Computer and Network Security

Introduction

Dr. Ron Rymon

Efi Arazi School of Computer Science
IDC, Herzliya. 2009/10
Today’s Lecture

 Introduction

 A Few Nightmare Scenarios

 Statistics and Impact

 Course Plan and Administrativia

 Models of Computer Security

What do we mean by
“Computer Security”?
 Our Security Needs/Threats
 Confidentiality of information stored on computers
 Confidentiality of information communications
 Control of our computers and networks
 Ensuring the integrity of information
 Identifying/authenticating communication partners
 Protecting information services (enterprise, www)
 Protecting information and people privacy
 Protecting digital rights and property
 Protecting computer-operated physical infrastructure

 … and more as computers take greater role in our lives

– hand-held devices, electronic voting, electronic payment, border
control, job entry, etc.
The Adversaries
 For Profit
– Organized crime
– Fraudsters
– Information thieves
– Marketers
– Spies (military, commercial)
– Enemy states & terrorists

 Vandals
– Commercial and political reasons
– Mostly, nut cases and irresponsible kids (“script kiddies”)

 Joy riders
– Technically skilled
– Psychologically challenged
– Again, mostly kids

 Insiders!

 Good hackers vs. Bad hackers (Crackers)

Their Tools of the Trade
 Viruses, worms, etc.
 Password cracking
 Intrusion and penetration attacks
 Eavesdropping attacks (esp. wireless)
 Communication hijacking attacks
 Denial of service attacks
 OS/Application vulnerability attacks
 Trojan horses, viruses/worms, spyware, keyloggers
 Server and access point impersonation
 Phishing and phraud
 Clickjacking
 Social Engineering
 More….
Our Tools of the Trade
 Encryption
 Anti-virus software
 Spam filters
 Firewalls
 Intrusion detection/prevention software
 Strong authentication
 Access control
 Authorization management
 Application security gateways and filters
 Patch management systems
 Electronic signatures
 Disaster Recovery
 … and more…

 EDUCATION!!
Security and People
 People, not technology, are often the weakest link
– Create awareness and educate people that security matters
– Create business processes that enhance security
• accurate provisioning, password mgmt, stronger authentication,
segregation of duty

 Security solutions shall be tied to business processes

– “Treat security as an important part of doing business. It is not less
important than features and performance” (Bill Gates)
– “The missing component in most security products is what Global 5000
buyers most want, the ability to manage business risk, innovation, and
agility. Despite this, security suppliers continue to focus their efforts on
honing technical access controls “ (Aberdeen, Mar 2004)

 Corporate governance: Security is as enterprise management issue

– New executives: Chief Security Officer & Chief Compliance Officer
– Business managers in all ranks are asked to assume security responsibility
A Few Nightmare Scenarios
Nightmare Scenario #1:
Information stolen from our systems
 2000 – hacker breaks CDUniverse, steals 300,000 credit card numbers
 2002 – hacker steals 1MM credit cards from merchants that didn’t patch
 2007 – hacker steals millions of credit cards & personal info from TJMaxx

 2001 – hacker pre-announces JDS earnings

 1/2002, hacker penetrates financial software maker Online Resources; then uses
this to hack into a NY bank and steal account data; then extorts the bank

 2004 – Code of Win2K and NT stolen from Microsoft partner

 2004 – Code of Cisco IOS stolen

 2006 - 25% of companies reported attempted penetration (really, close to 100%)

 2006 – 25% of computers believed infected

 2007 - Theft of laptops and PDAs is top security concern for CIOs
 2008 – Identity theft is top concern for individuals (1 in 6 Americans last year!)
 2009 – Data Leakage is a key concern for security and compliance officers

 70% of all cases are “internal work” – profit, revenge, and ignorance
Nightmare Scenario #2:
Our communication can be exposed
 In 16th century, Mary Queen of Scots loses her head when her coded
messages are deciphered

 In WWII, many German U-boats were destroyed once the British were
able to decipher their Enigma messages

 Today’s encryption mechanisms are very strong, reducing ROI of

eavesdropping and breaking into communication content

 Still, some cases surface from time to time

– Wi-Fi networks originally unsecured and being targeted
– US Carnivore/Echelon sift through millions of emails/phone calls
– Al-Qaeda members caught using Swisscom GSM chips
– Tempest attacks, capturing electromagnetic radiation
– Cloning encryption cards for satellite-based entertainment systems
– Chinese using supercomputers to break American satellite communication
Nightmare Scenario #3:
Control of our computers is taken
 First viruses (e.g., Jerusalem) were spreading slowly

