Chapter 1 Introduction and Overview M M Waseem Iqbal


1 Chapter 1 Introduction and Overview M M Waseem Iqbal waseem.iqbal@mcs.edu.pk

2 Chapter 1: Introduction
- Components of computer security
- Threats
- Policies and mechanisms
- The role of trust
- Assurance
- Operational Issues
- Human Issues

3 Why Computer Security
- The past decade has seen an explosion in the concern for the security of information.
- Malicious code (viruses, worms, etc.) caused over $28 billion in economic losses in 2003, growing to over $75 billion by 2007.
- Jobs and salaries for technology professionals have lessened in recent years, BUT the market for security specialists is expanding!
- “Full-time information security professionals will rise almost 14% per year around the world, going past 2.1 million in 2008” (IDC: International Data Corporation report)

4 Why Computer Security (cont’d)
- Internet attacks are increasing in frequency, severity and sophistication
- Denial of service (DoS) attacks
  - Cost $1.2 billion in 2000
  - 1999 CSI/FBI survey: 32% of respondents detected DoS attacks directed to their systems
  - Thousands of attacks per week in 2001-2010
  - Yahoo, Amazon, eBay, Microsoft, White House, etc., attacked

5 Why Computer Security (cont’d)
- Viruses and worms are faster and more powerful
  - Melissa, Nimda, Code Red, Code Red II, Slammer …
  - Caused over $28 billion in economic losses in 2003, growing to over $75 billion in economic losses by 2007.
  - Code Red (2001): infected >360K machines in 13 hours - $2.4 billion loss
  - Slammer (2003): infected >75K machines in 10 minutes - $1 billion loss

6 Security ? Security is about well-being (integrity) and about protecting property or interests from intrusions, stealing or wire-tapping (privacy - the right to keep a secret can also be stolen). In order to do that, in a hostile environment, we need to restrict access to our assets. To grant access to a few, we need to know whom we can trust and we need to verify the credentials (authenticate) of those we allow to come near us.

7 Security ?
A rough classification of protective measures distinguishes between
- Prevention: take measures that prevent your assets from being damaged
- Detection: take measures that allow you to detect when an asset has been damaged, how it has been damaged, and who has caused the damage
- Reaction: take measures that allow you to recover your assets after damage
In some cases the damage may be irretrievable.

8 Computer Security ?
- Computer security is about protection of information assets
- We must examine how information assets can be compromised
- Definition of computer security [Anderson]: Computer security deals with the prevention and detection of unauthorized actions by users of a computer system
- Some notes
  - There is no single definition of security
  - When reading a document, be careful which notion/definition of security is used in the document
  - A lot of time is being spent (and wasted) in trying to define unambiguous notations for security

9 Computer Security ? (cont)
Security is thus based on the following independent issues:
- Privacy - the ability to keep things private/confidential
- Trust - do we trust data from an individual or a host? Could they be used against us?
- Authenticity - are security credentials in order? Are we talking to whom we think we are talking to, privately or not?
- Integrity - has the system been compromised/altered already?

10 What are we afraid of?
Environments can be hostile because of
- Physical threats - weather, natural disaster, bombs, power failures, etc.
- Human threats - stealing, trickery, bribery, spying, sabotage, accidents.
- Software threats - viruses, Trojan horses, logic bombs, denial of service.
What are we afraid of?
- Losing the ability to use the system.
- Losing important data or files
- Losing face/reputation
- Losing money
- Spreading private information about people.

11 Security- Conclusion ? In order to secure a system, we require the ability to restrict access or privilege to the system.

12 Classical Security Target - CIA
- Confidentiality: Prevention of unauthorized disclosure of information
  - Problems: Who determines who is authorized? What extent of disclosure is relevant (one bit?)?
  - Can be enforced by rigorous control of who can access which resources in what way
- Integrity: Prevention of unauthorized modification of information
  - Some meanings of integrity are: "precise", "accurate", "unmodified", "modified only in acceptable ways", "modified only by authorized people or processes", "consistent", "internally consistent", "meaningful and correct results"
  - As with confidentiality, can be enforced by rigorous control of who can access which resources in what way

13 Classical Security Target - CIA
- Availability: Prevention of unauthorized withholding of information or resources
  - Enforcing availability is not trivial and is one of the most serious problems of computer security
- Other Security Target ??
- Relationship between Confidentiality, Integrity, and Availability
  [Figure: C, I, A]
  - These three qualities are largely independent, but sometimes overlapping.
  - They can even be mutually exclusive, e.g., strong protection of confidentiality can severely restrict availability

14 The dilemma of security We can only have good security if everyone understands what security means, and agrees with the need for security. Security is a social problem, because it has no meaning until a person defines what it means to them. The harsh truth is: in practice, most users have little or no understanding of security. This is our biggest security hole.

15 The meaning of security lies in trust Every security problem boils down to a question of trust in the end. Whom or what do we trust? We introduce the idea of security for protecting ourselves against parties whom we do not trust. But how do we solve this problem? Usually, we introduce some kind of technology to move trust from a risky place to a safer place. For example, if we do not trust our neighbours not to steal our possessions, we put a lock on our door. We no longer have to trust our neighbours, but we have to trust that the lock will do its job in the way we expect.

16 The meaning of security lies in trust If we don't entirely trust the lock, we could install an alarm system which rings the police if someone breaks in. Now we are trusting the lock a little, the alarm system and the police. Every day, we go about our lives placing our trust in banks, cash terminals (ATM/minibanks), course examiners, police, government, restaurants (will they poison us today?) and a hundred other things. We do not question this trust, because it is seldom broken. But that is not always the case.

17 The meaning of security lies in trust When you learn to drive a dangerous piece of machinery, like a car, you are placing lives at risk, and most governments require you to pass an exam to show that you can use the equipment safely. Computer systems are just as capable of causing great damage, perhaps not to individuals so much as to society. We are so reliant on them that things fall apart quickly when they fail to work. Still, we do not demand that users take a driving test for computers. Nor do we demand that the computers themselves be safe to drive. Our trust in computers and their users is often quite misplaced. And this is where the problems lie.

18 Minimum requirements: Orange Book The only risk to computers is the people who come into contact with them: networked users. To minimize the effects of users on the system, we introduce security mechanisms. The Trusted Computer Security Evaluation Criteria (TSEC) Orange book was the first attempt to try to specify a standard for security management in the US in 1967. Although it concentrated on national security issues, the recommendations were also of general applicability.

19 Security Threats and Attacks
- A threat is a potential violation of security.
  - Flaws in design, implementation, and operation.
- An attack is any action that violates security.
  - Active adversary
  - An attack has an implicit concept of “intent”
  - Router mis-configuration or server crash can also cause loss of availability, but they are not attacks

20 Friends and enemies: Alice, Bob, Trudy
- Well-known in the network security world
- Bob, Alice (friends) want to communicate “securely”
- Trudy (intruder) may intercept, delete, add messages
[Figure: Alice (secure sender) and Bob (secure receiver) exchange data and control messages over a channel; Trudy]

21 Eavesdropping - Message Interception (Attack on Confidentiality)
- Unauthorized access to information
- Packet sniffers and wiretappers
- Illicit copying of files and programs
[Figure: A, B, Eavesdropper]

22 Integrity Attack - Tampering With Messages
- Stop the flow of the message
- Delay and optionally modify the message
- Release the message again
[Figure: A, B, Perpetrator]

23 Authenticity Attack - Fabrication
- Unauthorized assumption of other’s identity
- Generate and distribute objects under this identity
[Figure: A, B, Masquerader: from A]

24 Attack on Availability
- Destroy hardware (cutting fiber) or software
- Modify software in a subtle way (alias commands)
- Corrupt packets in transit
- Blatant denial of service (DoS):
  - Crashing the server
  - Overwhelm the server (use up its resource)
[Figure: A, B]

25 Classify Security Attacks as
- Passive attacks - eavesdropping on, or monitoring of, transmissions to:
  - obtain message contents, or
  - monitor traffic flows
- Active attacks - modification of data stream to:
  - masquerade of one entity as some other
  - replay previous messages
  - modify messages in transit
  - denial of service
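
Added example (not part of the original slides): a receiver B that rejects three of the active attacks listed above (modification, masquerade and replay) using a shared-secret MAC and a sequence number. The key, message fields and function names are assumptions made for illustration; the payload travels in the clear, so passive eavesdropping and denial of service are not addressed by this check.

```python
import hashlib
import hmac

# Constructed demo key shared by A and B (assumption: agreed out of band).
KEY_A = b"demo-key-shared-by-A-and-B"

def make_tag(key, sender, seq, payload):
    """MAC over sender, sequence number and payload (length-prefixed fields)."""
    fields = [sender.encode(), str(seq).encode(), payload]
    data = b"".join(len(f).to_bytes(4, "big") + f for f in fields)
    return hmac.new(key, data, hashlib.sha256).digest()

def send(key, sender, seq, payload):
    """Build a message as a dict; a real protocol would serialize it."""
    return {"sender": sender, "seq": seq, "payload": payload,
            "tag": make_tag(key, sender, seq, payload)}

class Receiver:
    def __init__(self, keys):
        self.keys = keys      # sender name -> shared key
        self.last_seq = {}    # sender name -> highest sequence number accepted

    def receive(self, msg):
        key = self.keys.get(msg["sender"])
        if key is None:
            return "reject: unknown sender"
        expected = make_tag(key, msg["sender"], msg["seq"], msg["payload"])
        # Constant-time comparison; fails for altered or forged messages.
        if not hmac.compare_digest(expected, msg["tag"]):
            return "reject: bad MAC (modified or fabricated)"
        # A valid but already-seen sequence number is a replayed message.
        if msg["seq"] <= self.last_seq.get(msg["sender"], 0):
            return "reject: replay"
        self.last_seq[msg["sender"]] = msg["seq"]
        return "accept"

def demo():
    bob = Receiver({"A": KEY_A})
    genuine = send(KEY_A, "A", 1, b"pay 10 to C")
    # Payload changed in transit, original tag left in place.
    tampered = dict(send(KEY_A, "A", 2, b"pay 10 to C"), payload=b"pay 99 to T")
    # Masquerader claims to be A but does not hold A's key.
    forged = send(b"key-guessed-by-trudy", "A", 3, b"pay 50 to T")
    return [bob.receive(genuine), bob.receive(genuine),
            bob.receive(tampered), bob.receive(forged)]

if __name__ == "__main__":
    for result in demo():
        print(result)
```

Modification and masquerade are indistinguishable to the receiver: both surface as a MAC failure, which is why the integrity and authenticity attacks on the earlier slides are countered by the same mechanism.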

26 Pieces of the Security Puzzle

27 ATTACKER TYPES
An attacker is a person who tries to gain an advantage by exploiting a security hole.
- Misfeasors
  - Authorized users gain additional but unauthorized access to resources on a system or misuse their authorization.
  - An "inside" person, someone within an organization
  - Programmers who use their accounts to exploit OS vulnerabilities and gain administrative privileges
  - Accountants who embezzle money by falsifying records in a database to which they have regular access
- Masqueraders
  - Using authorized user access privileges to enter a system and then, posing as that user, attack the system.
  - Persons outside the organization.
  - Hackers who obtain usernames and passwords by cracking password files, and then use that information to gain entry to the system.
- Clandestine users
  - Insiders or outsiders who obtain their own, distinct unauthorized access to a system.
  - Hackers who obtain administrative access to a system long enough to create their own user accounts for subsequent access.

28 WHO CAN CAUSE SECURITY PROBLEM AND WHY?
Adversary      Goal
Student        To have fun snooping on people’s email
Hacker         To test out someone’s security system; steal data
Businessman    To discover a competitor’s strategic marketing plan
Ex-employee    To get revenge for being fired
Accountant     To embezzle money from a company
Stockbroker    To deny a promise made to a customer by email
Con man        To steal credit card numbers for sale
Spy            To learn an enemy’s military strength
Terrorist      To steal germ warfare secrets

29 Common Goals of Attackers
- Trophy grabbing
  - Intent is not to disrupt or damage a system, but to prove that they can enter the system.
- Information theft
  - Intruders seek sensitive information such as credit card numbers, usernames, passwords, and medical records.
- Service theft
  - Use computer resources without paying for them.
- Identity theft
  - Act of illegally assuming the identity of another person to gain control of that person's resources.
- Tampering
  - Attacker alters data rather than copying it.
- Denial of service (DoS)
  - Diminish server capacity for authorized clients and temporarily disrupt access to the system.
  - In the worst cases, DoS attacks render a system unusable for a protracted period by destroying not only its ability to communicate, but also any data that has been entrusted to it.

30 Common Vulnerabilities That Attackers Prey Upon
- Implicit trust: The unquestioned, unchecked acceptance of a person or agent.
- Configuration error: An error in configuration or a failure to replace a default configuration with a more secure one.
- Public information: Leveraging well-known or easily obtainable information to expose weaknesses or to facilitate an attack.
- Weak design: A process or system that was not designed with security as a goal.
- Carelessness: Failure to observe procedures that would foster a secure environment, such as staying current with software patches or choosing good passwords.

31 DEFENSES AGAINST SECURITY ATTACKS
A defense is a countermeasure for dealing with security attacks.
- Obfuscation
  - Confusing the attacker by obscuring publicly available information that exposes vulnerability.
  - Examples include: anonymity, encryption, packet stuffing, public key cryptography, shielding, steganography, trash disposal
- Authentication and authorization
  - Ensuring that a person or system claiming an identity is the real owner of the identity, and granting access on a "must have" basis.
  - Examples include: badges and cards, biometrics, password, shared secret, signature, watermark
- Monitoring and auditing
  - Observing system vulnerabilities, either in real time or through audit tools, to detect attacks.
  - Examples include: filtering, firewall, integrity check, intrusion detection, misuse detection, password checker, peer review, process review, security audit tools, virus detection

32 DEFENSES AGAINST SECURITY ATTACKS
- Concurrency
  - Consistently using tested software updates and periodically reviewing human processes and procedures.
  - Examples include: patching, process review, upgrading
- Education and enforcement
  - Effectively equipping system designers and users with knowledge of security risks, and then enforcing application of this knowledge.
  - Examples include: reminders, tip of the day, training

33 Typical Attack Progression
[Figure: Intruder(s): Objective, Exploit Script. Victim(s): Vulnerabilities, Consequences.]
- Locate system to attack
- Gain user access
- Gain privileged access
- Cover tracks
- Install backdoors
- Attack other hosts
- Take or alter information
- Engage in other unauthorized activity

34 Classes Of Threats
- Disclosure: unauthorized access to information
- Deception: acceptance of false data
- Disruption: interruption or prevention of correct operation
- Usurpation: unauthorized control of some part of a system

35 Some Common Threats
- Snooping: unauthorized interception of information
  - Threat Class: Disclosure
  - Security Service: Confidentiality
- Modification or alteration: unauthorized change of information
  - Threat Class: Deception, Disruption and Usurpation
  - Security Service: Integrity
- Masquerading or spoofing: impersonation of one entity by another
  - Threat Class: Deception and Usurpation
  - Security Service: Integrity
- Repudiation of origin: a false denial that an entity sent (or created) something
  - Threat Class: Deception
  - Security Service: Integrity
- Denial of receipt: a false denial that an entity received some information or message.
  - Threat Class: Deception
  - Security Service: Integrity and availability

36 Some Common Threats
- Delay: a temporary inhibition of a service
  - Threat Class: Usurpation, Deception
  - Security Service: Availability
- Denial of service: a long-term inhibition of service
  - Threat Class: Usurpation
  - Security Service: Availability

37 Security Policy and Mechanism
- Policy: a statement of what is, and is not, allowed.
- Mechanism: a procedure, tool, or method of enforcing a policy.
- Security mechanisms implement functions that help prevent, detect, respond to, and recover from security attacks.
- Security functions are typically made available to users as a set of security services through APIs or integrated interfaces.
- Cryptography underlies many security mechanisms.

38 Assurance
- Specification
  - Requirements analysis
  - Statement of desired functionality
- Design
  - How system will meet specification
- Implementation
  - Programs/systems that carry out design

39 Operational Issues
- Cost-Benefit Analysis
  - Is it cheaper to prevent or recover?
- Risk Analysis
  - Should we protect something?
  - How much should we protect this thing?
- Laws and Customs
  - Are desired security measures illegal?
  - Will people do them?

40 Human Issues
- Organizational Problems
  - Power and responsibility
  - Financial benefits
- People problems
  - Outsiders and insiders
  - Social engineering

41 Tying Together
[Figure: Threats, Policy, Specification, Design, Implementation, Operation]

42 References [1] Intro to Computer Security by Matt Bishop [2] Computer Security by Dieter Gollmann

