1 of 95

20CS17 – INFORMATION SECURITY

LAKIREDDY BALI REDDY COLLEGE OF ENGINEERING (AUTONOMOUS) Accredited by NAAC & NBA (Under Tier - I) ISO 9001:2015 Certified Institution Approved by AICTE, New Delhi. and Affiliated to JNTUK, Kakinada L.B. REDDY NAGAR, MYLAVARAM, KRISHNA DIST., A.P.-521 230. DEPARTMENT OF INFORMATION TECHNOLOGY

INTRUDERS

Program & Semester: B.Tech & VI SEM

Section: IT-A

Academic Year: 2024 - 25

By

Mr. M. Vijay Kumar

Sr Assistant Professor

Dept.of IT, LBRCE

2 of 95

Intruders

significant issue for networked systems is hostile or unwanted access
either via network or local
can identify classes of intruders:

Masquerader
Misfeasor
clandestine user

varying levels of competence

A significant security problem for networked systems is hostile, or at least unwanted, trespass being unauthorized login or use of a system, by local or remote users; or by software such as a virus, worm, or Trojan horse.

One of the two most publicized threats to security is the intruder (or hacker or cracker), which Anderson identified three classes of:

• Masquerader: An individual who is not authorized to use the computer (outsider)

• Misfeasor: A legitimate user who accesses unauthorized data, programs, or resources (insider)

• Clandestine user: An individual who seizes supervisory control of the system and uses this control to evade auditing and access controls or to suppress audit collection (either)

Intruder attacks range from the benign (simply exploring net to see what is there); to the serious (who attempt to read privileged data, perform unauthorized modifications, or disrupt system)

3 of 95

Intruders

4 of 95

.

5 of 95

Intrusion Techniques

aim to gain access and/or increase privileges on a system
basic attack methodology

target acquisition and information gathering
initial access
privilege escalation
covering tracks

key goal often is to acquire passwords
so then exercise access rights of owner

6 of 95

Password Guessing

one of the most common attacks
attacker knows a login (from email/web page etc)
then attempts to guess password for it

defaults, short passwords, common word searches
user info (variations on names, birthday, phone, common words/interests)
exhaustively searching all possible passwords

check by login or against stolen password file
success depends on password chosen by user
surveys show many users choose poorly

7 of 95

Password Capture

another attack involves password capture

watching over shoulder as password is entered
using a trojan horse program to collect
monitoring an insecure network login

eg. telnet, FTP, web, email

extracting recorded info after successful login (web history/cache, last number dialed etc)

using valid login/password can impersonate user
users need to be educated to use suitable precautions/countermeasures

8 of 95

Intrusion Detection

inevitably will have security failures
so need also to detect intrusions so can

block if detected quickly
act as deterrent
collect info to improve security

assume intruder will behave differently to a legitimate user

but will have imperfect distinction between

9 of 95

Approaches to Intrusion Detection

statistical anomaly detection

threshold
profile based

rule-based detection

anomaly
penetration identification

10 of 95

Audit Records

fundamental tool for intrusion detection
native audit records

part of all common multi-user O/S
already present for use
may not have info wanted in desired form

detection-specific audit records

created specifically to collect wanted info
at cost of additional overhead on system

11 of 95

Statistical Anomaly Detection

threshold detection

count occurrences of specific event over time
if exceed reasonable value assume intrusion
alone is a crude & ineffective detector

profile based

characterize past behavior of users
detect significant deviations from this
profile usually multi-parameter

12 of 95

Audit Record Analysis

foundation of statistical approaches
analyze records to get metrics over time

counter, gauge, interval timer, resource use

use various tests on these to determine if current behavior is acceptable

mean & standard deviation, multivariate, markov process, time series, operational

key advantage is no prior knowledge used

An analysis of audit records over a period of time can be used to determine the activity profile of the average user. Then current audit records are used as input to detect intrusion, by analyzing incoming audit records to determine deviation from average behavior. Examples of metrics that are useful for profile-based intrusion detection are: counter, gauge, interval timer, resource use. Given these general metrics, various tests can be performed to determine whether current activity fits within acceptable limits, such as: Mean and standard deviation, Multivariate, Markov process, Time series, Operational; as discussed in the text.

Stallings Table18.1 shows various measures considered or tested for the Stanford Research Institute (SRI) intrusion detection system.

The main advantage of the use of statistical profiles is that a prior knowledge of security flaws is not required. Thus it should be readily portable among a variety of systems.

