Beruflich Dokumente
Kultur Dokumente
BASIC COMPONENTS
Confidentiality
: keep data and resource
hidden
Integrity
: prevent unauthorized modification
Availability : Enabling access to data and resources
THREAT
Definition:
A potential violation of security that can affect the
assets & resources associated with computer system.
E.g.: Virus
Classes of Threat:
Disclosure - unauthorized access to information
E.g.: snooping, wiretapping (Confidentiality)
Deception - acceptance of false data
E.g.: spoofing, denial of receipt (Integrity)
Disruption - interruption of correct operation
E.g.: modification (Integrity)
Usurpation- unauthorized control of some systems
part
E.g.: modification, denial of service
(Availability)
Areas of Threat:
Confidentiality threat - masquerade as recipient and
view message.
Integrity threat
hacker
accesses
the bank
computer system
compromising the integrity of the
record.
Availability threat - Spamming and causing server to
crashed.
ATTACK
Definition:
A threat executed by an attacker that exploits
vulnerabilities to cause threat to occur. E.g.: Hacking
into the network
SECURITY POLICY
A statement of what is or isnt allowed
Types:
Military - primarily protecting confidentiality
Commercial - primarily protecting integrity
Confidentiality - protecting only confidentiality
Integrity - protecting only integrity
SECURITY MECHANISMS
A method, tool, or procedure for enforcing a security
policy.
GOAL OF SECURITY
Prevention - stop attackers from violate security policy
Detection - discover attackers violation of security
policy
Recovery - prevent attack and repair damage
INTEGRITY POLICY
Biba Integrity Model
CLARK-WILSON
2 levels:
Object - CDI / UDI
Subjects - TP & others
Explicit requirements that
actions must meet
Trusted entity must certify
method to upgrade untrusted data
IDENTITY MANAGEMENT
A set of properties assigned to a given object.
- Creation & deletion of identity
- Management of properties assigned to identity
- Secure storage of identity
- Secure handling of queries regarding identity & their
property
LIGHTWIEGHT DIRECTORY ACCESS PROTOCOL
(LDAP)
A directory is a specialized database optimized for
searching and browsing.
LDAP entries are collections of attributes identified
by a unique distinguished name (dn).
Entries are characterized by types that determine
their format and syntax (e.g. ou = Organisational
Unit).
Entries are stored in a hierarchy. A relative
distinguished name defines a search path to an
entry.
Applications: User account management, Address
book (Outlook)
USER AUTHENTICATION
- Something you know: passwords
- Something you have: smart cards
- Something you are: biometrics, voice print
PASSWORDS
Maintenance:
- Generation & distribution
- Password synchronization
- Forgotten passwords; password reset
Threats:
- Brute force search
- Guessing
- Keylogging
- Shoulder surfing
- Identity spoofing / phishing
ACCESS CONTROL
Access control is the collection of mechanisms that
permits management to specify what users can do,
which resources they can access, and what operations
they can perform on a system.
ACCESS CONTROL MATRIX (ACM)
Advantage:
- Clarify of definition
- Easy to verify
Disadvantage:
- Poor scalability
- Poor handling of changes
ACCESS CONTROL LIST (ACL)
Advantage:
- Easy for administrator to see access rights for given
resource.
- Relative easiness of management using abstraction.
Disadvantage:
- Poor overview of access rights per subject
- Difficulty of renovation
- Difficulty of sharing
CAPABILITIES
- A piece of data possession which proves
authorization to access resource.
- Advantage: May be transferred offline between users.
Alice
: {edit.exe: execute}, {fun.com: execute,
read}
Bob : {bill.doc: read, write}, {edit.exe: execute},
{fun.com: execute, read, write}
Columns of Access Control Matrix
file1
file2
Andy
rx
r
Betty
rwxo
r
Charlie
rx
rwo
file3
rwo
w
Advantages:
- Simple & efficient access rights management
- Scalability
Disadvantages:
- Intentional abuse of access rights
- No control over information flow
Mandatory Access Control (MAC)
Advantages:
- Strict control over information flow
- Strong exploit containment
Disadvantages:
- Major usability problems
- Cumbersome administration
Role Based Access Control (RBAC)
RBAC uses a centrally administered set of controls
to determine how subjects & objects interact.
