Chapter 1. Introduction to Information Securitysecuresw.dankook.ac.kr/ISS18-1/ISS_2018_03_Intro_part3.pdfConfidentiality (Secrecy) - only authorized parties can view private information

Seong-je Cho

Spring 2018

Computer Security & Operating Systems Lab, DKU

Introduction to Software Security

Chapter 1.

Introduction to Information Security

- 2 -

References

Textbook

N. Vlajic, CSE 3482: Introduction to Computer Security, Yorku

Please do not duplicate and distribute

Computer Security & OS Lab, DKU

- 3 -

Contents

The cast of characters

Alice’s online Bank

Type of Security Threats

C.I.A of Information Security

Confidentiality

Integrity

Availability

Extended CIA Framework

Main components of a security threat

About the textbook


- 4 -

The Cast of Characters


Alice and Bob are the good guys

Trudy is the bad guy

Trudy is our generic “intruder”

- 5 -

Alice’s Online Bank (AOB)

Alice opens Alice’s Online Bank (AOB)

What are Alice’s security concerns?

What type of security threats are there?

If Bob is a customer of AOB, what are his security concerns?

How are Alice and Bob concerns similar? How are they different?

How does Trudy view the situation?


- 6 -

Type of Threats (Security Attacks)

Trudy tries to know Bob’s account number/balance, PIN, …

Trudy tries to withdraw money from Bob’s account

Trudy tries to change Bob’s account balance

Trudy tries to improperly change his own account balance if he opens a savings account

There may be too many transactions to provide normal services


- 7 -

Type of Threats (Security Attacks)

Interruption: asset is lost or unavailable, DoS attacks

Interception: unauthorized access, wiretapping, illegal copying

Modification: changes/alteration into DB/program file

Fabrication: insert spurious transaction, illegally add entry to passwd file or DB


- 8 -

Key Security Properties : C.I.A.

Confidentiality

AOB must prevent Trudy from learning Bob’s account balance

Confidentiality: prevent unauthorized reading of information

Integrity

Trudy must not be able to change Bob’s account balance

Bob must not be able to improperly change his own account balance

Integrity: prevent unauthorized writing of information

Availability AOB’s information must be available when needed

Alice must be able to make transaction If not, Bob’ll take his business elsewhere

Availability: Data is available in a timely manner when needed

Availability is a “new” security concern In response to denial of service (DoS)


- 9 -

Key Security Properties (Security Goals)

C.I.A. Triangle – 3 key characteristics of information that must be protected by information security:

Confidentiality (Secrecy) - only authorized parties can view private information

Integrity - information is changed only in a specified and authorized manner (by authorized users)

Availability - information is accessible to authorized users whenever needed


An information systems is secure if it supports C.I.A.

- 10 -

Beyond CIA

CIA are only beginning of the Info Sec.

Case 1: when Bob logs on his computer

How does Bob’s computer know that “Bob” is really Bob and not Trudy?

Bob’s password must be verified

This requires some clever cryptography

What are security concerns of pwds?

Are there alternatives to passwords?

Case2: when Bob logs into AOB

how does AOB know that “Bob” is really Bob?

As before, Bob’s password is verified

Unlike standalone computer case, network security issues arise

What are network security concerns?

Protocols are critically important

Crypto also important in protocols


- 11 -

Beyond CIA

Once Bob is authenticated by AOB, then AOB must restrict actions of Bob

Bob can’t view Charlie’s account info

Bob can’t install new software, etc.

Enforcing these restrictions is known as authorization

Access control includes both authentication and authorization

Cryptography, protocols, and access control are implemented in software

What are security issues of software?

Most software is complex and buggy

Software flaws lead to security flaws

How to reduce flaws in software development?


- 12 -

Beyond CIA

Some software is intentionally evil

Malware: computer viruses, worms, etc.

How do the malwares work?

What can Alice and Bob do to protect themselves from malware?

What can Trudy do to make malware more “effective”?

Operating systems enforce security

For example, authorization

OS: large and complex software

Win XP has 40,000,000 lines of code!

Subject to bugs and flaws like any other software

Many security issues specific to OSs

Can you trust an OS?


