week 9 session 18


Upload: harshasud

Post on 16-Nov-2015


Slide 1: Introduction to Security

Slide 2: What are Threats?
- Internal threats: human error; dishonest / disgruntled employees; technical sabotage
- External threats: viruses; Trojans / worms / malicious code; hackers / intruders

Slide 3: Countermeasures
- Patch management system
- Intrusion prevention systems
- Intrusion detection systems
- Anti-virus
- Content management
- Firewalls
- VPN
- PKI

Slide 4: The need for Security?
- InternetWeek: 50% of corporations have had 30 or more penetrations; 60% lost up to $200K per intrusion
- Federal Computing World: over 50% of Federal agencies report unauthorized access (some are massive numbers)
- FBI/Computer Security Institute: 48% of all attacks originated from within the organization
- WarRoom Research Survey: 90% of Fortune 500 companies surveyed admitted to inside security breaches

Slide 5: Common IT Security Shortcomings
- No enterprise-wide patch management system
- No intrusion detection systems on both the inside and the outside of the perimeter
- No firewalls / weak firewalls in place
- All / few servers directly open to the internet
- Outgoing email server doesn't require authentication
- Partial content management / prevention solution
- Outdated / un-patched mail servers

Slide 6: Patch Management: Why reaction time matters
- Reaction time is critical in preventing viruses and worms, which can cost organizations billions.
- Forrester says that organizations typically require more than 300 days to fully deploy patches for most of these issues after the fix is available.
- The race begins when the technical details of an issue (such as a security bulletin or release of exploit code) are made public.

Worm (year, platform) | Number of days from release of exploit to worm appearance
Scalper (2002, FreeBSD) | 11 days (*early disclosure)
Blaster (2003, Windows) | 16 days
Code Red (2001, Windows) | 24 days
Lion (2001, Linux) | 53 days
Slapper (2002, Linux) | 58 days
Melissa (1999, Windows) | 64 days
Nimda (2001, Windows) | 172 days
Slammer (2003, Windows) | 180 days
Ramen (2001, Linux) | 208 days

Slide 7: The SQL Slammer Worm: What Happened?
- MS SQL vulnerability and patch released July 2002
- Worm released at 5:30 GMT, January 25, 2003
- Saturation point reached within 2 hours of start of infection
- 250,000 to 300,000 hosts infected
- Internet connectivity affected worldwide
- Not easily detected by anti-virus since it did not write itself to disk

Slide 8: The SQL Slammer Worm: 30 Minutes After Release
- Infections doubled every 8.5 seconds
- Spread 100X faster than Code Red
- At peak, scanned 55 million hosts per second

Slide 9: The RPC Blaster Worm: What Happened?
- RPC vulnerability and patch published by Microsoft on July 16th, 2003.
- Vulnerability affects NT 4.0, WinXP, Win2000, and Win2003 Server.
- Blaster worm released Monday, August 11, 2003; main target is only WinXP and Win2000.
- 330,000+ hosts infected in less than a week
- Worm variants appearing: Lovsan.B, Lovsan.C

Slide 10: Lessons Learned
- Applying patches must be done quickly and thoroughly
- If the vulnerability applies to clients, these must be patched
- One infected machine can scan and infect thousands of victims
- The network must be configured with QoS and have the intelligence to filter and control traffic when needed
- Complements to patches, such as host-based security agents, must be considered

Slide 11: Electronic Commerce - Security
- Securing Internet commerce is akin to securing your business secrets and activities in real life
- Security concerns have to be addressed at three levels:
  - Security of the host (where the business is hosted)
  - Security of the server providing the service (HTTP/web server)
  - Communication environment: network environment, transaction security

Prof. Bharat Bhasker, Indian Institute of Management Lucknow

Slide 12: Electronic Commerce - Host Security
- Site Security Handbook (RFC 1244) details how to secure a host computer from break-in
- Seven critical principles:
  - Parsimony (simplest possible): remove services that are not required (HTTP, SMTP, POP3, IMAP...); remove all things from the host that are not required (compilers, NFS daemons, interpreters, shells); superuser (root) privileges
  - Access control (authentication, privilege system)
  - Accountability (securely log actions for IDs)
  - Audit and auditability (any change anywhere in the system): COPS, TAMU, Tripwire
  - Notification (CERT, CIAC, alarm systems)
  - Recovery (it may happen; how to cope on the morning after?)

Slide 13: Network Security -- Sniffing
- On the wire, messages can be read by sniffers and network analyzers, tools meant to monitor an Ethernet segment that remains too busy: traffic patterns and network problems
- Examples:
  - esniff.c: 300-line program, captures userids and passwords on telnet and ftp sessions
  - TCPDump.c: widely available public utility
  - Netman: various utilities for net management, available via anonymous ftp site
  - EthDump: sniffer that runs under DOS, anonymous FTP site
- Security threats:
  - Passwords: encryption may not help (replay attack)
  - Financial account information
  - Private data: Cap Weinberger indicted based on email in Iran-Contra
  - Low-level protocol information

Slide 14: Network Security -- Sniffing
- Prevention
  - Network segmentation: hubs (multi-port repeaters), switches, bridges (filter traffic), routers (too radical for the sniffing problem, but help by creating subnets)
  - Trust circles and barriers between secure and insecure segments
- Avoiding transmission of passwords:
  - Rlogin family of protocols: .rhosts and /etc/hosts.equiv (prone to ARP and DNS spoofing)
  - Encryption with time stamps
  - Challenge-based authentication
  - Entire session/connection encryption, such as SSL
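The replay problem and the challenge-based fix from the slide above, as an added example that is not part of the original deck. The shared secret, the 16-byte nonce and the HMAC-SHA256 construction are assumptions for the illustration.

```python
import hashlib
import hmac
import secrets

# Constructed shared secret standing in for the user's password (assumption).
SHARED_SECRET = b"correct horse battery staple"

def static_login_replay():
    """Scheme 1: the client sends a hash of the password on every login.
    A sniffer records that token once and can resend it verbatim, so
    encrypting or hashing the password alone does not stop a replay."""
    token_on_wire = hashlib.sha256(SHARED_SECRET).digest()
    captured = token_on_wire                       # what the sniffer saw
    server_expects = hashlib.sha256(SHARED_SECRET).digest()
    return hmac.compare_digest(captured, server_expects)   # True: replay accepted

class ChallengeServer:
    """Scheme 2: challenge-based authentication. The server issues a fresh
    random nonce per login; the client answers with HMAC(secret, nonce)."""
    def __init__(self, secret):
        self.secret = secret
        self.outstanding = set()               # nonces issued but not yet answered

    def challenge(self):
        nonce = secrets.token_bytes(16)
        self.outstanding.add(nonce)
        return nonce

    def check(self, nonce, response):
        # Each nonce may be answered once; a replayed pair or a response
        # computed for a different nonce is rejected.
        if nonce not in self.outstanding:
            return False
        self.outstanding.discard(nonce)
        expected = hmac.new(self.secret, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)

def client_response(secret, nonce):
    # The secret never crosses the wire, only a keyed hash of the nonce.
    return hmac.new(secret, nonce, hashlib.sha256).digest()

def challenge_login_replay():
    server = ChallengeServer(SHARED_SECRET)
    nonce = server.challenge()
    resp = client_response(SHARED_SECRET, nonce)
    genuine = server.check(nonce, resp)              # real login: True
    replayed = server.check(nonce, resp)             # sniffer resends the pair: False
    later = server.check(server.challenge(), resp)   # old answer, new nonce: False
    return genuine, replayed, later
```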

Slide 15: Network Security -- Spoofing
- Hardware address: a NIC has a 48-bit unique card address; bridges examine the frames and can modify the source/destination address
  - Prevention: intelligent hubs in secure locations, active/filtering hubs
- Address Resolution Protocol (ARP) spoofing: "who owns this IP address?"
  - Inadvertent: two servers with the same IP address alternately come up
  - Malicious attacks on IP-based authorization and trust: turn the machine off and insert your laptop with its address
  - Prevention: stop using ARP, i.e. make all IP-to-Ethernet mappings permanent; or make the important addresses permanent
    - arp -a lists the ARP cache on a machine
    - arp -d deletes an entry from the cache
    - arp -s adds a permanent entry
  - Hardware barriers: routers, trusted hosts on a separate subnet

Prof. Bharat Bhasker, Indian Institute of Management Lucknow - CSI-99

Slide 16: Network Security -- Spoofing
- ARP spoofing detection
  - Network-level detection: periodic polling against a standard database of IP address, hardware address, name and location; raise alerts on differences
  - SNMP agent based monitoring
  - RMON protocol (RFC 1271)
  - BTNG (Beholder The Next Gen) is an RMON agent, available from Delft University
  - Ticklet, an SNMP-based monitoring and management system
  - arpmon (Ohio State), ArpWatch (LBL)
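The periodic-polling detection the slide describes, as an added example that is not part of the original deck: it parses `arp -a` output (the Linux/BSD "? (ip) at mac" form is assumed), checks it against a baseline database and also emits the `arp -s` commands that pin the baseline entries. The baseline and the sample cache are constructed.

```python
import re

# Constructed baseline of authorised IP -> MAC mappings (the "standard database").
BASELINE = {
    "10.0.0.1":  "00:11:22:33:44:01",   # gateway
    "10.0.0.10": "00:11:22:33:44:0a",   # file server
    "10.0.0.20": "00:11:22:33:44:14",   # mail server
}

# Constructed sample of one polling run of `arp -a`; in production this text would
# come from running the command (e.g. via subprocess) on a schedule.
SAMPLE_ARP_A = """\
? (10.0.0.1) at 00:11:22:33:44:01 [ether] on eth0
? (10.0.0.10) at DE:AD:BE:EF:00:01 [ether] on eth0
? (10.0.0.20) at 00:11:22:33:44:14 [ether] on eth0
? (10.0.0.77) at de:ad:be:ef:00:01 [ether] on eth0
"""

ENTRY = re.compile(r"\((?P<ip>[\d.]+)\) at (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})", re.I)

def parse_arp_table(text):
    """Return {ip: mac} from arp -a style output; MACs normalised to lower case."""
    table = {}
    for line in text.splitlines():
        m = ENTRY.search(line)
        if m:
            table[m["ip"]] = m["mac"].lower()
    return table

def check_arp_table(table, baseline):
    """Compare a polled ARP cache against the baseline and return alert strings."""
    alerts = []
    for ip, expected in baseline.items():
        seen = table.get(ip)
        if seen is not None and seen != expected:
            alerts.append(f"MISMATCH {ip}: expected {expected}, cache has {seen}")
    # One MAC answering for several IPs is the classic sign of a spoofing host.
    by_mac = {}
    for ip, mac in table.items():
        by_mac.setdefault(mac, []).append(ip)
    for mac, ips in sorted(by_mac.items()):
        if len(ips) > 1:
            alerts.append(f"DUPLICATE MAC {mac} claims {', '.join(sorted(ips))}")
    return alerts

def static_entry_commands(baseline):
    """The `arp -s` lines that make the baseline mappings permanent on a host."""
    return [f"arp -s {ip} {mac}" for ip, mac in sorted(baseline.items())]
```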

Slide 17: Electronic Commerce - Secure the Fort (Firewalls)
- Digging a deep moat around your palace: the design forced everyone entering or leaving the palace to pass through a single drawbridge.
- Companies can have several LANs, but the connection to the outside world is restricted to a limited number of doorways, called firewalls.
- Firewalls have two components: two routers and application gateways. The route to the outside world exists through this passageway.
- The first router is used for incoming packet filtering.
- The second, internal router does outgoing packet filtering and, along with the application gateway, acts as additional screening for the limited offered services.

Slide 18: Firewalls

Packet Filter | Application Level Firewall
Packets from inside the network are passed outside unchanged | Packets passed through the firewall are rewritten with the firewall's IP address
This makes a packet filter susceptible to spoofing | All internal IP addresses are completely hidden

Slide 19: Firewalls - What Can a Firewall Do?
- Control access based on: source, destination, service (or sub-service), time, day or date, user
- Audit trails for security audits
- Notification of events, usually in real time
- Multi-use passwords are a problem: the same password is used every time, and if it is guessed or stolen the system will be compromised
- Integration of strong authentication via one-time-use password technology: a unique password is generated for each connection

Slide 20: Electronic Commerce - Secure the Fort (Firewalls)
(Diagram only; no text recovered.)

Slide 21: Electronic Commerce - Secure the Fort (Firewalls)
(Diagram only; no text recovered.)

Slide 22: Additional Measures
- Good and effective anti-virus server and anti-spam server on the gateway
- Install intrusion detection software on the internal as well as the external networks
- Implement firewalls
- Good content management as well as traffic management system
- Network monitoring and management software

Slide 23: How do I achieve secure communications in a public network?
- We use the Internet to: send email; make purchases; distribute software; inventory control and order entry
- But we have some concerns. How do we:
  - Know a person is who they claim to be?
  - Know I'm connected to an authentic merchant?
  - Protect the privacy of my communications?
  - Know if information has been tampered with?
  - Prove later that someone sent me the message?

Slide 24: Four Security Needs for Network Communications

Need | Threat | Question
Privacy / Confidentiality | Interception | Is my communication private?
Integrity | Modification | Has my communication been altered?
Authentication | Fabrication | Who am I dealing with?
Non-repudiation | Claims "not sent" / "not received" | Who sent/received it and when?

Slide 25: How do we solve the 4 Security Needs?
- Cryptography: secret key; public key
- Specialized uses of cryptography: digital signature; digital certificates

Slide 26: Secret Key Cryptography
- Cryptography involves encryption and decryption
- Secret key cryptography: data is encrypted and decrypted using the same secret key
- Also known as symmetric key
- DES is an example of a secret key algorithm
(Diagram: the same secret key drives the secret key algorithm at both the sending and the receiving end.)

Slide 27: Secret Key Cryptography
- It's fast, but . . .
  - How do I get my secret key to my recipient?
  - Do I have a different secret key for everyone with whom I communicate?
  - If one key is compromised, all copies of that key must be replaced
- Does not scale well

Slide 28: Public Key Cryptography
- Two keys = key pair: mathematically related, but not identical, public and private keys
- Public keys are widely distributed
- Private keys are held securely by owners
- Data encrypted with one key can be decrypted only with the other key of the pair
- a.k.a. asymmetric key; RSA is an example of a public key algorithm
(Diagram: the public key algorithm applied with the public key on one side of the exchange and the private key on the other.)

Slide 29: Public Key Cryptography
- It's slower, but . . .
  - I don't have to distribute a secret key because I have my private key
  - Everyone with whom I communicate can know my public key
  - There's only one copy of the private key
- Scales well

Slide 30: Digital Signature
- Everyone has a signature key pair
- 1) A provides a copy of its public key to B
- 2) A signs information using its private key
- 3) B verifies the signature using A's public key
- Private key signs data; public key verifies the signature on the data
- The public key may be sent with the signed data, or fetched from a public network or directory (either method)

Slide 31: A Closer Look at Digital Signature
- Digital signature: electronic (digital) stamp appended to data before sending
- The result of encrypting the hash of the data to be sent on the network
- Any change (to data or signature) will cause the signature verification to fail
- Hash, or digest: speeds up the signing (encrypting) process; a one-way conversion of the data to a fixed-length field that uniquely represents the original data
- So, using a diagram . . . data with electronic stamp

Slide 32: Digital Signing of the Data
(Diagram: electronic data -> hash function -> hash result -> signing function with the private key of A -> digital signature; the signed data is the electronic data together with the digital signature.)
- Only the private key holder can sign

Slide 33: Digital Signature Verification
(Diagram: from the signed data, the electronic data -> hash function -> hash result; the digital signature -> verify function with the public key of A -> hash result; compare -> valid? yes / no.)
- Anyone can verify
- So the receiver can compare hashes to verify the signature

Slide 34: Security Solutions
- Some security mechanisms: secret key encryption; public key encryption; digital signature; hashing
- How can these security mechanisms solve the four communications security needs: confidentiality, integrity, authentication, non-repudiation?

Slide 35: Solving the 4 Security Needs
(Table: the mechanisms Encryption (secret key, public key) and Digital Signature set against the needs Confidentiality, Integrity, Authentication and Non-Repudiation; the cell marks were not recovered.)

Slide 36: Authentication
- Identification: how you tell someone who you are
- Authentication: how you prove to someone you are who you say you are

Slide 37: How Do I Solve Authentication?
- Physical solutions:
  - Something you know: password, combination to a safe
  - Something you have: key, token, badge
  - Something you are: signature, iris pattern, fingerprint
- Electronic solution: digital certificates
- So, why does B trust A's public key?

Slide 38: Digital Certificates
- . . . Because a trusted third party has authenticated that the public key belongs to A: the Certification Authority (CA)
- When A provides proof of identity, the Certification Authority creates a signed message containing A's name and public key: the digital certificate
- Digital certificate = signed message containing A's name and public key
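An added example, not from the original deck, that carries slides 30 to 33 and 37 to 38 through in code: a textbook RSA key pair, signing as the private-key operation on a hash, verification by comparing hashes, and a CA-signed certificate that B checks before trusting A's public key. The primes (1000003, 1000033, 1000037, 1000039), names and message are constructed, and the key size is far too small for real use.

```python
import hashlib

# Textbook RSA over small constructed primes: it illustrates "encrypt the hash
# with the private key"; the modulus is far too small for real use.
def make_keypair(p, q, e=65537):
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))        # private exponent
    return (n, e), (n, d)                     # (public key, private key)

def digest(data):
    # One-way hash, truncated to 32 bits so it stays below the toy modulus.
    return int.from_bytes(hashlib.sha256(data).digest()[:4], "big")

def sign(data, priv):
    n, d = priv
    return pow(digest(data), d, n)            # private-key operation on the hash

def verify(data, sig, pub):
    n, e = pub
    return pow(sig, e, n) == digest(data)     # recover the hash, compare with a fresh one

def issue_certificate(name, pub, ca_priv):
    # The CA's signed message containing the subject's name and public key.
    body = f"{name}|{pub[0]}|{pub[1]}".encode()
    return body, sign(body, ca_priv)

def verify_certificate(cert, ca_pub):
    # B trusts a key only after the CA's signature on the certificate checks out.
    body, sig = cert
    if not verify(body, sig, ca_pub):
        return None
    name, n, e = body.decode().split("|")
    return name, (int(n), int(e))

def demo():
    ca_pub, ca_priv = make_keypair(1000003, 1000033)
    a_pub, a_priv = make_keypair(1000037, 1000039)
    cert = issue_certificate("A", a_pub, ca_priv)
    msg = b"Pay 100 to B"                     # constructed message from A
    sig = sign(msg, a_priv)
    subject = verify_certificate(cert, ca_pub)  # ("A", a_pub) if the CA signature holds
    # Forged certificate: A's key relabelled with another name; the CA never signed it.
    forged = (b"Mallory|" + cert[0].split(b"|", 1)[1], cert[1])
    return {
        "cert_ok": subject is not None and subject[0] == "A",
        "sig_ok": subject is not None and verify(msg, sig, subject[1]),
        "tampered": verify(msg + b"0", sig, a_pub),          # altered data -> False
        "forged_cert": verify_certificate(forged, ca_pub) is None,
    }
```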

Slide 39: Why trust a Digital Certificate?
- A digital certificate becomes a passport that proves your identity and authenticates you
- A passport is issued by a trusted government; when another government sees it, they trust it
- A digital certificate issued by a trusted CA, again licensed by the government, can also be trusted

Slide 40: Certification Authority
- The Certification Authority assumes the responsibility of authenticating certificate identity information, like a government for passports
- CA authentication techniques:
  - Check against existing records: employee databases
  - Examine typical identification: passport, license
  - Background check: government databases
- The CA authenticates, issues and manages certificates

Slide 41: Information Checkpoint
- How do we solve the 4 security needs?
(Table: the mechanisms Encryption (secret key, public key), Digital Signature and Digital Certificates set against the needs Confidentiality, Integrity, Authentication and Non-Repudiation; the cell marks were not recovered.)