An Overview of Information Security

Published on July 2016 | Categories: Documents | Downloads: 47 | Comments: 0 | Views: 247

Week 1

Computer Security
• Computational data is in one of three states at any
given time:
– Stored (at rest)
– Processed (in use)
– In transmission (in transit)

• Hence, computer security involves
– Data security
– Program security
– Network security
2

Security Principles
The CIA principles
• Confidentiality
– Secrecy of data
• Integrity
– Data have not been changed improperly, whether by
accident or deliberately
• Availability
– Data should be available to authorized entities at all
times.

3

Confidentiality
• Concealment of data, of the resources that hold it,
and/or of the very existence of the data.
– Data concealment can be achieved with cryptography.
– Resources are protected by restricting access to them,
for example with firewalls or network address
translation, which hides internal hosts from outside.
– The existence of data can be concealed by access
control mechanisms (a user is not even told that a
file exists).

• Relies on the military's "need to know" principle.
4

Integrity
• Trustworthiness of data or resources, maintained by
preventing improper or unauthorized change.
• Integrity includes
– Data integrity (the content of information)
– Origin integrity (also called authentication)

• A newspaper prints information leaked from the
White House, but it turns out to have come from the
wrong source. The printed information preserves data
integrity (it is printed exactly as received) but
violates origin integrity (the source is not what it is
claimed to be).
5

Integrity
• Integrity mechanisms fall into two classes
– Prevention mechanisms, such as access controls, block
unauthorized modification of data. They must cover
two distinct cases:
• an unauthorized user attempts to change data
• an authorized user attempts to change data in ways
she is not authorized to (e.g. a clerk allowed to post
transactions alters the audit log)

– Detection mechanisms do not try to stop the change;
they report that the data's integrity is no longer
trustworthy, for the case where prevention has failed.
6

Integrity
• Example:
– An interrupted database transaction that leaves the
database in an inconsistent state violates the integrity
of the data.

• Controls that protect integrity include the principles of
least privilege, separation of duties, and rotation of duties.
– The Clark-Wilson model brings these controls together to
provide integrity.

• Cryptographic tools can detect violations of integrity,
but they cannot prevent them.
– A digital signature (or a keyed MAC) lets the receiver
determine whether the data has changed since it was
signed.

7

Availability
• The ability to use the information or resource
desired.
• Defined in terms of "quality of service": authorized
users are expected to receive a specific level of
service, stated in terms of a metric (for example,
response time or throughput).
• System designs assume a statistical model of the
expected patterns of use, and availability mechanisms
work as long as that model holds; an attacker who
breaks the model (e.g. with a flood of requests)
defeats them.
• Denial of service (DoS) attacks are attempts to
block availability.
8

Availability
• Example:
– Ann compromises a bank's secondary server, which
supplies account balances. When an inquiry reaches
this secondary server, Ann can return whatever
balance she wants. Merchants normally validate checks
by contacting the bank's primary balance server, but
when the connection to the primary server is blocked,
all merchant queries go to the secondary server, so a
check from Ann is never turned down, regardless of
her actual balance. The attack works by denying the
availability of the primary server in order to force
the fallback.
– If the bank had only the primary server, this scheme
would not work: the merchant would simply be unable
to validate checks.

9

Threats
• A threat is a potential violation of security.
• The violation need not actually occur for there
to be a threat.
• The possibility that a violation might occur
means that we should guard against those
actions that could cause it. These actions are
called attacks.

10

Classes of Threats
• Disclosure
– Snooping

• Deception
– Modification, spoofing (masquerading),
repudiation of origin, denial of receipt

• Disruption
– Modification (alteration)

• Usurpation
– Modification, spoofing, delay, denial of service

Classes of Threats
• Disclosure
– Snooping: unauthorized interception of
data.
• Ex: passive wiretapping, where the attacker
monitors communications.

12

Classes of Threats
• Deception
– Modification (alteration): Ex: active wiretapping,
where the attacker injects something into a
communication or modifies parts of the
communication.
– Spoofing (masquerading): an impersonation of
one entity by another.
• Delegation, in which one entity is authorized to act
on behalf of another, is the legitimate counterpart of
spoofing: the delegate does not hide who it is.

– Repudiation of origin: A false denial that an
entity sent or created something.
– Denial of receipt: A false denial that an entity
received data.
13

Classes of Threats
• Disruption
– Modification

• Usurpation
– Modification
– Spoofing
– Delay: A temporary inhibition of service.
– Denial of service: A long-term inhibition of
service.
14

Security Attacks
• Passive attacks
– Listen only; no modification of data
– Little or no direct harm to the system
– Countered by encrypting the data, which hides the
content (though not the traffic pattern)
– Harder to detect, since the attacker leaves no trace in
the data

• Active attacks
– Modify data
– More harm to the system
– Easier to detect (often only after it is too late!) than
to prevent
15

Confidentiality Attacks
• Traffic analysis
– Intercept communication to observe the ongoing
traffic pattern
– Still works even if the messages are encrypted
– Yields frequency, timing, and length of messages
– Prevention: traffic padding (fixed-size, fixed-rate
messages)

• Snooping
– Intercept communication to exploit the content
– Prevention: Encrypt data

• Both are passive attacks
16

Integrity Attacks
• Modification
– Modify, delete, or delay a message
– Active attack
– Detection: a keyed hash (MAC) or digital signature.
An unkeyed hash "fingerprint" on its own is not
enough, because the attacker can simply recompute
it over the altered message.

• Replay
– Intercept a message and send it again at a later
time
– Active attack
– Prevention: timestamps with a freshness window,
combined with nonces or sequence numbers so that
duplicates inside the window are also rejected
17
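The two integrity attacks above, worked through in code. This is an added example and not part of the original slides: it shows why the slide's plain hash "fingerprint" fails against an active attacker while an HMAC does not, and it implements replay rejection with a timestamp window plus a nonce cache (a timestamp alone would still let a message be replayed inside the window). The shared key, the packet layout (timestamp | nonce | body | tag) and the sample message are all constructed for the example.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Constructed shared secret for the example; in practice it comes from a key exchange.
KEY = b"constructed-shared-key-32-bytes!"
TAG_LEN = 32  # SHA-256 output length


def unkeyed_tag(msg: bytes) -> bytes:
    """The slide's 'hash (fingerprint)': anyone, including the attacker, can recompute it."""
    return hashlib.sha256(msg).digest()


def keyed_tag(key: bytes, msg: bytes) -> bytes:
    """HMAC-SHA256: cannot be recomputed without the key."""
    return hmac.new(key, msg, hashlib.sha256).digest()


def verify_unkeyed(msg: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(unkeyed_tag(msg), tag)


def verify_keyed(key: bytes, msg: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(keyed_tag(key, msg), tag)


def attacker_modifies(msg: bytes, tag: bytes) -> Tuple[bytes, bytes]:
    """Active wiretapper: alters the amount and recomputes the unkeyed hash to match.
    Returns the forged message and the tag the attacker forwards with it."""
    forged = msg.replace(b"100", b"900")
    return forged, unkeyed_tag(forged)


# --- Replay protection: timestamp freshness window plus nonce cache ---

def build_packet(key: bytes, body: bytes, now: int, nonce: Optional[bytes] = None) -> bytes:
    """Layout: 8-byte big-endian timestamp | 16-byte nonce | body | 32-byte HMAC.
    The tag covers the timestamp and nonce, so the attacker cannot refresh them."""
    header = int(now).to_bytes(8, "big") + (nonce or secrets.token_bytes(16))
    return header + body + keyed_tag(key, header + body)


class Receiver:
    def __init__(self, key: bytes, window: int = 30):
        self.key = key
        self.window = window                  # seconds of skew/transit delay tolerated
        self.seen: Dict[bytes, int] = {}      # nonce -> timestamp, catches in-window replays

    def accept(self, packet: bytes, now: int) -> bool:
        if len(packet) < 8 + 16 + TAG_LEN:
            return False
        authed, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
        if not hmac.compare_digest(keyed_tag(self.key, authed), tag):
            return False                      # modified or forged
        ts = int.from_bytes(authed[:8], "big")
        nonce = authed[8:24]
        if abs(now - ts) > self.window:
            return False                      # stale: replayed outside the window
        # Forget nonces older than the window; anything that old is rejected by the check above.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= self.window}
        if nonce in self.seen:
            return False                      # replayed inside the window
        self.seen[nonce] = ts
        return True


if __name__ == "__main__":
    msg = b"transfer 100 to bob"
    forged, forged_tag = attacker_modifies(msg, unkeyed_tag(msg))
    print("unkeyed hash accepts forged message:", verify_unkeyed(forged, forged_tag))
    print("HMAC accepts forged message:", verify_keyed(KEY, forged, keyed_tag(KEY, msg)))
    r = Receiver(KEY)
    p = build_packet(KEY, msg, now=1000)
    print("first delivery:", r.accept(p, now=1005), "replay:", r.accept(p, now=1010))
```

The nonce cache is bounded by the window: entries older than the window are dropped, because any packet that old fails the timestamp check anyway. Receiver clocks therefore need to be roughly synchronised with senders; a window that is too tight rejects legitimate traffic, one that is too loose enlarges the cache.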

Availability Attacks
• Denial of Service
– Slow down or completely prevent a
communication, an entity, or a whole network
from providing service
– Active attack
– Mitigation: bound the resources any one source can
consume, e.g. an upper limit on the number of
messages held in a buffer, and a rate limit per source

18
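A small simulation of the mitigation above, added here as an example rather than taken from the slides. It goes slightly beyond the slide's single buffer limit by combining two controls: a per-source token bucket (each source may burst up to `burst` requests and then sustain `rate` per time unit) and a global bounded queue for the server (the slide's "upper limit for messages in buffer"). The traffic, the source names ("attacker", "client") and all the rate parameters are constructed for the example. The simulation also shows the caveat a practitioner cares about: the global cap alone punishes the legitimate client too, which is why the per-source limit sits in front of it.

```python
from collections import deque
from typing import Dict, List, Tuple


class TokenBucket:
    """Per-source limiter: up to `burst` requests at once, `rate` per time unit sustained."""

    def __init__(self, rate: float, burst: int):
        self.rate, self.burst = rate, burst
        self.tokens = float(burst)
        self.last = None  # time of the previous call; None until first request

    def allow(self, now: float) -> bool:
        if self.last is not None:
            self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class Server:
    """Admission control: per-source bucket first, then a bounded input queue."""

    def __init__(self, rate: float = 5.0, burst: int = 10,
                 max_pending: int = 8, service_rate: int = 5):
        self.rate, self.burst = rate, burst
        self.buckets: Dict[str, TokenBucket] = {}
        self.pending: deque = deque()          # requests waiting for service
        self.max_pending = max_pending         # the slide's buffer upper limit
        self.service_rate = service_rate       # requests served per time unit
        self.last_t = None
        self.stats: Dict[str, List[int]] = {}  # source -> [accepted, rejected]

    def _drain(self, now: float) -> None:
        """Serve the requests that the server could process since the last event."""
        if self.last_t is not None:
            for _ in range(int((now - self.last_t) * self.service_rate)):
                if self.pending:
                    self.pending.popleft()
        self.last_t = now

    def receive(self, now: float, source: str, payload: str) -> bool:
        """Events must arrive in non-decreasing time order."""
        self._drain(now)
        st = self.stats.setdefault(source, [0, 0])
        bucket = self.buckets.setdefault(source, TokenBucket(self.rate, self.burst))
        # A token is spent even if the queue then turns the request away; that is
        # deliberate, so a source cannot probe the queue for free.
        if bucket.allow(now) and len(self.pending) < self.max_pending:
            self.pending.append((source, payload))
            st[0] += 1
            return True
        st[1] += 1
        return False


def simulate() -> Dict[str, Tuple[int, int]]:
    """Constructed traffic: an attacker sends 50 requests at t=0 and 3 more at t=2;
    a legitimate client sends one request per time unit for t=0..9."""
    events = [(0, "attacker")] * 50 + [(2, "attacker")] * 3 + [(t, "client") for t in range(10)]
    events.sort(key=lambda e: e[0])  # stable sort: attacker bursts precede the client at equal times
    srv = Server()
    for t, src in events:
        srv.receive(t, src, "req")
    return {s: (acc, rej) for s, (acc, rej) in srv.stats.items()}


if __name__ == "__main__":
    for source, (accepted, rejected) in simulate().items():
        print(f"{source}: accepted={accepted} rejected={rejected}")
```

Of the attacker's 53 requests only 11 get through (10 allowed by the bucket at t=0, of which the queue takes 8, then 3 after the bucket refills), while the client loses exactly one request: the one at t=0 that arrived while the attacker's burst filled the shared queue. Lowering the per-source burst below the queue size would remove even that loss.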

Authenticity Attacks
• Masquerading (Spoofing)
– The attacker impersonates the sender, the receiver,
or both at once (man-in-the-middle attack)
– Active attack
– Prevention: a MAC (keyed hash) over each message,
under a key the attacker does not hold

19

Non-Repudiation Attacks
• Repudiation
– Falsely denying that a transmission took place
– Either the sender (repudiation of origin) or the
receiver (denial of receipt) may mount the attack
– Prevention: digital signature. A MAC is not enough,
because both parties hold the same key and either
of them could have produced the tag.

20
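Why the slide says a digital signature rather than a MAC, shown with a real (if impractical) signature scheme. This is an added example, not code from the slides: it implements a Lamport one-time signature over SHA-256 using only the Python standard library, so it runs offline. Verification needs only the public key, which is what gives non-repudiation: a third party can confirm that the holder of the private key signed exactly this message, and the signer cannot claim the receiver made it up, which is impossible with a shared-key MAC. The key pair, message and the one-time restriction are part of the scheme; the message text is constructed.

```python
import hashlib
import hmac
import secrets
from typing import List, Tuple

BITS = 256  # one secret pair per bit of the SHA-256 message digest


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def keygen() -> Tuple[List[Tuple[bytes, bytes]], List[Tuple[bytes, bytes]]]:
    """Private key: 256 pairs of random 32-byte secrets (one pair per digest bit).
    Public key: the SHA-256 hash of every secret. Publish pk, keep sk."""
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(BITS)]
    pk = [(H(a), H(b)) for a, b in sk]
    return sk, pk


def _digest_bits(msg: bytes) -> List[int]:
    d = int.from_bytes(H(msg), "big")
    return [(d >> i) & 1 for i in range(BITS)]


def sign(sk: List[Tuple[bytes, bytes]], msg: bytes) -> List[bytes]:
    """For each bit of H(msg), reveal the secret that corresponds to that bit value.
    ONE-TIME: signing a second message with the same key reveals secrets for both
    bit values at some positions, letting anyone forge signatures on other messages."""
    return [sk[i][bit] for i, bit in enumerate(_digest_bits(msg))]


def verify(pk: List[Tuple[bytes, bytes]], msg: bytes, sig: List[bytes]) -> bool:
    """Uses only the public key: anyone, including a judge, can check the signature.
    Every revealed secret must hash to the public value for the message's bit."""
    if len(sig) != BITS:
        return False
    bits = _digest_bits(msg)
    ok = True
    for i in range(BITS):  # check every position; do not short-circuit
        ok &= hmac.compare_digest(H(sig[i]), pk[i][bits[i]])
    return ok


if __name__ == "__main__":
    sk, pk = keygen()
    msg = b"I agree to pay 100"
    sig = sign(sk, msg)
    print("valid signature verifies:", verify(pk, msg, sig))
    print("same signature on altered message:", verify(pk, b"I agree to pay 900", sig))
```

Contrast with the MAC used against masquerading on the previous slide: there the receiver holds the same key as the sender, so the receiver can generate a valid tag for any message and a third party cannot tell which side produced it. Here the receiver holds only `pk`, which is useless for signing, so a valid signature is evidence that the holder of `sk` signed this exact message. Lamport keys are large and single-use; production systems use schemes such as ECDSA or Ed25519 for the same property.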

Policies and Mechanisms
• Policy says what is, and is not, allowed
– This defines “security” for the site, system, etc.
– Policy may be expressed in:
• natural language, imprecise but easy to
understand
• mathematics, precise but hard to understand
• policy languages, look like some form of
programming language and try to balance
precision with ease of understanding

21

Policies and Mechanisms
• Mechanism
– A method, tool, or procedure to enforce a security
policy.
– Mechanisms may be:
• technical, in which controls in the computer enforce
the policy; for example, the requirement that a user
supply a password to authenticate herself before
using the computer
• procedural, in which controls outside the system
enforce the policy; for example, firing someone for
bringing in a disk containing a game program
obtained from an untrusted source

• Composition of policies
– If policies conflict, discrepancies may create
security vulnerabilities

22

Goals of Security
• Prevention
– Prevent attackers from violating security policy

• Detection
– Detect attackers’ violation of security policy

• Recovery
– Stop attack, assess and repair damage
– Continue to function correctly even if attack
succeeds

23

Assurance
• Assurance is how much you can trust the system to do
what it is supposed to do. It does not say what the
system is to do; rather, it only covers how well the
system does it.
• Specification
– Requirements analysis
– Statement of desired functionality

• Design
– How system will meet specification

• Implementation
– Programs/systems that carry out design

24

Operational Issues
• Cost-Benefit Analysis
– Is it cheaper to prevent or recover?

• Risk Analysis
– Should we protect something?
– How much should we protect this thing?

• Laws and Customs
– Are desired security measures illegal?
– Will people do them?

25

Cost – Benefit Analysis Example
• A DB provides salary information to another system
that prints checks. If the data in the DB is altered, the
company would suffer significant financial loss; hence,
the cost-benefit analysis should suggest that the
strongest integrity mechanisms protect the data in
the DB.
• Another company has several branch offices, and each
day a copy of the data is sent to each branch office.
The branch offices use the copy to recommend salaries
for new employees, but the final decision is made by
the main office using the original DB. In this case,
guarding the integrity of the copies is not particularly
important, although the original DB still must be
protected.
26

Risk Analysis
• Risk is a function of environment.
• The risks change with time.
• Many risks are remote, but still exist.

27

Laws and Customs - Example
• Until the year 2000, the US controlled the
export of cryptographic hardware and software
(considered munitions under US law). If a US
company worked with a computer
manufacturer in London, the US company
could not simply send cryptographic software to
the manufacturer; it would first have to obtain
an export license. Any security policy that
depended on the London manufacturer's using
that cryptographic software would need to take
this into account.
28

Human Issues
• Organizational Problems
– Power and responsibility
– Financial benefits

• People problems
– Outsiders and insiders
– Social engineering

29

Bringing it all together ..
• The security lifecycle
Threats
Policy
Specification
Design
Implementation
Operation &
maintenance
30
