ch21-网络安全(1)-网络安全风险

第21章网络安全南京大学计算机系黄皓教授2007年12月4日星期二南京大学计算机系讲义2References„CharlesP.Pfleeger,ShariLawrencePfleeger.SecurityinComputing.PearsonEducationAsiaLimitedandChinaMachinePress，2004.(李毅超等译。信息安全原理与应用。电子工业出版社，2004年7月第1版。)南京大学计算机系讲义3ThreatsinNetworks(1)WhatMakesaNetworkVulnerable(2)WhoAttacksNetworks(3)ThreatPrecursors(4)ThreatsinTransit(5)Impersonation(6)Spoofing(7)MessageConfidentialityThreats(8)MessageIntegrityThreats南京大学计算机系讲义4WhatMakesaNetworkVulnerable„Anonymity…Anattackercanmountanattackfromthousandsofmilesawayandnevercomeintodirectcontactwiththesystem，itsadministrators，orusers．…Thepotentialattackeristhussafebehindanelectronicshield．…Disguisetheattack’sorigin.„Manypointsofattack…Onehost’sadministratormayenforcerigoroussecuritypolicies，butthatadministratorhasnocontroloverotherhostsinthenetwork．…Anattackcancomefromanyhosttoanyhost，sothatalargenetworkoffersmanypointsofvulnerability．南京大学计算机系讲义5WhatMakesaNetworkVulnerable„Sharing…Accesscontrolsforsinglesystemsmaybejnadequateinnetworks．„Complexityofsystem…Anetworkoperating/controlsystemislikelytobemorecomplexthananoperatingsystemforasinglecomputingsystem．…Theattackercanusethegreatercomputingpowertoadvantagebycausingthevictim’scomputertoperformpartoftheattack’scomputation．…Mostusersdonotknowwhattheircomputersarereallydoingatanymoment.南京大学计算机系讲义6WhatMakesaNetworkVulnerable„Unknownperimeter…Anetwork’sexpandabilityalsoimpliesuncertaintyaboutthenetworkboundary．…Resourcesononenetworkareaccessibletotheusersoftheothernetworkaswell．„Unknownpath…AuseronhostAwantstosendamessagetoauseronhostB.ThatmessagemightberoutedthroughhostsCorDbeforearrivingathostB.HostCmayprovideacceptablesecurity，butnotD．…Networkusersseldomhavecontrolovertheroutingoftheirmessages．南京大学计算机系讲义7WhoAttacksNetworks„Challenge…Whydopeopledodangerousordauntingthings，likeclimbmountainsorswimacrosstheEnglishChannelorengageinextremesports?Becauseofthechallenge．…Thesinglemostsignificantmotivationforanetworkattackeristheintellectualchallenge：„HeorsheisintriguedwithknowingtheanswerstoCanIdefeatthisnetwork?„WhatwouldhappenifItriedthisapproachorthattechnique?„RobertMorrisattackedsupposedlyasanexperimenttoseeifhecouldexploitaparticularvulnerability．„Otherattackers，suchastheCultoftheDeadCow,seektodemonstrateweaknessesinsecuritydefensessothatotherswillpayattentiontostrengtheningsecurity.„Stillotherunknownindividualsworkingpersistentlyjusttoseehowfartheycangoinperformingunwelcomeactivities.南京大学计算机系讲义8WhoAttacksNetworks„Fame…Someattackersseekrecognitionfortheiractivities．…Thatis，partofthechallengeisdoingthedeed，allotherpartistakingcreditforit．…Theymaynotbeabletobragtooopenly，buttheyenjoythepersonalthrillofseeingtheirattackswrittenupinthenewsmedia．南京大学计算机系讲义9WhoAttacksNetworks„MoneyandEspionage…Asinothersettings．financialrewardmotivatesattackers，too.…Industrialespionageisillegal,butitoccurs,inpartbecausegain.Itsexistenceandconsequencescanbeembarrassingforthetargetcompanies.…Thus,manyincidentsgounreported,andtherearefewreliablestatisticsonhowmuchindustrialespionageand“dirtytricks”goon.…Inaddition，38percentto53percentreportedtheywereattackedbyaU.S.competitorand23percentto31percentbyaforeigncorporation.…Notallsecurityattackscomefromindividualhackers.南京大学计算机系讲义10WhoAttacksNetworks„Ideology…Hactivism:usehackingtechniquesagainstatarget’snetworkwiththeintentofdisruptingnormaloperationsbutnotcausingseriousdamage．…Cyberterrorism:politicallymotivatedhackingoperationsintendedtocausegraveharmsuchaslossoflifeorsevereeconomicdamage.南京大学计算机系讲义11ThreatPrecursors„PortScan…Aneasywaytogathernetworkinformationistouseaportscan，aprogramthat，foraparticularIPaddress，reportswhichportsrespondtomessagesandwhichofseveralknownvulnerabilitiesseemtobepresent．…whichstandardportsorservicesarerunningandrespondingonthetargetsystem.…whatoperatingsystemisinstalledonthetargetsystem，…whatapplicationsandversionsofapplicationsarepresent．…Thisinformationisreadilyavailablefortheaskingfromanetworkedsystem；itcanbeobtainedquietly，anonymously，withoutidentificationorauthentication，drawinglittleornoattentiontothescan．南京大学计算机系讲义12ThreatPrecursors„SocialEngineering…“Hello．thisisJohnDavisfromITsupport．Weneedtotestsomeconnectionsontheinternalnetwork．Couldyoupleaserunthecommandipconfig/allonyourworkstationandreadtometheaddressesitdisplays?”„Reconnaissance…Onecommonlyusedreconnaissancetechniqueiscalled“dumpsterdiving”…Reconnaissancemayalsoinvolveeavesdropping．…Collectingbackgroundinformationyieldsabigpayoff．南京大学计算机系讲义13ThreatPrecursors„OperatingSystemandApplicationFingerprinting…Eachvendor’scodeisimplementedindependently．Sotheremaybeminorvariationsininterpretationandbehavior．Thevariationsdonotmakethesoftwarenoncompliantwiththestandard，buttheyaredifferentenoughtomakeeachversiondistinctive．…Forexample．eachversionmayhavedifferentsequencenumbers，TCPflags，andnewoptions．Forexample:Server:Netscape-Commerce/1.12Yourbrowsersentanon-HTTPcompliantmessage．MicrosoftESMTPMAILService,Version：5.0,2195.3779南京大学计算机系讲义14ThreatPrecursors„BulletinBoardsandChats„AvailabilityofDocumentation南京大学计算机系讲义15ToCatcha