CP5603 E-Security

Lecture 11 Revision Tuesday 27 September 2011

Final Exam
Last lecture is only revision, will be quick.
Final exam! Check the exam timetable.

Internet History
1957: Russia launches Sputnik. U.S. Government creates the Defense Advanced Research Projects Agency (DARPA). 1967: starts to develop a data network that can survive a nuclear war. A mesh of connections

so that as bases get nuked, network traffic can travel around the damage.

Key Security Concepts

The CIA Triad

If its secret, you cant get to it or change it. If you can get to it or change it, its not secret.

Balancing Security and Access

5 Most Common Passwords

0.25
0.2 0.15 0.1 0.05 0

% of all accounts

Passwords Are Encrypted

Encryption: the original password gets messed up, so nobody can read it.

This happens when a password is saved to disk or sent over a network.

Sniffing Encrypted Passwords

Intruder
Encrypted Password Encrypted Password

Internet Bank User

Internet Bank Web Site

What Is IP Spoofing?
To spoof = to pretend to be someone else. IP spoofing you pretend to be another computer, take over their IP number.
Pretend to be 2 other computers. All traffic between the two computers can be routed through your computer. Example: firewall and the email server so you can read emails.

Source: www.ethereal.com

Dictionary-Based Password Crackers

No way to turn an encrypted password back into the password. But you can encrypt any word
encrypted word = encrypted password?

Encrypt every word in the dictionary!

There is free software to do this. Then compare encrypted password to encrypted dictionary word. If you find a match, you are in!

Dictionary-Based Password Crackers

Encrypted password: A5Ibo25Gj Encrypt every word in the dictionary!

Aardman Y5iR4Bz2 Aardvark 8Ip5TyUkl Abba tL519vh59 Abcama Q0h2nv8s Petunia A5Ibo25Gj

Yes!

Dictionary-Based Password Crackers

Word lists can be from:

A dictionary. List of names of people and places. All the words on the victims hard drive.

Software will also:

Add numbers to the front back of each word. Do upper / lower case. petunia, petunia1, 1petunia, Petunia1, 1Petunia, etc. and

Petunia,

FBI Dictionary-Based Cracker The FBI has a program for finding passwords:
Uses all the words on the victims criminals hard drive. Has a 50% success rate. Runs as a screensaver, so all the idle office PCs are running it.

So dont use a password similar to any word in file or email.

that is in any

Threats and Attacks

Threats
Threat: an object, person, or other entity that represents a constant danger to an asset Management must be informed of the different threats facing the organization The 2006 CSI/FBI survey found:
72 percent of organizations reported cyber security breaches within the last 12 months 52 percent of respondents identified unauthorized computer use
16

Threats to Information Security

17

Figure 2-1 Acts of Human Error or Failure

18

New York City with no electricity

19

Attacks
Act or action that exploits a vulnerability (i.e., a weakness) in a controlled system

Accomplished by a threat agent that damages or steals the organizations information

20

Types of Attacks
We can distinguish 2 types of attacks: Active attack: attempts to alter system resources or affect their operation Passive attack: attempts to learn or make use of information from the system, but does not change a system Can also classify attacks by their origin: Inside attack: Initiated by an entity inside the organization (an "insider). Outside attack: Initiated from outside the organization (an outsider).

A Passive Attack: the USS Jimmy Carter

USS Jimmy Carter

A submarine with a gap in the pressure hull. Lets it land on top of an undersea cable and pull the cable inside, to attach a listening device to the cable.

http://news.zdnet.com/2100-9595_22-529826.html

How legal is this? Should you go to jail copying DVDs? for

24

Figure 2-9 - Denial-of-Service Attacks

25

26

Figure 2-11 - Man-in-the-Middle

27

Laws, Ethics, Policies

The Differences Between Laws and Ethics

1. Laws: rules that mandate or prohibit certain actions or behaviours.

Enforced by violence! Even if you didnt know the law.

2. Ethics: define socially acceptable behavior.

Not really enforced. Except by social pressure. You might not be invited to the best dinners.
29

The Differences Between Policy and Law

Another difference:

Law if you didnt know the law, you still go to prison. Policy if you didnt know the policy, its okay.

