INTRODUCTION Dr. Andy Wu BCIS 4630 Fundamentals of IT Security

Upload: anne-wade

Post on 06-Jan-2018



Page 1: Title slide (INTRODUCTION, Dr. Andy Wu, BCIS 4630 Fundamentals of IT Security)

Page 2: Introduction
• What do we protect
  – CIA
• Know thy enemy
  – Hackers
  – Script kiddies
  – Hacker motivation
• The battlefield
  – Trend in attackers
  – Tough job for good guys

Page 3: Price of Security Breaches
• Loss of customer goodwill
• Bad publicity
• Interruption of production / downtime
• Loss of sales/business
• Litigation (wasting a lot of time and money)
• Competitors taking the upper hand
• Etc., etc.
• All of these mean loss of profit

Page 4: Downtime Is Costly

Business Application        Est. Outage Cost/Minute
Supply chain management     $11,000
E-Commerce                  $10,000
Customer service            $3,700
ATM/POS/EFT                 $3,500
Financial management        $1,500
Human capital management    $1,000
Messaging                   $1,000
Infrastructure              $700

Source: Shon Harris et al., Gray Hat Hacking

Page 5: Information Is What We (They) Are After
• Information is a strategic asset to an organization.
  – IT enables organizations to transform business practices and achieve competitive advantage.
  – IT is only the means to deliver information.
• In this course I will use the terms "information security", "information systems security", "IT security", and "computer security" interchangeably.
  – But bear in mind that our ultimate goal is to protect valuable information.

Page 6: Confidentiality
• The protection of information within systems so that unauthorized people, programs, and processes cannot access that information.
• Sensitive information is protected against unauthorized disclosure.
• Encryption is a primary tool to ensure confidentiality.

Page 7: Integrity
• The protection of information or processes from intentional or accidental unauthorized changes.
• Integrity ≠ business accuracy, logicalness, relevance, ethicalness, etc. of information
• Integrity = no unauthorized alteration

Page 8: Protecting Integrity
• Need to protect the process or program used to manipulate information, e.g.,
  – Air traffic control systems
  – Social Security and welfare systems
  – Payroll systems
• Examples in database management systems
  – Entity integrity
  – Referential integrity
  – Transaction and rollback
• Cryptography (hash functions) is an important tool to verify integrity.
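The slide names two families of integrity controls: DBMS constraints with transactional rollback, and hash functions for verifying stored or transmitted data. The following added example (not from the slides) shows both in Python's standard library, using a constructed payroll schema as the slide's "payroll systems" case. It also carries the caveat a practitioner would add: a plain hash catches accidental corruption, but someone who can alter the data can recompute a plain hash, so a keyed hash (HMAC) is needed to catch intentional unauthorized change. Table names, records and the key are all constructed for illustration.

```python
"""Added example (not from Dr. Wu's slides): two ways to enforce or verify
integrity as defined on the slide, using only the Python standard library.

1. Entity and referential integrity plus rollback in a DBMS, via sqlite3.
2. Detecting alteration of a record with a hash, and why a keyed hash
   (HMAC) is needed when the alterer could recompute a plain hash.

All table names, records and keys below are constructed for illustration.
"""
import hashlib
import hmac
import sqlite3


def build_payroll_db() -> sqlite3.Connection:
    """Create an in-memory payroll database with integrity constraints."""
    conn = sqlite3.connect(":memory:")
    # SQLite does not enforce FOREIGN KEY constraints unless this is turned
    # on for the connection; an easy hardening step to forget.
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(
        """
        CREATE TABLE employee (
            emp_id INTEGER PRIMARY KEY,   -- entity integrity: unique, non-null key
            name   TEXT NOT NULL
        );
        CREATE TABLE paycheck (
            check_id     INTEGER PRIMARY KEY,
            emp_id       INTEGER NOT NULL REFERENCES employee(emp_id),  -- referential integrity
            amount_cents INTEGER NOT NULL CHECK (amount_cents > 0)
        );
        INSERT INTO employee VALUES (1, 'Alice Example');
        """
    )
    return conn


def pay_batch(conn: sqlite3.Connection, checks) -> bool:
    """Insert a batch of (emp_id, amount_cents) rows atomically.

    Returns True if the whole batch committed, False if any row violated a
    constraint; in that case the transaction is rolled back and no partial
    batch remains in the table.
    """
    try:
        with conn:  # commits on success, rolls back on exception
            conn.executemany(
                "INSERT INTO paycheck (emp_id, amount_cents) VALUES (?, ?)", checks
            )
        return True
    except sqlite3.IntegrityError:
        return False


def paycheck_count(conn: sqlite3.Connection) -> int:
    """Number of paychecks currently committed."""
    return conn.execute("SELECT COUNT(*) FROM paycheck").fetchone()[0]


# --- hash-based verification of stored or transmitted data -----------------

def digest(record: bytes) -> str:
    """Plain SHA-256 digest: detects accidental corruption only."""
    return hashlib.sha256(record).hexdigest()


def keyed_digest(record: bytes, key: bytes) -> str:
    """HMAC-SHA256: detects alteration by anyone who does not hold the key."""
    return hmac.new(key, record, hashlib.sha256).hexdigest()


def verify_keyed(record: bytes, key: bytes, tag: str) -> bool:
    """Constant-time comparison so timing does not leak the expected tag."""
    return hmac.compare_digest(keyed_digest(record, key), tag)


if __name__ == "__main__":
    db = build_payroll_db()
    print(pay_batch(db, [(1, 150000)]))           # True: employee 1 exists
    print(pay_batch(db, [(1, 150000), (99, 1)]))  # False: employee 99 does not exist
    print(paycheck_count(db))                     # 1: failed batch fully rolled back

    key = b"constructed-demo-key"
    rec = b"emp_id=1;amount_cents=150000"
    tag = keyed_digest(rec, key)
    print(verify_keyed(rec, key, tag))                              # True
    print(verify_keyed(b"emp_id=1;amount_cents=950000", key, tag))  # False
```

The rollback is the point of the second batch: the first row of that batch is valid and is inserted, the second violates referential integrity, and the transaction context manager undoes both, so the table never holds a half-applied payroll run.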

Page 9: Availability
• The assurance that information and systems are accessible by authorized users whenever needed.
  – Protected against denial-of-service (DoS) attacks and vandalism
  – Protected against losses stemming from natural disasters or human errors and actions (this type probably is more common)
• Time can be of the essence for many information-related activities.

Page 10: Availability (or Lack thereof)

Page 11: Availability (or Lack thereof)

Page 12: Availability (or Lack thereof)

Page 13: Availability (or Lack thereof)

Page 14: DAD Triad
• Disclosure
  – Unauthorized individuals gain access to confidential information
• Alteration
  – Data is modified through some unauthorized mechanism
• Denial
  – Authorized users cannot gain access to a system for legitimate purposes
• DAD activities may be malicious or accidental

Page 15: Non-Repudiation
• Prevents the parties to a transaction from subsequently denying involvement in the transaction.
• Someone cannot deny that she did send a message, sign an electronic contract, etc.
• Public-key encryption (digital signature, to be exact) is instrumental to achieving non-repudiation.
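Why a digital signature, rather than a shared-key check, gives non-repudiation: only the holder of the private key can produce a value that verifies under the matching public key, while anyone can verify it. A keyed hash shared between two parties cannot do this, because either party could have produced the tag. The added example below (not from the slides) shows this with textbook RSA over a message hash. It is written for illustration only: the toy primes (known Mersenne primes), the lack of padding, the party names and the contract text are all constructed, and real signatures use random primes of at least 1024 bits plus a padding scheme.

```python
"""Added example (not from Dr. Wu's slides): a digital signature gives
non-repudiation because only the private-key holder can produce a
signature that verifies under the matching public key, while anyone can
check it. Textbook RSA with no padding and toy-sized primes, for
illustration only; primes, message and party names are constructed.
"""
import hashlib

# Toy key material: known Mersenne primes 2^61 - 1 and 2^89 - 1.
# Real keys use random primes of 1024+ bits and a padding scheme.
P = (1 << 61) - 1
Q = (1 << 89) - 1
E = 65537


def make_keypair(p: int = P, q: int = Q, e: int = E):
    """Return ((n, e), (n, d)): the public key and the private key."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # modular inverse of e (Python 3.8+)
    return (n, e), (n, d)


def _hash_to_int(message: bytes, n: int) -> int:
    """Hash the message and reduce the digest into the modulus range."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(message: bytes, private_key) -> int:
    """Only the holder of d can compute this value for the message."""
    n, d = private_key
    return pow(_hash_to_int(message, n), d, n)


def verify(message: bytes, signature: int, public_key) -> bool:
    """Anyone holding (n, e) can check the signature; no secret is needed."""
    n, e = public_key
    return pow(signature, e, n) == _hash_to_int(message, n)


if __name__ == "__main__":
    alice_pub, alice_priv = make_keypair()
    contract = b"Alice agrees to pay Bob $500 on 2018-02-01"  # constructed
    sig = sign(contract, alice_priv)

    # Bob (or a court) verifies with Alice's public key only.
    print(verify(contract, sig, alice_pub))          # True
    # Alice cannot claim the contract said something else: altered text fails.
    print(verify(contract + b"0", sig, alice_pub))   # False
    # Bob cannot forge Alice's signature: a signature made under a different
    # private key does not verify under Alice's public key.
    other_pub, other_priv = make_keypair(q=(1 << 107) - 1)  # 2^107 - 1 is also prime
    print(verify(contract, sign(contract, other_priv), alice_pub))  # False
```

The two failure cases are the ones that matter for non-repudiation: the signer cannot later substitute a different message, and the relying party cannot manufacture a signature on the signer's behalf, so neither side can plausibly deny the transaction as recorded.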

Page 16: Hacking
• The act of deliberately accessing computer systems and networks without authorization is called "hacking".
• The term may also be used to refer to the act of exceeding one's authority in a system.

Page 17: Typical Hacker
• Young male in late 20s.
• Dress is casual: intellectual or humorous slogan T-shirts, jeans, running shoes, etc.
  – "Outdoorsy": hiking boots, khakis, chamois shirts, etc.
  – Hates business attire.
• Reads Scientific American and Smithsonian
• Attracted to ethnic, spicy, oriental, exotic foods
• Anti-physical and avoids sports
  – If any, almost always self-competitive and intellectual, involving concentration, stamina, and micro-motor skills

Source: Schell et al. The Hacking of America.

Page 18: Hacker Myths and Truths
• Myth: Hackers are computer addicts
  – Truth: They're more like "heavy users"
• Myth: Hackers have odd sleeping patterns
  – Truth: 79% sleep sometime 12AM-8AM, for an average of 6.26 hours
• Myth: Hackers communicate only with their computers, not with other people
  – Truth: Hackers spend considerable time during the week communicating with their colleagues.

Source: Schell et al. The Hacking of America.

Page 19: Hacker Myths and Truths
• Myth: Hackers are a threat to network administrators
  – Truth: Hacker convention attendees have considerable white hat skill sets.
  – Divided views on hiring hackers as security professionals.
• Myth: Hackers are creative.
  – Truth: This seems to be true.

Page 20: Script Kiddies
• Download and run tools that others have developed.
  – May not even know why and how the tools work.
• Generally not as interested in attacking specific targets.
• Look for any people or organizations that may not have patched a newly discovered vulnerability.
• At least 85 to 90% of the "unfriendly" activities on the Internet are probably carried out by these individuals.
• Do not underestimate the potential damage they can inflict despite their lower level of technical sophistication. These kids ain't cute!

Page 21: Traditional Hacker Motivations
• Feeling of addiction
• The urge of curiosity
• Boredom with the education system
• Enjoyment of the feeling of power
• Peer recognition
• Political acts
• What is missing?

Source: Taylor, Paul, Hackers: Crime in the Digital Sublime.

Page 22: Hacker Motivation
• "Sutton's Law"
• Alarming change: the serious attackers are out for specific purposes, with certain types of damage or fraud in mind.
• Some of them are becoming part of, or are hired by, the cyber-equivalent of the mafia.

Page 23: Alarming Trend

Source: CERT

Page 24: Change in Hacker Characteristics
• As the level of sophistication of attacks has increased, the level of knowledge necessary to exploit vulnerabilities has decreased.
  – The rise of non-affiliated intruders, including "script-kiddies," has greatly increased the number of individuals who probe organizations looking for vulnerabilities to exploit.

Page 25: What Does It Take to Be Secure
• Information security is more than a technical issue. It also involves:
  – Human
  – Organization
• It is a lot more than what the IT department can handle alone.

Page 26: Taking Perspective on Security
• You have to be secure in all bases, whereas an attacker only has to be really good at one thing to be successful.
• Your security is only as good as its weakest link.
• People are the weakest link in security.

Page 27: Code-Red Worm (July 2001)
• On July 19, 2001, over 350,000 computers connected to the Internet were infected by the Code-Red worm. The incident took only 14 hours to occur.
• Damages caused by the worm (including variations of the worm released on later dates) exceeded $2.5 billion.
• The vulnerability exploited by the Code-Red worm had been known for a month.

Page 28: Slammer Worm (January 2003)
• It exploited a buffer-overflow vulnerability in computers running Microsoft's SQL Server or Microsoft SQL Server Desktop Engine.
• This vulnerability was not new. It had been discovered in July 2002.
• Microsoft had released a patch for the vulnerability even before it was announced.

Page 29: Security Is No Free Lunch
• Security can be looked at as a tradeoff between risks and benefits.
  – Cost of implementing the security mechanism
• The tradeoff involves security versus costs of implementation, user convenience, business goals, etc.

Page 30: Security Doesn't Get Invited to Parties
• An important tradeoff involves user convenience
  – People are not born security-minded. They may not appreciate your help.
  – Security often is an inconvenience to users.
  – If your security measures inconvenience them enough, they will bypass or even undermine them.
  – If users go out of their way to circumvent security, the system may be even more vulnerable.