Which is the Cuckoo's Egg?

$45 million Quebec Drug arrest Hacking scam Poland, Brazil, Manitoba, and the United States Age 17 to 26 Computer network

Computer Science and Engineering

Cuckoo's Egg
Drug arrest Canada: police have broken up a major international computer-hacking network Target: unprotected personal computers around the world Police arrested 16 people age between 17 and 26 Online to attack and gain control of as many as one million computers worldwide

Computer Science and Engineering

Csilla Farkas
Associate Professor
Dept. of Computer Science and Engineering University of South Carolina farkas@cse.sc.edu http://www.cse.sc.edu/~farkas

Computer Science and Engineering

Financial Loss
Dollar Amount Losses by Type

Total Loss (2006): $53,494,290

Computer Science and Engineering

CSI/FBI Computer Crime and Security Survey Computer Security Institute

4

Security Protection
Percentage of IT Budget Spent on Security Percentage of Organizations Using ROI, NPV, or IRR Metrics

CSI/FBI Computer Crime and Security Survey Computer Security Institute

Computer Science and Engineering

What is Wrong with the Following Specification?

The CEO of ReallySecure Inc. instructed the system administrator of the organizations computing resources to implement security mechanisms, including Hardware firewall Authentication mechanisms Access control Secure communication Encryption capabilities

Computer Science and Engineering

Risk Management Framework (Business Context)

Understand Business Context Identify Business and Technical Risks Synthesize and Rank Risks Carry Out Fixes and Validate Define Risk Mitigation Strategy

Measurement and Reporting

Computer Science and Engineering

Understand the Business Context

Who cares? Identify business goals, priorities and circumstances, e.g., Increasing revenue Meeting service-level agreements Reducing development cost Generating high return investment Identify security risk to consider

Computer Science and Engineering

Identify Business and Technical Risks

Why should business care? Business risk Direct threat Indirect threat Consequences Financial loss Loss of reputation Violation of customer or regulatory constraints Liability Tying technical risks to the business context in a meaningful way
Computer Science and Engineering

Synthesize and Rank the Risks

What should be done first? Prioritization of identified risks based on business goals Allocating resources Risk metrics: Risk likelihood Risk impact Risk severity Number of emerging risks

Computer Science and Engineering

10

Define the Risk Mitigation Strategy

How to mitigate risks? Available technology and resources Constrained by the business context: what can the organization afford, integrate, and understand Need validation techniques

Computer Science and Engineering

11

Carry Out Fixes and Validate

Perform actions defined in the previous stage Measure completeness against the risk mitigation strategy Progress against risk Remaining risks Assurance of mechanisms Testing

Computer Science and Engineering

12

Measuring and Reporting

Continuous and consistent identification and storage of risk information over time Maintain risk information at all stages of risk management Establish measurements, e.g., Number of risks, severity of risks, cost of mitigation, etc.

Computer Science and Engineering

13

What is Being Protected, Why, and How?

Risk assessment
Threats

RISK

Vulnerabilities

Consequences

Computer Science and Engineering

14

Security Objectives
Prevent/detect/deter improper Disclosure of information Prevent/detect/deter Improper modification of information

Secrecy

Integrity Availability
Prevent/detect/deter improper Denial of access to services

Computer Science and Engineering

15

Security Tradeoffs
Security
COST

Functionality

Ease of Use
Computer Science and Engineering
16

Achieving Security


Policy  What to protect?  Mechanism  How to protect?  Assurance  How good is the protection?

Computer Science and Engineering

17

Policy
Organizational policy

Information systems policy

Computer Science and Engineering

18

Security by Obscurity
Hide inner working of the system Bad idea! Vendor independent open standard Widespread computer knowledge

Computer Science and Engineering

19

Security by Legislation
Instruct users how to behave Not good enough! Important Only enhance security Targets only some of the security problems

Computer Science and Engineering

20

Security Mechanism
Prevention Detection Tolerance and Recovery

Computer Science and Engineering

21

Identification Authentication

Computer Science and Engineering

22

Authentication
Allows an entity (a user or a system) to prove its identity to another entity Typically, the entity whose identity is verified reveals knowledge of some secret S to the verifier Strong authentication: the entity reveals knowledge of S to the verifier without revealing S to the verifier

Computer Science and Engineering

23

User Authentication
What the user knows Password, personal information What the user possesses Physical key, ticket, passport, token, smart card What the user is (biometrics) Fingerprints, voiceprint, signature dynamics

Computer Science and Engineering

24

Access Control

Computer Science and Engineering

25

Access Control
Protection objects: system resources for which protection is desirable Memory, file, directory, hardware resource, software resources, etc. Subjects: active entities requesting accesses to resources User, owner, program, etc. Access mode: type of access Read, write, execute

Computer Science and Engineering

26

Access Control
Access control components: Access control policy: specifies the authorized accesses of a system Access control mechanism: implements and enforces the policy Separation of components allows to: Define access requirements independently from implementation Compare different policies Implement mechanisms that can enforce a wide range of policies

Computer Science and Engineering

27

Closed v.s. Open Systems

Closed system
(minimum privilege) Access requ.

Open System
(maximum privilege) Access requ.

Exists Rule?

Allowed accesses

Exists Rule?

