
Outline

1. Introduction to Systems Security
2. Learning Objectives
3. 2010 Computer Crime and Security Survey (2010 CSI Security Report)
4. 2009 CSI Report: Types of attacks or Misuse in last 12 months
5. CSI Survey: financial loss
6. Attack Trends
7. CSI Survey: Security monitoring
8. CSI Survey: Defense Technology
9. 2011 Sophos Security Threat Report
10. Slide 10
11. Slide 11
12. Slide 12
13. Slide 13
14. Other Empirical Attack Data
15. Summary Questions (Part 1)
16. Systems attackers
17. Slide 17
18. Slide 18
19. Slide 19
20. Slide 20
21. Summary Questions (Part 2)
22. Attacks preps: examining email headers
23. Slide 23
24. Slide 24
25. Attacks preps: looking for targets
26. Attacks preps: identifying targets
27. Framework for Attacks
28. Dialog attack: Eavesdropping
29. Dialog attack: Message Alteration
30. Dialog attack: Impersonation
31. Encryption: Protecting against eavesdropping and message alteration
32. Authentication: Protecting against Impersonation
33. Secure Dialog System: Protecting against all dialog attacks
34. Break-in attack
35. Flooding Denial-of-Service (DoS) attack
36. Firewalls: Protecting against break-ins and DoS
37. Intrusion Detection System (IDS): Protecting against break-ins and DoS
38. Slide 38
39. Other defense measures
40. Summary Questions (Part 3)

Slide 1: Introduction to Systems Security
(January 11, 2012)
© Abdou Illia – Spring 2012

Slide 2: Learning Objectives
- Discuss main security threats
- Discuss types of systems’ attacks
- Discuss types of defense systems

Slide 3: 2010 Computer Crime and Security Survey (2010 CSI Security Report)
- Survey conducted by the Computer Security Institute (http://www.gocsi.com).
- Copy of Survey report on course web site
- Based on replies from 494 U.S. Computer Security Professionals.
- Survey Summary online

Slide 4: 2009 CSI Report: Types of attacks or Misuse in last 12 months

Slide 5: CSI Survey: financial loss
- 2007: $66,930,950 reported by 194 respondents

Slide 6: Attack Trends
- Growing Incident Frequency until 2001
  - Incidents reported to the Computer Emergency Response Team/Coordination Center

    Year        1998     1999     2000      2001      2001-Present
    Incidents   3,474    9,859    21,756    52,658    Decline in # of attacks

- Growing Malevolence since 2000
  - Most early attacks were not malicious
  - Malicious attacks are the norm today

Slide 7: CSI Survey: Security monitoring

Slide 8: CSI Survey: Defense Technology

Slide 9: 2011 Sophos Security Threat Report
- Report focused on Sophos’ security software
- General discovery*

* Infected USB drives take advantage of computers that have auto-run enabled, which allows the automated execution of code contained on the flash drive.

Slide 10: 2011 Sophos Security Threat Report
- Malware* hosted on websites

* Malicious software

Slide 11: 2011 Sophos Security Threat Report
- Malware hosting countries

Slide 12: 2011 Sophos Security Threat Report
- Spam-relaying countries
- Climbing the list year after year

Slide 13: 2011 Sophos Security Threat Report
- Web server’s software affected
- As of March 2010 Apache served 58% of all web servers
- Apache available for Microsoft Windows, Novell NetWare and Unix-like OS

[Diagram: Web server computer. Web server software (Apache, IIS, SunONE); Operating System; Computer hardware (HD, RAM chip, Processor)]

Slide 14: Other Empirical Attack Data
- SecurityFocus
  - Data from 10,000 firms in 2010
- Attack Targets
  - 31 million Windows-specific attacks
  - 22 million UNIX/LINUX attacks
  - 7 million Cisco IOS attacks
- All operating systems are attacked!

Slide 15: Summary Questions (Part 1)
1. What does malware refer to?
2. Systems running Microsoft operating systems are more likely to be attacked than others. T F
3. With Windows OS, you can use IIS or another web server software like Apache. T F
4. What web server software is most affected by web threats today?
5. What types of email-attached file could/could not hide malware?
6. Could USB drives be used as a means for infecting a system with malware? How?

Slide 16: Systems attackers
- Hacking: intentional access without authorization or in excess of authorization
- Elite Hackers
  - Characterized by technical expertise and dogged persistence, not just a bag of tools
  - Use attack scripts to automate actions, but this is not the essence of what they do
  - Could hack to steal info, to do damage, or just to prove their status

[Sidebar: Attackers. Elite Hackers; Script Kiddies; Virus writers & releasers; Corporate employees; Cyber vandals; Cyber terrorists]

Slide 17: Systems attackers
- Elite Hackers (cont.)
  - Black hat hackers break in for their own purposes
  - White hat hackers can mean multiple things
    - Strictest: Hack only by invitation as part of vulnerability testing
    - Some hack without permission but report vulnerabilities (not for pay)
  - Ethical hackers
    - Hired by organizations to perform hacking activities in order to
      - Test the performance of systems’ security
      - Develop/propose solutions

Slide 18: Systems attackers
- Script Kiddies
  - “Kids” that use pre-written attack scripts (kiddie scripts)
  - Called “lamers” by elite hackers
  - Their large number makes them dangerous
  - Noise of kiddie script attacks masks more sophisticated attacks

Slide 19: Systems attackers
- Virus Writers and Releasers
  - Virus writers versus virus releasers
  - Writing virus code is not a crime
  - Only releasing viruses is punishable

Slide 20: Systems attackers
- Cyber vandals
  - Use networks to harm companies’ IT infrastructure
  - Could shut down servers, slow down eBusiness systems
- Cyber warriors
  - Massive attacks* by governments on a country’s IT infrastructure
- Cyber terrorists
  - Massive attacks* by nongovernmental groups on a country’s IT infrastructure
- Hacktivists
  - Hacking for political motivation

* Multi-pronged attacks: release virus, active hacking, attacking Internet routers, etc.

Slide 21: Summary Questions (Part 2)
1. What is meant by elite hacker, white hat hacker, ethical hacker?
2. What is the difference between script kiddies and elite hackers?
3. Is releasing a virus a crime in the U.S.?
4. What is the difference between cyber war and cyber terrorism?

Slide 22: Attacks preps: examining email headers

    Received: from hotmail.com (bay103-f21.bay103.hotmail.com [65.54.174.31]) by barracuda1.eiu.edu (Spam Firewall) with ESMTP id B10BA1F52DC for <[email protected]>; Wed, 8 Feb 2006 18:14:59 -0600 (CST)
    Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC; Wed, 8 Feb 2006 16:14:58 -0800
    Message-ID: <[email protected]>
    Received: from 65.54.174.200 by by103fd.bay103.hotmail.msn.com with HTTP; Thu, 09 Feb 2006 00:14:58

