Unit - 6
Security
On a computer network of interconnected systems, security is not only important but also hard to achieve. We need to consider threats not only on our own (local) system but also on all systems connected to it, as well as on the connections themselves.
While we may have some trust in our own system, we will likely not trust all systems on the network and their users. The interests of the other parties on the network may be completely different from ours. As we have seen in our security analysis, conflicting interests lead to (security) risks.
To secure the network we need to consider attacks at different layers. Consider the network layer model for TCP/IP in the figure below.
An application process will use the transport layer's connection service to manage a connection with a remote process it wants to communicate with. To do this, the (human-understandable) addresses used by the application, such as www.tue.nl, need to be translated to IP addresses understood by the network layer, using DNS.
An attacker may try to get the traffic redirected to their IP address by disturbing this step (e.g., through DNS spoofing). Alternatively, the attacker could influence lower layers to achieve the same result. For example, an attacker could eavesdrop on messages if she has access to the physical layer.
Why is security important (the need for security)
Below are the reasons why cyber security is so important in what has become a predominantly digital world:
Cyber-attacks can be extremely expensive for businesses to endure.
In addition to the financial damage suffered by the business, a data breach can also inflict untold reputational damage.
Cyber attacks these days are becoming progressively more destructive. Cybercriminals are using more sophisticated ways to initiate cyber attacks.
Regulations such as GDPR are forcing organizations to take better care of the personal data they hold.
Because of the above reasons, cyber security has become an important part of business, and the focus now is on developing appropriate response plans that minimize the damage in the event of a cyber attack. But an organization or an individual can develop a proper response plan only with a good grip on cyber security fundamentals.
Services fundamentals
Cyber security fundamentals – Confidentiality: Confidentiality is about preventing the disclosure of data to unauthorized parties. It also means trying to keep the identity of the authorized parties involved in sharing and holding data private and anonymous. Confidentiality is often compromised by cracking poorly encrypted data, man-in-the-middle (MITM) attacks, or disclosure of sensitive data. Standard measures to establish confidentiality include:
Data encryption
Two-factor authentication
Biometric verification
Security tokens
Integrity
Integrity refers to protecting information from being modified by unauthorized parties.
Standard measures to guarantee integrity include:
Cryptographic checksums
Using file permissions
Uninterrupted power supplies
Data backups
Availability
Availability is making sure that authorized parties are able to access the information when needed.
Standard measures to guarantee availability include:
Backing up data to external drives
Implementing firewalls
Having backup power supplies
Data redundancy
Types of Cyber Attacks
A cyber-attack is an exploitation of computer systems and networks. It uses malicious code to alter computer code, logic or data, leading to cybercrimes such as information and identity theft.
Cyber-attacks can be classified into the following categories:
1) Web-based attacks
2) System-based attacks
Security Vulnerabilities, Threats and Attacks
Categories of vulnerabilities
Corrupted (Loss of integrity)
Leaky (Loss of confidentiality)
Unavailable or very slow (Loss of availability)
Threats represent potential security harm to an asset when vulnerabilities are exploited. Attacks are threats that have been carried out. Attacks can be classified as:
Passive: make use of information from the system without affecting system resources.
Active: alter system resources or affect their operation.
Insider: initiated by an entity inside the organization.
Outsider: initiated from outside the perimeter.
Computer criminals
Computer criminals have access to enormous amounts of hardware, software, and data; they have the potential to cripple much of effective business and government throughout the world.
In a sense, the purpose of computer security is to prevent these criminals from doing damage. We say computer crime is any crime involving a computer or aided by the use of one.
Although this definition is admittedly broad, it allows us to consider ways to protect ourselves, our businesses, and our communities against those who use computers maliciously.
One approach to prevention or moderation is to understand who commits these crimes and why. Many studies have attempted to determine the characteristics of computer criminals.
By studying those who have already used computers to commit crimes, we may be able in the future to spot likely criminals and prevent the crimes from occurring.
CIA Triad
The CIA Triad is a security model that has been developed to help people think about various parts of IT security.
CIA triad broken down:
Confidentiality
It's crucial in today's world for people to protect their sensitive, private information from unauthorized access.
Protecting confidentiality depends on being able to define and enforce certain access levels for information. In some cases, doing this involves separating information into various collections that are organized by who needs access to the information and how sensitive that information actually is, i.e., the amount of damage that would be suffered if the confidentiality were breached.
Some of the most common means used to manage confidentiality include access control lists, volume and file encryption, and Unix file permissions.
Integrity
Data integrity is what the "I" in the CIA Triad stands for. It is an essential component of the CIA Triad, designed to protect data from deletion or modification by any unauthorized party, and it ensures that when an authorized person makes a change that should not have been made, the damage can be reversed.
Availability
This is the final component of the CIA Triad and refers to the actual availability of your data. Authentication mechanisms, access channels and systems all have to work properly for the information they protect, and ensure it is available when it is needed.
Understanding the CIA triad
The CIA Triad is all about information. While this is considered the core factor of the majority of IT security, it promotes a limited view of security that ignores other important factors.
For example, even though availability may serve to make sure you don't lose access to the resources needed to provide information when it is needed, thinking about information security by itself doesn't guarantee that someone else hasn't used your hardware resources without authorization.
It's important to understand what the CIA Triad is and how it is used to plan and implement a quality security policy, while understanding the various principles behind it. It's also important to understand the limitations it presents.
When you are informed, you can utilize the CIA Triad for what it has to offer and avoid the consequences that may come from not understanding it.
Assets and Threats
What is an asset:
An asset is any data, device or other component of an organization's systems that is valuable, often because it contains sensitive data or can be used to access such information.
For example: an employee's desktop computer, laptop or company phone would be considered an asset, as would the applications on those devices. Likewise, critical infrastructure, such as servers and support systems, are assets.
An organization's most common assets are information assets. These are things such as databases and physical files: the sensitive data that you store.
What is a threat:
A threat is any incident that could negatively affect an asset, for example if it's lost, knocked offline or accessed by an unauthorized party.
Threats can be categorized as circumstances that compromise the confidentiality, integrity or availability of an asset, and can be either intentional or accidental.
Intentional threats include things such as criminal hacking or a malicious insider stealing information, whereas accidental threats generally involve employee error, a technical malfunction, or an event that causes physical damage, such as a fire or natural disaster.
Types of Active attacks:
Masquerade: In this attack, the intruder pretends to be a particular user of a system to gain access, or to gain greater privileges than they are authorized for.
A masquerade may be attempted through the use of stolen login IDs and passwords, through finding security gaps in programs, or through bypassing the authentication mechanism.
Session replay: In this type of attack, a hacker steals an authorized user's login information by stealing the session ID. The intruder gains access and the ability to do anything the authorized user can do on the website.
Message modification: In this attack, an intruder alters packet header addresses to direct a message to a different destination, or modifies the data on a target machine.
Denial of service: In a denial of service (DoS) attack, users are deprived of access to a network or web resource. This is generally accomplished by overwhelming the target with more traffic than it can handle. In a distributed denial-of-service (DDoS) attack, large numbers of compromised systems (sometimes called a botnet or zombie army) attack a single target.
Passive attacks: Passive attacks are relatively scarce from a classification perspective, but can be carried out with relative ease, particularly if the traffic is not encrypted.
Types of passive attacks:
Eavesdropping (tapping): the attacker simply listens to messages exchanged by two entities. For the attack to be useful, the traffic must not be encrypted. Any unencrypted information, such as a password sent in response to an HTTP request, may be retrieved by the attacker.
Traffic analysis: the attacker looks at the metadata transmitted in traffic in order to deduce information relating to the exchange and the participating entities, e.g., the form of the exchanged traffic (rate, duration, etc.).
Where encrypted data are used, traffic analysis can also lead to attacks by cryptanalysis, whereby the attacker may obtain information or succeed in decrypting the traffic.
Software attacks:
Malicious code (sometimes called malware) is a type of software designed to take over or damage a computer user's operating system without the user's knowledge or approval. It can be very difficult to remove and very damaging. Common malware examples are listed in the following table:
Attack | Characteristics
Virus | A virus is a program that attempts to damage a computer system and replicate itself to other computer systems. A virus:
Worm | A worm is a self-replicating program that can be designed to do any number of things, such as delete files or send documents via e-mail. A worm can negatively impact network traffic just in the process of replicating itself. A worm:
Trojan horse | A Trojan horse is a malicious program that is disguised as legitimate software. Discretionary environments are often more vulnerable and susceptible to Trojan horse attacks because security is user focused and user directed. Thus the compromise of a user account could lead to the compromise of the entire environment. A Trojan horse:
Logic bomb | A logic bomb is malware that lies dormant until triggered. A logic bomb is a specific example of an asynchronous attack.
Hardware attacks:
Common hardware attacks include:
Manufacturing backdoors, for malware or other penetrative purposes; backdoors aren't limited to software and conventional hardware, but also affect embedded radio-frequency identification (RFID) chips and memory.
Eavesdropping by gaining access to protected memory without opening other hardware.
Inducing faults, causing the interruption of normal behavior.
Hardware modification: tampering with invasive operations.
Backdoor creation: the presence of hidden methods for bypassing normal computer authentication systems.
Counterfeiting product assets that can produce extraordinary operations, and those made to gain malicious access to systems.
OSI Security Architecture
ITU-T X.800 "Security Architecture for OSI" defines a systematic way of defining and providing security requirements. For us it provides a useful, if abstract, overview of the concepts we will study.
Aspects of security
Consider three aspects of information security:
Security attack
Security mechanism
Security service
Security attack
Any action that compromises the security of information owned by an organization.
Information security is about how to prevent attacks, or failing that, to detect attacks on information-based systems.
Often threat and attack are used to mean the same thing.
There is a wide range of attacks; we can focus on generic types of attacks: passive and active.
Security Service
Enhances the security of data processing systems and information transfers of an organization.
Intended to counter security attacks, using one or more security mechanisms.
Often replicates functions normally associated with physical documents, which, for example, have signatures and dates; need protection from disclosure, tampering, or destruction; may be notarized or witnessed; may be recorded or licensed.
X.800: "a service provided by a protocol layer of communicating open systems, which ensures adequate security of the systems or of data transfers".
RFC 2828: "a processing or communication service provided by a system to give a specific kind of protection to system resources".
Authentication: assurance that the communicating entity is the one claimed.
Access control: prevention of the unauthorized use of a resource.
Data confidentiality: protection of data from unauthorized disclosure.
Data integrity: assurance that data received is as sent by an authorized entity.
Non-repudiation: protection against denial by one of the parties in a communication.
Requirements
Two requirements for secure use of symmetric encryption:
A strong encryption algorithm
A secret key known only to sender / receiver
Mathematically we have:
y = E_K(x)
x = D_K(y)
Assume the encryption algorithm is known.
This implies that a secure channel is needed to distribute the key.
Cryptography
Characterize a cryptographic system by:
Type of encryption operations used
• Substitution / transposition / product
Number of keys used
• Single-key or private / two-key or public
Way in which plaintext is processed
• Block / stream
Cryptanalysis
Objective: to recover the key, not just the message.
General approaches:
Cryptanalytic attack
Brute-force attack
Cryptanalytic attacks
Ciphertext only: only know the algorithm & ciphertext; is statistical; know or can identify plaintext.
Cryptography is the process in which plain text is sent over a network after converting it into cipher text, to prevent misuse of the data during transmission in the network.
Cryptography
Symmetric (private key)
Traditional private/secret/single-key cryptography uses one key, shared by both sender and receiver.
• If this key is disclosed, communications are compromised
• It is also symmetric: the parties are equal
• Hence it does not protect the sender from the receiver forging a message and claiming it was sent by the sender
Asymmetric (public key)
• Uses two keys: a public and a private key
• Asymmetric since the parties are not equal
• Uses clever application of number-theoretic concepts to function
• Complements rather than replaces private-key crypto
• Developed to address two key issues:
Key distribution: how to have secure communications in general without having to trust a third party with your key
Digital signatures: how to verify a message comes intact from the claimed sender
Asymmetric cryptography involves the use of two keys:
A public key, which may be known by anybody, and can be used to encrypt messages and verify signatures
A private key, known only to the recipient, used to decrypt messages and sign (create) signatures
• It is asymmetric because those who encrypt messages or verify signatures cannot decrypt messages or create signatures
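An added example (not from these notes) of the relation y = E_K(x), x = D_K(y) from the Requirements section and of the forgery difference between the two settings, in Python standard library only. The symmetric part builds its keystream from HMAC-SHA256 in counter mode (a PRF-based stream cipher chosen so that no third-party library is needed, not a standard cipher) and uses HMAC as the MAC; the asymmetric part is textbook RSA with the toy primes 61 and 53, for illustration only.

```python
import hashlib
import hmac
import os

# ---- Symmetric (private key): one key K shared by sender and receiver ----

def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF keystream: HMAC-SHA256(K, nonce || counter) blocks (illustration, not a standard cipher)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_sym(key: bytes, nonce: bytes, x: bytes) -> bytes:
    """y = E_K(x): XOR the plaintext with the keystream."""
    return bytes(p ^ k for p, k in zip(x, keystream(key, nonce, len(x))))


def decrypt_sym(key: bytes, nonce: bytes, y: bytes) -> bytes:
    """x = D_K(y): XOR is its own inverse, so decryption reuses the same keystream."""
    return encrypt_sym(key, nonce, y)


def mac_tag(key: bytes, message: bytes) -> bytes:
    """Integrity/authentication tag computed under the same shared key K."""
    return hmac.new(key, message, hashlib.sha256).digest()


def mac_verify(key: bytes, message: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(mac_tag(key, message), tag)


def receiver_can_forge(key: bytes, forged: bytes) -> bool:
    """The receiver holds K too, so a tag it makes on any message verifies: a shared key
    cannot protect the sender from the receiver forging a message (no non-repudiation)."""
    return mac_verify(key, forged, mac_tag(key, forged))


# ---- Asymmetric (public key): textbook RSA with toy primes, illustration only ----

def rsa_keygen():
    p, q = 61, 53                 # toy primes; real keys use primes of 1024 bits or more
    n = p * q                     # 3233
    phi = (p - 1) * (q - 1)       # 3120
    e = 17                        # public exponent
    d = pow(e, -1, phi)           # private exponent 2753; computing it needs the factors of n
    return (e, n), (d, n)         # (public key, private key)


def rsa_sign(private_key, m: int) -> int:
    """Signature on a small integer message m < n (real use hashes and pads m first)."""
    d, n = private_key
    return pow(m, d, n)


def rsa_verify(public_key, m: int, signature: int) -> bool:
    """Anyone holding the public key can verify, but cannot create a signature without d."""
    e, n = public_key
    return pow(signature, e, n) == m


def demo():
    key, nonce = os.urandom(32), os.urandom(8)
    x = b"transfer 100 to bob"
    roundtrip = decrypt_sym(key, nonce, encrypt_sym(key, nonce, x)) == x   # True
    forged = b"transfer 900 to bob"
    sym_forgery = receiver_can_forge(key, forged)                          # True
    public_key, private_key = rsa_keygen()
    sig = rsa_sign(private_key, 65)
    genuine = rsa_verify(public_key, 65, sig)                              # True
    tampered = rsa_verify(public_key, 66, sig)                             # False
    return roundtrip, sym_forgery, genuine, tampered


if __name__ == "__main__":
    print(demo())
```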
TLS (Transport Layer Security)
IETF standard RFC 2246, similar to SSLv3 with minor differences:
In record format version number
Uses HMAC for MAC
A pseudo-random function expands secrets
Has additional alert codes
Some changes in supported ciphers
Changes in certificate types & negotiations
Changes in crypto computations & padding
Application security
There are two components of security in mobile computing: security of devices and security in networks.
Secure network access involves authentication between the device and the base stations or web servers. This ensures that only authenticated devices can be connected to the network to obtain the requested services.
No malicious code can then impersonate the service provider to trick the device into doing something it does not intend to. Thus, the networks also play a crucial role in the security of mobile devices.
Some prominent kinds of attacks to which mobile devices are subjected are: push attacks, pull attacks and crash attacks.
Authentication service security is important given the typical attacks on mobile devices through wireless networks: DoS attacks, traffic analysis, eavesdropping, man-in-the-middle attacks and session hijacking.
Security measures in this scenario come from Wireless Application Protocols (WAPs), use of VPNs, media access control (MAC) address filtering and developments in the 802.xx standards.
S/MIME (Secure/Multipurpose Internet Mail Extensions)
A security enhancement to MIME email. The original Internet RFC 822 email was text only; MIME provided support for varying content types and multi-part messages, with encoding of binary data to textual form. S/MIME added security enhancements.
Many mail agents have S/MIME support, e.g. MS Outlook, Mozilla, Mac Mail, etc.
S/MIME functions
Enveloped data
Encrypted content and associated keys
Signed data
Encoded message + signed digest
Clear-signed data
Clear text message + encoded signed digest
Signed & enveloped data
Nesting of signed & encrypted entities
S/MIME cryptographic algorithms
Digital signatures: DSS & RSA
Hash functions: SHA-1 & MD5
Session key encryption: ElGamal & RSA
Message encryption: AES, Triple DES, RC2/40 and others
MAC: HMAC with SHA-1
There is a process to decide which algorithms to use.
S/MIME messages
S/MIME secures a MIME entity with a signature, encryption, or both, forming a MIME-wrapped PKCS object. There is a range of content types: enveloped data, signed data, clear-signed data, registration request, certificate-only message.
IP Security
There is a range of application-specific security mechanisms, e.g. S/MIME, PGP, Kerberos, SSL/HTTPS.
However, there are security concerns that cut across protocol layers; we would like security implemented by the network for all applications.
General IP security mechanisms provide:
Authentication
Confidentiality
Key management
Applicable for use over LANs, across public & private WANs, and for the Internet.
Benefits of IPSEC
In a firewall/router, provides strong security to all traffic crossing the perimeter
In a firewall/router, is resistant to bypass
Is below the transport layer, hence transparent to applications
Can be transparent to end users
Can provide security for individual users
Secures routing architecture
SSL (Secure Sockets Layer)
Transport layer security service
Originally developed by Netscape
Version 3 designed with public input
Subsequently became the Internet standard known as TLS (Transport Layer Security)
Uses TCP to provide a reliable end-to-end service
SSL has two layers of protocols
SSL connection
A transient, peer-to-peer communications link
Associated with one SSL session
SSL session
An association between client & server
Created by the Handshake Protocol
Defines a set of cryptographic parameters
May be shared by multiple SSL connections
HTTPS stands for Hypertext Transfer Protocol Secure. It is the protocol where encrypted HTTP data is transferred over a secure connection. By using a secure connection such as Transport Layer Security or Secure Sockets Layer, the privacy and integrity of data are maintained and the authentication of websites is also validated.
What is a firewall
A choke point of control and monitoring
Interconnects networks with differing trust
Imposes restrictions on network services: only authorized traffic is allowed
Auditing and controlling access
Can implement alarms for abnormal behavior
Provides NAT & usage monitoring
Can implement VPNs using IPsec
Must be immune to penetration
Firewall limitations
Cannot protect from attacks bypassing it
Cannot protect against internal threats
Cannot protect against the transfer of all virus-infected programs or files, because of the huge range of O/S & file types
Firewalls: packet filters
Simplest, fastest firewall component; the foundation of any firewall system.
Examines each IP packet (with no context) and permits or denies it according to rules. Hence restricts access to services (ports). A default policy applies to packets that match no rule.
Various firewall configurations are shown below
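An added example (not from these notes) of the stateless rule matching a packet filter performs, in Python: each packet is checked in isolation against an ordered rule list, the first match decides, and a default policy of "deny" or "permit" is applied to whatever matches no rule. The rule set and packets are constructed for the example and use documentation address ranges.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str      # "tcp", "udp" or "icmp"
    sport: int
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                   # "permit" or "deny"
    src: str = "0.0.0.0/0"        # CIDR; the default matches any source
    dst: str = "0.0.0.0/0"
    proto: str = "any"
    dport: Optional[int] = None   # None matches any destination port

    def matches(self, pkt: Packet) -> bool:
        # A packet filter sees only the header fields of this one packet: no connection context.
        return (ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and self.proto in ("any", pkt.proto)
                and self.dport in (None, pkt.dport))


def filter_packet(rules: List[Rule], pkt: Packet, default: str = "deny") -> str:
    """First matching rule wins; the default policy decides packets that match no rule."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default


# Constructed inbound rule set for a perimeter whose inside network is 192.0.2.0/24.
RULES = [
    Rule("deny", src="192.0.2.0/24"),                            # packets from outside must not claim an inside source
    Rule("permit", dst="192.0.2.25/32", proto="tcp", dport=25),  # SMTP to the mail server
    Rule("permit", dst="192.0.2.80/32", proto="tcp", dport=80),  # HTTP to the web server
    Rule("deny", proto="tcp", dport=23),                         # Telnet explicitly denied everywhere
]

# Constructed sample packets (documentation addresses).
SAMPLE_PACKETS = {
    "smtp_to_mail": Packet("198.51.100.7", "192.0.2.25", "tcp", 40001, 25),
    "telnet_to_mail": Packet("198.51.100.7", "192.0.2.25", "tcp", 40002, 23),
    "ssh_to_mail": Packet("198.51.100.7", "192.0.2.25", "tcp", 40003, 22),
    "spoofed_inside": Packet("192.0.2.9", "192.0.2.80", "tcp", 40004, 80),
}


def decisions(default: str) -> Dict[str, str]:
    """Run every sample packet through the rules under the given default policy."""
    return {name: filter_packet(RULES, pkt, default) for name, pkt in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    # Under "deny" the unlisted SSH packet is dropped; under "permit" it slips through.
    print("default deny:  ", decisions("deny"))
    print("default permit:", decisions("permit"))
```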
Intrusion detection
A significant issue for networked systems is hostile or unwanted access, either via the network or locally. We can identify classes of intruders: masquerader, misfeasor, clandestine user, with varying levels of competence. It is clearly a growing, publicized problem.
Intrusion techniques
Aim to gain access and/or increase privileges on a system.
Basic attack methodology:
Target acquisition and information gathering
Initial access
Privilege escalation
Covering tracks
The key goal is often to acquire passwords, and then exercise the access rights of the owner.
Password guessing
One of the most common attacks. The attacker knows a login (from email/web page etc.) and then attempts to guess the password for it:
Defaults, short passwords, common word searches
User info (variations on names, birthday, phone, common words/interests)
Exhaustively searching all possible passwords
Checked by login attempts or against a stolen password file
Success depends on the password chosen by the user; surveys show many users choose poorly.
Password capture
Another attack involves password capture:
Watching over the shoulder as the password is entered
Using a Trojan horse program to collect it
Monitoring an insecure network login, e.g. Telnet, FTP, web, email
Extracting recorded info after a successful login (web history/cache, last number dialled, etc.)
With a valid login/password the attacker can impersonate the user.
Users need to be educated to use suitable precautions/countermeasures.
Intrusion detection.
Inevitably there will be security failures, so we also need to detect intrusions, so that we can:
Block the intruder if detected quickly
Act as a deterrent
Collect information to improve security
Assume the intruder will behave differently from a legitimate user, but there will be an imperfect distinction between the two.
Approaches to intrusion detection
Statistical anomaly detection
Threshold
Profile based
Rule-based detection
Anomaly
Penetration identification
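An added example (not from these notes) of two of the approaches above applied to the password guessing attack described earlier: threshold-based statistical detection flags a source with five or more failed logins inside a 60-second window, and a rule-based penetration check flags a successful login from a source that had already crossed that threshold. The sshd-style log lines are constructed for the example, with documentation IP addresses.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd-style log lines (documentation IP addresses), not a real capture.
LOG_LINES = """\
Mar 10 02:14:01 host sshd[1201]: Failed password for alice from 198.51.100.7 port 51001 ssh2
Mar 10 02:14:09 host sshd[1202]: Failed password for alice from 198.51.100.7 port 51002 ssh2
Mar 10 02:14:20 host sshd[1203]: Failed password for alice from 198.51.100.7 port 51003 ssh2
Mar 10 02:14:31 host sshd[1204]: Failed password for alice from 198.51.100.7 port 51004 ssh2
Mar 10 02:14:45 host sshd[1205]: Failed password for alice from 198.51.100.7 port 51005 ssh2
Mar 10 02:15:30 host sshd[1210]: Accepted password for alice from 198.51.100.7 port 51006 ssh2
Mar 10 09:00:12 host sshd[1300]: Accepted password for bob from 192.0.2.20 port 40000 ssh2
Mar 10 09:01:00 host sshd[1301]: Failed password for bob from 192.0.2.20 port 40001 ssh2
""".splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) password for (?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse(line):
    """Extract timestamp, outcome, user and source address; None for lines we do not model."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")   # syslog carries no year; fine for deltas
    return {"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]}


def detect(lines, limit=5, window=timedelta(seconds=60)):
    """Returns (threshold_alerts, guessing_successes).

    threshold_alerts: statistical (threshold) detection, (ip, time) once a source reaches
        `limit` failures inside `window`.
    guessing_successes: rule-based penetration identification, (user, ip, time) for a
        successful login from a source that already tripped the threshold.
    """
    recent = defaultdict(deque)    # ip -> timestamps of failures still inside the window
    tripped = set()                # sources that crossed the threshold (kept for the whole run)
    threshold_alerts, successes = [], []
    for ev in filter(None, map(parse, lines)):
        ip, ts = ev["ip"], ev["ts"]
        if ev["result"] == "Failed":
            q = recent[ip]
            q.append(ts)
            while ts - q[0] > window:          # slide the window forward
                q.popleft()
            if len(q) >= limit and ip not in tripped:
                tripped.add(ip)
                threshold_alerts.append((ip, ts.strftime("%H:%M:%S")))
        elif ip in tripped:
            successes.append((ev["user"], ip, ts.strftime("%H:%M:%S")))
    return threshold_alerts, successes


if __name__ == "__main__":
    alerts, hits = detect(LOG_LINES)
    print("threshold alerts:", alerts)
    print("guessing succeeded:", hits)
```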
The first part of the lab introduces the packet sniffer Wireshark. Wireshark is a free, open-source network protocol analyzer. It is used for network troubleshooting and communication protocol analysis. Wireshark captures network packets in real time and displays them in human-readable format. It provides many advanced features including live capture and offline analysis, a three-pane packet browser, and coloring rules for analysis.
This document uses Wireshark for the experiments, and it covers Wireshark installation, packet capturing, and protocol analysis.
Fig-Wireshark
Working of Wireshark for network security
After you select the interface, you can click Start to capture the packets, as shown in the figure.
The Wireshark interface has five major components, which are used for network security purposes:
The command menus are standard pulldown menus located at the top of the window. Of interest to us now are the File and Capture menus. The File menu allows you to save captured packet data or open a file containing previously captured packet data, and to exit the Wireshark application.
The Capture menu allows you to begin packet capture. The packet-listing window displays a one-line summary for each packet captured, including the packet number (assigned by Wireshark; this is not a packet number contained in any protocol’s header), the time at which the packet was captured, the packet’s source and destination addresses, the protocol type, and protocol-specific information contained in the packet.
The packet listing can be sorted according to any of these categories by clicking on a column name. The protocol type field lists the highest-level protocol that sent or received this packet, i.e., the protocol that is the source or ultimate sink for this packet.
The packet-header details window provides details about the packet selected (highlighted) in the packet-listing window. (To select a packet in the packet-listing window, place the cursor over the packet's one-line summary in the packet-listing window and click with the left mouse button.) These details include information about the Ethernet frame and IP datagram that contains this packet. The amount of Ethernet and IP-layer detail displayed can be expanded or minimized by clicking on the right-pointing or down-pointing arrowhead to the left of the Ethernet frame or IP datagram line in the packet details window. If the packet has been carried over TCP or UDP, TCP or UDP details will also be displayed, which can similarly be expanded or minimized. Finally, details about the highest-level protocol that sent or received this packet are also provided.
The packet-contents window displays the entire contents of the captured frame, in both ASCII and hexadecimal format.
Towards the top of the Wireshark graphical user interface is the packet display filter field, into which a protocol name or other information can be entered in order to filter the information displayed in the packet-listing window (and hence the packet-header and packet-contents windows). In the example below, we'll use the packet-display filter field to have Wireshark hide (not display) all packets except those that correspond to HTTP messages.
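To show what the packet-header details window and the display filter field actually do, here is an added example (not part of the lab text) in Python: it decodes the Ethernet, IPv4 and TCP/UDP headers of a frame with struct, derives the Protocol column the way Wireshark does (highest-level protocol present) and keeps only frames whose highest-level protocol is HTTP, as typing http in the filter field does. The frames are constructed inside the block with documentation addresses and zero checksums; they are not a real capture.

```python
import struct
from ipaddress import IPv4Address

HTTP_STARTS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"HTTP/")


def build_frame(src_ip, dst_ip, sport, dport, payload=b"", flags=0x18):
    """Constructed Ethernet/IPv4/TCP frame for the example (checksums left at 0)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", 0x0800)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0x1234, 0x4000, 64, 6, 0,
                     IPv4Address(src_ip).packed, IPv4Address(dst_ip).packed)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, flags, 65535, 0, 0)
    return eth + ip + tcp + payload


def fmt_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_frame(frame):
    """The packet-header details window: Ethernet frame, then IP datagram, then TCP/UDP segment."""
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    pkt = {"eth.dst": fmt_mac(dst_mac), "eth.src": fmt_mac(src_mac), "eth.type": ethertype}
    if ethertype != 0x0800:                      # only IPv4 is decoded in this example
        return pkt
    (vihl, _tos, total_len, _id, _frag, ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", frame[14:34])
    ihl = (vihl & 0x0F) * 4
    pkt.update({"ip.src": str(IPv4Address(src)), "ip.dst": str(IPv4Address(dst)),
                "ip.ttl": ttl, "ip.proto": proto})
    segment = frame[14 + ihl: 14 + total_len]
    if proto == 6:
        sport, dport, seq, _ack, off, flags, _win, _csum, _urg = struct.unpack("!HHIIBBHHH", segment[:20])
        pkt.update({"tcp.srcport": sport, "tcp.dstport": dport, "tcp.seq": seq,
                    "tcp.flags": flags, "tcp.payload": segment[(off >> 4) * 4:]})
    elif proto == 17:
        sport, dport, _len, _csum = struct.unpack("!HHHH", segment[:8])
        pkt.update({"udp.srcport": sport, "udp.dstport": dport, "udp.payload": segment[8:]})
    return pkt


def highest_protocol(pkt):
    """The Protocol column: the highest-level protocol that is the source or ultimate sink."""
    if pkt.get("tcp.payload", b"").startswith(HTTP_STARTS):
        return "HTTP"
    if "tcp.srcport" in pkt:
        return "TCP"
    if "udp.srcport" in pkt:
        return "UDP"
    return "IP" if "ip.src" in pkt else "ETH"


def display_filter(frames, protocol):
    """Like typing a protocol name in the display filter field: keep only matching packets."""
    return [p for p in map(parse_frame, frames) if highest_protocol(p) == protocol.upper()]


# Constructed sample: a TCP SYN to port 443, then an HTTP request (Host: www.tue.nl) and its reply.
SAMPLE_FRAMES = [
    build_frame("192.0.2.10", "198.51.100.80", 52001, 443, flags=0x02),
    build_frame("192.0.2.10", "198.51.100.80", 52002, 80, b"GET / HTTP/1.1\r\nHost: www.tue.nl\r\n\r\n"),
    build_frame("198.51.100.80", "192.0.2.10", 80, 52002, b"HTTP/1.1 200 OK\r\n\r\n"),
]


if __name__ == "__main__":
    for pkt in display_filter(SAMPLE_FRAMES, "http"):
        print(pkt["ip.src"], "->", pkt["ip.dst"], pkt["tcp.payload"].split(b"\r\n")[0])
```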