Hardware Security Attacks Security Architecture Hardware Security.
-
Upload
britney-parrish -
Category
Documents
-
view
250 -
download
2
Transcript of Hardware Security Attacks Security Architecture Hardware Security.
Hardware SecurityAttacksSecurity ArchitectureHardware Security
GoalsThe student shall be able to: Define: Confidentiality, integrity, availability.Describe example security techniques for the processing states: processing, storage, transmission.Define categories for, and give examples of, threat agents and vulnerabilities.Define the role of the security countermeasures - education, training and awareness, and policy, procedures, and practices.Define policy, standard, procedure, guidelineDefine preventive, detective, and corrective control, and define which is best.
Reading: Hackers in China Attacked The Times for Last 4 Months, Jan 30, 2013, New York Times.U.S. Indicts 11 in Global Credit Card Scheme, Wall Street Journal, Aug. 6, 2008.
Example Security Attacks NY Times was attacked by Chinese
hackers, when China’s prime minister was the target of news reports
Credit card fraud results in cheap credit cards and identity theft
Spy and destructive programs implemented for national security (STUXNET, Flame)
Security VocabularyAsset: DiamondsThreat: TheftVulnerability: Open
door or windowsThreat agent:
BurglarOwner: Those
accountable or who value the asset
Risk: Danger to assets
Threat Agent TypesHackers/ Crackers
Challenge, rebellion Unauthorized access
Criminals Financial gain, Disclosure/ destruction of info.
Fraud, computer crimes
Hacktivist/ Hostile Intel. Service
Spying/ destruction/ revenge/ extortion
DOS, info warfare
Industry Spies, Surveillance State
Competitive advantage
Info theft, econ. exploitation
Insiders Opportunity, personal issues
Fraud/ theft, malware, abuse
System Vulnerabilities
System Vulnerabilities
Behavioral:Disgruntled employee,
uncontrolled processes,poor network design,improperly configured
equipment
Misinterpretation:Poorly-defined
procedures,employee error,Insufficient staff,
Inadequate mgmt,Inadequate compliance
enforcement
Coding Problems:
Security ignorance,poorly-defined requirements,
defective software,unprotected
communication
Physical Vulnerabilities:
Fire, flood,negligence, theft,kicked terminals,no redundancy
Security Goals
CIA Triad
Confidentiality
Integrity Availability
Conformity to Law& Privacy Requirements
CIAConfidentiality Data is accessible only to authorized partiesData is provided on ‘need-to-know’ basisIntegrity Data is modified only by authorized partiesData is accurateExample: Does your resume/credit report accurately reflect you?AvailabilityData is available to authorized persons when needed
Security: Defense in Depth
Border RouterPerimeter firewallInternal firewallIntrusion Detection SystemPolicies & Procedures & AuditsAuthenticationAccess Controls
IT Control ClassificationsTime ofEvent
Detective Controls:Finding fraud when it occursIncludes:Hash totalsCheck pointsDuplicate checkingError messagesPast-due account reportsReview of activity logs
After Event Before Problematic Event
Preventive Controls*:Preventing fraud
Includes:Programmed edit checksEncryption softwareAccess control S/WWell-designed proceduresPhysical controlsEmploy only qualified personnel
CorrectiveControls:Fix problemsand preventfuture problemsIncludes:Contingency planningBackup proceduresReruns
Preventive Controls are BEST
Three states:transmit – process - storage
Confidentiality controls (e.g.)transmit – process - storage
EncryptionFrequency hoppingFirewallNetwork Intrusion Prevention SystemShielding
EncryptionSecured roomMedia destructionMedia sanitization
AuthenticationAccess controlAntivirusAudit trailHost IDS/IPS
Availability controls (e.g.)transmit – process - storage
RedundancyTest equipment (Loopback, sniffers)
RAIDRedundant DBHVAC, Fire suppressantFiltered power
Redundancy: Clusters Primary-SecondaryUniversal Power SupplyLocks, alarms, anti-theft
Confidentiality & ProcessingNeed-to-know: Persons should have ability to
access data sufficient to perform primary job and no more
Least Privilege: Persons should have ability to do tasks sufficient to perform primary job and no more
Segregation of Duties: Ensure that no person can assume two roles: Origination, Authorization, Distribution, Verification
Privacy: Personal/private info is retained only when a true business need exists: Privacy is a liability Retain records for short time
Personnel office should change permissions as jobs change
