Chapter 1

68 pages

07/04/22 Prof. Ehud Gudes Security Ch 1 1

Chapter 1. [SB] chapters 1,13,14,15,16,17,18; Articles J1,J2


Page 1: Chapter 1

04/24/23 Prof. Ehud Gudes Security Ch 1 1

Chapter 1

[SB] chapters 1,13,14,15,16,17,18; Articles J1,J2

Page 2: Chapter 1


Security objectives

Confidentiality – no leakage of sensitive or private information; only authorized access is allowed (both read and write)
Integrity – no modification or destruction of information (both accidental and malicious)
Availability – timely response, no denial of service, quality of service
Security – all together, but mainly confidentiality!

Page 3: Chapter 1

Key Security Concepts

Page 4: Chapter 1


Integrity vs. Security

Integrity – Disallow Invalid update – Read is not a problem!

Security - Disallow unauthorized access – Read is a problem!

Page 5: Chapter 1


Aspects of Integrity

Preciseness, accuracy
Consistency
Meaningfulness and correctness

Integrity problems may happen accidentally or maliciously

Page 6: Chapter 1


Integrity - Types of errors

A single user enters invalid data – Integrity
Access by multiple users causing an invalid or inconsistent database – Concurrency
System (hardware or software) failures – Recovery
Abort of transactions which may leave the database in an inconsistent state – Recovery

Page 7: Chapter 1


Aspects of Availability

Timely response
Fair allocation
Fault tolerance
Utility and usability, quality of service
Controlled concurrency
No denial of service

Page 8: Chapter 1


Examples for Security Problems

Computer crime
Access to proprietary information
Disruption of operations (denial of service)
Violation of privacy
Theft of proprietary software

Page 9: Chapter 1


Types of Security Threats

Hardware – theft, eavesdropping, fire, flood, terror
Software – illegal use, illegal modification, theft
Data – destruction, illegal disclosure, illegal modification

Page 10: Chapter 1


Security Threats - Locations

Page 11: Chapter 1


Attackers

Insiders – according to studies, about half of the attacks on a system come from insiders [Neu99].
Hackers – usually try to show off their ability by penetrating systems
Spies – industrial or government espionage

Page 12: Chapter 1


Methods of Attacks

Bypassing authentication (e.g. guessing a password)
Using authority dishonestly (e.g. system people)
Utilizing human error or carelessness
Utilizing "holes" in software – trapdoors
Bypassing access control
Using viruses
Using inference from authorized access

Page 13: Chapter 1


Attack methods

Preparation – information gathering, scanning, planting malicious code, masquerading (spoofing)
Activation – perpetrator-controlled, timed, victim activated
Mission – active misuse (affects integrity and availability), passive misuse (eavesdropping, inference), denial of service

Page 14: Chapter 1


Trap-doors

A trap-door is a "hole" in a legitimate program module through which an invalid access can be performed.
Such a hole may be left intentionally or unintentionally.
Example – a hole in the password checking module (Thompson's example: a compiler that silently inserts a back door into the login program it compiles, and into copies of itself, so that the hole is invisible in the login source code).

Page 15: Chapter 1


Malicious Code

Trojan Horses – A Trojan horse is an apparently useful program that has hidden functions, usually harmful. A Trojan horse can violate integrity more easily than confidentiality.
Viruses – A virus is a program that attaches itself to another program, propagates, and usually causes some data destruction. General virus detection is a difficult problem (undecidable in the general case), but we can detect specific viruses.
Worms – A worm is a program that propagates itself as a standalone program, without attaching itself to a host program.

Page 16: Chapter 1


Viruses and worms

Self-propagating
May destroy information and clog services
A mix of vandalism and ego trip
Take advantage of operating system and utilities flaws and uniformity of systems
Examples of malicious software
May also be used by organizations or government agencies

Page 17: Chapter 1


Virus - Stages of an Attack

Page 18: Chapter 1

Network Security Attacks

Classified as passive or active.
Passive attacks are eavesdropping: release of message contents, traffic analysis. They are hard to detect, so the aim is to prevent them.
Active attacks modify or fake data: masquerade, replay, modification, denial of service. They are hard to prevent, so the aim is to detect them.

Page 19: Chapter 1


Web site defacing and hijacking

Alteration of the web pages of some institution
Visitors may be hijacked to other sites, sometimes impostor sites
Political motivation or hacking
Take advantage of web server weaknesses, e.g., CGI scripts or lack of isolation of pages; also through the OS
Cross-site scripting – XSS
Phishing

Page 20: Chapter 1


Dist. Denial of Service

Multiplication of messages towards some site
Requires software previously inserted by the perpetrator on other machines ("slaves")
A site may become inaccessible
Political motivation or vandalism
Uses flaws or features of network protocols and OS flaws

Page 21: Chapter 1


Illegal database access

Illegal access to web-connected databases
Stealing of information, e.g., credit card numbers
SQL injection
Exploit poor database authorization, implementation, or alternate routes
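To make the SQL injection bullet concrete, here is an added example that is not part of the original slides: the same customer lookup written with string concatenation, which lets the visitor's input rewrite the query, beside the parameterized form that the database driver treats as data only. The customers table, its two rows and the attacker string are constructed for illustration; the DBMS is Python's built-in sqlite3, chosen only because it needs no server.

```python
"""SQL injection: a vulnerable string-built query beside the parameterized fix.

Added example, not from the slides. The schema, the sample customer rows and
the attacker input below are constructed for illustration.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory database with a constructed 'customers' table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER, name TEXT, card TEXT)")
    conn.executemany(
        "INSERT INTO customers VALUES (?, ?, ?)",
        [(1, "alice", "4111-1111-1111-1111"),
         (2, "bob", "5500-0000-0000-0004")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """Builds the WHERE clause by concatenation: user input becomes SQL text."""
    sql = "SELECT name, card FROM customers WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, name: str) -> list:
    """Parameterized query: the driver binds 'name' as a value, never as SQL."""
    return conn.execute(
        "SELECT name, card FROM customers WHERE name = ?", (name,)
    ).fetchall()


# Constructed attacker input: closes the quoted literal and appends a tautology,
# turning the query into ... WHERE name = 'nobody' OR '1'='1'
INJECTION = "nobody' OR '1'='1"


def demo() -> tuple:
    """Returns (rows leaked by the vulnerable query, rows from the safe query)."""
    conn = make_db()
    leaked = lookup_vulnerable(conn, INJECTION)
    safe = lookup_safe(conn, INJECTION)
    conn.close()
    return leaked, safe


if __name__ == "__main__":
    leaked, safe = demo()
    print("vulnerable query returned", len(leaked), "rows:", leaked)
    print("parameterized query returned", len(safe), "rows:", safe)
```

The vulnerable lookup returns every card number in the table for the injected name; the parameterized one looks for a customer literally named `nobody' OR '1'='1` and returns nothing. Parameter binding, not quoting or escaping by hand, is the fix; the "poor database authorization" bullet above is the second layer (the web account should not be able to read the card column at all).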

Page 22: Chapter 1


Cyberwar and Terrorism

Massive attack on the computer systems of some country or institution, or on the Internet itself
Carried out by organized groups or a government
Uses all the other attacks

Page 23: Chapter 1


How attacks are carried out

Passive attack:
Interception (eavesdropping) – attack on confidentiality
Active attacks:
Interruption – attack on availability
Modification – attack on integrity
Fabrication – attack on authenticity
Replay (retransmission)

Page 24: Chapter 1


The attacker's desired outcomes

Harassment – intrusion
Denial of service ...
Theft of information
Fraud

Page 25: Chapter 1


Planning the attack (types of threat)

Unintentional threat ... bugs ... "I forgot my password"
Intentional threat
Natural threat – natural disasters

Page 26: Chapter 1


Source of the attack

From among the system's users
From within the organization
From outside the organization, but physically inside
From another "trusted" organization
From outside the organization – from the Internet

Page 27: Chapter 1


Examples

Transferring fractions of agorot (cents) into a bank employee's account
Theft of backup tapes and erasure of disks by a company employee
Flooding of the computer center
A Christmas greeting – a Trojan horse in PostScript
Viruses in mail attachments – the "I Love You" virus
Credit-card payments by telephone (on the Internet)
A Trojan horse – Windows NT registration
Alteration of the C.I.A.'s Web page
The Internet Worm
Publication of Izhar Ashdot's disc
The DDoS attack on Yahoo, Amazon, CNN and others

Page 28: Chapter 1


Most popular Attack methods ([P] sidebar 1.3)

Exploiting an OS vulnerability – 33%
Exploiting an unknown application – 27%
Guessing passwords – 22%
Abusing valid user accounts – 17%
Using internal denial of service – 12%

Page 29: Chapter 1


Countermeasures

Access control / authorization – provide confidentiality and integrity
Authentication – proper identification
Auditing – basis for prosecution or improvements to the system
Cryptography – a mechanism to hide information and prove identity and rights

Page 30: Chapter 1

Security Functional Requirements

Technical measures: access control; identification & authentication; system & communication protection; system & information integrity
Management controls and procedures: awareness & training; audit & accountability; certification, accreditation, & security assessments; contingency planning; maintenance; physical & environmental protection; planning; personnel security; risk assessment; systems & services acquisition
Overlapping technical and management: configuration management; incident response; media protection

Page 31: Chapter 1


Basic Security Mechanisms

Mechanism                          Implemented in
Identification, Authentication     OS, [DBMS]
Authorization, Access Controls     DBMS, OS security enforcement module
Integrity, Consistency             DBMS data model, transaction manager
Auditing, Encryption               OS, [DBMS]

Page 32: Chapter 1


Security Mechanisms

Area                   Procedures and Mechanisms
External procedures    Security clearance of personnel; protection of passwords; information classification and security policy formulation; application program controls; audit; periods processing
Physical environment   Secure areas for files / processors / terminals; radiation shielding
Data storage           Data encryption; duplicate copies

Page 33: Chapter 1


Security Mechanisms cont.

Area                   Procedures and Mechanisms
Processor software     Authentication of user; access control; threat monitoring; audit trail of transactions
Processor hardware     Memory protection; states of privilege; reliability
Communication lines    Data encryption

Page 34: Chapter 1

Counter Measures (Stallings)

Technical measures: access control; identification & authentication; system & communication protection; system & information integrity
Management controls and procedures: awareness & training; audit & accountability; certification, accreditation, & security assessments; contingency planning; maintenance; physical & environmental protection; planning; personnel security; risk assessment; systems & services acquisition
Overlapping technical and management: configuration management; incident response; media protection

Page 35: Chapter 1

Computer Security Losses

Page 36: Chapter 1

Security Technologies Used

Page 37: Chapter 1


Protection policy

What to protect? Resources, data
Against which threats? Eavesdropping, modification, denial of service
Which parts of the system to protect? Hardware, software

Page 38: Chapter 1


Considerations in choosing a protection policy

The degree of protection we want to provide: usually depends on the damage the organization can "absorb"
The cost of protection (monetary), the physical cost, ease and convenience of use (see below)
Risk assessment model
These conflict with each other – cost/benefit considerations
Always – whom do we trust: the Trust Model

Page 39: Chapter 1


Considerations in choosing a protection policy

After choosing the protection policy, one must choose the protection mechanisms with which the protection policy is implemented.

Page 40: Chapter 1


Protection mechanisms

Physical protection
Personnel / administrative protection
Monitoring means – tracking
Access control
Flow control
Inference control
Cryptographic mechanisms

Page 41: Chapter 1


Examples

Firewalls
Smart cards
Encryption
Hardening of operating systems
Access Control
Physical protections

Page 42: Chapter 1


Secure systems must contain mechanisms (manual or computerized) for identifying and protecting against all types of threats.

Even if a single mechanism is missing, the system may be completely insecure.

The strength of the security chain is that of its weakest link.

Page 43: Chapter 1


Summary - Security objectives

Confidentiality – no leakage of sensitive or private information

Integrity – no modification or destruction of information

Availability – No denial of service

Page 44: Chapter 1


The meaning of security

Security implies providing these objectives in the presence of the attacks discussed earlier
Security requires technical, management, and physical countermeasures
We mainly consider technical aspects here
A related aspect is privacy, a legal and ethics concern
How we achieve all the above without sacrificing basic democratic principles!

Page 45: Chapter 1


Principles for Security

Accountability
Awareness
Ethics
Multidisciplinary
Proportionality
Integration
Non-repudiation
Timeliness
Reassessment
Democracy

Page 46: Chapter 1


The principle of Effectiveness

A security control is effective if:
It is easy to use
Efficient (not too much overhead)
Appropriate (not impeding legal access)
And actually USED!

Remember: the strength of a chain is that of its weakest segment!

Page 47: Chapter 1


Need for conceptual structure

Security is an all-levels problem
In current systems we have disjoint, ad hoc solutions at each level
We should start from high-level policies that can be mapped to the lower levels
We need precise models to guide system development

Page 48: Chapter 1


Management and Administrative Aspects

PC measures
Unix issues – e.g. use of accounts, passwords
Network issues – insiders vs. outsiders, firewalls
Computer emergency response teams (CERT)
Risk analysis

Page 49: Chapter 1


Security Measures (figure): administrative, physical, legal and technical security measures

Page 50: Chapter 1


PC measures

Secure equipment; do not leave PCs, printers unattended
Secure secondary media
Perform periodic backups
Practice separation of authority
Add security boards or plugs
Use authorized software only
Provide access control and/or encryption to files
Provide automatic logout and screen saver locks
Assure machine identification

Page 51: Chapter 1


Unix Measures

Control accounts – delete old accounts; limit access of guest accounts
Provide for password security
Limit super-user accessibility
Backup periodically and at several levels
Log activities and look for suspicious behavior
Control carefully proxy servers and network services

Page 52: Chapter 1


Issues in Password Selection

Length – at least 8?
Composition – no common names, places, sport terms, movies and actors, machine names, bible words, etc.; yes to upper & lower case, digits, control chars
Computer generated passwords
Password encryption – one-way functions; public keys and certificates; Kerberos
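An added example (not from the slides) that applies the selection rules above to a candidate password and then stores it only as a salted one-way hash, so that a stolen password file does not hand out the passwords themselves. The small word list, the minimum length of 8 and the PBKDF2 parameters are assumed values for illustration; a real system would check against a full dictionary and the tuned iteration count of its platform.

```python
"""Password policy check and one-way storage.

Added example, not part of the original slides. The word list, the minimum
length and the PBKDF2 parameters are assumptions made for illustration.
"""
import hashlib
import hmac
import os

MIN_LENGTH = 8  # the slide asks "at least 8?"; assumed policy value
PBKDF2_ITERATIONS = 100_000  # assumed; tune to your hardware
# Constructed stand-in for a real dictionary of names, places, sports, bible words...
FORBIDDEN_WORDS = {"password", "jerusalem", "football", "genesis", "matrix", "server1"}


def check_password(pw: str) -> list:
    """Returns the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("too short")
    low = pw.lower()
    # Reject dictionary words even when padded with digits or symbols ("Football99!").
    letters_only = "".join(ch for ch in low if ch.isalpha())
    if low in FORBIDDEN_WORDS or letters_only in FORBIDDEN_WORDS:
        problems.append("common word")
    classes = [
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),  # punctuation / control characters
    ]
    if sum(classes) < 3:
        problems.append("needs at least three character classes")
    return problems


def hash_password(pw: str, salt: bytes = None) -> tuple:
    """One-way function with a per-user random salt; nothing reversible is stored."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(pw: str, salt: bytes, digest: bytes) -> bool:
    """Recomputes the hash under the stored salt and compares in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    for candidate in ("abc", "Football99!", "Tq7#vM2pLx"):
        print(candidate, "->", check_password(candidate) or "ok")
    salt, digest = hash_password("Tq7#vM2pLx")
    print("stored:", salt.hex(), digest.hex())
    print("verify correct:", verify_password("Tq7#vM2pLx", salt, digest))
    print("verify wrong:", verify_password("Tq7#vM2pLy", salt, digest))
```

The salt defeats precomputed tables (two users with the same password get different digests), the iteration count makes guessing each password expensive, and `hmac.compare_digest` avoids leaking how many leading bytes matched through timing.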

Page 53: Chapter 1


WINDOWS-NT SECURITY

Authentication – using modern cryptographic protocols
File and directory security – using access-control lists based on groups
User profiles and system policies – using default settings and conflict resolution
Auditing and logging
Sophisticated management and security administration tools

Page 54: Chapter 1


Auditing Issues - Protection of the Log

Only privileged users can write to the log
The log is stored on a separate computer without editors or printers
A filled log is sent to a separate site and printed on a secure printer

Page 55: Chapter 1


Auditing Issues

What granularity? – every login? every shell command? every file read/write?
When? – always? at certain times of day? of week?
To whom? – all users? suspicious ones?
Performance implications?
Implementation – other media/machine? What to do when the log is filled?

Page 56: Chapter 1


Auditing

Relationship between recovery log and audit trail

                ITEMS RECORDED                              FUNCTIONS
RECOVERY LOG    Physical details of data and operations     Restore database to consistent state
                Update actions (before and after images)
AUDIT TRAIL     Read operations                             Analyze for policy compliance
                Log-ons                                     Detect violations
                Illegal requests                            Compensate for errors

Page 57: Chapter 1


Use of Tools

CERT – Computer Emergency Response Team – both before and after an attack
CRACK – a password checking tool
COPS – checks system files
SATAN – network analysis tool
Anti-viruses

Page 58: Chapter 1


Physical protection

Page 59: Chapter 1


Protection against natural disasters and/or war damage

Resistant buildings in safe locations
Lightning protection
Fire detectors, sprinklers
Emergency generator
Backups in a fireproof safe – backups at a separate site (offline, online)
Emergency communication system (through a separate exchange)

Page 60: Chapter 1


Damage by employees and visitors to the facility

Restricting physical access to the computer system
A guard at the entrance
Entrance door with a code
Door with a retina scanner
Locking sensitive material in safes
Keeping backups in a separate physical location
In especially critical systems – preventing communication to the outside

Page 61: Chapter 1


Electromagnetic radiation: computer systems emit radiation (usually weak and hard to measure) from the processor, peripheral equipment, displays and communication lines.

Means of protection: shielding communication lines, separating them from telephone lines, protection by means of a Faraday cage

Page 62: Chapter 1


Risk Analysis

Identify assets
Determine vulnerabilities
Estimate likelihood of exploitation
Survey applicable controls and defense measures
Project saving of control

Like an insurance problem

Page 63: Chapter 1


Risk Analysis

Assets: hardware, software, data, people
Cost of each damage, including legal obligations
Probability of occurrence – the Delphi approach
Cost of control: in hardware, in software, in people

Page 64: Chapter 1


Typical Risk Analysis Form

Columns: Description of risk | Potential effect | Potential cost of risk | Probability (high = .75, average = .50, low = .25, negligible = .05) | Cost x probability product (x10^3), used as the relative priority (the highest product is the highest priority) | Preventative / remedial action | Costs of safeguard and comments

1. Computer room destroyed
   Potential effect: i. Loss of processing capability for production scheduling, payroll, etc.; ii. Replacement of computer; iii. Site reconstruction
   Potential cost of risk: $500,000; $200,000; $2,000,000
   Probability: Low
   Product (x10^3): 675
   Preventative / remedial action: i. Ensure adequate backup; ii. Maintain fall-back manual system; iii. Insure site and equipment; iv. Impose fire precautions
   Costs of safeguard and comments: Nil; $3,000 per year

2. Complete loss of records
   Potential effect: i. Unable to bill customers; ii. Production line stoppage within four days; iii. Unable to continue trading within six weeks
   Potential cost of risk: $500,000; $250,000; $25,000,000
   Probability: Low
   Product (x10^3): 6437.5
   Preventative / remedial action: i. Ensure remote copies kept of all vital files; ii. Insure against consequential loss during recovery
   Costs of safeguard and comments: $1,000 per year

3. Theft of information of use to competitors
   Potential effect: i. Erosion of market position; ii. Estimated saving to competitors
   Potential cost of risk: $1,000,000; $10,000
   Probability: Average
   Product (x10^3): 505
   Preventative / remedial action: i. Strict control of access to vital files; ii. Personnel bonding
   Costs of safeguard and comments: i. Impose system for signing out files

4. Illegal sale of machine time
   Potential effect: i. Slightly increased machine costs; ii. Possible adverse effect on own systems testing
   Potential cost of risk: $10,000; $5,000
   Probability: Negligible
   Product (x10^3): 0.750
   Preventative / remedial action: i. Spot checks
   Costs of safeguard and comments: No action recommended; risk/small loss outweighed by staff morale considerations

5. Improper disclosure of personal data
   Potential effect: i. Lawsuit against firm; ii. Loss of goodwill through publicity
   Potential cost of risk: $10,000,000; $7,500,000
   Probability: High
   Product (x10^3): 13125
   Preventative / remedial action: i. Tighten up controls at areas where information is disseminated; ii. Put a legal notice on all forms with personal data specifying laws and sanctions applicable to it
   Costs of safeguard and comments: Intangible effect and cost to data subjects important but not considered here

Page 65: Chapter 1


Justification of Access Control Software (Table 10-4)

Item                                                                          Amount
Risks: disclosure of company confidential data; computation based on incorrect data
Cost to reconstruct correct data: $1,000,000 @ 10% likelihood per year        $100,000
Effectiveness of access control software: 60%                                 -$60,000
Cost of access control software                                               +$25,000
Expected annual costs due to loss and controls: $100,000 - $60,000 + $25,000   $65,000
Savings: $100,000 - $65,000                                                    $35,000
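The risk form and Table 10-4 are one computation: sum the potential costs of a risk, weight by the probability class, rank by the product, and buy a control only when the loss it prevents exceeds its price. The following added example, which is not part of the slides, carries that computation through in Python so the figures in both tables can be checked. The five risk rows and the Table 10-4 numbers are the slides' own; the function and field names are mine.

```python
"""Risk analysis arithmetic behind the two slides above.

Added example, not part of the original slides. The risk rows and the
Table 10-4 figures are taken from the slides; names are this example's own.
"""
from dataclasses import dataclass

# Probability classes exactly as the form defines them.
PROBABILITY = {"high": 0.75, "average": 0.50, "low": 0.25, "negligible": 0.05}


@dataclass
class Risk:
    description: str
    potential_costs: list   # the form's 'potential cost of risk' column, one figure per effect
    likelihood: str          # key into PROBABILITY

    def expected_loss(self) -> float:
        """Cost x probability, the form's 'product' column, in dollars."""
        return sum(self.potential_costs) * PROBABILITY[self.likelihood]


# The five rows of the Typical Risk Analysis Form.
RISKS = [
    Risk("Computer room destroyed", [500_000, 200_000, 2_000_000], "low"),
    Risk("Complete loss of records", [500_000, 250_000, 25_000_000], "low"),
    Risk("Theft of information of use to competitors", [1_000_000, 10_000], "average"),
    Risk("Illegal sale of machine time", [10_000, 5_000], "negligible"),
    Risk("Improper disclosure of personal data", [10_000_000, 7_500_000], "high"),
]


def prioritize(risks: list) -> list:
    """(description, product in thousands) sorted with the highest product first."""
    return sorted(((r.description, r.expected_loss() / 1000) for r in risks),
                  key=lambda item: item[1], reverse=True)


def control_justification(loss: float, likelihood: float,
                          effectiveness: float, control_cost: float) -> dict:
    """Table 10-4: expected annual cost with and without a control, and the saving.

    A control is worth buying only when 'savings' is positive, i.e. when the
    loss it prevents (effectiveness x expected loss) exceeds what it costs.
    """
    expected = loss * likelihood             # annual loss expectancy without the control
    prevented = expected * effectiveness     # the part of that loss the control stops
    with_control = expected - prevented + control_cost
    return {"expected_loss": expected, "prevented": prevented,
            "with_control": with_control, "savings": expected - with_control}


if __name__ == "__main__":
    for description, product in prioritize(RISKS):
        print(f"{product:>10.3f} x10^3  {description}")
    # Table 10-4: $1,000,000 reconstruction cost, 10%/year, 60% effective, $25,000 control
    print(control_justification(1_000_000, 0.10, 0.60, 25_000))
```

Two things the arithmetic makes visible: the ranking is driven by the product, not by the raw cost (risk 1 costs more than risk 3 but scores lower because the form rates it "low"), and for Table 10-4 the same control stops paying for itself once its cost exceeds the $60,000 it prevents or once the likelihood drops below about 4% per year.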

Page 66: Chapter 1


Secure Planning

People and responsibilities
Disaster recovery (flood, fire, power loss, robbery, terrorism, etc.)
Backups (off-site, cold site)
Disposal of media (shredders, etc.)

Page 67: Chapter 1


Types of Backups

Full vs. selective or incremental (use of RAIDs; note that RAID gives fault tolerance against a disk failure, it is not a backup against deletion, corruption or destruction of the site)
Offsite: cold site vs. hot site

Note on Sept 11th!...

Page 68: Chapter 1

X.800 Security Architecture

X.800, Security Architecture for OSI: a systematic way of defining requirements for security and characterizing approaches to satisfying them.

Defines:
security attacks – compromise security
security mechanism – acts to detect, prevent, or recover from an attack
security service – counters security attacks