Introduction to ICT security

Transcript

(intro - set'16)
Introduction to the security of
ICT systems
Antonio Lioy
< lioy @ polito.it >
Politecnico di Torino
Dip. Automatica e Informatica
Agenda

introduction to information security:
 evolution of ICT systems and the security problem
 problems and vocabulary of ICT security
 technological attacks (sniffing, spoofing, …)
 non-technological attacks (social engineering)
© Antonio Lioy - Politecnico di Torino (2005-2016)
1
(intro - set'16)
Why security is “hot” today?
Traditional paradigms



centralised information and processing
access to data from “dumb” terminals
“unicast” communication over dedicated lines
EDP center
concentrator
terminals
2
(intro - set'16)
New paradigms




distributed information and processing
access from distributed intelligent terminals
“broadcast” communication and/or shared lines
new application paradigms (web, SMS, …)
WAN
LAN
Technology as innovation engine
personal
devices
(PC, tablet, …)
communication
network
INNOVATION
security
3
(intro - set'16)
A definition of ICT security
It is the set of products, services, organization rules and
individual behaviours that protect the ICT system of a
company.
It has the duty to protect the resources from undesired
access, guarantee the privacy of information, ensure the
service operation and availability in case of unpredictable
events (C.I.A. = Confidentiality, Integrity, Availability).
The objective is to guard the information with the same
professionalism and attention as for the jewels and
deposit certificates stored in a bank caveau.
The ICT system is the safe of our most valuable
information; ICT security is the equivalent of the locks,
combinations and keys required to protect it.
SERVICE
Risk estimation
ASSET
data
ICT resources
human
resources
location
EVENTS
vulnerabilities
impact
threats
event
probability
RISK ESTIMATION
4
(intro - set'16)
Terms





ASSET = the set of goods, data and people needed
for an IT service
VULNERABILITY = weakness of an asset
 e.g. pwd = login; sensible to flooding
THREAT = deliberate action / accidental event that
can produce the loss of a security property
exploiting a vulnerability
ATTACK = threat occurrence (deliberate action)
(NEGATIVE) EVENT = threat occurrence
(accidental event)
Analysis and management of security
analysis
vulnerabilities
asset
risks
select
countermeasures
threats
management
implement
countermeasures
audit
5
(intro - set'16)
Security in the lifecycle of a system
requirements
analysis
technical
options
design
develop
test
implement
live
system
risk
assessment
identify
security
products
design
security
services
integrate
security
test
security
set-up
security
manage
security
security
policy &
procedures
Relations in the security field
threats
security
control
reduce
security
requirements
exploit
security risks
underwrite
vulnerabilities
devalue
assets
asset values
and potential
impacts
6
(intro - set'16)
Window of exposure
risk
vendor informed
of vulnerability
vendor notifies
its customers
(sometimes)
security tools updated
(e.g. IDS signatures)
a patch
is published
new vulnerability
discovered
patch is
widely
known
vulnerability
is made public
exploit (!)
discovery
patch
installed
publication
protection
window of exposure
t
WOE: average value for browser 2008-10
http://www.symantec.com/threatreport/topic.jsp?
id=vulnerability_trends&aid=browser_window_of_exposure
7
(intro - set'16)
WOE: server web (2010)
What is security?
Security is a process,
not a product
(Bruce Schneier, Crypto-Gram, May 2005)
Computer Security: Will We Ever Learn?
If we've learned anything from the past couple of years, it’s that computer security flaws
are inevitable. Systems break, vulnerabilities are reported in the press, and still many
people put their faith in the next product, or the next upgrade, or the next patch. “This
time it’s secure,” they say. So far, it hasn’t been.
Security is a process, not a product. Products provide some protection, but the only way
to effectively do business in an insecure world is to put processes in place that recognize
the inherent insecurity in the products. The trick is to reduce your risk of exposure
regardless of the products or patches.
8
(intro - set'16)
European Central Bank