Availability & Storage: Backups
Daily Events Full Differential Incremental
Monday: Full Backup Monday Monday Monday
Tuesday: A Changes Tuesday Saves A Saves A
Wednesday: B Changes Wed’day Saves A + B Saves B
Thursday: C Changes Thursday Saves A+B+C Saves C
Friday: Full Backup Friday Friday Friday
Incremental or Differential Backups can record transactions since last backup or last full backup, respectively
Integrity Controls: Audit Trails Audit trail tracks responsibility
Who did what when? Periodic review will help to find excess-authority
access, login successes & failures, and track fraud
Attackers often want to change the audit trail (to hide tracks)
Audit trail must be hard to change: Write-once devices Security & systems admins and managers may
have READ-only access to log Audit trail must be sensitive to privacy
Personal information may be encrypted
Theoretical Basis for Security Model
Pro
cess
ing
Tra
nsm
issi
on
Sto
rag
e
Technology
Policy
Security Training& Awareness
Confidentiality
Integrity
Availability
Policy DocumentationPolicy= Direction for ControlPhilosophy of organizationCreated by Senior MgmtReviewed periodically
Employees must understand intentAuditors test for compliance
Procedures:Detailed steps toimplement a policy.Written by processowners
Standards:An image ofwhat is acceptable
GuidelinesRecommendationsand acceptablealternatives
Policies, Procedures, Standards
Policy Objective: Describes ‘what’ needs to be accomplished Policy Control: Technique to meet objectives
Procedure: Outlines ‘how’ the Policy will be accomplished Standard: Specific rule, metric or boundary that implements policy
Example 1: Policy: Computer systems are not exposed to illegal, inappropriate,
or dangerous software Policy Control Standard: Allowed software is defined to include ... Policy Control Procedure: A description of how to load a computer
with required software.
Example 2: Policy: Access to confidential information is controlled Policy Control Standard: Confidential information SHALL never be
emailed without being encrypted Policy Guideline: Confidential info SHOULD not be written to a
memory stickDiscussion: Are these effective controls by themselves?
Types of Security TrainingAwareness:
Create security-conscious workforce
Employees, partners & vendors
Newsletters, surveys, quizzes, video training, forums, posters
Training:
Necessary skills for a particular position
HR, legal, middle or top mgmt
Workshops, conferences
Education: High level skills
High-skilled professions: audit, security admin/mgmt,
Risk mgmt…
Organized and gradual development: teaching & coaching
Hardware security threats
Acousticemanations
Electrical emanationsMagnetic emanations
Hardware attack examplesATM skimmers: A sleeve reads credit cards when inserted into machines.Altered chips: Include Trojan horse firmware to respond to certain transmissions.Flat Panel Displays: Serial transmissions modulate a video signal that provide eavesdroppers good reception quality.
Hardware Emanation ControlsTechnology:Shielding (for radiation through space, and magnetic fields)Filtering (for conducted signals on power lines, signal lines, etc.)Masking (for either space-radiated or conducted signals, but mostly for space)Space: Protection zone of 200 feetCertification: Does equipment achieve government-secure levels of safety?
Question An example of a vulnerability is1. Theft2. Burglar3. Open door4. Diamonds
Question Three main goals of security include:1.Confidentiality, Integrity, Availability2.Confidentiality, Integrity, Authorization3.Processing, Storage, Transmission4.Preventive, Detective, Corrective
QuestionIn security, poor coding and disgruntled employees are examples of:1.Threat2.Risk3.Threat agent4.Vulnerability
QuestionWhat are the three states that need to be protected in security?1.Confidentiality, Integrity, Authentication2.Transmission, Processing, Storage3.Operating System, Application Program, Hardware4.Processes, procedures and standards
QuestionIn security, a hostile intelligence service and cracker are examples of:1.Risk2.Threat3.Threat agent4.Vulnerability
QuestionThe best type of security control is:1.Detective2.Corrective3.Compensatory4.Preventive
QuestionConsider the term: ‘Defense in Depth’. Depth here means:1.Select best-in-class controls2.If an attacker breaks through one control, they have more to attack3.Hardware should use filtering, shielding, or masking4.Extensive security education is preferred to security awareness