ECE509 Cyber Security : Concept, Theory, and Practice

Transcription

1 ECE509 Cyber Security : Concept, Theory, and Practice Introduction Spring 2014

2 Meet Thursday 4:00pm 6:50 pm, ECE Bldg, Room 258 ACL lab is ECE251 Office hours: 11:00 AM - 12:00 PM Th in ECE356p Questions via are encouraged [email protected] Web site

3 Topics Fundamentals of Cyber Security Network Security, Risk Models and Assessments Understand Network Attacks Scanning / Probe DoS / DDoS attack Worm / Virus / Trojans Spam / Botnet / phishing Insider Attacks Hardware/Software Security Technologies Encryption / Authorization/Authentication Access Control Matrix, Firewall, IDS/IPS, IPSec, Honeypot, etc

4 More Topics Network Security Monitoring (NSM) Payload / Session / Connection Level Active / Passive Vulnerability Analysis Operation System IPv4/v6 Wireless Network Layer 2(ARP) Application (Web, Database)

5 More Topics Defensive system design Security architectures Penetration testing Labs Network Scanning Network Security Monitoring Firewalls/IDS

6 Recommended References Stallings, William; Brown, Lawrie. Computer Security: Principles and Practice (2nd Edition) Pfleeger, Charles P.; Pfleeger, Shari Lawrence. Security in Computing (4th Edition) Katz, Jonathan; Lindell, Yehuda. Introduction to Modern Cryptography Qian, Yi; Tipper, David; Krishnamurthy, Prashant; Joshi, James. Information Assurance: Dependability and Security in Networked Systems

7 Course Grading Homework and Assignments: 25% Midterm Exam: 10% Term paper + Presentation: 25% Term project: 25% Final Exam: 15%

8 Note All information contained in this course information sheet, other than grading policy, may be subject to change.

9 Important Dates Abstracts for projects and term paper Feb. 6, 2014 Midterm Mar. 13, 2014 Term paper and presentation Apr. 24, 2014 Project Report May 1, 2014 Final Exam (24 hour take home exam) May 1, 2014

10 Questions for the class Are you comfortable with C, C++, and/or Java?

11 Questions for the class Are you familiar with IP networking?

12 Questions for the class Are you familiar with Operating System? Linux and/or Windows?

13 Questions for the class What is your goal of this class?

14 Prohibited Conduct Students enrolled in academic credit bearing courses are subject to this Code. Conduct prohibited by this Code consists of all forms of academic dishonesty, including, but not limited to: 1. Cheating, fabrication, facilitating academic dishonesty, and plagiarism as set out and defined in the Student Code of Conduct, ABOR Policy E.10, and F.1 2. Submitting an item of academic work that has previously been submitted or simultaneously submitted without fair citation of the original work or authorization by the faculty member supervising the work. 3. Violating required disciplinary and professional ethics rules contained or referenced in the student handbooks (hardcopy or online) of undergraduate or graduate programs, or professional colleges. Source:

15 Prohibited Conduct 4. Violating discipline specific health, safety or ethical requirements to gain any unfair advantage in lab(s) or clinical assignments. 5. Failing to observe rules of academic integrity established by a faculty member for a particular course. 6. Attempting to commit an act prohibited by this Code. Any attempt to commit an act prohibited by these rules shall be subject to sanctions to the same extent as completed acts. 7. Assisting or attempting to assist another to violate this Code. Source:

16 The Average Individual Cost due to Cyber Attack According to 2013 s Consumer Security Risks Survey, conducted by B2B International and Kaspersky Lab, the average cost of multimedia files that a user might lose as a result of a cyber attack or other damage is estimated at $418. According to the same survey, over 60% of users who were victims of malware that either damaged or destroyed data admitted that they had not been able to fully restore their files. in the age group would face an average loss of $670, while those in the group would incur an average loss of $455; users aged 45 and older would lose an average of $227.

17 Cyber attacks cost for US Organizations The Ponemon Institute sponsored by HP Enterprise Security Products conducted the 2013 Cost of Cyber Crime Study that showed the average annualized cost of cybercrime incurred by a benchmark sample of US organizations was $11.56 million, with a range of $1.3 million to $58 million. That represent a 78% increase since the initial study was conducted four years ago and an increase of 26%, or $2.6 million, over the average cost reported in Source:

18 Cyber attacks cost for US Organizations It also stated: the time it takes to resolve a cyber-attack has increased by nearly 130% during this same period. The average time to resolve a cyber-attack is 32 days, with an average cost incurred during the resolution period of $1,035,769, or $32,469 per day a 55% increase over last year s estimated average cost of $591,780 for a 24-day period. Source:

19 Cyber attacks cost for US Organizations Overall, organizations experience an average of 122 successful attacks per week, up from 102 attacks per week in Cybercrime cost varies by company size, but smaller organizations incur a significantly higher per-capita cost than larger organizations. Organizations in financial services, defense, and energy and utilities also experience substantially higher cybercrime costs than those in retail, hospitality and consumer products. Source:

20 Small Businesses Forty-four percent say they have been the victim of a cyberattack that s high, and really concerning, says Molly Brogan, the director of communications for the NSBA. Of the 44% of businesses that had experienced an attack, 59% say they incurred service interruptions, and 35% say information was falsely sent from their domain names. Nineteen percent say their website was taken down, and 5% say sensitive information and data was stolen. The NSBA s 2013 Small Business Technology Survey was conducted in August and surveyed 845 small-business owners, including both NSBA members and non-members. Source:

21

22 Cloud Attacks On Oct. 3, 2013, Adobe announced that their Creative Cloud customers database has been the target of a cyber attack which may have compromised the data of some 2.9 million Creative Cloud customers.