13 of 95

Rule-Based Intrusion Detection

observe events on system & apply rules to decide if activity is suspicious or not
rule-based anomaly detection

analyze historical audit records to identify usage patterns & auto-generate rules for them
then observe current behavior & match against rules to see if conforms
like statistical anomaly detection does not require prior knowledge of security flaws

Rule-based techniques detect intrusion by observing events in the system and applying a set of rules that lead to a decision regarding whether a given pattern of activity is or is not suspicious. Can characterize approaches as either anomaly detection or penetration identification, although there is overlap. Rule-based anomaly detection is similar in terms of its approach and strengths to statistical anomaly detection. Historical audit records are analyzed to identify usage patterns and to automatically generate rules that describe those patterns. Current behavior is then observed and matched against the set of rules to see if it conforms to any historically observed pattern of behavior. As with statistical anomaly detection, rule-based anomaly detection does not require knowledge of security vulnerabilities within the system.

14 of 95

Rule-Based Intrusion Detection

rule-based penetration identification

uses expert systems technology
with rules identifying known penetration, weakness patterns, or suspicious behavior
compare audit records or states against rules
rules usually machine & O/S specific
rules are generated by experts who interview & codify knowledge of security admins
quality depends on how well this is done

15 of 95

Base-Rate Fallacy

practically an intrusion detection system needs to detect a substantial percentage of intrusions with few false alarms

if too few intrusions detected -> false security
if too many false alarms -> ignore / waste time

this is very hard to do
existing systems seem not to have a good record

To be of practical use, an intrusion detection system should detect a substantial percentage of intrusions while keeping the false alarm rate at an acceptable level. If only a modest percentage of actual intrusions are detected, the system provides a false sense of security. On the other hand, if the system frequently triggers an alert when there is no intrusion (a false alarm), then either system managers will begin to ignore the alarms, or much time will be wasted analyzing the false alarms. Unfortunately, because of the nature of the probabilities involved, it is very difficult to meet the standard of high rate of detections with a low rate of false alarms. A study of existing intrusion detection systems indicated that current systems have not overcome the problem of the base-rate fallacy.

16 of 95

Distributed Intrusion Detection

traditional focus is on single systems
but typically, have networked systems
more effective defense has these working together to detect intrusions
issues

dealing with varying audit record formats
integrity & confidentiality of networked data
centralized or decentralized architecture

Until recently, work on intrusion detection systems focused on single-system standalone facilities. The typical organization, however, needs to defend a distributed collection of hosts supported by a LAN or internetwork, where a more effective defense can be achieved by coordination and cooperation among intrusion detection systems across the network.

Porras points out the following major issues in the design of a distributed IDS:

• A distributed intrusion detection system may need to deal with different audit record formats

• One or more nodes in the network will serve as collection and analysis points for the data, which must be securely transmitted to them

• Either a centralized (single point, easier but bottleneck) or decentralized (multiple centers must coordinate) architecture can be used.

17 of 95

Distributed Intrusion Detection - Architecture

18 of 95

Distributed Intrusion Detection – Agent Implementation

19 of 95

.

20 of 95

Honeypots

decoy systems to lure attackers

away from accessing critical systems
to collect information of their activities
to encourage attacker to stay on system so administrator can respond

are filled with fabricated information
instrumented to collect detailed information on attackers activities
single or multiple networked systems

Honeypots are decoy systems, designed to lure a potential attacker away from critical systems, and:

• divert an attacker from accessing critical systems

• collect information about the attacker’s activity

• encourage the attacker to stay on the system long enough for administrators to respond

These systems are filled with fabricated information designed to appear valuable but which any legitimate user of the system wouldn’t access, thus, any access is suspect.

They are instrumented with sensitive monitors and event loggers that detect these accesses and collect information about the attacker’s activities.

Have seen evolution from single host honeypots to honeynets of multiple dispersed systems.

The IETF Intrusion Detection Working Group is currently drafting standards to support interoperability of IDS info (both honeypot and normal IDS) over a wide range of systems & O/S’s.

21 of 95

Password Management

front-line defense against intruders
users supply both:

login – determines privileges of that user
password – to identify them

passwords often stored encrypted

Unix uses multiple DES (variant with salt)
more recent systems use crypto hash function

should protect password file on system

22 of 95

Password Studies

Purdue 1992 - many short passwords
Klein 1990 - many guessable passwords
conclusion is that users choose poor passwords too often
need some approach to counter this

23 of 95

Managing Passwords - Education

can use policies and good user education
educate on importance of good passwords
give guidelines for good passwords

minimum length (>6)
require a mix of upper & lower case letters, numbers, punctuation
not dictionary words

but likely to be ignored by many users

24 of 95

Managing Passwords - Computer Generated

let computer create passwords
if random likely not memorisable, so will be written down (sticky label syndrome)
even pronounceable not remembered
have history of poor user acceptance
FIPS PUB 181 one of best generators

has both description & sample code
generates words from concatenating random pronounceable syllables

25 of 95

Managing Passwords - Reactive Checking

reactively run password guessing tools

note that good dictionaries exist for almost any language/interest group

cracked passwords are disabled
but is resource intensive
bad passwords are vulnerable till found

26 of 95

Managing Passwords - Proactive Checking

most promising approach to improving password security
allow users to select own password
but have system verify it is acceptable

simple rule enforcement (see earlier slide)
compare against dictionary of bad passwords
use algorithmic (markov model or bloom filter) to detect poor choices

The most promising approach to improved password security is a proactive password checker, where a user is allowed to select his or her own password, but the system checks to see if it is allowable and rejects it if not. The trick is to strike a balance between user acceptability and strength.

