Week 1 – Part 2
Deakin University CRICOS Provider Code: 00113B
SIT182 – Real World Practices For Cyber Security
Trimester 2 – 2021
Deakin College
Week 1 – Part 2
Deakin University CRICOS Provider Code: 00113B
Understanding
“Cybersecurity”
Deakin University CRICOS Provider Code: 00113B
What makes Cybersecurity a distinct subject?
3
What makes a problem a `computer security’ problem?
“Properties of a computer system must be maintained despite a resourced
strategic adversary”
As compared with:
• Safety,
• Robustness,
• Program Correctness
Deakin University CRICOS Provider Code: 00113B
What is Cybersecurity?
4
• Cybersecurity is the body of technologies, processes and practices designed to prevent,
detect, and recover networks, computers, programs and data from attack, damage or
unauthorized access.
No single solution exists for protecting assets against all possible threats.
→ Key concepts: Security Policy, Threat Model, Assumptions
Deakin University CRICOS Provider Code: 00113B
The Security Policy
5
– A high level description of the Principals (subjects), Assets (objects) and Security Properties that must
hold in the system.
– Usually requires the requirements & high-level architecture of the system to be somewhat defined.
Terminologies:
➢ Principals: people, computer programs, (entities with some
legitimate authority, may not contain the adversary).
➢ Assets: anything with value that needs to be protected.
➢ Security Properties: usually defined in relation to Principals
+ Assets.
Deakin University CRICOS Provider Code: 00113B
Security Properties
6
• Traditional properties – (The CIA Triad)
– Confidentiality – Concealment of information or resources.
(eg. The adversary should not be able to read my emails)
– Integrity – Trustworthiness of data or resources (provenance).
(eg. The adversary should not be able to change my bank balance)
– Availability – Ability to use information or resource by “authorized” parties
only.
(eg. The adversary should not prevent me accessing this news website)
• Other:
– Authenticity – Mechanisms to establish identity.
– Non-repudiation – Non-deniability of actions.
https://www.thesecurityawarenesscompany.com/2015/05/14/the-cia-triad/
Deakin University CRICOS Provider Code: 00113B
Where do Security Policies come from?
7
• Factors in formulating security policy:
– Security Engineering,
– Business,
– Risk Management,
– Legal and Compliance.
• Must be revised as the above change.
Image from https://www.shutterstock.com/image-illustration/security-policy-word-tag-cloud-on-195043955
Deakin University CRICOS Provider Code: 00113B
The Adversary – Who are they?
8
Some examples:
• Script kiddies : lacks knowledge necessary to attack on their own. Use automated software,
purchases `exploit kit’.
• Brokers : excellent computer skills, sell their knowledge of a vulnerability to other attackers or
governments.
• Insiders : An organization’s own employees, contractors, and business partners. In 2018, most
of the data breaches were reported to be related to Insiders.
• Cyberterrorists : Ideologically motivated, unpredictable, Attack to incite panic.
• Hacktivists: Ideologically motivated, targets specific websites.
• State-sponsored : “cyberwar”, governments attacking their own citizen or foreign
governments.
Possibly many motives: fame, money, commercial advantage, military advantage, political …
Deakin University CRICOS Provider Code: 00113B
The Adversary – “Resourced strategic adversary”
9
• Key concept: “Threat Model”:
“What are the resources available to the adversary?”
• Adversary resources and capabilities:
E.g. parts of the system that can be observed, parts of the system that
can be influenced / modified, entities that they can corrupt to extract
secrets or act on behalf of the adversary.
• Strategic:
The adversary will choose to commit resources optimally to violate the
security properties.
Image from https://www.csoonline.com/article/3257672/us-cybersecurity-threat-
risk-remains-high-no-signs-of-lessening.html
Deakin University CRICOS Provider Code: 00113B
Threat vs. Threat Model
10
• Threat: “What bad thing can happen”, “What the adversary wants to achieve, or how”.
– End goal or means of attack.
– E.g. Threat: the adversary steals the password, the adversary steals some money, the adversary
disrupts a service.
• Threat model: “An adversary capability”
– Technical term (usage from cryptography)
– E.g. The adversary can eavesdrop on traffic, the adversary controls a server and can make it act
arbitrarily.
Deakin University CRICOS Provider Code: 00113B
Example 1: The State Level Adversary
11
• What is the security policy?
– What is the system under attack?
– Who are the principals?
– What are their assets?
– What are the security properties they try to maintain?
