Chapter 1_v2_4ae5c53304efd603cdc931dd29ec9247(1).pdf

Full Transcript

Cybersecurity Fundamentals
(CY 101)
Chapter 1: Overview
 Outline

Computer Security Concepts
Computer Security Terminology
Threats, Attacks, and Assets
Security Functional Requirements
Attack Surface
Computer Security Strategy
 Computer Security Concepts

The NIST Internal/Interagency Report NISTIR 7298 (Glossary of Key
Information Security Terms, July 2019) Defines the Term Computer
Security as Follows:

“ Measures and controls that ensure confidentiality,
integrity, and availability of information processed and
stored by a computer, including hardware, software,
firmware, information data, and telecommunications.”
 Objectives of cyber security

CIA model:
Confidentiality
Preserving authorized restrictions on
information access and disclosure, including
means for protecting personal privacy and
proprietary information
Integrity
Guarding against improper information
modification or destruction, including ensuring
information nonrepudiation and authenticity
Availability
Ensuring timely and reliable access to and use
of information
 Confidentiality
This term covers two related concepts:
Data confidentiality:
Only authorized subjects should be able to read given data
Privacy:
Only authorized people can collect and keep information about you
Only those you approve can access that information
Achieved by:
Access control
Cryptograph
Examples:
Business Plan Recipe for Coca-Cola
Source code Your password
Personnel Records
 Integrity

This term covers two related concepts:
Data integrity:
Information and programs should be modified a controlled manner
System integrity:
System performs its intended function in an unimpaired manner

Examples of integrity policies:
Only by authorized subjects
In a consistent/meaningful fashion
Never modify
Only by a given method
 Availability

Applies to data and services
Presence of object/service for use
Enough of object/service to meet demand
Sufficient speed/timeliness of access or response
Fair use of shared object/service
 Objectives of cyber security

Figure 1.1: Essential Network and
Computer Security Requirements
 Authenticity

Confirmation of the identity (or other feature) of some object
User authentication
“I am who I say I am!”
Document authorship/agreement
“I wrote that document!”
Group membership
“I’m with the government, we’re here to help you.”

Authenticity vs. Integrity:
Integrity means an object doesn’t change
An object is authentic if it is the same object as it claims
So, if an object can change in some way and yet still retain its identity, it can be authentic
but lack integrity.
 Accountability

The security goal that generates the requirement for actions of an entity
to be traced uniquely to that entity.
Traceability of actions supports various security measures and aids in
post-incident analysis.
Secure systems are not yet an achievable goal, we must be able to trace
a security breach to a responsible party.
 Levels of Impact

Low
The loss could be expected to have a limited adverse effect on
organizational operations, organizational assets, or individuals.
Moderate
The loss could be expected to have a serious adverse effect on
organizational operations, organizational assets, or individuals.
High
The loss could be expected to have a severe or catastrophic adverse
effect on organizational operations, organizational assets, or
individuals.
 Exercise

For each of the given scenarios, rate the relative importance of
Confidentiality, Integrity, Authentication, Accountability, and Availability,
and give short reasons why you chose the ordering.

Scenarios:
1. Information collected/accessed via an Automatic Teller Machine(ATM)
2. Semi-public web site advising stockholders
3. Control Programs on a 777 Jet
4. Smart Home System Controlling Door Locks and Security Cameras
 Computer Security Challenges

1. Computer security is not as simple as it might first appear to the novice.
2. In developing a particular security mechanism or algorithm, one must
always consider potential attacks on those security features.
3. Procedures used to provide particular services are often
counterintuitive.
4. Physical and logical placement needs to be determined.
5. Security mechanisms typically involve more than a particular algorithm
or protocol and also require that participants possess some secret
information which raises questions about the creation, distribution, and
protection of that secret information.
6. Attackers only need to find a single weakness, while the designer must
find and eliminate all weaknesses to achieve perfect security.
 Computer Security Challenges (cont.)

