Copyright © – Curt Hill Computer Security An Introduction

Introduction There are several questions that need answers: –What assets need protection? –What threats exist for these assets? –What counter measures exist for the threats? Security is a course of study all its own –All we do here is introduce the topic An insecure networked system cannot be classified as reliable Copyright © – Curt Hill

NIST Definition National Institute of Standards and Technology defines computer security: The protection afforded to an automated information system in order to attain the applicable objectives of preserving the integrity, availability, and confidentiality of information system resources (includes hardware, software, firmware, information/data and telecommunications). Copyright © – Curt Hill

Audience Participation What does this definition tell us? What is: –Integrity? –Availability? –Confidentiality? Copyright © – Curt Hill

The Heart Computer security centers around these three concepts: –Integrity –Availability –Confidentiality These are also known as the CIA triangle –Failures in one often leak into others Lets unpack this a little further Copyright © – Curt Hill

Integrity Guarding against improper modification or destruction of information System integrity is about software –System performs the functions it was designed to accomplish –We counter threats to the software itself Data integrity –Data is changed only be those authorized to do so and only in specified manners Both data and software are stored in similar ways, so there is overlap Copyright © – Curt Hill

Availability System is available to do the work it was purchased to do –Timely and reliable access It services authorized users and denies service to those who are not One of the problems is that additional security is overhead that reduces amount of work that can be done –Although not as extreme as the availability issues of attacks Copyright © – Curt Hill

Confidentiality Preserving authorized restrictions on information Data confidentiality –Private information is not disclosed to those who are not authorized to access it Privacy –The individuals to whom the data refers have some influence on how the data is used –Ability to correct errors in the data –Ability to limit who may use the data and for what reason Copyright © – Curt Hill

Triangle or Pentangle? Two more concepts that figure in frequently are Authenticity and Accountability Authenticity is about the verification process of users or system –Are they actually who they say they are? Accountability is about being able to track actions in an uncompromised way – often after a security breach –We need to be able to connect each action with the one who originated the action Copyright © – Curt Hill

Definitions Asset – something of value needing protection –Hardware or software Attack – attempt to exploit vulnerability Control – mechanism that reduces vulnerability Exposure – opportunity for loss or harm Threat – potential for an attack Vulnerability – any weakness that might allow an attack Copyright © – Curt Hill

Levels of Impact A failure is categorized into three levels: Low – limited adverse affect –Organization is able to perform its primary function with only minor financial loss Moderate – serious adverse affect –Loss of capability or effectiveness –Damage to assets and finances High – severe or catastrophic affect –Major damage to assets –Could involve life threatening injuries Copyright © – Curt Hill

Examples Asset – student records Attack – stolen account/password attempting to access records Control – program that checks for weak passwords vulnerability Exposure – damaged reputation Threat – guessing a password Vulnerability – weak password requirements Copyright © – Curt Hill

Your turn In regards to VCSU, what would constitute failures of these magnitudes? –Low –Moderate –High Copyright © – Curt Hill

The problems Computer security is complex, what are some of the problems? The underlying software is complex – small error can be exploited to a large problem To succeed the developer has to plug all holes, failure comes from only missing one that is detected Authentication requires the user to possess some secret fact – how can this be distributed? Copyright © – Curt Hill

More problems To most users this is an annoyance, thus they do not employ good practices Security is often an afterthought to system development – a porous surface is hard to plug Continual monitoring is required, this is a budget item that requires justification Thinking about threats requires an unusual mind set Copyright © – Curt Hill

Audience Participation You are familiar with many of these threats –What do they do? What is the danger? Infection by malware Phishing Denial of service Packet sniffers Theft of mobile devices Copyright © – Curt Hill

Survey A survey in 2015 of 1200 businesses and institutions considered system attacks and their sources –This was a broad cross section of different industries What is shown on the next screen is the type of attack and percent of organizations that endured one or more such attacks Copyright © – Curt Hill

Results Phishing – 68% Malware – 66% Hacking – 50% Social engineering – 46% Loss of mobile device – 44% Insider theft – 25% SQL injection – 22% Among others Copyright © – Curt Hill

Attack Classifications Active attack – an attempt to alter resources and operation Passive – an attempt to make use of information without altering any of it Inside – usually mounted by an employee or privileged person –They know about the system and have a starting point of some authorization Outside – not the above –Ranges from high school pranks to organized crime or even governments Copyright © – Curt Hill