The first approach is a simple system for rule enforcement, enforcing say guidelines from user education. May not be good enough. Another approach is to compile a large dictionary of possible “bad”passwords, and check user passwords against this disapproved list. But this can be very large & slow to search. A third approach is based on rejecting words using either a Markov model of guessable passwords, or a Bloom filter. Both attempt to identify good or bad passwords without keeping large dictionaries. See text for details.

27 of 95

Summary

have considered:

problem of intrusion
intrusion detection (statistical & rule-based)
password management

28 of 95

Viruses and Other Malicious Content

computer viruses have got a lot of publicity
one of a family of malicious software
effects usually obvious
have figured in news reports, fiction, movies (often exaggerated)
getting more attention than deserve
are a concern though

29 of 95

Malicious Software

30 of 95

Backdoor or Trapdoor

secret entry point into a program
allows those who know access bypassing usual security procedures
have been commonly used by developers
a threat when left in production programs allowing exploited by attackers
very hard to block in O/S
requires good s/w development & update

31 of 95

Logic Bomb

one of oldest types of malicious software
code embedded in legitimate program
activated when specified conditions met

eg presence/absence of some file
particular date/time
particular user

when triggered typically damage system

modify/delete files/disks, halt machine, etc

32 of 95

Trojan Horse

program with hidden side-effects
which is usually superficially attractive

eg game, s/w upgrade etc

when run performs some additional tasks

allows attacker to indirectly gain access they do not have directly

often used to propagate a virus/worm or install a backdoor
or simply to destroy data

33 of 95

Zombie

program which secretly takes over another networked computer
then uses it to indirectly launch attacks
often used to launch distributed denial of service (DDoS) attacks
exploits known flaws in network systems

34 of 95

Viruses

a piece of self-replicating code attached to some other code

cf biological virus

both propagates itself & carries a payload

carries code to make copies of itself
as well as code to perform some covert task

35 of 95

Virus Operation

virus phases:

dormant – waiting on trigger event
propagation – replicating to programs/disks
triggering – by event to execute payload
execution – of payload

details usually machine/OS specific

exploiting features/weaknesses

36 of 95

Virus Structure

program V :=

{goto main;

1234567;

subroutine infect-executable := {loop:

file := get-random-executable-file;

if (first-line-of-file = 1234567) then goto loop

else prepend V to file; }

subroutine do-damage := {whatever damage is to be done}

subroutine trigger-pulled := {return true if condition holds}

main: main-program := {infect-executable;

if trigger-pulled then do-damage;

goto next;}

Stallings Figure 19.1 shows a general depiction of virus structure. The virus code (V) is prepended to infected programs (assuming the entry point is the first line of the program). The first line of code jumps to the main virus program. The second line is a special marker for infected programs. The main virus program first seeks out uninfected executable files and infects them. Then it may perform some action, usually detrimental to the system, depending on some trigger. Finally, the virus transfers control to the original program. If the infection phase of the program is reasonably rapid, a user is unlikely to notice any difference between the execution of an infected and uninfected program. This type of virus can be detected because the length of the program changes. More sophisticated variants attempt to hide their presence better, by for example, compressing the original program.

37 of 95

Types of Viruses

can classify on basis of how they attack
parasitic virus
memory-resident virus
boot sector virus
stealth
polymorphic virus
metamorphic virus

There has been a continuous arms race between virus writers and writers of antivirus software, with the following categories being among the most significant types of viruses:

• Parasitic virus: traditional and still most common form of virus, it attaches itself to executable files and replicates when the infected program is executed

• Memory-resident virus: Lodges in main memory as part of a resident system program, and infects every program that executes

• Boot sector virus: Infects a master boot record and spreads when a system is booted from the disk containing the virus

• Stealth virus: a virus explicitly designed to hide itself from detection by antivirus software

• Polymorphic virus: mutates with every infection, making detection by the “signature”of the virus impossible.

• Metamorphic virus: mutates with every infection, rewriting itself completely at each iteration changing behavior and/or appearance, increasing the difficulty of detection.

