1
Q
Why security is important?
A
- Information systems can be attacked without attackers being physically present
- Consequences:
- Financial loss: money stolen or value of shares decreased or fines by authorities
- Recovery cost: making the system operational again and improving it to avoid attacks is costly
- Productivity loss: all processed are stopped to deal with the security issue → no more product features.
- Business disrution: lack of trust in the company, users may want to choose a competitor or may have to use a competitor since the company product could be unsable for some time.
2
Q
Complexity is the enemy of security
A
- FIRST AXIOM OF ENGINEERING: The more complex a system is, the more difficult its correctness verification will be (implementation, management, operation)
- Since the current ICT scenario is full of interconnected products we are not very well positioned on the security side of things.
Keep It Simple Stupid
3
Q
Definition: ICT security
A
- Set of products, services, organizational rules and behaviours that protect ICT systems.
- Has duty to offer these characteristics to the system (C.I.A.)
- protected from undesired access (Cofidentiality)
- guarantee privacy of information (Integrity)
- ensure service operation and availability even in unpredictable circumstance. (Availability)
4
Q
Risk estimation
A
- Understand the assets needed for a service to work:
- Data, human resources, ICT resources, location
- Asses the vulnerabilities associated with each asset:
- weak passwords, location sensible to flooding, corruptible humans, non-encrypted data
- Vulnerabilities that are not mitigated become a security threat to the service.
- An attack is the occurrece of a threat that is deliberate.
- An event is the occurence of a threat that is accidental.
The risk is estimated by considering the impact of an event/attack and the probability of that event/attack happening.
5
Q
System development lifecycle | Security Dev. lifecycle
A
Security must be addressed at each step of the development.
6
Q
Definition: Incident
A
A security event that compromises integrity, confidentiality or availability of an information asset.
7
Q
Definition: Breach
A
(Data) breach: an incident tha exposes or potentially exposes data.
8
Q
Definition: Disclosure
A
(Data) disclosure: a breach with confirmation that the data was disclosed by an unauthorized party. (Another entity has the data an knows it
9
Q
Definition: Window of Exposure (WoE)
A
The period from the discovery of the vulnerability to the installation of the protection measure.
10
Q
WoE: responsible disclosure
A
Security researchers will wait for some days to make public a vulnerability to make sure the developer can fix the vulnerability.
Example of flow:
- Sec. res. reports vulnerability to vendor; vendor acknowledges report.
- Vendor verified reproducibility, and confirms it with sec. res.
- Vendor reports an issue with the fix and that the fix might not make it to production before the vulnerability disclousure deadline.
- Sec. res. cautions potential 0-day.
- Vendor confirms the vulnerability will not be patched before deadline.
- Sec. res. confirms the intention to 0-day on the date of the deadline.
11
Q
Bruce Schneier on Computer Security: Will We Ever Learn?
A
- Computer security flaws are inevitable.
- Systems break, vulnerabilities are reported to the press.
- People put faith in the future: this time is different, the next release will fix all problems.
- Key takeaway: security is a process, not a product: processes that are put in place to rocognize insecurities will do so.
- The trick is to reduce your risk of exposure regardless of the products or patches.
12
Q
Security principles:
A
- Security in-depth
- Security by design
- Security by default
- Least privilege
- Need-to-know
13
Q
Security in-depth
A
Do not rely on a single protection, if that fails you are vulnerable. Put in place secondary measures.
14
Q
Security by design
A
Start the project/feature with security in mind. Build the project/feature around security.
Don’t add security at the end or “if there’s time.”
15
Q
Least privilege
A
Assign to the entity that needs privileges the lowest one that allows it to achives its task.
16
Q
Need-to-kwow
A
Similar to least privilege. Only show/transmit the data that the entity strictly-needs to accomplish the task it requested the data for.
17
Q
Security by default
A
Allow security options by default.
E.g. users have to opt-out of security features if they don’t want them.
18
Q
European Central Bank security recommendations
A
- These recommendations apply to:
- Payment schemes governance authorities
- payment services providers
- merchants
- Recommendations:
- Use strong customer authentication to protect internet payment initiation and sensitive payment data.
- Limit number of log-in/auth. attempts, define rules for internet payment services session “time out” and set time limits for validity of authentication.
- Establish transaction tracking to:
- prevent
- detect
- and block fraudolent transactions.
- Provide assistance and guidance to customers about security best practices; set up alerts and provide tools to monitor transactions.
