Midterm Review Flashcards
Vulnerability
A weakness in a system (in its design, implementation, or operation) that a threat could exploit to violate the security policy
Categories of vulnerabilities
- Corruption (Integrity)
- Leakiness (Confidentiality)
- Unavailability or very slow responsiveness (Availability)
CIA Triad
- Confidentiality
- Integrity
- Availability
Confidentiality
- Keeping data and resources hidden
- “Need to know”, personnel records, trade secrets
- Often, organizations want to protect system configuration and network topology info (resources) as well
Integrity
- Data integrity (trustworthiness) - data protected against unauthorized change
- Origin integrity (authentication)
- Mechanisms fall into two classes
- Prevention
- Detection
Availability
- Ability to use data and resources
- Denial of service attacks are designed to prevent access
Prevention
- Prevent attackers from violating security policy
- Typically done by employing mechanisms users cannot override
- Mechanisms can be cumbersome for users
Detection
- Detect attackers’ violation of security policy
- Also an indicator of the effectiveness of prevention mechanisms
Recovery
- Stop attack, assess and repair damage
- Continue to function correctly even if the attack succeeds
- Difficult to implement
- Typically only used in safety-critical systems
Security Policy
A formal statement of rules and practices that specify or regulate how a system or organization provides security services to protect sensitive and critical system resources
Security Implementation
- Prevention
- Detection
- Response
- Recovery
Assurance
The degree of confidence one has that the security measures, both technical and operational, work as intended to protect the system and the information it processes
Evaluation
Process of examining a computer product or system with respect to certain criteria
The ideal solution to malware
Prevention
Main elements of prevention
- Policy
- Awareness
- Vulnerability mitigation
- Threat mitigation
If prevention fails, what mechanisms can be used to mitigate the threat?
- Detection
- Identification
- Removal
Worm defense approaches
- Signature-based worm scan filtering
- Filter-based worm containment
- Payload-classification-based worm containment
- Threshold random walk (TRW) scan detection
- Rate limiting
- Rate halting
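Threshold random walk (TRW) scan detection, from the list above, is worth seeing as code because the idea is simple but the mechanics are not obvious from the name: a worm scanning for victims mostly hits hosts or ports that do not answer, so its first-contact connection attempts fail far more often than a legitimate host's. TRW runs a sequential hypothesis test per source host: each first contact to a new destination nudges a likelihood ratio up (failure) or down (success), and the host is declared a scanner or benign once the ratio crosses a threshold. The block below is an added example (not code from the original page); the parameter values and the connection log are constructed for illustration, and the "status" column stands in for whatever a real sensor reports (SYN-ACK seen, RST, or timeout).

```python
import math
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class TRWConfig:
    # Assumed parameter values for this example; tune them per network.
    theta0: float = 0.8   # P[first-contact connection succeeds | benign host]
    theta1: float = 0.2   # P[first-contact connection succeeds | scanner]
    alpha: float = 0.01   # tolerated false-positive probability
    beta: float = 0.99    # desired detection probability

    @property
    def log_eta1(self) -> float:          # crossing upward -> declare scanner
        return math.log(self.beta / self.alpha)

    @property
    def log_eta0(self) -> float:          # crossing downward -> declare benign
        return math.log((1 - self.beta) / (1 - self.alpha))


@dataclass
class HostState:
    log_lambda: float = 0.0                       # running log likelihood ratio
    contacted: set = field(default_factory=set)   # destinations already tried
    verdict: Optional[str] = None                 # "scanner", "benign", or None


class TRWDetector:
    """Sequential hypothesis test over first-contact connection outcomes.

    Each first attempt from src to a new dst is one observation: success is
    more likely under the benign hypothesis, failure under the scanner
    hypothesis. The ratio moves up on failures and down on successes; once it
    crosses a threshold the host gets a verdict and later observations are
    ignored. Repeat connections to a destination already tried are not
    observations at all, so a chatty client cannot talk its way to "benign".
    """

    def __init__(self, cfg: TRWConfig = TRWConfig()) -> None:
        self.cfg = cfg
        self.hosts: dict = {}

    def observe(self, src: str, dst: str, success: bool) -> str:
        st = self.hosts.setdefault(src, HostState())
        if st.verdict is not None:
            return st.verdict
        if dst in st.contacted:            # only the first contact to each dst counts
            return "pending"
        st.contacted.add(dst)
        c = self.cfg
        if success:
            st.log_lambda += math.log(c.theta1 / c.theta0)              # log 0.25
        else:
            st.log_lambda += math.log((1 - c.theta1) / (1 - c.theta0))  # log 4
        if st.log_lambda >= c.log_eta1:
            st.verdict = "scanner"
        elif st.log_lambda <= c.log_eta0:
            st.verdict = "benign"
        return st.verdict or "pending"


# Constructed connection log: ts,src,dst,dport,status
# status "ok" = handshake completed; "rst" or "timeout" = first contact failed.
LOG = """\
1,10.0.0.5,10.0.1.1,445,timeout
2,10.0.0.5,10.0.1.2,445,timeout
3,10.0.0.5,10.0.1.3,445,rst
4,10.0.0.5,10.0.1.4,445,timeout
5,10.0.0.7,10.0.2.10,443,ok
6,10.0.0.7,10.0.2.11,443,ok
7,10.0.0.7,10.0.2.10,443,ok
8,10.0.0.7,10.0.2.12,443,ok
9,10.0.0.7,10.0.2.13,443,ok
10,10.0.0.9,10.0.3.1,22,ok
11,10.0.0.9,10.0.3.2,22,timeout
"""


def run(log: str, cfg: TRWConfig = TRWConfig()) -> dict:
    """Feed a log through the detector; return the verdict per source host."""
    det = TRWDetector(cfg)
    for line in log.splitlines():
        if not line or line.startswith("#"):
            continue
        _ts, src, dst, _dport, status = line.split(",")
        det.observe(src, dst, status == "ok")
    return {src: st.verdict or "pending" for src, st in det.hosts.items()}


if __name__ == "__main__":
    for host, verdict in run(LOG).items():
        print(host, verdict)
```

With these parameters each failed first contact multiplies the ratio by 4 and each success by 0.25, so four consecutive failures (256, above the upper threshold of 99) flag a scanner and four consecutive successes (about 0.0039, below the lower threshold of about 0.0101) clear a host; a host with mixed results stays pending. In the constructed log, 10.0.0.5 is flagged on its fourth failed probe, 10.0.0.7 is cleared (its repeat connection to 10.0.2.10 is ignored), and 10.0.0.9 remains undecided.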
Policy
Says what is and is not allowed. Defines security for the site/system/etc.
Security Mechanisms
Enforces policy
Virus
Piece of software that infects programs
Virus Actions
- Modifies them to include a copy of the virus
- Replicates and goes on to infect other content
- Easily spread through network environments
Virus Components
- Infection mechanism
- Trigger
- Payload
Infection Mechanism
- Means by which a virus spreads or propagates
- Also referred to as the infection vector
Trigger
- Event or condition that determines when the payload is activated or delivered
- Sometimes known as a logic bomb
Payload
- What the virus does (besides spreading)
- May involve damage or benign but noticeable activity
Virus Phases
- Dormant phase
- Triggering phase
- Propagation phase
- Execution phase
Dormant Phase
- Virus is idle
- Will eventually be activated by some event
- Not all viruses have this stage
Triggering Phase
- Virus is activated to perform the function for which it was intended
- Can be caused by a variety of system events
Propagation Phase
- Virus places a copy of itself into other programs or into certain system areas on the disk
- The copy placed in the new host may not be identical to the version that propagated it
- Each infected program will now contain a clone of the virus which will itself enter a propagation phase
Execution Phase
- Function is performed
- May be harmless or damaging
Virus Classifications
- Classification by target
- Classification by concealment strategy
Classification by Target
- Boot sector infector
- File infector
- Macro virus
- Multipartite virus
Classification by Concealment Strategy
- Encrypted virus
- Stealth virus
- Polymorphic virus
- Metamorphic virus
Boot sector infector
Infects a master boot record or boot record and spreads when a system is booted from the disk containing the virus
File infector
Infects files that the operating system or shell considers to be executable
Macro virus
Infects files with macro or scripting code that is interpreted by an application
Multipartite virus
Infects files in multiple ways
Encrypted virus
A portion of the virus creates a random encryption key and encrypts the remainder of the virus
Stealth virus
A form of virus explicitly designed to hide from detection by anti-virus software
Polymorphic virus
A virus that mutates with every infection
Metamorphic virus
A virus that mutates and rewrites itself completely at each iteration and may change behavior as well as appearance
Worm
A program that actively seeks out more machines to infect and each infected machine serves as an automated launching pad for attacks on other machines
Worm Replication
- Electronic mail or instant messenger facility
- File sharing
- Remote execution capability
- Remote file access or transfer capability
- Remote login capability
Electronic mail or instant messenger facility
- Worm emails a copy of itself to other systems
- Sends itself as an attachment via an instant message service
File sharing
Creates a copy of itself or infects a file as a virus on removable media
Remote execution capability
Worm executes a copy of itself on another system
Remote file access or transfer capability
The worm uses remote file access or transfer service to copy itself from one system to the other
Remote login capability
Worm logs onto a remote system as a user and then uses commands to copy itself from one system to the other
Scanning (or fingerprinting)
- First function in the propagation phase for a network worm
- Searches for other systems to infect
Worm Scanning Strategies
- Random
- Hit-list
- Topological
- Local subnet
Random Scanning
- Each compromised host probes random addresses in the IP address space using a different seed
- This produces a high volume of Internet traffic which may cause generalized disruption even before the actual attack is launched
Hit-list
The attacker first compiles a long list of potentially vulnerable machines. Once the list is compiled the attacker begins infecting machines on the list. Each infected machine is provided with a portion of the list to scan. This results in a very short scanning period which may make it difficult to detect that infection is taking place.
Topological
This method uses information contained on an infected victim machine to find more hosts to scan
Local subnet
- If a host can be infected behind a firewall that host then looks for targets in its own local network
- The host uses the subnet address structure to find other hosts that would otherwise be protected by the firewall
Botnet
Collection of bots capable of acting in a coordinated manner
Attack Agent Bots (AAB)
Takes over another Internet-attached computer and uses it to launch or manage attacks
AAB Uses
- Distributed denial of service (DDoS) attacks
- Spamming
- Sniffing traffic
- Keylogging
- Spreading new malware
- Installing advertisement add-ons and browser helper objects (BHOs)
- Attacking IRC chat networks
- Manipulating online polls/games
Remote Control Facility (RCF)
RCF is what distinguishes a bot from a worm
DoS - Denial of Service
An action that prevents or impairs the authorized use of networks, systems, or applications by exhausting resources such as central processing units (CPU), memory, bandwidth, and disk space.
DoS Attack Resource Categories
- Network bandwidth
- System resources
- Application resources
Flooding ping command
- Classic DoS Attack
- Aim of this attack is to overwhelm the capacity of the network connection to the target organization
Distributed Denial of Service (DDoS) Attacks
- Use of multiple systems to generate attacks
- Attacker uses a flaw in the operating system or in a common application to gain access to a system and installs their program on it, turning it into a zombie
- Large collections of such systems under the control of one attacker can be created, forming a botnet
DoS Attack Defenses
- These attacks cannot be prevented entirely
- High traffic volumes may be legitimate
Four lines of defense against DDoS attacks
- Attack prevention and preemption (before the attack)
- Attack detection and filtering (during the attack)
- Attack source traceback and identification (during and after the attack)
- Attack reaction (after the attack)
IP - Internet Protocol
IP has the task of delivering packets from the source host to the destination host solely based on the IP addresses in the packet headers.
TCP - Transmission Control Protocol
TCP provides reliable, ordered, and error-checked delivery of a stream of octets (bytes) between applications running on hosts communicating via an IP network.
UDP - User Datagram Protocol
With UDP, computer applications can send messages, in this case referred to as datagrams, to other hosts on an IP network. Prior communications are not required in order to set up communication channels or data paths.
Virtualization
A technology that provides an abstraction of the resources used by some software which runs in a simulated environment called a virtual machine (VM)
Virtualization Benefits
Better efficiency in the use of the physical system resources
Virtualization Security Issues
- Guest OS Isolation
- Guest OS monitoring by the hypervisor
- Virtualized environment security
Access Control Principles
Measures that implement and assure security services in a computer system, particularly those that assure access control service.
Access Control Policies
- Discretionary access control (DAC)
- Mandatory access control (MAC)
- Role-based access control (RBAC)
- Attribute-based access control (ABAC)
Discretionary access control (DAC)
Controls access based on the identity of the requestor and on access rules (authorization) stating what requestors are (or are not) allowed to do
Mandatory access control (MAC)
Controls access based on comparing security labels with security clearances
Role-based access control (RBAC)
Controls access based on the roles that users have within the system and on rules stating what accesses are allowed to users in given roles
Attribute-based access control (ABAC)
Controls access based on attributes of the user, the resource to be accessed, and current environmental conditions
Subject
- An entity capable of accessing objects
- Three classes
- Owner
- Group
- World
Object
- A resource to which access is controlled
- Entity used to contain and/or receive information
Access right
- Describes the way in which a subject may access an object
- Could include:
- Read
- Write
- Execute
- Delete
- Create
- Search
- …
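The four access control policies and the subject/object/access-right vocabulary above are clearest when the same request is decided under all four side by side: DAC consults owner/group/world rights set by the object's owner, MAC compares a clearance with a security label regardless of what the owner wants, RBAC asks which roles the user holds, and ABAC evaluates a rule over subject, object and environment attributes. The block below is an added example, not code from the original page: the subjects, the object, the role-to-permission table and the ABAC rule are all constructed, the DAC model follows the Unix owner/group/world mode string, and the MAC model uses Bell-LaPadula's no-read-up / no-write-down rules.

```python
from dataclasses import dataclass

RIGHTS = ("read", "write", "execute")   # position of each right in a DAC mode triplet


@dataclass
class Subject:
    name: str
    groups: set          # DAC: group membership
    clearance: int       # MAC: 0 unclassified .. 3 top secret
    roles: set           # RBAC
    attrs: dict          # ABAC: e.g. {"dept": "research"}


@dataclass
class Object:
    name: str
    owner: str
    group: str
    mode: str            # DAC: Unix-style "rwxr-x---" (owner, group, world)
    classification: int  # MAC label
    attrs: dict          # ABAC/RBAC: e.g. {"type": "report", "dept": "research"}


def dac(s: Subject, o: Object, right: str) -> bool:
    """DAC with owner/group/world subject classes: the first class that applies
    decides (as in Unix, an owner denied by the owner bits is not re-checked
    against the group or world bits)."""
    if s.name == o.owner:
        bits = o.mode[0:3]
    elif o.group in s.groups:
        bits = o.mode[3:6]
    else:
        bits = o.mode[6:9]
    return bits[RIGHTS.index(right)] != "-"


def mac(s: Subject, o: Object, right: str) -> bool:
    """MAC in the Bell-LaPadula style: read/execute only if clearance dominates
    the label (no read up); write only if the label dominates the clearance
    (no write down). Note that a low-cleared user may still write upward."""
    if right in ("read", "execute"):
        return s.clearance >= o.classification
    if right == "write":
        return s.clearance <= o.classification
    return False


# RBAC: roles map to permissions on object types, never to individual users.
ROLE_PERMISSIONS = {
    "analyst": {("report", "read")},
    "editor": {("report", "read"), ("report", "write")},
}


def rbac(s: Subject, o: Object, right: str) -> bool:
    return any((o.attrs["type"], right) in ROLE_PERMISSIONS.get(r, set())
               for r in s.roles)


def abac(s: Subject, o: Object, right: str, env: dict) -> bool:
    """ABAC rule (constructed): subject and object must share a department, and
    writes are allowed only from the corporate network during business hours."""
    if s.attrs.get("dept") != o.attrs.get("dept"):
        return False
    if right == "write":
        return bool(env.get("on_corp_net")) and 9 <= env.get("hour", -1) < 17
    return True


def decide(s: Subject, o: Object, right: str, env: dict) -> dict:
    """Evaluate one request under all four policies, side by side."""
    return {"DAC": dac(s, o, right), "MAC": mac(s, o, right),
            "RBAC": rbac(s, o, right), "ABAC": abac(s, o, right, env)}


# Constructed subjects, object and environments.
ALICE = Subject("alice", {"research"}, 2, {"editor"}, {"dept": "research"})
BOB = Subject("bob", {"research"}, 1, {"analyst"}, {"dept": "research"})
CAROL = Subject("carol", {"finance"}, 3, {"editor"}, {"dept": "finance"})
REPORT = Object("q3-report", "alice", "research", "rw-r-----", 2,
                {"type": "report", "dept": "research"})
OFFICE_HOURS = {"on_corp_net": True, "hour": 10}
LATE_OFFSITE = {"on_corp_net": False, "hour": 22}

if __name__ == "__main__":
    for who in (ALICE, BOB, CAROL):
        for right in ("read", "write"):
            print(who.name, right, decide(who, REPORT, right, OFFICE_HOURS))
```

The interesting rows are the disagreements: bob (group member, clearance 1, analyst) can read the report under DAC, RBAC and ABAC but not under MAC, because his clearance does not dominate the label, yet MAC lets him write to it while the other three refuse; carol (other department, clearance 3, editor) is allowed by MAC and RBAC but refused by DAC (world bits) and ABAC (department mismatch); and alice's write, permitted everywhere during office hours, is refused by ABAC alone when the environment changes to late-night off-network access.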