38 of 95

Macro Virus

macro code attached to some data file
interpreted by program using file

eg Word/Excel macros
esp. using auto command & command macros

code is now platform independent
is a major source of new viral infections
blur distinction between data and program files
classic trade-off: "ease of use" vs "security”
have improving security in Word etc
are no longer dominant virus threat

39 of 95

Email Virus

spread using email with attachment containing a macro virus

cf Melissa

triggered when user opens attachment
or worse even when mail viewed by using scripting features in mail agent
hence propagate very quickly
usually targeted at Microsoft Outlook mail agent & Word/Excel documents
need better O/S & application security

40 of 95

Worms

replicating but not infecting program
typically spreads over a network

cf Morris Internet Worm in 1988
led to creation of CERTs

using users distributed privileges or by exploiting system vulnerabilities
widely used by hackers to create zombie PC's, subsequently used for further attacks, esp DoS
major issue is lack of security of permanently connected systems, esp PC's

41 of 95

Worm Operation

worm phases like those of viruses:

dormant
propagation

search for other systems to infect
establish connection to target remote system
replicate self onto remote system

triggering
execution

42 of 95

Morris Worm

best known classic worm
released by Robert Morris in 1988
targeted Unix systems
using several propagation techniques

simple password cracking of local pw file
exploit bug in finger daemon
exploit debug trapdoor in sendmail daemon

if any attack succeeds then replicated self

43 of 95

Recent Worm Attacks

new spate of attacks from mid-2001
Code Red - used MS IIS bug

probes random IPs for systems running IIS
had trigger time for denial-of-service attack
2^nd wave infected 360000 servers in 14 hours

Code Red 2 - installed backdoor
Nimda - multiple infection mechanisms
SQL Slammer - attacked MS SQL server
Sobig.f - attacked open proxy servers
Mydoom - mass email worm + backdoor

The contemporary era of worm threats began with the release of the Code Red worm in July of 2001.

Code Red exploited a security hole in Microsoft Internet Information Server (IIS) to penetrate and spread, & also disabled the system file checker in Windows. It probed random IP addresses to spread to other hosts, & had a trigger time for a DDoS attack. It infected nearly 360,000 servers in 14 hours, & consumed enormous amounts of Internet capacity, disrupting service.

Code Red II is a variant that installed a backdoor allowing a hacker to direct activities of victim computers.

Nimda appeared in late 2001 & spreads by multiple mechanisms: email, shares, web client, IIS, Code Red 2 backdoor. It modifies Web documents & certain executable files and creates numerous copies of itself under various filenames.

SQL Slammer worm appeared in early 2003, exploiting a buffer overflow vulnerability in Microsoft SQL server. It was extremely compact and spread rapidly, infecting 90% of vulnerable hosts within 10 minutes.

Sobig.f worm appeared in late 2003, exploiting open proxy servers to turn infected machines into spam engines. At its peak, it accounted for one in every 17 messages and produced more than one million copies of itself within the first 24 hours.

Mydoom appeared in 2004 & is a mass-mailing e-mail worm that installed a backdoor in infected computers. It replicated up to 1000 times per minute and reportedly flooded the Internet with 100 million infected messages in 36 hours.

44 of 95

Worm Techology

multiplatform
multiexploit
ultrafast spreading
polymorphic
metamorphic
transport vehicles
zero-day exploit

45 of 95

Virus Countermeasures

best countermeasure is prevention
but in general not possible
hence need to do one or more of:

detection - of viruses in infected system
identification - of specific infecting virus
removeal - restoring system to clean state

46 of 95

Anti-Virus Software

first-generation

scanner uses virus signature to identify virus
or change in length of programs

second-generation

uses heuristic rules to spot viral infection
or uses crypto hash of program to spot changes

third-generation

memory-resident programs identify virus by actions

fourth-generation

packages with a variety of antivirus techniques
eg scanning & activity traps, access-controls

arms race continues

As the virus arms race has evolved,both viruses and, necessarily, antivirus software have grown more complex and sophisticated. See four generations of antivirus software:

• First generation: simple scanners use a virus signature to identify a virus, limited to known viruses; or use length of program to detect changes to it

• Second generation: heuristic scanners use rules to search for probable virus infection, eg for code fragments; or use crypto hash of programs to detect changes

• Third generation: activity traps which identify a virus by its actions rather than its structure

• Fourth generation: full-featured protection using packages consisting of a variety of antivirus techniques used in conjunction, including scanning and activity trap components

The arms race continues. With fourth-generation packages, a more comprehensive defense strategy is employed, broadening the scope of defense to more general purpose computer security measures.

