19
© 2018 CrySyS Lab, BME Basic Security Concepts Levente Buttyán CrySyS Lab, BME HIT [email protected] w w w . c r y s y s . h u

Basic Security Concepts - CrySyS

  • Upload
    others

  • View
    11

  • Download
    0

Embed Size (px)

Citation preview

Page 1: Basic Security Concepts - CrySyS

©2018CrySySLab,BME

BasicSecurityConceptsLevente ButtyánCrySyS Lab,[email protected]

w w w . c r y s y s . h u

Page 2: Basic Security Concepts - CrySyS

|

(IT)Security

Securitymeansmanagementofrisksresultingfromdeliberateattacks

– lossofconfidentiality,integrity,oravailability (CIA)ofinformationthatisprocessed,stored,andtransferredbycomputingsystems,

– unauthorizedaccess tocomputingsystems,and

– illegitimateuse,corruption,ordenial ofservicesprovidedbycomputingsystems.

Basicsecurityconcepts 2

Confidentiality

Integrity Availability

Informationcannotbeobtained

Informationcannotbe

modified,added,ordeleted

Informationisavailable whenandtowhomitis

needed

CIAtriad

Page 3: Basic Security Concepts - CrySyS

|

Security=RiskManagement

Securityisaprocess,nota(desired)stateofthesystem.

Basicsecurityconcepts 3

Securityengineering

selectionanddeploymentofsecuritycontrolstominimizeriskundersomebudgetconstraints

Securityoperations

usingsecuritycontrolsforattackpreventionanddetection+handlingsecurityincidents

Page 4: Basic Security Concepts - CrySyS

|

Commoninformationsecuritygoals

§ Confidentiality§ Integrity§ Availability§ Authenticity§ Non-repudiation§ Privacy

Basicsecurityconcepts 4

CIA

Page 5: Basic Security Concepts - CrySyS

|

Commonsystemsecuritygoals

§ (Entity)Authentication§ Authorization(accesscontrol)§ Accountability§ Integrity§ Availability§ Anonymity

Basicsecurityconcepts 5

AAA

Page 6: Basic Security Concepts - CrySyS

|

Riskfactors

Basicsecurityconcepts 6

Likelihoodofattack Impact(Loss)directindirect(e.g.,reputation)

Page 7: Basic Security Concepts - CrySyS

|

Threats(attackers,adversaries)

§ motivations§ informationgatheringcapabilities§ leveloftechnicalexpertise§ amountofresources

Basicsecurityconcepts 7

Page 8: Basic Security Concepts - CrySyS

|

Commonattackermodels

Basicsecurityconcepts 8

technicalexpertise

informationgatheringcapabilities

+

+--

AdvancedPersistentThreat

cybercrimeorganization

securityresearcher

scriptkiddie

hacktivistgroup

disgruntledemployee

Page 9: Basic Security Concepts - CrySyS

|

Vulnerabilities

§ Weaknessesatdifferentsystemarchitecturelevels– Hardware– Software– Interfaces(e.g.,API)– Protocols

§ Introducedindifferentsystemlifecyclephases– Designflaws– Implementationerrors– Operationalmistakes

Basicsecurityconcepts 9

Page 10: Basic Security Concepts - CrySyS

|

Knownvulnerabilities

§ Technicalvulnerabilities(inadesignorimplementation)maybepubliclydisclosedthrougharesponsibledisclosureprocedure

§ Reportedvulnerabilitiesgetgloballyrecognizedidentifiers– CVEID– CommonVulnerabilitiesandExposures(cve.mitre.org)

§ Informationonreportedvulnerabilitiesisstoredinpubliclyavailabledatabases– structuredvulnerabilityinformationinasearchableform– example:USNationalVulnerabilityDatabase(nvd.nist.gov)

Basicsecurityconcepts 10

Page 11: Basic Security Concepts - CrySyS

|

Zero-dayvulnerabilities

§ Somevulnerabilitiesare known only to attackers– some companiesmake their living outoffindingandselling such zero-

day vulnerabilities (or exploits)to criminals andgovernments

§ Zero-day vulnerabilitiesare dangerous,because potentialvictims are usually not prepared for them

§ They are expensive,henceoften used only intargeted attacks– successfully compromisingaparticular target isimportant– risk ofdetection andexposure ofthe zero-day vulnerability issmall

Basicsecurityconcepts 11

Page 12: Basic Security Concepts - CrySyS

|

Whydovulnerabilitiesexist?

