Operation Security Understand the core of

Скачать презентацию Operation Security   Understand the core of Скачать презентацию Operation Security Understand the core of

lecture_4-5.ppt

  • Размер: 541.0 Кб
  • Автор:
  • Количество слайдов: 57

Описание презентации Operation Security Understand the core of по слайдам

Operation Security Operation Security

 • Understand the core of Operations Security (OPSEC) • Define & identify targets • Understand the core of Operations Security (OPSEC) • Define & identify targets and threats • Establish countermeasures • Identify the Critical Information Commandments • Decipher the value of information Objective

What is Operation Security…?  • Have you ever taken precautions against Someone… •What is Operation Security…? • Have you ever taken precautions against Someone… • … breaking into your house while you’re on vacation? • … stealing your purse? • … stealing packages from your car while your shopping? • … fraudulently using your credit card? Then you have used OPSEC!

 • OPSEC is a risk management instrument that enables a manager or commander • OPSEC is a risk management instrument that enables a manager or commander to view an operation or activity from the perspective of an adversary. It is a process of identifying, analyzing and controlling critical information. What is Operation Security …?

 • Identify Critical Information • Analyze Threats • Discover Vulnerabilities • Assess Risks • Identify Critical Information • Analyze Threats • Discover Vulnerabilities • Assess Risks • Develop Countermeasures What is Operation Security …?

 • Identify Critical Information:  • Credit card numbers, travel dates, itineraries, passwords, • Identify Critical Information: • Credit card numbers, travel dates, itineraries, passwords, patterns, changes in patterns, inspection results, information base systems, etc. . • Analyze Threat: • Adversaries, Intelligence agencies – Open source information, corporate/state sponsored spies, eavesdropping, photographing, etc… What is Operation Security …?

 • Discover Vulnerabilities:  • Flow of information, operations, timing of events, how • Discover Vulnerabilities: • Flow of information, operations, timing of events, how an adversary would acquire the information, etc… – How would the loss of such data impact the organization? • Assess Risks: • Estimated loss $ x impact of risk x likelihood of risk = $ Does the solution outweigh the loss? What is Operation Security …?

 • Develop Countermeasures: – are based on the vulnerabilities and inherent risks. • Develop Countermeasures: – are based on the vulnerabilities and inherent risks. • Are dictated by cost, timing, feasibility, and imagination of involved personnel. Simplicity, straightforwardness, and inexpensiveness are key to the most effective countermeasure solutions. OPSEC is a DIFFERENT WAY of SEEINGWhat is Operation Security …?

Critical Information Commandments… 1. Must protect the information that the adversary needs to accomplishCritical Information Commandments… 1. Must protect the information that the adversary needs to accomplish his mission. 2. Will not try to protect everything. 3. Consider who thy adversaries are and what information they require to inflict harm to you. 4. Consult all sources of information to determine what your enemies know about you. 5. Once you has determined what information is critical, determine if that information is associated with your activities.

Malicious Software Malicious Software

Viruses and Other Malicious Content • computer viruses have got a lot of publicityViruses and Other Malicious Content • computer viruses have got a lot of publicity • one of a family of malicious software • effects usually obvious • have figured in news reports, fiction, movies (often exaggerated) • getting more attention than deserve • are a concern though

The Most Common Types Of Program To Be Infected by A Virus • exeThe Most Common Types Of Program To Be Infected by A Virus • exe • com • vbs • mp 3 • drv • bin • script files • macros

 Cryptography and Network Security 14 Malicious Software Cryptography and Network Security 14 Malicious Software

Trapdoors • secret entry point into a program • allows those who know accessTrapdoors • secret entry point into a program • allows those who know access bypassing usual security procedures • have been commonly used by developers • a threat when left in production programs allowing exploited by attackers • very hard to block in O/S • requires good s/w development & update

Logic Bomb • one of oldest types of malicious software • code embedded inLogic Bomb • one of oldest types of malicious software • code embedded in legitimate program • activated when specified conditions met – eg presence/absence of some file – particular date/time – particular user • when triggered typically damage system – modify/delete files/disks

Trojan Horse • program with hidden side-effects  • which is usually superficially attractiveTrojan Horse • program with hidden side-effects • which is usually superficially attractive – eg game, s/w upgrade etc • when run performs some additional tasks – allows attacker to indirectly gain access they do not have directly • often used to propagate a virus/worm or install a backdoor • or simply to destroy data