47 of 95

Advanced Anti-Virus Techniques

generic decryption

use CPU simulator to check program signature & behavior before actually running it

digital immune system (IBM)

general purpose emulation & virus detection
any virus entering org is captured, analyzed, detection/shielding created for it, removed

More sophisticated antivirus approaches and products continue to appear, such as:

Generic Decryption (GD) technology enables the antivirus program to easily detect even the most complex polymorphic viruses, while maintaining fast scanning speeds, using a CPU simulator to scan program for virus signatures & to monitor its behavior before actually running it. Have issue of how long to do this for.

The Digital Immune System from IBM is a comprehensive approach to virus protection, and provides a general purpose emulation and virus-detection system. When a new virus enters an organization, the immune system automatically captures it, analyzes it, adds detection and shielding for it, removes it, and passes information about that virus to systems running IBM AntiVirus so it can be detected before it is run elsewhere.

48 of 95

Digital Immune System

Stallings Figure19.4 illustrates the typical steps in digital immune system operation:

A monitoring program on each PC uses a variety of heuristics based on system behavior, suspicious changes to programs, or family signature to infer that a virus may be present, & forwards infected programs to an administrative machine

2. The administrative machine encrypts the sample and sends it to a central virus analysis machine

3. This machine creates an environment in which the infected program can be safely run for analysis to produces a prescription for identifying and removing the virus

4. The resulting prescription is sent back to the administrative machine

5. The administrative machine forwards the prescription to the infected client

6. The prescription is also forwarded to other clients in the organization

7. Subscribers around the world receive regular antivirus updates that protect them from the new virus.

49 of 95

Behavior-Blocking Software

integrated with host O/S
monitors program behavior in real-time

eg file access, disk format, executable mods, system settings changes, network access

for possibly malicious actions

if detected can block, terminate, or seek ok

has advantage over scanners
but malicious code runs before detection

Behavior-blocking software integrates with the operating system of a host computer and monitors program behavior in real-time for malicious actions. & blocks potentially malicious actions before they have a chance to affect the system. Monitored behaviors can include the following:

• Attempts to open, view, delete, and/or modify files

• Attempts to format disk drives and other unrecoverable disk operations

• Modifications to the logic of executable files or macros

• Modification of critical system settings,such as start-up settings

• Scripting of e-mail and instant messaging clients to send executable content

• Initiation of network communications.

If the behavior blocker detects that a program is initiating would-be malicious behaviors as it runs, it can block these behaviors in real-time and/or terminate the offending software.

The behavior blocker has a fundamental advantage over such established antivirus detection techniques since it can intercept all suspicious requests, & can identify and block malicious actions regardless of how obfuscated the program logic appears to be. But this does mean the malicious code must actually run on the target machine before all its behaviors can be identified.

50 of 95

Distributed Denial of Service Attacks (DDoS)

Distributed Denial of Service (DDoS) attacks form a significant security threat
making networked systems unavailable
by flooding with useless traffic
using large numbers of “zombies”
growing sophistication of attacks
defense technologies struggling to cope

51 of 95

Distributed Denial of Service Attacks (DDoS)

A DDoS attack attempts to consume the target’s resources so that it cannot provide service. One way to classify DDoS attacks is in terms of the type of resource that is consumed, either an internal host resource on the target system, or data transmission capacity in the target local network.

Stallings Figure19.5a shows an example of an internal resource attack - the SYN flood attack. 1. The attacker takes control of multiple hosts over the Internet 2. The slave hosts begin sending TCP/IP SYN (synchronize/initialization) packets, with erroneous return IP address information, to the target 3. For each such packet, the Web server responds with a SYN/ACK (synchronize/acknowledge) packet. The Web server maintains a data structure for each SYN request waiting for a response back and becomes bogged down as more traffic floods in.

Stallings Figure 19.5b illustrates an example of an attack that consumes data transmission resources. 1. The attacker takes control of multiple hosts over the Internet, instructing them to send ICMP ECHO packets with the target’s spoofed IP address to a group of hosts that act as reflectors 2. Nodes at the bounce site receive multiple spoofed requests and respond by sending echo reply packets to the target site. 3. The target’s router is flooded with packets from the bounce site, leaving no data transmission capacity for legitimate traffic.