30

The Differences Between Policy and Law

Do you think its okay to go to jail for breaking a law you didnt know?

Every week, 50 pages of new laws are created in Australia.

31

Digital Millennium Copyright Act (DMCA)

A law from the U.S. Federal government.

Supposed to reduce piracy and copyright infringement.

32

Digital Millennium Copyright Act

In the U.S., its illegal to break technology-based protection. Even if bought a legal copy, you
Cant copy a DVD that you bought. Cant possess open-source software for playing a DVD that you bought. Cant play your legal DVD with Linux. Linux distributions used in the U.S. dont come with DVD playing software.

Is this fair?

Risk Control Strategies

Once ranked vulnerability risk worksheet complete, must choose one of four strategies to control each risk:
1. Apply safeguards (avoidance) 2. Transfer the risk (transference) 3. Reduce impact (mitigation)

4. Understand consequences and accept risk (acceptance)

34

1. Avoidance

Attempts to prevent exploitation of the vulnerability

Preferred approach; accomplished through countering threats, removing asset vulnerabilities, limiting asset access, and adding protective safeguards

Three common methods of risk avoidance:

1. Application of policy

2. Training and education

3. Applying technology
35

2. Transference

Control approach that attempts to shift risk to other assets, processes, or organizations

If lacking, organization should hire individuals/firms that provide security management and administration expertise
Organization may then transfer risk associated with management of complex systems to another organization experienced in dealing with those risks
36

3. Mitigation

Attempts to reduce impact of vulnerability exploitation through planning and preparation

Approach includes three types of plans:
Incident response plan (IRP)

Disaster recovery plan (DRP)

Business continuity plan (BCP)
37

3. Mitigation (continued)

DRP is most common mitigation procedure

The actions to take while incident is in progress is defined in IRP BCP encompasses continuation of business activities if catastrophic event occurs

38

4. Acceptance

Doing nothing to protect a vulnerability and accepting the outcome of its exploitation
Valid only when the particular function, service, information, or asset does not justify cost of protection use cost-benefit?

Risk appetite describes the degree to which organization is willing to accept risk as trade-off to the expense of applying controls
39

4. Acceptance: Dinosaurs and Meteors

There is a tiny chance that your nuclear reactor will destroy the city. Should you turn it off?

40

Acceptance: Risk Matrix

Frequency of Losses helps quantify probability

4 - Ca t a st ro ph ic

C D D D
1 - U nlik e ly

B C D D
2 - O c c a s ion a l

A B C D
3 - P ro ba b le

A A B C
4 - Fr e qu e nt

Incre asing C onseq uen ce

3 - C ritic a l

2 - M a rg ina l

1 - N e glig a ble

I n c re a s in g F re q u e n c y

EFU Risk Management

Key Technology Components

Firewall: device that selectively discriminates against information flowing into or out of organization Demilitarized Zone (DMZ): no-mans land between inside and outside networks where some organizations place Web servers Intrusion Detection Systems (IDSs): in effort to detect unauthorized activity within inner network, or on individual machines, organization may wish to implement an IDS

42

Figure 5-18 Key Components

43

44

137.219.16.23

45

Dual-Connection Routers

The filtering routers have 2 connections:

External filtering router:

Public IP address is 137.219.16.23 DMZ IP address is 10.10.10.2

Internal filtering router:

DMZ IP address is 10.10.10.3 Local IP address is 192.168.2.1

User PCs have addresses in 192.168.*.* with gateway 192.168.2.1 to the Internet.
46

 Port numbers go up to 65536. 1024 and above are open to any program.
Usually for replies from servers.
47

Network-Based IDPS (NIDPS)

Resides on a computer or appliance connected to segment of an organizations network.

Separate from any computer used for work.

Looks for signs of attacks When examining packets, the NIDPS looks for attack patterns. Installed at a place in the network where it watches traffic going in and out of particular segment.
e.g., between the web server and the gateway.
48

49

Access Control

Need 2 Or More Access Controls

Any single access control device can be defeated: Fingerprint: point a gun at their head and tell them to swipe their finger. Password can be copied. Security guard can be bribed. With 2 access control devices, then its much harder to defeat both of them at the same time.
51

Biometrics: Accuracy and Cost

Accurate results cost more money.