The best system for an organization that has high
turnover.
Attempts to handle complexity of access control by
extensive used of abstractions (Data types;
Procedures; Roles; Hierarchy).
Allows
visitors
to
exchange
personal
information, free from the threat of interception or
tampering.
Organization
Certificates
are
used
by
corporate entities to identify employees for secure
e-mail and web-based transaction.
3.
Encryption and checking the integrity of data provide the receiver with the means to encode a
reply.
4.
Single Sign-On - It can be used to validate a
user and log them into various computer systems
without having to use a different password for each
system
PUBLIC & PRIVATE KEY
Comprises of two related cryptographic keys,
mathematically related, and only the corresponding
private key can decrypt their corresponding public key.
Public Key - made assessable to anyone
Private Key
- confidential to its respective owner
USAGE OF DIGITAL CERTIFICATION
1. Secure Socket Layer (SSL) developed by Netscape
Communications Corporation.
2. Secure Multipurpose Internet Mail Extensions
(S/MIME) Standard for securing email and electronic
data interchange (EDI).
3. Secure Electronic Transactions (SET) protocol for
securing electronic payments
4. Internet Protocol Secure Standard (IPSec) for
authenticating networking devices
ADVANTAGES OF DIGITAL CERTIFICATION
CHAPTER 4
UNIX SECURITY
Security was not a primary design goal of UNIX;
dominant goals were modularity, portability and
efficiency.
UNIX provides sufficient security mechanisms that
have to be properly configured and administered.
The main security strength of UNIX systems comes
from open source implementation which helps
improve its code base.
The main security weakness of UNIX systems
comes from open source implementation resulting
in a less professional code base.
USER ACCOUNT INFORMATION: /etc/passwd
Username: used when user logs in, 132 characters
long
Password: x indicates that encrypted password is
stored in /etc/shadow
User ID (UID):
0 reserved for root, 1-99 for
other predefined accounts, 100-999 for system
accounts/groups
Group ID (GID): the primary group ID
User ID Info: a comment field
Home directory: The absolute path to the directory
the user will be in when they log in
Command/shell: The absolute path of a command
or shell (/bin/bash)
ROOT PRIVILAGES
Almost no security checks:
o all access control mechanisms turned off
o can become an arbitrary user
o can change system clock
Some restrictions remain but can be overcome:
o cannot write to read-only file system but can
remount them as writable
o cannot decrypt passwords but can reset them
Any user name can be root!
SUBJECTS
Subjects in UNIX processes identified by a process ID
(PID)
New process creation:
fork: spawns a new child process which is an
identical process to the parent except for a new PID
vfork: the same as fork except that memory is
shared between the two processes
SUBJECTS
Subjects are active entities in OS primitives.
Windows subjects are processes and threads.
Security credentials for a subject are stored in a
token.
Tokens provide a principal/subject mapping and
may contain additional security attributes.
Tokens are inherited (possibly with restrictions)
during creation of new processes.
CHAPTER 5 - WATERMARKING
MALWARE
A malware is a set of instructions that run on your
computer and make your system do something that an
attacker wants it to do.
WATERMARKING
Resilience to attacks.
Capacity.
Stealth.
VIRUS
A program that can infect other programs by
modifying them to include a, possibly evolved, version
of itself
TYPES:
Polymorphic - uses a polymorphic engine to mutate
while keeping the original algorithm intact (packer)
Metamorphic - Change after each infection
TROJAN HORSE
A Trojan horse describes the class of malware that
appears to perform a desirable function but in fact
performs undisclosed malicious functions
ROOTKIT
A Rootkit is a component that uses stealth to maintain
a persistent and undetectable presence on the
machine
WORM
A computer worm is a self-replicating computer
program. It uses a network to send copies of itself to
other nodes and do so without any user intervention.
INFECTION METHODS
Overwritting, Prepending, Appending, Cavity, MultiCavity, and Document-based malware Micro virus - use
the built-in script engine
PROPAGATION VECTOR
Shared Folder, Email Propagation, Fake Antivirus,
Browser Hijacked, Fake Page!, P2P Files
MULTIMEDIA WATERMARKS
Visible (perceptible).
Invisible (imperceptible).
WATERMARKING APPLICATION
Proof of ownership.
Authentication.
Media Bridging.
