
Lecture 1:

Overview

modified from slides of Lawrie Brown


Outline
The focus of this chapter is on three fundamental
questions:

• What assets do we need to protect?

• How are those assets threatened?

• What can we do to counter those threats?


Computer Security Overview
• The NIST Computer Security Handbook defines the term Computer Security as:
  “The protection afforded to an automated information system in order to attain the applicable objectives of preserving the integrity, availability and confidentiality of information system resources” (includes hardware, software, firmware, information/data, and telecommunications).
The CIA Triad
Key Security Concepts

Confidentiality
• preserving authorized restrictions on information access and disclosure.
• including means for protecting personal privacy and proprietary information

Integrity
• guarding against improper information modification or destruction,
• including ensuring information nonrepudiation and authenticity

Availability
• ensuring timely and reliable access to and use of information

Is this all?
Levels of Impact

• Low: The loss could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals
• Moderate: The loss could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals
• High: The loss could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals
Computer Security Challenges
• computer security is not as simple as it might
first appear to the novice
• potential attacks on the security features must
be considered
• procedures used to provide particular services
are often counterintuitive
• physical and logical placement needs to be
determined
• multiple algorithms or protocols may be
involved
Computer Security Challenges
• attackers only need to find a single weakness,
the developer needs to find all weaknesses
• users and system managers tend to not see the
benefits of security until a failure occurs
• security requires regular and constant
monitoring
• security is often an afterthought to be incorporated
into a system after the design is complete
• security is thought of as an impediment to efficient and
user-friendly operation
Computer Security Terminology
• Adversary (threat agent)
– An entity that attacks, or is a threat to, a system.
• Attack
– An assault on system security that derives from an
intelligent threat; a deliberate attempt to evade security
services and violate security policy of a system.
• Countermeasure
– An action, device, procedure, or technique that reduces a
threat, a vulnerability, or an attack by eliminating or
preventing it, by minimizing the harm it can cause, or
by discovering and reporting it so that corrective action
can be taken.
Computer Security Terminology
• Risk
– An expectation of loss expressed as the probability that a
particular threat will exploit a particular vulnerability with a
particular harmful result.
• Security Policy
– A set of rules and practices that specify how a system or org
provides security services to protect sensitive and critical
system resources.
• System Resource (Asset)
– Data; a service provided by a system; a system
capability; an item of system equipment; a facility
that houses system operations and equipment.
Computer Security Terminology
• Threat
– A potential for violation of security, which exists when
there is a circumstance, capability, action, or event that
could breach security and cause harm.

• Vulnerability
– Flaw or weakness in a system's design, implementation,
or operation and management that could be
exploited to violate the system's security policy.

Security Concepts and Relationships

Assets of a Computer System
• Hardware
• Software
• Data
• Communication facilities and networks
Vulnerabilities, Threats and Attacks
• vulnerabilities
– leaky (loss of confidentiality)
– corrupted (loss of integrity)
– unavailable or very slow (loss of availability)
• threats
– capable of exploiting vulnerabilities
– represent potential security harm
• attacks (threats carried out)
– passive or active attempt to alter/affect system resources
– insider or outsider

Countermeasures
• means used to deal with security attacks
  – prevent
  – detect
  – recover
• may introduce new vulnerabilities
• residual vulnerabilities may remain
• goal is to minimize residual level of risk to the assets
Lecture 2:
Overview (cont)

modified from slides of Lawrie Brown


by Peter Steiner,
New York, July 5, 1993
Threat Consequences
Unauthorized disclosure is a threat to confidentiality
• Exposure: This can be deliberate or be the result of a human, hardware, or software error
• Interception: unauthorized access to data
• Inference: e.g., traffic analysis or use of limited access to get detailed information
• Intrusion: unauthorized access to sensitive data
Threat Consequences
Deception is a threat to either system or data
integrity
• Masquerade: an attempt by an unauthorized
user to gain access to a system by posing as an
authorized user
• Falsification: altering or replacing of valid data
or the introduction of false data
• Repudiation: denial of sending, receiving or
possessing the data.
Threat Consequences
Usurpation is a threat to system integrity.
• Misappropriation: e.g., theft of service, distributed denial of service attack
• Misuse: security functions can be disabled or thwarted
Threat Consequences
Disruption is a threat to availability or system
integrity
• Incapacitation: a result of physical destruction
of or damage to system hardware
• Corruption: system resources or services
function in an unintended manner;
unauthorized modification
• Obstruction: e.g. overload the system or
interfere with communications
Scope of Computer Security

Computer and Network Assets

Hardware
– Availability: Equipment is stolen or disabled, thus denying service.
– Confidentiality: An unencrypted CD-ROM or DVD is stolen.
– Integrity: Jamming

Software
– Availability: Programs are deleted, denying access to users.
– Confidentiality: An unauthorized copy of software is made.
– Integrity: A working program is modified, either to cause it to fail during execution or to cause it to do some unintended task.

Data
– Availability: Files are deleted, denying access to users.
– Confidentiality: An unauthorized read of data is performed. An analysis of statistical data reveals underlying data.
– Integrity: Existing files are modified or new files are fabricated.

Communication Lines and Networks
– Availability: Messages are destroyed or deleted. Communication lines or networks are rendered unavailable.
– Confidentiality: Messages are read. The traffic pattern of messages is observed.
– Integrity: Messages are modified, delayed, reordered, or duplicated. False messages are fabricated.
Passive and Active Attacks
• Passive attacks attempt to learn or make use of information from the system but do not affect system resources
  • eavesdropping/monitoring transmissions
  • difficult to detect
  • emphasis is on prevention rather than detection
  • two types:
    – message contents
    – traffic analysis

• Active attacks involve modification of the data stream
  • goal is to detect them and then recover
  • categories:
    – masquerade
    – replay
    – modification of messages
    – denial of service
Security Functional Requirements

computer security technical measures
• access control
• identification & authentication
• system & communication protection
• system & information integrity

management controls and procedures
• awareness & training
• audit & accountability
• certification, accreditation, & security assessments
• contingency planning
• maintenance
• physical & environmental protection
• planning
• personnel security
• risk assessment
• systems & services acquisition

overlap of computer security technical measures and management controls
• configuration management
• incident response
• media protection
Authentication Service
• assuring a communication is from the source that it claims to be from
  – interference by a third party masquerading as one of the two legitimate parties
• Data Origin Authentication
  – corroboration of the source of a data unit
  – supports applications where there are no prior interactions
• Peer Entity Authentication
  – corroboration of the identity of a peer entity
  – confidence that an entity is not performing
    • a masquerade or
    • an unauthorized replay
Access Control Service
• limit and control the access to host systems and applications
• each entity trying to gain access must first be identified, or authenticated

Nonrepudiation Service
• prevents either sender or receiver from denying a transmitted message
Data Confidentiality Service
• protection of transmitted data from passive attacks
  – connection confidentiality
  – connectionless confidentiality
  – selective-field confidentiality
  – traffic-flow confidentiality
• protects user data transmitted over a period of time
Data Integrity Service
• can apply to a stream of messages, a single message, or selected fields within a message
• connection-oriented integrity service
  – assures that messages are received as sent
    • no duplication, insertion, modification, reordering, or replays
• connectionless integrity service
  – provides protection against message modification only
• with and without recovery
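The connection-oriented and connectionless integrity services above, and the active-attack categories (replay, modification of messages) they are meant to detect, are easier to see in working code. The following is an added example, not code from the slides or from Lawrie Brown's material: a sender protects each message with a sequence number and an HMAC-SHA256 tag, and a receiver classifies what arrives as ok, modified, replayed or reordered. The key, message payloads and the `IntegrityReceiver` / `protect` names are constructed for the demonstration.

```python
import hashlib
import hmac
import struct

# Constructed shared key for the demonstration only; a real deployment derives it
# from a key-establishment protocol and never hard-codes it.
DEMO_KEY = b"constructed-demo-key-not-for-production"

TAG_LEN = hashlib.sha256().digest_size  # 32 bytes
SEQ_LEN = 4                              # 32-bit big-endian sequence number


def protect(seq: int, payload: bytes, key: bytes = DEMO_KEY) -> bytes:
    """Sender side: seq || payload || HMAC-SHA256(key, seq || payload).

    The sequence number is covered by the tag, so a captured valid message
    cannot simply be renumbered to slip it past the replay check.
    """
    header = struct.pack(">I", seq)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


class IntegrityReceiver:
    """Receiver side of the integrity service, without recovery.

    connection_oriented=True  -> detects modification, replay/duplication and
                                 reordering (the connection-oriented service).
    connection_oriented=False -> detects modification only (the
                                 connectionless service).
    """

    def __init__(self, key: bytes = DEMO_KEY, connection_oriented: bool = True):
        self.key = key
        self.connection_oriented = connection_oriented
        self.expected_seq = 0  # next sequence number we are willing to accept

    def verify(self, msg: bytes):
        """Return (status, payload); payload is None unless status == 'ok'."""
        if len(msg) < SEQ_LEN + TAG_LEN:
            return "modified", None  # truncated: cannot even hold header and tag
        header = msg[:SEQ_LEN]
        payload = msg[SEQ_LEN:-TAG_LEN]
        tag = msg[-TAG_LEN:]

        expected_tag = hmac.new(self.key, header + payload, hashlib.sha256).digest()
        # compare_digest runs in constant time, so verification does not leak
        # how many bytes of a forged tag happened to be right.
        if not hmac.compare_digest(tag, expected_tag):
            return "modified", None

        if not self.connection_oriented:
            return "ok", payload  # connectionless: no ordering state to check

        (seq,) = struct.unpack(">I", header)
        if seq < self.expected_seq:
            return "replayed", None   # already accepted once: duplicate or replay
        if seq > self.expected_seq:
            return "reordered", None  # a gap: out-of-order delivery or a dropped message
        self.expected_seq += 1
        return "ok", payload


def run_demo():
    """Feed the receiver a legitimate stream plus three constructed attack cases."""
    receiver = IntegrityReceiver()
    m0 = protect(0, b"transfer 100")
    m1 = protect(1, b"transfer 200")
    m2 = protect(2, b"transfer 300")

    tampered = bytearray(m1)
    tampered[SEQ_LEN + 9] ^= 0x01  # flips '2' -> '3' in "transfer 200"; tag no longer matches

    return [
        receiver.verify(m0)[0],               # ok
        receiver.verify(m0)[0],               # replayed (same message delivered again)
        receiver.verify(bytes(tampered))[0],  # modified
        receiver.verify(m2)[0],               # reordered (m1 has not arrived yet)
        receiver.verify(m1)[0],               # ok
        receiver.verify(m2)[0],               # ok (now in order)
    ]


if __name__ == "__main__":
    print(run_demo())
```

The receiver is "without recovery": it only reports the failure class, which is what the detect step needs; a recovering variant would additionally buffer out-of-order messages or request retransmission. Note that the connectionless receiver accepts the same message twice, which is exactly the gap the slide describes between the two services.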
Availability Service
• a service that protects a system to ensure its availability
  – being accessible and usable upon demand by an authorized system entity
• a variety of attacks can result in the loss of or reduction in availability
• some of these attacks are amenable to authentication and encryption
• some attacks require a physical action to prevent or recover from loss of availability
• depends on proper management and control of system resources
Security Implementation
• complementary courses of action:
  – prevention
  – detection
  – response
  – recovery
Security Mechanism
• Feature designed to
– Prevent attackers from violating security policy
– Detect attackers’ violation of security policy
– Response to mitigate attack
– Recover, continue to function correctly even if attack
succeeds

• No single mechanism that will support all services


– Authentication, authorization, availability,
confidentiality, integrity, non-repudiation
Fundamental Security Design Principles
• Economy of mechanism
• Fail-safe defaults
• Complete mediation
• Open design
• Separation of privilege
• Least privilege
• Least common mechanism
• Psychological acceptability
• Isolation
• Encapsulation
• Modularity
• Layering
• Least astonishment
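Four of these principles (fail-safe defaults, complete mediation, least privilege, separation of privilege) describe how an access-control mechanism should be shaped, and a small reference monitor shows what each one costs and buys in code. This is an added example, not code from the slides or from Lawrie Brown's material; the `ReferenceMonitor` class, its methods and the subject, object and action names are constructed for the demonstration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Grant:
    """Least privilege: one subject, one object, one action per grant.

    A read grant never implies write or delete; each must be granted separately."""
    subject: str
    obj: str
    action: str


class ReferenceMonitor:
    """Constructed reference monitor; every access decision goes through check()."""

    def __init__(self):
        self._grants = set()        # explicit Grant objects; nothing else is allowed
        self._dual_control = set()  # (obj, action) pairs that need two approvers
        self._approvals = {}        # Grant -> set of approvers recorded so far
        self.audit_log = []         # (subject, obj, action, decision) for every check

    def grant(self, subject: str, obj: str, action: str) -> None:
        self._grants.add(Grant(subject, obj, action))

    def revoke(self, subject: str, obj: str, action: str) -> None:
        # Because decisions are never cached, revocation takes effect on the very
        # next check(); that is the practical payoff of complete mediation.
        self._grants.discard(Grant(subject, obj, action))

    def require_dual_control(self, obj: str, action: str) -> None:
        """Separation of privilege: this (obj, action) needs two independent approvers."""
        self._dual_control.add((obj, action))

    def approve(self, approver: str, subject: str, obj: str, action: str) -> bool:
        """Record an approval; self-approval is rejected so two distinct principals are needed."""
        if approver == subject:
            return False
        self._approvals.setdefault(Grant(subject, obj, action), set()).add(approver)
        return True

    def check(self, subject: str, obj: str, action: str) -> bool:
        """Complete mediation: invoked on every access, never bypassed, always logged."""
        decision = self._decide(subject, obj, action)
        self.audit_log.append((subject, obj, action, decision))
        return decision

    def _decide(self, subject: str, obj: str, action: str) -> bool:
        request = Grant(subject, obj, action)
        # Fail-safe default: anything not explicitly granted is denied, including
        # unknown subjects, misspelled object names and unanticipated actions.
        if request not in self._grants:
            return False
        # Separation of privilege: a sensitive action also needs two approvers.
        if (obj, action) in self._dual_control:
            return len(self._approvals.get(request, set())) >= 2
        return True


def access(rm: ReferenceMonitor, subject: str, obj: str, action: str) -> str:
    """The only code path that touches an object; it always asks the monitor first."""
    if not rm.check(subject, obj, action):
        raise PermissionError(f"{subject} may not {action} {obj}")
    return f"{subject} performed {action} on {obj}"


if __name__ == "__main__":
    rm = ReferenceMonitor()
    rm.grant("alice", "payroll.db", "read")
    rm.grant("alice", "payroll.db", "delete")
    rm.require_dual_control("payroll.db", "delete")
    print(access(rm, "alice", "payroll.db", "read"))     # allowed by an explicit grant
    print(rm.check("alice", "payroll.db", "delete"))      # False until two approvals exist
    rm.approve("bob", "alice", "payroll.db", "delete")
    rm.approve("carol", "alice", "payroll.db", "delete")
    print(access(rm, "alice", "payroll.db", "delete"))   # now allowed
    print(rm.audit_log)
```

The audit log is what turns complete mediation into something an operator can verify: because no access path skips `check()`, the log is a complete record of decisions, including the denials that a fail-safe default produces for requests nobody anticipated.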
Attack Surfaces
Consist of the reachable and exploitable vulnerabilities in a system

Examples:
• Open ports on outward facing Web and other servers, and code listening on those ports
• Services available on the inside of a firewall
• Code that processes incoming data, email, XML, office documents, and industry-specific custom data exchange formats
• Interfaces, SQL, and Web forms
• An employee with access to sensitive information vulnerable to a social engineering attack
Attack Surface Categories

Network Attack Surface
– Vulnerabilities over an enterprise network, wide-area network, or the Internet
– Included in this category are network protocol vulnerabilities, such as those used for a denial-of-service attack, disruption of communications links, and various forms of intruder attacks

Software Attack Surface
– Vulnerabilities in application, utility, or operating system code
– Particular focus is Web server software

Human Attack Surface
– Vulnerabilities created by personnel or outsiders, such as social engineering, human error, and trusted insiders
Security Technologies Used

Types of Attacks Experienced

Defense in Depth and Attack Surface

Layering versus Attack Surface:
• Shallow layering, small attack surface: Medium Security Risk
• Shallow layering, large attack surface: High Security Risk
• Deep layering, small attack surface: Low Security Risk
• Deep layering, large attack surface: Medium Security Risk
Computer Security Strategy

• Specification & policy: what is the security scheme supposed to do?
• Implementation & mechanisms: how does it do it?
• Correctness & assurance: does it really work?
Computer Security Strategy
Security Policy
• formal statement of rules and practices that
specify or regulate security services
• factors to consider:
– value of the protected assets
– vulnerabilities of the system
– potential threats and the likelihood of attacks
• trade-offs to consider:
– ease of use versus security
– cost of security versus cost of failure and recovery
Assurance and Evaluation
• assurance
– the degree of confidence one has that the security
measures work as intended
– both system design and implementation

• evaluation
– process of examining a system with respect to
certain criteria
– involves testing and formal analytic or
mathematical techniques
Security Trends

www.cert.org (Computer Emergency Readiness Team)


Early Hacking – Phreaking
• In 1957, a blind seven-year-old, Joe Engressia (Joybubbles), discovered a whistling tone that resets trunk lines
  – Blow into receiver – free phone calls

Cap’n Crunch cereal prize: giveaway whistle produces 2600 MHz tone
The Seventies
• John Draper
  – a.k.a. Captain Crunch
  – “If I do what I do, it is only to explore a system”
• In 1971, built Bluebox
  – with Steve Jobs and Steve Wozniak
The Eighties
• Robert Morris worm - 1988
– Developed to measure the size of the Internet
• However, a computer could be infected multiple times
– Brought down a large fraction of the Internet
• ~ 6K computers

– Academic interest in network security


The Nineties
• Kevin Mitnick
– First hacker on FBI’s Most Wanted list
– Hacked into many networks
• including FBI
– Stole intellectual property
• including 20K credit card numbers
– In 1995, caught 2nd time
• served five years in prison

Code-Red Worm
• On July 19, 2001, more than 359,000 computers connected to the
Internet were infected in less than 14 hours

• Spread

Sapphire Worm
• was the fastest computer worm in history
– doubled in size every 8.5 seconds
– infected more than 90 percent of vulnerable hosts
within 10 minutes.

DoS attack on SCO
• On Dec 11, 2003
  – Attack on web and FTP servers of SCO
    • a software company focusing on UNIX systems
  – SYN flood of 50K packets per second
  – SCO responded to more than 700 million attack packets over 32 hours
Witty Worm
• 25 March 2004
– reached its peak activity after approximately 45
minutes
– at which point the majority of vulnerable hosts
had been infected
• World
• USA

Nyxem Email Virus
• Jan 15, 2006: infected about 1M computers within two weeks
  – At least 45K of the infected computers were also compromised by other forms of spyware or botware

• Spread
Sipscan Botnet
• a botnet-orchestrated stealth scan of the entire IPv4 address space
• 31 Jan–12 Feb 2011

• probing