Lecture 1 (2).pdf
Princess Nourah Bint Abdulrahman University
Computer System Security: Lecture 1
Dr Tahani Aljohani

Lecture 1 overview
Computer Security Concepts
Threats, Attacks, and Assets
Security Functional Requirements
Fundamental Security Design Principles
Attack Surfaces and Attack Trees
Computer Security Strategy

Learning objectives
Describe the key security requirements of confidentiality, integrity and availability
Discuss the types of security threats and attacks that must be dealt with
Summarize the functional requirements for computer security
Explain the fundamental security design principles
Discuss the use of attack surfaces and attack trees
Understand the principal aspects of a comprehensive security strategy

A definition of computer security
Computer security: the protection afforded to an automated information system in order to attain the applicable objectives of preserving the integrity, availability and confidentiality of information system resources (includes hardware, software, firmware, information/data, and telecommunications). (NIST, 1995)

Three key objectives (the CIA triad)
Confidentiality
Data confidentiality: assures that confidential information is not disclosed to unauthorized individuals
Privacy: assures that individuals control or influence what information about them may be collected and stored
Integrity
Data integrity: assures that information and programs are changed only in a specified and authorized manner
System integrity: assures that a system performs its operations in an unimpaired manner
Availability: assures that systems work promptly and service is not denied to authorized users

Key security concepts (figure: the CIA triad, confidentiality, integrity and availability, applied to data and services)

Other concepts needed for a complete security picture
Authenticity: the property of being genuine and being able to be verified and trusted; confidence in the validity of a transmission, a message, or its originator
Accountability: generates the requirement for the actions of an entity to be traced uniquely to that entity, to support nonrepudiation, deterrence, fault isolation, etc.

Examples of security requirements: Confidentiality
1. Student grade information is an asset whose confidentiality is considered to be very high. Under the US FERPA Act, grades should only be available to students, their parents, and their employers (when required for the job)
2. Student enrollment information: may have a moderate confidentiality rating; less damage if disclosed
3. Directory information: low confidentiality rating; often available publicly

Examples of security requirements: Integrity
1. A hospital patient's allergy information (high integrity data): a doctor should be able to trust that the information is correct and current. If a nurse deliberately falsifies the data, the database should be restored to a trusted basis and the falsified information traced back to the person who did it
2. An online newsgroup's registration data: a moderate level of integrity
3. An example of a low integrity requirement: an anonymous online poll (inaccuracy is well understood)

Examples of security requirements: Availability
1. A system that provides authentication: a high availability requirement; if customers cannot access resources, the loss of service could result in financial loss
2. A public website for a university: a moderate availability requirement; not critical, but unavailability causes embarrassment
3. An online telephone directory lookup: a low availability requirement, because unavailability is mostly an annoyance (there are alternative sources)

Challenges of computer security
1. Computer security is not simple
2. One must consider potential (unexpected) attacks
3. Procedures used are often counter-intuitive
4. Must decide where to deploy mechanisms
5. Involves algorithms and secret information (keys)
6. A battle of wits between attacker and administrator
7. It is not perceived as a benefit until it fails
8. Requires constant monitoring
9. Too often an after-thought (not integral)
10. Regarded as an impediment to using the system

Computer security terminology (table on the slide; the terms are not recoverable from the transcript)

Threat consequences
Unauthorized disclosure: a threat to confidentiality. Exposure (release of data), interception, inference, intrusion
Deception: a threat to integrity. Masquerade, falsification (altering data), repudiation
Disruption: a threat to integrity and availability. Incapacitation (destruction), corruption (e.g., backdoor logic), obstruction (interfering with communication, overloading a line)
Usurpation: a threat to integrity. Misappropriation (theft of service), misuse (a hacker gaining unauthorized access)
Threat consequences (tabular form) (table on the slide; not recoverable from the transcript)

The scope of computer security (figure on the slide)

Examples of threats (table on the slide: threats to hardware, software, data, and communication lines; the cells are not recoverable from the transcript)

Security functional requirements (FIPS 200)
Technical measures: access control; identification & authentication; system & communication protection; system & information integrity
Management controls and procedures: awareness & training; audit & accountability; certification, accreditation, & security assessments; contingency planning; maintenance; physical & environmental protection; planning; personnel security; risk assessment; systems & services acquisition
Overlapping technical and management: configuration management; incident response; media protection

Fundamental security design principles [1/4]
Despite years of research, it is still difficult to design systems that comprehensively prevent security flaws
But good practices for good design have been documented (analogous to software engineering)
Economy of mechanism, fail-safe defaults, complete mediation, open design, separation of privilege, least privilege, least common mechanism, psychological acceptability, isolation, encapsulation, modularity, layering, least astonishment

Fundamental security design principles [2/4]
Economy of mechanism: the design of security measures should be as simple as possible. Simpler to implement and to verify; fewer vulnerabilities (a small system is easier to test)
Fail-safe default: access decisions should be based on permissions (everything denied except what is explicitly authorized, not everything allowed except what is explicitly denied); i.e., the default is lack of access
Complete mediation: every access should be checked against the access control system
Open design: the design should be open rather than secret (e.g., encryption algorithms); security should not depend on keeping the design secret

Fundamental security design principles [3/4]
Isolation:
Public access should be isolated from critical resources (no connection between public and critical information)
Users' files should be isolated from one another (except when desired)
Security mechanisms should be isolated (i.e., preventing access to those mechanisms)
Encapsulation: similar to the object concept in OOP (hide internal structures)
Modularity: a modular structure for security functions and components

Fundamental security design principles [4/4]
Layering (defense in depth): use of multiple, overlapping protection approaches
Least astonishment: a program or interface should always respond in a way that is least likely to astonish a user

Fundamental security design principles (continued)
Separation of privilege: multiple privileges should be needed to achieve access (or complete a task)
Least privilege: every user (or process) should have the least privilege needed to perform a task
Least common mechanism: a design should minimize the functions shared by different users (providing mutual security; reducing deadlock)
Psychological acceptability: security mechanisms should not interfere unduly with the work of users (transparency)

Attack surfaces
Attack surface: the reachable and exploitable vulnerabilities in a system. Examples: open ports; services outside a firewall; an employee with access to sensitive information; …
Three categories: network attack surface (i.e., network vulnerabilities), software attack surface (i.e., software
vulnerabilities), and human attack surface (e.g., social engineering)
Attack surface analysis: assessing the scale and severity of threats

Attack trees
A branching, hierarchical data structure that represents a set of potential vulnerabilities
Objective: to effectively exploit the information available on attack patterns published on CERT or similar forums
Security analysts can use the tree to guide design and strengthen countermeasures
Structure: the attacker's objective is the root; the branches below it show how to achieve it

Computer security strategy
An overall strategy for providing security:
Policy (specification): what the security schemes are supposed to do. It takes into account assets and their values, potential threats, ease of use vs security, and cost of security vs cost of failure/recovery
Implementation/mechanism: how to enforce the policy. Prevention, detection, response, recovery
Correctness/assurance: does it really work? (validation/review)

Summary
Security concepts
Terminology
Functional requirements
Security design principles
Security strategy

References
Lecture slides prepared from Dr Lawrie Brown (UNSW@ADFA) for "Computer Security: Principles and Practice", 1/e, by William Stallings and Lawrie Brown, Chapter 1 "Overview".
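The design-principles slides above (fail-safe defaults, complete mediation, least privilege, separation of privilege, and the accountability requirement from the "Other concepts" slide) applied to the student-grade example from the confidentiality slide, as an added worked example. This is not code from the lecture or the textbook; the roles (student, instructor, registrar), the policy table and the grade records are constructed for illustration.

```python
"""Added example (not from the lecture): a tiny reference monitor for a
constructed student-grade store that applies four of the design principles.
- Fail-safe default: POLICY lists only what is allowed; anything else is denied.
- Complete mediation: every request passes through GradeStore.access().
- Least privilege: each role holds only the rights its job needs.
- Separation of privilege: changing a grade needs two rights held by two roles.
Accountability is served by the audit trail, which records every decision."""
from __future__ import annotations
from dataclasses import dataclass


class AccessDenied(PermissionError):
    """Raised for every request the policy does not explicitly allow."""


@dataclass(frozen=True)
class Principal:
    name: str
    role: str  # one role per principal (constructed: student, instructor, registrar)


# Explicit allow rules only: (role, action) -> predicate(principal, student_id).
# There is no "else allow" anywhere; a missing entry means the default: no access.
POLICY = {
    ("student", "read"): lambda p, s: p.name == s,  # a student reads only their own grade
    ("instructor", "read"): lambda p, s: True,
    ("instructor", "propose"): lambda p, s: True,   # may propose a change, cannot apply it
    ("registrar", "approve"): lambda p, s: True,    # may apply a proposed change, cannot propose
}


class GradeStore:
    def __init__(self, grades: dict[str, str]):
        self._grades = dict(grades)   # reachable only through access()
        self._pending: dict[str, tuple[str, str]] = {}  # student -> (new_grade, proposer)
        self.audit: list[tuple] = []  # every decision, allowed or denied

    def _authorize(self, p: Principal, action: str, student: str) -> None:
        rule = POLICY.get((p.role, action))
        allowed = bool(rule is not None and rule(p, student))
        self.audit.append((p.name, p.role, action, student, "ALLOW" if allowed else "DENY"))
        if not allowed:
            raise AccessDenied(f"{p.name} ({p.role}) may not {action} the grade of {student}")

    def access(self, p: Principal, action: str, student: str, new_grade: str | None = None):
        """The single chokepoint: nothing reads or writes a grade without this check."""
        self._authorize(p, action, student)
        if action == "read":
            return self._grades[student]
        if action == "propose":
            self._pending[student] = (new_grade, p.name)
            return "pending"
        if action == "approve":
            if student not in self._pending:
                return None  # nothing to approve
            grade, _proposer = self._pending.pop(student)
            self._grades[student] = grade
            return grade
        # Defensive only: _authorize has already denied any action without a rule.
        raise AccessDenied(f"unknown action {action!r}")


def demo() -> dict:
    """Exercise the store and return the observable outcomes."""
    store = GradeStore({"alice": "B", "bob": "A"})  # constructed records
    alice = Principal("alice", "student")
    prof = Principal("prof", "instructor")
    reg = Principal("reg", "registrar")
    out = {"alice_reads_own": store.access(alice, "read", "alice")}
    for who, action, target in [(alice, "read", "bob"),      # not her own grade
                                (alice, "write", "alice"),   # no such right: default deny
                                (prof, "approve", "alice"),  # instructor cannot approve
                                (reg, "propose", "alice")]:  # registrar cannot propose
        try:
            store.access(who, action, target, "A+")
            out[f"{who.name}_{action}_{target}"] = "allowed"
        except AccessDenied:
            out[f"{who.name}_{action}_{target}"] = "denied"
    out["propose"] = store.access(prof, "propose", "alice", "A+")
    out["grade_after_propose"] = store.access(prof, "read", "alice")  # unchanged until approved
    out["approve"] = store.access(reg, "approve", "alice")
    out["grade_after_approve"] = store.access(prof, "read", "alice")
    out["denials_logged"] = sum(1 for entry in store.audit if entry[-1] == "DENY")
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point to notice is where the principles live in the code: the denial path is the absence of a rule (no default-allow branch exists), the only public method is the one that calls the check, and no single role can both propose and approve a change, so a compromised instructor or registrar account alone cannot alter a grade.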
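The attack-trees slide above describes the structure only. As an added worked example (not from the lecture or the textbook), the following builds a small AND/OR attack tree, enumerates every attack scenario, finds the least-effort one, and shows how raising the cost of one leaf (a countermeasure) changes which path an analyst should worry about next. The tree, the leaf names and the cost figures are all constructed for illustration and describe a hypothetical grade portal, not any real system.

```python
"""Added example (not from the lecture): an AND/OR attack tree with constructed
leaf costs. The root is the attacker's objective; an OR node lists alternative
ways to reach its goal, an AND node lists steps that must all succeed. Costs
are invented effort estimates used only to rank scenarios."""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class Node:
    name: str
    kind: str = "LEAF"   # "LEAF", "OR" or "AND"
    cost: float = 0.0    # attacker effort; meaningful for LEAF nodes only
    children: list[Node] = field(default_factory=list)


def build_tree() -> Node:
    """Constructed tree: reading another student's grade in a hypothetical portal."""
    return Node("Read another student's grade", "OR", children=[
        Node("Compromise a registrar account", "AND", children=[
            Node("Phish the registrar's password", cost=20),
            Node("Defeat the registrar's second factor", cost=60),
        ]),
        Node("Exploit the grade portal", "OR", children=[
            Node("Exploit a flaw in the grade-lookup form", cost=30),
            Node("Exploit an unpatched service on the server", cost=50),
        ]),
        Node("Social-engineer the help desk", "AND", children=[
            Node("Impersonate the victim to the help desk", cost=10),
            Node("Help desk resets the password without an ID check", cost=5),
        ]),
    ])


def scenarios(node: Node) -> list[list[str]]:
    """Every set of leaves that, taken together, achieves node's goal."""
    if node.kind == "LEAF":
        return [[node.name]]
    if node.kind == "OR":                     # any one child is enough
        return [s for c in node.children for s in scenarios(c)]
    if node.kind == "AND":                    # one scenario from each child, combined
        combined: list[list[str]] = [[]]
        for c in node.children:
            combined = [done + extra for done in combined for extra in scenarios(c)]
        return combined
    raise ValueError(f"unknown node kind {node.kind!r}")


def cheapest(node: Node) -> tuple[float, list[str]]:
    """(total cost, leaves) of the least-effort scenario: min over OR, sum over AND."""
    if node.kind == "LEAF":
        return node.cost, [node.name]
    results = [cheapest(c) for c in node.children]
    if node.kind == "OR":
        return min(results, key=lambda r: r[0])
    if node.kind == "AND":
        return sum(r[0] for r in results), [leaf for r in results for leaf in r[1]]
    raise ValueError(f"unknown node kind {node.kind!r}")


def apply_countermeasure(node: Node, leaf_name: str, new_cost: float) -> bool:
    """Model a countermeasure by raising a leaf's cost; True if the leaf was found."""
    if node.kind == "LEAF":
        if node.name == leaf_name:
            node.cost = new_cost
            return True
        return False
    return any(apply_countermeasure(c, leaf_name, new_cost) for c in node.children)


def demo() -> dict:
    """Rank scenarios before and after one countermeasure."""
    tree = build_tree()
    before = cheapest(tree)
    # Countermeasure: the help desk now verifies identity before any reset.
    apply_countermeasure(tree, "Help desk resets the password without an ID check", 100)
    after = cheapest(tree)
    return {"scenario_count": len(scenarios(tree)), "before": before, "after": after}


if __name__ == "__main__":
    for scenario in scenarios(build_tree()):
        print(" + ".join(scenario))
    print(demo())
```

With the constructed figures the cheapest path is the two-step help-desk scenario (cost 15); once the ID check is added that branch costs 110 and the portal flaw (cost 30) becomes the cheapest, which is exactly the "guide design and strengthen countermeasures" use the slide describes: fix the cheapest leaf, recompute, repeat.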