Information Security Important Functions
1. Protect the organization's ability to function
2. Enable the safe operation of applications
3. Protect the data
4. Safeguard technology assets
Threats
an object, person, or other entity that presents an ongoing danger to an asset
Compromises to intellectual property
Threats to Information Security
Piracy, copyright infringement
Software attacks
Threats to Information Security
Viruses, worms, macros, DoS
Deviations in quality of service
Threats to Information Security
ISP, power, WAN service issues from service providers
Espionage or trespass
Threats to Information Security
Unauthorized access and/or data collection
Forces of nature
Threats to Information Security
Fire, flood, earthquake, lightning
Acts of human error or failure
Threats to Information Security
Accidents, employee mistakes
Information extortion
Threats to Information Security
Blackmail or information disclosure
Deliberate acts of theft
Threats to Information Security
Illegal confiscation of equipment or information
Missing, inadequate, or incomplete
Threats to Information Security
Loss of access to information systems due to disk drive failure, without proper backup and recovery plan
Missing, inadequate, or incomplete controls
Threats to Information Security
Network compromised because no firewall security controls
Sabotage or vandalism
Threats to Information Security
Destruction of systems or information
Theft
Threats to Information Security
Illegal confiscation of equipment or information
Technical hardware failures or errors
Threats to Information Security
Equipment failure
Technical hardware failures or errors
Threats to Information Security
Bugs, code problems, unknown loopholes
Technological obsolescence
Threats to Information Security
Antiquated or outdated technologies
Intellectual Property
•Trade secrets
•Copyrights
•Trademarks
•Patents
2 watchdog agencies
Intellectual Property
•Software and Information Industry Association
•Business Software Alliance
Most common breach
Intellectual Property
•Software piracy
•1/3 of all software in use is pirated
Intellectual Property
Breaches constitute a threat
Deliberate Software Attacks
•Malicious code
•Malicious software
•Malware
First business hacked out of existence
Deliberate Software Attacks
•Denial-of-service attack
•Cloudnine
•British Internet service provider
Virus
•Segments of code
•Attaches itself to existing program
•Takes control of program access
•Replication
Worms
•Malicious program
•Replicates constantly
•Doesn't require another program
•Can be initiated with or without a user download
Trojan Horse
•Hide their true nature
•Reveal the designed behavior only when activated
Back door or trap door
Allows access to a system at will with special privileges
Polymorphism
•Changes its apparent shape over time
•Makes it undetectable by techniques that look for preconfigured signatures
Intelligence Gathering
Espionage or Trespass
•Legal - competitive intelligence
•Illegal - industrial espionage
•Thin line
•One technique - shoulder surfing
Trespass
Espionage or Trespass
Protect with
•Authentication
•Authorization
Experts
Hackers (2 levels)
•Develop software scripts
•Develop program exploits
Novice
Hackers (2 levels)
Script kiddie
•Use previously written software
Packet monkeys
•Use automated exploits
Crackers
System Rule Breakers
Individuals who crack or remove software protection designed to prevent unauthorized duplication
Phreakers
System Rule Breakers
Use public networks to make free phone calls
Forces of Nature
•Pose some of most dangerous threats
•Unexpected and occur with little or no warning
•Fire
•Tornado
•Tsunami
•Electrostatic discharge
•Dust contamination
•Flood
•Earthquake
•Lightning
•Landslide
•Mudslide
•Hurricane/typhoon
Acts of Human Error or Failure
Acts performed without intent or malicious purpose by an authorized user
Acts of Human Error or Failure
•Greatest threat to org info security
•Organization's own employees
•Closest to the data
•Mistakes
•Revelation of classified data
•Entry of erroneous data
•Accidental deletion or modification of data
•Storage of data in unprotected areas
•Failure to protect information
Prevention
Acts of Human Error or Failure
•Training
•Ongoing awareness activities
•Controls
•Require user to type a critical command twice
•Verification of commands
Deliberate Acts
•Information Extortion
•Attacker or trusted insider steals information
•Demands compensation
•Agree not to disclose information
Missing, Inadequate or Incomplete Controls
•Security safeguards and information asset protection controls are
•Missing
•Misconfigured
•Antiquated
•Poorly designed or managed
•Make org more likely to suffer loss
Sabotage or Vandalism
•Deliberate sabotage of a computer system or business
•Acts to destroy an asset
•Damage to an image of an organization
•Hacktivist or cyber activist
•Interfere with or disrupt systems
•Protest the operations, policies, or actions
•Cyber terrorism
•Theft
Theft
•Illegal taking of another's property
•Physical
•Electronic
•Intellectual
•Constant
•Problem - crime not always readily apparent
Technical Hardware Failures or Errors
Best known
•Intel Pentium II chip
•First ever chip recall
•Loss of over $475 million
Technology obsolescence
Technical Hardware Failures or Errors
Can lead to unreliable and untrustworthy systems
Technical Software Failures or Errors
•Large quantities of code written, published, and sold with bugs
•Bugs undetected and unresolved
•Combinations of software can cause issues
•Weekly patches
Technology Obsolescence
•Outdated hardware or software
•Reliability problems
•Management problem
•Should have plan in place
•Non-support of legacy systems
•Can be costly to resolve
IP scan and attack
Attacks
Infected system scans IP addresses and targets vulnerabilities
Web browsing
Attacks
Makes Web content files infectious
Virus
Attacks
Infect other machines
Unprotected shares
Attacks
Infects any device that is unprotected
Mass mail
Attacks
e-mailing to all addresses in an address book
Simple Network Management Protocol (SNMP)
Attacks
Using the common password employed in early versions of the protocol, the attacking program can gain control of the device.
