ICT SEcurity BASICS. Course: Software Defined Radio. Angelo Liguori. SP4TE lab.

Transcription

1 Course: Software Defined Radio ICT SEcurity BASICS Angelo Liguori SP4TE lab 1

2 Some Definition Security Properties Threath, Attack, Vulnerabiity Attacks trend and examples Countermeasures Multilevel Security 2

3 Information Security Processes and methodologies which are designed and implemented to protect any form of confidential, private and sensitive information or data from unauthorized access, use, misuse, disclosure, modification, or disruption. ICT Security source: 3

4 Security Properties (CIA) CONFIDENTIALITY AVAILABILITY INTEGRITY 2014 Ing. A.A. Liguori, lab -- University University Roma 2014 Ing. Liguori,SP4TE SP4TE lab Roma TreTre 4

5 Other Properties Authenticity Non-Repudation Identification Authentication Authorization Accountability Privacy 5

6 Other Definitions Threat: a specific means by which a risk can be realized by an aversary Vulnerability: a systematic artifact that exposes the user, data, or system to a threat Attack: occurs when someone attemps to exploit a vulnerability 6

7 W h o n e e d s Generic user (me, you, houswifes?): social network, e-banking, electronic mails, pc, smartphone smart appliances Industry: web-server, remote access, intellectual property (industrial espionage) critical infrastructures Public Administration: services to citizens, privacy Defence: classified data relating to Government security, coalition networks (Network Centric Warfare) I T S e c u r i t y? 7

8 Intruder Knowledge vs. Attack Sophistication source: Allen H. Julia: Information Security as an Institutional Priority, Carnegie Mellon University 8

9 Security Incidents 9

10 Malware Virus: a program that can infect other programs by modifying them to include a, possibly evolved, version of itself Worm: a self-replicating computer program. It uses a network to send copies of itself to other nodes and do so without any user intervention Backdoor: a means of access to a computer program that bypasses security mechanisms Trojan horse: class of malware that appears to perform a desirable function but in fact performs undisclosed malicious functions that allow unauthorized access to the victim computer Rootkit: a component that uses stealth to maintain a persistent and undetectable presence on the machine Scareware: type of malware designed to trick victims into purchasing and downloading useless and potentially dangerous software Ransomware: type of malware that prevents or limits users from accessing their system. This type of malware forces its victims to pay the ransom through certain online payment methods in order to grant access to their systems, or to get their data back. Some ransomware encrypts files (called Cryptolocker) 10

11 Spear Phishing 11

12 DNS Poisoning 12

13 Advanced Persistent Threat - APT 1. Recognition 2. Network intrusion 3. Backdoor set-up 4. Gaining user credentials 5. Malware installation 6. Priviledge escalation, data disclosure 7. Mantaining access 13

14 Man-in-the-Middle - MitM 14

15 DoS - DDoS Ping of death - An oversized ICMP datagram can crash IP devices that were made before Smurf - An attack where a ping request is sent to a broadcast network address with the sending address spoofed so many ping replies will come back to the victim and overload the ability of the victim to process the replies. 15

16 Mobile Device source: KASPERSKY 16

17 A simple QR code? 17

18 How many attacks per day? Which origins? Which targets? 18

19 Countemeasures Physical controls: fences, doors, locks and fire extinguishers Procedural controls: incident response processes, management oversight, security awareness and training Technical controls: user authentication (login) and logical access controls, antivirus software, firewalls Legal and regulatory or compliance controls: privacy laws, policies and clauses 19

20 Cost Function 20

21 A c c e s s C o n t r o l Access control is a system which enables an authority to control access to areas and resources in a given physical facility or computer-based information system. In computer security, access control includes identification, authentication, authorization and accountability. Authenticators are commonly based on the following factors: something you know something you have something you are where you are i.e. Kerberos 21

22 C o n f i d e n t i a l i t y When we talk about confidentiality of information, we are talking about protecting the information from disclosure to unauthorized parties. Cryptography: mathematical manipulation of information that prevents the information being disclosed or altered Cryptanalysis: defeating the protected mechanisms of cryptography Cryptology: study of Cryptography and Cryptanalysis 22

23 symmetric encryption C o n f i d e n t i a l i t y Plaintext X / Cyphertext Y Encryption / Decryption Algorithm E/D Symmetric Encryption Key K Y = EK(X) X = DK(Y) i.e.: AES source: Microsoft 23

24 asymmetric encryption C o n f i d e n t i a l i t y Plaintext X / Cyphertext Y Encryption / Decryption Algorithm E/D Public Key KP Private Key KS Y = EKP(X) X = DKS(Y) i.e.: RSA source: Microsoft 24

25 Digital signature N o n R e p u d a t i o n Plaintext X / Cyphertext Y Encryption / Decryption Algorithm E/D Public Key KP Private Key KS Y = EKS(X) X = DKP(Y) 25

26 Hash functions Integrity of information refers to protecting information from being modified by unauthorized parties. One-way function: I n t e g r i t y it is easy to compute the hash value for any given message it is infeasible to generate a message from its hash it is infeasible to modify a message without changing the hash it is infeasible to find two different messages with the same hash. source: Cisco i.e.: SHA 26