52 of 95

Contructing the DDoS Attack Network

must infect large number of zombies
needs:
software to implement the DDoS attack
an unpatched vulnerability on many systems
scanning strategy to find vulnerable systems

random, hit-list, topological, local subnet

The first step in a DDoS attack is for the attacker to infect a number of machines with zombie software that will ultimately be used to carry out the attack. The essential ingredients are:

Software that can carry out the DDoS attack, runnable on a large number of machines, concealed, communicating with attacker or time-triggered, and can launch intended attack toward the target

2. A vulnerability in a large number of systems, that many system admins/users have failed to patch

3. A strategy for locating vulnerable machines, known as scanning, such as:

• Random: probe random IP addresses in the IP address space

• Hit-list: use a long list of potential vulnerable machines

• Topological: use info on infected victim machine to find more hosts

• Local subnet: look for targets in own local network

53 of 95

DDoS Countermeasures

three broad lines of defense:

attack prevention & preemption (before)
attack detection & filtering (during)
attack source traceback & ident (after)

huge range of attack possibilities
hence evolving countermeasures

54 of 95

Summary

have considered:

various malicious programs
trapdoor, logic bomb, trojan horse, zombie
viruses
worms
countermeasures
distributed denial of service attacks

55 of 95

Firewalls

The function of a strong position is to make the forces holding it practically unassailable

—On War, Carl Von Clausewitz

56 of 95

Introduction

seen evolution of information systems
now everyone want to be on the Internet
and to interconnect networks
has persistent security concerns

can’t easily secure every system in org

typically use a Firewall
to provide perimeter defence
as part of comprehensive security strategy

Information systems in corporations,government agencies,and other organizations have undergone a steady evolution from mainframes to LANs. Internet connectivity is no longer optional, with information and services essential to the organization. Moreover, individual users want and need Internet access. However, while Internet access provides benefits, it enables the outside world to reach and interact with local network assets, creating a threat to the organization. While it is possible to equip each workstation and server on the premises network with strong security features, this is not a practical approach in general. Firewalls can be an effective means of protecting a local system or network of systems from network-based security threats while at the same time affording access to the outside world via wide area networks and the Internet. However they need to be part of a wider security strategy including host security.

57 of 95

What is a Firewall?

a choke point of control and monitoring
interconnects networks with differing trust
imposes restrictions on network services

only authorized traffic is allowed

auditing and controlling access

can implement alarms for abnormal behavior

provide NAT & usage monitoring
implement VPNs using IPSec
must be immune to penetration

A firewall is inserted between the premises network and the Internet to establish a controlled link and to erect an outer security wall or perimeter, forming a single choke point where security and audit can be imposed. A firewall:

defines a single choke point that keeps unauthorized users out of the protected network, prohibits potentially vulnerable services from entering or leaving the network, and provides protection from various kinds of IP spoofing and routing attacks.

2. provides a location for monitoring security-related events

3. is a convenient platform for several Internet functions that are not security related, such as NAT and Internet usage audits or logs

4. A firewall can serve as the platform for IPSec to implement virtual private networks.

The firewall itself must be immune to penetration, since it will be a target of attack.

58 of 95

Firewall Limitations

cannot protect from attacks bypassing it

eg sneaker net, utility modems, trusted organisations, trusted services (eg SSL/SSH)

cannot protect against internal threats

eg disgruntled or colluding employees

cannot protect against transfer of all virus infected programs or files

because of huge range of O/S & file types

59 of 95

Firewalls – Packet Filters

simplest, fastest firewall component
foundation of any firewall system
examine each IP packet (no context) and permit or deny according to rules
hence restrict access to services (ports)
possible default policies

that not expressly permitted is prohibited
that not expressly prohibited is permitted

60 of 95

Firewalls – Packet Filters

61 of 95

Firewalls – Packet Filters

62 of 95

Attacks on Packet Filters

IP address spoofing

fake source address to be trusted
add filters on router to block

source routing attacks

attacker sets a route other than default
block source routed packets

tiny fragment attacks

split header info over several tiny packets
either discard or reassemble before check

63 of 95

Firewalls – Stateful Packet Filters

traditional packet filters do not examine higher layer context

ie matching return packets with outgoing flow

stateful packet filters address this need
they examine each IP packet in context

keep track of client-server sessions
check each packet validly belongs to one

hence are better able to detect bogus packets out of context

64 of 95

Firewalls - Application Level Gateway (or Proxy)

have application specific gateway / proxy
has full access to protocol

user requests service from proxy
proxy validates request as legal
then actions request and returns result to user
can log / audit traffic at application level

need separate proxies for each service

some services naturally support proxying
others are more problematic

65 of 95

Firewalls - Application Level Gateway (or Proxy)

66 of 95

Firewalls - Circuit Level Gateway

relays two TCP connections
imposes security by limiting which such connections are allowed
once created usually relays traffic without examining contents
typically used when trust internal users by allowing general outbound connections
SOCKS is commonly used

67 of 95

Firewalls - Circuit Level Gateway

68 of 95

Bastion Host

highly secure host system
runs circuit / application level gateways
or provides externally accessible services
potentially exposed to "hostile" elements
hence is secured to withstand this

hardened O/S, essential services, extra auth
proxies small, secure, independent, non-privileged

may support 2 or more net connections
may be trusted to enforce policy of trusted separation between these net connections