ECB Recommendations for the security of Internet
payments (31//12013)
application to:
 payment schemes governance authorities
 payment service providers (PSP)
 merchants (optional)
main reccomendations:
 protect the initiation of internet payments, as well
as access to sensitive payment data, by strong
customer authentication
 (continue)
European Central Bank




limit the number of log-in or authentication
attempts, define rules for Internet payment services
session “time out” and set time limits for the validity
of authentication
establish transaction monitoring mechanisms
designed to prevent, detect and block fraudulent
payment transactions
implement multiple layers of security defences in
order to mitigate identified risks;
provide assistance and guidance to customers
about best online security practices, set up alerts
and provide tools to help customers monitor
transactions
9
(intro - set'16)
(abstract) security properties
autenticazione
( semplice / mutua )
authentication ( simple / mutual )
autenticazione della
controparte
peer authentication
autenticazione dei dati
data / origin authentication
autorizzazione,
controllo accessi
authorization,
access control
integrità
integrity
riservatezza, confidenzialità confidentiality, privacy, secrecy
non ripudio
non repudiation
disponibilità
availability
tracciabilità
accountability
Peer authentication
Hi, I’m Alice
Prove it!
Barbara
10
(intro - set'16)
Mutual peer authentication
Hi, I’m Barbara
Hi Barbara, nice to
meet you!
Is that my
e-bank?
Sure!
How can you doubt?
Steal & Rob Ltd.
Barbara
Data authentication
Increase by 30% the
salary of Prof. Lioy
The Dean
11
(intro - set'16)
Non repudiation


formal proof – acceptable by a court of justice –
that gives undeniable evidence of the data creator
several facets:
 (sender/author) authentication
 integrity
 (sender/author) identification
 ...
Non repudiation - example

let’s consider non-repudiation of an electronic
signature:
 syntax (is that your signature?)
 semantics (did you understand what you were
signing?)
 will (have you signed voluntarily?)
 identification (was really YOU the signer?)
 time (when did you sign?)
 place (where did you sign?)
12
(intro - set'16)
Authorization (access control)
Gimme Alice’s car!
Did she authorized
you to borrow it?
Barbara
Pyramid of security
$$$
$$$
log
log
integrity
integrity
privacy
privacy
authorization
authorization
authentication
auth.
13
(intro - set'16)
Privacy (communication)
Do you know that Laura
is NOT a natural blonde?
What a shame!
Bloody *?%$#”!
Laura
Privacy (data, actions, position)
www.playboy.com
black_money.xls
Torino, cell 2455
14
(intro - set'16)
Integrity (data modification)
Pay 1,000 Euro
to Antonio Lioy
computer
network
Pay 10,000 Euro
to Antonio Lioy
Integrity (data filtering)
Transfer 2500 Euro from Antonio
Lioy’s account to the Rolex’s one
computer
network
15
(intro - set'16)
Replay attack
Pay 1,000 EURO
to Antonio Lioy
Pay 1,000 EURO
to Antonio Lioy.
Pay 1,000 EURO
to Antonio Lioy.
Pay 1,000 EURO
to Antonio Lioy.
computer
network
Where is the enemy?




outside our organization
 boundary / perimeter defence (firewall)
outside our organization, with the exception of our
partners
 Extranet protection (VPN)
inside our organization
 LAN / Intranet protection (?!)
everywhere!
 application-level protection
 data protection
16
(intro - set'16)
Attack origin (2016)

percentage of external / internal attacks:
 internal 20%
 external 80%
 note: biased statistics due to the type of survey, the
CSI/FBI one (last published on 2011) had more
internal attacks
(from Verizon Data Breach Investigation Report 2016)
Temporal evolution
of the main attacks
listed in the annual
CSI/FBI survey
17
(intro - set'16)
Stolen laptop / smartphone



not only an economic loss to replace the stolen
device …
but also the loss of data that become unavailable
(backup?) …
or the spreading of restricted information
Scoop of a Global Post reporter in the town between Pakistan
and Afghanistan
US PCs sold at the Peshàwar market
Computers of the US army with restricted data sold for 650$
along the road where Nato troops are attacked by the talebans.
… Still full of classified informations, such as names, sites, and
weak points.
(corriere.it, 9/2/09)
Insecurity: the deep roots (I)




