Computer Security: Principles and Practice, 1/e
Introduction to computer security: fundamentals
By
Dr. Imran Ullah Khan
Informatics, University of Sussex
Resources ref: Computer Security: Principles and Practice”, 4/e, GE, by William Stallings and Lawrie Brown, Chapter 1
1
Overview
Fundamental security design principles
Attack surfaces and attack trees
Attack surfaces
Attack trees
Computer security concepts
Definition
Challenges
Model
Threats, attacks, and assets
Threats and attacks
Threats and assets
Security functional requirements
Standards
2
The NIST Internal/Interagency Report NISTIR 7298 (Glossary of Key Information Security Terms , May 2013) defines the term computer security as follows:
“ Measures and controls that ensure confidentiality, integrity, and availability of information system
assets including hardware, software, firmware, and information being processed, stored, and communicated.”
3
4
Key Security Concepts
5
Confidentiality
Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information
Integrity
Guarding against improper information modification or destruction, including ensuring information nonrepudiation and authenticity
Availability
Ensuring timely and reliable access to and use of information
Levels of Impact
6
Low
The loss could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals
Moderate
The loss could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals
High
The loss could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals
Computer Security Challenges
7
1. Computer security is not as simple as it might first appear to the novice
2. In developing a particular security mechanism or algorithm, one must always consider potential attacks on those security features
3. Procedures used to provide particular services are often counterintuitive
4. Physical and logical placement needs to be determined
5. Security mechanisms typically involve more than a particular algorithm or protocol and also require that participants be in possession of some secret information which raises questions about the creation, distribution, and protection of that secret information
6. Attackers only need to find a single weakness, while the designer must find and eliminate all weaknesses to achieve perfect security
9. There is a natural tendency on the part of users and system managers to perceive little benefit from security investment until a security failure occurs
8. Security requires regular and constant monitoring
7. Security is still too often an afterthought to be incorporated into a system after the design is complete, rather than being an integral part of the design process
10. Many users and even security administrators view strong security as an impediment to efficient and user-friendly operation of an information system or use of information
Table 1.1
Computer Security Terminology, from RFC 2828, Internet Security Glossary, May 2000
Adversary (threat agent)
Individual, group, organization, or government that conducts or has the intent to conduct detrimental activities.
Attack
Any kind of malicious activity that attempts to collect, disrupt, deny, degrade, or destroy information system resources or the information itself.
Countermeasure
A device or techniques that has as its objective the impairment of the operational effectiveness of undesirable or adversarial activity, or the prevention of espionage, sabotage, theft, or unauthorized access to or use of sensitive information or information systems.
Risk
A measure of the extent to which an entity is threatened by a potential circumstance or event, and typically a function of 1) the adverse impacts that would arise if the circumstance or event occurs; and 2) the likelihood of occurrence.
Security Policy
A set of criteria for the provision of security services. It defines and constrains the activities of a data processing facility in order to maintain a condition of security for systems and data.
System Resource (Asset)
A major application, general support system, high impact program, physical plant, mission critical system, personnel, equipment, or a logically related group of systems.
Threat
Any circumstance or event with the potential to adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, or the Nation through an information system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service.
Vulnerability
Weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source.
(Table can be found on page 8 in the textbook)
8
9
Assets of a Computer System
10
Hardware
Software
Data
Communication facilities and networks
Vulnerabilities, Threats
and Attacks
Categories of vulnerabilities
Corrupted (loss of integrity)
Leaky (loss of confidentiality)
Unavailable or very slow (loss of availability)
Threats
Capable of exploiting vulnerabilities
Represent potential security harm to an asset
Attacks (threats carried out)
Passive – attempt to learn or make use of information from the system that does not affect system resources
