SystemsSec 2016W Lecture 11: Difference between revisions

From Soma-notes
Line 30: Line 30:
How do we monitor what's happening?
How do we monitor what's happening?


*Ip addresses, Port checking, etc.: These are very noisy approaches, and will alert a system. an attacker will not do this more then absolutely necessary
*IP addresses, Port checking, etc.: These are very noisy approaches, and will alert a system. An attacker will not do this more then absolutely necessary


*Webserver status: 
*Monitoring the network: Is it possible to monitor this network from another machine?, An attacker may need to compromise another machine first!
**What code is running on the server?
**What version?
**Webserver will usually hand this out
 
*monitoring the network: Is it possible to monitor this network from another machine?, An attacker may need to compromise another machine first!
**This can be done by Wireshark
**This can be done by Wireshark


*Physical Surveillance:  
*Physical Surveillance:  
**Personel, Administrators: Do they have social media that can be accessed, and guess the password from info? **Set up account on another site: Can they convince an employee to make an account, they may use same password.  
**Personnel, Administrators: Do they have social media that can be accessed, and guess the password from info? **Set up account on another site: Can they convince an employee to make an account, they may use same password.  
**Forums: Have they posted about bugs or net problems?  
**Forums: Have they posted about bugs or net problems?  
**Wireless network: can they eavesdrop on a signal?
**Wireless network: can they eavesdrop on a signal?
What we really want to know in Surveillance step: What code is running on the server.


==Example attack==
==Example attack==

Revision as of 20:08, 13 February 2016

Sample Midterm Questions

  • What properties should a secure OS have? Why?
  • Why are production operating systems not constructed like ones designed for security first? Be specific
  • To what extent are security tools (for attack and defense) hard to use? Are these difficulties inherent to the technology or are other factors in play? Give examples from your personal experience.
  • Describe three threat models and explain what entities these threat models apply to.


Midterm Layout

  • Expect each question to be a small essay, that draws upon the information acquired through class, and through the readings to form a conclusion.
  • Expect 3-5 questions on the midterm.
  • This exam will be closed book. Email Anil if writing this midterm via computer is important to you.

Under construction

Model of a standard attack

   Let us look at a standard attack. An attacker will do the following:
  • Identify a target: An attacker will select a system or individual to attack
  • Surveillance: An attacker will study the target.
  • Get access ("The Attack"): An attacker at some point will access or breach the system.
  • Accomplish his goal: An attacker will gather what he came for (credit cards, passwords, bank transfer etc)
  • Cover his tracks: An attacker will not want to be identified. They will try to destroy system logs, and any evidence that could point to the attack ever happening. In this sense, the news only reports failed attacks, as the intrusion was detected.

Example attack Surveillance

Let's say we are attacking an Ubuntu machine.

How do we monitor what's happening?

  • IP addresses, Port checking, etc.: These are very noisy approaches, and will alert a system. An attacker will not do this more then absolutely necessary
  • Monitoring the network: Is it possible to monitor this network from another machine?, An attacker may need to compromise another machine first!
    • This can be done by Wireshark
  • Physical Surveillance:
    • Personnel, Administrators: Do they have social media that can be accessed, and guess the password from info? **Set up account on another site: Can they convince an employee to make an account, they may use same password.
    • Forums: Have they posted about bugs or net problems?
    • Wireless network: can they eavesdrop on a signal?

What we really want to know in Surveillance step: What code is running on the server.

Example attack

Let's say we know someone is running wordpress (wahoo, many exploits), and we know the exact version. We can get an exploit to use online.

The next step? Set up the same wordpress version, and test the exploit on our own systems. We don't want to be caught on a failed attempt. We can engineer the exploit to do it's intended goal, and test it's success, without fear of detection.

If we are not detected, this brings us to another type of attack:

  • Advanced Persistent threats: Breaking in, and modifying the system to infiltrate as needed.

As we can see it takes a fair bit of work to infiltrate a target. So why do we protection? The end result is if someone doesn't want to be caught, they need another machine. Or manay.

  • The most common threat scenario:
    • Being attacked, but you are not the target!
    • Targets become very broad: Anyone with windows, anyone with an RBC account etc.
    • Surveillence becomes less needed if you infect a trusted system.

Countermeasures

  • We can't stop surveillence, but we can mitigate it. This is the purpose of firewalls, they reduce infomation that can be obtained from the outside.
  • Having a custom OS would be very ideal, an attacker can't practice against a copy of your system. Live and noisy attacks become the only method of attacker. And the system targeted can attempt up it's security in response, or move data.
  • Under ideal conditions, the reference monitor of a system cannot be broken into. An attacker has to deal with the reference monitor's restrictions. They have to attack people and use the methods they would use to edit data. As a result, every user is a possible attacker. The access of every user, including root, must be limited.
  • Preventing an attacker from achieving their goals and covering their tracks are the most reliant countermeasures.
    • Logs that can't be tampered with by being placed on another system, or uneditable.
    • Information being withheld to even users
  • One problem. We can't make a perfect reference monitor.

Tools

  • NMAP: A tool designed to identify system and their versions, by analyzing the responses. Each system implements networks slightly differently, and this tool has a small database to compare to.