• What is the threat model?
Deakin University CRICOS Provider Code: 00113B
Example 2: The Teenage Adversary
12
• What is the security policy?
– System, Principals, Assets, Security Properties
• What is the threat model?
Deakin University CRICOS Provider Code: 00113B
Reflection ..
13
• Consider the security policies and threat models of the two previous examples.
– “The State Level Adversary”, where a national telecommunication carrier tries to
prevent a national security agency from eavesdropping on customer calls.
– “The Teenage Adversary”, where the education authorities are trying to
prevent teenagers accessing Facebook from a device given to them.
• Which of the two security systems is most likely to preserve its security policy?
(And why?)
Deakin University CRICOS Provider Code: 00113B
Why is Cybersecurity hard?
14
• Attacker: needs to find one way to violate one security property.
– Given the resources in the threat model.
– Any one: “lowest hanging fruit”.
• Defender: needs to ensure that no adversary strategy can violate the security policy.
– Much harder job!
Thinking through all possible threat scenarios is difficult
Security often comes with a price, requiring trade-offs
Security ultimately is about risk management
Future-proofing, uniform security policy
Usability, efficacy, security is expensive
How much you are willing to invest?,
Continuous reassessment
Deakin University CRICOS Provider Code: 00113B
Why is Cybersecurity hard?
15
Deakin University CRICOS Provider Code: 00113B
Why is Cybersecurity hard?
16
We will see many cybersecurity cases in the following lectures, where the level of `stupidity’ may be even worse ☺ !!
Assumptions, Assumptions, Assumptions …
Deakin University CRICOS Provider Code: 00113B
Why is Cybersecurity hard?
17
Cybersecurity is multi-layered. It involves a range of different (in many cases) conflicting requirements.
Deakin University CRICOS Provider Code: 00113B
When is a system `Secure’?
18
A system is “secure” if an adversary constrained by a specific threat model cannot
violate the security policy.
– Question: Can a system be “more secure” than another?
“Is this systems secure?” – meaningless question unless …
• Useless threat model: “The adversary can see all traffic, steal all user devices, past
and future, and control all third parties. The adversary is a quasi-supernatural.” –
No room for a security argument.
• Useful Threat Model: “The adversary can observe all network traffic, but does not
control the mail server”.
Deakin University CRICOS Provider Code: 00113B
Security Mechanisms
19
• “Security Mechanism” / (“Controls”)
– A Technical mechanism used to ensure that the security policy is not violated by an adversary within
the threat model.
• “Security Argument”
– A rigorous argument that the security mechanisms are indeed effective in maintaining the
security policy (verbal or mathematical).
– Subject to the assumptions of the threat model.
• These mechanisms are the essence of the technical side of computer security.
– We get to know about some of the Security Mechanisms in this unit.
Deakin University CRICOS Provider Code: 00113B
Security Mechanisms
20
• They are not made of magic pixie dust – you can design them.
• A combination of
– Software (programs), Hardware, Maths (cryptography).
– Distributed systems, people & procedures.
• Example:
– Policy: ensure the log of transactions is not tampered with by a single employee.
– Mechanism: keep a copy of the log on multiple computers, such that no single
employee has access to all of them.
(One more step: what if the logs also need to be secret from any one employee?)
Deakin University CRICOS Provider Code: 00113B
A Systematic approach to engineering secure systems
21
1) High-level specification:
– Define the architecture of the system! (high level block diagram)
– Define the security policy (principals, assets, security properties)
– Define the threat model
2) Security design:
– Define / Design security mechanisms / controls
– State your security argument: which controls maintain which
properties?
3) Secure implementation:
– Implement mechanisms
– Ensure they conform to the design model
– Security testing
Deakin University CRICOS Provider Code: 00113B
Failure
22
• Failure in specification
• Failure in design,
• Failure in implementation.
(see how it maps to previous slide ☺?)
Deakin University CRICOS Provider Code: 00113B
A few key principles
when designing
protection
mechanisms
Deakin University CRICOS Provider Code: 00113B
Least Privilege
24
Every “module” (such as a process, a user or a program) should be able to access only
such information and resources that are necessary to its legitimate purpose.
Examples:
• (Integrity) DB program, can only write the DB.
• (Privacy) Data minimization principle.
Image from https://en.wikipedia.org/wiki/Principle_of_least_privilege#/media/File:Priv_rings.svg
privilege rings for the Intel x86
https://en.wikipedia.org/wiki/Intel_x86
Deakin University CRICOS Provider Code: 00113B
Separation of Privileges
25
The principle of separation of privilege states that a system should not grant permission
based upon a single condition.
