Security Engineering Lecture 8

Security challenges have increased with the rise of the internet.
Secure system design must consider malicious attacks and accidental errors.
Three key dimensions for secure systems are confidentiality, integrity, and availability.

Confidentiality: Protecting sensitive information from unauthorized access. Examples include preventing credit card theft.
Integrity: Ensuring information remains accurate and reliable. A worm corrupting data is an example.
Availability: Maintaining access to systems and data. A denial-of-service attack can make a system unavailable.
These dimensions are interconnected and addressing them is crucial for dependable systems. If one dimension is compromised, it can impact the others.

Security should be addressed at three levels: infrastructure, application, and operational.
Infrastructure Security: Protects systems and networks that provide essential services to the organization.
Application Security: Ensures the security of applications or groups of related systems.
Operational Security: Secures the day-to-day operations and usage of the organization's systems.

Application systems rely on a supporting infrastructure of various software and hardware layers.
These layers include operating systems, generic applications, database management systems, middleware, and libraries of reusable components.
Network systems are vulnerable to security threats. Web browsers are common targets for attacks.
Systems need robust security measures.

Infrastructure Security: Often a management issue concerning configuration of systems to resist attacks. Key activities include User and Permission Management, System Software Deployment and Maintenance, Attack Monitoring and Recovery.
Operational Security: Focuses on human behavior, ensuring users are aware of and not compromising security.
Security and dependability attributes are closely linked.

Security is a crucial attribute of any system, protecting from threats from inside and out. Common attack methods include viruses, Trojan horses, unauthorized use, and altering system data.
Maintaining complete system offline is a potential solution, but it's often impractical for most systems.
Robust security measures are important for maintaining system dependability, particularly in contexts like airline reservations.
System vulnerabilities can arise from requirements, design, implementation issues, and human, social, or organizational factors.
Human errors, such as weak passwords and failing to install protection software, may highlight poor system design.
Strategies to refine system design and improve user practices can enhance security.

Asset: Anything valuable that needs protection (data or a system).
Attack: An attempt to exploit a vulnerability to damage system assets; attacks can be external or internal.
Control: A protective measure to reduce vulnerabilities.
Exposure: Potential loss or damage from a system security breach.
Threat: A circumstance that could cause loss or harm, representing a security vulnerability.
Vulnerability: A weakness in a system that can be exploited to cause damage or loss.

A criminal gained unauthorized access to the Mentcare system to gain illegal information.
They impersonated a concerned relative and gained information about users.
By checking names and systematically guessing passwords, the criminal was able to gain access.

Interception Threats: Accessing valuable assets.
Interruption Threats: Parts of the system become unavailable (e.g., DoS attack).
Modification Threats: Altering or destroying data or system assets.
Fabrication Threats: Inserting false information in a system (e.g., in a bank).

Vulnerability Avoidance: Prevent attacks by careful system design.
Attack Detection and Neutralization: Monitor for unusual activities and respond to attacks.
Exposure Limitation and Recovery: Implement controls for incident recovery.

Security and Reliability: Attacks that corrupt data can cause system failures.
Security and Availability: Denial-of-service attacks.
Security and Safety: Safety is important to consider when discussing security in the context of system behavior.
Security and Resilience: The ability of a system to recover from damaging events such as attacks is essential.

Building secure systems is challenging due to costs and uncertainties.
Organizations might choose lower security measures instead of high-investment strategies.
Establishing a policy with clear definitions of protected assets, protection levels, and user responsibilities is essential. This includes defining existing procedures.

Evaluating risks to information assets (e.g., systems and data) is crucial for organizations.
Generic assessments are sometimes used due to practicality concerns, but individual assessments are important for new systems.
Risk assessment is often more about organizational vulnerabilities than just technological ones (e.g., supplier interactions).

Preliminary Risk Assessment: Identify generic risks and determine if security can be achieved cost-effectively.
Design Risk Assessment: Assessing risks during development, including design and implementation decisions.
Operational Risk Assessment: Evaluate risks in operational environments, such as unattended use.

Security requirements are similar to safety requirements but more complex due to hostile environments.
Security requires root cause analysis, as breaches can be concealed.
System downtime is generally not acceptable in response to security attacks.

Risk avoidance, detection, and mitigation are important risk management strategies.
Security requirements must be derived through a detailed process, such as a risk-driven process. Includes asset identification, value assessments, exposure assessments, and threat identification.

Patient data must be downloaded to a secured area at the start of a session.
All patient data in the system should be encrypted for protection from outside access.
A log of all changes to the database system must be kept on a server separate from the database server.

Misuse cases illustrate potential malicious interactions with a system.
Misuse cases are helpful for security requirements analysis and for identifying potential risks.
Misuse cases complement traditional use cases by depicting attacks and interactions. They can be included in use case diagrams but must include detailed textual descriptions.