As
we design standards, protocols, and services, we
must decide what aspects are important, and at
what level of rigor we should apply them.
Availability
To provide context for these subtopics, I’ll be
examining some of the threats Internet security mechanisms and standards try to defend
against. One threat that came up in conversation
recently was from an old New York Times editorial [1] about an investigation into overloading
telephone lines for a political purpose:
[…] the New Hampshire phone jamming case was
the real thing. Republican operatives hired an Idaho
telemarketing firm to jam the lines to prevent people
who needed help in voting from getting through. The
scheme was a direct attack on American democracy.
The scheme was also what we call a denial-of-service (DoS) attack. In a DoS attack, the attacker
demands so much service that legitimate users
have little or no opportunity to get any. The one
described in the editorial isn’t computer-related,
but DoS attacks on websites are common, a popular way for a group to try to block a website
that it doesn’t like.
We sometimes refer to distributed DoS — think about the difference between one phone calling repeatedly with the redial button, as opposed to thousands of phones each calling (distributed) — but essentially every Internet DoS attack these days is distributed, and our defenses must assume that they are, so the distinction is mostly unimportant.
1089-7801/12/$31.00 © 2012 IEEE
IEEE INTERNET COMPUTING
We can think of spam as a DoS
attack as well: if your inbox fills with
enough junk, it might be impossible
to find the real mail. Worse, spam filters, designed to defend your inbox,
might misclassify some mail as spam
and delete it. Spam isn’t generally
meant to have this effect — something
can become an unintentional DoS
attack.
Defense against DoS attacks can be difficult because determining which service requests are legitimate can be problematic. Rate-limiting and block-listing are probably the most common mechanisms. Certain Internet addresses are known to be bad, and are blocked outright — all contact from them is discarded. Other addresses can make requests, but if they make too many in too short a time, they, too, are blocked, usually for some time period, although repeat offenders might be put on a permanent block-list.
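The rate-limiting and block-listing scheme just described, as an added example that is not part of the column: a small admission gate in Python, replayed over a constructed request log. The addresses come from the RFC 5737 documentation ranges, and the thresholds and the known-bad entry are assumptions of the example.

```python
from collections import defaultdict, deque


class DosGate:
    """Admission control for one service: drop known-bad addresses outright,
    temporarily block an address that exceeds the request rate, and
    permanently block repeat offenders. Thresholds are constructed for the
    demonstration, not taken from any standard."""

    def __init__(self, known_bad=(), max_requests=3, window=10.0,
                 block_for=30.0, strikes_to_permanent=2):
        self.known_bad = set(known_bad)
        self.max_requests = max_requests        # requests allowed per window
        self.window = window                    # seconds
        self.block_for = block_for              # seconds of temporary block
        self.strikes_to_permanent = strikes_to_permanent
        self.history = defaultdict(deque)       # addr -> recent timestamps
        self.blocked_until = {}                 # addr -> expiry time
        self.strikes = defaultdict(int)
        self.permanent = set()

    def decide(self, addr, now):
        """Return 'allow' or a 'drop:<reason>' label for one request."""
        if addr in self.known_bad:
            return "drop:known-bad"
        if addr in self.permanent:
            return "drop:permanent"
        until = self.blocked_until.get(addr)
        if until is not None:
            if now < until:
                return "drop:temporary"
            del self.blocked_until[addr]        # temporary block has expired
        recent = self.history[addr]
        recent.append(now)
        while recent and now - recent[0] > self.window:
            recent.popleft()                    # forget requests outside the window
        if len(recent) > self.max_requests:
            recent.clear()
            self.strikes[addr] += 1
            if self.strikes[addr] >= self.strikes_to_permanent:
                self.permanent.add(addr)
                return "drop:permanent"
            self.blocked_until[addr] = now + self.block_for
            return "drop:rate"
        return "allow"


# Constructed request log: "<seconds> <client address> <method> <path>".
# 198.51.100.23 floods, 192.0.2.10 behaves, 203.0.113.7 is on the known-bad list.
SAMPLE_LOG = """\
0.0 198.51.100.23 GET /search
0.5 192.0.2.10 GET /search
1.0 198.51.100.23 GET /search
2.0 198.51.100.23 GET /search
3.0 198.51.100.23 GET /search
4.0 198.51.100.23 GET /search
5.0 203.0.113.7 GET /search
20.0 192.0.2.10 GET /search
40.0 198.51.100.23 GET /search
41.0 198.51.100.23 GET /search
42.0 198.51.100.23 GET /search
43.0 198.51.100.23 GET /search
100.0 198.51.100.23 GET /search
101.0 192.0.2.10 GET /search
"""


def replay(gate, log_text):
    """Feed each log line to the gate; returns [(addr, decision), ...]."""
    decisions = []
    for line in log_text.splitlines():
        seconds, addr, _method, _path = line.split()
        decisions.append((addr, gate.decide(addr, float(seconds))))
    return decisions


def summarize(decisions):
    """Count decisions per (addr, outcome) so the effect is easy to read."""
    counts = defaultdict(int)
    for addr, outcome in decisions:
        counts[(addr, outcome)] += 1
    return dict(counts)


if __name__ == "__main__":
    gate = DosGate(known_bad={"203.0.113.7"})
    for addr, outcome in replay(gate, SAMPLE_LOG):
        print(f"{addr:15} {outcome}")
```

The gate keys on the client address alone, so many legitimate users behind one NAT share a single budget; that is the "which requests are legitimate" problem the column mentions.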
Availability issues are considered in many Internet standards and
related informational documents. For
example, RFC 5782 addresses using
block lists for spam, RFC 3882 is
about preventing DoS attacks on the
Border Gateway Protocol (a protocol
for routing data on the Internet), and
RFC 4732 looks at the general issue
of denial of service on the Internet.
Authentication
Authentication is a precursor to
some of the other aspects, for reasons that we’ll see as we examine
those further. It should be obvious,
for instance, why authentication is
related to authorization and access
control. In particular, authentication mechanisms are built into many
Internet-standard protocols. As we
update these protocols, we often seek
to add new mechanisms that are
more secure.
Everyone reading this is familiar
with the authentication mechanism
we started out with: some sort of
user identifier (name, account number, serial number) and password. It
served us well over the years, but
isn’t a very secure system, for several reasons. For one thing, people
don’t choose good passwords. If
they’re made to use good passwords,
they record them in inappropriate
places. Even what seem like good
passwords often don’t have enough
unpredictability. And the password
authentication systems themselves
expose passwords to attack.
We can broadly divide what authentication mechanisms use into three categories: what you know, what you have, and what you are. When you log into webmail, Flickr, MySpace, online banking, or online access to your credit-card account, the authentication mechanism you use employs what you know. Most what-you-know mechanisms are variations on the user ID/password combination, and all of them share the weaknesses I’ve described previously. The other mechanisms can help fix some of these deficiencies, especially when used in combination with passwords.
The most well-known combinations are point-of-sale credit-card purchases, where you sign the credit slip, and ATM transactions, where you enter a PIN. The former combines what you have (the credit card) and what you are (your signature). The latter combines what you have (the ATM card) and what you know (your PIN).
Another what-you-have mechanism is the SecurID device, which gives you a generated code that you can get only if you have the device with you.
Other what-you-are mechanisms use fingerprints, retina scans, and voice or handwriting analysis — collectively, biometric mechanisms. The most secure authentication systems combine multiple biometric mechanisms with an identification card and password, with all authentication information transferred securely. This makes a system that’s pretty hard to break. Of course, it also makes one that can be pretty cumbersome to use. Biometrics are also subject to some serious limitations. If someone can spoof your left thumbprint, for example, you aren’t really in a position to change it. And when you’re ill, your voice-print might not be particularly useful.
Note, finally, that some people
are reluctant to use systems that
go beyond what you know, because
carrying the what-you-have card or
device is burdensome (what happens
if you lose it or leave it at home when
you’re traveling?), and biometric
readers can be expensive. But also,
you might sometimes wish to let an
assistant or some other delegate act
on your behalf, and it’s easy to give
the delegate your password — but
much harder to “lend” them your
retina.
JULY/AUGUST 2012
The answer to this is to understand the difference between impersonation and delegation, which goes
beyond authentication and into the
next two aspects, authorization and
access control. The right way to handle delegation is to have the delegate
authenticate with his or her own
identity, and then be authorized to
act on your behalf and receive access
to the necessary information and
resources. You should never allow
another person to act on your behalf
by impersonating you — there’s no
accountability in that.
Authorization and
Access Control
I group these two together because
they both deal with what the entity
you authenticated as can do once
you’ve logged in. I consider them
separate aspects, however, because
different mechanisms usually control each.
When I talk about authorization,
I’m usually referring to actions that
an authenticated user can take. Can
you start and stop services, such as a
Web server or a file transfer server?
Can you shut the computer down?
Can you add and remove users from
a multiuser system? Can you send
mail, install programs, change the
system time, or set a computer’s various other operational aspects?
Access control refers not to
actions but to access to data. What
files can you read? Can you create
new files? What files can you modify
or delete?
We’ll collectively call what you’re
authorized to do and what access
you’re allowed privileges. Many computer systems, particularly those set
up for use by more than one person,
have two kinds of users: administrators and normal users. The former can
do anything, and can get full access
to all files. The latter are restricted in
what they can do. On Windows systems prior to Vista, the lone user is
generally set up as an administrator.
Those who try to do otherwise often
run into difficulty because software
(non-Windows software, that is —
applications) assumes that the user’s
privileges aren’t restricted. On MacOS,
certain actions (such as updating the
OS) and access to some files require
that an administrator password be
entered, essentially re-authenticating
the user as an administrator. And for
some things on MacOS, as on Linux,
you must explicitly authenticate as
the “root” user.
On the Internet, too, there are
privileges. By logging into my Gmail
account on my Web browser, I may
send, read, and delete mail; manage
my contacts; post to my blog and edit
and delete blog posts; and send and
receive instant messages. I can post
comments to other blogs that use
Blogger, and I can later delete those
comments, but not other users’ comments. On my own blog, I can delete
anyone’s comments, because I have
that access. By using other authentication, I can access my credit cards,
bank accounts, airline frequent-flier
programs, and so on.
Clearly, we must have restrictions on privileges over the Internet, but why should I want to limit
my privileges on my own computer?
Well, anyone who’s made a mistake
and deleted something accidentally,
or gotten their computer infected
with a virus while surfing the Web,
should understand: if you don’t have
privileges that you don’t need right
now, you can’t accidentally use those
privileges to hurt yourself (well, to
hurt your computer).
A rule of thumb called the least-privilege principle says that you
should never be operating with more
privileges than you need at the time.
Most of us go around creating, modifying, and deleting personal files
constantly, so we normally want
such access. But how often do we
need to delete files in the Windows
directory, or in the System directory
on MacOS? Seldom. And so we’d like
to avoid having that access unless
we specifically ask for it.
And now we get back to something I said at the end of the authentication section: that authentication
should be separate from authorization and access control. The right way
to run a computer system is to have
me authenticate as Barry, and then
have privileges set up for what Barry
can do and access. This provides
auditability and accountability. If I
want someone to be able to post to
my blog and moderate comments
in my absence, rather than giving
him my Gmail password, allowing
him to act as me in all ways (such as
reading my mail, too), I should make
sure he has his own blog account,
and then give that account the privileges needed to manage my blog —
but not my email.
Internet standards, too, often have delegation built into the protocols. For example, the Salted Challenge Response Authentication Mechanism (SCRAM; RFC 5802) allows for separate authentication identity and authorization identity, which allows delegation from the latter to the former.
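As an added example that is not drawn from the column or from RFC 5802's own text, the following Python carries out the SCRAM-SHA-256 exchange (RFC 5802 with the SHA-256 variant of RFC 7677) for a client that authenticates as one identity and asks, through the "a=" authzid in the GS2 header, to act as another; the server then applies a delegation check before accepting. The delegation table, the absence of channel binding, the unescaped user names and the skipped SASLprep step are assumptions of this example.

```python
import base64
import hashlib
import hmac
import secrets
class ScramError(Exception): pass
class AuthenticationError(ScramError): pass
class AuthorizationError(ScramError): pass

def _b64(raw):
    return base64.b64encode(raw).decode()
def _hmac(key, msg):
    return hmac.new(key, msg, hashlib.sha256).digest()
def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))
def _attrs(msg):
    # "k=v,k=v" -> {k: v}; base64 values may themselves contain '='.
    return dict(part.split("=", 1) for part in msg.split(","))
def make_credentials(password, iterations=4096):
    """Server-side record from RFC 5802 section 3 (SASLprep skipped here)."""
    salt = secrets.token_bytes(16)
    salted = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    client_key = _hmac(salted, b"Client Key")
    return {"salt": salt, "i": iterations, "server_key": _hmac(salted, b"Server Key"),
            "stored_key": hashlib.sha256(client_key).digest()}

class ScramClient:
    def __init__(self, authn_user, password, authz_user=None):
        # Assumption: names contain no ',' or '=' (no saslname escaping needed).
        self.password = password.encode()
        self.nonce = secrets.token_urlsafe(18)
        # GS2 header: "n" = no channel binding, then the optional "a=" authzid.
        self.gs2_header = "n," + (f"a={authz_user}" if authz_user else "") + ","
        self.bare = f"n={authn_user},r={self.nonce}"

    def first(self):
        return self.gs2_header + self.bare

    def final(self, server_first):
        a = _attrs(server_first)
        if not a["r"].startswith(self.nonce):
            raise ScramError("server nonce does not extend client nonce")
        salted = hashlib.pbkdf2_hmac("sha256", self.password, base64.b64decode(a["s"]), int(a["i"]))
        client_key = _hmac(salted, b"Client Key")
        without_proof = f"c={_b64(self.gs2_header.encode())},r={a['r']}"
        auth_message = f"{self.bare},{server_first},{without_proof}".encode()
        # ClientProof = ClientKey XOR HMAC(StoredKey, AuthMessage)
        proof = _xor(client_key, _hmac(hashlib.sha256(client_key).digest(), auth_message))
        self.expected_server_sig = _hmac(_hmac(salted, b"Server Key"), auth_message)
        return f"{without_proof},p={_b64(proof)}"

class ScramServer:
    """One session. `delegations` maps an authentication identity to the set of
    authorization identities it may act as (an assumed policy table, not RFC 5802)."""
    def __init__(self, credentials, delegations):
        self.credentials, self.delegations = credentials, delegations

    def first(self, client_first):
        flag, authzid, self.bare = client_first.split(",", 2)
        if flag != "n":
            raise ScramError("channel binding not supported in this example")
        self.gs2_header = f"{flag},{authzid},"
        a = _attrs(self.bare)
        self.user = a["n"]                                  # who is proving identity
        self.authz = authzid[2:] if authzid else self.user  # who they want to act as
        if self.user not in self.credentials:
            raise AuthenticationError("unknown user")
        self.cred = self.credentials[self.user]
        self.nonce = a["r"] + secrets.token_urlsafe(18)
        self.server_first = f"r={self.nonce},s={_b64(self.cred['salt'])},i={self.cred['i']}"
        return self.server_first

    def final(self, client_final):
        a = _attrs(client_final)
        if a["c"] != _b64(self.gs2_header.encode()) or a["r"] != self.nonce:
            raise ScramError("channel-binding or nonce mismatch")
        without_proof = client_final.rsplit(",p=", 1)[0]
        auth_message = f"{self.bare},{self.server_first},{without_proof}".encode()
        client_key = _xor(base64.b64decode(a["p"]), _hmac(self.cred["stored_key"], auth_message))
        # Authentication: the recovered ClientKey must hash to the StoredKey.
        if not hmac.compare_digest(hashlib.sha256(client_key).digest(), self.cred["stored_key"]):
            raise AuthenticationError("bad password")
        # Authorization: may the authenticated identity act as the requested one?
        if self.authz != self.user and self.authz not in self.delegations.get(self.user, ()):
            raise AuthorizationError(f"{self.user} may not act as {self.authz}")
        return f"v={_b64(_hmac(self.cred['server_key'], auth_message))}"

def exchange_outcome(client, server):
    """Run all four messages; label which stage, if any, rejected the client."""
    try:
        server_final = server.final(client.final(server.first(client.first())))
    except AuthenticationError:
        return "denied:authentication"
    except AuthorizationError:
        return "denied:authorization"
    got = base64.b64decode(_attrs(server_final)["v"])
    if not hmac.compare_digest(got, client.expected_server_sig):
        return "denied:server-signature"
    return f"granted:{server.authz}"
```

The delegate authenticates with their own credentials and is then granted only the authorization identity the table allows, which is the accountability the column asks for.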
Confidentiality and Integrity
Like authentication and access control, confidentiality and integrity are
closely related: both deal with situations in which an attacker gets in the
middle of the data stream. In the first
case, the attacker is just snooping; in
the second, the attacker is trying to
modify or replace the data. These
attacks are similar but have different
characteristics and consequences.
Note that I’m talking, here, about the
confidentiality and integrity of data
flowing through the system. Once
the information is stored somewhere,
a largely different set of threats and
defenses are in play.
When you send a password, credit-card number, or other personal information over a computer network — and especially over an open network such as the Internet — someone might be “listening in.”
We think of information being sent
from one computer to another, but it
doesn’t happen quite that way. Networks are segmented to a significant degree, but at some level, your
data goes out to a set of computers,
with a specific computer’s address
attached to it, and the other computers all ignore those data packets that
aren’t addressed to them. Imagine
if you received your postal mail by
having the whole pile for your street
left at the door of the first house,
with each house’s occupant looking
through the envelopes and keeping
only those meant for him or her, then
giving the rest of the pile to the next
house. What happens on the Internet
is something like this.
In this situation, someone could
choose to keep a piece of mail meant
for someone else, or could open one
and read it before passing it on. The
same is true with the Internet: a
computer could be programmed to
look at and record data intended for
other systems.
The most common way to avoid
this is to use data encryption, which
can happen at the network layer,
using IPsec (RFC 4301), on top of
the transport layer, using TLS (RFC
5246) or SSL, or at the application
layer, using standards such as S/MIME
for email (RFC 5751).
When you visit a website whose
URL begins with https://, your communication with that website is
encrypted using TLS or SSL. The
Web browser ensures that the computer you’re talking to has security
credentials that match the address in
the URL, then negotiates encrypted
communication. A computer program
can still peek at and record the data
packets — but a snooper won’t be able
to decipher the data, which will thus
be useless. Similarly, if a snooper
should try to replace or modify the
data you’re sending — say, to change
a $20 payment to $2,000 — encrypted
communication would prevent the
attacker from being able to modify the encrypted information in a
valid way.
Encrypting an entire communication, however, has been fairly
expensive in the past, slowing down
the communication. Encrypting the
information you get from Wikipedia
or the New York Times is fairly unnecessary, so to speed things up, we don’t
encrypt everything on the Internet.
This is, however, changing, as computing speeds have increased to the
point where Web traffic encryption is
no longer a performance issue.
Sometimes, though, it’s not important to protect information from
prying eyes, and the likelihood of its
being altered by an attacker is small —
but it’s important enough that we
want to know if it’s been altered. In
such cases, we don’t need to prevent
the alteration, but we do need to
detect it. For that, we can use digital
signatures.
A detailed explanation of digital signatures goes beyond this column’s scope. The short version is
that they provide a mechanism for
ensuring that the person we think
sent information is actually the person who sent it, and that it wasn’t
altered along the way. Otherwise, we
know something is wrong — we don’t
know how to correct it, but we know
to ignore the faulty data.
Of course, all discussion of
encryption and digital signatures
here assumes that the encryption
technology and algorithms used
are current and sufficiently strong,
and are used properly. This is usually the case, but weak and compromised algorithms are still used
on the Internet surprisingly often.
As developers of Internet standards,
we often update the standards to
deprecate the older algorithms and
replace them with stronger ones.
Still, it takes time for deployed software to catch up. As a user, your best
defense is to make sure you’re using
a current Web browser (and other
software, such as mobile apps), and
that you’re keeping the browser and
the operating system updated regularly. Current versions of Firefox,
Internet Explorer, and Chrome no
longer support older, flawed versions of SSL, or they have those old
versions disabled by default. So stay
up to date.
Standards development organizations have shown increasing
awareness of the need to think about
security at every stage of development, and to consider what aspects
are needed for the protocols and use
cases they’re developing. The IETF, for
example, has an organizational area
devoted to security, and every document must have a Security Considerations section that describes what the
issues are for that document. ATIS has
started a focus group on cybersecurity.
And, of course, the IEEE’s Standards
Association includes security review
for appropriate standards.
Reference
1. “The New Hampshire Phone Scam,” New York Times, 17 Sept. 2007; www.nytimes.com/2007/09/17/opinion/17mon3.html.
Barry Leiba is a standards manager at Huawei Technologies. He currently focuses
on the Internet of Things, messaging and
collaboration on mobile platforms, security and privacy of Internet applications,
and Internet standards development and
deployment. Leiba has been active in the
IETF for roughly 15 years, is an author
of several current and pending proposed
standards, has chaired numerous working groups, served on the Internet Architecture Board from 2007 to 2009, and is
currently serving as Applications Area
Director. He edits this column, and can
be reached at barryleiba@computer.org.
EEL 4935: Spring 2021
Homework 1
Questions
1. Define the terms authentication, confidentiality, integrity, and availability.
2. Describe the following terms used for attackers:
• Black hat hacker
• White hat hacker
• Gray hat hacker
3. Research and give a practical example of the first step of the kill chain.
4. An organization that purchased security products from different vendors is
demonstrating which security principle? Explain.
a. obscurity
b. diversity
c. limiting
d. layering
5. Consider an automated teller machine (ATM) in which users provide a personal
identification number (PIN) and a card for account access. Give examples of
confidentiality, integrity, and availability requirements associated with the system. In
each case, indicate the degree of importance of the requirement.
6. Read the article “Aspects of Internet Security.” Compose a paper of no more than 2
pages that summarizes the key concepts that emerge from the paper.
Objectives
• Define malware and payloads
• List the types of malware
• Describe the types of social engineering psychological attacks
• Explain physical social engineering attacks
Malware
• Generic term for software that has a malicious purpose
Signature
• A malware signature is a continuous sequence of bytes (common for a certain malware sample)
• It’s contained within the malware or the infected file and not in unaffected files
Malware Classification Based on Traits
• Circulation
Primary trait of spreading rapidly (e.g., viruses, worms, Trojans)
• Infection
Primary trait of “infect/embed” into the system; some attach
themselves to a legit program (virus), others function as stand-alone
(Trojan)
• Concealment
Primary trait of avoiding detection by concealing its presence from
scanners (e.g., rootkit)
• Payload capability
When payload capability is the primary malware focus. Payload
carries the destructive capabilities of the malware (collect data, delete
data, modify security settings, launch attacks)
Malware Classification Based on Mutation
Malware mutates to attempt to evade pattern matching
• Oligomorphic malware
Changes its internal code to one of a set number of predefined
mutations whenever executed
• Polymorphic malware
Changes from its original form whenever it is executed. E.g.,
encrypted payload; when ready, it decrypts the payload
• Metamorphic malware
Can actually rewrite its own code and thus appears different each time
it is executed (adding useless loops, instructions, etc.)
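As an added example that is not from the slides, the following Python scans constructed sample files for a byte signature as the Signature slide describes, then adds an entropy heuristic that flags the kind of encrypted payload the polymorphic-malware bullet mentions, which a fixed byte signature cannot match. The marker string, the sample files, the window size and the threshold are all constructed for this demonstration.

```python
import math
import random

# Constructed marker standing in for a byte signature; not a real signature.
SIGNATURES = {"Marker.A": b"EXAMPLE-MARKER-SEQUENCE-0001"}


def scan_signatures(data, signatures=SIGNATURES):
    """Return (name, offset) for every signature byte sequence found in data."""
    hits = []
    for name, sig in signatures.items():
        start = 0
        while (pos := data.find(sig, start)) != -1:
            hits.append((name, pos))
            start = pos + 1
    return hits


def shannon_entropy(chunk):
    """Bits per byte of a chunk; 8.0 means every byte value is equally frequent."""
    if not chunk:
        return 0.0
    counts = [0] * 256
    for b in chunk:
        counts[b] += 1
    n = len(chunk)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def high_entropy_regions(data, window=256, stride=64, threshold=6.5):
    """Offsets of windows whose entropy is consistent with encrypted or
    compressed content; plain program text and ASCII stay well below 6.5."""
    last = max(len(data) - window, 0)
    return [off for off in range(0, last + 1, stride)
            if shannon_entropy(data[off:off + window]) >= threshold]


def classify(data):
    """Signature match first; otherwise fall back to the entropy heuristic."""
    if scan_signatures(data):
        return "known-signature"
    if high_entropy_regions(data):
        return "suspicious-high-entropy"
    return "clean"


# --- constructed sample files ---------------------------------------------
CLEAN_FILE = b"This is an ordinary program text segment. " * 40

# Same program with the marker embedded in the clear: the static scan catches it.
INFECTED_FILE = CLEAN_FILE + SIGNATURES["Marker.A"] + CLEAN_FILE[:100]


def _scrambled_payload(seed=7):
    """Stand-in for an encrypted payload: two shuffled permutations of all
    256 byte values, so any 256-byte window inside it has entropy >= 7.0."""
    rng = random.Random(seed)
    out = bytearray()
    for _ in range(2):
        block = list(range(256))
        rng.shuffle(block)
        out += bytes(block)
    return bytes(out)


# Polymorphic variant: the marker is not present in the clear, so the signature
# misses it, but the encrypted region stands out by entropy.
POLYMORPHIC_FILE = CLEAN_FILE + _scrambled_payload() + CLEAN_FILE[:100]


if __name__ == "__main__":
    for label, blob in [("clean", CLEAN_FILE), ("infected", INFECTED_FILE),
                        ("polymorphic", POLYMORPHIC_FILE)]:
        print(f"{label:12} -> {classify(blob)}")
```

The entropy check is a heuristic, not a detection: compressed archives and legitimately encrypted data trigger it too, which is why scanners pair it with other evidence.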
Virus
• Symantec:
“a small program that
replicates and hides itself inside other
programs”
• Keywords: replicate, spread on the same
computer
• Relies on user action to spread to other
computers (e.g., email)
• Two “carriers”: program it attaches to, and
human (to transport to other computers)
• Actions
• Crash computers, erase files, reformat hard
drive
• Turn off computer’s security settings
• Spread to another file on same computer
Virus – Swiss Cheese Infection
• Instead of having a single “jump” instruction to the “plain” virus code, some viruses perform two actions
• Encrypt the virus code to make it more difficult to detect
• Then divide the engine that “unscrambles” (decrypts) the virus code, the decryptor, into different pieces and inject the pieces throughout the infected program code
• When the program is launched, the different pieces are then tied together and unscramble (decrypt) the virus code
Virus – Split infection
• Instead of inserting pieces of the decryptor throughout the
program code, some viruses split the malicious code
• These parts are placed at random positions throughout the
program code
Worm ~ Network Virus
• Executes arbitrary code and installs copies of itself in the memory of the computer system
• Spreads across the network
• Slows down networks
• Most often used to create a backdoor to the infected host or to create a DoS
Worm
• Worms are responsible for some of the most devastating
attacks on the Internet
• In 2001, Code Red worm infected 658 servers. Within 19
hours, the worm had infected over 300,000 servers
Trojan Horse
• Term originated from Greek mythology
• Greek warriors offered the people of Troy (Trojans) a giant hollow
horse
• The Trojans brought the giant horse into their walled city
• After most Trojans were asleep, Greek warriors burst out of the horse
Trojan Horse
• An electronic Trojan horse appears to be legit software
• Once inside, it secretly downloads malware
• User downloads “free calendar program”
• Program scans system for credit card numbers and passwords
• Transmits information to attacker through network
• Trojan vs. virus
• Virus infects system without user’s knowledge
• Trojan is installed with user’s knowledge but conceals malicious payload
Trojan Horse
• Remote-access Trojan horse
Enables unauthorized remote access
• Data-sending Trojan horse
Provides the attacker with sensitive data, such as passwords
• Destructive Trojan horse
Corrupts or deletes files
• Proxy Trojan horse
Uses victim’s computer as source device to perform illegal activities
• FTP Trojan horse
Enables unauthorized file transfer services on end devices
• Security-software disabler Trojan horse
Stops antivirus programs or firewalls from functioning
Viruses, Worms, and Trojans
• Differences
Spyware
• Secretly spies on users by collecting their information
• E.g., keylogger
• Records your keystrokes
• Takes periodic screenshots of your computer
• Data sent immediately or stored for later retrieval by the attacker
• Can also make screen captures or silently turn on web
camera
Other Malware
• Logic bomb
Lays dormant until some logical condition is met; software does malicious
act (delete files, alter configuration, release virus)
• Ransomware
Denies access to infected computer and demands a paid ransom
• Adware
Displays annoying pop-ups to generate revenue for its author; analyzes user
interests by tracking websites visited
• Phishing
Attempts to convince people to provide sensitive information; e.g., receiving
an email from the bank asking for password
• Rootkits
Installed on a compromised system; hide the intrusion and maintain privileged access for the hacker
Other Malware
• A rootkit removes all traces of evidence that may reveal the malware, such as log entries
• One approach is to alter OS files with modified versions
• Modified files are designed to ignore malicious evidence
• Rootkit will replace OS’s files with rootkit’s own files
• Scanning software assumes OS will willingly carry out
those instructions and retrieve all files; it does not know
that the computer is providing files approved by rootkit
Other Malware
• Logic bomb examples
Backdoor
• A backdoor gives access to a computer, program, or
service that circumvents any normal security protections
• Backdoors that are installed on a computer allow the
attacker to return at a later time and bypass security
settings
Zombies and Botnets
• Zombie ~ robot (bot); botnet ~ multiple zombies
• Bot herder controls botnet
• Command and control (C&C or C2) are instructions from
bot herder/s regarding which computers to attack
• Communication protocol can be HTTP
Social Engineering
• Technology is not always needed for attacks on IT
• Social engineering is a means of gathering information for
an attack by relying on weaknesses of individuals
Social Engineering
• Impersonation
Masquerade as a real or fictitious character, play out the role of that
person on a victim (IT support, manager, trusted third party)
Social Engineering
• Phishing
Fraudulent attempt to obtain sensitive information; e.g., sending
emails claiming to be from legitimate source, trick user into giving
private info: password, credit card number, etc.
Variation of phishing attacks
• Spear phishing: targets only specific users; emails are customized
• Whaling: spear phishing targeting “big fish” (wealthy individuals)
• Pharming: automatically redirects the user to the fake site
• Vishing: Instead of using email to contact the potential victim, a phone
call can be used instead (voice phishing)
Module Activities
• CSSIA Lab 09: Analyze and Differentiate Types of Malware
• Assignment Module 2
Module Activities
• Main idea of Lab 09
[Figure: Lab 09 topology showing an attacker host on the Internet, a firewall and/or other security appliance, and a Windows victim on the protected network; the addresses 192.168.100.5 and 192.168.100.3 label the two hosts.]
Objectives
• Describe the challenges of securing information
• Define information security and explain why it is important
• Identify the types of attackers that are common today
• List the basic steps of an attack
• Describe the five basic principles of defense
Challenges of Securing Information
• Widespread attacks on desktops, laptops, smartphones, tablets, servers, etc.
• Information security is focused on protecting electronic information of organizations and users
Needs for Information Security Personnel
• Chief Information Security Officer
Assessing, managing, implementing security;
may be primary author of security policies
• Security manager
Supervises technicians, admins, security staff
• Security administrator
Manages daily security operations
• Security technician
Provides technical support, configures security hardware, implements security software, troubleshoots problems
Information Security Employment
• Security is rarely offshored or outsourced
• Job outlook is exceptionally strong
• U.S. Bureau of Labor Statistics (BLS)
• “Occupational Outlook Handbook” indicates job outlook for
information security analysts through end of decade expected to
grow by more than 25%, much faster than average
(https://www.bls.gov/emp/ep_table_102.htm)
E.g., jobs.lanl.gov
Today’s Security Attacks
• Balances manipulated on prepaid debit cards (intrusion)
• Twitter accounts exploited
• ATM malware
• Aircraft manipulation
• Computer cluster for cracking passwords
• Electronic data records stolen
Equifax Case
• Equifax was alerted in March to the software security vulnerability that led to hackers obtaining personal information of more than 140 million Americans but took months to patch it
• Website offers customers an interactive user experience, allowing them to input data and receive responses
• Customers interact with a web application that uses a potentially vulnerable plug-in
• A plug-in is a software component that adds a specific feature to a program
Difficulties in Defending
Understanding Security
• Security can be defined as a process (how to achieve
security) or as a goal (what it means to have security)
• Maybe both? The goal to be free from danger as well as
the process to achieve that freedom
• Security is the necessary steps to protect a person or
property from harm
Goal of Information Security
• Ensure that protective measures are implemented to ward off attacks and prevent system collapse when a successful attack occurs
• Information security cannot completely guarantee that a system is totally secure
Data Protection
• Data is likely to be an organization’s most valuable asset
• How can we protect it?
• Ensuring confidentiality: only authorized parties can access
information
• Ensuring integrity: information is not altered
• Ensuring availability: information is accessible when needed
• Also, AAA must be employed
• Authentication: the individual is who he/she claims to be
• Authorization: Providing permission to specific resources
• Accounting: Provides tracking of events
Security Layers
Data stored (at rest) by hardware, manipulated by software, and
transmitted by communications, must be protected
• Policies and procedures
Plans and policies in place to ensure
people correctly use the products
• People
Those who implement and properly use
security products to protect data
• Products
Security around the data (door locks,
firewalls, intrusion prevention system)
Information Security Definition
• Information security defined as
“that which protects the confidentiality, integrity, and availability of
information on the devices that store, manipulate, and transmit the
information through products, people, and procedures”
Technology Assets
• An item that has value
• Provide value to the organization
• Cannot easily be replaced without a significant investment in
expense, time, worker skill, and/or resources
Threats
• Information security threats: events representing a danger to information assets
• The potential for creating a loss is real: corruption or theft of information, a delay in information being transmitted, loss of reputation, etc.
• Threat agent: a person or element (e.g., malicious software) that has the power to carry out a threat
Information Security Terminology: Vulnerability
• A vulnerability is a weakness that allows a threat agent to bypass security
Example: a software defect that allows an unauthorized user to gain control of a computer without the user’s knowledge or permission
Information Security Terminology: Threat Vector
• A threat vector is a path or other means by which an attacker can gain access to a server, host, or network
• Example: an attacker, knowing that a flaw in a web server’s OS has not been patched, uses that threat vector (exploiting the vulnerability) to steal user passwords
Importance of Information Security: Preventing Theft
• Preventing data theft
• Often cited as the primary objective of information security
• Business and personal data, e.g., credit card numbers
• Cost of attacks: lost wages and productivity during an attack and cleanup
Importance of Information Security: Preventing Identity Theft
• Using another’s personal information for financial gain
• Steal a person’s SSN
• Create a new credit card account
• Charge purchases
• Serious problem for the Internal Revenue Service (IRS)
• In one year, it delivered more than $5 billion in refund checks
• A single address in Lansing, Michigan, was used to file 2,137 separate tax returns ($3.3 million in refunds)
• 590 refunds totaling more than $900,000 went into a single bank account
Importance of Information Security: Avoid Legal Consequences
• Businesses that fail to protect data they possess may face serious financial penalties under federal or state laws
• Laws protecting electronic data privacy:
• Health Insurance Portability and Accountability Act of 1996 (HIPAA): those who wrongfully disclose individually identifiable health information can be fined up to $50,000 for each violation, up to a maximum of $1.5 million per calendar year, and sentenced to up to 10 years in prison
• Sarbanes-Oxley Act of 2002 (Sarbox): covers the corporate officers, auditors, and attorneys of publicly traded companies; stringent reporting requirements and internal controls on electronic financial reporting systems are required
• Gramm-Leach-Bliley Act (GLBA): all electronic and paper data containing personally identifiable financial information must be protected; the penalty for noncompliance for a class of individuals is up to $500,000
Importance of Information Security: Avoid Legal Consequences
• Laws protecting electronic data privacy:
• Payment Card Industry Data Security Standard (PCI DSS): security standards that all companies that process, store, or transmit credit card information must follow; the maximum penalty for not complying is $100,000 per month
• CA Database Security Breach Notification Act: requires businesses to inform California residents within 48 hours if a breach of personal information has occurred or is believed to have occurred
Who Are the Attackers?
• Hacker – skilled: older term for someone who uses advanced knowledge to attack computers
• Black hat hackers – personal gain: attackers who violate computer security for personal gain or to inflict malicious damage
• White hat hackers – have permission: “ethical attackers” who have received permission to probe a system for weaknesses
• Gray hat hackers – no permission, disclose vulnerability: attackers who break into a computer system without permission and then publicly disclose the vulnerability
Who Are the Attackers?
• Cybercriminals
• Launch attacks against other users and their computers
• Essentially synonymous with “attackers”
• Highly motivated, less risk-averse, well-funded
• Goal is financial gain: steal information to generate income
• Can launch advanced persistent threats (APTs): an APT gains unauthorized access to a network and stays there undetected for a long period of time (or tries to)
Who Are the Attackers?
• Script kiddies
• Unskilled users whose goal is breaking into computers (damage)
• Download automated hacking software (scripts)
• Today’s attack software is even easier for unskilled users to operate; ~40% of attacks are performed by script kiddies
Who Are the Attackers?
• Brokers
• Uncover vulnerabilities and do not report them to the vendor
• Sell the vulnerability to other attackers or governments
• Buyers pay a high price because the vulnerability is unknown
Who Are the Attackers?
• Insiders
• Employees, contractors, or partners who steal from their employer
• Sabotage or theft of intellectual property
• Employees believing that the data they have accumulated is owned by them
Who Are the Attackers?
• Cyberterrorists
• Ideologically motivated
• Perform attacks because of their beliefs
• Target example: computers that control the electrical power grid of a state or region
Who Are the Attackers?
• Hacktivists
• Ideologically motivated
• Unlike cyberterrorists, who incite panic, hacktivists are generally not well defined
• Attacks can involve breaking into a website and changing the contents on the site to make a political statement
• Retaliatory attacks
• E.g., Anonymous, WikiLeaks
• Who (if anyone) should be punished for disclosing information?
Who Are the Attackers?
• State-sponsored attackers
• Supported by governments
• Attackers target foreign governments, or even citizens of the sponsoring government who are considered hostile or threatening
• Do countries participate (to some degree) in state-sponsored hacking?
Steps of an Attack
• Kill chain
Malware delivers a malicious “payload” that performs a harmful function
Defenses Against Attacks – Principles
• Layering: if a layer is penetrated, several more layers must still be breached
• Limiting: only those who must use the data should have access to it, and access should be limited to what those people need to perform their duties
• Diversity: attackers cannot use the same technique to break multiple layers
• Obscurity: not revealing the network topology, computer type, or OS version
• Simplicity: the system should be simple for those on the inside to understand
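The Data Protection slide lists confidentiality, integrity, availability and AAA, and the defenses slide adds layering and limiting, but the slides stay abstract. The following is an added Python example, not code from the slides or the course, that puts those ideas into one small record store: a salted PBKDF2 hash for authentication, role-based permissions for authorization (the limiting principle), an audit log for accounting, and HMAC tags for integrity, with the checks applied in layers. Every username, password, role, key and record below is a constructed placeholder.

```python
"""Toy record store showing the CIA/AAA ideas and the 'limiting' principle.
Constructed example for this page: users, passwords, roles, key and records
are invented; nothing here comes from a real system."""
import hashlib
import hmac
import os

# Limiting (least privilege): each role is granted only the actions it needs.
ROLE_PERMISSIONS = {
    "auditor": {"read"},
    "clerk": {"read", "update"},
    "admin": {"read", "update", "delete"},
}
PBKDF2_ROUNDS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    # Salted, deliberately slow hash so stored credentials resist offline guessing.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class SecureStore:
    def __init__(self, integrity_key: bytes):
        self._key = integrity_key  # secret for the HMAC integrity tags
        self._users = {}           # name -> (salt, password digest, role)
        self._records = {}         # record_id -> (data, tag)
        self.audit_log = []        # Accounting: one entry per access decision

    def add_user(self, name: str, password: str, role: str) -> None:
        if role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role {role!r}")
        salt = os.urandom(16)
        self._users[name] = (salt, hash_password(password, salt), role)

    def _tag(self, record_id: str, data: str) -> bytes:
        # The id is bound into the tag so a valid record cannot be swapped in under another id.
        return hmac.new(self._key, f"{record_id}\x00{data}".encode(), "sha256").digest()

    def store_record(self, record_id: str, data: str) -> None:
        self._records[record_id] = (data, self._tag(record_id, data))

    def tamper(self, record_id: str, data: str) -> None:
        # Simulates an out-of-band change that skips the tagging step (demo only).
        _, old_tag = self._records[record_id]
        self._records[record_id] = (data, old_tag)

    def authenticate(self, name: str, password: str) -> bool:
        entry = self._users.get(name)
        if entry is None:
            hash_password(password, b"\x00" * 16)  # unknown user costs as much as a wrong password
            return False
        salt, digest, _ = entry
        return hmac.compare_digest(hash_password(password, salt), digest)

    def authorize(self, name: str, action: str) -> bool:
        return action in ROLE_PERMISSIONS[self._users[name][2]]

    def access(self, name, password, action, record_id, new_data=None) -> str:
        """Layered check: authentication, then authorization, then integrity."""
        outcome = self._decide(name, password, action, record_id, new_data)
        self.audit_log.append((name, action, record_id, outcome))
        return outcome

    def _decide(self, name, password, action, record_id, new_data):
        if not self.authenticate(name, password):
            return "denied:authentication"
        if not self.authorize(name, action):
            return "denied:authorization"
        if record_id not in self._records:
            return "denied:not-found"
        data, tag = self._records[record_id]
        if not hmac.compare_digest(tag, self._tag(record_id, data)):
            return "denied:integrity"
        if action == "update":
            self.store_record(record_id, new_data)
            data = new_data
        elif action == "delete":
            del self._records[record_id]
        return f"ok:{data}"


def demo():
    """Walks through five constructed cases; returns (outcomes, audit log)."""
    store = SecureStore(integrity_key=b"constructed-demo-key")
    store.add_user("alice", "auditor-pass", "auditor")
    store.add_user("bob", "clerk-pass", "clerk")
    store.store_record("cust-1", "card=****1234")
    outcomes = [
        store.access("alice", "wrong-pass", "read", "cust-1"),      # fails authentication
        store.access("alice", "auditor-pass", "delete", "cust-1"),  # auditor may not delete
        store.access("alice", "auditor-pass", "read", "cust-1"),    # allowed
        store.access("bob", "clerk-pass", "update", "cust-1", "card=****9999"),
    ]
    store.tamper("cust-1", "card=****0000")                         # bypasses the tag
    outcomes.append(store.access("alice", "auditor-pass", "read", "cust-1"))
    return outcomes, store.audit_log


if __name__ == "__main__":
    print(*demo()[0], sep="\n")
```

Running `demo()` yields, in order, a denial at the authentication layer, a denial at the authorization layer (the auditor role was never granted `delete`), a successful read, a successful update by the clerk, and finally an integrity denial once the record has been altered behind the store's back. The audit log records all five decisions, including the denied ones, which is the accounting half of AAA that makes the earlier failures visible to a defender.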
Module 1 Activities
• Homework Module 1