Copyright © Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE USC CSci530 Computer Security Systems Lecture notes Fall 2008 Dr. Clifford Neuman University of Southern California Information Sciences Institute

Copyright © Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE CSci530: Security Systems Lecture 1 – August 29, 2008 The Security Problem Dr. Clifford Neuman University of Southern California Information Sciences Institute

Copyright © Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Administration Class home page –Preliminary Syllabus –Assigned Readings –Lecture notes –Assignments

Copyright © Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Who gets in There will be additional seats that open up in the class. If you do not have D Clearance yet, give me your form at break. I turn these into the department and they decide who gets in based on their prioritization

Copyright © Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Structure of lecture Classes from 9:00 AM – 11:50 AM –10-15 minute break halfway through –Final 15 minutes for discussion of current events in security.

Copyright © Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Administration Lab Component (see –1 of the 4 units –Instructor is David Morgan –Instruction 3:30-4:20 Fridays in OHE 122 ▪WebCast via DEN ▪Today’s Lab instruction is only a 30 minute introduction –Hands on sections, choose from 7 sessions ▪Provides an opportunity to do hands on work in OHE 406 lab. ▪Must sign up for your preference of session. ▪Details will be provided this afternoon.

Copyright © Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Administration Class Instructor –Dr. Clifford Neuman –Office hours Friday 12:50-1:50 SAL 212 –Contact info on class web page TAs –None Assigned YET –Be sure to complain about this

Copyright © Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Administration Grading –Reading reports: 5%,5%,5% –Exams: 25%, 30% –Research paper 30% –Lab exercises Pass(hi,lo)/Fail (adj 15%) –Class participation ▪up to 10% bonus

Copyright © Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Blackboard Using the DEN Blackboard system –Go to –Click “for on campus students” –Follow the instructions to obtain your Blackboard password for the DEN site. –Contact if you have difficulty gaining access to the

Copyright © Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Class Participation This is a large class, but I treat is as smaller. –Class participation is important. ▪Ask and answering questions in class. ▪Ask, answer, participate on-line –Bonus for class participation ▪If I don’t remember you from class, I look in the web discussion forum to check participation. –Did you ask good questions. –Did you provide good answers. –Did you make good points in discussions.

Copyright © Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Academic Integrity I take Academic Integrity Seriously –Every year I have too many cases of cheating –Last year I assigned multiple F’s for the class What is and is not OK –I encourage you to work with others to learn the material –Do not to turn in the work of others –Do not give others your work to use as their own –Do not plagiarize from others (published or not) –Do not try to deceive the instructors See section on web site and assignments –More guidelines on academic integrity –Links to university resources –Don’t just assume you know what is acceptable.

Copyright © Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE The Three Aspects of Security Confidentiality –Keep data out of the wrong hand Integrity –Keep data from being modified Availability –Keep the system running and reachable

Copyright © Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Orthogonal Aspects Policy –Deciding what the first three mean Mechanism –Implementing the policy

Copyright © Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Important Considerations Risk analysis and Risk Management –How important to enforce a policy. –Legislation may play a role. The Role of Trust –Assumptions are necessary Human factors –The weakest link

Copyright © Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE In The Shoes of an Attacker Motivation –Financial –Bragging Rights –Revenge / to inflict damage –Terrorism and Extortion Risk to the attacker –Can play a defensive role.

Copyright © Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE What is security System, Network, Data –What do we want to protect –From what perspective How to evaluate –Balance cost to protect against cost of compromise –Balance costs to compromise with risk and benefit to attacker. Security vs. Risk Management –Prevent successful attacks vs. mitigate the consequences. It’s not all technical

Copyright © Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Security and Society Does society set incentives for security. –OK for criminal aspects of security. –Not good in assessing responsibility for allowing attacks. –Privacy rules are a mess. –Incentives do not capture gray area ▪Spam and spyware ▪Tragedy of the commons

Copyright © Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Why we aren’t secure Buggy code Protocols design failures Weak crypto Social engineering Insider threats Poor configuration Incorrect policy specification Stolen keys or identities Denial of service

Copyright © Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE What do we want from security Confidentiality –Prevent unauthorized disclosure Integrity –Authenticity of document –That it hasn’t changed Availability –That the system continues to operate –That the system and data is reachable and readable. Enforcement of policies –Privacy –Accountability and audit –Payment

Copyright © Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE The role of policy in security architecture Policy – Defines what is allowed and how the system and security mechanisms should act. Enforced By Mechanism – Provides protection interprets/evaluates (firewalls, ID, access control, confidentiality, integrity) Implemented as: Software: which must be implemented correctly and according to sound software engineering principles.

