A Common Language - Lecture Slides | Network Security Fundamentals | TCOM 562, Study notes of Cryptography and System Security

Material Type: Notes; Class: Network Security Fundamentals; Subject: Telecommunications-TCOM; University: George Mason University; Term: Unknown 1989;


Uploaded on 02/12/2009

TCOM 562 – Network Security Fundamentals
Fall 05
Jerry Martin
gmartin@gmu.edu

General Information
• Text book – Hackproofing Your Network
• Course is overview
• Lectures – attendance is important because I don’t believe in reading slides, slide bullets are talking points
• E-mail is preferred method of communication and is mandatory method for homework submission
• Assignments
  • Case Studies (3)
  • Due approximately once a month (9/19, 10/11, 11/7)
  • Limited to 1 page, single spaced, if over 1½ pages, lose 1 point

General Information
• Tests
  • Midterm – 24 Oct, Final – 13 Dec
  • Format
    • 40 multiple choice, T/F; 4 short answer questions
    • Exam is 2 hours, NO lecture after test
• Grading
  • Case studies (15%) – 5 points each
  • Paper (15%) – 30 points
  • Midterm (35%) – 100 points
  • Comprehensive Final (35%) – 100 points

General Information
• Flow for course
  • Common taxonomy, definition of terms
  • National policy and concerns
  • Threats
  • Defensive tools and measures
  • Continuity of operations/attack recovery
  • Legal and privacy issues and challenges

THE WAY IT WAS THEN
[Figure: "International Connectivity" map. Legend: Internet; Bitnet but not Internet; Email Only (UUCP, FidoNet); No Connectivity. Copyright Larry Landweber and the Internet Society. Unlimited permission to copy or use is hereby granted subject to inclusion of this copyright notice.]

TODAY’S NETWORK ENVIRONMENT
”Interconnectivity”
[Figure: network diagram. Labels: LANs, File Server, Other Networks, Gateway, Router, Bridge, Hosts, Packet Switch, Internet]

A Common Language
• Terms key to entire course, use them extensively
• For orderly examination, divided into four general categories
  • E – environment
  • G – government
  • U – underground
  • M – miscellaneous
• Then look at Sandia Lab’s incident processing flow

A Common Language
• More government
  • CERT-CC (www.cert.org)
  • CIP
  • HSC
  • *PDD 63/HSPD-7
  • CWIN
  • JTF-GNO
  • NIPP

Understanding the Culture
• News Stories
• Defacement Mirrors
• Hacker Magazines (phrack, 2600)
• Hacker-oriented Internet Sites
• Internet Relay Chat
• Non-Profit and Commercial Computer “Security” Companies
• Hacking Conferences (“Cons”)
“The internet is our playground, it’s our side of the tracks. When you step into it, claim your own corner of cyberspace, and put up your house... Don’t expect not to arouse our curiosity.” - United Loan Gunmen

A Common Language
• Underground
  • Hacker
  • Cracker
  • Blackhat
  • Miscreant
  • Script kiddie
  • Click kiddie
  • Nicks
  • Idents

A Common Language
• Still more underground mayhem
  • *DDoS
  • *Sploits
  • *Vulns
  • *Bot/botnet/botherd
  • Bounce
  • Proxy
  • Post docs
  • *Zombie/soldier
  • Bot
  • Phishing

A Common Language
• And now the rest…
  • White hat
  • Gray hat
  • *Paypal
  • “Cuckoo’s Egg”
  • Listserves
  • ISACs
  • *CCV
  • PGP
  • Fingerprint
  • Net flows

A Common Language
• More miscellaneous
  • ARIN
  • RIPE
  • APNIC
  • ICANN
  • IANA
  • FIRST
  • NANOG
  • Bugtraq
  • RFCs
  • Out of band
  • SCADA

What is a taxonomy?
A taxonomy is a classification scheme that partitions a body of knowledge and defines the relationship of the pieces.
Must have these characteristics . . .
[Figure: logically related columns]
Must be:
• Mutually exclusive
• Unambiguous
• Repeatable
• Accepted
• Useful
• Exhaustive

Where to start?
• For this reason several computer security taxonomies have already been developed
• Currently in use at Carnegie Mellon’s CERT/CC
• The inability to share data because of non-standard terminology is not unique
• Most comprehensive study done by Sandia Labs in conjunction with Carnegie Mellon University
• Sandia Report: “A Common Language for Computer Security Incidents”, John D. Howard and Thomas A. Longstaff (October 1998)

Taxonomy applied
Sandia Labs Network Based Taxonomy
• Tool: Physical Force, Information Exchange, User Command, Script or Program, Autonomous Agent, Toolkit, Distributed Tool, Data Tap
• Vulnerability: Design, Implementation, Configuration
• Action: Probe, Scan, Flood, Authenticate, Bypass, Spoof, Read, Copy, Steal, Modify, Delete
• Target: Account, Process, Data, Component, Computer, Network, Internetwork
• Unauthorized Result: Increased Access, Disclosure of Information, Corruption of Information, Denial of Service, Theft of Resources
Groupings labelled in the diagram: Event, Attack

Intrusion 1 (Conceptual)
[Figure: the taxonomy columns above, between Intruders and Objectives, with Intrusion 1 highlighted: User Command, Configuration, Authenticate, Account, Increased Access]

Intrusion 2 (Conceptual)
[Figure: the same columns. Intrusion 1 - Increased Access. Intrusion 2 highlighted: User Command, Design, Bypass, Process, Root Access]

Intrusion 3 (Conceptual)
[Figure: the same columns. Intrusion 1 - Increased Access. Intrusion 2 - Root Level Access. Intrusion 3 - Disclosure of Information. Highlighted: Script or Program, Implementation, Modify, Process, Denial of Service, Disclosure of Information]

New definition: “Intrusion Set”
Multiple related intrusions = “Intrusion Set”
[Figure (Conceptual): Multiple Events. Columns: Intruder, Tool, Vulnerability, Action, Target, Unauthorized Result, Objective]

Who? What? Why?
• answer the what
• Need more information to get to attribution
• Need to know who?
• Need to know why?

Sandia Labs Network Based Taxonomy
• Attackers: Hackers, Spies, Terrorists, Corporate Raiders, Professional Criminals, Vandals, Voyeurs
• Tool: Physical Force, Information Exchange, User Command, Script or Program, Autonomous Agent, Toolkit, Distributed Tool, Data Tap
• Vulnerability: Design, Implementation, Configuration
• Action: Probe, Scan, Flood, Authenticate, Bypass, Spoof, Read, Copy, Steal, Modify, Delete
• Target: Account, Process, Data, Component, Computer, Network, Internetwork
• Unauthorized Result: Increased Access, Disclosure of Information, Corruption of Information, Denial of Service, Theft of Resources
• Objectives: Challenge, Status, Thrills; Political Gain; Financial Gain; Damage
Groupings labelled in the diagram: Incident, Intrusion Set, Intruders (Group 1, Group 2, Group 3, Group 4)
[Figure (Conceptual): highlighted paths through the columns: Authenticate, Account, Configuration, User Command; Design, Bypass, Process, Root Access; Toolkit, Steal, Data, Theft of Resources; Script or Program, Implementation, Modify, Denial of Service. Objectives marked against the groups: Political Gain; Financial Gain; Challenge, Status, Thrills; Pol/Mil Gain; Damage]
Indicates sophisticated, highly resourced intruder
Probably GROUP THREE
Conducting Espionage

What gets reported?
Not every event? (Action, Target)
Must report all unauthorized results (Actual or intended)
Including intrusion data
[Figure (Conceptual): the incident taxonomy above, with Intrusion(s), Intruders and Group 1 to Group 4 marked]

Sandia Labs
Joint Databases needed
[Figure: the incident taxonomy above, with Intruders (Group 1 to Group 4), Intrusions, Process and Objectives marked; objectives shown include Damage, Financial gain, Pol/Mil Gain]
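
The taxonomy on these slides works as a controlled vocabulary for incident records, which is what makes shared reporting possible. The sketch below is an added example, not part of the lecture or the Sandia report: the record layout, the function names and the rule that intrusions are "related" when they share tool and vulnerability are assumptions made for illustration, and the sample records are constructed.

```python
from collections import defaultdict
# Controlled vocabulary copied from the taxonomy slides.
TAXONOMY = {
    "tool": {"Physical Force", "Information Exchange", "User Command",
             "Script or Program", "Autonomous Agent", "Toolkit",
             "Distributed Tool", "Data Tap"},
    "vulnerability": {"Design", "Implementation", "Configuration"},
    "action": {"Probe", "Scan", "Flood", "Authenticate", "Bypass", "Spoof",
               "Read", "Copy", "Steal", "Modify", "Delete"},
    "target": {"Account", "Process", "Data", "Component", "Computer",
               "Network", "Internetwork"},
    "result": {"Increased Access", "Disclosure of Information",
               "Corruption of Information", "Denial of Service",
               "Theft of Resources"},
}

def classify(record):
    """Return 'event' (action + target only) or 'attack' (all five fields).

    Free-text values are rejected so records stay unambiguous and repeatable."""
    fields = {k: v for k, v in record.items() if k != "id"}
    for name, value in fields.items():
        if value not in TAXONOMY.get(name, ()):
            raise ValueError(f"{name}={value!r} is not a taxonomy term")
    if set(fields) == {"action", "target"}:
        return "event"
    if set(fields) == set(TAXONOMY):
        return "attack"
    raise ValueError(f"incomplete record: {sorted(fields)}")

def reportable(records):
    """Records carrying an unauthorized result; bare events are left out."""
    return [r for r in records if classify(r) == "attack"]

def intrusion_sets(records, key=("tool", "vulnerability")):
    """Group reportable records that share `key` (assumed meaning of 'related')."""
    groups = defaultdict(list)
    for r in reportable(records):
        groups[tuple(r[k] for k in key)].append(r["id"])
    return {k: ids for k, ids in groups.items() if len(ids) > 1}

# Constructed sample records, not data from the slides.
SAMPLE = [
    {"id": "I1", "tool": "User Command", "vulnerability": "Configuration",
     "action": "Authenticate", "target": "Account", "result": "Increased Access"},
    {"id": "I2", "tool": "User Command", "vulnerability": "Configuration",
     "action": "Bypass", "target": "Process", "result": "Increased Access"},
    {"id": "I3", "tool": "Script or Program", "vulnerability": "Implementation",
     "action": "Modify", "target": "Process", "result": "Disclosure of Information"},
    {"id": "E1", "action": "Scan", "target": "Network"},
]
```

Rejecting terms outside the vocabulary is what keeps two sites' records comparable; a free-text action such as "Hack" fails validation instead of creating a new, unshared category.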