Assignment - Computer Science
Read Chapters 1 and 2 of your textbook and reputable resources and write a 2- to 3-page summary that describes the following:
What are risk analysis and threat definition? Explain: What is being protected? What are the threats? Where are the weaknesses that may be exploited? Explain at least three (3) types of attacks and how they impact organizational data/resources.
INST569: Data and System Security
Lecture 1
Copyright © 2013 University of North America. All rights reserved.
Disciplines in Security Management
The ten domains, with Security Management at the center of the diagram:
Security Management
Security Architectures & Models
Applications & Systems Development Security
Operations Security
Physical Security
Telecommunications & Network Security
Laws, Investigations & Ethics
Business Continuity Planning
Cryptography
Access Control Systems & Methodologies
Security Management
Security Management is defined as:
Identification of an organization’s information assets
Development, documentation and implementation of policies, standards, procedures and guidelines
Alignment of people, process and technology to meet the organization’s confidentiality, integrity and availability objectives
(Diagram) People, Process, Technology: balanced, aligned, applied
Security Management - Objectives
Key Objective
Reduce the effects of security threats and vulnerabilities to a level that is tolerable
All levels of the organization (personnel) understand their security-related responsibilities
Access controls should support the principles of least privilege and separation of duties
Emerging Objectives
Demonstrate due diligence and support objective oversight over information processes and electronic evidence.
Support the extension of the organization’s capabilities to address needs and opportunities
Security Management - Concepts
Key Requirements
Confidentiality
Integrity
Availability
Related Concepts
Privacy
Identification
Authentication
Authorization
Accountability
Non-repudiation
Documentation
Conflicts of Interest
Due Diligence
Threat
Vulnerability
Risk
Security Management – Concepts (cont.)
Separation/Segregation of Duties
The principle of separation of duties is that an organization should carefully separate duties, so that the people involved in checking for inappropriate use are not also capable of making such inappropriate use.
Least Privilege
The principle of least privilege is that users should not have access to information or capabilities beyond those required to complete their function.
What does this mean in practice?
No person should be responsible for completing a task involving sensitive, valuable or critical information from beginning to end. Likewise, a single person must not be responsible for approving their own work.
No person should have more access than they require.
Security Management – Concepts (cont.)
Functional Separation
Sales/Engineering
Design/Development
Development/Production
Development/Test
Security/Audit
Accounts Payable/Accounts Receivable
Encryption Key Management/Changing of Keys
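The functional separations listed above, together with the two practical rules from the previous slide (nobody approves their own work; nobody holds more access than their function requires), can be checked mechanically against an identity system's role assignments. The following Python is an added example, not part of the lecture notes: the role names, the table of conflicting pairs, and the sample assignments and required-role tables are constructed for illustration, and a real deployment would load them from its IAM system and its own policy.

```python
"""Separation-of-duties and least-privilege checks over role assignments.

Added example, not from the lecture notes.  Role names, the toxic-pair table
and the sample assignments are constructed for illustration; a real
deployment would load assignments from the IAM system and the pairs from the
organization's own policy.
"""
from itertools import combinations

# Functional separations from the slides, expressed as pairs of roles that no
# single identity may hold at the same time ("toxic combinations").
TOXIC_PAIRS = {
    frozenset({"developer", "production_deployer"}),        # Development / Production
    frozenset({"developer", "tester"}),                      # Development / Test
    frozenset({"security_admin", "auditor"}),                # Security / Audit
    frozenset({"accounts_payable", "accounts_receivable"}),  # AP / AR
    frozenset({"key_custodian", "key_rotator"}),             # Key management / Changing keys
}

# Constructed sample data: who holds which roles, and what each job needs.
ASSIGNMENTS = {
    "alice": ["developer", "production_deployer"],
    "bob":   ["accounts_payable"],
    "carol": ["security_admin", "auditor", "developer"],
}
REQUIRED = {
    "alice": ["developer"],
    "bob":   ["accounts_payable"],
    "carol": ["auditor"],
}


def sod_violations(assignments, toxic_pairs=TOXIC_PAIRS):
    """Map each user to the sorted list of toxic role pairs they hold."""
    found = {}
    for user, roles in assignments.items():
        pairs = [tuple(sorted(p)) for p in combinations(set(roles), 2)
                 if frozenset(p) in toxic_pairs]
        if pairs:
            found[user] = sorted(pairs)
    return found


def excess_privileges(assignments, required):
    """Roles a user holds beyond what their function requires (least privilege)."""
    excess = {}
    for user, roles in assignments.items():
        extra = set(roles) - set(required.get(user, ()))
        if extra:
            excess[user] = sorted(extra)
    return excess


def can_approve(submitted_by, approver):
    """A single person must not approve their own work."""
    return approver != submitted_by


if __name__ == "__main__":
    print("SoD violations:", sod_violations(ASSIGNMENTS))
    print("Excess privileges:", excess_privileges(ASSIGNMENTS, REQUIRED))
    print("bob approving bob's own change allowed:", can_approve("bob", "bob"))
```

Running the checks periodically against a fresh export of assignments, rather than only at grant time, catches the common failure mode in which a user accumulates a conflicting role through a transfer or a temporary project and never loses the old one.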
Split Knowledge
An encryption key is separated into two (or more) components, each of which on its own reveals nothing about the key; restoring the key requires every component, so no single custodian ever holds it.
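The simplest construction that meets the split-knowledge requirement is XOR splitting: all components but one are drawn from a cryptographically secure random source, and the last is the key XOR-ed with the others, so every component on its own is uniformly random. The Python below is an added example, not part of the lecture notes; the 256-bit key-encrypting key it splits is constructed on the spot, and the `rng` parameter exists only so the behaviour can be checked deterministically.

```python
"""Split knowledge for a symmetric key: XOR components under dual control.

Added example, not from the lecture notes.  The key is split into n
components whose XOR is the key; any n-1 of them are uniformly random and
reveal nothing about the key.  Components must come from a CSPRNG and must
never be stored or transported together.
"""
import secrets


def xor_bytes(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("components must be the same length as the key")
    return bytes(x ^ y for x, y in zip(a, b))


def split_key(key: bytes, parts: int = 2, rng=secrets.token_bytes) -> list:
    """Return `parts` components: the first parts-1 are random, the last is
    key XOR (all the others), so XOR-ing every component restores the key."""
    if parts < 2:
        raise ValueError("split knowledge needs at least two custodians")
    components = [rng(len(key)) for _ in range(parts - 1)]
    last = key
    for c in components:
        last = xor_bytes(last, c)
    components.append(last)
    return components


def combine_key(components: list) -> bytes:
    """Key ceremony: every custodian supplies a component; XOR them all."""
    key = bytes(len(components[0]))
    for c in components:
        key = xor_bytes(key, c)
    return key


if __name__ == "__main__":
    kek = secrets.token_bytes(32)        # constructed 256-bit key-encrypting key
    comps = split_key(kek, parts=2)
    assert combine_key(comps) == kek
    # One custodian's component alone is indistinguishable from random:
    assert comps[0] != kek and comps[1] != kek
    print("split into", len(comps), "components; key recovered:", combine_key(comps) == kek)
```

This is an n-of-n scheme: the key is unrecoverable if any one custodian's component is lost, which is why production key ceremonies usually pair it with a sealed backup of each component or use a k-of-n threshold scheme (Shamir secret sharing) instead.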
General Roles
Executive Management
Have overall responsibility for security.
Chief Information Security Officer
Responsible for the overall security infrastructure including strategy, design, implementation and support.
Information Systems Security Professionals
Responsible for design, implementation, management, and review of the organization’s security policy, standards, measures, practices, procedures and controls
Data Owners
Responsible for determining sensitivity or classification levels of the data as well as maintaining accuracy and integrity of the data resident on the information system.
General Roles (cont.)
Process Owners
Responsible for ensuring the appropriate security, consistent with the security policy, is embedded in their info systems.
Technology Providers
Responsible for assisting with the implementation of information security.
Users
Responsible for following the policies and procedures set out in the organization’s security policy.
Information Systems Auditors
Responsible for providing independent assurance to management on the appropriateness of the security objectives, and on whether the security policies, standards, measures, practices, and procedures are appropriate and comply with the company’s security objectives
IS Responsibilities & Functions
Establish & Maintain Security Program
Develop/implement policies, procedures, guidelines and standards
Maintain resource access controls
Provide guidance on distributed processing & telecommunications security issues
Conduct security awareness training
Provide risk analysis services
Support vulnerability management activities
Support the investigation of incidents
Provide EDP audit coordination
Support Network/System/Application Design and Verification Process
Manage Projects
Prepare Business Cases
Other areas to address:
Employment practices
Background investigations
Hiring and Termination Practices
Security Awareness
People are often the weakest link in the security chain
Must be driven from the top down
Must be comprehensive, all the way down to removable media (floppies) and hard copies
Education
Hard Copies
Web-Based
Training & Education
Emerging Trend – Driven by Regulation
- Continuous, Assessed and Verified
- Others?
Contemporary IS Organization (diagram; elements shown): Executive Management; Stakeholders; IS Engineer; IS Analyst; Project Management; Business Development; Critical Success Factors
Primary Functions
Security Policy Management (Governance)
Risk Analysis
Data/Information Classification
Security Governance (Policy Management)
Policies – High-level statements that provide broad direction and signify management’s goals and intentions
Standards – More specific statements that represent a set of requirements needed to establish organizational controls (compulsory)
Guidelines – Non-binding suggestions for compliance with standards (non-compulsory)
Procedures – Step-by-step method to implement requirements of policies and standards (work instructions)
Policy hierarchy (diagram, top down):
Senior Management Statement of Policy
General Organizational Policies
Functional Policies
Detailed Procedures, Guidelines, Standards, Technical Baselines
Regulatory Requirements
Legal issues often drive an organization’s Information Security practices. Three key pieces of legislation are as follows:
Gramm-Leach-Bliley (GLB) Act (effective July 1, 2001), Privacy of Consumer Financial Information. This Act sets the restrictions for financial institutions on when they may disclose a consumer’s personal financial information to non-affiliated third parties.
Health Insurance Portability and Accountability Act (HIPAA) of 1996 (Privacy compliance required by April 14, 2003; Security compliance required by April 20, 2005). This Act states that all healthcare providers must ensure the privacy of patient information; employ appropriate security controls to support confidentiality, integrity and availability.
Sarbanes-Oxley Act (Section 404) of 2002. This act requires corporate management of publicly traded companies to issue a report on the adequacy and effectiveness of its internal controls, based on documentation and substantive testing/verification.
Common Standards & Criteria Framework
FISCAM
Clinger-Cohen
COBIT
ISO 900X
ISO 17799 (since renumbered ISO/IEC 27002)
HIPAA
GLB
SOX (Sarbanes-Oxley)
FERC/NERC
Policy Implementation
General Process
Identify Purpose
Set objectives
Assign responsibility
Provide resources
Allocate staff
Implement using standards, procedures & guidelines
Types of Policies
Access Controls
Use Of Computing Resources
Micro Computing
Networking
Telecommunications
Safeguarding Sensitive Information
Disaster Recovery
Emergency Notification
Records Retention
Copying Copyrighted Publications/Software
Data classification
Media Disposal
Other Activities?
- Cost/Benefit/Impact Assessment
- Enforcement Considerations
- User Access and maintenance
- Compliance Monitoring
Security Governance Example (diagram; components shown): Policy Management (Policy, Procedure, Standards, SOP’s, TSR’s); Intranet Update Process (Remove, Add, Update); Enterprise Systems (Baselines, Policies, Standards, Dev Exceptions); Exception Handling / Exception Management; Users (Policy, Standards, TSR’s; User Accounts, Roles and Access); Web Standards; Access Management (Control Criteria); Compliance Monitoring Tool
Risk Management
What is Risk Management?
The process of mitigating risk, which means reducing it until it reaches an acceptable level.
It is forward looking and serves to identify and assess potential threats to an organization and its information.
Who defines what an acceptable level of risk is?
Can risk be eliminated or reduced completely?
What are the main components of risk management?
1. Identification
2. Analysis
3. Control
4. Minimization of loss
Key Risk Management Activities (diagram): Risk Analysis; Vulnerability Assessment; Security Management; Business
Summary of Overall Approach
Identify what you’re protecting yourself from; then select an appropriate security strategy
Risk management answers fundamental questions:
Identify assets - What I am trying to protect?
Identify risks/threats - What do I need to protect against?
Prioritize risks – Which risks are most critical to protect against?
Measure/define impacts – What could happen if the risk materializes?
Determine costs/benefits - How much time, effort & money am I willing to expend to obtain adequate protection?
After risks are determined, develop/revise:
the policies & procedures needed to support the reduction of risks
define detective, preventive or corrective safeguards (controls) to mitigate the risk (high level)
Identify solutions with high likelihood of success for the organization.
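The five questions above become concrete once each risk is expressed as an expected annual loss. The Python below is an added example, not part of the lecture notes, and it introduces quantitative terms the slide does not define: single loss expectancy (SLE = asset value x exposure factor) and annualized loss expectancy (ALE = SLE x annualized rate of occurrence). Risks are ranked by ALE, and a proposed control is accepted only when the ALE it removes exceeds its annual cost. All assets, dollar values, rates and control effects are constructed for illustration.

```python
"""Quantitative risk prioritization and control cost/benefit.

Added example, not from the lecture notes.  Walks the slide's questions for
a constructed register: what is protected (asset), against what (threat),
which risks matter most (ALE ranking), what happens if the risk materializes
(SLE), and how much to spend (net benefit of a control).  All figures are
constructed for illustration.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Risk:
    asset: str              # what am I trying to protect?
    threat: str             # what do I need to protect against?
    asset_value: float      # value of the asset, in dollars
    exposure_factor: float  # fraction of value lost in one incident (0..1)
    aro: float              # annualized rate of occurrence (incidents/year)

    @property
    def sle(self) -> float:
        """Single loss expectancy: what one incident costs."""
        return self.asset_value * self.exposure_factor

    @property
    def ale(self) -> float:
        """Annualized loss expectancy: expected loss per year."""
        return self.sle * self.aro


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    exposure_factor: float  # residual exposure factor with the control in place
    aro: float              # residual ARO with the control in place


def prioritize(risks):
    """Which risks are most critical?  Highest expected annual loss first."""
    return sorted(risks, key=lambda r: r.ale, reverse=True)


def residual(risk: Risk, control: Control) -> Risk:
    """The same risk after the control is applied."""
    return replace(risk, exposure_factor=control.exposure_factor, aro=control.aro)


def net_benefit(risk: Risk, control: Control) -> float:
    """ALE removed by the control minus what the control costs per year.
    Negative means the control costs more than the loss it prevents."""
    return risk.ale - residual(risk, control).ale - control.annual_cost


def justified(risk: Risk, control: Control) -> bool:
    return net_benefit(risk, control) > 0


# Constructed sample register and candidate controls (one per asset).
RISKS = [
    Risk("customer PII database", "external breach", 2_000_000, 0.25, 0.1),
    Risk("web storefront", "DDoS outage", 400_000, 0.5, 2.0),
    Risk("field laptops", "theft", 50_000, 0.3, 5.0),
]
CONTROLS = {
    "field laptops": Control("full-disk encryption", 5_000, 0.02, 5.0),
    "web storefront": Control("DDoS scrubbing service", 120_000, 0.5, 0.2),
    "customer PII database": Control("second DLP platform", 60_000, 0.25, 0.05),
}


def evaluate(risks=RISKS, controls=CONTROLS):
    """Ranked register: (asset, ALE, control, net benefit, justified?)."""
    rows = []
    for r in prioritize(risks):
        c = controls[r.asset]
        rows.append((r.asset, round(r.ale), c.name, round(net_benefit(r, c)), justified(r, c)))
    return rows


if __name__ == "__main__":
    for row in evaluate():
        print(row)
```

The point of the last column is the one the slide makes under costs/benefits: the PII control is rejected not because the risk is unimportant but because, on these numbers, it removes less loss than it costs, so the money is better spent on the DDoS and laptop controls first. Where a single-loss figure is hard to estimate, the same ranking works with ordinal likelihood and impact scores in place of dollars.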
Data/Information Classification
What is data classification?
A process-driven activity that categorizes organizational information for the purpose of managing and monitoring its usage, transmittal, storage and disposal, and the safeguards needed to ensure its protection.
When is data or information classification necessary?
When the data that needs protecting must be prioritized
When authorized or unauthorized disclosure would have an impact on the tangible or intangible assets of the organization or the mission it serves.
What are data classification’s objectives?
General
Minimize information risks like destruction, alteration or disclosure
Government
Avoid unauthorized disclosure
Comply with privacy law
Commercial
Maintain competitive edge
Protect legal tactics
Comply with laws
Roles and Models
Owners
Responsible for security
Determine sensitivity/criticality
Custodians
Possess information
Implement/administer controls in accordance with (IAW) the owner’s instructions
Users
Access data
Need to know basis
Comply with controls
Government:
Top Secret
Secret
Confidential
Unclassified
Commercial:
Eyes only
For Internal Use Only
Company confidential
Public
Leading Practices – Security Management
Keeping the business risks associated with information systems under control within an enterprise requires clear direction from executive management, allocation of adequate resources, and effective arrangements for promoting good information security practices across the enterprise.
Management Commitment
Security policy
Personnel policies
Established security organization – with accountability
Technical competency
Routine and special security awareness and education program
Data security and value classification
Accountability/ownership assignment
On-going risk analysis program
Established and current standards, procedures
Layered security architecture
Complete physical protections
Business continuity program
Ongoing monitoring
Management review and oversight
Integrated Information Security Framework
Information Security - Defined
Information Security is:
Protection of classified information that is stored on computers or transmitted by radio, telephone, teletype, or any other means.
The protection of information against unauthorized disclosure, transfer, modification, or destruction, whether accidental or intentional.
The protection of information systems against unauthorized access to or modification of information, whether in storage, processing or transit, and against the denial of service to authorized users or the provision of service to unauthorized users, including those measures necessary to detect, document, and counter such threats.
Ideal Attributes (Good)
Enabling, cost effective, contemporary
Unfortunate Attributes (Bad)
Cost of doing business, restrictive, overly complex, administratively burdensome
Avoidable Attributes (Ugly)
Ineffective, does not support business requirements
What does business expect from information security?
Challenges and Barriers
Where do security professionals typically fail?
Understanding the impact and implication of security on business and operations
Integrating the security engineering lifecycle with the IT development lifecycle
Positioning the need or case for change in terms that the business can understand
Working with management to develop and implement the process for change
Standard Conventions to dispel
Information security viewed as a cost vs. enabler
Approached as a ‘religion’, not a business-driven function
Emphasis just on technology, less on people, organization and process
Approaches to Security
There are many ways to address the application of security to contemporary organizations: the method or approach needs to be selected, one size does not fit all.
There are approaches to address a security need or requirement that do not involve technology. The important aspect of this is understanding the implications of the approach to a particular business. In some regards, it is the difference between being a security professional and a security product/service vendor.
Awareness and understanding of the scope of security have evolved over the past forty years. Each advancement added additional insights and features of security that addressed business and operational considerations.
Evolution of Information Security
Timeline as laid out on the slide, each stage broadening the scope of the one before it:
1960: Communication Security
1970: Computer Security
1980: Data Security
1983: Information Security
1988: Information System Security
1995: Enterprise Protection
200X: Enterprise Risk Management
Industrial Security appears on the slide without a date.
Evolution of Information Security
There are now ten domains in the Common Body of Knowledge associated with Information Security. Information Security Management plays a central role in integrating the ten domains, but each domain has its specific characteristics and skill requirements.
Most information security professionals enter the INFOSEC discipline through one or more areas, and don’t typically get experience in integrating their skills until much later in their career.
Information Security Disciplines
The ten domains, with Information Security Management at the center of the diagram:
Information Security Management
Security Architectures & Models
Applications & Systems Development Security
Operations Security
Physical Security
Telecommunications & Network Security
Laws, Investigations & Ethics
Business Continuity Planning
Cryptography
Access Control Systems & Methodologies
Purpose of Slide
Graphically depict the 10 areas of study that will be covered during the next 8 weeks.
Objectives/Discussion Points
While the arrangement of the domains is somewhat arbitrary, the placement of security management in the center is accurate in illustrating the role, function and interaction of the information security management function.
Ask the class – Have they experience in any one or more of the areas? And to specify.
Ask the class – if applicable, what is/was the method for introduction or preparation?
Ask the class – if applicable, what was the interaction between their area and other areas depicted?
Most information security professionals enter the discipline through one or more areas, and don’t typically get experience with the majority until much later in their career. The benefit of this class is that it provides a wide or comprehensive look at the areas, similar to the preparation of a general practitioner in medicine. During the course of the class and the program, it is likely that the students will find one or more area that they wish to specialize in, either in a profession or advanced research.
Key Points/Take-Aways or Summary
The domains are presented separately, and the degree that the students can recognize and leverage the interactions and dependencies will play a direct role in how they are able to apply the knowledge.
Transition to next slide:
That said, let’s start off the discussion with Security Management {next slide}
Security Awareness
Aspects of the Contemporary Security
Awareness Program
Key Points
Policy based
Mirrors management’s perspective regarding users’ responsibilities
Component of the risk management program
Contents
Introduces security features and standards for the organization
Acceptable use and disclosure policies
Addresses security responsibilities and reporting structures
Identifies and categorizes incidents
Establishes reporting procedures
Laws Related to Security
Many types of legal systems exist
Common law
Religious law
Civil law
Common law of the US
Three branches
Legislative – make statutory laws
Administrative – make administrative laws
Judicial – make common laws found in courts
Compilation of Statutory Law
Statutory laws are collected as session laws which are arranged in order of enactment, or as codes that arrange the law according to subject matter.
In US law (state and federal), session laws are found in the Statutes at Large (Stat.) and statutory codes are held in the United States Code (U.S.C.).
United States Code
The USC contains the following elements
Code title number
Abbreviation for the code (U.S.C.)
Statutory section number
Date of the edition or supplement
Example: “18 U.S.C. § 1001 (1992)”
Title 18 of the United States Code (Crimes and Criminal Procedure) is the title under which many federal computer crimes are prosecuted; § 1001 in this example is its false-statements section.
Computer Fraud and Abuse Act – “18 U.S.C. § 1030 (1986)”
Compilation of Administrative Law
Arranged chronologically in administrative registers or by subject matter in administrative codes.
Federal Register (Fed. Reg.)
Code of Federal Regulations (C.F.R.)
C.F.R. citations contain
Number of C.F.R. title
Abbreviation of the code
Section number
Year of publication
Example: “12 C.F.R. § 100.4 (1992)”
Common Law
System Categories
Criminal Law – covers crimes that violate laws enacted by government for the protection of the public. Punishment can be financial penalties and imprisonment.
Civil Law – covers wrongs (torts) that result in damage or loss to individuals or organizations. The remedy is financial: punitive, compensatory, or statutory damages.
Administrative Law – standards for performance and conduct set by government agencies. Punishment can be financial penalties and imprisonment.
Common Law
Other Categories
Intellectual Property Law
Patent – legally enforceable right to prevent others from practicing the invention for a period of time (in the US, 20 years from the filing date for applications filed since June 1995; the older term of 17 years was measured from grant)
Copyright – protects ‘original works of authorship’ from reproduction, adaptation, public distribution, and performances of the work.
Trade Secret – secures and maintains confidentiality of proprietary technical or business information.
Trademark – Establishes a word, name, symbol, etc. to identify goods and distinguish them from others.
Information Privacy Law
Protection of information about private individuals from disclosure or misuse.
Common Law
Intellectual property rights
Security Techniques to Protect Trade Secrets
Numbering Copies
Logging Document Issuance
Checking Files & Workstations
Secure Storage
Controlled Distribution
Limitations on Copying
Contractual Commitments to Protect Proprietary Rights
Licensing Agreements with Vendors
Liability for Compliance
Common Law
Information Privacy Law
EU law is more strict than US law
Principles
Data should be collected in accordance with the law
Information about an individual cannot be disclosed without permission of the law or individual
Records kept should be accurate and up to date
Individuals can correct errors in their personal data
Individuals can receive a report of data held on them
Personal information can only be transferred to locations where equivalent data protection is in place.
Common Law
Information Privacy (cont)
Example: private medical information
Healthcare security issues
Access controls need more granularity and least privilege
Most applications do not incorporate adequate security controls
Systems must be accessible to outside partners and members
Providing internet access to records
Criminal and Civil penalties can be imposed
Misuse of information can lead to public perception changing about an organization
Common Law
Information Privacy (cont)
Health Insurance Portability and Accountability Act (HIPAA )
August 21, 1996
Addresses issues of health care privacy in the US.
Rights that an individual who is a subject of individually identifiable health information should have
Procedures that should be established for the exercise of such rights
Uses and disclosures of information that should be authorized or required
Common Law
Electronic Monitoring
Must be conducted in a lawful manner
Must be applied in a consistent fashion
Enticement – luring an intruder further once unauthorized access has already been gained (e.g., a honeypot); generally lawful.
Entrapment – inducing someone to commit a crime they were not otherwise going to commit; unlawful, and a defense for the accused.
Computer Crime Laws
Federal
Computer Fraud and Abuse Act (Title 18, U.S. Code, § 1030) criminalizes:
*Accessing a Federal Interest Computer (FIC; the 1996 amendments broadened this to any “protected computer”) to acquire national defense information
Accessing an FIC to obtain financial information
Accessing an FIC to deny the use of the computer
*Accessing an FIC to effect a fraud
*Damaging or denying use of an FIC through transmission of code, program, information or command
Furthering a fraud by trafficking in passwords
Computer Crime Laws
Federal
Economic Espionage Act of 1996: Obtaining trade secrets to benefit a foreign entity
Electronic Funds Transfer Act: Covers the use, transport, sale, receipt or furnishing of counterfeit, altered, lost, stolen, or fraudulently obtained debit instruments in interstate or foreign commerce.
Child Pornography Prevention Act of 1996 (CPPA): Prohibits use of computer technology to produce child pornography.
Computer Security Act of 1987: Requires Federal Executive agencies to Establish Computer Security Programs.
Federal Computer Crime Laws (cont)
Electronic Communications Privacy Act (ECPA): Prohibits unauthorized interception or retrieval of electronic communications
Fair Credit Reporting Act: Governs the types of data that companies may collect on private citizens and how it may be used.
Foreign Corrupt Practices Act: Covers improper foreign operations, but applies to all companies registered with the SEC, and requires companies to institute security programs.
Freedom of Information Act: Permits public access to information collected by the Federal Executive Branch.
Computer Laws (continued)
Civil Law (Tort Law) - Getting sued for damages
Damage/Loss to an Individual or Business
Type of Punishment Different: No Incarceration
Primary Purpose is Financial Restitution
Compensatory Damages: Actual Damages, Attorney Fees, Lost Profits, Investigation Costs
Punitive Damages: Set by Jury to Punish Offender
Statutory Damages: Established by Law
Lower Burden of Proof: Preponderance of Evidence (a civil judgment, not a conviction)
Impoundment Orders/Writs of Possession: Equivalent to Search Warrant
Computer Laws (continued)
International Law: Lots of Problems
Lack of Universal Cooperation
Differences in Interpretations of Laws
Outdated Laws Against Fraud
Problems with Evidence Admissibility
Extradition
Low Priority
Computer Crime
Computer crime has to be treated as a separate category because ordinary rules don’t or can’t apply.
Rules of Property: Lack of Tangible Assets
Rules of Evidence: Lack of Original Documents
Threats to Integrity and Confidentiality: Go beyond the normal definition of a loss
Value of Data: Difficult to Measure. Cases of Restitution only for the Media
Terminology: Statutes have not kept pace. Is computer hardware “machinery”? Does software qualify as “supplies”?
Computer Crime (continued)
Difficulties in Prosecution
Understanding of computer issues: Judges, Lawyers, Police, Jurors
Evidence: Lack of Tangible Evidence
Forms of Assets: e.g., Magnetic Particles, Computer Time
Juveniles:
Many Perpetrators are Juveniles
Adults Don’t Take Juvenile Crime Seriously
Protection for Computer Objects
Hardware - Patents
Firmware
Patents for Physical Devices
Trade Secret Protection for Code
Object Code Software - Copyrights
Source Code Software - Trade Secrets
Documentation - Copyrights
Corporate Record keeping
Accuracy of Computer Records: Potential Use in Court
IRS Rules: Inadequate Controls May Impact Audit Findings
Labor and Management Relations
Collective Bargaining: Disciplinary Actions, Workplace Rules
Work Stoppage
Limitations on Background Investigations
Limitations on Drug and Polygraph Testing
Disgruntled Employees
Non-Disclosure Requirements
Immigration Laws
Establishment and Enforcement of Security Rules
Management Problems
Management Problems (cont)
Data Communications: Disclosure through -
Eavesdropping and Interception
Loss of Confidential Information
Outsourcing Issues
Contract Review
Review of Contractor’s Capabilities
Impact of Downsizing
Contractor Use of Proprietary Software
Chapter 2
Risk Analysis
Copyright © 2014 by McGraw-Hill Education.
Introduction
The objective of a security program is to mitigate risks. Mitigating risks does not mean eliminating them; it means reducing them to an acceptable level.
What is being protected?
What are the threats?
Where are the weaknesses that may be exploited?
Threat Definition
Threat vectors
Threat sources and targets
Types of attacks
Malicious mobile code
Advanced Persistent Threats (APTs)
Manual attacks
Threat Sources
Insider threats should be an important consideration in any security program.
Security professionals know that many real-world threats come from inside the organization, which is why just building a wall around your trusted interior is not good enough.
Threat Vectors
A threat vector is a term used to describe where a threat originates and the path it takes to reach a target. The slide's table, rebuilt as its three columns:
Sources (where a threat originates)
Employees
Contractors
Consultants
System integrators
Service providers
Resellers
Vendors
Cleaning staff
Third-party support
Competitors
Insiders
Terrorists
Internet attackers
Software
Malware
Software bugs
Accidents
Weather
Natural causes
Threats (what can happen)
Theft
Loss
Exposure
Unauthorized changes
Deletion (complete)
Deletion (partial)
Unauthorized addition
Fraud
Impersonation
Harassment
Espionage
Denial of service
Malfunction
Corruption
Misuse
Errors
Outages
Physical hazards
Injury
Targets (what is at risk)
Intellectual property
Trade secrets
Personally identifiable information
Protected health information
Financial data
Credit card numbers
Social Security numbers
Documents
Computers
Peripherals
Storage
Networks
Operating systems
E-mail
Voice communications
Applications
Privacy
Productivity
Health and safety
Types of Attacks
Threats found in the real world
Types of Security Controls
Preventative: Block security threats before they can exploit a vulnerability.
Detective: Discover and provide notification of attacks or misuse when they happen.
Deterrent: Stop people from wanting to violate policy.
Corrective: Restore the integrity of data or another asset.
Recovery: Restore the availability of a service.
Compensating: In a layered security strategy, provide protection even when another control fails.
Types of Attacks
Malicious Mobile Code
Computer viruses
Computer worms
e-mail worms
Trojans
Remote access Trojans
Zombie Trojans and DDoS attacks
Malicious HTML
Advanced Persistent Threats (APTs)
Manual Attacks
Physical attacks
Network-layer attacks
Application-layer attacks
Malicious Mobile Code
There are three generally recognized variants of malicious mobile code: viruses, worms, and Trojans. In addition, many malware programs have components that act like two or more of these types, which are called hybrid threats or mixed threats.
Lifecycle of malicious mobile code:
Find
Exploit
Infect
Repeat
Computer Viruses
A virus is a self-replicating program that uses other host files or code to replicate.
Anatomy of a Virus
The damage routine of a virus (or really of any malware program) is called the payload.
Payloads can be intentionally destructive, deleting files, corrupting data, copying confidential information, formatting hard drives, and removing security settings.
Types of Viruses
If the virus overwrites the host code with its own code, effectively destroying much of the original content, it is called an overwriting virus.
If the virus inserts itself into the host code, moving the original code around so the host programming still remains and is executed after the virus code, the virus is called a parasitic virus.
Viruses that copy themselves to the beginning of the file are called prepending viruses.
Viruses that place themselves at the end of a file are called appending viruses.
Viruses that appear in the middle of a host file are labeled mid-infecting viruses.
Example of an Overwriting Virus (diagram not reproduced)
Example of a Prepending Parasitic Virus (diagram not reproduced)
Computer Worms
A computer worm uses its own coding to replicate, although it may rely on the existence of other related code to do so.
The key to a worm is that it does not directly modify other host code to replicate.
E-mail Worms
Originates from e-mail
The worm first modifies the PC so that it is always loaded into memory when the machine starts.
It then looks for additional e-mail addresses to send itself to.
Trojans
Trojan horse programs, or Trojans, work by posing as legitimate programs that are activated by an unsuspecting user.
Remote Access Trojans
A RAT becomes a back door into the compromised system and allows the remote attacker to do virtually anything he or she wants to the compromised PC.
Zombie Trojans
Zombie Trojans infect a host and wait for their originating attacker’s commands telling them to attack other hosts.
Malicious HTML
Pure HTML coding can be malicious when it breaks browser security zones or when it can access local system files.
Advanced Persistent Threats (APTs)
The use of sophisticated malware for targeted cybercrime is known as advanced persistent threats (APTs).
Usually targeted at businesses and governments
Begins with a simple malware attack.
The initial malware “phones home” to a command and control (CnC) server to download further malware: rootkits, Trojans, RATs, and other sophisticated tools.
The RATs open connections to their CnC servers so that the human controllers can operate the compromised hosts.
Manual Attacks
Typical Attacker Scenarios
Port-scanning a particular IP subnet, looking for open TCP/IP ports
Attempting to identify the host or service by using fingerprinting mechanisms
Attempting to compromise the system in such a way as to gain the highest privileged access to the computer
Physical Attacks
If an attacker can physically access a computer, it’s game over.
Network-Layer Attacks
Packet Sniffing
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
08/02-12:00:44 0:60:8:26:85:D -> 0:40:10:C:9D:D type:0x800 len:0x43
x.x.x.x:1873 -> x.x.x.x:21 TCP TTL:128 TOS:0x0 ID:53973 IpLen:20 DgmLen:53 DF
***AP*** Seq: 0x1C88EB9C  Ack: 0xF308B9B7  Win: 0xFFCD  TcpLen: 20
55 53 45 52 20 72 6F 67 65 72 67 0D 0A  USER rogerg..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
08/02-12:00:46 0:60:8:26:85:D -> 0:40:10:C:9D:D type:0x800 len:0x43
x.x.x.x:1873 -> x.x.x.x:21 TCP TTL:128 TOS:0x0 ID:53978 IpLen:20 DgmLen:53 DF
***AP*** Seq: 0x1C88EBA9  Ack: 0xF308B9DA  Win: 0xFFAA  TcpLen: 20
50 41 53 53 20 70 61 72 72 6F 74 0D 0A  PASS parrot..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
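As an added example (not from the textbook or the slides), the following Python script parses a capture in the Snort-style layout shown above, decodes the hex payload, and flags FTP logins that crossed the wire in cleartext, redacting the password so that the alert itself does not become a second exposure. The sample capture is constructed to mirror the slide, and the port-to-service table is an assumption.

```python
import re
from dataclasses import dataclass

# Constructed sample in the Snort-style layout of the slide's capture (not a real capture)
SAMPLE_CAPTURE = """\
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
08/02-12:00:44 0:60:8:26:85:D -> 0:40:10:C:9D:D type:0x800 len:0x43
x.x.x.x:1873 -> x.x.x.x:21 TCP TTL:128 TOS:0x0 ID:53973 IpLen:20 DgmLen:53 DF
***AP*** Seq: 0x1C88EB9C Ack: 0xF308B9B7 Win: 0xFFCD TcpLen: 20
55 53 45 52 20 72 6F 67 65 72 67 0D 0A  USER rogerg..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
08/02-12:00:46 0:60:8:26:85:D -> 0:40:10:C:9D:D type:0x800 len:0x43
x.x.x.x:1873 -> x.x.x.x:21 TCP TTL:128 TOS:0x0 ID:53978 IpLen:20 DgmLen:53 DF
***AP*** Seq: 0x1C88EBA9 Ack: 0xF308B9DA Win: 0xFFAA TcpLen: 20
50 41 53 53 20 70 61 72 72 6F 74 0D 0A  PASS parrot..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
"""

# Services whose logins cross the wire in cleartext on their standard ports (assumed list)
CLEARTEXT_SERVICES = {21: "FTP", 23: "Telnet", 110: "POP3"}
TS_RE = re.compile(r"^(\d{2}/\d{2}-\d{2}:\d{2}:\d{2})\s", re.M)
HDR_RE = re.compile(r"^(\S+:\d+)\s*->\s*(\S+):(\d+)\s+TCP\b", re.M)
SEP_RE = re.compile(r"^=\+=.*$", re.M)

@dataclass
class Finding:
    timestamp: str
    src: str
    dst: str
    service: str
    command: str   # "USER" or "PASS"
    detail: str    # the username, or "<redacted>" so the alert never stores a password

def hex_prefix_bytes(line: str) -> bytes:
    # Decode the run of two-digit hex tokens that starts a payload line; other lines yield b"".
    out = bytearray()
    for tok in line.split():
        if len(tok) != 2 or any(c not in "0123456789abcdefABCDEF" for c in tok):
            break
        out.append(int(tok, 16))
    return bytes(out)

def find_cleartext_logins(capture: str) -> list[Finding]:
    # Each packet record sits between =+=+ separator lines; flag USER/PASS sent to a cleartext service.
    findings = []
    for rec in SEP_RE.split(capture):
        hdr = HDR_RE.search(rec)
        if not hdr or int(hdr[3]) not in CLEARTEXT_SERVICES:
            continue
        service = CLEARTEXT_SERVICES[int(hdr[3])]
        ts = TS_RE.search(rec)
        where = (ts[1] if ts else "", hdr[1], f"{hdr[2]}:{hdr[3]}", service)
        payload = b"".join(hex_prefix_bytes(line) for line in rec.splitlines())
        cmd, _, arg = payload.decode("ascii", "replace").strip().partition(" ")
        if cmd.upper() == "USER":
            findings.append(Finding(*where, "USER", arg))
        elif cmd.upper() == "PASS":
            findings.append(Finding(*where, "PASS", "<redacted>"))
    return findings
```

Running `find_cleartext_logins(SAMPLE_CAPTURE)` yields two findings for the FTP session, one for the username and one recording only that a password was seen.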
Protocol-Anomaly Attacks
Network packets that do not follow the intended format and purpose of the protocol.
The attacker can either compromise a remote host or network or compromise a confidential network data stream.
Network-layer attacks are most often used to get past firewalls and to cause denial of service (DoS).
Application-Layer Attacks
Content attacks
Buffer overflows
Password cracking
P2P attacks
Man-in-the-middle attacks
ARP poisoning
MAC flooding
DHCP poisoning
DNS spoofing
ICMP poisoning
Wireless attacks
Risk Assessment
Analyze and categorize the things to be protected and avoided.
Facilitate the identification and prioritization of protective elements.
Provide a means to measure the effectiveness of the overall security architecture.
The Definition of Risk
Risk is the probability of an undesired event (a threat) exploiting a vulnerability to cause an undesired result to an asset.
Risk = Probability (Threat + Exploit of Vulnerability) × Cost of Asset Damage
Annualized Loss Expectancy (ALE) = Single Loss Expectancy (SLE) × Annualized Rate of Occurrence (ARO)
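As an added example (not from the textbook), the following Python carries the ALE formula through a constructed set of threat/asset pairs, ranks them for prioritization, and adds the standard control cost-benefit comparison, which the slide does not state; every dollar figure and rate is made up for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Risk:
    asset: str    # what is being protected
    threat: str   # the undesired event that could exploit a vulnerability
    sle: float    # single loss expectancy: cost of one occurrence, in dollars
    aro: float    # annualized rate of occurrence: 0.1 means once per ten years

    @property
    def ale(self) -> float:
        # ALE = SLE x ARO, the annualized loss expectancy from the slide
        return self.sle * self.aro

def prioritize(risks: list[Risk]) -> list[Risk]:
    # Highest annualized loss first: the order in which controls should be considered
    return sorted(risks, key=lambda r: r.ale, reverse=True)

def control_benefit(risk: Risk, residual_ale: float, annual_control_cost: float) -> float:
    # Standard cost-benefit extension (assumed, not on the slide):
    # benefit = (ALE before the control - ALE after it) - annual cost of the control.
    # A negative result means the control costs more per year than the loss it prevents.
    return (risk.ale - residual_ale) - annual_control_cost

# Constructed sample figures for illustration only
SAMPLE_RISKS = [
    Risk("Credit card numbers", "Theft via packet sniffing", sle=500_000, aro=0.2),
    Risk("E-mail", "E-mail worm outbreak", sle=40_000, aro=2.0),
    Risk("Storage", "Complete deletion by accident", sle=25_000, aro=0.5),
    Risk("Computers", "Weather (flooding)", sle=200_000, aro=0.02),
]

if __name__ == "__main__":
    for r in prioritize(SAMPLE_RISKS):
        print(f"{r.ale:>10,.0f}  {r.asset}: {r.threat}")
    # Does protecting the FTP channel pay off? Assume it cuts the residual ALE to 5,000 at 20,000/year.
    print("net benefit:", control_benefit(SAMPLE_RISKS[0], residual_ale=5_000, annual_control_cost=20_000))
```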
Summary
Threat definition and risk assessment are necessary to focus the security program on the areas that are most important and relevant to the environment.
Threat definition should take into account threat vectors that represent the greatest potential harm.
Many threat sources and targets need to be considered:
Malicious mobile code
Advanced persistent threats
Manual attacks
Once the threats are identified, risks should be analyzed.
Risk is a combination of the threats, exploitation of vulnerabilities, and the resulting cost of damage.
Based on this analysis, the proper defensive, detective, and deterrent controls can be applied.