7. There is a natural tendency on the part of users and system managers
to perceive little benefit from security investment until a security
failure occurs
8. Security requires regular and constant monitoring
9. Security is still too often an afterthought and is incorporated into a
system after the design is complete, rather than being an integral part
of the design process
10.Many users and even security administrators view strong security as an
impediment to efficient and user-friendly operation of an information
system or use of information
 Computer Security Terminology

Adversary (threat agent)
Individual, group, organization, or government that conducts or has the intent to
conduct detrimental activities.
Attack
Any kind of malicious activity that attempts to collect, disrupt, deny, degrade, or
destroy information system resources or the information itself.
Countermeasure
A device or technique that has as its objective the impairment of the operational
effectiveness of undesirable or adversarial activity, or the prevention of espionage,
sabotage, theft, or unauthorized access to or use of sensitive information or
information systems.
 Computer Security Terminology (cont.)

Risk
A measure of the extent to which an entity is threatened by a potential
circumstance or event, and typically a function of 1) the adverse impacts that
would arise if the circumstance or event occurs; and 2) the likelihood of
occurrence.
Security Policy
A set of criteria for the provision of security services. It defines and constrains the
activities of a data processing facility in order to maintain a condition of security
for systems and data.
System Resource (Asset)
A major application, general support system, high impact program, physical plant,
mission critical system, personnel, equipment, or a logically related group of
systems.
 Computer Security Terminology (cont.)

Threat
Any circumstance or event with the potential to adversely impact organizational
operations (including mission, functions, image, or reputation), organizational
assets, individuals, other organizations, or the Nation through an information
system via unauthorized access, destruction, disclosure, modification of
information, and/or denial of service.
Vulnerability
Weakness in an information system, system security procedures, internal controls,
or implementation that could be exploited or triggered by a threat source.
Security Concepts and Relationships

Figure 1.2: Security Concepts and Relationships
 Assets of a Computer System

Hardware
Software
Data
Communication facilities and networks
 Vulnerabilities, Threats and Attacks
Categories of vulnerabilities
Corrupted (loss of integrity)
Leaky (loss of confidentiality)
Unavailable or very slow (loss of availability)
Threats
Capable of exploiting vulnerabilities
Represent potential security harm to an asset
Attacks (threats carried out)
Active – attempt to alter system resources or affect their operation
Passive – attempt to learn or make use of system information that does not
affect system resources
Insider – initiated by an entity inside the security parameter
Outsider – initiated from outside the perimeter
 Exercise

State the specific "asset", "attack" and "risk”, for the given scenario.
A user visiting a compromised web page, that contains a hidden link to a
malicious site with code that compromises the user's web browser, which
then installs spyware that subsequently monitors the user accessing their
internet banking site, and sends their credentials to the adversary.
Solution:
The asset: is the users internet banking credentials
The attack: is the use of "drive-by-download" to compromise browser to reveal
the users banking credentials
The risk: is the likelihood that the user will lose their credentials via this attack and
hence that the attacker is able to steal money from their account.
 Countermeasures

Means used to deal with security attacks
Prevent
Detect
Recover
May itself introduce new vulnerabilities
Residual vulnerabilities may remain
Goal is to minimize residual level of risk to the assets
 Threats, Attacks, and Assets
Threat Consequence Threat Action (Attack)
Unauthorized Disclosure Exposure: Sensitive data are directly released to an unauthorized
A circumstance or event entity.
whereby an entity gains Interception: An unauthorized entity directly accesses sensitive data
unauthorized access to data. traveling between authorized sources and destinations.
Inference: A threat action whereby an unauthorized entity indirectly
accesses sensitive data (but not necessarily the data contained in
the communication) by reasoning from characteristics or by-products
of communications.
Intrusion: An unauthorized entity gains access to sensitive data by
circumventing a system’s security protections.
Deception Masquerade: An unauthorized entity gains access to a system or
A circumstance or event that performs a malicious act by posing as an authorized entity.
may result in an authorized Falsification: False data deceive an authorized entity.
entity receiving false data Repudiation: An entity deceives another by falsely denying
and believing it to be true. responsibility for an act.
Table 1.2: Threat Consequences and the Types of Threat Actions that Cause Each Consequence
 Threats, Attacks, and Assets (cont.)
Threat Consequence Threat Action (Attack)
Disruption Incapacitation: Prevents or interrupts system operation by
A circumstance or event disabling a system component.
that interrupts or prevents Corruption: Undesirably alters system operation by
the correct operation of adversely modifying system functions or data.
system services and Obstruction: A threat action that interrupts delivery of
functions. system services by hindering system operation.
Source: Based on RFC
Usurpation Misappropriation: An entity assumes unauthorized logical 4949
A circumstance or event or physical control of a system resource.
that results in control of Misuse: Causes a system component to perform a function
system services or or service that is detrimental to system security
functions by an
unauthorized entity