Hoaxes
METHODS OF ATTACKS
A more devious attack on computer systems is the transmission of a virus hoax with a real virus attached. When the attack is masked in a seemingly legitimate message, unsuspecting users more readily distribute it.
Backdoors
METHODS OF ATTACKS
Using a known or previously unknown and newly discovered access mechanism, an attacker can gain access to a system or network resource through a back door. Sometimes these entries are left behind by system designers or maintenance staff, and thus are called trap
Password Crack
METHODS OF ATTACKS
Attempting to reverse-calculate a password is often called cracking. A cracking attack is a component of many dictionary attacks. It is used when a copy of the Security Account Manager (SAM) data file, which contains hashed representations of the users' passwords, can be obtained. A candidate password can be hashed using the same algorithm and compared to the stored hash. If they are the same, the password has been cracked.
Brute Force
METHODS OF ATTACKS
The application of computing and network resources to try every possible password combination is called a brute force attack. Since the brute force attack is often used to obtain passwords to commonly used accounts, it is sometimes called a password attack.
Dictionary
METHODS OF ATTACKS
The dictionary attack is a variation of the brute force attack which narrows the field by selecting specific target accounts and using a list of commonly used passwords (the dictionary) instead of random combinations.
Denial-of-Service (DoS)
METHODS OF ATTACKS
In a denial-of-service (DoS) attack, the attacker sends a large number of connection or information requests to a target (see Figure 2-11). So many requests are made that the target system becomes overloaded and cannot respond to legitimate requests for service. The system may crash or simply become unable to perform ordinary functions.
Distributed Denial-of-Service (DDoS)
METHODS OF ATTACKS
•A distributed denial-of-service (DDoS) is an attack in which a coordinated stream of requests is launched against a target from many locations at the same time.
•DDoS attacks are the most difficult to defend against, and there are presently no controls that any single organization can apply.
Spoofing
METHODS OF ATTACKS
a technique used to gain unauthorized access to computers, wherein the intruder sends messages with a source IP address that has been forged to indicate that the messages are coming from a trusted host.
Man-in-the-middle
METHODS OF ATTACKS
In the well-known ___________________ or TCP hijacking attack, an attacker monitors (or sniffs) packets from the network, modifies them, and inserts them back into the network. This type of attack uses IP spoofing to enable an attacker to impersonate another entity on the network. It allows the attacker to eavesdrop as well as to change, delete, reroute, add, forge, or divert data.
Spam
METHODS OF ATTACKS
unsolicited commercial e-mail
Mail Bombing
METHODS OF ATTACKS
Another form of e-mail attack that is also a DoS is called a mail bomb, in which an attacker routes large quantities of e-mail to the target. This can be accomplished by means of social engineering (to be discussed shortly) or by exploiting various technical flaws in the Simple Mail Transport Protocol (SMTP).
Sniffers
METHODS OF ATTACKS
a program or device that can monitor data traveling over a network. Sniffers can be used both for legitimate network management functions and for stealing information. Unauthorized sniffers can be extremely dangerous to a network's security, because they are virtually impossible to detect and can be inserted almost anywhere.
Social Engineering
METHODS OF ATTACKS
In the context of information security, _____________________ is the process of using social skills to convince people to reveal access credentials or other valuable information to the attacker.
