Computer Security_ Principles and Practice Global Edition-William Stallings -2017.pdf
Digital Resources for Students

Your new textbook provides 12-month access to digital resources that may include VideoNotes (step-by-step video tutorials on programming concepts), source code, web chapters, quizzes, and more. Refer to the preface in the textbook for a detailed list of resources.

Follow the instructions below to register for the Companion Website for William Stallings/Lawrie Brown's Computer Security: Principles and Practice, Fourth Edition, Global Edition.

1. Go to www.pearsonglobaleditions.com/stallings.
2. Enter the title of your textbook or browse by author name.
3. Click Companion Website.
4. Click Register and follow the on-screen instructions to create a login name and password.

Use a coin to scratch off the coating and reveal your access code. Do not use a sharp knife or other sharp object as it may damage the code. Use the login name and password you created during registration to start using the online resources that accompany your textbook.

IMPORTANT: This access code can only be used once. This subscription is valid for 12 months upon activation and is not transferrable. If the access code has already been revealed it may no longer be valid.
For technical support go to https://support.pearson.com/getsupport/

Computer Security: Principles and Practice
Fourth Edition, Global Edition

William Stallings
Lawrie Brown, UNSW Canberra at the Australian Defence Force Academy

330 Hudson Street, New York, NY 10013

Director, Portfolio Management: Engineering, Computer Science & Global Editions: Julian Partridge
Specialist, Higher Ed Portfolio Management: Tracy Johnson (Dunkelberger)
Acquisitions Editor, Global Edition: Sourabh Maheshwari
Portfolio Management Assistant: Meghan Jacoby
Managing Content Producer: Scott Disanno
Content Producer: Robert Engelhardt
Project Editor, Global Edition: K.K. Neelakantan
Web Developer: Steve Wright
Manager, Media Production, Global Edition: Vikram Kumar
Rights and Permissions Manager: Ben Ferrini
Manufacturing Buyer, Higher Ed, Lake Side Communications Inc (LSC): Maura Zaldivar-Garcia
Senior Manufacturing Controller, Global Edition: Angela Hawksbee
Inventory Manager: Ann Lam
Product Marketing Manager: Yvonne Vannatta
Field Marketing Manager: Demetrius Hall
Marketing Assistant: Jon Bryant
Cover Designer: Lumina Datamatics, Inc.
Cover Photo: Alex Kosev / Shutterstock
Full-Service Project Management: Kirthika Raj, SPi Global

Credits and acknowledgments borrowed from other sources and reproduced, with permission, in this textbook appear on page 777.

Many of the designations used by manufacturers and sellers to distinguish their products are claimed as trademarks. Where those designations appear in this book, and the publisher was aware of a trademark claim, the designations have been printed in initial caps or all caps.
Pearson Education Limited
KAO Two
KAO Park
Harlow CM17 9NA
United Kingdom

and Associated Companies throughout the world

Visit us on the World Wide Web at: www.pearsonglobaleditions.com

© Pearson Education Limited 2018

The rights of William Stallings and Lawrie Brown to be identified as the authors of this work have been asserted by them in accordance with the Copyright, Designs and Patents Act 1988.

Authorized adaptation from the United States edition, entitled Computer Security: Principles and Practice, 4th Edition, ISBN 978-0-13-479410-5 by William Stallings and Lawrie Brown published by Pearson Education © 2018.

All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording or otherwise, without either the prior written permission of the publisher or a license permitting restricted copying in the United Kingdom issued by the Copyright Licensing Agency Ltd, Saffron House, 6–10 Kirby Street, London EC1N 8TS.

All trademarks used herein are the property of their respective owners. The use of any trademark in this text does not vest in the author or publisher any trademark ownership rights in such trademarks, nor does the use of such trademarks imply any affiliation with or endorsement of this book by such owners.
British Library Cataloguing-in-Publication Data
A catalogue record for this book is available from the British Library

10 9 8 7 6 5 4 3 2 1

ISBN 10: 1-292-22061-9
ISBN 13: 978-1-292-22061-1

Typeset by SPi Global
Printed and bound in Malaysia

For my loving wife, Tricia —WS
To my extended family and friends, who helped make this all possible —LB

Contents

Preface 12
Notation 21
About the Authors 22

Chapter 1 Overview 23
  1.1 Computer Security Concepts 24
  1.2 Threats, Attacks, and Assets 31
  1.3 Security Functional Requirements 37
  1.4 Fundamental Security Design Principles 39
  1.5 Attack Surfaces and Attack Trees 43
  1.6 Computer Security Strategy 46
  1.7 Standards 48
  1.8 Key Terms, Review Questions, and Problems 49

PART ONE COMPUTER SECURITY TECHNOLOGY AND PRINCIPLES 52

Chapter 2 Cryptographic Tools 52
  2.1 Confidentiality with Symmetric Encryption 53
  2.2 Message Authentication and Hash Functions 59
  2.3 Public-Key Encryption 67
  2.4 Digital Signatures and Key Management 72
  2.5 Random and Pseudorandom Numbers 77
  2.6 Practical Application: Encryption of Stored Data 79
  2.7 Key Terms, Review Questions, and Problems 80

Chapter 3 User Authentication 85
  3.1 Digital User Authentication Principles 86
  3.2 Password-Based Authentication 92
  3.3 Token-Based Authentication 104
  3.4 Biometric Authentication 109
  3.5 Remote User Authentication 114
  3.6 Security Issues for User Authentication 117
  3.7 Practical Application: An Iris Biometric System 119
  3.8 Case Study: Security Problems for ATM Systems 121
  3.9 Key Terms, Review Questions, and Problems 124

Chapter 4 Access Control 127
  4.1 Access Control Principles 128
  4.2 Subjects, Objects, and Access Rights 131
  4.3 Discretionary Access Control 132
  4.4 Example: UNIX File Access Control 139
  4.5 Role-Based Access Control 142
  4.6 Attribute-Based Access Control 148
  4.7 Identity, Credential, and Access Management 154
  4.8 Trust Frameworks 158
  4.9 Case Study: RBAC System for a Bank 162
  4.10 Key Terms, Review Questions, and Problems 164

Chapter 5 Database and Data Center Security 169
  5.1 The Need for Database Security 170
  5.2 Database Management Systems 171
  5.3 Relational Databases 173
  5.4 SQL Injection Attacks 177
  5.5 Database Access Control 183
  5.6 Inference 188
  5.7 Database Encryption 190
  5.8 Data Center Security 194
  5.9 Key Terms, Review Questions, and Problems 200

Chapter 6 Malicious Software 205
  6.1 Types of Malicious Software (Malware) 207
  6.2 Advanced Persistent Threat 209
  6.3 Propagation—Infected Content—Viruses 210
  6.4 Propagation—Vulnerability Exploit—Worms 215
  6.5 Propagation—Social Engineering—Spam E-mail, Trojans 224
  6.6 Payload—System Corruption 227
  6.7 Payload—Attack Agent—Zombie, Bots 229
  6.8 Payload—Information Theft—Keyloggers, Phishing, Spyware 231
  6.9 Payload—Stealthing—Backdoors, Rootkits 233
  6.10 Countermeasures 236
  6.11 Key Terms, Review Questions, and Problems 242

Chapter 7 Denial-of-Service Attacks 246
  7.1 Denial-of-Service Attacks 247
  7.2 Flooding Attacks 255
  7.3 Distributed Denial-of-Service Attacks 256
  7.4 Application-Based Bandwidth Attacks 258
  7.5 Reflector and Amplifier Attacks 261
  7.6 Defenses Against Denial-of-Service Attacks 265
  7.7 Responding to a Denial-of-Service Attack 269
  7.8 Key Terms, Review Questions, and Problems 270

Chapter 8 Intrusion Detection 273
  8.1 Intruders 274
  8.2 Intrusion Detection 278
  8.3 Analysis Approaches 281
  8.4 Host-Based Intrusion Detection 284
  8.5 Network-Based Intrusion Detection 289
  8.6 Distributed or Hybrid Intrusion Detection 295
  8.7 Intrusion Detection Exchange Format 297
  8.8 Honeypots 300
  8.9 Example System: Snort 302
  8.10 Key Terms, Review Questions, and Problems 306

Chapter 9 Firewalls and Intrusion Prevention Systems 310
  9.1 The Need for Firewalls 311
  9.2 Firewall Characteristics and Access Policy 312
  9.3 Types of Firewalls 314
  9.4 Firewall Basing 320
  9.5 Firewall Location and Configurations 323
  9.6 Intrusion Prevention Systems 328
  9.7 Example: Unified Threat Management Products 332
  9.8 Key Terms, Review Questions, and Problems 336

PART TWO SOFTWARE AND SYSTEM SECURITY 341

Chapter 10 Buffer Overflow 341
  10.1 Stack Overflows 343
  10.2 Defending Against Buffer Overflows 364
  10.3 Other Forms of Overflow Attacks 370
  10.4 Key Terms, Review Questions, and Problems 377

Chapter 11 Software Security 379
  11.1 Software Security Issues 380
  11.2 Handling Program Input 384
  11.3 Writing Safe Program Code 395
  11.4 Interacting with the Operating System and Other Programs 400
  11.5 Handling Program Output 413
  11.6 Key Terms, Review Questions, and Problems 415

Chapter 12 Operating System Security 419
  12.1 Introduction to Operating System Security 421
  12.2 System Security Planning 422
  12.3 Operating Systems Hardening 422
  12.4 Application Security 426
  12.5 Security Maintenance 428
  12.6 Linux/Unix Security 429
  12.7 Windows Security 433
  12.8 Virtualization Security 435
  12.9 Key Terms, Review Questions, and Problems 443

Chapter 13 Cloud and IoT Security 445
  13.1 Cloud Computing 446
  13.2 Cloud Security Concepts 454
  13.3 Cloud Security Approaches 457
  13.4 The Internet of Things 466
  13.5 IoT Security 470
  13.6 Key Terms and Review Questions 478

PART THREE MANAGEMENT ISSUES 480

Chapter 14 IT Security Management and Risk Assessment 480
  14.1 IT Security Management 481
  14.2 Organizational Context and Security Policy 484
  14.3 Security Risk Assessment 487
  14.4 Detailed Security Risk Analysis 490
  14.5 Case Study: Silver Star Mines 502
  14.6 Key Terms, Review Questions, and Problems 507

Chapter 15 IT Security Controls, Plans, and Procedures 510
  15.1 IT Security Management Implementation 511
  15.2 Security Controls or Safeguards 511
  15.3 IT Security Plan 520
  15.4 Implementation of Controls 521
  15.5 Monitoring Risks 522
  15.6 Case Study: Silver Star Mines 524
  15.7 Key Terms, Review Questions, and Problems 527

Chapter 16 Physical and Infrastructure Security 529
  16.1 Overview 530
  16.2 Physical Security Threats 531
  16.3 Physical Security Prevention and Mitigation Measures 538
  16.4 Recovery from Physical Security Breaches 541
  16.5 Example: A Corporate Physical Security Policy 541
  16.6 Integration of Physical and Logical Security 542
  16.7 Key Terms, Review Questions, and Problems 548

Chapter 17 Human Resources Security 550
  17.1 Security Awareness, Training, and Education 551
  17.2 Employment Practices and Policies 557
  17.3 E-mail and Internet Use Policies 560
  17.4 Computer Security Incident Response Teams 561
  17.5 Key Terms, Review Questions, and Problems 568

Chapter 18 Security Auditing 570
  18.1 Security Auditing Architecture 572
  18.2 Security Audit Trail 576
  18.3 Implementing the Logging Function 581
  18.4 Audit Trail Analysis 592
  18.5 Security Information and Event Management 596
  18.6 Key Terms, Review Questions, and Problems 598

Chapter 19 Legal and Ethical Aspects 600
  19.1 Cybercrime and Computer Crime 601
  19.2 Intellectual Property 605
  19.3 Privacy 611
  19.4 Ethical Issues 618
  19.5 Key Terms, Review Questions, and Problems 624

PART FOUR CRYPTOGRAPHIC ALGORITHMS 627

Chapter 20 Symmetric Encryption and Message Confidentiality 627
  20.1 Symmetric Encryption Principles 628
  20.2 Data Encryption Standard 633
  20.3 Advanced Encryption Standard 635
  20.4 Stream Ciphers and RC4 641
  20.5 Cipher Block Modes of Operation 644
  20.6 Key Distribution 650
  20.7 Key Terms, Review Questions, and Problems 652

Chapter 21 Public-Key Cryptography and Message Authentication 656
  21.1 Secure Hash Functions 657
  21.2 HMAC 663
  21.3 Authenticated Encryption 666
  21.4 The RSA Public-Key Encryption Algorithm 669
  21.5 Diffie-Hellman and Other Asymmetric Algorithms 675
  21.6 Key Terms, Review Questions, and Problems 679

PART FIVE NETWORK SECURITY 682

Chapter 22 Internet Security Protocols and Standards 682
  22.1 Secure E-mail and S/MIME 683
  22.2 Domainkeys Identified Mail 686
  22.3 Secure Sockets Layer (SSL) and Transport Layer Security (TLS) 690
  22.4 HTTPS 697
  22.5 IPv4 and IPv6 Security 698
  22.6 Key Terms, Review Questions, and Problems 703

Chapter 23 Internet Authentication Applications 706
  23.1 Kerberos 707
  23.2 X.509 713
  23.3 Public-Key Infrastructure 716
  23.4 Key Terms, Review Questions, and Problems 719

Chapter 24 Wireless Network Security 722
  24.1 Wireless Security 723
  24.2 Mobile Device Security 726
  24.3 IEEE 802.11 Wireless LAN Overview 730
  24.4 IEEE 802.11i Wireless LAN Security 736
  24.5 Key Terms, Review Questions, and Problems 751

Appendix A Projects and Other Student Exercises for Teaching Computer Security 754
  A.1 Hacking Project 754
  A.2 Laboratory Exercises 755
  A.3 Security Education (SEED) Projects 755
  A.4 Research Projects 757
  A.5 Programming Projects 758
  A.6 Practical Security Assessments 758
  A.7 Firewall Projects 758
  A.8 Case Studies 759
  A.9 Reading/Report Assignments 759
  A.10 Writing Assignments 759
  A.11 Webcasts for Teaching Computer Security 760

Acronyms 761
List of NIST and ISO Documents 762
References 764
Credits 777
Index 780

ONLINE CHAPTERS AND APPENDICES [1]

Chapter 25 Linux Security
  25.1 Introduction
  25.2 Linux's Security Model
  25.3 The Linux DAC in Depth: Filesystem Security
  25.4 Linux Vulnerabilities
  25.5 Linux System Hardening
  25.6 Application Security
  25.7 Mandatory Access Controls
  25.8 Key Terms, Review Questions, and Problems

Chapter 26 Windows and Windows Vista Security
  26.1 Windows Security Architecture
  26.2 Windows Vulnerabilities
  26.3 Windows Security Defenses
  26.4 Browser Defenses
  26.5 Cryptographic Services
  26.6 Common Criteria
  26.7 Key Terms, Review Questions, Problems, and Projects

Chapter 27 Trusted Computing and Multilevel Security
  27.1 The Bell-LaPadula Model for Computer Security
  27.2 Other Formal Models for Computer Security
  27.3 The Concept of Trusted Systems
  27.4 Application of Multilevel Security
  27.5 Trusted Computing and the Trusted Platform Module
  27.6 Common Criteria for Information Technology Security Evaluation
  27.7 Assurance and Evaluation
  27.8 Key Terms, Review

Appendix B Some Aspects of Number Theory
Appendix C Standards and Standard-Setting Organizations
Appendix D Random and Pseudorandom Number Generation
Appendix E Message Authentication Codes Based on Block Ciphers
Appendix F TCP/IP Protocol Architecture
Appendix G Radix-64 Conversion
Appendix H The Domain Name System
Appendix I The Base-Rate Fallacy
Appendix J SHA-3
Appendix K Glossary

[1] Online chapters, appendices, and other documents are Premium Content, available via the access code at the front of this book.

Preface

WHAT'S NEW IN THE FOURTH EDITION

Since the third edition of this book was published, the field has seen continued innovations and improvements. In this new edition, we try to capture these changes while maintaining a broad and comprehensive coverage of the entire field. To begin the process of revision, the third edition of this book was extensively reviewed by a number of professors who teach the subject and by professionals working in the field. The result is that in many places the narrative has been clarified and tightened, and illustrations have been improved.

Beyond these refinements to improve pedagogy and user-friendliness, there have been major substantive changes throughout the book. The most noteworthy changes are as follows:

Data center security: Chapter 5 includes a new discussion of data center security, including the TIA-492 specification of reliability tiers.
Malware: The material on malware in Chapter 6 has been revised to include additional material on macro viruses and their structure, as they are now the most common form of virus malware.
Virtualization security: The material on virtualization security in Chapter 12 has been extended, given the rising use of such systems by organizations and in cloud computing environments. A discussion of virtual firewalls, which may be used to help secure these environments, has also been added.
Cloud security: Chapter 13 includes a new discussion of cloud security.
The discussion includes an introduction to cloud computing, key cloud security concepts, an analysis of approaches to cloud security, and an open-source example.
IoT security: Chapter 13 includes a new discussion of security for the Internet of Things (IoT). The discussion includes an introduction to IoT, an overview of IoT security issues, and an open-source example.
SIEM: The discussion of Security Information and Event Management (SIEM) systems in Chapter 18 has been updated.
Privacy: The section on privacy issues and their management in Chapter 19 has been extended with additional discussion of moral and legal approaches, and the privacy issues related to big data.
Authenticated encryption: Authenticated encryption has become an increasingly widespread cryptographic tool in a variety of applications and protocols. Chapter 21 includes a new discussion of authenticated encryption and describes an important authenticated encryption algorithm known as offset codebook (OCB) mode.

BACKGROUND

Interest in education in computer security and related topics has been growing at a dramatic rate in recent years. This interest has been spurred by a number of factors, two of which stand out:

1. As information systems, databases, and Internet-based distributed systems and communication have become pervasive in the commercial world, coupled with the increased intensity and sophistication of security-related attacks, organizations now recognize the need for a comprehensive security strategy. This strategy encompasses the use of specialized hardware and software and trained personnel to meet that need.
2. Computer security education, often termed information security education or information assurance education, has emerged as a national goal in the United States and other countries, with national defense and homeland security implications.
The NSA/DHS National Center of Academic Excellence in Information Assurance/Cyber Defense is spearheading a government role in the development of standards for computer security education. Accordingly, the number of courses in universities, community colleges, and other institutions in computer security and related areas is growing.

OBJECTIVES

The objective of this book is to provide an up-to-date survey of developments in computer security. Central problems that confront security designers and security administrators include defining the threats to computer and network systems, evaluating the relative risks of these threats, and developing cost-effective and user-friendly countermeasures. The following basic themes unify the discussion:

Principles: Although the scope of this book is broad, there are a number of basic principles that appear repeatedly as themes and that unify this field. Examples are issues relating to authentication and access control. The book highlights these principles and examines their application in specific areas of computer security.
Design approaches: The book examines alternative approaches to meeting specific computer security requirements.
Standards: Standards have come to assume an increasingly important, indeed dominant, role in this field. An understanding of the current status and future direction of technology requires a comprehensive discussion of the related standards.
Real-world examples: A number of chapters include a section that shows the practical application of that chapter's principles in a real-world environment.

SUPPORT OF ACM/IEEE COMPUTER SCIENCE CURRICULA 2013

This book is intended for both an academic and a professional audience. As a textbook, it is intended as a one- or two-semester undergraduate course for computer science, computer engineering, and electrical engineering majors.
This edition is designed to support the recommendations of the ACM/IEEE Computer Science Curricula 2013 (CS2013). The CS2013 curriculum recommendation includes, for the first time, Information Assurance and Security (IAS) as one of the Knowledge Areas in the Computer Science Body of Knowledge. CS2013 divides all course work into three categories: Core-Tier 1 (all topics should be included in the curriculum), Core-Tier 2 (all or almost all topics should be included), and Elective (desirable to provide breadth and depth). In the IAS area, CS2013 includes three Tier 1 topics, five Tier 2 topics, and numerous Elective topics, each of which has a number of subtopics. This text covers all of the Tier 1 and Tier 2 topics and subtopics listed by CS2013, as well as many of the elective topics. Table P.1 shows the support for the IAS Knowledge Area provided in this textbook.

Table P.1 Coverage of CS2013 Information Assurance and Security (IAS) Knowledge Area

IAS Knowledge Unit: Foundational Concepts in Security (Tier 1)
  Topics: CIA (Confidentiality, Integrity, and Availability); Risk, threats, vulnerabilities, and attack vectors; Authentication and authorization, access control (mandatory vs. discretionary); Trust and trustworthiness; Ethics (responsible disclosure)
  Textbook Coverage: 1—Overview; 3—User Authentication; 4—Access Control; 19—Legal and Ethical Aspects

IAS Knowledge Unit: Principles of Secure Design (Tier 1)
  Topics: Least privilege and isolation; Fail-safe defaults; Open design; End-to-end security; Defense in depth; Security by design; Tensions between security and other design goals
  Textbook Coverage: 1—Overview

IAS Knowledge Unit: Principles of Secure Design (Tier 2)
  Topics: Complete mediation; Use of vetted security components; Economy of mechanism (reducing trusted computing base, minimize attack surface); Usable security; Security composability; Prevention, detection, and deterrence
  Textbook Coverage: 1—Overview

IAS Knowledge Unit: Defensive Programming (Tier 1)
  Topics: Input validation and data sanitization; Choice of programming language and type-safe languages; Examples of input validation and data sanitization errors (buffer overflows, integer errors, SQL injection, and XSS vulnerability); Race conditions; Correct handling of exceptions and unexpected behaviors
  Textbook Coverage: 11—Software Security

IAS Knowledge Unit: Defensive Programming (Tier 2)
  Topics: Correct usage of third-party components; Effectively deploying security updates
  Textbook Coverage: 11—Software Security; 12—OS Security

IAS Knowledge Unit: Threats and Attacks (Tier 2)
  Topics: Attacker goals, capabilities, and motivations; Malware; Denial of service and distributed denial of service; Social engineering
  Textbook Coverage: 6—Malicious Software; 7—Denial-of-Service Attacks

IAS Knowledge Unit: Network Security (Tier 2)
  Topics: Network-specific threats and attack types; Use of cryptography for data and network security; Architectures for secure networks; Defense mechanisms and countermeasures; Security for wireless, cellular networks
  Textbook Coverage: 8—Intrusion Detection; 9—Firewalls and Intrusion Prevention Systems; Part 5—Network Security

IAS Knowledge Unit: Cryptography (Tier 2)
  Topics: Basic cryptography terminology; Cipher types; Overview of mathematical preliminaries; Public key infrastructure
  Textbook Coverage: 2—Cryptographic Tools; Part 4—Cryptographic Algorithms

COVERAGE OF CISSP SUBJECT AREAS

This book provides coverage of all the subject areas specified for CISSP (Certified Information Systems Security Professional) certification. The CISSP designation from the International Information Systems Security Certification Consortium (ISC)2 is often referred to as the "gold standard" when it comes to information security certification. It is the only universally recognized certification in the security industry. Many organizations, including the U.S. Department of Defense and many financial institutions, now require that cyber security personnel have the CISSP certification. In 2004, CISSP became the first IT program to earn accreditation under the international standard ISO/IEC 17024 (General Requirements for Bodies Operating Certification of Persons).
The CISSP examination is based on the Common Body of Knowledge (CBK), a compendium of information security best practices developed and maintained by (ISC)2, a nonprofit organization. The CBK is made up of 8 domains that comprise the body of knowledge that is required for CISSP certification. The 8 domains are as follows, with an indication of where the topics are covered in this textbook:

Security and risk management: Confidentiality, integrity, and availability concepts; security governance principles; risk management; compliance; legal and regulatory issues; professional ethics; and security policies, standards, procedures, and guidelines. (Chapter 14)
Asset security: Information and asset classification; ownership (e.g., data owners, system owners); privacy protection; appropriate retention; data security controls; and handling requirements (e.g., markings, labels, storage). (Chapters 5, 15, 16, 19)
Security engineering: Engineering processes using secure design principles; security models; security evaluation models; security capabilities of information systems; security architectures, designs, and solution elements vulnerabilities; web-based systems vulnerabilities; mobile systems vulnerabilities; embedded devices and cyber-physical systems vulnerabilities; cryptography; and site and facility design secure principles; physical security. (Chapters 1, 2, 13, 15, 16)
Communication and network security: Secure network architecture design (e.g., IP and non-IP protocols, segmentation); secure network components; secure communication channels; and network attacks. (Part Five)
Identity and access management: Physical and logical assets control; identification and authentication of people and devices; identity as a service (e.g., cloud identity); third-party identity services (e.g., on-premise); access control attacks; and identity and access provisioning lifecycle (e.g., provisioning review). (Chapters 3, 4, 8, 9)
Security assessment and testing: Assessment and test strategies; security process data (e.g., management and operational controls); security control testing; test outputs (e.g., automated, manual); and security architectures vulnerabilities. (Chapters 14, 15, 18)
Security operations: Investigations support and requirements; logging and monitoring activities; provisioning of resources; foundational security operations concepts; resource protection techniques; incident management; preventative measures; patch and vulnerability management; change management processes; recovery strategies; disaster recovery processes and plans; business continuity planning and exercises; physical security; and personnel safety concerns. (Chapters 11, 12, 15, 16, 17)
Software development security: Security in the software development lifecycle; development environment security controls; software security effectiveness; and acquired software security impact. (Part Two)

SUPPORT FOR NSA/DHS CERTIFICATION

The U.S. National Security Agency (NSA) and the U.S. Department of Homeland Security (DHS) jointly sponsor the National Centers of Academic Excellence in Information Assurance/Cyber Defense (IA/CD). The goal of these programs is to reduce vulnerability in our national information infrastructure by promoting higher education and research in IA and producing a growing number of professionals with IA expertise in various disciplines. To achieve that purpose, NSA/DHS have defined a set of Knowledge Units for 2- and 4-year institutions that must be supported in the curriculum to gain a designation as an NSA/DHS National Center of Academic Excellence in IA/CD. Each Knowledge Unit is composed of a minimum list of required topics to be covered and one or more outcomes or learning objectives. Designation is based on meeting a certain threshold number of core and optional Knowledge Units.
In the area of computer security, the 2014 Knowledge Units document lists the following core Knowledge Units:

Cyber Defense: Includes access control, cryptography, firewalls, intrusion detection systems, malicious activity detection and countermeasures, trust relationships, and defense in depth.
Cyber Threats: Includes types of attacks, legal issues, attack surfaces, attack trees, insider problems, and threat information sources.
Fundamental Security Design Principles: A list of 12 principles, all of which are covered in Section 1.4 of this text.
Information Assurance Fundamentals: Includes threats and vulnerabilities, intrusion detection and prevention systems, cryptography, access control models, identification/authentication, and audit.
Introduction to Cryptography: Includes symmetric cryptography, public-key cryptography, hash functions, and digital signatures.
Databases: Includes an overview of databases, database access controls, and security issues of inference.

This book provides extensive coverage in all of these areas. In addition, the book partially covers a number of the optional Knowledge Units.

PLAN OF THE TEXT

The book is divided into five parts (see Chapter 0):

Computer Security Technology and Principles
Software and System Security
Management Issues
Cryptographic Algorithms
Network Security

The text is also accompanied by a number of online chapters and appendices that provide more detail on selected topics.

The text includes an extensive glossary, a list of frequently used acronyms, and a bibliography. Each chapter includes homework problems, review questions, a list of key words, and suggestions for further reading.

INSTRUCTOR SUPPORT MATERIALS

The major goal of this text is to make it as effective a teaching tool for this exciting and fast-moving subject as possible. This goal is reflected both in the structure of the book and in the supporting material.
The text is accompanied by the following supplementary material to aid the instructor:

Projects manual: Project resources including documents and portable software, plus suggested project assignments for all of the project categories listed in the following section.
Solutions manual: Solutions to end-of-chapter Review Questions and Problems.
PowerPoint slides: A set of slides covering all chapters, suitable for use in lecturing.
PDF files: Reproductions of all figures and tables from the book.
Test bank: A chapter-by-chapter set of questions.
Sample syllabuses: The text contains more material than can be conveniently covered in one semester. Accordingly, instructors are provided with several sample syllabuses that guide the use of the text within limited time. These samples are based on real-world experience by professors with the first edition.

All of these support materials are available at the Instructor Resource Center (IRC) for this textbook, which can be reached through the publisher's Website www.pearsonglobaleditions.com/stallings. To gain access to the IRC, please contact your local Pearson sales representative.

The Companion Website includes the following:

Links to Web sites for other courses being taught using this book.
Sign-up information for an Internet mailing list for instructors using this book to exchange information, suggestions, and questions with each other and with the author.

STUDENT RESOURCES

For this new edition, a tremendous amount of original supporting material for students has been made available online, at two Web locations. The Companion Website includes a list of relevant links organized by chapter and an errata sheet for the book.

Purchasing this textbook now grants the reader 12 months of access to the Premium Content Site, which includes the following materials:

Online chapters: To limit the size and cost of the book, three chapters of the book are provided in PDF format.
The chapters are listed in this book's table of contents.
Online appendices: There are numerous interesting topics that support material found in the text but whose inclusion is not warranted in the printed text. A total of eleven online appendices cover these topics for the interested student. The appendices are listed in this book's table of contents.
Homework problems and solutions: To aid the student in understanding the material, a separate set of homework problems with solutions is available. These enable the students to test their understanding of the text.

To access the Premium Content site, click on the link at www.pearsonglobaleditions.com/stallings and enter the student access code found on the inside front cover.

PROJECTS AND OTHER STUDENT EXERCISES

For many instructors, an important component of a computer security course is a project or set of projects by which the student gets hands-on experience to reinforce concepts from the text. This book provides an unparalleled degree of support for including a projects component in the course. The instructor's support materials available through Pearson not only include guidance on how to assign and structure the projects but also include a set of user manuals for various project types plus specific assignments, all written especially for this book. Instructors can assign work in the following areas:

Hacking exercises: Two projects that enable students to gain an understanding of the issues in intrusion detection and prevention.
Laboratory exercises: A series of projects that involve programming and experimenting with concepts from the book.
Security education (SEED) projects: The SEED projects are a set of hands-on exercises, or labs, covering a wide range of security topics.
Research projects: A series of research assignments that instruct the students to research a particular topic on the Internet and write a report.
Programming projects: A series of programming projects that cover a broad range of topics and that can be implemented in any suitable language on any platform. Practical security assessments: A set of exercises to examine current infrastructure and practices of an existing organization. Firewall projects: A portable network firewall visualization simulator is provided, together with exercises for teaching the fundamentals of firewalls. Case studies: A set of real-world case studies, including learning objectives, case descrip- tion, and a series of case discussion questions. Reading/report assignments: A list of papers that can be assigned for reading and writing a report, plus suggested assignment wording. Writing assignments: A list of writing assignments to facilitate learning the material. Webcasts for teaching computer security: A catalog of webcast sites that can be used to enhance the course. An effective way of using this catalog is to select, or allow the student to select, one or a few videos to watch, and then to write a report/analysis of the video. This diverse set of projects and other student exercises enables the instructor to use the book as one component in a rich and varied learning experience and to tailor a course plan to meet the specific needs of the instructor and students. See Appendix A in this book for details. ACKNOWLEDGMENTS This new edition has benefited from review by a number of people, who gave generously of their time and expertise. The following professors and instructors reviewed all or a large part of the manuscript: Bernardo Palazzi (Brown University), Jean Mayo (Michigan Technological University), Scott Kerlin (University of North Dakota), Philip Campbell (Ohio University), Scott Burgess (Humboldt State University), Stanley Wine (Hunter College/CUNY), and E. Mauricio Angee (Florida International University). 
Thanks also to the many people who provided detailed technical reviews of one or more chapters: Umair Manzoor (UmZ), Adewumi Olatunji (FAGOSI Systems, Nigeria), Rob Meijer, Robin Goodchil, Greg Barnes (Inviolate Security LLC), Arturo Busleiman (Buanzo Consulting), Ryan M. Speers (Dartmouth College), Wynand van Staden (School of Computing, University of South Africa), Oh Sieng Chye, Michael Gromek, Samuel Weisberger, Brian Smithson (Ricoh Americas Corp, CISSP), Josef B. Weiss (CISSP), Robbert-Frank Ludwig (Veenendaal, ActStamp Information Security), William Perry, Daniela Zamfiroiu (CISSP), Rodrigo Ristow Branco, George Chetcuti (Technical Editor, TechGenix), Thomas Johnson (Director of Information Security at a banking holding company in Chicago, CISSP), Robert Yanus (CISSP), Rajiv Dasmohapatra (Wipro Ltd), Dirk Kotze, Ya’akov Yehudi, and Stanley Wine (Adjunct Lecturer, Computer Information Systems Department, Zicklin School of Business, Baruch College).

Dr. Lawrie Brown would first like to thank Bill Stallings for the pleasure of working with him to produce this text. I would also like to thank my colleagues in the School of Engineering and Information Technology, UNSW Canberra at the Australian Defence Force Academy for their encouragement and support. In particular, thanks to Gideon Creech, Edward Lewis, and Ben Whitham for discussion and review of some of the chapter content.

Finally, we would like to thank the many people responsible for the publication of the book, all of whom did their usual excellent job. This includes the staff at Pearson, particularly our editor Tracy Dunkelberger, her editorial assistant Kristy Alaura, and project manager Bob Engelhardt. Thanks also to the marketing and sales staffs at Pearson, without whose efforts this book would not be in front of you.
ACKNOWLEDGMENTS FOR THE GLOBAL EDITION

Pearson would like to thank and acknowledge Somitra Sanadhya (Indian Institute of Technology Ropar) for contributing to the Global Edition, and Arup Bhattacharya (RCC Institute of Technology), A. Kannammal (Coimbatore Institute of Technology), and Khyat Sharma for reviewing the Global Edition.

Notation

Symbol   Expression          Meaning
D, K     D(K, Y)             Symmetric decryption of ciphertext Y using secret key K
D, PRa   D(PRa, Y)           Asymmetric decryption of ciphertext Y using A’s private key PRa
D, PUa   D(PUa, Y)           Asymmetric decryption of ciphertext Y using A’s public key PUa
E, K     E(K, X)             Symmetric encryption of plaintext X using secret key K
E, PRa   E(PRa, X)           Asymmetric encryption of plaintext X using A’s private key PRa
E, PUa   E(PUa, X)           Asymmetric encryption of plaintext X using A’s public key PUa
K                            Secret key
PRa                          Private key of user A
PUa                          Public key of user A
H        H(X)                Hash function of message X
+        x + y               Logical OR: x OR y
•        x • y               Logical AND: x AND y
~        ~x                  Logical NOT: NOT x
C                            A characteristic formula, consisting of a logical formula over the values of attributes in a database
X        X(C)                Query set of C, the set of records satisfying C
| |      |X(C)|              Magnitude of X(C): the number of records in X(C)
∩        |X(C) ∩ X(D)|       Set intersection: the number of records in both X(C) and X(D)
||       x || y              x concatenated with y

About the Authors

Dr. William Stallings authored 18 textbooks, and, counting revised editions, a total of 70 books on various aspects of these subjects. His writings have appeared in numerous ACM and IEEE publications, including the Proceedings of the IEEE and ACM Computing Reviews. He has 13 times received the award for the best Computer Science textbook of the year from the Text and Academic Authors Association. In over 30 years in the field, he has been a technical contributor, technical manager, and an executive with several high-technology firms.
He has designed and implemented both TCP/IP-based and OSI-based protocol suites on a variety of computers and operating systems, ranging from microcomputers to mainframes. Currently he is an independent consultant whose clients have included computer and networking manufacturers and customers, software development firms, and leading-edge government research institutions. He created and maintains the Computer Science Student Resource Site at ComputerScienceStudent.com. This site provides documents and links on a variety of subjects of general interest to computer science students (and professionals). He is a member of the editorial board of Cryptologia, a scholarly journal devoted to all aspects of cryptology.

Dr. Lawrie Brown is a visiting senior lecturer in the School of Engineering and Information Technology, UNSW Canberra at the Australian Defence Force Academy. His professional interests include communications and computer systems security and cryptography, including research on pseudo-anonymous communication, authentication, security and trust issues in Web environments, the design of secure remote code execution environments using the functional language Erlang, and on the design and implementation of the LOKI family of block ciphers. During his career, he has presented courses on cryptography, cybersecurity, data communications, data structures, and programming in Java to both undergraduate and postgraduate students.
CHAPTER 1 Overview

1.1 Computer Security Concepts
    A Definition of Computer Security
    Examples
    The Challenges of Computer Security
    A Model for Computer Security
1.2 Threats, Attacks, and Assets
    Threats and Attacks
    Threats and Assets
1.3 Security Functional Requirements
1.4 Fundamental Security Design Principles
1.5 Attack Surfaces and Attack Trees
    Attack Surfaces
    Attack Trees
1.6 Computer Security Strategy
    Security Policy
    Security Implementation
    Assurance and Evaluation
1.7 Standards
1.8 Key Terms, Review Questions, and Problems

Learning Objectives

After studying this chapter, you should be able to:

◆ Describe the key security requirements of confidentiality, integrity, and availability.
◆ Discuss the types of security threats and attacks that must be dealt with and give examples of the types of threats and attacks that apply to different categories of computer and network assets.
◆ Summarize the functional requirements for computer security.
◆ Explain the fundamental security design principles.
◆ Discuss the use of attack surfaces and attack trees.
◆ Understand the principal aspects of a comprehensive security strategy.

This chapter provides an overview of computer security. We begin with a discussion of what we mean by computer security. In essence, computer security deals with computer-related assets that are subject to a variety of threats and for which various measures are taken to protect those assets. Accordingly, the next section of this chapter provides a brief overview of the categories of computer-related assets that users and system managers wish to preserve and protect, and a look at the various threats and attacks that can be made on those assets. Then, we survey the measures that can be taken to deal with such threats and attacks. This we do from three different viewpoints, in Sections 1.3 through 1.5. We then lay out in general terms a computer security strategy.
The focus of this chapter, and indeed this book, is on three fundamental questions:

1. What assets do we need to protect?
2. How are those assets threatened?
3. What can we do to counter those threats?

1.1 COMPUTER SECURITY CONCEPTS

A Definition of Computer Security

The NIST Internal/Interagency Report NISTIR 7298 (Glossary of Key Information Security Terms, May 2013) defines the term computer security as follows:

Computer Security: Measures and controls that ensure confidentiality, integrity, and availability of information system assets including hardware, software, firmware, and information being processed, stored, and communicated.

This definition introduces three key objectives that are at the heart of computer security:

• Confidentiality: This term covers two related concepts:
  - Data confidentiality [1]: Assures that private or confidential information is not made available or disclosed to unauthorized individuals.
  - Privacy: Assures that individuals control or influence what information related to them may be collected and stored and by whom and to whom that information may be disclosed.
• Integrity: This term covers two related concepts:
  - Data integrity: Assures that information and programs are changed only in a specified and authorized manner.
  - System integrity: Assures that a system performs its intended function in an unimpaired manner, free from deliberate or inadvertent unauthorized manipulation of the system.
• Availability: Assures that systems work promptly and service is not denied to authorized users.

These three concepts form what is often referred to as the CIA triad. The three concepts embody the fundamental security objectives for both data and for information and computing services.
[1] RFC 4949 (Internet Security Glossary, August 2007) defines information as “facts and ideas, which can be represented (encoded) as various forms of data,” and data as “information in a specific physical representation, usually a sequence of symbols that have meaning; especially a representation of information that can be processed or produced by a computer.” Security literature typically does not make much of a distinction; nor does this book.

For example, the NIST standard FIPS 199 (Standards for Security Categorization of Federal Information and Information Systems, February 2004) lists confidentiality, integrity, and availability as the three security objectives for information and for information systems. FIPS 199 provides a useful characterization of these three objectives in terms of requirements and the definition of a loss of security in each category:

• Confidentiality: Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information. A loss of confidentiality is the unauthorized disclosure of information.
• Integrity: Guarding against improper information modification or destruction, including ensuring information nonrepudiation and authenticity. A loss of integrity is the unauthorized modification or destruction of information.
• Availability: Ensuring timely and reliable access to and use of information. A loss of availability is the disruption of access to or use of information or an information system.

Although the use of the CIA triad to define security objectives is well established, some in the security field feel that additional concepts are needed to present a complete picture (see Figure 1.1). Two of the most commonly mentioned are as follows:

• Authenticity: The property of being genuine and being able to be verified and trusted; confidence in the validity of a transmission, a message, or message originator. This means verifying that users are who they say they are and that each input arriving at the system came from a trusted source.
• Accountability: The security goal that generates the requirement for actions of an entity to be traced uniquely to that entity. This supports nonrepudiation, deterrence, fault isolation, intrusion detection and prevention, and after-action recovery and legal action. Because truly secure systems are not yet an achievable goal, we must be able to trace a security breach to a responsible party. Systems must keep records of their activities to permit later forensic analysis to trace security breaches or to aid in transaction disputes.

Note that FIPS 199 includes authenticity under integrity.

[Figure 1.1 Essential Network and Computer Security Requirements: Confidentiality, Integrity, Availability, Authenticity and Accountability arranged around “Data and services”.]

Examples

We now provide some examples of applications that illustrate the requirements just enumerated [2].

[2] These examples are taken from a security policy document published by the Information Technology Security and Privacy Office at Purdue University.

For these examples, we use three levels of impact on organizations or individuals should there be a breach of security (i.e., a loss of confidentiality, integrity, or availability). These levels are defined in FIPS 199:

• Low: The loss could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals. A limited adverse effect means that, for example, the loss of confidentiality, integrity, or availability might: (i) cause a degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is noticeably reduced; (ii) result in minor damage to organizational assets; (iii) result in minor financial loss; or (iv) result in minor harm to individuals.
• Moderate: The loss could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals. A serious adverse effect means that, for example, the loss might: (i) cause a significant degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is significantly reduced; (ii) result in significant damage to organizational assets; (iii) result in significant financial loss; or (iv) result in significant harm to individuals that does not involve loss of life or serious life-threatening injuries.
• High: The loss could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals. A severe or catastrophic adverse effect means that, for example, the loss might: (i) cause a severe degradation in or loss of mission capability to an extent and duration that the organization is not able to perform one or more of its primary functions; (ii) result in major damage to organizational assets; (iii) result in major financial loss; or (iv) result in severe or catastrophic harm to individuals involving loss of life or serious life-threatening injuries.

Confidentiality

Student grade information is an asset whose confidentiality is considered to be highly important by students. In the United States, the release of such information is regulated by the Family Educational Rights and Privacy Act (FERPA). Grade information should only be available to students, their parents, and employees that require the information to do their job. Student enrollment information may have a moderate confidentiality rating. While still covered by FERPA, this information is seen by more people on a daily basis, is less likely to be targeted than grade information, and results in less damage if disclosed.
Directory information, such as lists of students or faculty or departmental lists, may be assigned a low confidentiality rating or indeed no rating. This information is typically freely available to the public and published on a school’s website.

Integrity

Several aspects of integrity are illustrated by the example of a hospital patient’s allergy information stored in a database. The doctor should be able to trust that the information is correct and current. Now, suppose an employee (e.g., a nurse) who is authorized to view and update this information deliberately falsifies the data to cause harm to the hospital. The database needs to be restored to a trusted basis quickly, and it should be possible to trace the error back to the person responsible. Patient allergy information is an example of an asset with a high requirement for integrity. Inaccurate information could result in serious harm or death to a patient, and expose the hospital to massive liability.

An example of an asset that may be assigned a moderate level of integrity requirement is a website that offers a forum to registered users to discuss some specific topic. Either a registered user or a hacker could falsify some entries or deface the website. If the forum exists only for the enjoyment of the users, brings in little or no advertising revenue, and is not used for something important such as research, then potential damage is not severe. The Webmaster may experience some data, financial, and time loss.

An example of a low integrity requirement is an anonymous online poll. Many websites, such as news organizations, offer these polls to their users with very few safeguards. However, the inaccuracy and unscientific nature of such polls is well understood.

Availability

The more critical a component or service is, the higher will be the level of availability required. Consider a system that provides authentication services for critical systems, applications, and devices.
An interruption of service results in the inability for customers to access computing resources and staff to access the resources they need to perform critical tasks. The loss of the service translates into a large financial loss in lost employee productivity and potential customer loss.

An example of an asset that would typically be rated as having a moderate availability requirement is a public website for a university; the website provides information for current and prospective students and donors. Such a site is not a critical component of the university’s information system, but its unavailability will cause some embarrassment.

An online telephone directory lookup application would be classified as a low availability requirement. Although the temporary loss of the application may be an annoyance, there are other ways to access the information, such as a hardcopy directory or the operator.

The Challenges of Computer Security

Computer security is both fascinating and complex. Some of the reasons are as follows:

1. Computer security is not as simple as it might first appear to the novice. The requirements seem to be straightforward; indeed, most of the major requirements for security services can be given self-explanatory one-word labels: confidentiality, authentication, nonrepudiation, and integrity. But the mechanisms used to meet those requirements can be quite complex, and understanding them may involve rather subtle reasoning.
2. In developing a particular security mechanism or algorithm, one must always consider potential attacks on those security features. In many cases, successful attacks are designed by looking at the problem in a completely different way, therefore exploiting an unexpected weakness in the mechanism.
3. Because of Point 2, the procedures used to provide particular services are often counterintuitive.
   Typically, a security mechanism is complex, and it is not obvious from the statement of a particular requirement that such elaborate measures are needed. Only when the various aspects of the threat are considered do elaborate security mechanisms make sense.
4. Having designed various security mechanisms, it is necessary to decide where to use them. This is true both in terms of physical placement (e.g., at what points in a network are certain security mechanisms needed) and in a logical sense [e.g., at what layer or layers of an architecture such as TCP/IP (Transmission Control Protocol/Internet Protocol) should mechanisms be placed].
5. Security mechanisms typically involve more than a particular algorithm or protocol. They also require that participants be in possession of some secret information (e.g., an encryption key), which raises questions about the creation, distribution, and protection of that secret information. There may also be a reliance on communications protocols whose behavior may complicate the task of developing the security mechanism. For example, if the proper functioning of the security mechanism requires setting time limits on the transit time of a message from sender to receiver, then any protocol or network that introduces variable, unpredictable delays may render such time limits meaningless.
6. Computer security is essentially a battle of wits between a perpetrator who tries to find holes, and the designer or administrator who tries to close them. The great advantage that the attacker has is that he or she need only find a single weakness, while the designer must find and eliminate all weaknesses to achieve perfect security.
7. There is a natural tendency on the part of users and system managers to perceive little benefit from security investment until a security failure occurs.
8. Security requires regular, even constant monitoring, and this is difficult in today’s short-term, overloaded environment.
9. Security is still too often an afterthought to be incorporated into a system after the design is complete, rather than being an integral part of the design process.
10. Many users and even security administrators view strong security as an impediment to efficient and user-friendly operation of an information system or use of information.

The difficulties just enumerated will be encountered in numerous ways as we examine the various security threats and mechanisms throughout this book.

A Model for Computer Security

We now introduce some terminology that will be useful throughout the book [3]. Table 1.1 defines terms and Figure 1.2, based on [CCPS12a], shows the relationship among some of these terms. We start with the concept of a system resource or asset, that users and owners wish to protect. The assets of a computer system can be categorized as follows:

• Hardware: Including computer systems and other data processing, data storage, and data communications devices.
• Software: Including the operating system, system utilities, and applications.
• Data: Including files and databases, as well as security-related data, such as password files.
• Communication facilities and networks: Local and wide area network communication links, bridges, routers, and so on.

In the context of security, our concern is with the vulnerabilities of system resources. [NRC02] lists the following general categories of vulnerabilities of a computer system or network asset:

• The system can be corrupted, so it does the wrong thing or gives wrong answers. For example, stored data values may differ from what they should be because they have been improperly modified.

[3] See Chapter 0 for an explanation of RFCs.
Table 1.1 Computer Security Terminology

Adversary (threat agent): Individual, group, organization, or government that conducts or has the intent to conduct detrimental activities.
Attack: Any kind of malicious activity that attempts to collect, disrupt, deny, degrade, or destroy information system resources or the information itself.
Countermeasure: A device or technique that has as its objective the impairment of the operational effectiveness of undesirable or adversarial activity, or the prevention of espionage, sabotage, theft, or unauthorized access to or use of sensitive information or information systems.
Risk: A measure of the extent to which an entity is threatened by a potential circumstance or event, and typically a function of 1) the adverse impacts that would arise if the circumstance or event occurs; and 2) the likelihood of occurrence.
Security Policy: A set of criteria for the provision of security services. It defines and constrains the activities of a data processing facility in order to maintain a condition of security for systems and data.
System Resource (Asset): A major application, general support system, high impact program, physical plant, mission critical system, personnel, equipment, or a logically related group of systems.
Threat: Any circumstance or event with the potential to adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, or the Nation through an information system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service.
Vulnerability: Weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source.

Source: Stallings, William, Computer Security: Principles and Practice, 4e, ©2019. Reprinted and electronically reproduced by permission of Pearson Education, Inc., New York, NY.

• The system can become leaky. For example, someone who should not have access to some or all of the information available through the network obtains such access.
• The system can become unavailable or very slow. That is, using the system or network becomes impossible or impractical.

[Figure 1.2 Security Concepts and Relationships (based on [CCPS12a]): Owners value Assets and wish to minimize Risk, so they impose Countermeasures to reduce Risk; Threat agents give rise to Threats, which increase Risk to the Assets the threat agents wish to abuse and/or may damage.]

These three general types of vulnerability correspond to the concepts of integrity, confidentiality, and availability, enumerated earlier in this section.

Corresponding to the various types of vulnerabilities to a system resource are threats that are capable of exploiting those vulnerabilities. A threat represents a potential security harm to an asset. An attack is a threat that is carried out (threat action) and, if successful, leads to an undesirable violation of security, or threat consequence. The agent carrying out the attack is referred to as an attacker or threat agent. We can distinguish two types of attacks:

• Active attack: An attempt to alter system resources or affect their operation.
• Passive attack: An attempt to learn or make use of information from the system that does not affect system resources.

We can also classify attacks based on the origin of the attack:

• Inside attack: Initiated by an entity inside the security perimeter (an “insider”). The insider is authorized to access system resources but uses them in a way not approved by those who granted the authorization.
• Outside attack: Initiated from outside the perimeter, by an unauthorized or illegitimate user of the system (an “outsider”).
  On the Internet, potential outside attackers range from amateur pranksters to organized criminals, international terrorists, and hostile governments.

Finally, a countermeasure is any means taken to deal with a security attack. Ideally, a countermeasure can be devised to prevent a particular type of attack from succeeding. When prevention is not possible, or fails in some instance, the goal is to detect the attack then recover from the effects of the attack. A countermeasure may itself introduce new vulnerabilities. In any case, residual vulnerabilities may remain after the imposition of countermeasures. Such vulnerabilities may be exploited by threat agents representing a residual level of risk to the assets. Owners will seek to minimize that risk given other constraints.

1.2 THREATS, ATTACKS, AND ASSETS

We now turn to a more detailed look at threats, attacks, and assets. First, we look at the types of security threats that must be dealt with, and then give some examples of the types of threats that apply to different categories of assets.

Threats and Attacks

Table 1.2, based on RFC 4949, describes four kinds of threat consequences and lists the kinds of attacks that result in each consequence.

Table 1.2 Threat Consequences, and the Types of Threat Actions that Cause Each Consequence

Unauthorized Disclosure: A circumstance or event whereby an entity gains access to data for which the entity is not authorized.
    Exposure: Sensitive data are directly released to an unauthorized entity.
    Interception: An unauthorized entity directly accesses sensitive data traveling between authorized sources and destinations.
    Inference: A threat action whereby an unauthorized entity indirectly accesses sensitive data (but not necessarily the data contained in the communication) by reasoning from characteristics or by-products of communications.
    Intrusion: An unauthorized entity gains access to sensitive data by circumventing a system’s security protections.
Deception: A circumstance or event that may result in an authorized entity receiving false data and believing it to be true.
    Masquerade: An unauthorized entity gains access to a system or performs a malicious act by posing as an authorized entity.
    Falsification: False data deceive an authorized entity.
    Repudiation: An entity deceives another by falsely denying responsibility for an act.
Disruption: A circumstance or event that interrupts or prevents the correct operation of system services and functions.
    Incapacitation: Prevents or interrupts system operation by disabling a system component.
    Corruption: Undesirably alters system operation by adversely modifying system functions or data.
    Obstruction: A threat action that interrupts delivery of system services by hindering system operation.
Usurpation: A circumstance or event that results in control of system services or functions by an unauthorized entity.
    Misappropriation: An entity assumes unauthorized logical or physical control of a system resource.
    Misuse: Causes a system component to perform a function or service that is detrimental to system security.

Source: Based on RFC 4949

Unauthorized disclosure is a threat to confidentiality. The following types of attacks can result in this threat consequence:

• Exposure: This can be deliberate, as when an insider intentionally releases sensitive information, such as credit card numbers, to an outsider. It can also be the result of a human, hardware, or software error, which results in an entity gaining unauthorized knowledge of sensitive data. There have been numerous instances of this, such as universities accidentally posting confidential student information on the Web.
• Interception: Interception is a common attack in the context of communications. On a shared local area network (LAN), such as a wireless LAN or a broadcast Ethernet, any device attached to the LAN can receive a copy of packets intended for another device. On the Internet, a determined hacker can gain access to e-mail traffic and other data transfers. All of these situations create the potential for unauthorized access to data.
• Inference: An example of inference is known as traffic analysis, in which an adversary is able to gain information from observing the pattern of traffic on a network, such as the amount of traffic between particular pairs of hosts on the network. Another example is the inference of detailed information from a database by a user who has only limited access; this is accomplished by repeated queries whose combined results enable inference.
• Intrusion: An example of intrusion is an adversary gaining unauthorized access to sensitive data by overcoming the system’s access control protections.

Deception is a threat to either system integrity or data integrity. The following types of attacks can result in this threat consequence:

• Masquerade: One example of masquerade is an attempt by an unauthorized user to gain access to a system by posing as an authorized user; this could happen if the unauthorized user has learned another user’s logon ID and password. Another example is malicious logic, such as a Trojan horse, that appears to perform a useful or desirable function but actually gains unauthorized access to system resources, or tricks a user into executing other malicious logic.
• Falsification: This refers to the altering or replacing of valid data or the introduction of false data into a file or database. For example, a student may alter his or her grades on a school database.
• Repudiation: In this case, a user either denies sending data, or a user denies receiving or possessing the data.

Disruption is a threat to availability or system integrity.
The following types of attacks can result in this threat consequence:

Incapacitation: This is an attack on system availability. This could occur as a result of physical destruction of or damage to system hardware. More typically, malicious software, such as Trojan horses, viruses, or worms, could operate in such a way as to disable a system or some of its services.

Corruption: This is an attack on system integrity. Malicious software in this context could operate in such a way that system resources or services function in an unintended manner. Or a user could gain unauthorized access to a system and modify some of its functions. An example of the latter is a user placing backdoor logic in the system to provide subsequent access to a system and its resources by other than the usual procedure.

Obstruction: One way to obstruct system operation is to interfere with communications by disabling communication links or altering communication control information. Another way is to overload the system by placing excess burden on communication traffic or processing resources.

Usurpation is a threat to system integrity. The following types of attacks can result in this threat consequence:

Misappropriation: This can include theft of service. An example is a distributed denial of service attack, when malicious software is installed on a number of hosts to be used as platforms to launch traffic at a target host. In this case, the malicious software makes unauthorized use of processor and operating system resources.

Misuse: Misuse can occur by means of either malicious logic or a hacker that has gained unauthorized access to a system. In either case, security functions can be disabled or thwarted.

Threats and Assets

The assets of a computer system can be categorized as hardware, software, data, and communication lines and networks. In this subsection, we briefly describe these four categories and relate these to the concepts of integrity, confidentiality, and availability introduced in Section 1.1 (see Figure 1.3 and Table 1.3).

Hardware

A major threat to computer system hardware is the threat to availability. Hardware is the most vulnerable to attack and the least susceptible to automated controls. Threats include accidental and deliberate damage to equipment as well as theft. The proliferation of personal computers and workstations and the widespread use of LANs increase the potential for losses in this area. Theft of USB drives can lead to loss of confidentiality. Physical and administrative security measures are needed to deal with these threats.

Software

Software includes the operating system, utilities, and application programs. A key threat to software is an attack on availability. Software, especially application software, is often easy to delete. Software can also be altered or damaged to render it useless. Careful software configuration management, which includes making backups of the most recent version of software, can maintain high availability. A more difficult problem to deal with is software modification that results in a program that still functions but that behaves differently than before, which is a threat to integrity/authenticity. Computer viruses and related attacks fall into this category. A final problem is protection against software piracy.
Although certain countermeasures are available, by and large the problem of unauthorized copying of software has not been solved.

[Figure 1.3 Scope of Computer Security. The figure shows users making requests of a computer system that holds data and processes representing users, with a guard at each boundary, and marks four concerns: (1) access to the data must be controlled (protection); (2) access to the computer facility must be controlled (user authentication); (3) data must be securely transmitted through networks (network security); (4) sensitive files must be secure (file security).]

Note: This figure depicts security concerns other than physical security, including controlling of access to computer systems, safeguarding of data transmitted over communications systems, and safeguarding of stored data.

Table 1.3 Computer and Network Assets, with Examples of Threats

Hardware
    Availability: Equipment is stolen or disabled, thus denying service.
    Confidentiality: An unencrypted USB drive is stolen.

Software
    Availability: Programs are deleted, denying access to users.
    Confidentiality: An unauthorized copy of software is made.
    Integrity: A working program is modified, either to cause it to fail during execution or to cause it to do some unintended task.

Data
    Availability: Files are deleted, denying access to users.
    Confidentiality: An unauthorized read of data is performed. An analysis of statistical data reveals underlying data.
    Integrity: Existing files are modified or new files are fabricated.

Communication Lines and Networks
    Availability: Messages are destroyed or deleted. Communication lines or networks are rendered unavailable.
    Confidentiality: Messages are read. The traffic pattern of messages is observed.
    Integrity: Messages are modified, delayed, reordered, or duplicated. False messages are fabricated.

Data

Hardware and software security are typically concerns of computing center professionals or individual concerns of personal computer users. A much more widespread problem is data security, which involves files and other forms of data controlled by individuals, groups, and business organizations.

Security concerns with respect to data are broad, encompassing availability, secrecy, and integrity. In the case of availability, the concern is with the destruction of data files, which can occur either accidentally or maliciously.

The obvious concern with secrecy is the unauthorized reading of data files or databases, and this area has been the subject of perhaps more research and effort than any other area of computer security. A less obvious threat to secrecy involves the analysis of data and manifests itself in the use of so-called statistical databases, which provide summary or aggregate information. Presumably, the existence of aggregate information does not threaten the privacy of the individuals involved. However, as the use of statistical databases grows, there is an increasing potential for disclosure of personal information. In essence, characteristics of constituent individuals may be identified through careful analysis. For example, if one table records the aggregate of the incomes of respondents A, B, C, and D and another records the aggregate of the incomes of A, B, C, D, and E, the difference between the two aggregates would be the income of E. This problem is exacerbated by the increasing desire to combine data sets. In many cases, matching several sets of data for consistency at different levels of aggregation requires access to individual units. Thus, the individual units, which are the subject of privacy concerns, are available at various stages in the processing of data sets.

Finally, data integrity is a major concern in most installations. Modifications to data files can have consequences ranging from minor to disastrous.

Communication Lines and Networks

Network security attacks can be classified as passive attacks and active attacks.
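Before turning to network attacks, the statistical-database differencing example from the Data discussion above is worth seeing in code. This is an added example, not from the textbook: the income figures are constructed sample data, and the StatisticalDB class, its query_sum method and the min_size/max_overlap parameters are names chosen for this illustration. The guard enforces a minimum query-set size and a maximum overlap between query sets, two standard statistical-database controls that this section does not itself describe; the unguarded path reproduces the textbook's arithmetic exactly.

```python
"""Statistical-database inference (differencing) and a simple query guard.

Added example, not from the textbook. The income figures are constructed
sample data; StatisticalDB, query_sum() and the guard parameters are
illustrative names chosen for this example.
"""

# Constructed sample data: respondent -> annual income (arbitrary units).
INCOMES = {"A": 52_000, "B": 61_000, "C": 48_000, "D": 70_000, "E": 95_000}


class StatisticalDB:
    """Answers only aggregate (sum) queries over named sets of respondents.

    Guard rules (standard controls, not specific to this page): a query set
    must contain at least `min_size` respondents, and it may overlap any
    previously answered query set in at most `max_overlap` respondents.
    Answered sets are logged so the overlap rule can be enforced and so a
    refused query leaves an audit trail.
    """

    def __init__(self, records, min_size=3, max_overlap=2):
        self.records = records
        self.min_size = min_size
        self.max_overlap = max_overlap
        self.answered = []  # query sets already released

    def query_sum(self, respondents, guarded=True):
        qset = frozenset(respondents)
        if guarded:
            if len(qset) < self.min_size:
                raise PermissionError("query set too small")
            for prev in self.answered:
                if len(qset & prev) > self.max_overlap:
                    raise PermissionError(
                        "query set overlaps an answered set in "
                        f"{len(qset & prev)} respondents")
            self.answered.append(qset)
        return sum(self.records[r] for r in qset)


def differencing_attack(db):
    """Textbook example against an unguarded database:
    sum(A,B,C,D,E) - sum(A,B,C,D) is exactly E's income."""
    big = db.query_sum("ABCDE", guarded=False)
    small = db.query_sum("ABCD", guarded=False)
    return big - small


def guarded_attempt(db):
    """The same two queries through the guard: the first is answered, the
    second is refused because it overlaps the first in four respondents.
    Returns (first_answer, refusal_reason_or_None)."""
    first = db.query_sum("ABCDE")
    try:
        db.query_sum("ABCD")
        return first, None
    except PermissionError as exc:
        return first, str(exc)


if __name__ == "__main__":
    print("Unguarded: inferred income of E =",
          differencing_attack(StatisticalDB(INCOMES)))
    print("Guarded:", guarded_attempt(StatisticalDB(INCOMES)))
```

Run the file directly to see both outcomes. Overlap control is a useful first line but not a complete defence: longer sequences of aggregate queries can still isolate an individual, which is why statistical databases in practice also perturb released values or restrict the aggregate functions offered.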
A passive attack attempts to learn or make use of information from the system, but does not affect system resources. An active attack attempts to alter system resources or affect their operation.

Passive attacks are in the nature of eavesdropping on, or monitoring of, transmissions. The goal of the attacker is to obtain information that is being transmitted. Two types of passive attacks are the release of message contents and traffic analysis.

The release of message contents is easily understood. A telephone conversation, an electronic mail message, and a transferred file may contain sensitive or confidential information. We would like to prevent an opponent from learning the contents of these transmissions.

A second type of passive attack, traffic analysis, is more subtle. Suppose we had a way of masking the contents of messages or other information traffic so opponents, even if they captured the message, could not extract the information from the message. The common technique for masking contents is encryption. If we had encryption protection in place, an opponent might still be able to observe the pattern of these messages. The opponent could determine the location and identity of communicating hosts and could observe the frequency and length of messages being exchanged. This information might be useful in guessing the nature of the communication that was taking place.

Passive attacks are very difficult to detect because they do not involve any alteration of the data. Typically, the message traffic is sent and received in an apparently normal fashion and neither the sender nor receiver is aware that a third party has read the messages or observed the traffic pattern. However, it is feasible to prevent the success of these attacks, usually by means of encryption. Thus, the emphasis in dealing with passive attacks is on prevention rather than detection.

Active attacks involve some modification of the data stream or the creation of a false stream, and can be subdivided into four categories: replay, masquerade, modification of messages, and denial of service.

Replay involves the passive capture of a data unit and its subsequent retransmission to produce an unauthorized effect.

A masquerade takes place when one entity pretends to be a different entity. A masquerade attack usually includes one of the other forms of active attack. For example, authentication sequences can be captured and replayed after a valid authentication sequence has taken place, thus enabling an authorized entity with few privileges to obtain extra privileges by impersonating an entity that has those privileges.

Modification of messages simply means that some portion of a legitimate message is altered, or that messages are delayed or reordered, to produce an unauthorized effect. For example, a message stating, "Allow John Smith to read confidential file accounts" is modified to say, "Allow Fred Brown to read confidential file accounts."

The denial of service prevents or inhibits the normal use or management of communication facilities. This attack may have a specific target; for example, an entity may suppress all messages directed to a particular destination (e.g., the security audit service). Another form of service denial is the disruption of an entire network, either by disabling the network or by overloading it with messages so as to degrade performance.

Active attacks present the opposite characteristics of passive attacks. Whereas passive attacks are difficult to detect, measures are available to prevent their success. On the other hand, it is quite difficult to prevent active attacks absolutely, because to do so would require physical protection of all communication facilities and paths at all times.
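To make detection of the replay and message-modification attacks just described concrete from the receiver's side, here is an added example that is not from the textbook. The sender binds a sequence number to each message and appends an HMAC-SHA256 tag over both; the receiver verifies the tag (which catches any alteration of the text, such as "John Smith" becoming "Fred Brown") and then refuses any sequence number it has already accepted (which catches retransmission of a captured packet). The shared key, the wire format (8-byte sequence number || message || 32-byte tag) and the protect/Receiver names are constructed for this illustration; a real key would come from key management, not from source code.

```python
"""Detecting modification and replay of messages with an authentication tag.

Added example, not from the textbook. The key, the wire format
(8-byte sequence number || message || 32-byte HMAC-SHA256 tag) and the
protect()/Receiver names are constructed for this illustration.
"""
import hashlib
import hmac

# Constructed shared secret for the example only; real keys come from key management.
SHARED_KEY = b"example-key-not-for-real-use"

SEQ_LEN = 8    # bytes of big-endian sequence number
TAG_LEN = 32   # bytes of HMAC-SHA256 output


def protect(seq, message, key=SHARED_KEY):
    """Sender side: prepend the sequence number and append a tag computed over
    sequence number and message, so neither can be altered without
    invalidating the tag."""
    header = seq.to_bytes(SEQ_LEN, "big")
    tag = hmac.new(key, header + message, hashlib.sha256).digest()
    return header + message + tag


class Receiver:
    """Verifies each packet's tag, then rejects sequence numbers already
    accepted. Status values: 'ok', 'modified' (tag check failed or packet
    malformed) and 'replayed' (valid packet delivered before)."""

    def __init__(self, key=SHARED_KEY):
        self.key = key
        self.seen = set()

    def accept(self, packet):
        """Return (status, decoded_message_or_None)."""
        if len(packet) < SEQ_LEN + TAG_LEN:
            return "modified", None     # truncated: cannot carry a valid tag
        header, body, tag = packet[:SEQ_LEN], packet[SEQ_LEN:-TAG_LEN], packet[-TAG_LEN:]
        expected = hmac.new(self.key, header + body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return "modified", None     # tag does not cover this content
        seq = int.from_bytes(header, "big")
        if seq in self.seen:
            return "replayed", None     # authentic, but already delivered once
        self.seen.add(seq)
        return "ok", body.decode()


def demo():
    """Walk through the textbook's scenarios and return the three verdicts."""
    rx = Receiver()
    genuine = protect(1, b"Allow John Smith to read confidential file accounts")
    # Modification of messages: an attacker changes the name in transit.
    tampered = genuine.replace(b"John Smith", b"Fred Brown")
    return [
        rx.accept(genuine)[0],    # first delivery is accepted
        rx.accept(tampered)[0],   # altered text fails the tag check
        rx.accept(genuine)[0],    # retransmitted capture is a replay
    ]


if __name__ == "__main__":
    print(demo())   # expected: ['ok', 'modified', 'replayed']
```

A set of seen sequence numbers grows without bound; production protocols keep a sliding window instead and can also treat an out-of-window or backwards sequence number as evidence of delay or reordering, the other two effects the text lists under modification of messages. Nothing here addresses denial of service, which needs rate controls and redundancy rather than cryptographic checks.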
Instead, the goal is to detect them and to recover from any disruption or delays caused by them. Because the detection has a deterrent effect, it may also contribute to prevention.

1.3 SECURITY FUNCTIONAL REQUIREMENTS

There are a number of ways of classifying and characterizing the countermeasures that may be used to reduce vulnerabilities and deal with threats to system assets. In this section, we view countermeasures in terms of functional requirements, and we follow the classification defined in FIPS 200 (Minimum Security Requirements for Federal Information and Information Systems). This standard enumerates 17 security-related areas with regard to protecting the confidentiality, integrity, and availability of information systems and the information processed, stored, and transmitted by those systems. The areas are defined in Table 1.4.

The requirements listed in FIPS 200 encompass a wide range of countermeasures to security vulnerabilities and threats. Roughly, we can divide these countermeasures into two categories: those that require computer security technical measures (covered in Parts One and Two), either hardware or software, or both; and those that are fundamentally management issues (covered in Part Three).

Each of the functional areas may involve both computer security technical measures and management measures. Functional areas that primarily require computer security technical measures include access control, identification and authentication, system and communication protection, and system and information integrity. Functional areas that primarily involve management controls and procedures include awareness and training; audit and accountability; certification, accreditation, and security assessments; contingency planning; maintenance; physical and environmental protection; planning; personnel security; risk assessment; and systems and services acquisition. Functional areas that overlap computer security technical measures and management controls include configuration management, incident response, and media protection.

Note the majority of the functional requirements areas in FIPS 200 are either primarily issues of management or at least have a significant management component, as opposed to purely software or hardware solutions. This may be new to some readers, and is not reflected in many of the books on computer and information security. But as one computer security expert observed, "If you think technology can solve your security problems, then you don't understand the problems and you don't understand the technology" [SCHN00]. This book reflects the need

Table 1.4 Security Requirements

Access Control: Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems) and to the types of transactions and functions that authorized users are permitted to exercise.

Awareness and Training: (i) Ensure that managers and users of organizational information systems are made aware of the security risks associated with their activities and of the applicable laws, regulations, and policies related to the security of organizational information systems; and (ii) ensure that personnel are adequately trained to carry out their assigned information security-related duties and responsibilities.

Audit and Accountability: (i) Create, protect, and retain information system audit records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful, unauthorized, or inappropriate information system activity; and (ii) ensure that the actions of individual information system users can be uniquely traced to those users so they can be held accountable for their actions.
Certification, Accreditation, and Security Assessments: (i) Periodically assess the security controls in organizational information systems to determine if the controls are effective in their application; (ii) develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational information systems; (iii) authorize the operation of organizational information systems and any associated information system connections; and (iv) monitor information system security controls on an ongoing basis to ensure the continued effectiveness of the controls.

Configuration Management: (i) Establish and maintain baseline configurations and inventories of organizational information systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles; and (ii) establish and enforce security configuration settings for information technology products employed in organizational information systems.

Contingency Planning: Establish, maintain, and implement plans for emergency response, backup operations, and postdisaster recovery for organizational information systems to ensure the availability of critical information resources and continuity of operations in emergency situations.

Identification and Authentication: Identify information system users, processes acting on behalf of users, or devices, and authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.

Incident Response: (i) Establish an operational incident-handling capability for organizational information systems that includes adequate preparation, detection, analysis, containment, recovery, and user-response activities; and (ii) track, document, and report incidents to appropriate organizational officials and/or authorities.

Maintenance: (i) Perform periodic and timely maintenance on organizational information systems; and (ii) provide effective controls on the tools, techniques, mechanisms, and personnel used to conduct information system maintenance.

Media Protection: (i) Protect information system media, both paper and digital; (ii) limit access to information on information system media to authorized users; and (iii) sanitize or destroy information system media before disposal or release for reuse.

Physical and Environmental Protection: (i) Limit physical access to information systems, equipment, and the respective operating environments to authorized individuals; (ii) protect the physical plant and support infrastructure for information systems; (iii) provide supporting utilities for information systems; (iv) protect information systems against environmental hazards; and (v) provide appropriate environmental controls in facilities containing information systems.

Planning: Develop, document, periodically update, and implement security plans for organizational information systems that describe the security controls in place or planned for the information systems and the rules of behavior for individuals accessing the information systems.

Personnel Security: (i) Ensure that individuals occupying positions of responsibility within organizations (including third-party service providers) are trustworthy and meet established security criteria for t