CSS 211 - Introduction to Network Security

Lesson 1 - Introduction to Security; System Threats and Risks

Objectives:

This lesson introduces the student to basic concepts about the need for computer system security. Objectives important to this lesson:

  1. Securing information
  2. Definition of terms
  3. Types of attackers
  4. Formal structure of an attack
  5. Five classic defense methods
  6. Information security careers
  7. Information about Security+ certification
  8. Types of software attacks
  9. Types of hardware attacks
  10. Virtualization
  11. Attacks on virtual systems

Concepts:

Chapter 1 begins with some anecdotes about security issues to impress the student with the need for information system security. We might presume that someone who signs up for this class has the idea that such needs exist already. The author presents examples of several ways a computer system might be attacked, compromised, or otherwise damaged:

  • A virus or malware program might be placed in some electronic device that you would not normally consider a threat, so that it could infect USB sticks that accessed it, making the USB stick a carrier of the virus for any computer it was plugged into later
  • The text discusses a classic "Nigerian email" scam, also known as the Nigerian General or the Nigerian Bank Manager scam. Current events being what they are (changes of leadership in other countries, second half of 2011), I would expect variations on this scam to include Libyan and Egyptian themes sooner or later.
  • The text discusses booby-trapped web pages. These do not always wait for unwary web surfers; links to them are often included in emails to potential marks (scam victims). Web browsers and personal security programs are including protection from such things, but they are a moving target.
  • Specific web based scams use phishing sites. The idea is to get an email recipient to go to a web page, or use email to send sensitive information like login ID and password to the scammer. The mark is supposed to believe that the scammer is actually a trusted authority, like a bank, utility company, or other service vendor. The web addresses used for these sites are often meant to be temporary, so a definitive list must always be changing.
  • Customer data is always at risk of being stolen by system break ins. Watch the news for new developments.
  • Identity theft is a common fear: you can get a rider for it on your homeowner insurance.
  • Theft of laptops holding secure information results in a much worse loss than losing the hardware itself.

Some types of attacks are hard to defend against, according to the chart on page 7. Reasons why:

  • Speed of attack - interconnected computers pass viruses and worms faster and faster
  • Sophistication - attack traffic on a network can look like any other traffic, the attack can morph (change) so it looks different as time goes by
  • Simple tools - attack tools are easily available and easy to use: better tools means you don't have to be a good hacker to attack a system well
  • Vulnerabilities detected and acted upon - zero day attacks: an attack on a system based on a newly discovered method or newly uncovered vulnerability
    Almost all viruses start out this way. Antivirus programs provide no protection against new viruses until the analysts who write protection and cleaning algorithms know about the virus.
  • Lack of timely patching - Delays in patching known issues in software and firmware. Have you noticed that Microsoft, for example, tends to put out patches and updates the 2nd Tuesday of every month? How does that schedule strike you? Often enough, not often enough, or too often?
  • Distributed attacks - attacks that take place from many computers at once, typically from already infected or compromised machines.
  • User confusion - the average user does not have a clue whether a security question on a screen is important, much less what the right answer to it might be (The current process is trying to make a change to your system. Do you want to permit this?)

The text turns to a series of definitions that may not seem to apply to all cases. That may be true, but they are general definitions, a starting point to consider what we are working with and working toward.

  • information security - the text starts by saying this means guarding digital information. We should remember that some information is also stored on paper, in photographs, and in other media that also need to be protected. The focus of this text seems to be digital information, but the author would surely agree the other media should be secure as well.

The author discusses the idea that a security program cannot guarantee freedom from attack. The goal is to eliminate or minimize damage from attacks that take place. He provides a justification for providing such protection: to maintain the value of information. He says that there are three aspects of information that are typically protected:

  • confidentiality - information is accessed only by those who are meant to access it
  • integrity - information is correct, and has not been altered except by authorized persons
  • availability - information is accessible when needed

The rather long formal definition of information security that appears on page 10 adds three more concepts: products, people, and procedures are what provide the protection. Products refers to hardware and software such as firewall devices and authentication software. People would primarily be whoever installs and uses security products. Procedures means plans, policies, and actual steps carried out by those who use information, as well as by those who protect it. I think it is a bit of a reach to have the formal definition include three attributes of information, three ways it is used in a system, and three entities that protect it. This is likely one of those certification question points that we just have to accept as worded the way it is worded, and we aren't allowed to improve it.

The text moves on to discuss more vocabulary, illustrated by a story about a woman who wants to put a new stereo system in her car. The story is useful, but not necessary to understand the terms.

  • asset - information that we care about
  • threat - a potential form of loss or damage; many threats are only potential threats
  • threat agent - a vector for the threat, a way for the threat to occur; could be a person, an event, or a program running an attack
  • vulnerability - a weak spot where an attack is more likely to succeed
  • exploit - a method of attack
  • risk - the probability of a loss; the text has this right on page 12, but the chart on page 13 is wrong. The chart is not showing how likely a loss is, it shows how to mitigate (reduce) a risk.

The next section of the text lists several goals of information security that could also be considered as benefits of it.

  • preventing data theft - prevention of loss is an obvious benefit of a working security system
  • preventing identity theft - this is not necessarily different from the first bullet, since identity information is one kind of data; stolen identity information, however, has a more personal effect on the victims than the simple theft of other corporate data, and provides a means to defraud each victim multiple times
  • avoiding legal consequences - those who do not protect their data may be subject to legal charges; the text has a list of several applicable state and federal acts in the US:
    • HIPAA (Health Insurance Portability and Accountability Act), prohibits disclosure of protected health data, with penalties up to $250,000 and 10 years in prison for trying to sell it
    • Sarbox (Sarbanes-Oxley Act of 2002), a reaction to corporate fraud and corruption; provides penalties up to $5,000,000 and 20 years in prison for officers who file false corporate reports
    • GLBA (Gramm-Leach-Bliley Act), protects consumer data at banks and financial institutions, provides penalties up to $500,000 for unauthorized disclosure
    • USA Patriot Act of 2001, authorized law enforcement agencies to obtain documents and data if they have a court order, subpoena, or other authorization; provides several penalties for non-compliance
    • California Database Security Breach Act of 2003, the first state law requiring that businesses notify state residents within 48 hours of experiencing a data breach of specific personal information data (other states have enacted similar laws)
    • COPPA (Children's Online Privacy Act of 1998), federal act that requires entities to get parental permission before collecting, using, disclosing, or displaying data about children under 13 (no penalties stated in the text)
  • maintaining productivity - prevention saves the effort (time and cost) that a successful attack would incur
    The text implies that in the case of an attack, you should estimate that it will take about 1% of your total staff to combat the attack.
    The cost of virus attacks includes cleaning cost, loss of productivity, and loss of revenue. Follow this link to a list of ten famous and expensive viruses.
  • foiling cyberterrorism - the potential for terrorists to disrupt a national infrastructure includes disruption of health and emergency services, power, communications, and commerce.

The text discusses some categories used to classify attackers:

  • hackers - One of the buzzwords of computer system geeks, this one can mean anything; it is generally accepted to mean someone with more skill than an average user, may be a white hat (good guy) or black hat (bad guy). A hacker may break in to a system for a thrill, to show off, or to cause some kind of damage.
  • script kiddies - attackers who use hacking tools that they don't really understand
  • spies - computer attackers who are looking for specific data from specific systems
  • employees - Computer security includes the concept of protecting data from people who aren't authorized to access it. What about protecting it from authorized users who want to give or sell it to someone else? What about authorized users who give out their password because someone asks for it? What about users who are no good at protecting their secrets?
  • cybercriminals - The text has a longer discussion of this category. The bottom line is that they are after some financial gain. This could be data they can sell, actual fund transfers, or theft of financial instruments.
  • cyberterrorists - A cyberterrorist is defined as a system attacker whose motivations are ideological.

The text lists five steps that an attacker may follow in preparing for and carrying out a computer system attack:

  1. Probe for information - look over the target and find potential weak spots; for example, look for open ports on servers
  2. Penetrate defenses - actually stage the attack, whether by email, attempted login, or other means
  3. Modify security settings - open another means of access for later entry
  4. Circulate to other systems - try to get access to other systems, such as those that list this system as "trusted"
  5. Paralyze networks and devices - an attack, in and of itself, does not necessarily damage the system being attacked; at this stage, damage is done by attackers who choose to do so

Consider that not all attackers will follow all five of these steps. Some would damage a system without making a back door for later, some would explore a system but never damage it, and others might steal data to make public what the data owners would rather be secret.

I am getting the feeling that the author of this text is obsessed with symmetry. He gave us five steps in an attack scenario, so he also gives us five defenses against attacks.

  • layering - the author spends more time with metaphors than with examples; the point is just that a security solution will have multiple layers, requiring an attacker to get through several kinds of protection before accessing data
  • limiting - it is a standard feature of most databases that the designer can restrict users to specific views of the data, letting them see only what their role requires, letting only specific authenticated users modify or add information to the data files; network security can be like this as well, offering only role or user specific views of data, only allowing limited changes by specific users
  • diversity - diversity should be part of the layering concept, but that would mean we would need another bullet; diversity means that each layer of security is different in some way from the other layers, so an attacker will not be able to use the same exploit to get through all the layers
  • obscurity - this means that the inner workings of the system should not be described or stated where a potential attacker could access that information. As a network system user, this is one of the more irritating aspects to me. Consider passwords. The network tells me my password will expire, and offers me a chance to change it now. I offer it a new password, and it replies that the new password is too short. I offer another one, and it tells me I haven't used enough complexity (upper case, lower case, numbers, and symbols: use at least one from at least three types). I offer another, and it tells me I can't use a password I used as recently as 10 changes ago. You see the pattern? Let there be rules for using the system, but the user is not made aware of the rule until it is violated. In the case of securing the system from attackers, the attacker is not told any of these rules when they are trying to guess a password.
  • simplicity - let the system be simple to administer, but hard to hack
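The three password rules described under obscurity above (length, three of four character types, no reuse within the last 10 changes), as an added example that is not from the textbook or from any particular network's policy engine. It reports every broken rule in one pass and keeps the history as salted hashes rather than plaintext; the minimum length, work factor and sample passwords are assumptions, since the page does not give them.

```python
import hashlib
import hmac
import os
import string

MIN_LENGTH = 8          # assumption: the page only says "too short"
REQUIRED_CLASSES = 3    # from the page: at least three of the four types
HISTORY_DEPTH = 10      # from the page: no reuse within the last 10 changes
PBKDF2_ROUNDS = 50_000  # assumption: kept modest so the example runs quickly

REUSE_MESSAGE = f"matches one of the last {HISTORY_DEPTH} passwords"


def _digest(password, salt):
    """Salted, slow hash so the stored history never contains plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def character_classes(password):
    """Count how many of the four types (lower, upper, digit, symbol) appear."""
    return sum([
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ])


def violations(password, history):
    """Return every rule the candidate breaks, not just the first one."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if character_classes(password) < REQUIRED_CLASSES:
        problems.append(f"uses fewer than {REQUIRED_CLASSES} character types")
    # Each old password has its own salt, so the candidate is re-hashed per entry.
    if any(hmac.compare_digest(_digest(password, salt), stored)
           for salt, stored in history):
        problems.append(REUSE_MESSAGE)
    return problems


def change_password(history, new_password):
    """Apply the policy; on success, record the new hash and trim old entries."""
    problems = violations(new_password, history)
    if not problems:
        salt = os.urandom(16)
        history.append((salt, _digest(new_password, salt)))
        del history[:-HISTORY_DEPTH]  # keep only the most recent entries
    return problems


if __name__ == "__main__":
    history = []  # list of (salt, hash) pairs for one constructed user
    for i in range(11):
        change_password(history, f"Season-{i}-Pass")
    for candidate in ("abc", "Season-10-Pass", "Season-0-Pass"):
        print(candidate, "->", violations(candidate, history) or "accepted")
```

This check runs only after the user has authenticated to change a password, so listing the rules here does not reveal them to someone guessing at the login prompt.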

The text moves on to discuss types of jobs commonly associated with information system security. It makes a distinction between jobs about Information Security (as it has been discussing) and jobs about Information Assurance, which would also have to do with disaster recovery, business continuity, and major planning for the business enterprise.

Within Information Security, the text says that jobs typically relate to administrative, planning, and policy roles, or they relate to technical functions like installation, operation, and maintenance.

The text offers a table on page 23 which you should study to be aware of the job functions for four job titles: Chief Information Security Officer, Security Manager, Security Administrator, and Security Technician. (This is their order in terms of descending levels of authority.)

The content section of the chapter ends with a few words about the CompTIA Security+ certification, which is meant to be a vendor neutral certification of knowledge about the subject area. Links are provided on the menu page for this course to the CompTIA web site, and others, so you can get up to date information about testing for this certification. The certification test for Security+ covers six domains (areas of knowledge):

  • systems security
  • network infrastructure
  • access control
  • assessments and audits
  • cryptography
  • organizational security

Chapter 2 is titled System Threats and Risks. It begins with two unrelated articles, one about using spam detection algorithms to detect HIV activity, and the other about users being a weak point in Information Security schemes. Both raise interesting points, but they seem unrelated to the focus of the chapter.

In the previous chapter, spam was mentioned as a major loss point for productivity. This seems less likely now. Gmail, for example, is very good at removing spam from a regular mail folder, and it does not take long to examine and empty the spam folder periodically. It seems more likely that virus laden spam would be the greater problem. The text says that Postini, an email and web security service, estimated that two thirds of email is unsolicited. That does not seem extreme to me. Of course most of it is unsolicited: how often do you solicit email? (Note: Google bought Postini in 2007.)

The chapter begins its discussion of software based attacks on page 41. The term malware is introduced, meaning any software that does something harmful to a system. The text breaks malware into three types, based on which of three objectives the malware follows: infecting a system, concealing its actions, or bringing profit from its actions.

Infecting Malware

Infecting software is divided into viruses and worms. A virus typically requires a carrier to infect a system, like an email, an instant message, or a program that the user runs. A virus typically has two tasks: replicate and damage. Some viruses have historically been rather benign, just displaying a message to the user. The ones that cause damage to a system are categorized by the method they use or the damage they cause:

  • file infector - the virus attaches itself to an executable file; it is triggered when that file is run
  • resident (aka terminate and stay resident) virus - loads into RAM, then does its damage based on actions the user takes through the operating system
  • boot virus - infects the Master Boot Record of a hard disk, which means the virus will load and run the next time the hard drive is used to boot the computer; typically the virus will trash the hard drive
  • companion virus - found more on pre-Windows systems, loads a program with a name similar to that of a real program, but with a preferred extension so the companion (malware) program is run when the user tries to run the real program from a command line; this seems like it might have a resurgence in Windows Server 8 which has more command line features
  • macro virus - a script virus that is typically placed in a Microsoft Office file

Virus protection programs typically recognize viruses by signatures, the way they look. This recognition method is complicated by metamorphic viruses that change the way they look over time, and polymorphic viruses that change their signature and their encryption methods.

Worms are described on page 44. The text tells us a major difference between worms and viruses: once it is started, a worm can replicate itself across connected computer systems by itself. It does not need a carrier. A worm can attack any running computer that is connected to a network that an infected computer is on: it does not require cooperation from the user. Worms are more dangerous due to their self driven nature. Once a worm is detected in a system, each device on the network must be scanned for it, cleaned if necessary, and prevented from accessing the network until this is done.

Concealing Malware

The text lists four types of malware that are first concerned with remaining hidden from the user and from security personnel: trojan horses, rootkits, logic bombs (not a terribly accurate name), and privilege escalators.

Trojan horse programs are named for the myth of a wooden horse that was used to smuggle Greek soldiers inside the walls of Troy. A program of this sort has two aspects: what we are told it does, and what it actually does. In some cases, Trojans may do what they say, but they also have a hidden malicious purpose which is what puts them in this category. A classic ploy used by Trojans is to pretend not to be a program at all. The text gives an example of a file that has a .exe extension, but the characters .docx occur in the name immediately before it. If a Windows computer is using the default (idiotic!) configuration, the actual .exe extension will be hidden from the user, and the user may think it is only a Word document.

Students should become familiar with the methods to turn off "Hide extensions for known file types" in common versions of Windows.
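A defender-side check for the double-extension trick described above, added here as an example (not from the textbook or the course). It shows the name a user sees while "Hide extensions for known file types" is on, and flags files whose visible name ends in a document extension while the real extension is executable; the extension lists and sample paths are constructed for illustration.

```python
import ntpath
import os
from dataclasses import dataclass

# Constructed, non-exhaustive lists; extend them to match your environment.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".bat", ".cmd", ".pif", ".vbs", ".js"}
DOCUMENT_EXTS = {".doc", ".docx", ".xls", ".xlsx", ".pdf", ".txt", ".jpg", ".png"}
KNOWN_EXTS = EXECUTABLE_EXTS | DOCUMENT_EXTS  # types whose extension gets hidden


@dataclass
class Finding:
    path: str
    shown_as: str    # name displayed when known extensions are hidden
    real_ext: str    # extension Windows actually acts on
    deceptive: bool  # looks like a document, runs as a program


def inspect_name(path):
    """Compare what the user sees with what the file really is."""
    base = ntpath.basename(path)          # handles both \ and / separators
    stem, real_ext = ntpath.splitext(base)
    real_ext = real_ext.lower()
    inner_ext = ntpath.splitext(stem)[1].lower()
    shown = stem if real_ext in KNOWN_EXTS else base
    deceptive = real_ext in EXECUTABLE_EXTS and inner_ext in DOCUMENT_EXTS
    return Finding(path, shown, real_ext, deceptive)


def scan(paths):
    """Return findings only for names that would mislead the user."""
    return [f for f in map(inspect_name, paths) if f.deceptive]


def scan_tree(root):
    """Walk a directory (a downloads folder, a mail attachment store) and scan it."""
    paths = (os.path.join(folder, name)
             for folder, _, names in os.walk(root) for name in names)
    return scan(paths)


# Constructed sample paths, not taken from the page.
SAMPLE_PATHS = [
    r"C:\Users\pat\Downloads\Q3-report.docx.exe",
    r"C:\Users\pat\Documents\Q3-report.docx",
    r"C:\Tools\setup.exe",
    r"C:\Users\pat\Downloads\photo.JPG.scr",
    r"C:\Users\pat\Downloads\notes.v2.exe",
    r"C:\Users\pat\Downloads\archive.tar.gz",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_PATHS):
        print(f"{hit.path}: shown as '{hit.shown_as}', really {hit.real_ext}")
```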

The text continues to discuss rootkits. At first, the rootkit sounds like a resident virus that replaces operating system files with its own. There are similarities, but one difference is that a rootkit is much more extensive, and another is that the rootkit obtains elevated privileges to carry out its stealth actions. The resident virus may replace one program on the computer, which will then do some harm to the system. The rootkit opens a door for lots of malware. How?

Have you ever seen a movie about a robbery in which the robbers send false information to security staff (like a video loop) that shows all is well, while the robbers proceed to steal whatever they want? That's kind of what a rootkit does. The rootkit assumes the role of a trustworthy part of the operating system. It will stand between the user and security software on one side, and other malware doing whatever it wants on the other.

The intention of the rootkit programmer may not be malicious. The text discusses the example of Sony, who in 2005 installed a rootkit installer on their audio CDs which had the goal of preventing computer users from copying those CDs. Their intent was not malicious, but it changed a PC without the user's consent, and it made the PC vulnerable to security exploits. The first is just wrong, and the second is worse. As the saying goes, the road to hell is paved with good intentions.

Detection and removal of a rootkit can be difficult, but it is worth trying before following the text's scenario of formatting the hard drive and starting over. The Sophos company, for example, has a free download that is supposed to be good at finding and removing these problems. Here is another one from Kaspersky. Students should do an internet search for tools from the vendor of their choice.

A logic bomb is not a bomb. It is malware that waits for a logical condition to occur before it executes its mission. A classic case was the Michelangelo virus that only executed on the birthday of Michelangelo Buonarroti (which, as everyone knows, is March 6th). Other examples are given in the text. Some act like "dead man switches", where the malware engages if it is not regularly reset, or if a person's ID is removed from a network. A logic bomb can be hidden in a much larger program, making it difficult to find.

Privilege escalation is a technique, not a type. The technique is commonly used by system administrators. They log in to networks with an ID that has normal privileges on the system, but they execute administrative tasks with an ID that has elevated privileges. Of course, these are authorized users who are supposed to do such things. When malware does this, it may do it in one of two ways. It may use an exploit to escalate its own privileges, or it may access the privileges of another account which are greater than its own.

Malware for Profit

The text discusses some major and minor types in this category. The first is spam, which was discussed briefly in chapter 1. Note that in chapter 1 the author told us that Postini (now Google) said that "over two-thirds of daily email messages are unsolicited". In this chapter, the author quotes the same source as saying one out of twelve emails is spam. Is this a contradiction?

As I noted above, the fact that an email is unsolicited is not very meaningful. The fact that it is an unsolicited sales pitch may be more meaningful. The fact that the spam sender (spammer) has no clue who you are or whether you will buy their product seems to be the most meaningful qualifier. The definition used for the word "spam" might be any of these or something else, as far as we know about the statistics we are given.

Spam that is sent for profit is sent to as many addresses as possible to maximize the potential of getting a sale. The text gives two scenarios that are meant to be examples of gauging how much it costs to be a spammer. They are not the only possibilities. The point is that the cost to the spammer is minimal (until they are arrested) and the returns are very large.

The text discusses some techniques to make a spam email that will get by spam filters in many security products:

  • image spam - words that would trigger spam filters are presented in images (graphic art) instead of in text to avoid alerting the spam filter that the email is about a trigger subject
  • GIF layering - the graphics that present the message are placed in the message in layers, so a human reader will see the intended message, but a spam filter will not notice the subject matter
  • word splitting - trigger words are shown as graphics, and the graphics have white (or other color) bars running through them to avoid optical character recognition, but still allow a human being to recognize the message
  • geometric variance - the background, the font, and other characteristics are varied from one spam message to another so the messages from the spammer are not recognized as identical messages

Spyware is described on page 51. It is defined as software that violates a user's security. More informatively, the text says that spyware typically has one of three missions: advertising, collection of personal information, or changing configuration settings. The text proposes that if other software did what spyware does with the user's permission, that software would not be spyware. So the issue is not what it does, as much as the fact that it is done in secret.

The chart on page 52 lists effects that spyware can have on a computer. Several of these items seem to be less related to spying than to leading the user to particular products and resources. As such, I would consider "spyware" to be an inappropriate label for the category. A better label is the subcategory the text talks about next, adware. As its name suggests, adware is concerned with presenting advertisements to the computer user. I will point out that the text makes this a subcategory of spyware, but I disagree with the logic of making it one.

Another subcategory of spyware is more appropriate. Keyloggers can be implemented through hardware or software. The idea is that the program (or device) captures every key press the user makes, which can be analyzed later by someone who reads the key log. Obviously, capturing IDs and passwords would be one use of such a product. Keeping a log of all activity on a computer would be another. Some viruses contain a key logging function which sends its log to the virus originator.

A newer wrinkle in malware is the botnet. This has been around for a while, but it is a refinement and step back from the others at the same time. A botnet is a network of computers that have been infected, turned into robots (aka zombies), that can be used for any of several kinds of attacks listed on page 54. The refinement is the creation of a network of infected machines on one mission. The step back is the brute force aspect of the attacks. The attacker (the bot herder) does not depend on finesse or subtlety; he uses more points of attack to meet his goal.

Hardware-based attacks

Key loggers can be implemented through hardware, but there are several other hardware attack vectors you should know about.

All PCs have BIOS chips or chip sets. They control the computer hardware at a very basic level and are still important to computer systems. As the text explains, once upon a time (let's say the 1970s), BIOS chips were read only and had to be replaced if you were going to update them. The text reviews the history of BIOS chips becoming flashable (rewritable). A virus that overwrites the BIOS and the Master Boot Record of a computer has the potential to make the computer unusable until the BIOS is physically replaced. Other viruses will attack the BIOS and coopt it with malware or a rootkit. For these reasons, the text recommends setting the BIOS chip to be write protected.

The phrase USB device can mean any device that attaches through a USB port, but the text is concerned with those that contain memory chips or hard drives that could contain viruses. This is not to say that other devices can't be modified to become exploit devices. At the 2011 DEFCON conference, a pair of hackers demonstrated that they could rig a mouse to hold a USB stick that contained malware that could compromise a network. In a sense, this is just another instance of a hack involving a memory stick, but it is more in that most people can be made aware of the dangers of flash memory, and few would generalize that awareness to other devices that they would normally consider safe. The text lists three methods to disable USB devices:

  • disable the USB system in the computer's hardware (BIOS)
  • disable USB in the operating system by removing support files for USB
  • use third party software

Of the three, only the third is practical. How many of you connect a mouse or a printer by any means other than a USB port? A good security program can be configured to scan devices as they are attached or used to minimize this risk.

The text moves on to discuss two related systems: Network Attached Storage (NAS) and Storage Area Network (SAN). One version of a SAN is illustrated on page 57, showing workstations and servers on a LAN (Local Area Network). The servers are also connected to a SAN, essentially a network of other servers dedicated to file storage. These servers will use different network protocols than devices on the same LAN.

The second illustration on the same page is a little less clear, but the explanation in the text explains the idea: a NAS device is simply that, a device "hung" on an existing network that provides additional storage beyond what is already on workstations and servers on the LAN. A NAS device is a member of your LAN, and it will use common network file protocols.

The distinction between the two systems is that NAS devices can be exploited and protected in the same way as hard drives on any other computer on your LAN. The text warns that using NAS devices on a network without high bandwidth connections to the NAS device can produce a service bottleneck.

The text turns to cell phones. The text describes how a cell system works: phones connect to cell towers (base stations) which connect to an MTSO (mobile telecommunications switching office), which connects to the wired telecommunications network. Cell phones are low power devices, so they have to switch from one base station to another as they move from the operational range of one to the next. That means that a cell phone in motion is constantly changing base stations, but it also means that each base station can use the same radio frequencies for the phones inside its cell. A few ideas about cell phone attacks are listed on page 59. None are very detailed.

Virtualized System Attacks

On page 59 the text defines virtualization as a functional presentation of computer resources, regardless of their location. The text offers the example of a set of storage devices that could be treated as one. Another example is running a version of a server operating system as a virtual machine (VM), a shell, inside the memory of a server or workstation. We could have a workstation running Windows 7 that runs a virtual machine for Windows Server 2010. In this case the Windows 7 is the host system, and the Windows Server 2010 VM is a guest system. The chart on page 60 lists four variations on virtualization:

  • emulation - when a virtual machine simulates the hardware of a system and requires no modifications to the operating system being simulated
  • paravirtualization - the virtual machine does not simulate hardware and does require some operating system modifications
  • full virtualization - the virtual machine simulates some hardware so the guest operating system does not require modifications, but the guest system must be able to run on the same kind of processor as is running on the host system
  • operating system level virtualization - the host operating system kernel is used as part of the simulation, so each guest and host must be compatible with the same processor and hardware

This set of definitions left me wanting more. Try this short article on Wikipedia.

The text explains that a selling point for running several virtual machines on a single server box is reduction in power and cooling costs over having to power and cool that many separate boxes. Virtual systems can be tested for the effect of patches and updates without having to sacrifice an entire computer to the test. Rolling back from a bad change is often quicker on a virtual machine than on regular hardware.

To a system attacker, virtualization also reduces costs: virtual machines mean being able to use tools for multiple operating systems on one computer. System defenders can use virtual machines to test attacks and defenses, using a virtual network, further reducing test lab costs.

After some repetition, the text discusses other advantages to using virtual machines. Live migration of virtual machines can greatly reduce down time. The virtual machine is essentially "saved" in a current state and reloaded on a separate host; then the original host can be taken down for maintenance without the down time that would normally occur. The same technique can be used to move the virtual machine to more or less powerful equipment, to balance loads as user demands increase and decrease.

A problem described in the text regarding these practices comes from security software not always working well with virtual machines, and security hardware sometimes only protecting one machine at a time. Also, a virtual machine may have no hardware protection at all between it and an attack from another virtual machine in the same host or same virtual network. Perhaps an obvious place to apply security is to the hypervisor (described on page 62), which is software that manages virtual machines. Whether it is an add on for the hypervisor or a patch for the program itself, the effect would be similar. It seems equally obvious that if it is not possible to run your security software as a virtual service/machine or to modify the hypervisor, then security measures should be installed on each virtual machine as you would any other piece of hardware.