Information Security: Prepared By: Waqas Ahmad Butt
Agenda
• My introduction
• Course prerequisites
• What is information security?
• Course content
• Course Code (SE - 321)
Introduction
• People
• Processes
• Technology
Topics included (See Course Outline)
• PKI
• Key management
• Email security (S/MIME, PGP)
• Quantum cryptography
• Hash functions
• Secure Shell (SSH)
• IPsec
• Firewalls
• Intrusion Detection and Prevention Systems
• Testing and security
What is this course about?
Terminology
Objectives
• Cryptography from 1800 to World War 2
• Cryptography in Renaissance times
• Middle Age cryptography
• Classical cryptography
Classical Cryptography
The plaintext "kill king tomorrow midnight" is written in rows of eight letters and read off column by column:
k i l l k i n g
t o m o r r o w
m i d n i g h t
Encoded message: ktm ioi lmd lon kri irg noh gwt
Greek and Roman Use of Cryptography
As an example, we shall encrypt the plaintext "nice and simple" with the keyword "example". We get the ciphertext "53333211 315342 443341511211". Decrypting the ciphertext gives back the plaintext.
Caesar Cipher
The Romans knew something of cryptography (e.g., the Caesar cipher and its variations). The method is named after Julius Caesar, who used it to communicate with his generals.
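As an added example (not from the slides), the keyword-square cipher behind the "nice and simple" exercise above, implemented in Python. It assumes I and J share one cell and that each letter is written as its column digit followed by its row digit, which is the reading that reproduces the slide's ciphertext.

```python
# Added example: keyed Polybius square. Keyword letters fill the 5x5 grid
# first (duplicates dropped), then the remaining letters of the alphabet;
# I and J share a cell so that 25 letters fit. Coordinates are written
# column-then-row, as in the "nice and simple" -> "53333211 ..." exercise.

def build_square(keyword):
    """Return the 25-letter square as a list; index k -> row k//5, column k%5."""
    seen = []
    for ch in (keyword + "abcdefghiklmnopqrstuvwxyz").lower():
        if ch == "j":
            ch = "i"                     # I/J merged to fit 25 cells
        if ch.isalpha() and ch not in seen:
            seen.append(ch)
    return seen

def polybius_encrypt(plaintext, keyword):
    square = build_square(keyword)
    groups = []
    for word in plaintext.lower().split():
        digits = ""
        for ch in word:
            ch = "i" if ch == "j" else ch
            if ch not in square:
                continue                 # skip punctuation and digits
            row, col = divmod(square.index(ch), 5)
            digits += f"{col + 1}{row + 1}"   # column first, then row
        groups.append(digits)
    return " ".join(groups)

def polybius_decrypt(ciphertext, keyword):
    square = build_square(keyword)
    words = []
    for group in ciphertext.split():
        letters = ""
        for i in range(0, len(group), 2):
            col, row = int(group[i]) - 1, int(group[i + 1]) - 1
            letters += square[row * 5 + col]
        words.append(letters)
    return " ".join(words)

if __name__ == "__main__":
    ct = polybius_encrypt("nice and simple", "example")
    print(ct, "->", polybius_decrypt(ct, "example"))
```

Because the square is a fixed substitution, the ciphertext keeps the plaintext's letter frequencies, which is why such classical ciphers fall to frequency analysis.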
Basic Security Terminology
The Threat Environment
The threat environment consists of the types of attackers and attacks that companies face.
What do you know about the CIA? Is it the American Central Intelligence Agency???
C.I.A – The Security Goal
Security Goals
Corporations and subgroups in corporations have security goals – conditions that the security staff wishes to achieve.
Three common core goals are referred to as CIA:
• Confidentiality
• Integrity
• Availability
Basic Security Terminology
Security Goals: Confidentiality
Security Goals: Integrity
Security Goals: Availability
Compromises
• Successful attacks
• Also called incidents
• Also called breaches
Countermeasures
• Tools used to thwart attacks
• Also called safeguards, protections, and controls
• Countermeasures can be technical, human, or a mixture of the two.
Basic Security Terminology
The TJX Data Breach
Discovery
• On December 18, 2006, TJX detected "suspicious software" on its computer systems
• Called in security experts, who confirmed an intrusion and probable data loss
• Notified law enforcement immediately
• Only notified consumers a month later, to get time to fix the system and to allow law enforcement to investigate
Discovery
• Two waves of attacks, in 2005 and 2006
• The company estimated that 45.7 million records with limited personal information were included
• Much more information was stolen on 455,000 of these customers
The TJX Data Breach
The Break-Ins
• Broke into poorly protected wireless networks in retail stores
• Used this entry to break into the central processing system in Massachusetts
• Not detected despite long presence; 80 GB data exfiltration
• Canadian privacy commission: poor encryption, keeping data that should not have been kept
Understanding and Identifying the Insider Threat
Insider
• Ex-employees
• Unwitting/unintentional
• Exploited by others once in post
Insider activities…
• Unauthorised disclosure of information
• Theft of materials or information
• Financial & process corruption
Motivations of Insiders?
• Financial gain
• Revenge
• Status/recognition
• Friendship/Loyalty
• Ideological
• Fear/coercion
Employee and Ex-Employee Threats
Employee Sabotage
• Destruction of hardware, software, or data
• Plant time bomb or logic bomb on computer
-Dan Goodin
Employee and Ex-Employee Threats
Employee Hacking
• Hacking is intentionally accessing a computer resource without authorization or in excess of authorization.
• Authorization is the key
Employee Extortion
• Perpetrator tries to obtain money or other goods by threatening to take actions that would be against the victim's interest
• For example, the employee might deploy a logic bomb on the company's computer.
• Stealing intellectual property (IP) and demanding money for not passing on the information is also extortion.
Employee and Ex-Employee Threats
Washington Leung left a firm and later logged into his ex-firm's servers using passwords given to him while employed there. He deleted over 900 files related to employee compensation. To frame a female co-worker, he gave her a USD 40,000 annual raise and a USD 100,000 bonus. He created a Hotmail account in the name of the female employee and sent senior managers an email containing information from the deleted files.
http://www.cybercrimes.gov
Employee and Ex-Employee Threats
This type of behavior was detected in the 2008 Presidential election campaign and in several celebrity hospitalizations.
-Los Angeles Times, 2008
Carelessness
• Loss of computers or data media containing sensitive information
• Carelessness leading to the theft of such information
A Ponemon survey in 2008 found that 630,000 laptops are lost at airports each year. Although only some of these are corporate computers, airports are not the only place where laptops are lost, and lost media (USB drives) can be just as damaging.
-Ponemon Institute
Employee and Ex-Employee Threats
Robust pre-employment screening
• Limit opportunity
• Prevent those with intent
• Identify those who could be vulnerable
Comprehensive on-going security measures
• Maximise deterrence
• Provide means to report concerns
Strong security culture
• Appreciate threat & responsibilities
• Compliance
• Awareness to signs
• Willing to report
Positive management practices
• Reduce disaffection
• Promote loyalty & commitment
• Address grievances
Traditional External Attackers
Traditional external attackers use the Internet to send malware into corporations, hack into corporate computers and do other damage.
What is malware?
• Virus
• Backdoor
• Trojan horse
• Rootkit
• Scareware
• Adware
• Worm
• Spam
• RAT
Classic Malware: Viruses and Worms
Malware
Viruses
• Spread today primarily by e-mail with infected attachments
• Also by instant messaging, file transfers, file-sharing programs, downloads from malicious websites, etc.
Worms
• Full programs that do not attach themselves to other programs
• Like viruses, can spread by e-mail, instant messaging, and file transfers
Direct-propagation Worms
Slammer Worm
On January 25, 2016, the Slammer worm exploded across the Internet. In ten minutes, before a handful of people knew it existed, Slammer had infected 90% of all vulnerable computers on the entire Internet. Although Slammer did not erase hard disks or do other damage, it caused massive damage by spreading so quickly that it choked parts of the Internet. Around the world, ATMs became unusable, police departments lost their ability to communicate and most users in Korea lost their service.
Classic Malware: Viruses and Worms
Blended Threats
• Malware propagates in several ways—like worms, viruses, compromised webpages containing mobile code, etc.
Payloads
• Pieces of code that do damage
• Implemented by viruses and worms after propagation
• Malicious payloads are designed to do heavy damage
Payloads (http://www.mi2g.com)
Non-Mobile Malware
Non-mobile malware must be placed on the user's computer through one of a growing number of attack techniques:
1. Placed on computer by hackers
2. Placed on computer by virus or worm as part of its payload
3. The victim can be enticed to download the program from a website
4. Mobile code executed on a webpage can download the non-mobile malware
Trojan Horses and Rootkits
Trojan Horses
• A program that replaces an existing system file, taking its name
Remote Access Trojans (RATs)
• Remotely control the victim's PC
Spyware
• Programs that gather information about you and make it available to the adversary
• Cookies that store too much sensitive personal information
• Keystroke loggers
• Password-stealing spyware: tells you that you have been logged out of the server you are visiting and asks you to retype your username and password. If you do, the spyware sends the username and password to the attacker.
• Data mining spyware
Characteristics
• Attack vector
• Payload
• Spreading algorithm
What is social engineering?
Rootkits
Mobile Code
• Executable code on a webpage
• Code is executed automatically when the webpage is downloaded
• Hostile code that can do damage if the computer has a vulnerability
Other Malware Attacks
Phishing
• Points to a "bad" IP address!
In 2004, when phishing was fairly new but already well known to consumers, a study showed consumers a group of email messages and asked whether each email was a phishing attack or not.
The sulfnbk.exe hoax told computer users that a virus called AOL.exe was travelling around the Internet. The hoax said that they should delete the file sulfnbk.exe. Victims who did so were really deleting their AOL access.
McAfee Spam Checklist (Do…)
• Educate Yourself.
• Be Aware Of The Information You're Releasing.
• Determine Which Of Your Assets Are Most Valuable To Criminals.
• Write A Policy And Back It Up With Good Awareness Training.
• Keep Your Software Up To Date.
• Give Employees A Sense Of Ownership When It Comes To Security.
• When Asked For Information, Consider Whether The Person You're Talking To Deserves The Information They're Asking About.
• Watch For Questions That Don't Fit The Pretext.
• Stick To Your Guns.
Traditional Hackers
• Motivated by thrill, validation of skills, sense of power
• Motivated to increase reputation among other hackers
• Often do damage as a byproduct
• Often engage in petty crime
Traditional External Attackers: Hackers
Anatomy of a Hack
• Reconnaissance probes (see figure)
• IP address scans to identify possible victims
• Identify active hosts: ICMP Echo and Echo Reply messages
• Port scans (connection requests) to learn which services are open on each potential victim host
Port 80 is the well-known port for HTTP web servers. There are many well-known port numbers between 0 and 1023. Each indicates the presence of a particular type of application.
Hacker Psychology
• Achievement: the harder the better, the bigger the better
• Fame: recognition (distrust), respect (fear)
• Surprise
• Creativity
• Money*: corporations, governments
*Note: Hackers don't make the money – their thrill is in the game!
How to be a Hacker: http://www.tuxedo.org/~esr/faqs/hacker-howto.html
Popular View of Hackers
Figure: Probe and Exploit Attack Packets (Copyright Pearson Prentice-Hall 2010). The corporate site contains hosts 128.171.17.13, 128.171.17.22 and 128.171.17.47. 2. Port scanning packets (connection requests on a particular port number) sent to 128.171.17.13 to identify running applications. 3. Exploit or break-in packet.
Figure: Source IP Address Spoofing. 1. The attacker (10.6.4.3) sends a spoofed packet to 128.171.17.13 with source IP address = 128.171.17.47 instead of 10.6.4.3. 2. IP address spoofing hides the attacker's identity, but the reply goes to host 128.171.17.47, not to the attacker, so IP address spoofing cannot be used for all purposes.
Figure: Attack through a chain of compromised hosts. The attacker (1.34.150.37) logs in to compromised attack host 3.35.126.7, logs in from there to compromised attack host 123.125.33.101, and from there sends the attack command to the target host 60.168.47.47.
Social Engineering
◦ Social engineering is often used in hacking
◦ Social engineering (as we saw earlier) is attempting to trick users into doing something that goes against the interests of security
◦ Often successful because it focuses on human weaknesses instead of technological weaknesses
Social Engineering Attacks
• Call and ask for passwords and other confidential information
• E-mail attack messages with attractive subjects
• Piggybacking
• Shoulder surfing
• Pretexting
Figure: The perpetrator sends an ICMP echo carrying the spoofed source address of the victim to an IP broadcast address over the Internet; the ICMP echo replies go to the victim.
Distributed Denial-of-Service (DDoS) Flooding Attack
Figure: The attacker sends an attack command to each bot; the bots send attack packets to the victim.
Bots
• Updatable attack programs (see figure)
• Botmaster can update the software to change the type of attack the bot can do
• May sell or lease the botnet to other criminals
• Botmaster can update the bot to fix bugs
Fixing and Updating Bots
Figure: 1. The botmaster sends a DoS attack command to the bot, which sends DoS attack packets to the DoS victim. 2. The botmaster sends the bot a software update for spam, and the bot then sends spam e-mail to the spam victims. 3. The botmaster sends a software update to fix a bug in the attack software.
Distributed Denial-of-Service (DDoS) Flooding Attack
Distributed DoS Example
To attack a server, the bots might flood the server with TCP connection-opening requests (TCP SYN segments). A server reserves a certain amount of capacity each time it receives a SYN segment. By flooding a computer with SYN segments, the attacker can cause the server to run out of resources and therefore crash.
Other Security Attacks
Skill Levels
• Expert attackers are characterized by strong technical skills and dogged persistence
• Expert attackers create hacker scripts to automate some of their work
• Scripts are also available for writing viruses and other malicious software
Today's hacker scripts often have easy-to-use graphical user interfaces and look like commercial products. Many scripts are available on the Internet… These easy-to-use scripts have created a new type of hacker, "the script kiddie".
Traditional External Attackers: Hackers
Skill Levels
• Script kiddies use these scripts to make attacks
• Script kiddies have low technical skills
• Script kiddies are dangerous because of their large numbers
Cryptography
Definitions and Concepts
Sender
When the algorithm needs to generate a new key, it uses random values from this keyspace.
Key size (bits)              Number of alternative keys   Time required at 1 decryption/µs      Time required at 10^6 decryptions/µs
128                          2^128 = 3.4 × 10^38          2^127 µs = 5.4 × 10^24 years          5.4 × 10^18 years
168                          2^168 = 3.7 × 10^50          2^167 µs = 5.9 × 10^36 years          5.9 × 10^30 years
26 characters (permutation)  26! = 4 × 10^26              2 × 10^26 µs = 6.4 × 10^12 years      6.4 × 10^6 years
Major Symmetric Key Encryption Ciphers
Services of Cryptosystems
• Confidentiality
• Integrity
• Authentication
• Authorization
• Nonrepudiation
• Access control
Confidentiality
Renders the information unintelligible except by authorized entities
Integrity
Data has not been altered in an unauthorized manner since it was created,
transmitted, or stored
Authentication
Verifies the identity of the user or system that created information
Authorization
Upon proving identity, the individual is then provided with the key or password
that will allow access to some resource
Nonrepudiation
Ensures that the sender cannot deny sending the message.
If David sends a message and then later claims he did not
send it, this is an act of repudiation. When a cryptography
mechanism provides non-repudiation, the sender cannot
later deny he sent the message.
(He can try to deny it, but the cryptosystem proves
otherwise)
Suppose your boss sends you a message telling you that you will be receiving a raise that doubles your salary.
• The message is encrypted, so you can be sure it really came from your boss (authenticity)
• Someone did not alter it before it arrived at your computer (integrity)
• No one else was able to read it as it traveled over the network (confidentiality)
• Your boss cannot deny sending it later when he comes to his senses (non-repudiation)
Military and intelligence agencies are very concerned about keeping
information confidential, so they would choose encryption mechanisms
that provide a high degree of secrecy.
Financial institutions care about confidentiality, but they also care about
the integrity of the data being transmitted, so the encryption mechanism
they would choose may differ from the military’s encryption methods
Legal agencies may care most about the authenticity of the
messages they receive.
If information received ever needed to be presented in a
court of law, its authenticity would certainly be questioned;
therefore, the encryption method used must ensure
authenticity, which confirms who sent the information.
Symmetric Cryptography
One-Time Pad Rules
The receiver takes the first bit of the encrypted message and XORs it with the first bit of the pad. This results in the plaintext value.
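An added Python example (not from the slides) of the XOR step described above, applied a byte at a time instead of a bit at a time. The pad is drawn from os.urandom; the pad_reuse_leak function shows what an eavesdropper obtains when the "use the pad only once" rule is broken. The message texts are constructed samples.

```python
# Added example: one-time pad over bytes. Encryption and decryption are the
# same operation (XOR with the pad), so a single function serves both sides.
import os

def make_pad(length):
    """A fresh pad from the OS CSPRNG; a pad must be random and as long as the message."""
    return os.urandom(length)

def otp(data, pad):
    """XOR each byte of data with the matching pad byte; encrypts and decrypts."""
    if len(pad) < len(data):
        raise ValueError("pad must be at least as long as the message")
    return bytes(d ^ p for d, p in zip(data, pad))

def pad_reuse_leak(c1, c2):
    """Given two ciphertexts made with the SAME pad, c1 XOR c2 equals
    p1 XOR p2: the pad cancels out and the attacker is left with the
    XOR of the two plaintexts, which is why a pad is used only once."""
    return bytes(a ^ b for a, b in zip(c1, c2))

def demo():
    """Round-trip a message correctly, then show the cost of reusing the pad."""
    msg1 = b"attack at dawn"             # constructed sample messages
    msg2 = b"retreat at dusk"
    pad = make_pad(len(msg2))
    c1 = otp(msg1, pad)                  # correct use
    c2 = otp(msg2, pad)                  # rule violation: same pad again
    round_trip_ok = otp(c1, pad) == msg1
    leak = pad_reuse_leak(c1, c2)        # independent of the pad's value
    leak_is_p1_xor_p2 = leak == bytes(a ^ b for a, b in zip(msg1, msg2))
    return round_trip_ok and leak_is_p1_xor_p2

if __name__ == "__main__":
    print("round trip works and pad reuse leaks p1 XOR p2:", demo())
```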
Figure: Image of a tree. Removing all but the two least significant bits of each color component produces an almost completely black image. Making that image 85 times brighter produces the image of the cat.
Steganography
Figure: (a) Three zebras and a tree. (b) Three zebras, a tree, and the complete text of five plays by William Shakespeare.
Digital Watermarking
Transposition
Substitution Ciphers
Figure: Substitution cipher with a shift of +4 (plaintext letters n o p q r), and a transposition cipher key table (plaintext letter, key position, resulting letter):
n 4 r
o 8 w
w 15 l
i 16 …
s 23 …
t 16 …
h 3 …
e 9 …
t 12 …
i 20 …
m 6 …
e 25 …
The key determines the positions the values are moved to, as illustrated in the figure on the next slide. This is a simplistic example of a transposition cipher and only shows one way of performing transposition.
Cipher-text = ALNISESTITPIMROOPASN
Encryption in Columnar Transposition
We first pick a keyword for our encryption. We write the plaintext out in a grid where the number of columns is the number of letters in the keyword.
Let's encrypt the message "The tomato is a plant in the nightshade family" using the keyword tomato.
Final Cipher in CT Encryption
Decryption
Keyword POTATO with its column order 4 2 5 1 6 3, and the plaintext written row by row beneath it:
P O T A T O
4 2 5 1 6 3
P O T A T O
E S A R E I
N T H E N I
G H T S H A
D E F A M I
L Y A S W E
L L X X X X
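An added Python example (not from the slides) that serves both the eight-column "kill king tomorrow midnight" grid earlier and the POTATO grid above: keyword columnar transposition, with columns numbered by sorting the keyword's letters (ties numbered left to right, which gives 4 2 5 1 6 3 for POTATO). The padding character is assumed to be X, as in the grid.

```python
# Added example: columnar transposition with a keyword. The ciphertext is
# read off column by column in the order given by the sorted keyword, and
# decryption refills the columns in that same order before reading rows.

def column_order(keyword):
    """Columns in read-out order, e.g. POTATO -> [3, 1, 5, 0, 2, 4]."""
    keyword = keyword.upper()
    return sorted(range(len(keyword)), key=lambda i: (keyword[i], i))

def column_ranks(keyword):
    """The rank of each column as written on the slide: POTATO -> [4, 2, 5, 1, 6, 3]."""
    ranks = [0] * len(keyword)
    for rank, col in enumerate(column_order(keyword), start=1):
        ranks[col] = rank
    return ranks

def ct_encrypt(plaintext, keyword, pad="X"):
    text = "".join(ch for ch in plaintext.upper() if ch.isalpha())
    width = len(keyword)
    while len(text) % width:
        text += pad                                  # complete the last row
    rows = [text[i:i + width] for i in range(0, len(text), width)]
    return "".join("".join(row[c] for row in rows) for c in column_order(keyword))

def ct_decrypt(ciphertext, keyword):
    width = len(keyword)
    height = len(ciphertext) // width
    cols = [""] * width
    pos = 0
    for c in column_order(keyword):                  # refill columns in read-out order
        cols[c] = ciphertext[pos:pos + height]
        pos += height
    return "".join(cols[c][r] for r in range(height) for c in range(width))

if __name__ == "__main__":
    # A keyword whose letters are already in order reads columns left to right,
    # which reproduces the "kill king tomorrow midnight" grid.
    print(ct_encrypt("kill king tomorrow midnight", "ABCDEFGH"))
    ct = ct_encrypt("potatoes are in the nightshade family as well", "POTATO")
    print(ct, "->", ct_decrypt(ct, "POTATO"))
```

Like the Polybius square, transposition leaves letter frequencies unchanged, so a defender can recognise it from a frequency count that still looks like ordinary English.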
Methods of Encryption
Strengths
• Much faster (less computationally intensive) than asymmetric systems
• Hard to break if using a large key size
Weaknesses
• Requires a secure mechanism to deliver keys properly
• Each pair of users needs a unique key, so as the number of individuals increases, so does the number of keys, possibly making key management overwhelming
• Provides confidentiality but not authenticity or non-repudiation
Examples of Symmetric Algorithms
Open Message Format
• Bob can encrypt data with his private key, and the receiver can then decrypt it with Bob's public key
• By decrypting the message with Bob's public key, the receiver can be sure the message really came from Bob
• This provides authentication, because Bob is the only one who is supposed to have his private key
• If the sender encrypted the data with the receiver's public key, authentication is not provided, because this public key is available to anyone.
Public Key Encryption for Confidentiality
Secure Message Format
• Bob can encrypt data with the receiver's public key, and the receiver can then decrypt it with his private key
• By decrypting the message with his private key, the receiver can be sure no one else can view this message
• This provides confidentiality, because the receiver is the only one who is supposed to have his private key
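An added Python example (not from the slides) that contrasts the open and secure message formats using textbook RSA with tiny primes. The primes, the absence of padding and hashing, and the function names are this example's own simplifications: the keys are far too small to protect anything and only illustrate which key plays which role.

```python
# Added example: the same modular exponentiation gives authentication or
# confidentiality depending on whose key is used. Toy primes only (n is a
# four-digit number); real RSA uses 2048-bit keys plus OAEP/PSS padding.

def keygen(p, q, e=17):
    """Return (public, private) as (e, n), (d, n) for two small primes p, q."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)                  # modular inverse (Python 3.8+)
    return (e, n), (d, n)

def rsa_apply(key, m):
    """One RSA operation; the key decides whether it signs, verifies, seals or opens."""
    k, n = key
    return pow(m, k, n)

# Open message format: Bob "encrypts" with HIS private key. Anyone with Bob's
# public key can read it, so there is no confidentiality, but only Bob could
# have produced it, which is what authenticates the origin.
def open_message_send(bob_private, m):
    return rsa_apply(bob_private, m)

def open_message_verify(bob_public, c):
    return rsa_apply(bob_public, c)      # recovers m only if Bob's private key made c

# Secure message format: Bob encrypts with the RECEIVER's public key. Only the
# receiver's private key opens it, so this gives confidentiality but says
# nothing about who sent it (the public key is available to anyone).
def secure_message_send(receiver_public, m):
    return rsa_apply(receiver_public, m)

def secure_message_open(receiver_private, c):
    return rsa_apply(receiver_private, c)

bob_pub, bob_priv = keygen(61, 53)       # toy key pair, n = 3233
alice_pub, alice_priv = keygen(97, 89)   # toy key pair, n = 8633

if __name__ == "__main__":
    c = open_message_send(bob_priv, 1234)
    print("open format, verified with Bob's public key:", open_message_verify(bob_pub, c))
    s = secure_message_send(alice_pub, 4321)
    print("secure format, opened with Alice's private key:", secure_message_open(alice_priv, s))
```

Because RSA is a permutation on the numbers below n, any change to the ciphertext changes what Bob's public key recovers, which is how the verifier notices tampering in the open message format.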
Strengths
• Better key distribution than symmetric systems
• Better scalability than symmetric systems
• Can provide authentication and non-repudiation
Weaknesses
• Works much more slowly than symmetric systems
• Mathematically intensive tasks
Examples of Asymmetric Key Algorithms
• RSA (Rivest-Shamir-Adleman)
• Elliptic curve cryptosystem (ECC)
• Diffie-Hellman algorithm
• El Gamal
• Digital Signature Algorithm (DSA)
• Merkle-Hellman Knapsack
Symmetric vs. Asymmetric
Core Cryptographic Processes
Process                   Confidentiality                                       Authentication
Symmetric key encryption  Applicable. Sender encrypts with key shared with      Not applicable.
                          the receiver.
Public key encryption     Applicable. Sender encrypts with receiver's public    Applicable. Sender (supplicant) encrypts with own
                          key. Receiver decrypts with the receiver's own        private key. Receiver (verifier) decrypts with the
                          private key.                                          public key of the true party, usually obtained from
                                                                                the true party's digital certificate.
Source: Raymond R. Panko