“Attack technology is developing in a open-source
environment and is evolving rapidly”
“Defensive strategies are reactionary”
“Thousands - perhaps millions - of system with
weak security are connected to the Internet”
“The explosion in use of the Internet is straining
our scarce technical talent. The average level of
system administrators … has decreased
dramatically in the last 5 years”
18
(intro - set'16)
Insecurity: the deep roots (II)



“Increasingly complex sw is being written by
programmers who have no training in writing
secure code”
“Attacks and attack tools transcend geography
and national boundaries”
“The difficulty of criminal investigation of
cybercrime coupled with the complexity of
international law means that … prosecution of
computer crime is unlikely”
from “Roadmap for defeating DDOS attacks”
(feb. 2000, after Clinton meeting at White House)
updates on www.sans.org/dosstep/roadmap.php
Basic problems (technological)




the networks are insecure:
 (most) communications are made in clear
 LANs operate in broadcast
 geographical connections are NOT made through
end-to-end dedicated lines but:
 through shared lines
 through third-party routers
weak user authentication
(normally password-based)
there is no server authentication
the software contains many bugs!
19
(intro - set'16)
Some classes of attacks




IP spoofing / shadow server
someone takes the place of a (legitimate) host
packet sniffing
passwords and/or sensitive data are read by
(unauthorized) third parties
connection hijacking / data spoofing
data inserted / modified during their transmission
denial-of-service (distributed DoS)
the functionality of a service is limited or disrupted
(e.g. ping bombing)
IP spoofing (masquerading)





forging the source network address
typically the level 3 (IP) address is forged, but it is
equally easy to forge the level 2 address (e.g. ETH,
TR, ...)
a better name would be source address spoofing
attacks:
 data forging
 (unauthorized) access to systems
countermeasures:
 do NEVER use
address-based authentication
20
(intro - set'16)
Packet sniffing (eavesdropping)




reading the packets addressed to another network
node
easy to do in broadcast networks (e.g. LAN) or at
the switching nodes (e.g. router, switch)
attacks:
 allows to intercept anything (password, data, ...)
countermeasure:
 non-broadcast networks (!?)
 encryption of packet payload
1
00
011010
1001010
Denial-of-service (DoS)




keeping a host busy so that it can’t provide its
services
examples:
 mail / log saturation
 ping flooding (“ping bombing”)
 SYN attack
attacks:
 block the use of a system / service
countermeasures:
 none!
 monitoring and oversizing can mitigate the effects
21
(intro - set'16)
Distributed denial-of-service (DDOS)




software for DoS installed on many nodes (named
daemon, zombie or malbot) to create a Botnet
daemons remotely controlled by a master (often
via encrypted channels) and have auto-updating
feature
effect of the base DoS attack multiplied by the
number of daemons (and eventually by an
amplification factor, if servers are involved)
examples of DDoS attack networks:
 TrinOO
 TFN (Tribe Flood Network)
 Stacheldraht (=barbed wire)
DDoS attack
attacker
master
daemon
daemon
master
daemon
master
daemon
daemon
VICTIM
control
attack
22
(intro - set'16)
Feb 8th 2000, 10.30am (PST)
@ Yahoo Server Farm




“the initial flood of packets, which we later realized
was in excess of 1G bits/sec, took down one of our
routers …”
“… after the router recovered we lost all routing to
our upstream ISP …”
“… it was somewhat difficult to tell what was going
on, but at the very least we noticed lots of ICMP
traffic …”
“… at 1.30pm we got basic routing back up and
then realized that we were under a DDoS attack”
http://packetstorm.decepticons.org/distributed/yahoo.txt
The lawyer said ...
“There is a distinct probability that if your site
has been hijacked for a denial of service attack,
then you could be liable for damages.
I would definitely advise clients
they have grounds to sue.”
Nick Lockett,
e-commerce lawyer at Sidley & Austin
“Be Secure or Be Sued”
Silicon.com, 16 Nov 2000
http://www.silicon.com/a40900
23
(intro - set'16)
Shadow server





host that manages to show itself (to victims) as a
service provider without having the right to do so
requires address spoofing and packet sniffing
shadow server must be faster than the real one, or
the real one must be unable to respond (due to a
failure or because is under attack, e.g. DoS)
attacks:
 issue wrong answers, providing thus a “wrong”
service to victims instead of the real one
 capture victim’s data provided to the wrong service
countermeasures:
 server authentication
Connection hijacking / MITM





also named data spoofing
attacker takes control of a communication channel
to insert, delete, or manipulate the traffic
logical or physical MITM (Man In The Middle)
attacks:
 reading, insertion of false data and modification of
data exchanged between two parties
countermeasure:
 authentication, integrity and serialization of each
single network packet
24
(intro - set'16)
Trojan / MITB