Zombie • program which secretly takes over another networked computer • then uses itZombie • program which secretly takes over another networked computer • then uses it to indirectly launch attacks • often used to launch distributed denial of service (DDo. S) attacks • exploits known flaws in network systems

Viruses • a piece of self-replicating code attached to some other code – cfViruses • a piece of self-replicating code attached to some other code – cf biological virus • both propagates itself & carries a payload – carries code to make copies of itself – as well as code to perform some covert task

Virus Operation • virus phases: – dormant – waiting on trigger event – propagationVirus Operation • virus phases: – dormant – waiting on trigger event – propagation – replicating to programs/disks – triggering – by event to execute payload – execution – of payload • details usually machine/OS specific – exploiting features/weaknesses

Virus Structure program V : = {goto main; 1234567; subroutine infect-executable : = {loop:Virus Structure program V : = {goto main; 1234567; subroutine infect-executable : = {loop: file : = get-random-executable-file; if (first-line-of-file = 1234567) then goto loop else prepend V to file; } subroutine do-damage : = {whatever damage is to be done} subroutine trigger-pulled : = {return true if some condition holds} main: main-program : = {infect-executable; if trigger-pulled then do-damage; goto next; } next: }

Types of Viruses • can classify on basis of how they attack  •Types of Viruses • can classify on basis of how they attack • parasitic virus • memory-resident virus • boot sector virus • stealth • polymorphic virus • macro virus

Macro Virus • macro code attached to some data file  • interpreted byMacro Virus • macro code attached to some data file • interpreted by program using file – eg Word/Excel macros – esp. using auto command & command macros • code is now platform independent • is a major source of new viral infections • blurs distinction between data and program files making task of detection much harder • classic trade-off: «ease of use» vs «security»

Email Virus • spread using email with attachment containing a macro virus – cfEmail Virus • spread using email with attachment containing a macro virus – cf Melissa • triggered when user opens attachment • or worse even when mail viewed by using scripting features in mail agent • usually targeted at Microsoft Outlook mail agent & Word/Excel documents

Worms • replicating but not infecting program  • typically spreads over a networkWorms • replicating but not infecting program • typically spreads over a network – cf Morris Internet Worm in 1988 – led to creation of CERTs • using users distributed privileges or by exploiting system vulnerabilities • widely used by hackers to create zombie PC’s , subsequently used for further attacks, esp Do. S • major issue is lack of security of permanently connected systems, esp PC’s

Worm Operation • worm phases like those of viruses: – dormant – propagation •Worm Operation • worm phases like those of viruses: – dormant – propagation • search for other systems to infect • establish connection to target remote system • replicate self onto remote system – triggering – execution

Morris Worm • best known classic worm • released by Robert Morris in 1988Morris Worm • best known classic worm • released by Robert Morris in 1988 • targeted Unix systems • using several propagation techniques – simple password cracking of local pw file – exploit bug in finger daemon – exploit debug trapdoor in sendmail daemon • if any attack succeeds then replicated self

Recent Worm Attacks • new spate of attacks from mid-2001 • Code Red –Recent Worm Attacks • new spate of attacks from mid-2001 • Code Red – exploited bug in MS IIS to penetrate & spread – probes random IPs for systems running IIS – had trigger time for denial-of-service attack – 2 nd wave infected 360000 servers in 14 hours • Code Red 2 – had backdoor installed to allow remote control • Nimda – used multiple infection mechanisms • email, shares, web client, IIS, Code Red 2 backdoor

Virus Countermeasures • viral attacks exploit lack of integrity control on systems  •Virus Countermeasures • viral attacks exploit lack of integrity control on systems • to defend need to add such controls • typically by one or more of: – prevention — block virus infection mechanism – detection — of viruses in infected system – reaction — restoring system to clean state

Anti-Virus Software • first-generation – scanner uses virus signature to identify virus – orAnti-Virus Software • first-generation – scanner uses virus signature to identify virus – or change in length of programs • second-generation – uses heuristic rules to spot viral infection – or uses program checksums to spot changes • third-generation – memory-resident programs identify virus by actions • fourth-generation – packages with a variety of antivirus techniques – eg scanning & activity traps, access-controls