Table 1.2: Threat Consequences and the Types of Threat Actions that Cause Each Consequence
 Computer and Network Assets, with Examples of Threats
Blank

Availability Confidentiality Integrity
Hardware Equipment is stolen or An unencrypted USB drive A door sensor is replaced with one
disabled, thus denying is stolen. that sends a closed status,
service. regardless of actual door position, at
certain times.
Software Programs are deleted, An unauthorized copy of A working program is modified,
denying access to users. software is made. either to cause it to fail during
execution or to cause it to do some
unintended task.
Data Files are deleted, denying An unauthorized read of Existing files are modified, or new
access to users. data is performed. An files are fabricated.
analysis of statistical data
reveals underlying data.

Communica- Messages are destroyed or Messages are read. The Messages are modified, delayed,
tion Lines and deleted. Communication traffic pattern of messages reordered, or duplicated. False
Networks lines or networks are is observed. messages are fabricated.
rendered unavailable.
 Passive and Active Attacks
We can distinguish two types of attacks:
Passive Attack Active Attack
Attempts to learn or make use of Attempts to alter system resources or
information from the system, but it affect their operation
does not affect system resources Involve some modification of the data
Eavesdropping on, or monitoring of, stream or the creation of a false
transmissions stream
Goal of attacker is to obtain Four categories:
information that is being transmitted Replay
Two types: Masquerade
Release of message contents Modification of messages
Traffic analysis Denial of service
 Exercise
For each of the given scenarios, is this an active attack or a passive attack?

Scenarios:
1. An unauthorized user intercepts and listens to communication
between two parties to gather sensitive information. Passive Attack

2. A hacker sends malicious code to a server, aiming to disrupt its normal
operation and render it inaccessible. Active Attack

3. An intruder gains unauthorized access to a computer system and
quietly observes user activities without making any changes. Passive Attack
 Security Functional Requirements

Access Control:
Limit information system access to authorized users, processes acting on behalf of
authorized users, or devices.
Awareness and Training:
(i) Ensure that managers and users of organizational information systems are made aware of
the security risks associated with their activities and of the applicable laws, regulations, and
policies related to the security of organizational information systems; and
(ii) ensure that personnel are trained.
Audit and Accountability:
(i) Create, protect, and retain information system audit records to the extent needed to
enable the monitoring, analysis, investigation
(ii) ensure that the actions of individual information system users can be uniquely traced to
those users so they can be held accountable for their actions.
 Security Functional Requirements (cont.)

Certification, Accreditation, and Security Assessments:
(i) Periodically assess the security controls in organizational information systems to
determine if the controls are effective in their application;
(ii) develop and implement plans of action designed to correct deficiencies and reduce or
eliminate vulnerabilities;
(iii) authorize the operation of organizational information systems and any associated
information system connections;
(iv) monitor information system security controls to ensure the continued effectiveness of
the controls.
Configuration Management:
(i) Establish and maintain baseline configurations and inventories of organizational
information
(ii) establish and enforce security configuration settings for information technology
products employed in organizational information systems.
 Security Functional Requirements (cont.)

Contingency Planning:
Establish, maintain, and implement plans for emergency response, backup
operations, and postdisaster recovery for organizational information systems
Identification and Authentication:
Identify information system users, processes acting on behalf of users, or devices,
and authenticate (or verify) the identities of those users.
Incident Response:
(i) Establish an operational incident-handling capability for organizational
information systems that includes preparation, detection, analysis, containment,
recovery, and user-response activities;
(ii) track, document, and report incidents to appropriate organizational officials.
 Security Functional Requirements (cont.)