A bastion host is a critical strong point in the network’s security, serving as a platform for an application-level or circuit-level gateway, or for external services. It is thus potentially exposed to "hostile" elements and must be secured to withstand this. Common characteristics of a bastion host include that it:

• executes a secure version of its O/S, making it a trusted system

• has only essential services installed on the bastion host

• may require additional authentication before a user is allowed access to the proxy services

• is configured to support only a subset of the standard application’s command set, with access only to specific hosts

• maintains detailed audit information by logging all traffic

• has each proxy module a very small software package specifically designed for network security

• has each proxy independent of other proxies on the bastion host

• have a proxy performs no disk access other than to read its initial configuration file

• have each proxy run as a nonprivileged user in a private and secured directory

A bastion host may have two or more network interfaces (or ports), and must be trusted to enforce trusted separation between these network connections, relaying traffic only according to policy.

69 of 95

Firewall Configurations

70 of 95

Firewall Configurations

71 of 95

Firewall Configurations

Stallings Figure 20.2c shows the “screened subnet firewall configuration”, being the most secure shown. It has two packet-filtering routers, one between the bastion host and the Internet and the other between the bastion host and the internal network, creating an isolated subnetwork. This may consist of simply the bastion host but may also include one or more information servers and modems for dial-in capability. Typically, both the Internet and the internal network have access to hosts on the screened subnet, but traffic across the screened subnet is blocked.

This configuration offers several advantages:

• There are now three levels of defense to thwart intruders

• The outside router advertises only the existence of the screened subnet to the Internet; therefore the internal network is invisible to the Internet

• Similarly, the inside router advertises only the existence of the screened subnet to the internal network; hence systems on the inside network cannot construct direct routes to the Internet

72 of 95

Access Control

given system has identified a user
determine what resources they can access
general model is that of access matrix with

subject - active entity (user, process)
object - passive entity (file or resource)
access right – way object can be accessed

can decompose by

columns as access control lists
rows as capability tickets

Following successful logon, a user has been granted access to one or a set of hosts and applications. Associated with each user there can be a profile that specifies permissible operations and file accesses, which the operating system can then enforce.

A general model of access control is that of an access matrix, the basic elements of which are:

• Subject: An entity (typically a process) capable of accessing objects

• Object: Anything to which access is controlled, eg files, portions of files, programs, memory segments

• Access right: The way in which an object is accessed by a subject, eg. read,write,and execute

One axis of an access matrix consists of identified subjects that may attempt data access, the other lists objects that may be accessed, & each entry in the matrix indicates the access rights of that subject for that object. In practice, an access matrix is usually sparse and is implemented by decomposition in one of two ways. If decomposed by columns, you have access control lists, which list users & their permitted access rights for each object. If decomposed by rows it yields capability tickets, which specify authorized objects & operations for a user.

73 of 95

Access Control Matrix

74 of 95

Trusted Computer Systems

information security is increasingly important
have varying degrees of sensitivity of information

cf military info classifications: confidential, secret etc

subjects (people or programs) have varying rights of access to objects (information)
known as multilevel security

subjects have maximum & current security level
objects have a fixed security level classification

want to consider ways of increasing confidence in systems to enforce these rights

75 of 95

Bell LaPadula (BLP) Model

one of the most famous security models
implemented as mandatory policies on system
has two key policies:
no read up (simple security property)

a subject can only read/write an object if the current security level of the subject dominates (>=) the classification of the object

no write down (*-property)

a subject can only append/write to an object if the current security level of the subject is dominated by (<=) the classification of the object

76 of 95

Reference Monitor

77 of 95

Evaluated Computer Systems

governments can evaluate IT systems
against a range of standards:

TCSEC, IPSEC and now Common Criteria

define a number of “levels” of evaluation with increasingly stringent checking
have published lists of evaluated products

though aimed at government/defense use
can be useful in industry also

Trusted systems need to be evaluated against a suitable set of criteria by an approved government agency. The original standard developed by the US DoD & NSA was TCSEC in the early 80’s. Later standards were developed by other countries, harmonized in the EU with IPSEC (which was also used in Australia), and now internationally with the Common Criteria. These standards define a number of “levels” of evaluation with increasingly stringent checking, to which an evaluation center evaluates commercially available products as meeting the security requirements specified, within a given functionality area. These evaluations are needed for Defense procurements but are published and freely available, & can serve as guidance to commercial customers for the purchase of commercially available,off-the-shelf equipment.

