03/30/22 Madhumita. Chatterjee 1 Overview of Computer Security


Overview of Computer Security


Security concerns on the Internet

- Highly contagious viruses
- Defacing web pages
- Credit card number theft
- On-line scams
- Intellectual property theft
- Wiping out data
- Denial of service
- Spam emails
- Etc.


Who are the attackers?

- Unintended blunders
- Hackers driven by technical challenges
- Disgruntled employees or customers
- Petty criminals
- Organized crime
- Organized terror groups
- Information warfare


Vulnerabilities

- Application security
  - Buggy code
  - Buffer overflows
- Host security
  - Server side
  - Client side
- Transmission security
- Network security


Security Requirements

- Confidentiality: protection from disclosure to unauthorized persons.
- Authenticity: the identification and assurance of the origin of information.
- Integrity: the trustworthiness of data or resources in terms of preventing improper and unauthorized changes.
- Non-repudiation: the originator cannot deny sending the message.


Security Requirements - Cont’d

- Availability: the ability to use the information or resource desired.
- Access control
- Anonymity


Security Mechanisms

- System security: “Nothing bad happens to my computers and equipment”
  - Virus, trojan horse, logic/time bombs
- Network security
  - Authentication mechanisms: “you are who you say you are”
  - Access control: firewalls, proxies... who can do what?
- Data security: “For your eyes only”
  - Encryption, digests, signatures

Security Mechanisms - Cont’d

- Encipherment: hiding or covering data
- Data integrity: appends a checkvalue to data
- Digital signature: electronic signature
- Authentication exchange: two parties exchange messages to prove their identities


Security Mechanisms - Cont’d

- Traffic padding: inserting bogus data into traffic
- Routing control: changing different available routes between sender and receiver
- Notarization: selecting a trusted third party to control communication
- Access control


Security Threats and Attacks

- A threat is a potential violation of security.
  - Flaws in design, implementation, and operation.
- An attack is any action that violates security.
  - Active adversary.

- Threat to confidentiality
  - Snooping
  - Traffic analysis
- Threat to integrity
  - Modification
  - Masquerading
  - Replaying
  - Repudiation
- Threat to availability
  - Denial of service


Eavesdropping - Message Interception (Attack on Confidentiality)

- Unauthorized access to information
- Packet sniffers and wiretappers
- Illicit copying of files and programs

[Figure: S, R and Eavesdropper]


Integrity Attack - Tampering With Messages

- Stop the flow of the message
- Delay and optionally modify the message
- Release the message again

[Figure: S, R and Perpetrator]
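An added example (not part of the original slides) of the data integrity mechanism listed earlier, a checkvalue appended to the data, as seen by the receiver during the tampering attack above: an HMAC-SHA256 checkvalue exposes modification and masquerading, and a sequence number exposes replaying. The key, message layout and all names are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

KEY = b"constructed-demo-key"   # constructed shared secret between S and R (assumption)
TAG_LEN = 32                    # HMAC-SHA256 output size in bytes

def seal(key, seq, payload):
    """Sender S: 8-byte sequence number + payload + appended checkvalue."""
    body = struct.pack(">Q", seq) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()

class Receiver:
    """Receiver R: accept only if the checkvalue verifies and the sequence number is new."""
    def __init__(self, key):
        self.key = key
        self.last_seq = -1

    def accept(self, wire):
        if len(wire) < 8 + TAG_LEN:
            return ("rejected", "truncated")
        body, tag = wire[:-TAG_LEN], wire[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):      # constant-time comparison
            return ("rejected", "checkvalue mismatch")
        seq = struct.unpack(">Q", body[:8])[0]
        if seq <= self.last_seq:                        # seen before: replayed or stale
            return ("rejected", "replayed or stale sequence number")
        self.last_seq = seq
        return ("accepted", body[8:].decode())

def demo():
    """Constructed messages: two genuine, one modified, one replayed, one forged."""
    r = Receiver(KEY)
    m0 = seal(KEY, 0, b"pay 10 to carol")
    m1 = seal(KEY, 1, b"pay 20 to dave")
    tampered = m1.replace(b"20", b"90", 1)              # modification in transit
    forged = seal(b"not-the-shared-key", 2, b"pay 50 to eve")  # masquerading as S
    return [r.accept(m0), r.accept(tampered), r.accept(m1),
            r.accept(m0), r.accept(forged)]

if __name__ == "__main__":
    for result in demo():
        print(result)
```

Because an HMAC uses a key shared by both parties, it does not provide non-repudiation; that service requires a digital signature.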


Authenticity Attack - Fabrication

- Unauthorized assumption of other’s identity
- Generate and distribute objects under this identity

[Figure: S, R and Masquerader: from S]


Attack on Availability

- Destroy hardware (cutting fiber) or software
- Modify software in a subtle way (alias commands)
- Corrupt packets in transit
- Blatant denial of service (DoS):
  - Crashing the server
  - Overwhelm the server (use up its resources)

[Figure: S and R]


Impact of Attacks

- Theft of confidential information
- Unauthorized use of
  - Network bandwidth
  - Computing resources
- Spread of false information
- Disruption of legitimate services

All attacks can be related and are dangerous!

Passive vs Active Attacks

Attacks                                            | Passive/Active | Threatening
Snooping, Traffic Analysis                         | Passive        | Confidentiality
Modification, Masquerading, Replaying, Repudiation | Active         | Integrity
Denial of Service                                  | Active         | Availability


Close-knit Attack Family

[Figure: diagram relating passive attacks (sniff for content; traffic analysis - who is talking) to active attacks (jam/cut it; capture & modify; pretend; re-target). Labels: "who to impersonate", "I need to be Bill".]


Security Policy and Mechanism

- Policy: a statement of what is, and is not, allowed.
- Mechanism: a procedure, tool, or method of enforcing a policy.
- Security mechanisms implement functions that help prevent, detect, respond to, and recover from security attacks.
- Security functions are typically made available to users as a set of security services through APIs or integrated interfaces.
- Cryptography underlies many security mechanisms.


Security Services

- Confidentiality: protection of any information from being exposed to unintended entities.
  - Information content.
  - Parties involved.
  - Where they are, how they communicate, how often, etc.


Security Services - Cont’d

- Authentication: assurance that an entity of concern or the origin of a communication is authentic - it’s what it claims to be or from
- Integrity: assurance that the information has not been tampered with
- Non-repudiation: offer of evidence that a party indeed is the sender or a receiver of certain information


Security Services - Cont’d

- Access control: facilities to determine and enforce who is allowed access to what resources, hosts, software, network connections
- Monitor & response: facilities for monitoring security attacks, generating indications, surviving (tolerating) and recovering from attacks


Security Services - Cont’d

- Security management: facilities for coordinating users’ service requirements and mechanism implementations throughout the enterprise network and across the Internet
  - Trust model
  - Trust communication protocol
  - Trust management infrastructure

Relation between security services and mechanisms

Security Service     | Security Mechanisms
Data Confidentiality | Encipherment and routing control
Data Integrity       | Encipherment, digital signature, data integrity
Authentication       | Encipherment, digital signature, authentication exchanges
Non-repudiation      | Digital signature, data integrity and notarization
Access control       | Access control mechanisms


Security Goals

[Figure: Integrity, Confidentiality, Availability]

Security Techniques

- Cryptography
  - Symmetric key encipherment
  - Asymmetric key encipherment
  - Hashing
- Steganography
  - Covered writing


Methods of Defence

- Encryption
- Software controls (access limitations in a database; in an operating system, protect each user from other users)
- Hardware controls (smartcard)
- Policies (frequent changes of passwords)
- Physical controls