CSC 482/582: Computer Security

Presentation transcript:

Fundamentals of Computer Security CSC 482/582: Computer Security

About Me James Walden Associate Professor of Computer Science waldenj@nku.edu http://faculty.cs.nku.edu/~waldenj Interests: Software Security Mobile Application Security Web Application Security Empirical Software Engineering

Topics What is Security? Security Concepts: Confidentiality, Integrity, Availability. States of Information. Policies and Principles. Security Controls.

What is Security? Security is the prevention of certain types of intentional actions from occurring in a system. The people who might attack a system are called threats, attackers, or adversaries. Threats carry out attacks to compromise a system. Attacks work by exploiting vulnerabilities in a system. The goal of attacks is to obtain assets from a system, which may be informational or physical in nature. Security controls reduce the ability of threats to obtain assets from a system by exploiting vulnerabilities.

We all have Assets: The Value of a Hacked PC http://krebsonsecurity.com/2012/10/the-scrap-value-of-a-hacked-pc-revisited/

Safety vs. Security The key difference between safety and security is the presence of an adversary, an intelligent attacker who intentionally causes the system to fail. Safety Measures Home: fire alarm. Car: crumple zones. Computer: UPS. Security Measures Home: door lock. Car: alarm. Computer: password.

Components of Security Confidentiality, Integrity, Availability. Figure from Goodrich and Tamassia, Introduction to Computer Security, Pearson, 2011.

Confidentiality Confidentiality is the avoidance of the unauthorized disclosure of information. Assets for which confidentiality is critical: Personal information Trade secrets Military plans

Confidentiality Controls Access Control: rules and policies that limit access to certain people and/or systems. File permissions (which users can access) Firewall settings (which IP addresses can access) Cryptography: transform information so that it can only be read using a secret key. Advanced Encryption Standard (AES) Transport Layer Security (TLS)

Integrity Integrity is the property that information has not been altered in an unauthorized way. Assets for which integrity is critical: Operating system files Software updates and downloads Bank account records

Integrity Controls Anti-Virus: checks for malicious code that may take control of the system. Checksums: compute a mathematical function on data to check with stored value to verify that data was not changed by an adversary. Logs: record actions on system to detect violations of integrity by a program or a human reader.
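The checksum control described above, as an added example that is not part of the original slides: it stores SHA-256 values for a directory, recomputes them later, and reports what changed. The HMAC over the stored values and the file names and key are assumptions made for the example; the HMAC is there because an adversary who can change a file can usually also rewrite an unprotected stored checksum.

```python
import hashlib, hmac, os, tempfile

def file_digest(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(65536), b""):
            h.update(block)
    return h.hexdigest()

def build_manifest(root):
    """Stored values: relative path -> digest for every file under root."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = file_digest(full)
    return manifest

def seal(manifest, key):
    """Keyed MAC over the manifest, so the stored values are protected too."""
    body = "\n".join(f"{d}  {p}" for p, d in sorted(manifest.items()))
    return hmac.new(key, body.encode(), hashlib.sha256).hexdigest()

def verify(root, manifest, tag, key):
    """Recompute digests and report every difference from the stored values."""
    if not hmac.compare_digest(seal(manifest, key), tag):
        raise ValueError("stored checksums were altered")
    now = build_manifest(root)
    return {
        "modified": sorted(p for p in manifest if p in now and now[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in now),
        "added": sorted(p for p in now if p not in manifest),
    }

def write(root, name, data):
    with open(os.path.join(root, name), "wb") as f:
        f.write(data)

def demo():
    key = b"constructed-demo-key"  # assumption: kept off the monitored system
    with tempfile.TemporaryDirectory() as root:
        write(root, "login", b"constructed v1 binary")
        write(root, "update.pkg", b"constructed v1 package")
        manifest = build_manifest(root)
        tag = seal(manifest, key)
        clean = verify(root, manifest, tag, key)
        write(root, "login", b"constructed v1 binary, altered")  # unauthorized change
        write(root, "extra", b"constructed unexpected file")
        os.remove(os.path.join(root, "update.pkg"))
        tampered = verify(root, manifest, tag, key)
        # Rewriting the stored digest to match the altered file fails without the key.
        forged = dict(manifest, login=file_digest(os.path.join(root, "login")))
        forged_caught = not hmac.compare_digest(seal(forged, key), tag)
    return clean, tampered, forged_caught
```
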

Availability Availability is the property that information is accessible and modifiable in a timely fashion by those authorized to do so. Assets for which availability is critical: Industrial control systems Authentication server for your network Current stock quotes

Availability Controls CAPTCHA: Ask client to perform task that only a human can supposedly do, like identify a word in an image, to prevent too many automated requests. Failover: Use redundant servers, disks, network connections with automated failover in case one system fails. Resource Limits: Limit resources (time, memory, disk space, etc.) that can be used by a process or thread, terminating threads that exceed limits.

Other Security Components Authenticity, Anonymity, Assurance. Figure from Goodrich and Tamassia, Introduction to Computer Security, Pearson, 2011.

Assurance Information assurance is the practice of finding reasons for justified confidence that claims about security are correct. An assurance case consists of The claim about the security of the system. A division of the claim into sub-claims. Justifications based on assumptions and evidence.

States of Information Storage: information in permanent storage (disk or tape) that is not currently being accessed. Processing: information in memory (RAM or cache) that is currently being used by a program. Transmission: information in transit between one node and another on a network.

Securing Information in All States Internet Information in Transmission Information in Storage Information in Processing

Security Policies A security policy is a definition of what it means to be secure for a system or organization. Policies describe who is permitted to perform which actions with system assets. Security controls are used to enforce security policies. Not every policy item will be enforced by a control. From http://oit.nku.edu/security/policies-and-guidelines.html: Acceptable Use Policy; Antivirus Policy; Security Policy; LISTSERV and Mass Email Policy.

Security Principles Economy of mechanism; Fail-safe defaults; Complete mediation; Open design; Separation of privilege; Least privilege; Least common mechanism; Psychological acceptability; Work factor; Compromise recording. Figure from Goodrich and Tamassia, Introduction to Computer Security, Pearson, 2011.

Security Controls Security controls are policies, technologies, or human factors that protect a system from attacks in one of three ways: Prevention: prevent attackers from violating security policy. Ex: firewall. Detection: detect attackers’ violation of security policy. Ex: anti-virus. Recovery: stop attack, assess and repair damage. Ex: backups.

Types of Security Controls Technologies Hardware/software used to ensure confidentiality, integrity, or availability. Policy and practice. Security requirements and activities. Education, training, and awareness. Understanding of threats and vulnerabilities and how to protect against them.

Prevention Controls Firewalls: Prevent unauthorized network connections. Authentication: Prevent unauthorized users from using system. File Access Control: Prevent unauthorized access to files. Cryptography: Prevent confidentiality violation even if intruder has access to data.

Detection Controls Change management process: Require security approval of network changes. Intrusion detection: Automated network and/or host based intrusion detection systems. Network scans: Audit network for rogue/missing machines. Verify security status of each network device. Log monitoring: Monitor sensitive logs (e.g. firewall) in real time.

Recovery Controls Snapshots: Filesystem and VM snapshots allow reversion to a previous correct state of the system. Version Control Systems: Version control systems like git allow sets of files to be reverted to a previous correct state. Configuration Management: Systems like puppet automatically deploy servers based on configuration stored in a version control system. Backups: Off-system/site backups permit recovery when all is lost.

Evaluating Security Controls What assets are you trying to protect? What are the risks to those assets? How well does the security control mitigate those risks? What additional risks does the security control cause? What costs and trade-offs does the security control impose?

Example: Password Vault Asset: passwords. Risks: use of passwords by someone else to gain access to private email, bank, health information. Mitigate: encrypted storage prevents use of passwords without vault key. Other risks: lose access to all passwords if you forget the vault key. Costs/tradeoffs: if vault is on PC, lose access elsewhere. If vault is networked, passwords may not be encrypted in transit, will be accessible to attackers who don’t have access to your PC.

Security Risk A risk is any event that could result in an adversary obtaining unauthorized access to assets. To evaluate a risk, we need to evaluate both: Probability of risk occurring. Cost incurred by risk if it occurs. To reduce risk, we minimize the product of probability and cost of a risk.

Legal Issues What you are permitted to do: Copyright and DMCA limitations; Cryptography export regulations; Network monitoring for intrusions. What you are required to do: Data breach notification laws; Privacy regulations.

Security is a Human Problem Social engineering The practice of psychological manipulation to obtain information or to perform attacks for an attacker. Kevin Mitnick testified before Congress “I was so successful in that line of attack that I rarely had to resort to a technical attack.” Circumvention Users write down passwords, leave screens unlocked. Insider attacks Insiders are legitimate users with authorized access who act as a threat. Disgruntled employees, planted spies, subverted people. Organizations: the key here is that those responsible for security have the power to enforce security. Otherwise there is confusion, and the architects need not worry if the system is secure because they won’t be blamed if someone gets in. This arises when system administrators, for example, are responsible for security, but only security officers can make the rules. Preventing this problem (power without responsibility, or vice versa) is tricky and requires capable management. What’s worse is that security is not a direct financial incentive for most companies because it doesn’t bring in revenue. It merely prevents the loss of revenue obtained from other sources. People problems are by far the main source of security problems. Outsiders are attackers from without the organization; insiders are people who have authorized access to the system and, possibly, are authorized to access data and resources, but use the data or resources in unauthorized ways. It is speculated that insiders account for 80-90% of all security problems, but the studies generally do not disclose their methodology in detail, so it is hard to know how accurate they are. (Worse, there are many slightly different definitions of the term “insider,” causing the studies to measure slightly different things!) Social engineering, or lying, is quite effective, especially if the people gulled are inexperienced in security (possibly because they are new, or because they are tired).

What do you trust? Your vendor’s software: “Yet another picture frame malware incident” http://blog.trendmicro.com/trendlabs-security-intelligence/yet-another-digital-picture-frame-malware-incident/ Your encryption libraries: RSA warns customers to stop using BSAFE lib http://rt.com/usa/nsa-weak-cryptography-rsa-110/ Your ISP: ISP hijacks DNS and adds affiliates to URLs http://erichelgeson.github.io/blog/2013/12/31/i-fought-my-isps-bad-behavior-and-won/

Can you trust your compiler? Ken Thompson’s compiler hack from “Reflections on Trusting Trust.” Modified C compiler does two things: If compiling a compiler, inserts the self-replicating code into the executable of the new compiler. If compiling login, inserts code to allow a backdoor password. After recompiling and installing old C compiler: Source code for Trojan horse does not appear anywhere in login or C compiler. Only method of finding Trojan is analyzing binary.

Key Points Definitions: Security, security policy, security control, threat, attack, asset. Components of security: Confidentiality, Integrity, Availability. Protect CIA in all states of information: Storage, Processing, Transmission. Security Controls: Actions: Prevention, Detection, Recovery. Types: Technology, policy, education. Five questions for evaluating security controls. Risk Analysis: Probability × cost of the risk. Trust and Security.

References Anderson, Security Engineering 2nd Edition, Wiley, 2008. Bishop, Computer Security: Art and Science, Addison-Wesley, 2002. Goodrich and Tamassia, Introduction to Computer Security, Pearson, 2011.

Released under CC BY-SA 3.0 This presentation is released under the Creative Commons Attribution-ShareAlike 3.0 Unported (CC BY-SA 3.0) license You are free: to Share — to copy and redistribute the material in any medium to Adapt— to remix, build, and transform upon the material to use part or all of this presentation in your own classes Under the following conditions: Attribution — You must attribute the work to James Walden, but cannot do so in a way that suggests that he endorses you or your use of these materials. Share Alike — If you remix, transform, or build upon this material, you must distribute the resulting work under this or a similar open license. Details and full text of the license can be found at https://creativecommons.org/licenses/by-nc-sa/3.0/