23 Healthcare A top Homeland Security Department official testified Wednesday that there have been approximately 16 cyberattacks on the HealthCare.gov website and one denial of service attack that was unsuccessful. Source: healthcaregov-targeted-about-16-times-by-cyberattacks-dhs-officialsays

24 Source: Oct. 2013

25 Source: Oct. 2013

26 Source: Oct. 2013

27 Source: Oct. 2013

28 Why Internet Security Internet attacks are increasing in frequency, severity and sophistication Security has become one of the hottest jobs even with downturn of economy

29 Why Internet Security (cont d) Virus and worms Melissa, Nimda, Code Red, Code Red II, Slammer Cause over $28 billion in economic losses in 2003, growing to over $75 billion in economic losses by Code Red (2001): 13 hours infected >360K machines - $2.4 billion loss Slammer (2003): 10 minutes infected > 75K machines - $1 billion loss

30 U.S. National Cybersecurity Martin Casado Keith Coleman Sponsored by William J. Perry MS&E 91SI Fall 2006 Stanford University

31 Why are we talking about cybersecurity?

32 Case 1: Blue Security DoS May 2006, anti-spam company Blue Security attacked by PharmaMaster PharmaMaster bribed a top-tier ISP's staff member into black holing Blue Security's former IP address ( ) at internet backbone routers. Attack disrupts the operations of five top-tier hosting providers in the US and Canada, as well as a major DNS provider for several hours. Blue security operation was disrupted, and they had to shutdown their service.

33 Case 2: Slammer Worm January 2003 Infects 90% of vulnerable computers within 10 minutes Effect of the Worm - Interference with elections - Cancelled airline flights emergency systems affected in Seattle - 13,000 Bank of America ATMs failed No malicious payload! Estimated ~$1 Billion in productivity loss

34 Case 3: WorldCom July 2002 WorldCom declares bankruptcy Problem WorldCom carries 13% - 50% of global internet traffic. About 40% of Internet traffic uses WorldCom s network at some point October 2002 Outage affecting only 20% of WorldCom users snarls traffic around the globe Congressional Hearings Congress considers, but rejects, extension of FCC regulatory powers to prevent WorldCom shutdown Vulnerabilities are not just technical

35 Case 4: Titan Rain Successful network intrusions on U.S. military installations Increasing in frequency since 2003 Originating from China Successful intrusion into U.S. Army Information Systems Engineering Command at Fort Huachuca, Arizona Defense Information Systems Agency in Arlington, Virginia Naval Ocean Systems Center in San Diego, California United States Army Space and Strategic Defense installation in Huntsville, Alabama more

36 Increasing Dependence Communication ( , IM, VoIP) Commerce (business, banking, e-commerce, etc) Control systems (public utilities, etc) Information and entertainment Sensitive data stored on the Internet e.g. Biz, Edu, Gov have permanently replaced physical/manual processes with Internetbased processes Navy command dissemination?

37 Security Initially Not a Priority Other design priorities often trump security: Cost Speed Convenience Open Architecture Backwards Compatibility

38 And It s Really Hard Hard to retrofit security fixes No metrics to measure (in)security Internet is inherently international (no real boundaries) Private sector owns most of the infrastructure Cybersecurity Gap : a cost/incentive disconnect? Businesses will pay to meet business imperatives Who s going to pay to meet national security imperatives?

39 An Achilles Heel? This level of dependence makes the Internet a target for asymmetric attack Cyberwarfare Cyberterrorism Cyberhooliganism* and a weak spot for accidents and failures * Coined by Bruce Schneier, Counterpane

40 The Challenge Clearly not just a technical problem. Requires consideration of economic factors, public policy, legal issues, social issues etc. That s what this class is about.

41 What is cybersecurity?

42 Some Definitions According to the U.S. Dept of Commerce: n. cybersecurity: See information security n. information security: The protection of information against unauthorized disclosure, transfer, modification, or destruction, whether accidental or intentional.

43 Some Definitions According to S Cybersecurity Research and Education Act of 2002 : cybersecurity: information assurance, including scientific, technical, management, or any other relevant disciplines required to ensure computer and network security, including, but not limited to, a discipline related to the following functions: (A) Secure System and network administration and operations. (B) Systems security engineering. (C) Information assurance systems and product acquisition. (D) Cryptography. (E) Threat and vulnerability assessment, including risk management. (F) Web security. (G) Operations of computer emergency response teams. (H) Cybersecurity training, education, and management. (I) Computer forensics. (J) Defensive information operations.

