1. Introduction to Security
Security refers to any measures taken to protect something. Examples of security in the real world include locks on doors, alarms in our cars, and police officers.
Computer security is a field of computer science concerned with the control of risks related to computer use. It describes the methods of protecting the integrity of data stored on a computer. In computer security the measures taken are focused on securing individual computer hosts.
Network security consists of the provisions made in an underlying computer network infrastructure, the policies adopted by the network administrator to protect the network and the network-accessible resources from unauthorized access, and the effectiveness (or lack of it) of these measures combined together. It starts with authenticating any user. Once a user is authenticated, a firewall enforces access policies such as which services the network users are allowed to access. Although a firewall prevents unauthorized access, it does not by itself stop harmful content such as computer worms from being transmitted over the network; an intrusion prevention system (IPS) helps detect and prevent such malware.
1.1 Threats in Network Security
The following are the general threats to the security of distributed systems.
Disclosure of information
Organizations maintain valuable information on their computer systems. This information may be used by other parties in such a way as to damage the interests of the organization owning the information. Therefore information stored on or processed by computer systems must be protected against disclosure, both internal and external to the user organization.
Contamination of information
Valuable information may become worthless if unauthorized information is mixed with it. The damage may be as great as the damage caused by information disclosure.
Unauthorized use of resources
Unauthorized use of resources may lead to the destruction, modification, loss of integrity, etc. of resources; the authorizations granted to individual users must therefore be limited.
Misuse of resources
Authorized use of resources may give authorized individuals the opportunity to perform activities that are harmful to the organization. Misuse of resources, intentional or accidental, may harm the organization through corruption, destruction, disclosure, loss or removal of resources. Such misuse may affect the liability of an organization for information entrusted to it or for transactions and information exchanged with other organizations.
Unauthorized information flow
In a distributed system, information flow must be controlled not only between users of end-systems but also between end-systems. Depending on the prevailing security policy, information flow restrictions may be applied on the basis of the classification of data objects and end-systems, user clearances, etc.
Repudiation of information flow
Repudiation of information flow involves denial of the transmission or receipt of messages. Since such messages may carry purchasing agreements, instructions for payment, etc., the scope for criminal repudiation of such messages is considerable.
Denial of service
Because of the wide range of services performed with the aid of computer systems, denial of service may significantly affect the capability of a user organisation to perform its functions and to fulfil its obligations. Detection and prevention of denial of service must be considered as part of any security policy.
1.2 Security Services
In order to protect against perceived threats, various security services need to be provided. The main security services are:
Authentication
Authentication is the process of proving the identity of a user of a system by means of a set of credentials. Credentials are the proof required by the system to validate the identity of the user. The user can be an actual customer, a process, or even another system. A person is validated through a credential. The identity is who the person is. If a person has been validated through a credential, such as attaching a name to a face, the name becomes a principal.
An authentication service is concerned with assuring that a communication is authentic. In the case of a single message, such as a warning or alarm signal, the function of the authentication service is to assure the recipient that the message is from the source it claims to be from. In the case of an ongoing interaction, such as the connection of a terminal to a host, two aspects are involved. First, at the time of connection initiation, the service assures that the two entities are authentic, that is, that each is the entity it claims to be. Second, the service must assure that the connection is not interfered with in such a way that a third party can masquerade as one of the two legitimate parties for the purpose of unauthorized transmission or reception.
Authorization
The process by which a user is given access to a system resource is known as authorization. The authorization process is the check by the organization's system to see whether the user should be granted access to the user's record. The user has logged in to the system, but may still lack the permission the system requires to access the records.
When deploying a system, access to system resources should also be mapped out. Security documents that detail the rights of individuals to specific resources must be developed. These documents must distinguish between the owners and the users of resources, as well as between read, write, delete, and execute privileges.
Confidentiality
Confidentiality is the protection of transmitted data from passive attack. With respect to the release of message contents, several levels of protection can be identified. The broadest service protects all user data transmitted between two users over a period of time. Narrower forms of this service can also be defined, including the protection of a single message or even specific fields within a message. The other aspect of confidentiality is the protection of traffic flow from analysis. This requires preventing the attacker from observing the destination, frequency, length, or other characteristics of the traffic on a communications facility.
When information is in a protected form, it is called ciphertext. Ciphertext is produced by a cipher, which changes the plaintext into ciphertext. The cipher requires keys to change the information from one form to the other.
Integrity
During the transmission or storage of data, information can be corrupted or changed, maliciously or otherwise, by a user. Validation is the process of ensuring data integrity. When data has integrity, it means that the data has not been modified or corrupted. One technique for ensuring data integrity is called data hashing.
Integrity can apply to a stream of messages, a single message, or selected fields within a message. Again, the most useful and straightforward approach is total stream protection. A connection-oriented integrity service, one that deals with a stream of messages, assures that messages are received as sent, with no duplication, insertion, modification, reordering or replay. The destruction of data is also covered under this service. Thus, the connection-oriented integrity service addresses both message stream modification and denial of service. On the other hand, a connectionless integrity service, one that deals with individual messages only without regard to any larger context, generally provides protection against message modification only.
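As an added example (not part of the original notes), the following Python receiver implements the connection-oriented integrity check described above: each message carries a sequence number and a keyed hash (HMAC) over the sequence number and payload, so modified, replayed and reordered messages, the cases the notes later classify as active attacks, are detected and rejected rather than delivered. The shared key and the message traffic are constructed for the demonstration.

```python
import hashlib
import hmac
import struct

TAG_LEN = 32          # SHA-256 HMAC tag length in bytes
HDR_LEN = 4           # big-endian 32-bit sequence number


def make_message(key: bytes, seq: int, payload: bytes) -> bytes:
    """Sender side: frame = seq || payload || HMAC(key, seq || payload).
    A keyed hash is used rather than a plain hash: with a plain hash an
    attacker who alters the payload could simply recompute the digest."""
    header = struct.pack(">I", seq)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


class IntegrityReceiver:
    """Receiver side of a connection-oriented integrity service.
    Accepts a frame only if its tag verifies and its sequence number is the
    one expected next; anything else is rejected with a reason."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.expected_seq = 0
        self.accepted = []   # payloads delivered, in order
        self.rejected = []   # (reason, seq or None)

    def receive(self, frame: bytes) -> bool:
        if len(frame) < HDR_LEN + TAG_LEN:
            self.rejected.append(("truncated", None))
            return False
        header, payload, tag = frame[:HDR_LEN], frame[HDR_LEN:-TAG_LEN], frame[-TAG_LEN:]
        expected_tag = hmac.new(self.key, header + payload, hashlib.sha256).digest()
        # Constant-time comparison so the check itself leaks nothing about the tag.
        if not hmac.compare_digest(tag, expected_tag):
            self.rejected.append(("modified", None))
            return False
        seq = struct.unpack(">I", header)[0]
        if seq < self.expected_seq:
            self.rejected.append(("replay", seq))        # duplicate or replayed frame
            return False
        if seq > self.expected_seq:
            self.rejected.append(("out_of_order", seq))  # reordered, or a frame was lost/suppressed
            return False
        self.expected_seq += 1
        self.accepted.append(payload)
        return True


def demo() -> IntegrityReceiver:
    """Constructed traffic: one genuine stream plus a tampered copy, a replay
    and an out-of-order delivery. Returns the receiver for inspection."""
    key = b"constructed-shared-key"          # would be negotiated at connection setup
    m0 = make_message(key, 0, b"transfer 100 to account 42")
    m1 = make_message(key, 1, b"transfer 5 to account 7")
    m2 = make_message(key, 2, b"close session")
    # Attacker alters the amount in m1 but cannot produce a valid tag without the key.
    tampered = m1[:HDR_LEN] + b"transfer 500 to account 7" + m1[-TAG_LEN:]
    rx = IntegrityReceiver(key)
    for frame in (m0, tampered, m0, m2, m1, m2):
        rx.receive(frame)
    return rx


if __name__ == "__main__":
    r = demo()
    print("accepted:", r.accepted)
    print("rejected:", r.rejected)
```

A sequence gap that never closes is how this service surfaces suppressed messages (the denial-of-service aspect mentioned above); a real implementation would raise it through a timeout.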
Non-repudiation
Non-repudiation prevents either the sender or the receiver from denying a transmitted message. Thus, when a message is sent, the receiver can prove that the message was in fact sent by the alleged sender. Similarly, when a message is received, the sender can prove that the message was in fact received by the alleged receiver. In other words, non-repudiation of origin proves that data has been sent, and non-repudiation of delivery proves that it has been received.
Access Control
Access control is the ability to limit and control access to host systems and applications via communications links. To achieve this control, each entity trying to gain access must first be identified, or authenticated. The goal of access control is to be able to specify and restrict access to subjects and resources to those users and processes which have the appropriate permission. Access control is implemented according to a policy that defines methods for both authentication and authorization, and applies to a security domain.
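Added example (not from the original notes): a small Python model of the two steps the notes keep separate, authentication (a credential store maps a password to a principal) and authorization (a policy records the owner of each resource and the read, write, delete and execute privileges granted to other users). The accounts, resource and policy are constructed; a user who has logged in but holds no grant is refused, which is exactly the case described under Authorization.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

PRIVILEGES = frozenset({"read", "write", "delete", "execute"})
_ITERATIONS = 100_000   # PBKDF2 work factor for the stored password hashes


class CredentialStore:
    """Authentication: credentials are checked against salted password hashes
    (never stored in clear). A successful check returns the principal name."""

    def __init__(self) -> None:
        self._accounts: dict = {}

    def add_user(self, name: str, password: str) -> None:
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)
        self._accounts[name] = (salt, digest)

    def authenticate(self, name: str, password: str):
        record = self._accounts.get(name)
        if record is None:
            return None                      # unknown user: no principal
        salt, digest = record
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)
        return name if hmac.compare_digest(candidate, digest) else None


@dataclass
class Resource:
    """One entry of the access policy: the owner holds every privilege;
    other users hold only the privileges explicitly granted to them."""
    name: str
    owner: str
    grants: dict = field(default_factory=dict)   # user -> set of privileges


def authorize(principal, resource: Resource, privilege: str) -> bool:
    """Authorization: decide whether an authenticated principal may perform
    `privilege` on `resource`. An unauthenticated caller is always refused."""
    if privilege not in PRIVILEGES:
        raise ValueError(f"unknown privilege: {privilege}")
    if principal is None:
        return False
    if principal == resource.owner:
        return True
    return privilege in resource.grants.get(principal, set())


def demo() -> dict:
    """Constructed accounts and policy; returns the outcome of each check."""
    store = CredentialStore()
    store.add_user("alice", "correct horse battery staple")
    store.add_user("bob", "hunter2")
    payroll = Resource("payroll.db", owner="alice", grants={"bob": {"read"}})
    alice = store.authenticate("alice", "correct horse battery staple")
    bob = store.authenticate("bob", "hunter2")
    nobody = store.authenticate("bob", "wrong password")       # authentication fails
    return {
        "alice_delete": authorize(alice, payroll, "delete"),   # owner: True
        "bob_read": authorize(bob, payroll, "read"),           # granted: True
        "bob_write": authorize(bob, payroll, "write"),         # logged in, not granted: False
        "unauth_read": authorize(nobody, payroll, "read"),     # not authenticated: False
    }
```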
Availability
A variety of attacks can result in some reduction in availability. Some of these attacks are amenable to automated countermeasures, such as authentication and encryption, whereas others require some sort of physical action to prevent or recover from the loss of availability of elements of a distributed system.
1.3 Security Mechanism
A security mechanism is a mechanism designed to detect, prevent, or recover from a security attack. No single mechanism will support all required functions. Cryptography is one of the security mechanisms. Some of the common security mechanisms are:
· Encryption
· Digital signature
· Traffic padding
· Routing control
· Trusted functionality
· Security labels
· Access controls
· Event detection
· Audit trails
1.4 Security Attacks
Any action that compromises the security of information is called a security attack. Some of the common security attacks are given below.
Ref: http://www.cse.ohio-state.edu/~anish/694KNotes/694Lecture0.ppt#473,9,Security Attacks
Attacks can be active or passive.
Passive Attacks
- Learn or make use of information from the system, but do not affect system resources.
- Intercept or read data without changing it.
- The goal of the opponent is to obtain information that is being transmitted.
- This type of attack has been perpetrated against communication systems ever since the invention of the electric telegraph.
- Two types of passive attacks are release of message contents and traffic analysis (traffic analysis remains possible even when the content of a message is masked, e.g. by encryption).
- Difficult to detect, because no data is altered; they are normally prevented using encryption.
Active Attacks
- Involve modification of the data stream or creation of a false stream.
- The active threat is potentially far more serious.
- Use of encryption can protect against alteration of the data by arranging that the encrypted data is structured in such a way that meaningful alteration cannot take place without cryptanalysis.
- Subdivided into four categories: masquerade, replay, modification of messages, and denial of service.
Masquerade: One entity pretends to be a different entity. For example, authentication sequences can be captured and replayed after a valid authentication sequence takes place.
Replay: Passive capture of a data unit and its subsequent retransmission to produce an unauthorized effect.
Modification of messages: Some portion of a message is altered, delayed or reordered.
Denial of service: Prevents the normal use or management of communication facilities, e.g. by suppressing all messages directed to a particular destination.
Other active attacks include:
· Flooding
· Jamming
· Routing attacks: false routes, configuration changes
· Trap doors, logic bombs, etc.
· Remote arbitrary code execution via worms and viruses
1.5 Hackers and Crackers
A hacker (also called a White Hat) is often someone who creates and modifies computer software and computer hardware, including computer programming, administration, and security-related items. A hacker is also someone who modifies electronics, for example ham radio transceivers, printers or even home sprinkler systems, to get extra functionality or performance.
A hacker obtains advanced knowledge of operating systems and programming languages. Hackers may know the holes within systems and the reasons for such holes. They constantly seek further knowledge, freely share what they have discovered, and never, ever intentionally damage data.
For further reading: http://en.wikipedia.org/wiki/Hacker
A cracker (also called a Black Hat) is a person who uses their skills with computers and other technological items in a malicious or criminal manner. A cracker breaks into or otherwise violates the system integrity of remote machines with malicious intent. Crackers, having gained unauthorized access, destroy vital data, deny legitimate users service, or generally cause problems for their targets. Usually a Black Hat is a person who uses their knowledge of vulnerabilities and exploits for private gain, rather than revealing them either to the general public or to the manufacturer for correction.
For further reading: http://en.wikipedia.org/wiki/Cracker_%28computing%29
1.6 Common Intrusion Techniques
Virus
In computer security technology, a virus is a self-replicating program that spreads by inserting copies of itself into other executable code or documents. A virus is a program that can copy itself and infect various parts of your computer, such as documents, programs, and parts of your operating system. Most viruses attach themselves to a file or part of your hard disk and then copy themselves to other places within the operating system. Some viruses contain code that inflicts extra damage by deleting files or lowering your security settings, inviting further attacks. To avoid detection, a virus usually disguises itself as a legitimate program that a user would not normally suspect to be a virus. Viruses are designed to corrupt or delete data on the hard disk, e.g. in the FAT (File Allocation Table).
A computer virus behaves in a way similar to a biological virus, which spreads by inserting itself into living cells. Extending the analogy, the insertion of the virus into a program is termed infection, and the infected file (or executable code that is not part of a file) is called a host. Viruses are one of several types of malware, or malicious software. Computer viruses cannot directly damage hardware; only software is damaged directly. The software held in the hardware, however, may be damaged.
Types of Viruses
System or Boot Sector Virus
System sectors are special areas on the disk containing programs that are executed when we boot (start) the PC. Every disk (even if it only contains data) has a system sector of some sort. System sector viruses infect executable code found in certain system areas on a disk. Boot-sector viruses infect only the DOS boot sector; this kind of virus can prevent us from being able to boot the hard disk. All common boot sector and MBR viruses are memory resident. System sector viruses spread easily via floppy disk infections and, in some cases, by cross-infecting files which then drop system sector viruses when run on clean computers.
File or Program Virus
These viruses infect applications. They usually infect COM and/or EXE programs, though some can infect any program for which execution or interpretation is requested, such as SYS, OVL, OBJ, PRG, MNU and BAT files. The simplest file viruses work by locating a type of file they know how to infect (usually a file name ending in .COM or .EXE) and overwriting part of the program they are infecting. When this program is executed, the virus code executes and infects more files. The more sophisticated file viruses save (rather than overwrite) the original instructions when they insert their code into the program. This allows them to execute the original program after the virus finishes, so that everything appears normal.
File viruses have a wide variety of infection techniques and infect a large number of file types, but they are not the most widely found in the wild.
Macro Virus
These are the most common viruses striking computers today. While some can be destructive, most just do annoying things, such as changing your word processing documents into templates or randomly placing a word such as "Wazoo" throughout a document. While these actions may not permanently damage data, they can hurt productivity. The reasons these viruses have become so widespread, and the reasons they are so troublesome, are twofold: they are easy to write, and they exist in programs created for sharing.
A macro virus is a program or code segment written in the internal macro language of an application and attached to a document file (such as a Word or Excel file). It infects files you might think of as data files; but because they contain macro programs, they can be infected.
When a document or template containing the macro virus is opened in the target application, the virus runs, does its damage and copies itself into other documents. Continual use of the program results in the spread of the virus. Some macros replicate, while others infect documents.
Stealth Viruses
These viruses are stealthy in nature and use various methods to hide themselves to avoid detection. They sometimes remove themselves from memory temporarily to avoid detection and hide from virus scanners. Some can also redirect the disk head to read another sector instead of the sector in which they reside. Some stealth viruses conceal the increase in the length of the infected file and display the original length by reducing the reported size by the same amount as the increase, making them difficult for scanners to detect.
Polymorphic Viruses
They are the most difficult viruses to detect. They have the ability to mutate, meaning that they change the viral code known as the signature (a signature is a characteristic byte pattern that is part of a certain virus or family of viruses) each time they spread or infect. Thus, anti-virus programs which look for specific virus codes are not able to detect such viruses. Just like regular encrypted viruses, a polymorphic virus infects files with an encrypted copy of itself, which is decoded by a decryption module. In the case of polymorphic viruses, however, this decryption module is also modified on each infection. A well-written polymorphic virus therefore has no parts that stay the same on each infection, making it impossible to detect directly using signatures.
Examples
Brain virus
The first computer virus for Microsoft DOS was apparently written in 1986 and contains unencrypted text with the name, address, and telephone number of Brain Computer Services, a store in Lahore, Pakistan. This virus infected the boot sector of 5¼ inch floppy diskettes with a 360 kbyte capacity.
Pathogen virus
In April 1994, the Pathogen computer virus was released in the United Kingdom by uploading an infected file to a computer bulletin board, where victims could download a copy of the file.
The Pathogen virus counted the number of executable (e.g., *.EXE and *.COM) files that it infected. When the virus had infected 32 files, and an infected file was executed between 17:00 and 18:00 on a Monday:
For further reading: http://en.wikipedia.org/wiki/Computer_virus
Worm
A worm is a self-replicating computer program. It uses a network to send copies of itself to other nodes (computer terminals on the network), and it may do so without any user intervention. A worm is self-contained and, unlike a virus, does not need to be part of another program to propagate itself. Worms are often designed to exploit the file transmission capabilities found on many computers. Worms always harm the network (if only by consuming bandwidth), whereas viruses always infect or corrupt files on a targeted computer.
In addition to replication, a worm may be designed to do any number of things, such as delete files on a host system or send documents via email. More recent worms may be multi-headed and carry other executables as a payload. However, even in the absence of such a payload, a worm can wreak havoc just with the network traffic generated by its reproduction.
For further reading: http://en.wikipedia.org/wiki/Computer_worm
Trojan horse
A Trojan horse is a program that masquerades as another common program in an attempt to receive information. It is a harmless-looking program designed to trick you into thinking it is something you want, but which performs harmful acts when it runs. It is typically received through downloads from the Internet. Trojan horses do not spread by themselves like viruses and worms. In practice, Trojan horses in the wild often contain spying functions or backdoor functions that allow a computer to be remotely controlled from the network, creating a zombie computer.
There are two common types of Trojan horses. One is otherwise useful software that has been corrupted by a cracker inserting malicious code that executes while the program is used. Examples include various implementations of weather alerting programs, computer clock setting software, and peer-to-peer file sharing utilities. The other type is a standalone program that masquerades as something else, like a game or image file, in order to trick the user into some misdirected complicity that is needed to carry out the program's objectives.
The basic difference from computer viruses is that a Trojan horse is technically a normal computer program and does not possess the means to spread itself. Originally, Trojan horses were not designed to spread themselves. They relied on fooling people into allowing the program to perform actions that they would otherwise not have voluntarily performed. Trojans of recent times also contain functions and strategies that enable their spreading. This moves them closer to the definition of computer viruses, and it becomes difficult to clearly classify such mixed programs as either Trojan horses or viruses.
Probably the most famous Trojan horse is a program called "Back Orifice", which is an unsubtle play on words on Microsoft's BackOffice suite of programs for NT Server. This program allows anybody to have complete control over the computer or server it occupies.
For further reading: http://en.wikipedia.org/wiki/Trojan_horse_(computing)
Logic Bomb
A logic bomb is a piece of code intentionally inserted into a software system that will set off a malicious function when specified conditions are met. Logic bombs are viruses having a delayed payload, which is sometimes called a bomb. For example, a virus might display a message on a specific day or wait until it has infected a certain number of hosts. A logic bomb goes off when the user of a computer takes an action that triggers the bomb.
For further reading: http://en.wikipedia.org/wiki/Logic_bomb