Introduction to Computer Security



  1. Introduction to Computer Security
     John Haggerty
     School of Computing and Mathematical Sciences, Liverpool John Moores University
     J.Haggerty@livjm.ac.uk
     http://www.livjm.ac.uk/cmsjhagg
     Contemporary issues in IT, CB3005p / Lecture 1

  2. Outline of talk
     • Introduction
     • Information and information security
     • Security and the security goals
     • Who is the attacker?
     • Attack costs
     • Computer targets
     • Case study
     • Summary

  3. Computer Security
     “Attempting to redress the imbalance of inherent lack of security within a networked, interactive world”
     “In the faceless transactions of e-commerce not everyone is as trustworthy as we are”

  4. What is information?
     information n. 1. knowledge acquired through experience or study. 2. knowledge of specific and timely events or situations; news. 3. the act of informing or the condition of being informed. 4. a. an office, agency, etc. providing information. b. (as modifier) information service. 5. a charge or complaint made before justices of the peace, usually on oath, to institute summary criminal proceedings. 6. Computers. a. the meaning given to data by the way that it is interpreted. b. another word for data.¹
     ¹ Collins Concise English Dictionary

  5. Information examples
     • A printed sheet containing details of flights
     • Records stored in a database of employees
     • Personal information (such as letters, CVs, etc.) stored on a home computer
     • Information recorded in your computer’s cache memory
     • Data used in message headers to route traffic around the Internet
     • The payload of a malicious packet, e.g. Code Red, Nimda, etc.
     • Implicit information - traffic analysis

  6. Information security – a new thing?
     • The need for information security is thousands of years old – the Caesar Code
     • Rise in computing fed by information requirement
     • 1960s - ARPANET
     • 1970s - Security becomes an issue
     • 1980s – “UNIX OS System Security” (Grampp & Morris, 1984)
     • 1990s – WWW and the Internet, millions online
     • 2000 and beyond – mobile security

  7. Threats
     [Diagram: information flow from A to B, interrupted]
     • Interruption: a system asset becomes lost, unavailable, or unusable, e.g.
       • malicious hardware destruction
       • program erasure
       • data erasure

  8. Threats
     [Diagram: information flow from A to B, intercepted by C]
     • Interception: the means by which an unauthorised party gains access to a system asset
     • The unauthorised party may be a program, a person, or a computer system, e.g.
       • illicit program copying
       • wiretapping

  9. Threats
     [Diagram: information flow from A to B, modified by C]
     • Modification: interception combined with tampering, e.g.
       • changing values in a database
       • altering a program
       • modifying data sent electronically

  10. Threats
     [Diagram: C fabricates a message that appears to flow from A to B]
     • Fabrication: counterfeit objects on a system, e.g.
       • inserting spurious network transactions
       • adding records to a database

  11. Security Threat Trends
     [Diagram: trends plotted against time]
     • Threat
     • Vulnerability
     • Interdependence
     • JIT operation
     • Quasi-standardisation of interfaces
     • Attack capability
     • Interconnectivity
     • People with attack skills
     • Attacker’s processing power

  12. Security
     • Computer security relies on the convergence of a number of fields:
       • Physical security
       • Personal security
       • Operations security
       • Communications security
       • Network security
       • Information security
     • Think holistically!

  13. Security goals
     • Confidentiality: assets can only be accessed by those authorised
     • Integrity: ensure that system assets can only be modified by authorised parties, and only in prescribed ways
     • Availability: ensuring data and services are accessible to legitimate users when needed
     • Goals have been broadened to include: access controls, authentication, authorisation, non-repudiation, accuracy, authenticity, and audit.

  14. Who is the attacker?

  15. Who is the attacker?
     • The “Insider”
     • CSI/FBI survey 2000: 38% cited internal systems as a frequent point of attack
     • BUT….
     • 71% detected unauthorised access by insiders

  16. Who is the attacker?
     • The “Outsider”
     • CSI/FBI survey 2000: 59% cited the Internet as a frequent point of attack
     • AND….
     • 25% detected system penetration from outside
     • 27% detected denial of service

  17. Attack costs
     [Chart: attack costs in $ millions; source: CSI/FBI Survey 1999]

  18. Computer Targets
     [Diagram: threat types by asset]
       Hardware: interruption (denial of service), interception (theft)
       Software: interruption (deletion), interception, modification
       Data: interruption (loss), interception, modification, fabrication
     • Target may be any piece of a computing system
     • Computing system = collection of hardware, software, storage media, data, and people
     • The weakest link

  19. Case study
     Dealing with complexity: a real-life study of a network attack

  20. Case study
     • Network monitoring period of 4 weeks
     • Choice of operating system made to fit in with the network
     • Forced choice of the Intrusion Detection System (IDS) used
     • Limitation of the IDS encountered – required additional software to read logs
     • All reported attackers generating suspicious traffic were recorded

  21. Case study
     • Monitor networks for attacks.
     • BlackICE Defender used.

  22. Case study
     • 1493 attacks recorded against the target computer over the 4 week period:
       • 1084 false positives
       • 409 positives
       • 8 types of attack
       • 20 attackers
     • The IDS identifies Events of Interest (EOI) within the system.
     • 3 issues surround EOIs:
       • Balance false positives and false positives
       • Ensuring EOIs are detected
       • Limits on the ability to detect attacks
     • Positives and false positives were identified.
       • Positive – a malicious event.
       • False positive – recorded as a malicious event by the IDS, but not a malicious event.

  23. Case study

  24. Case study
     • A variety of attacks were reported.
     • HTTP probe and TCP scan were the most common.
     • Attacks reported:
       • UDP probe
       • SNMP probe
       • SNMP discovery broadcast
       • TCP scan
       • TCP probe
       • HTTP probe
       • Telnet probe
       • Suspicious duplicate address

  25. Case study

  26. Case study
     • Many security incidents were not security incidents.
     • Identified need for both the system and the analysts to have an understanding of the system the IDS is protecting.
     • Servers routinely sent traffic that was reported as attacks but was not.
     • For example, server hpov was reported as generating SNMP, UDP port scans and TCP port scans.
     • Problem of SNMP traffic and the IDS on an internal network.
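The tuning problem on this slide, a management server whose routine SNMP and scan-like traffic the IDS reports as attacks, can be reduced by checking each alert against what the named host is expected to do, so that only the unexpected alerts from that host remain positives. The script below is an added example and is not code from the lecture or from BlackICE Defender; the host name hpov and the alert types come from the case study, while the alert record format, the expectation rules and the sample alerts are constructed.

```python
"""Triage IDS alerts against per-host expectations (added example).

A known network-management server (hpov in the case study) legitimately
emits SNMP queries, discovery broadcasts and port sweeps. Alerts of those
types from that host are classed as false positives; every other alert,
including an unexpected type from the same host, stays a positive.
"""
from collections import Counter

# Constructed alert records in the form (source host, alert type), roughly
# as an IDS alert log would present them. Not real captured data.
SAMPLE_ALERTS = [
    ("hpov", "SNMP probe"),
    ("hpov", "UDP probe"),
    ("hpov", "TCP scan"),
    ("hpov", "SNMP discovery broadcast"),
    ("10.0.0.77", "HTTP probe"),
    ("10.0.0.77", "TCP scan"),
    ("192.0.2.15", "Telnet probe"),
    ("hpov", "HTTP probe"),  # not management behaviour: must remain a positive
]

# Hypothetical tuning table: alert types each named host is expected to
# generate as part of its normal job. Only the listed types are suppressed.
EXPECTED_FROM_HOST = {
    "hpov": {
        "SNMP probe",
        "SNMP discovery broadcast",
        "UDP probe",
        "TCP scan",
        "TCP probe",
    },
}


def classify(alert):
    """Return 'false positive' for expected behaviour of a known host, else 'positive'."""
    host, kind = alert
    if kind in EXPECTED_FROM_HOST.get(host, set()):
        return "false positive"
    return "positive"


def triage(alerts):
    """Count positives and false positives and keep the positives for the analyst."""
    counts = Counter(classify(a) for a in alerts)
    events = [a for a in alerts if classify(a) == "positive"]
    return {
        "total": len(alerts),
        "positive": counts["positive"],
        "false positive": counts["false positive"],
        "events": events,
    }


if __name__ == "__main__":
    result = triage(SAMPLE_ALERTS)
    print("%(total)d alerts: %(positive)d positives, %(false positive)d false positives" % result)
    for host, kind in result["events"]:
        print("  positive:", host, kind)
```

The suppression is deliberately keyed on host and alert type together rather than on the host alone: dropping every alert from hpov would also hide the HTTP probe in the sample, which is exactly the kind of unexpected event an analyst needs to see.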

  27. Case study
     • Code Red identified by network signature matching - different from virus detection.
     • Early identification of worm presence seen through network monitoring.
     • A combination of signatures indicates worm infection.
     • 3 key network signatures identified:
       • Traffic increase and HTTP port requests
       • Uniform packet size
       • Randomised ports

  28. Case study
     • Code Red caused a large traffic increase

  29. Case study
     • Uniform packet size
     [Figure: logged packet (highlighted) frame size – CODE RED]
     [Figure: logged packet (highlighted) frame size – NORMAL]

  30. Case study
     • Randomised port attacks
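Slides 27 to 30 describe three network signatures whose combination indicates a Code Red infection: a rise in HTTP port requests, uniform packet size, and randomised ports. The script below turns that combination into a detection rule run over a packet log. It is an added example, not code from the lecture or from BlackICE Defender; the packet record format, the thresholds, the sample traffic and the way each signature is mapped onto a numeric test are all assumptions (in particular, "randomised ports" is read here as a host using many distinct source ports to reach many distinct destinations).

```python
"""Flag hosts whose outbound traffic shows all three Code Red network
signatures from the case study (added example, assumptions throughout):
  1. traffic increase on HTTP (port 80) compared with the host's earlier peak
  2. near-uniform frame size
  3. randomised ports: many distinct source ports and many distinct destinations
"""
from collections import defaultdict
from statistics import mean, pstdev

HTTP_RISE = 5       # HTTP requests in a window must reach this multiple of the host's earlier peak
UNIFORM_CV = 0.05   # coefficient of variation of frame size below this counts as "uniform"
MIN_DISTINCT = 20   # distinct source ports and distinct destinations needed for "randomised"


def make_sample():
    """Constructed packet log: (seconds, src_host, src_port, dst_host, dst_port, frame_bytes)."""
    records = []
    # Ordinary web client: a dozen requests to two servers with varied frame sizes.
    sizes = [312, 488, 1514, 640, 1514, 205, 910, 1514, 377, 1514, 820, 455]
    for i, size in enumerate(sizes):
        records.append((i * 10, "pc-17", 40000 + i, "www-a" if i % 2 else "www-b", 80, size))
    # Infected host from t=70s: one same-size request per second, a fresh
    # source port each time, and a different destination each time.
    for i in range(60):
        records.append((70 + i, "lab-03", 1025 + 37 * i, "203.0.113.%d" % i, 80, 1514))
    return records


def host_stats(window_records):
    """Per-host HTTP counters for the records of one time window."""
    stats = defaultdict(lambda: {"http": 0, "sizes": [], "sports": set(), "dsts": set()})
    for _, src, sport, dst, dport, size in window_records:
        if dport != 80:
            continue
        s = stats[src]
        s["http"] += 1
        s["sizes"].append(size)
        s["sports"].add(sport)
        s["dsts"].add(dst)
    return stats


def matches_all(s, earlier_peak):
    """True only when all three signatures hold for one host in one window."""
    rise = s["http"] >= HTTP_RISE * max(earlier_peak, 1)
    uniform = len(s["sizes"]) > 1 and pstdev(s["sizes"]) / mean(s["sizes"]) < UNIFORM_CV
    randomised = len(s["sports"]) >= MIN_DISTINCT and len(s["dsts"]) >= MIN_DISTINCT
    return rise and uniform and randomised


def detect(records, width=60):
    """Return {host: index of the first window in which all three signatures matched}.

    Records are bucketed into fixed `width`-second windows; the traffic-increase
    test compares a host's HTTP count with its peak count in earlier windows.
    """
    buckets = defaultdict(list)
    for r in records:
        buckets[r[0] // width].append(r)
    flagged = {}
    earlier_peak = defaultdict(int)
    for w in sorted(buckets):
        for host, s in host_stats(buckets[w]).items():
            if host not in flagged and matches_all(s, earlier_peak[host]):
                flagged[host] = w
            earlier_peak[host] = max(earlier_peak[host], s["http"])
    return flagged


if __name__ == "__main__":
    print(detect(make_sample()))  # expected: {'lab-03': 1}
```

Requiring all three tests to hold is what keeps the ordinary client in the sample unflagged: it trips the rise test in its first window (any host with no history does) but its frame sizes vary and it talks to only two servers from a handful of ports.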

  31. Case study
     • Two Code Red infections observed. The second infection caused major network disruption despite lower traffic levels.
     • Traffic sent to the main network firewall. No traffic forwarded, but traffic recorded as suspicious.
     • Firewall hard disks filled due to audit information and caused further network disruptions.
     • Firewall crashed due to 2 possible reasons: the large amount of traffic, or lack of audit information log rotation/deletion.
     • Data grew to fill the hard disks.
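The second failure mode on this slide, audit logs growing until they fill the firewall's disks, is avoided by giving the audit log a hard storage cap so that a flood of suspicious traffic recycles old records instead of exhausting the disk. The script below is an added example and not the lecture's code; it uses Python's standard RotatingFileHandler as the capped log writer, and the audit line format and the size of the simulated flood are constructed.

```python
"""Bounded audit logging (added example): cap the disk used by audit records
so that a traffic flood cannot fill the disk. Uses the standard library's
RotatingFileHandler, which keeps at most `backups` old files of at most
`max_bytes` each plus the live file.
"""
import logging
import logging.handlers
import os
import tempfile


def bounded_audit_logger(path, max_bytes, backups):
    """Create a logger whose on-disk footprint is at most (backups + 1) * max_bytes."""
    logger = logging.getLogger("audit:" + path)
    logger.setLevel(logging.INFO)
    logger.propagate = False  # keep audit lines out of any root handler
    handler = logging.handlers.RotatingFileHandler(path, maxBytes=max_bytes, backupCount=backups)
    handler.setFormatter(logging.Formatter("%(asctime)s %(message)s"))
    logger.addHandler(handler)
    return logger, handler


def simulate_flood(events, max_bytes=4096, backups=3):
    """Write `events` constructed deny records under the cap.

    Returns (file names on disk, total bytes on disk, the configured limit).
    """
    directory = tempfile.mkdtemp()
    path = os.path.join(directory, "firewall-audit.log")
    logger, handler = bounded_audit_logger(path, max_bytes, backups)
    for i in range(events):
        # Constructed audit line; addresses are documentation ranges, not real hosts.
        logger.info("DENY tcp 203.0.113.%d:%d -> 192.0.2.10:80", i % 254, 1024 + i)
    handler.close()
    logger.removeHandler(handler)
    files = sorted(os.listdir(directory))
    total = sum(os.path.getsize(os.path.join(directory, f)) for f in files)
    return files, total, max_bytes * (backups + 1)


if __name__ == "__main__":
    files, total, limit = simulate_flood(5000)
    print("files:", files)
    print("bytes on disk: %d (limit %d)" % (total, limit))
```

The cap trades completeness for availability: during a flood the oldest audit records are discarded, so the sizing of `max_bytes` and `backups` should follow from how much history the analysts need, and the rotation itself should be monitored, since frequent rollover is a signal of the very traffic increase the IDS is meant to notice.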

  32. Case study – lessons learned
     • All sorts of information can be used (both by malicious people and those trying to stop them!)
     • Patches
     • Attack escalation
     • Policies and planning
     • Key targets
     • Firewall configuration
     • Insider threat

  33. Summary
     • Security of corporate computing assets is a sizeable problem
     • There are various targets for an attacker and 4 ways that security can be compromised
     • The goals of security are to ensure confidentiality, integrity and availability
     • The case study demonstrates the complexity of securing systems in a networked environment
     • AND….

  34. FINALLY...
     “There is no such thing as a totally secure system”
     Next week: Protecting the Corporate Network

  35. Further reading
     Haggerty, J., Shi, Q. & Merabti, M. (2002), "The Threat from Within: An Analysis of Attacks on an Internal Network," in Ghonaimy, M. A., El-Hadidi, M. T. & Aslan, H. K. (eds.), Security in the Information Society - Visions and Perspectives, pp. 133-146, Kluwer Academic Press/IFIP.
     Hassler, V. (2001), Security Fundamentals for E-Commerce, Artech House.
     Pfleeger, C.P. & Pfleeger, S. (2002), Security in Computing, 3rd Ed., Prentice-Hall International.
     Power, R. (2001), The 2001 CSI/FBI Computer Crime and Security Survey, vol. 7 no. 1, CSI/FBI.
     Stallings, W. (2002), Network Security Essentials, 2nd Ed., Prentice Hall.
     Whitman, M.E. & Mattord, H.J. (2003), Principles of Information Security, Thomson Course Technology.
