CIS/TCOM 551 Computer and Network Security Slide Set 2 Carl A. Gunter Spring 2004

Page 1

CIS/TCOM 551 Computer and Network Security, Slide Set 2

Carl A. Gunter, Spring 2004

Page 2

Introduction to Security

Goals
- Availability
- Integrity
- Confidentiality

Targets
- Hardware
- Software
- Data

Controls
- Physical security
- Limited interface
- Identification and authorization
- Encryption

Analysis of costs and benefits

Page 3

Progress and Risk

Risk = (Probability of failure) * (Size of loss)

Safety-critical considerations
- Dutch port authority
- RER train
- Software in automobiles
- Intelligent highways

Page 4

Progress and Risk, cont.

Security-critical considerations
- Credit card purchases on the web
- Voting on the web
- Banking on the web
- Mobile agents and active networks

Safety and security considerations
- Military systems, e.g. Star Wars
- Actuators on public networks

Page 5

Security Requirements

- Banking
- Government
- Public Telecommunications Carriers
- Corporate / Private Networks
- Electronic Commerce

Ref: Computer Communications Security, W. Ford, 1994.

Page 6

Banking

Electronic Funds Transfer (EFT)
- Prosecution of fraud problematic
- Financial system overall at risk

Automated Teller Machine (ATM)

Page 7

Automatic Teller Machines

Goals
- Availability: Provide automated teller operations 24x7 in convenient locations
- Integrity: Authorized users only, transactional guarantees
- Confidentiality: Private communication with branches or center

Vulnerabilities and controls

Risk analysis and liabilities

Page 8

Government

National security of course, but also “Unclassified but sensitive information” must not be disclosed. Example: social security web page.

Electronic signatures approved for government contractors.

Page 9

Public Telecom Carriers

Operations, Administration, Maintenance, and Provisioning (OAM&P)

- Availability is a key concern
- Significant insider risks

Page 10

Corporate Private Networks

Completely private networks are becoming a thing of the past because of telecommuting.

Protection of proprietary information of course, but also concerns like privacy in the health care industry.

Foreign government threat?

Page 11

Electronic Commerce

Electronic Data Interchange (EDI)

Electronic contracts need to be binding. ABA Resolution: “recognize that information in electronic form, where appropriate, may be considered to satisfy legal requirements regarding a writing or signature to the same extent as information on paper or in other conventional forms, when appropriate security techniques, practices, and procedures have been adopted.”

Page 12

Goals of Security

(Figure: data at the center, surrounded by the three goals Integrity, Availability, and Confidentiality.)

Ref: Pfleeger.

Page 13

Safety and Security

Many things in common and some major differences. Some similarities aid understanding of both.

Corresponding concepts (safety vs. security):
- System vs. Environment
- Accident vs. breach
- Hazard vs. vulnerability

Page 14

System vs. Environment (Safety)

(Figure: the Environment enclosing the System.)

Page 15

System vs. Environment (Security)

(Figure: the System and its Environment, with the relationship drawn from the security perspective.)

Page 16

Accident and Security Breach

Accident
- Loss of life
- Injury
- Damage to property

Security Breach
- Secret is revealed
- Service is disabled
- Data is altered
- Messages are fabricated

Page 17

Accident Definition

An accident is an undesired and unplanned (but not necessarily unexpected) event that results in (at least) a specified level of harm.

Define breach similarly. A security threat is a possible form of breach.

Page 18

Hazards and Vulnerabilities

Hazard
- No fire alarms
- No fire extinguishers
- Rags close to furnace

Vulnerability
- Password too short
- Secret sent in plaintext over public network
- Files not write protected

Page 19

Hazard Definition

A hazard is a state or set of conditions of a system that, together with other conditions in the environment of the system, will lead inevitably to an accident.

Define security vulnerability similarly.

Page 20

Other Terms

- Asset: object of value.
- Exposure: threat to an asset.
- Attack: effort by an agent to exploit a vulnerability and create a breach.

Page 21

Major Threats

- Interruption
- Interception
- Modification
- Fabrication

Page 22

Major Assets

- Hardware
- Software
- Data

Page 23

Threats to Hardware

- Interruption: crash, performance degradation
- Interception: theft
- Modification: tapping
- Fabrication: spoofed devices

Page 24

Threats to Software Code

- Interruption: deletion
- Interception: theft
- Modification: Trojan horse, logic bomb, virus, back door, information leak
- Fabrication: spoofing software distribution on the web

Page 25

Threats to Software Processes

- Interruption: bad inputs
- Interception: attacks on agents
- Modification: of exploited data
- Fabrication: service spoofing (man-in-the-middle)

Page 26

Threats to Data

Interruption: deletion, perceived integrity violation

Interception: eavesdropping, snooping memory

Modification: alteration of important information

Fabrication: spoofing web pages

Page 27

Principles of Security

Easiest Penetration: An intruder must be expected to use any available means of penetration.

Adequate Protection: Computer items must be protected only until they lose their value. They must be protected to a degree consistent with their value.

Effectiveness: Controls must be used to be effective. They must be efficient, easy to use, and appropriate.

Page 28

Controls

- Physical security
- Limited interface
- Identification and authorization
- Encryption

Page 29

Breakdown of S/W Controls

- Program controls, as exercised by the programmer or as dictated by the programming language or programming environment
- Operating system controls
- Development process controls

Page 30

Security Models

- Multi-layer security
- Graham-Denning model

Ref: Pfleeger.

Page 31

Military Security

Familiar hierarchy of sensitivities, partitioned into compartments.

Page 32

(Figure slide; no text recovered.)

Page 33

Compartments

Each piece of information is coded with its security level and one or more compartments.

Page 34

Classification and Clearance

Labels have the form <rank; compartments>.

Each piece of information, or object, o is classified by its rank and compartments. C(o) = classification of o.

Each actor, or subject, s is given a clearance by rank and compartments. C(s) = clearance of s.

Dominance: <r; c> ≤ <r'; c'> iff r ≤ r' and c is a subset of c'.

C(o) ≤ C(s) if the classification of o is dominated by the clearance of s.

Page 35

Guarantees

A subject s is only able to access an object o if the rank of s is higher than that of o, and s is cleared for all of the compartments of o. The first is called a hierarchical requirement, the second a non-hierarchical requirement.

Page 36

(Figure: the military security lattice. Ranks, from highest to lowest: Top Secret, Secret, Confidential, Restricted, Unclassified. Compartments: A, B, C, D. Example objects x, y, z, w, v are placed at points of the lattice.)
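A worked check of the dominance relation from the preceding slides, as an added Python example that is not part of Gunter's slides: the rank order and compartment names follow the lattice figure, while the subject and object labels are constructed. It also shows that dominance is only a partial order, so two labels can be incomparable.

```python
# Added example, not from the slides: the <rank; compartments> dominance
# check of the "Classification and Clearance" slide, applied as an access
# decision. Ranks and compartments match the lattice figure; labels below
# are constructed for illustration.
from dataclasses import dataclass

RANKS = ["Unclassified", "Restricted", "Confidential", "Secret", "Top Secret"]
RANK_ORDER = {name: i for i, name in enumerate(RANKS)}  # higher index = higher rank


@dataclass(frozen=True)
class Label:
    """A label <rank; compartments>, used both as C(o) and as C(s)."""
    rank: str
    compartments: frozenset

    def __post_init__(self):
        if self.rank not in RANK_ORDER:
            raise ValueError(f"unknown rank: {self.rank!r}")


def dominates(higher: Label, lower: Label) -> bool:
    """<r;c> <= <r';c'> iff r <= r' and c is a subset of c'.
    True when `higher` dominates `lower`."""
    return (RANK_ORDER[lower.rank] <= RANK_ORDER[higher.rank]
            and lower.compartments <= higher.compartments)


def may_access(clearance: Label, classification: Label) -> bool:
    """Access is granted iff C(o) is dominated by C(s): both the
    hierarchical (rank) and non-hierarchical (compartment) requirements hold."""
    return dominates(clearance, classification)


def explain_denial(clearance: Label, classification: Label) -> list:
    """Name which of the two requirements fails (empty list if access is allowed)."""
    reasons = []
    if RANK_ORDER[classification.rank] > RANK_ORDER[clearance.rank]:
        reasons.append("hierarchical: rank too low")
    missing = classification.compartments - clearance.compartments
    if missing:
        reasons.append("non-hierarchical: not cleared for " + ", ".join(sorted(missing)))
    return reasons
```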

Page 37

Graham-Denning Model

Subject executing command is x. Transferable rights are denoted r*. Non-transferable rights are denoted r.

A[x,s]