Copyright © Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Security Mechanisms Encryption Checksums Key management Authentication Authorization Accounting Firewalls Virtual Private Nets Intrusion detection Intrusion response Development tools Virus Scanners Policy managers Trusted hardware

Copyright © Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Today’s security deployment Most deployment of security services today handles the easy stuff, implementing security at a single point in the network, or at a single layer in the protocol stack: –Firewalls, VPN’s –IPSec –SSL –Virus scanners –Intrusion detection

Copyright © Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE A more difficult problem Unfortunately, security isn’t that easy. It must be better integrated with the application. –At the level at which it must ultimately be specified, security policies pertain to application level objects, and identify application level entities (users).

Copyright © Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Security Systems vs Systems Security SECURITY AUDIT RECORDS INTRUSION DETECTION UNDER ATTACK POLICY GAA API EACL... Authentication Integration of dynamic security services creates feedback path enabling effective response to attacks Databases Web Servers Firewalls IPSec …

Copyright © Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Loosely Managed Systems Security is made even more difficult to implement since today’s system lack a central point of control. –Home machines unmanaged –Networks managed by different organizations. –A single function touches machines managed by different parties. –Who is in control?

Copyright © Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Who is in Control The Intruder The Government Your employer The Merchant The credit card companies The credit bureaus Ultimately, it must be you who takes control, but today’s systems don’t take that view.

Copyright © Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Current event – How does this relate to our discussion Internet Security Patch May Not Do the Job New York Times – August , John Markoff SAN FRANCISCO — Faced with the discovery of a serious flaw in the Internet’s workings, computer network administrators around the world have been rushing to fix their systems with a cobbled-together patch. Now it appears that the patch has some gaping holes. On Friday, a Russian physicist demonstrated that the emergency fix to the basic Internet address system, known as the Domain Name System, is vulnerable and will almost certainly be exploited by criminals. The flaw could allow Internet traffic to be secretly redirected so thieves could, for example, hijack a bank’s Web address and collect customer passwords. oIn a posting on his blog, the physicist, Evgeniy Polyakov, wrote that he had fooled the software that serves as the Internet’s telephone book into returning an incorrect address in just 10 hours, using two standard desktop computers and a high-speed network link. Internet experts who reviewed the posting said the approach appeared to be effective.a posting on his blog oThe basic vulnerability of the network has become a heated controversy since Dan Kaminsky, a Seattle-based researcher at the security firm IOActive, quietly notified a number of companies that distribute Internet addressing software earlier this year. On Wednesday, Mr. Kaminsky described the vulnerability to a packed room at a technical conference in Las Vegas. He said that it could affect not just the Web but also other services like . oThe general risk of such a flaw had been known for some years within the Internet technical community. But in the last month security engineers have repeatedly stated that it is only a matter of time before financial organizations are attacked by computer criminals seeking to exploit the now-public flaw. One expert says this is happening now. It is now almost certain that there will be an escalating number of attacks, Mr. Woodcock said. Before the patch, which has now been distributed to more than three-quarters of the affected servers in the world, it would have taken as little as one second to insert false information into the address database. Now, even with the patch, attacks will be possible in a matter of minutes or hours, he said. oMr. Polyakov carried out his attack using two fast computers, but the same attack could be carried out more quickly. There is now an intense debate over how to find a more permanent fix for the system’s weaknesses. “We’ve bought some time,” said Paul Mockapetris, the software engineer who devised the original D.N.S. system and is now chairman of Nominum, a firm that makes a version of the D.N.S. software that is not vulnerable to the current flaw. Mr. Mockapetris described the patch that is now being put in place as the equivalent of “playing Russian roulette with a gun that has 100 bullet chambers instead of six. The point,” he said, “should be to take the gun out of people’s hands.” oThe root of the problem lies in the fact that the address system, was not meant for services like electronic banking that require strict verification of identity. “They are relying on infrastructure that was not intended to do what people assume it does,” said Clifford Neuman, director of the Center for Computer Systems Security at the University of Southern California. “What makes this so frustrating is that no one has been listening to what we have been saying for the past 17 years.” A number of Internet security engineers point out that if a solution is found for the deeper problem of identity and authentication on the Internet, it will go a long way toward stopping many of the identity-related crimes that are now commonplace.University of Southern California oSome experts are proposing an encryption-based solution known as DNSSEC. It would give Web users high confidence that the Internet address they are being sent to is correct. “DNSSEC is not an overnight solution for the Kaminsky problem, but it’s the right solution in the long run,” said Richard Lamb, a technical expert at the Internet Corporation for Assigned Names and Numbers, the nonprofit organization that oversees Internet security and stability. Others remain skeptical that the more secure approach is practical for the wider commercial Internet, because it requires more computing power and because it would be hard to get the whole world to adopt it.Internet Corporation for Assigned Names and Numbers