Trojan (horse)
MITB = man-in-the-browser
network channels more protected …
… but user terminals less protected
 Smartphone, smart-TV, …
 IoT (Internet-of-Things)
 "ignorant" users
classic attack tools (e.g. keylogger as part of a
game) and modern ones (e.g. browser extension)
Zeus





also know as Zbot
currently a major malware + botnet
discovered (born?) on 2007, sold (?) on 2010
can be used:
 directly
(e.g. MITB for keylogging or form grabbing)
 indirectly, to load other malware
(e.g. the CryptoLocker ransomware)
very difficult to discover and remove
 hides itself with stealth techniques
 about 3.6 M active copies just in the USA
25
(intro - set'16)
Software bug



even the best software (either off-the-shelf or
custom) contains bugs that can be used for
various aims
easiest exploit: DoS
example: WinNT server (3.51, 4.0)
 telnet to TCP port 135
 send 10 random characters, then CR
 server unavailable!
(CPU load at 100% even though no
useful work is done)
 solution: install SP3
......
Some typical application-level problems




buffer overflow
 allows the execution of arbitrary code injected
through a specially crafted input
store sensible information in the cookies
 readable by third parties (in transit o locally on the
client)
store passwords in clear in a DB
 readable by third parties (e.g. backup operator)
“invent” a protection system
 risk of inadequate protection
26
(intro - set'16)
Virus & Co. (malware)





virus
 damages the target and replicates itself
 propagated by humans (involuntarily)
worm
 damages the target because replicates itself
(resource saturation)
 automatic propagation
Trojan (horse) = malware vector
backdoor = unauthorized access point
rootkit = privileged access tools, hidden (modified
program, library, driver, kernel module, hypervisor)
and stealth
Virus and worm (malware)


requires complicity (may be involuntary) from:
 the user (gratis, free, urgent, important, …)
 the sys manager (wrong configuration)
 the producer (automatic execution, trusted, …)
countermeasures:
 user awareness
 correct configuration / secure sw
 install antivirus (and keep updated!)
27
(intro - set'16)
Malware food chain
business opportunity
(vulnerability)
malicious code
Hall of fame
...
...
vulnerability
marketplace
malware toolkit
market
malware distributors
(spam, web, …)
VICTIM
Zeus
source: http://en.wikipedia.org/wiki/File:FBI_Fraud_Scheme_Zeus_Trojan.jpg
28
(intro - set'16)
29
(intro - set'16)
Basic problems (non technological)






low problem understanding (awareness)
mistakes of human beings (especially when
overloaded, stressed, …)
human beings have a natural tendency to trust
complex interfaces / architectures can mislead the
user and originate erroneous behaviours
performance decrease due to the application of
security measures
…
Social engineering




ask for the (involuntary) user’s participation to the
attack action
usually naive users are targeted (e.g. “do change
immediately your password with the following one,
because your PC is under attack”) ...
… but experienced users are targeted too (e.g. by
copying an authentic mail but changing its
attachment or URL)
via mail, phone or even paper
30
(intro - set'16)
Social engineering: examples



phishing (~ fishing):
 “dear Internet banking user, please fill in the
attached module and return it to us ASAP
according to the privacy law 675 …”
psychological pressure:
 “help me, otherwise I’ll be in troubles …”
 “do it, or I’ll report it to your boss …”
showing acquaintance with the company’s
procedures, habits and personnel helps in gaining
trust and make the target lower his defences
31
(intro - set'16)
A mail from CIA …
From: [email protected]
Date: Tue, 22 Nov 2005 17:51:14 UTC
X-Original-Message-ID: <[email protected]>
Subject: You_visit_illegal_websites
Dear Sir/Madam,
we have logged your IP-address on more than 30 illegal Websites.
Important: Please answer our questions!
The list of questions are attached.
Yours faithfully,
Steven Allison
++++
++++
++++
++++
++++
Central Intelligence Agency -CIAOffice of Public Affairs
Washington, D.C. 20505
phone: (703) 482-0623
7:00 a.m. to 5:00 p.m., US Eastern time
the attachment is
the SOBER worm!
Phishing


