Modern Symmetric Cryptography PDF
André Zúquete
Summary
This document provides a basic introduction to modern symmetric cryptography, including terminology, how it works, and some use cases. It covers the goals of cryptanalysis and different attacks. The document also introduces computer ciphers, stream ciphers, and block ciphers, as well as their strategies.
Full Transcript
Modern Symmetric Cryptography
SIO, André Zúquete

Terminology
- Cryptography
  - Art or science of hidden writing (confidential writing)
  - From Gr. kryptós, hidden + graph, r. de graphein, to write
  - Initially used to enforce the confidentiality of information
  - Steganography: art of concealing data (from Gr. steganós, hidden + graph, r. de graphein, to write)
- Cryptanalysis: art or science of breaking cryptographic systems or encrypted information
- Cryptology: cryptography + cryptanalysis

João Paulo Barraca, André Zúquete, SIO

Cryptography: how does it work?
- Select a cipher (or cipher algorithm): a specific cryptographic technique
- Apply the cipher with a key
  - Encryption: original information → cryptogram
  - Decryption: cryptogram → original information
  - Key: algorithm parameter, influences algorithm execution
- Original information, aka plaintext or cleartext: usually information that follows some well-known format
- Cryptogram, aka ciphertext: looks like a random sequence of symbols
[Figure: plaintext → encrypt() → ciphertext → decrypt() → plaintext, both operations parameterized by key(s)]

Use cases for (symmetric) ciphers
- Self protection with secret key K
  - Alice encrypts plaintext P with key K → Alice: C = {P}K
  - Alice decrypts ciphertext C with key K → Alice: P' = {C}K
  - P' should be equal to P (requires checking)
  - Only Alice needs to know K
- Secure communication with secret key K
  - Alice encrypts plaintext P with key K → Alice: C = {P}K
  - Bob decrypts ciphertext C with key K → Bob: P' = {C}K
  - P' should be equal to P (requires checking)
  - K needs to be known by Alice and Bob

Goals of cryptanalysis
- Reveal the plaintext hidden in a ciphertext
  - Usually requires discovering the key that produced the ciphertext
- Sometimes requires discovering the cipher algorithm
  - Usually algorithms are not secret, but there are exceptions
  - Sometimes using reverse engineering
  - Lorenz, A5 (GSM), RC4 (WEP), Crypto-1 (Mifare)
  - Algorithms for DRM (Digital Rights Management)

Cryptanalysis attacks
- Brute force
  - Exhaustive search of the key space until finding a match (GPUs are great for this!)
  - Usually unfeasible for large key spaces
    - Key space: set of all possible keys with the same size; e.g., 128-bit keys allow a key space of 2^128 values
  - Key randomness is fundamental! It means that any key has the same probability of being the right one
- Clever attacks
  - Reduce the search space to a smaller set of potential candidates: words, numbers, restricted size or alphabet
  - Identify patterns in different operations, etc.

Computer ciphers
- Operate by making substitutions
  - Original information is a sequence of symbols
  - Each symbol is replaced by a substitution symbol, usually with the same size
    - Polyphonic substitution: several, larger substitution symbols for each original symbol
  - Substitution symbols are picked from a substitution alphabet
- Usual symbols: bit, block of bits
- Strategies
  - Monoalphabetic substitution: key → one substitution alphabet
  - Polyalphabetic substitution: key → several substitution alphabets (one for each symbol)

Computer ciphers: stream ciphers
- Encrypt/decrypt by mixing streams
  - They consider the data to cipher or decipher as a bit stream
  - Each plaintext/ciphertext bit is XORed (⊕) with each keystream bit
  - Usually explored in low-level communication protocols
- Polyalphabetic ciphers: each bit (0 or 1) is not always encrypted the same way
- Keystream
  - Randomly produced, as long as the processed data: Vernam cipher (or one-time pad), the only perfect cipher (but rarely used, very impractical)
  - Pseudo-randomly produced from a limited key: ordinary stream ciphers
[Figure: plaintext ⊕ keystream → ciphertext]

Computer ciphers: block ciphers
- Encrypt/decrypt sequences of blocks
  - Symbols are fixed-length blocks of bits
  - Usually use byte blocks as symbols
- Are monoalphabetic ciphers
  - Transform each symbol into another symbol
  - The key defines the transformation (substitution alphabet)
- Some may be polyphonic ciphers
  - Ciphertext blocks longer than plaintext blocks
  - Used in randomized ciphers
[Figure: block → encrypt()/decrypt() with key → block (a larger block for polyphonic ciphers)]

Computer ciphers: symmetric
- Encrypt/decrypt with the same key
  - The oldest strategy
  - Also called secret key ciphers
- Most common mechanism to provide confidentiality
  - Relatively simple to implement in software and hardware
  - Very good performance
  - Widely available across systems and platforms
[Figure: plaintext → encrypt() → ciphertext → decrypt() → plaintext, with the same key on both sides]

Computer ciphers: asymmetric
- Encrypt/decrypt with two different keys
  - Key pair: private component, public component
  - Public computed from private (or from secret data)
- An approach that was first proposed in 1978
- Different algorithms work in different ways
[Figure: plaintext → encrypt() → ciphertext → decrypt() → plaintext, each side parameterized by one key of the key pair (public key, private key)]

Computer ciphers: combinations
- (Symmetric) stream ciphers
  - Polyalphabetic ciphers
  - Keystream defined by the key
  - Keystream and XOR implement a polyalphabetic transformation
- Symmetric block ciphers
  - Monoalphabetic ciphers
  - Substitution alphabet is defined by the algorithm and key
- Asymmetric (block) ciphers
  - Polyphonic ciphers (not by nature, but for security reasons)
  - The functionalities of these ciphers are not homogeneous

Techniques used by ciphers
- Confusion
  - Complex relationship between the key, plaintext and the ciphertext
  - Output bits (ciphertext) should depend on the input bits (plaintext + key) in a very complex way
- Diffusion
  - Plaintext statistics are dissipated in the ciphertext
  - If one plaintext bit toggles, then the ciphertext changes substantially, in an unpredictable or pseudorandom manner
  - Avalanche effect

(Symmetric) stream ciphers: examples
- A5/1, A5/2
  - Cellular communications
  - Initially secret, reverse engineered
  - Explored in a weak fashion (64-bit keys with 10 bits stuck at zero)
- E0
  - Bluetooth communications
  - Keys up to 128 bits
- RC4
  - Wi-Fi communications (WEP, deprecated)
  - Initially secret, reverse engineered, never officially published
  - Keys with 40 to 2048 bits
- Other: Salsa20, ChaCha20, etc.

(Symmetric) stream ciphers: approach
- Use a cryptographically secure, pseudo-random bit generator
  - This generator produces the keystream
  - The generator implements a state machine
  - The generator is usually controlled by two values:
    - Initialization Vector (defines the initial state of the state machine)
    - Key (defines how one state moves to the next to produce the keystream)
- Cryptographically secure, pseudo-random means:
  - Statistically, the keystream looks like a totally random sequence of zeros and ones
  - If an attacker learns a part of the keystream, it cannot infer past keystream values or future keystream values
[Figure: key and IV feed a generator on each side; plaintext stream ⊕ keystream → ciphertext stream, ciphertext stream ⊕ keystream → plaintext stream]

Stream ciphers: exploitation considerations
- No two messages (P1, P2) should be encrypted with the same key and IV
  - Because they will be encrypted with the same keystream (KS)
  - The knowledge about one message reveals the other:
    C1 = P1 ⊕ KS
    C2 = P2 ⊕ KS
    P2 = C2 ⊕ KS = C2 ⊕ C1 ⊕ P1
  - Knowledge about P1 ⇒ immediate knowledge about P2
  - Known/chosen-plaintext attacks become very effective!
- Keystreams may be periodic (have a cycle)
  - Depends on the type and quality of the generator
  - Same problem as the one above (KS is reused)
  - Plaintext should be shorter than the period length

Stream ciphers: exploitation considerations
- Ciphertexts can be deterministically manipulated
  - Stream ciphers are simple and have no capability to detect manipulation
  - Each cipher bit depends only on one plaintext bit: C' = C ⊕ Δ ⇒ P' = P ⊕ Δ
- It is fundamental to have integrity control elements
  - In the ciphertext; or
  - In the plaintext
  - Objective is to detect accidental or malicious changes to P

Symmetric block ciphers: examples
- DES (Data Encryption Standard)
  - Proposed in 1974, standard in 1977, nowadays deprecated
  - Input/output: 64-bit blocks
  - Key: 56 bits
- AES (Advanced Encryption Standard)
  - Proposed in 1998 (Rijndael), standard since 2001
  - Input/output: 128-bit blocks
  - Key: 128, 192 or 256 bits
  - Most commonly used symmetric cipher in applications
- Other: IDEA, CAST, Twofish, Blowfish, RC5, RC6, Kasumi, etc.

Symmetric block ciphers: approach
- Use a pipeline of transformation rounds
  - Each round adds confusion and diffusion
  - Each round is usually controlled by a subkey
    - A value derived from the encryption/decryption key
    - Aka key schedule
- Rounds need to be reversible
  - To allow decrypting what was encrypted
  - Make use of well-known structures: Feistel networks, substitution-permutation networks
[Figure: key → key schedule → subkeys KS1 ... KSn; plaintext → Round 1 (KS1) → Round 2 (KS2) → ... → Round n-1 (KSn-1) → Round n (KSn) → ciphertext, and the reverse path for decryption]

Feistel network
- Encryption round i:
  Li = Ri-1
  Ri = Li-1 ⊕ f(Ri-1, Ki)
- Decryption round i:
  Ri-1 = Li
  Li-1 = Ri ⊕ f(Li, Ki)
- The function f(KSi) doesn't need to be reversible!
[Figure: (Li-1, Ri-1) → f(KSi) and ⊕ → (Li, Ri), and the mirrored diagram for decryption]
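Added example (not code from the slides): an illustrative stand-in keystream generator built from SHA-256 over a counter is used to show the two stream-cipher exploitation considerations above, keystream reuse (P2 = C2 ⊕ C1 ⊕ P1) and deterministic manipulation (C' = C ⊕ Δ ⇒ P' = P ⊕ Δ), followed by an integrity control element in the ciphertext (HMAC-SHA-256 over IV || C) that rejects the manipulated ciphertext before anything is decrypted. The generator, keys and messages are constructed for this example and the generator is not a real cipher.

```python
import hashlib
import hmac


def keystream(key: bytes, iv: bytes, length: int) -> bytes:
    # Stand-in generator (constructed for this example, NOT a real cipher):
    # the state machine is a block counter, and each state is turned into
    # 32 output bytes with SHA-256(key || iv || counter). The same key and
    # IV therefore always produce the same keystream.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + iv + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def stream_encrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    # C = P ⊕ KS; decryption is the very same operation (P = C ⊕ KS).
    return xor(data, keystream(key, iv, len(data)))


def two_time_pad(c1: bytes, c2: bytes, p1: bytes) -> bytes:
    # Key/IV reuse: C1 ⊕ C2 = P1 ⊕ P2, hence P2 = C2 ⊕ C1 ⊕ P1 without the
    # key. Only as many bytes of P2 as are known of P1 are revealed.
    n = min(len(c1), len(c2), len(p1))
    return xor(xor(c1[:n], c2[:n]), p1[:n])


def apply_delta(ciphertext: bytes, offset: int, delta: bytes) -> bytes:
    # C' = C ⊕ Δ decrypts to P' = P ⊕ Δ; the cipher alone cannot notice it.
    c = bytearray(ciphertext)
    for i, d in enumerate(delta):
        c[offset + i] ^= d
    return bytes(c)


TAG_LEN = 32  # HMAC-SHA-256 output


def seal(key: bytes, mac_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    # Integrity control element in the ciphertext: a keyed tag over IV || C
    # (separate MAC key) appended to C.
    c = stream_encrypt(key, iv, plaintext)
    return c + hmac.new(mac_key, iv + c, hashlib.sha256).digest()


def open_sealed(key: bytes, mac_key: bytes, iv: bytes, blob: bytes):
    # Returns the plaintext, or None when the tag does not match, i.e. the
    # ciphertext was changed (accidentally or deliberately). Nothing is
    # decrypted before the tag is verified, in constant time.
    c, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, iv + c, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return stream_encrypt(key, iv, c)


if __name__ == "__main__":
    # Constructed sample values.
    key, mac_key, iv = b"k" * 16, b"m" * 16, b"\x00" * 8
    p1 = b"meeting in room 101 at 09:00"
    p2 = b"meeting in room 205 at 14:30"
    c1 = stream_encrypt(key, iv, p1)
    c2 = stream_encrypt(key, iv, p2)          # same key and IV: KS reused
    print(two_time_pad(c1, c2, p1) == p2)     # True: P1 known => P2 revealed
    forged = apply_delta(c1, 0, b"\x20")      # flips the case of the first letter
    print(stream_encrypt(key, iv, forged))    # b'Meeting in room 101 at 09:00'
    blob = seal(key, mac_key, iv, p1)
    print(open_sealed(key, mac_key, iv, apply_delta(blob, 0, b"\x20")))  # None
```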
Substitution-permutation network
- SBox (Substitution Box)
  - Table with an output for an input (index): output = SBox[input]
  - SBoxes may be constant or key-dependent
    - DES and AES use constant SBoxes
    - Blowfish and Twofish use variable, key-dependent SBoxes
  - In SP networks, SBoxes must be reversible (bijective transformations): y = SBox[x], x = SBox^-1[y]
- PBox (Permutation Box)
  - Changes the positions of the input bits
  - Bits are not modified, only their position is modified
[Figure: input → SBox → output; x → SBox → y → SBox^-1 → x]

Substitution-permutation network
[Figure; credits: https://kevinliu.me/posts/linear-cryptanalysis/]

AES algorithm
- Input (128 bits), key (128, 192 or 256 bits), output (128 bits)
- Key expansion produces the round keys K0 ... KN (128 bits each)
- Pre-round transformation with K0, then rounds 1 ... N with K1 ... KN
- The number of rounds depends on the key size:
  key size | rounds (N)
  128      | 10
  192      | 12
  256      | 14

AES (encryption) round
- AddRoundKey
  - 128-bit XOR
  - Output is a 4x4 byte matrix
- SubBytes
  - 256-element S-box
  - Each matrix byte is substituted
- ShiftRows
  - Rows are rotated left
  - Byte shifts vary (0, 1, 2 and 3)
- MixColumns
  - Each column is transformed
  - Not performed in the last round
[Figure source: https://aescryptography.blogspot.com]

AES in CPU instruction sets
- Intel AES New Instructions (AES-NI)
- ARMv8 Cryptographic Extension
- ... and others

Cipher modes: Electronic Code Book (ECB)
- Direct encryption of each block: Ci = EK(Pi)
- Direct decryption of each block: Pi = DK(Ci)
- Blocks are processed independently
  - Parallelism is possible
  - Uniform random access exists
- Problem:
  - Exposes patterns existing in the clear text
  - If Pi = Pj then Ci = Cj

Cipher modes: Cipher Block Chaining (CBC)
- Encrypt each block Pi combined with Ci-1: Ci = EK(Pi ⊕ Ci-1)
- Decrypt each block Ci combined with Ci-1: Pi = DK(Ci) ⊕ Ci-1
  - Parallelism and uniform random access are possible
- First block uses an IV (Initialization Vector)
  - Better not reuse it for the same key
  - Random value, sequence value, etc.
  - May be sent openly
- Polyalphabetic transformation
  - The feedback prevents equal blocks from being equally processed
  - Seems like we have a different key per block

ECB vs CBC: pattern exposure
[Figure: the same input encrypted with ECB and with CBC]

ECB/CBC cipher modes: contents not block-aligned
- ECB and CBC require block-aligned inputs
  - Final sub-blocks need special treatment
- Alternatives
  - Padding of the last block, identifiable
  - Different processing for the sub-block: adds complexity, rarely used
- PKCS #7 padding
  - X = B − (M mod B)
  - X extra bytes, each with the value X
  - PKCS #5: equal to PKCS #7 with B = 8
  - Drawback: perfectly aligned inputs get an extra padding block!

Stream cipher modes
- Stream ciphers use a pseudorandom generator
  - There are multiple techniques to implement them
  - Some techniques are specially suited for hardware implementations, typically used in mobile, battery-powered devices
  - Other techniques are more suitable for CPU-based implementations
- Stream cipher modes
  - They use a block cipher to implement a stream cipher generator
  - The fundamental idea is:
    - The generator is a state machine with state Si on iteration i
    - The output of the generator for state Si is Oi+1 = EK(Si)
    - The state Si is updated to Si+1 using some transformation function f
    - S0 is defined by an IV
  - The generator only uses block cipher encryptions (or decryptions)
[Figure: Si → EK() → Oi+1; Si → f() → Si+1]

Stream cipher modes: n-bit OFB (Output Feedback)
- Ci = Ti ⊕ EK(Si-1)
- Ti = Ci ⊕ EK(Si-1)
- Si+1 = f(Si, EK(Si))
- S0 = IV
[Figure: IV → Si → E (K); n output bits are fed back into Si+1 and XORed with P to give C]

Stream cipher modes: n-bit CFB (Ciphertext Feedback)
- Ci = Ti ⊕ EK(Si-1)
- Ti = Ci ⊕ EK(Si-1)
- Si+1 = f(Si, Ci)
- S0 = IV
[Figure: IV → Si → E (K); n output bits XORed with P give C, and n bits of C are fed back into Si+1; the decryption side mirrors it]
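Added example, not code from the slides: a toy 64-bit Feistel network with a non-reversible round function f (SHA-256 based) and a constructed key schedule, PKCS #7 padding as defined above, and ECB and CBC built on top of it, so that decryption through one-way rounds, the pattern exposure of ECB (Pi = Pj ⇒ Ci = Cj) and the extra padding block for aligned inputs can all be observed. It illustrates the structures only and is not a secure cipher.

```python
import hashlib

BLOCK = 8     # 64-bit block: two 32-bit halves L and R
ROUNDS = 16


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _f(half: bytes, subkey: bytes) -> bytes:
    # Round function f(Ri-1, Ki): a truncated hash, i.e. NOT reversible.
    # The network below still decrypts correctly, which is the Feistel point.
    return hashlib.sha256(subkey + half).digest()[:4]


def key_schedule(key: bytes) -> list:
    # Toy key schedule (constructed here, not any standard cipher's): subkeys
    # KS1 .. KSn derived from the key.
    return [hashlib.sha256(b"round" + bytes([i]) + key).digest()[:8]
            for i in range(ROUNDS)]


def encrypt_block(block: bytes, subkeys: list) -> bytes:
    L, R = block[:4], block[4:]
    for k in subkeys:
        L, R = R, _xor(L, _f(R, k))   # Li = Ri-1;  Ri = Li-1 ⊕ f(Ri-1, Ki)
    return L + R


def decrypt_block(block: bytes, subkeys: list) -> bytes:
    L, R = block[:4], block[4:]
    for k in reversed(subkeys):
        L, R = _xor(R, _f(L, k)), L   # Ri-1 = Li;  Li-1 = Ri ⊕ f(Li, Ki)
    return L + R


def pkcs7_pad(data: bytes) -> bytes:
    # X = B − (M mod B) extra bytes, each with the value X; an aligned input
    # gets a whole extra block (the drawback noted on the slide).
    x = BLOCK - (len(data) % BLOCK)
    return data + bytes([x]) * x


def pkcs7_unpad(data: bytes) -> bytes:
    x = data[-1] if data else 0
    if not 1 <= x <= BLOCK or data[-x:] != bytes([x]) * x:
        raise ValueError("invalid PKCS#7 padding")
    return data[:-x]


def _blocks(data: bytes) -> list:
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key: bytes, plaintext: bytes) -> bytes:
    ks = key_schedule(key)                      # Ci = EK(Pi), blocks independent
    return b"".join(encrypt_block(b, ks) for b in _blocks(pkcs7_pad(plaintext)))


def ecb_decrypt(key: bytes, ciphertext: bytes) -> bytes:
    ks = key_schedule(key)                      # Pi = DK(Ci)
    return pkcs7_unpad(b"".join(decrypt_block(b, ks) for b in _blocks(ciphertext)))


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    ks, out, prev = key_schedule(key), [], iv
    for p in _blocks(pkcs7_pad(plaintext)):
        prev = encrypt_block(_xor(p, prev), ks) # Ci = EK(Pi ⊕ Ci-1), C0 = IV
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    ks, out, prev = key_schedule(key), [], iv
    for c in _blocks(ciphertext):
        out.append(_xor(decrypt_block(c, ks), prev))   # Pi = DK(Ci) ⊕ Ci-1
        prev = c
    return pkcs7_unpad(b"".join(out))


def repeated_blocks(ciphertext: bytes) -> int:
    # Ciphertext blocks that duplicate an earlier one: ECB leaks Pi = Pj as Ci = Cj.
    bs = _blocks(ciphertext)
    return len(bs) - len(set(bs))


if __name__ == "__main__":
    key, iv = b"toy-key-12345678", b"\x01" * BLOCK   # constructed sample values
    msg = b"ABCDEFGH" * 4                             # four identical plaintext blocks
    e, c = ecb_encrypt(key, msg), cbc_encrypt(key, iv, msg)
    print(len(e), repeated_blocks(e))   # 40 3: extra padding block, 3 repeats leak the pattern
    print(len(c), repeated_blocks(c))   # 40 0: chaining hides it
    print(ecb_decrypt(key, e) == msg, cbc_decrypt(key, iv, c) == msg)   # True True
```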
Cipher modes: n-bit CTR (Counter)
- Ci = Ti ⊕ EK(Si-1)
- Ti = Ci ⊕ EK(Si-1)
- Si+1 = Si + 1
- S0 = IV

Stream cipher modes: Galois with Counter Mode (GCM)
[Figure]

Cipher modes: comparison

                                              | Block                          | Stream
                                              | ECB        | CBC               | OFB           | CFB             | CTR      | GCM
Input pattern hiding                          |            | ✓                 | ✓             | ✓               | ✓        | ✓
Same key for different messages               | ✓          | ✓                 | other IV      | other IV        | other IV | other IV
Tampering difficulty                          | ✓          | ✓                 | (...)         | (...)           |          | ✓
Pre-processing                                |            |                   | ✓             |                 | ✓        | ✓
Parallel processing / uniform random access   | ✓          | decrypt           | with pre-proc | decrypt         | ✓        | ✓
Single-bit cryptogram error, on decryption    | same block | same & next block |               | a few next bits |          | detected
Capacity to recover from losses               | some       | some              |               | some            |          | detected

Cipher modes: multiple encryption
- Invented for extending the lifetime of DES
  - DES was never cryptanalyzed
  - But its key was too short (56 bits only)
  - Its key could be discovered by brute force
- Triple encryption EDE, or 3DES-EDE
  - Ci = EK3(DK2(EK1(Pi)))
  - Pi = DK1(EK2(DK3(Ci)))
  - With K1 ≠ K2 ≠ K3, it uses a 168-bit key
  - With K1 = K3 ≠ K2, it uses a 112-bit key
  - If K1 = K2 = K3, then we get simple encryption
  - In all cases, 3 times slower than DES

Cipher modes: DESX
- Another solution for extending the lifetime of DES
  - Much faster than 3DES
  - Two extra keys are used to add confusion, before the cipher input and after the cipher output
  - Ci = EK(K1 ⊕ Pi) ⊕ K2
  - Pi = K1 ⊕ DK(K2 ⊕ Ci)
- The equivalent key length is 184 bits
  - 64 + 64 + 56 bits
  - More than with 3DES

Digests, Integrity Control and Key Derivation
SIO, João Paulo Barraca

Digest functions: overview
- Produce a digital summary of data called a message digest
  - Data is a text or any binary information
- The message digest length is fixed, independently of the text length
  - Both a 200 byte and a 200 TB data item will result in a digest with the same length
- The message digest value strongly depends on the data
  - Two digests are typically very different, even if the original data is extremely similar

Digest functions: properties
- Preimage resistance
  - Given a digest, it is unfeasible to find an original text producing it
  - That is: we cannot go back from a digest to the data (we cannot "decrypt" it)
- 2nd-preimage resistance
  - Given a text, it is unfeasible to find another one with the same digest
  - That is: if we have a text, we cannot find another one with the same digest
- Collision resistance
  - It is unfeasible to find any two texts with the same digest
  - That is: given two unique texts, they will result in a different digest
  - Relates to the birthday paradox: a collision is expected after about 2^(n/2) attempts for an n-bit digest, where the typical n is >= 256

Digest functions: let's check size independence
- Considering the similar, yet different texts:
  - T1: "Hello User_A!"
  - T2: "Hello User_XPTO! Welcome to this lecture"
- Different algorithms will create digests with different lengths, but independent from the dimension of the text
  - MD5 (128 bits):
    T1: 70df836fdaf02e0dfc990f9139762541
    T2: 18f12f09c45d880ce738afe4780c2f3e
  - SHA-1 (160 bits):
    T1: f591aa1eabcc97fb39c5f422b370ddf8cb880fde
    T2: 622f7832e204f2d70161cf42480c4bf0f13e7324
  - SHA-256 (256 bits):
    T1: 9649d8c0d25515a239ec8ec94b293c8868e931ad318df4ccd0dffd67aff89905
    T2: 6453be3f643d0a7e9b5890eed76bb63df8b6b071b30d5f97269a530c289b9839

Digest functions: let's check content dependency
- Considering the similar, yet different texts (1 bit difference, 'B' → 'C'):
  - T1: "Hello User_B!", [0x48, 0x65, 0x6c, 0x6c, 0x6f, 0x20, 0x55, 0x73, 0x65, 0x72, 0x5f, 0x42, 0x21]
  - T2: "Hello User_C!", [0x48, 0x65, 0x6c, 0x6c, 0x6f, 0x20, 0x55, 0x73, 0x65, 0x72, 0x5f, 0x43, 0x21]
- A small difference in the text (1 bit) results in a completely different digest
  - MD5:
    T1: c32e0f62a7c9c815063d373acac80c37
    T2: 324a1bfc3041259480c6ad164cf0529f
  - SHA-1:
    T1: bab31eb62f961266758524071a7ad8221bc8700b
    T2: bd758d82899d132cd2af66dc3402b948d98de62d
  - SHA-256:
    T1: e663a01d3bec4f35a470aba4baccece79bf484b5d0bffa88b59a9bb08707758a
    T2: 69f78345da90c6b8d4785b769cd6ae09e0531716fe5f5a392fde1bdc70a2bb7d

Digest functions: approaches
- Merkle-Damgård construction
  - Collision-resistant, one-way compression functions (can be a block cipher!)
  - Iterative compression
  - Length padding
  - Digest size is the last block
  - Can be resumed! The digest is the state at Tn
  - Algorithms: MD5, SHA1, SHA2
[Figure: IV and the blocks T1 ... Tn chained through the compression function; the digest is the final state]

Digest functions: approaches
- Sponge functions
  - Data split in r sized blocks
  - Absorbing phase: chained f(r) calls
  - Squeezing: extract bits for the digest value
  - Algorithms: SHA3

Message Integrity Code (MIC)
- Provide the capability to detect arbitrary changes to data
  - Communication/storage errors from a random process or without integrity control
  - Humans/attackers can change the text and calculate a new MIC!
- MIC is a simple calculation of a digest over some data: MIC = H(T)
  - Sender calculates the MIC and sends it along with the text
  - Receiver calculates a new MIC' from the received message (T') and compares it with MIC
[Figure: creator: Text → H(Text) → MIC, sent with the text; validator: Text' → H(Text') → MIC', equals MIC?]

Example usage at kernel.org to validate file integrity
[Figure]

Message Authentication Code (MAC)
- Provide the capability to detect deliberate changes to data
  - Any change to data, even if from attackers!
- MAC is a keyed calculation of a digest over some data: MAC = H(T, K)
  - Parties agree on a key K, which is kept private to the participants
  - Sender calculates the MAC using K and sends it along with the text
  - Receiver calculates a new MAC' from the received message (T') and K and compares it with MAC
[Figure: creator: Text → H(Text, K) → MAC, sent with the text; validator: Text' → H(Text', K) → MAC', equals MAC?]
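Added example, not from the slides: MIC = H(T) versus MAC = H(T, K) as a receiver would check them, showing that an unkeyed digest catches a transmission error but is simply recomputed by whoever changes the text, while the keyed digest is not. HMAC-SHA-256 is this example's choice of keyed function; the text, key and changes are constructed values.

```python
import hashlib
import hmac


def make_mic(text: bytes) -> bytes:
    # MIC = H(T): an unkeyed digest; detects accidental changes only.
    return hashlib.sha256(text).digest()


def check_mic(text: bytes, mic: bytes) -> bool:
    # Receiver recomputes MIC' from the received text and compares it.
    return hmac.compare_digest(make_mic(text), mic)


def make_mac(text: bytes, key: bytes) -> bytes:
    # MAC = H(T, K): a keyed digest; HMAC-SHA-256 (standard library) is the
    # keyed function chosen for this example.
    return hmac.new(key, text, hashlib.sha256).digest()


def check_mac(text: bytes, key: bytes, mac: bytes) -> bool:
    # Constant-time comparison, so the check itself leaks nothing about the tag.
    return hmac.compare_digest(make_mac(text, key), mac)


def corrupt_in_transit(text: bytes) -> bytes:
    # Random-process error model: a single bit of the text flipped.
    return bytes([text[0] ^ 0x01]) + text[1:]


def modify_and_recompute_mic(text: bytes, old: bytes, new: bytes):
    # The slide's warning made concrete: whoever can change the text can also
    # compute a fresh MIC for it, because H needs no secret.
    changed = text.replace(old, new)
    return changed, make_mic(changed)


def modify_without_key(text: bytes, old: bytes, new: bytes, mac: bytes):
    # The same change against a MAC-protected message: without K the modifier
    # can only keep the old MAC (or attach an unkeyed digest); neither verifies.
    return text.replace(old, new), mac


if __name__ == "__main__":
    key = b"shared-secret-key"                      # constructed sample value
    text = b"file=report.pdf;status=draft"
    mic, mac = make_mic(text), make_mac(text, key)
    print(check_mic(corrupt_in_transit(text), mic))            # False: error det.
    t2, mic2 = modify_and_recompute_mic(text, b"draft", b"final")
    print(check_mic(t2, mic2))                                # True: MIC fooled
    t3, mac3 = modify_without_key(text, b"draft", b"final", mac)
    print(check_mac(t3, key, mac3))                           # False: MAC holds
```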
MAC João Paulo Barraca, André Zúquete SIO 10 Example usage in JWT Algorithm Cookie provided Data in cookie in webpage to Clients Clients cannot change Cookie due to MAC MAC calculated with secret_key. Key is private to server https://jwt.io/#debugger-io?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ._sytI9TdagSl-vSnVExnCuD46OQVKX7BxQR1YomY9cA João Paulo Barraca, André Zúquete SIO 11 Message Authentication Code (MAC) Approaches Encryption of an ordinary digest (e.g. from SHA3) ─ Using, for instance, a symmetric block cipher Using encryption with feedback & error propagation ─ CBC-MAC or GCM Adding a key to the hashed data ─ Keyed-MD5 (128 bits) MD5(K, keyfill, text, K, MD5fill) ─ HMAC (output length depends on the function H used) H(K, opad, H(K, ipad, text)) ipad = 0x36 B times opad = 0x5C B times B = size of H input block ▪ HMAC-MD5, HMAC-SHA-1, etc. João Paulo Barraca, André Zúquete SIO 12 Message Authentication Code (MAC) When used with encryption Encrypt-then-MAC: MAC is computed from cryptogram: M = C | MAC(C, K2), C=E(T, K1) ─ Allows verifying integrity before decryption ─ MAC calculation is frequently faster than decryption Encrypt-and-MAC: MAC is computed from plaintext: M = E(T, K1) | MAC(T, K2) ─ May give information regarding original text (if similar to other text) ─ Receiver will find that text was manipulated only after decryption plus MAC calculation (slower) ─ Manipulated ciphertext may attack the decryption algorithm without detection BAD MAC-then-Encrypt: MAC is computed from plaintext: M = E( T | MAC(T, K2), K1) ─ MAC is encrypted (which is not bad) ─ Receiver will find that text was manipulated only after decryption plus MAC calculation (slower) ─ Manipulated ciphertext may attack the decryption algorithm without detection João Paulo Barraca, André Zúquete SIO 13 Example: GCM (Galois Counter Mode) CTR0 +1 CTR1 +1 CTRn E E E Standard CTR K K K encryption process T1 C1 Tn Cn 
multH Digest construction auth data multH multH len(A) || len(C) multH auth tag Results in a cryptogram (C1, C2, C3 … Cn) and a auth_tag acting as MAC Requires an additional auth_data João Paulo Barraca, André Zúquete SIO 14 Key derivation Motivation Cipher algorithms require fixed dimension keys ─ 56, 128, 256… bits We may need to derive keys from multiple sources ─ Shared secrets ─ Passwords generated by humans ─ PIN codes and small length secrets Original source may have low entropy ─ Reduces the difficulty of a brute force attack ─ Although we must have some strong relation into a useful key Sometimes we need multiple keys from the same material ─ While not allowing to find the material (a password, another key) from the new key João Paulo Barraca, André Zúquete SIO 15 Key derivation Purposes Key reinforcement: increase the security of a password ─ Usually defined by humans ─ To make dictionary attacks impractical Key expansion: increase/decrease the length of a key ─ Expansion to a size that suits an algorithm ─ Eventually derive other related keys for other algorithms (e.g. 
MAC) João Paulo Barraca, André Zúquete SIO 16 Key derivation Key derivation requires the existence of: ꟷ A Salt which makes the derivation unique ꟷ A difficult problem ꟷ A chosen level of complexity Computational difficulty ꟷ Transformation requires relevant computational resources Memory difficulty ꟷ Transformation requires relevant storage resources ꟷ Limits attacks using dedicated hardware accelerators João Paulo Barraca, André Zúquete SIO 17 Key derivation Simple Approach: A Digest function Arguments: ─ Salt = A random value ─ Password = a secret (provided by humans) ─ H = An adequate Digest Function key = H(password, salt) Advantages: ─ Key has a large length, and can be truncated to the adequate length ─ Two passwords will result in diferent keys ─ Finding the key will not lead to the password Issues: simple, enabling brute force/diccionary attacks João Paulo Barraca, André Zúquete SIO 18 Key derivation Password Based Key Derivation Function (PBKDF2) Produces a key from a password, with a chosen difficulty K = PBKDF2(PRF, Salt, rounds, dim, password) ─ PRF: Pseudo-Random-Function: a digest function ─ Salt: a random value ─ Rounds: the computational cost (hundreds of thousands) ─ Dim: the size of the result required Operation: calculate ROUNDS x DIM operations of the PRF using the SALT and Password ─ Higher number of rounds will increase the cost of brute force/diccionary attacks João Paulo Barraca, André Zúquete SIO 19 Key derivation Password Based Key Derivation Function (PBKDF2) Dimension Rounds João Paulo Barraca, André Zúquete SIO 20 Key derivation scrypt Produces a key with a chosen computation and storage cost K = scrypt(password, salt, n, p, dim, r, hLen, Mflen) ─ Password: a secret ─ Salt: a random value ─ N: the cost parameter ─ P: the parallelization parameter. 
p ≤ (232− 1) * hLen / MFLen ─ Dim: the size of the result ─ R: the size of the blocks to use (default is 8) ─ hLen: the size of the digest function (32 for SHA256) ─ Mflen: bytes in the internal mix (default is 8 x R) João Paulo Barraca, André Zúquete SIO 21 Key Derivation: scrypt Produces a key with a chosen storage cost K = scrypt(password, salt, n, p, dim, r, hLen, Mflen) ꟷ Password: a secret ꟷ Salt: a random value ꟷ N: the cost parameter ꟷ P: the parallelization parameter. p ≤ (232− 1) * hLen / MFLen ꟷ Dim: the size of the result ꟷ R: the size of the blocks to use (default is 8) ꟷ hLen: the size of the digest function (32 for SHA256) ꟷ Mflen: bytes in the internal mix (default is 8 x R) © André Zúquete, João Paulo Barraca Information and Organizational Security 22 SIO Key derivation scrypt João Paulo Barraca, André Zúquete SIO 23 Defending an Organization SIO The current organizational landscape Organizations are complex and must reach everyone Physical space: where we live since >10000y BC ꟷ We know it, it’s slow, it involves moving matter around ꟷ Laws are plentiful and cover most interactions Cyberspace: to which organizations just tapped into ꟷ We do not know it, it’s fast, there are no barriers ꟷ Everything can be hidden, laws are limited João Paulo Barraca, André Zúquete SIO 2 Malicious actors are motivated and organized João Paulo Barraca, André Zúquete ENISA Threat Landscape 2023 SIO 3 The current legal landscape Must comply with new regulatory frameworks ꟷ 2016: NIS – Defines basic cybersecurity requirements ꟷ 2018: GDPR – Defines requirements for private data ꟷ 2018: RJSC – Legal Framework for the national Cyberspace ꟷ 2021: DL65 – Defines processes for inventory, reporting, formalize strategy ꟷ 2024?: NIS 2 – Defines cyber teams and processes for critical/essential services ꟷ 2025: DORA - Digital Operational Resilience Act – Financial Institutions Strategies are based on risk and maturity ꟷ Risk: identify assets and determine their risk ꟷ Maturity: 
determine organization maturity over multiple areas Evolve all as adequate João Paulo Barraca, André Zúquete SIO 4 National Cybersecurity Framework (QNRCS) Objectives https://www.cncs.gov.pt/pt/quadro-nacional/ João Paulo Barraca, André Zúquete SIO 5 National Cybersecurity Framework (QNRCS) Objectives Identify: Understanding the organization’s context, the assets that support the critical business processes and relevant associated risks. Protect: Implementation of measures aimed at protecting the business processes and company assets, regardless of their technological nature. Detect: Definition and implementation of appropriate activities aimed at identifying incidents on time. Respond: Definition and implementation of appropriate measures in case of incident detection. Recover: Definition and implementation of activities aimed at managing the recovering plans and actions to restore impaired processes and services… João Paulo Barraca, André Zúquete SIO 6 National Cybersecurity Framework (QNRCS) ISO/IEC 27032, Basic concepts and high level relationships Risk Based ─ Aims to minimize risk Consider Stakeholders ─ Decision Level Consider Assets Inventory ─ Services ─ Products João Paulo Barraca, André Zúquete SIO 7 National Cybersecurity Framework (QNRCS) ISO/IEC 27005, Basic concepts and high level relationships Strategy focused on Risk Management Risk used to decide what to address ─ Vulnerabilities to handle ─ Controls do deploy ─ Policies ─ Mechanisms to apply ─ Investment in cybersecurity João Paulo Barraca, André Zúquete SIO 8 Assets: Crown Jewels Approach Focused on identifying and protecting the most critical assets ꟷ To the organization mission! What is a crown jewel? 
ꟷ Essential Sensitive Data ꟷ Essential Servers ꟷ Essential Software Systems ꟷ Any other asset (HVAC, Generators…) Disruption to the crown jewels will pose a serious impact to the organization Objective: Protect the crown jewels ꟷ and grow from there to the rest of the organization ꟷ based on a risk assessment João Paulo Barraca, André Zúquete SIO 9 Security Plan Live document describing the security posture ꟷ Allows organizations to know where they are and where they want to go ꟷ Considers authentication, backups, risk, access control, policies, etc. Accepted by the organization, signed by Security Principal ꟷ Periodically reviewed and improved Written and accepted policies implies higher maturity ꟷ Organizations frequently only have word of mouth or informal frequent practices João Paulo Barraca, André Zúquete SIO 10 Incident Response Framework NIST SP 800-61r2 Confinement, Detection and Post Incident Preparation Erradication Analysis Activities and Recovery NIST SP 800-61r2 – Incident Response Life cycle https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf João Paulo Barraca, André Zúquete SIO 11 Incident Response Coordination FIRST: Forum of Incident Response and Security Teams ─ Global forum of incident response and security teams. ─ Aim to improve cooperation between security teams on handling major cybersecurity incidents. ─ FIRST is an association of incident response teams with global coverage. 
ENISA: European Union Agency for Cybersecurity ─ Contributes to EU cyber policy, improving trust and resilience CERT: Computer Emergency Response Team ─ One per country, coordinating João Paulo Barraca, André Zúquete SIO 12 Incident Response Coordination CERT: Computer Emergency Response Team ─ One per country, coordinating all significant events ─ Helps companies identifying, preparing and recovering from attacks CSIRT: Computer Security Incident Response Team ─ One per relevant organization, coordinating the response in coordination with the CERT ─ https://www.cncs.gov.pt/pt/certpt/ CSIRT Networks: Groups of CSIRTs to facilitate joint actions ─ E.g. training, taxonomy, Threat information exchange ─ https://www.redecsirt.pt/ João Paulo Barraca, André Zúquete SIO 13 Incident Response Coordination Support Activities ─ Networks, projects ─ E.g. https://www.ccc-centro.pt (Competence Center) ─ Increase the security posture and resilience of organizations Training and awareness Exchange strategies, information, and tools Incident Response Funding Police Authorities ─ Polícia Judiciária ─ Unidade Nacional de Combate ao Cibercrime e à Criminalidade Tecnológica (UNC3T): [email protected] João Paulo Barraca, André Zúquete SIO 14 Security Teaming Security operations are frequently organized in teams ꟷ Blue Team: Defends an organization from malicious actors ꟷ Red Team: Attacks an organization to help finding weak spots ꟷ Purple Team: Mixed attack defense role Each team uses specific tools and methods Todays’ lecture João Paulo Barraca, André Zúquete SIO 15 Blue Teams Defend organizations from malicious actors ꟷ Abusing and Careless actors, and general failures also Typical fundamental tasks to address: ꟷ People: training, awareness, culture ꟷ Processes: analysis, investigation, data, reporting ꟷ Technology: monitoring, detection, scripting, automation João Paulo Barraca, André Zúquete SIO 16 Blue Teams Mandatory for all organizations! 
ꟷ Good amount of job opportunities
ꟷ Extreme shortage of professionals
Very demanding due to high asymmetry
ꟷ Attackers must succeed once, using their preferred TTPs
ꟷ Defenders must defend continuously, from all attacks
ꟷ To the entire organization attack surface, using any TTP
Challenging and interesting
ꟷ Many topics to address: programming, forensics, AI/ML, training…
ꟷ Continuously evolving with new techniques and tools

Blue Team Defence Techniques
Everything Everywhere All at Once?
ꟷ No! Prioritize according to the organization mission
Current approaches focus on:
ꟷ the CIA triad
ꟷ the crown jewels
Risk assessment
ꟷ with the least pain
ꟷ security plan

SOC – Security Operations Center
Responsible for continuously monitoring
ꟷ the organization's digital infrastructure
Monitor, detect and respond
ꟷ to cybersecurity threats
Empowered with skilled analysts and technology
ꟷ Security assessments
ꟷ Data protection
ꟷ Incident response

Main concepts
Defensive Security (Engineering)
ꟷ Firewalls, backups, logs
ꟷ Secure Software Development Lifecycle
ꟷ Security related requirements (e.g., OWASP ASVS)
ꟷ Training and Awareness
Incident Response
ꟷ Have processes and procedures to handle incidents
ꟷ Involve stakeholders (decision makers, clients, lawyers) and communicate (Public Relations)
Detection Engineering
ꟷ Designing, developing, testing, and maintaining threat detection logic

Detection Engineering
(Figure: detection engineering cycle; source: SANS. TTPs: Tactics, Techniques, and Procedures)

Direction: CTI
Assess the current threats from Cyber Threat Intelligence
Cyber Threat Intelligence helps understanding the dynamics
ꟷ The "Dark web": Tor forums, discords, telegrams, IRC, twitter, pastebins
ꟷ Official reports: Security Researchers (reversing, analysis)
ꟷ How actors position themselves (hacktivists, crime)
ꟷ How attacks to similar organizations are conducted

Direction: CTI
Threat Intelligence provides analysis and forecasts
ꟷ Official entities, private orgs
ꟷ Police Authorities
ꟷ Government Ministries

Direction: Alerts and Incidents
Current alerts will tailor future rules
ꟷ Identify popular threat actions
ꟷ Reduce false positives
ꟷ Keep the capability to detect new threats
ꟷ Includes conducting controlled attacks to validate rules
Incident resolution impacts resolution playbooks
ꟷ Once a threat is found, what can the organization do?
ꟷ Deficiencies in incident response define future improvements
ꟷ Includes simulated incidents to test processes

Collection: Data Harvesting
Engineer Data Collection
Focus on relevant data sources to address threats
─ Cannot get all data
─ Visibility will be limited
Potential targets
─ Servers: AD, email, HTTP, Databases
─ Wireless Controllers
─ VPN access
─ Firewalls
─ Endpoints: Laptops, VMs, IoT devices

Collection: Data Harvesting
Engineer Data Collection
Current approaches focus on a large data lake
─ Algorithms match rules, ML models, signatures, behavior
https://github.com/gcsuaveiro/gcs-sarai

Collection: Data Harvesting
Processing: Pain?
(Figure: flow dashboard with callouts)
Millions of events/hour
ꟷ Things we know are against policy, and block
Thousands of malicious agents (detect or block)
SO MANY FLOWS
Green events are:
- Compliant events
- Suspicious events that are not blocked
- Malicious events that cannot be detected

SO MANY FLOWS FROM ALL AROUND US
(Figure: flows from all around us)
The concept of us (internal) vs. others (external) is not robust

"The Pyramid of Pain" (Bianco, 2013)
(Figure: The Pyramid of Pain, defence difficulty increasing from bottom to top)
Increase defence capabilities from the bottom to the top
Why?
ꟷ Detecting URLs/files/emails by comparing hashes is trivial
ꟷ Understanding how actors behave is very, very difficult

Triage
Or how to select relevant events?
Could be one of several definitions
─ Attack near completion
─ Targeting / affecting high-value items
  Critical hosts, business processes, users, data
─ Advanced targeted attackers or simple attacks
─ Unique, never fired before or lowest count
Will depend on the organization

Definition of Dangerous
The same criteria apply (attack near completion, high-value targets, advanced targeted attackers, unique or rarely fired alerts), and it will depend on the organization
Anything that will cause relevant damage
─ It has a high cost to recover from
─ Or it is difficult to remedy

(Fantastic) Threats and Where to Find Them?
Behavior matching: mostly ML
ꟷ Known patterns
ꟷ Anomaly detection
Signature matching: YARA
ꟷ Signatures for malware are created and disseminated
Reputation evaluation: IP addresses / domains
ꟷ Low reputation addresses may generate an alert or be blocked
Known threats are identified by vendor software
ꟷ Challenge: Unknown/Tailored threats
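As an added example (not code from the slides or from the authors' course), the Python sketch below runs the three detection approaches just listed (hash signatures, address reputation, behavior matching) over constructed log events and then ranks the resulting alerts with the triage criteria from the Triage and Definition of Dangerous slides; the rule names, thresholds, kill-chain stage mapping and all sample hosts, hashes and addresses are assumptions.

```python
"""Toy SOC pipeline: detect on constructed events, then triage by the slides' criteria."""
from collections import Counter
from dataclasses import dataclass

# Constructed reference data (not from the slides; hashes and IPs are placeholders).
KNOWN_BAD_HASHES = {"c0ffee01"}        # bottom of the Pyramid of Pain: trivial to match
LOW_REPUTATION_IPS = {"203.0.113.7"}   # reputation list entry (TEST-NET-3 address)
CROWN_JEWELS = {"ad01", "db01"}        # high-value hosts of this (fictional) organization
# Assumed kill-chain position of each rule; later stages are "attacks near completion".
STAGE_RANK = {"initial_access": 2, "lateral_movement": 3, "exfiltration": 4}
RULE_STAGE = {
    "ioc_hash_match": "initial_access",
    "low_reputation_ip": "initial_access",
    "domain_fanout": "exfiltration",
}


@dataclass
class Event:
    """One harvested event (endpoint or firewall log) in a constructed schema."""
    host: str
    user: str
    dst_ip: str
    file_hash: str = ""
    new_domains: int = 0  # distinct never-seen domains contacted by the host in the window


@dataclass
class Alert:
    rule: str
    host: str
    score: float = 0.0


def detect(events):
    """Three detection approaches of increasing pain for the attacker:
    hash signature, address reputation, and behavior (anomalous domain fan-out)."""
    alerts = []
    for e in events:
        if e.file_hash in KNOWN_BAD_HASHES:
            alerts.append(Alert("ioc_hash_match", e.host))
        if e.dst_ip in LOW_REPUTATION_IPS:
            alerts.append(Alert("low_reputation_ip", e.host))
        if e.new_domains >= 20:  # assumed threshold: DGA/exfiltration-like fan-out
            alerts.append(Alert("domain_fanout", e.host))
    return alerts


def triage(alerts, history):
    """Rank alerts by: attack near completion, high-value target, unique/lowest count.
    `history` is the list of rule names that fired before (constructed)."""
    counts = Counter(history)
    for a in alerts:
        score = float(STAGE_RANK[RULE_STAGE[a.rule]])  # attack near completion
        if a.host in CROWN_JEWELS:
            score += 4                                  # targeting the crown jewels
        fired = counts[a.rule]
        score += 3 if fired == 0 else 1 / fired         # never fired before / lowest count
        a.score = score
    return sorted(alerts, key=lambda a: a.score, reverse=True)


# Constructed sample input: four events, the last one benign.
EVENTS = [
    Event("ws17", "alice", "198.51.100.20", file_hash="c0ffee01"),
    Event("db01", "svc_backup", "203.0.113.7"),
    Event("ws22", "bob", "198.51.100.5", new_domains=35),
    Event("ws09", "carol", "198.51.100.9"),
]
HISTORY = ["ioc_hash_match"] * 40 + ["low_reputation_ip"] * 3  # rules fired earlier this week


def run():
    """Return the ranked alert queue for the constructed data."""
    return triage(detect(EVENTS), HISTORY)


if __name__ == "__main__":
    for a in run():
        print(f"{a.score:5.2f}  {a.rule:18s} {a.host}")
```

The behavioral alert ranks first even though it is the cheapest to match by hash standards: it sits high on the kill chain and has never fired before, while the hash match is frequent and low-stage.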
(Fantastic) Threats and Where to Find Them?
What if we do not know if something is malicious?
ꟷ What is a malicious website or file?
ꟷ Most dangerous threats are not classified as malware.
New malware potentially has high impact
ꟷ It is not detected by anti-virus
ꟷ Exploits unpatched vulnerabilities or flaws (0-day)
A new malicious asset is just a new program/website
ꟷ May be a variation of an existing malware
  Different language/obfuscated/encrypted/packed
ꟷ May simply bypass existing signatures
ꟷ There is a robust market selling malware

Threat Research
Threat Research allows detection of new offenses
ꟷ Takes an indicator and determines its behavior
Includes several knowledge areas
ꟷ Open Source Intelligence
  Social Networks, DNS/TLS Records, Dark Web
ꟷ Reverse Engineering
ꟷ Networking concepts
ꟷ Network traffic analysis
ꟷ Cryptography
ꟷ Machine Learning

Threat Research: Execution Graphs
(Figure: Joe Sandbox execution graph)

Threat Research: Relation Graphs
(Figure: VirusTotal relation graph)
Some assets become suspicious because they contact/have other malicious assets

MITRE ATT&CK Matrix
A globally-accessible knowledge base of adversary tactics and techniques
ꟷ based on real-world observations.
Allows organizations to map actions to a kill chain
ꟷ Also facilitates tracking the actor or how it evolves
ꟷ Actors will reuse tools, tactics and techniques

MITRE ATT&CK Matrix
(Figure: MITRE ATT&CK enterprise matrix)

Introduction to cybersecurity (SIO)
Is this Cybersecurity?
(Photo by Unknown Author, licensed under CC BY-NC)

Cybersecurity
Subject focused on the predictability of systems, processes, environments…
Across all aspects of a (business, system, organization) life cycle:
ꟷ Planning
ꟷ Development
ꟷ Execution and operations
ꟷ Processes
ꟷ Human resources and clients
ꟷ Supply Chain
ꟷ Mechanisms and Controls
ꟷ Standards, Compliance and Laws, …

Areas in Cyber
(Figure-only slide)

Security Domains or Areas
Security is scoped into domains with many overlaps (figure):
ꟷ Organizational Security
ꟷ Physical Security
ꟷ Information Security (we are here)
ꟷ System Security
ꟷ Operational Security
ꟷ Secure Development

Security Domains
Organizational Security (ISO 27001)
Measures to protect data (electronic and otherwise) collected, held, and processed, and to protect its computer systems, devices, infrastructure, computing environment, information and data stored and all other relevant equipment from damage and threats whether internal, external, deliberate, or accidental.

Security Domains
Information Security (ISO 27001)
Preservation of confidentiality, integrity, and availability (CIA) of information.
Confidentiality: Ensuring that information is accessed only by authorized individuals.
Integrity: Maintaining the accuracy and completeness of information.
Availability: Ensuring that information is accessible when needed by authorized users.

Information Security Objectives
Confidentiality: Ensuring that information is accessed only by authorized individuals.
Measures:
ꟷ Encrypt information
ꟷ Use (strong) access passwords
ꟷ Use Identity Management and Authentication systems
ꟷ Doors, strong walls
ꟷ Security personnel
ꟷ Training

Information Security Objectives
Integrity: Maintaining the accuracy and completeness of information.
Measures:
ꟷ Encrypt information
ꟷ Use (strong) access passwords
ꟷ Use Identity Management and Authentication systems
ꟷ Doors, strong walls
ꟷ Security personnel
ꟷ Training

Information Security Objectives
Availability: Ensuring that information is accessible when needed by authorized users.
Measures:
ꟷ Backups
ꟷ Disaster recovery plans
ꟷ Redundancy
ꟷ Virtualization
ꟷ Monitoring

How can we use security in an organization?
With a strategy following the organizational dimensions: Strategy, People, Technology, Processes
(Figure) Example measures: Vulnerability scanning, Firewalls, Selection, Authentication, Training, Access Control, Awareness, Cryptography, Organization of security, Digital Signatures, Certification authorities, Certification hierarchies, etc.; Security policies, Security administration processes, Continued evolution of auditing and follow-up processes

Pitfalls
Pushing one dimension without the others weakens the security posture
What may have failed?
▪ Technology?
▪ Processes?
▪ People?
▪ Strategy?
Walls, firewalls, processes… everything bypassed

Pitfalls
Pushing one dimension without the others
When it works and there is a security culture
(Figure-only slide)

Security objectives 1/3 – Intrinsic and unavoidable aspects
Defense against catastrophic events
▪ Natural phenomena
▪ Abnormal temperature, lightning, thunder, flooding, radiation, …
Degradation of computer hardware
▪ Failure of power supplies
▪ Bad sectors in disks
▪ Bit errors in RAM cells or SSD, etc.
Security objectives 2/3 – Unpredictable ordinary failures
Defense against ordinary faults / failures
▪ Power outages
▪ Systems' internal failures
  Linux kernel panic, Windows blue screen, OS X panic
  Deadlocks
  Abnormal resource usage
▪ Software faults
▪ Communication faults...

Security objectives 3/3 – Threats
Defense against non-authorized activities (adversaries)
▪ Initiated by someone "from outside", "from inside" or "through a supplier"
Types of non-authorized activities:
▪ Information access
▪ Information alteration
▪ Resource usage
  CPU, memory, print, network, wallets, etc…
▪ Denial of Service
▪ Vandalism
▪ Interference with the normal system behavior without any benefit for the attacker

Security Perspectives
Which type of approaches
Defensive tasks: focus on maintaining predictability and building layers
▪ Deployment of Firewalls, Backups, Alert systems
▪ Creation of processes and compliance
Offensive: focus on exploiting vulnerabilities in entities
▪ May have malicious/criminal intent
▪ May have the purpose of validating the solution (Red Teams)
Other:
▪ Reverse Engineering: Recovery of design from built products
▪ Forensics: extract information and reconstruct previous events
▪ Disaster Recovery: minimize the impact of attacks
▪ Auditing: validate the solution complies with some set of requirements
(Image from: https://medium.com/@dancovic/the-infosec-color-wheel-7e52fd822ae4)

Core Concepts
1. Security Domains
2. Security Policies
3. Security Mechanisms
4. Security Controls

Security Domains
A system or subsystem that is under the authority of a single trusted authority.
Security domains may be organized (e.g., hierarchically) to form larger domains.
Allow managing security in an aggregated manner
ꟷ Management will set the attributes of the domain
ꟷ Entities are added to the domain and will get the "group" attributes
Behavior and interactions are ruled by homogeneous rules inside the domain
Domains can be organized in a flat or hierarchical manner
ꟷ Flat: Domains do not overlap but have frontiers, and exist at the same abstraction level
ꟷ Hierarchical: Domains have different levels of abstraction (Organization -> devices -> Servers -> ServerA)
Interactions between domains are usually controlled
ꟷ With gateways that limit, change or log interactions

Security Domains
Popular application of security domains circa year 1500
(Figure: castle and moat; labels: Security Domain, Crocs, Inter Domain Gateways)

Security policies
Set of guidelines related to security, that rule over a domain
An organization will contain multiple policies
ꟷ Applicable to each specific domain
ꟷ They may overlap and have different scopes/abstraction levels
The multiple policies must be coherent
Examples
ꟷ Users can only access web services
ꟷ Subjects must be authenticated in order to enter the domain
ꟷ Walls must be made of concrete
ꟷ Communications must be encrypted

Security Policies
Define the power of each subject
ꟷ Least privilege principle: each subject should only have the privileges required for the fulfillment of their duties
Define security procedures
ꟷ Who does what in which circumstances
Define the minimum security requirements of a domain
ꟷ Security levels, Security Groups
ꟷ Required authorization
  And the related minimum authentication requirements (strong/weak, single/multifactor, remote/face-to-face)

Security Policies
Define defense strategies and fight-back tactics
ꟷ Defensive architecture
ꟷ Monitoring of critical activities or attack signs
ꟷ Reaction against attacks
  or other abnormal scenarios
Define what are legal and illegal activities
ꟷ Forbid list model: Some activities are denied, the rest are allowed
ꟷ Permit list model: Some activities are allowed, the rest is forbidden

Security Mechanisms
Mechanisms implement policies
ꟷ Policies define, at a higher level, what needs to be done or exist
ꟷ Mechanisms are used to deploy policies
Generic security mechanisms
ꟷ Confinement (sandboxing)
ꟷ Authentication
ꟷ Access control
ꟷ Privileged Execution
ꟷ Filtering
ꟷ Logging
ꟷ Auditing
ꟷ Cryptographic algorithms
ꟷ Cryptographic protocols

Security Mechanisms
Policy: Movement between domains is restricted
Mechanisms: Doors, guards, passwords, objects/documents, training, salary

Security Mechanisms
Policy: systems must be resilient to arbitrary failures of one component
Mechanisms: equipment and links are doubled, protocols are developed

Security Controls
A safeguard or countermeasure prescribed for an information system or an organization designed to protect the confidentiality, integrity, and availability
Controls include policies & mechanisms, but also:
ꟷ Standards and Laws
ꟷ Processes
ꟷ Techniques
Controls are explicitly stated and can be auditable
ꟷ E.g.: ISO 27001 defines 114 controls in 14 groups
ꟷ … asset management, physical security, incident management…

Types of Security Controls
(Table; rows give the control's nature, columns its relation to an event. E.g. CCTV is a Physical, Detection control)
Physical
  Prevention: Fences, Gates, Locks
  Detection: CCTV
  Correction: Repair Locks, Repair Windows, Redeploy access cards
Technical
  Prevention: Firewall, Authentication, Antivirus
  Detection: Intrusion Detection Systems, Alarms, Honeypots
  Correction: Vulnerability patching, Reboot Systems, Redeploy VMs, Remove Virus
Administrative
  Prevention: Contractual clauses, Separation of Duties, Information Classification
  Detection: Review Access Matrixes, Audits
  Correction: Implement a business continuity plan, Implement an incident response plan

Practical security
Key concept: Realistic Prevention
Consider that perfect security is impossible!
Focus on the most probable events for the most relevant assets
▪ May depend on physical location, legal framework, …
Consider cost and profit
▪ A great number of controls have a low cost
▪ However, there is no upper limit on the cost of a security strategy
▪ Security mechanisms must cost less than the assets they protect
Consider all domains and entities
▪ A single breach can be escalated to a more serious situation

Practical security
Key concept: Realistic Prevention
Consider the impact of an attack
▪ In light of CIA and other potential impact areas (e.g., brand or legal)
Consider the cost and recovery time
▪ Data, monetary cost, reputation, market access
Characterize attackers
▪ Define controls specific for those attackers
▪ There will always exist more resourceful attackers
Consider that the system will be compromised
▪ Have recovery plans assuming that everything else failed

Security in computing systems
Complex problems
Computers can do much damage in short time frames
▪ Computers manage huge amounts of information
▪ Process and
  communicate with very high speed
The number of weaknesses is always growing
▪ Due to the increased complexity
▪ Due to ever-reducing time-to-market, or cost

Security in computing systems
Complex problems
Networks allow novel attack mechanisms
▪ "Anonymous" attacks from any place in the planet
▪ Fast spread across geographical boundaries
▪ Exploitation of insecure hosts and applications
Attackers can build complex attack chains
▪ First exploration
▪ Lateral movement
▪ Exfiltration
▪ Check: https://attack.mitre.org/matrices/enterprise/

Mirai botnet operation and communication
(Figure) Causes Distributed Denial of Service (DDoS) attacks to a set of services, by constantly propagating to weakly configured IoT devices. Observe that victims are used to conduct further attacks on other victims.
Source: Kolias, Constantinos et al. "DDoS in the IoT: Mirai and Other Botnets." Computer 50 (2017): 80-84.

Security in computing systems
Complex problems
Users are mostly unaware of the risks
▪ They do not know the problems,
▪ ... the impact
▪ ... the good practices
▪ ... nor the solutions
Users are careless
▪ Because they take risks
▪ Do not care (do not have/identify any responsibility)
▪ Do not estimate the risk correctly

Main sources of issues
Hostile applications or bugs in applications
ꟷ Rootkits: Insert elements in the operating system
ꟷ Worms: Software programs controlled by an attacker
ꟷ Virus: Pieces of code that infect other files (e.g., macros)
Users
ꟷ Ignorant, careless or reckless
ꟷ Use insecure alternatives instead of secure ones
ꟷ Trust security tools to solve all problems
ꟷ Search and download illegal stuff
ꟷ Hostile

Main sources of issues
Defective administration
ꟷ Default configuration is seldom the most secure
ꟷ Security restriction vs flexible operation
ꟷ Exceptions to individuals
Communication over uncontrolled/unknown network links
ꟷ Public hotspots, campus networks, hostile governments

Perimeter Defense Model
Minimal defense, frequently not sufficient. The most common.
(Figure: Inside / Internal Network | Firewall | Outside / Internet)
Firewall: system that acts as the gateway between a trusted (inside) and an untrusted domain (outside)

Perimeter Defense Model
Protection against external attackers
ꟷ Internet
ꟷ Foreign users
ꟷ Other organizations
Assumes that internal users are trusted and share the same policies
ꟷ Friends, family, collaborators
Used in domestic scenarios or small offices
Limitations
ꟷ Too simple
ꟷ Doesn't protect against internal attackers
  Previously trusted users
  Attackers that acquired internal access

Defense in Depth Model
Layered approach with multiple domains (better)
(Figure: nested security domains with inter-domain gateways)

Defense in Depth Model
Protection against internal and external attackers
ꟷ From the Internet
ꟷ Users
ꟷ Other organizations
Assumes well-defined domains across the organization
ꟷ Walls, doors, authentication, security personnel, ciphers, secure networks
Limitations
ꟷ Needs coordination between the different controls
  May end with overlapping controls, but also with holes in the security perimeters
ꟷ Cost
ꟷ Requires training, changes to processes and frequent audits

Zero Trust Model
Defense model without specific perimeters
ꟷ There is no inherent trust in entities just because they are internal
  Actually, there may be no notion of internal and external
ꟷ Requires detailed knowledge, controls and observability between all entities
Model recommended for new systems
ꟷ Traditional systems should migrate to it
ꟷ Implies the design of systems/services specific for this model
ꟷ Legacy systems will need additional protection layers
  Firewalls, filters, adapters, plugins

In practice?
Cybersecurity is limited by economics, operations and logistics
ꟷ All entities have limited resources
  Even attackers!
ꟷ Security is a business continuity activity, it cannot prevent business
Cybersecurity deals with building and applying a strategy
ꟷ under an operational and legal context
ꟷ preventing issues that may never happen
Try this: http://targetedattacks.trendmicro.com/cyoa/en/