6/30/2015 5:58 PM Lecture 3: Policy James Hook CS 591: Introduction to Computer Security.

Presentation transcript:

Objectives
Explore what a security policy is; develop a vocabulary to discuss policies
Examine the role of trust in policy

What is a Security Policy?
Statement that articulates the security goal
In the state machine model it identifies the authorized or secure states (which are distinct from the unauthorized or nonsecure states)
A secure system is one in which the system can only enter authorized states
–Note: The policy doesn’t make the system secure; it defines what secure is

Confidentiality
X: set of entities
I: some information
I has the property of confidentiality with respect to X if no member of X can obtain information about I
What is information?

Confidentiality Scenario
If an instructor wishes to keep class grades confidential from the students, which of the following can the instructor do?
–Email the grade file to the class mailing list
–Email an encrypted grade file to the class mailing list
–Email summary statistics (mean, median, max, and min) to the class mailing list
What is information? What is data?

Integrity
Bishop:
–X, I as before
–I has the property of integrity with respect to X if all members of X trust I
Dictionary ( )
–1 : firm adherence to a code of especially moral or artistic values : INCORRUPTIBILITY
–2 : an unimpaired condition : SOUNDNESS
–3 : the quality or state of being complete or undivided : COMPLETENESS

Integrity
If Alice and Bob trust their horoscopes do horoscopes have integrity?
What about their elected representatives?
Does this definition imply that “anything’s legal as long as you don’t get caught” [Traveling Wilburys; Tweeter and the Monkey Man]
If the users of a system trust the file system does it have integrity?
Is it reasonable for integrity to be an extrinsic property?

Assurance
Assurance aims to provide intrinsic evidence of integrity
We trust the integrity of the bank because we intrinsically trust the accounting practices used by banks
We also trust the bank because
–The bank is audited for compliance with these trusted practices
–The bank’s data is scrutinized for signatures of fraud

Integrity
Although we may desire an intrinsic notion of integrity we must accept an extrinsic notion in the general case
If we do not have intrinsic assurance the best we can demand is that no agent can refute integrity

Availability
Let X be a set of entities, I a resource
I has the property of availability with respect to X if all members of X can access I
What is access?
Quality of service is not always binary

Setting the bar on access
Organizational context is critical
For a person, access sufficient to perform their job function
–Avionics system: micro-/milliseconds (some military airframes are aerodynamically unstable; avionics system is required to keep them in the air)
–Air Traffic control: 100s of milliseconds
–Airline reservations: 10s of seconds
–[These numbers are notional]

Access and Quality of Service
Behavior of service under load may be important
–Graceful degradation
–QoS threshold
When is it better to do a few things quickly than all things slowly?

Dimensions of Policy
Policy defines security objective:
–Confidentiality: Protect Information and Resources I from X
–Integrity: …in a manner trusted by Y
–Availability: …to be accessible to Z
Mechanisms can be evaluated to determine if they help meet the objective

Does this model match reality?
Recall PSU AUP
What facets focus on
–Confidentiality: what is I? who/what is X?
–Integrity: I? X?
–Availability: I? X?
What facets are outside of this model?

PSU Computer & Network Acceptable Use Policy
This acceptable use policy governs the use of computers and networks at Portland State University (PSU). As a user of these resources, you are responsible for reading and understanding this document. …
Portland State University encourages the use and application of information technologies to support the research, instruction, and public service mission of the institution. PSU computers and networks can provide access to resources on and off campus, as well as the ability to communicate with other users worldwide. Such open access is a privilege and requires that individual users act responsibly. Users must respect the rights of other users, respect the integrity of systems and related physical resources, and observe all relevant laws, regulations, and contractual obligations.

PSU AUP (cont)
Acceptable use terms and conditions:
–The primary purpose of electronic systems and communications resources is for University-related activities only.
–Users do not own accounts on University computers, but are granted the privilege of exclusive use. Users may not share their accounts with others, and must keep account passwords confidential.
–Each account granted on a University system is the responsibility of the individual who applies for the account. Groups seeking accounts must select an individual with responsibility for accounts that represent groups.
–The University cannot guarantee that messages or files are private or secure. The University may monitor and record usage to enforce its policies and may use information gained in this way in disciplinary and criminal proceedings.
–Users must adhere strictly to licensing agreements and copyright laws that govern all material accessed or stored using PSU computers and networks.
–When accessing remote systems from PSU systems, users are responsible for obeying the policies set forth herein as well as the policies of other organizations.
–Misuse of University computing, networking, or information resources may result in the immediate loss of computing and/or network access. Any violation of this policy or local, state, or federal laws may be referred to appropriate University offices and/or, as appropriate, law enforcement authorities.

PSU AUP (cont)
Conduct which violates this policy includes, but is not limited to the following:
–Unauthorized attempts to view and/or use another person’s accounts, computer files, programs, or data.
–Using PSU computers, accounts, and/or networks to gain unauthorized access to University systems or other systems.
–Using PSU computers, accounts, and/or networks for: threat of imminent physical harm, sexual or other harassment, stalking, forgery, fraud, generally offensive conduct, or any criminal activity.
–Attempting to degrade performance of University computers and/or networks.
–Attempting to deprive other users of University technology resources or access to systems/networks.
–Using University resources for commercial activity such as creating products or services for sale.
–Copying, storing, sharing, installing or distributing software, movies, music, and other materials currently protected by copyright, except as permitted by licensing agreements or fair use laws.
–Unauthorized mass mailings to newsgroups, mailing lists, or individuals, i.e. “spamming” or propagating electronic chain letters.
–Unauthorized “broadcasting” of unsolicited mail, material, or information using University computers/networks.

Policies and the world
What about
–Obey the law
–Organizational consequences

Policy model vs reality
Consider password policies (e.g. SANS model policy)
What dimension of security do password policies primarily address?

Policy informed by experience
Most organizations have a policy that has evolved
Reflects understanding of threat environment (or at least threat history)
Can reveal critical assumptions

Policy vs. Mechanism
Policy says what is allowed and what isn’t
Mechanism is an entity or procedure that enforces some part of the policy
Discuss
–List some mechanisms
–Facets of policy for which mechanisms are appropriate
–Facets of policy for which mechanisms are unlikely to be appropriate
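The state machine definition of policy and the policy/mechanism distinction can be checked mechanically. The following is an added example, not part of the lecture: the grade-file states, action names and the two mechanisms are constructed for illustration. The policy is just the set of authorized states, and a mechanism is a filter on transitions; the system is secure only if no unauthorized state is reachable.

```python
from collections import deque

# Constructed toy system (not from the lecture): where a grade file lives.
# Each state maps to the (action, next_state) transitions the system offers.
TRANSITIONS = {
    "instructor_only": [("share_with_ta", "ta_copy"),
                        ("mail_to_class", "class_list")],
    "ta_copy": [("revoke", "instructor_only"),
                ("mail_to_class", "class_list")],
    "class_list": [],
}

# The policy is only a partition of states: these are the authorized ones.
AUTHORIZED = {"instructor_only", "ta_copy"}

def allow_all(state, action):
    """No mechanism: every transition the system offers can be taken."""
    return True

def partial_mechanism(state, action):
    """Enforces part of the policy: blocks mailing only from instructor_only."""
    return not (state == "instructor_only" and action == "mail_to_class")

def full_mechanism(state, action):
    """Blocks the mailing action from every state."""
    return action != "mail_to_class"

def reachable(initial, mechanism=allow_all):
    """Breadth-first search over the transitions the mechanism permits."""
    seen, queue = {initial}, deque([initial])
    while queue:
        state = queue.popleft()
        for action, nxt in TRANSITIONS[state]:
            if mechanism(state, action) and nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen

def unauthorized_reachable(initial, mechanism=allow_all):
    """States the system can enter that the policy does not authorize."""
    return reachable(initial, mechanism) - AUTHORIZED

def is_secure(initial, mechanism=allow_all):
    """Secure means the system can only enter authorized states."""
    return not unauthorized_reachable(initial, mechanism)

if __name__ == "__main__":
    for mech in (allow_all, partial_mechanism, full_mechanism):
        print(mech.__name__, is_secure("instructor_only", mech))
```

The partial mechanism still leaves the system insecure because the unauthorized state is reachable through the TA copy, which is the practical reason to evaluate mechanisms against the whole policy rather than one path.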

Security Model
A security model is a model that represents a particular policy or set of policies
Abstracts from the policy
We will see various security models:
–Bell-LaPadula for Confidentiality
–Clark-Wilson Integrity
–Chinese Wall Model

Families of Policies
Military Security Policy (Governmental)
–Primary goal: confidentiality
Commercial Security Policy
–Primary goal: integrity
–Common mechanism: transactions; transaction-oriented integrity security policies
–When you buy a book from Amazon you want to get exactly what you ordered and pay for it exactly once

Assumptions and Trust
All policies have assumptions
Typically something is trusted:
–Hardware will faithfully execute the program
–Patch is uncorrupted from vendor
–Vendor tested patch appropriately
–Vendor’s environment similar to system being patched
–Patch is installed correctly

Trust
What are some assumptions of
–The PSU AUP?
–The SANS password policy?

Access Control
Discretionary Access Control (DAC)
–An individual user can allow or deny access to an object
Mandatory Access Control (MAC)
–System mechanism controls access
–User cannot alter that access
Originator Controlled Access Control (ORCON)
–Access control set by creator of information
–Owner (if different) can’t alter AC
–Like copyright
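The difference between the three access control families is who is allowed to change an object's access. The following is an added example, not part of the lecture: the users, labels and objects are constructed, and the MAC rule used here (clearance must be at least the object's label) is an assumed stand-in for whatever rule the system enforces.

```python
from dataclasses import dataclass, field

# Constructed labels and users for illustration (not from the lecture).
LEVELS = {"public": 0, "confidential": 1, "secret": 2}
CLEARANCE = {"alice": "secret", "bob": "public", "carol": "confidential"}

@dataclass
class Obj:
    name: str
    owner: str                  # current holder of the object
    creator: str                # originator of the information
    model: str                  # "DAC", "MAC" or "ORCON"
    label: str = "public"       # used only by the MAC rule
    acl: set = field(default_factory=set)

def can_read(user, obj):
    if obj.model == "MAC":
        # Assumed system rule: clearance must dominate the object's label.
        return LEVELS[CLEARANCE[user]] >= LEVELS[obj.label]
    return user in obj.acl or user in (obj.owner, obj.creator)

def grant(actor, obj, user):
    """Try to give `user` read access; return True if the change is accepted."""
    if obj.model == "DAC":
        allowed = actor == obj.owner       # owner's discretion
    elif obj.model == "ORCON":
        allowed = actor == obj.creator     # originator only, not the owner
    else:
        allowed = False                    # MAC: no user can alter access
    if allowed:
        obj.acl.add(user)
    return allowed

def demo():
    dac = Obj("notes", owner="alice", creator="alice", model="DAC")
    mac = Obj("plan", owner="alice", creator="alice", model="MAC", label="secret")
    orcon = Obj("report", owner="carol", creator="alice", model="ORCON")
    return {
        "dac_owner_grants": grant("alice", dac, "bob"),
        "mac_owner_grants": grant("alice", mac, "bob"),
        "mac_bob_reads": can_read("bob", mac),
        "orcon_owner_grants": grant("carol", orcon, "bob"),
        "orcon_creator_grants": grant("alice", orcon, "bob"),
        "orcon_bob_reads": can_read("bob", orcon),
    }

if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```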

Conclusions
Policy declares security goal
Policy can be understood in terms of security components:
–Confidentiality
–Integrity
–Availability
Policy is based on assumptions about the environment
It is critical to understand what entities the policy “trusts”

Looking Forward
Bell-LaPadula Model
–Military style classification of information
–Confidentiality
–Reading: Bishop: Chapter 5 (start 6 as well); RA: Chapter 7
Background
–What is a lattice?
–Reading: Chapter 27

US Constitution Amendment IV
The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.

Credit Card Fraud detection
Credit Card companies have done nearly real-time analysis of card usage
Anomalies are flagged; card holder is contacted
Customers have come to expect this service
–It is considered a protection and an added value
Discuss:
–Abuse potential
–Does government have a role? Why or why not?

Telephone
Phone companies have collected “call detail data” for a long time
Analyze data to build customer profiles
One useful technique is the “Community of interest”
–Top k callers in period of study (k is usually 9)
–Can define a metric on communities
–Tends to provide a good surrogate for identity (“Record Linkage Using COI-based matching”)

Telephone fraud detection
Historically, COI-based matching is used to detect a deadbeat customer who has assumed a new network identity
Is this a legitimate business use?
Is there a potential privacy issue?
Discuss potential abuses

NY Times Story
Revealed that the content of international phone calls between “persons of interest” was monitored outside of FISA
–Why not use FISA?
–What if identity is a surrogate, not a name?

USA Today Story
Several telephone companies providing call detail data to NSA
“Largest database ever”
Asserts no content being monitored
Discussion/Conjecture:
–What if they are calculating COI? Or COI-like data?
–Could this serve as the source of the “surrogate identities” used for non-FISA wiretaps?
–If it is reasonable for business to use this technology for fraud detection, is it reasonable for the government to exploit it as well?
–What other personal information could be obtained from this data?