§ Complexityofsystems§ Lackorlimitationsofmethods

– fordesignandimplementationofsecuresystems– forsecurityverificationandtestingofexistingsystems

§ Limitationofresources– money– time– workforce

§ Makingwrongassumptions– duringdesign– duringoperations

§ Creatingpoorspecificationsforimplementers

Basicsecurityconcepts 12

Page 13: Basic Security Concepts - CrySyS

|

Attacks

§ Anattackisaprocessinwhichvulnerabilitiesareexploitedbyanattackerinordertosubvertsecuritygoals

§ Anattackmaybeacomplexprocess…

Basicsecurityconcepts 13

Killchainmodel

Attacktreemodel

Page 14: Basic Security Concepts - CrySyS

|

Example– Stuxnet attackgraph

Basicsecurityconcepts 14

Page 15: Basic Security Concepts - CrySyS

|

Example– Stuxnet attackgraph

Basicsecurityconcepts 15

Page 16: Basic Security Concepts - CrySyS

|

Securitymechanisms

§ mechanisms/controls/countermeasures§ Securitymechanismsaimatreducingrisk§ Generalclassificationofapproaches

– Prevention» Encryption» Passwordbaseduserauthentication» Referencemonitor intheOSchecking fileaccessrights» Firewallsfilteringnetworktraffic» …» Tamperresistanthousing ofHW» Securityeducation

– Detectionandreaction» Messageauthenticationcodes» Anti-virussoftware» Networkintrusion detectionsystem(IDS)» …

Basicsecurityconcepts 16

Page 17: Basic Security Concepts - CrySyS

|

Securityengineering

§ Selectionanddeploymentofsecuritycontrolstominimizeriskundersomebudgetconstraints

§ Typicalquestionstoconsider:– Whatassetsdowehaveinoursystem?– Whataretheplausiblethreats?– Whataretheknownvulnerabilitiesofoursystem?– Whatisthelikelihoodofthosevulnerabilitiesbeingexploitedbythe

plausiblethreats?– Whatistheexpectedlosswhenassetsareattackedsuccessfully?– Whatcountermeasurescanreducetheriskinacosteffectiveway?

§ Resultingsecurityarchitecturewillhavetrade-offs– Securityvs.services,features,usability,efficiency,cost,…– Typically,somerisksremainuncovered!

Basicsecurityconcepts 17

Page 18: Basic Security Concepts - CrySyS

|

Securityincidentresponse

§ Securityincident– resultofasuccessfulattack– Attackpreventionanddetectionmechanismsfailed– Onlytheconsequencesoftheattackaredetected

» Yourharddiscisencrypted» Someone logged inasroot(anditwasnotthesysadmin)» LargefilesaresentregularlytoanIPaddressinNorthKorea» Yourcompany’swebsiteisdefaced» Airbag inyourcardidnotopen inanaccidentL

§ Securityincidentresponsegoals– Containment– Recovery– Investigation– Feedback

Basicsecurityconcepts 18

Don’tpanic!

Needsproperpreparation!

backupslogs

Page 19: Basic Security Concepts - CrySyS

|

Whyissecurityhard?

§ Difficultieswithsecurityriskassessment§ Asymmetrybetweentheattackerandthedefendersides§ Misplacedincentives§ Lackorill-definedregulations§ Difficultiesinsecurityeducation

Basicsecurityconcepts 19


Crysys - Skywiper (Flame)

Crysys - Skywiper (Flame)

Documents
1 Introduction Basic concepts Basic concepts Terminology Terminology

1 Introduction Basic concepts Basic concepts Terminology Terminology

Documents
Basic Concepts in Basic Concepts in Dysmorphology

Basic Concepts in Basic Concepts in Dysmorphology

Documents
basic concepts

basic concepts

Documents
Basic Filters: Basic Concepts

Basic Filters: Basic Concepts

Documents
Basic concepts of microscopy Basic Concepts of Microscopy

Basic concepts of microscopy Basic Concepts of Microscopy

Documents
CHAPTER 2: BASIC COST MANAGEMENT CONCEPTS 2: Basic Cost Management Concepts . Chapter 2: Basic Cost Management Concepts

CHAPTER 2: BASIC COST MANAGEMENT CONCEPTS 2: Basic Cost Management Concepts . Chapter 2: Basic Cost Management Concepts

Documents
Understanding Security APIs - CrySyS

Understanding Security APIs - CrySyS

Documents
INFOCOMMUNICATIONS JOURNAL, VOL.?, NO ... - CrySyS Lab

INFOCOMMUNICATIONS JOURNAL, VOL.?, NO ... - CrySyS Lab

Documents