using mail or IM to attract a network service user
to a fake server (shadow server) for:
 acquiring her authentication credentials or other
personal information
 persuading her to install a plugin or extension
which actually is a virus or a Trojan
specialized variants:
 spear phishing (include several personal data to
disguise the fake message as a good one, e.g. mail
address, name of Dept/Office, phone no.)
 whaling (targeted to VIP such as CEO or CIO, e.g.
the 20,000 hit on April 08 that then installed a
Trojan related to the servers of Piradius)
32
(intro - set'16)
Pharming



term of controversial use
set of several techniques to re-direct a user
towards a shadow server
 changing the "hosts" file at the client
 changing the nameserver pointers at the client
 changing the nameservers at a DHCP server (e.g.
an ADSL / wireless router)
 poisoning the cache of a nameserver
via:
 direct attack (vulnerability or malconfiguration)
 indirect attack (virus or worm)
Social engineering techniques







(74%) solicitation / bribery
(44%) pretexting
(16%) counterfeiting / forgery
(11%) *ing
(4%) hoax / scam
(4%) influence tactics
(3%) extortion / blackmail
Note: percentage of use in social engineering attacks
according to the Verizon/USSS 2011 survey.
33
(intro - set'16)
Social engineering channels
(78%) in-person
 (14%) documents
 (10%) e-mail
 (6%) web / Internet
 (5%) phone
 (4%) SMS / texting
Note:
 percentage of use in social engineering attacks
according to the Verizon/USSS 2011 survey
 new techniques are under development for the
future …

Report Verizon DBIR 2014


nine main categories:
 POS (point-of-sale) intrusions
 web app attacks
 insider and privilege misuse
 physical theft and loss
 miscellaneous errors
 crimeware
 payment card skimmers
 DoS attacks
 cyber-espionage
http://www.verizonenterprise.com/DBIR/2014/
34
(intro - set'16)
Report Verizon DBIR2014



incident
 a security event that compromises the integrity,
confidentiality, or availability of an information asset
(data) breach
 an incident that results in the disclosure or potential
exposure of data
(data) disclosure
 a breach for which it was confirmed that data was
actually disclosed (not just exposed) to an
unauthorized party
Report Verizon DBIR 2014 (fig.16)
35
(intro - set'16)
Report Verizon DBIR 201
DDOS attacks (fig.65)
year
bandwidth
(average)
packets
(average)
2011
4.7 Gbps
0.4 Mpps
2012
7.0 Gbps
2.6 Mpps
2013
10.0 Gbps
7.8 Mpps
2014
15-59 Gbps
3-15 Mpps
2015
5.5 Gbps
1.9 Mpps
T.J.Maxx attack (2007)






45 M credit/debit card numbers stolen
in a period of 18 months (up to January 2007)
a 10 M USD legal class action started by 300 banks
(e.g. Massachusetts Bankers Association, Maine
and Connecticut Associated Banks)
attack succeed due to use of WEP rather than WPA
attack performed by 10 people (3 USA, 3 UKR, 2
CHN, 1 BEL, 1 EST + "Delpiero")
one ex-cracker hired by the US secret service
blog.wired.com/27bstroke6/2008/08/11-charged-in-m.html
www.wired.com/politics/law/news/2007/06/secret_service#
36
(intro - set'16)
Phishing via Transformers3 (apr 2010)