Active – attempt to alter system resources or affect their operation
Insider – initiated by an entity inside the security parameter
Outsider – initiated from outside the perimeter
11
Countermeasures
12
Means used to deal with security attacks
Prevent
Detect
Recover
May itself introduce new vulnerabilities
Residual vulnerabilities may remain
Goal is to minimize residual level of risk to the assets
**Table is on page 10 in the textbook.
Table 1.2
Threat Consequences,
and the
Types of
Threat Actions
That Cause
Each
Consequence
Based on
RFC 4949
13
14
Table 1.3
Computer and Network Assets, with Examples of Threats
15
Passive and Active Attacks
Passive Attack
Active Attack
Attempts to learn or make use of information from the system but does not affect system resources
Eavesdropping on, or monitoring of, transmissions
Goal of attacker is to obtain information that is being transmitted
Two types:
Release of message contents
Traffic analysis
Attempts to alter system resources or affect their operation
Involve some modification of the data stream or the creation of a false stream
Four categories:
Replay
Masquerade
Modification of messages
Denial of service
16
Attack Surfaces
17
Consist of the reachable and exploitable vulnerabilities in a system
Examples:
Open ports on outward facing Web and other servers, and code listening on those ports
Services available on the inside of a firewall
Code that processes incoming data, email, XML, office documents, and industry-specific custom data exchange formats
Interfaces, SQL, and Web forms
An employee with access to sensitive information vulnerable to a social engineering attack
Attack Surface Categories
18
Network Attack Surface
Vulnerabilities over an enterprise network, wide-area network, or the Internet
Included in this category are network protocol vulnerabilities, such as those used for a denial-of-service attack, disruption of communications links, and various forms of intruder attacks
Software Attack Surface
Vulnerabilities in application, utility, or operating system code
Particular focus is Web server software
Human Attack Surface
Vulnerabilities created by personnel or outsiders, such as social engineering, human error, and trusted insiders
19
An attack tree is a branching, hierarchical data structure that represents a set of
potential techniques for exploiting security vulnerabilities. The security incident that is the goal of the attack is represented as the
root node of the tree, and the ways that an attacker could reach that goal are iteratively
and incrementally represented as branches and subnodes of the tree. Each
subnode defines a subgoal, and each subgoal may have its own set of further subgoals,
etc. The final nodes on the paths outward from the root, i.e., the leaf nodes,
represent different ways to initiate an attack. Each node other than a leaf is either
an AND-node or an OR-node. To achieve the goal represented by an AND-node,
the subgoals represented by all of that node’s subnodes must be achieved; and for
an OR-node, at least one of the subgoals must be achieved. Branches can be labeled
with values representing difficulty, cost, or other attack attributes, so that alternative
attacks can be compared.
The motivation for the use of attack trees is to effectively exploit the information
available on attack patterns. Organizations such as CERT publish security
advisories that have enabled the development of a body of knowledge about both
general attack strategies and specific attack patterns. Security analysts can use the
attack tree to document security attacks in a structured form that reveals key vulnerabilities.
The attack tree can guide both the design of systems and applications,
and the choice and strength of countermeasures.
Figure is an example of an attack tree analysis
for an Internet banking authentication application. The root of the tree is the objective
of the attacker, which is to compromise a user’s account. The shaded boxes on the tree
are the leaf nodes, which represent events that comprise the attacks. The white boxes
are categories which consist of one or more specific attack events (leaf nodes). Note
that in this tree, all the nodes other than leaf nodes are OR-nodes. The analysis used
to generate this tree considered the three components involved in authentication:
• User terminal and user (UT/U): These attacks target the user equipment,
including the tokens that may be involved, such as smartcards or other password
generators, as well as the actions of the user.
• Communications channel (CC): This type of attack focuses on communication
links.
• Internet banking server (IBS): These types of attacks are offline attack against
the servers that host the Internet banking application.
Five overall attack strategies can be identified, each of which exploits one or
more of the three components. The five strategies are as follows:
• User credential compromise: This strategy can be used against many elements
of the attack surface. There are procedural attacks, such as monitoring a user’s
action to observe a PIN or other credential, or theft of the user’s token or
handwritten notes. An adversary may also compromise token information using
a variety of token attack tools, such as hacking the smartcard or using a brute
force approach to guess the PIN. Another possible strategy is to embed malicious
software to compromise the user’s login and password. An adversary may
also attempt to obtain credential information via the communication channel
(sniffing). Finally, an adversary may use various means to engage in communication
with the target user, as shown in Figure 1.5.
• Injection of commands: In this type of attack, the attacker is able to intercept
communication between the UT and the IBS. Various schemes can be used to
be able to impersonate the valid user and so gain access to the banking system.
• User credential guessing: It is reported in [HILT06] that brute force
attacks against some banking authentication schemes are feasible by sending
random usernames and passwords. The attack mechanism is based on
distributed zombie personal computers, hosting automated programs for
username- or password-based calculation.