Attack Types I Another way to classify attacks is in the type of access they gain Interception – gain access to the asset –While it is on the network –Using falsified authorization –Does not imply modification Interruption – disallow legitimate users from accessing the system –Denial of service attack –Ransomware encryption of data Copyright © – Curt Hill

Attack Types II Modification – change software or data –Reduce a customer balance or change their contact information –Ransomware could be here as well Fabrication – insert false information –Bogus payments –False transfers to the bad guy’s account Copyright © – Curt Hill

Countermeasures Any attempt to thwart an attack Prevention – predict the attack and disable in advance Detection – look for suspicious activity and unauthorized accesses Recovery – an attempt to undo the effect of an attack Copyright © – Curt Hill

Threat Consequences Copyright © – Curt Hill ConsequenceAction or attack Disclosure Exposure – sensitive data is made available Interception – access to data in transit Inference – deduce information based on what was visible Intrusion – active gaining of access Deception Masquerade – Using other’s authorization Falsification – false data to deceive authorization Repudiation – denial of an unauthorized action Disruption Incapacitation – disabling a component to damage system Corruption – modify component to alter behavior Obstruction – interrupt delivery of system services Usurpation Misappropriation – entity gains unauthorized control Misuse – modification to perform another function

Assets What are the things that need protection? Assets fall into several categories: –Hardware –Software –Data –Communication lines Copyright © – Curt Hill

Assets and Example Threats Copyright © – Curt Hill AvailabilityConfidentialityIntegrity HardwareTheft SoftwareDeletion of pgms Unauthorized copy of pgms Pgms modified to fail or provide unauthorized functions DataDelete filesUnauthorized access Modification of files Communication lines Messages are destroyed or mangled Messages are intercepted Messages are falsified

Where to start? Historically, security is an afterthought –After we get burned, we make sure we do not get burned again Enterprises now live in a world of forest fires –It is not a question of if a problem will occur, but when Therefore security should be considered in every project –Security requirements should be treated with the same level of concern as functional or usability requirements Copyright © – Curt Hill

Risk Assessment I Identify the assets –What hardware, software and data provide support for the enterprise? Value the assets –What is the value of each asset? Assess the asset exposure –What losses would occur if asset were damaged? Identify the threats –Where are the likely dangers against this asset? Copyright © – Curt Hill

Risk Assessment II Assess the attack –What are the ways that an attack on the asset could occur? Consider the defense –How may the asset be protected against the proposed attacks? Feasibility study –How does the cost of the defense compare with the cost of damage and likelihood of attack? Define security requirements Copyright © – Curt Hill

Audience Participation What assets does VCSU have? What value do these assets have? What is their exposure? What are the threats? What type of attacks? What defense can be formed? Compare cost of defense and expense of damage times likelihood Copyright © – Curt Hill

Requirements A normal component of requirements are use cases In the security domain there are misuse cases These involve ways that an attacker could misuse the system These include all the classes of threats –Interception, interruption, modification and fabrication Copyright © – Curt Hill

Project Security Design –It is difficult to add security after the design or implementation Assurance –The quality of data must be protected from unauthorized or accidental change Authentication –Data changes must be verified to prevent incorrect access Access –Ability to control who views and uses Copyright © – Curt Hill

Compromises Security is a necessary burden to any system It will usually slow performance and reduce usability These are usually minor issues compared to an attacker misusing the system –The stakeholders must be aware of this from the beginning Copyright © – Curt Hill

Security Assurance Avoid vulnerabilities –A function of design Detect and eliminate attacks –The application is self-checking looking for intrusion evidence Limit and recover –Backup and recovery functions prevent data modification Copyright © – Curt Hill

Security Policies These are enterprise-wide and layout the general goals –Should be short and readable so that all will use –Everyone should be informed This should indicate those assets that require protection and the level of protection Should make clear the responsibilities or individuals at various levels Copyright © – Curt Hill

Some Design Guidelines Design should reflect security policy A single point of failures should be avoided Fail gracefully without exposing assets Balance usability with security Log actions of users and applications Reduce risks with redundancy and diversity Specify and check input validity Partition assets into separate areas to minimize exposure Design for backup and recovery Copyright © – Curt Hill

Validation of Security Is hard – need to think like a hacker Use tools that may be helpful –Such as password strength testers Formal verification is good but hard to apply Form teams for the purpose of attacking the system and testing its vulnerabilities Copyright © – Curt Hill

Finally Security will continue to be an important topic for the foreseeable future We will continue to balance: –The danger of security threats versus the ease of use problems that security requires –Cost of security versus the cost of failure and recovery Security concerns are also business concerns –Failures can be expensive Copyright © – Curt Hill