Andersen Air Force Base (Guam island)
ORE (Operational Readiness Exercise)
 phishing message
 “the movie Transformers-3 will be filmed on Guam”
 “looking for 20 airmen to be part of the movie”
 application required disclosing sensitive
information
 event leaked on the web because one airman
disclosed that on Transformer fans’ blog
 journalists called to confirm movie location
www.networkworld.com/news/2010/043010-us-air-force-phishing-test.html
Stuxnet (2010)



prototype of a new kind of attack
worm + virus for Windows
 attempt to propagate to other systems
 attempt to damage the SCADA systems (of a
specific manufacturer) attached to the infected
nodes
 malware for cyberphysical systems
attack and propagation vectors:
 1 known vulnerability (patch available)
 1 known vulnerability (no patch)
 2 “zero-day” vulnerabilities
37
(intro - set'16)
Stuxnet: timing and location






17/6/10 first encounter
24/6/10 noted use of a digital signature certificate
 revoked on 17/7/10
 … then a second certificate appears!
14-15-16/7/10 security advisories by CERT and MS
gradual release of various patches until October’10
self-stopped its propagation on 24/6/2012
geographic location:
 52% Iran
 17% Indonesia
 11% India
Stuxnet: mechanisms




distribution and propagation:
 USB key
 shared disks (network share)
 MS-RPC and MS-spool bugs
likely first infection vector a USB key of a
maintenance technician
disguised as a driver
 with a digital signature validated by Microsoft!!!
 uses two different certificates
access from the infected node to the back-end DB
thanks to a shared default pwd on every node
38
(intro - set'16)
Stuxnet: lessons learnt



systems protected with physical separation
(air gap) ... but without other standard protections:
 no anti-virus
 no patch
 no firewall
unnecessary services active:
 MS-RPC
 shared network print queues
 shared network disks
validation list for sw to be installed
Stuxnet's brothers



same development platform (tilded)
Duqu (sep'11)
 not a worm or virus
 gathers and send system info for attack preparation
(reconnaissance & intelligence)
Flame (may'12)
 system spyware (may record network traffic, audio,
video, keyboard)
 spreads via USB or network, no physical damage
 backdoor (remote configuration and update)
 active since two years before its recognition
39
(intro - set'16)
The three pillars of security
0. Planning
(security policy, …)
1. Avoidance
(FW, VPN, PKI, …)
3. Investigation
(forensic analysis,
internal audit, …)
2. Detection
(IDS, monitor, …)
Hacker & C.
hacker
cracker
script kiddie
wannabe lamer
40
(intro - set'16)
Hacker (I)
hacker: /n./ [originally, someone who makes
furniture with an axe]
1. A person who enjoys exploring the details of
programmable systems and how to stretch their
capabilities, as opposed to most users, who prefer
to learn only the minimum necessary.
2. One who programs enthusiastically (even
obsessively) or who enjoys programming rather
than just theorizing about programming.
3. A person capable of appreciating {hack value}.
4. A person who is good at programming quickly.
Hacker (II)
5. An expert at a particular program, or one who
frequently does work using it or on it; as in “a Unix
hacker”. (Definitions 1 through 5 are correlated, and
people who fit them congregate.)
6. An expert or enthusiast of any kind. One might be
an astronomy hacker, for example.
7. One who enjoys the intellectual challenge of
creatively overcoming or circumventing limitations.
8. [deprecated] A malicious meddler who tries to
discover sensitive information by poking around.
Hence “password hacker”, “network hacker”. The
correct term for this sense is {cracker}.
41
(intro - set'16)
Cracker
cracker: /n./ One who breaks security on a system.
Coined ca. 1985 by hackers in defense against
journalistic misuse of {hacker} (q.v., sense 8).
An earlier attempt to establish “worm” in this
sense around 1981-82 on Usenet was largely
a failure.
Kevin Siers, NC, USA (cartoon from the Charlotte Observer)
42

Introduction to ICT security

Transcript

Documenti analoghi

E-mail security - Politecnico di Torino

Evolution and development of the cerebral cortex

POLITECNICO DI TORINO NOV. 19th, 2015 01

The European Network ESEP-N and the Energy Center in Turin

mus ic sweetmus ic

Versione INGLESE

TORI O216

what are the future horizons in the space exploration and

Registration of Functional Data: Aligning Inner Carotid Artery

Progress in Determining the Boltzmann Constant

ENGINE

Enciclopedia del vino B - Alta Scuola Politecnica

Style Makers

EU-line ICT in Youth work

Hackers Built the Internet

ministry of education, malaysia