1 ICT Security Product Development and Validation (I): ICT Security Overview. Prof. Albert B. Jeng (鄭博仁), Department of Computer Science and Information Engineering, Jinwen University of Science and Technology
2 Outline: Infosec, COMPUSEC, COMSEC, and Network Security; Why do we need Infosec and COMSEC?; Security Threats and Vulnerabilities; Security Requirements; How to secure networks and information systems?; Security Trends; Conclusion
3 Infosec, COMPUSEC, COMSEC, and Network Security
4 What is Infosec? Information security (Infosec) means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction. The terms information security, computer security and information assurance are frequently used interchangeably. Information security is concerned with the confidentiality, integrity and availability of data regardless of the form the data may take: electronic, print, or other forms.
5 What is Computer Security? Computer security (COMPUSEC) is the branch of information security applied to computers. Objectives of COMPUSEC: protection of information from theft or corruption; preservation of availability.
6 What is Communication Security? Communication security (COMSEC) means measures and controls taken to deny unauthorized persons information derived from telecommunications and to ensure the authenticity of such telecommunications. COMSEC includes cryptosecurity, transmission security, emission security, traffic-flow security, and physical security of COMSEC equipment.
7 What is Network Security? Network security is concerned with the protection of resources on the network, in particular: transport (backbone + access) networks: transmission media, routers, switches, network management center; computer systems: PCs and servers; data/information.
8 Why do we need Infosec and COMSEC?
9 Why do we need Security? (1) Computers and communications (C&C) are increasingly tying the nation's critical infrastructure together; the reliance on C&C raises the vulnerability of the nation's critical infrastructure to cyber attacks. Information security is essential to our national security, our nation's economic well-being, law enforcement/public safety, and privacy. Our overall strategic goal is to empower all citizens to secure their portions of cyberspace.
10 Why do we need Security? (2) Information is a strategic resource: a significant portion of an organization's budget is spent on managing information, and there are many types of information. Security-related objectives: confidentiality (secrecy) protects the value of information; integrity protects its accuracy; availability ensures its delivery. Threats to information security, according to various surveys, are on the order of: 55% human error, 10% disgruntled employees, 10% dishonest employees, 10% outsider access.
11 Security Threats and Vulnerabilities
12 Security Glossary and Interrelationships. Threat: a possible danger that might exploit a vulnerability. Attack: an assault on system security that derives from an intelligent threat. Vulnerability: an intrinsic weakness (e.g., in system security procedures, system design, implementation, internal controls, etc.) that is susceptible to attack. Risk: an expectation of loss, expressed as the probability that a particular threat will exploit a particular vulnerability with a particular harmful result. Interrelationship (from the slide's diagram): a threat exploits a vulnerability by launching an attack, and the attack causes risk.
13 Security Attack: any action that compromises the security of information owned by an organization. Information security is about how to prevent attacks, or failing that, to detect attacks on information-based systems. Threat and attack are often used to mean the same thing. There is a wide range of attacks; one can focus on two generic types: passive and active.
14 Attack Types: Interruption, Interception, Modification, Fabrication
15 A Spectrum of Dangers. Low end: teenage joyriders. Up the spectrum: individuals engaged in ID theft, fraud, extortion, and industrial espionage; nations engaged in espionage against U.S. companies and the U.S. government. Far end: nations building information warfare units.
16 Cyber Security Threats (1). Threat types: Wiretapping, to intercept communications (passive wiretapping: just listening; active wiretapping: injecting something into the communication). Impersonation: pretending to be another person or process. Message confidentiality violations: exposure/compromise, misdelivery, traffic-flow analysis. Integrity violations: corruption of data, web site defacement, falsification of messages.
17 Cyber Security Threats (2). Hacking. Code integrity: refers to damage to executable code. Denial of service: connectivity flooding, routing problems, disruption of service. Privacy: compromise of information protected by privacy laws (e.g., the European Union's Safe Harbor privacy framework, the US DHHS's Health Insurance Portability & Accountability Act (HIPAA) for patient privacy, and the US FDIC's implementation of the Gramm-Leach-Bliley Act (GLBA) safeguarding customer information). Threat agents: malicious hackers, criminals, industrial spies.
18 Cyber Vulnerabilities (1). Browser vulnerability: complex software with many features that can be exploited by hackers (e.g., downloading and running plug-ins, execution of remote Java applets). Plug-in security implications: plug-ins have full access to all the data on the browser's machine; plug-ins are written and supplied by third parties; plug-ins may not be trustworthy (e.g., truly malicious plug-ins, compromised plug-ins, buggy plug-ins exploitable by hackers). Java security implications: flaws in Java language design (e.g., public variables should not be writable across name spaces); Java implementation errors (e.g., bugs in the Java virtual machine that let programs violate Java's type system); the Java security model is not formally specified.
19 Cyber Vulnerabilities (2). Web server vulnerability: server host security failures; crafting HTTP requests that exploit a bug in the web server; exploiting a weakness in the CGI programs accessible through the web server itself. Communication environment vulnerability: lack of secure networking protocols; unencrypted Internet traffic is subject to eavesdropping and active wiretapping attacks.
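The CGI weakness mentioned on this slide is most often a shell command injection: the program pastes a request parameter into a command line. The following is an added example, not code from the slides; the query strings are constructed, and `echo` stands in for the network utility (ping, nslookup, finger) a real CGI script would call. It shows the vulnerable pattern beside two hardened forms.

```python
"""CGI command injection and its hardened form (added example, not from the original slides)."""
import re
import subprocess
from urllib.parse import parse_qs

# Constructed query strings, as the web server would hand them to a CGI program in QUERY_STRING.
BENIGN_QUERY = "host=example.com"
MALICIOUS_QUERY = "host=example.com%3Becho%20INJECTED"   # decodes to "example.com;echo INJECTED"

# Allow-list for a hostname parameter: letters, digits, dots and hyphens only.
HOSTNAME_RE = re.compile(r"[A-Za-z0-9.-]{1,253}")


def host_param(query_string: str) -> str:
    """Extract the 'host' parameter exactly as a CGI library would (URL-decoded)."""
    return parse_qs(query_string).get("host", [""])[0]


def vulnerable_cgi(query_string: str) -> str:
    """Classic CGI bug: user input concatenated into a command line that /bin/sh interprets.
    Anything after ';' in the parameter becomes a second command."""
    cmd = "echo checking " + host_param(query_string)
    result = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return result.stdout


def argv_only_cgi(query_string: str) -> str:
    """First fix: pass an argv list with no shell, so the whole parameter stays one argument
    and shell metacharacters are never interpreted."""
    host = host_param(query_string)
    result = subprocess.run(["echo", "checking", host], capture_output=True, text=True)
    return result.stdout


def hardened_cgi(query_string: str) -> str:
    """Second fix layered on the first: reject anything that is not a plausible hostname
    before it reaches any program at all."""
    host = host_param(query_string)
    if not HOSTNAME_RE.fullmatch(host):
        raise ValueError(f"rejected host parameter: {host!r}")
    result = subprocess.run(["echo", "checking", host], capture_output=True, text=True)
    return result.stdout
```

With the malicious query the vulnerable handler prints a second line, `INJECTED`, produced by the attacker's command; the argv-only handler prints the raw parameter as text, and the hardened handler refuses the request. Input validation alone is not enough (a later utility may have its own parsing), and argv passing alone still lets attacker-chosen arguments reach the utility, which is why both are combined.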
20 How Big is the Threat? (1) Per the Computer Security Institute (CSI) and FBI 12th Computer Crime and Security Survey for 2007: the average annual loss reported in this year's survey shot up to $350,424 from $168,000 the previous year; not since the 2004 report have average losses been this high. 18 percent of those respondents who suffered one or more kinds of security incident further said they'd suffered a targeted attack, defined as a malware attack aimed exclusively at their organization. Financial fraud overtook virus attacks as the source of the greatest financial losses; virus losses fell to second place; another significant cause of loss was system penetration by outsiders.
21 How Big is the Threat? (2) Insider abuse of network access or e-mail (such as trafficking in pornography or pirated software) edged out virus incidents as the most prevalent security problem, with 59 and 52 percent of respondents reporting each respectively. When asked generally whether they'd suffered a security incident, 46 percent of respondents said yes, down from 53 percent last year and 56 percent the year before. The percentage of organizations reporting computer intrusions to law enforcement continued upward after reversing a multi-year decline over the past two years, standing now at 29 percent as compared to 25 percent in last year's report.
22 Types of Attacks or Misuse Detected in 2007
23 Top 10 Cyber Security Problems: lack of awareness of Internet threats and risks; lack of management support in handling security; weak site security safeguards; weak site security administration/management; many Internet sites allow wide-open Internet access; the vast majority of Internet traffic is unencrypted; poor vendor support on security; lack of security in the TCP/IP protocol suite; exploitation of software (e.g., protocol implementation) bugs; cracker skills keep improving.
24 Security Requirements
25 Security Requirements (1). Confidentiality: protection from disclosure to unauthorized persons. Integrity: prevent modification of data content by an unauthorized user and maintain data consistency. Authentication: assurance of the identity of a person or of the originator of data. Non-repudiation: the originator or receiver of a communication can't deny it later.
26 Security Requirements (2). Availability: legitimate users have access when they need it. Access control: unauthorized users are kept out. These are often combined: user authentication is used for access control purposes; non-repudiation is combined with authentication.
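The integrity and falsification threats on slide 16 and the integrity, authentication and non-repudiation requirements on slides 25 and 26 can be made concrete with a message authentication code. The following is an added example, not code from the slides; the shared key and the transfer messages are constructed for illustration. It shows that an HMAC detects both modification in transit and fabrication by someone without the key, and also why a MAC alone does not give non-repudiation: the receiver holds the same key, so it can mint a valid tag for a message the sender never sent.

```python
"""HMAC for integrity and origin authentication, and its non-repudiation gap (added example)."""
import hashlib
import hmac
import secrets

# Constructed 32-byte key shared by sender and receiver (assumed provisioned out of band).
SHARED_KEY = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0" * 2)

# Constructed application message: a funds transfer.
ORIGINAL = b"from=alice&to=bob&amount=100"


def mac(key: bytes, message: bytes) -> bytes:
    """HMAC-SHA256 tag over the message; only holders of key can compute it."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify(key: bytes, message: bytes, received_tag: bytes) -> bool:
    """Recompute the tag and compare in constant time so timing does not leak it byte by byte."""
    return hmac.compare_digest(mac(key, message), received_tag)


def modification_detected() -> bool:
    """Integrity: an active wiretapper changes the amount in transit; the tag no longer matches."""
    tag = mac(SHARED_KEY, ORIGINAL)
    tampered = ORIGINAL.replace(b"amount=100", b"amount=1000")
    return verify(SHARED_KEY, tampered, tag) is False


def fabrication_detected() -> bool:
    """Authentication: an impersonator without the key cannot produce a valid tag for a
    message of their own; a guessed 256-bit tag is rejected."""
    forged = b"from=alice&to=mallory&amount=5000"
    guessed_tag = secrets.token_bytes(32)
    return verify(SHARED_KEY, forged, guessed_tag) is False


def receiver_can_forge() -> bool:
    """Non-repudiation is NOT provided: Bob holds the same key as Alice, so he can produce a tag
    for a transfer Alice never sent, and a third party cannot tell which of them made it. That
    requirement needs a digital signature made with a private key only Alice holds."""
    claimed = b"from=alice&to=bob&amount=999999"
    tag_made_by_bob = mac(SHARED_KEY, claimed)
    return verify(SHARED_KEY, claimed, tag_made_by_bob)
```

All three scenario functions return True: the first two because the MAC rejects the altered and fabricated messages, the third because the receiver's forgery verifies, which is exactly the property that a symmetric MAC cannot prevent and a signature-based PKI (slide 32) is deployed for.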
27 The Cyber Security Requirements. Securing the web server and the data on it (e.g., cryptographically enabled web server, host security, server access methods, secure CGI/API programming). Securing the information that travels between the web server and the user (e.g., use of digital certificates and cryptography). Securing the browser and the user's own computer (e.g., obtain a valid browser, proper security preference settings, separate execution contexts).
28 How to secure networks and information systems?
29 Cyber Security Challenges (1). Jurisdiction: the Internet and other computer systems do not recognize state or international boundaries; fighting computer crime requires cooperation with foreign law enforcement agencies, across different legal systems and a significant disparity in technical expertise among those agencies. Identification: lack of identification mechanisms on global networks; an individual can be anonymous or take on masked identities; with the help of anonymizing software it is difficult or impossible to trace cybercriminals; how to balance the need for accountability with the need for anonymity.
30 Cyber Security Challenges (2). Evidentiary issues: electronic data gathered by computers and the Internet can be easily destroyed, deleted, or modified; identification and location of cybercriminals can be extremely difficult; new technology, tools, capabilities, or legal authorities may be required for effective evidence gathering, investigation, and prosecution of unlawful conduct.
31 Cyber Security Challenges (3). Infrastructure protection: how to protect the systems and networks of this Nation that make our businesses run and operate our Nation's defenses? Because much of the Nation's infrastructure is in private hands, the private sector must take the steps necessary to prevent attacks against its systems. There is a need for unprecedented cooperation between government agencies and private sector partners to address a variety of infrastructure assurance issues and confront cyberattacks on infrastructure.
32 How to make Cyber Space more Secure? (1) Increased awareness of security risks and threats. Creation of the IETF, NIPC and other groups dedicated to Internet security issues. Deploy available and affordable security solutions: security posture and monitoring tools; smartcards for storing user authentication credentials; encryption to ensure data privacy (combined with message authentication for integrity, since encryption alone does not detect modification); public key infrastructure, through digital signatures, to provide non-repudiation; access control to provide authorization and privilege management; firewalls to prevent intrusion.
33 How to make Cyber Space more Secure? (2) Base network security on risk management rather than on threat avoidance: don't rely on preventive technology to avoid the threat, but embrace sound processes that manage the risks. Implement active security monitoring to detect and respond to any insider or outsider attack. Take out proper network security insurance as the risk manager of last resort. Prosecute and convict Internet criminals to turn the Internet into a lawful society.
34 Security Trends
35 Security Trends (1)
36 Security Trends (2). Cracker skills keep improving, and attack tools with user-friendly interfaces are easy to obtain and simple to launch attacks with. Network attacks usually start by exploring the vulnerabilities of the weakest points and then using them as springboards to bring the whole network to its knees. Many contemporary network attacks are denial-of-service attacks in nature instead of simple intrusions. Security in network communication equipment is inadequate (e.g., routers and switches forward on header fields alone without looking at payloads, and most firewalls are packet-level filters that judge each packet in isolation). Anti-virus software is no longer effective at recognizing the prevailing network attacks.
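The remark about packet-level filters deserves a concrete illustration. Below is an added example, not code from the slides; the addresses, ports and packets are constructed. A stateless filter has to let replies to the inside host's own connections back in, and the traditional way to do that from header fields alone is to accept any inbound segment with the ACK bit set. A connection-tracking (stateful) filter instead remembers the outbound SYN and admits only the matching reverse flow, so a forged ACK aimed at a closed port is dropped.

```python
"""Stateless packet filter versus stateful connection tracking (added example, not from the slides)."""
from dataclasses import dataclass

INTERNAL_HOST = "10.0.0.5"       # host on the protected side (constructed)
WEB_SERVER = "203.0.113.10"      # public server the internal host connects to (constructed)
ATTACKER = "198.51.100.7"        # external probing host (constructed)
PUBLIC_SERVICES = {80}           # the only port meant to accept inbound connections


@dataclass(frozen=True)
class Packet:
    """The TCP/IP header fields a filter looks at."""
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False


def stateless_allows_inbound(pkt: Packet) -> bool:
    """Packet-level filter: decides from this packet's header alone. To let replies to outbound
    connections in, it trusts the ACK flag, which an attacker can set on any forged segment."""
    if pkt.dport in PUBLIC_SERVICES:
        return True
    return pkt.ack


class StatefulFilter:
    """Records outbound connection attempts and admits inbound packets only if they belong to one."""

    def __init__(self) -> None:
        self.connections = set()   # 4-tuples (src, sport, dst, dport) of outbound SYNs seen

    def outbound(self, pkt: Packet) -> bool:
        if pkt.syn and not pkt.ack:
            self.connections.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return True

    def inbound(self, pkt: Packet) -> bool:
        if pkt.dport in PUBLIC_SERVICES:
            return True
        # A legitimate reply travels in the reverse direction of a recorded 4-tuple.
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.connections


def run_scenario() -> dict:
    """Judge three inbound packets with both filters; values are (stateless, stateful) verdicts."""
    fw = StatefulFilter()
    fw.outbound(Packet(INTERNAL_HOST, 40000, WEB_SERVER, 443, syn=True))   # inside host opens HTTPS

    legit_reply = Packet(WEB_SERVER, 443, INTERNAL_HOST, 40000, syn=True, ack=True)
    ack_probe = Packet(ATTACKER, 31337, INTERNAL_HOST, 22, ack=True)      # forged ACK to SSH
    syn_to_ssh = Packet(ATTACKER, 31337, INTERNAL_HOST, 22, syn=True)     # plain connection attempt

    return {
        "legit_reply": (stateless_allows_inbound(legit_reply), fw.inbound(legit_reply)),
        "ack_probe": (stateless_allows_inbound(ack_probe), fw.inbound(ack_probe)),
        "syn_to_ssh": (stateless_allows_inbound(syn_to_ssh), fw.inbound(syn_to_ssh)),
    }
```

Both filters admit the genuine SYN/ACK reply and both drop the plain SYN to port 22, but only the stateless filter lets the forged ACK through, which is what lets an ACK scan map hosts behind such a filter. Neither filter looks at payload, so application-layer attacks against port 80 pass both; that is the gap the slide's remark about anti-virus and packet filters points at.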
38 Conclusion. Use risk management instead of relying on threat avoidance. Implement active security monitoring to detect and respond to any insider or outsider attack. Use standards for security product development and assessment to establish trust and manage risks.