IT Security and Forensics. Dr. Fred Mtenzi


Course Outline
- Conventional Encryption:
  – Classical Techniques, Modern Techniques, Algorithms.
- Public-Key Encryption and Hash Functions:
  – Public-Key Cryptography, Message Authentication and Hash Functions.

Course Outline
- Network Security Practice:
  – Authentication Applications, Electronic Mail Security.
- System Security:
  – Intruders, Viruses, and Worms.

Course Outline
- Admissibility of Electronic Evidence:
  – Forensic Evidence and Crime Investigation, Computer Forensics and Digital Detective Work.
- Forensic Examination of Computers and Digital and Electronic Media:
  – Operating Systems and Data Transmission Basics for Digital Investigations
  – Investigating Windows, Linux and Graphics Files
  – E-mail and Webmail Forensics

Course Outline
- Security Policies:
  – Security policy documents and organizational security policies
  – Regulatory Compliance

Timetable
- Lecture:
  – Thursday 19.00 – 22.00 (room A26)

Assessment methods
- Written examination – 50%
- Continuous assessment – 50%
  – Case study – 25%
  – Group project – 25%

References
- William Stallings (2006), Cryptography and Network Security: Principles and Practice, 4th Ed., Prentice Hall.
- William Stallings (2007), Network Security Essentials: Applications and Standards, 3rd Ed., Prentice Hall.
- Cliff Riggs (2003), Network Perimeter Security: Building Defense In-Depth, Auerbach Publications.
- Warren G. Kruse II and Jay G. Heiser (2001), Computer Forensics: Incident Response Essentials, Addison-Wesley Professional.
- C. Davis, A. Philipp and D. Cowen (2004), Hacking Exposed Computer Forensics, McGraw-Hill Osborne Media.
- E. Casey (Ed.) (2001), Handbook of Computer Crime Investigation: Forensic Tools & Technology, Academic Press.
- Raymond R. Panko (2004), Corporate Computer and Network Security, Prentice Hall (Pearson International Edition).
- Niels Ferguson and Bruce Schneier (2003), Practical Cryptography, John Wiley and Sons.
- Seymour Bosworth and M.E. Kabay (Eds.) (2002), Computer Security Handbook, 4th Ed., John Wiley and Sons.
- Sari Stern Greene (2006), Security Policies and Procedures: Principles and Practices, Prentice Hall.
- Keith J. Jones, Richard Bejtlich and Curtis W. Rose (2005), Real Digital Forensics: Computer Security and Incident Response, Addison-Wesley Professional.
- Brian Carrier (2005), File System Forensic Analysis, Addison-Wesley Professional.
- Eoghan Casey (2004), Digital Evidence and Computer Crime, Academic Press.
- Denis Kelleher and Karen Murray (1997), Information Technology Law in Ireland, Butterworths.
- Any book on security and cryptography; the Web.

The Internet has become indispensable in our everyday lives
- The Internet allows organizations to:
  – conduct electronic commerce
  – provide better customer service
  – collaborate with partners
  – reduce communications costs
  – improve internal communication
  – access needed information rapidly

The Risks
- While computer networks revolutionize the way you do business, the risks computer networks introduce can be fatal to a business.
- Network attacks lead to lost:
  – money
  – time
  – products
  – reputation
  – lives
  – sensitive information

How Did We Get Here?

The Problem
- In the rush to benefit from using the Internet, organizations often overlook significant risks:
  – the engineering practices and technology used by system providers do not produce systems that are immune to attack
  – network and system operators do not have the people and practices to defend against attacks and minimize damage
  – policy and law in cyber-space are immature and lag the pace of change

Strain on System Administrators - 1
- There is continued movement to complex, client-server and heterogeneous configurations with distributed management.
- There is little evidence of security improvements in most products; new vulnerabilities are found routinely.
- Comprehensive security solutions are lacking; current tools address only parts of the problem.

Strain on System Administrators - 2
- Engineering for ease of use has not been matched by engineering for ease of secure administration:
  – ease of use and increased utility are driving a dramatic explosion in use
  – system administration and security administration are more difficult than a decade ago
  – this growing gap brings increased vulnerability

Other Reasons for Concern
- Many security audits and evaluations only skim the surface of the organization and its technology; major risks are often overlooked.
- Lack of understanding leads to reliance on partial solutions.

More Sophisticated Intruders
- Intruders are:
  – building technical knowledge and skills
  – gaining leverage through automation
  – exploiting network interconnections and moving easily through the infrastructure
  – becoming more skilled at masking their behavior

Attack Sophistication vs. Intruder Technical Knowledge (figure)
Chart with the intruder knowledge required on the vertical axis (High to Low) and attack sophistication over time on the horizontal axis (1980, 1985, 1990, 1995, 2000); the two labelled curves are "Attackers" and "Tools". Tools and techniques plotted along the time axis, roughly in order of appearance: password guessing, self-replicating code, password cracking, exploiting known vulnerabilities, disabling audits, back doors, hijacking sessions, sweepers, sniffers, packet spoofing, GUI, automated probes/scans, network mgmt. diagnostics, www attacks, denial of service, burglaries, "stealth"/advanced scanning techniques, DDOS attacks.

Vulnerability Exploit Cycle (figure)
1. Advanced intruders discover a vulnerability
2. Crude exploit tools are distributed
3. Novice intruders use the crude exploit tools
4. Automated scanning/exploit tools are developed
5. Widespread use of automated scanning/exploit tools
6. Intruders begin using new types of exploits (and the cycle repeats)

Vulnerability Trends
- Flaws can be found without source code:
  – common: system call trace
  – new: subroutine call trace
  – protocols can be examined for vulnerabilities
  – program instabilities (buffer overflow, etc.)
- Good news: the public and vendors are becoming more security conscious
- Patches are now being released via the Internet
- Still untested: product liability

Security Threats
- Spyware and adware
- Viruses
- Phishing and pharming
- Bots
- Worms
- SQL injection
- etc.

Security Certification
- International Information Systems Security Certification Consortium, (ISC)²
- Certified Information Systems Security Professional (CISSP)
- Global Information Assurance Certification (GIAC)
- Cisco Certified Security Professional (CCSP)
- etc.

Professional Association Meetings
- Information Systems Security Association (ISSA) Ireland Chapter
- Infosecurity Europe, April 2008
- SecurityExpo Ireland
- Discussion groups:
  – SecurityFocus

So What?

It's going to get worse - 1
- Explosive growth of the Internet continues
  – it continues to double in size every 10-12 months
  – where will all the capable system administrators come from?
- Market growth will drive vendors
  – time to market, features, performance and cost are primary
  – "invisible" quality features such as security are secondary

It's going to get worse - 2
- More sensitive applications connected to the Internet
  – low cost of communications, ease of connection, and the power of products engineered for the Internet will drive out other forms of networking
  – hunger for data and the benefits of electronic interaction will continue to push widespread use of information technology

It's going to get worse - 3
- The death of the firewall
  – traditional approaches depend on complete administrative control and strong perimeter controls
  – today's business practices and wide area networks violate these basic principles:
    - no central point of network control
    - more interconnections with customers, suppliers, partners
    - more network applications - "the network is the computer"
    - who's an "insider" and who's an "outsider"?

It's going to get worse - 4
- Beware of snake-oil
  – the market for security products and services is growing faster than the supply of quality product and service providers
  – an informed consumer base needs understanding, not just awareness
  – sometimes the suppliers don't understand either
  – "if you want it badly, you'll get it badly"

Before it gets better - 1
- A strong market for security professionals will eventually drive graduate and certificate programs.
- Increased understanding by technology users will build demand for quality security products; vendors will pay attention to the market.
- The insurance industry will provide incentives for improved business security practices.

Before it gets better - 2
- Technology will continue to improve and we will figure out how to use it:
  – encryption
  – strong authentication
  – survivable systems
- Increased collaboration across government and industry.

Good news
"Our research has shown pay for information security and security jobs, skills and certifications have been above average for two years straight … The writing is on the wall: If you are not in that business, you might want to point your career toward that …. Security has not been a sexy place to work. It has not been funded well. But clearly when the smoke clears it will be funded, and it will be funded well."
Source: David Foote, President and chief research officer at Foote Partners (www.footepartners.com)

Introduction to Systems Security

"The art of war teaches us to rely not on the likelihood of the enemy's not coming, but on our own readiness to receive him; not on the chance of his not attacking, but rather on the fact that we have made our position unassailable."
—The Art of War, Sun Tzu

Background
- Information security requirements have changed in recent times
- Security was traditionally provided by physical and administrative mechanisms
- Computer use requires automated tools to protect files and other stored information
- Use of networks and communications links requires measures to protect data during transmission

Definitions
- Computer Security - generic name for the collection of tools designed to protect data and to thwart hackers
- Network Security - measures to protect data during their transmission
- Internet Security - measures to protect data during their transmission over a collection of interconnected networks

Aim of Course
- Our focus is on Internet Security
- It consists of measures to deter, prevent, detect, and correct security violations that involve the transmission of information

Services, Mechanisms, Attacks
- We need a systematic way to define requirements
- Consider three aspects of information security:
  – security attack
  – security mechanism
  – security service
- We consider them in reverse order

Security Service
- Something that enhances the security of the data processing systems and the information transfers of an organization
- Intended to counter security attacks
- Makes use of one or more security mechanisms to provide the service
- Replicates functions normally associated with physical documents:
  – e.g. documents carry signatures and dates; need protection from disclosure, tampering, or destruction; may be notarized or witnessed; may be recorded or licensed

Security Mechanism
- A mechanism that is designed to detect, prevent, or recover from a security attack
- No single mechanism will support all the functions required
- However, one particular element underlies many of the security mechanisms in use: cryptographic techniques
- Hence our focus on this area

Security Attack
- Any action that compromises the security of information owned by an organization
- Information security is about how to prevent attacks, or failing that, to detect attacks on information-based systems
- There is a wide range of attacks
- We can focus on generic types of attacks
- Note: "threat" and "attack" are often used to mean the same thing (strictly, a threat is the potential for an attack)

OSI Security Architecture
- ITU-T X.800, "Security Architecture for OSI"
- Defines a systematic way of defining and providing security requirements
- For us it provides a useful, if abstract, overview of the concepts we will study

Security Services
- X.800 defines a security service as: a service provided by a protocol layer of communicating open systems, which ensures adequate security of the systems or of data transfers
- RFC 2828 (the Internet Security Glossary, since superseded by RFC 4949) defines it as: a processing or communication service provided by a system to give a specific kind of protection to system resources
- X.800 defines security services in 5 major categories

Security Services (X.800)
- Authentication - assurance that the communicating entity is the one claimed
- Access Control - prevention of the unauthorized use of a resource
- Data Confidentiality - protection of data from unauthorized disclosure
- Data Integrity - assurance that data received is as sent by an authorized entity
- Non-Repudiation - protection against denial by one of the parties in a communication

Security Mechanisms (X.800)
- Specific security mechanisms:
  – encipherment, digital signatures, access controls, data integrity, authentication exchange, traffic padding, routing control, notarization
- Pervasive security mechanisms:
  – trusted functionality, security labels, event detection, security audit trails, security recovery
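The two slides above list non-repudiation among the services and digital signatures among the mechanisms, and the distinction between a signature and a MAC is exactly where students get this wrong: a MAC gives data integrity and origin authentication between two key holders, but since either holder could have produced the tag it cannot settle a dispute between them. The added example below (written for this page, not from the lecture or Stallings) builds a Lamport one-time signature from SHA-256, which needs nothing outside the Python standard library, and puts it beside an HMAC. The names Alice and Bob, the message text and the key sizes are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets

# Added example, not from the lecture slides. Implements a Lamport
# one-time signature from SHA-256 (stdlib only) and contrasts it with an
# HMAC to show which X.800 service each mechanism can provide.

def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def _bits(digest: bytes):
    """Yield the 256 bits of a SHA-256 digest, most significant bit first."""
    for byte in digest:
        for i in range(8):
            yield (byte >> (7 - i)) & 1

def lamport_keygen():
    """Private key: 256 pairs of random 32-byte values.
    Public key: the SHA-256 hash of each value (safe to publish)."""
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pk = [(_h(a), _h(b)) for a, b in sk]
    return sk, pk

def lamport_sign(sk, message: bytes):
    """For each bit of H(message) reveal the matching private value.
    ONE-TIME: signing two messages with the same key leaks both halves
    of some pairs and lets a forger mix and match them."""
    return [sk[i][bit] for i, bit in enumerate(_bits(_h(message)))]

def lamport_verify(pk, message: bytes, signature) -> bool:
    """Anyone holding only the public key can check the signature."""
    if len(signature) != 256:
        return False
    checks = [hmac.compare_digest(_h(s), pk[i][bit])
              for i, (bit, s) in enumerate(zip(_bits(_h(message)), signature))]
    return all(checks)

def mac_tag(shared_key: bytes, message: bytes) -> bytes:
    """HMAC-SHA256: data integrity and data-origin authentication between
    the two holders of shared_key, but not non-repudiation."""
    return hmac.new(shared_key, message, hashlib.sha256).digest()

def mac_verify(shared_key: bytes, message: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(tag, mac_tag(shared_key, message))

def compare_mac_and_signature() -> dict:
    """Alice sends a message to Bob; an arbiter later has to decide who wrote what."""
    alice_sk, alice_pk = lamport_keygen()
    shared = secrets.token_bytes(32)            # key held by BOTH Alice and Bob
    msg = b"transfer 100 EUR to account 42"     # constructed sample message
    forged = b"transfer 100000 EUR to account 42"

    sig = lamport_sign(alice_sk, msg)
    tag = mac_tag(shared, msg)

    # Bob holds the shared key too, so he can mint a valid tag on a message
    # Alice never sent: the arbiter cannot tell the two parties apart.
    bobs_tag = mac_tag(shared, forged)
    # Bob has no preimages of Alice's public key, so the best he can do is
    # sign with his own key, which Alice's public key will not accept.
    bob_sk, _ = lamport_keygen()
    bobs_sig = lamport_sign(bob_sk, forged)

    return {
        "sig_ok": lamport_verify(alice_pk, msg, sig),
        "sig_rejects_tamper": lamport_verify(alice_pk, forged, sig),
        "mac_ok": mac_verify(shared, msg, tag),
        "bob_forges_mac": mac_verify(shared, forged, bobs_tag),
        "bob_forges_sig": lamport_verify(alice_pk, forged, bobs_sig),
    }
```

Running compare_mac_and_signature() shows the signature verifying, the tampered message failing, and Bob able to forge a MAC but not a signature. The one-time property is the practical caveat: a Lamport key must never sign twice, which is why real systems use RSA, ECDSA or Ed25519 (or hash-based schemes such as XMSS that manage many one-time keys) rather than this construction directly.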

Classify Security Attacks as
- Passive attacks - eavesdropping on, or monitoring of, transmissions to:
  – obtain message contents, or
  – monitor traffic flows
- Active attacks - modification of the data stream to:
  – masquerade as some other entity
  – replay previous messages
  – modify messages in transit
  – deny service

Model for Network Security (figure)
- Using this model requires us to:
  – design a suitable algorithm for the security transformation
  – generate the secret information (keys) used by the algorithm
  – develop methods to distribute and share the secret information
  – specify a protocol enabling the principals to use the transformation and secret information for a security service
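The four tasks just listed, and the passive and active attacks classified on the previous slide, fit in one small program. The added example below (written for this page; it is not from the lecture or from Stallings) implements all four tasks with the Python standard library: the security transformation is encrypt-then-MAC with an HMAC-SHA256 counter-mode keystream, the keys are derived from one random master key, key distribution is simulated by handing both principals the same key record (standing in for the model's trusted third party), and the protocol carries a sender identity and a sequence number. It then plays each attack from the slide against the receiver. The wire format, the names Alice and Darth, and the sample messages are constructed for the demonstration; the keystream construction is a teaching stand-in for a vetted cipher such as AES-GCM, not a recommendation.

```python
import hashlib
import hmac
import secrets
import struct

# Added example, not from the lecture slides: the four tasks of the network
# security model plus the passive and active attacks, run against the protocol.

def generate_keys() -> dict:
    """Task 2: generate the secret information. One random master key, from
    which separate confidentiality and integrity keys are derived."""
    master = secrets.token_bytes(32)
    return {"enc": hmac.new(master, b"enc", hashlib.sha256).digest(),
            "mac": hmac.new(master, b"mac", hashlib.sha256).digest()}

def keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF in counter mode (HMAC-SHA256 over nonce||counter). Teaching
    stand-in for a real cipher; a fresh nonce per message keeps it from repeating."""
    out = b""
    for counter in range((length + 31) // 32):
        out += hmac.new(enc_key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
    return out[:length]

def protect(keys: dict, sender: bytes, seq: int, plaintext: bytes) -> bytes:
    """Tasks 1 and 4: the security transformation (encrypt-then-MAC) inside
    the constructed wire format  sender(8) | seq(8) | nonce(16) | ciphertext | tag(32)."""
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, keystream(keys["enc"], nonce, len(plaintext))))
    header = sender.ljust(8, b"\0")[:8] + struct.pack(">Q", seq) + nonce
    tag = hmac.new(keys["mac"], header + ct, hashlib.sha256).digest()   # MAC covers header too
    return header + ct + tag

class Receiver:
    """Destination side of the model: verify, check sender, detect replay, decrypt."""

    def __init__(self, keys: dict, expected_sender: bytes):
        self.keys = keys                                  # Task 3: keys already shared
        self.sender = expected_sender.ljust(8, b"\0")[:8]
        self.last_seq = -1                                # highest sequence number accepted

    def accept(self, msg: bytes):
        """Return (plaintext, "ok") or (None, reason)."""
        if len(msg) < 8 + 8 + 16 + 32:
            return None, "malformed"
        header, ct, tag = msg[:32], msg[32:-32], msg[-32:]
        expected = hmac.new(self.keys["mac"], header + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):        # modification or masquerade
            return None, "bad tag (modified or masqueraded)"
        sender, seq, nonce = header[:8], struct.unpack(">Q", header[8:16])[0], header[16:32]
        if sender != self.sender:
            return None, "wrong sender"
        if seq <= self.last_seq:                          # replay of an old message
            return None, "replay"
        self.last_seq = seq
        pt = bytes(c ^ k for c, k in zip(ct, keystream(self.keys["enc"], nonce, len(ct))))
        return pt, "ok"

def run_attacks() -> dict:
    keys = generate_keys()            # Task 3 simulated: both ends hold the same keys
    bob = Receiver(keys, b"alice")
    m1 = protect(keys, b"alice", 1, b"pay 10 EUR")   # constructed sample messages
    m2 = protect(keys, b"alice", 2, b"pay 20 EUR")

    # Passive attack: Darth reads the wire and gets only ciphertext.
    eavesdropped = m1[32:-32]
    # Active attacks: modify a ciphertext byte, replay m1, masquerade as Alice.
    flipped = bytearray(m1)
    flipped[32] ^= 0x01
    darth_keys = generate_keys()                      # Darth never got Alice's keys
    masquerade = protect(darth_keys, b"alice", 3, b"pay 999 EUR")
    # Denial of service is outside what the transformation can address.

    return {
        "m1": bob.accept(m1),
        "m2": bob.accept(m2),
        "plaintext_leaked": eavesdropped == b"pay 10 EUR",
        "replay": bob.accept(m1),
        "modify": bob.accept(bytes(flipped)),
        "masquerade": bob.accept(masquerade),
    }
```

The dictionary returned by run_attacks() shows the two genuine messages accepted, the eavesdropper holding only ciphertext, and the replay, modification and masquerade each rejected with its reason. Two design points are worth noticing: the MAC is computed over the header as well as the ciphertext, so an attacker cannot splice a valid ciphertext under a different sender or sequence number, and the tag is checked before anything else is parsed or decrypted.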

Model for Network Access Security (figure)
- Using this model requires us to:
  – select appropriate gatekeeper functions to identify users
  – implement security controls to ensure only authorised users access designated information or resources
- Trusted computer systems can be used to implement this model
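A gatekeeper function and the access controls behind it are simple enough to write out in full, which makes the separation between the two steps concrete: identification first, then a default-deny check of what the identified user may do. The added example below (written for this page, not from the lecture) uses salted PBKDF2-HMAC-SHA256 password verification with a failed-login lockout as the gatekeeper, a per-user list of (resource, action) pairs as the access control, and an event log in the spirit of the X.800 audit-trail mechanism. The users, passwords, resources and iteration count are constructed for the demonstration; a production deployment should raise the iteration count and store the log somewhere the user cannot alter it.

```python
import hashlib
import hmac
import secrets

# Added example, not from the lecture slides: a minimal gatekeeper for the
# network access security model (identify the user, then authorise each
# access against a default-deny list, logging every decision).

PBKDF2_ITERATIONS = 100_000   # kept low for the demo; raise for production

def make_credential(password: str) -> dict:
    """Stored form of a password: random salt plus PBKDF2-HMAC-SHA256 hash."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return {"salt": salt, "hash": digest}

def check_password(cred: dict, attempt: str) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", attempt.encode(), cred["salt"], PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, cred["hash"])   # constant-time comparison

# Hashed against unknown user names so a login attempt takes the same time
# whether or not the name exists (no user enumeration through timing).
_DUMMY = make_credential(secrets.token_hex(16))

class Gatekeeper:
    """Gatekeeper function (identify users) plus access control (authorise resource use)."""

    def __init__(self, users: dict, acl: dict, max_failures: int = 3):
        self.users = users              # user -> credential record
        self.acl = acl                  # user -> set of (resource, action) allowed
        self.max_failures = max_failures
        self.failures = {}              # user -> consecutive failed logins
        self.sessions = {}              # session token -> user
        self.audit = []                 # event log: every decision is recorded

    def login(self, user: str, password: str):
        """Return a session token on success, None otherwise."""
        if self.failures.get(user, 0) >= self.max_failures:
            self.audit.append(("login", user, "locked"))
            return None
        cred = self.users.get(user)
        ok = check_password(cred or _DUMMY, password) and cred is not None
        if not ok:
            self.failures[user] = self.failures.get(user, 0) + 1
            self.audit.append(("login", user, "denied"))
            return None
        self.failures[user] = 0
        token = secrets.token_urlsafe(32)
        self.sessions[token] = user
        self.audit.append(("login", user, "ok"))
        return token

    def access(self, token, resource: str, action: str) -> bool:
        """Default deny: only an explicitly listed (resource, action) pair is allowed."""
        user = self.sessions.get(token)
        allowed = user is not None and (resource, action) in self.acl.get(user, set())
        self.audit.append(("access", user, resource, action, "ok" if allowed else "denied"))
        return allowed

def gatekeeper_demo() -> dict:
    # Constructed users and access-control list.
    users = {"alice": make_credential("correct horse battery staple"),
             "bob": make_credential("hunter2")}
    acl = {"alice": {("/payroll", "read"), ("/payroll", "write")},
           "bob": {("/payroll", "read")}}          # least privilege: Bob may only read
    gk = Gatekeeper(users, acl)
    t_alice = gk.login("alice", "correct horse battery staple")
    t_bob = gk.login("bob", "hunter2")
    return {
        "alice_write": gk.access(t_alice, "/payroll", "write"),
        "bob_read": gk.access(t_bob, "/payroll", "read"),
        "bob_write": gk.access(t_bob, "/payroll", "write"),
        "bad_password": gk.login("bob", "hunter3"),
        "unknown_user": gk.login("mallory", "x"),
        "no_session": gk.access("not-a-token", "/payroll", "read"),
        "audit_events": len(gk.audit),
    }
```

gatekeeper_demo() returns Alice allowed to write, Bob allowed to read but refused a write, both bad logins returning None, an unauthenticated token refused, and eight audit events, one per decision. The lockout counter is the part most often forgotten in student implementations: without it, the gatekeeper is only as strong as the weakest password it protects.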

Summary
- We have considered:
  – computer, network and internet security definitions
  – security services, mechanisms and attacks
  – the X.800 standard
  – models for network (access) security

Question
- In your opinion, what are going to be the major security threats in the future? To mitigate these threats, how should the computer industry proceed? Society? Learning institutions?

Security
- Security is a process and not a product
- Security is an attitude
- Security is a culture

Security Statistics