Broadcast Monitoring.
Fingerprinting.
Secret Communications.
REQUIREMENT
Robust
survive
accidental
or
malicious attempts at removal.
Oblivious
or
Non-oblivious
Recoverable with or without access to original.
WATERMARKING ATTACKS
Active Attacks:
Steganalysis.
b.
PACKET SWITCHING
A methodology of implementing a network in which
divides
the
data
to
be
transmitted
into packets transmitted
through
the
network
independently. Packet switching shares available
network bandwidth between multiple communication
sessions.
TCP/IP ENCAPSULATION
When data moves from upper layer to lower level of
TCP/IP protocol stack (outgoing transmission) each
layer includes a bundle of relevant information called a
header along with the actual data. The data package
containing the header and the data from the upper
layer then becomes the data that is repackaged at the
next lower level with lower layer's header. This packing
of data at each layer is known as data encapsulation.
TCP CONNECTION SYNCHRONIZATION
To establish a connection, TCP uses a 3-way
handshake. Before a client attempts to connect with a
server, the server must first bind to a port to open it
up for connections: this is called a passive open. Once
the passive open is established, a client may initiate
an active open.
To establish a connection, the 3-way handshake
occurs:
a.
The active open is performed by
sending a SYN to the server.
b.
In response, the server replies with a
SYN-ACK.
c.
Finally the client sends an ACK back to
the server.
At this point, both the client and server have received
an acknowledgement of the connection.
TCP Connection Termination is implemented as follows:
One computer sends a FIN packet to the other
computer including an ACK for the last data received
(N).
a.
The other computer sends an ACK
number of N+1
PROBLEMS
Sniffing is "listening" to network traffic to collect
information. A common usage of sniffing is to listen to
network traffic to look for patterns of a worm
spreading itself.
Spoofing is sending network traffic that's pretending
to come from someone else. A common usage for
spoofing is sending an email message, but to reformat
the header.
Man-In-The-Middle is the type of attack where
attackers intrude into an existing connection to
intercept the exchanged data and inject false
information.
A denial-of-service (DoS attack) is an attempt to
make a computer resource unavailable to its intended
users.
TCP HIJACKING
TCP Hijacking is one of the Man-in-the-Middle attacks
in which an attacker can allow normal authentication
to proceed between the two hosts, and then seize
control of the connection.
There are two possible ways to do this: one is during
the TCP three-way handshake, and the other is in the
middle of an established connection.
SYN FLOOD
A form of denial-of-service attack in which an attacker
sends a succession of SYN requests to a target's
system.
One Security Association is used for processing outbound packets and other Security Association is used
for processing inbound packets.
Objective:
- Secure connectivity of branch offices
- Secure remote access
Advantages:
- Bypass resistence
- Transparency to endusers and applications
Disadvantages:
- Infrastructure support needed
- Performance degradation
AUTHENTICATION HEADER
AH provides data integrity, data origin authentication,
and optional anti-replay services to IP. AH does not
provide any data confidentiality (encryption), so there
is no need for an encryption algorithm.
ENCAPSULATED SECURITY PAYLOAD (ESP)
ESP protects the IP packet data from third party
interference, by encrypting the contents using
symmetric cryptography algorithms as Blowfish &
3DES.
IPSec MODES
Transport mode- The outer header determines the
IPsec policy that protects the inner IP packet.
Tunnel mode - The inner IP packet determines the
IPsec policy that protects its contents.
IPSec SECURITY ASSOCIATION (SA)
Security Association (SA) forms the basis of Internet
Protocol Security (IPSec).
A Security Association (SA) is a simplex (one-way
channel) and logical connection that provides
relationship between two or more systems to build a
unique secure connection.
CHAPTER 6 - IDPS
DEFINITION
Intrusions:
attempts
to
compromise
the
confidentiality, integrity, availability, or to bypass the
security mechanisms of a computer system or network
(illegal access).
Intrusion detection: is the process of monitoring the
events occurring in a computer system or network and
analyzing them for signs of possible intrusions
(incidents).
Intrusion Detection System (IDS): is software that
automates the intrusion detection process. The
primary responsibility of IDS is to detect unwanted and
malicious activities.
Intrusion Prevention System (IPS): is software that
has all the capabilities of an intrusion detection system
and can also attempt to stop possible incidents.