- 13 -

Extended C.I.A. Triangle

some security experts feel that additional concept need to be added to the CIA triad:

Authentication - being able to verify that users are who they claim to be, and that each data input has come from a trusted source

User or data origin accurately identifiable

Accountability - being able to trace actions of an entity uniquely to that entity

Actions are traceable to those responsible


- 14 -

Extended CIA Framework


• The Pillars of Information Security

• Futuristic Approach to Ensuring Data Security in Clouds

Examples of C.I.A.A.A


- 16 -

Example: DATA CONFIDENTIALITY

Student grade – an information asset of high importance for student.

In US, release of such information is regulated by Family Educational Rights and Privacy Act(FERPA).

Grade information should only be available to students, their parents and employees that require this information to do their job.

In Canada, the same issue is regulated by Personal Information Protection and Electronic Documents Act (PIPEDA).


- 17 -

Example: How to ensure data confidentiality?

cryptography

strong access control

Never access, No read, No view

limiting number of places where data can appear

(e.g., cannot be stored on an USB)


- 18 -

Example: DATA Integrity

Patient information in a hospital – the doctor should be able to trust that the information is correct and current.

Inaccurate info could result in serious harm to the patient end expose the hospital to massive liability.

In US, Health Insurance Portability and Accountability Act (HIPAA) regulates the collection, storage, and transmission of sensitive personal health care information.

Hospital is responsible for safeguarding patient information against error, loss, defacing, tampering and unauthorized use.

(Ontario’s Personal Health Information Protection Act -PHIPA)


- 19 -

Example: How to ensure data integrity?

strong access control - prevents attacks on data integrity

Cryptographic hashing

Detects attacks

on data integrity

documenting system activity - who did what and when

detects attacks on data integrity


- 20 -

Example: DATA Availability

Accessible and properly functioning web site – a key asset for an e-commerce company.

E.g., a DDoS attack could make the site

unavailable and cause significant loss

in revenue and reputation.

In US, Computer Fraud and Abuse Act (CFAA) applies to DoS-related attacks.

In Canada, DoS activities are regulated under Criminal Code of Canada, Section 342: Unauthorized Use of Computer


- 21 -

Example: How to ensure data availability?

anti-DDoS system (in case of attack that attempt to prevent access by blocking the bandwidth/server):

e.g., content distribution networks, scrubbing centers


well established backup procedure (in case of attacks that attempt to prevent access by destroying data)

- 22 -

Example: CIA of different IT components


Computer and Network Assets, with Examples of Threats.

Security Threats


- 24 -

Microsoft STRIDE model


Threat Definition Example

Spoofing An attacker tries to be something or someone he/she isn’t

Phising attack to fool user into sending credentials to fake site

Tampering An attacker attempts to modify data that’s exchanged between your application and a legitimate user

Message integrity compromised to change parameters or values

Repudiation An attacker or actor can perform an action with your application that is not attributable

Illegitimately claiming a transaction was not completed

Information disclosure

An attacker can read the private data that your application is transmitting or storing

Unencrypted message sniffed off the network

Denial of Service

An attacker can prevent your legitimate users from accessing your application or service

System flooded by requests until web server fails

Elevation of Privilege

An attacker is able to gain elevated access rights through unauthorized means

Attacker changes group membership. Rooting

- 25 -

Security Threat

any action/inaction that could cause disclosure, alteration, loss, damage or unavailability of a company’s/individual’s assets

Three main components of a security threat:

Target [asset with vulnerability]: organization’s asset that might be attacked

information(its confidentiality, integrity, availability), software, hardware, network service,

system resource, etc.

Agent [may or may not be present]: people/organizations originating the threat –intentional or non-intentional

employees, ex-employees, hackers, commercial rivals, terrorists, …

Event: action that exploits target’s vulnerability

malicious/ accidental destruction or alteration of information, misuse of authorized

information, etc.


- 26 -

Example: Threat in WiFi network


- 27 -

Examples of Threats

Threat without Agent

Asset with vulnerability: Data on a server, Not backuped!

