
CP5603 E-Security

Lecture 1 Chapter 1 Tuesday 26 July 2011

The Textbook
Whitman and Mattord, Principles of Information Security 3rd edition 2009 Has a yellow cover showing a maze. Currently selling for $113 at the JCU bookshop (plus postage). US$81 at Amazon.

Two Assignments
The assignment: involves answering some questions, some purely technical, some needing a short essay answer. Research report and seminar: read about a topic you are interested in, write a report, and do a short presentation about it.

Research Topics
Topics can be anything related to security, including:
1. Pretty Good Privacy (PGP)
2. Multipurpose Internet Mail Extensions (MIME)
3. Private Key Management software
4. Internet Protocol (IP) security (IPSec)
5. Spam, phishing, stealing bank passwords
6. Secure Sockets Layer (SSL)
7. Transport Layer Security (TLS)
8. Kerberos
9. Secure Electronic Transaction (SET)
10. Or anything else that you're interested in.

Learning Objectives
Upon completion of this material, you should be able to:
Define information security
Relate the history of computer security and how it evolved into information security
Define key terms and critical concepts of information security as presented in this chapter
Discuss the phases of the security systems development life cycle
Present the roles of professionals involved in information security within an organization

Introduction: What Is Information Security?


"Information security is a well-informed sense of assurance that the information risks and controls are in balance." Jim Anderson, Inovant (2002)
Is that all? Feeling good about risk? I never liked textbook definitions. To understand something, look at the history. Where did it start?

The History of Information Security


People have been stealing information for thousands of years: secret spies, torture, etc. In World War 2, armies used radio networks, so information could be stolen more easily: anyone with a receiver could listen in.

The Enigma Machine


World War 2 machine for encrypting messages. The secret key was set by choosing the rotor settings and plugging wires into the plugboard. Meant to keep radio messages secret even though anyone could receive them.

The Bombe: the First Computer?

Alan Turing, "Father of Computing"

The Bombe was an electromechanical machine designed by Alan Turing at Bletchley Park to find the daily Enigma key settings, so that intercepted Enigma messages could be decrypted. It is often loosely called the first computer, but it was not programmable and not a general-purpose computer; the first programmable electronic digital computer, Colossus (1944), was also built at Bletchley Park, for a different German cipher.

The First Computers


Alan Turing's 1936 "universal machine" is the theoretical model of the general-purpose digital computer, and his wartime work at Bletchley Park helped win World War 2. Turing's name is all over computer science: the Turing test, Turing machines, Turing degrees, the Turing Award.
Alan Turing 1912-1954

But he died in 1954, ruled a suicide, two years after being convicted of "gross indecency" for being homosexual and sentenced to hormone treatment as an alternative to prison. Maybe if he had lived, computers might be better today.

Homosexuality and Computers


Some people say computers are evil, because they were invented by a homosexual, Alan Turing.

They use computers to print their signs.

Internet History
1957: the Soviet Union launches Sputnik. 1958: the U.S. Government creates the Advanced Research Projects Agency (ARPA, later renamed DARPA). 1967: ARPA starts to design a packet-switched data network. It is often said to have been meant to survive a nuclear war: a mesh of connections so that as bases get nuked, network traffic can travel around the damage.

How the Internet Started


1969: Larry Roberts' team builds ARPANET: both a physical network and a compatible set of protocols for data communication. A protocol is a list of rules both sides agree to follow. During the 1970s, lots of universities use ARPANET to connect their own machines and to link to other universities: inter-network links. By the late 1980s there were many inter-networks: BITNET, ARPANET, MILNET, NSFNET, etc.

Figure 1-2 - ARPANET


A Single Compatible Inter-Network

All those inter-networks were made compatible. By 1987, any machine running the DARPA protocols (TCP/IP) could talk to any other machine: a single unified inter-network, the Internet.

The 1970s and 80s


ARPANET grew in popularity, as did its potential for misuse. Fundamental problems with ARPANET security were identified:
No safety procedures for dial-up connections to ARPANET.
Nonexistent user identification and authorization on the system.
Late 1970s: the microprocessor expanded computing capabilities, and with them the security threats.

The 1970s and 80s (continued)


Information security as a field began with the RAND Report R-609 (1970), which started the study of computer security. The scope of computer security grew from physical security to include:
Safety of data
Limiting unauthorized access to data
Involvement of personnel from multiple levels of an organization

The 1990s to Today


Most computers are networked. The Internet Protocol (IP) is still very insecure: in early Internet deployments, security was treated as a low priority, and IP can't easily be changed to something better now. The ability to secure a computer's information is influenced by the security of every other computer connected to it.

What is Security?
The quality or state of being secure: to be free from danger. A successful organization should have multiple layers of security in place:
Physical security: otherwise, just steal the computer.
Personal security: otherwise, torture the employees.
Operations security: otherwise, guess what you're doing by watching what you do.
Communications security, network security, information security: otherwise, steal a copy of your data.

What is Security? (continued)


The protection of information and its critical elements, including the systems and hardware that use, store, and transmit that information.
Necessary tools: policy, awareness, training, education, technology.
The C.I.A. triangle was the standard, based on confidentiality, integrity, and availability.
The C.I.A. triangle has now been expanded into a list of critical characteristics of information.

Key Security Concepts

The CIA Triad

Critical Characteristics of Information


The value of information comes from the characteristics it possesses:
Availability
Accuracy
Authenticity
Confidentiality
Integrity
Utility
Possession
If your data doesn't have these, it's useless.

NSTISSC Security Model


Components of an Information System


An information system (IS) is the entire set of software, hardware, data, people, procedures, and networks necessary to use information as a resource in the organization.

Securing Those Components


A computer can be the subject of an attack and/or the object of an attack. When it is the subject of an attack, the computer is used as an active tool to conduct an attack on someone else. When it is the object of an attack, the computer is the entity being attacked by someone else.

Subject and Object of Attack


Balancing Information Security and Access


Perfect security is impossible to obtain. It is a process, not an absolute. Security should be considered a balance between protection and availability. To achieve balance, the level of security must allow reasonable access, yet protect against threats.

Balancing Security and Access


Approaches to Information Security Implementation: Bottom-Up Approach


Grassroots effort: systems administrators attempt to improve the security of their own systems.
Key advantage: the technical expertise of individual administrators.
Seldom works, as it lacks a number of critical features:
Participant support
Organizational staying power

Approaches to Information Security Implementation: Top-Down Approach


Initiated by upper management:
Issue policy, procedures, and processes
Dictate goals and expected outcomes of the project
Determine accountability for each required action

The most successful also involve a formal development strategy referred to as the systems development life cycle.


The Systems Development Life Cycle


The Systems Development Life Cycle (SDLC) is a methodology for the design and implementation of an information system within an organization. A methodology is a formal approach to problem solving based on a structured sequence of procedures. Using a methodology ensures a rigorous process and avoids missing steps. The goal is creating a comprehensive security posture/program. The traditional SDLC consists of 6 general steps:

1. Investigation
What problem is the system being developed to solve?
Objectives, constraints, and scope of the project are specified.
A preliminary cost-benefit analysis is developed.
At the end, a feasibility analysis is performed to assess the economic, technical, and behavioral feasibility of the process.

2. Analysis
Consists of assessments of the organization, the status of current systems, and the capability to support the proposed systems.
Analysts determine what the new system is expected to do and how it will interact with existing systems.
Ends with documentation of findings and an update of the feasibility analysis.

3. Logical Design
The main factor is business need; applications capable of providing the needed services are selected.
Data support and structures capable of providing the needed inputs are identified.
Technologies to implement the physical solution are determined.
A feasibility analysis is performed at the end.

4. Physical Design
Technologies to support the alternatives identified and evaluated in the logical design are selected.
Components are evaluated on a make-or-buy decision.
A feasibility analysis is performed; the entire solution is presented to end-user representatives for approval.

5. Implementation
Needed software is created; components are ordered, received, assembled, and tested.
Users are trained and documentation is created.
A feasibility analysis is prepared; users are presented with the system for performance review and acceptance testing.

6. Maintenance and Change


Consists of the tasks necessary to support and modify the system for the remainder of its useful life. The life cycle continues until the process begins again from the investigation phase. When the current system can no longer support the organization's mission, a new project is implemented.

The Security Systems Development Life Cycle


The same phases used in the traditional SDLC may be adapted to support a specialized implementation of an information security (IS) project: identification of specific threats and creation of controls to counter them. The SecSDLC is a coherent program rather than a series of random, seemingly unconnected actions.

1. Investigation
Identifies the process, outcomes, goals, and constraints of the project.
Begins with the Enterprise Information Security Policy (EISP).
An organizational feasibility analysis is performed.

2. Analysis
Documents from the investigation phase are studied.
Analysis of existing security policies or programs, along with documented current threats and associated controls.
Includes analysis of relevant legal issues that could impact the design of the security solution.
The risk management task begins.

3. Logical Design
Creates and develops the blueprints for information security.
Incident response actions are planned:
Continuity planning
Incident response
Disaster recovery
A feasibility analysis determines whether the project should be continued or outsourced.

4. Physical Design
Needed security technology is evaluated, alternatives are generated, and the final design is selected. At the end of the phase, a feasibility study determines the readiness of the organization for the project.

5. Implementation
Security solutions are acquired, tested, implemented, and tested again. Personnel issues are evaluated; specific training and education programs are conducted. The entire tested package is presented to management for final approval.

6. Maintenance and Change


Perhaps the most important phase, given the ever-changing environment and new threats. Often, the repair and restoration of information is a constant duel with an unseen adversary. The information security profile of an organization requires constant adaptation as new threats emerge and old threats evolve.

Security Professionals and the Organization


A wide range of professionals are required to support a diverse information security program. Senior management is the key component. Additional administrative support and technical expertise are also required to implement the details of the information security program.

Senior Management
Chief Information Officer (CIO)
Senior technology officer
Primarily responsible for advising senior executives on strategic planning
Chief Information Security Officer (CISO)
Primarily responsible for the assessment, management, and implementation of information security in the organization
Usually reports directly to the CIO

Information Security Project Team


A number of individuals who are experienced in one or more facets of the required technical and nontechnical areas:
Champion
Team leader
Security policy developers
Risk assessment specialists
Security professionals
Systems administrators
End users

Data Ownership
Data owner: responsible for the security and use of a particular set of information.
Data custodian: responsible for the storage, maintenance, and protection of information.
Data users: end users who work with information to perform their daily jobs supporting the mission of the organization.

Communities of Interest
A group of individuals united by similar interests/values within an organization:
Information security management and professionals
Information technology management and professionals
Organizational management and professionals

Information Security: Is it an Art or a Science?


The implementation of information security is often described as a combination of art and science. The "security artisan" idea is based on the way individuals have perceived systems technologists since computers became commonplace.

Security as Art
No hard and fast rules, nor many universally accepted complete solutions.
No manual for implementing security through the entire system.
Expect the unexpected.

Security as Science
Dealing with technology designed to operate at high levels of performance.
Specific conditions cause virtually all actions that occur in computer systems.
Nearly every fault, security hole, and systems malfunction is a result of the interaction of specific hardware and software.
If developers had sufficient time, they could resolve and eliminate faults.

Security as a Social Science


Social science examines the behavior of individuals interacting with systems. Security begins and ends with the people that interact with the system. Security administrators can greatly reduce the levels of risk caused by end users, and create more acceptable and supportable security profiles.

Key Terms
Access, Asset, Attack, Control (Safeguard or Countermeasure), Exploit, Exposure, Hack, Object, Risk, Security Blueprint, Security Model, Security Posture (or Security Profile), Subject, Threat, Threat Agent, Vulnerability

Summary of Chapter 1
Information security is a well-informed sense of assurance that the information risks and controls are in balance.
Computer security began immediately after the first mainframes were developed.
Successful organizations have multiple layers of security in place: physical, personal, operations, communications, network, and information.

Summary of Chapter 1 (continued)


Security should be considered a balance between protection and availability.
Information security must be managed similarly to any major system implemented in an organization, using a methodology like the SecSDLC.
The implementation of information security is often described as a combination of art and science.

CP5603 E-Security
Lecture 1 (part 2) Case Study: Stealing Passwords Tuesday 26 July 2011

Case Study: Your Personal Computer


How do you steal someone's password? Two ways: attack the stored, hashed password (these slides call it the "encrypted" password), or fool the human element. The cryptography itself usually holds; the usual aim is to exploit human mistakes, because people are often lazy.

How Long Is Your Password?


The most popular password length is only 6 characters: in one survey, 26% of passwords were only 6 characters long. That is short enough to try every possible combination of 6 characters (26^6, about 309 million, for lowercase letters only; 95^6, about 7.4 x 10^11, for all printable ASCII characters).

Common Passwords
The 20 most popular passwords, in order of how popular they are:
1. password1
2. abc123
3. Blink182
4. baseball1
5. monkey1
6. slipknot1
7. qwerty1
8. football1
9. liverpool1
10. myspace1
11. fuckyou
12. 123456
13. princess1
14. password
15. 123abc
16. soccer
17. jordan23
18. monkey
19. superman1
20. iloveyou1

Is your password here?

The Most Common Password


Password1 is a very popular password. 123456 is also very popular. Different surveys give different results.

Common Passwords
Blink-182 is a music band. A lot of people use the band's name: it is easy to remember, and it has numbers in its name, so it seems like a good password.

Common Passwords
"qwerty1" refers to the first letters on a standard English computer keyboard.
QWERTY is the most common keyboard layout on English-language computer.

Common Passwords
The band Slipknot doesn't have any numbers in its name, so many people just put a 1 on the end.

Common Passwords
The password "jordan23" refers to Basketball player Michael Jordan and his number 23.

Common Passwords
I don't know why so many people choose monkey or monkey1.

5 Most Common Passwords, According to another Survey

500 Most Popular Passwords (from another survey)

Passwords Are Encrypted


Passwords are not stored as-is. Before a password is saved to disk, the system runs it through a one-way function, a hash (these slides call the result the "encrypted password"), so nobody who reads the file sees the original. Something similar happens when a password is sent over a network, if the protocol is well designed; many older protocols send it in the clear.

How To Get Encrypted Passwords


In order to steal a password, you first need to get the encrypted (hashed) password; we'll crack it later. There are 2 popular ways to get it: take it off the hard drive of the client computer (e.g., Internet Explorer saved it), or take it off the network as it travels from the client computer to the server.

Encrypted Passwords on Disk


All operating systems have a file that contains encrypted (hashed) passwords. Windows: the SAM (Security Accounts Manager) database in \WINNT\system32\config (\Windows\System32\config on XP and later), with a backup copy in \WINNT\repair on NT/2000. Unix: /etc/passwd, or on modern systems /etc/shadow, which only root can read.

Encrypted Passwords on Disk


Your web browser can also store encrypted passwords on disk.

If you can steal the computer, you can get all these encrypted passwords.

Passwords on the Network


Internet Protocol = IP. Every computer connected to the Internet has to have an IP address: a 32-bit number, written as 4 numbers from 0 to 255. Examples: 172.17.65.43, 211.32.45.214.

A bit like a phone number. IP is not secure: you can pretend to be someone else's IP address!

What Is IP Spoofing?
To spoof = to pretend to be someone else. IP spoofing: you pretend to be another computer by taking over its IP address. On a local network this is usually done with ARP spoofing (the tools listed on the next slide are ARP tools): pretend to be 2 other computers at once, so all traffic between them is routed through your computer. Example: sit between the firewall and the email server so you can read emails.

IP Spoofing for IP Sniffing

[Figure: computer A sends an original message towards B; the intruder sits on the same network.]

Intruder Gives Fake Updates

[Figure: the intruder tells A "I am computer B" and tells B "I am computer A".]

The intruder passes messages on, so traffic from A still reaches B, to avoid being detected.

[Figure: "Message from A to B" goes from A to the intruder, then from the intruder on to B.]

IP Spoofing / Sniffing Programs


Ettercap: a complete sniffing and ARP-poisoning tool with command-line, ASCII and full GUI interfaces.

Arpspoof: part of the dsniff package. Basic ARP manipulation tool.

ARPoison: basic ARP manipulation tool.

And many more. But don't do this on a real network!
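The other side of the "I am computer B / I am computer A" trick is detecting it. The following is an added example, not part of the lecture or of any of the tools above: it reads ARP replies from a constructed capture (the line format imitates `tcpdump -n arp` output; that format, the addresses and the MACs are all assumptions made up for the example) and flags the two signs of ARP spoofing the slides describe, one IP address announced by more than one MAC, and one MAC claiming more than one IP address.

```python
import re
from collections import defaultdict

# Constructed capture in the style of `tcpdump -n arp` output (the format is an
# assumption; real output varies by version). Lines 2-3 are the honest replies
# from the gateway (.1) and the user's PC (.20). Lines 4-5 are the intruder,
# MAC de:ad:be:ef:00:01, claiming to be both of them.
SAMPLE_CAPTURE = """
12:00:01.000 ARP, Request who-has 192.168.1.1 tell 192.168.1.20, length 28
12:00:01.001 ARP, Reply 192.168.1.1 is-at 00:11:22:33:44:01, length 28
12:00:05.000 ARP, Reply 192.168.1.20 is-at 00:11:22:33:44:20, length 28
12:00:09.000 ARP, Reply 192.168.1.1 is-at de:ad:be:ef:00:01, length 28
12:00:09.001 ARP, Reply 192.168.1.20 is-at de:ad:be:ef:00:01, length 28
""".strip().splitlines()

# Only replies carry an IP -> MAC claim; requests are ignored.
ARP_REPLY = re.compile(
    r"ARP, Reply (\d+\.\d+\.\d+\.\d+) is-at ([0-9a-fA-F:]{17})"
)


def parse_replies(lines):
    """Return the (ip, mac) claims made by every ARP reply in the capture."""
    claims = []
    for line in lines:
        m = ARP_REPLY.search(line)
        if m:
            claims.append((m.group(1), m.group(2).lower()))
    return claims


def detect_arp_spoofing(lines):
    """Flag IPs announced by several MACs and MACs announcing several IPs.

    The first is the direct sign of a poisoned ARP cache: the gateway's IP
    suddenly 'moves' to another card. The second is the man-in-the-middle
    pattern from the lecture: one card claiming to be both A and B.
    """
    ip_to_macs = defaultdict(set)
    mac_to_ips = defaultdict(set)
    for ip, mac in parse_replies(lines):
        ip_to_macs[ip].add(mac)
        mac_to_ips[mac].add(ip)
    return {
        "ip_conflicts": {ip: sorted(macs) for ip, macs in ip_to_macs.items()
                         if len(macs) > 1},
        "mac_conflicts": {mac: sorted(ips) for mac, ips in mac_to_ips.items()
                          if len(ips) > 1},
    }


if __name__ == "__main__":
    report = detect_arp_spoofing(SAMPLE_CAPTURE)
    for ip, macs in report["ip_conflicts"].items():
        print(f"ALERT: {ip} is claimed by {len(macs)} MACs: {', '.join(macs)}")
    for mac, ips in report["mac_conflicts"].items():
        print(f"ALERT: {mac} claims {len(ips)} IPs: {', '.join(ips)}")
```

One MAC answering for several IP addresses is not always an attack (a router or a host with several addresses does this legitimately), so the second check is a heuristic; an IP whose MAC changes mid-session is the stronger signal. Real detectors such as arpwatch keep a baseline of IP/MAC pairs over time and alert on changes rather than on a single capture.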

Sniffing Encrypted Passwords

[Figure: the encrypted password travels from the Internet bank user to the Internet bank web site, and an intruder on the path captures a copy of it. Screenshot source: www.ethereal.com]

Dictionary-Based Password Crackers


There is no way to turn an encrypted (hashed) password back into the password. But you can encrypt any word and ask:
encrypted word = encrypted password?

Encrypt every word in the dictionary!

There is free software to do this. Then compare the stolen encrypted password to each encrypted dictionary word. If you find a match, you are in! This only works this cheaply when the system stores plain, unsalted hashes; a per-user salt forces the attacker to redo all the work for every user.

Dictionary-Based Password Crackers


Encrypted password: A5Ibo25Gj
Encrypt every word in the dictionary:
Aardman  -> Y5iR4Bz2
Aardvark -> 8Ip5TyUkl
Abba     -> tL519vh59
Abcama   -> Q0h2nv8s
Petunia  -> A5Ibo25Gj  (match!)

Yes!

Dictionary-Based Password Crackers


Word lists can come from:
A dictionary.
Lists of names of people and places.
All the words on the victim's hard drive.

The software will also:
Add numbers to the front and back of each word.
Try upper / lower case variants.
petunia, petunia1, 1petunia, Petunia, Petunia1, 1Petunia, etc.

Dictionary-Based Cracker
The U.S. Secret Service has a program for finding passwords:
Uses all the words on the criminal's hard drive.
Has a 50% success rate.
Runs as a screensaver, so all the idle office PCs are running it.

So don't use a password that is similar to a word in your files or emails.
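To make the "encrypt every word in the dictionary" idea and the "try every possible combination of 6 characters" claim concrete, here is an added example, written for this page and not taken from the lecture or from any real cracking tool. It uses SHA-256 as a stand-in for whatever hash a real system uses (that is an assumption; Unix crypt variants and Windows NTLM differ, but the attack is the same against any fast hash), applies the mangling rules from the slides (case variants, a digit in front or behind), and shows why a per-user salt makes the precomputed table useless. The word list and the "stolen" hashes are constructed.

```python
import hashlib
import itertools

DIGITS = "0123456789"


def hash_password(password, salt=b""):
    """One-way hash of a password. SHA-256 is a stand-in (assumption): real
    systems use crypt/bcrypt on Unix or NTLM on Windows, but a dictionary
    attack works the same way against any fast hash."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def mangle(word):
    """Yield guesses derived from one word-list entry, following the rules on
    the slides: case variants, and a single digit in front of or after the
    word (petunia, petunia1, 1petunia, Petunia, Petunia1, 1Petunia, ...)."""
    seen = set()
    for base in (word.lower(), word.capitalize(), word.upper()):
        variants = [base]
        variants += [base + d for d in DIGITS]
        variants += [d + base for d in DIGITS]
        for cand in variants:
            if cand not in seen:
                seen.add(cand)
                yield cand


def build_table(wordlist):
    """'Encrypt every word in the dictionary' once, keyed by hash, so any
    number of stolen unsalted hashes can then be looked up instantly."""
    table = {}
    for word in wordlist:
        for cand in mangle(word):
            table.setdefault(hash_password(cand), cand)
    return table


def lookup(table, stolen_hash):
    """The comparison step from the slides: encrypted word == encrypted password?"""
    return table.get(stolen_hash)


def crack_salted(stolen_hash, salt, wordlist):
    """With a per-user salt the precomputed table is useless: every guess has
    to be re-hashed with that user's salt, and redone for every user."""
    for word in wordlist:
        for cand in mangle(word):
            if hash_password(cand, salt) == stolen_hash:
                return cand
    return None


def keyspace(alphabet_size, length):
    """Number of passwords of exactly this length: 26**6 lowercase-only
    passwords is about 3.1e8, seconds to minutes of work for a fast hash."""
    return alphabet_size ** length


def brute_force(stolen_hash, alphabet="abcdefghijklmnopqrstuvwxyz",
                max_len=4, salt=b""):
    """Try every combination up to max_len, shortest first: what the slides
    mean by 'short enough to try every possible combination'."""
    for length in range(1, max_len + 1):
        for combo in itertools.product(alphabet, repeat=length):
            cand = "".join(combo)
            if hash_password(cand, salt) == stolen_hash:
                return cand
    return None


if __name__ == "__main__":
    # Constructed word list and 'stolen' hashes, not real data.
    wordlist = ["aardman", "aardvark", "abba", "petunia"]
    table = build_table(wordlist)
    print("unsalted:", lookup(table, hash_password("Petunia1")))
    print("salted:  ", crack_salted(hash_password("petunia1", b"x7"), b"x7", wordlist))
    print("6-char lowercase keyspace:", keyspace(26, 6))
    print("brute force:", brute_force(hash_password("zq"), max_len=2))
```

The table is the expensive part and is built once; that is exactly why the Secret Service screensaver approach scales, and why a salt (which makes the table per-user) and a deliberately slow hash such as bcrypt are the standard defences on the storage side.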

Conclusions
Don't use dictionary words.
Don't use a word in any email or file that you have ever touched.
Don't let Internet Explorer remember your passwords.
Run ARP-spoofing (anti-sniffing) detection software. It will tell you if someone on your local network is sniffing.
Are you going to change your password when you get home?
