Basic security concepts_chapter_1_6perpage


Transcript of Basic security concepts_chapter_1_6perpage

Page 1: Basic security concepts_chapter_1_6perpage

2/24/2013


TOPIC 1 Basic Security Concepts

INTRODUCTION

• What is security? Security is about the protection of assets.

– Computer-related assets. Computing system: hardware, software, storage media, data and people.

• Principle of Easiest Penetration: an intruder must be expected to use all available means of penetration and will use the ‘weakest point’.

INTRODUCTION

• There are 3 classifications of protection:

– Prevention: take measures that prevent your assets from being damaged.

– Detection: take measures that allow you to detect when an asset has been damaged.

– Reaction: take measures that allow you to recover your assets or to recover from damage to your assets.

• Example from the physical world:

– Prevention: locks on the door or window bars, a wall around the property.

– Detection: you detect that something has been stolen when it is no longer there, a burglar alarm goes off when a break-in occurs, CCTV provides information that allows you to identify intruders.

– Reaction: you can call the police or you may decide to replace the stolen item.

INTRODUCTION


• Example from the cyber world: consider credit card fraud cases.

– Prevention: use encryption when placing an order, rely on the merchant to perform some checks on the caller before accepting a credit card order, or don’t use your credit card number on the Internet.

– Detection: a transaction that you had not authorized appears on your credit card statement.

– Reaction: you can ask for a new credit card number; the cost of the fraudulent transaction may be recovered by the card holder, the merchant where the fraudster had made the purchase, or the credit card issuer.

SECURITY GOALS

INTEGRITY: Assets can be modified only by authorized parties or only in authorized ways.

CONFIDENTIALITY: The assets of a computing system are accessible only to authorized parties (also known as secrecy).

AVAILABILITY: Assets are accessible to authorized parties when needed, without any delay.


SECURITY THREATS

INTERRUPTION: An asset of the system is destroyed or becomes unavailable or unusable – an attack on AVAILABILITY

INTERCEPTION: An unauthorized party (program, person, computer) gains access to an asset – an attack on CONFIDENTIALITY

MODIFICATION: An unauthorized party not only gains access to but also tampers with an asset – an attack on INTEGRITY

FABRICATION: An unauthorized party inserts counterfeit objects into the system – an attack on AUTHENTICITY

[Figure: four information-flow diagrams from information source to information destination, labelled INTERRUPTION, MODIFICATION, INTERCEPTION and FABRICATION, with three "Middle man" labels]

SECURITY THREATS

Examples of security threats/attacks:

Interruption

~ destruction of a piece of hardware (hard disk)

~ cutting of a communication line

~ disabling of the file management system

Interception

~ wiretapping

~ illicit copying of files or programs

Modification

~ changing values in a data file

~ altering a program so that it performs differently

~ modifying the content of messages being transmitted in a network

Fabrication

~ addition of records to a file

~ insertion of spurious messages in a network

Vulnerabilities

Vulnerabilities: weaknesses in the security system that might be exploited to cause loss or harm.

[Figure: Vulnerabilities in Computing Systems]

HARDWARE: Interruption (Denial of service), Interception (Theft)

SOFTWARE: Interruption (Deletion), Interception (piracy), Modification

DATA: Interruption (Loss), Interception, Modification, Fabrication

Vulnerabilities

Threats to Hardware

• involuntary machine-slaughter: accidental acts not intended to do serious damage.

• voluntary machine-slaughter: intended to do harm

Threats to Software

• deletion

• modification – trojan horse, virus, trapdoor, logic bomb

• theft - piracy


Vulnerabilities

Threats to Data

• loss of data

• interception

• modification

• fabrication

Threats to other exposed assets

• storage media – consider backups

• networks – a very exposed medium, with access from a distance

• access – steal computer time, denial of service

• key people – disgruntled employees

Methods of Defense

ENCRYPTION

Encryption provides

~ confidentiality for data

~ integrity

~ basis for protocols

SOFTWARE/HARDWARE CONTROLS

Software controls:

~ Internal program controls

~ Operating system controls

~ Development controls

Hardware controls:

~ hardware devices:

- smartcard (encryption)

- circuit boards that control disk drives in PCs

POLICIES

~ frequent changes of password

~ training

Legal and ethical controls

~ codes of ethics

PHYSICAL CONTROLS

~ locks on doors

~ backup copies of important s/w and data

~ physical site planning (reduce the effect of natural disasters)

Who are the people?

• Amateurs: not career criminals but normal people who observe a flaw in a security system and have access to something valuable.

• Crackers: may be university or high school students who attempt to access computing facilities for which they have not been authorized.

• Career criminals: understand the targets of computer crime, e.g. international groups, electronic spies, information brokers.

• Hackers: people with deep knowledge of and interest in operating systems or multiple OSs. They do not attempt to intentionally break any system (non-malicious).

How to make a system secure?

There are four methods by which computer security provides protection:

(1) System Access Control: ensuring that unauthorized users don’t get into the system.

(2) Data Access Control: monitoring who can access what data and for what purposes.

(3) System and Security Administration: performing certain procedures (system administrator’s responsibilities or training users appropriately).

(4) System Design: taking advantage of basic hardware and software security characteristics.

System Access Control

• The first way in which a system provides computer security is by controlling access to that system:

– Who’s allowed to log in?

– How does the system decide whether a user is legitimate?

• Identification and authentication provide the above.

Identification & Authentication

• Identification tells the system who you are.

• Authentication proves to the system that you are who you say you are.

• There are 3 ways to prove ourselves:

– Something you know

– Something you have

– Something you are

System Access Control


IDENTIFICATION & AUTHENTICATION

SOMETHING YOU KNOW

e.g.: password

~ you know the password, you are the owner

SOMETHING YOU HAVE

e.g.: tokens, keys & smart cards

~ you have the key, you must be the owner of it

SOMETHING YOU ARE

e.g.: fingerprints, retina pattern, handprint etc.

Username and Password

• Typical first line of defense

• User name (Login ID) – identification

• Password – authentication

• Login will succeed if you entered a valid user name and corresponding password.

System Access Control

• The user plays an important role in password protection – authentication is compromised when you give away your own password by telling others.

Common threats to passwords:

– Password guessing: exhaustive search and intelligent search

– Password spoofing

– Compromise of the password file

System Access Control

• How we can defend password security:

– Compulsory to set a password

– Change default password

– Password length

– Password format

– Avoid obvious passwords

• How the system helps to improve password security:

– Password checkers

– Password generation

– Password ageing

– Limit login attempts

– Inform users

System Access Control
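The system-side measures listed above (password checker, password ageing, limit on login attempts, informing users), as an added Python example that is not part of the original slides. The policy values (10 characters, 3 failures, 90 days), the list of obvious passwords, the salted-hash storage and the Account class are assumptions made for illustration.

```python
import hashlib, hmac, os

# Assumed policy values for illustration; the slides give no numbers.
MIN_LENGTH, MAX_FAILURES, MAX_AGE_DAYS, DAY = 10, 3, 90, 86400
OBVIOUS = {"password", "123456", "qwerty", "letmein"}  # constructed sample list

def check_password(username, pw):
    """Password checker: return policy problems (empty list = accepted)."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("too short")
    classes = [any(c.islower() for c in pw), any(c.isupper() for c in pw),
               any(c.isdigit() for c in pw), any(not c.isalnum() for c in pw)]
    if sum(classes) < 3:
        problems.append("needs 3 of: lower, upper, digit, symbol")
    if pw.lower() in OBVIOUS or username.lower() in pw.lower():
        problems.append("obvious password")
    return problems

def _hash(pw, salt):
    # Salted, slow hash so a copied password file does not expose passwords.
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)

class Account:
    def __init__(self, username, pw, now):
        problems = check_password(username, pw)
        if problems:
            raise ValueError("; ".join(problems))
        self.username, self.salt = username, os.urandom(16)
        self.digest, self.set_at = _hash(pw, self.salt), now
        self.failures, self.last_login = 0, None

    def login(self, pw, now):
        """Return (status, notice); times are seconds since the epoch."""
        if self.failures >= MAX_FAILURES:          # limit login attempts
            return "locked", None
        if not hmac.compare_digest(_hash(pw, self.salt), self.digest):
            self.failures += 1
            return "denied", None
        # Inform users: report failures and previous login, then reset.
        notice = f"{self.failures} failed attempt(s); last login: {self.last_login}"
        self.failures, self.last_login = 0, now
        expired = now - self.set_at > MAX_AGE_DAYS * DAY   # password ageing
        return ("change-required" if expired else "ok"), notice
```

A hard lockout like this one lets anyone who knows a user name lock that account, which is an interruption in the terms used earlier; time-limited lockouts or growing delays are the usual compromise.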

Data Access Control

• On the most elementary level, a subject may observe an object or alter an object; the common access modes are therefore defined as below:

– Observe: look at the contents of an object

– Change: change the contents of an object

Data Access Control

[Table: the access modes Observe and Change against the access rights execute, append, read and write]

Access rights in the Bell-LaPadula model

         bill.doc        edit.exe    fun.com
Alice    -               {execute}   {execute, read}
Bill     {read, write}   {execute}   {execute, read, write}

An access control matrix
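The access control matrix above used as a default-deny lookup, as an added Python example that is not part of the original slides. The function names are hypothetical, and the mapping of access rights to the Observe and Change modes follows the usual Bell-LaPadula reading, which is an assumption here.

```python
# Access control matrix from the slide (cell placement as read from the
# slide). A missing entry means "no rights" (default deny).
MATRIX = {
    "Alice": {"edit.exe": {"execute"}, "fun.com": {"execute", "read"}},
    "Bill": {
        "bill.doc": {"read", "write"},
        "edit.exe": {"execute"},
        "fun.com": {"execute", "read", "write"},
    },
}

# Assumed mapping of access rights to the two access modes (usual
# Bell-LaPadula reading): execute implies neither observe nor change.
MODES = {
    "execute": set(),
    "append": {"change"},
    "read": {"observe"},
    "write": {"observe", "change"},
}

def rights(subject, obj):
    """Rights the matrix grants; unknown subjects or objects get none."""
    return MATRIX.get(subject, {}).get(obj, set())

def allowed(subject, obj, right):
    """Decision for one requested access right."""
    if right not in MODES:
        raise ValueError(f"unknown access right: {right}")
    return right in rights(subject, obj)

def can(subject, obj, mode):
    """True if any right the subject holds on the object implies the mode."""
    return any(mode in MODES[r] for r in rights(subject, obj))

def who_can(obj, mode):
    """Column view: subjects able to observe or change the object."""
    return sorted(s for s in MATRIX if can(s, obj, mode))

if __name__ == "__main__":
    for s in MATRIX:
        for o in ("bill.doc", "edit.exe", "fun.com"):
            modes = [m for m in ("observe", "change") if can(s, o, m)]
            print(f"{s:5} {o:8} rights={sorted(rights(s, o))} modes={modes}")
```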


Effectiveness of Controls

• Awareness of problems: people will cooperate with security requirements only if they understand why security is appropriate in each specific situation.

• Likelihood of use: controls must be used to be effective – therefore they must be easy to use and appropriate.

• Overlapping controls: combinations of controls on one exposure.

• Periodic review: an ongoing task of judging the effectiveness of a control.

The End