78 of 95

Common Criteria

international initiative specifying security requirements & defining evaluation criteria
incorporates earlier standards

eg CSEC, ITSEC, CTCPEC (Canadian), Federal (US)

specifies standards for

evaluation criteria
methodology for application of criteria
administrative procedures for evaluation, certification and accreditation schemes

79 of 95

Common Criteria

defines set of security requirements
have a Target Of Evaluation (TOE)
requirements fall in two categories

functional
assurance

both organised in classes of families & components

The CC defines a common set of potential security requirements for use in evaluation. The term target of evaluation (TOE) refers to that part of the product or system that is subject to evaluation. The requirements fall in two categories:

• Functional requirements: define desired security behavior, have a set of security functional components that provide a standard way of expressing the security functional requirements for a TOE

• Assurance requirements: basis for gaining confidence that the claimed security measures are effective and implemented correctly

Both functional requirements and assurance requirements are organized into classes, being a collection of requirements that share a common focus or intent. Each of these classes contains a number of families which share security objectives, & in turn contain one or more components.

80 of 95

Common Criteria Requirements

Functional Requirements

security audit, crypto support, communications, user data protection, identification & authentication, security management, privacy, protection of trusted security functions, resource utilization, TOE access, trusted path

Assurance Requirements

configuration management, delivery & operation, development, guidance documents, life cycle support, tests, vulnerability assessment, assurance maintenance

81 of 95

Common Criteria

82 of 95

Common Criteria

83 of 95

Summary

have considered:

firewalls
types of firewalls
configurations
access control
trusted systems
common criteria

84 of 95

Introduction to Database Security Issues

Types of Security

Legal and ethical issues
Policy issues
System-related issues
The need to identify multiple security levels

84

85 of 95

Three Basic Concepts

Authentication: a mechanism that determines whether a user is who he or she claims to be
Authorization: the granting of a right or privilege, which enables a subject to legitimately have access to a system or a system’s objects
Access Control: a security mechanism (of a DBMS) for restricting access to a system’s objects (the database) as a whole

85

86 of 95

Introduction to Database Security Issue(2)

Threats

Any situation or event, whether intentional or unintentional, that will adversely affect a system and consequently an organization
Threats to:

Computer systems
Databases

86

87 of 95

Threats to Computer Systems

87

88 of 95

Scope of Data Security Needs

88

Must protect databases & the servers on which they reside
Must administer & protect the rights of internal database users
Must guarantee the confidentiality of ecommerce customers as they access the database
With the Internet continually growing, the threat to data traveling over the network increases exponentially

89 of 95

Introduction to Database Security Issues (3)

Threats to databases

Loss of integrity
Loss of availability
Loss of confidentiality

To protect databases against these types of threats four kinds of countermeasures can be implemented:

Access control
Inference control
Flow control
Encryption

89

90 of 95

Introduction to Database Security Issues (4)

A DBMS typically includes a database security and authorization subsystem that is responsible for ensuring the security portions of a database against unauthorized access.

Two types of database security mechanisms:

Discretionary security mechanisms
Mandatory security mechanisms

90

91 of 95

Introduction to Database Security Issues 5)

The security mechanism of a DBMS must include provisions for restricting access to the database as a whole

This function is called access control and is handled by creating user accounts and passwords to control login process by the DBMS.

91

92 of 95

Introduction to Database Security Issues (6)

The security problem associated with databases is that of controlling the access to a statistical database, which is used to provide statistical information or summaries of values based on various criteria.

The countermeasures to statistical database security problem is called inference control measures.

92

93 of 95

Introduction to Database Security Issues (7)

Another security is that of flow control, which prevents information from flowing in such a way that it reaches unauthorized users.

Channels that are pathways for information to flow implicitly in ways that violate the security policy of an organization are called covert channels.

93

94 of 95

Introduction to Database Security Issues (8)

A final security issue is data encryption, which is used to protect sensitive data (such as credit card numbers) that is being transmitted via some type communication network.
The data is encoded using some encoding algorithm.

An unauthorized user who access encoded data will have difficulty deciphering it, but authorized users are given decoding or decrypting algorithms (or keys) to decipher data.

94

95 of 95

��Database Authorization

Authorization

Authorization is a privilege provided by the Database Administer. Users of the database can only view the contents they are authorized to view. The rest of the database is out of bounds to them.
The different permissions for authorizations available are:
Primary Permission - This is granted to users publicly and directly.
Secondary Permission - This is granted to groups and automatically awarded to a user if he is a member of the group.
Public Permission - This is publicly granted to all the users.
Context sensitive permission - This is related to sensitive content and only granted to a select users.
The categories of authorization that can be given to users are:
System Administrator - This is the highest administrative authorization for a user. Users with this authorization can also execute some database administrator commands such as restore or upgrade a database.
System Control - This is the highest control authorization for a user. This allows maintenance operations on the database but not direct access to data.
System Maintenance - This is the lower level of system control authority. It also allows users to maintain the database but within a database manager instance.
System Monitor - Using this authority, the user can monitor the database and take snapshots of it.