 Code Red (2001) leaves back door on infected machines

– infected 359,000 IIS servers in 14 hours, 2000 per minute at the peak

 SQL Slammer (2003) generated huge traffic from infected network

 In 2004, there were 112,000 known viruses

 Today, most malware is commercially motivated

– Professional and uses multiple infection mechanisms (“time to infection”
is down to FIVE minutes in 2008)
– Soldiers in the botnets army… (~25% of all computers are infected)
– Steal information, e.g., identity, passwords, credit cards…
– Serve for commercial spam

 Many recent attacks aimed at virtualization platforms

 Next, significant risk to mobile devices
Nightmare Scenario #4:
Website defacing
 Some are political protests
– 2000 - Pro-Israeli and Pro-Palestinian (e-Jihad) hackers deface sites
– 2000 - Hamas site and Al Qaeda site visitors diverted to porn sites
– 2001 - Chinese posted picture of downed pilot on US Govt sites
– 2003 - web sites defaced by anti/pro war in Iraq
– 2008 – CERN site was defaced after the big bang experiment

 Businesses are also affected

– 1999 - NASDAQ and AMEX sites are defaced
– 2001 - British Telecom defaced by hackers complaining about service
– 2002 – RIAA site is defaced and provides pirated music for download

 Massive defacing
– 2001- hacker group defaces 679 sites in 1 minute
– 2003 - Blackhat defacing competition: winner must deface 6000 sites asap

 2007 – US government sites pointing to Viagra and porn sites

Nightmare Scenario #5:
Service interruptions
 1996 - Panix (ISP) suffers a DoS SYN attack
 1999 - Melissa crashes e-mail servers (replicates to Outlook contacts)
 2000 - Mafiaboy attack crashes Yahoo, CNN, Amazon for 3 hours
 2003 - RIAA site is attacked
 2004 - MyDoom (email virus) attacks Microsoft, SCO sites
 2007 - Estonia infrastructure attacked by Russian hackers

 27% of companies running web services reported DoS attacks

 The Knesset, Israeli PM and other ministries are constantly attacked

 Today, the main concern is around VoIP, wireless infrastructure.

 What is next? Power plants? Other forms of Cyber-Terrorism?

Nightmare Scenario #6:
Fraud and Identity Theft
 FTC Survey (2003)
– 4.6% of consumers defrauded in 2003 (12.7% in past 5 years)
– Mostly credit cards, but also bank accounts, loans, mortgage apps...
– Total ID Fraud estimated at $50B a year

 Internet payment fraud is rampant

– 20 times the “normal” rate; typically identity theft
– Used to be easy to change fields (e.g. price) in web forms

 Fraudulent merchants and con-artists defraud users

– Phishing rampant everywhere
– Fraudulent porn services “re-used” credit card numbers

 Identity theft becomes one of biggest problems (2007)

– Fraudsters and mafia stealing “whole identities”
– Use to buy, take loans, sell houses, etc., ruining victim’s credit history

 Who is that merchant I intend to buy from? difficult to authenticate…

Nightmare Scenario #7:
E-Mail Blues
 Many forms of viruses. Worms, Trojans spread via mail
– Attract download software/applet (some pretend to help against a virus)
– Phishing grows quickly
– Spoof sender address and identity
– Huge economic cost due to destruction, traffic, cleanup costs
– At its peak, 8% of emails were MyDoom

 Spam makes up >80% of email traffic

– Started with Internet – economic model of direct marketing fails
– Spoofing mail address, headers, names, etc
– Cause significant economic damage

 Unprotected e-mail became almost unusable for simple e-mail users

 Proposed solutions are both technological and legal

– New comprehensive email solutions include: anti-virus/worms, fraud,
spam, content policy, privacy, and confidentiality
– Microsoft initiative, Challenge-response mechanisms, Caller-ID
Current Statistics and Impact
Security Incidents and Reporting
9000
8000
7000
6000
5000
4000
3000
2000
1000
0
1995 1996 1997 1998 1999 2000 2001 2002 2003 2004 2005 2006

# of incidents and # reported (CERT)

Vulnerability disclosures (IBM)

Security Threats (2008)
What? How? Who?