Event: Flood or fire in the server room

Outsider vs. insider, deliberate vs. accidental

Asset with vulnerability

Agent: outsider or insider

Example of insider agent: SysAdmin has added a new software to the system and has

forgotten to change the password

Event: deliberate or accidental

Attack

Asset with vulnerability

Event: deliberate

Agent executed threat event deliberately Attack


- 28 -

Threat Events

Categories of Threat Events


- 29 -

Threat Events: Intentional Attacks

Passive Attack – attempts to learn or make use of info. from the system but does not affect system resources

compromises Confidentiality

generally hard to detect !!!

examples: release of message content and traffic sniffing

Active Attack – attempts to alter system resources or affect their operation

compromises Integrity or Availability

examples: masquerade, data modification and DoS


- 30 -

Threat Events: Software Attacks

Deliberate Software Attacks

a deliberate action aimed to violate / compromise a system’s security through the use of specialized software

types of attacks:

a) Use of Malware

b) Password Cracking

c) DoS and DDoS

d) Spoofing

e) Sniffing

f) Man-in-the-Middle

g) Phishing

h) Pharming


Security Life Cycle,

Cyber Security Essentials


- 32 -

Security Life Cycle

first defining a security policy

then choosing some mechanism to enforce the policy

finally providing assurance that both the mechanism and the policy are sound

Spec/policy: What the sys supposed to do?

Impl/mechanism: How does it do it?

Correctness/assurance: Does it really work?

Human nature: Can the sys survive “clever” user?

The focus of the text book

Implementation/mechanism

Why?


- 33 -

10 Steps to Cyber Security


If 10 large steps are too complex for small organizations, …

- 34 -

Cyber Security Essentials

It requires …

Five Mandatory Controls:


The text consists of four major parts• Cryptography

• Access control

• Protocols

• Software


- 36 -

Cryptography & Access Control

Cryptography

Classic cryptography

Symmetric ciphers

Public key cryptography

Hash functions

Advanced cryptanalysis

Access Control

Authentication

Passwords

Biometrics and other

Authorization

Access Control Lists and Capabilities

Multilevel security (MLS), security modeling, covert channel, inference control

Firewalls and Intrusion Detection Systems


- 37 -

Protocols

Simple authentication protocols

“Butterfly effect” small change can have drastic effect on security

Cryptography used in protocols

Real-world security protocols

SSL

IPSec

Kerberos

GSM security


- 38 -

Software

Software security-critical flaws

Buffer overflow

Other common flaws

Incomplete Mediation

Race Conditions

Malware

Specific viruses and worms

Prevention and detection

The future of malware

Software reverse engineering (SRE) How hackers “dissect” software

Digital rights management (DRM) Shows difficulty of security in software

Also raises OS security issues

Limits of testing Open source vs closed source


- 39 -

Software

Operating systems Basic OS security issues

“Trusted” OS requirements

NGSCB(“n-scub): Microsoft’s trusted OS for PC Next Generation Secure Computing Base

Software is a big security topic Lots of material to cover

Lots of security problems to consider


- 40 -

Think Like Trudy

In the past, no respectable sources talked about “hacking” in detail

It was argued that such info would help hackers

Very recently, this has changed

Books on network hacking, how to write evil software, how to hack software, etc.

Good guys must think like bad guys!

A police detective

Must study and understand criminals

In information security

We want to understand Trudy’s motives

We must know Trudy’s methods

We’ll often pretend to be Trudy


- 41 -

Think Like Trudy

Is all of this security information a good idea?

“It’s about time somebody wrote a book to teach the good guys what the bad guys already know.” Bruce Schneier

We must try to think like Trudy

We must study Trudy’s methods

We can admire Trudy’s cleverness

Often, we can’t help but laugh at Alice and Bob’s stupidity

But, we cannot act like Trudy


- 42 -

In This Course…

Always think like the bad guy

Always look for weaknesses

Strive to find a weak link

It’s OK to break the rules

Think like Trudy!

But don’t do anything illegal…


- 43 -

Summary, Q & A

Threat models

Microsoft STRIDE

Three main components of a security threat

Target, Agent, Event

Security properties = Security goal

CIA

The text consists of four major parts Cryptography

Access control

Protocols

Software
