Computer Security Concepts and Principles PDF

Summary

This document provides a comprehensive overview of computer security concepts, including definitions, challenges, and models related to threats, attacks, and assets. It also outlines security functional requirements and fundamental design principles, including various aspects of vulnerabilities, such as attack surfaces and security mechanisms. This document also looks at security strategies and implementation.

Full Transcript

Chapter 1 Overview
© 2016 Pearson Education, Inc., Hoboken, NJ. All rights reserved.

The NIST Computer Security Handbook defines the term Computer Security as:

Figure 1.1 The Security Requirements Triad: Confidentiality, Integrity and Availability, applied to data and services

Computer Security Objectives

Confidentiality
> Data confidentiality: Assures that private or confidential information is not made available or disclosed to unauthorized individuals
> Privacy: Assures that individuals control or influence what information related to them may be collected and stored and by whom and to whom that information may be disclosed

Integrity
> Data integrity: Assures that information and programs are changed only in a specified and authorized manner
> System integrity: Assures that a system performs its intended function in an unimpaired manner, free from deliberate or inadvertent unauthorized manipulation of the system

Availability
> Assures that systems work promptly and service is not denied to authorized users

Other Security Objectives

Authenticity
> Users and system inputs are genuine and can be verified and trusted
  o Data authentication
  o Source authentication

Accountability
> Actions of an entity can be traced uniquely to that entity
> Supports: non-repudiation, fault isolation, intrusion detection and prevention, after-action recovery and legal action
Breaches of Security: Levels of Impact
> Low: The loss could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals
> Moderate: The loss could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals
> High: The loss could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals

Computer Security Challenges
> Computer security is not as simple as it might first appear to the novice
> Potential attacks on the security features must be considered
> Procedures used to provide particular services are often counterintuitive
> Physical and logical placement needs to be determined
> Additional algorithms or protocols may be involved
> Attackers only need to find a single weakness; the developer needs to find all weaknesses
> Users and system managers tend to not see the benefits of security until a failure occurs
> Security requires regular and constant monitoring
> Is often an afterthought to be incorporated into a system after the design is complete
> Thought of as an impediment to efficient and user-friendly operation

Table 1.1 Computer Security Terminology (RFC 4949, Internet Security Glossary, May 2000)

Figure 1.1 Security Concepts and Relationships: owners value assets and wish to minimize risk, so they impose countermeasures to reduce risk; threat agents wish to abuse and/or may damage assets, giving rise to threats that increase risk

Assets of a Computer System
> Hardware
> Software
> Data
> Communication facilities and networks
Vulnerabilities, Threats and Attacks

Categories of vulnerabilities
> Corrupted (loss of integrity)
> Leaky (loss of confidentiality)
> Unavailable or very slow (loss of availability)

Threats
> Capable of exploiting vulnerabilities
> Represent potential security harm to an asset

Attacks (threats carried out)
> Passive – attempt to learn or make use of information from the system that does not affect system resources
> Active – attempt to alter system resources or affect their operation
> Insider – initiated by an entity inside the security perimeter
> Outsider – initiated from outside the perimeter

Passive and Active Attacks

Passive Attack
> Attempts to learn or make use of information from the system but does not affect system resources
> Eavesdropping on, or monitoring of, transmissions
> Goal of attacker is to obtain information that is being transmitted
> Two types:
  o Release of message contents
  o Traffic analysis

Active Attack
> Attempts to alter system resources or affect their operation
> Involves some modification of the data stream or the creation of a false stream
> Four categories:
  o Replay
  o Masquerade
  o Modification of messages
  o Denial of service

Categories of Active Attacks
> Masquerade: Takes place when one entity pretends to be a different entity; usually includes one of the other forms of active attack
> Replay: Involves the passive capture of a data unit and its subsequent retransmission to produce an unauthorized effect
> Modification of messages: Some portion of a legitimate message is altered, or messages are delayed or reordered, to produce an unauthorized effect
> Denial of service: Prevents or inhibits the normal use or management of communications facilities
Countermeasures
> Means used to deal with security attacks: prevent, detect, recover
> Residual vulnerabilities may remain
> May itself introduce new vulnerabilities
> Goal is to minimize residual level of risk to the assets

Table 1.2 Threat Consequences, and the Types of Threat Actions That Cause Each Consequence (based on RFC 4949)

Unauthorized Disclosure: A circumstance or event whereby an entity gains access to data for which the entity is not authorized.
> Exposure: Sensitive data are directly released to an unauthorized entity.
> Interception: An unauthorized entity directly accesses sensitive data traveling between authorized sources and destinations.
> Inference: A threat action whereby an unauthorized entity indirectly accesses sensitive data (but not necessarily the data contained in the communication) by reasoning from characteristics or byproducts of communications.
> Intrusion: An unauthorized entity gains access to sensitive data by circumventing a system's security protections.

Deception: A circumstance or event that may result in an authorized entity receiving false data and believing it to be true.
> Masquerade: An unauthorized entity gains access to a system or performs a malicious act by posing as an authorized entity.
> Falsification: False data deceive an authorized entity.
> Repudiation: An entity deceives another by falsely denying responsibility for an act.

Disruption: A circumstance or event that interrupts or prevents the correct operation of system services and functions.
> Incapacitation: Prevents or interrupts system operation by disabling a system component.
> Corruption: Undesirably alters system operation by adversely modifying system functions or data.
> Obstruction: A threat action that interrupts delivery of system services by hindering system operation.

Usurpation: A circumstance or event that results in control of system services or functions by an unauthorized entity.
> Misappropriation: An entity assumes unauthorized logical or physical control of a system resource.
> Misuse: Causes a system component to perform a function or service that is detrimental to system security.

**Table is on page 20 in the textbook.

Table 1.3 Computer and Network Assets, with Examples of Threats

Hardware
> Availability: Equipment is stolen or disabled, thus denying service.
> Confidentiality: An unencrypted CD-ROM or DVD is stolen.
> Integrity: (no example given)

Software
> Availability: Programs are deleted, denying access to users.
> Confidentiality: An unauthorized copy of software is made.
> Integrity: A working program is modified, either to cause it to fail during execution or to cause it to do some unintended task.

Data
> Availability: Files are deleted, denying access to users.
> Confidentiality: An unauthorized read of data is performed. An analysis of statistical data reveals underlying data.
> Integrity: Existing files are modified or new files are fabricated.

Communication Lines and Networks
> Availability: Messages are destroyed or deleted. Communication lines or networks are rendered unavailable.
> Confidentiality: Messages are read. The traffic pattern of messages is observed.
> Integrity: Messages are modified, delayed, reordered, or duplicated. False messages are fabricated.

Table 1.4 Security Requirements (FIPS PUB 200), page 1 of 2 (Table can be found on page 26 in the textbook.)
Table 1.4 Security Requirements (FIPS PUB 200), page 2 of 2 (Table can be found on page 27 in the textbook.)
Aspects of Security in Computers and Networks
> Security Attack: Any action that attempts to compromise the security of information or facilities
> Security Mechanism: A method for preventing, detecting, or recovering from an attack
> Security Service: Uses mechanisms to enhance the security of information or facilities in order to stop attacks

Security Services
> Defined by X.800 as: A service provided by a protocol layer of communicating open systems that ensures adequate security of the systems or of data transfers
> Defined by RFC 4949 as: A processing or communication service provided by a system to give a specific kind of protection to system resources

Table 1.2 Security Services (X.800) (This table is found on page 30 in the textbook)

Authentication
> Concerned with assuring that a communication is authentic
  o In the case of a single message, assures the recipient that the message is from the source that it claims to be from
  o In the case of ongoing interaction, assures that the two entities are authentic and that the connection is not interfered with in such a way that a third party can masquerade as one of the two legitimate parties
> Two specific authentication services are defined in X.800:
  o Peer entity authentication
  o Data origin authentication

Access Control
> The ability to limit and control the access to host systems and applications via communications links
> To achieve this, each entity trying to gain access must first be identified, or authenticated, so that access rights can be tailored to the individual
Data Confidentiality
> The protection of transmitted data from passive attacks
  o Broadest service protects all user data transmitted between two users over a period of time
  o Narrower forms of service include the protection of a single message or even specific fields within a message
> The protection of traffic flow from analysis
  o This requires that an attacker not be able to observe the source and destination, frequency, length, or other characteristics of the traffic on a communications facility

Data Integrity
> Can apply to a stream of messages, a single message, or selected fields within a message
> Connection-oriented integrity service, one that deals with a stream of messages, assures that messages are received as sent with no duplication, insertion, modification, reordering, or replays
> A connectionless integrity service, one that deals with individual messages without regard to any larger context, generally provides protection against message modification only

Nonrepudiation
> Prevents either sender or receiver from denying a transmitted message
> When a message is sent, the receiver can prove that the alleged sender in fact sent the message
> When a message is received, the sender can prove that the alleged receiver in fact received the message

Availability
> Protects a system to ensure its availability
> This service addresses the security concerns raised by denial-of-service attacks
> It depends on proper management and control of system resources and thus depends on the access control service and other security services

Security Mechanism
> A method (technique) for preventing, detecting, or recovering from an attack
> No single mechanism can provide all services
> Common in most mechanisms: cryptographic techniques

Table 1.3 Security Mechanisms (X.800) (This table is found on pages 32-33 in the textbook)

Fundamental Security Design Principles (1)
> Economy of mechanism
> Fail-safe defaults
> Complete mediation
> Open design
> Separation of privilege
> Least common mechanism
> Psychological acceptability
> Least privilege
> Isolation
> Encapsulation
> Modularity
> Layering
> Least astonishment

Fundamental Security Design Principles (2)

Economy of mechanism
> Means that the design of security measures embodied in both hardware and software should be as simple and small as possible
> A relatively simple, small design is easier to test and verify thoroughly
> With a complex design, there are many more opportunities for an adversary to discover subtle weaknesses to exploit that may be difficult to spot ahead of time

Fail-safe defaults
> Means that access decisions should be based on permission rather than exclusion
> The default situation is lack of access, and the protection scheme identifies conditions under which access is permitted
> Most file access systems and virtually all protected services on client/server use fail-safe defaults
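The distinction drawn under Data Integrity above, as an added example that is not part of the textbook: a connectionless check verifies each message's MAC on its own and so accepts a replayed message, while a connection-oriented check also binds a sequence number into the MAC and tracks the stream, rejecting duplicates, replays and reordering. The shared key and the messages are constructed for the demonstration.

```python
"""Connectionless vs connection-oriented integrity service (added example,
not textbook code). KEY is an assumed shared session key; messages are
constructed inline."""
import hmac
import hashlib

KEY = b"constructed-demo-session-key"   # assumption: shared by sender and receiver


def tag(seq, payload):
    # The MAC covers the sequence number and the payload, so neither can be
    # altered without the shared key.
    return hmac.new(KEY, seq.to_bytes(4, "big") + payload, hashlib.sha256).digest()


def send(seq, payload):
    """Sender side: emit (sequence number, payload, MAC)."""
    return (seq, payload, tag(seq, payload))


def connectionless_verify(msg):
    """Per-message check only: detects modification, but a captured message
    replayed later still carries a valid MAC and is accepted."""
    seq, payload, t = msg
    return hmac.compare_digest(t, tag(seq, payload))


class ConnectionOrientedVerifier:
    """Stream check: besides the MAC, the receiver insists on a strictly
    increasing, gap-free sequence, so duplication, replay, reordering and
    inserted messages (which lack a valid MAC) are all rejected."""

    def __init__(self):
        self.expected = 0

    def verify(self, msg):
        seq, payload, t = msg
        if not hmac.compare_digest(t, tag(seq, payload)):
            return False, "modified"
        if seq < self.expected:
            return False, "replay or duplicate"
        if seq > self.expected:
            return False, "missing or reordered message"
        self.expected += 1
        return True, "ok"
```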
Fundamental Security Design Principles (3)

Complete mediation
> Means that every access must be checked against the access control mechanism
> Systems should not rely on access decisions retrieved from a cache
> To fully implement this, every time a user reads a field or record in a file, or a data item in a database, the system must exercise access control
> This resource-intensive approach is rarely used

Open design
> Means that the design of a security mechanism should be open rather than secret
> Although encryption keys must be secret, encryption algorithms should be open to public scrutiny
> Is the philosophy behind the NIST program of standardizing encryption and hash algorithms

Fundamental Security Design Principles (4)

Least privilege
> Means that every process and every user of the system should operate using the least set of privileges necessary to perform the task
> An example of the use of this principle is role-based access control; the system security policy can identify and define the various roles of users or processes, and each role is assigned only those permissions needed to perform its functions

Separation of privilege
> Defined as a practice in which multiple privilege attributes are required to achieve access to a restricted resource
> Multifactor user authentication is an example, which requires the use of multiple techniques, such as a password and a smart card, to authorize a user
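The four principles of fail-safe defaults, complete mediation, least privilege (as role-based access control) and separation of privilege, combined in one reference-monitor sketch. This is an added example, not textbook code; the roles, resources and the rule that restricted resources need a verified second factor are constructed for illustration.

```python
"""Reference-monitor sketch (added example, not textbook code) showing:
fail-safe defaults  - deny unless a permission is explicitly found;
complete mediation  - every request is checked, no decision is cached;
least privilege     - permissions come only from the subject's roles;
separation of privilege - restricted resources also need a second factor.
Roles, resources and subjects below are constructed for illustration."""
from dataclasses import dataclass, field

# Role -> set of (action, resource). Anything not listed here is denied.
ROLE_PERMISSIONS = {
    "teller":  {("read", "account"), ("update", "account")},
    "auditor": {("read", "account"), ("read", "ledger")},
    "admin":   {("read", "ledger"), ("update", "ledger"), ("update", "policy")},
}

# Separation of privilege: a matching role alone is not enough for these;
# the subject must also hold a second privilege attribute (verified MFA).
RESTRICTED_RESOURCES = {"ledger", "policy"}


@dataclass
class Subject:
    name: str
    roles: frozenset
    mfa_verified: bool = False


@dataclass
class ReferenceMonitor:
    audit_log: list = field(default_factory=list)

    def check_access(self, subject, action, resource):
        """Return (allowed, reason). The starting state is deny (fail-safe
        default); only an explicit role permission can flip it to allow."""
        allowed, reason = False, "no role grants this permission"
        for role in subject.roles:
            if (action, resource) in ROLE_PERMISSIONS.get(role, set()):
                allowed, reason = True, f"granted by role '{role}'"
                break
        if allowed and resource in RESTRICTED_RESOURCES and not subject.mfa_verified:
            allowed, reason = False, "restricted resource requires second factor"
        # Accountability: every decision, allowed or denied, is recorded.
        self.audit_log.append((subject.name, action, resource, allowed, reason))
        return allowed, reason

    def perform_all(self, subject, requests):
        """Complete mediation: each request in a batch is checked on its own;
        an earlier allow is never reused for a later request."""
        return [self.check_access(subject, a, r)[0] for a, r in requests]
```

Because nothing is cached, changing the subject's state (for example, the second factor expiring) is reflected by the very next check.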
Fundamental Security Design Principles (5)

Least common mechanism
> Means that the design should minimize the functions shared by different users, providing mutual security
> This principle helps reduce the number of unintended communication paths and reduces the amount of hardware and software on which all users depend, thus making it easier to verify if there are any undesirable security implications

Psychological acceptability
> Implies that the security mechanisms should not interfere unduly with the work of users, while at the same time meeting the needs of those who authorize access
> Where possible, security mechanisms should be transparent to the users of the system or, at most, introduce minimal obstruction
> In addition to not being intrusive or burdensome, security procedures must reflect the user's mental model of protection

Fundamental Security Design Principles (6)

Isolation
> Applies in three contexts:
  o Public access systems should be isolated from critical resources to prevent disclosure or tampering
  o Processes and files of individual users should be isolated from one another except where it is explicitly desired
  o Security mechanisms should be isolated in the sense of preventing access to those mechanisms

Encapsulation
> Can be viewed as a specific form of isolation based on object-oriented functionality
> Protection is provided by encapsulating a collection of procedures and data objects in a domain of its own so that the internal structure of a data object is accessible only to the procedures of the protected subsystem, and the procedures may be called only at designated domain entry points
Fundamental Security Design Principles (7)

Modularity
> Refers both to the development of security functions as separate, protected modules and to the use of a modular architecture for mechanism design and implementation

Layering
> Refers to the use of multiple, overlapping protection approaches addressing the people, technology, and operational aspects of information systems
> The failure or circumvention of any individual protection approach will not leave the system unprotected

Fundamental Security Design Principles (8)

Least astonishment
> Means that a program or user interface should always respond in the way that is least likely to astonish the user
> The mechanism for authorization should be transparent enough to a user that the user has a good intuitive understanding of how the security goals map to the provided security mechanism

Attack Surfaces
> Consist of the reachable and exploitable vulnerabilities in a system
> Examples:
  o Open ports on outward-facing Web and other servers, and code listening on those ports
  o Services available on the inside of a firewall
  o Code that processes incoming data, email, XML, office documents, and industry-specific custom data exchange formats
  o Interfaces, SQL, and Web forms
  o An employee with access to sensitive information vulnerable to a social engineering attack
Attack Surface Categories
> Network Attack Surface: Vulnerabilities over an enterprise network, wide-area network, or the Internet. Included in this category are network protocol vulnerabilities, such as those used for a denial-of-service attack, disruption of communications links, and various forms of intruder attacks
> Software Attack Surface: Vulnerabilities in application, utility, or operating system code. Particular focus is Web server software
> Human Attack Surface: Vulnerabilities created by personnel or outsiders, such as social engineering, human error, and trusted insiders

Figure 1.3 Defense in Depth and Attack Surface (axes: layering, shallow to deep; attack surface, small to large). Shallow layering with a small attack surface gives medium security risk; shallow layering with a large attack surface gives high security risk; deep layering with a small attack surface gives low security risk; deep layering with a large attack surface gives medium security risk.

Figure 1.4 An Attack Tree for Internet Banking Authentication (root goal and subgoals as labelled in the figure):
Bank Account Compromise
  User credential compromise
    UT/U1a User surveillance
    UT/U1b Theft of token and handwritten notes
    Malicious software installation
      UT/U2a Hidden code
      UT/U2b Worms
      UT/U2c E-mails with malicious code
    Vulnerability exploit
      UT/U3a Smartcard analyzers
      UT/U3b Smartcard reader manipulator
      UT/U3c Brute force attacks with PIN calculators
    User communication with attacker
      UT/U4a Social engineering
      UT/U4b Web page obfuscation
    CC2 Sniffing
    Redirection of communication toward fraudulent site
      CC1 Pharming
  Injection of commands
    CC3 Active man-in-the-middle attacks
  User credential guessing
    IBS1 Brute force attacks
  IBS2 Security policy violation
    IBS3 Web site manipulation
  Use of known authenticated session by attacker
    CC4 Pre-defined session IDs (session hijacking)
    Normal user authentication with specified session ID

Computer Security Strategy

Security Policy: What is the security scheme supposed to do?
> Informal description or formal set of rules and practices that specify or regulate how a system or organization provides security services to protect sensitive and critical system resources
> Consider: asset value, vulnerabilities, potential threats and probability of attacks
> Trade-offs: ease of use vs. security; cost of security vs. cost of failure and recovery

Security Implementation: How does it do it?
> Involves four complementary courses of action (prevention, detection, response, recovery)

Assurance: Does it really work?
> Degree of confidence one has that security measures work as intended to protect the system and the information it processes

Evaluation
> Process of evaluating a system with respect to certain criteria

Summary
> Computer security concepts
  o Definition
  o Challenges
  o Model
> Threats, attacks, and assets
  o Threats and attacks
  o Threats and assets
> Security functional requirements
> Fundamental security design principles
> Attack surfaces and attack trees
  o Attack surfaces
  o Attack trees
> Computer security strategy
  o Security policy
  o Security implementation
  o Assurance and evaluation
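The attack tree of Figure 1.4, evaluated from the defender's side as an added example that is not part of the textbook: the tree is transcribed from the figure's labels, each countermeasure closes the leaves it mitigates, and what remains is the set of paths still open, which is how attack trees feed the security-policy trade-off above. The AND at the known-session node and the "mitigated leaves" sets are assumptions for the demonstration.

```python
"""Attack-tree evaluation for Figure 1.4 (added example, not textbook code).
Node labels are transcribed from the figure; modelling the known-session
node as AND (both children needed) is an assumption."""
from dataclasses import dataclass, field
from typing import List


@dataclass
class Node:
    name: str
    kind: str = "OR"                 # "OR": any child suffices; "AND": all needed
    children: List["Node"] = field(default_factory=list)


def leaf(name): return Node(name)
def OR(name, *kids): return Node(name, "OR", list(kids))
def AND(name, *kids): return Node(name, "AND", list(kids))


BANK_TREE = OR("Bank Account Compromise",
    OR("User credential compromise",
        leaf("UT/U1a User surveillance"),
        leaf("UT/U1b Theft of token and handwritten notes"),
        OR("Malicious software installation",
            leaf("UT/U2a Hidden code"), leaf("UT/U2b Worms"),
            leaf("UT/U2c E-mails with malicious code")),
        OR("Vulnerability exploit",
            leaf("UT/U3a Smartcard analyzers"),
            leaf("UT/U3b Smartcard reader manipulator"),
            leaf("UT/U3c Brute force attacks with PIN calculators")),
        OR("User communication with attacker",
            leaf("UT/U4a Social engineering"), leaf("UT/U4b Web page obfuscation")),
        leaf("CC2 Sniffing"),
        OR("Redirection of communication toward fraudulent site", leaf("CC1 Pharming"))),
    OR("Injection of commands", leaf("CC3 Active man-in-the-middle attacks")),
    OR("User credential guessing", leaf("IBS1 Brute force attacks")),
    OR("IBS2 Security policy violation", leaf("IBS3 Web site manipulation")),
    AND("Use of known authenticated session by attacker",      # assumed AND node
        leaf("CC4 Pre-defined session IDs (session hijacking)"),
        leaf("Normal user authentication with specified session ID")))


def open_paths(node, mitigated):
    """Leaf sequences that still reach this node after the named leaves have
    been mitigated by a countermeasure. An empty list means the node is closed."""
    if not node.children:
        return [] if node.name in mitigated else [[node.name]]
    child_paths = [open_paths(c, mitigated) for c in node.children]
    if node.kind == "OR":
        return [p for paths in child_paths for p in paths]
    if any(not paths for paths in child_paths):   # AND: one closed child closes it
        return []
    combos = [[]]
    for paths in child_paths:                      # AND: combine one path per child
        combos = [c + p for c in combos for p in paths]
    return combos


def leaves(node):
    return [node.name] if not node.children else [n for c in node.children for n in leaves(c)]


def risk_count(tree, mitigated):
    """Number of distinct attack paths still open: a coverage metric a defender
    can recompute after each countermeasure is added."""
    return len(open_paths(tree, mitigated))
```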
