Introduction to Computer Security: Terminology, Security Policy ECE 422 / CS 461 - Fall 2013 *Acknowledgment: Thanks to Susan Hinrichs for her slides.


Outline
Administrative Issues
Class Overview
Introduction to Computer Security
  – What is computer security?
  – Why computer security?
  – Computer security components
Introduction to security policy

Staff etc.
Staff
  – INSTRUCTORS:
    David Nicol: First half (Roughly: Aug. 26 – Oct. 14)
    Rakesh Bobba: Second half (Roughly: Oct. 16 – Dec. 12)
  – TAs
    Balaji Manoharan
    Ted Pacyga
Office hours
  – David Nicol (held when teaching; 451 CSL) TBD
  – Rakesh Bobba (held when teaching; 444 CSL) TBD

Academic Honesty
Review department and university cheating and honor codes:
  – ic-honesty.html
  – /Honor+Code
  – _1-402.html
Expectations for exams, homeworks, projects, and papers
When in doubt, ask!

Class Overview I – Format & Text
Format
  – Meets 2 times a week (MW)
  – Mostly lecture based
Text Books / Readings
  – Computer Security: Principles and Practice by William Stallings and Lawrie Brown, 2nd Ed.
  – Additional Readings
    Links and documents posted in Compass
    Books on reserve at library

Class Overview II – Lectures
Lecture Slides - Disclaimer
  – Not intended to be self sufficient
  – Going through lecture slides will NOT be enough to master course material

Class Overview III - Grades
2 midterms worth 20% each (total 40%)
  – Tentatively: October 2nd and November 6th
Comprehensive Final worth 30%
  – Date & Time: December 16th AM
In class quizzes – 5%
Homeworks & MPs 25%
  – About 7–8 homeworks; can drop lowest homework
  – Submit homeworks via Compass2g
Extra project for grad. students (4 credits) 20%

Class Overview IV - Communication
Class web page
  – -+CS461+Computer+Security+I+Fall CS461+Computer+Security+I+Fall+2013
  – Lecture slides, schedule, homeworks
Lecture Videos (For Online Students)
  – 3+CS+courses
Compass2g
  – Homework submissions and grade distribution
Piazza
  – For discussions

Security Classes Roadmap I
3 Introductory/General Courses
  – Computer Security I (CS461/ECE422)
    Covers NSA 4011 security professional requirements
    Taught every semester (mostly)
  – Computer Security II (CS463/ECE424)
    Continues in greater depth on more advanced security topics
    Taught every semester or so
  – Applied Computer Security Lab (CS460)
    Generally taught in the spring
    With CS461 covers NSA 4013 system administrator requirements
  – Two of the three courses will satisfy the Security Specialization in the CS track for Computer Science majors.

Security Classes Roadmap II
Theoretical Foundations of Cryptography (CS 498) & Applied Cryptography (CS 598 MAN)
  – Prof Manoj Prabhakaran
Advanced Applied Cryptography (ECE 598 NB) & Privacy Enhancing Technologies (ECE 598 NB)
  – Prof Nikita Borisov
Cryptography (Math 595/ECE 559)
  – Prof. Blahut
Malware Analysis CS498SH
Security Reading Group CS591RHC
Advanced Computer Security CS563
Local talks
ITI Security Roadmap

ECE 422 / CS 461 Topics
First course in computer security at UIUC
Mix of motivation, design, planning, and mechanisms
Covers what, why and how of computer security
  – Breadth first look

What is computer security? Why do we need it?
Art & science of protecting/securing computer systems?
Because we need to protect/secure computers from … adversaries
  – Mischief makers (script kiddies)?
  – Hackers?
  – Hacktivists?
  – Ourselves (sometimes)
  – …

What is Computer Security?
“The protection afforded to an automated information system in order to attain the applicable objectives of preserving the integrity, availability and confidentiality of information system resources (includes hardware, software, firmware, information/data, and telecommunications).”
  – NIST Security Handbook

Key Security Notions/Concepts
Confidentiality
  – Preventing unauthorized access or disclosure
    Keeping data confidential to authorized parties
  – Privacy (subtle difference)
Integrity
  – Preventing unauthorized modifications
    Data Integrity (integrity)
    Origin Integrity (authentication)
Availability
  – Ensuring timely availability of (data, system service etc.)

Additional Security Concepts
Authenticity
  – Property of being genuine; can be verified and trusted
  – Similar to authentication
Accountability
  – Requirement for entity actions to be traced uniquely to that entity
  – Non-repudiation: one cannot repudiate one’s actions

Why is computer security challenging?
Both systems to be protected and security mechanisms can be quite complex and subtle
Security mechanisms themselves might become targets or introduce unintended weaknesses
A single weakness can bring down the system – defenders have to work harder
Systems, environments, and adversaries are constantly evolving/changing
Security often tends to be an afterthought rather than designed in
…

Some Terminology
Threat
  – Set of circumstances that has the potential to breach security and cause harm
Vulnerability
  – Weakness in the system that could be exploited to violate security property of interest
Attack
  – When an entity exploits a vulnerability on system
Control or Countermeasure
  – A means to prevent a vulnerability from being exploited; or minimize harm from the vulnerability/attack; or detect attack so recovering actions may be initiated
Adversary
  – Threat agent

Classes of Threats
Disclosure
  – Unauthorized access to information
Deception
  – Acceptance of false data
Disruption
  – Interruption or prevention of correct operation
Usurpation
  – Unauthorized control of some part of a system
What security property(ies) or concept(s) does each class violate?

Some common threats
Snooping or interception
  – Unauthorized interception of information
Falsification
  – Unauthorized change of information
Masquerading or spoofing
  – An impersonation of one entity by another
Repudiation
  – A false denial that an entity received some information.

Security Strategy
Specification/Policy
  – What does it mean to be secured in particular?
Implementation/Mechanism
  – How to enforce the specified security policy?
Correctness/Assurance
  – Does the security system work as advertised?

Specification/Policy
Specification considerations
  – Security vs. ease of use
  – Return on investment – security business case
Policy
  – A statement of what is and what is not allowed
  – Divides the world into secure and non-secure states
  – A secure system starts in a secure state. All transitions keep it in a secure state.

Is this situation secure?
Web server accepts all connections
  – No authentication required
  – Self-registration
  – Connected to the Internet

Security Mechanism or Implementation
A method, tool, or procedure for enforcing a security policy
  – Prevention
  – Detection
  – Response
  – Recovery

Trust and Assumptions
Locks prevent unwanted physical access.
  – What are the assumptions this statement builds on?

Policy Assumptions
Policy correctly divides world into secure and insecure states.
Mechanisms prevent transition from secure to insecure states.

Assurance
Evidence of how much to trust a system
Evidence can include
  – System specifications
  – Design
  – Implementation

Aspirin Assurance Example
Why do you trust Aspirin from a major manufacturer?
  – FDA certifies the aspirin recipe
  – Factory follows manufacturing standards
  – Safety seals on bottles
Analogy to software assurance

Key Points
Must look at the big picture when securing a system
Main components of security
  – Confidentiality
  – Integrity
  – Availability
Differentiating Threats, Vulnerabilities, Attacks and Controls
Policy vs. mechanism
Assurance

Security Policy
A security policy is a formal statement of the rules by which people who are given access to an organization’s technology and information assets must abide. (RFC 2196)
Defines what it means for the organization to be in a secure state.
  – Otherwise people can claim ignorance.

Question
University policy disallows cheating.
  – Alice forgets to write protect her homework.
  – Bob copies it.
  – Who violated policy?

Question Part 2
Alice posts her homework on the department bulletin board (or piazza).
Bob copies it.
Who is at fault with respect to policy?

Mechanisms or Controls or Countermeasures
Entity or procedure that enforces some part of the security policy
  – Access controls (like bits to prevent someone from reading a homework file)
  – Disallowing people from bringing CDs and floppy disks into a computer facility to control what is placed on systems
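
Added example (not from the lecture slides): the lecture's definition of policy as a split into secure and non-secure states, applied to the homework file and its permission bits, written as a reachability check that reports whether the mechanism lets the system leave the secure states. The two-field state, the action names and the `owner_may_open` switch are assumptions made for this illustration.

```python
from collections import deque

# Constructed model: state = (other_readable, bob_has_copy).
# The system starts with the homework protected and no copy made.
INITIAL = (False, False)

def is_secure(state):
    """Policy: a state is secure as long as Bob holds no copy of the homework."""
    _other_readable, bob_has_copy = state
    return not bob_has_copy

def transitions(state, owner_may_open):
    """Yield (action, next_state) pairs that the mechanism permits."""
    other_readable, bob_has_copy = state
    if owner_may_open:
        # Discretionary permission bits: the owner may set other-read.
        yield "alice_chmod_o+r", (True, bob_has_copy)
    yield "alice_chmod_o-r", (False, bob_has_copy)
    if other_readable:
        # The bits stop Bob only while other-read is clear.
        yield "bob_copies_file", (other_readable, True)

def find_violation(owner_may_open):
    """Breadth-first search from INITIAL. Returns the shortest action trace
    reaching a non-secure state, or None if every reachable state is secure."""
    queue = deque([(INITIAL, [])])
    seen = {INITIAL}
    while queue:
        state, trace = queue.popleft()
        if not is_secure(state):
            return trace
        for action, nxt in transitions(state, owner_may_open):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, trace + [action]))
    return None

if __name__ == "__main__":
    # Mechanism A: owner-controlled bits (Alice can forget to protect the file).
    print("owner-controlled bits:", find_violation(owner_may_open=True))
    # Mechanism B (hypothetical): the system never allows other-read on homework.
    print("other-read never allowed:", find_violation(owner_may_open=False))
```

With owner-controlled bits the search returns a trace, so the assumption that mechanisms prevent every transition to an insecure state does not hold for that mechanism; with the stricter rule it returns `None`.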

Hierarchy of Policy
Organizational Policy
Departmental Policy
Department Standards
CSIL-Linux10 SE Linux Policy
Linux Lab Umask settings

Natural Language Security Policies
Targeting Humans
  – Written at different levels
    To inform end users
    To inform lawyers
    To inform technicians
    Users, owners, beneficiaries (customers)
As with all policies, should define purpose not mechanism
  – May have additional documents that define how policy maps to mechanism
Should be enduring
  – Don't want to update with each change to technology
Shows due diligence on part of the organization

Key Parts of Organizational Policy
1. What is being protected? Why?
2. Generally how should it be protected?
3. Who is responsible for ensuring policy is applied?
4. How are conflicts and discrepancies to be interpreted and resolved?

How to Write a Policy
Understand your environment
  – Risk Analysis (see next lecture)
Understand your industry
  – Look for “standards” from similar companies
  – Leverage others' wisdom
  – Already proven with auditors/regulators
Standards
  – ISO – Code of Practice for Information Security Management
  – COBIT – Control Objectives for Information and Related Technology
  – SANS, CERT have policy guidelines
Gather the right set of people
  – Technical experts, person ultimately responsible, person who can make it happen
  – Not just the security policy “expert”

Security Policy Life Cycle
Risk Analysis
Policy Development
Reassessment
Policy Implementation
Raising Awareness
Policy Approval

Security Policy Contents
Purpose
  – Why are we trying to secure things
Identify protected resources
Who is responsible for protecting
  – What kind of protection? Degree but probably not precise mechanism.
Cover all cases
Realistic

More Specific Policy Content Ideas
Principles of Security
Organizational Reporting Structure
Physical Security
Hiring, management, firing
Data protection
Communication security
Hardware
Software
Operating systems
Technical support
Privacy
Access
Accountability
Authentication
Availability
Maintenance
Violations reporting
Business continuity
Supporting information

University of Illinois Information Security Policies
  – System wide policy; Identifies what, not how
  – CITES UIUC standards and guidelines
  – DNS
  – CS Department policies

Example Privacy policies
Busey Bank cuments/privacy.pdf
  – Financial Privacy Policy
    Targets handling of personal non-public data
    Clarifies what data is protected
    Who the data is shared with

Poorly Written Policies
Cars.gov
  – Had following in click-through policy for dealers
    This application provides access to the [Department of Transportation] DoT CARS system. When logged on to the CARS system, your computer is considered a Federal computer system and is the property of the U.S. Government. Any or all uses of this system and all files on this system may be intercepted, monitored, recorded, copied, audited, inspected, and disclosed... to authorized CARS, DoT, and law enforcement personnel, as well as authorized officials of other agencies, both domestic and foreign.
According to EFF terms-service

Example Acceptable Use Policy
IEEE Acceptable Use Policy
  – Inform user of what he can do with IEEE
  – Inform user of what IEEE will provide
    Does not accept responsibility of actions resulting from user
    Does not guarantee privacy of IEEE computers and networks
  – Examples of acceptable and unacceptable use

Key Points
Security policy bridges between human expectations and implementation reality