ITP 101 Intro to Information Technology. Security and Hackers

Transcription

1 ITP 101 Intro to Information Technology Security and Hackers

2 Overview What is security? Why do we need security? What is malware? What is phishing? What is an attack? Who is vulnerable? What is a hacker? Why hack? How do I protect myself? 2

3 What is security? Definition of security from Dictionary.com: 1. Freedom from risk or danger; safety. 2. Freedom from doubt, anxiety, or fear; confidence. 3. Something that gives or assures safety, as: 1. A group or department of private guards: Call building security if a visitor acts suspicious. 2. Measures adopted by a government to prevent espionage, sabotage, or attack. 3. Measures adopted, as by a business or homeowner, to prevent a crime such as burglary or assault: Security was lax at the firm's smaller plant. 3

4 Why do we need security? Protect vital information while still allowing access to those who need it Trade secrets, medical records, etc. Provide authentication and access control for resources Guarantee availability of resources Example: 5 9s (99.999% reliability) 4

5 Experienced Security Incident 5

6 Types of Attacks Experienced 6

7 What is malware? Any software program developed for the purpose of causing harm to a computer system (malicious software) First appearances in the 1970s All operating systems are susceptible (to some extent) Various types Trojan horse Virus Worm Spyware Adware 7

8 Types of Malware Trojan Horse A harmful piece of software that is disguised as legitimate software Typically used to steal information Pirated software is a good place to hide trojans Virus A program that spreads by inserting copies of itself into other executable code or documents (host dependent, replication) Requires the user to transmit infected file to other users Is often used as a collective term for malware 8

9 Types of Malware Worms A self-contained, self-replicating computer program Similar to a computer virus, but does not need a user to transmit an infected file First Internet worm in 1988 Spyware Software that collects and sends information about users or, more precisely, the results of their computer activity, without explicit notification Spyware usually works and spreads like Trojan horses Adware Advertising-supported software Some adware may come with spyware 9

10 What is phishing? The act of attempting to fraudulently acquire sensitive personal information (passwords, credit card details,...) with an legitimatelooking request for that information Typically an takes you to a webpage where you need to fill in details A phishing technique was described in detail in 1987, and the first recorded use of the term "phishing" was made in 1996 Most methods of phishing use some form of technical deception designed to make a link in an (and the spoofed website it leads to) appear to belong to the spoofed organization. Misspelled URLs or the use of subdomains are common tricks used by phishers Example: 10

11 What is an attack? An attack usually has a clearly identified target (e.g., a company, a server, a website) and has a goal (e.g., deface a web page, get system access, make server unavailable, steal documents) Attacks can employ malware Typical attacks Eavesdropping documents, messages, passwords,... Man-in-the-middle intercept communication link Tampering modify system, manipulate data Spoofing with wrong sender, phishing Hijacking hijack session (e.g. Telnet), hijack host (zombie) Capture replay capture and reply of command messages Denial of service crash or overload server with (e.g. malformed) requests Goal Confidentiality Integrity (+Authentication) Availability Attacks Eavesdropping Man-in-the-middle Hijacking Man-in-the-middle Hijacking Tampering Spoofing Capture-replay Denial of service 11

12 Who is vulnerable? Financial institutions and banks Internet service providers Pharmaceutical companies Government and defense agencies Contractors to various government agencies Multinational corporations Educational Institutions Basically ANYONE ON THE INTERNET 12

13 Percentage of IT Budget on Security 13

14 Types of Security Technology Used 14

15 Hacking throughout History 15

16 Who gets hacked? Everybody Government servers Swordfish Hugh Jackman s character hacked Department of Defense Live Free or Die Hard Timothy Olyphant s character hacked NORAD Banks, e-commerce sites Ebay!!! Educational institutions UCLA and USC 16

17 Hacking Today HOLY CRAP!!! 17

18 What is a hacker? Definition of hacker according to Wikipedia: Computer and network security expert One who specializes in access control mechanisms for computer and network systems 18

19 World s definition of a hacker Media definition of hacker = our definition of criminal hacker Someone who maliciously breaks into networks and systems for personal gain Crack (v) to break into a system with malicious intent 19

20 Who are these hackers? Internal threats (rogue insiders) Bored students Disgruntled employees External threats Bored people (lots of them out there worldwide!) Political action groups Crackers & hackers Ex-employees 20

