Data and Computer Communications Ninth Edition by William Stallings Chapter 23 – Computer and Network Security Threats Data and Computer Communications, Ninth Edition by William Stallings, (c) Pearson Education - Prentice Hall, 2011

Page 1: 23 network security threats pkg


Page 2: 23 network security threats pkg

Computer and Network Security Threats

The art of war teaches us to rely not on the likelihood of the enemy’s not coming, but on our own readiness to receive him; not on the chance of his not attacking, but rather on the fact that we have made our position unassailable.

  —The Art of War, Sun Tzu

Page 3: 23 network security threats pkg

Computer Security

Key objectives:

• confidentiality
• integrity
• availability

Page 4: 23 network security threats pkg

Confidentiality

The term covers two related concepts:

• Data confidentiality – assures that private or confidential information is not made available or disclosed to unauthorized individuals

• Privacy – assures that individuals control or influence what information related to them may be collected and stored, and by whom and to whom that information may be disclosed

Page 5: 23 network security threats pkg

Integrity

The term covers two related concepts:

• Data integrity – assures that information and programs are changed only in a specified and authorized manner

• System integrity – assures that a system performs its intended function in an unimpaired manner, free from deliberate or inadvertent unauthorized manipulation of the system

Page 6: 23 network security threats pkg

Availability

Page 7: 23 network security threats pkg

Loss of Security

FIPS PUB 199 identifies the loss of security in each category:

• Confidentiality – unauthorized disclosure of information

• Integrity – unauthorized modification or destruction of information

• Availability – disruption of access to or use of information or an information system

Page 8: 23 network security threats pkg

Additional Security Objectives

Some information security professionals feel that two more objectives need to be added:

Page 9: 23 network security threats pkg

Threats and Attacks

Page 10: 23 network security threats pkg

Computer and Network Assets, with Examples of Threats

Hardware
  Availability: Equipment is stolen or disabled, thus denying service.

Software
  Availability: Programs are deleted, denying access to users.
  Confidentiality: An unauthorized copy of software is made.
  Integrity: A working program is modified, either to cause it to fail during execution or to cause it to do some unintended task.

Data
  Availability: Files are deleted, denying access to users.
  Confidentiality: An unauthorized read of data is performed. An analysis of statistical data reveals underlying data.
  Integrity: Existing files are modified or new files are fabricated.

Communication Lines
  Availability: Messages are destroyed or deleted. Communication lines or networks are rendered unavailable.
  Confidentiality: Messages are read. The traffic pattern of messages is observed.
  Integrity: Messages are modified, delayed, reordered, or duplicated. False messages are fabricated.

Page 11: 23 network security threats pkg

Scope of System Security

Page 12: 23 network security threats pkg

Hardware

• most vulnerable to attack
• least susceptible to automated controls

Threats:

• accidental damage
• intentional damage
• theft

Page 13: 23 network security threats pkg

Software

• includes operating system, utilities and application programs

Key threats:

Page 14: 23 network security threats pkg

Data

Security concerns with respect to data are broad, encompassing:

• availability
• secrecy
• integrity

Major concerns with data have to do with:

Page 15: 23 network security threats pkg

Communication Lines & Networks

Network Security attack classification:

Page 16: 23 network security threats pkg

Active Attacks

Page 17: 23 network security threats pkg

Classes of Intruders

• Masquerader – usually an outsider; penetrates a real user’s account by pretending to be them

• Misfeasor – usually an insider; a legitimate user who accesses unauthorized areas

• Clandestine User – outsider or insider; a user who seizes supervisory control of a system in order to avoid prevention, access and detection controls

Page 18: 23 network security threats pkg

Behavior Patterns of Intruders: Hackers and Criminals

Hackers
• usually high level of competence
• share their findings
• look for targets of opportunity

Criminals
• organized groups of hackers are a common modern threat
• typically young
• usually have specific targets

Page 19: 23 network security threats pkg

Behavior Patterns of Intruders: Insiders

Page 20: 23 network security threats pkg

Intrusion Techniques

Page 21: 23 network security threats pkg

Malicious Software

Page 22: 23 network security threats pkg

Categories of Malicious Software

• parasitic – fragments of programs that cannot exist independently of some actual application program, utility, or system program (viruses, logic bombs, backdoors)

• independent – self-contained programs that can be scheduled and run by the operating system (worms, bots)

Page 23: 23 network security threats pkg

Terminology of Malicious Programs

Virus – Malware that, when executed, tries to replicate itself into other executable code; when it succeeds the code is said to be infected. When the infected code is executed, the virus also executes.

Worm – A computer program that can run independently and can propagate a complete working version of itself onto other hosts on a network.

Logic bomb – A program inserted into software by an intruder. A logic bomb lies dormant until a predefined condition is met; the program then triggers an unauthorized act.

Trojan horse – A computer program that appears to have a useful function, but also has a hidden and potentially malicious function that evades security mechanisms, sometimes by exploiting legitimate authorizations of a system entity that invokes the Trojan horse program.

Backdoor (trapdoor) – Any mechanism that bypasses a normal security check; it may allow unauthorized access to functionality.

Mobile code – Software (e.g., script, macro, or other portable instruction) that can be shipped unchanged to a heterogeneous collection of platforms and execute with identical semantics.

Exploits – Code specific to a single vulnerability or set of vulnerabilities.

Downloaders – Program that installs other items on a machine that is under attack. Usually, a downloader is sent in an e-mail.

Auto-rooter – Malicious hacker tools used to break into new machines remotely.

Kit (virus generator) – Set of tools for generating new viruses automatically.

Spammer programs – Used to send large volumes of unwanted e-mail.

Flooders – Used to attack networked computer systems with a large volume of traffic to carry out a denial-of-service (DoS) attack.

Keyloggers – Captures keystrokes on a compromised system.

Rootkit – Set of hacker tools used after an attacker has broken into a computer system and gained root-level access.

Zombie, bot – Program activated on an infected machine to launch attacks on other machines.

Spyware – Software that collects information from a computer and transmits it to another system.

Adware – Advertising that is integrated into software. It can result in pop-up ads or redirection of a browser to a commercial site.

Page 24: 23 network security threats pkg

Backdoor

• a trapdoor is a secret entry point into a program that can allow unauthorized access to the data

• backdoors are common among the programming community and are used for a variety of maintenance tasks (maintenance hook)

• it is important to not allow backdoors into production environments

Page 25: 23 network security threats pkg

Logic Bomb

• predates viruses and worms

• code embedded in a legitimate program that will “explode” at a given time or when certain conditions are met:
  • presence or absence of certain files
  • particular day of the week or date
  • particular user using the application

Page 26: 23 network security threats pkg

Trojan Horse

program that contains hidden code that, when invoked, causes harm to the system or system infrastructure it was launched from

Page 27: 23 network security threats pkg

Mobile Code

• script, macro, or other portable instruction that can be shipped unchanged to a collection of platforms

• transmitted from a remote system to a local system and then executed on the local system without the user’s explicit instruction

• mechanism for a virus, worm, or Trojan horse

• vulnerabilities such as unauthorized data access

Page 28: 23 network security threats pkg

Multiple Threat Malware

• multipartite – capable of infecting multiple types of files

• blended attack – uses multiple methods of infection or transmission to maximize infection speed

Nimda
• erroneously referred to as simply a worm
• uses a combination of items like email, web servers, web clients, etc. to propagate and infect

Page 29: 23 network security threats pkg

Viruses

• can do anything other programs can do

• attaches itself to a program and executes secretly

• once running it can perform any function allowed by the current user’s rights

Page 30: 23 network security threats pkg

Virus Lifecycle

Page 31: 23 network security threats pkg

Virus Classification

by target

by concealment strategy

Page 32: 23 network security threats pkg

Target

• boot sector infector – infects a master boot record or boot record and spreads when a system is booted from the disk containing the virus

• file infector – infects files that the operating system or shell consider to be executable

• macro virus – infects files with macro code that is interpreted by an application

Page 33: 23 network security threats pkg

Concealment Strategy

Page 34: 23 network security threats pkg

E-Mail Viruses

• a more recent development in malicious software

Melissa
• e-mail virus sends itself to everyone on the mailing list in the user’s e-mail package
• virus does local damage on the user’s system

• another virus appeared that activates by merely opening the e-mail that contains the virus rather than the attachment

Page 35: 23 network security threats pkg

Worms

• self-replicating – usually very quickly
• usually performs some unwanted function
• actively seeks out more machines to infect

Page 36: 23 network security threats pkg

Worm Phases

In the propagation phase the worm will

Page 37: 23 network security threats pkg

Worm Technology

• Multiplatform – variety of platforms
• Multi-Exploit – variety of penetration schemes
• Ultrafast Spreading – accelerated distribution
• Polymorphic – evades set signatures
• Metamorphic – evades anomaly detectors
• Transport Vehicles – used to spread other distributed attack tools
• Zero Day – exploits a yet unknown vulnerability

Page 38: 23 network security threats pkg

Worm Propagation

Page 39: 23 network security threats pkg

Bots (AKA Zombie or Drone)

• secretly takes over an internet-connected computer

• launches attacks from that computer that are hard to trace back to the creator

Botnet – collection of bots that act in a coordinated manner; has 3 characteristics:

• bot functionality
• remote control facility
• spreading mechanism

Page 40: 23 network security threats pkg

Bot Usage

• Distributed Denial of Service Attack
• Spamming
• Sniffing Traffic
• Keylogging
• Spreading of new malware
• Installing Ads (Adware and Spyware)
• Attacking IRC Chat networks
• Manipulation of online polls / games

Page 41: 23 network security threats pkg

Remote Control Facility

• distinguishes a bot from a worm: a worm propagates itself, a bot is controlled from some central facility

• (initially) an IRC server: all bots join a specific channel on this server and treat incoming messages as commands

• control module activates the bots
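The IRC control pattern above gives defenders a concrete signal: many internal hosts joining the same channel on the same external server within a short window. The following detection sketch is an added example, not code from the slides or from Stallings; the log format and the sample records are constructed, and the field order (timestamp, source host, server, IRC command, channel) is an assumption.

```python
"""Added example (not from the slides): flag IRC channels that many internal hosts
join within a short window, the remote control pattern described for bots."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of IRC-session records exported from a network monitor.
# Assumed fields: timestamp  source_host  server:port  command  channel
SAMPLE_LOG = """\
2011-03-01T10:00:01 10.0.0.11 198.51.100.7:6667 JOIN #c2room
2011-03-01T10:00:03 10.0.0.12 198.51.100.7:6667 JOIN #c2room
2011-03-01T10:00:05 10.0.0.13 198.51.100.7:6667 JOIN #c2room
2011-03-01T10:00:09 10.0.0.14 198.51.100.7:6667 JOIN #c2room
2011-03-01T10:02:00 10.0.0.20 192.0.2.5:6667 JOIN #devchat
2011-03-01T10:45:00 10.0.0.21 192.0.2.5:6667 JOIN #devchat
2011-03-01T10:00:20 10.0.0.11 198.51.100.7:6667 PRIVMSG #c2room
"""

def parse_joins(log_text):
    """Yield (time, host, server, channel) for JOIN records; skip other commands."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[3] != "JOIN":
            continue
        ts, host, server, _, channel = parts
        yield datetime.fromisoformat(ts), host, server, channel

def find_suspect_channels(log_text, min_hosts=3, window=timedelta(seconds=60)):
    """Return {(server, channel): sorted hosts} for channels where at least
    min_hosts distinct hosts joined within `window` of one another."""
    joins = defaultdict(list)
    for ts, host, server, channel in parse_joins(log_text):
        joins[(server, channel)].append((ts, host))
    suspects = {}
    for key, events in joins.items():
        events.sort()
        flagged = set()
        start = 0
        # Sliding window over time-ordered joins; count distinct hosts inside it.
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            hosts = {h for _, h in events[start:end + 1]}
            if len(hosts) >= min_hosts:
                flagged |= hosts
        if flagged:
            suspects[key] = sorted(flagged)
    return suspects
```

Two developers joining a legitimate channel 43 minutes apart are not flagged; the four hosts that join `#c2room` within eight seconds are.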

Page 42: 23 network security threats pkg

Constructing the Attack Network

• first step in a botnet attack is for the attacker to infect a number of machines with bot software that will be used to carry out the attack

Essential ingredients:

• software that can carry out the attack
• vulnerability in a large number of systems
• strategy for locating and identifying vulnerable machines (scanning / fingerprinting)

Page 43: 23 network security threats pkg

Summary

• computer security concepts

• threats, attacks, and assets: hardware, software, data

• intruders: hackers, criminals, insiders

• malicious software: Trojan horse, malware, viruses, worms, and bots