
Understanding Computer Security Systems and Malicious Software

Delve into the realm of computer security systems, exploring topics such as intruders, hackers, intrusion detection, and malicious software like viruses, logic bombs, Trojan horses, and more. Learn about the techniques used by intruders, the motivations behind hacking, common attack methods like password guessing, and the structure of computer viruses. Enhance your knowledge of cybersecurity to better safeguard against potential threats.





Presentation Transcript


  1. Kingdom of Saudi Arabia, Ministry of Education, Umm Al-Qura University, Adham University College, Computer Science Department. Computer Security Systems 6803532-3. T. Mariah Khayat

  2. Main Reference:
  •Network Security Essentials, Fourth Edition, William Stallings.

  3. Chapter Nine: Intruders

  4. Intruders
  A significant issue for networked systems is hostile or unwanted access, either via the network or locally. Can identify classes of intruders:
  •masquerader
  •misfeasor
  •clandestine user
  Intruders have varying levels of competence.

  5. Intruders
  Intruders range from:
  •benign: explore, still costs resources
  •serious: access/modify data, disrupt system
  This led to the development of CERTs. Intruder techniques & behavior patterns are constantly shifting, but have common features.

  6. Examples of Intrusion
  •remote root compromise
  •web server defacement
  •guessing / cracking passwords
  •copying / viewing sensitive data / databases
  •running a packet sniffer
  •distributing pirated software
  •using an unsecured modem to access net
  •impersonating a user to reset password
  •using an unattended workstation

  7. Hackers
  Motivated by thrill of access and status:
  •hacking community a strong meritocracy
  •status is determined by level of competence
  Benign intruders might be tolerable:
  •do consume resources and may slow performance
  •can't know in advance whether benign or malign
  IDS / IPS / VPNs can help counter. Awareness led to establishment of CERTs:
  •collect / disseminate vulnerability info / responses

  8. Hacker Behavior Example
  1. brute force (guess) passwords.
  2. wait for admin to log on and capture password.

  9. Intrusion Techniques
  Aim to gain access and/or increase privileges on a system; often use system / software vulnerabilities. Key goal often is to acquire passwords:
  •so then exercise access rights of owner
  Basic attack methodology:
  •target acquisition and information gathering
  •initial access
  •privilege escalation
  •covering tracks

  10. Password Guessing
  One of the most common attacks. Attacker knows a login (from email/web page etc) then attempts to guess password for it:
  •defaults, short passwords, common word searches
  •user info (variations on names, birthday, phone, common words/interests)
  •exhaustively searching all possible passwords
  Check by login or against stolen password file. Success depends on password chosen by user; surveys show many users choose poorly.

  11. Intrusion Detection
  Inevitably will have security failures, so need also to detect intrusions so can:
  •block if detected quickly
  •act as deterrent
  •collect info to improve security
  Assume intruder will behave differently to a legitimate user:
  •but will have imperfect distinction between them
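As an added example (not part of the slides), the detection side of slides 10 and 11: a small detector that flags the password-guessing pattern in authentication logs, i.e. a burst of failed logins from one source, the set of accounts tried, and whether a success followed the burst. The log lines, host name, addresses and timestamps are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample lines in the style of an SSH auth log (not real data).
SAMPLE_LOG = """\
Mar 10 09:12:01 host sshd[410]: Failed password for root from 203.0.113.7 port 51122 ssh2
Mar 10 09:12:03 host sshd[410]: Failed password for root from 203.0.113.7 port 51123 ssh2
Mar 10 09:12:04 host sshd[411]: Failed password for invalid user admin from 203.0.113.7 port 51124 ssh2
Mar 10 09:12:06 host sshd[412]: Failed password for root from 203.0.113.7 port 51125 ssh2
Mar 10 09:12:08 host sshd[413]: Failed password for invalid user oracle from 203.0.113.7 port 51126 ssh2
Mar 10 09:12:09 host sshd[414]: Accepted password for root from 203.0.113.7 port 51127 ssh2
Mar 10 09:30:00 host sshd[420]: Failed password for alice from 198.51.100.5 port 40001 ssh2
Mar 10 09:30:20 host sshd[421]: Accepted password for alice from 198.51.100.5 port 40002 ssh2
"""

# "invalid user" appears when the account does not exist; it is optional here.
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)

def detect_guessing(log_text, threshold=4):
    """Return {src: (failure_count, sorted accounts tried, user accepted after
    the burst or None)} for every source at or above the failure threshold.
    A legitimate user mistyping once (198.51.100.5) stays below it."""
    failures = defaultdict(int)
    users = defaultdict(set)
    success_after = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        src, user, result = m["src"], m["user"], m["result"]
        if result == "Failed":
            failures[src] += 1
            users[src].add(user)
        elif failures[src] >= threshold:
            # a success right after a burst of failures is the strongest signal
            success_after[src] = user
    return {src: (n, sorted(users[src]), success_after.get(src))
            for src, n in failures.items() if n >= threshold}
```

The "imperfect distinction" of slide 11 shows up as the threshold: lowering it catches slower guessing but also flags the single mistyped password.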

  12. Chapter Ten: Malicious Software

  13. Malicious Software
  "What is the concept of defense: The parrying of a blow. What is its characteristic feature: Awaiting the blow." —On War, Carl von Clausewitz

  14. Viruses and Other Malicious Content
  •computer viruses have got a lot of publicity
  •one of a family of malicious software
  •effects usually obvious
  •have figured in news reports, fiction, movies (often exaggerated)
  •getting more attention than they deserve
  •are a concern though

  15. Malicious Software
  Malicious programs fall into two groups:
  •Need a host program: trapdoors, logic bombs, Trojan horses, viruses
  •Independent: worms, zombies
  Of these, viruses and worms replicate.

  16. Backdoor or Trapdoor
  •secret entry point into a program
  •allows those who know of it access, bypassing usual security procedures
  •have been commonly used by developers
  •a threat when left in production programs, allowing exploitation by attackers
  •very hard to block in O/S
  •requires good s/w development & update

  17. Logic Bomb
  One of oldest types of malicious software: code embedded in a legitimate program, activated when specified conditions are met:
  •eg presence/absence of some file
  •particular date/time
  •particular user
  When triggered typically damages system:
  •modify/delete files/disks, halt machine, etc

  18. Trojan Horse
  Program with hidden side-effects which is usually superficially attractive:
  •eg game, s/w upgrade etc
  When run performs some additional tasks:
  •allows attacker to indirectly gain access they do not have directly
  Often used to propagate a virus/worm or install a backdoor, or simply to destroy data.

  19. Viruses
  Piece of software that infects programs:
  •modifying them to include a copy of the virus
  •so it executes secretly when host program is run
  Specific to operating system and hardware:
  •taking advantage of their details and weaknesses
  A typical virus goes through phases of:
  •dormant
  •propagation
  •triggering
  •execution

  20. Virus Structure
  Components:
  •infection mechanism - enables replication
  •trigger - event that makes payload activate
  •payload - what it does, malicious or benign
  When infected program is invoked, it executes virus code then the original program code. Can block initial infection (difficult) or propagation (with access controls).

  21. Virus Structure (figure)

  22. Compression Virus (figure)

  23. Compression Virus (figure)

  24. Virus Classification
  •boot sector
  •file infector
  •macro virus
  •encrypted virus
  •stealth virus
  •polymorphic virus
  •metamorphic virus

  25. E-Mail Viruses
  More recent development, e.g. Melissa:
  •exploits MS Word macro in attached doc
  •if attachment opened, macro activates
  •sends email to all on user's address list
  •and does local damage
  Then saw versions triggered by reading email, hence much faster propagation.

  26. Virus Countermeasures
  Prevention is the ideal solution but difficult; realistically need:
  •detection
  •identification
  •removal
  If detected but can't identify or remove, must discard and replace infected program.

  27. Worms
  Replicating program that propagates over net:
  •using email, remote exec, remote login
  Has phases like a virus:
  •dormant, propagation, triggering, execution
  •propagation phase: searches for other systems, connects to it, copies self to it and runs
  May disguise itself as a system process. Concept seen in Brunner's "Shockwave Rider"; implemented by Xerox Palo Alto labs in 1980's.

  28. Worm Propagation Model (figure)

  29. Proactive Worm Containment (figure)

  30. Network Based Worm Defense (figure)

  31. Distributed Denial of Service Attacks (DDoS)
  •Distributed Denial of Service (DDoS) attacks form a significant security threat
  •making networked systems unavailable
  •by flooding with useless traffic
  •using large numbers of "zombies"
  •growing sophistication of attacks
  •defense technologies struggling to cope

  32. Distributed Denial of Service Attacks (DDoS) (figure)

  33. DDoS Flood Types (figure)

  34. Constructing an Attack Network
  Must infect large number of zombies; needs:
  1. software to implement the DDoS attack
  2. an unpatched vulnerability on many systems
  3. scanning strategy to find vulnerable systems
  •random, hit-list, topological, local subnet

  35. DDoS Countermeasures
  •three broad lines of defense:
  1. attack prevention & preemption (before)
  2. attack detection & filtering (during)
  3. attack source traceback & identification (after)
  •huge range of attack possibilities
  •hence evolving countermeasures

  36. Summary
  Have considered:
  •various malicious programs
  •trapdoor, logic bomb, trojan horse, zombie
  •viruses
  •worms
  •distributed denial of service attacks

  37. Chapter Eleven: Firewalls

  38. Introduction
  Have seen the evolution of information systems; now everyone wants to be on the Internet and to interconnect networks. This has persistent security concerns:
  •can't easily secure every system in org
  Typically use a Firewall to provide perimeter defence as part of a comprehensive security strategy.

  39. What is a Firewall?
  A choke point of control and monitoring; interconnects networks with differing trust. Imposes restrictions on network services:
  •only authorized traffic is allowed
  Auditing and controlling access:
  •can implement alarms for abnormal behavior
  Provides NAT & usage monitoring; implements VPNs using IPSec. Must be immune to penetration.

  40. What is a Firewall? (figure)

  41. Firewall Limitations
  Cannot protect from attacks bypassing it:
  •eg sneaker net, utility modems, trusted organisations, trusted services (eg SSL/SSH)
  Cannot protect against internal threats:
  •eg disgruntled or colluding employees
  Cannot protect against access via WLAN:
  •if improperly secured against external use
  Cannot protect against malware imported via laptop, PDA, storage infected outside.

  42. Firewalls – Packet Filters
  Simplest, fastest firewall component; foundation of any firewall system. Examine each IP packet (no context) and permit or deny according to rules, hence restrict access to services (ports). Possible default policies:
  •that not expressly permitted is prohibited
  •that not expressly prohibited is permitted

  43. Firewalls – Packet Filters (figure)

  44. Firewalls – Packet Filters (figure)

  45. Attacks on Packet Filters
  IP address spoofing:
  •fake source address to be trusted
  •add filters on router to block
  Source routing attacks:
  •attacker sets a route other than default
  •block source routed packets
  Tiny fragment attacks:
  •split header info over several tiny packets
  •either discard or reassemble before check
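As an added example covering slides 42 and 45 (not code from the slides or from Stallings), a minimal stateless packet filter: rules are matched in order, the first match wins, and an unmatched packet falls to the default policy, so the same ruleset behaves differently under "not expressly permitted is prohibited" and "not expressly prohibited is permitted". It also shows the two router-side checks from slide 45 that such a filter can make without reassembly: a deny rule for packets arriving from outside with an internal source address (spoofing), and a discard of fragments too small to carry, or positioned to overlap, the transport header (tiny fragment attack). The addresses, ruleset and the 20-byte header minimum are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class Packet:
    src: str              # source IP address
    dst: str              # destination IP address
    proto: str            # "tcp" or "udp"
    dport: int            # destination port (only present in fragment 0)
    frag_offset: int = 0  # IP fragment offset in 8-byte units (0 = first fragment)
    payload_len: int = 40 # bytes following the IP header in this fragment

# Rule = (action, src_prefix, dst_prefix, proto, dport); "*" matches anything.
# Constructed ruleset for an outside interface where 10.0.0.0/24 is internal.
RULES = [
    ("deny",   "10.0.0.", "*", "*", "*"),          # internal source from outside: spoofed
    ("permit", "*", "10.0.0.10", "tcp", 25),       # inbound mail to the SMTP server
    ("permit", "*", "10.0.0.20", "tcp", 443),      # inbound HTTPS to the web server
]

MIN_HEADER = 20  # assumed: fragment 0 must carry a full TCP header

def is_tiny_fragment(pkt):
    """Discard a first fragment too short to hold the transport header, and any
    later fragment whose data would overlap that header region; otherwise the
    port fields this filter keys on could be supplied in a fragment it never sees."""
    if pkt.frag_offset == 0:
        return pkt.payload_len < MIN_HEADER
    return pkt.frag_offset * 8 < MIN_HEADER

def prefix_ok(addr, pattern):
    return pattern == "*" or addr.startswith(pattern)

def rule_matches(rule, pkt):
    _, src, dst, proto, dport = rule
    if not (prefix_ok(pkt.src, src) and prefix_ok(pkt.dst, dst)):
        return False
    if pkt.frag_offset > 0:
        # no transport header here: only address-only rules can match a later fragment
        return proto == "*" and dport == "*"
    return proto in ("*", pkt.proto) and dport in ("*", pkt.dport)

def filter_packet(pkt, rules=RULES, default="deny"):
    """First matching rule wins; default="deny" is 'not expressly permitted is prohibited'."""
    if is_tiny_fragment(pkt):
        return "deny"
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule[0]
    return default
```

Note that under default deny a legitimate non-first fragment to the mail server is also dropped, because no port-based rule can match it; this is why slide 45 offers reassembly before checking as the alternative.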

  46. Kingdom of Saudi Arabia, Ministry of Education, Umm Al-Qura University, Adham University College, Computer Science Department. Completed with praise to God and by His grace.

  47. Kingdom of Saudi Arabia, Ministry of Education, Umm Al-Qura University, Adham University College, Computer Science Department. May God bless our Prophet Muhammad. The End. Summary of Chapters: Nine, Ten and Eleven. T. Mariah Khayat, Lecturer, Adham University College, mskhayat@uqu.edu.sa
