The document discusses various topics related to computer security including threats, attacks, and security mechanisms. It defines key terms like intruder, threat, attack, and different types of security breaches. It describes common attack methods like masquerading, replay attacks, and man-in-the-middle attacks. It also discusses security mechanisms at the physical, human, operating system, and network levels and techniques for user authentication.
3. Protection is strictly an internal problem. Security, on the other
hand, requires not only an adequate protection system but also
consideration of the external environment within which the system
operates.
We say that a system is secure if its resources are used and
accessed as intended under all circumstances. Unfortunately, total
security cannot be achieved. Nonetheless, we must have
mechanisms to make security breaches a rare occurrence rather
than the norm.
Security violations of the system can be categorized as:
Intentional
Accidental
It is easier to protect against accidental misuse than against
intentional misuse.
4. Intruder and cracker: those attempting to
breach security.
Threat: The potential for a security violation
such as the discovery of a vulnerability.
Attack: The attempt to break security.
5. Breach of confidentiality: This type of violation involves
unauthorized reading of data or theft of information.
Capturing secret data from a system or a data stream, such
as credit card information or identity information for identity
theft can result directly in money for the intruder.
Breach of integrity: This violation involves unauthorized
modification of data. Such attacks can, for example, result in
passing liability to an innocent party or modification of the
source code of an important commercial application.
6. Breach of availability: This violation involves unauthorized
destruction of data. Web-site defacement is a common
example of this type of security breach.
Theft of service: This violation involves unauthorized use
of resources.
Denial of service: This violation involves preventing
legitimate use of the system. These attacks are sometimes
accidental.
7. Attackers use several methods in their attempts to breach
security:
A. The most common is masquerading, in which one participant in a
communication pretends to be someone else (another host or a
person). By masquerading, attackers breach authentication, the
correctness of identification; they can gain access that they would not
normally be allowed, or escalate their privileges, obtaining privileges to
which they would not normally be entitled.
B. Another common attack is to replay a captured exchange of data. A
replay attack consists of the malicious or fraudulent repeat of a valid
data transmission. Sometimes the replay comprises the entire attack,
for example in a repeat of a request to transfer money. But frequently it
is done along with message modification, again to escalate privileges.
C. Yet another kind of attack is the man-in-the-middle attack, in which the
attacker sits in the data flow of a communication, masquerading as the
sender to the receiver and vice versa. In a network communication, a
man-in-the-middle attack may be preceded by a session hijacking, in
which an active communication session is intercepted.
9. 1) Physical: The site or sites containing the computer systems must
be physically secured against armed or surreptitious entry by
intruders.
2) Human: Authorization must be done carefully to assure that
only appropriate users have access to the system.
3) Operating System: The system must protect itself from
accidental or purposeful security breaches.
4) Network: Much computer data in modern systems travels over
private leased lines, shared lines like the Internet, wireless
connections, or dial-up lines. Intercepting these data could be
just as harmful as breaking into a computer, and interruption of
communications could constitute a remote denial-of-service
attack, diminishing users' use of and trust in the system.
10. If a system cannot authenticate a user, then authenticating that a
message came from the user is pointless. Thus a major security
problem for operating systems is user authentication.
So how do we determine whether a user's identity is authentic?
Generally, user authentication is based on one or more of three
things:
1) The user's possession of something: a card or a key.
2) The user's knowledge of something: a user identifier and a
password.
3) An attribute of the user: fingerprint, retina pattern or signature.
11. The most common approach to authenticating a user identity
is the use of passwords. When the user identifies himself by user
ID or account name, he is asked for a password. If the user-
supplied password matches the password stored in the
system, the system assumes that the account is being accessed
by the owner of the account.
Different passwords may be associated with different access
rights. But in practice most systems require only one password
for a user to gain full rights.
12.
Unfortunately, passwords can often be guessed, accidentally
exposed, sniffed or illegally transferred from an authorized user to
an unauthorized one.
13. There are three common ways to guess a password:
1. One way is for the intruder to know the user or to have information
about the user. All too frequently, people use obvious information as
their passwords.
2. Another way is to use brute force, trying enumeration, that is, all
possible combinations of valid password characters until the
password is found. Short passwords are especially vulnerable to this
method.
Enumeration is less successful where systems allow longer passwords
that include both uppercase and lowercase letters along with all
numbers and punctuation characters.
3. Passwords can also be exposed as a result of visual or electronic
monitoring.
14. One problem with all these approaches is the difficulty of keeping
the passwords secret within the computer.
The UNIX system uses encryption to avoid the necessity of keeping its
password list secret.
Each user has a password. The system contains a function that is
extremely difficult, if not impossible, to invert but easy to compute. This
function is used to encode all the passwords. Only encoded
passwords are stored.
When a user presents a password, it is encoded and compared
against the stored encoded password. Even if the stored encoded
password is seen, it cannot be decoded, so the password cannot
be determined. Thus the password file does not need to be kept
secret.
15. This approach can be generalized to the use of an algorithm as
a password. The algorithm might be an integer function, for
example. The system selects a random integer and presents it to
the user. The user applies a function and replies with the correct
result. The system also applies the same function. If the two
results match, access is allowed.
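The two schemes of slides 14 and 15, as an added example that is not from the slides or the textbook: a password file holding only one-way encodings (here PBKDF2-SHA256 with a per-user random salt, an addition to the slide's scheme that also slows the enumeration attack of slide 13), and a challenge/response login in which the shared "integer function" is modelled as HMAC over the random challenge. All key and password values are constructed.

```python
import hashlib
import hmac
import os

# Slide 14: only the one-way encoding of each password is kept, never the
# password itself. The salt makes equal passwords encode differently, and the
# iteration count makes each brute-force guess (slide 13) expensive.
ITERATIONS = 100_000

def encode_password(password: str, salt: bytes) -> bytes:
    """The 'easy to compute, hard to invert' function of slide 14 (PBKDF2-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def create_entry(password: str) -> dict:
    """Build the record stored in the password file for one user."""
    salt = os.urandom(16)
    return {"salt": salt.hex(), "encoded": encode_password(password, salt).hex()}

def verify_password(entry: dict, attempt: str) -> bool:
    """Encode the presented password and compare with the stored encoding.
    compare_digest runs in constant time, so timing does not reveal how many bytes matched."""
    candidate = encode_password(attempt, bytes.fromhex(entry["salt"]))
    return hmac.compare_digest(candidate, bytes.fromhex(entry["encoded"]))

# Slide 15: algorithm as password. The function shared by user and system is
# modelled as HMAC-SHA256 under a shared key (constructed choice, not the slide's).
def issue_challenge() -> int:
    """System side: pick a random integer and present it to the user."""
    return int.from_bytes(os.urandom(8), "big")

def respond(shared_key: bytes, challenge: int) -> str:
    """User side: apply the agreed function to the challenge."""
    return hmac.new(shared_key, challenge.to_bytes(8, "big"), "sha256").hexdigest()

def check_response(shared_key: bytes, challenge: int, response: str) -> bool:
    """System side: apply the same function and compare the two results."""
    return hmac.compare_digest(respond(shared_key, challenge), response)

if __name__ == "__main__":
    entry = create_entry("correct horse")          # constructed password
    print("stored record:", entry)                 # reveals nothing about the password
    print(verify_password(entry, "correct horse"), verify_password(entry, "wrong"))
    key = b"shared-secret-between-user-and-system"  # constructed shared key
    c = issue_challenge()
    r = respond(key, c)
    # A captured response is useless against the next, different challenge.
    print(check_response(key, c, r), check_response(key, issue_challenge(), r))
```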
Yet another variation on the use of passwords for authentication
involves the use of biometric measures. Palm or hand readers are
commonly used to secure physical access. These readers match
stored parameters against what is being read from hand-reader
pads. The parameters can include temperature maps, finger
length, finger width and line patterns. But devices for biometric
measures are currently too large and expensive to be used for
normal computer authentication.
18. • A Trojan horse is a code segment that misuses its
environment.
• A Trojan is a type of malware that masquerades as
a legitimate file or helpful program, possibly with the
purpose of granting a hacker unauthorized access to
a computer.
• According to a survey conducted by BitDefender
from January to June 2009, "Trojan-type malware is
on the rise, accounting for 83-percent of the global
malware detected in the world."
19. • Long search paths, such as are
common on UNIX systems, exacerbate
the Trojan horse problem. For
instance, the “.” character in a
search path tells the shell to include
the current directory in the search.
So, if a user A has “.” in his search
path, has set his current directory to
user B’s directory, and enters a normal
system command, the command
would be executed from user B’s
directory instead. The program would
run on user B’s domain, allowing the
program to do anything that the user is
allowed to do, including deleting files.
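A defensive check for the search-path problem described above, added here and not taken from the slides: it flags the entries of a PATH value that make the shell look in the current directory (“.”, and also an empty entry), and shows which file a command name would resolve to for a given PATH and working directory. Note that a planted program found this way runs with the privileges of whoever typed the command. The directory names and file set are constructed so the code runs offline.

```python
import os

def audit_search_path(path_value: str) -> list:
    """Return (entry, reason) pairs for every PATH entry that is searched relative
    to the current directory. An empty entry ('::', leading or trailing ':') means
    the current directory, exactly like '.'."""
    findings = []
    for entry in path_value.split(":"):
        if entry in ("", "."):
            findings.append((entry or "<empty>", "current directory is searched"))
        elif not os.path.isabs(entry):
            findings.append((entry, "relative entry resolves against the current directory"))
    return findings

def resolve_command(command: str, path_value: str, cwd: str, existing_files: set) -> str:
    """Which file the shell would execute for `command`: the first PATH entry, in order,
    that contains it. `existing_files` stands in for the filesystem so this runs offline.
    Returns '' if the command is not found."""
    for entry in path_value.split(":"):
        if entry in ("", "."):
            directory = cwd
        elif os.path.isabs(entry):
            directory = entry
        else:
            directory = os.path.join(cwd, entry)
        candidate = os.path.join(directory, command)
        if candidate in existing_files:
            return candidate
    return ""

if __name__ == "__main__":
    # Constructed scenario from the slide: user A's PATH starts with '.', and A has
    # changed into user B's directory, where a program named 'ls' has been placed.
    files = {"/home/userB/ls", "/usr/bin/ls"}
    risky_path = ".:/usr/bin"
    print(audit_search_path(risky_path))                          # flags '.'
    print(resolve_command("ls", risky_path, "/home/userB", files))  # B's copy wins
    print(resolve_command("ls", "/usr/bin:.", "/home/userB", files))  # system copy wins
    print(audit_search_path("/usr/local/bin:/usr/bin:/bin"))       # nothing to report
```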
20. Use of the machine as part of a botnet (e.g. to
perform automated spamming or to distribute
denial-of-service attacks)
Electronic money theft
Data theft (e.g. retrieving passwords or credit card
information)
Installation of software, including third-party
malware
Downloading or uploading of files on the user's
computer
Modification or deletion of files
Crashing the computer
Anonymizing Internet viewing
22. An unsuspecting user logs in at
a terminal and notices that he
has apparently mistyped his
password. He tries again and is
successful. What has happened
is that his authentication key
and password have been
stolen by the login emulator
that was left running on the
terminal by the thief. The
emulator stored away the
password, printed out a login
error message, and exited; the
user was then provided with a
genuine login prompt.
24. Trap Door is a type of security breach where the designer of a
program or a system leaves a hole in the software that only he is
capable of using.
A Trap Door is a secret entry point into a program that allows
someone to gain access without normal methods of access
authentication.
Trapdoors can be included in the compiler as well. The compiler
could generate standard object code as well as a
trapdoor, regardless of the source code being compiled.
Trapdoors pose a difficult problem since to detect them we have
to analyze all the source code for all components of a system.
25. Programmers have been arrested for embezzling from banks by
including rounding errors in their code, and having the
occasional half cents credited to their accounts. This account
crediting can add up to a large sum of money, considering the
number of transactions that a large bank executes.
27. Stack or buffer overflow is the most common way for an
attacker outside of the system, on a network or dial-up
connection, to gain unauthorized access to the target system.
It can be used by the unauthorized user for privilege escalation.
Buffer overflow attacks are especially pernicious, as they can be
run within a system and travel over allowed communication
channels. They can even bypass the security added by firewalls.
28. The attacker exploits a bug in the program. The bug can be a
simple case of poor programming, in which the programmer
neglected to code bounds checking on an input field. In this
case, the attacker sends more data than the program was
expecting. Using trial and error, or by examination of the source
code of the attacked program if it is available, the attacker
determines the vulnerability and writes a program to do the
following:
1. Overflow an input field, command-line argument, or input
buffer until it writes into the stack.
2. Overwrite the current return address on the stack with the
address of the exploit code loaded in the next step.
3. Write a simple set of code for the next space in the stack that
includes the commands that the attacker wishes to execute
(e.g. spawn a shell).
30. A virus is a fragment of code embedded in a legitimate
program, unlike a worm, which is structured as a
complete, standalone program.
Spread of Viruses
Viruses are spread by users downloading viral programs from
public bulletin boards or exchanging disks containing an
infection.
Exchange of Microsoft Office documents is a common form
of virus transmission these days, because these documents
contain so-called macros, which are Visual Basic programs.
31. The Creeper virus was
first detected on ARPANET.
Creeper was an experimental
self-replicating program
written by Bob Thomas at BBN
Technologies in 1971. Creeper
used the ARPANET to infect
DEC PDP-10 computers running
the TENEX operating system.
Creeper gained access via the
ARPANET and copied itself to
the remote system where the
message, "I'm the
creeper, catch me if you can!"
was displayed. The Reaper
program was created to
delete Creeper.
32. On March 6, 1992, the
517th birthday of
Michelangelo, the
Michelangelo virus was
scheduled to erase infected
hard disk files. But because of
the extensive popularity
surrounding the virus, most sites
had detected and destroyed
the virus before it was
activated, so it caused little or
no damage.
33. In 2000, the Love Bug became
very widespread. It appeared
to be a love note sent by a
friend of the receiver. Once
invoked, by opening the Visual
Basic script, it propagated by
sending itself to the first users in
the user’s email contact list. It just
clogged users’ inboxes and email
systems, but was relatively
harmless.
35. A worm is a process that uses the spawn mechanism to
clobber system performance.
The worm spawns copies of itself, using up system resources
and perhaps locking out system use by all other processes.
Worms spread:
independently of human action
usually by utilizing a security hole in a piece of software
by scanning a network for another machine that has a
specific security hole and copying themselves to the new machine using
the security hole
36. Robert Tappan Morris is an
American computer scientist, best
known for creating the Morris Worm
in 1988, considered the first
computer worm on the Internet, and
subsequently becoming the first
person convicted under the Computer
Fraud and Abuse Act.
39. Denial of service does not involve stealing resources or gaining
information, but rather disabling legitimate use of a system or facility.
It is easier than breaking into a machine.
Such attacks are network based.
They fall into 2 categories:
1. An attack that uses so many facility resources that, in essence, no
work can be done.
2. An attack that disrupts the network facility of the computer.
It is impossible to prevent denial-of-service attacks. Frequently it is
difficult to determine whether a system slowdown is due to a surge in use or an
attack.
41. MAJOR Techniques
Defense in Depth
Security Policy
Vulnerability Assessment
Intrusion Detection
Virus Protection
42. Broadest security tool available
Source and destination of messages cannot be trusted
without cryptography
Means to constrain potential senders (sources) and/or
receivers (destinations) of messages
Based on secrets (keys)
Symmetric and asymmetric encryption
43. A computer security policy defines the goals and elements of
an organization's computer systems. The definition can be highly
formal or informal. Security policies are enforced by organizational
policies or security mechanisms. A technical implementation
defines whether a computer system is secure or insecure. These
formal policy models can be categorized into the core security
principles of confidentiality, integrity and availability.
Formal policy models:
Confidentiality policy model
Integrity policy model
Hybrid policy model
44. A vulnerability assessment is the process of
identifying, quantifying, and prioritizing (or ranking) the
vulnerabilities in a system. Examples of systems for which
vulnerability assessments are performed include, but are not
limited to, information technology systems, energy supply
systems, water supply systems, transportation systems, and
communication systems.
Assessments are typically performed according to the following
steps:
Cataloging assets and capabilities (resources) in a system.
Assigning quantifiable value (or at least rank order) and
importance to those resources.
Identifying the vulnerabilities or threats to each resource.
Mitigating or eliminating the most serious vulnerabilities for the
most valuable resources.
45. An intrusion detection system (IDS) is a device or software
application that monitors network or system activities for malicious
activities or policy violations and produces reports to a
Management Station.
Some systems may attempt to stop an intrusion attempt but
this is neither required nor expected of a monitoring system.
Intrusion detection and prevention systems (IDPS) are primarily
focused on identifying possible incidents, logging information
about them, and reporting attempts.
In addition, organizations use IDPSes for other
purposes, such as identifying problems with security
policies, documenting existing threats and deterring individuals
from violating security policies.
46. All intrusion detection systems use one of two detection techniques:
Statistical anomaly-based IDS
A statistical anomaly-based IDS determines what normal network activity looks like:
what sort of bandwidth is generally used, what protocols are
used, what ports and devices generally connect to each other. It then
alerts the administrator or user when traffic is detected which is
anomalous (not normal).
Signature-based IDS
A signature-based IDS monitors packets on the network and compares them
with pre-configured and pre-determined attack patterns known as
signatures. The issue is that there will be a lag between a new threat being
discovered and a signature being applied in the IDS for detecting the
threat. During this lag time the IDS will be unable to identify the threat.
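Both detection techniques run over the same constructed connection log, as an added example that is not from the slides: the signature matcher catches the request containing a known attack pattern but says nothing about the traffic spike, while the bandwidth baseline flags the spike but not the small malicious request. A request using a pattern that is not yet in the signature table would be missed, which is the lag the slide describes. Log records, thresholds and signatures are all constructed.

```python
import re
import statistics

# Constructed log: (minute, source address, destination port, bytes, request summary)
LOG = [
    (1, "10.0.0.5", 80, 12_000, "GET /index.html"),
    (2, "10.0.0.5", 80, 11_500, "GET /about.html"),
    (3, "10.0.0.7", 443, 13_000, "TLS handshake"),
    (4, "10.0.0.5", 80, 12_400, "GET /news.html"),
    (5, "10.0.0.9", 80, 11_900, "GET /index.html"),
    (6, "10.0.0.5", 80, 12_100, "GET /contact.html"),
    (7, "10.0.0.42", 80, 250_000, "GET /index.html"),       # unusual volume, ordinary request
    (8, "10.0.0.42", 80, 400, "GET /?q=' OR '1'='1"),       # ordinary volume, known attack pattern
]

# Signature-based: pre-configured patterns for known attacks (constructed, illustrative).
SIGNATURES = {
    "sqli-tautology": re.compile(r"'\s*OR\s*'1'\s*=\s*'1", re.IGNORECASE),
    "path-traversal": re.compile(r"\.\./\.\./"),
}

def signature_alerts(log):
    """Every (minute, signature name) where a record's request matches a known pattern."""
    return [(minute, name)
            for minute, _src, _port, _size, request in log
            for name, pattern in SIGNATURES.items()
            if pattern.search(request)]

# Anomaly-based: learn normal bandwidth from a baseline window, then flag later
# minutes whose volume exceeds the mean by more than `threshold` standard deviations.
def anomaly_alerts(log, baseline_minutes, threshold=3.0):
    baseline = [size for minute, _s, _p, size, _r in log if minute <= baseline_minutes]
    mean, stdev = statistics.mean(baseline), statistics.pstdev(baseline)
    return [(minute, size)
            for minute, _s, _p, size, _r in log
            if minute > baseline_minutes and size - mean > threshold * stdev]

if __name__ == "__main__":
    print("signature alerts:", signature_alerts(LOG))      # minute 8 only
    print("anomaly alerts:  ", anomaly_alerts(LOG, 6))     # minute 7 only
```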
47. The problem of viruses can be dealt with by using
antivirus software. It works by searching all the
programs on a system for the specific pattern of
instructions known to make up a virus. When it finds a
known pattern, it removes the
instructions, disinfecting the program.
The best protection against viruses is the method of safe
computing: purchasing unopened software from a
vendor and avoiding free or pirated copies from public
sources or disk exchange.
48. Protection
Antivirus software can provide real-time protection, meaning it can prevent
unwanted processes from accessing your computer while you surf the Internet.
Cleanup
Antivirus software allows you to scan your computer for viruses and other
unwanted programs, and provides you with the tools to get rid of them.
Alerts
Antivirus programs can alert you when something is trying to access your
computer, or when something in your computer is trying to access something on the
Internet.
Updates
Antivirus programs can update themselves, keeping your computer's
protection up to date without you having to manually update it.
Further Protection
If antivirus software finds an infected file that cannot be deleted, it can
quarantine the file so that it cannot infect other files or programs on your computer.
50. A choke point of control and monitoring
Interconnects networks with differing trust
Imposes restrictions on network services
• only authorized traffic is allowed
Auditing and controlling access
• can implement alarms for abnormal behavior
Itself immune to penetration
Provides perimeter defence
52. Useless against attacks from the inside
• Evildoer exists on inside
• Malicious code is executed on an internal machine
Organizations with greater insider threat
• Banks and Military
Protection must exist at each layer
• Assess risks of threats at every layer
Cannot protect against transfer of all virus-infected
programs or files
• because of the huge range of O/S and file types
Can be spoofed and tunneled.
53. Book: Operating System Concepts [Silberschatz, Galvin, Gagne]
Websites: www.google.com
www.wikipedia.com
Pictures: Google Images