hardware security attacks security architecture hardware security

30
Hardware Security Attacks Security Architecture Hardware Security

Upload: britney-parrish

Post on 27-Dec-2015

250 views

Category:

Documents


2 download

TRANSCRIPT

Page 1: Hardware Security Attacks Security Architecture Hardware Security

Hardware SecurityAttacksSecurity ArchitectureHardware Security

Page 2: Hardware Security Attacks Security Architecture Hardware Security

GoalsThe student shall be able to: Define: Confidentiality, integrity, availability.Describe example security techniques for the processing states: processing, storage, transmission.Define categories for, and give examples of, threat agents and vulnerabilities.Define the role of the security countermeasures - education, training and awareness, and policy, procedures, and practices.Define policy, standard, procedure, guidelineDefine preventive, detective, and corrective control, and define which is best.

Reading: Hackers in China Attacked The Times for Last 4 Months, Jan 30, 2013, New York Times.U.S. Indicts 11 in Global Credit Card Scheme, Wall Street Journal, Aug. 6, 2008.

Page 3: Hardware Security Attacks Security Architecture Hardware Security

Example Security Attacks NY Times was attacked by Chinese

hackers, when China’s prime minister was the target of news reports

Credit card fraud results in cheap credit cards and identity theft

Spy and destructive programs implemented for national security (STUXNET, Flame)

Page 4: Hardware Security Attacks Security Architecture Hardware Security

Security VocabularyAsset: DiamondsThreat: TheftVulnerability: Open

door or windowsThreat agent:

BurglarOwner: Those

accountable or who value the asset

Risk: Danger to assets

Page 5: Hardware Security Attacks Security Architecture Hardware Security

Threat Agent TypesHackers/ Crackers

Challenge, rebellion Unauthorized access

Criminals Financial gain, Disclosure/ destruction of info.

Fraud, computer crimes

Hacktivist/ Hostile Intel. Service

Spying/ destruction/ revenge/ extortion

DOS, info warfare

Industry Spies, Surveillance State

Competitive advantage

Info theft, econ. exploitation

Insiders Opportunity, personal issues

Fraud/ theft, malware, abuse

Page 6: Hardware Security Attacks Security Architecture Hardware Security

System Vulnerabilities

System Vulnerabilities

Behavioral:Disgruntled employee,

uncontrolled processes,poor network design,improperly configured

equipment

Misinterpretation:Poorly-defined

procedures,employee error,Insufficient staff,

Inadequate mgmt,Inadequate compliance

enforcement

Coding Problems:

Security ignorance,poorly-defined requirements,

defective software,unprotected

communication

Physical Vulnerabilities:

Fire, flood,negligence, theft,kicked terminals,no redundancy

Page 7: Hardware Security Attacks Security Architecture Hardware Security

Security Goals

CIA Triad

Confidentiality

Integrity Availability

Conformity to Law& Privacy Requirements

Page 8: Hardware Security Attacks Security Architecture Hardware Security

CIAConfidentiality Data is accessible only to authorized partiesData is provided on ‘need-to-know’ basisIntegrity Data is modified only by authorized partiesData is accurateExample: Does your resume/credit report accurately reflect you?AvailabilityData is available to authorized persons when needed

Page 9: Hardware Security Attacks Security Architecture Hardware Security

Security: Defense in Depth

Border RouterPerimeter firewallInternal firewallIntrusion Detection SystemPolicies & Procedures & AuditsAuthenticationAccess Controls

Page 10: Hardware Security Attacks Security Architecture Hardware Security

IT Control ClassificationsTime ofEvent

Detective Controls:Finding fraud when it occursIncludes:Hash totalsCheck pointsDuplicate checkingError messagesPast-due account reportsReview of activity logs

After Event Before Problematic Event

Preventive Controls*:Preventing fraud

Includes:Programmed edit checksEncryption softwareAccess control S/WWell-designed proceduresPhysical controlsEmploy only qualified personnel

CorrectiveControls:Fix problemsand preventfuture problemsIncludes:Contingency planningBackup proceduresReruns

Preventive Controls are BEST

Page 11: Hardware Security Attacks Security Architecture Hardware Security

Three states:transmit – process - storage

Page 12: Hardware Security Attacks Security Architecture Hardware Security

Confidentiality controls (e.g.)transmit – process - storage

EncryptionFrequency hoppingFirewallNetwork Intrusion Prevention SystemShielding

EncryptionSecured roomMedia destructionMedia sanitization

AuthenticationAccess controlAntivirusAudit trailHost IDS/IPS

Page 13: Hardware Security Attacks Security Architecture Hardware Security

Availability controls (e.g.)transmit – process - storage

RedundancyTest equipment (Loopback, sniffers)

RAIDRedundant DBHVAC, Fire suppressantFiltered power

Redundancy: Clusters Primary-SecondaryUniversal Power SupplyLocks, alarms, anti-theft

Page 14: Hardware Security Attacks Security Architecture Hardware Security

Confidentiality & ProcessingNeed-to-know: Persons should have ability to

access data sufficient to perform primary job and no more

Least Privilege: Persons should have ability to do tasks sufficient to perform primary job and no more

Segregation of Duties: Ensure that no person can assume two roles: Origination, Authorization, Distribution, Verification

Privacy: Personal/private info is retained only when a true business need exists: Privacy is a liability Retain records for short time

