CRYPTOGRAPHY AND NETWORK SECURITY - SlideShare


UNIT - V System security – Intruders – Malicious software – viruses – Firewalls – Security Standards

Published on Aug 25, 2015 by M. N. M Jain Engineering College, Chennai. Published in: Engineering.

Slide 1: IT2352 CRYPTOGRAPHY AND NETWORK SECURITY, UNIT – V
Dr. A. Kathirvel, Professor and Head, Dept of IT, Anand Institute of Higher Technology, Chennai

Slide 2: UNIT - V
System security – Intruders – Malicious software – viruses – Firewalls – Security Standards

Slide 3: COMPUTER SECURITY CONCEPTS
• Integrity - assets can be modified by authorized parties only
• Availability - assets are available to authorized parties
• Confidentiality - requires that information in a computer system be accessible only by authorized parties; individuals set their own privacy requirements
Additional requirements:
• Authenticity - requires that a computer system be able to verify the identity of a user
• Accountability - requires the detection and tracing of a security breach to a responsible party
Computer Security: the protection afforded to an automated information system in order to attain the applicable objectives of preserving the integrity, availability and confidentiality of information system resources (i.e. hardware, software, firmware, information/data, and telecommunications).

Slide 4: THREATS AND ATTACKS

Slide 5: THREATS AND ASSETS

Slide 6: SECURITY THREATS TO ASSETS

Slide 7: COMMUNICATION LINES AND NETWORKS
Passive Attacks
– Release of message contents - a telephone conversation, an electronic mail message, a transferred file, etc.
– Traffic analysis - encryption can mask the contents, but message size, transmission frequency, and the location and identity of the communicating hosts can still be extracted

Slide 8: COMMUNICATION LINES AND NETWORKS
Active Attacks
– Replay: passive capture of a data unit and its retransmission to produce an unauthorized effect
– Masquerade: one entity pretends to be a different entity (e.g. trying to log in as someone else)
– Modification of messages: some portion of a legitimate message is altered, or messages are delayed or reordered
– Denial of service: prevents or inhibits the normal use or management of communications facilities (disable, or overload with messages)

Slide 9: INTRUDERS
"They agreed that Graham should set the test for Charles Mabledene. It was neither more nor less than that Dragon should get Stern's code. If he had the 'in' at Utting which he claimed to have this should be possible, only loyalty to Moscow Centre would prevent it. If he got the key to the code he would prove his loyalty to London Central beyond a doubt." —Talking to Strange Men, Ruth Rendell

Slide 10: INTRUDERS
• significant issue for networked systems is hostile or unwanted access
• either via network or local
• can identify classes of intruders:
– masquerader
– misfeasor
– clandestine user
• varying levels of competence

Slide 11: INTRUDERS
• clearly a growing publicized problem
– from "Wily Hacker" in 1986/87
– to clearly escalating CERT stats
• range
– benign: explore, still costs resources
– serious: access/modify data, disrupt system
• led to the development of CERTs
• intruder techniques & behavior patterns constantly shifting, but have common features

Slide 12: EXAMPLES OF INTRUSION
• remote root compromise
• web server defacement
• guessing / cracking passwords
• copying / viewing sensitive data / databases
• running a packet sniffer
• distributing pirated software
• using an unsecured modem to access the net
• impersonating a user to reset a password
• using an unattended workstation
Slide 13: HACKERS
• motivated by thrill of access and status
– hacking community a strong meritocracy
– status is determined by level of competence
• benign intruders might be tolerable
– do consume resources and may slow performance
– can't know in advance whether benign or malign
• IDS / IPS / VPNs can help counter
• awareness led to establishment of CERTs
– collect / disseminate vulnerability info / responses

Slide 14: HACKER BEHAVIOR EXAMPLE
1. select target using IP lookup tools
2. map network for accessible services
3. identify potentially vulnerable services
4. brute force (guess) passwords
5. install remote administration tool
6. wait for admin to log on and capture password
7. use password to access remainder of network

Slide 15: CRIMINAL ENTERPRISE
• organized groups of hackers now a threat
– corporation / government / loosely affiliated gangs
– typically young
– often Eastern European or Russian hackers
– often target credit cards on e-commerce servers
• criminal hackers usually have specific targets
• once penetrated, act quickly and get out
• IDS / IPS help but are less effective
• sensitive data needs strong protection

Slide 16: CRIMINAL ENTERPRISE BEHAVIOR
1. act quickly and precisely to make their activities harder to detect
2. exploit perimeter via vulnerable ports
3. use trojan horses (hidden software) to leave back doors for re-entry
4. use sniffers to capture passwords
5. do not stick around until noticed
6. make few or no mistakes

Slide 17: INSIDER ATTACKS
• among the most difficult to detect and prevent
• employees have access & systems knowledge
• may be motivated by revenge / entitlement
– when employment terminated
– taking customer data when moving to a competitor
• IDS / IPS may help, but also need:
– least privilege, monitor logs, strong authentication
– termination process to block access & mirror data

Slide 18: INSIDER BEHAVIOR EXAMPLE
1. create network accounts for themselves and their friends
2. access accounts and applications they wouldn't normally use for their daily jobs
3. e-mail former and prospective employers
4. conduct furtive instant-messaging chats
5. visit web sites that cater to disgruntled employees, such as f'dcompany.com
6. perform large downloads and file copying
7. access the network during off hours

Slide 19: INTRUSION TECHNIQUES
• aim to gain access and/or increase privileges on a system
• often use system / software vulnerabilities
• key goal often is to acquire passwords
– so then exercise access rights of owner
• basic attack methodology
– target acquisition and information gathering
– initial access
– privilege escalation
– covering tracks

Slide 20: PASSWORD GUESSING
• one of the most common attacks
• attacker knows a login (from email/web page etc.) then attempts to guess the password for it
– defaults, short passwords, common words
– searches user info (variations on names, birthday, phone, common words/interests)
– exhaustively searching all possible passwords
• check by login or against a stolen password file
• success depends on the password chosen by the user
• surveys show many users choose poorly

Slide 21: PASSWORD CAPTURE
• another attack involves password capture
– watching over the shoulder as the password is entered
– using a trojan horse program to collect it
– monitoring an insecure network login, e.g. telnet, FTP, web, email
– extracting recorded info after a successful login (web history/cache, last number dialed etc.)
• using a valid login/password, can impersonate the user
• users need to be educated to use suitable precautions/countermeasures

Slide 22: INTRUSION DETECTION
• inevitably will have security failures
• so need also to detect intrusions so can
– block if detected quickly
– act as deterrent
– collect info to improve security
• assume intruder will behave differently to a legitimate user
– but will have imperfect distinction between

Slide 23: INTRUSION DETECTION
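Slide 20 lists what a guessing attack tries first: defaults, short passwords, dictionary words and variations on the user's own details. The defensive counterpart, which slides 37 and 40 later call proactive checking, rejects exactly those choices before the password is set. The checker below is an added example written for these notes, not code from the slides or the author; the rule thresholds follow slide 37 (length > 6, a mix of upper, lower, digits and punctuation, no dictionary words), and the small word list, the substitution table in normalize() and the user_info fields are constructed assumptions. The bad-password dictionary is held in a Bloom filter, the algorithmic check slide 40 names, so a large wordlist costs little memory and a rejected word is never missed (the filter has no false negatives).

```python
import hashlib
import re

# Constructed sample of a "bad password" dictionary (slide 40); a real
# deployment would load a large wordlist. These words are an assumption.
BAD_WORDS = ["password", "letmein", "welcome", "qwerty", "admin", "dragon",
             "football", "monkey", "123456", "iloveyou", "sunshine"]


class BloomFilter:
    """Compact set membership with no false negatives (slide 40's Bloom
    filter): k SHA-256-derived bit positions per word."""

    def __init__(self, size_bits=8192, hashes=4):
        self.size = size_bits
        self.k = hashes
        self.bits = bytearray(size_bits // 8)

    def _positions(self, item):
        for i in range(self.k):
            digest = hashlib.sha256(f"{i}:{item}".encode()).digest()
            yield int.from_bytes(digest[:8], "big") % self.size

    def add(self, item):
        for p in self._positions(item):
            self.bits[p // 8] |= 1 << (p % 8)

    def __contains__(self, item):
        return all(self.bits[p // 8] & (1 << (p % 8)) for p in self._positions(item))


def build_filter(words):
    bf = BloomFilter()
    for w in words:
        bf.add(w.lower())
    return bf


BAD_FILTER = build_filter(BAD_WORDS)


def normalize(pw):
    """Undo common digit/symbol substitutions so 'P@ssw0rd' is checked as 'password'.
    The substitution table is an assumption for the example."""
    return pw.lower().translate(str.maketrans("0345@$", "oeasas"))


def user_variations(user_info):
    """Variations on names, birthday, phone etc. (slide 20): the strings an
    attacker would try first, so the checker tries them too."""
    variants = set()
    for value in user_info.values():
        v = str(value).lower()
        if len(v) < 3:
            continue
        variants.add(v)
        variants.add(v[::-1])
        for suffix in ("1", "12", "123", "!"):
            variants.add(v + suffix)
    return variants


def check_password(pw, user_info, min_length=7):
    """Proactive check: return the list of reasons the password is rejected;
    an empty list means the password is acceptable."""
    reasons = []
    if len(pw) < min_length:                    # slide 37: minimum length > 6
        reasons.append("too short")
    classes = (re.search(r"[a-z]", pw), re.search(r"[A-Z]", pw),
               re.search(r"[0-9]", pw), re.search(r"[^A-Za-z0-9]", pw))
    if not all(classes):                        # slide 37: mix of character classes
        reasons.append("needs upper, lower, digit and punctuation mix")
    normalized = normalize(pw)
    letters_only = re.sub(r"[^a-z]", "", normalized)
    if normalized in BAD_FILTER or (letters_only and letters_only in BAD_FILTER):
        reasons.append("matches bad-password dictionary")
    lowered = pw.lower()
    # shortest variant first, so the reported match is deterministic
    for v in sorted(user_variations(user_info), key=len):
        if v in lowered:
            reasons.append(f"contains user information ({v})")
            break
    return reasons


if __name__ == "__main__":
    info = {"name": "alice", "birth_year": 1990}
    for candidate in ("Tr0ub4dor&3", "P@ssw0rd1!", "alice123", "Ab1!"):
        print(candidate, "->", check_password(candidate, info) or "accepted")
```

The check runs at password-change time, which is the point of the proactive approach: the weak choice is refused before it ever reaches the password file, whereas the reactive cracking on slide 39 leaves it exposed until the next cracking run finds it.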
Slide 24: APPROACHES TO INTRUSION DETECTION
• statistical anomaly detection
– attempts to define normal/expected behavior
– threshold
– profile based
• rule-based detection
– attempts to define proper behavior
– anomaly
– penetration identification

Slide 25: AUDIT RECORDS
• fundamental tool for intrusion detection
• native audit records
– part of all common multi-user O/S
– already present for use
– may not have the info wanted, in the desired form
• detection-specific audit records
– created specifically to collect wanted info
– at the cost of additional overhead on the system

Slide 26: STATISTICAL ANOMALY DETECTION
• threshold detection
– count occurrences of a specific event over time
– if the count exceeds a reasonable value, assume intrusion
– alone is a crude & ineffective detector
• profile based
– characterize past behavior of users
– detect significant deviations from this
– profile usually multi-parameter

Slide 27: AUDIT RECORD ANALYSIS
• foundation of statistical approaches
• analyze records to get metrics over time
– counter, gauge, interval timer, resource use
• use various tests on these to determine if current behavior is acceptable
– mean & standard deviation, multivariate, Markov process, time series, operational
• key advantage is that no prior knowledge is used

Slide 28: RULE-BASED INTRUSION DETECTION
• observe events on the system & apply rules to decide if activity is suspicious or not
• rule-based anomaly detection
– analyze historical audit records to identify usage patterns & auto-generate rules for them
– then observe current behavior & match against rules to see if it conforms
– like statistical anomaly detection, does not require prior knowledge of security flaws
Slide 29: RULE-BASED INTRUSION DETECTION
• rule-based penetration identification
– uses expert systems technology
– with rules identifying known penetration, weakness patterns, or suspicious behavior
– compare audit records or states against rules
– rules usually machine & O/S specific
– rules are generated by experts who interview & codify the knowledge of security admins
– quality depends on how well this is done

Slide 30: BASE-RATE FALLACY
• practically, an intrusion detection system needs to detect a substantial percentage of intrusions with few false alarms
– if too few intrusions detected -> false security
– if too many false alarms -> ignored / waste time
• this is very hard to do
• existing systems seem not to have a good record

Slide 31: DISTRIBUTED INTRUSION DETECTION
• traditional focus is on single systems
• but typically have networked systems
• more effective defense has these working together to detect intrusions
• issues
– dealing with varying audit record formats
– integrity & confidentiality of networked data
– centralized or decentralized architecture

Slide 32: DISTRIBUTED INTRUSION DETECTION - ARCHITECTURE

Slide 33: DISTRIBUTED INTRUSION DETECTION – AGENT IMPLEMENTATION

Slide 34: HONEYPOTS
• decoy systems to lure attackers
– away from accessing critical systems
– to collect information on their activities
– to encourage the attacker to stay on the system so the administrator can respond
• are filled with fabricated information
• instrumented to collect detailed information on attackers' activities
• single or multiple networked systems
• cf. IETF Intrusion Detection WG standards
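Slides 26 and 27 describe the two statistical anomaly tests in words: a threshold on an event counter, and a per-user profile (mean and standard deviation of a metric) against which new observations are scored. The code below is an added example for these notes, not code from the slides or their author; it runs both tests over a small set of constructed audit records (the timestamps, users, login failures and byte counts are all invented for the example, as are the window of 60 seconds, the limit of 5 and the 3-sigma cut-off). Dave has no history, so the profile test cannot score him; that is slide 27's point that the approach needs no prior knowledge of flaws, but does need past behaviour to compare against.

```python
import statistics
from collections import defaultdict

# Constructed audit records (not from the slides): (timestamp, user, event, value).
# "login_fail" is a counter-type event; "bytes_out" is a gauge-type metric (slide 27).
HISTORY = [(t, "alice", "bytes_out", v) for t, v in
           zip(range(100, 1100, 100), [100, 110, 90, 120, 100, 95, 105, 115, 100, 90])]
HISTORY += [(t, "bob", "bytes_out", v) for t, v in
            zip(range(100, 1100, 100), [500, 520, 480, 510, 490, 505, 495, 515, 500, 485])]

CURRENT = [
    (1000, "bob", "login_fail", 0), (1005, "bob", "login_fail", 0),
    (1010, "bob", "login_fail", 0), (1015, "bob", "login_fail", 0),
    (1020, "bob", "login_fail", 0), (1025, "bob", "login_fail", 0),
    (1000, "carol", "login_fail", 0), (1100, "carol", "login_fail", 0),
    (2000, "alice", "bytes_out", 5000),   # far outside alice's profile
    (2100, "bob", "bytes_out", 510),      # ordinary for bob
    (2200, "dave", "bytes_out", 9000),    # no profile yet: cannot be scored
]


def threshold_alerts(records, event="login_fail", window=60, limit=5):
    """Threshold detection (slide 26): alert when a user generates `limit` or
    more occurrences of `event` inside any sliding window of `window` seconds."""
    per_user = defaultdict(list)
    for ts, user, ev, _ in records:
        if ev == event:
            per_user[user].append(ts)
    alerts = []
    for user, times in per_user.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] >= window:
                start += 1
            if end - start + 1 >= limit:
                alerts.append((user, times[start], end - start + 1))
                break                      # one alert per user is enough here
    return alerts


def build_profiles(records, metric="bytes_out"):
    """Profile-based detection (slides 26/27): characterise each user's past
    behaviour as the mean and standard deviation of a metric."""
    values = defaultdict(list)
    for _, user, ev, value in records:
        if ev == metric:
            values[user].append(value)
    return {u: (statistics.mean(v), statistics.stdev(v))
            for u, v in values.items() if len(v) >= 2}


def profile_alerts(records, profiles, metric="bytes_out", z=3.0):
    """Flag observations more than `z` standard deviations from the user's profile."""
    alerts = []
    for _, user, ev, value in records:
        if ev != metric or user not in profiles:
            continue
        mean, sd = profiles[user]
        if sd == 0:
            score = 0.0 if value == mean else float("inf")
        else:
            score = (value - mean) / sd
        if abs(score) > z:
            alerts.append((user, value, round(score, 1)))
    return alerts


def run():
    """Build profiles from history, then apply both tests to the current records."""
    profiles = build_profiles(HISTORY)
    return {"threshold": threshold_alerts(CURRENT),
            "profile": profile_alerts(CURRENT, profiles)}


if __name__ == "__main__":
    for kind, hits in run().items():
        print(kind, hits)
```

Slide 30's base-rate fallacy applies directly to the two tunable numbers: a lower limit or a smaller z catches more intrusions but, over a large population of ordinary sessions, also raises far more false alarms than true ones.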
Slide 35: PASSWORD MANAGEMENT
• front-line defense against intruders
• users supply both:
– login – determines the privileges of that user
– password – to identify them
• passwords often stored encrypted
– Unix uses multiple DES (variant with salt)
– more recent systems use a crypto hash function
• should protect the password file on the system

Slide 36: PASSWORD STUDIES
• Purdue 1992 - many short passwords
• Klein 1990 - many guessable passwords
• conclusion is that users choose poor passwords too often
• need some approach to counter this

Slide 37: MANAGING PASSWORDS - EDUCATION
• can use policies and good user education
• educate on the importance of good passwords
• give guidelines for good passwords
– minimum length (> 6)
– require a mix of upper & lower case letters, numbers, punctuation
– not dictionary words
• but likely to be ignored by many users

Slide 38: MANAGING PASSWORDS - COMPUTER GENERATED
• let the computer create passwords
• if random, likely not memorisable, so will be written down (sticky label syndrome)
• even pronounceable ones are not remembered
• have a history of poor user acceptance
• FIPS PUB 181 is one of the best generators
– has both description & sample code
– generates words by concatenating random pronounceable syllables

Slide 39: MANAGING PASSWORDS - REACTIVE CHECKING
• reactively run password guessing tools
– note that good dictionaries exist for almost any language/interest group
• cracked passwords are disabled
• but is resource intensive
• bad passwords are vulnerable till found

Slide 40: MANAGING PASSWORDS - PROACTIVE CHECKING
• most promising approach to improving password security
• allow users to select their own password
• but have the system verify it is acceptable
– simple rule enforcement (see earlier slide)
– compare against a dictionary of bad passwords
– use an algorithmic approach (Markov model or Bloom filter) to detect poor choices

Slide 41: SUMMARY
• have considered:
– problem of intrusion, behavior and techniques
– intrusion detection (statistical & rule-based)
– password management

Slide 42: MALICIOUS SOFTWARE
Slide 43: BACKDOOR OR TRAPDOOR
• secret entry point into a program
• allows those who know of it access, bypassing usual security procedures
• have been commonly used by developers
• a threat when left in production programs, allowing exploitation by attackers
• very hard to block in O/S

Slide 44: LOGIC BOMB
• one of the oldest types of malicious software
• code embedded in a legitimate program
• activated when specified conditions are met
– e.g., presence/absence of some file
– particular date/time
– particular user
• when triggered, typically damages the system
– modify/delete files/disks, halt machine, etc.

Slide 45: TROJAN HORSE
• program with hidden side-effects
• which is usually superficially attractive
– e.g., game, s/w upgrade, etc.
• when run, performs some additional tasks
– allows the attacker to indirectly gain access they do not have directly
• often used to propagate a virus/worm or install a backdoor
• or simply to destroy data
• e.g., mail the password file

Slide 46: ZOMBIE
• program which secretly takes over another networked computer
• then uses it to indirectly launch attacks (difficult to trace the zombie's creator)
• often used to launch distributed denial of service (DDoS) attacks
• exploits known flaws in network systems

Slide 47: VIRUSES
• a piece of self-replicating code attached to some other code
• attaches itself to another program and executes secretly when the host program is executed
• propagates itself & carries a payload
– carries code to make copies of itself
– as well as code to perform some covert task

Slide 48: VIRUS OPERATION
• virus phases:
– dormant – waiting on a trigger event
– propagation – replicating to programs/disks
– triggering – by an event, to execute the payload
– execution – of the payload
• details usually machine/OS specific
– exploiting features/weaknesses
Slide 49: VIRUS STRUCTURE
Pseudocode from the slide, laid out as a program (the 1234567 marker is the virus's own "already infected" signature):

    program V :=
    {goto main;
     1234567;
     subroutine infect-executable :=
       {loop: file := get-random-executable-file;
        if (first-line-of-file = 1234567)
          then goto loop
          else prepend V to file;
       }
     subroutine do-damage := {whatever damage is to be done}
     subroutine trigger-pulled := {return true if condition holds}
    main: main-program :=
       {infect-executable;
        if trigger-pulled then do-damage;
        goto next;}
    next:
    }

Slide 50: TYPES OF VIRUSES
can classify on the basis of how they attack
• parasitic virus - attaches itself to executable files and replicates
• memory-resident virus - lodges in main memory and infects every program that executes
• boot sector virus - infects a boot record and spreads when the system is booted from the disk

Slide 51: TYPES OF VIRUSES…
• stealth - designed to hide itself from antivirus software
• polymorphic virus - a virus that mutates with every infection, making detection very difficult
• metamorphic virus - mutates with every infection, but rewrites itself completely every time, making it extremely difficult to detect

Slide 52: EMAIL VIRUS
• spread using email with an attachment containing a macro virus
• triggered when the user opens the attachment
• or worse, even when the mail is viewed, by using scripting features in the mail agent
• hence propagates very quickly
• usually targeted at the Microsoft Outlook mail agent & Word/Excel documents

Slide 53: WORMS
• replicating but not infecting program (does not attach itself to a program)
• typically spreads over a network
– Morris Internet Worm in 1988
• using users' distributed privileges or by exploiting system vulnerabilities
• worms perform unwanted functions
• widely used by hackers to create zombie PCs, subsequently used for further attacks, esp. DoS
• major issue is the lack of security of permanently connected systems, esp. PCs
Slide 54: WORM OPERATION
• worm has phases like those of viruses:
– dormant
– propagation
• search for other systems to infect
• establish connection to target remote system
• replicate self onto remote system
– triggering
– execution

Slide 55: MORRIS WORM
• best known classic worm
• released by Robert Morris in 1988
• targeted Unix systems
• using several propagation techniques
– simple password cracking of the local password file
– exploit bug in finger daemon
– exploit debug trapdoor in sendmail daemon
• if any attack succeeds, then replicated itself

Slide 56: VIRUS COUNTERMEASURES
• best countermeasure is prevention (do not allow a virus to get into the system in the first place)
• but in general not possible
• hence need to do one or more of:
– detection - of viruses in the infected system
– identification - of the specific infecting virus
– removal - restoring the system to a clean state

Slide 57: ANTI-VIRUS SOFTWARE
• first-generation
– scanner uses virus signature to identify virus
– or change in length of programs
• second-generation
– uses heuristic rules to spot viral infection
– or uses a crypto hash of the program to spot changes
• third-generation
– memory-resident programs identify virus by actions
• fourth-generation
– packages with a variety of antivirus techniques
– e.g. scanning & activity traps, access controls
• arms race continues

Slide 58: INTRUSION DETECTION SYSTEMS (IDS)
• Host-based IDS: monitors the characteristics of a single host and the events occurring within that host for suspicious activity
• Network-based IDS: monitors network traffic for particular segments and analyzes network, transport, and application protocols to identify suspicious activity
IDS comprises three logical components:
• Sensors – to collect data. Input types: network packets, log files, system call traces
• Analyzers – receive input from sensors; responsible for intrusion detection
• User interface – may be a manager, director, or console
Basic principles:
• Early detection – very important to confine the damage
• An effective IDS can serve as a deterrent (thus discouraging intrusion attempts)
• Intrusion detection enables data collection about intrusion techniques which, in turn, can be used to strengthen intrusion prevention measures

Slide 59: INTRUSION DETECTION
• Assumption: the behavior of the intruder differs from the legitimate user.
• But there is overlap. A loose interpretation of "intruder" may lead to false positives; on the other hand, a tight interpretation may lead to false negatives (risky!)

Slide 60: HOST-BASED INTRUSION DETECTION
• Can detect both external and internal intrusions, which is not possible with network-based IDSs or firewalls.
General approaches:
• Anomaly detection – collect data related to the behavior of legitimate users over a period of time, then apply statistical tests to determine if the observed behavior is not legitimate
– Threshold detection: defines thresholds for the frequency of occurrence of various events
– Profile based: a profile of normal activity is developed for each user; used to detect changes
• Signature detection: define a set of rules that applies to an intruder's behavior. A signature-based IDS monitors packets in the network and compares them with pre-configured and predetermined attack patterns, known as signatures
• Audit records
– Native audit records: all OSs include accounting software that collects information on user activity
– Detection-specific audit records: generate audit records containing only the information required by the IDS. Disadvantage: two accounting packages run on the system

Slide 61: MALWARE DEFENSE
Antivirus approaches – (1) Detection (2) Identification (3) Removal
As the virus arms race has evolved, antivirus software has grown more complex. Two sophisticated approaches are Generic Decryption and the Digital Immune System.
Generic Decryption (GD) contains three essential parts:
• CPU emulator – instructions in an executable file are interpreted by the emulator rather than the processor, in a controlled environment. If the code includes a decryption routine, it is also interpreted and the virus is exposed: the virus itself does the decryption for the antivirus program (GD)
• Virus signature scanner – scans target code looking for known virus signatures
• Emulation control module – controls the execution of the target code. Periodically, it interrupts the interpretation to scan the target code for virus signatures

Slide 62: DIGITAL IMMUNE SYSTEM
• Developed by IBM (refined by Symantec)
– general purpose emulation and virus detection system
• Motivation: rising threat of Internet-based virus propagation
– Integrated mail systems (e.g. MS Outlook, Lotus Notes)
– Mobile-program systems (e.g. Java and ActiveX allow programs to move on their own)
1. Each PC runs a monitoring program to detect unusual behavior
2. Encrypt the sample and forward it to the VAM
3. Analyze the sample in a safe environment via emulation
4. Prescription is sent back to the administrative machine
5.-6. Forwarded to the infected client as well as the other PCs on the same network
7. All subscribers receive regular antivirus updates

Slide 63: BEHAVIOR-BLOCKING SOFTWARE

Slide 64: BEHAVIOR-BLOCKING SOFTWARE
• integrated with host O/S
• monitors program behavior in real time
– e.g. file access, disk format, executable modifications, system settings changes, network access
• for possibly malicious actions
– if detected, can block, terminate, or seek approval
• has an advantage over scanners
• but malicious code runs before detection
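Slide 57 contrasts first-generation detection of "change in length of programs" with the second-generation "crypto hash of program to spot changes", and slide 49's structure shows why length alone is weak: an infector that prepends itself changes the length, but an in-place modification of the same size does not. The checker below is an added example for these notes, not code from the slides or their author. It baselines SHA-256 digests and sizes of the files under a directory, then reports modified, added and missing files; demo() builds a constructed scenario in a temporary directory (the file names and contents are invented) in which one file grows, one is altered in place and one new file appears, and compares what each generation of check would notice. In practice the baseline would be kept where the monitored system cannot rewrite it (read-only media or a separate host); that storage choice is an assumption outside the code.

```python
import hashlib
import os
import tempfile


def hash_file(path, chunk=65536):
    """SHA-256 of a file, read in chunks so large binaries need little memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root):
    """Record hash and size of every file under root (the known-clean state)."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            baseline[rel] = {"sha256": hash_file(path), "size": os.path.getsize(path)}
    return baseline


def compare(root, baseline):
    """Second-generation style check (slide 57): a changed hash means the program changed."""
    current = build_baseline(root)
    report = {"modified": [], "added": [], "missing": []}
    for rel, info in current.items():
        if rel not in baseline:
            report["added"].append(rel)
        elif info["sha256"] != baseline[rel]["sha256"]:
            report["modified"].append(rel)
    report["missing"] = [rel for rel in baseline if rel not in current]
    return {k: sorted(v) for k, v in report.items()}


def length_only_changes(root, baseline):
    """First-generation style check (slide 57): only a change in length is noticed."""
    current = build_baseline(root)
    return sorted(rel for rel in baseline
                  if rel in current and current[rel]["size"] != baseline[rel]["size"])


def demo():
    """Constructed scenario: two clean 'programs' are baselined, then one grows
    (a block is prepended), one has a byte changed in place (same length), and
    a new file appears. Returns what each kind of check reports."""
    with tempfile.TemporaryDirectory() as root:
        app, tool = os.path.join(root, "app.bin"), os.path.join(root, "tool.bin")
        with open(app, "wb") as f:
            f.write(b"A" * 64)
        with open(tool, "wb") as f:
            f.write(b"B" * 64)
        baseline = build_baseline(root)        # taken while the files are known clean

        with open(app, "rb") as f:
            original = f.read()
        with open(app, "wb") as f:
            f.write(b"\x00" * 16 + original)   # length changes: both checks notice
        with open(tool, "r+b") as f:
            f.seek(10)
            f.write(b"\xff")                    # same length: only the hash notices
        with open(os.path.join(root, "dropper.bin"), "wb") as f:
            f.write(b"C" * 8)                   # new file: hash check reports it as added

        return {"hash": compare(root, baseline),
                "length_only": length_only_changes(root, baseline)}


if __name__ == "__main__":
    print(demo())
```

The hash check is still a detection tool, not identification or removal (slide 56): it says which files differ from the baseline, not which virus did it, and it only helps if the baseline itself was taken on a clean system and stored out of the attacker's reach.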
Slide 65: DISTRIBUTED DENIAL OF SERVICE ATTACKS (DDOS)
• Distributed Denial of Service (DDoS) attacks form a significant security threat
• making networked systems unavailable
• by flooding with useless traffic
• using large numbers of "zombies"
• growing sophistication of attacks
• defense technologies struggling to cope

Slide 66: DISTRIBUTED DENIAL OF SERVICE ATTACKS (DDOS)

Slide 67: DDOS COUNTERMEASURES
• three broad lines of defense:
1. attack prevention & preemption (before)
2. attack detection & filtering (during)
3. attack source traceback & identification (after)
• huge range of attack possibilities
• hence evolving countermeasures

Slide 68: VIRUSES
Program that can "infect" other programs by modifying them in such a way that the infected program can infect other programs
Virus stages
• Dormant phase: virus is idle
• Propagation phase: virus places an identical copy of itself into other programs or into certain system areas on the disk
• Triggering phase: virus is activated to perform the function (usually harmful)
• Execution phase: function is performed
Macro viruses
• macro - an executable program embedded in a word document or other type of file
• easily spread; platform independent; infects documents, not the .exe
E-mail virus
• activated when the recipient opens the e-mail attachment (e.g. Melissa virus). A new version that came out in 1999 was activated by opening the e-mail itself.
• sends itself to everyone on the mailing list of the infected user

Slide 69: A SIMPLE VIRUS / A COMPRESSION VIRUS

Slide 70: VIRUSES
Classification by target
• Boot sector infector - infects the boot record and spreads when the system is booted from the disk containing the virus
• File infector - infects executable files
• Macro virus - infects files with macro code that is interpreted by an application

Slide 71: Classification by concealment strategy
• Encrypted virus – a portion of the virus encrypts its main body and stores the key with itself. When an infected program is executed, the virus decrypts itself and then replicates. At each replication, a different random key is selected, making detection more difficult.
• Stealth - designed to hide itself from detection by antivirus software. May use compression.
• Polymorphic - mutates with every infection, making detection by the "signature" of the virus impossible
• Metamorphic – same as polymorphic, but rewrites itself completely, making detection even more difficult. May change functionality as well as appearance.

Slide 72: TERMINOLOGY OF MALICIOUS PROGRAMS

Slide 73: TERMINOLOGY OF MALICIOUS PROGRAMS

Slide 74: FIREWALLS
• seen evolution of information systems
• now everyone wants to be on the Internet
• and to interconnect networks
• has persistent security concerns
– can't easily secure every system in the organisation
• typically use a firewall
• to provide perimeter defence
• as part of a comprehensive security strategy

Slide 75: WHAT IS A FIREWALL?
• a choke point of control and monitoring
• interconnects networks with differing trust
• imposes restrictions on network services - only authorized traffic is allowed
• auditing and controlling access - can implement alarms for abnormal behavior
• provides NAT & usage monitoring
• implements VPNs using IPSec
• must be immune to penetration

Slide 76: FIREWALL LIMITATIONS
• cannot protect from attacks bypassing it
– e.g. sneaker net, utility modems, trusted organisations, trusted services (e.g. SSL/SSH)
• cannot protect against internal threats
– e.g. disgruntled or colluding employees
• cannot protect against access via WLAN
– if improperly secured against external use
• cannot protect against malware imported via laptop, PDA, or storage infected outside
Slide 77: FIREWALLS – PACKET FILTERS
• simplest, fastest firewall component
• foundation of any firewall system
• examine each IP packet (no context) and permit or deny according to rules
• hence restrict access to services (ports)
• possible default policies
– that which is not expressly permitted is prohibited
– that which is not expressly prohibited is permitted

Slide 78: FIREWALLS – PACKET FILTERS

Slide 79: FIREWALLS – PACKET FILTERS

Slide 80: ATTACKS ON PACKET FILTERS
• IP address spoofing
– fake source address to be trusted
– add filters on the router to block
• source routing attacks
– attacker sets a route other than the default
– block source-routed packets
• tiny fragment attacks
– split header info over several tiny packets
– either discard, or reassemble before checking

Slide 81: FIREWALLS – STATEFUL PACKET FILTERS
• traditional packet filters do not examine higher-layer context
– i.e. matching return packets with the outgoing flow
• stateful packet filters address this need
• they examine each IP packet in context
– keep track of client-server sessions
– check each packet validly belongs to one
• hence are better able to detect bogus packets out of context
• may even inspect limited application data

Slide 82: FIREWALLS - APPLICATION LEVEL GATEWAY (OR PROXY)
• have application-specific gateway / proxy
• has full access to the protocol
– user requests service from the proxy
– proxy validates the request as legal
– then actions the request and returns the result to the user
• can log / audit traffic at the application level
• need separate proxies for each service
– some services naturally support proxying
– others are more problematic

Slide 83: FIREWALLS - APPLICATION LEVEL GATEWAY (OR PROXY)
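Slides 77, 80 and 81 together describe a packet filter with the "not expressly permitted is prohibited" default, the three router-level checks against spoofing, source routing and tiny fragments, and the stateful extension that lets return traffic of a tracked session through without a standing inbound rule. The class below is an added example for these notes, not code from the slides or their author, and it does not reproduce any real firewall's syntax: the rule table, the 10.0.0.0/8 internal network, the packet dictionaries and the interface names "internal"/"external" are all constructed assumptions. The tiny-fragment defence shown is slide 80's discard option (non-initial fragments carry no transport header to check, so they are dropped rather than reassembled).

```python
import ipaddress

# Assumed internal address space and rule set; both are constructed for the example.
INTERNAL_NET = "10.0.0.0/8"

# Rule tuple: (action, proto, source network, destination network, destination port).
# Anything not expressly permitted here is prohibited (slide 77's stricter default).
RULES = [
    ("permit", "tcp", "10.0.0.0/8", "0.0.0.0/0", 443),    # inside may reach HTTPS anywhere
    ("permit", "tcp", "0.0.0.0/0", "10.0.0.25/32", 25),   # anyone may reach the mail gateway
]


class StatefulFilter:
    """Packet filter with the slide 80 checks plus slide 81 session tracking."""

    def __init__(self, rules, internal_net):
        self.rules = [(a, p, ipaddress.ip_network(s), ipaddress.ip_network(d), port)
                      for a, p, s, d, port in rules]
        self.internal = ipaddress.ip_network(internal_net)
        self.sessions = set()   # (proto, client, client port, server, server port)

    def _rule_action(self, pkt):
        """Stateless part: first matching rule wins; no match falls to the default."""
        src, dst = ipaddress.ip_address(pkt["src"]), ipaddress.ip_address(pkt["dst"])
        for action, proto, snet, dnet, port in self.rules:
            if proto == pkt["proto"] and src in snet and dst in dnet and port == pkt["dport"]:
                return action
        return "deny"

    def filter(self, pkt, iface):
        """Return (action, reason) for a packet arriving on 'internal' or 'external'."""
        # IP address spoofing: an internal source address cannot arrive from outside.
        if iface == "external" and ipaddress.ip_address(pkt["src"]) in self.internal:
            return ("deny", "spoofed internal source address")
        # Source routing: the sender chooses the path; block such packets outright.
        if pkt.get("source_route"):
            return ("deny", "source-routed packet")
        # Tiny fragments: later fragments carry no transport header to check; discard.
        if pkt.get("frag_offset", 0) > 0:
            return ("deny", "non-initial fragment, header not checkable")
        forward = (pkt["proto"], pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        reverse = (pkt["proto"], pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
        # Stateful part: a reply to a tracked session is in context and passes.
        if reverse in self.sessions:
            return ("permit", "return traffic of tracked session")
        if self._rule_action(pkt) == "permit":
            self.sessions.add(forward)        # remember the session for its replies
            return ("permit", "matched rule")
        return ("deny", "default policy")


def demo():
    """Constructed packets (addresses from documentation ranges) run through the filter in order."""
    fw = StatefulFilter(RULES, INTERNAL_NET)
    packets = [
        ("outbound https", "internal",
         {"proto": "tcp", "src": "10.1.2.3", "sport": 51000, "dst": "203.0.113.10", "dport": 443}),
        ("https reply", "external",
         {"proto": "tcp", "src": "203.0.113.10", "sport": 443, "dst": "10.1.2.3", "dport": 51000}),
        ("unsolicited inbound", "external",
         {"proto": "tcp", "src": "203.0.113.10", "sport": 443, "dst": "10.1.2.3", "dport": 51001}),
        ("spoofed source", "external",
         {"proto": "tcp", "src": "10.9.9.9", "sport": 4000, "dst": "10.0.0.25", "dport": 25}),
        ("source routed", "external",
         {"proto": "tcp", "src": "198.51.100.7", "sport": 4000, "dst": "10.0.0.25", "dport": 25,
          "source_route": True}),
        ("tiny fragment", "external",
         {"proto": "tcp", "src": "198.51.100.7", "sport": 4000, "dst": "10.0.0.25", "dport": 25,
          "frag_offset": 1}),
        ("inbound smtp", "external",
         {"proto": "tcp", "src": "198.51.100.7", "sport": 4000, "dst": "10.0.0.25", "dport": 25}),
    ]
    return [(label,) + fw.filter(pkt, iface) for label, iface, pkt in packets]


if __name__ == "__main__":
    for label, action, reason in demo():
        print(f"{label:20s} {action:6s} {reason}")
```

The "unsolicited inbound" packet is the case slide 81 is about: it looks like a server reply (source port 443), but no tracked session matches it, so a stateless filter that allowed all inbound traffic from port 443 would pass it while the stateful filter denies it.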
Slide 84: FIREWALLS - CIRCUIT LEVEL GATEWAY
• relays two TCP connections
• imposes security by limiting which such connections are allowed
• once created, usually relays traffic without examining contents
• typically used when internal users are trusted, by allowing general outbound connections
• SOCKS is commonly used

Slide 85: FIREWALLS - CIRCUIT LEVEL GATEWAY

Slide 86: BASTION HOST
• highly secure host system
• runs circuit / application level gateways
• or provides externally accessible services
• potentially exposed to "hostile" elements, hence is secured to withstand this
– hardened O/S, essential services, extra authentication
– proxies small, secure, independent, non-privileged
• may support 2 or more net connections
• may be trusted to enforce a policy of trusted separation between these net connections

Slide 87: HOST-BASED FIREWALLS
• s/w module used to secure an individual host
– available in many operating systems
– or can be provided as an add-on package
• often used on servers
• advantages:
– can tailor filtering rules to the host environment
– protection is provided independent of topology
– provides an additional layer of protection

Slide 88: PERSONAL FIREWALLS
• controls traffic between a PC/workstation and the Internet or enterprise network
• a software module on the personal computer
• or in a home/office DSL/cable/ISP router
• typically much less complex than other firewall types
• primary role is to deny unauthorized remote access to the computer
• and to monitor outgoing activity for malware

Slide 89: PERSONAL FIREWALLS

Slide 90: FIREWALL CONFIGURATIONS

Slide 91: FIREWALL CONFIGURATIONS

Slide 92: FIREWALL CONFIGURATIONS

Slide 93: DMZ Networks

Slide 94: VIRTUAL PRIVATE NETWORKS

Slide 95: DISTRIBUTED FIREWALLS

Slide 96: SUMMARY OF FIREWALL LOCATIONS AND TOPOLOGIES
• host-resident firewall
• screening router
• single bastion inline
• single bastion T
• double bastion inline
• double bastion T
• distributed firewall configuration
Slide 97: SUMMARY
• have considered:
– firewalls
– types of firewalls
• packet-filter, stateful inspection, application proxy, circuit-level
– basing
• bastion, host, personal
– location and configurations
• DMZ, VPN, distributed, topologies



Description Add a brief description so others know what your Clipboard is about. Visibility Others can see my Clipboard Cancel Save Save this presentationTap To Close

RULE-BASED INTRUSION DETECTION • observe events on system & apply rules to decide if activity is suspicious or not • rule-...

RULE-BASED INTRUSION DETECTION rule-based penetration identification uses expert systems technology with rules identif...

BASE-RATE FALLACY • practically an intrusion detection system needs to detect a substantial percentage of intrusions with ...

DISTRIBUTED INTRUSION DETECTION • traditional focus is on single systems • but typically have networked systems • more eff...

DISTRIBUTED INTRUSION DETECTION - ARCHITECTURE

DISTRIBUTED INTRUSION DETECTION – AGENT IMPLEMENTATION

HONEYPOTS decoy systems to lure attackers away from accessing critical systems to collect information of their activit...

PASSWORD MANAGEMENT • front-line defense against intruders • users supply both: – login – determines privileges of that us...

PASSWORD STUDIES Purdue 1992 - many short passwords Klein 1990 - many guessable passwords conclusion is that users c...

MANAGING PASSWORDS - EDUCATION can use policies and good user education educate on importance of good passwords give...

MANAGING PASSWORDS - COMPUTER GENERATED • let computer create passwords • if random likely not memorisable, so will be wri...

MANAGING PASSWORDS - REACTIVE CHECKING • reactively run password guessing tools – note that good dictionaries exist for al...

MANAGING PASSWORDS - PROACTIVE CHECKING • most promising approach to improving password security • allow users to select o...

SUMMARY • have considered: – problem of intrusion, behavior and techniques – intrusion detection (statistical & rule-based...

42 MALICIOUS SOFTWARE

43 BACKDOOR OR TRAPDOOR • secret entry point into a program • allows those who know access bypassing usual security proced...

44 LOGIC BOMB • one of oldest types of malicious software • code embedded in legitimate program • activated when specified...

45 TROJAN HORSE • program with hidden side-effects • which is usually superficially attractive – E.g., game, s/w upgrade, ...

46 ZOMBIE • program which secretly takes over another networked computer • then uses it to indirectly launch attacks (diff...

47 VIRUSES • a piece of self-replicating code attached to some other code • attaches itself to another program and execute...

48 VIRUS OPERATION • virus phases: – dormant – waiting on trigger event – propagation – replicating to programs/disks – tr...

49 VIRUS STRUCTURE program V := {goto main; 1234567; subroutine infect-executable := {loop: file := get-random-executable-...

50 TYPES OF VIRUSES can classify on basis of how they attack • parasitic virus -attaches itself to executable files and re...

51 TYPES OF VIRUSES… • Stealth -designed to hide itself from antivirus software • polymorphic virus -a virus that mutates ...

52 EMAIL VIRUS • spread using email with attachment containing a macro virus • triggered when user opens attachment • or w...

53 WORMS • replicating but not infecting program (does not attach itself to a program) • typically spreads over a network ...

54 WORM OPERATION • worm has phases like those of viruses: – dormant – propagation • search for other systems to infect • ...

55 MORRIS WORM • best known classic worm • released by Robert Morris in 1988 • targeted Unix systems • using several propa...

56 VIRUS COUNTERMEASURES • best countermeasure is prevention (do not allow a virus to get into the system in the first pla...

57 ANTI-VIRUS SOFTWARE • first-generation – scanner uses virus signature to identify virus – or change in length of progra...

INTRUSION DETECTION SYSTEMS (IDS) • Host-based IDS: Monitors the characteristics of a single host and the events occurring...

INTRUSION DETECTION • Assumption: the behavior of the intruder differs from the legitimate user. • But, there is overlap. ...

HOST-BASED INTRUSION DETECTION • Can detect both external and internal intrusions which is not possible with network-based...

MALWARE DEFENSE Antivirus Approaches – (1) Detection (2) Identification (3) Removal As virus arms race has evolved, antivi...

DIGITAL IMMUNE SYSTEM • Developed by IBM (refined by Symantec) – general purpose emulation and virus detection system • Mo...

BEHAVIOR-BLOCKING SOFTWARE

64 BEHAVIOR-BLOCKING SOFTWARE • integrated with host O/S • monitors program behavior in real-time – eg file access, disk f...

65 DISTRIBUTED DENIAL OF SERVICE ATTACKS (DDOS) • Distributed Denial of Service (DDoS) attacks form a significant security...

66 DISTRIBUTED DENIAL OF SERVICE ATTACKS (DDOS)

67 DDOS COUNTERMEASURES • three broad lines of defense: 1. attack prevention & preemption (before) 2. attack detection & f...

VIRUSES Program that can “infect” other programs by modifying them in such a way that the infected program can infect othe...

A SIMPLE VIRUS A COMPRESSION VIRUS

VIRUSES Classification by Target •Boot sector infector - Infects boot record and spreads when system is booted from the di...

Classification by concealment strategy • Encrypted virus – a portion of the virus encrypts its main body and stores the ke...

TERMINOLOGY OF MALICIOUS PROGRAMS

TERMINOLOGY OF MALICIOUS PROGRAMS

• seen evolution of information systems • now everyone want to be on the Internet • and to interconnect networks • has per...

WHAT IS A FIREWALL? • a choke point of control and monitoring • interconnects networks with differing trust • imposes rest...

FIREWALL LIMITATIONS • cannot protect from attacks bypassing it – eg sneaker net, utility modems, trusted organisations, t...

FIREWALLS – PACKET FILTERS simplest, fastest firewall component foundation of any firewall system examine each IP pa...

FIREWALLS – PACKET FILTERS

FIREWALLS – PACKET FILTERS

ATTACKS ON PACKET FILTERS • IP address spoofing – fake source address to be trusted – add filters on router to block • sou...

FIREWALLS – STATEFUL PACKET FILTERS • traditional packet filters do not examine higher layer context – ie matching return ...

FIREWALLS - APPLICATION LEVEL GATEWAY (OR PROXY) have application specific gateway / proxy has full access to protocol...

FIREWALLS - APPLICATION LEVEL GATEWAY (OR PROXY)

FIREWALLS - CIRCUIT LEVEL GATEWAY • relays two TCP connections • imposes security by limiting which such connections are a...

FIREWALLS - CIRCUIT LEVEL GATEWAY

BASTION HOST highly secure host system runs circuit / application level gateways or provides externally accessible s...

HOST-BASED FIREWALLS • s/w module used to secure individual host – available in many operating systems – or can be provide...

PERSONAL FIREWALLS • controls traffic between PC/workstation and Internet or enterprise network • a software module on per...

PERSONAL FIREWALLS

FIREWALL CONFIGURATIONS

FIREWALL CONFIGURATIONS

FIREWALL CONFIGURATIONS

DMZ Networks

VIRTUAL PRIVATE NETWORKS

DISTRIBUTED FIREWALLS

SUMMARY OF FIREWALL LOCATIONS AND TOPOLOGIES host-resident firewall screening router single bastion inline single ...

SUMMARY • have considered: – firewalls – types of firewalls • packet-filter, stateful inspection, application proxy, circu...

CRYPTOGRAPHY AND NETWORK SECURITY

Upcoming SlideShare

Loading in …5

×

Loading...

CRYPTOGRAPHY AND NETWORK SECURITY - SlideShare

SlideShare Explore Search You Upload Login Signup Search Submit Search Home Explore Presentation Courses PowerPoint Courses by LinkedIn Learning ...

493KB Sizes 4 Downloads 46 Views

Recommend Documents

No documents