Phishing
METHODS OF ATTACKS
an attempt to gain personal or financial information from an individual, usually by posing as a legitimate entity. ____________ attacks gained national recognition with the AOL phishing attacks that were widely reported in the late 1990s, in which individuals posing as AOL technicians attempted to get logon credentials from AOL subscribers
spear phishing
METHODS OF ATTACKS
a label that applies to any highly targeted phishing attack. While normal phishing attacks target as many recipients as possible, a spear phisher sends a message that appears to be from an employer, a colleague, or other legitimate correspondent, to a small group or even one specific person. This attack is sometimes used to target those who use a certain product or Web site.
Phishing attacks
METHODS OF ATTACKS
use three primary techniques, often in combination with one another:
•URL manipulation,
•Web site forgery, and
•phone phishing.
URL manipulation
METHODS OF ATTACKS
attackers send an HTML-embedded e-mail message, or a hyperlink whose HTML code opens a forged Web site.
forged Web site
METHODS OF ATTACKS
the page looks legitimate; indeed, when users click on either of the bottom two buttons—Personal Banking Demo or Enroll in RegionsNet—they are directed to the authentic bank Web page.
Phone phishing
METHODS OF ATTACKS
•pure social engineering. The attacker calls a victim on the telephone and pretends to be someone they are not (a practice sometimes called pretexting) in order to gain access to private or confidential information such as health or employment records or financial information. They may impersonate someone who is known to the potential victim only by reputation.
Pharming
METHODS OF ATTACKS
the redirection of legitimate Web traffic (e.g., browser requests) to an illegitimate site for the purpose of obtaining private information. Pharming often uses Trojans, worms, or other virus technologies to attack the Internet browser's address bar so that the valid URL typed by the user is modified to that of the illegitimate Web site.
Timing Attack
METHODS OF ATTACKS
explores the contents of a Web browser's cache and stores a malicious cookie on the client's system.
Secure software development
The development of systems and the software they use is often accomplished using a methodology, such as the systems development life cycle (SDLC). Many organizations recognize the need to include planning for security objectives in the SDLC they use to create systems, and have put in place procedures to create software that is more able to be deployed in a secure fashion. This approach to software development is known as software assurance, or SA.
Command Injection
SOFTWARE DEVELOPMENT SECURITY PROBLEMS
problems occur when user input is passed directly to a compiler or interpreter. The underlying issue is the developer's failure to ensure that command input is validated before it is used in the program. In the batch file below, the string typed by the user is expanded and used without any validation:

@echo off
REM Read a string from the user into myVar
set /p myVar="Enter the string>"
REM The raw, unvalidated input is expanded into a second variable and echoed
set someVar=%myVar%
echo %someVar%
Cross site scripting (or XSS)
SOFTWARE DEVELOPMENT SECURITY PROBLEMS
occurs when an application running on a Web server gathers data from a user in order to steal it. An attacker can use weaknesses in the Web server environment to insert commands into a user's browser session.
Failure to handle errors
SOFTWARE DEVELOPMENT SECURITY PROBLEMS
cause a variety of unexpected system behaviors. Programmers are expected to anticipate problems and prepare their application code to handle them.
Failure to Protect Network Traffic
SOFTWARE DEVELOPMENT SECURITY PROBLEMS
With the growing popularity of wireless networking comes a corresponding increase in the risk that wirelessly transmitted data will be intercepted. Without appropriate encryption (such as that afforded by WPA), attackers can intercept and view your data.
Failure to Store and Protect Data Securely
SOFTWARE DEVELOPMENT SECURITY PROBLEMS
Failure to properly implement sufficiently strong access controls makes the data vulnerable. Overly strict access controls hinder business users in the performance of their duties.
Failure to Use Cryptographically Strong Random Numbers
SOFTWARE DEVELOPMENT SECURITY PROBLEMS
These "random" number generators use a mathematical algorithm, based on a seed value and another system component (such as the computer clock), to simulate a random number. Those who understand the workings of such a "random" number generator can predict particular values at particular times.
Format String Problems
SOFTWARE DEVELOPMENT SECURITY PROBLEMS
An attacker may embed characters that are meaningful as formatting directives (e.g., %x, %d, %p, etc.) into malicious input; if this input is then interpreted by the program as formatting directives (such as an argument to the C printf function), the attacker may be able to access information or overwrite very targeted portions of the program's stack with data of the attacker's choosing.
Neglecting Change Control
SOFTWARE DEVELOPMENT SECURITY PROBLEMS
Developers use a process known as change control to ensure that the working system delivered to users represents the intent of the developers. Early in the development process, change control ensures that developers do not work at cross purposes by altering the same programs or parts of programs at the same time. Once the system is in production, change control processes ensure that only authorized changes are introduced and that all changes are adequately tested before being released.
