chapter 1: overview - missouri university of science and...

Chapter 1: Overview

Comp Sci 3600 Security

Sidebar (repeated on every slide): Why security?; Definitions; Difficulties; Security relationships (Assets; Vulnerabilities, threats, attacks; Countermeasures; Passive attacks; Active attacks); Security design aspirations; Attack surfaces; Attack trees; Admin notes

Upload: hoangquynh

Post on 20-Jul-2018




Outline

1 Why security?

2 Definitions

3 Difficulties

4 Security relationships
  Assets
  Vulnerabilities, threats, attacks
  Countermeasures
  Passive attacks
  Active attacks

5 Security design aspirations

6 Attack surfaces
  Attack trees

7 Admin notes



Why is security important?

"The contents of a man's letters are more valuable than the contents of his purse." - Lord Varys


Information is power

Data transmissions are not just used for messages, but for the physical control of systems: power grids, water, manufacturing, etc.


WannaCry, what went wrong?

Overview: Ransomware cryptoworm that targeted computers running the Microsoft Windows OS by encrypting data and demanding ransom payments in Bitcoin. Those still running older, unsupported versions of Microsoft Windows, such as Windows XP and Windows Server 2003, were initially at particular risk. On May 12, 2017, the UK's National Health Service was affected.

Exploit: WannaCry propagates using EternalBlue, an exploit of Windows' Server Message Block (SMB) protocol. Much of the attention and comment around the event was occasioned by the fact that the U.S. National Security Agency (NSA) had already discovered the vulnerability, but used it to create an exploit for its own offensive work, rather than report it to Microsoft. The vulnerability exists because the SMB version 1 (SMBv1) server in various versions of Microsoft Windows mishandles specially crafted packets from remote attackers, allowing them to execute arbitrary code on the target computer.


WannaCry

The President and Chief Legal Officer of Microsoft, in a public statement, announced, quote: "This attack provides yet another example of why the stockpiling of vulnerabilities by governments is such a problem."

https://blogs.microsoft.com/on-the-issues/2017/05/14/need-urgent-collective-action-keep-people-safe-online-lessons-last-weeks-cyberattack/



What is computer security?

The NIST Computer Security Handbook defines the term Computer Security as:

• "The protection afforded to an automated information system in order to attain the applicable objectives of preserving the integrity, availability and confidentiality of information system resources"

• Includes hardware, software, firmware, information/data, and telecommunications


CIA triad

• Confidentiality: Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information

• Integrity: Guarding against improper information modification or destruction, including ensuring information non-repudiation and authenticity

• Availability: Ensuring timely and reliable access to and use of information

• Authenticity is sometimes included: Property of being genuine and being able to be verified and trusted.


CIA triad applied



Difficulties in computer security

• Computer security is not simple

• Potential attacks on the security features must be considered

• Procedures used to provide particular services are often counter-intuitive

• Physical and logical placement of countermeasures needs to be determined

• Many algorithms or protocols may be involved

• Attackers only need to find a single weakness; the developer needs to find all weaknesses

• Users and system managers tend to not see the benefits of security until a failure occurs

• Arms race requires regular and constant monitoring

• Is often an afterthought to be incorporated into a system after the design is complete

• Thought of as an impediment to efficient and user-friendly operation



Security and threat modeling is hard

Figure 1.1 Security Concepts and Relationships (diagram; the relationships below are the labelled edges of the figure):

• Owners value assets and wish to minimize risk to those assets

• Owners impose countermeasures to reduce risk

• Threat agents give rise to threats that increase risk to assets

• Threat agents wish to abuse and/or may damage assets

What is your threat model?



Assets of a Computer System

• Hardware: storage, processing, and communications

• Software: OS, system utilities, applications

• Data: files, databases, password databases

• Communication facilities and networks: LAN, WAN, bridges, routers, etc.



Vulnerabilities, Threats, and Attacks

Vulnerabilities lead to several categories of fault:

• Corrupted (loss of integrity): wrong answers

• Leaky (loss of confidentiality): information leaks

• Unavailable or very slow (loss of availability): server down

Threats (potential)

• Capable of exploiting vulnerabilities

• Represent potential security harm to an asset

Attacks (threats carried out)

• Passive – attempt to learn or make use of information from the system that does not affect system resources

• Active – attempt to alter system resources or affect their operation

• Insider – initiated by an entity inside the security perimeter

• Outsider – initiated from outside the perimeter



Countermeasures

• Means used to deal with security attacks: Prevent, Detect, Recover

• Goal is to minimize the residual level of risk to the assets

• Residual vulnerabilities may remain

• A countermeasure may itself introduce new vulnerabilities


Threats and attacks


Scope of security

Figure 1.2 Scope of Computer Security (diagram). Components shown: users making requests; processes representing users; a guard in front of the data on each computer system; data transmitted between two computer systems through networks. The four numbered concerns are:

1 Access to the data must be controlled (protection)

2 Access to the computer facility must be controlled (user authentication)

3 Data must be securely transmitted through networks (network security)

4 Sensitive files must be secure (file security)

This figure depicts security concerns other than physical security, including control of access to computer systems, safeguarding of data transmitted over communications systems, and safeguarding of stored data.



Passive attacks

• Attempts to learn or make use of information from the system but does not affect system resources

• Eavesdropping on, or monitoring of, transmissions

• Goal of the attacker is to obtain information that is being transmitted

Two types:

• Release of message contents

• Traffic analysis



Active attacks

• Attempts to alter system resources or affect their operation

• Involve some modification of the data stream or the creation of a false stream

Four categories:

• Replay

• Masquerade

• Modification of messages

• Denial of service
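The four categories are easier to reason about with a receiver that actually checks for them. The following Python is an added example, not part of the lecture slides: the sender authenticates each message with an HMAC over a sequence number and body, and the receiver rejects anything whose tag does not verify (a modified message, or a masquerade by a party that lacks the key) and anything whose sequence number does not advance (a replay of an earlier, genuine message). The key, message bodies and the manipulations applied to them are constructed for the example. Denial of service is deliberately left out: it targets availability, which message authentication cannot restore.

```python
import hashlib
import hmac
import json

# Constructed shared key for the example only. In a real system the key comes
# from a key-exchange or provisioning step, never from a source literal.
SHARED_KEY = b"example-shared-key-not-for-production"


def make_message(seq, body, key=SHARED_KEY):
    """Build an authenticated message: canonical JSON payload plus HMAC-SHA256 tag."""
    payload = json.dumps({"seq": seq, "body": body}, sort_keys=True).encode()
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return {"payload": payload, "tag": tag}


class Receiver:
    """Checks integrity/origin (HMAC tag) and freshness (strictly increasing seq)."""

    def __init__(self, key=SHARED_KEY):
        self.key = key
        self.last_seq = -1
        self.accepted = []
        self.rejected = []  # (reason, payload) pairs: what a detection log would record

    def accept(self, msg):
        expected = hmac.new(self.key, msg["payload"], hashlib.sha256).hexdigest()
        # compare_digest is constant-time, so tag checking leaks no timing information
        if not hmac.compare_digest(expected, msg["tag"]):
            self.rejected.append(("modified-or-forged", msg["payload"]))
            return False
        fields = json.loads(msg["payload"])
        if fields["seq"] <= self.last_seq:
            self.rejected.append(("replay", msg["payload"]))
            return False
        self.last_seq = fields["seq"]
        self.accepted.append(fields["body"])
        return True


def demo():
    """Run one genuine exchange and the three active manipulations the slide names."""
    rx = Receiver()
    m1 = make_message(1, "transfer 10 to alice")
    m2 = make_message(2, "transfer 5 to bob")
    results = []
    results.append(rx.accept(m1))          # genuine message: accepted

    # Modification of messages: the body is edited in transit, the tag no longer matches.
    tampered = dict(m1)
    tampered["payload"] = m1["payload"].replace(b"10", b"9000")
    results.append(rx.accept(tampered))    # rejected

    results.append(rx.accept(m2))          # genuine message: accepted
    results.append(rx.accept(m1))          # replay of an old, validly tagged message: rejected

    # Masquerade: a party without the shared key forges a message.
    forged = make_message(3, "transfer 999 to mallory", key=b"wrong-key")
    results.append(rx.accept(forged))      # rejected
    return results, rx


if __name__ == "__main__":
    outcomes, receiver = demo()
    print("accept decisions:", outcomes)
    print("rejections:", [reason for reason, _ in receiver.rejected])
```

The sequence number must be remembered per sender and survive restarts, otherwise an old message becomes replayable again; a timestamp window or a nonce cache are the usual alternatives when senders cannot keep a counter.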



Fundamental Security Design Principles

• Layering: Multiple overlapping protections!

• Modularity: design modularity allows fixing and upgrading easily

• Encapsulation: type of object-oriented isolation of internals

• Isolation: isolate users, processes, and data

• Open design: why?

• Economy of mechanism: as simple and small as possible, e.g., microkernel

• Fail-safe defaults: default is lack of access

• Complete mediation: don't cache access, check every time

• Separation of privilege: multi-factor authorization, process separation

• Least privilege: processes and users have the least access needed for their job

• Least common mechanism: each user has their own mechanism/config/software, etc.

• Psychological acceptability: don't over-burden the user

• Least astonishment: Intuitive designs allow user understanding
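As an added illustration of three of these principles (example code, not from the lecture), the Python below implements a minimal reference monitor. The policy denies anything it holds no explicit grant for (fail-safe defaults); one monitor caches its first decision while the other consults the policy on every access, which is the difference complete mediation makes once a grant is revoked; and a helper lists exactly what a subject may do, which is how an over-grant is found when applying least privilege. The subjects, objects and policy entries are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class Policy:
    """Access matrix: (subject, object) -> set of permitted operations."""
    grants: dict = field(default_factory=dict)

    def allow(self, subject, obj, op):
        self.grants.setdefault((subject, obj), set()).add(op)

    def revoke(self, subject, obj, op):
        self.grants.get((subject, obj), set()).discard(op)

    def permits(self, subject, obj, op):
        # Fail-safe default: an absent entry means no access, never "unknown".
        return op in self.grants.get((subject, obj), set())


class CachingMonitor:
    """Violates complete mediation: remembers the first decision for each request."""

    def __init__(self, policy):
        self.policy = policy
        self.cache = {}

    def check(self, subject, obj, op):
        key = (subject, obj, op)
        if key not in self.cache:
            self.cache[key] = self.policy.permits(subject, obj, op)
        return self.cache[key]


class MediatingMonitor:
    """Complete mediation: every access is checked against the current policy."""

    def __init__(self, policy):
        self.policy = policy

    def check(self, subject, obj, op):
        return self.policy.permits(subject, obj, op)


def privileges_of(policy, subject):
    """Everything a subject may currently do; the list to compare against its job."""
    return sorted((obj, op)
                  for (s, obj), ops in policy.grants.items() if s == subject
                  for op in ops)


def demo():
    """Constructed scenario: a grant, a revocation, and what each monitor answers."""
    policy = Policy()
    policy.allow("alice", "/payroll.db", "read")
    caching, mediating = CachingMonitor(policy), MediatingMonitor(policy)
    trace = {}
    # bob was never granted anything: both monitors deny by default.
    trace["bob_default"] = (caching.check("bob", "/payroll.db", "read"),
                            mediating.check("bob", "/payroll.db", "read"))
    trace["alice_before"] = (caching.check("alice", "/payroll.db", "read"),
                             mediating.check("alice", "/payroll.db", "read"))
    policy.revoke("alice", "/payroll.db", "read")
    # The cached decision is stale: the caching monitor still grants access.
    trace["alice_after_revoke"] = (caching.check("alice", "/payroll.db", "read"),
                                   mediating.check("alice", "/payroll.db", "read"))
    trace["alice_privs"] = privileges_of(policy, "alice")
    return trace


if __name__ == "__main__":
    for step, outcome in demo().items():
        print(step, outcome)
```

Real systems do cache authorization decisions for performance (file descriptors are the classic case: the permission check happens at open, not at every read); the principle is a reminder that every such cache needs an invalidation path tied to policy changes.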



Attack surfaces

Reachable and exploitable vulnerabilities in a system. Examples are:

• Open ports on outward-facing Web and other servers, and code listening on those ports

• Services available on the inside of a firewall

• Code that processes incoming data, email, XML, office documents, and industry-specific custom data exchange formats

• Interfaces, SQL, and Web forms

• An employee with access to sensitive information vulnerable to a social engineering attack
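Enumerating the first two items starts with what is actually listening on a host. The Python below is an added example (not from the lecture): it parses lines in the shape of Linux `ss -ltnp` output and separates services bound to all interfaces from those bound to loopback only. The sample output is constructed, not captured from a real host, and the bind-address rule is an assumption for the example: a loopback-only service is still part of the surface reachable from inside the firewall, which the slide also lists, so the report keeps it rather than dropping it.

```python
import re
from collections import namedtuple

Listener = namedtuple("Listener", "addr port process")

# Constructed sample in the shape of `ss -ltnp` output (LISTEN sockets, TCP,
# numeric ports, owning process). Ports and process names are illustrative.
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      511    0.0.0.0:80          0.0.0.0:*         users:(("nginx",pid=1201,fd=6))
LISTEN 0      128    127.0.0.1:5432      0.0.0.0:*         users:(("postgres",pid=950,fd=5))
LISTEN 0      128    [::]:8080           [::]:*            users:(("java",pid=1430,fd=12))
LISTEN 0      128    [::1]:6379          [::]:*            users:(("redis-server",pid=1010,fd=4))
"""

LOOPBACK = {"127.0.0.1", "::1"}
ALL_INTERFACES = {"0.0.0.0", "::", "*"}

# State, Recv-Q, Send-Q, Local Address:Port, Peer Address:Port, users:(("name",...
LINE_RE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+users:\(\("(?P<proc>[^"]+)"'
)


def parse_listeners(text):
    """Turn LISTEN lines into Listener records; the header and unparsable lines are skipped."""
    listeners = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        addr = m.group("addr").strip("[]")  # IPv6 addresses are printed in brackets
        listeners.append(Listener(addr, int(m.group("port")), m.group("proc")))
    return listeners


def classify(listeners):
    """Group listeners by how far they are reachable, based on the bind address."""
    report = {"exposed": [], "local_only": [], "other": []}
    for lst in listeners:
        if lst.addr in ALL_INTERFACES:
            report["exposed"].append(lst)        # reachable from any network the host is on
        elif lst.addr in LOOPBACK:
            report["local_only"].append(lst)     # reachable from processes on this host
        else:
            report["other"].append(lst)          # bound to one specific interface address
    return report


def attack_surface_summary(text):
    """Compact view for comparing two hosts or the same host before and after hardening."""
    report = classify(parse_listeners(text))
    exposed = sorted((lst.process, lst.port) for lst in report["exposed"])
    local = sorted((lst.process, lst.port) for lst in report["local_only"])
    return {"exposed": exposed, "local_only": local, "exposed_count": len(exposed)}


if __name__ == "__main__":
    summary = attack_surface_summary(SAMPLE_SS_OUTPUT)
    print("reachable from the network:", summary["exposed"])
    print("loopback only:", summary["local_only"])
```

Running the same summary on a host before and after a change (a service moved to loopback, an unused port closed) gives a concrete, countable statement of "minimize attack surfaces", and diffing the exposed list over time is a cheap detection for services that appear unexpectedly.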


Attack Surface Categories

Network Attack Surface

• Vulnerabilities over an enterprise network, wide-area network, or the Internet

• Included in this category are network protocol vulnerabilities, such as those used for a denial-of-service attack, disruption of communications links, and various forms of intruder attacks

Software Attack Surface

• Vulnerabilities in application, utility, or operating system code

• Particular focus is Web server software

Human Attack Surface

• Vulnerabilities created by personnel or outsiders, such as social engineering, human error, and trusted insiders


The human element and AI?


The human element


Minimize attack surfaces, increase layering

Figure 1.3 Defense in Depth and Attack Surface (diagram). Horizontal axis: Attack Surface, from Small to Large. Vertical axis: Layering, from Shallow to Deep. Quadrants: a small attack surface with deep layering is Low Security Risk; a large attack surface with shallow layering is High Security Risk; the other two combinations (small surface with shallow layering, large surface with deep layering) are Medium Security Risk.



Attack tree for internet banking

Legend: green = attack; UT/U = user equipment; CC = communication links; IBS = Internet Banking Server; white = category of attack

Figure 1.4 An Attack Tree for Internet Banking Authentication (diagram). Root node: Bank Account Compromise. Node labels as they appear on the slide (the tree's edges are not preserved in the text):

• User credential compromise

• User credential guessing

• UT/U1a User surveillance

• UT/U1b Theft of token and handwritten notes

• Malicious software installation

• Vulnerability exploit

• UT/U2a Hidden code

• UT/U2b Worms

• UT/U2c E-mails with malicious code

• UT/U3a Smartcard analyzers

• UT/U3b Smartcard reader manipulator

• UT/U3c Brute force attacks with PIN calculators

• CC2 Sniffing

• UT/U4a Social engineering

• UT/U4b Web page obfuscation

• IBS3 Web site manipulation

• CC1 Pharming

• Redirection of communication toward fraudulent site

• CC3 Active man-in-the-middle attacks

• IBS1 Brute force attacks

• User communication with attacker

• Injection of commands

• Use of known authenticated session by attacker

• Normal user authentication with specified session ID

• CC4 Pre-defined session IDs (session hijacking)

• IBS2 Security policy violation
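An attack tree becomes useful to a defender once its nodes carry estimates. The Python below is an added example, not part of the lecture or of Figure 1.4: it models OR nodes (any one child suffices) and AND nodes (every child is needed), computes the cheapest path an attacker has through the tree, and shows how raising the cost of a single leaf with a countermeasure changes which path is cheapest. The tree is a small constructed simplification that borrows a few node labels from Figure 1.4; its structure and the effort figures are illustrative assumptions, not values from the figure.

```python
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class Node:
    label: str
    kind: str = "LEAF"            # "LEAF", "OR" or "AND"
    cost: float = 0.0             # attacker effort for a leaf, in constructed units
    children: List["Node"] = field(default_factory=list)


def cheapest(node) -> Tuple[float, List[str]]:
    """Minimum attacker cost for the subtree and the leaves that path uses."""
    if node.kind == "LEAF":
        return node.cost, [node.label]
    results = [cheapest(child) for child in node.children]
    if node.kind == "OR":
        return min(results, key=lambda r: r[0])          # attacker picks the cheapest child
    if node.kind == "AND":
        total = sum(r[0] for r in results)                # attacker must pay for every child
        return total, [leaf for r in results for leaf in r[1]]
    raise ValueError(f"unknown node kind {node.kind!r}")


def with_countermeasure(node, leaf_label, added_cost):
    """Copy of the tree in which one leaf has become harder (a countermeasure applied)."""
    if node.kind == "LEAF":
        cost = node.cost + added_cost if node.label == leaf_label else node.cost
        return Node(node.label, "LEAF", cost)
    return Node(node.label, node.kind, 0.0,
                [with_countermeasure(ch, leaf_label, added_cost) for ch in node.children])


def banking_tree():
    """Constructed simplification of Figure 1.4; structure and costs are assumptions."""
    return Node("Bank Account Compromise", "OR", children=[
        Node("User credential compromise", "OR", children=[
            Node("UT/U1a User surveillance", cost=8),
            Node("UT/U1b Theft of token and handwritten notes", cost=9),
            Node("UT/U4a Social engineering", cost=4),
            Node("CC2 Sniffing", cost=5),
        ]),
        # Hijacking a session needs both a predictable ID and the victim logging in with it.
        Node("Injection of commands", "AND", children=[
            Node("CC4 Pre-defined session IDs (session hijacking)", cost=7),
            Node("Normal user authentication with specified session ID", cost=2),
        ]),
        Node("User credential guessing", "OR", children=[
            Node("IBS1 Brute force attacks", cost=9),
        ]),
    ])


def demo():
    """Cheapest path before and after hardening the leaf that path relied on."""
    tree = banking_tree()
    before = cheapest(tree)
    # Countermeasure for the cheapest leaf (e.g. awareness training plus a second
    # factor); the added effort of 10 is an illustrative assumption.
    hardened = with_countermeasure(tree, "UT/U4a Social engineering", 10)
    after = cheapest(hardened)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("cheapest path before:", before)
    print("cheapest path after :", after)
```

The result shows the defender's reading of an attack tree: a countermeasure only raises the overall bar to the cost of the next-cheapest path (here from social engineering to sniffing), so countermeasures are prioritized by recomputing the minimum after each one rather than by fixing leaves in isolation.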



Computer Security Strategy

• Security Policy: Formal statement of rules and practices that specify or regulate how a system or organization provides security services to protect sensitive and critical system resources

• Assurance: The degree of confidence one has that the security measures, both technical and operational, work as intended to protect the system and the information it processes

• Evaluation: Process of examining a computer product or system with respect to certain criteria

• Security Implementation: involves four complementary courses of action: Prevention, Detection, Response, Recovery



Admin notes

Digital book