Disallowed accesses

yes
Access permitted

no
Access denied

no
Access permitted

yes
Access denied

Computer Science and Engineering

28

Firewalls

Computer Science and Engineering

29

Traffic Control Firewall

Private Network
Firewall

security wall between private (protected) network and outside word

External Network
Computer Science and Engineering

30

Firewall Objectives
Keep intruders, malicious code and unwanted traffic or information out


Private Network
Proprietary data

Keep proprietary and sensitive information in

External attacks

External Network
Computer Science and Engineering
31

Cryptography
- Secret-Key Encryption - Public-Key Encryption - Cryptographic Protocols

Computer Science and Engineering

32

Insecure communications
Snooper

Confidential

Insecure channel Sender Recipient

Computer Science and Engineering

33

Encryption and Decryption

Plaintext

Encryption

Ciphertext

Decryption

Plaintext

Computer Science and Engineering

34

Conventional (Secret Key) Cryptosystem

Plaintext Encryption

Ciphertext Decryption

Plaintext

Sender

Recipient

C=E(K,M) M=D(K,C)
Computer Science and Engineering

K
K needs secure channel

35

Public Key Cryptosystem

Recipients public Key (Kpub) Plaintext Encryption Recipients private Key (Kpriv) Plaintext Decryption

Ciphertext

Sender

Recipient

C=E(Kpub,M) M=D(Kpriv,C)
Computer Science and Engineering
36

Kpub needs

reliable channel

Cryptographic Protocols
      Messages should be transmitted to destination Only the recipient should see it Only the recipient should get it Proof of the senders identity Message shouldnt be corrupted in transit Message should be sent/received once only

Computer Science and Engineering

37

Detection/Response

Computer Science and Engineering

38

Misuse Prevention
Prevention techniques: first line of defense Secure local and network resources Techniques: cryptography, identification, authentication, authorization, access control, security filters, etc.

Problem: Losses occur!

Computer Science and Engineering

39

Intrusion Management
Intrusion Prevention: protect system resources  Intrusion Detection: (second line of defense) discriminate intrusion attempts from normal system usage
 

Intrusion Recovery: cost effective recovery models

Computer Science and Engineering

40

Anomaly versus Misuse

Non-intrusive use Intrusive use
False negative Non-anomalous but Intrusive activities Looks like NORMAL behavior

False positive Non-intrusive but Anomalous activities

Does NOT look Like NORMAL behavior like

Computer Science and Engineering

41

Malicious Code Detection

Virus and Worm Programming Flaws Application Specific Code Distributed, heterogeneous platforms Complex applications Security Applications vs. Secure Applications Build security into the system

Computer Science and Engineering

42

Response/Tolerance

Computer Science and Engineering

43

Incident Response
Federal Communications Commission: Computer
Security Incident Response Guide, 2001, http://csrc.nist.gov/fasp/FASPDocs/incidentresponse/Incident-Response-Guide.pdf Incident Response Team, R. Nellis, http://www.rochissa.org/downloads/presentations/Inci dence%20Response%20Teams.ppt NIST special publications, http://csrc.nist.gov/publications/nistpubs/index.html
Computer Science and Engineering
44

Intrusion Recovery
Actions to avoid further loss from intrusion Terminate intrusion and protect against reoccurrence Law enforcement Enhance defensive security Reconstructive methods based on: Time period of intrusion Changes made by legitimate users during the effected period Regular backups, audit trail based detection of effected components, semantic based recovery, minimal rollback for recovery
45

Computer Science and Engineering

What is Survivability?
To decide whether a computer system is survivable, you must first decide what survivable means.

Computer Science and Engineering

46

Effect Modeling and Vulnerability Detection

Seriously effected components Weakly effected component

Cascading effects

Not effected components

Computer Science and Engineering

47

Due Care and Liability

Organizational liability for misuse US Federal Sentencing Guidelines: chief executive officer and top management are responsible for fraud, theft, and antivirus violations committed by insiders or outsiders using the companys resources. Fines and penalties Base fine Culpability score (95%-400%) Good faith efforts: written policies, procedures, security awareness program, disciplinary standards, monitoring and auditing, reporting, and cooperation with investigations
Computer Science and Engineering
48

How to Respond?

Computer Science and Engineering

49

How to Respond?

Computer Science and Engineering

50

How to Respond?

Computer Science and Engineering

51

Roles and Responsibilities

User: Vigilant for unusual behavior Report incidents Manager: Awareness training Policies and procedures System administration: Install safeguards Monitor system Respond to incidents, including preservation of evidences

Computer Science and Engineering

52

Computer Incident Response Team

Assist in handling security incidents Formal Informal Incident reporting and dissemination of incident information Computer Security Officer Coordinate computer security efforts Others: law enforcement coordinator, investigative support, media relations, etc.
Computer Science and Engineering

53

Incident Response Process 1.

Preparation Baseline Protection Planning and guidance Roles and Responsibilities Training Incident response team

Computer Science and Engineering

54

Incident Response Process 2.

Identification and assessment Symptoms Nature of incident
Identify perpetrator, origin and extent of attack Can be done during attack or after the attack Key stroke monitoring, honey nets, system logs, network traffic, etc. Legislations on Monitoring!

Gather evidences

Report on preliminary findings

Computer Science and Engineering

55

Incident Response Process 3.

Containment Reduce the chance of spread of incident Determine sensitive data Terminate suspicious connections, personnel, applications, etc. Move critical computing services Handle human aspects, e.g., perception management, panic, etc.

Computer Science and Engineering

56

Incident Response Process 4.

Eradication Determine and remove cause of incident if economically feasible Improve defenses, software, hardware, middleware, physical security, etc. Increase awareness and training Perform vulnerability analysis

Computer Science and Engineering

57

Incident Response Process 5.

Recovery Determine course of action Reestablish system functionality Reporting and notifications Documentation of incident handling and evidence preservation

Computer Science and Engineering

58

Follow Up Procedures
Incident evaluation: Quality of incident (preparation, time to response, tools used, evaluation of response, etc.) Cost of incident (monetary cost, disruption, lost data, hardware damage, etc.) Preparing report Revise policies and procedures

Computer Science and Engineering

59

Questions?

Computer Science and Engineering

60