19
Q
Security Properties:
A
- Authentication (simple/mutual)
- Peer authentication
- Data / origin authentication
- Authorization, control access
- Integrity
- Confidentiality, privacy, secrecy
- Non repudiation
- Availability
- Traceability, accountability
20
Q
Peer authentication
A
Only one entity asks for proof of authentication.
Example: computer asks username/password to user.
User doesn’t ask the computer to authenticate itself.
21
Q
Mutual authentication
A
Mutual authentication or two-way authentication refers to two parties authenticating each other at the same time, being a default mode of authentication in some protocols.
22
Q
Data authentication
A
Data authentication is the process of confirming the origin and integrity of data.
23
Q
Non repudiation
A
Non-repudiation refers to a situation where a statement’s author cannot successfully dispute its authorship or the validity of an associated contract.
In digital security, non-repudiation means:
- A service that provides proof of the integrity and origin of data.
- An authentication that can be said to be genuine with high confidence.
24
Q
Authorization
A
The system must be able to ask the following question and gives itself an answer:
does the following entity have permission to do what it’s asking me to do?
Example: can Barbara borrow Alice’s car?
25
Security pyramid: Theory vs. Reality
Authentication should be very strong.
Valueable assets should be the least accessible part.
26
Privacy
Can be grouped in 3 categories;
* Data: can someone access data that should be private?
* Actions: can someone see the private actions that somebody performed? (e.g. who visited wikileaks.org)
* Position: Can someone track where a private citized has been in the last month?
27
Integrity
Integer data can't be afflicted by these actions:
* Data modification: modify packet.
* Data cancelation/filtering: cancel a packet containing a certain address.
* Replay attack: send multiple times a packet that each time results in the same action being applied to the system. (e.g. send 50 euros multiple times to the same entity by simply replaying the packet.)
28
Data protection: when should it be done?
In transit: when data is being transmitted on a communcation channel
At rest: when data is stored in a memory device.
29
Enemy: where is it?
* The enemy should be considered to be at every level of the system:
* Outside org.: boundary/perimeter defence → Firewall
* Outside org., partners that have access to intranet: (Extranet protection) → VPN
* Insider organization→ LAN/Intranet Protection (authorization)
* Everywhere → application level protection, data protection
30
Stolen hardware value
Value of product + value of data inside.
Classified informations should be protected very well and backed-up.
31
Insecurity Deep Roots:
Why the bad guys are advantaged?
* **Attack** technology is developing in **open-source** env. and **evolving rapidly**.
* **Defenses** are usually **not proactive**, but **reactionary**.
* Millions of **weak systems** are connected/**exposed** to the **internet**.
* Average level of system administrators has decreased dramatically:
* Too many technologies, technicians have broad understanding but not deep.
* Courses just make them learn tools, not theoretical concepts behind them.
* Complex code is written by programmers that don't know security concepts.
* Attacks and attack tools are shared on the internet: easily ditributed, hard to inercept.
* It's difficult to prosecute computer criminals due to complexity of international law.
32
Basic source of problems (tech):
* Insecure networks:
* communcations in clear
* LAN's broadcast mode
* geographical connections are made through shared lines and third party routers (can you trust other nations / third parties?)
* Weak user authentication (password-based)
* No server authentication (How can a user trust their bank's website?)
* Software has bugs.
33
Some classes of attacks:
* IP spoofing / shadow server
* Packet sniffing
* connection hijacking / data spoofing
* denial-of-service (distributed DoS)
34
IP spoofing / shadow server
Part of some basic attacks.
Someone uses address of another host to take its place as a client (and hide its actions) or as a server.
Attacks:
* Data forging
* unathorized access to systems
Example: use another ip address to hack the bank then the fault will be reconducted to another user.
Countermeasure: never use addressed-based authentication.
35
Packet sniffing
Part of some basic attacks.
Attack: content of network packets (e.g. passwords or sensitive data) is read by third parties.
Easy to do in broadcast networks (e.g. LAN) or the switching nodes (e.g. router)
Countermeasures:
* using non broadcast networks
* encryption of payload
36
connection hijacking / MITM
Part of some basic attacks.
Also known as **data spoofing**.
Insert/modify/cancel data during transmission (as a logical or physical man in the middle).
Attacks:
* reading, insertion of false data and modification of data exchanged between two parties.
Countermeasure: authentication, integrity, and serializaiton (put unique id) of each packet in the network.
37
denial-of-service (distributed DoS)
Part of some basic attacks.
Keep the host from serving all the requests by occupying those resources in some way.
Examples:
* email/log saturation
* ping flooding (ping bombing)
* SYN attack (open many TCP 3-way handshake connections simulataneosly without sending ACK → no more users can connect
Attack: block use of system/service.
