Security Through Diversity: MASTER - Advanced Techniques For Information Processing

MASTER - Advanced Techniques for Information Processing

Security Through Diversity

Security through diversity is a calculated and measured response to attacks against the mainstream and is usually used to survive and withstand uniform attacks.

This response involves intentionally making things anywhere from slightly different to completely different, forcing an attacker to alter a standard attack vector, tactics, and methodology. It can also be a matter of survival; having very different environments from everyone else might keep you operational.

1. UBIQUITY

Most modern attacks take advantage of the fact that the majority of personal computers on the Internet are quite nearly in the same state.

Ubiquitous systems are good, cheap, replaceable, and reliable — until mass failure occurs. It certainly pays to know that ubiquity and uniformity are the absolute right choices in the absence of threats.

It is certain that as a given computer system moves away from the densest pool of common systems, an attacker needs to work harder to accommodate the difference, which can reduce the likelihood of compromise.

Businesses with real bricks-and-mortar locations in addition to selling goods and services over the Internet can survive a sustained distributed denial-of-service (DDoS) attack against the Internet-based business, because the bricks-and-mortar transactions can carry the company's survival.

Inversely, businesses with the ubiquitous use of credit cards that require the merchant authorization process can suffer when the point-of-sale system can't process credit cards. That business will simply and routinely have to turn away customers who can only pay by credit card. Yet a business with both a strong Internet and a solid bricks-and-mortar presence can survive an outage through diversity.

Denial of Service (DoS) is a simple and straightforward attack that involves an attacker making enough requests to saturate your network or service to the point at which legitimate business and communications fail. The distributed denial-of-service (DDoS) attack is the same type of attack against a uniform presence in the Internet space, but with many attacking hosts operating in unison against a site or service.

Though the DDoS attack represents the most simplistic and basic attack against an Internet-based institution, it does require an attacker to use enough resources against a given target to achieve bottlenecking or saturation. This represents the immediate and intentional attack, with one or more attackers making a concentrated effort against a target.

2. ATTACKING UBIQUITY WITH ANTIVIRUS TOOLS

Attackers use obfuscation, encryption, and compression to install malicious code such as viruses, worms, and Trojans. These techniques are tactical responses to bypass common antivirus solutions deployed by just about everyone.

The number of permutations possible on a single executable file while retaining functionality is on the order of tens of thousands, and these changes create just enough diversity in each iteration to achieve a successful infection. An attacker needs to mutate an executable only enough to bypass detection by signature-based antivirus tools, the most common antivirus solutions deployed.

3. AUTOMATED NETWORK DEFENSE

Computer systems that transact information at great speed have similar properties to chemical reactions that, once started, are quite difficult or impossible to stop. Though an IPS will trade speed for security, it ultimately tries not to impede the traffic overall and has a default threshold for when to allow traffic unabated. This seems to be a default objective for IPSs — trying to keep out most of the bad things while allowing everything else to traverse without interference, reflecting customer demand.

If an IPS took time to inspect every anomaly to the point where overall traffic performance were degraded, it would be advantageous for an attacker to exploit the heavy inspection process to create a performance issue, up to the point of denying service. This very consideration causes both the default policies on IPSs and IPS customers to acquiesce and allow a percentage of bad traffic as a trade for performance or connectivity in general.

Of all the security diversity solutions available, perhaps having a skilled and adaptable workforce trained in all the fundamental aspects of computer security offers the best solution. The simplistic statement that “the best defense is a good offense” means that security professionals should be able to defend against attacks, understand attacks, and be prepared to perform the forensic analysis and reverse engineering needed to understand them.

Having both an archive of skills and knowledge along with just-in-time knowledge is the true application of diversity in a security situation.

Content Filtering

Content filtering is a powerful tool that, properly deployed, can offer parents, companies, and local, state, and federal governments protection from Internet-based content. It is disparaged as Orwellian and simultaneously embraced as a short-term positive-ROI project, depending on who you are and how it affects your online behavior.

Content filtering is straightforward to deploy, and license costs are so reasonable that it can offer an extremely fast return on investment while providing a very effective risk reduction strategy.

Access to information and applications on the Internet has become a critical and integral part of modern personal and business life, as well as a national pastime for billions of users. With millions of applications and worldwide access to information, email, video, music, instant messaging (IM), Voice over IP (VoIP), and more, the way we conduct business, communicate, shop, and entertain ourselves is evolving rapidly. With all the advancements of increased communications and productivity comes a bad side: a tangle of security risks. The productivity, accessibility, and conveniences of the World Wide Web have also brought us spam, viruses, worms, Trojans, keystroke loggers, relentless joke forwarding, and identity theft.

Accessing the Internet from the office constantly presents new challenges to manage. Some of the negative impacts of doing the wrong thing and going to the “wrong places” include:
● Lost productivity due to nonbusiness-related Internet use
● Higher costs as additional bandwidth is purchased to support legitimate and illegitimate business applications
● Network congestion; valuable bandwidth is being used for nonbusiness purposes, and legitimate business applications suffer
● Loss or exposure of confidential information through chat sites, nonapproved email systems, IM, peer-to-peer file sharing, etc.
● Infection and destruction of corporate information and computing resources due to increased exposure to Web-based threats (viruses, worms, Trojans, spyware, etc.) as employees surf nonbusiness-related Web sites.

1. CONTENT BLOCKING METHODS

There are many ways to block content. Most commercial products use a number of these techniques together to optimize their capability.

a) Banned Word Lists
This method allows the creation of a blacklist dictionary that contains words or phrases. URLs and Web content are compared against the blacklist to block unauthorized Web sites. In the beginning this technology was largely a manual process, with vendors providing blacklists as starting points and requiring customers to manually update/tune the lists by adding or excluding keywords.

b) URL Block
The URL block method is a blacklist containing known bad or unauthorized Web site URLs. Entire URLs can be added to the blacklist, and exemptions can usually be made to allow portions of the Web site through. Many vendors provide URL blacklists with their products to simplify the technology, giving the user the ability to add new sites and perform URL pattern matching. With both banned word lists and URL block lists, a customer must perform manual updates of the vendors' blacklists.
Depending on the frequency of the updates, the blacklists may fall out of compliance with the corporate policy between updates.

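As an added example (not code from the slides or from any vendor's product), the following Python sketch combines the two methods just described: a banned-word dictionary matched against both the URL and the page text, and a URL block list whose entries can carry exempted path prefixes so that portions of a blocked site are still allowed through. The hostnames, words and exemptions are constructed sample values. The word matching deliberately uses whole-word boundaries, because plain substring matching is the source of the classic false positives that make manually tuned lists so much work to maintain.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample blacklists (hypothetical entries, not vendor data).
BANNED_WORDS = ["casino", "free poker", "warez"]

# URL block list: blocked hostname -> path prefixes exempted (allowed through).
URL_BLOCKLIST = {
    "games.example": [],                # block the whole site
    "social.example": ["/business/"],   # block, except the business portal
}

# Whole-word patterns: "casino" must not fire on "casinos", which is the
# classic substring false positive of naive banned-word lists.
_BANNED_PATTERNS = [
    re.compile(r"\b" + re.escape(w) + r"\b", re.IGNORECASE) for w in BANNED_WORDS
]


@dataclass
class Verdict:
    allowed: bool
    reason: str


def _host_matches(host, blocked_host):
    # The blocked host itself or any subdomain of it.
    return host == blocked_host or host.endswith("." + blocked_host)


def check_url(url):
    """URL block method: blacklist lookup on the hostname with path exemptions."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    path = parsed.path or "/"
    for blocked_host, exemptions in URL_BLOCKLIST.items():
        if _host_matches(host, blocked_host):
            for prefix in exemptions:
                if path.startswith(prefix):
                    return Verdict(True, f"exempt path {prefix} on blocked host {blocked_host}")
            return Verdict(False, f"host {blocked_host} is on the URL block list")
    return Verdict(True, "host not on the URL block list")


def check_words(text):
    """Banned word list method: whole-word dictionary match against text."""
    for pattern in _BANNED_PATTERNS:
        hit = pattern.search(text)
        if hit:
            return Verdict(False, f"banned word {hit.group(0)!r} found")
    return Verdict(True, "no banned words found")


def filter_request(url, page_text):
    """Cheap URL lookup first, then scan URL and content against the word list."""
    verdict = check_url(url)
    if not verdict.allowed:
        return verdict
    return check_words(url + " " + page_text)


if __name__ == "__main__":
    # Constructed requests to exercise both methods.
    for url, body in [
        ("http://games.example/play", "Play now"),
        ("https://www.social.example/business/login", "Sign in"),
        ("https://news.example/local", "The casinos were closed for renovation"),
        ("https://news.example/local", "Free poker tournament tonight"),
    ]:
        v = filter_request(url, body)
        print(f"{'ALLOW' if v.allowed else 'BLOCK':5} {url}: {v.reason}")
```

The URL check runs first because it is a cheap table lookup; the word scan only runs on requests that pass it, which is also the order most products apply these two lists.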
c) Category Block
Category blocking is the latest Web content-filtering technology that greatly
simplifies the management process of Web inspection and content filtering.
Category blocking utilizes external services that help keep suspect Web sites
up to date, relying on Web category servers that contain the latest URL ratings
to perform Web filtering. With category blocking devices, there are no manual
lists to install or maintain. Web traffic is inspected against rating databases
installed on the category servers, and the results (good or bad sites) are cached
to increase performance. The advantage is up-to-date Web URL and category
information at all times, eliminating the need to manually manage and update
local blacklists.
d) Bayesian Filters
Particular words and phrases have probabilities of occurring on Web sites. For example, most Web surfers will frequently encounter the “word” XXX on a porn Web site but seldom see it on other Web pages. The filter doesn't know these probabilities in advance and must first be trained so it can build them up. To train the filter, the user or an external “grader” must manually indicate whether a new Web site is an XXX porn site or not. For all words on each page, the filter will adjust the probabilities that each word will appear in porn Web pages versus legitimate Web sites in its database. For instance, Bayesian content filters will typically have learned a very high probability as porn content for the words big breasts and Paris Hilton sex tape but a very low probability for words seen only on legitimate Web sites, such as the names of companies and commercial products.

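The training and scoring loop described above, as an added Python example that is not part of the original slides: a two-class naive Bayes filter that learns per-word probabilities from pages a human grader has labelled, then scores a new page. The training pages are constructed sample text, not real sites, and the add-one smoothing is an assumption of this example (the slides do not say how a given product handles words seen in only one class).

```python
import math
import re
from collections import Counter

_TOKEN = re.compile(r"[a-z0-9]+")


def tokenize(text):
    """Lower-case word tokens; each word counted once per page (presence, not frequency)."""
    return set(_TOKEN.findall(text.lower()))


class BayesianFilter:
    """Two-class naive Bayes page classifier ("blocked" vs "allowed").

    Probabilities are learned from graded pages, not known in advance, and are
    add-one (Laplace) smoothed so a word seen in only one class never drives the
    estimate to exactly 0 or 1.
    """

    LABELS = ("blocked", "allowed")

    def __init__(self):
        self.word_pages = {label: Counter() for label in self.LABELS}
        self.pages = {label: 0 for label in self.LABELS}

    def train(self, page_text, label):
        """A human grader marks the page; per-word page counts for that class are updated."""
        self.pages[label] += 1
        self.word_pages[label].update(tokenize(page_text))

    def word_prob(self, word, label):
        """P(word appears on a page | label), Laplace smoothed."""
        return (self.word_pages[label][word] + 1) / (self.pages[label] + 2)

    def prob_blocked(self, page_text):
        """Posterior probability that the page belongs to the blocked class."""
        total = sum(self.pages.values())
        # Start from the class prior, then add each known word's log likelihood ratio.
        log_odds = (math.log(self.pages["blocked"] / total)
                    - math.log(self.pages["allowed"] / total))
        vocab = set(self.word_pages["blocked"]) | set(self.word_pages["allowed"])
        for word in tokenize(page_text) & vocab:   # never-graded words carry no evidence
            log_odds += (math.log(self.word_prob(word, "blocked"))
                         - math.log(self.word_prob(word, "allowed")))
        return 1.0 / (1.0 + math.exp(-log_odds))

    def classify(self, page_text, threshold=0.5):
        return "blocked" if self.prob_blocked(page_text) >= threshold else "allowed"


def build_demo_filter():
    """Train on a handful of constructed, hand-graded pages (sample data, not real sites)."""
    f = BayesianFilter()
    for text in ["xxx adult videos free xxx",
                 "hot adult xxx gallery",
                 "explicit adult content xxx"]:
        f.train(text, "blocked")
    for text in ["quarterly invoice for product licenses",
                 "company product catalog and pricing",
                 "contact our sales team for licensing"]:
        f.train(text, "allowed")
    return f


if __name__ == "__main__":
    f = build_demo_filter()
    for page in ["xxx adult gallery", "invoice for product licensing", "hello world"]:
        print(f"{page!r}: P(blocked) = {f.prob_blocked(page):.3f} -> {f.classify(page)}")
```

A page made only of words the grader has never seen scores exactly the class prior (0.5 with equal training sets), which is why these filters need ongoing grading: evasion by unfamiliar vocabulary is the subversion the next slide refers to.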
Content filtering is a fast-paced battle of new technologies and the relentless trumping of these systems by subversion and evasion.

Content filtering has three big objectives — accuracy, scalability, and maintainability. Accurate blocking makes it hard to scale and maintain, and easily scalable and maintainable systems are not as accurate. Companies that make content-filtering technology are attempting to make these challenges easier to manage and maintain.

Content filtering is morphing and aggregating with other technologies to address multifaceted threats.

Data Loss Protection

Some of the most challenging issues facing IT professionals today are securing communications and complying with the vast number of data privacy regulations.

Secure communications must protect the organization against spam, viruses, and worms; secure outbound traffic; and guarantee the availability and continuity of the core business systems (such as corporate email, Internet connectivity, and phone systems), all while facing an increasing workload with the same workforce. In addition, many organizations face challenges in meeting compliance goals, making contingency plans for disasters, detecting and/or preventing data misappropriation, and dealing with hacking, both internal and external.

1. PRECURSORS OF DLP

Once IT organizations noticed they were at risk, they immediately started focusing on creating impenetrable moats to surround the “IT castle.” Some common technologies that protect TCP/IP networks from external threats are:
● Firewalls. Inspect network traffic passing through them, and deny or permit passage based on a set of rules.
● Intrusion detection systems (IDSs). Sensors log potentially suspicious activity and allow for the remediation of the issue.
● Intrusion prevention systems (IPSs). React to suspicious activity by automatically resetting the connection or by adjusting the firewall to block network traffic from the suspected malicious source.
● Antivirus protection. Attempts to identify, neutralize, or eliminate malicious software.
● Antispam technology. Attempts to let in “good” emails and keep out “bad” emails.

The next wave of technologies that IT organizations started to address dealt with the “inside man” issue. Some examples of these types of technologies include:
● Web filtering. Can allow/deny content to a user, especially when it is used to restrict material delivered over the Web.
● Proxy servers. Service the requests of their clients by forwarding requests to other servers, and may block entire categories of functionality such as Internet messaging/chat, Web email, and peer-to-peer file sharing programs.
● Audit systems (both manual and automated). Technology that records every packet of data that enters/leaves the organization's network. Can be thought of as a network “VCR.” Automated appliances feature post-event investigative reports. Manual systems might just use open-source packet-capture technologies writing to a disk for a record of network events.
● Computer forensic systems. Computer forensics is a branch of forensic science pertaining to legal evidence found in computers and digital storage media. It adheres to standards of evidence admissible in a court of law. Computer forensics experts investigate data storage devices (such as hard drives, USB drives, CD-ROMs, floppy disks, tape drives, etc.), identifying, preserving, and then analyzing sources of documentary or other digital evidence.
● Data stores for email governance.
● IM- and chat-monitoring services. The adoption of IM across corporate networks outside the control of IT organizations creates risks and liabilities for companies that do not effectively manage and support IM use. Companies implement specialized IM archiving and security products and services to mitigate these risks and provide safe, secure, productive instant-messaging capabilities to their employees.
● Document management systems. A computer system (or set of computer programs) used to track and store electronic documents and/or images of paper documents.

DLP (Data Loss Protection) is an automated system to identify
anything that leaves the organization that could harm the
organization.
DLP applications try to move away from the point or niche
application and give a more holistic approach to coverage,
remediation and reporting of data issues.
One way of evaluating an organization’s level of risk is to look
around in an unbiased fashion. The most benign communication
technologies could be used against the organization and cause
harm.
The way that most DLP applications capture interesting events is
through different kinds of analysis engines. Most support simple
keyword matching. Keywords can be grouped and joined.
Regular expression (RegEx) support is featured in most of
today’s DLP applications. Regular expressions provide a concise
and flexible means for identifying strings of text of interest, such
as particular characters, words, or patterns of characters.
Regular expressions are written in a formal language that can be
interpreted by a regular expression processor, a program that either
serves as a parser generator or examines text and identifies parts
that match the provided specification.
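
The two analysis engines the slide names, keyword matching with grouped (joined) keywords and regular-expression matching, as an added Python example that is not part of the original slides or any DLP product. The rules, the Luhn checksum filter on card-number candidates and the sample messages are constructed for this example; a real deployment would carry far more rules and tune them against its own traffic.

```python
import re
from dataclasses import dataclass

# Keyword groups: each rule is a list of alternative sets and every set must be
# satisfied (an AND of ORs), so "confidential" alone does not fire.
# Constructed sample rules, not a product's policy.
KEYWORD_GROUPS = {
    "confidential-financials": [{"confidential", "restricted"},
                                {"forecast", "revenue", "earnings"}],
}

# Regular-expression rules for structured identifiers (constructed, simplified).
REGEX_RULES = {
    # 13 to 19 digits, optionally separated by single spaces or dashes
    "payment-card": re.compile(r"\b\d(?:[ -]?\d){12,18}\b"),
    "us-ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
}

_WORD = re.compile(r"[a-z]+")


@dataclass
class Finding:
    rule: str
    evidence: str


def luhn_ok(candidate):
    """Luhn checksum; drops most random digit runs that merely look like card numbers."""
    digits = [int(c) for c in candidate if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan(text):
    """Run the keyword-group and regex engines over one outbound message."""
    findings = []
    words = set(_WORD.findall(text.lower()))
    for name, alternatives in KEYWORD_GROUPS.items():
        if all(words & alt for alt in alternatives):
            evidence = " ".join(sorted(words & set().union(*alternatives)))
            findings.append(Finding(name, evidence))
    for name, pattern in REGEX_RULES.items():
        for m in pattern.finditer(text):
            if name == "payment-card" and not luhn_ok(m.group(0)):
                continue        # regex matched but checksum failed: treat as noise
            findings.append(Finding(name, m.group(0)))
    return findings


if __name__ == "__main__":
    # Constructed outbound messages; the card number is the standard 4111... test value.
    for msg in [
        "Attached is the confidential revenue forecast for Q3",
        "Card on file: 4111 1111 1111 1111, exp 12/29",
        "Card typo: 4111 1111 1111 1112",
        "Employee SSN 123-45-6789 on file",
        "Lunch at noon? Call 555-0100",
    ]:
        print(f"{msg!r} -> {[(f.rule, f.evidence) for f in scan(msg)]}")
```

The checksum step is the kind of refinement that separates a usable DLP rule from a noisy one: a bare 16-digit regex fires on order numbers and tracking codes, while the Luhn filter lets nine out of ten of those through silently.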
DLP is an important tool that should at least be evaluated by organizations that are looking to protect their employees, customers, and stakeholders. An effectively implemented DLP application can augment current security safeguards.

A holistic approach will help foster a successful implementation, supported by the DLP vendor, other departments, and ultimately the employees, and should improve the data risk profile of an organization. The main goal is to keep the brand name and reputation of the organization safe and to continue to operate with minimal data security interruptions.