
Introduction to Computer Security: Terminology, Security Policy

ECE 422 / CS 461 - Fall 2013

Acknowledgment: Thanks to Susan Hinrichs for her slides.

Outline

• Administrative Issues
• Class Overview
• Introduction to Computer Security
  – What is computer security?
  – Why computer security?
  – Computer security components
• Introduction to security policy

Staff etc.

• Staff
  – Instructors
    • David Nicol: First half (roughly Aug. 26 – Oct. 14)
    • Rakesh Bobba: Second half (roughly Oct. 16 – Dec. 12)
  – TAs
    • Balaji Manoharan
    • Ted Pacyga
• Office hours
  – David Nicol (held when teaching; 451 CSL)
    • TBD
  – Rakesh Bobba (held when teaching; 444 CSL)
    • TBD

Academic Honesty

• Review department and university cheating and honor codes:
  – http://www.ece.illinois.edu/students/ugrad/academic-honesty.html
  – https://wiki.engr.illinois.edu/display/undergradProg/Honor+Code
  – http://admin.illinois.edu/policy/code/article1_part4_1-402.html
• Expectations for exams, homeworks, projects, and papers
• When in doubt, ask!

Class Overview I – Format & Text

• Format
  – Meets two times a week (MW)
  – Mostly lecture based
• Text Books / Readings
  – Computer Security: Principles and Practice by William Stallings and Lawrie Brown, 2nd Ed.
  – Additional Readings
    • Links and documents posted in Compass
    • Books on reserve at library

Class Overview II – Lectures

• Lecture Slides – Disclaimer
  – Not intended to be self-sufficient
  – Going through lecture slides will NOT be enough to master course material

Class Overview III – Grades

• 2 midterms worth 20% each (total 40%)
  – Tentatively: October 2nd and November 6th
• Comprehensive Final worth 30%
  – Date & Time: December 16th, 8–11 AM
• In-class quizzes – 5%
• Homeworks & MPs – 25%
  – About 7–8 homeworks; can drop lowest homework
  – Submit homeworks via Compass2g
• Extra project for grad. students (4 credits) – 20%

Class Overview IV – Communication

• Class web page
  – https://wiki.engr.illinois.edu/display/ece422sp13/ECE422+-+CS461+Computer+Security+I+Fall+2013
  – Lecture slides, schedule, homeworks
• Lecture Videos (for online students)
  – https://wiki.engr.illinois.edu/display/ENGRonline/Fall+2013+CS+courses
• Compass2g
  – Homework submissions and grade distribution
• Piazza
  – For discussions
  – https://piazza.com/illinois/fall2013/cs461ece422/home

Security Classes Roadmap I

• 3 Introductory/General Courses
  – Computer Security I (CS461/ECE422)
    • Covers NSA 4011 security professional requirements
    • Taught every semester (mostly)
  – Computer Security II (CS463/ECE424)
    • Continues in greater depth on more advanced security topics
    • Taught every semester or so
  – Applied Computer Security Lab (CS460)
    • Generally taught in the spring
    • With CS461, covers NSA 4013 system administrator requirements
  – Two of the three courses will satisfy the Security Specialization in the CS track for Computer Science majors.

Security Classes Roadmap II

• Theoretical Foundations of Cryptography (CS 498) & Applied Cryptography (CS 598 MAN)
  – Prof. Manoj Prabhakaran
• Advanced Applied Cryptography (ECE 598 NB) & Privacy Enhancing Technologies (ECE 598 NB)
  – Prof. Nikita Borisov
• Cryptography (Math 595/ECE 559)
  – Prof. Blahut
• Malware Analysis (CS 498 SH)
• Security Reading Group (CS 591 RHC)
• Advanced Computer Security (CS 563)
• Local talks
  – http://www.iti.illinois.edu/content/seminars-and-events
• ITI Security Roadmap
  – http://www.iti.illinois.edu/education/course-roadmaps/security

ECE 422 / CS 461 Topics

• First course in computer security at UIUC
• Mix of motivation, design, planning, and mechanisms
• Covers the what, why, and how of computer security
  – Breadth-first look

What is computer security? Why do we need it?

• Art & science of protecting/securing computer systems?
• Because we need to protect/secure computers from … adversaries
  – Mischief makers (script kiddies)?
  – Hackers?
  – Hacktivists?
  – Ourselves (sometimes)
  – …

What is Computer Security?

• “The protection afforded to an automated information system in order to attain the applicable objectives of preserving the integrity, availability and confidentiality of information system resources (includes hardware, software, firmware, information/data, and telecommunications).”
  – NIST Security Handbook

Key Security Notions/Concepts

• Confidentiality
  – Preventing unauthorized access or disclosure
    • Keeping data confidential to authorized parties
  – Privacy (subtle difference)
• Integrity
  – Preventing unauthorized modifications
    • Data Integrity (integrity)
    • Origin Integrity (authentication)
• Availability
  – Ensuring timely availability of data, system services, etc.

Additional Security Concepts

• Authenticity
  – Property of being genuine; can be verified and trusted
  – Similar to authentication
• Accountability
  – Requirement for an entity's actions to be traced uniquely to that entity
  – Non-repudiation: one cannot repudiate one's actions

Why is computer security challenging?

• Both the systems to be protected and the security mechanisms can be quite complex and subtle
• Security mechanisms themselves might become targets or introduce unintended weaknesses
• A single weakness can bring down the system – defenders have to work harder
• Systems, environments, and adversaries are constantly evolving/changing
• Security often tends to be an afterthought rather than designed in
• …

Some Terminology

• Threat – Set of circumstances that has the potential to breach security and cause harm
• Vulnerability – Weakness in the system that could be exploited to violate a security property of interest
• Attack – When an entity exploits a vulnerability on a system
• Control or Countermeasure – A means to prevent a vulnerability from being exploited; or minimize harm from the vulnerability/attack; or detect an attack so recovery actions may be initiated
• Adversary – Threat agent

Classes of Threats

• Disclosure – Unauthorized access to information
• Deception – Acceptance of false data
• Disruption – Interruption or prevention of correct operation
• Usurpation – Unauthorized control of some part of a system

What security property(ies) or concept(s) does each class violate?

Some common threats

• Snooping or interception
  – Unauthorized interception of information
• Falsification
  – Unauthorized change of information
• Masquerading or spoofing
  – An impersonation of one entity by another
• Repudiation
  – A false denial that an entity received some information

Security Strategy

• Specification/Policy
  – What does it mean to be secure in a particular setting?
• Implementation/Mechanism
  – How to enforce the specified security policy?
• Correctness/Assurance
  – Does the security system work as advertised?

Specification/Policy

• Specification considerations
  – Security vs. ease of use
  – Return on investment – security business case
• Policy
  – A statement of what is and what is not allowed
  – Divides the world into secure and non-secure states
  – A secure system starts in a secure state. All transitions keep it in a secure state.

Is this situation secure?

• Web server accepts all connections
  – No authentication required
  – Self-registration
  – Connected to the Internet

Security Mechanism or Implementation

• A method, tool, or procedure for enforcing a security policy
  – Prevention
  – Detection
  – Response
  – Recovery

Trust and Assumptions

• Locks prevent unwanted physical access.
  – What are the assumptions this statement builds on?

Policy Assumptions

• Policy correctly divides the world into secure and insecure states.
• Mechanisms prevent transitions from secure to insecure states.

Assurance

• Evidence of how much to trust a system
• Evidence can include
  – System specifications
  – Design
  – Implementation

Aspirin Assurance Example

• Why do you trust aspirin from a major manufacturer?
  – FDA certifies the aspirin recipe
  – Factory follows manufacturing standards
  – Safety seals on bottles
• Analogy to software assurance

Key Points

• Must look at the big picture when securing a system
• Main components of security
  – Confidentiality
  – Integrity
  – Availability
• Differentiating Threats, Vulnerabilities, Attacks, and Controls
• Policy vs. mechanism
• Assurance

Security Policy

• A security policy is a formal statement of the rules by which people who are given access to an organization's technology and information assets must abide. (RFC 2196)
• Defines what it means for the organization to be in a secure state.
  – Otherwise people can claim ignorance.

Question

• University policy disallows cheating.
  – Alice forgets to write-protect her homework.
  – Bob copies it.
  – Who violated policy?

Question Part 2

• Alice posts her homework on the department bulletin board (or Piazza).
• Bob copies it.
• Who is at fault with respect to policy?

Mechanisms or Controls or Countermeasures

• Entity or procedure that enforces some part of the security policy
  – Access controls (like permission bits to prevent someone from reading a homework file)
  – Disallowing people from bringing CDs and floppy disks into a computer facility, to control what is placed on systems
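The policy/mechanism split from the slides above (secure states and transitions, the Alice/Bob homework question, and permission bits as an access control), as an added example that is not part of the lecture: a constructed model in which the policy predicate says a homework file may never be readable or writable by "other", and the only mechanism is the lab umask applied at file creation. The file model, user names, and umask values are assumptions made for the illustration.

```python
import stat

# Constructed model of the slides' policy/mechanism split, not lecture code.
# Policy (what): nobody but the owner may read or write a homework file.
# Mechanism (how): the lab umask applied at file creation, plus the permission
# bits the kernel checks on every read.

LAX_UMASK = 0o022       # common shell default: new files are world-readable
STRICT_UMASK = 0o077    # a "Linux Lab umask setting": new files are owner-only
EDITOR_REQUEST = 0o666  # mode a typical editor asks for when creating a file

def create_file(owner, requested_mode, umask):
    """Model of creat(2): every bit set in the umask is cleared from the mode."""
    return {"owner": owner, "mode": requested_mode & ~umask & 0o777}

def chmod(file, new_mode):
    """Model of chmod(2): the owner replaces the permission bits outright."""
    return {"owner": file["owner"], "mode": new_mode & 0o777}

def can_read(file, user):
    """The access-control check the kernel makes; groups ignored for brevity."""
    bit = stat.S_IRUSR if user == file["owner"] else stat.S_IROTH
    return bool(file["mode"] & bit)

def is_secure_state(files):
    """Policy predicate: secure iff no file is readable or writable by 'other'."""
    return all(not (f["mode"] & (stat.S_IROTH | stat.S_IWOTH)) for f in files.values())

def run_scenario(umask, later_chmod=None):
    """Start in a secure state (no files), apply transitions, record each state."""
    files = {}
    trace = [is_secure_state(files)]
    # Transition 1: Alice creates her homework and never thinks about permissions.
    files["alice_hw"] = create_file("alice", EDITOR_REQUEST, umask)
    trace.append(is_secure_state(files))
    # Transition 2 (optional): Alice runs chmod herself, which the umask cannot stop.
    if later_chmod is not None:
        files["alice_hw"] = chmod(files["alice_hw"], later_chmod)
        trace.append(is_secure_state(files))
    return {"mode": oct(files["alice_hw"]["mode"]),
            "bob_can_read": can_read(files["alice_hw"], "bob"),
            "states_secure": trace}

if __name__ == "__main__":
    print("umask 022:", run_scenario(LAX_UMASK))
    print("umask 077:", run_scenario(STRICT_UMASK))
    print("umask 077, then chmod 644:", run_scenario(STRICT_UMASK, later_chmod=0o644))
```

With the lax umask the first transition already leaves the secure state (Bob can read), while the strict umask keeps it; the third run shows that a umask enforces only part of the policy, since the owner's own chmod is a transition it does not cover.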

Hierarchy of Policy

(Diagram: each level refines the one above it.)

• Organizational Policy
  – Departmental Policy
    • Department Standards
      – CSIL-Linux10 SE Linux Policy
        • Linux Lab Umask settings

Natural Language Security Policies

• Targeting humans
  – Written at different levels
    • To inform end users
    • To inform lawyers
    • To inform technicians
    • Users, owners, beneficiaries (customers)
• As with all policies, should define purpose, not mechanism
  – May have additional documents that define how policy maps to mechanism
• Should be enduring
  – Don't want to update with each change to technology
• Shows due diligence on the part of the organization

Key Parts of Organizational Policy

1. What is being protected? Why?
2. Generally, how should it be protected?
3. Who is responsible for ensuring the policy is applied?
4. How are conflicts and discrepancies to be interpreted and resolved?

How to Write a Policy

• Understand your environment
  – Risk Analysis (see next lecture)
• Understand your industry
  – Look for “standards” from similar companies
  – Leverage others' wisdom
  – Already proven with auditors/regulators
• Standards
  – ISO 17799 – Code of Practice for Information Security Management
  – COBIT – Control Objectives for Information and Related Technology
  – SANS, CERT have policy guidelines
• Gather the right set of people
  – Technical experts, the person ultimately responsible, the person who can make it happen
  – Not just the security policy “expert”

Security Policy Life Cycle

(Diagram: a cycle.) Risk Analysis → Policy Development → Policy Approval → Policy Implementation → Raising Awareness → Reassessment → back to Risk Analysis

Security Policy Contents

• Purpose – Why are we trying to secure things?
• Identify protected resources
• Who is responsible for protecting
  – What kind of protection? Degree, but probably not precise mechanism.
• Cover all cases
• Realistic

More Specific Policy Content Ideas

• Principles of Security
• Organizational Reporting Structure
• Physical Security
• Hiring, management, firing
• Data protection
• Communication security
• Hardware
• Software
• Operating systems
• Technical support
• Privacy
• Access
• Accountability
• Authentication
• Availability
• Maintenance
• Violations reporting
• Business continuity
• Supporting information

University of Illinois Information Security Policies

• University of Illinois Information Security Policies
  – System-wide policy; identifies what, not how
  – http://www.obfs.uillinois.edu/cms/one.aspx?pageId=914038
• CITES UIUC standards and guidelines
  – DNS – http://www.cites.uiuc.edu/dns/standards.html
• CS Department policies
  – https://wiki.engr.illinois.edu/display/tsg/Policies

Example Privacy Policies

• Busey Bank
  – https://www.busey.com/home/fiFiles/static/documents/privacy.pdf
  – Financial Privacy Policy
    • Targets handling of personal non-public data
    • Clarifies what data is protected
    • Who the data is shared with

Poorly Written Policies

• Cars.gov – Had the following in its click-through policy for dealers:
  • “This application provides access to the [Department of Transportation] DoT CARS system. When logged on to the CARS system, your computer is considered a Federal computer system and is the property of the U.S. Government. Any or all uses of this system and all files on this system may be intercepted, monitored, recorded, copied, audited, inspected, and disclosed... to authorized CARS, DoT, and law enforcement personnel, as well as authorized officials of other agencies, both domestic and foreign.”
• According to EFF
  – http://www.eff.org/deeplinks/2009/08/cars-gov-terms-service

Example Acceptable Use Policy

• IEEE Email Acceptable Use Policy
  – http://eleccomm.ieee.org/email-aup.shtml
  – Informs the user of what he can do with IEEE email
  – Informs the user of what IEEE will provide
    • Does not accept responsibility for actions resulting from user email
    • Does not guarantee privacy of IEEE computers and networks
  – Examples of acceptable and unacceptable use

Key Points

• Security policy bridges between human expectations and implementation reality