• E.g. Company checks for over $75,000 must be signed by two officers of the company. If either does
not sign, the check is not valid. The two conditions are the signatures of both officers.
• Downside?
– Availability.
– Complexity of orchestration.
Deakin University CRICOS Provider Code: 00113B
Least Common Mechanism
26
Mechanisms used to access resources should not be shared.
– Restrictive principle!
– If everybody depends on it, failure will have a higher impact.
– One user can do a DOS attack.
– Shared service [or resource such as CPU cache] can provide side channels.
– A mechanism serving all users must be designed to the satisfaction of every user, harder than
satisfying more specialized requirements
Deakin University CRICOS Provider Code: 00113B
Psychological Acceptability
27
• “It is essential that the human interface be designed for ease of use, so that users routinely and
automatically apply the protection mechanisms correctly” [SS75]
• Mental model of the (honest) users must match security policy and security mechanisms.
• Cultural acceptability:
– (Authentication) Photographs that must uncover faces.
– (Safety) Register of everyone who sleeps in a dorm.
Deakin University CRICOS Provider Code: 00113B
Fail-safe Defaults
28
Unless a subject is given explicit access to an object, it should be denied access to that object
(default DENY)
• Base access decisions on permission rather than exclusion:
• A conservative design must be based on arguments why objects should be
accessible, rather than why they should not.
Deakin University CRICOS Provider Code: 00113B
Open Design Principle
29
The principle of open design states that the security of a mechanism should not depend on
the secrecy of its design or implementation.
• “Security through obscurity” is not a good
principle.
• This principles does not apply to information such
as passwords or cryptographic keys (these are
data and not algorithms).
• Only very specific passwords / keys should be
assumed secret. (Kerckhoffs’ principle from
1883) Image from https://www.codepunker.com/smile/security-through-obscurity
Deakin University CRICOS Provider Code: 00113B
Composition of Security Mechanisms
• Big security systems are build from smaller ones:
– “Composition” of secure systems
– It is not always secure to compose two secure systems.
– Two models for composition of secure systems:
Weakest link: if any sub-system is broken the security policy is
violated.
Bruce Schneier: “security is only as strong as the weakest link.”
Defense in depth (military): if any sub-system
remains secure, the security policy is enforced.
Deakin University CRICOS Provider Code: 00113B
Example of Defence-in-depth (multi-layer)
Image from: https://www.nist.gov/itl/applied-cybersecurity/tig/back-basics-multi-factor-authentication
Deakin University CRICOS Provider Code: 00113B
Example of Weakest link
Image from: https://www.netpresenter.com/blog/cybersecurity-human-firewall/
Human are the weakest link in
cybersecurity.
Social Engineering, …
Deakin University CRICOS Provider Code: 00113B
Assume the worst (or `Average’ case)
• How to measure the degree of protection afforded by a security system:
– In general: Important open question!
• On the basis of the worse case:
– Take the inputs from both the honest users, and the adversary that produces the worse
outcomes (in terms of violating the security policy).
• On the basis of the average case:
– Given the actions of a “typical” / “average” user, and the worse actions of an adversary measure
the outcome.
Deakin University CRICOS Provider Code: 00113B
Pros and Cons
• “Worse case” security measure:
– Makes no assumptions on the user behaviour within the security policy.
– Strong guarantee
– Pessimistic – low performance.
– Examples: Cryptographic primitives
• “Average case” security measures:
– What is a typical user?
– Difficult to second guess which actions are more important to protect within the security
policy.
– More fragile.
– Examples: data anonymization, network anonymization.
Deakin University CRICOS Provider Code: 00113B
References
• Chapter 1 and 13 – Introduction To Computer Security [Matt Bishop].
• Chapter 1 – M. Ciampa, “Security Awareness Applying Practical Security In Your World”, Fifth Edition, Cengage
Learning, 2016.
Deakin University CRICOS Provider Code: 00113B
Acknowledgement
Acknowledging the kind support and contribution of:
Dr Arash Shaghaghi (Deakin University, Australia), Prof. Chang-Tsun Li (Deakin University, Australia), Prof. Sanjay
Jha (The University of New South Wales, Australia), Dr. Nicolas Courtois (University College London, UK), Dr George
Danezis (University College London, UK), and Dr Michael March (University of Maryland, USA).