5MMSSI - Information Systems Security, 0 - Introduction · 2011-09-21
TRANSCRIPT
5MMSSI - Information Systems Security
0 - Introduction
Fabien Duchene (1)
Karim Hossen (1)
(1) Laboratoire d'Informatique de Grenoble, VASCO team, Grenoble Institute of Technology - Ensimag
2011-2012
Fabien Duchene, Karim Hossen, 5MMSSI-0-Introduction
Outline
- Your lecturers: Fabien Duchene; Karim Hossen
- Pedagogic contract: After that course...; Ethics; What is expected from you?; Resources
- Security?: Why?; What?; Basic definitions
Fabien Duchene
Information Security
- 2011: PhD student, LIG, France
- 2010: Implementer, Pentester, Trainer, Sogeti-ESEC, France
- 2009: Security Engineering Intern, Microsoft, France
Teaching
- 2010-2011: 4MMSR - Network Security, Ensimag, France
- 2011: MS PKI ADCS 2008 R2, Sogeti-ESEC, France
- 2010: Forefront, Microsoft TechDays 2010, Paris, France
http://car-online.fr/en/spaces/fabien duchene/
PGP fingerprint: 8C16 9A97 BD01 19DC BA51 7361 60AC 98E9 E77D 3800
Karim Hossen
Career
- 2011: PhD student, LIG, France
- 2010: *** confidential ***
- 2009: Automatic differentiation, INRIA, TROPICS
Teaching
- 2010-2011: 4MMCAWEB - conceiving web applications, Ensimag
After that course...
You will be able to (non-exhaustive list):
- find and exploit basic vulnerabilities in an application (eg: Android, web, ...)
- cite some legal issues regarding IT security
- perform a risk analysis with methods such as EBIOS or MEHARI
- discuss and manipulate various security topics: identity federation, wireless security, three-factor authentication, role-based access control, encryption, DDoS, HTML5, IPsec...
- perform forensics and reverse engineering on systems
- explain how iOS prevents applications that do not come from the Apple Store from being loaded
- understand new IT security concepts in a large distributed corporate environment
Ethics
If you find a vulnerability in an application/system/network that is NOT yours:
- Do not exploit it (prosecution)
- Report it responsibly
- Be patient and understanding. Patching or correcting a configuration is a matter of risk management
Review the courses
Requirements:
- operating systems (4MMSEPS2 "Systeme d'exploitation et programmation concurrente", operating systems and concurrent programming)
- networks and protocols (3MMRTEL "Introduction aux Reseaux de Communication", introduction to communication networks)
- applied probability (3MMPA1 "Probabilites appliquees")
- assembly software (3MMCEP "Conception et exploitation des processeurs" / "Logiciel de base", processor design and use / low-level software)
What is expected from you?
- BEFORE a lecture (30 min / week):
  - read and understand the slides (prepare questions)
  - read some IT security news
- DURING: actively and efficiently participate
  - take notes (some content is missing in your slide version)
  - ask questions ... but also provide answers!
- AFTER (2H / week):
  - memorize and give oral feedback, both on the very same day as the lecture!
  - exercises
  - practical assessments: 5/20 (1H30 / week) (2 people per group) [1]
- Final examination [2]
  - final challenge: 5/20 [3] (individual mark)
  - written examination: 10/20

[1] Correction: the very next session, by a randomly chosen student group
[2] Documents: only one two-sided A4 page allowed
[3] Knowledge from the practical assessments required
Resources
At Ensimag
- your lecturers
- Ensiwiki: 5MMSSI; SecurIMAG; A career in information security
Several tools / information sources
- Hacktualities
- "MISC", French infosec magazine
- RSS, Twitter (watch out when selecting the feeds you trust...)
- a feed Fabien likes: http://paper.li/corelanc0d3r
Cyberwarfare [4]
- suspected Chinese attack on the Paris G20 files [5]
- 200+ rogue certificates issued by DigiNotar CAs [6] [7]
- Stuxnet targeted Iranian nuclear industrial plants [8] [9]

[4] [Wikipedia 2011a] Cyberwarfare
[5] [BBC 2011] Cyber attack on France targeted Paris G20 files
[6] [F-Secure 2011] DigiNotar Hacked by Black.Spook and Iranian Hackers
[7] [community 2011] Chromium Code Reviews
[8] [Wikipedia 2011b] Stuxnet
[9] [Falliere, O Murchu and Chien (Symantec) 2011] W32.Stuxnet Dossier
Underground economy I [10]
(Figure from [Wired 2011] Crime, organized)

[10] [Wired 2011] Crime, organized
Underground economy II
"Cybercrime is costing more than the drugs trade" [11]
- cybercrime in 2011:
  - worldwide: $114 billion; 431 million victims
  - USA: $32 billion; China: $25 billion
  - France: EUR 1 billion (9 million victims)
- porn:
- botnet: $9.4 million for the Zeus botnet [12]. Such botnets usually combine spam and phishing.

[11] [Symantec 2011] Norton Cybercrime report 2011
[12] [CLUSIF 2011] Panorama de la Cyber-criminalite - Annee 2010
Business survivability I
Threats to business reputation
Business survivability II
- Sony Pictures: LulzSec published usernames and passwords
- Yale University had 43,000 social security numbers stolen
Figure: average number of identities exposed per data breach
Business survivability III
Revenge
- employees: fired ones, those who hate their boss
Legal
- PCI-DSS: electronic transactions [13]
- Sarbanes-Oxley Act [14]: auditor independence
- California law [15]: notify individuals when Personally Identifiable Information is known or believed to have been stolen

[13] [LLC 2010] PCI-DSS v2
[14] [Wikipedia] Sarbanes-Oxley Act
[15] [Senator 2002] California law - amending SB 1386
Hacktivism I [16]
Some actions (2009..2011)
- Wikileaks
- Anonymous [17]:
  - DDoS: PayPal, MasterCard, Twitter, Tunisian government
  - riots
  - information release ("leakflood")
- LulzSec: CIA website DDoS, Sony password leakage (APT + SQLi), Nintendo, X-Factor, pron.com
Hacktivism II [18]
Is this bad?
- militancy, protests
- dangerous in some respects:
  - some actions are considered cybercrime
  - governments fear civil disobedience

[16] [Wikipedia] Hacktivism
[17] [Wikipedia] Anonymous (hacktivist group)
[18] [CLUSIF 2011] Panorama de la Cyber-criminalite - Annee 2010
Security? I
Some security definitions
- "situation in which somebody feels protected from danger" ... relative!
- absolute security does not exist
- "security is a journey, not a destination"
- "The only truly secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards - and even then I have my doubts" [19]
Security? II
Security is not about technologies ONLY. [(Microsoft) 2004] Notions fondamentales de securite
Security? III
The attacker vs defender unevenness
1. The defender has to protect all assets; the attacker is free to choose the weakest one.
2. The defender can only protect what he knows of / is aware of; the attacker can search for any vulnerable asset.
3. The defender has to be constantly vigilant; the attacker can attack at any time.
4. The defender has to respect the rules (esp. the law, budget limits); the attacker can do anything.

[19] [Spafford 1989] Quotable Spaf
The 10 security laws [20]
If a bad guy ...
1. can persuade you to run his program on ...
2. can alter the operating system on ...
3. has unrestricted physical access to ...
4. can upload programs to ...
... your computer/website, it is not yours anymore!
5. Weak passwords trump strong security
6. A computer is only as secure as the administrator is trustworthy
7. Encrypted data is only as secure (if not less) as the decryption key
8. An out-of-date malware scanner is only marginally better than no scanner at all
9. Absolute anonymity isn't practical, in real life or on the Web
10. Technology is not a panacea: ... people and procedures

[20] [(Microsoft), Technet] The 10 immutable security laws
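Laws 5 and 7 in code, as an added example that is not part of the original slides. A message is encrypted with a key derived from a password (PBKDF2-HMAC-SHA256) and authenticated with an HMAC tag, and the attacker never attacks the cipher at all: he guesses the password, re-derives the key and checks the tag. The stream-cipher construction (HMAC-SHA256 in counter mode), the word list, the iteration count and the sample plaintext are all assumptions made for this example, not anything from the lecture.

```python
"""Added example: a dictionary attack on a password-derived key.

Everything here is constructed for the demo: the word list, the small PBKDF2
iteration count (so it runs in well under a second) and the cipher itself,
which uses HMAC-SHA256 as a keystream generator in counter mode.
"""
from __future__ import annotations

import hashlib
import hmac
import os

KDF_ITERATIONS = 1000  # deliberately low for the demo; real deployments use far more

# Constructed "dictionary": the kind of list an attacker tries first.
WORDLIST = ["123456", "password", "letmein", "qwerty", "grenoble2011", "ensimag"]


def derive_keys(password: str, salt: bytes) -> tuple[bytes, bytes]:
    """Derive separate encryption and MAC keys from a password and salt."""
    km = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, KDF_ITERATIONS, dklen=64)
    return km[:32], km[32:]


def keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, used as a PRF-based stream cipher (demo only)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(password: str, plaintext: bytes) -> dict:
    """Encrypt-then-MAC under keys derived from the password."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = derive_keys(password, salt)
    ct = bytes(p ^ k for p, k in zip(plaintext, keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    return {"salt": salt, "nonce": nonce, "ct": ct, "tag": tag}


def decrypt(password: str, blob: dict) -> bytes | None:
    """Return the plaintext, or None if the password (hence the key) is wrong."""
    enc_key, mac_key = derive_keys(password, blob["salt"])
    expected = hmac.new(mac_key, blob["salt"] + blob["nonce"] + blob["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        return None  # wrong key: the tag does not verify, nothing is leaked
    ks = keystream(enc_key, blob["nonce"], len(blob["ct"]))
    return bytes(c ^ k for c, k in zip(blob["ct"], ks))


def dictionary_attack(blob: dict, wordlist: list[str]) -> tuple[str, bytes] | None:
    """Law 7 in practice: the attacker never touches the cipher, only the key."""
    for candidate in wordlist:
        pt = decrypt(candidate, blob)
        if pt is not None:
            return candidate, pt
    return None


if __name__ == "__main__":
    secret = b"Q3 acquisition plan: do not forward"  # constructed sample
    weak = encrypt("letmein", secret)
    print("weak password  :", dictionary_attack(weak, WORDLIST))
    strong = encrypt("correct-horse-battery-staple-7h3", secret)
    print("strong password:", dictionary_attack(strong, WORDLIST))
```

The tag check is what turns a password guess into a yes/no oracle; a scheme with no authentication would force the attacker to recognise valid plaintext instead, which is only marginally harder. Raising the KDF cost slows each guess but does not change the conclusion: once the password is in the attacker's list, the strength of the cipher is irrelevant.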
Security goals / objectives / properties I [21]
- confidentiality (data): only authorised parties can read the data
- availability (system): the system delivers its service to legitimate users when they need it
- integrity (data): the data has not been altered, accidentally or deliberately
- authenticity (data): the data really comes from the claimed origin
- freshness (data): the data is recent, i.e. not a replay of an older message
- traceability (action): an action can be attributed to the entity that performed it
- non-repudiation (action): the entity that performed an action cannot later deny having performed it
- privacy (identity): an individual's identity and personal data are not disclosed or linked without consent

[21] [SPaCiOS 2011] Analysis of the relevant concepts used in the case studies: applicable security concepts, security goals and attack behaviors
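Integrity, authenticity and freshness made concrete on a small "transfer order" message, as an added example that is not part of the original slides. An unkeyed hash only catches accidental corruption (an active attacker who edits the message simply recomputes it), a MAC under a key the attacker does not hold catches the edit, and a nonce remembered by the receiver catches a replay of a message that was itself genuine. The message format, the shared key and the sample orders are assumptions made for this example.

```python
"""Added example: hash vs MAC vs nonce on a constructed transfer order."""
from __future__ import annotations

import hashlib
import hmac
import os

SHARED_KEY = os.urandom(32)  # held by sender and receiver only (constructed)


def send(account: str, amount: int, key: bytes = SHARED_KEY) -> dict:
    """Sender side: the message, an unkeyed hash and a keyed MAC over it."""
    nonce = os.urandom(8).hex()  # fresh per message: the freshness token
    msg = f"{account}:{amount}:{nonce}".encode()
    return {
        "msg": msg,
        "sha": hashlib.sha256(msg).digest(),                 # integrity against accidents only
        "mac": hmac.new(key, msg, hashlib.sha256).digest(),  # authenticity
    }


def tamper(pkt: dict, new_account: str) -> dict:
    """Active attacker: redirect the transfer and recompute what he can."""
    _, amount, nonce = pkt["msg"].split(b":")
    msg = b":".join([new_account.encode(), amount, nonce])
    return {
        "msg": msg,
        "sha": hashlib.sha256(msg).digest(),  # no key needed: the hash is simply recomputed
        "mac": pkt["mac"],                    # cannot be recomputed without SHARED_KEY
    }


def hash_only_check(pkt: dict) -> bool:
    """What a 'we use checksums, so integrity is guaranteed' deployment verifies."""
    return hashlib.sha256(pkt["msg"]).digest() == pkt["sha"]


class Receiver:
    """Verifies authenticity (MAC), then freshness (nonce never seen before)."""

    def __init__(self, key: bytes = SHARED_KEY) -> None:
        self.key = key
        self.seen_nonces: set[bytes] = set()

    def accept(self, pkt: dict) -> str:
        expected = hmac.new(self.key, pkt["msg"], hashlib.sha256).digest()
        if not hmac.compare_digest(expected, pkt["mac"]):
            return "rejected: authenticity (MAC mismatch)"
        nonce = pkt["msg"].rsplit(b":", 1)[1]
        if nonce in self.seen_nonces:
            return "rejected: freshness (nonce already seen, replay)"
        self.seen_nonces.add(nonce)
        return "accepted"


if __name__ == "__main__":
    order = send("alice", 100)
    forged = tamper(order, "mallory")
    print("hash check on forged order :", hash_only_check(forged))  # True: the hash is useless here
    r = Receiver()
    print("receiver on forged order   :", r.accept(forged))
    print("receiver on genuine order  :", r.accept(order))
    print("receiver on replayed order :", r.accept(order))
```

Note what the MAC does not give: both sender and receiver hold SHARED_KEY, so either of them could have produced the tag, and the receiver cannot prove to a third party who sent the order. That is the gap between authenticity and non-repudiation; closing it takes an asymmetric signature, where only the sender holds the signing key.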
Threat-related vocabulary
- threat: an event that, if it happens, violates at least one security goal
- vulnerability: a property of a system that permits a threat to happen
- exploit: a program or procedure that takes advantage of a vulnerability
- attack: one or more exploit(s)
- countermeasure: protects from threats
- hardening: implementing countermeasures in a system
- security policy: the set of rules stating what the system must protect, and who is allowed to do what
Vulnerabilities impact classification
From the STRIDE classification [22] [23] ... in terms of impact!
- spoofing: impersonation of a legitimate user or credential
- tampering: alteration (modification or destruction) of data or of the system
- repudiation: inability to prove that an action has been performed
- information disclosure: leak of information (data, or system configuration)
- denial of service: inability of the system to serve legitimate users
- elevation of privilege: gain of additional rights allowing the attacker to perform additional actions

[22] STRIDE = stride, a long step (French: enjambee)
[23] [Microsoft 2005] STRIDE threat model
Appendix

0 - introduction summary
- pedagogic contract: student behaviour, practical assessments
- infosec motivations: cybercrime, cyberwar, competitors, business reputation, hacktivism
- security properties: confidentiality, integrity, availability, freshness...
- basic security definitions: security policy, threat, vulnerability, exploit, attack...
"5MMSSI - information systems security" index
- 1 - Selection of vulnerabilities and attacks
- 2 - Security management: risk, legals, ethics
- 3 - Cryptography and applications
- 4 - Security testing techniques
- 5 - Diverse security mechanisms: end-point, network, servers
References
- Ari Takanen, Jared DeMott and Charlie Miller (2008). Fuzzing for Software Security Testing and Quality Assurance.
- BBC (2011). Cyber attack on France targeted Paris G20 files. http://www.bbc.co.uk/news/business-12662596
- CLUSIF (2011). Panorama de la Cyber-criminalite - Annee 2010. http://www.clusif.asso.fr/fr/production/ouvrages/pdf/CLUSIF-2011-Panorama-Cybercriminalite-annee-2010.pdf
- community, Open source (2011). Chromium Code Reviews. http://codereview.chromium.org/7791032/diff/2001/net/base/x509_certificate.cc
- Ensiwiki (2011). A career in information security. http://ensiwiki.ensimag.fr/index.php/A_career_in_Information_Security
- F-Secure (2011). DigiNotar Hacked by Black.Spook and Iranian Hackers. http://www.f-secure.com/weblog/archives/00002228.html
- LLC, PCI Security Standards Council (2010). PCI-DSS v2. https://www.pcisecuritystandards.org/documents/pci_dss_v2.pdf
- Microsoft (2005). STRIDE threat model. http://msdn.microsoft.com/library/ms954176.aspx
- (Microsoft), Cyril Voisin (2004). Notions fondamentales de securite.
- (Microsoft), Technet. The 10 immutable security laws. http://technet.microsoft.com/en-us/library/cc722487.aspx
- Nicolas Falliere, Liam O Murchu and Eric Chien (Symantec) (2011). W32.Stuxnet Dossier. http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_stuxnet_dossier.pdf
- Nikam, Rajesh (2011). Introduction to Malware & Malware Analysis. http://chmag.in/article/sep2011/introduction-malware-malware-analysis
- Senator (2002). California law - amending SB 1386. http://info.sen.ca.gov/pub/01-02/bill/sen/sb_1351-1400/sb_1386_bill_20020926_chaptered.html
- SPaCiOS (2011). Analysis of the relevant concepts used in the case studies: applicable security concepts, security goals and attack behaviors. http://www.spacios.eu
- Spafford, Eugene H. (1989). Quotable Spaf. http://spaf.cerias.purdue.edu/quotes.html
- Symantec (2011). Norton Cybercrime report 2011. http://www.symantec.com/about/news/resources/press_kits/detail.jsp?pkid=threat_report_16
- Wikipedia. Anonymous (hacktivist group). https://secure.wikimedia.org/wikipedia/en/wiki/Anonymous(group)
- Wikipedia. Hacktivism. https://secure.wikimedia.org/wikipedia/en/wiki/Hacktivism
- Wikipedia. Sarbanes-Oxley Act. https://secure.wikimedia.org/wikipedia/en/wiki/Sarbanes–Oxley_Act
- Wikipedia (2011a). Cyberwarfare. https://secure.wikimedia.org/wikipedia/en/wiki/Cyberwarfare
- Wikipedia (2011b). Stuxnet. https://secure.wikimedia.org/wikipedia/en/wiki/Stuxnet
- Wired (2011). Crime, organized. http://www.wired.com/magazine/2011/01/ff_orgchart_crime/
Bonus slides

Some Information Security jobs
- hacker [24]
- security researcher / vulnerability analyst
- penetration tester / auditor [25]
- software security tester
- IT security:
  - IT security mechanisms implementer
  - CISO (Chief Information Security Officer)

[24] [Ari Takanen 2008] Fuzzing for Software Security Testing and Quality Assurance
[25] [Ensiwiki 2011] A career in information security
Phishing
(... of course some kind of money benefit would then be derived)
Some phishing examples
- an email from the XXX bank: you have to change your password
- some welfare service sent you some money (eg: the French "CAF")
- PayPal urges you to log on to your account
Spam
How do they make money?
- promoting fake drugs, porn websites
- phishing
- traffic brokering to exploit vulnerabilities in the browser (goal: for instance, trojan installation to enlist the machine in a botnet)
Botnet
Scamming
- some rich guy from a far-away country has no children and wants to give you 10 million USD, but you first have to send him 100 USD
Common misconceptions - best dummies' quotes
"Our corporation is secure because ..."
- we have a firewall, IDS/IPS
- we use checksums, thus integrity is guaranteed
- no network is connected to the Internet
MALicious softWARE (malware) categorization I [26]
- virus: self-replicating program that injects itself into a "host" (script, process...)
- worm: autonomous self-replicating program
- trojan horse: apparently useful software with hidden malicious functionality
- spyware: gathers personal or confidential information without the user's consent and sends it to a remote server
- backdoor: permits remote code execution on the victim's computer and opens a communication channel to which the attacker connects
MALicious softWARE (malware) categorization II
- hacktool: tools used by attackers to get access to the system; hacktools try to exploit vulnerabilities
- rootkit: actively hides from the OS, usually has the ability to interact at a low level (I/O such as keyboard, mouse, display...)
- rogue application: "fake" application posing as a security solution (eg: faking malware detections); usually misleads the user into paying for a pretended removal of malware

[26] [Nikam 2011] Introduction to Malware & Malware Analysis