7/12/2015 Prof. Ehud Gudes Security Ch 1 1 Chapter 1 [SB] chapters 1,13,14,15,16,17,18 Articles...
04/19/23 Prof. Ehud Gudes Security Ch 1 2
Security objectives
Confidentiality – No leakage of sensitive or private information
Only authorized access is allowed (both Read and Write)
Integrity – no modification or destruction of information (both accidental and malicious)
Availability – Timely Response, No denial of service , Quality of service
Security – all-together, but mainly confidentiality!
Integrity vs. Security
Integrity – Disallow Invalid update – Read is not a problem!
Security - Disallow unauthorized access – Read is a problem!
Aspects of Integrity
Preciseness, Accuracy
Consistency
Meaningfulness and correctness
Integrity problems may happen accidentally or maliciously
Integrity - Types of errors
A single user enters invalid data - Integrity.
Access by Multiple users causing invalid or inconsistent database – Concurrency
System (Hardware or Software) Failures – Recovery
Abort of Transactions which may leave database in Inconsistent state - Recovery
Aspects of Availability
Timely response
Fair allocation
Fault tolerance
Utility and Usability, Quality of Service
Controlled concurrency
No denial of service
Examples for Security Problems
Computer Crime
Access to Proprietary Information
Disruption of Operations (Denial of service)
Violation of Privacy
Theft of Proprietary Software
Types of Security Threats
Hardware: Theft, Eavesdropping, Fire, Flood, Terror
Software: Illegal use, Illegal modification, Theft
Data: Destruction, Illegal disclosure, Illegal modification
Attackers
Insiders – According to studies, about half of the attacks to a system come from insiders [Neu99].
Hackers – Usually try to show off their ability by penetrating systems
Spies –Industrial or government espionage.
Methods of Attacks
Bypassing authentication (e.g. guessing password)
Using Authority dishonestly (e.g. System people)
Utilizing human error or carelessness
Utilizing "holes" in Software - Trapdoors
Bypassing access control
Using Viruses
Using Inference from authorized access
Attack methods
Preparation – Information gathering, scanning, planting malicious code, masquerading (spoofing)
Activation – perpetrator-controlled, timed, victim activated
Mission – active (affects integrity and availability), passive misuse (eavesdropping, inference), denial of service
Trap-doors
A Trap-door is a “hole” in a legal program module through which an invalid access can be performed.
Such a hole may be left intentionally or unintentionally
Example – a hole in the password checking module (Thompson’s example)
Malicious Code
Trojan Horses – A Trojan Horse is an apparently useful program that has hidden functions, usually harmful. A Trojan Horse can violate integrity more easily than confidentiality.
Viruses – A virus is a program that attaches itself to another program, propagates, and usually causes some data destruction. General virus detection is a difficult problem, but we can detect specific viruses.
Worms – A worm is a program that propagates itself without infecting the host.
Viruses and worms
Self-propagating
May destroy information and clog services
A mix of vandalism and ego trip
Take advantage of operating system and utilities flaws and uniformity of systems
Examples of malicious software
May also be used by organizations or government agencies
Network Security Attacks
Classified as passive or active
Passive attacks are eavesdropping: release of message contents, traffic analysis; they are hard to detect, so aim to prevent
Active attacks modify or fake data: masquerade, replay, modification, denial of service; they are hard to prevent, so aim to detect
Web site defacing and hijacking
Alteration of the web pages of some institution
Visitors may be hijacked to other sites, sometimes impostor sites
Political motivation or hacking
Take advantage of web server weaknesses, e.g., CGI scripts or lack of isolation of pages; also through the OS
Cross-site scripting - XSS
Phishing
Dist. Denial of Service
Multiplication of messages towards some site
Requires previously inserted software by perpetrator (slaves)
A site may become inaccessible
Political motivation or vandalism
Uses flaws or features of network protocols and OS flaws
Illegal database access
Illegal access to web-connected databases
Stealing of information, e.g., credit card numbers.
SQL injection
Exploit poor database authorization, implementation, or alternate routes
Cyberwar and Terrorism
Massive attack to the computer systems of some country or institution or to the Internet itself
Carried out by organized groups or a government
Uses all the other attacks
How attacks are carried out
Passive attack: Interception (eavesdropping) - an attack on confidentiality
Active attacks:
Interruption - an attack on availability
Modification - an attack on integrity
Fabrication - an attack on authenticity
Replay (retransmission)
Hoped-for outcomes (from the attacker's viewpoint)
Intrusion - harassment
Denial of service ...
Information theft
Fraud
Attack planning
Unintentional threat ... bugs ... "I forgot the password"
Intentional threat
Natural threat: natural disasters
Source of the attack
From among the system's users
From within the organization
From outside the organization, but physically inside
From another "trusted" organization
From outside the organization - from the Internet
Examples
Transferring fractions of agorot to the account of a bank employee
Theft of backup tapes and erasure of disks by a company employee
Flooding of the computer center
Christmas greeting - a Trojan horse in PostScript
Viruses in mail attachments - the I Love You virus
Payments by credit card over the phone (on the Internet)
Trojan horse - Windows NT registration
Alteration of the C.I.A. page on the Web
Internet Worm
Publication of Izhar Ashdot's disc
The DDOS attack on Yahoo, Amazon, CNN and others
Most popular Attack methods ([P] sidebar 1.3 )
Exploiting OS vulnerability – 33%
Exploiting unknown application – 27%
Guessing Passwords – 22%
Abusing valid user accounts – 17%
Using internal denial of service – 12%
Countermeasures
Access control / authorization -- provide confidentiality and integrity
Authentication -- proper identification
Auditing -- basis for prosecution or improvements to the system
Cryptography -- a mechanism to hide information and prove identity and rights
Security Functional Requirements
Technical measures: access control; identification & authentication; system & communication protection; system & information integrity
Management controls and procedures: awareness & training; audit & accountability; certification, accreditation, & security assessments; contingency planning; maintenance; physical & environmental protection; planning; personnel security; risk assessment; systems & services acquisition
Overlapping technical and management: configuration management; incident response; media protection
Basic Security Mechanisms
Function                         Enforced by
Identification, Authentication   OS, [DBMS]
Authorization, Access Controls   DBMS, OS security enforcement module
Integrity, Consistency           DBMS data model, transaction manager
Auditing, Encryption             OS, [DBMS]
Security Mechanisms
Area                  Procedures and Mechanisms
External procedures   Security clearance of personnel; Protection of passwords; Information classification and security policy formulation; Application program controls; Audit; Periods processing
Physical environment  Secure areas for files / processors / terminals; Radiation shielding
Data storage          Data encryption; Duplicate copies
Security Mechanisms (cont.)
Area                  Procedures and Mechanisms
Processor software    Authentication of user; Access control; Threat monitoring; Audit trail of transactions
Processor hardware    Memory protection; States of privilege; Reliability
Communication lines   Data encryption
Protection policy
What to protect? Resources, data
Against which threats? Eavesdropping, modification, denial of service
Which parts of the system to protect? Hardware, software
Considerations in choosing a protection policy
The degree of protection one wants to provide: usually depends on the damage the organization can "absorb"
The cost of protection (monetary)
The physical cost
Ease and convenience of use
(Below) a risk assessment model
These conflict with each other - cost/benefit considerations
Always - whom do we trust (Trust Model)
Considerations in choosing a protection policy
After choosing the protection policy, one must choose the protection mechanisms with which the protection policy is implemented.
Protection mechanisms
Physical protection
Personnel / administrative protection
Monitoring means - auditing
Access control
Flow control
Inference control
Cryptographic mechanisms
Examples
Firewalls
Smart cards
Encryption
Hardening of operating systems
Access Control
Physical protections
Secure systems must contain mechanisms (manual or computerized) for identifying and protecting against all types of threats.
Even if a single mechanism is missing, the system may be completely insecure.
The strength of the security chain is that of its weakest link.
Summary - Security objectives
Confidentiality – no leakage of sensitive or private information
Integrity – no modification or destruction of information
Availability – No denial of service
The meaning of security
Security implies providing these objectives in the presence of the attacks discussed earlier
Security requires technical, management, and physical countermeasures
We mainly consider technical aspects here
A related aspect is privacy, a legal and ethics concern
How we achieve all the above without sacrificing basic democratic principles!
Principles for Security
Accountability
Awareness
Ethics
Multidisciplinary
Proportionality
Integration
Non-repudiation
Timeliness
Reassessment
Democracy
The principle of Effectiveness
A security control is effective if:
It is easy to use
Efficient (not too much overhead)
Appropriate (not impeding legal access)
And actually USED!
Remember: the strength of a chain is that of its weakest segment!
Need for conceptual structure
Security is an all-levels problem
In current systems we have disjoint, ad hoc solutions at each level
We should start from high-level policies that can be mapped to the lower levels
We need precise models to guide system development
Management and Administrative Aspects
PC measures
Unix Issues - e.g. use of Accounts, Passwords
Network issues - Insiders vs. Outsiders, firewalls
Computer emergency response teams (CERT)
Risk Analysis
Security Measures
Administrative Security Measures
Physical Security Measures
Legal Security Measures
Technical Security Measures
PC measures
Secure equipment. Do not leave PCs, printers unattended.
Secure secondary media.
Perform periodic backups
Practice separation of authority
Add security boards or plugs
Use authorized software only
Provide access control and/or encryption to files
Provide automatic logout and screen save locks
Assure machine identification
Unix Measures
Control accounts
- delete old accounts
- limit access of guest accounts
Provide for password security
Limit super-user accessibility
Backup periodically and at several levels
Log activities and look for suspicious behavior
Control carefully proxy servers and network services
Issues in Password Selection
Length - at least 8?
Composition - No common names, places, sport terms, movies and actors, machine names, bible words, etc.
- Yes: upper & lower case, digits, control chars
Computer generated Passwords
Password encryption - One way functions - Public keys and Certificates - Kerberos
WINDOWS-NT SECURITY
Authentication - Using modern cryptographic protocols
File and Directory security - Using Access-Control lists based on groups
User-profiles and System policies - using Default settings and conflict resolution
Auditing and Logging
Sophisticated management and Security administration tools
Auditing Issues - Protection of the Log
Only privileged users can write on the log
Log is stored on a separate computer without editors or printers
A filled log is sent to a separate site and printed on a secure printer
Auditing Issues
What granularity? - every login? every shell command? every file read/write?
When? - Always? At certain times of day? of week?
To whom? - all users? Suspicious ones?
Performance implications?
Implementation - Other media/machine? What to do when the Log is filled?
Auditing
Relationship between recovery log and audit trail
                  RECOVERY LOG                              AUDIT TRAIL
ITEMS RECORDED    Physical details of data and operations;  Read operations; Log-ons; Illegal requests
                  Update actions (before and after images)
FUNCTIONS         Restore database to consistent state      Analyze for policy compliance; Detect violations; Compensate for errors
Use of Tools
CERT – Computer emergency response team - both before and after an attack
CRACK – a password checking tool
COPS – checking system files
SATAN – network analysis tool
Anti-viruses
Protection against natural disasters and/or war damage
Sturdy buildings in safe locations
Lightning protection
Fire detectors, sprinklers
Emergency generator
Backups in a fireproof safe – backups at a separate site (Offline, Online)
Emergency communication system (through a separate exchange)
Damage by employees and visitors to the facility
Restricting physical access to the computer system
Guard at the entrance
Entry door with a code
Door with a retina scanner
Locking sensitive material in safes
Keeping backups in a separate physical location
In especially critical systems - preventing communication to the outside
Electromagnetic radiation
Computer systems emit radiation (usually weak and not measurable): the processor, peripheral equipment, displays, communication lines
Protection means: shielding of communication lines, separation from telephone lines, protection by means of a Faraday cage
Risk Analysis
Identify Assets
Determine Vulnerabilities
Estimate Likelihood of exploitation
Survey Applicable controls and Defense measures
Project Saving of Control
Like an insurance Problem
Risk Analysis
Assets: hardware, software, data, people
Cost of each damage, including legal obligations
Probability of occurrence – the Delphi approach
Cost of control: - in Hardware - in Software - in People
Typical Risk Analysis Form
Columns: Description of risk; Potential effect; Potential cost of risk; Probability (high = .75, average = .50, low = .25, negligible = .05); Cost x Probability product (x10^3), used as relative priority (the highest product is the highest priority); Preventative / remedial action; Costs of safeguard and comments

1. Computer Room Destroyed
   Potential effect: i. Loss of processing capability for production scheduling, payroll, etc.; ii. Replacement of computer; iii. Site reconstruction
   Potential cost of risk: $500,000; 200,000; 2,000,000
   Probability: Low
   Cost x Probability product (x10^3): 675
   Preventative / remedial action: i. Ensure adequate backup; ii. Maintain fall-back manual system; iii. Insure site and equipment; iv. Impose fire precautions
   Costs of safeguard and comments: Nil; $3,000 per year

2. Complete loss of Records
   Potential effect: i. Unable to bill customers; ii. Production line stoppage within four days; iii. Unable to continue trading within six weeks
   Potential cost of risk: 500,000; 250,000; 25,000,000
   Probability: Low
   Cost x Probability product (x10^3): 6437.5
   Preventative / remedial action: i. Ensure remote copies kept of all vital files; ii. Insure against consequential loss during recovery
   Costs of safeguard and comments: $1,000 per year

3. Theft of information of use to Competitors
   Potential effect: i. Erosion of market position; ii. Estimated saving to competitors
   Potential cost of risk: 1,000,000; 10,000
   Probability: Average
   Cost x Probability product (x10^3): 505
   Preventative / remedial action: i. Strict control of access to vital files; ii. Personnel bonding
   Costs of safeguard and comments: i. Impose system for signing out files

4. Illegal sale of machine time
   Potential effect: i. Slightly increased machine costs; ii. Possible adverse effect on own systems testing
   Potential cost of risk: 10,000; 5,000
   Probability: Negligible
   Cost x Probability product (x10^3): 0.750
   Preventative / remedial action: i. Spot checks
   Costs of safeguard and comments: No action recommended; risk/small loss outweighed by staff morale considerations

5. Improper Disclosure of personal Data
   Potential effect: i. Lawsuit against firm; ii. Loss of goodwill through publicity
   Potential cost of risk: 10,000,000; 7,500,000
   Probability: High
   Cost x Probability product (x10^3): 13125
   Preventative / remedial action: i. Tighten up controls at areas where information is disseminated; ii. Put a legal notice on all forms with personal data specifying laws and sanctions applicable to it
   Costs of safeguard and comments: Intangible effect and cost to data subjects important but not considered here
Justification of Access Control Software (Table 10-4)
Item                                                              Amount
Risks: disclosure of company confidential data,
  computation based on incorrect data
Cost to reconstruct correct data:                                 $1,000,000
@ 10% likelihood per year:                                        $100,000
Effectiveness of access control software: 60%                     -$60,000
Cost of access control software:                                  +$25,000
Expected annual costs due to loss and controls:
  $100,000 - $60,000 + $25,000                                    $65,000
Savings: $100,000 - $65,000                                       $35,000
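The arithmetic behind the risk analysis form and the access control justification table above, as an added example (not code from the lecture): the row data is re-entered from the form as sample input, and the function and field names are my own.

```python
from dataclasses import dataclass

# Probability bands from the lecture's "Typical Risk Analysis Form".
PROBABILITY = {"high": 0.75, "average": 0.50, "low": 0.25, "negligible": 0.05}


@dataclass
class Risk:
    description: str
    potential_costs: list   # one dollar figure per potential effect (i., ii., iii.)
    probability: str        # a key of PROBABILITY


def product_k(risk: Risk) -> float:
    """Cost x probability product in thousands of dollars (the form's x10^3 column)."""
    return sum(risk.potential_costs) * PROBABILITY[risk.probability] / 1000


def rank_by_priority(risks):
    """Relative priority as the form defines it: the highest product ranks first."""
    return sorted(risks, key=product_k, reverse=True)


def justify_control(reconstruction_cost, likelihood_per_year, effectiveness, control_cost):
    """Annual cost/benefit of one control, following the lecture's Table 10-4.

    Returns (expected_loss, loss_avoided, expected_annual_cost, savings); the
    control is justified when savings are positive, i.e. the loss it avoids
    exceeds what it costs.
    """
    expected_loss = reconstruction_cost * likelihood_per_year
    loss_avoided = expected_loss * effectiveness
    expected_annual_cost = expected_loss - loss_avoided + control_cost
    savings = expected_loss - expected_annual_cost
    return expected_loss, loss_avoided, expected_annual_cost, savings


# Rows 1-5 of the lecture's form, re-entered here as sample input.
FORM_ROWS = [
    Risk("Computer room destroyed", [500_000, 200_000, 2_000_000], "low"),
    Risk("Complete loss of records", [500_000, 250_000, 25_000_000], "low"),
    Risk("Theft of information of use to competitors", [1_000_000, 10_000], "average"),
    Risk("Illegal sale of machine time", [10_000, 5_000], "negligible"),
    Risk("Improper disclosure of personal data", [10_000_000, 7_500_000], "high"),
]

if __name__ == "__main__":
    for r in rank_by_priority(FORM_ROWS):
        print(f"{product_k(r):>10.3f}  {r.description}")
    # Table 10-4: $1,000,000 reconstruction cost, 10% per year, 60% effective, $25,000 control
    print(justify_control(1_000_000, 0.10, 0.60, 25_000))
```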
Secure Planning
People and responsibilities
Disaster Recovery (Flood, Fire, Power loss, Robbery, Terrorism, etc.)
Backups (off-site, Cold site)
Disposal of Media (Shredders, etc.)
Types of Backups
Full vs. Selective or Incremental (use of RAIDs)
Offsite
Cold site vs. Hot site
Note on Sept 11th !…
X.800 Security Architecture
X.800, Security Architecture for OSI: a systematic way of defining requirements for security and characterizing approaches to satisfying them
Defines:
security attacks - compromise security
security mechanism - act to detect, prevent, or recover from an attack
security service - counter security attacks