USAGE OF IDPS
TYPES OF IDPS
NETWORK-BASED
It performs packet sniffing and analyzes network
traffic to identify and stop suspicious activity.
It allows some attacks such as network service
worms and viruses with easily recognizable
characteristics, to be detected on networks before
they reach their intended targets.
Network-based products might be able to detect
and stop some unknown threats
through
application protocol analysis.
Although poorly written signature triggers false
positives, it can block a new malware threat hours
before antivirus signatures become available.
However, network-based products are generally not
capable of stopping malicious mobile code or Trojan
horses.
Placement of Network-based IDPS
Outside / inside firewall
Behind remote access server
Between business units
Between corporate network and partner networks
In all switched network segments
HOST-BASED
Similar to network-based, except that a host-based
product monitors the characteristics of a single host
and the events occurring within that host such as
monitoring network traffic.
They often use a combination of attack signatures
and knowledge of expected or typical behavior to
identify known and unknown attacks on systems.
Host-based IDPSs are most commonly deployed on
critical hosts such as publicly accessible servers
and servers containing sensitive information.
Placement of Host-based IDPS
Key servers that contain mission-critical and sensitive
information, Web servers, FTP and DNS servers, Ecommerce database servers,, and Other high value
assets.
NETWORK BEHAVIOR ANALYSIS (NBA)
It examines network traffic to identify threats that
generate unusual traffic flows, such as denial of
service (DoS) and distributed denial of service
(DDoS) attacks.
NBA systems are most often deployed to monitor
flows on an organizations internal networks, and
are also deployed where they can monitor flows
WIRELESS
This type monitors wireless network traffic and
analyzes its wireless networking protocols to
identify suspicious activity involving the protocols
themselves.
It cannot identify suspicious activity in the
application or higher-layer network protocols (e.g.,
TCP, UDP) that the wireless network traffic is
transferring.
EVALUATING IDPS
o Organizations should consider using multiple types
of
IDPS
technologies
to
achieve
more
comprehensive and accurate detection and
prevention of malicious activity.
o For most environments, a combination of networkbased and host-based IDPSs is needed for an
effective IDPS solution.
o NBA technologies can also be deployed if
organizations
desire
additional
detection
capabilities for DoS & DDoS attacks, worms, and
other threats that NBAs are particularly good at
detecting.
o Wireless IDPSs may also be needed if the
organization determines that its wireless networks
need additional monitoring.
o Organizations
need
to
understand
the
characteristics of their system or network
environment before a compatible IDPS can be
selected.
o Organizations should articulate the goals and
objectives they wish to attain by using an IDPS such
as stopping common attacks or identifying
misconfigured wireless network devices, etc.
o Organizations should also review their existing
security policies, which serve as a specification for
many of the features that the IDPS products need
to provide.
o Organizations also need to define specialized sets
of requirements for the following:
Security capabilities
It is including information gathering, logging,
detection, and prevention.
Performance
It is including maximum capacity and performance
features
Management
It is including design and implementation
TC FUNDAMENTAL CONCEPTS
Software runs and communicates securely over
applications and servers
Use locked-down architecture - Hardware level
cryptographic keys for encryption and
authentication
Seal secure data within curtained memory
I/O communication path are encrypted
TC should be expected the computing behave the
way we wanted and do what we wanted securely
Trusted Computing Platform (TCP) has the following
three fundamental features:
Protected Capabilities
Integrity Capabilities
Integrity Reporting
Trusted Computing encompasses six key technology
concepts as required for a fully trusted system:
Endorsement key
Sealed storage
Remote attestation
Software side of TC
Sealed Storage
Remote Attestation
Nexus
o
Special kernel (core of the trusted
operating)
o
Goal: Isolate the process of normal
mode and trusted mode differently in memory
o
Functionality: Authenticate and protect
data (entered, stored, communicated, and
displayed) by data encryption
o
Nexus Computing Agent (NCA)
Normal Mode:
o
Un-protected environment
o
Same as our current Windows series
o
Fully Controlled by the users
Trusted Mode:
o
Protected environment
o
Users have no authorities to modify,
delete, or copy ANY content.
o
Implemented
TC:
Hardware
and
Software implementation
o
Fully Controlled by the computers
USES OF TC