2008 Baseline Mag Security Survey

How Important Is IT Security?

Source: IBM Market Monitor, 2004

Course Plan and
Administrativia
Course Plan
 Cryptography
– history, conventional, public-key, key dist/mgmt
 Identity Authentication
– Signatures, challenge-response, identity authentication
 Securing Communications Protocols
– IPSec, VPNs, Web security (SSL), WiFi Security
 Access Control
– Kerberos, Firewalls, PKI
 Malicious Code and Intruders
– Viruses, Worms, Intrusion detection, Spyware
 Application Security
– Email security, Spam, VoIP, Cellphones
 Market Trends: Guest Presentations
Course Materials
 Course site
– http://www1.idc.ac.il/compsec

 Main Textbook
– “Network Security Essentials: Applications and Standards” /
William Stallings (old edition OK)

 Highly recommended
– Applied Cryptography / Bruce Schneier

 Most course material is from current sources

– News, Industry (analysts, conferences, vendors), Academic
– Subject-specific books
Administrativia
 Lecturer: Dr. Ron Rymon
 Teaching Assistant: TBD

 Lectures: Sunday 9:30-12noon, C109

 Secondary slot: Tue evening (if needed)

 Office Hours: by appointment

 Credits: 3
 Open to CS MSc, and BSc (2nd and 3rd year) students

 Grade: 70% exam, 30% other (project, in-class quizes, homework)

– Must pass the exam
– Must turn in all work, in time
Models of Computer Security
Secured Communication Model

Alice Bob
 Trusted Server
Example
ob) Pu
(B bK
m m
ob) (A
Co K(B lic
b e)
Pu
Alice Bob

Sign/ SignPrivK(Alice) (“Alice”)

Encrypt Decrypt
PrivK(Alice) SignPrivK(Bob) (“Bob”) Sign/ PrivK(Bob)
Decrypt
Encrypt
Gen Sess Key
EncPubK(Bob) (SessK)
Encrypt Decrypt
EncSessK(Message)
Encrypt Decrypt
Secured Access Model
 Identify and filter requests for information
Access Control Model
 Authentication
– Must provide credentials to access a resource
• E.g., password, fingerprint, identification card

 Authorization
– Must be authorized to gain access to specific data, other
computing resources.
• E.g., file systems, firewalls, application authorization model
• Various levels of granularity
ITU/IETF X.800: Security Threats,
Attacks, Services, and Mechanisms
 Security Threat: A potential attack on systems or on information
security needs

 Security Attack: An attempt to compromise the security of systems or

information
– Example: Eavesdropping on communication

 Security Service: Use of one or more mechanisms to enhance the

security of a system or application
– Example: Confidentiality of communications

 Security Mechanism: A specific method to detect, prevent, or recover

from an attack, and to provide the required service
– Example: Encryption software
Attacks: The X.800 Threat
Model
Security Attacks (Stallings)
Examples of Attacks
 Attacks can be Active, e.g., intrusion, or Passive, e.g,
eavesdropping

 Examples of attacks:
– Intrusion
– Eavesdropping
– Impersonation
– Viruses / Worms
– Denial of service
– Man-in-the-middle
– Reflection attack
– Replay attack
– Password cracking
– Data/code modification
– Fraudulent attribution
– Repudiation
X.800 Security Services
 Authentication
– Identify peers, Source authentication for data
 Access Control
– Who can access to what
 Data Confidentiality
– Connection, Connectionless (system), Traffic, Privacy
 Data Integrity
– With or without recovery
 Non-repudiation
– Origin, Destination, Both
 Availability
– A service on its own, or a property of other services
Security Mechanisms
 Specific use of certain algorithms, protocols, and procedures
to provide one or more security services

 Examples
– Authentication – use password, fingerprint, magnetic card
– Access Control – specify access rights based on the user id,
role/group to specific transactions and/or specific content
– Data Confidentiality – encrypt information using a specific algorithm
– Data Integrity – detect and prevent unauthorized change to content
– Non-Repudiation – use electronic signature to ensure authenticity
– Availability – increase resiliency, filter malicious traffic

 Many security mechanisms use Cryptography as an

underlying technology
Next Class:

Steganography and History of

Cryptography