Advanced Anti-Virus Techniques • generic decryption – use CPU simulator to check program signatureAdvanced Anti-Virus Techniques • generic decryption – use CPU simulator to check program signature & behavior before actually running it • digital immune system (IBM) – general purpose emulation & virus detection – any virus entering org is captured, analyzed, detection/shielding created for it, removed

Behavior-Blocking Software • integrated with host O/S • monitors program behavior in real-time –Behavior-Blocking Software • integrated with host O/S • monitors program behavior in real-time – eg file access, disk format, executable mods, system settings changes, network access • for possibly malicious actions – if detected can block, terminate, or seek ok • has advantage over scanners • but malicious code runs before detection

Summary • have considered: – various malicious programs – trapdoor, logic bomb, trojan horse,Summary • have considered: – various malicious programs – trapdoor, logic bomb, trojan horse, zombie – viruses – worms – countermeasures

Cryptography • Cryptography is the study of – Secret (crypto-) writing (-graphy)  •Cryptography • Cryptography is the study of – Secret (crypto-) writing (-graphy) • Concerned with developing algorithms: – Conceal the context of some message from all except the sender and recipient (privacy or secrecy), and/or – Verify the correctness of a message to the recipient ( authentication ) – Form the basis of many technological solutions to computer and communications security problems

Basic Concepts • Cryptography  – encompassing the principles and methods of transforming anBasic Concepts • Cryptography – encompassing the principles and methods of transforming an intelligible message into one that is unintelligible, and then retransforming that message back to its original form • Plaintext – The original intelligible message • Ciphertext – The transformed message • Message – Is treated as a non-negative integer hereafter

Basic Concepts • Cipher – An algorithm for transforming an intelligible message into unintelligibleBasic Concepts • Cipher – An algorithm for transforming an intelligible message into unintelligible by transposition and/or substitution, or some other techniques • Keys – Some critical information used by the cipher, known only to the sender and/or receiver • Encipher (encode) – The process of converting plaintext to ciphertext • Decipher (decode) – The process of converting ciphertext back into plaintext

Basic Concepts • cipher – an algorithm for encryption and decryption. The exact operationBasic Concepts • cipher – an algorithm for encryption and decryption. The exact operation of ciphers is normally controlled by a key — some secret piece of information that customizes how the ciphertext is produced • Protocols – specify the details of how ciphers (and other cryptographic primitives) are to be used to achieve specific tasks. – A suite of protocols, ciphers, key management, user-prescribed actions implemented together as a system constitute a cryptosystem ; – this is what an end-user interacts with, e. g. PGP

Encryption and Decryption Plaintext ciphertext Encipher C = E (K 1) (P) Decipher PEncryption and Decryption Plaintext ciphertext Encipher C = E (K 1) (P) Decipher P = D (K 2) (C) K 1, K 2: from keyspace These two keys could be different; could be difficult to get one from the other

What is Security?  • Two fundamentally different securities – Unconditional security • NoWhat is Security? • Two fundamentally different securities – Unconditional security • No matter how much computer power is available, the cipher cannot be broken • Using Shannon’s information theory – The entropy of the message I(M) is same as the entropy of the message I(M|C) when known the ciphertext (and possible more) – Computational security • Given limited computing resources (e. g time needed for calculations is greater than age of universe), the cipher cannot be broken – What do we mean “ broken ” ? • Proved by some complexity equivalence approach

Public key system Public key system

Public Key Encryption • Two difficult problems – Key distribution under conventional encryption –Public Key Encryption • Two difficult problems – Key distribution under conventional encryption – Digital signature • Diffie and Hellman, 1976 – Astonishing breakthrough – One key for encryption and the other related key for decryption – It is computationally infeasible to determine the decryption key using only the encryption key and the algorithm

Public Key Cryptosystem • Essential steps of public key cryptosystem – Each end generatesPublic Key Cryptosystem • Essential steps of public key cryptosystem – Each end generates a pair of keys • One for encryption and one for decryption – Each system publishes one key, called public key, and the companion key is kept secret – It A wants to send message to B • Encrypt it using B’s public key – When B receives the encrypted message • It decrypt it using its own private key

