Information Security, CSI 424/524

Prof. William A. Maniatty

Lecture 1

[email protected]

http://www.cs.albany.edu/˜maniatty/teaching/security/

CSI 424/524, William A. Maniatty, Dept. of Computer Science, University at Albany 1

Page 2: Information Security, CSI 424/524 Stuff - Course Materials Required Text Books • Security Engineering: A guide to Building Dependable Distributed Systems John Wiley and Sons, Ltd

Introduction

Welcome to Computer Security. Today we cover:

• Administrative stuff

• Overview of our approach


Administrative Stuff - Course Materials

Required Text Books

• Security Engineering: A Guide to Building Dependable Distributed Systems. Ross Anderson, John Wiley and Sons, Ltd., 2001. ISBN: 0471389226. Gives good insight into the area from a top-flight researcher.

• Computer Security: Art and Science. Matt Bishop, Addison Wesley, 2003. ISBN: 0201440997. Gives a somewhat more formal treatment and deeper coverage of theoretical issues.

Course Home Page:

http://www.cs.albany.edu/˜maniatty/teaching/security/


Administrative Stuff - Course Policies

This course is geared toward preparing researchers.

• CSI 424 students have 402 or 400 as a prerequisite

• CSI 524 students have 500 as a prerequisite

My Goal: Reward good students

Class covers key concepts, you'll need to read on your own.

Learn by research and doing, don't just sit and listen.

Please attend.

Number of talks and scope of projects depend on enrollment.

Grading gripes - I regrade the entire item, not just the complaint

• On exams - hand back the exam before leaving class with a note about the grading issue

• On projects / homeworks - must be within one week of the return.


Engineering Approach Reviewed

Engineers want to control some process or phenomenon (or solve a problem)

• Identify the problem (perhaps formalize it)

• Propose a solution

• Measure or analyze solution

. Correctness/Completeness --- Which cases does it solve?

. Cost --- What resources are required?

. Performance --- How efficient is the solution?

Remember the engineering motto:

• Measure

• Understand

• Control


Computers and Security

Vulnerabilities are a form of error

• However, intruders intentionally exploit these errors

. This makes it hard: the adversary chooses the inputs (Anderson and Needham call it "programming Satan's computer").

• When do errors happen?

. Design

. Implementation

How can engineering approaches address security concerns?

• Security protocols are the core (as per Ross Anderson).


Related trends

New small machines feel like old versions of the previous generation

• Small memory

• Limited Processing

But with differences

• Highly connected

• Intermittent connectivity (for mobiles)

• With limited power supply (for mobiles)

• Embedded Software/Ubiquitous Computing

Concerns of users

• It's all about data!

. Access

. Correctness

. Control


Stallings Model of Network Security Services

Stallings [2] models security as providing services

• Authentication --- Identifying users

• Authorization --- Checking permission

• Auditing --- Tracking users' actions

• Confidentiality --- Privacy Preservation

• Integrity --- Avoid accidental or malicious data changes/deletion

• Availability --- Keeping the system on line for legitimate users.


Stallings Forms of Network Attack

Stallings [2] gives an attack taxonomy, drawn as a sender, a receiver, and an intruder on the channel between them:

• Normal flow --- Sender to receiver, no intruder

• Interruption (DoS) --- The intruder cuts the flow; nothing reaches the receiver (attacks availability)

• Interception --- The intruder reads the flow, which still reaches the receiver unchanged (attacks confidentiality)

• Modification --- The intruder alters the flow before it reaches the receiver (attacks integrity)

• Fabrication --- The intruder injects messages of its own toward the receiver (attacks authenticity)


Threats (1 of 2)

A threat is a potential violation of security

Attackers carry out threats or instigate others to do them.

• Shirey gives 4 broad classes of threats

. Disruption --- denial of service

. Disclosure --- release of potentially confidential data

. Deception --- acceptance of false data

. Usurpation --- unauthorized assumption of control


Threats (2 of 2)

Bishop lists additional threats

• Snooping or Eavesdropping --- interception of confidential data

. e.g. sniffing packets for passwords

• Modification or Alteration --- changing data

. e.g. change a salary by editing the payroll file

• Masquerading or Spoofing --- forging data about origin

. e.g. identity theft (charging stuff to someone else's credit card)

• Repudiation of origin --- false denial of creation

. e.g. bad guy orders stuff and refuses to pay, claiming he never ordered it

• Denial of receipt --- false claim of nondelivery

. e.g. bad guy orders stuff but refuses payment on the first shipment, claiming it never arrived

• Delay (or replay) --- cause a legitimate message to arrive later than intended (a replay delivers it again, after the fact)

. e.g. ``The Sting'' (famous movie)

• Denial of service --- interrupt availability
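As an added example (not part of the lecture), the following Python simulation plays Stallings's four attack forms from the taxonomy slide, plus Bishop's replay threat, against a channel that protects integrity with an HMAC-SHA256 tag and a sequence number. The shared key, the payment messages, and the intruder functions are all constructed for the illustration. It shows which attacks an integrity service catches (modification, fabrication, replay) and which it cannot (interception still succeeds because nothing is encrypted; interruption is only noticed as a missing message), tying each attack form back to the service that would defeat it.

```python
"""Stallings's attack forms played against a simple authenticated channel.

Added example, not from the lecture.  The key, messages and intruder
behaviours are constructed; the mechanism is HMAC-SHA256 plus a sequence number.
"""
import hashlib
import hmac

KEY = b"constructed-shared-key"   # known to sender and receiver only (constructed)


def make_message(seq, payload):
    """Sender: tag (seq | payload) with HMAC-SHA256 so origin and integrity are checkable."""
    body = f"{seq}|{payload}".encode()
    tag = hmac.new(KEY, body, hashlib.sha256).hexdigest().encode()
    return body + b"|" + tag


class Receiver:
    """Accepts a message only if the tag verifies and the sequence number is the next one."""

    def __init__(self):
        self.expected_seq = 0
        self.accepted = []

    def deliver(self, wire):
        if wire is None:
            return "timeout"                      # interruption: nothing arrived
        body, _, tag = wire.rpartition(b"|")
        expected = hmac.new(KEY, body, hashlib.sha256).hexdigest().encode()
        if not hmac.compare_digest(expected, tag):
            return "bad_tag"                      # modification or fabrication
        seq, _, payload = body.partition(b"|")
        if int(seq) != self.expected_seq:
            return "replay"                       # Bishop's delay/replay
        self.expected_seq += 1
        self.accepted.append(payload.decode())
        return "accepted"


# The intruder sits on the wire; each attack maps what was sent to what arrives.
EAVESDROPPED = []


def normal_flow(wire):
    return wire


def interruption(wire):
    return None                                   # drop the message


def interception(wire):
    EAVESDROPPED.append(wire)                     # copy it, then forward untouched
    return wire


def modification(wire):
    return wire.replace(b"pay 10 ", b"pay 1000 ")   # tag no longer matches the body


def fabrication(wire):
    return b"0|pay 1000 to mallory|" + b"0" * 64   # no key, so the tag is a guess


def outcome(attack):
    """Result of one message crossing a wire controlled by `attack`."""
    receiver = Receiver()
    return receiver.deliver(attack(make_message(0, "pay 10 to bob")))


def replay_outcome():
    """Normal delivery followed by the intruder re-sending the captured bytes."""
    receiver = Receiver()
    wire = make_message(0, "pay 10 to bob")
    first = receiver.deliver(wire)
    second = receiver.deliver(wire)
    return first, second


if __name__ == "__main__":
    for attack in (normal_flow, interruption, interception, modification, fabrication):
        print(f"{attack.__name__:13s} -> {outcome(attack)}")
    print("replay        ->", replay_outcome())
    print("intruder saw  ->", EAVESDROPPED)
```

The interception case is the one to notice: the receiver reports "accepted" and the intruder's log holds the payment in the clear. A MAC is an integrity and authentication mechanism; confidentiality needs encryption, and availability needs something else again, which is exactly why Stallings separates the services.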


Policy and Mechanism (Bishop)

A Security Policy is a statement about what is and is not allowed

• e.g. university rules about computer usage

• Communicating/cooperating entities require consistent security policies or breaches can occur.

A Security Mechanism is a method, tool or procedure for enforcing a security policy.

• Mechanisms may be non-technical

. e.g. have a guard who checks I.D.


Security Goals, Specification, Design and Implementation

Security Systems are designed to provide:

• Prevention --- Makes an attack fail if attempted

• Detection --- Alerts the defender of an attack

• Recovery --- Reaction to an attack

. Offline --- Stop the attack, assess and repair the damage

. Online --- Maintain system functioning during compromise and repair

Like other software systems, security systems have

• A specification, which describes the desired functionality of the system.

. Specifications can be either formal or informal.

• A design, which translates the specification into the components that will implement it.

• An implementation, which creates a system that satisfies the specification.

. Errors can occur at each phase.


Assumptions and Trust

Designs are based on Assumptions and Trust

• Trusted entities have fewer restrictions

• Assumptions govern design decisions

. e.g. do we trust locks to keep out intruders?

. If only locksmiths pick locks and we trust them, maybe.

. But what if criminals can pick locks?

Designers always assume:

• Policy correctly and unambiguously partitions the system into secure and nonsecure states.

• The security mechanisms prevent the system from entering nonsecure states.

. Each mechanism is designed to implement one or more parts of the security policy.

. The union of mechanisms fully implements the complete security policy.

. Each mechanism is correctly implemented.

. The mechanisms are installed and configured correctly.


Correctness and Completeness of Security Systems

Consider a security mechanism's impact on a system. We can model its state space as follows:

• Let P be the set of possible states if the security mechanism were not employed

• Let S, S ⊆ P, be the set of safe states

• Let R, R ⊆ P, be the set of restricted states that can occur when the security mechanism is employed

The coverage of the mechanism is said to be:

• Secure if R ⊆ S

• Precise if R = S.

• Broad if ∃r ∈ R such that r ∉ S.

. Note: A security measure is a failure if R ∩ S = ∅ (no state it permits is safe).


Secure, Precise and Broad State Spaces

[Figure: three diagrams of the state space P. A Secure System: R lies inside S. A Precise System: R = S. A Broad System: R extends outside S.]
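As an added example (not from the lecture), the following Python script makes the P, S, R definitions concrete on a constructed toy system: two users and a tiny file system, with the policy "mallory never reads the secret" as the safe-state predicate and three candidate mechanisms. It computes P by exploring every reachable state with no mechanism in place, S as the safe subset of P, and R for each mechanism, then classifies the coverage exactly as defined above. The users, the lockdown and ACL mechanisms, and the case-insensitive file name alias are assumptions of the example. It also serves the Policy and Mechanism slide (the predicate is the policy, each function is a mechanism) and the Assumptions and Trust slide: the buggy ACL shows how a mechanism that is not correctly implemented comes out broad even though the policy is right.

```python
"""Bishop's secure / precise / broad classification worked on a toy system.

Added example, not from the lecture.  The file system, users and the
case-sensitivity bug in the ACL are constructed for illustration.
"""
from collections import deque

USERS = ("alice", "mallory")
# Constructed assumption: the file system is case-insensitive, so "SECRET"
# names the same file as "secret".  Policy: mallory never reads the secret.
PATHS = ("secret", "SECRET", "notes")


def canonical(path):
    return path.lower()


def is_safe(state):
    """The security policy as a predicate: mallory has never read the secret."""
    return ("read", "mallory", "secret") not in state


def reachable(mechanism):
    """BFS over states; a state is the frozenset of reads that have succeeded.

    `mechanism(user, path)` returns True when it allows the read.
    """
    start = frozenset()
    seen = {start}
    queue = deque([start])
    while queue:
        state = queue.popleft()
        for user in USERS:
            for path in PATHS:
                if not mechanism(user, path):
                    continue                      # denied: no transition
                nxt = state | {("read", user, canonical(path))}
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append(nxt)
    return seen


def classify(safe_states, restricted_states):
    """Bishop's terms: R = S is precise, R ⊆ S is secure, anything else is broad."""
    if restricted_states == safe_states:
        return "precise"
    if restricted_states <= safe_states:
        return "secure"
    return "broad"


# Candidate mechanisms (constructed).
def no_mechanism(user, path):
    return True


def lockdown(user, path):
    return False                                  # nobody reads anything


def acl(user, path):
    return not (user == "mallory" and canonical(path) == "secret")


def buggy_acl(user, path):
    return not (user == "mallory" and path == "secret")   # misses the alias


def evaluate():
    """Map each mechanism name to its coverage class."""
    P = reachable(no_mechanism)
    S = {s for s in P if is_safe(s)}
    return {name: classify(S, reachable(m))
            for name, m in (("lockdown", lockdown), ("acl", acl), ("buggy_acl", buggy_acl))}


if __name__ == "__main__":
    for name, verdict in evaluate().items():
        print(f"{name:10s} {verdict}")
```

The lockdown is secure but not precise: it keeps the system in safe states by also denying alice her legitimate reads, which is the usual price of an over-broad restriction. The buggy ACL is the interesting case for an engineer: the policy is fine and the mechanism looks right, but one unchecked assumption about the file system lets R reach a state outside S.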


Assurance

Informally, assurance measures how much users should trust a system employing a set of security mechanisms.

• But trust is hard (impossible) to quantify precisely!

Consider allegations of food contamination (hypodermic needle in a can) against a soda vendor

• Soda is dispensed in sealed cans (tamper resistant)

• Assembly line moves quickly

. Cans are sterilized open end down before filling.

. Cans are upright for only a very short interval during filling before sealing.

• The Food and Drug Administration regulates ingredients and canning operations.

A system is said to satisfy a specification if it behaves as the specification states it will.


Operational Issues - Cost-Benefit Analysis

Cost-Benefit Analysis - How much security can we afford?

• Costs of security failures can be financial

. e.g. A bank keeps a central database of account information

. e.g. Stock market trading software

• But some costs are not financial

. e.g. A player ``cheats'' at a video game

. e.g. Real time software controlling an aircraft

. e.g. Health care information (HIPAA)

• But applying security measures has a cost too

. A bank vault makes sense for large sums of money, but not to protect a $3 magazine.


Operational Issues - Risk Analysis

Risk Analysis - depends on

• Value of what we want to protect

• Likelihood of threat being executed

• Knowledge of attacker, e.g. Anderson's example

. Drug addict, desperate for money to get a fix

. Three-time convicted thief, not intelligent, but knows some tricks

. Sophisticated art thief, conceals a single conviction

. Head of a militia, trained at a military academy, with access to Ph.D.-level scientists

• Bishop notes that

. Risk is a function of the environment

. Risks change over time (like Schneier's motto, security is a process [1]).

. Many risks are very remote but still exist

. Beware of Analysis Paralysis!


Operational Issues - Laws and Culture

Laws and culture

• The U.S. used to be quite restrictive on cryptographic technology (treated export like munitions)

• Laws across jurisdictions differ (e.g. France required government key escrow).

• Government decides what is legal, society decides what is acceptable.


Human issues

Organizational issues - Security requires effort

• So people (like electricity) tend to take the path of least resistance.

• Security tends to be viewed as a cost, not an asset/revenue generator.

• Thus it is critical to establish responsibility.

• The responsible parties need authority and resources to secure the system.

People Problems - Both intentional and accidental

• Motivation to attack may come from without or within

• Personnel may have insufficient training

• Social Engineering - tricking people into divulging critical secrets

• Misconfiguration or security patch/functionality conflicts


Tying it all together

Threats and Policy → Specification → Design → Implementation → Operation and Maintenance


Bibliography

References

[1] Bruce Schneier. Secrets & Lies: Digital Security in a Networked World. John Wiley & Sons, 2000.

[2] W. Stallings. Cryptography and Network Security: Principles and Practice. 2nd edition, Prentice Hall, Upper Saddle River, NJ, U.S.A., 1999.
