Cyber Security
Security
From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.
Objectives
Define computer security as well as basic computer security terms
Introduce the C-I-A Triad
Introduce basic access control terminology
Explain basic threats, vulnerabilities, and attacks
Show how controls map to threats
What Is Computer Security?
• Protection of the items you value, called the assets of a computer or
computer system.
• There are many types of assets
Hardware
Software
Data
Or combinations of these
Assets
Values of Assets
Basic Terms
• Vulnerability
• Threat
• Attack
• Countermeasure or control
Vulnerabilities, Threats,
Attacks, Controls
• A vulnerability is a weakness in the security system (i.e., in procedures, design, or
implementation) that might be exploited to cause loss or harm.
[Figure: C-I-A triad (Confidentiality, Integrity, Availability; Secure)]
Access Control
Types of Threats
Types of Attackers
Threats
• An interception means that some unauthorized party has gained access to an
asset.
• If an unauthorized party not only accesses but also tampers with (forges) an asset, the
threat is a modification.
• method: the skills, knowledge, tools, and other things with which
to pull off the attack
• Knowledge of systems is widely available
• Detection
• Detect attackers’ violation of security policy
• Recovery
• Stop attack, assess and repair damage
• Continue to function correctly even if attack succeeds
Trust and Assumptions
• Trust underlies all aspects of security
• Policies
• Unambiguously partition system states
• Correctly capture security requirements
• Mechanisms
• Assumed to enforce policy
• Support mechanisms work correctly
Control or Countermeasure
• Means to counter threats. Harm occurs when a threat is realized against a
vulnerability. To protect against harm, then, we can neutralize the threat, close
the vulnerability, or both.
• The possibility for harm to occur is called risk. We can deal with harm in several
ways:
• prevent it, by blocking the attack or closing the vulnerability
• deter it, by making the attack harder but not impossible
• deflect it, by making another target more attractive (or this one less so)
• mitigate it, by making its impact less severe
• detect it, either as it happens or some time after the fact
• recover from its effects
Controls/Countermeasures
Different Types of Controls
Controls Available
• Encryption
• We take data in their normal, unscrambled state, called:
• cleartext or plaintext, and transform them so that they are unintelligible to the outside
observer; the transformed data are called enciphered text or ciphertext.
• Operating system and network system controls: limitations enforced by the operating system
or network to protect each user from all other users
• e.g., chmod on UNIX: (Read, Write, Execute) vs. (Owner, Group, Other)
• Physical Controls
• e.g., locks on doors,
• guards at entry points,
• backup copies of important software and data, and
• physical site planning that reduces the risk of natural disasters.
Effectiveness of Controls
• Awareness of Problem
• People using controls must be convinced of the need for security. That is,
people will willingly cooperate with security requirements only if they
understand why security is appropriate in a given situation.
Effectiveness of Controls
• Likelihood of Use
• Of course, no control is effective unless it is used
• Principle of Effectiveness:
• Controls must be used properly to be effective.
• They must be efficient, easy to use, and appropriate.
• Periodic Review
• Just when the security specialist finds a way to secure assets against certain
kinds of attacks, the opposition doubles its efforts in an attempt to defeat the
security mechanisms. Thus, judging the effectiveness of a control is an
ongoing task.
Principle of Weakest Link
• Security can be no stronger than its weakest link !!!
• Whether it is the power supply that powers the firewall or the operating
system under the security application or the human who plans, implements,
and administers controls, a failure of any control can lead to a security failure.
Summary
• Vulnerabilities are weaknesses in a system;
• threats exploit those weaknesses;
• controls protect those weaknesses from exploitation
• Confidentiality, integrity, and availability are the three basic security
primitives
• Different attackers pose different kinds of threats based on their
capabilities and motivations
• Different controls address different threats; controls come in many
flavors and can exist at various points in the system
DES (Data Encryption Standard)
Basics
• The Data Encryption Standard (DES) is a symmetric-key block cipher
created in the early 1970s by an IBM team and adopted by the
National Institute of Standards and Technology (NIST).
• Symmetric-key means that it employs the same key in both encrypting
and decrypting the data.
• DES uses 16 rounds and the block size is 64 bits. Though the key length is
64 bits, DES has an effective key length of 56 bits, since 8 of the 64 bits
of the key are not used by the encryption algorithm.
DES Algorithm Steps
• The process begins with the 64-bit plain text block getting handed
over to an initial permutation (IP) function.
• The initial permutation (IP) is then performed on the plain text.
• Next, the initial permutation (IP) creates two halves of the permuted
block, referred to as Left Plain Text (LPT) and Right Plain Text (RPT).
• Each LPT and RPT goes through 16 rounds of the encryption process.
• Finally, the LPT and RPT are rejoined, and a Final Permutation (FP) is
performed on the newly combined block.
• The result of this process produces the desired 64-bit ciphertext.
1. Initial permutation (IP)
2. 16 Rounds
In this step, S Box RPT will be permuted according to the P Box table
and gives rise to P Box RPT.
Step 5: XOR and Swap
3. Final permutation
DES Modes of Operation
• Electronic Codebook (ECB). Each 64-bit block is encrypted and
decrypted independently
• Cipher Block Chaining (CBC). Each 64-bit block depends on the
previous one and uses an Initialization Vector (IV)
• Cipher Feedback (CFB). The preceding ciphertext becomes the input for
the encryption algorithm, producing pseudorandom output, which in
turn is XORed with plaintext, building the next ciphertext unit
• Output Feedback (OFB). Much like CFB, except that the encryption
algorithm input is the output from the preceding DES
• Counter (CTR). Each plaintext block is XORed with an encrypted
counter. The counter is then incremented for each subsequent block
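The round structure and the ECB/CBC difference described above, as an added sketch that is not from the slides: a toy 16-round Feistel cipher on 64-bit blocks, used to compare the two modes on a message with repeated blocks. The SHA-256 round function and key schedule are stand-ins for the DES tables, IP/FP and padding are omitted, and the key, IV and message are constructed.

```python
import hashlib

BLOCK = 8    # bytes: 64-bit block, the DES block size
ROUNDS = 16  # DES uses 16 rounds


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _subkeys(key):
    # Toy key schedule (assumption): one 4-byte subkey per round via SHA-256.
    return [hashlib.sha256(key + bytes([r])).digest()[:4] for r in range(ROUNDS)]


def _round_function(half, subkey):
    # Stand-in for DES's expansion, S-box and P-box steps (not the real tables).
    return hashlib.sha256(subkey + half).digest()[:4]


def _feistel(block, subkeys):
    left, right = block[:4], block[4:]            # LPT and RPT
    for k in subkeys:
        # XOR the round output into the left half, then swap the halves.
        left, right = right, _xor(left, _round_function(right, k))
    return right + left                            # rejoin, undoing the last swap


def encrypt_block(block, key):
    return _feistel(block, _subkeys(key))


def decrypt_block(block, key):
    # Same network; only the subkey order is reversed.
    return _feistel(block, _subkeys(key)[::-1])


def _blocks(data):
    if len(data) % BLOCK:
        raise ValueError("length must be a multiple of 8 bytes (padding omitted)")
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(data, key):
    # Every block is encrypted independently of the others.
    return b"".join(encrypt_block(b, key) for b in _blocks(data))


def cbc_encrypt(data, key, iv):
    out, prev = [], iv
    for b in _blocks(data):
        prev = encrypt_block(_xor(b, prev), key)   # chain in the previous ciphertext
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(data, key, iv):
    out, prev = [], iv
    for c in _blocks(data):
        out.append(_xor(decrypt_block(c, key), prev))
        prev = c
    return b"".join(out)


def repeated_blocks(ciphertext):
    # How many ciphertext blocks duplicate an earlier block.
    blocks = _blocks(ciphertext)
    return len(blocks) - len(set(blocks))


# Constructed sample data: three identical plaintext blocks, then one different.
KEY = b"demo-key"
IV = bytes.fromhex("0011223344556677")   # fixed here only to keep the demo repeatable
MESSAGE = b"PAY 100 " * 3 + b"TO ALICE"

if __name__ == "__main__":
    print("ECB repeated blocks:", repeated_blocks(ecb_encrypt(MESSAGE, KEY)))
    print("CBC repeated blocks:", repeated_blocks(cbc_encrypt(MESSAGE, KEY, IV)))
```

Under ECB the three equal plaintext blocks produce three equal ciphertext blocks, so the message structure is visible without the key; CBC hides it because each block is mixed with the preceding ciphertext.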
DES: The Data Encryption Standard
• Symmetric block cipher
AES: Advanced Encryption System
• Symmetric block cipher
• Developed in 1999 by independent Dutch cryptographers
• Still in common use
DES vs. AES
RSA Algorithm
Public Key (Asymmetric) Cryptography
• Instead of two users sharing one secret key, each user has two
keys: one public and one private.
• Messages encrypted using the user’s public key can only be
decrypted using the user’s private key, and vice versa.
Basics
• The RSA algorithm is an asymmetric cryptography algorithm. Asymmetric means
that it works on two different keys, i.e., a Public Key and a Private Key. The
Public Key is given to everyone and the Private Key is kept private.
• An example of asymmetric cryptography:
o A client (for example, a browser) sends its public key to the server and
requests some data.
o The server encrypts the data using client’s public key and sends the
encrypted data.
o Client receives this data and decrypts it.
Basics
Key Generation
RSA Encryption
RSA Decryption
𝐶𝑑
RSA Example
Security of RSA
Mathematical Attacks
Timing Attacks
Diffie-Hellman Key Exchange
The Problem of Key Exchange
• Alice mixed
• [(Yellow + Teal) from Bob] + Orange
• Bob mixed
• [(Yellow + Orange) from Alice] + Teal
Alice & Bob have agreed to a
shared color unknown to Eve
• How is it that Alice & Bob’s final mixture is
secret?
• Consider the secret key = "CHARLES".
Now decrypt the following cipher text using Playfair
Cipher.
PRSBHADGDCBCAZRZVPAMBW
Cipher text digrams: PR SB HA DG DC BC AZ RZ VP AM BW
Key table (Secret Key = CHARLES):
C H A R L
E S B D F
G I/J K M N
O P Q T U
V W X Y Z
Rules:
If the 2 letters are in the same row, write the letter to the left of each.
If the 2 letters are in the same column, write the letter above each.
If neither applies, make a rectangle out of the 2 letters and write the letters at
its opposite corners.
Plain Text TH ES CH EM ER EA LX LY WO RK SX
Cipher Text PR SB HA DG DC BC AZ RZ VP AM BW
HELLOHOWAREYOU
Caesar Cipher
• Identify plain text from cipher text using Caesar
cipher with a shift of 4.
P = (C-shift) mod 26
Autokey Cipher
• Generate cipher text from plain text using Auto-key
cipher with initial key of 12.
n = p*q = 3*11 = 33
φ(n) = (p-1)*(q-1) = 2*10 = 20
choose d such that (d*e) % φ(n) = 1. One solution is d (private key) = 3
Decryption of cipher text (c) = 29 is M = 29^3 % 33 = 2
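The arithmetic of the RSA exercise above, worked in code as an added example that is not from the slides. The public exponent e is not stated on the slide; here it is derived as the inverse of d = 3 modulo φ(n), and the last function shows why an n this small gives no security (function names are this example's own).

```python
from math import gcd, isqrt


def egcd(a, b):
    """Extended Euclid: return (g, x, y) with a*x + b*y == g == gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x, y = egcd(b, a % b)
    return g, y, x - (a // b) * y


def modinv(a, m):
    g, x, _ = egcd(a, m)
    if g != 1:
        raise ValueError(f"{a} has no inverse modulo {m}")
    return x % m


def toy_rsa(p, q, d):
    """Return (n, phi, e) for primes p, q and private exponent d."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(d, phi) != 1:
        raise ValueError("d must be coprime to phi(n)")
    return n, phi, modinv(d, phi)      # e satisfies (d*e) % phi == 1


def encrypt(m, e, n):
    return pow(m, e, n)                # C = M^e mod n


def decrypt(c, d, n):
    return pow(c, d, n)                # M = C^d mod n


def private_exponent_from_public(n, e):
    """Recover d from the public key alone by trial division of n.

    Feasible only because n is tiny; the security of RSA rests on n being
    too large to factor.
    """
    for p in range(2, isqrt(n) + 1):
        if n % p == 0:
            return modinv(e, (p - 1) * (n // p - 1))
    raise ValueError("no factor found")


if __name__ == "__main__":
    n, phi, e = toy_rsa(3, 11, 3)      # the slide's p, q and d
    print("n =", n, "phi =", phi, "e =", e)
    print("encrypt(2) =", encrypt(2, e, n), " decrypt(29) =", decrypt(29, 3, n))
    print("d recovered from (n, e):", private_exponent_from_public(n, e))
```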
• Diffie-Hellman key exchange algorithm with example.
Program Security
Challenges to writing secure code
Unintentional (Non-malicious) Programming Oversights
Non-malicious code
• Caused by a mistake made by a human, such as a programmer or
developer.
• Many such errors cause program malfunction but do not lead to more
serious security vulnerabilities.
http://www.somesite.com/subpage/userinput.asp?parm1=(808)555-1212&parm2=2015Jan17
• As a security professional, you might examine the various parts of the URL to determine what they
mean and how they might be exploited.
• For instance, the parameters parm1 and parm2 look like a telephone number and a date, respectively.
• But what would happen if parm2 were submitted as 1800Jan01? Or 1800Feb30? Or 2048Min32? Or
1Aardvark2Many?
• Something in the program or the system with which it communicates would likely fail. One possibility is
that the system would fail catastrophically, with a routine’s failing on a data type error as it tried to
handle a month named “Min” or even a year (like 1800) that was out of expected range.
• Another possibility is that the receiving program would continue to execute but would generate a very
wrong result.
Solution to incomplete mediation
• Three properties of a reference monitor are
(1) small and simple enough to give confidence of correctness
(2) Unbypassable
(3) always invoked
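One way to mediate the two URL parameters from the example above on the server, added here as an illustration and not taken from the slides. The accepted formats and the allowed year range are assumptions of this example; the rejected values are the ones the slide asks about.

```python
import re
from datetime import date
from urllib.parse import parse_qs, urlsplit

MONTHS = {name: number for number, name in enumerate(
    ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
     "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"], start=1)}
PHONE_RE = re.compile(r"\(\d{3}\)\d{3}-\d{4}")
DATE_RE = re.compile(r"(\d{4})([A-Z][a-z]{2})(\d{2})")
YEAR_RANGE = range(1900, 2101)   # assumption: what this application accepts


def parse_date(value):
    """Parse YYYYMonDD strictly; raise ValueError on anything else."""
    m = DATE_RE.fullmatch(value)
    if not m:
        raise ValueError("parm2: not in YYYYMonDD form")
    year, month_name, day = int(m[1]), m[2], int(m[3])
    if month_name not in MONTHS:
        raise ValueError("parm2: unknown month")
    if year not in YEAR_RANGE:
        raise ValueError("parm2: year out of range")
    try:
        return date(year, MONTHS[month_name], day)   # rejects Feb 30 and the like
    except ValueError:
        raise ValueError("parm2: no such calendar day") from None


def mediate(url):
    """Return (phone, date) only if every parameter passes every check."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    if set(query) != {"parm1", "parm2"} or any(len(v) != 1 for v in query.values()):
        raise ValueError("expected exactly one parm1 and one parm2")
    phone = query["parm1"][0]
    if not PHONE_RE.fullmatch(phone):
        raise ValueError("parm1: not in (NNN)NNN-NNNN form")
    return phone, parse_date(query["parm2"][0])


def rejection_reason(url):
    """Return None when the request is accepted, else the reason it was refused."""
    try:
        mediate(url)
    except ValueError as exc:
        return str(exc)
    return None


BASE = "http://www.somesite.com/subpage/userinput.asp?parm1=(808)555-1212&parm2="

if __name__ == "__main__":
    for value in ["2015Jan17", "1800Jan01", "1800Feb30", "2048Min32", "1Aardvark2Many"]:
        print(value, "->", rejection_reason(BASE + value) or "accepted")
```

The check runs on the server for every request, since anything enforced only in the browser can be bypassed by editing the URL.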
Authentication
• The act of proving that a user is who she says she is.
• Methods:
– Something the user knows
– Something the user is
– Something the user has
Something You Know
• Passwords
• Security questions
• Attacks on “something you know”:
– Dictionary attacks
– Inferring likely passwords/answers
– Guessing
– Defeating concealment
– Exhaustive or brute-force attack
– Rainbow tables
Distribution of Password Types
Password Storage
Plaintext Concealed
Biometrics: Something You Are
Problems with Biometrics
• Intrusive
• Expensive
• Single point of failure
• Sampling error
• False readings
• Speed
• Forgery
Tokens: Something You Have
Federated Identity Management
Single Sign-On
Access Control
Access Policies
• Goals:
– Check every access
– Enforce least privilege
– Verify acceptable usage
             Stream                    Block
Advantages   Speed of transformation   High diffusion
             Low error propagation     Immunity to insertion of symbol
• computational security
– given limited computing resources (eg time
needed for calculations is greater than age of
universe), the cipher cannot be broken
Brute Force Search
• always possible to simply try every key
• most basic attack, proportional to key size
• assume either know / recognise plaintext
Key Size (bits)               Number of Alternative Keys   Time required at 1 decryption/µs     Time required at 10^6 decryptions/µs
32                            2^32 = 4.3 × 10^9            2^31 µs = 35.8 minutes               2.15 milliseconds
128                           2^128 = 3.4 × 10^38          2^127 µs = 5.4 × 10^24 years         5.4 × 10^18 years
168                           2^168 = 3.7 × 10^50          2^167 µs = 5.9 × 10^36 years         5.9 × 10^30 years
26 characters (permutation)   26! = 4 × 10^26              2 × 10^26 µs = 6.4 × 10^12 years     6.4 × 10^6 years
Classical Substitution Ciphers
• where letters of plaintext are replaced by
other letters or by numbers or symbols
• example:
meet me after the toga party
PHHW PH DIWHU WKH WRJD SDUWB
Caesar Cipher
• can define transformation as:
a b c d e f g h i j k l m n o p q r s t u v w x y z
D E F G H I J K L M N O P Q R S T U V W X Y Z A B C
Plain: abcdefghijklmnopqrstuvwxyz
Cipher: DKVQFIBJWPESCXHTMYAUOLRGZN
Plaintext: ifwewishtoreplaceletters
Ciphertext: WIRFRWAJUHYFTSDVFSFUUFYA
Monoalphabetic Cipher Security
• now have a total of 26! = 4 x 10^26 keys.
• with so many keys, might think is secure.
• but would be !!!WRONG!!!.
• problem is language characteristics.
Language Redundancy and Cryptanalysis
– If both the letters are in the same column, take the letter
below each one (going back to the top if at the bottom)
T U O R I
A L S B C
D E F G H
K M N P Q
V W X Y Z
‘H’ and ‘I’ are in same column, hence take letter below them to replace. HI → QC
• If both letters are in the same row, take the letter to the right
of each one (going back to the left if at the farthest right)
T U O R I
A L S B C
D E F G H
K M N P Q
V W X Y Z
‘D’ and ‘E’ are in same row, hence take letter to the right of them to replace. DE → EF
• If neither of the preceding two rules is true, form
a rectangle with the two letters and take the
letters on the horizontal opposite corner of the
rectangle.
• Using these rules, the result of the encryption of
‘hide money’ with the key of ‘tutorials’ would be −
• QC EF NU MF ZV
• Decrypting the Playfair cipher is as simple as doing
the same process in reverse. Receiver has the same
key and can create the same key table, and then
decrypt any messages made using that key.
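The Playfair rules above in code, covering both the 'tutorials' encryption here and the earlier 'CHARLES' decryption exercise. This is an added example, not from the slides; it assumes I and J share a cell, X separates a doubled letter, and the letter that pads an odd-length message is a parameter, because the two worked answers on the slides pad with different letters.

```python
import string


def key_table(key):
    """Return the 5x5 table as a list of 25 letters, row by row."""
    table = []
    for ch in (key + string.ascii_uppercase).upper():
        if ch not in string.ascii_uppercase:
            continue
        ch = "I" if ch == "J" else ch        # I and J share one cell
        if ch not in table:
            table.append(ch)
    return table


def _letters(text):
    return ["I" if c == "J" else c for c in text.upper() if c in string.ascii_uppercase]


def _digrams(plaintext, filler="X", pad="X"):
    letters, pairs, i = _letters(plaintext), [], 0
    while i < len(letters):
        a = letters[i]
        if i + 1 == len(letters):
            pairs.append((a, pad))           # odd length: pad the last letter
            i += 1
        elif letters[i + 1] == a:
            pairs.append((a, filler))        # doubled letter: split with filler
            i += 1
        else:
            pairs.append((a, letters[i + 1]))
            i += 2
    return pairs


def _transform(pairs, key, step):
    table = key_table(key)
    pos = {ch: divmod(i, 5) for i, ch in enumerate(table)}
    out = []
    for a, b in pairs:
        (ra, ca), (rb, cb) = pos[a], pos[b]
        if ra == rb:                          # same row: move along the row
            out += [table[ra * 5 + (ca + step) % 5], table[rb * 5 + (cb + step) % 5]]
        elif ca == cb:                        # same column: move along the column
            out += [table[((ra + step) % 5) * 5 + ca], table[((rb + step) % 5) * 5 + cb]]
        else:                                 # rectangle: keep row, swap columns
            out += [table[ra * 5 + cb], table[rb * 5 + ca]]
    return "".join(out)


def encrypt(plaintext, key, pad="X"):
    return _transform(_digrams(plaintext, pad=pad), key, +1)   # right / below


def decrypt(ciphertext, key):
    letters = _letters(ciphertext)
    if len(letters) % 2:
        raise ValueError("Playfair ciphertext must have an even number of letters")
    pairs = list(zip(letters[0::2], letters[1::2]))
    return _transform(pairs, key, -1)                           # left / above


if __name__ == "__main__":
    print(encrypt("hide money", "tutorials", pad="Z"))
    print(decrypt("PRSBHADGDCBCAZRZVPAMBW", "CHARLES"))
```

The decrypted text still contains the inserted X letters (LX LY, SX); the receiver removes them by reading the result.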
Security of Playfair Cipher
• security much improved over monoalphabetic.
• since have 26 x 26 = 676 digrams
• would need a 676 entry frequency table to analyse
(versus 26 for a monoalphabetic)
• and correspondingly more ciphertext
a b c d e f g h i j k l m n o p q r s t u v w x y z
0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25
Vigenere Cipher
O W A R E Y
O U a b c d
B A C K I N
Product Ciphers
• ciphers using substitutions or transpositions are not
secure because of language characteristics
• hence consider using several ciphers in succession to
make harder, but:
– two substitutions make a more complex substitution
– two transpositions make more complex transposition
– but a substitution followed by a transposition makes a new
much harder cipher
• this is bridge from classical to modern ciphers
Rotor Machines
• before modern ciphers, rotor machines were most
common complex ciphers in use
• widely used in WW2
– German Enigma, Allied Hagelin, Japanese Purple
• implemented a very complex, varying substitution
cipher
• used a series of cylinders, each giving one
substitution, which rotated and changed after each
letter was encrypted
• with 3 cylinders have 26^3 = 17576 alphabets
Hagelin Rotor Machine
Steganography
• an alternative to encryption
• hides existence of message
– using only a subset of letters/words in a longer
message marked in some way
– using invisible ink
– hiding in LSB in graphic image or sound file
• has drawbacks
– high overhead to hide relatively few info bits
Summary
• have considered:
– classical cipher techniques and terminology
– monoalphabetic substitution ciphers
– cryptanalysis using letter frequencies
– Playfair cipher
– polyalphabetic ciphers
– transposition ciphers
– product ciphers and rotor machines
– steganography
Malicious Code
• Malicious code is software that performs unauthorized functions
causing the normal operation of an information system to be
abnormal.
• According to SPECTRIA InfoSec Services, malicious code is defined as
“software which interferes with the normal operation of a computer
system” or “software, which executes without the express consent of
the user.”
• The most sophisticated types of threats to computer systems are
presented by malicious codes that exploit vulnerabilities in computer
systems.
Malicious Code
• Any code which modifies or destroys data, steals data, allows
unauthorized access, exploits or damages a system, and does
something that the user did not intend to do, is called malicious code.
• There are several types of malicious code such as viruses, worms,
Trojan horses, logic bombs, trapdoors/backdoors and programming
flaws.
• Back door
Back door is another name for a trap door. Back doors provide immediate access to a
system by bypassing the authentication and security protocols it employs. Attackers
can use back doors to bypass security controls and gain control of a system
without time-consuming hacking.
Malicious Code
• Logic Bombs
A logic bomb is code embedded in some legitimate program that
executes when certain predefined events occur.
This code is surreptitiously inserted into an application or operating
system and causes it to perform some destructive or security-compromising
activity whenever specified conditions are met.
A bomb may send a note to an attacker when a user is logged on to
the Internet and is using a specific program such as a word
processor; this message informs the attacker that the user is ready for
an attack.
1. Attacker implants logic bomb
2. Victim reports installation
3. Attacker sends attack message
4. Victim does as logic bomb installation
Notice that this bomb does not actually begin the attack but tells the attacker
that the victim has met the state needed for an attack to begin.
Malicious Code
• Trojan Horses
A malicious, security-breaking program that is disguised as
something benign, such as a directory lister, archiver, game, or a
program to find and destroy viruses.
A Trojan horse is a useful, or apparently useful, program or command
procedure containing hidden code that, when invoked, performs some
unwanted or harmful function.
Trojan horses can be used to accomplish functions indirectly that an
unauthorized user could not accomplish directly.
For example, to gain access to the files of another user on a shared
system, a user could create a Trojan horse program that, when
executed, changes the invoking user’s file permissions so that the files
are readable by any user.
The program appears to be performing a useful function but it may
also be quietly deleting the victim’s files.
Malicious Code
• Zombie
A zombie is a program that secretly takes over another Internet-attached
computer and then uses that computer to launch attacks
that are difficult to trace to the zombie’s creator.
Zombies are used in denial-of-service attacks, typically against
targeted web sites.
The zombie is planted on hundreds of computers belonging to
unsuspecting third parties and then used to overwhelm the target
website by launching an overwhelming onslaught of Internet traffic.
Malicious Code
• Viruses
A cracker program that searches out other programs and 'infects'
them by embedding a copy of itself in them so that they become
Trojan horses.
When these programs are executed, the embedded virus is executed
too, thus propagating the 'infection'. This normally happens invisibly
to the user.
Unlike a worm, a virus cannot infect other computers without
assistance.
It is propagated by vectors such as humans trading programs with
their friends. The virus may do nothing but propagate itself and then
allow the program to run normally.
Usually, however, after propagating silently for a while, it starts doing
things like writing cute messages on the terminal or playing strange
tricks with the display.
Many nasty viruses, written by particularly perversely minded
crackers, do irreversible damage, like nuking the entire user’s files...
During its lifetime a typical virus goes through the following four phases:
1- Dormant phase: The virus is idle. The virus will eventually be activated by
some event, such as a date, the presence of another program or file, or the
capacity of the disk exceeding some limit. Not all viruses have this stage.
2- Propagation phase: The virus places an identical copy of itself into other
programs or into certain system areas on the disk. Each infected program will
now contain a clone of the virus, which will itself enter a propagation phase.
3- Triggering phase: The virus is activated to perform the function for which
it was intended. As with the dormant phase, the triggering phase can be
caused by a variety of system events, including a count of the number of
times that this copy of the virus has made copies of itself.
4- Execution phase: The function is performed. The function may be
harmless, such as a message on the screen, or damaging, such as the
destruction of programs and data files.
• Virus Anatomy,
Virus structure has four parts:
1. Mark can prevent re-infection attempts.
2. Infection Mechanism causes spread to
other files.
3. Trigger is the set of conditions for delivering the payload.
4. Payload is the possible damage to the infected
computer.
• Program File Viruses
• Memory – resident virus
lodges in main memory as part of a resident system program. From that
point on, virus infects every program that executes.
• Polymorphic virus
creates copies during replication that are functionally equivalent but have
distinctly different bit patterns.
In this case the “signature” of the virus will vary with each copy. To achieve
this variation, the virus may randomly insert superfluous instructions or
interchange the order of independent in-generally called a mutation
engine, creates a random encryption key to encrypt the remainder of the
virus. The key is stored with the virus, and the mutation engine itself is
altered.
When an infected program is invoked, the virus uses the stored random
key to decrypt the virus. When the virus replicates, a different random key
is selected.
• Boot Sector Virus
Boot sector viruses infect the system area of the disk that is read when the
disk is initially accessed or booted. This area can include the master boot
record, the operating system’s boot sector or both.
A virus infecting these areas typically takes the system instructions it finds
and moves them to some other area on the disk. The virus is then free to
place its own code in the boot record.
When the system initializes, the virus loads into memory and simply points
to the new location for the system instructions. The system then boots in a
normal fashion except the virus is now resident in memory.
A boot sector virus can replicate without your executing any programs
from an infected disk. Simply accessing the disk is sufficient.
• Stealth Virus
A form of virus explicitly designed to hide itself from detection by antivirus
software.
When the virus is loaded into memory, it monitors system calls to files and
disk sectors. When a call is trapped, the virus modifies the information
returned to the process making the call so that it sees the original
uninfected information. This aids the virus in avoiding detection.
For example, many boot sector viruses contain stealth ability. If the infected
disk is booted, programs such as FDISK report a normal boot record. The
virus is intercepting sector calls from FDISK and returning the original boot
sector information.
If you boot the system from a clean floppy disk however, the drive is
inaccessible. If you run FDISK again, the program reports a corrupted boot
sector on the drive.
• Macro Virus
A macro virus is a set of macro commands, specific to an application, which
automatically executes in an unsolicited manner and spreads to that application’s
documents.
According to the national computer security agency (www.ncsa.com), macro
viruses now make up two-thirds of all computer viruses.
Macro viruses are particularly threatening for a number of reasons:
1- A macro virus is platform independent. Virtually all of the macro viruses infect
Microsoft Word documents. Any hardware platform and operating system that
supports Word can be infected.
2- Macro viruses infect documents, not executable portions of code. Most of the
information introduced on to a computer system is in the form of a document
rather than a program.
3- Macro viruses are easily spread. A very common method is by electronic mail.
• Email Virus
A more recent development in malicious software is the e-mail virus.
The first rapidly spreading e-mail viruses, such as Melissa, made use
of a Microsoft Word macro embedded in an attachment.
If the recipient opens the e-mail attachment, the Word macro is
activated. Then:
1- The e-mail virus sends itself to everyone on the mailing list in the
user’s e-mail package
2- The virus does local damage
• Worms
A program that propagates itself over a network, reproducing itself as
it goes.
A worm is also self-replicating, but it is a stand-alone program that exploits
security holes to compromise other computers and spread copies of
itself through the network.
Unlike viruses, worms do not need to parasitically attach to other
programs.
Because of the recursive structure of this propagation, the spread
rate of worms is very fast and poses a big threat on the Internet
infrastructure as a whole.
Worms Anatomy
Countermeasures for Users
User Vigilance
• The easiest control against malicious code is hygiene: not engaging in
behavior that permits malicious code contamination.
• The two components of hygiene are avoiding points of contamination
and blocking avenues of vulnerability.
To avoid contamination,
Use only commercial software acquired from reliable, well-established
vendors.
Test all new software on an isolated computer.
Open attachments—and other potentially infected data files—only when
you know them to be safe.
Install software—and other potentially infected executable code files—
only when you really, really know them to be safe.
Recognize that any website can be potentially harmful.
Make a recoverable system image and store it safely.
Make and retain backup copies of executable system files.
For blocking system vulnerabilities,
As new vulnerabilities become known we should apply patches.
Zero-day attacks are especially problematic, because a vulnerability
presumably unknown to the software writers is now being exploited.
Systems run many different software products from different vendors, but
a vendor’s patch cannot and does not consider possible interactions with
other software.
We should apply all patches promptly except when doing so would cause
more harm than good, which of course you seldom know in advance.
Virus Detectors
• Virus scanners are tools that look for signs of malicious code infection.
Most such tools look for a signature or fingerprint, a telltale pattern in
program files/memory. Limitations of detection tools:
1. Detection tools are necessarily retrospective, looking for patterns of
known infections. As new infectious code types are developed, tools
need to be updated frequently with new patterns.
2. Patterns are necessarily static. If malicious code always begins with, or
even contains, the same four instructions, the binary code of those
instructions may be the invariant pattern for which the tool searches.
Because tool writers want to avoid misclassifying good code as malicious,
they seek the longest pattern they can.
Virus Signatures
• A virus cannot be completely invisible. Code must be stored somewhere,
and the code must be in memory to execute.
• The virus executes in a particular way, using certain methods to spread.
Each of these characteristics yields a telltale pattern, called a signature,
that can be found by a program that looks for it.
• The virus’s signature is important for creating a program, called a virus
scanner, that can detect and, in some cases, remove viruses.
• The scanner searches memory and long-term storage, monitoring
execution and watching for the telltale signatures of viruses.
Code Analysis
• To determine what it does, how it propagates and where it originated.
Out-of-Band Communication
• Transferring one fact along a communication path separate from that
of another fact. E.g., bank card PINs are always mailed separately from
the bank card so that if the envelope containing the card is stolen, the
thief cannot use the card without the PIN.
Continuous Authentication
• Encryption can provide continuous authentication, but care must be
taken to set it up properly and guard the end points.
• If two parties carry on an encrypted communication, an interloper
wanting to enter into the communication must break the encryption
or cause it to be reset with a new key exchange between the
interceptor and one end. (This latter technique is known as a session
hijack).
Q1: The SilentBanker man-in-the-browser attack depends on malicious
code that is integrated into the browser. These browser helpers are
essentially unlimited in what they can do.
Suggest a design by which such helpers are more rigorously controlled.
Does your approach limit the usefulness of such helpers?
A1:
If a computer responds to a prompt with a user’s password, software can
direct that computer to save the password and later reuse it or repeat it to
another process, as was the case with the SilentBanker man-in-the-
browser attack.
If authentication involves computing a cryptographic result, the encryption
key has to be placed somewhere during the computing, and it might be
susceptible to copying by another malicious process.
Or on the other end, if software can interfere with the authentication-
checking code to make any value succeed, authentication is compromised.
Thus, vulnerabilities in authentication include not just the authentication
data but also the processes used to implement authentication
Q2: A cryptographic nonce is important for confirming that a party is
active and fully participating in a protocol exchange. One reason
attackers can succeed with many web-page attacks is that it is relatively
easy to craft authentic-looking pages that spoof actual sites.
Suggest a technique by which a user can be assured that a page is both
live and authentic from a particular site. That is, design a mark, data
interchange, or some other device that shows the authenticity of a web
page.
A2:
Before giving any information to a website, you should make sure it is
secure. Below are some quick tips that you can use to tell if a site is
secure.
Check the SSL Certificate. Look at the URL of the website. If it begins
with “https” instead of “http” it means the site is secured using an SSL
Certificate (the s stands for secure). SSL Certificates secure all of your
data as it is passed from your browser to the website’s server.
To get an SSL Certificate, the company must go through a validation
process.
Web Attacks
targeting Users
False or Misleading Content
• Defaced Web Site
Occurs when an attacker replaces or modifies the content of a
legitimate web site.
For example, in January 2010, BBC reported that the web site of
the incoming president of the European Union was defaced to
present a picture of British comic actor Rowan Atkinson (Mr. Bean)
instead of the president.
http://www.google.com/search?q=cross+site+scripting&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:en-US:official&client=firefox-a&lr=lang_en
ent or server.
2. SQL Injection
• Operates by inserting code into an exchange between a client and
database server. E.g., bank application
3. Dot-Dot-Slash
• Enter the dot-dot. In both Unix and Windows, ‘..’ is the directory
indicator for “predecessor.” And ‘../..’ is the grandparent of the current
location.
• So someone who can enter file names can travel back up the
directory tree one .. at a time.
• E.g., passing the following URL causes the server to return the
requested file, autoexec.nt, enabling an attacker to modify or delete
it.
4. Server-Side Include
• Web pages can be organized to invoke a particular function
automatically. For example, many pages use web commands to send
an email message in the “contact us” part of the displayed page.
• One of the server-side include commands is exec, to execute an
arbitrary file on the server.
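For the dot-dot-slash item above, a server-side containment check that decodes the requested name, normalizes it, and refuses anything that resolves outside the document root. This is an added example, not code from the slides; the document root, the function names and the sample requests are constructed for illustration.

```python
import posixpath
from urllib.parse import unquote

WEB_ROOT = "/srv/www/site"   # hypothetical document root (assumption)
MAX_DECODE_ROUNDS = 3        # single and double encoding settle within this


def fully_decode(url_path):
    """Percent-decode until the string stops changing; None if it never settles."""
    current = url_path
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(current)
        if decoded == current:
            return current
        current = decoded
    return None  # still changing: nested encoding, treat as hostile


def resolve_request_path(url_path, web_root=WEB_ROOT):
    """Map a requested path to a file under web_root, or None if it escapes."""
    decoded = fully_decode(url_path)
    if decoded is None or "\x00" in decoded:
        return None
    # Windows accepts both separators, so treat "\" exactly like "/".
    unified = decoded.replace("\\", "/")
    root = posixpath.normpath(web_root)
    # normpath collapses "." and ".." purely as text; the containment test
    # below is what actually decides whether the request is allowed.
    candidate = posixpath.normpath(posixpath.join(root, unified.lstrip("/")))
    if candidate == root or candidate.startswith(root + "/"):
        return candidate
    return None


# Constructed sample requests (not taken from the page).
SAMPLES = [
    "/index.html",
    "/docs/../index.html",              # ".." that stays inside the root
    "/../../winnt/autoexec.nt",         # plain dot-dot-slash
    "/%2e%2e/%2e%2e/autoexec.nt",       # percent-encoded dots
    "/%252e%252e/%252e%252e/autoexec.nt",  # double-encoded dots
    "..\\..\\autoexec.nt",              # backslash separators
    "/../site-private/notes.txt",       # sibling directory sharing a prefix
]


def audit(samples=SAMPLES):
    """Return {request: resolved path or None} for each sample request."""
    return {s: resolve_request_path(s) for s in samples}


if __name__ == "__main__":
    for request, resolved in audit().items():
        print(f"{request!r:45} -> {resolved or 'REJECTED'}")
```

On a real file system, also resolve symbolic links (for example with `os.path.realpath`) before the containment test, since text normalization alone does not see them.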
Website Data: A User’s Problem, Too
• Some website data affect users significantly. Consider one of the most
common data items that web sites maintain: user IDs and passwords.
• Faced with many passwords to remember, users skimp by reusing the
same password on multiple sites. Even that reuse would be of only
minor consequence if websites protected IDs and corresponding
passwords.
• Websites’ ID and password tables are both valuable to attackers and
frequently obtained. Even if it is the website that is attacked, it is the
users who suffer the loss.
Foiling Data Attacks
Single Users
Multitasking
Protected Objects
The rise of multiprogramming meant that several aspects of a
computing system required protection:
memory
sharable I/O devices, such as disks
serially reusable I/O devices, such as printers and tape drives
sharable programs and subprocedures
networks
sharable data
Operating System Design to Protect Objects
• The operating system must protect itself in order to protect its users
and resources.
Advantages of hiding addresses?
Security benefits of Segmentation?
• Virtual Memory - Paging
• Combined Paging with Segmentation
Security in design of OS
• Simplicity of Design
• Layered Design
Layered Trust
Separation: physical, temporal, logical, and cryptographic
Encapsulation: Each layer uses the more central layers as services,
and each layer provides a certain level of functionality to the
layers farther out
Damage control: possible with hierarchical structuring
• Kernelized Design
Security kernel: locus of all security enforcement
Coverage
Separation
Unity
Modifiability
Compactness
• Reference Monitor
• Correctness and Completeness
• Secure Design Principles
least privilege
economy of mechanism
open design
complete mediation
permission based
separation of privilege
least common mechanism
ease of use
• Trusted system
one with evidence to substantiate the claim it implements some
function or policy. To trust any program, we look for certain key
characteristics:
Functional correctness
Enforcement of integrity
Limited privilege
Appropriate confidence level
• Trusted System Functions
Trusted Computing Base (TCB)
Everything necessary for a system to enforce its security policy. It
consists of:
hardware, including processors, memory, registers, a clock, and I/O devices
some notion of processes, so that we can separate and protect security-
critical processes
primitive files, such as the security access control database and
identification and authentication data
protected memory, so that the reference monitor can be protected against
tampering
some interprocess communication
System separated into TCB and non-TCB sections
• TCB Design and Implementation
• Secure Startup
Secure startup ensures no malicious code can block or interfere with
security enforcement.
• Trusted Path
A trusted path precludes interference between a user and the security
enforcement mechanisms of the operating system.
• Object Reuse
Object sanitization ensures no leakage of data if a subject uses a
memory object released by another subject.
• Audit
Trusted systems must also track any security relevant changes, such as
installation of new programs or modification to the operating system.
Rootkit
• Root: most privileged subject (in a Unix system)
• Rootkit: Tool or script that obtains privileges of root
Phone Rootkit
Rootkit Evades Detection
Antivirus tools (and most programs) do not contain code to query the disk,
determine the disk format, identify files and where they are stored, find the file
names and properties from an index table, or structure the results for use and
display.
Instead the tools call builtin functions through an application programming
interface (API) to get this information. What if malicious code intruded on that
sequence of calls?
OS Security Exercise
• If two users share access to a segment, they must do so
by the same name. Must their protection rights to it be
the same? Why or why not?
• No.
a) object name
b) rights-set
c) both object name and rights-set
d) none of the mentioned
• Explain how a fence register is used for relocation of a
user’s program.
• The address in the fence register is the starting address
of the user space. Thus, the user program can be
written relative to address 0. Adding the fence register’s
contents will properly relocate the user’s address
references.
• Give an example of an object whose sensitivity may
change during execution.
• One example is a printer that is used to print both
confidential and non-confidential data.
• Another example is a portion of unused disk space that
would initially have low sensitivity. However, once the
space is assigned to an active file, it would acquire a
different sensitivity value, depending on the sensitivity
of the data in the file.
• Why should the directory of one user not be generally
accessible to other users (not even for read-only
access)?
• The knowledge of the existence of certain objects should
not be available to unauthorized users.
• For example, knowledge that Jones and Smith are
working together on a project (as evidenced by shared
access to many files) might be sensitive.
• Sometimes, testing or development versions of hardware
components or software systems should not be known by
all users.
• List two disadvantages of using physical separation in a
computing system. List two disadvantages of using
temporal separation in a computing system.
• Disadvantages (of both forms of separation):
Inability to share
Inconvenience to users
Record keeping burden
Inefficient resource utilization
TOP Web Security Issues and Solutions
Issue 1: SQL Injections
• Restrict searches for users.
• Don’t allow freeform input by users.
• Validate all data server-side.
• Clearly define who can and can’t access the data.
Issue 2: Cross-Site Scripting (XSS) Attacks
• Validate all client-side inputs.
• Use properly configured firewalls.
• Update your software and anti-malware.
• Use a strong content security policy.
Issue 3: Secure Authentication
• Require use of strong passwords (which should never
be shared).
• Use passwordless authentication.
• Implement stringent session management.
• Set unique session keys.
• Don’t use session IDs in URLs.
• Limit login attempts.
• Don’t open links from unknown sources.
Issue 4: Sensitive data Exposure
The sensitive data you need to protect includes but is not limited to:
Google had 17 data centers in 2014, accounting for 0.01 percent of the
world’s total energy usage.
Microsoft has over a billion users and over 100,000 servers.
Notice and Consent
• Notice of collection and consent to allow collection of data are
foundations of privacy.
Telephone companies record the date, time, duration, source, and
destination of each telephone call.
ISPs track sites visited.
Some sites keep the IP address of each visitor to the site.
The user is not necessarily aware of this third category of data collection and
thus cannot be said to have given informed consent to the collection.
Control and Ownership of Data
• Disseminated data are almost impossible to get back.
• In many instances, you are asked to provide data (with proper notice)
and you consent to do so, explicitly or implicitly. But what happens
when the data are transferred to the requesting person or system?
• Having collected data with your permission, others may keep the data
you give them; you have ceded control (and sometimes ownership,
depending on the law in your region) of that copy of the data to
them.
Privacy Principles and Policies
• Fair Information Practices
• U.S. Privacy Laws
• Controls on U.S. Government Websites
• Controls on Commercial Websites
• Non-U.S. Privacy Principles
• Individual Actions to Protect Privacy
• Governments and Privacy
• Identity Theft
Fair Information Practices
• Collection limitation.
• Data quality.
• Purpose specification.
• Use limitation.
• Security safeguards.
• Openness.
• Individual participation.
• Accountability.
• Conflicting Laws
Different laws in different jurisdictions will inevitably clash.
Individual Actions to Protect Privacy
• Anonymity
For example, a rock star buying a beach house might want to avoid
unwanted attention from neighbors.
• Multiple Identities—Linked or Not
To your bank, you are your account number. To your motor vehicles bureau,
you are your driver’s license number. And to your credit card company, you
are your credit card number.
• Pseudonymity
Multiple identities can also be convenient; similarly, disposable identities
(that you use for a while and then stop using) can be convenient.
Governments and Privacy
• Authentication
• Data Access Risks
• Steps to Protect Against Privacy Loss
Data minimization. Data anonymization. Auditing. Security and controlled
access. Training. Quality. Restricted usage. Data left in place. Policy.
Web merchants are under no obligation to price products the same for all
customers, or the same as other sellers price the same product.
Privacy-Preserving Technology
Encrypting a vote with the public key of the election board could preserve
confidentiality. The difficulty is in ensuring that only authorized people can
vote and that an authorized person can vote only once.
• VoIP and Skype
Cellular telephony and Internet-based phone service have significantly
changed the situation of traditional telephony. Voice over IP (VoIP) is a
protocol for transmission of voice traffic over the Internet.
Major VoIP carriers include Skype, Google Talk, and Vonage.
Privacy can be sacrificed: even if the voice traffic is solidly encrypted,
the source and destination of the phone call will be somewhat exposed
through packet headers.
• Privacy in Cloud
Where the Field Is Headed
• Various privacy rights organizations, such as the Center for Democracy and Technology,
the Electronic Privacy Information Center (EPIC), Privacy.Org, and Privacy International,
and professional computing societies, such as IEEE and ACM, must continue their efforts.
• The Johns Hopkins Information Security Institute, of which Rubin is Technical Director,
has produced several good studies of privacy vulnerabilities.
• Annie Antón of Georgia Institute of Technology has developed tools to analyze privacy
policies.
• Bob Gellman is a well-respected consultant on privacy issues.
• IEEE Security & Privacy magazine has at least one article about privacy in every issue, in
its Privacy Interests department.
CLOUD COMPUTING
INTRODUCTION
What is a Cloud Service?
Risks to consider when choosing cloud Services
Security tools
CLOUD COMPUTING
A model “for enabling convenient, on-demand
network access to a shared pool of configurable
computing resources.”
Consists of networks, servers, storage, applications,
and services that are connected in a loose and easily configurable way.
CHARACTERISTICS
On-demand self-service: If you are a cloud customer,
you can automatically ask for computing resources
(such as server time and network storage) as you
need them.
Broad network access: You can access these services
with a variety of technologies, such as mobile phones,
laptops, desktops, and mainframe computers.
Resource pooling: The cloud provider can put
together a large number of multiple and varied
resources to provide your requested services. This
“multitenant model” permits a single resource (or
collection of resources) to be accessed by multiple
customers, and a particular resource (such as
storage, processing or memory) can be assigned and
reassigned dynamically, according to the customers’
demands.
Rapid elasticity: Services can quickly and
automatically be scaled up or down to meet a
customer’s need. To the customer, the system’s
capabilities appear to be unlimited.
Measured service: Like water, gas, or telephone
service, use of cloud services and resources can be
monitored, controlled, and reported to both provider
and customer.
SERVICE MODELS
SOFTWARE AS A SERVICE (SAAS)
Software as a service (SaaS) is a software distribution model in which a
third-party provider hosts applications and makes them available to
customers over the Internet.
SaaS is closely related to the application service provider (ASP) and on
demand computing software delivery models.
The provider gives customers network-based access to a single copy of an
application that the provider created specifically for SaaS distribution.
The application’s source code is the same for all customers and when new
features or functionalities are rolled out, they are rolled out to all customers.
There are SaaS applications for fundamental business
technologies, such as email, sales management, customer
relationship management (CRM), financial management,
human resource management (HRM), billing and collaboration.
Leading SaaS providers include Salesforce, Oracle, SAP, Intuit
and Microsoft.
ADVANTAGES
removes the need for organizations to install and run
applications on their own computers or in their own data
centres.
eliminates the expense of hardware acquisition, provisioning
and maintenance, as well as software licensing, installation
and support
Flexible payments: Rather than purchasing software to install,
or additional hardware to support it, customers subscribe to a
SaaS offering. Generally, they pay for this service on a
monthly basis using a pay-as-you-go model
ADVANTAGES
Scalable usage: Cloud services like SaaS offer high vertical scalability,
which gives customers the option to access more, or fewer, services or
features on-demand.
Automatic updates: Rather than purchasing new software, customers
can rely on a SaaS provider to automatically perform updates and
patch management. This further reduces the burden on in-house IT staff.
Accessibility and persistence: Since SaaS applications are delivered over
the Internet, users can access them from any Internet-enabled device and
location.
DISADVANTAGES
Businesses must rely on outside vendors to provide the
software, keep that software up and running, track and report
accurate billing and facilitate a secure environment for the
business' data.
Providers that experience service disruptions, impose
unwanted changes to service offerings, experience a security
breach or any other issue can have a profound effect on the
customers' ability to use those SaaS offerings.
PLATFORM AS A SERVICE
cloud computing model in which a third-party provider delivers
hardware and software tools over the Internet.
A PaaS provider hosts the hardware and software on its own
infrastructure.
does not typically replace a business's entire IT infrastructure
a business relies on PaaS providers for key services, such as
application hosting or Java development.
Users can focus on creating and running applications rather
than constructing and maintaining the underlying
infrastructure and services.
ADVANTAGES
The principal benefit of PaaS is simplicity and convenience for users -- the
PaaS provider supplies much of the infrastructure and other IT services,
which users can access anywhere via a web browser.
providers then charge for that access on a per-use basis -- a model that
many enterprises prefer, as it eliminates the capital expenses they
traditionally have for on-premises hardware and software. Some PaaS
providers charge a flat monthly fee to access their service, as well as the
apps hosted within it.
DISADVANTAGES
Service availability or resilience can be a concern with PaaS.
If the provider experiences a service outage or other infrastructure disruption,
this can adversely affect customers and result in costly lapses of
productivity.
Since users cannot easily migrate many of the services and much of the
data produced through one PaaS product to another competing product,
evaluation of business risk is involved.
Internal changes to a PaaS product: if a PaaS provider stops supporting a
certain programming language or opts to use a different set of
development tools, the impact on users can be difficult and disruptive.
E.g.: Google App Engine (supports distributed web applications using Java,
Python, PHP and Go), Heroku PaaS, etc.
INFRASTRUCTURE AS A SERVICE (IAAS)
Infrastructure as a service (IaaS) is a service model that
delivers computer infrastructure on an outsourced basis to
support enterprise operations. Typically, IaaS provides
hardware, storage, servers and data center space or network
components
Infrastructure as a service (IaaS) is also known as hardware as
a service (HaaS).
IaaS provider provides policy-based services and is responsible
for housing, operating and maintaining the equipment it
provides for a client. Clients usually pay on a per-use or utility
computing basis.
CHARACTERISTICS OF IAAS
Automated administrative tasks
Dynamic scaling
Platform virtualization
Internet connectivity
ADVANTAGES
it is often easier, faster and more cost-efficient to operate a
workload without having to buy, manage and support the
underlying infrastructure.
a business can simply rent or lease that infrastructure from
another business.
effective model for workloads that are temporary,
experimental or that change unexpectedly.
If a business is developing a new software product, it might be
more cost-effective to host and test the application using an
IaaS provider.
DISADVANTAGES
Cloud billing is extremely granular, and it is broken out to reflect the
precise usage of services.
Users can experience sticker shock -- finding costs to be higher than
expected -- when reviewing the bills for every resource and service
involved in an application deployment.
Insight is another common problem for IaaS users. Because IaaS providers
own the infrastructure, the details of their infrastructure configuration and
performance are rarely transparent to IaaS users.
service resilience, availability and performance is highly dependent on the
provider.
E.g.: Amazon EC2, Windows Azure, Rackspace, Google Compute Engine
Cloud Computing and Security
Cloud Computing Concepts, Moving to the Cloud, Cloud
Security Tools and Techniques, Cloud Identity Management,
Securing IaaS
Cloud Computing Concepts
• On-demand self-service.
• Broad network access.
• Resource pooling.
• Rapid elasticity.
• Measured service.
Service Models
Deployment Models
• Cloud computing implies export of processor, storage, applications,
or other resources. Sharing resources increases security risk.
• Private cloud has infrastructure that is operated exclusively by and for
the organization that owns it, but cloud management may be
contracted out to a third party.
• Community cloud is shared by several organizations and is usually
intended to accomplish a shared goal.
• Public cloud, available to the general public, is owned by an
organization that sells cloud services.
Moving to the Cloud
• Risk Analysis
Moving to a cloud model entails risks that must be accounted for.
• Cloud Provider Assessment
Cloud providers vary widely in terms of how much information they divulge about
security architecture.
Larger providers are likely to divulge more detail than smaller ones, and IaaS providers
are likely to divulge more detail than PaaS or SaaS providers.
Large providers generally have more funding and staff available to address such
issues. IaaS services are so complex and customizable that customers need to know
how the services are architected, in order to understand how to configure them.
• Switching Cloud Providers
1. When you delete a file in the cloud, the file system deallocates it—
that is, forgets it exists—but the file stays on a hard drive
somewhere until it is overwritten.
2. IaaS providers use logical access controls to make sure that users
cannot sniff one another’s network traffic within the IaaS
environment.
Host Access
a) Security
b) Availability
c) Large Network Access
d) All of the mentioned
4. Which of the following is the application of cloud computing?
a) Adobe
b) Paypal
c) Google G Suite
d) All of the above
5. Which of the following is an example of the cloud?
a) Parallel computing
b) Soft computing
c) Distributed computing
d) Cloud computing
7. Which of the following is an example of a PaaS cloud service?
a) Heroku
b) AWS Elastic Beanstalk
c) Windows Azure
d) All of the above
8. Which of the following is an example of an IaaS Cloud service?
a) DigitalOcean
b) Linode
c) Rackspace
d) All of the above
9. Which of the following is the correct statement about cloud
computing?
a) Web-application frameworks
b) Service-oriented architecture
c) Standardized Web services
d) All of the mentioned
11. Which of the following is the correct statement?
a) cloud
b) real
c) virtual
d) none of the mentioned
15. Which of the following is the Cloud Platform provided by Amazon?
a) AWS
b) Cloudera
c) Azure
d) All of the mentioned
16. SaaS providers manage and secure all the following except:
a) Infrastructure
b) OS
c) Application stack
d) Access controls
17. In which environment do admins have the most control over cloud
app security?
a) SaaS
b) PaaS
c) IaaS
• Are access control and authentication necessary in the cloud?
Yes, both access control and authentication control are necessary, with
a proper password policy, two-factor authentication, and Identity Access
Management controls.
• How will you make sure data stored in the cloud is secured?
• Routing
• Ports
Threats to Network Communications
1. interception, or unauthorized viewing
2. modification, or unauthorized change
3. fabrication, or unauthorized creation
4. interruption, or preventing authorized access
Interception: Eavesdropping and Wiretapping
• Wiretapping is the name given to data interception, often covert and
unauthorized. Encryption is the strongest and most commonly used
countermeasure against interception.
• What Makes a Network Vulnerable to Interception?
Anonymity: An attacker can mount an attack from thousands of miles
away and never come into direct contact with the system, its
administrators, or users. The potential attacker is thus safe behind an
electronic shield.
• Many Points of Attack: Sharing, System Complexity, Unknown Perimeter,
Unknown path
Modification, Fabrication: Data Corruption
• Network data corruption occurs naturally because of minor failures of
transmission media. Corruption can also be induced for malicious
purposes. Both must be controlled.
1. Sequencing Attack
2. Substitution Attack
3. Insertion Attack
4. Replay Attack
5. Physical Replay Attack
6. Modification Attacks in General
Interruption: Loss of Service
Network design incorporates redundancy to counter hardware failures.
• Routing
Routing supports efficient resource use and quality of service. Misused, it can
cause denial of service.
• Excessive Demand
Denial-of-service attacks usually try to flood a victim with excessive demand.
• Component Failure
Being hardware devices, components fail; these failures tend to be sporadic,
individual, unpredictable, and nonmalicious.
Port Scanning
• A port scan maps the topology, hardware and software components
of a network segment.
• Port Scanning Tools (Nmap scanner, netcat, Nessus, CyberCop
Scanner, Secure Scanner, and Internet Scanner)
• Port Scanning Results (next slide)
Nmap Scanner Output
Wireless Network Security
• WiFi Background
Wireless traffic uses a section of the radio spectrum, so the signals are available to anyone with
an effective antenna within range.
Wireless Communication
Wireless (and also wired) data communications are implemented through an orderly set of
exchanges called a protocol. 802.11 Protocol Suite:
1. Describe how devices communicate in the 2.4 GHz radio signal band (essentially 2.4 GHz–2.5
GHz) allotted to WiFi.
2. The band is divided into 14 channels or subranges within the band; these channels overlap to
avoid interference with nearby devices.
3. WiFi devices are designed to use only a few channels, often channels 1, 6, and 11. Wireless
signals can travel up to 100 meters although the quality of the signal diminishes with distance.
• WiFi Access Range
• WiFi Frames
Each WiFi data unit is called a frame. Each frame contains three fields: MAC
header, payload, and FCS (frame check sequence).
• Management Frames
They control the establishment and handling of a series of data flows.
Management Frames Types
1. Beacon. Each access point periodically sends a beacon frame to
announce its presence and relay information, such as timestamp,
identifier, and other parameters regarding the access point.
2. Authentication. A NIC initiates a request to interact with an access
point by sending its identity in an authentication frame.
3. Association request and response. Following authentication, a NIC
requests an access point to establish a session, meaning that the
NIC and access point exchange information about their capabilities
and agree on parameters of their interaction.
• Wireless attacks
Unauthorized WiFi Access
WiFi Protocol Weaknesses
Picking Up the Beacon
SSID in All Frames
• Authentication in Wireless Networks
Access points can manage lists of MAC addresses of devices with which
they will accept connections. Thus, authentication in step 2 could be
accomplished by accepting only devices on the positive accept list.
• Changeable MAC Addresses
An operating system can send any address as if it were the MAC
address of a NIC. Changing the NIC’s MAC address not only undermines
MAC-based authentication on an access point, it can lead to a larger
attack called MAC spoofing, in which one device impersonates another,
thereby assuming another device’s communication session.
• Stealing the Association
• Preferred Associations
Failed Countermeasure: WEP (Wired Equivalent Privacy)
WEP Security Weaknesses
Weak Encryption Key
Static Key
Weak Encryption Process
Weak Encryption Algorithm
Initialization Vector Collisions
Faulty Integrity Check
No Authentication
Bottom Line: WEP Security Is Unacceptable
Stronger Protocol Suite: WPA (WiFi Protected Access)
• Strengths
1. Non-Static Encryption Key
2. Authentication
3. Strong Encryption
4. Integrity Protection
5. Session Initiation
• Attacks on WPA
Man-in-the-Middle, Incomplete Authentication, Exhaustive Key Search
Internet Control Message Protocol (ICMP)
Overview
[Figure labels: Routing (RIP, OSPF, BGP, PIM); IP payload]
ICMP message format
bit #   0-7     8-15    16-31
        Type    Code    Checksum
        additional information or 0x00000000
4-byte header:
• Type (1 byte): type of ICMP message
• Code (1 byte): subtype of ICMP message
• Checksum (2 bytes): similar to IP header checksum.
Checksum is calculated over entire ICMP message
If there is no additional data, there are 4 bytes set to zero.
Each ICMP message is at least 8 bytes long.
ICMP Query message
ICMP Request
ICMP Reply
ICMP query:
• Request sent by host to a router or host
• Reply sent back to querying host
Example of ICMP Queries
Type/Code: Description
10/0: Router Solicitation
9/0: Router Advertisement
The ping command uses Echo Request/Echo Reply.
Example of a Query: Echo Request and Reply
[Figure: ICMP ECHO REQUEST and ICMP ECHO REPLY exchanged between a host or router and another host or router]
Example of a Query: ICMP Timestamp
• A system (host or router) asks another system for the current time.
• Time is measured in milliseconds
[Figure labels: Sender; Timestamp Request; Receiver]
ICMP Error message
[Figure labels: IP datagram; IP datagram is discarded; ICMP Error Message]
ICMP Error message
[Figure labels: ICMP Message; Unused (0x00000000)]
Frequent ICMP Error message
Some subtypes of the “Destination Unreachable”
Example: ICMP Port Unreachable
• RFC 792: If, in the destination host, the IP module cannot deliver the datagram because the indicated protocol module or process port is not
active, the destination host may send a destination unreachable message to the source host.
• Scenario:
[Figure: Client requests a service at port 80; no process is waiting at port 80 on the Server; Port Unreachable]
IP Packet
• Version - A 4-bit field that identifies the IP version being used. The current
version is 4, and this version is referred to as IPv4.
• Length - A 4-bit field containing the length of the IP header in 32-bit
increments. The minimum length of an IP header is 20 bytes, or five 32-bit
increments. The maximum length of an IP header is 24 bytes, or six 32-bit
increments. Therefore, the header length field should contain either 5 or 6.
• Type of Service (ToS) - The 8-bit ToS uses 3 bits for IP Precedence, 4 bits for
ToS with the last bit not being used. The 4-bit ToS field, although defined,
has never been used.
• IP Precedence - A 3-bit field used to identify the level of service a packet
receives in the network.
• Differentiated Services Code Point (DSCP) - A 6-bit field used to identify
the level of service a packet receives in the network. DSCP is a 3-bit
expansion of IP precedence with the elimination of the ToS bits.
• Total Length - Specifies the length of the IP packet that includes the IP
header and the user data. The length field is 2 bytes, so the maximum size
of an IP packet is 2^16 – 1 or 65,535 bytes.
• Identifier, Flags, and Fragment Offset - As an IP packet moves through the
Internet, it might need to cross a route that cannot handle the size of the
packet. The packet will be divided, or fragmented, into smaller packets
and reassembled later. These fields are used to fragment and reassemble
packets.
• Time to Live (TTL) - It is possible for an IP packet to roam aimlessly
around the Internet. If there is a routing problem or a routing loop, then
you don't want packets to be forwarded forever. A routing loop is when a
packet is continually routed through the same routers over and over. The
TTL field is initially set to a number and decremented by every router
that is passed through. When TTL reaches 0 the packet is discarded.
• Protocol - In the layered protocol model, the layer that determines which
application the data is from or which application the data is for is
indicated using the Protocol field. This field does not identify the
application, but identifies a protocol that sits above the IP layer that is
used for application identification.
• Header Checksum - A value calculated based on the contents of the IP
header. Used to determine if any errors have been introduced during
transmission.
• Source IP Address - 32-bit IP address of the sender.
• Destination IP Address - 32-bit IP address of the intended recipient.
• Options and Padding - A field that varies in length from 0 to a multiple
of 32-bits. If the option values are not a multiple of 32-bits, 0s are
added or padded to ensure this field contains a multiple of 32 bits.
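The IP header fields listed above and the ICMP message format described earlier can be checked together on one packet. The following added example (not from the slides) parses a constructed IPv4 packet carrying an ICMP Echo Request and verifies both checksums; the function names, the sample bytes and the 192.0.2.x addresses are assumptions made for illustration.

```python
import ipaddress
import struct

# ICMP type numbers: 9 and 10 appear on the page, the others are the
# standard values for the messages the page names.
ICMP_NAMES = {
    0: "Echo Reply", 3: "Destination Unreachable", 8: "Echo Request",
    9: "Router Advertisement", 10: "Router Solicitation",
    13: "Timestamp Request", 14: "Timestamp Reply",
}


def internet_checksum(data):
    """16-bit one's-complement checksum used by both the IP header and ICMP."""
    if len(data) % 2:
        data += b"\x00"                     # pad odd-length input
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def parse_ipv4(packet):
    """Decode the fixed IPv4 header fields and check the header checksum."""
    if len(packet) < 20:
        raise ValueError("shorter than the minimum 20-byte IP header")
    (ver_ihl, tos, total_len, ident, flags_frag, ttl, proto,
     checksum, src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    version, ihl = ver_ihl >> 4, ver_ihl & 0x0F
    header_len = ihl * 4                    # Length field counts 32-bit words
    if version != 4:
        raise ValueError("not an IPv4 packet")
    if ihl < 5 or header_len > len(packet):
        raise ValueError("bad header length")
    if total_len < header_len or total_len > len(packet):
        raise ValueError("Total Length disagrees with captured bytes")
    return {
        "header_len": header_len, "precedence": tos >> 5, "dscp": tos >> 2,
        "total_len": total_len, "id": ident,
        "more_fragments": bool(flags_frag & 0x2000),
        "frag_offset": flags_frag & 0x1FFF,
        "ttl": ttl, "protocol": proto,
        "src": str(ipaddress.IPv4Address(src)),
        "dst": str(ipaddress.IPv4Address(dst)),
        # A valid header sums to zero when its own checksum is included.
        "checksum_ok": internet_checksum(packet[:header_len]) == 0,
        "payload": packet[header_len:total_len],
    }


def parse_icmp(message):
    """Decode the 4-byte ICMP header; the checksum covers the whole message."""
    if len(message) < 8:
        raise ValueError("ICMP message shorter than 8 bytes")
    icmp_type, code, checksum, rest = struct.unpack("!BBH4s", message[:8])
    return {
        "type": icmp_type, "code": code,
        "name": ICMP_NAMES.get(icmp_type, "unknown"),
        "rest": rest,                       # additional information or zeros
        "checksum_ok": internet_checksum(message) == 0,
    }


def inspect(packet):
    """Parse the IP header and, for an unfragmented ICMP packet, the ICMP part."""
    ip = parse_ipv4(packet)
    icmp = None
    unfragmented = ip["frag_offset"] == 0 and not ip["more_fragments"]
    if ip["protocol"] == 1 and unfragmented:    # protocol number 1 is ICMP
        icmp = parse_icmp(ip["payload"])
    return {"ip": ip, "icmp": icmp}


# Constructed sample: 20-byte IPv4 header (TTL 64, protocol 1) followed by
# an 8-byte ICMP Echo Request with identifier 1 and sequence number 1.
SAMPLE_PACKET = bytes.fromhex(
    "4500001c000100004001f6dc" "c0000201c0000202"   # IPv4 header
    "0800f7fd00010001"                              # ICMP message
)

if __name__ == "__main__":
    print(inspect(SAMPLE_PACKET))
```

Changing a byte of the ICMP message leaves the IP header checksum valid but breaks the ICMP checksum, because the IP checksum covers only the header while the ICMP checksum covers the entire ICMP message.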
Network Security
• Blocked Access
An attacker may simply prevent a service from functioning. The attacker could exploit a software
vulnerability in an application and cause the application to crash. Or the attacker could
interfere with the network routing mechanisms, preventing access requests from getting
to the server.
• Access Failure
Hardware and software fail from time to time; of course, it always seems that such
nonmalicious failures occur only at critical times. Software stops working due to a flaw,
or a hardware device wears out or inexplicably stops.
Flooding Attacks in Detail
Insufficient Resources
Insufficient Capacity
• IP Fragmentation: Teardrop
Denial of Service by Addressing Failures
• DNS Spoofing
• Rerouting Routing
[Figures: Router Advertises Its Subnet; Router Advertises Its Own Subnet and Its Neighbor’s;
Router Propagates Routing Information; More Complex Router Connectivity Diagram]
• Router Takes Over a Network
Routers communicate available paths by the BGP (Border Gateway Protocol),
which is complex, so attacks against it are sophisticated but certainly feasible.
Details such as timing and sequence numbers must be captured and used
correctly.
A successful attacker, however, can redirect, read, copy, modify, or delete all
traffic of the network under attack.
• Traffic Redirection
DNS Attacks
1. Name Server Application Software Flaws
By overtaking a name server or causing it to cache spurious entries, an
attacker can redirect the routing of any traffic, with an obvious implication
for denial of service.
2. Top-Level Domain Attacks
In a 2002 attack, a massive flood of traffic inundated the Internet’s top-level
domain DNS servers (.com, .edu, .fr, .uk, .org, or .biz). In 2005, attackers used
a flaw in a Symantec firewall to allow a change in the DNS records used on
Windows machines.
3. DNS Cache Poisoning
In cache poisoning an incorrect name-to-address DNS conversion is placed in
and remains in a translation cache.
4. Session Hijack
IP Header
TCP Header
TCP Session Hijack
Exploiting Known Vulnerabilities
Hacker tools often begin with a known vulnerability, sometimes a well-known
one for which a patch has long been available. A zero-day exploit
is one in which exploitation occurs before the vulnerability is publicly
known and hence before a patch is available.
Physical Disconnection
A network consists of appliances, connectors, and transmission media,
any of which can fail. A broken cable, faulty circuit board, or
malfunctioning switch or router can cause a denial of service just as
harmful as a hacker attack.
1. Transmission Failure
2. Component Failure
Distributed Denial-of-Service
Distributed denial-of-service attacks change the balance between
adversary and victim by marshalling many forces on the attack side.
• Scripted Denial-of-Service Attacks
Compromised zombies to augment an attack are located by scanning
random computers for unpatched vulnerabilities.
• Bots and Botnets
• Botnet Command and Control Update
Design of Firewalls
Policy
Trust
OSI Reference Model
Types of Firewalls
1. Packet Filtering Gateway
A packet filter can block access from (or to) addresses in one network; for
example, the filter allows HTTP traffic but blocks traffic that uses the Telnet protocol.
Packet filters operate at OSI level 3.
2. Stateful Inspection Firewall
Maintains state information from one packet to another in the input stream.
3. Application Proxy
An application proxy gateway (also called a bastion host) is a two-headed
device: From inside, the gateway appears to be the outside (destination)
connection, while to outsiders the proxy host responds just as the insider
would.
4. Circuit-Level Gateway
A circuit is a logical connection that is maintained for a period of time, then
torn down or disconnected. The firewall verifies the circuit when it is first
created. After the circuit has been verified, subsequent data transferred over
the circuit are not checked.
5. Guard
The guard determines what services to perform on the user’s behalf in
accordance with its available information, such as whatever it can reliably
ascertain of the (outside) user’s identity, previous interactions, and so
forth.
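The difference between the packet filter and the stateful inspection firewall in the list above shows up as soon as reply traffic has to be let back in. This Python sketch is an added example, not from the slides or the book; the internal network 10.0.0.0/24, the rule set and the simplified teardown on reset are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass

INSIDE = ipaddress.ip_network("10.0.0.0/24")    # assumed protected network
HTTP, TELNET = 80, 23

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = "A"        # TCP flags as letters: S=SYN, A=ACK, R=RST

def from_inside(p: Packet) -> bool:
    return ipaddress.ip_address(p.src) in INSIDE

def packet_filter(p: Packet) -> bool:
    """Stateless rules: every packet is judged alone, on addresses and ports."""
    if TELNET in (p.sport, p.dport):
        return False                            # Telnet is blocked both ways
    if from_inside(p):
        return p.dport == HTTP                  # inside hosts may browse
    # Replies from web servers must get back in, so the rule can only say
    # "inbound with source port 80"; it cannot tell a reply from an
    # unsolicited packet that merely claims that source port.
    return p.sport == HTTP and ipaddress.ip_address(p.dst) in INSIDE

class StatefulFirewall:
    """Same policy, plus a table of connections opened from the inside."""

    def __init__(self):
        # Entries: (inside_ip, inside_port, outside_ip, outside_port)
        self.connections = set()

    def allow(self, p: Packet) -> bool:
        if not packet_filter(p):
            return False
        if from_inside(p):
            key = (p.src, p.sport, p.dst, p.dport)
            if p.flags == "S":
                self.connections.add(key)       # new outbound connection
            elif key not in self.connections:
                return False                    # mid-stream packet, no SYN seen
        else:
            key = (p.dst, p.dport, p.src, p.sport)
            if key not in self.connections:
                return False                    # unsolicited inbound packet
        if "R" in p.flags:
            self.connections.discard(key)       # simplified teardown on reset
        return True

if __name__ == "__main__":
    fw = StatefulFirewall()
    trace = [   # constructed sample traffic
        Packet("10.0.0.5", 40000, "203.0.113.10", 80, "S"),
        Packet("203.0.113.10", 80, "10.0.0.5", 40000, "SA"),
        Packet("198.51.100.7", 80, "10.0.0.9", 445, "A"),
    ]
    for pkt in trace:
        print(pkt, "filter:", packet_filter(pkt), "stateful:", fw.allow(pkt))
```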
Screening Router
Firewall on separate LAN
Application Proxy
Demilitarized Zone
What Firewalls Can—and Cannot—Block
• Firewalls can protect an environment only if the firewalls control the
entire perimeter. They do not protect data outside the perimeter.
• Firewalls are the most visible part of an installation to the outside, so
they are the most attractive target for attack.
• Firewalls must be correctly configured, and that configuration must be
updated as the internal and external environment changes.
• Firewalls are targets for penetrators.
• Firewalls exercise only minor control over the content admitted to the
inside.
Network Address Translation (NAT)
Data Loss Prevention (DLP)
• A set of technologies designed to detect and possibly prevent
attempts to send data where it is not allowed to go.
• Typical data of concern are classified documents, proprietary
information, and private personal information (e.g., social security
numbers, credit card numbers).
• DLP can be implemented in a number of ways: agent-based systems and
network-based solutions; other solutions may be application-specific.
• DLP solutions will generally look for a variety of indicators: keywords,
traffic patterns, and encoding/encryption.
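A network-based DLP check for the indicators listed above can be sketched in a few functions. This Python code is an added example, not from the slides or the book; the keyword list, thresholds and indicator names are assumptions, and it covers the keyword and encoding/encryption indicators plus the two kinds of personal data named above, not traffic patterns.

```python
import math
import re
from collections import Counter

KEYWORDS = ("confidential", "proprietary", "top secret")   # assumed policy list
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")          # 13 to 19 digits
BASE64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")        # long encoded run

def plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject number ranges that are never issued, to cut false positives."""
    return (area not in ("000", "666") and area[0] != "9"
            and group != "00" and serial != "0000")

def luhn_ok(digits: str) -> bool:
    """Luhn check: separates real card numbers from random digit strings."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:              # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; close to 8 for encrypted data."""
    counts, n = Counter(data), len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def scan(payload: bytes) -> list:
    """Return indicator names only; the matched values are never echoed."""
    text = payload.decode("utf-8", errors="replace")
    lowered = text.lower()
    findings = [f"keyword:{k}" for k in KEYWORDS if k in lowered]
    if any(plausible_ssn(*m.groups()) for m in SSN_RE.finditer(text)):
        findings.append("ssn")
    if any(luhn_ok(re.sub(r"\D", "", m.group()))
           for m in CARD_RE.finditer(text)):
        findings.append("card-number")
    if BASE64_RE.search(text):
        findings.append("encoded:base64-run")
    if len(payload) >= 256 and entropy(payload) >= 7.5:
        findings.append("high-entropy")
    return findings

if __name__ == "__main__":
    # Constructed sample message; the numbers are well-known test values.
    msg = b"Q3 report (CONFIDENTIAL): card 4111 1111 1111 1111, SSN 123-45-6789"
    print(scan(msg))
```

The Luhn and issued-range checks matter in practice: without them, any order number or phone list with enough digits raises an alert.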
Intrusion Detection and Prevention Systems
An intrusion detection system (IDS) is a device, typically another separate
computer, that monitors activity to identify malicious or suspicious events.
An IDS is a sensor, like a smoke detector, that raises an alarm if specific
things occur.
Types of IDSs
• Signature-based intrusion detection systems perform simple pattern-
matching and report situations that match a pattern (signature)
corresponding to a known attack type. Signature-based IDSs are limited to
known patterns.
1. Ping and echo commands require the IDS to inspect the individual
packets to determine packet type.
2. Malformed packets require the IDS to detect an error in the general
structure of the packet.
3. Fragmentation requires the IDS to recognize over time that the
separate pieces of the data unit cannot be reassembled correctly.
4. Buffer overflow attacks require the IDS to monitor applications.
• An intrusion prevention system (IPS) extends IDS technology with a built-in
protective response. An IPS tries to block or stop harm.
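Item 3 in the list above, recognizing over time that fragments cannot be reassembled correctly, is the check that catches Teardrop-style traffic. This Python sketch is an added example, not from the slides or the book; the class name, alert strings, 30-second timeout and sample fragments are assumptions made for illustration.

```python
MAX_PAYLOAD = 65535 - 20    # largest IP payload, assuming a 20-byte header

class FragmentMonitor:
    """Tracks fragments per datagram and reports ones that cannot reassemble."""

    def __init__(self, timeout: float = 30.0):
        self.timeout = timeout
        self.pending = {}   # key -> {"first_seen", "spans", "total"}

    def observe(self, now, key, frag_offset, more_fragments, payload_len):
        """key = (src, dst, identification, protocol); frag_offset is the
        header field, counted in 8-byte units. Returns a list of alerts."""
        start = frag_offset * 8
        end = start + payload_len
        state = self.pending.setdefault(
            key, {"first_seen": now, "spans": [], "total": None})
        if (start, end) in state["spans"]:
            return []                           # exact retransmission: benign
        alerts = []
        if more_fragments and payload_len % 8:
            alerts.append("malformed: non-final fragment not a multiple of 8 bytes")
        if end > MAX_PAYLOAD:
            alerts.append("oversize: reassembled datagram would exceed 65535 bytes")
        if any(start < e and s < end for s, e in state["spans"]):
            alerts.append("overlap: fragment covers bytes already received")
        state["spans"].append((start, end))
        if not more_fragments:
            state["total"] = end                # final fragment fixes the length
        total = state["total"]
        if total is not None and any(e > total for _, e in state["spans"]):
            alerts.append("inconsistent: data lies beyond the final fragment")
        if not alerts and self.complete(state):
            del self.pending[key]               # reassembles cleanly
        return alerts

    @staticmethod
    def complete(state) -> bool:
        if state["total"] is None:
            return False
        covered = 0
        for s, e in sorted(state["spans"]):
            if s > covered:
                return False                    # gap: still waiting
            covered = max(covered, e)
        return covered >= state["total"]

    def expire(self, now) -> list:
        """Datagrams never completed within the timeout: report and forget."""
        stale = [k for k, st in self.pending.items()
                 if now - st["first_seen"] > self.timeout]
        for k in stale:
            del self.pending[k]
        return stale

if __name__ == "__main__":
    mon = FragmentMonitor()
    key = ("192.0.2.9", "198.51.100.2", 7, 17)  # constructed sample datagram
    print(mon.observe(1.0, key, 0, True, 40))   # bytes 0-39
    print(mon.observe(1.1, key, 3, False, 8))   # bytes 24-31, inside the first
```

The monitor has to keep per-datagram state and a timeout, which is the "over time" cost the slide refers to: a single-packet signature cannot see that two individually valid fragments contradict each other.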
• Intrusion Response
Responding to Alarms
Responses fall into three major categories:
Monitor, collect data, perhaps increase amount of data collected.
Protect, act to reduce exposure.
Signal an alert to other protection components.
Call a human.
Adaptive Behavior
1. Continue to monitor the network.
2. Block the attack by redirecting attack traffic to a monitoring host, discarding the
traffic, or terminating the session.
3. Reconfigure the network by bringing other hosts online (to increase capacity) or
adjusting load balancers.
4. Adjust performance to slow the attack, for example, by dropping some of the
incoming traffic.
5. Deny access to particular network hosts or services.
6. Shut down part of the network.
7. Shut down the entire network.
Counterattack
Offensive action must be taken with great caution for several reasons:
1. The apparent attacker may not be the real attacker. Determining the true
source and sender of Internet traffic is not foolproof. Taking action against
the wrong party only makes things worse.
2. A counterattack can lead to a real-time battle in which both the defenses
and offenses must be implemented with little time to assess the situation.
3. Retaliation in anger is not necessarily well thought out.
4. Legality can shift. Measured, necessary action to protect one’s resources is
a well-established legal principle. Taking offensive action opens one to
legal jeopardy, comparable to that of the attacker.
5. Provoking the attacker can lead to escalation. The attacker can take the
counterattack as a challenge.
Goals for Intrusion Detection Systems
• Filter on packet headers and packet content.
• Maintain connection state.
• Use complex, multipacket signatures.
• Use minimal number of signatures with maximum effect.
• Filter in real time, online.
• Hide its presence.
• Use optimal sliding-time window size to match signatures.
Stealth Mode
Accurate Situation Assessment
Network Management
Management to Ensure Service
Network activity is dynamic, so administrators need to monitor network
performance and adjust characteristics as necessary.
Capacity Planning
Load balancing
Network Tuning
Network Addressing
Shunning
Blacklisting and Sinkholing
Security Information and Event Management (SIEM)
• A Security Operations Center (SOC)
• Data Collection
• SIEM Challenges
1. Cost
2. Data portability
3. Log-source compatibility
4. Deployment complexity
5. Customization
6. Data storage
7. Segregation and access control
8. Full-time maintenance
9. User training
Network Security
Exercise
• Identify sequence number, window length, source port number and
destination port number from the following TCP header in
hexadecimal format:
• What are the factors that affect the performance of the network?
• Security planning
• Incident response and business continuity planning
• Risk analysis
• Handling natural and human-caused disasters
Handling Incidents
• Incident Response Plans
Details how to address security incidents of all types. It should
define what constitutes an incident
identify who is responsible for taking charge of the situation
describe the plan of action
• The plan usually has three phases: advance planning, triage, and
running the incident. A fourth phase, review, is useful after the
situation abates.
Advance Planning
An incident response plan tells whom to contact in the event of an incident,
which may be just an unconfirmed, unusual situation.
Responding
The response team is the set of people charged with responding to the incident.
It may include a director, technician(s), and advisor(s).
To develop policy and identify a response team, consider matters such as
legal issues, preserving evidence, records, and public relations.
After the Incident Is Resolved
Is any security control action to be taken?
Did the incident response plan work?
• Incident Response Teams
Computer security incident response teams (CSIRTs) or computer emergency
response teams (CERTs) are standard at large private and government
organizations, as well as many smaller ones.
Types of CSIRTs:
a full organizational response team
coordination centers
national CSIRTs
sector CSIRTs
vendor CSIRTs
outsourced CSIRT teams
CSIRT Activity: Reporting, Detection, Triage, Response, Post-mortem,
Education
Team Membership
Response teams need a variety of skills, including the ability to
• collect, analyze, and preserve digital forensic evidence
• analyze data to infer trends
• analyze the source, impact, and structure of malicious code
• help manage installations and networks by developing defences
• perform penetration testing and vulnerability analysis
• understand current technologies used in attacks
• Improve awareness
• Relate security mission to management objectives
• Identify assets, vulnerabilities, and controls
• Improve basis for decisions
• Justify expenditures for security
• Human Vandals
Unauthorized Access and Use
Theft
o Preventing Access
o Preventing Portability
o Detecting Theft
• Interception of Sensitive Information
Shredding
Overwriting Magnetic Data
Degaussing
Protecting Against Emanation: Tempest
A solution to preventing emanations is to trap the signals before they can
be picked up.
Enclosing a device in a conductive case, such as copper, diffuses all the
waves by conducting them throughout the case.
• Contingency Planning
Backup
- permits recovery from loss or failure of a computing device.
- Revolving backup and selective backup
Offsite Backup
A backup copy is useless if it is destroyed in the crisis, too. Many major
computing installations rent warehouse space some distance from the
computing system, far enough away that a crisis is not likely to affect
the offsite location at the same time.
• Networked Storage
• Cloud Backup
• Cold Site
• Hot Site
• Physical Security Recap
The primary physical controls are strength and duplication. Strength means
overlapping controls implementing a defense-in-depth approach so that if
one control fails, the next one will protect. Duplication means eliminating
single points of failure. Redundant copies of data protect against harm to
one copy from any cause.
Legal Issues and Ethics
Protecting Programs and Data, Information and the Law, Rights of
Employees and Employers, Redress for Software Failures, Computer
Crime, Ethical Issues in Computer Security, Incident Analysis with Ethics
Protecting programs and data
• Copyrights
• Patents
• Trade secrets
Copyright protects the expression of a creative work and promotes the
exchange of ideas. It applies to a creative work, such as a story,
photograph, or song.
• Information as an Object
1. Information Is Not Depletable
2. Information Can Be Replicated
3. Information Has a Minimal Marginal Cost
4. The Value of Information Is Often Time Dependent
5. Information Is Often Transferred Intangibly
1. Ownership of Products
2. Ownership of a Patent
3. Ownership of a Copyright
4. Work for Hire
5. Licenses
6. Trade Secret Protection
• Employment Contracts
It is a signed agreement between an individual employee and an employer or a labor
union. It establishes both the rights and responsibilities of the two parties: the worker
and the company.
Redress for Software Failures
Security Planning
• Organizations and Security Plans
Plan Maintenance
• Security plans must be revisited periodically to adapt them to changing
conditions.
Security Planning Team Members
A security planning team should represent each of the following
groups.
computer hardware group
system administrators
systems programmers
applications programmers
data entry personnel
physical security personnel
representative users
Assuring Commitment to a Security Plan
• Three groups of people must contribute to making the plan a success.
The planning team must be sensitive to the needs of each group affected
by the plan.
Those affected by the security recommendations must understand what
the plan means for the way they will use the system and perform their
business activities. In particular, they must see how what they do can affect
other users and other systems.
Management must be committed to using and enforcing the security
aspects of the system.
Business Continuity Plan
• It documents how a business will continue to function during or after
a computer security incident. Deals with situations having two
characteristics: catastrophic situations and long duration.
• Steps in business continuity planning are:
Assess the business impact of a crisis
Develop a strategy to control impact
Develop and implement a plan for the strategy
Assess Business Impact
• To assess the impact of a failure on your business, ask two key questions:
What are the essential assets? What are the things that if lost will
prevent the business from doing business?
What could disrupt use of these assets? For example, they might be
destroyed by a fire or zapped in an electrical storm.
Develop Strategy
• The continuity strategy investigates how the key assets can be
safeguarded. Business continuity planning forces a company to set
base priorities.
• IoT device developers, managers and healthcare providers must ensure that
they adequately secure data collected by IoT devices.
• Much of the data collected by medical devices qualifies as protected health
information under HIPAA and similar regulations. As a result, IoT devices
could be used as gateways for stealing sensitive data if not properly secured.
• Security Issues: Unauthorized access, Distributed denial of service (DDoS),
Device hijack, Disclosure of Personal Health Information (PHI), Privacy
violations.
• Best Security Practices for Embedded Healthcare: Network segmentation,
AI-driven security systems, IoT aggregation hubs, Inventory tracking systems,
Hardware protection, Data encryption, Authentication
Economics
• Cybersecurity planning includes deciding how to allocate scarce
resources for investing in security controls.
• Making a business case:
A description of the problem or need to be addressed
A list of possible solutions
A list of constraints on solving the problem
A list of underlying assumptions
An analysis of the risks, costs, and benefits of each alternative
A summary of why the proposed investment is a good idea
Influences on Cybersecurity Investment
Quantifying Security
• Technology adds more steps to the process and thus increases the possibility of error with
each additional step, all of which are largely unseen by the voter. Put Murphy’s Law of
‘whatever can go wrong, will go wrong’ into play, and one can surmise that technology will
most likely falter. The voters can also commit mistakes due to confusion with the user
interface.
• There is also a higher possibility of fraudulent machines and practices. First of all,
the technology is “black box software,” meaning that the public is not allowed access into
the software that controls the voting machines. It would be simple for the company to
manipulate the software to produce fraudulent results. Also, the vendors who market the
machines are in competition with each other, and there is no guarantee that they are
producing the machines in the best interest of the voters and the accuracy of the ballots.
• Lastly, vote accuracy is also an issue, because voters have no way of confirming their vote,
and there is also no way of conducting a recount with direct-recording electronic (DRE)
voting. With DRE, there is no paper trail, no verification, and thus no scrutiny of the
processes. Voter anonymity is also a problem.
Cyber Warfare
• Open questions:
When is an attack on cyber infrastructure considered an act of warfare?
Is cyberspace different enough to be considered a separate domain for
war, or is it much like any other domain (e.g., land, sea, or air)?
What are the different ways of thinking about cyber war offense and
defense?
What are the benefits and risks of strategic cyber warfare and tactical
cyber warfare?
Critical Issues
• Open questions:
When Is It Warfare?
How Likely Is It?
What Are Appropriate Reactions to Cyber War?
Other Policy, Ethical, and Legal Issues
Does a “Kill Switch” Make Sense?
Do Existing National Compacts Apply to Cyber Warfare?
Does Release of Defensive Information Help the Attackers?
Is Cyber Warfare Only a Military Problem?
Possible Examples of Cyber Warfare
• Estonia
• Beginning in April 2007, the websites of a variety of Estonian government departments were shut down
by multiple DDoS attacks immediately after a political altercation with Russia.
• Iran
• The Stuxnet worm attacked a particular model of computer used for many production control systems,
and all the infections could be traced back to domains within Iran linked to industrial processing.
• Israel and Syria
• Missiles fired in 2007 by Israeli planes did not show up on Syrian radar screens because software had
replaced live images with fake, benign ones.
• Canada
• In January 2011, the Canadian government revealed that several of its national departments had been
the victims of a cyber attack traced back to servers in China.
• Russia
• According to the New York Times, Russian hackers infiltrated the computers of various national
governments, NATO, and the Ukraine.
Summary
• Vulnerabilities are weaknesses in a system; threats exploit those weaknesses; controls
protect those weaknesses from exploitation.
• Confidentiality, integrity, and availability are the three basic security primitives.
• Different attackers pose different kinds of threats based on their capabilities and motivations.
• Different controls address different threats; controls come in many flavors and can exist at
various points in the system.
• The IoT has resulted in a flood of new devices connecting our private and personal lives to
the Internet but is far from mature from a security and privacy perspective.
• Cybersecurity investment decision making remains challenged by our inability to accurately
measure risk and vulnerability.
• After over a decade of research and practice, electronic voting remains an unsolved research
problem.
• Cyber warfare continues to lack clear definition and presents critical challenges, including
attribution.
Emerging Topics
Sample questions
• What is IoT?
a) IoT devices use the internet for collecting and sharing data
b) IoT devices need microcontrollers
c) IoT devices use wireless technology
d) IoT devices are completely safe
• Which of the following is not an IoT platform?
a) Application layer
b) Network layer
c) Data link layer
d) Transport layer
• What is the full form of IIOT?
a) HTTP
b) UDP
c) Network
d) TCP/IP
• What is the component of an IoT system that executes a program?
a) A sensor
b) A microcontroller
c) An actuator
d) A digital to analog converter
1. Who has devised the EVMs?
2. How can EVMs be used in areas where there is no electricity?
3. What is the maximum number of votes, which can be cast in
EVMs?
4. What is the maximum number of candidates, which EVMs can
cater to?
• What are the most common targets of cyberwarfare
attacks?
• What are the most common kinds of cyberwar attacks and
how do they work?