Applications of PKC • Encryption/Decryption – The sender encrypts the message using the receiver’sApplications of PKC • Encryption/Decryption – The sender encrypts the message using the receiver’s public key • Q: Why not use the sender’s secret key? • Digital signature – The sender signs a message by encrypt the message or a transformation of the message using its own private key • Key exchange – Two sides cooperate to exchange a session key, typically for conventional encryption

Conditions of PKC • Computationally easy – To generate public and private key pairConditions of PKC • Computationally easy – To generate public and private key pair – To encrypt the message using encryption key – To decrypt the message using decryption key • Computational infeasible – To compute the private key using public key – To recover the plaintext using ciphertext and public key • The encryption and decryption can be applied in either order

One Way Function • PKC boils down to one way function – Maps aOne Way Function • PKC boils down to one way function – Maps a domain into a range with unique inverse – The calculation of the function is easy – The calculation of the inverse is infeasible • Easy – The problem can be solved in polynomial time • Infeasible – The effort to solve it grows faster than polynomial time – For example: 2 n – It requires infeasible for all inputs, not just worst case

Trapdoor One-way Function • Trapdoor one way function – Maps a domain into aTrapdoor One-way Function • Trapdoor one way function – Maps a domain into a range with unique inverse • Y=f k (X) – The calculation of the function is easy – The calculation of the inverse is infeasible if the key is not known – The calculation of the inverse is easy if the key is known

Possible Attacks • Brute force – Use large keys • Trade-off: speed (not linearlyPossible Attacks • Brute force – Use large keys • Trade-off: speed (not linearly depend on key size) • Confined to small data encryption: signature, key management • Compute the private key from public key – Not proven that is not feasible for most protocols! • Probable message attack – Encrypt all possible messages using encryption key – Compare with the ciphertext to find the matched one! – If data is small, feasible, regardless of key size of PK

History • http: //www. research. att. com/~smb/nsam-160/ • British • National Security Action MemorandumHistory • http: //www. research. att. com/~smb/nsam-160/ • British • National Security Action Memorandum 160 – Kennedy Nuclear Weapon – http: //www. research. att. com/~smb/nsam-160/pg 1. html

RSA Algorithm • R. Rivest, A. Shamir, L. Adleman (1977) – James Ellis cameRSA Algorithm • R. Rivest, A. Shamir, L. Adleman (1977) – James Ellis came up with the idea in 1970, and proved that it was theoretically possible. In 1973, Clifford Cocks a British mathematician invented a variant on RSA; a few months later, Malcom Williamson invented a Diffie-Hellman analog – Only revealed till 1997 • Patent expired on September 20, 2000. • Block cipher using integers 0 ~ n-1 – Thus block size k is less than log 2 n • Algorithm: – Encryption: C=M e mod n – Decryption: M=C d mod n • Both sender and the receiver know n

RSA (public key encryption) • Alice wants Bob to send her a message. She:RSA (public key encryption) • Alice wants Bob to send her a message. She: selects two (large) primes p , q , TOP SECRET, computes n = pq and ( n ) = ( p -1)( q -1), ( n ) also TOP SECRET, selects an integer e , 1 < e < ( n ), such that gcd( e , ( n )) = 1, computes d , such that de 1 (mod ( n )), d also TOP SECRET, gives public key ( e , n ), keeps private key ( d , n ).

Requirements • Possible to find e and d such that – M=M de modRequirements • Possible to find e and d such that – M=M de mod n for all message M • Easy to conduct encryption and decryption • Infeasible to compute d – Given n and e

RSA Example 1. Select primes:  p =17 & q =11 2. Compute RSA Example 1. Select primes: p =17 & q =11 2. Compute n = pq =17 × 11=187 3. Compute ( n )=( p– 1)( q- 1)=16 × 10=160 4. Select e : gcd(e, 160)=1; choose e =7 5. Determine d : de= 1 mod 160 and d < 160 Value is d=23 since 23 × 7=161= 10 × 160+1 6. Publish public key KU={7, 187} 7. Keep secret private key KR={23, 17 , 11}

RSA Example cont • sample RSA encryption/decryption is:  • given message M =RSA Example cont • sample RSA encryption/decryption is: • given message M = 88 (nb. 88<187 ) • encryption: C = 88 7 mod 187 = 11 • decryption: M = 11 23 mod 187 =

Q & A Questions ? Q & A Questions ?

End End