1 cs691 chow C. Edward Chow Overview of Computer Security CS691 – Chapter 1 of Matt Bishop.

Presentation transcript:


2 Outline of the Talk
- Definitions
- Three Basic Security Services
- Threats
- Policy and Mechanism
- Assumptions and Trust
- Assurance
- Operational Issues
- Human Issues

3 Computer Security
Security:
1. a feeling secure; freedom from fear, doubt, etc.
2. protection; safeguard
3. something given as a pledge of repayment, etc.
4. [pl.] bonds, stocks, etc.
Secure:
1. [Firm] fastened, bound, adjusted
2. [Safe] guarded, unharmed, defended
3. [Self-confident] assured, stable, determined
Above from Webster’s New World Dictionary
Computer Security: issues, theories, techniques, and tools that deal with the protection and safeguarding of computer systems.

4 Three Basic Security Services
- Confidentiality: the concealment of information or resources.
- Integrity: the trustworthiness of data and resources.
- Availability: the ability to use the information or resources desired.

5 Confidentiality
The need for keeping information secret arises from:
- Enforcing the “need to know” principle in military and civilian government agencies
- Protecting proprietary designs from competitors
- Protecting a company’s personnel records
- Protecting personal financial/ID info against ID theft
Applies to the existence of data or traffic patterns.
Applies to resource hiding:
- System configuration data
- Systems/equipment/service provider used

6 Support for Confidentiality
Access control mechanisms support confidentiality. For example:
- Cryptography
- File access control
  – but when it fails, data is not protected
  – How does file access control protect the existence of data?
These mechanisms require supporting services from the system kernel, and agents to provide correct data.
Assumptions and trust underlie confidentiality mechanisms. E.g., is the openssl crypto library trustworthy?

7 Integrity
Preventing improper or unauthorized change.
Two types of integrity:
- Data integrity (content of information)
- Origin integrity (source of the data, related to authentication)
  → significant bearing on the credibility of, and trust in, the people who create the info.
Example: a newspaper prints info from a leak at the White House but attributes it to the wrong source. Which integrity was violated?

8 Integrity Mechanisms
Prevention mechanisms: they seek to maintain the integrity of the data by blocking
- any unauthorized attempts to change the data, e.g., intrusion
  – Protect with adequate authentication and access controls
- any attempts to change the data in unauthorized ways, e.g., embezzlement such as Enron?
  – Protect with (independent) auditing, persons with integrity (those three persons of the year in Time)
Detection mechanisms: report that data integrity is compromised, by analyzing system events or the data itself.

9 Integrity vs. Confidentiality
Which one is harder?
Confidentiality work finds whether data is compromised.
Integrity work includes checking the correctness and trustworthiness of the data. This includes the history of the data:
  – Integrity of the origin of the data
  – How it arrived (transport channel integrity)
  – How well it is protected after it arrived

10 Availability
Related to reliability and system design.
Some may deliberately arrange to deny access to data or a service by making it unavailable. Attempts to block availability are called denial of service attacks.
System designs usually assume a statistical model to analyze expected patterns of use. Access patterns that follow the statistical model are allowed to use the services.
- How is a simple threshold-based approach related to this?
- How is an anomaly-based intrusion detection system (IDS) related to this?
A deliberate attempt can “train” the IDS to treat attacks as atypical events.

11 Threats
Threat: a potential violation of security.
- The violation need not actually occur for there to be a threat.
- Actions that could cause a violation to occur must be guarded against, or prepared for. These actions are called attacks.
- Those who execute such actions, or cause them to be executed, are called attackers.
Shirey [916] divided threats into four broad classes:
- Disclosure: unauthorized access to information
- Deception: acceptance of false data
- Disruption: interruption or prevention of correct operation
- Usurpation: unauthorized control of some part of a system
usurp: to take power by force [L usus a use rapere to seize]

12 Examples of Threats
Snooping: unauthorized interception of information; listening to communications, browsing files/system info.
- Disclosure type, passive
→ Confidentiality services counter this threat.
- Wiretapping or passive wiretapping: a form of snooping.
Modification or alteration: unauthorized change of info.
- Deception; could lead to the disruption or usurpation classes of threats if the modified data controls system operation.
- Active
- Active wiretapping: a form of modification
  – e.g., man-in-the-middle attack: the intruder intercepts/modifies/relays the msg between sender and receiver.
→ Integrity services counter this threat.

13 Examples of Threats
Masquerading or spoofing: an impersonation of one entity by another.
- Deception and usurpation
- Pretending to be a site, or delivering a different file.
→ Integrity services (authentication services) counter this threat.
- Masquerading vs. delegation. What is the difference?
Repudiation of origin: a false denial that an entity sent or created something.
- Deception
- Sending an order letter, then later denying having sent it.
→ Integrity mechanisms cope with this threat.
Denial of receipt: a false denial that an entity received some info or msg.
- Deception
- Denying receipt of a payment or shipment.
→ Integrity and availability guard against such attacks.

14 Examples of Threats
Delay: a temporary inhibition of a service.
- Usurpation (can play a supporting role in deception).
- The attacker forces the delivery to take more time.
→ Availability mechanisms can thwart this threat.
Denial of Service: a long-term inhibition of service.
- Usurpation
- The attacker prevents a server from providing a service.
- The denial may occur at the source, at the destination, or along the intermediate path.
→ Availability mechanisms counter this threat.
- It can come from non-security-related problems.

15 Policy and Mechanism
- Security policy is a statement of what is, and what is not, allowed.
- Security mechanism is a method, tool, or procedure for enforcing a security policy.

16 Goals of Security
Given a security policy’s specification of “secure” and “nonsecure” actions, the security mechanisms can:
Prevent the attack.
- Implement mechanisms that the attacker cannot alter.
- Password protection; ingress filtering
Detect the attack.
- Determine whether an attack is underway or has occurred, and report it.
- Monitor the attack's activity, nature, severity and results.
- Log/report a high number of incorrect passwords.
Recover from the attack.
1. Stop the attack; assess and repair damage (backup and recovery, identification and fixing of the vulnerabilities, retaliation).
2. Continue to function while being attacked (fault-tolerant design).
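The detection example named on this slide, logging and reporting a high number of incorrect passwords, written out as a simple threshold check over a sliding time window (an added example, not part of the original slides). The message text follows OpenSSH's "Failed password" log line; the ISO timestamps, host name, addresses, threshold and window are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (documentation addresses, invented host and PIDs).
SAMPLE_LOG = [
    "2024-05-01T10:00:00 gw sshd[811]: Failed password for bob from 198.51.100.23 port 40100 ssh2",
    "2024-05-01T10:00:01 gw sshd[812]: Failed password for root from 203.0.113.7 port 51122 ssh2",
    "2024-05-01T10:00:05 gw sshd[813]: Failed password for invalid user admin from 203.0.113.7 port 51130 ssh2",
    "2024-05-01T10:00:09 gw sshd[814]: Failed password for root from 203.0.113.7 port 51141 ssh2",
    "2024-05-01T10:00:14 gw sshd[815]: Failed password for invalid user test from 203.0.113.7 port 51150 ssh2",
    "2024-05-01T10:00:18 gw sshd[816]: Failed password for root from 203.0.113.7 port 51163 ssh2",
    "2024-05-01T10:02:00 gw sshd[820]: Failed password for bob from 198.51.100.23 port 40101 ssh2",
    "2024-05-01T10:04:00 gw sshd[821]: Failed password for bob from 198.51.100.23 port 40102 ssh2",
    "2024-05-01T10:06:00 gw sshd[822]: Failed password for bob from 198.51.100.23 port 40103 ssh2",
    "2024-05-01T10:08:00 gw sshd[823]: Failed password for bob from 198.51.100.23 port 40104 ssh2",
    "2024-05-01T10:08:30 gw sshd[824]: Accepted password for bob from 198.51.100.23 port 40105 ssh2",
]

FAILED_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)

def detect_password_bursts(lines, threshold=5, window=timedelta(seconds=60)):
    """Report each source that reaches `threshold` failed passwords
    within `window`. Lines are assumed to be in chronological order."""
    recent = defaultdict(deque)   # source -> timestamps still inside the window
    reported = set()              # report each source once
    alerts = []
    for line in lines:
        m = FAILED_RE.match(line)
        if m is None:
            continue              # successful logins and unrelated lines
        ts = datetime.fromisoformat(m["ts"])
        src = m["src"]
        times = recent[src]
        times.append(ts)
        # Drop failures that have aged out of the window.
        while ts - times[0] > window:
            times.popleft()
        if len(times) >= threshold and src not in reported:
            reported.add(src)
            alerts.append({
                "src": src,
                "count": len(times),
                "since": times[0].isoformat(),
                "at": ts.isoformat(),
            })
    return alerts

if __name__ == "__main__":
    for alert in detect_password_bursts(SAMPLE_LOG):
        print(alert)
```

The second source also fails five times, but spread over eight minutes, so a fixed count-per-window threshold never fires for it; that is the limitation the Availability slide's question about threshold-based approaches points at.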

17 Assumptions and Trust
A policy consists of a set of axioms that policy makers believe can be enforced.
Designers of policies always make two assumptions:
1. The policy correctly and unambiguously partitions the set of system states into “secure” and “nonsecure”.
2. The security mechanisms prevent the system from entering a “nonsecure” state.

18 Secure, Precise, Broad
Let $P$ be the set of all possible states.
Let $Q$ be the set of secure states as specified by the security policy.
Let the security mechanisms restrict the system to some set of states $R$ (thus $R \subseteq P$).
A security mechanism is secure if $R \subseteq Q$; it is precise if $R = Q$; and it is broad if there is a state $r$ such that $r \in R$ and $r \notin Q$.
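The secure / precise / broad definitions applied to a small enumerable system (an added example, not part of the original slides). The file, the two users, the policy and the three mechanisms are constructed assumptions; a mechanism is secure when its set R is contained in Q, precise when R equals Q, and broad when R contains a state outside Q.

```python
from itertools import product

# Constructed toy system (an assumption, not from the slides): one file,
# payroll.db, and two users. A state is (alice_can_read, bob_can_read).
P = frozenset(product((False, True), repeat=2))

def policy(state):
    """Security policy: bob must never be able to read payroll.db."""
    alice_can_read, bob_can_read = state
    return not bob_can_read

# Q: the secure states as specified by the policy.
Q = frozenset(s for s in P if policy(s))

# Three hypothetical mechanisms, each given as the predicate
# "the mechanism lets the system be in this state".
def group_deny(state):
    # Group-granularity control: alice and bob share a group, so keeping
    # bob out means denying the whole group, alice included.
    return state == (False, False)

def per_user_acl(state):
    # Per-user ACL with a deny entry for bob only.
    return not state[1]

def world_readable_default(state):
    # No restriction at all: any combination of read access can arise.
    return True

def restricted_states(mechanism):
    """R: the subset of P the mechanism restricts the system to."""
    return frozenset(s for s in P if mechanism(s))

def classify(mechanism):
    """Apply the slide's definitions and list the witness states."""
    R = restricted_states(mechanism)
    return {
        "secure": R <= Q,                            # R is a subset of Q
        "precise": R == Q,
        "broad": bool(R - Q),                        # some r in R, r not in Q
        "nonsecure_states_allowed": sorted(R - Q),
        "secure_states_denied": sorted(Q - R),
    }

if __name__ == "__main__":
    for mech in (group_deny, per_user_acl, world_readable_default):
        print(mech.__name__, classify(mech))
```

The group-level mechanism is secure but not precise: it also rules out the secure state in which alice alone can read the file, which is the usual cost of enforcing a policy with a coarser mechanism.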

19 Assumptions for trusting that security mechanisms work
- Each mechanism is designed to implement one or more parts of the security policy.
- The union of the mechanisms implements all aspects of the security policy.
- The mechanisms are implemented correctly.
- The mechanisms are installed and administered correctly.

20 Assurance
System specification, design and implementation can provide a basis for determining “how much” to trust a system. This aspect of trust is called assurance. It is an attempt to provide a basis for bolstering how much one can trust a system.
Assurance steps:
1. Detailed spec of desired or undesired behavior
2. An analysis of the design of hw, sw, and other components to show the system will not violate the spec
3. Arguments or proofs that implementation, operating procedures, and maintenance procedures will produce the desired behavior.
Definition: A system is said to satisfy a specification if the specification correctly states how the system will function.

21 Operational Issues
- Cost-Benefit Analysis
- Risk Analysis
- Laws and Customs

22 Human Issues
Organizational Problems
- No clear chains of responsibility and power
- Lack of trained computer security people. Knowledgeable people are overloaded.
- Security is treated as a secondary task.
- Lack of resources (time, money, computing resources, and training)
People Problems
- Outsider:
- Insider:
- Untrained personnel.
- Social engineering attack: disguising as a VP to change a password over the phone.
- Misconfiguration problems due to the complexity of security-related configuration files.

23 Security Life Cycle
- Threats
- Policy
- Specification
- Design
- Implementation
- Operation and Maintenance