Introduction to Security

What are Threats?

Internal Threats
- Human Error
- Dishonest / disgruntled employees
- Technical Sabotage

External Threats
- Virus
- Trojans / Worms / Malicious Code
- Hackers / Intruders

Countermeasures
Patch Management System
Intrusion Prevention Systems
Intrusion Detection Systems
Anti-Virus
Content Management
Firewalls
VPN
PKI

The need for Security?

- InternetWeek: 50% of corporations have had 30 or more penetrations, 60% lost up to $200K/intrusion
- Federal Computing World: over 50% of Federal agencies report unauthorized access (some are massive numbers)
- FBI/Computer Security Institute: 48% of all attacks originated from within the organization
- WarRoom Research Survey: 90% of Fortune 500 companies surveyed admitted to inside security breaches

Common IT Security Shortcomings

- Enterprise wide patch management system
- Intrusion Detection systems on both the inside and the outside of the perimeter
- No firewalls / weak firewalls in place
- All / few servers directly open to the Internet
- Outgoing email server doesn't require authentication
- Partial content management / prevention solution
- Outdated / unpatched mail servers

Patch Management: Why reaction time matters

Worm                        Days from release of exploit to worm appearance
Scalper (2002, FreeBSD)     11 days (*early disclosure)
Blaster (2003, Windows)     16 days
Code Red (2001, Windows)    24 days
Lion (2001, Linux)          53 days
Slapper (2002, Linux)       58 days
Melissa (1999, Windows)     64 days
Nimda (2001, Windows)       172 days
Slammer (2003, Windows)     180 days
Ramen (2001, Linux)         208 days

Reaction time is critical in preventing viruses and worms, which can cost organizations billions. Forrester says that organizations typically require more than 300 days to fully deploy patches for most of these issues after the fix is available. The race begins when the technical details of an issue (such as a security bulletin or release of exploit code) are made public.

The SQL Slammer Worm: What Happened?

- MS SQL vulnerability and patch released July, 2002
- Worm released at 5:30 GMT, January 25, 2003
- Saturation point reached within 2 hours of start of infection
- 250,000 - 300,000 hosts infected
- Internet connectivity affected worldwide
- Not easily detected by anti-virus since it did not write itself to disk

The SQL Slammer Worm: 30 Minutes After Release

- Infections doubled every 8.5 seconds
- Spread 100X faster than Code Red
- At peak, scanned 55 million hosts per second

The RPC Blaster Worm: What Happened?

- RPC vulnerability and patch published by Microsoft on July 16th, 2003
- Vulnerability affects NT 4.0, WinXP, Win2000, and Win2003 Server
- Blaster worm released Monday August 11, 2003; main target is only WinXP, Win2000
- +330,000 hosts infected in less than a week
- Worm variants appearing: Lovsan.B, Lovsan.C

Lessons Learned

- Applying patches must be done quickly and thoroughly
- If a vulnerability applies to clients, these must be patched
- One infected machine can scan and infect 1000s of victims
- The network must be configured with QoS and have the intelligence to filter and control traffic when needed
- Complements to patches such as Host-Based Security Agents must be considered

Electronic Commerce - Security

Securing Internet commerce is akin to securing your business secrets and activities in real life.

Security concerns have to be addressed at three levels:
- Security of the Host (where the business is hosted)
- Security of the Server providing the service (HTTP/Web Server)
- Communication Environment
  - Network Environment
  - Transaction Security

Prof. Bharat Bhasker, Indian Institute of Management Lucknow -


Electronic Commerce - Host Security

Site Security Handbook (RFC 1244) details how to secure a host computer from break-in.

Seven critical principles:
- Parsimony (simplest possible)
  - Remove services that are not required (HTTP, SMTP, POP3, IMAP...)
  - Remove all things from the host that are not required: compilers, NFS daemons, interpreters, shells
- Superuser (Root) privileges
- Access Control (authentication, privilege system)
- Accountability (securely log actions for IDs)
- Audit & Auditability (any change anywhere in the system): COPS, TAMU, Tripwire
- Notification (CERT, CIAC, alarm systems)
- Recovery (it may happen; how to cope on the morning after?)

Network Security -- Sniffing

On the wire, messages can be read by sniffers and network analyzers, tools meant to monitor an area of Ethernet that remains too busy, traffic patterns, and network problems.

Examples:
- esniff.c: 300 line program, captures userids and passwords on telnet and ftp sessions
- TCPDump.c: widely available public utility
- Netman: various utilities for net management, available via anonymous ftp site
- EthDump: sniffer that runs under DOS, available from an anonymous FTP site

Security threats:
- Passwords: encryption may not help (replay attack)
- Financial account information
- Private data: Cap Weinberger indicted based on email in Iran-Contra
- Low level protocol information

Network Security -- Sniffing

Prevention
- Network segmentation
  - Hubs: multi-port repeaters
  - Switches
  - Bridges (filter traffic)
  - Router: too radical for the sniffing problem, but helps by creating subnets
- Trust circles and barriers between secure and insecure segments
- Avoiding transmission of passwords: rlogin family of protocols, .rhosts and /etc/hosts.equiv (prone to ARP & DNS spoofing)
- Encryption with time stamps
- Challenge based authentication
- Entire session/connection encryption such as SSL

Network Security -- Spoofing

Hardware address: the NIC has a 48 bit unique card address
- Bridges examine the frames and can modify the source/destination address
- PREVENTION: intelligent hubs in secure locations, active/filtering hubs

Address Resolution Protocol (ARP) spoofing: who owns this IP address?
- Inadvertent (two servers with the same IP address alternately come up)
- Malicious attacks: IP based authorization and trust; turn the m/c off and insert your laptop with the address.
- PREVENTION
  - Stop using ARP: make all IP <==> ether mappings permanent, or make important addresses permanent
    arp -a                      lists the ARP cache on a m/c
    arp -d <ipaddress>          delete from cache
    arp -s <ipaddress> <eth>    permanent entry
  - Hardware barriers: routers, trusted hosts on a separate subnet

Prof. Bharat Bhasker, Indian Institute of Management Lucknow - CSI-99

Network Security -- Spoofing

ARP Spoofing - Detection

Network-level detection:
- Periodic polling against a standard database of IP, h/w address, name, location; raise alerts
- SNMP agent based monitoring
  - RMON protocol: RFC 1271
  - BTNG (Beholder the Next Gen) is an RMON agent, available from Delft Univ.
  - Ticklet, an SNMP based monitoring and management system
- arpmon (Ohio State), arpwatch (LBL)
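As an added illustration of the polling approach above (example code, not from the original slides or from arpwatch), the following Python compares one snapshot of `arp -a` output against a standard database of expected IP to hardware address mappings and raises the alerts such a monitor would. The sample ARP output and the baseline are constructed, and the Linux `arp -a` line format is assumed.

```python
import re

# Constructed sample of Linux "arp -a" output; none of these are real hosts.
SAMPLE_ARP_A = """\
gateway (10.0.0.1) at 00:11:22:33:44:01 [ether] on eth0
fileserver (10.0.0.20) at 00:11:22:33:44:20 [ether] on eth0
printer (10.0.0.30) at 00:11:22:33:44:01 [ether] on eth0
? (10.0.0.99) at 00:11:22:33:44:99 [ether] on eth0
"""

# The "standard database" of expected IP -> hardware address (constructed).
BASELINE = {
    "10.0.0.1": "00:11:22:33:44:01",
    "10.0.0.20": "00:11:22:33:44:20",
    "10.0.0.30": "00:11:22:33:44:30",
}

ARP_LINE = re.compile(r"\((?P<ip>[\d.]+)\) at (?P<mac>[0-9a-f:]{17})", re.I)


def parse_arp_cache(text):
    """Return {ip: mac} from 'arp -a' style output; unparsable lines are skipped."""
    cache = {}
    for line in text.splitlines():
        m = ARP_LINE.search(line)
        if m:
            cache[m.group("ip")] = m.group("mac").lower()
    return cache


def check_arp_cache(cache, baseline):
    """Compare a polled ARP cache with the baseline and return alert strings."""
    alerts = []
    for ip, mac in cache.items():
        expected = baseline.get(ip)
        if expected is None:
            alerts.append(f"UNKNOWN {ip} -> {mac}")
        elif expected.lower() != mac:
            alerts.append(f"CHANGED {ip}: expected {expected}, saw {mac}")
    # One hardware address answering for several IPs is a classic spoofing sign.
    by_mac = {}
    for ip, mac in cache.items():
        by_mac.setdefault(mac, []).append(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            alerts.append(f"DUPLICATE {mac} claims {', '.join(sorted(ips))}")
    return alerts


if __name__ == "__main__":
    for alert in check_arp_cache(parse_arp_cache(SAMPLE_ARP_A), BASELINE):
        print(alert)
```

In practice the poll runs on a schedule from a host on each segment and the baseline is maintained by the network owner, not learned from the cache it is checking.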


Electronic Commerce - Secure the Fort (Firewalls)

Digging a deep moat around your palace: the design forced everyone entering or leaving the palace to pass through a single drawbridge.

Companies can have several LANs, but the connection to the outside world is restricted to a limited number of doorways, called firewalls.

Firewalls have two components:
- Two routers
- Application gateways

The route to the outside world exists only through this passageway.
- The first router is used for incoming packet filtering
- The second, internal router does outgoing packet filtering and, along with the application gateway, acts as additional screening for the limited offered services

Firewalls

Packet Filter
- Packets from inside the network are passed outside unchanged
- This makes a packet filter susceptible to spoofing

Application Level Firewall
- Packets passed through the firewall are rewritten with the firewall's IP address
- All internal IP addresses are completely hidden

Firewalls

What Can a Firewall Do?
- Control access based on: source, destination, service (or sub-service), time, day or date, user
- Audit trails for security audits
- Notification of events, usually in real time
- Multi-use passwords are a problem
  - Same password used every time
  - If guessed or stolen, the system will be compromised
- Integration of strong authentication via one-time-use password technology
  - A unique password is generated for each connection


Additional Measures

- Good and effective Anti-Virus server and Anti-Spam server on the gateway
- Install Intrusion Detection software on the internal as well as external networks
- Implement firewalls
- Good content management as well as traffic management system
- Network monitoring and management software

How do I achieve secure communications in a public network?

We use the Internet to . . .
- Send email
- Make purchases
- Distribute software
- Inventory control & order entry

But we have some concerns - How do we . . .
- Know a person is who they claim to be?
- Know I'm connected to an authentic merchant?
- Protect the privacy of my communications?
- Know if information has been tampered with?
- Prove later that someone sent me the message?

Four Security Needs for Network Communications

- Privacy / Confidentiality (threat: interception) - Is my communication private?
- Integrity (threat: modification) - Has my communication been altered?
- Authentication (threat: fabrication) - Who am I dealing with?
- Non-repudiation (threat: false claims of "not sent" / "not received") - Who sent/received it and when?

How do we solve the 4 Security Needs?

Cryptography:
- Secret Key
- Public Key

Specialized uses of cryptography:
- Digital Signature
- Digital Certificates

Secret Key Cryptography

Cryptography involves:
- encryption
- decryption

Secret key cryptography:
- Data is encrypted & decrypted using the same Secret Key (the same secret key algorithm runs at both ends)
- Also known as Symmetric Key
- DES is an example of a secret key algorithm

Secret Key Cryptography

It's fast, but . . .
- How do I get my secret key to my recipient over the Internet?
- Do I have a different secret key for everyone with whom I communicate?
- If one key is compromised, all copies of that key must be replaced
- Does not scale well

Public Key Cryptography

- Two keys = key pair: mathematically related, but not identical, public & private key pairs
- Public Keys are widely distributed
- Private Keys are held securely by owners
- Data encrypted with one key can be decrypted only with the other key of the pair (the public key algorithm runs at both ends)
- a.k.a. Asymmetric Key
- RSA is an example of a public key algorithm

Public Key Cryptography

It's slower, but . . .
- I don't have to distribute a secret key because I have my Private Key
- Everyone with whom I communicate can know my Public Key
- There's only one copy of the Private Key
- Scales well

Digital Signature

Everyone has a Signature Key Pair.

1) A provides a copy of the Public Key to B (either method: through a public network or directory, or together with the signed data)
2) A signs information using the Private Key
3) B verifies the signature using A's Public Key

- Private Key signs data
- Public Key verifies signature on data
- Public Key may be sent with the signed data

A Closer Look at Digital Signature

Digital Signature:
- Electronic (digital) stamp appended to data before sending (data with electronic stamp)
- The result of encrypting the Hash of the data to be sent on the network
- Any change (to data or signature) will cause the signature verification to fail

Hash - or Digest:
- Speeds up the signing (encrypting) process
- One-way conversion of the data to a fixed length field that uniquely represents the original data

So, using a diagram . . .

Digital Signing of the Data

Electronic Data -> Hash Function -> Hash Result -> Signing Function (Private Key of A) -> Digital Signature

Signed Data = Electronic Data + Digital Signature

Only the Private Key holder can sign.

Digital Signature Verification

Signed Data = Electronic Data + Digital Signature

Electronic Data -> Hash Function -> Hash Result
Digital Signature -> Verify Function (Public Key of A) -> Hash Result

So the receiver can compare the two hashes to verify the signature: valid compare, yes / no?

Anyone can verify.
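To make the signing and verification diagrams concrete, here is an added Python example (not from the original slides) of the hash-then-sign and hash-then-verify flow with a constructed toy RSA key pair. The primes are deliberately tiny and the hash is simply reduced into the modulus; a real scheme uses 2048-bit keys and a padded full-size digest (PKCS#1 v1.5 or PSS), so treat this as a teaching model only.

```python
import hashlib

# Constructed toy RSA key pair: far too small for real use, large enough to show
# the "encrypt the hash with the private key" step from the slides.
P, Q = 1000003, 1000033
N = P * Q
E = 65537                          # public exponent (A's Public Key is (N, E))
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent (A's Private Key), Python 3.8+


def digest(data: bytes) -> int:
    """Hash Function step: fixed-length digest of the data, reduced into the modulus."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N


def sign(data: bytes, private_exponent: int = D) -> int:
    """Signing Function: only the holder of the private exponent can produce this."""
    return pow(digest(data), private_exponent, N)


def verify(data: bytes, signature: int, public_exponent: int = E) -> bool:
    """Verify Function: recover the hash with the public key and compare it with a
    freshly computed hash of the received data (the 'valid compare' box)."""
    recovered = pow(signature, public_exponent, N)
    return recovered == digest(data)


if __name__ == "__main__":
    msg = b"Transfer 100 units to account 42"   # constructed sample data
    sig = sign(msg)                              # Signed Data = msg + sig
    print(verify(msg, sig))                      # True: untouched
    print(verify(b"Transfer 900 units to account 42", sig))  # False: data changed
    print(verify(msg, (sig + 1) % N))            # False: signature changed
```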


Security Solutions

Some security mechanisms:
- Secret Key encryption
- Public Key encryption
- Digital signature
- Hashing

How can these security mechanisms solve the four communications security needs?
- Confidentiality
- Integrity
- Authentication
- Non-repudiation

Solving the 4 Security Needs

- Confidentiality: Encryption (secret key, public key)
- Integrity: Digital Signature
- Authentication: ???
- Non-Repudiation: Digital Signature

Authentication

Identification: how you tell someone who you are
Authentication: how you prove to someone you are who you say you are

How Do I Solve Authentication?

Physical solutions:
- Something you know: password, combination to safe
- Something you have: key, token, badge
- Something you are: signature, iris pattern, fingerprint

Electronic solution:
- Digital Certificates

So, why does B trust A's Public Key?

Digital Certificates

. . . Because a trusted third party has authenticated that the Public Key belongs to A: the Certification Authority (CA).

When A provides proof of identity, the Certification Authority creates a signed message containing A's name and public key. That signed message, containing A's name & Public Key, is the Digital Certificate.

Why trust a Digital Certificate?

- A Digital Certificate becomes a passport that proves your identity and authenticates you
- A passport is issued by a trusted Government; when another Government sees it, they trust it
- A Digital Certificate is issued by a trusted CA, again licensed by the government, and can also be trusted

Certification Authority

The Certification Authority assumes the responsibility of authenticating Certificate identity information, like a Government for passports.

CA authentication techniques:
- Check against existing records (employee databases)
- Examine typical identification (passport, license)
- Background check (government databases)

The CA authenticates, issues & manages Certificates.

Information Checkpoint

How do we solve the 4 security needs?
- Confidentiality: Encryption (secret key, public key)
- Integrity: Digital Signature
- Authentication: Digital Certificates
- Non-Repudiation: Digital Signature