44 Some Definitions According to S Cyberterrorism Preparedness Act of 2002 : cybersecurity: information assurance, including information security, information technology disaster recovery, and information privacy.

45 One way to think about it cybersecurity = security of cyberspace

46 One way to think about it cybersecurity = security of cyberspace information systems and networks

47 One way to think about it cybersecurity = security of information systems and networks

48 One way to think about it cybersecurity = security of information systems and networks + with the goal of protecting operations and assets

49 One way to think about it cybersecurity = security of information systems and networks with the goal of protecting operations and assets

50 One way to think about it cybersecurity = security of information systems and networks with the goal of protecting operations and assets security in the face of attacks, accidents, and failures

51 One way to think about it cybersecurity = security of information systems and networks in the face of attacks, accidents, and failures with the goal of protecting operations and assets

52 One way to think about it cybersecurity = security of information systems and networks in the face of attacks, accidents and failures with the goal of protecting operations and assets availability, integrity, and secrecy

53 One way to think about it cybersecurity = availability, integrity and secrecy of information systems and networks in the face of attacks, accidents, and failures with the goal of protecting operations and assets (Still a work in progress comments?)

54 In Context corporate cybersecurity = availability, integrity and secrecy of information systems and networks in the face of attacks, accidents and failures with the goal of protecting a corporation s operations and assets national cybersecurity = availability, integrity and secrecy of the information systems and networks in the face of attacks, accidents and failures with the goal of protecting a nation s operations and assets

55 What is computer security? Why do we need?

56 Cybersecurity Questions How vulnerable is the United States to a cyberattack? Are we heading for an electronic pearl harbor? What areas of vulnerability require the greatest attention in order to improve our national cybersecurity? Is the Internet an appropriate platform upon which to operate infrastructure systems critical to US economic or government operation?

57 Cybersecurity Questions What characteristics would we want in an Ideal Internet? Can the current Internet evolve into a network with significantly improved security guarantees or will another system need to created? Does greater Internet security necessarily entail decreased online privacy?

58 information security triad (CIA) Confidentiality Integrity Availability

59 Confidentiality Prevent from unauthorized access Prevent from unauthorized disclosure Guarantee privacy

60 Integrity Prevent from unauthorized modifications to information

61 Availability Ensuring the availability of resources (System, Services, or Information) to users in a timely manner

62 CIA in action

63 Some of the methods used to protect the CIA of information Identification: Using unique naming to enforce access control and establish accountability Authentication Verification of the provided identification Authorization Define what actions the user, the system, or the process can perform on the information.

64 Accountability Tracing back actions and events back in time to the entity (User, System, Process) that invokes them.

65 Logs Ordered list (usually by time) of actions and events created by systems and applications to provide accountability. The term Audit trail is used when to distinguish low level actions or events.

66 Assurance Functionality vs. Assurance We are looking on Functionality and Assurance from security prospective The functionality of the system provides information about what the system can perform. The assurance of the system provides the information about what the system won t perform. Conservative System Holistic System Functionality

67 Privacy the state or condition of being free from being observed or disturbed by other people. New Oxford American Dictionary 3rd edition 2010, 2012 by Oxford University Press

68 System Resource (Asset) Information, Services, Functionalities, or Hardware. What about Network?

69 Threat Threat: Set of conditions that has the potential of causing a security breach that harm the system. Types of threat: Unauthorized Disclosure: Unauthorized access to data Deception: Acceptance of false data Disruption: Interruption or prevention of correct operation Usurpation: Unauthorized control of a system or part of it.

70 Which of the security CIA properties does each threat type affect?

71 Unauthorized Disclosure Exposure: Sensitive data is released to unauthorized entity Interception: Unauthorized entity directly gain data being transferred between authorized entities. Inference: Unauthorized entity get data indirectly Intrusion: Unauthorized entity gain data by cheating the security enforcement entities.

72 Deception Masquerade: Unauthorized entity perform an malicious activity as an authorized entity. Falsification: Providing false data Repudiation: An entity denies the occurrence of an event.

73 Disruption Incapacitation: interrupt operation by disabling some functionality Corruption: Change in system and data to interrupt the system s operation Obstruction: disallow system from providing services.

74 Usurpation Misappropriation: an unauthorized entity controls system s resources. Misuse: an unauthorized entity perform actions that reduce the system security.

75 Security Policy A set of rules that regulate how the system provides security services in order to protect its services or resources.

76 Vulnerability and Attack Vulnerability: A flaw in the system that could be exploited to violate the security policy. Attack: An exploit of a vulnerability. Adversary: the entity that is launching the attack

77 Risk and Countermeasure Risk: The probability that a certain threat will attack and cause a particular harmful result. Countermeasure: An action that reduces the risk or the harm by eliminating or preventing from certain threats or attacks.

78 Security Concepts Relations Adversary rise Owners impose Countermeasures reduce Increase Threat Wish to abuse or damage Risk to to Asset Stallings, William. Computer Security: Principles and Practice (2nd Edition)

79 Reading [ Read to end of page 10]