Countermeasures:
* none!
* monitoring and oversizing can mitigate effects.
Distributed DoS: software installed on many nodes to create a botnet.
38
Making DDoS more powerful:
* Reflector:
* Used to hide attacker tracks and multiply the attackers (e.g. smurfing, fraggle)
* Use an amplificator factor N:1
* depends on the attack protocol used.
* look for reflector server with |response| \>\> |request|
* easy with datagram (ICMP, UDP) possible also with stream (e.g. self-attack HTTP).
* e.g. typical DNS amplification 70:1, but NTP 20-200:1
39
Trojan / MITB
MITB: Man In The Browser
If network channels are well protected, exploit vulnerabilites at the end-points to spoof data before it is encrypted.
Attack tools: keylogger installed with free/cracked software; browser extensions.
40
Shadow server
Part of some basic attacks.
Host that manages to show itself as a service provider without having the right to do so.
Techniques:
* Request sniffing and response spoofing (shadow server must be faster than real one, or the latter must be unable to responde, e.g. due to DDoS)
* Wrong mapping (router or DNS manipulation)
Attacks:
* issue wrong answers, providing a "wrong" service to victims instead of the real one.
* capture victim's data provided to the wrong service.
Countermeasure: server authentication.
41
Zeus
* aka Zbot
* major malware + botnet
* discovered in 2007
* used as:
* direct keylogger or form grabbing
* indirectly to load other malware
* Difficult to find and remove: uses stealth techniques.
42
Typical application-level problems
* Buffer overflow
* allows arbitrary code execution if the right input is given to the program
* Store sensible information in cookies
* readable by third parties that can exploit info to imperonsonate others or to steal info.
* store passwords in clear
* readable by third parties (backup operator) or in case of attacks.
* DYI protection systems: risk of inadequate protection.
43
Malware types
Virus:
* demages the target and replicates
* propagated by humans (involuntarily)
Worm:
* demanges the target replicating itself ( resource saturation )
* automatic propagation
Trojan (horse)
* malware vector: something that enables the installation of malware
Backdoor: unathorized access point put by someone that who developed the software or had unathorized access to it.
rootkit: tool to get priviled access, hidden (modified program, library, driver, kernel module, hypervisor) and stealth.
44
Virus and Worm
* Requires human error / complity, voluntary or otherwise, from:
* the user (free software)
* the sys manager (wrong config.)
* the producer ( automatic execution, trusted)
* Countermeasures:
* antivirus
* user-awareness
* correct config / non vulnerable software
45
Malware food chain
46
Ransomware
* Malware oriented to get a ransom
* content made unreadable on targeted devices
* attackers promise to unlock it upon paying some money.
* Ransomware-as-a-service: TOX malware (server in the TOR anonymous network)
* ask for the ransom and handles the payment
* the "customer"has only thethe task of distributing vector to victims
* Mitigating ransomware is not as easy as it sounds:
* backups are not always a solutions
* backups may be old
* backups may be also unreadable if the ransomware software has been working undetected for some time.
47
Non-tech basic problems
* Low awareness of the importance of security
* Human fallacies: enforced when overloading and stress and other conditions are met.
* Complex interfaces / architectures can mislead the user and cause errors
* Performance decrease due to application security may incentivize some users not to use security measures.
48
Social engineering
* The psychological manipulation of people into performing actions or divulging confidential information.
* Examples:
* Phishing: "email message crafted like bank email asking for credentials"
* Psychological pressure: e.g. "help me, I'm in trouble"
* Showing acquaintance with company's/institution's procedures to gain trust and make the target lower its defenses.
* Fake mails
* Fake SMS/IM
* Fake kidnapping alarm
* Pharming (controversial term): set of several techniques to re-direct user towards shadow server (directly or indirectly via virus or worm)
* changin hosts file
* changing nameserver pointers
* changing the nameserver of DHCP server
* poisoning cache of nameserver
49
Recent attacks:
* Stuxnet: cyber-physical systems
* worm + Windows virtus
* used 1 known and patched vuln. 1 known vuln (not patch) and 2 zero-day vulnerabilities.
* Used in Iran, India and Indonesia.
* * Black energy: critical infrastructure
* Advanced persistent thread: system compromised with sophisticated techniques, under continuos monitoring. Objective: remain undetected as long as possible.
* Used to attack energy providers in Ukraine.
* Mirai, BlueBorne, BrickerBot: IoT, automotive, home:
*
50
Cyber-intrusion kill chain of attacks
Information Systems Security
flashcards
Decks in class (7)
# Cards
