Lecture 1 - Modern Network Security Threats PDF

Summary

This lecture covers modern network security threats. It discusses key security concepts like confidentiality, integrity, and availability, and examines different types of threats, attacks, and assets. It also delves into security functional requirements and fundamental security design principles. A comprehensive security strategy involves three aspects: specification/policy, implementation/mechanisms, and correctness/assurance.

Full Transcript


CHAPTER 1: MODERN NETWORK SECURITY THREATS

TOPICS COVERED
▪ 1. Computer Security Concepts
  1.1 A Definition of Computer Security, Examples
  1.2 A Model for Computer Security
▪ 2. Threats, Attacks, and Assets
  2.1 Threats and Attacks
  2.2 Threats and Assets
▪ 3. Security Functional Requirements
▪ 4. Fundamental Security Design Principles
▪ 5. Attack Surfaces and Attack Trees
  5.1 Attack Surfaces
  5.2 Attack Trees
▪ 6. Computer Security Strategy
  6.1 Security Policy
  6.2 Security Implementation
  6.3 Assurance and Evaluation

LEARNING OBJECTIVES
After studying this chapter, you should be able to:
◆ Describe the key security requirements of confidentiality, integrity, and availability.
◆ Discuss the types of security threats and attacks that must be dealt with and give examples of the types of threats and attacks that apply to different categories of computer and network assets.
◆ Summarize the functional requirements for computer security.
◆ Explain the fundamental security design principles.
◆ Discuss the use of attack surfaces and attack trees.
◆ Understand the principal aspects of a comprehensive security strategy.

1. COMPUTER SECURITY CONCEPTS

1.1 Definition of computer security
▪ The protection afforded to an automated information system in order to attain the applicable objectives of preserving the integrity, availability, and confidentiality of information system resources.
▪ Resources include hardware, software, firmware, information/data, and telecommunications.

THREE OBJECTIVES: CIA
CIA refers to Confidentiality, Integrity and Availability.
▪ This definition introduces three key objectives that are at the heart of computer security:
▪ Confidentiality: This term covers two related concepts:
  — Data confidentiality: Assures that private or confidential information is not made available or disclosed to unauthorized individuals.
  — Privacy: Assures that individuals control or influence what information related to them may be collected and stored, and by whom and to whom that information may be disclosed.
▪ Integrity: This term covers two related concepts:
  — Data integrity: Assures that information and programs are changed only in a specified and authorized manner.
  — System integrity: Assures that a system performs its intended function in an unimpaired manner, free from deliberate or inadvertent unauthorized manipulation of the system.
▪ Availability: Assures that systems work promptly and service is not denied to authorized users.

CIA IN LOSS OF SECURITY
▪ Confidentiality: Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information. A loss of confidentiality is the unauthorized disclosure of information.
▪ Integrity: Guarding against improper information modification or destruction, including ensuring information nonrepudiation and authenticity. A loss of integrity is the unauthorized modification or destruction of information.
▪ Availability: Ensuring timely and reliable access to and use of information. A loss of availability is the disruption of access to or use of information or an information system.

EXAMPLES FOR CIA
▪ Confidentiality: Student grade information is an asset whose confidentiality is considered to be highly important by students. Grade information should only be available to students, their parents, and employees that require the information to do their job.
▪ Integrity: Several aspects of integrity are illustrated by the example of a hospital patient's allergy information stored in a database. The doctor should be able to trust that the information is correct and current. Updating the information improperly falsifies the data and causes harm to the hospital.
▪ Availability: Consider a system that provides authentication services for critical systems, applications, and devices.
An interruption of service results in the inability of customers to access computing resources and of staff to access the resources they need to perform critical tasks. The loss of the service translates into a large financial loss in lost employee productivity and potential customer loss.

ADDITIONAL CONCEPTS
Additional concepts are needed to present a complete picture. Two of the most commonly mentioned are as follows:
▪ Authenticity: The property of being genuine and being able to be verified and trusted; confidence in the validity of a transmission, a message, or message originator. This means verifying that users are who they say they are and that each input arriving at the system came from a trusted source.
▪ Accountability: The security goal that generates the requirement for actions of an entity to be traced uniquely to that entity. This supports nonrepudiation, deterrence, fault isolation, intrusion detection and prevention, and after-action recovery and legal action.

WE USE THREE LEVELS OF IMPACT ON ORGANIZATIONS
▪ For these examples, we use three levels of impact on organizations or individuals should there be a breach of security.
▪ Low: The loss could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.
▪ Moderate: The loss could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.
▪ High: The loss could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.

1.2 MODEL FOR COMPUTER SECURITY
Adversary: An entity that attacks, or is a threat to, a system.
Attack: An intelligent act that is a deliberate attempt to evade security services and violate the security policy of a system.
Countermeasure: An action, device, procedure, or technique that reduces a threat, a vulnerability, or an attack by eliminating or preventing it, by minimizing the harm it can cause, or by discovering and reporting it so that corrective action can be taken.
Risk: An expectation of loss expressed as the probability that a particular threat will exploit
Security Policy: A set of rules and practices that specify or regulate how a system or organization provides security services.
System Resource (Asset): Data contained in an information system;
Threat: A potential for violation of security, which exists when there is a circumstance, capability, action, or event that could breach security and cause harm.
Vulnerability: A flaw or weakness in a system's design, implementation, or operation and management that could be exploited to violate the system's security policy.

SECURITY CONCEPTS AND RELATIONSHIPS
We start with the concept of a system resource, or asset, that users and owners wish to protect. The assets of a computer system can be categorized as follows:
▪ Hardware: Including computer systems and other data processing, data storage, and data communications devices.
▪ Software: Including the operating system, system utilities, and applications.
▪ Data: Including files and databases, as well as security-related data, such as password files.
▪ Communication facilities and networks: Local and wide area network communication links, bridges, routers, and so on.

CATEGORIES OF VULNERABILITIES
In the context of security, our concern is with the vulnerabilities (weaknesses) of system resources. [NRC02] lists the following general categories of vulnerabilities.
▪ It can be corrupted, so that it does the wrong thing or gives wrong answers. For example, stored data values may differ from what they should be because they have been improperly modified.
▪ It can become leaky.
For example, someone who should not have access to some or all of the information available through the network obtains such access.
▪ It can become unavailable or very slow. That is, using the system or network becomes impossible or impractical.

TYPES OF VULNERABILITY BASED ON CIA
▪ Corresponding to the various types of vulnerabilities to a system resource are threats that are capable of exploiting those vulnerabilities. A threat represents a potential security harm to an asset.
▪ An attack is a threat that is carried out. The agent carrying out the attack is referred to as an attacker, or threat agent. We can distinguish two types of attacks:
▪ Active attack: An attempt to alter system resources or affect their operation.
▪ Passive attack: An attempt to learn or make use of information from the system that does not affect system resources.
We can also classify attacks based on the origin of the attack:

CLASSIFYING ATTACKS BASED ON THE ORIGIN
▪ Inside attack: Initiated by an entity inside the security perimeter (an "insider"). The insider is authorized to access system resources but uses them in a way not approved by those who granted the authorization.
▪ Outside attack: Initiated from outside the perimeter, by an unauthorized or illegitimate user of the system (an "outsider"). On the Internet, potential outside attackers range from amateur pranksters to organized criminals, international terrorists, and hostile governments.

2. THREATS, ATTACKS, AND ASSETS

2.1 Threats and Attacks
This section describes four kinds of threat consequences and lists the kinds of attacks that result in each consequence.
Category 1 - Unauthorized disclosure: A circumstance or event whereby an entity gains access to data for which the entity is not authorized.
▪ Exposure: Sensitive data are directly released to an unauthorized entity.
▪ Interception: An unauthorized entity directly accesses sensitive data traveling between authorized sources and destinations.
▪ Inference: A threat action whereby an unauthorized entity indirectly accesses sensitive data (but not necessarily the data contained in the communication) by reasoning from characteristics or by-products of communications.
▪ Intrusion: An unauthorized entity gains access to sensitive data by circumventing (avoiding) a system's security protections.

Category 2 - Deception: A circumstance or event that may result in an authorized entity receiving false data and believing it to be true.
▪ Masquerade: An unauthorized entity gains access to a system or performs a malicious act by posing as an authorized entity.
▪ Falsification: False data deceive (cheat) an authorized entity.
▪ Repudiation: An entity deceives another by falsely denying responsibility for an act.

Category 3 - Disruption: A circumstance or event that interrupts or prevents the correct operation of system services and functions.
▪ Incapacitation: Prevents or interrupts system operation by disabling a system component.
▪ Corruption: Undesirably alters system operation by adversely modifying system functions or data.
▪ Obstruction: A threat action that interrupts delivery of system services by hindering (delaying) system operation.

Category 4 - Usurpation: A circumstance or event that results in control of system services or functions by an unauthorized entity.
▪ Misappropriation: An entity assumes unauthorized logical or physical control of a system resource.
▪ Misuse: Causes a system component to perform a function or service that is detrimental (harmful) to system security.

2.2 THREATS AND ASSETS
The assets of a computer system can be placed in four categories, which relate to the concepts of integrity, confidentiality, and availability (see figure):
1. Hardware
2. Software
3. Data
4. Communication lines and networks

3. SECURITY FUNCTIONAL REQUIREMENTS
▪ The four asset categories are described here in relation to the concepts of CIA.
1. Hardware
▪ Hardware is the most vulnerable to attack and the least susceptible to automated controls. Threats include accidental and deliberate damage to equipment as well as theft.
▪ The proliferation (spread) of personal computers and workstations and the widespread use of LANs increase the potential for losses in this area.
▪ Theft of CD-ROMs and DVDs can lead to loss of confidentiality. Physical and administrative security measures are needed to deal with these threats.
2. Software
▪ Software includes the operating system, utilities, and application programs. A key threat to software is an attack on availability. Software, especially application software, is often easy to delete.
▪ Software can also be altered or damaged to render it useless. Careful software configuration management, which includes making backups of the most recent version of software, can maintain high availability.
3. Data
▪ Hardware and software security are typically concerns of computing center professionals or individual concerns of personal computer users.
▪ A much more widespread problem is data security, which involves files and other forms of data controlled by individuals, groups, and business organizations.
4. Communication Lines and Networks
▪ Network security attacks can be classified as passive attacks and active attacks.
▪ A passive attack attempts to learn or make use of information from the system but does not affect system resources.
▪ An active attack attempts to alter system resources or affect their operation.

4. FUNDAMENTAL SECURITY DESIGN PRINCIPLES
Despite years of research and development, it has not been possible to develop security design and implementation techniques that systematically exclude security flaws and prevent all unauthorized actions. The following are the fundamental security design principles.

Principle: Explanation
▪ Economy of mechanism: The design of security measures embodied in both hardware and software should be as simple and small as possible.
▪ Fail-safe defaults: Access decisions should be based on permission rather than exclusion.
▪ Complete mediation: Every access must be checked against the access control mechanism.
▪ Open design: The design of a security mechanism should be open rather than secret. For example, although encryption keys must be secret, encryption algorithms should be open to public scrutiny.
▪ Separation of privilege: Multiple privilege attributes are required to achieve access to a restricted resource.
▪ Least privilege: Every process and every user of the system should operate using the least (minimum) set of privileges necessary to perform the task.
▪ Least common mechanism: The design should minimize the functions shared by different users, providing mutual security.
▪ Psychological acceptability: The security mechanisms should not interfere unduly (improperly) with the work of users, while at the same time meeting the needs of those who authorize access.

5. ATTACK SURFACES AND ATTACK TREES
We elaborate on two concepts that are useful in evaluating and classifying threats: 1. attack surfaces and 2. attack trees. An attack surface consists of the reachable and exploitable vulnerabilities in a system [MANA11, HOWA03].
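Before going on to attack surfaces, here is an added example (not from the lecture or the textbook it follows) that turns three of the design principles from Section 4 into code: fail-safe defaults (a permission-based check placed beside the exclusion-based check it replaces), complete mediation (a reference monitor that re-checks every access, contrasted with a caching variant that does not), and least privilege (each principal holds only the permissions its task needs). The student-grade scenario, the principal names, the permissions and the "export" action are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Set, Tuple

Permission = Tuple[str, str]   # (resource, action), e.g. ("grades", "read")


@dataclass(frozen=True)
class Principal:
    """A user or process. Least privilege: it carries only the permissions
    its task needs and nothing more."""
    name: str
    granted: FrozenSet[Permission]


# --- What fail-safe defaults warns against: decisions based on exclusion. ---
# Only the listed (resource, action) pairs are refused; anything the author
# forgot to list, such as a newly added "export" action, is allowed.
DENY_LIST: Set[Permission] = {("grades", "write")}


def exclusion_based_allowed(resource: str, action: str) -> bool:
    return (resource, action) not in DENY_LIST


# --- Fail-safe default: decisions based on permission. Unknown means denied. ---
def permission_based_allowed(p: Principal, resource: str, action: str) -> bool:
    return (resource, action) in p.granted


class ReferenceMonitor:
    """Complete mediation: every access is routed through check(), which
    consults the current permission set each time and records the decision
    (accountability). Nothing is cached, so a revocation takes effect on the
    very next access."""

    def __init__(self, principals: Iterable[Principal]) -> None:
        self._principals: Dict[str, Principal] = {p.name: p for p in principals}
        self.audit: List[Tuple[str, str, str, bool]] = []

    def check(self, who: str, resource: str, action: str) -> bool:
        p = self._principals.get(who)
        allowed = p is not None and permission_based_allowed(p, resource, action)
        self.audit.append((who, resource, action, allowed))
        return allowed

    def revoke(self, who: str, perm: Permission) -> None:
        p = self._principals[who]
        self._principals[who] = Principal(p.name, p.granted - {perm})


class CachingMonitor(ReferenceMonitor):
    """Anti-pattern: remembers the first decision per (who, resource, action)
    and skips the check afterwards. This violates complete mediation, so a
    permission revoked in the meantime keeps working."""

    def __init__(self, principals: Iterable[Principal]) -> None:
        super().__init__(principals)
        self._cache: Dict[Tuple[str, str, str], bool] = {}

    def check(self, who: str, resource: str, action: str) -> bool:
        key = (who, resource, action)
        if key not in self._cache:
            self._cache[key] = super().check(who, resource, action)
        return self._cache[key]


def grade_system_principals() -> List[Principal]:
    """Constructed principals for the lecture's student-grade example."""
    return [
        Principal("student_alice", frozenset({("grades", "read")})),
        Principal("registrar", frozenset({("grades", "read"), ("grades", "write")})),
    ]


def revocation_demo(monitor_cls) -> Tuple[bool, bool]:
    """Check an access, revoke the permission, check again. Returns (before, after)."""
    m = monitor_cls(grade_system_principals())
    before = m.check("registrar", "grades", "write")
    m.revoke("registrar", ("grades", "write"))
    after = m.check("registrar", "grades", "write")
    return before, after


if __name__ == "__main__":
    student = grade_system_principals()[0]
    # The exclusion-based check lets the unlisted action through; the
    # permission-based check denies it because it was never granted.
    print("exclusion-based, grades/export:", exclusion_based_allowed("grades", "export"))
    print("permission-based, grades/export:", permission_based_allowed(student, "grades", "export"))
    print("complete mediation (before, after revoke):", revocation_demo(ReferenceMonitor))
    print("cached decisions   (before, after revoke):", revocation_demo(CachingMonitor))
```

The two monitors differ only in whether the decision is recomputed on each call, which is exactly what complete mediation demands; the audit list on the reference monitor is what makes the accountability goal from Section 1 checkable after the fact.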
5.1 ATTACK SURFACES
Examples of attack surfaces are the following:
▪ Open ports on outward-facing Web and other servers, and code listening on those ports.
▪ Services available on the inside of a firewall.
▪ Code that processes incoming data, email, XML, office documents, and industry-specific custom data exchange formats.
▪ Interfaces, SQL, and Web forms.
▪ An employee with access to sensitive information vulnerable to a social engineering attack.

ATTACK SURFACE CATEGORIES
Attack surfaces can be categorized in the following way:
▪ Network attack surface: This category refers to vulnerabilities over an enterprise network, wide-area network, or the Internet. Included in this category are network protocol vulnerabilities, such as those used for a denial-of-service attack, disruption of communications links, and various forms of intruder attacks.
▪ Software attack surface: This refers to vulnerabilities in application, utility, or operating system code. A particular focus in this category is Web server software.
▪ Human attack surface: This category refers to vulnerabilities created by personnel or outsiders, such as social engineering, human error, and trusted insiders.

5.2 ATTACK TREES
▪ An attack tree is a branching, hierarchical data structure that represents a set of potential techniques for exploiting security vulnerabilities.
Example: Here is an example of an attack tree analysis for an Internet banking authentication application.
▪ The root of the tree is the objective of the attacker, which is to compromise a user's account.
▪ The shaded boxes on the tree are the leaf nodes, which represent events that comprise the attacks.
▪ The white boxes are categories which consist of one or more specific attack events (leaf nodes). Note that in this tree, all the nodes other than leaf nodes are OR-nodes.
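As an added example (not from the lecture or the textbook), the following Python models an attack tree with OR-nodes as the lecture describes, plus AND-nodes as a generalization, and uses it the way a defender does in threat modeling: find the cheapest route of leaf events to the root objective, and find the single countermeasure that raises that cost the most. The three component categories and the leaf-event names are those of the lecture's Internet banking example; their grouping under the components and the effort scores are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import List, Tuple

INF = float("inf")


@dataclass
class Node:
    """One node of an attack tree. Non-leaf nodes combine their children
    with OR (any one child suffices) or AND (all children are needed)."""
    name: str
    kind: str = "OR"                       # "OR", "AND" or "LEAF"
    children: List["Node"] = field(default_factory=list)
    cost: float = INF                      # attacker effort for a LEAF event
    mitigated: bool = False                # set when a countermeasure removes the event


def min_cost(node: Node) -> float:
    """Cheapest attacker effort that achieves this node's goal (INF if none)."""
    if node.kind == "LEAF":
        return INF if node.mitigated else node.cost
    costs = [min_cost(c) for c in node.children]
    if node.kind == "OR":
        return min(costs)
    return sum(costs)                      # AND: every child must succeed


def cheapest_path(node: Node) -> List[str]:
    """Leaf events on the cheapest route to this node's goal ([] if none)."""
    if node.kind == "LEAF":
        return [] if node.mitigated else [node.name]
    if node.kind == "OR":
        best = min(node.children, key=min_cost)
        return cheapest_path(best) if min_cost(best) < INF else []
    path: List[str] = []
    for c in node.children:                # AND: concatenate all children's routes
        sub = cheapest_path(c)
        if not sub:
            return []
        path += sub
    return path


def best_single_mitigation(root: Node, leaves: List[Node]) -> Tuple[str, float]:
    """Which one leaf event, if fully mitigated, raises the attacker's cheapest
    effort the most? Returns (leaf name, resulting minimum cost)."""
    best_name, best_cost = "", min_cost(root)
    for leaf in leaves:
        leaf.mitigated = True
        c = min_cost(root)
        leaf.mitigated = False
        if c > best_cost:
            best_name, best_cost = leaf.name, c
    return best_name, best_cost


def banking_tree() -> Tuple[Node, List[Node]]:
    """Attack tree for the lecture's Internet banking example. Component
    categories follow the lecture; the grouping of leaf events under them
    and the effort scores are constructed for illustration."""
    guessing = Node("User credential guessing", "LEAF", cost=2)
    compromise = Node("User credential compromise", "LEAF", cost=5)
    injection = Node("Injection of commands", "LEAF", cost=6)
    session = Node("Use of known authenticated session", "LEAF", cost=4)
    policy = Node("Security policy violation", "LEAF", cost=8)
    leaves = [guessing, compromise, injection, session, policy]
    root = Node("Compromise user's account", "OR", [
        Node("User terminal and user (UT/U)", "OR", [guessing, compromise]),
        Node("Communications channel (CC)", "OR", [injection, session]),
        Node("Internet banking server (IBS)", "OR", [policy]),
    ])
    return root, leaves


if __name__ == "__main__":
    root, leaves = banking_tree()
    print("cheapest route:", cheapest_path(root), "cost", min_cost(root))
    print("best single mitigation:", best_single_mitigation(root, leaves))
```

Because every category in the lecture's tree is an OR-node, the root's cost is simply the cheapest leaf anywhere in the tree, which is why mitigating that one leaf is what moves the number; an AND-node would instead require the defender to break only one of its children to remove the whole branch.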
This figure provides a thorough view of the different types of attacks on an Internet banking authentication application. The analysis used to generate this tree considered the three components involved in authentication:
▪ User terminal and user (UT/U): These attacks target the user equipment, including the tokens that may be involved, such as smartcards or other password generators, as well as the actions of the user.
▪ Communications channel (CC): This type of attack focuses on communication links.
▪ Internet banking server (IBS): These types of attacks are offline attacks against the servers that host the Internet banking application.

User credential compromise: This strategy can be used against many elements of the attack surface.
Injection of commands: In this type of attack, the attacker is able to intercept communication between the UT and the IBS.
User credential guessing: It is reported in [HILT06] that brute force attacks against some banking authentication schemes are feasible by sending random usernames and passwords.
Security policy violation: An employee may cause an internal security incident and expose a customer's account.
Use of known authenticated session: Once the user authenticates to the server, the attacker may utilize the known session ID to send packets to the IBS, spoofing (fooling) the user's identity.

6. COMPUTER SECURITY STRATEGY
A comprehensive security strategy involves three aspects:
1. Specification/policy: What is the security scheme supposed to do?
2. Implementation/mechanisms: How does it do it?
3. Correctness/assurance: Does it really work?

6.1 SECURITY POLICY
In developing a security policy, a security manager needs to consider the following factors:
▪ The value of the assets being protected
▪ The vulnerabilities of the system
▪ Potential threats and the likelihood of attacks
Further, the manager must consider the following trade-offs:
▪ Ease of use versus security: Virtually all security measures involve some penalty in the area of ease of use. For example, access control mechanisms require users to remember passwords and perhaps perform other access control actions.
▪ Cost of security versus cost of failure and recovery: In addition to ease of use and performance costs, there are direct monetary costs in implementing and maintaining security measures.

6.2 SECURITY IMPLEMENTATION
Security implementation involves four complementary courses of action:
▪ Prevention: An ideal security scheme is one in which no attack is successful. Although this is not practical in all cases, there is a wide range of threats in which prevention is a reasonable goal.
▪ Detection: In a number of cases, absolute protection is not feasible, but it is practical to detect security attacks.
▪ Response: If security mechanisms detect an ongoing attack, such as a denial of service attack, the system may be able to respond in such a way as to halt the attack and prevent further damage.
▪ Recovery: An example of recovery is the use of backup systems, so that if data integrity is compromised, a prior, correct copy of the data can be reloaded.

6.3 ASSURANCE AND EVALUATION
Security consumers want to feel that the security infrastructure of their systems meets security requirements and enforces security policies. These considerations bring us to the concepts of assurance and evaluation.
a) Assurance:
▪ Assurance is the degree of confidence one has that the security measures, both technical and operational, work as intended to protect the system and the information it processes.
▪ This encompasses both system design and system implementation. Thus, assurance deals with the questions:
▪ "Does the security system design meet its requirements?"
▪ "Does the security system implementation meet its specifications?"
b) Evaluation:
▪ Evaluation is the process of examining a computer product or system with respect to certain criteria. Evaluation involves testing and may also involve formal analytic or mathematical techniques.
▪ The central thrust of work in this area is the development of evaluation criteria that can be applied to any security system (encompassing security services and mechanisms) and that are broadly supported for making product comparisons.

QUESTIONS?