Improper File Access
SOFTWARE DEVELOPMENT SECURITY PROBLEMS
If an attacker changes the expected location of a file by intercepting and modifying a program code call, the attacker can force a program to use files other than the ones the program is supposed to use. This type of attack could be used to either substitute a bogus file for a legitimate file (as in password files), or trick the system into running a malware executable.
Improper Use of SSL
SOFTWARE DEVELOPMENT SECURITY PROBLEMS
While most programmers assume that using SSL guarantees security, unfortunately they more often than not mishandle this technology. SSL and its successor, Transport Layer Security (TLS), both need certificate validation to be truly secure. Failure to use Hypertext Transfer Protocol Secure (HTTPS), to validate the certificate authority and then validate the certificate itself, or to validate the information against a certificate revocation list (CRL), can compromise the security of SSL traffic.
Information Leakage
SOFTWARE DEVELOPMENT SECURITY PROBLEMS
•One of the most common methods of obtaining inside and classified information is directly or indirectly from an individual, usually an employee.
•By warning employees against disclosing information, organizations can protect the secrecy of their operation.
Race Conditions
SOFTWARE DEVELOPMENT SECURITY PROBLEMS
when a program creates a temporary file, and an attacker is able to replace it between the time it is created and the time it is used. A race condition can also occur when information is stored in multiple memory threads if one thread stores information in the wrong memory location, by accident or intent.
SQL Injection
SOFTWARE DEVELOPMENT SECURITY PROBLEMS
•occurs when developers fail to properly validate user input before using it to query a relational database. For example, a fairly innocuous program fragment expects the user to input a user ID and then performs a SQL query against the USERS table to retrieve the associated name:
Ex.
Accept USER-ID from console;
SELECT USERID, NAME FROM USERS WHERE USERID = USER-ID;
Trusting Network Address Resolution
SOFTWARE DEVELOPMENT SECURITY PROBLEMS
In this type of attack, if the attacker discovers a delay in a name server (or can introduce one, as in a denial-of-service attack), they can set up another server to respond as if it were the actual DNS server, before the real DNS server can.
Unauthenticated Key Exchange
SOFTWARE DEVELOPMENT SECURITY PROBLEMS
It is when an attacker writes a variant of a public key system and places it out as "freeware," or corrupts or intercepts the function of someone else's public key encryption system, perhaps by posing as a public key repository.
Use of Magic URLs and Hidden Forms
SOFTWARE DEVELOPMENT SECURITY PROBLEMS
Too often sensitive state information is simply included in a "magic" URL (for example, the authentication ID is passed as a parameter in the URL for the exchanges that will follow) or included in hidden form fields on the HTML page.
Use of Magic URLs and Hidden Forms
SOFTWARE DEVELOPMENT SECURITY PROBLEMS
If this information is stored as plain text, an attacker can harvest the information from a magic URL as it travels across the network, or use scripts on the client to modify information in hidden form fields.
Use of Weak Password-Based Systems
SOFTWARE DEVELOPMENT SECURITY PROBLEMS
•Failure to require sufficient password strength, and to control incorrect password entry, is a serious security issue.
•Systems that do not validate passwords, or store passwords in easy-to-access locations, are ripe for attack.
•The strength of a password determines its ability to withstand a brute force attack. Using non-standard password components (like the 8.3 rule—at least 8 characters, with at least one letter, number, and non-alphanumeric character) can greatly enhance the strength of the password.
Poor Usability
SOFTWARE DEVELOPMENT SECURITY PROBLEMS
•Employees prefer doing things the easy way. When faced with an "official way" of performing a task and an "unofficial way"—which is easier—they prefer the easier method. The only way to address this issue is to provide only one way—the secure way! Integrating security and usability, adding training and awareness, and ensuring solid controls all contribute to the security of information. Allowing users to default to easier, more usable solutions will inevitably lead to loss.
Laws
•Rules that mandate or prohibit certain behavior
•Drawn from ethics
Ethics
Define socially acceptable behaviors
Liability
•Legal obligation of organization
•Extends beyond criminal or contract law
•Include legal obligation to restitution
•Employee acting with or without authorization performs an illegal or unethical act that causes some degree of harm
•Employer can be held financially liable
Due care
•Organization makes sure that every employee knows what is acceptable or unacceptable
•Knows the consequences of illegal or unethical actions
Policies
•Guidelines that describe acceptable and unacceptable employee behaviors
•Function as organizational laws
•Have penalties, judicial practices, and sanctions
Keys for a policy to be enforceable
•Dissemination
•Review
•Comprehension
•Compliance
•Uniform enforcement
Civil
Types of Law
govern a nation or state