Introduction to InfoSec, Examining the Threat Environment
These 10-page class notes were uploaded by Frederick Notetaker on Tuesday, January 26, 2016. The class notes belong to INFOSYS 6828 at University of Missouri - St. Louis, taught by Dr. Shaji Khan in Spring 2016. Since its upload, the document has received 69 views. For similar materials see Principles of Information Security in Information Technology at University of Missouri - St. Louis.
Date Created: 01/26/16
Exploring the threat landscape (an overview)

CIA: Confidentiality, Integrity, Availability
Control = countermeasure

- Security is messy, cumbersome, and ineffective when implemented as an afterthought!
- (Well-intentioned) security resources are often misplaced...
- Security investments often provide a false sense of security...
- Security is hard!
- THERE IS NO SUCH THING AS 100% SECURITY!

Topics covered:
- Why are Information Systems Vulnerable?
- Information Systems and Threats
- The Threat Environment
- Attacks
- Types of Attacks
- Attacks targeted at individuals
- Types of Attackers
- Accidents and Natural Disasters

Why are Information Systems Vulnerable?
- Bottom line: systems connected to a network are vulnerable. Connectivity exposes systems to the outside world.
- Trends in security vulnerabilities suggest that even "offline" systems are at risk. http://www.youtube.com/watch?v=cf0jlzVCyOI
- Industry and academia agree that "there is no such thing as a 100% secure system".
- Security breaches are costly! Estimates suggest cyber-crime costs $1 trillion to the global economy (http://www.networkworld.com/news/2011/091411-cyberattack-250902.html).

Information Systems and Threats
- Information Systems (IS) are combinations of hardware, software, and telecommunications networks that people build and use to collect, create, and distribute useful data, typically in organizational settings.
- This means things can go wrong with any of these components, but more importantly at the intersection of two or more of them.

Malware
- Malware is short for Malicious Software: a general name for "evil" or "bad" SOFTWARE.
- Includes such things as viruses, worms, Trojan horses, spyware, ...
- The most common type of attack. Nearly every organization gets attacked.
- Malware includes: viruses, worms, Trojan horses, spyware, root kits, key loggers, ...
- Vulnerability-specific malware: works by exploiting known vulnerabilities in software.
- "Zero-day" attacks: exploit vulnerabilities in software before the software vendor is able to release a "patch" for that vulnerability OR before a user/organization has applied that patch.
Attack Vectors (for malware)
- These are the means or methods by which the malware "infects" or "propagates" / "spreads".
- The term is borrowed from epidemiology.

Viruses
- A program that is written to alter the way a computer operates, without the permission or knowledge of the user.
- A computer virus attaches itself to a program or file so it can spread from one computer to another. Viruses leave infections as they travel.
- Most viruses are attached to executable files. The virus may exist on a computer, but it cannot infect the computer unless you run the program.
- Typically, a virus cannot spread without a human action, such as running an infected program.

Worms
- Programs that replicate themselves from system to system without the use of a host file. This is in contrast to viruses, which require the spreading of an infected host file.
- A worm is similar to a virus by its design, and is considered to be a subclass of a virus.
- The biggest danger with a worm is its ability to replicate itself on a system. A worm can send out hundreds or thousands of copies of itself to create a devastating effect.

Trojan Horse
- A software program that appears legitimate but is actually malicious. Trojan horses contain malicious code which, when triggered, causes loss or theft of data.
- For a Trojan horse to spread, you must invite it onto your computer; for example, by opening an email attachment.
- Trojan horses are also known to create a back door on a computer. The back door gives another user access to the system, and possibly allows confidential or personal information to be compromised.
- Unlike viruses and worms, Trojan horses neither reproduce by infecting other files nor self-replicate.

Spyware
- A general term used for programs that covertly monitor your activity on your computer.
- Spyware programs gather personal information like user names, passwords, account numbers...
- Some spyware focuses on monitoring a person's Internet behavior.
- This type of spyware often tracks the places you visit and things you do on the Web. The spyware then transmits that information to another computer, usually for advertising purposes.
- While a firewall can block the online transactions of a spyware program, an antivirus program can typically identify and remove this threat.

Unauthorized Access (Hacking)
- Hacking: intentionally using a computer resource without authorization or in excess of authorization.
- Traditional hacking proceeds as follows:
  - Scan networks for computers which may have vulnerabilities.
  - Once a computer or server is found, use an "exploit" (software-based attack method) to break in.
  - After the break-in, install a "hacker tool-kit" (software that typically automates many hacking tasks!).
  - Delete log files, make the hacker an Admin user, install other "root kits", and create a back door so that they can return anytime!

Denial-of-Service Attacks (DoS and DDoS)
- A method that hackers use to prevent or deny legitimate users access to a computer.
- DoS attacks are typically executed using DoS tools that send many request packets to a targeted Internet server (usually a Web, FTP, or Mail server). The attack floods the server's resources and makes the system unusable.
- Any system that is connected to the Internet and is equipped with TCP-based network services is subject to attack.

Zombie Computers or Bot-nets
- Hackers use viruses, worms, and trojans to gain control over a large number of computers.
- Then, they send commands to these "bots" or "zombie" computers to send data traffic to a target server.
- Used to carry out Distributed Denial of Service attacks (DDoS).
- A few hundred to tens of thousands of computers may be involved.
- All major commercial and government web sites have been victims.

Attacks Targeted Toward Individuals: Social Engineering
- Social Engineering: tricking/manipulating victims into performing actions or divulging confidential information.
- May be technology based.
- "Phishing": a type of social engineering attack in which an email or message is sent with a link to an authentic-looking (but fake) web site where users are asked to enter confidential information.
- Many other types: pretexting, baiting, ...

Types of "Attackers"

Hackers
- Generic term used to denote individuals engaging in hacking (as defined earlier).
- Not all "hackers" are alike! The "good guys" and the "bad guys":
  - Hackers (good) vs. Crackers (bad)
  - "White Hat" (good) vs. "Black Hat" (bad)
  - Blue Team vs. Red Team (here both are good guys, but Reds attack and Blues defend)

"Script Kiddies"
- Inexperienced individuals trying to become hackers by using readily available scripts and tools to carry out hacking activities.
- They are dangerous because there are too many "wannabe" hackers...

Criminal Hackers
- Most active today and represent the majority of threats.
- Motivation is typically money: steal credit card information and identities, extortion (hack a firm and demand ransom), steal trade secrets and sell them to competitors, etc.

"Hacktivism"
- Hacking as activism. Targets typically include governments and large organizations.
- Famous hacktivist groups include "Anonymous" and "Lulz-sec".

Disgruntled Employees / Ex-Employees
- Disgruntled employees or disgruntled former employees can cause great damage because they:
  - Are familiar with systems and possible vulnerabilities
  - Have access
  - Know what can cause the greatest damage
- Disgruntled IT staff, particularly those in networking, software development, and IT security, could be truly disruptive.

Other Organizations, Terrorists, Even Other Countries
- Organizations are known to engage in espionage and IT-based intrusions: stealing intellectual property, trade secrets, etc.
- National Governments: countries are also known to routinely spy on each other.
- Such large-scale, sophisticated operations are known as "Advanced Persistent Threats (APTs)". THIS IS A MAJOR CONCERN.

Natural Disasters
- Natural disasters can cause major disruptions to telecommunication networks and organizational data.
- Business Continuity Planning: outlines procedures for keeping an organization operational in the event of a natural disaster. Information technology is an important component of this.
- A growing concern among organizations. One reason organizations are looking to the "cloud" (but the cloud presents a different set of problems).

Advanced Persistent Threat (definition)
An adversary that possesses sophisticated levels of expertise and significant resources which allow it to create opportunities to achieve its objectives by using multiple attack vectors (e.g., cyber, physical, and deception). These objectives typically include establishing and extending footholds within the information technology infrastructure of the targeted organizations for purposes of exfiltrating information, undermining or impeding critical aspects of a mission, program, or organization; or positioning itself to carry out these objectives in the future. The advanced persistent threat: (i) pursues its objectives repeatedly over an extended period of time; (ii) adapts to defenders' efforts to resist it; and (iii) is determined to maintain the level of interaction needed to execute its objectives.

Readings:
- Chapter 1: http://www.cl.cam.ac.uk/~rja14/Papers/SEv2-c01.pdf
- https://en.wikipedia.org/wiki/Information_security (up to "basic security")
- http://www.cio.com/article/2425824/it-strategy/when-rogue-it-staffers-attack--8-organizations-that-got-burned.html#slideshow
- Security report: http://www.microsoft.com/security/sir/default.aspx
- Consequences of breaches: http://www2.ca3.uscourts.gov/opinarch/143514p.pdf

Introduction to Information Security – Discussion / Notes

What is Security?
This question is rather difficult to answer given the myriad ways people perceive it. What is security for one person may not be compatible with what is security for another.
This has profound implications for security professionals, but we will not consider such nuances in this course. So what is security? Let's look at the dictionary.

SECURITY: THE QUALITY OR STATE OF BEING PROTECTED OR SAFE FROM HARM OR DANGER (Merriam-Webster Dictionary, http://www.merriam-webster.com/dictionary/security?show=0&t=1390781187).

• The above meaning is sufficient for our purposes.
• The above implies that security is a concern when we have something valuable to protect – whatever it may be...
• Security has been a concern since time immemorial! History tells us that civilizations prospered by ensuring security and often crumbled due to breaches in security.
  o Think forts and castles... the Great Wall of China... etc.
• Finally, also realize that security is a concern because people across time tend to act in "deviant" ways! (By deviant I mean different from what is considered "normal" or "morally" correct – the accepted norm.)
  o People also cause security problems without intentionally being deviant.
  o Of course, other than people we must protect against acts of nature and so on...

IMPORTANT: Terminology-wise, security also refers to the measures taken to ensure we are safe. It also refers to the department or organization whose task is security... as in "Someone, please call security!"

http://nvlpubs.nist.gov/nistpubs/ir/2013/NIST.IR.7298r2.pdf

What is Information Security (InfoSec)?

ONE INFORMATION SECURITY DEFINITION: THE PROTECTION OF INFORMATION AND INFORMATION SYSTEMS FROM UNAUTHORIZED ACCESS, USE, DISCLOSURE, DISRUPTION, MODIFICATION, OR DESTRUCTION IN ORDER TO PROVIDE CONFIDENTIALITY, INTEGRITY, AND AVAILABILITY. (Source: NIST – Glossary of Information Security Terms: http://nvlpubs.nist.gov/nistpubs/ir/2013/NIST.IR.7298r2.pdf)

• Just one of the many definitions out there... but this is sufficient for us in order to get going. (See the Wikipedia entry on "Information Security" for more variations.)
• Points to note:
  o Both information and information systems NEED NOT BE computer based! So InfoSec is a general term that applies to the protection of information regardless of where it is created, stored, communicated, and destroyed.
  o Of course, currently computers and computer-based information systems are the primary contexts in which information resides. So InfoSec subsumes Computer Security (a.k.a. CompuSec).

SOME KEY TERMS IN INFOSEC

• The CIA Triad: Notice the emphasis on Confidentiality, Integrity, and Availability in the definition of InfoSec above. These are commonly referred to as the CIA triad and considered the "core attributes of information", fundamental principles of InfoSec, core security goals, key characteristics of information, and so on...
  o Overall, most view these as the attributes or characteristics of information that InfoSec is trying to protect! (IMPORTANT)
  o Confidentiality: a few definitions are below. Remember that when we say confidentiality is a security goal, we mean we are trying to protect the confidentiality of information.

CONFIDENTIALITY DEFINITION: PRESERVING AUTHORIZED RESTRICTIONS ON INFORMATION ACCESS AND DISCLOSURE, INCLUDING MEANS FOR PROTECTING PERSONAL PRIVACY AND PROPRIETARY INFORMATION.

    • That is, only those with the right or authorization to access information are able to do so, and when any entity (person, computer, etc.) is able to access information that has not been authorized for that entity, then there has been a breach of confidentiality.
    • CAN YOU PROVIDE EXAMPLES OF BREACHES IN CONFIDENTIALITY?

  o Integrity:

INTEGRITY DEFINITION: THE PROPERTY THAT DATA HAS NOT BEEN ALTERED IN AN UNAUTHORIZED MANNER. DATA INTEGRITY COVERS DATA IN STORAGE, DURING PROCESSING, AND WHILE IN TRANSIT.

    • Guarding against improper information modification or destruction; this includes ensuring information non-repudiation and authenticity (more on non-repudiation and authenticity later... also, not everyone agrees that these belong here).
    • CAN YOU THINK HOW INTEGRITY MAY BE BREACHED?

  o Availability:

AVAILABILITY DEFINITION: ENSURING TIMELY AND RELIABLE ACCESS TO AND USE OF INFORMATION.

    • For any information system to serve its purpose, the information must be available when it is needed.
    • IS AVAILABILITY IMPORTANT? CAN YOU THINK HOW AVAILABILITY MAY BE HAMPERED?

• READ ARTICLE AND BE READY TO DISCUSS: http://www.wired.com/2015/12/the-cia-secret-to-cybersecurity-that-no-one-seems-to-get/

SOME OTHER KEY TERMS

Authorization: Access privileges granted to a user, program, or process, or the act of granting those privileges.

Authentication: Verifying the identity of a user, process, or device, often as a prerequisite to allowing access to resources in an information system.

Access: Ability and means to communicate with or otherwise interact with a system, to use system resources to handle information, to gain knowledge of the information the system contains, or to control system components and functions.
  o Access could be available to a person or to an object such as a computer system or application.
  o Authorized users have legal access and unauthorized users (e.g., hackers) have illegal access.
  o Access Controls (imposed by the entity trying to secure itself) are geared toward controlling access!

Attack: An attempt to gain unauthorized access to system services, resources, or information, or an attempt to compromise system integrity.
  o Also, any kind of malicious activity that attempts to collect, disrupt, deny, degrade, or destroy information system resources or the information itself.
  o We will consider attacks in further detail in later weeks.

Asset: Any organizational/personal resource that we are trying to protect.
  o Assets could be "logical" such as computer applications, databases, web sites, etc., or "physical" such as a person, a computing device, or other tangibles.
  o Assets are the main focus in security efforts (remember the "something valuable to protect" idea).
  o InfoSec efforts are particularly geared toward protecting the following assets:
    - Information, and anything related to it
    - Information Systems, and anything related to them

Controls: Security mechanisms, policies, or procedures that are designed and put in place (implemented) to counter attacks, reduce risk, resolve vulnerabilities, and overall improve the security within the organization (Whitman and Mattord, 2012).
  o There are many ways to think about controls... people have come up with many categories of controls depending on their role in security. We will tackle this in some depth throughout the semester.
  o Sometimes security controls are referred to as "countermeasures".

Threat: Anything (e.g., an object, person, act of nature, or other entity) that is capable of acting against an asset in a manner that can result in harm. (We will explore details about this idea of threats in later weeks.)

Risk: The likelihood (probability) that something bad will happen that causes harm to an informational asset (or the loss of the asset).

Vulnerability: Weakness in an IS, system security procedures, internal controls, or implementation that could be exploited.
  o It is a weakness that could be used to endanger or cause harm to an information asset.
  o There are many other perspectives on this... we will look at a few through this semester, especially when we discuss Web Application Security.

Finally, see http://en.wikipedia.org/wiki/Threat_(computer)#Phenomenology for one view on how some of these things interact with each other (study the figure and read the explanation). Also study the OWASP figure present on the same page.

Most of these definitions come from NIST publications.

Referenced Book: Whitman, M.E. and Mattord, H.J. (2012) "Principles of Information Security, 4th edition", Cengage Learning, Boston, MA.
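The integrity definition above says data must not be altered in an unauthorized manner, whether in storage or in transit. The following added example (mine, not from the lecture notes or from NIST) shows why the word "unauthorized" matters for the control you choose: an unkeyed checksum only catches accidental corruption, because whoever changed the data can recompute it, while a keyed tag (HMAC) under a key held only by the authorized parties also catches tampering. The record, the key and the edit functions are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets

# Constructed sample record, standing in for data "in storage" or "in transit".
RECORD = b"account=1042;balance=250.00"
# Constructed secret held only by the parties authorized to change the record.
INTEGRITY_KEY = secrets.token_bytes(32)


def plain_digest(data: bytes) -> str:
    """Unkeyed checksum: anyone who can change the data can recompute it."""
    return hashlib.sha256(data).hexdigest()


def keyed_tag(data: bytes, key: bytes) -> str:
    """HMAC-SHA256 tag: only a holder of `key` can produce a valid one."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def unkeyed_check_passes(data: bytes, digest: str) -> bool:
    return hmac.compare_digest(plain_digest(data), digest)


def keyed_check_passes(data: bytes, tag: str, key: bytes) -> bool:
    # compare_digest runs in constant time, so timing does not leak the tag.
    return hmac.compare_digest(keyed_tag(data, key), tag)


def authorized_edit(data: bytes, key: bytes) -> tuple:
    """A holder of the key changes the record and re-tags it (authorized)."""
    new = data.replace(b"250.00", b"225.00")
    return new, keyed_tag(new, key)


def unauthorized_edit(data: bytes) -> bytes:
    """Constructed tampering by someone who does not hold the key."""
    return data.replace(b"250.00", b"9999.00")


def demo() -> dict:
    """What each integrity check reports for authorized and unauthorized changes."""
    digest = plain_digest(RECORD)
    tag = keyed_tag(RECORD, INTEGRITY_KEY)
    tampered = unauthorized_edit(RECORD)
    edited, new_tag = authorized_edit(RECORD, INTEGRITY_KEY)
    # Whoever altered the data can also replace an unkeyed digest stored beside it,
    # so the unkeyed check only catches tampering when the digest was left alone.
    return {
        "unkeyed_catches_tamper_digest_replaced": not unkeyed_check_passes(tampered, plain_digest(tampered)),
        "unkeyed_catches_tamper_digest_untouched": not unkeyed_check_passes(tampered, digest),
        "keyed_catches_tamper": not keyed_check_passes(tampered, tag, INTEGRITY_KEY),
        "keyed_accepts_authorized_edit": keyed_check_passes(edited, new_tag, INTEGRITY_KEY),
    }
```

The same keyed check applies to a message in transit: the sender tags it, the receiver recomputes the tag with the shared key, and any byte changed on the way makes the comparison fail.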
- US-CERT: http://www.us-cert.gov/index.html
- DHS CyberSecurity and Privacy: http://www.dhs.gov/files/cybersecurity.shtm
- http://www.cybercrime.gov/index.html
- Advanced Persistent Threats: http://en.wikipedia.org/wiki/Advanced_Persistent_Threat
- http://www.infoworld.com/d/security-central/five-security-trends-2011-and-beyond-434?page=0,1
- http://www.cio.com/article/504837/Why_Security_Matters_Now?page=1&taxonomyId=3089