System Security
System Security
System Security
By : Sourabh Arora
Include:
Telecommunications Electrical power systems Water supply systems Gas and oil pipelines Transportation Government services Emergency services Banking and finance
Threats - examples Viruses, trojan horses, etc. Denial of Service Stolen Customer Data Modified Databases Identity Theft and other threats to personal privacy Equipment Theft Espionage in cyberspace Hack-tivism Cyberterrorism
CIA Confidentiality: Who is authorized to use data? Integrity: Is data good? Availability: Can access data whenever need it? CIA or CIAAAN (other security components added to CIA) Authentication Authorization Non-repudiation
S
A S = Secure
Example 1:
C vs. I+A
Disconnect computer from Internet to increase confidentiality Availability suffers, integrity suffers due to lost updates
Example 2:
I vs. C+A
Have extensive data checks by different people/systems to increase integrity Confidentiality suffers as more people see data, availability suffers due to locks on data under verification)
Confidentiality
Concealment of information or resources
How do we know who needs what data? Approach: access control specifies who can access what How do we know a user is the person she claims to be? Need her identity and need to verify this identity Approach: identification and authentication
Confidentiality is:
Integrity
Trustworthiness of the Data or the Source
Types of integrity Data Integrity (the content of the information) Origin Integrity (source of data, often called authentication) Integrity Check Mechanisms Prevention Mechanisms blocking any unauthorized attempts to change the data or any attempts to change the data in unauthorized ways Detection Mechanisms they simply report that the data's integrity is no longer trustworthy Evaluating integrity is very difficult relies on assumptions about the source of the data and about trust in that source
Availability
Ability to use the information or resource desired
System designs assume a statistical model to analyze expected patterns of use, and mechanisms ensure availability when that statistical model holds If someone manipulates use (or parameters that control use, such as network traffic) so that the assumptions of the statistical model are no longer valid then Non Available
Availability
Timely request response Fair allocation of resources (no starvation!) Fault tolerant (no total breakdown) Easy to use in the intended way Provides controlled concurrency (concurrency control, deadlock control, ...)
10
Vulnerability = a weakness in a security system Threat = circumstances that have a potential to cause harm Controls = means and ways to block a threat, which tries to exploit one or more vulnerabilities
Q: What were city vulnerabilities, threats, and controls? A: Vulnerabilities: location below water level, geographical location in hurricane area, Threats: hurricane, dam damage, terrorist attack, Controls: dams and other civil infrastructures, emergency response plan,
11
Attack (materialization of a vulnerability/threat combination) = Exploitation of one or more vulnerabilities by a threat; tries to defeat controls Attack may be: Successful (a.k.a. an exploit) resulting in a breach of security, a system penetration, etc. Unsuccessful when controls block a threat trying to exploit a vulnerability
12
Threat Spectrum
Local threats Recreational hackers Institutional hackers Shared threats Organized crime Industrial espionage Terrorism National security threats National intelligence Info warriors
13
Kinds of Threats
Kinds of threats:
Disclosure an unauthorized party (human or not) gains access to an asset/information Interruption an asset becomes lost, unavailable, or unusable Modification an unauthorized party changes the state of an asset Fabrication an unauthorized party counterfeits an asset Examples?
14
15
Add / remove a h/w device Ex: Snooping, wiretapping (passive) Ex: Modification, alteration of a system (active) Ex: Masquerading or Spoofing (active) ...
Physical attacks on h/w => need physical security: locks and guards Accidental (dropped PC box) or voluntary (bombing a computer room) Theft / destruction Damage the machine (spilled coffe, mice, real bugs) Steal the machine Machinicide: Axe / hammer the machine ...
16
Wardriving/warwalking -- driving/walking around with a wireless-enabled notebook looking for unsecured wireless LANs Warchalking -- using chalk markings to show the presence and vulnerabilities of wireless networks nearby E.g., a circled "W -- indicates a WLAN protected by Wired Equivalent Privacy (WEP) encryption
17
Software Deletion Easy to delete needed software by mistake To prevent this: use configuration management software Software Modification Trojan Horses, , Viruses, Logic Bombs, Trapdoors, Information Leaks (via covert channels), ... Software Theft Unauthorized copying via P2P, etc.
18
Trojan horse - A computer program that appears to have a useful function, but also has a
hidden and potentially malicious function that evades security mechanisms, sometimes by exploiting legitimate authorizations of a system entity that invokes the program.
Virus - A hidden, self-replicating section of computer software, usually malicious logic, that
propagates by infecting (i.e., inserting a copy of itself into and becoming part of) another program. A virus cannot run by itself; it requires that its host program be run to make the virus active.
Worm - A computer program that can run independently, can propagate a complete working
version of itself onto other hosts on a network, and may consume computer resources destructively.
[cf. http://www.ietf.org/rfc/rfc2828.txt]
How valuable is your data? Credit card info vs. your home phone number Source code Visible data vs. context 2345 -> Phone extension or a part of SSN?