Maintenance:
(i) Perform periodic and timely maintenance on organizational information systems;
(ii) provide effective controls on the tools, techniques, mechanisms, and personnel.
Media Protection:
Protect information system media, both paper and digital;
limit access to information on information system media to authorized users;
sanitize or destroy information system media before disposal or release for reuse.
Physical and Environmental Protection:
(i) Limit physical access to information systems, equipment
(ii) protect the physical plant and support infrastructure for information systems;
(iii) provide supporting utilities for information systems;
(iv) protect information systems against environmental hazards;
(v) provide appropriate environmental controls in facilities containing information systems.
 Security Functional Requirements (cont.)

Planning:
Develop, document, periodically update, and implement security plans for
organizational information systems.
Personnel Security:
(i) Ensure that individuals occupying positions of responsibility within organizations
are trustworthy and meet established security criteria for those positions;
(ii) ensure that organizational information and information systems are protected
during and after personnel actions such as terminations and transfers;
(iii) employ formal sanctions for personnel failing to comply with organizational
security policies and procedures.
Risk Assessment:
Periodically assess the risk to organizational operations (including mission,
functions, image, or reputation).
 Security Functional Requirements (cont.)

Systems and Services Acquisition:
(i) Allocate sufficient resources to adequately protect organizational information
systems;
(ii) employ system development life cycle processes that incorporate information
security considerations;
(iii) employ software usage and installation restrictions;
(iv) ensure that third-party providers employ adequate security measures to
protect information, applications, and/or services
System and Communications Protection:
(i) Monitor, control, and protect organizational communications
(ii) employ architectural designs, software development techniques, and systems
engineering principles that promote effective information security within
organizational information systems.
 Security Functional Requirements (cont.)

System and Information Integrity:
(i) Identify, report, and correct information and information system flaws in a
timely manner;
(ii) provide protection from malicious code at appropriate locations within
organizational information systems
(iii) monitor information system security alerts and advisories and take appropriate
actions in response.
 Attack Surfaces
Consist of the reachable and exploitable vulnerabilities in a system
Examples:
Open ports on outward-facing Web and other servers, and code listening on
those ports
Services available on the inside of a firewall
Code that processes incoming data, email, XML, office documents, and industry-
specific custom data exchange formats
Interfaces, SQL, and Web forms
An employee with access to sensitive information that is vulnerable to a social
engineering attack
 Attack Surface Categories

Network Attack Surface
Vulnerabilities over an enterprise network, wide-area network, or the Internet
Included in this category are network protocol vulnerabilities, such as those used for
a denial-of-service attack, disruption of communications links, and various forms of
intruder attacks
Software Attack Surface
Vulnerabilities in application, utility, or operating system code
Particular focus is Web server software
Human Attack Surface
Vulnerabilities created by personnel or outsiders, such as social engineering, human
error, and trusted insiders
Defense in Depth and Attack Surface

Figure 1.4: Defense in Depth and Attack Surface
 Computer Security Strategy

Security Policy
Formal statement of rules and practices that specify or regulate how a system
or organization provides security services to protect sensitive and critical system
resources
Security Implementation
Involves four complementary courses of action:
▪ Prevention
▪ Detection
▪ Response
▪ Recovery
 Computer Security Strategy (cont.)

Assurance
Encompassing both system design and system implementation, assurance is an
attribute of an information system that provides grounds for having confidence
that the system operates such that the system’s security policy is enforced
Evaluation
Process of examining a computer product or system with respect to certain
criteria
Involves testing and may also involve formal analytic or mathematical
techniques
 Standards

Standards have been developed to cover management practices and the overall
architecture of security mechanisms and services
The most important of these organizations are:
National Institute of Standards and Technology (NIST)
NIST is a U.S. federal agency that deals with measurement science, standards, and technology
Internet Society (ISOC)
ISOC is a professional membership society that provides leadership in addressing issues that
confront the future of the Internet
International Telecommunication Union (ITU-T)
ITU is a United Nations agency in which governments and the private sector coordinate global
telecom networks and services
International Organization for Standardization (ISO)
ISO is a nongovernmental organization whose work results in international agreements that are
published as International Standards
Questions/Comments?