21 Levels of Hackers Script kiddies/cyberpunks Novices Very little actual knowledge of what goes on behind the scenes. They simply find a cool tool on the net Media stereotype (pimply faced, lives in his mom s basement, etc) Sloppy, leave all sorts of digital evidence of their actions Most annoying and cause the most headaches Intermediate Hackers halfway hackers Know enough to cause serious damage Most want to be advanced (l33t), and will get there if they re not caught Advanced Hackers Criminal Experts Uber/l33t hackers These are the authors of the hacking tools, viruses, and malware They know enough to hide their tracks most of the time you won t even know that your system has been compromised 21

22 Why hack? Because they can! Curiosity, notoriety, fame Profit ($$$ or other gain) Hackers for Hire Korean National Police Agency busted the Internet s largest known organized hacking mafia 4,400 members!!!!! Sell people s personal information on the black market 22

23 Why hack? Underlying the psyche of the criminal hacker is a deep sense of inferiority Consequently, the mastery of computer technology, or the shut down of a major site, might give them a sense of power "Causing millions of dollars of damage is a real power trip Hacktivism hactivist.net Free Kevin messages that were put onto websites without the owner's permission Cyberterrorists Crash critical systems, bring down power grids & air traffic control towers US fights this through the Department of Homeland Security Customs (ICE), FBI, Secret Service, Local Police 23

24 Hacker Methodology 1. Gather target information 2. Identify services offered by target to the public (whether intentional or not) 3. Research the discovered services for known vulnerabilities 4. Attempt to exploit the services 5. Utilize exploited services to gain additional privileges from the target 6. Reiterate steps 1-5 until goals are achieved 24

25 Most notorious hacker ever was a USC Student!!! J Hacking is a noble, honorable art Kevin Mitnick 25

26 APT (Advanced Persistent Threat) Computer attacks usually sponsored by government agencies or terrorist organizations Originally used to classify persistent attacks against government and government contractors Now attacks directed at anyone with valuable information Advanced Operators of the attack are extremely capable (l33t) Individual components may not be advanced, but the combination and usage are Will utilize any and all tools and methodologies Persistent Operators are given a specific target, and will not move on to the next target until target is compromised Operators are guided by external entities Targets are chosen not for immediate financial gain Threat Extreme coordination of attacks among many operators if necessary Nothing is automated Operators are skilled, motivated, organized, and well funded Have a 100% success rate of penetration 26

27 How Widespread is the APT? 27

28 Where is the APT? 28

29 How do I protect myself? Use protection software "anti-virus software" and keep it up to date Don't open unknown, unscanned or unexpected attachments Use hard-to-guess passwords Protect your computer from Internet intruders and use "firewalls" Don't share access to your computers with anyone If you do, create different accounts and don't let anyone else have admin privileges 29

30 How do I make a good password? Passwords should contain at least 8 characters Use one of each of the following: Uppercase letters ( A-Z ) Lowercase letters ( a-z ) Numbers ( 0-9 ) Punctuation marks (!@#$%^&*()_+=- ) The license plate rule take a phrase and try to squeeze it into 8 characters Take the first letter of each word Replace letters with digits or special characters The best password is one that is totally random to anyone else except you 30

31 Password Examples kep*-h&y = keep your laser handy ycag5wyw = you can't always get what you want imcmit2s,ibl = if my car makes it through 2 semesters, I'll be lucky obgcat$7t = only Bill Gates could afford this $70.00 textbook WtimaciK2? = What time is my computer class in KAP 267? If33lg8! = I feel great! W1ldcatzR#1 = Wildcats are #1 d0lf1n sfan = Dolphins Fan Uc1@SuX! = UCLA Sucks! 31

32 Password Rules Don't use your name, your pet's name, your birth date or other information that is easy to get Don't use 'qwerty' or any word in the dictionary Never write down your password Never tell anyone your password Remember the key to security is embedded in the word security SEC - - Y 32

33 Resources Computer Security Institute Messagelabs Intelligence October Ponemon Institute 2009 Annual Study: Cost of a Data Breach US_Ponemon_CODB_09_012209_sec.pdf Symantec Global Internet Security Threat Report Verizon 2010 Data Breach Investigations Report 33

34 Security Administrator Careers Implements network security policies and procedures Average salary is $69,000 Web Security Administrator Develops, implements, and maintains firewall technologies that secure an organization's website Average salary is $79,000 IT Security Consultant Average salary is $106,000 34

35 Security at USC Introductory & Intermediate Classes ITP 125 From Hackers to CEOs: Introduction to Information Security ITP 325 Ethical Hacking and Systems Defense ITP 357 Enterprise Network Design ITP 375 Digital Forensics Minor in Applied Computer Security Minor in Computer & Digital Forensics New for Fall