Personnel office should change permissions as jobs change

Page 15: Hardware Security Attacks Security Architecture Hardware Security

Availability & Storage: Backups

Daily Events Full Differential Incremental

Monday: Full Backup Monday Monday Monday

Tuesday: A Changes Tuesday Saves A Saves A

Wednesday: B Changes Wed’day Saves A + B Saves B

Thursday: C Changes Thursday Saves A+B+C Saves C

Friday: Full Backup Friday Friday Friday

Incremental or Differential Backups can record transactions since last backup or last full backup, respectively

Page 16: Hardware Security Attacks Security Architecture Hardware Security

Integrity Controls: Audit Trails Audit trail tracks responsibility

Who did what when? Periodic review will help to find excess-authority

access, login successes & failures, and track fraud

Attackers often want to change the audit trail (to hide tracks)

Audit trail must be hard to change: Write-once devices Security & systems admins and managers may

have READ-only access to log Audit trail must be sensitive to privacy

Personal information may be encrypted

Page 17: Hardware Security Attacks Security Architecture Hardware Security

Theoretical Basis for Security Model

Pro

cess

ing

Tra

nsm

issi

on

Sto

rag

e

Technology

Policy

Security Training& Awareness

Confidentiality

Integrity

Availability

Page 18: Hardware Security Attacks Security Architecture Hardware Security

Policy DocumentationPolicy= Direction for ControlPhilosophy of organizationCreated by Senior MgmtReviewed periodically

Employees must understand intentAuditors test for compliance

Procedures:Detailed steps toimplement a policy.Written by processowners

Standards:An image ofwhat is acceptable

GuidelinesRecommendationsand acceptablealternatives

Page 19: Hardware Security Attacks Security Architecture Hardware Security

Policies, Procedures, Standards

Policy Objective: Describes ‘what’ needs to be accomplished Policy Control: Technique to meet objectives

Procedure: Outlines ‘how’ the Policy will be accomplished Standard: Specific rule, metric or boundary that implements policy

Example 1: Policy: Computer systems are not exposed to illegal, inappropriate,

or dangerous software Policy Control Standard: Allowed software is defined to include ... Policy Control Procedure: A description of how to load a computer

with required software.

Example 2: Policy: Access to confidential information is controlled Policy Control Standard: Confidential information SHALL never be

emailed without being encrypted Policy Guideline: Confidential info SHOULD not be written to a

memory stickDiscussion: Are these effective controls by themselves?

Page 20: Hardware Security Attacks Security Architecture Hardware Security

Types of Security TrainingAwareness:

Create security-conscious workforce

Employees, partners & vendors

Newsletters, surveys, quizzes, video training, forums, posters

Training:

Necessary skills for a particular position

HR, legal, middle or top mgmt

Workshops, conferences

Education: High level skills

High-skilled professions: audit, security admin/mgmt,

Risk mgmt…

Organized and gradual development: teaching & coaching

Page 21: Hardware Security Attacks Security Architecture Hardware Security

Hardware security threats

Acousticemanations

Electrical emanationsMagnetic emanations

Page 22: Hardware Security Attacks Security Architecture Hardware Security

Hardware attack examplesATM skimmers: A sleeve reads credit cards when inserted into machines.Altered chips: Include Trojan horse firmware to respond to certain transmissions.Flat Panel Displays: Serial transmissions modulate a video signal that provide eavesdroppers good reception quality.

Page 23: Hardware Security Attacks Security Architecture Hardware Security

Hardware Emanation ControlsTechnology:Shielding (for radiation through space, and magnetic fields)Filtering (for conducted signals on power lines, signal lines, etc.)Masking (for either space-radiated or conducted signals, but mostly for space)Space: Protection zone of 200 feetCertification: Does equipment achieve government-secure levels of safety?

Page 24: Hardware Security Attacks Security Architecture Hardware Security

Question An example of a vulnerability is1. Theft2. Burglar3. Open door4. Diamonds

Page 25: Hardware Security Attacks Security Architecture Hardware Security

Question Three main goals of security include:1.Confidentiality, Integrity, Availability2.Confidentiality, Integrity, Authorization3.Processing, Storage, Transmission4.Preventive, Detective, Corrective

Page 26: Hardware Security Attacks Security Architecture Hardware Security

QuestionIn security, poor coding and disgruntled employees are examples of:1.Threat2.Risk3.Threat agent4.Vulnerability

Page 27: Hardware Security Attacks Security Architecture Hardware Security

QuestionWhat are the three states that need to be protected in security?1.Confidentiality, Integrity, Authentication2.Transmission, Processing, Storage3.Operating System, Application Program, Hardware4.Processes, procedures and standards

Page 28: Hardware Security Attacks Security Architecture Hardware Security

QuestionIn security, a hostile intelligence service and cracker are examples of:1.Risk2.Threat3.Threat agent4.Vulnerability

Page 29: Hardware Security Attacks Security Architecture Hardware Security

QuestionThe best type of security control is:1.Detective2.Corrective3.Compensatory4.Preventive

Page 30: Hardware Security Attacks Security Architecture Hardware Security

QuestionConsider the term: ‘Defense in Depth’. Depth here means:1.Select best-in-class controls2.If an attacker breaks through one control, they have more to attack3.Hardware should use filtering, shielding, or masking4.Extensive security education is preferred to security awareness