53

Encryption
Plaintext the original information. Ciphertext mixed up, to make it unreadable.
A cipher is another word for a code.

Encryption algorithms are complicated but you need a key to encrypt and a key to decrypt.
Sender Shared Secret-Key Receiver

Encryption plaintext ciphertext

Network
ciphertext

Decryption plaintext

Caesar Cipher A type of substitution cipher:

Each letter in the plaintext is replaced by a letter some fixed number of positions down the alphabet.

For example, with a shift (or key) of 3

AD BE C F and so on.
Plain: Cipher: ABCDEFGHIJKLMNOPQRSTUVWXYZ DEFGHIJKLMNOPQRSTUVWXYZABC Plaintext: THE QUICK BROWN FOX JUMPS OVER THE LAZY DOG Ciphertext: WKH TXLFN EURZQ IRA MXPSV RYHU WKH ODCB GRJ

Cipher Methods (continued)

Cryptosystems typically made up of algorithms, data handling techniques, and procedures

Substitution cipher: substitute one value for another

Monoalphabetic substitution: uses only one alphabet Polyalphabetic substitution: more advanced; uses two or more alphabets Vigenre cipher: advanced cipher type that uses simple polyalphabetic code; made up of 26 distinct cipher alphabets
56

 Vigenre cipher:

Uses all 26 possible substitutes.

Polyalphabetic A different one for each letter.

57

Encryption
The sender encrypts the messages using a key before sending them out to the network The receiver uses the corresponding key to decrypt. If the keys are secret, nobody else can read messages. Problem: how to distribute keys?
You need a trusted third party to send the keys.

Encryption/Decryption Keys
Public-key cipher two different keys:
A private key for you. A public key for everyone else.

Public-key encryption gets around the key problem! You never send the private key. Only send the public key.
You can tell everyone about the public key. Put it on your business card.

Public-Key Encryption/Decryption
Advantage
Easy to distribute public key More scalable with less keys, 2N keys for N users

Disadvantage
Complex algorithm (very CPU intensive, but not really a problem for modern computers) Still need authentication for the public key (phone to check)
To the public Sender Receivers Private Receiver plaintext Encryption ciphertext Receivers Public

Network

Decryption ciphertext plaintext

Public-Key Confidentiality
John sends to Sue encrypt with Sues public key. Sue use her private key to decrypt.

Public-Key Authentication
sent this message? 1. John encrypts a message using his private key.
i.e., John signs the message. Authentication how do you know that John really

2. John sends the encrypted message to Sue. 3. Sue decrypts the received message using Johns public key. Everyone can decrypt the message since Johns public key is known not confidential! Everyone knows that the message can only be sent by John, since only John knows his own

Authentication + Confidentiality
To provide both authentication and confidentiality, you need to encrypt twice. You use your private key and someone elses public key. Creates a unique shared key. Two ways to create the shared key.

Hybrid Cryptography Systems

Pure asymmetric key encryption not widely used

Use asymmetric encryption to share a unique, onceonly symetric key hybrid. Diffie-Hellman Key Exchange method:
most common hybrid system; provided foundation for subsequent developments in public-key encryption
64

Physical Security
Seven major sources of physical loss: 1. Extreme temperature (e.g., fires) 2. Gases 3. Liquids 4. Living organisms (insects, fungus) 5. Projectiles (e.g., bullets, falling objects)

6. Movement
7. Energy anomalies
65

This Happens More Often Than Crocodiles

The most common physical security problem.

66

Fire Security and Safety

Fires cause more property damage, personal injury, and death than any other physical threat. Not guns or flood or lightning or crocodiles.

67

Heating, Ventilation, and Air Conditioning

Areas within heating, ventilation, and air conditioning (HVAC) systems that can cause damage to information systems include: Temperature Filtration (e.g., dust) Humidity

Static electricity
68

Emergency Shutoff
Important physical security feature:

an off switch.
Most computer rooms and wiring closets have an emergency power off button.

69

Exam is something like this

15 multiple-choice questions 15 marks

10 short-answer questions 35 marks

120 minutes (plus 10 minutes for reading)

120 minutes 50 marks

= 2.4 minutes per mark.

Allow about 35 minutes for multiple choice and 85 minutes for the short answer.
70