27 Availability of information refers to ensure that authorized parties are able to access the information when needed A v a i l a b i l i t y Redundancy Access lists Reverse Proxy Backups 27

28 Multilevel Security Capability of an ICT system to store and process information with different levels of security used by subjects characterized by different levels of clearances, authorizations and roles, enforcing the mandatory security policies aimed at their protection. 28

29 Security Levels Security Models: Bell-La Padula, Biba, etc. 29

30 Information Flows An information flow policy is typically designed to preserve: In the confidentiality and/or integrity of data within a computer system Multilevel important: Security systems is 1. to allow information flows between users of the system who have sufficient security clearances 2. to prevent flows to those that do not 30

31 Covert Channel If all possible information flows can be identified then these flows can be restricted such that the goals of the security policy are preserved. If it is not possible to identify all such flows then there is the potential for information to flow in an unauthorized manner. A channel can be defined as a communication path by which information can flow within a computer system. A Covert Channel is an enforced, illicit signalling channel that allows a user to surreptitiously contravene the multilevel separation policy and unobservability requirements of the TOE. source: 31

32 Covert Channel Taxonomy Storage Channel Timing Channel A system feature that enables one system entity to signal information to another entity by directly or indirectly writing a storage location that is later directly or indirectly read by the second entity. Covert storage channels typically involve a finite resource (e.g. sectors on a disk) that is shared by two subjects at different security levels A system feature that enables one system entity to signal information to another by modulating its own use of a system resource in such a way as to affect system response time observed by the second entity source: IETF RFC

33 Covert Channel Properties Transmission channel control Capacity Covertness Noisiness 33

34 Covert Channel Storage Covert Channel Local Remote Timing Covert Channel Active Passive 34

35 Covert Channels ACTIVE Generate additional traffic to transmit information Faster than passive channels Require a compromised machine PASSIVE Manipulate the timing of existing traffic More difficult to detect respect of active channels No known public implementation 35

36 Covert Channels LOCAL Used to share data among processes sited on the same system: Resource Manipulation Caching Alternate Data Stream (ADS) REMOTE Used to share data among processes sited on different systems: Focus has been on using common networking protocols (TCP/IP) Hide or embed information into unused or predictable fields in the header Ptunnel (ICMP packets) 36

37 Local Storage Covert Channels RESOURCE MANIPULATION 1. The sender fills kernel s process table to transmit 1, leaves it partially empty to transmit 0. The receiver tries to create process 2. The sender allocates 0MB of memory to transmit 00, 64MB to transmit 01, 128MB to transmit 10, 192MB to transmit 11 CACHING Hyper-Threading permits different threads to execute on a single core Virtualization permits different VMs to share the same HW Cache is shared among threads and VMs 37

38 Timing Covert Channels Simple ON-OFF Inter-packet gap Not-ACK CSMA/CD ISSUES Synchronization Noisiness 38

39 Remote Storage Covert Channels Embedding information in certain header fields that are either unused, immutable or mutable with certain predictability. The embedded information is carried out of the network with the intention of avoiding detection. 39

40 Storage Covert Channels Type Of Service (TOS) (8 bit) Timestamp (32 bit) Not-requested ACK Not-valid frames with wrong checksum Payload Tunnel (ICMP, HTTP ) 40

41 Timing Covert Channels Unintended information about data gets leaked through observing the timing of event. (i.e. ON-OFF timing covert channel) 41

42 Timing Covert Channels The sender/receiver agree beforehand on a timing interval and a starting protocol to signal the start of transmission The starting protocol may be a time or a network event, or a special packet could be used to signal transmission Once established if a packet is received within the time interval then this signifies a binary 1 and silence during the period signifies a 0 Rather than creating a continuous stream of bits one method could be to create a frame. This would consist of a pre-determined number of bits within each frame The capacity of the channel is determined by the timing interval chosen. The smaller the interval the higher the transmission rate 42

43 Examples - ADS Under NTFS, files can be hidden in Alternate Data Streams Originally put in place with NTFS to provide compatibility with Mac OS Allows multiple files (streams) to be attached to ANY file Regardless of ownership or permissions Windows does not come with default tools for listing ADS Files stored in an ADS will not show up in listings File size of carrier does not show an increase 43

44 Examples ADS LAB 1 44

45 Examples ADS 1/3 45

46 Examples ADS 2/3 46

47 Examples ADS 3/3 47

48 Examples Ping Tunnel 1/3 Ptunnel is an application that allows you to reliably tunnel TCP connections to a remote host using ICMP echo request and reply packets, commonly known as ping requests and replies. FEATURES: Tunnel TCP using ICMP echo request and reply packets Connections are reliable (lost packets are resent as necessary) Handles multiple connections Acceptable bandwidth (150 kb/s downstream and about 50 kb/s upstream are the currently measured maximas for one tunnel) Authentication, to prevent just anyone from using your proxy 48

49 Examples Ping Tunnel 2/3 The proxy is the "endpoint" for our ping packets, i.e. the computer we send the ping packets to. The client is the computer we're trying to surf the net from, and the destination is the computer we would normally be trying to access over TCP 49

50 Webografia