Adequate protection Cryptography Good if intractable for a long time Threat of Identity Theft Cf. Federal Trade Commission: http://www.consumer.gov/idtheft/ \
20
Disclosure Attack on data confidentiality Unauthorized modification / deception E.g., providing wrong data (attack on data integrity) Disruption DoS (attack on data availability) Usurpation Unauthorized use of services (attack on data confidentiality, integrity or availability)
21
Examples of Attacks on Data Confidentiality Tapping / snooping Examples of Attacks on Data Integrity Modification: salami attack -> little bits add up E.g/ shave off the fractions of cents after interest calculations Fabrication: replay data -> send the same thing again E.g., a computer criminal replays a salary deposit to his account Examples of Attacks on Data Availability Delay vs. full DoS Examples of Repudiation Attacks on Data: Data origin repudiation: I never sent it Repudiation = refusal to acknowledge or pay a debt or honor a contract (especially by public authorities). [http://www.onelook.com] Data receipt repudiation: I never got it
22
Network vulnerabilities / threats Networks multiply vulnerabilties and threats, due to: their complexity => easier to make design/implem./usage mistakes bringing close physically distant attackers Esp. wireless (sub)networks Access vulnerabilities / threats Stealing cycles, bandwidth Malicious physical access Denial of access to legitimate users People vulnerabilities / threats Crucial weak points in security too often, the weakest links in a security chain Honest insiders subjected to skillful social engineering Disgruntled employees
23
5. Attackers
Attackers need MOM Method Skill, knowledge, tools, etc. with which to pull off an attack Opportunity Time and access to accomplish an attack Motive Reason to perform an attack
24
Types of Attackers
Types of Attackers - Classification 1 Amateurs Opportunistic attackers (use a password they found) Script kiddies Hackers - nonmalicious In broad use beyond security community: also malicious Crackers malicious Career criminals State-supported spies and information warriors Types of Attackers - Classification 2 (cf. before) Recreational hackers / Institutional hackers Organized criminals / Industrial spies / Terrorists National intelligence gatherers / Info warriors
25
6. Methods of Defense
Five basic approaches to defense of computing systems Prevent attack Block attack / Close vulnerability
Deter attack Make attack harder (cant make it impossible ) Deflect attack Make another target more attractive than this target
28
A) Controls
Computers Today
Location with natural obstacles Surrounding moat Drawbridge Heavy walls Arrow slits Crenellations Strong gate Tower Guards / passwords
Physical controls
29
Medieval castles location (steep hill, island, etc.) moat / drawbridge / walls / gate / guards /passwords another wall / gate / guards /passwords yet another wall / gate / guards /passwords tower / ladders up
Multiple controls in computing systems can include: system perimeter defines inside/outside preemption attacker scared away deterrence attacker could not overcome defenses faux environment (e.g. honeypot, sandbox) attack deflected towards a worthless target (but the attacker doesnt know about it!) Note layered defense / multilevel defense / defense in depth (ideal!)
30
Protects CIA:
31
Secondary controls second only to encryption Software/program controls include: OS and network controls E.g. OS: Sandbox / virtual machine Logs/firewalls, OS/net virus scans, recorders independent control programs (whole programs) E.g. password checker, virus scanner, IDS (intrusion detection system) internal program controls (part of a program) E.g. read/write controls in DBMSs development controls E.g. quality standards followed by developers incl. testing
32
Considerations for Software Controls: Impact on users interface and workflow E.g. Asking for a password too often?
33
Hardware devices to provide higher degree of security Locks and cables (for notebooks) Smart cards, dongles, hadware keys, ... ...
34
Policy vs. Procedure Policy: What is/what is not allowed Procedure: How you enforce policy Advantages of policy/procedure controls: Can replace hardware/software controls Can be least expensive Be careful to consider all costs E.g. help desk costs often ignored for for passwords (=> look cheap but migh be expensive)
35
Policy - must consider: Alignment with users legal and ethical standards
Probability of use (e.g. due to inconvenience) Inconvenient: 200 character password, change password every week (Can be) good: biometrics replacing passwords
36
Walls, locks Guards, security cameras Backup copies and archives Cables an locks (e.g., for notebooks) Natural and man-made disaster protection Fire, flood, and earthquake protection Accident and terrorism protection ...
37
B) Effectiveness of Controls
Awareness of problem People convined of the need for these controls Likelihood of use Too complex/intrusive security tools are often disabled Overlapping controls >1 control for a given vulnerability To provide layered defense the next layer compensates for a failure of the previous layer Periodic reviews A given control usually becomess less effective with time Need to replace ineffective/inefficient controls with better ones
38
Principle of Easiest Penetration An intruder must be expected to use any available means of penetration. The penetration may not necessarily be by the most obvious means, nor is it necessarily the one against which the most solid defense has been installed. Principle of Adequate Protection Computer items must be protected to a degree consistent with their value and only until they lose their value.
39
Principle of Effectiveness Controls must be usedand used properlyto be effective. They must be efficient, easy to use, and appropriate. Principle of Weakest Link Security can be no stronger than its weakest link. Whether it is the power supply that powers the firewall or the operating system under the security application or the human, who plans, implements, and administers controls, a failure of any control can lead to a security failure.
40