• Security policy violation: For example, violating the bank’s security policy in
combination with weak access control and logging mechanisms, an employee
may cause an internal security incident and expose a customer’s account.
• Use of known authenticated session: This type of attack persuades or forces the
user to connect to the IBS with a preset session ID. Once the user authenticates
to the server, the attacker may utilize the known session ID to send packets to
the IBS, spoofing the user’s identity.
Figure 1.5 provides a thorough view of the different types of attacks on an
Internet banking authentication application. Using this tree as a starting point, security
analysts can assess the risk of each attack and, using the design principles outlined
in the preceding section, design a comprehensive security facility. [DIMO07]
provides a good account of the results of this design effort.
20
Fundamental Security Design Principles
21
Economy of mechanism
Fail-safe defaults
Complete mediation
Open design
Separation of privilege
Least privilege
Least common mechanism
Psychological acceptability
Isolation
Encapsulation
Modularity
Layering
Least astonishment
Standards
Standards have been developed to cover management practices and the overall architecture of security mechanisms and services
The most important of these organizations are:
National Institute of Standards and Technology (NIST)
NIST is a U.S. federal agency that deals with measurement science, standards, and technology related to U.S. government use and to the promotion of U.S. private sector innovation
Internet Society (ISOC)
ISOC is a professional membership society that provides leadership in addressing issues that confront the future of the Internet, and is the organization home for the groups responsible for Internet infrastructure standards
International Telecommunication Union (ITU-T)
ITU is a United Nations agency in which governments and the private sector coordinate global telecom networks and services
International Organization for Standardization (ISO)
ISO is a nongovernmental organization whose work results in international agreements that are published as International Standards
22
Summary
Fundamental security design principles
Attack surfaces and attack trees
Attack surfaces
Attack trees
Computer security concepts
Definition
Challenges
Model
Threats, attacks, and assets
Threats and attacks
Threats and assets
Security functional requirements
Standards
23
Figure 1.1 Essential Network and Computer Security Requirements
Data
and
services
Availability
Integrity
A
ccountability
A
ut
he
nt
ic
ity
Co
nfi
de
nti
ali
ty
assets
threats
Figure 1.2 Security Concepts and Relationships
Threat agents
wish to
minimize
wish to abuse
and/or
may damage
toto
that
increase
give
rise to
Owners
countermeasures
risk
impose
value
to
reduce
assets
threats
Figure 1.2 Security Concepts and Relationships
Threat agents
wish to
minimize
wish to abuse
and/or
may damage
to
to
that
increase
give
rise to
Owners
countermeasur es
risk
impose
value
to
reduce
Threat Consequence Threat Action (Attack)
Unauthorized
Disclosure
A circumstance or
event whereby an
entity gains access to
data for which the
entity is not
authorized.
Exposure: Sensitive data are directly released to an
unauthorized entity.
Interception: An unauthorized entity directly accesses
sensitive data traveling between authorized sources and
destinations.
Inference: A threat action whereby an unauthorized entity
indirectly accesses sensitive data (but not necessarily the
data contained in the communication) by reasoning from
characteristics or byproducts of communications.
Intrusion: An unauthorized entity gains access to sensitive
data by circumventing a system’s security protections.
Deception
A circumstance or
event that may result
in an authorized entity
receiving false data
and believing it to be
true.
Masquerade: An unauthorized entity gains access to a
system or performs a malicious act by posing as an
authorized entity.
Falsification: False data deceive an authorized entity.
Repudiation: An entity deceives another by falsely denying
responsibility for an act.
Disruption
A circumstance or
event that interrupts
or prevents the correct
operation of system
services and
functions.
Incapacitation: Prevents or interrupts system operation by
disabling a system component.
Corruption: Undesirably alters system operation by
adversely modifying system functions or data.
Obstruction: A threat action that interrupts delivery of
system services by hindering system operation.
Usurpation
A circumstance or
event that results in
control of system
services or functions
by an unauthorized
entity.
Misappropriation: An entity assumes unauthorized logical
or physical control of a system resource.
Misuse: Causes a system component to perform a function
or service that is detrimental to system security.
Threat Consequence Threat Action (Attack)
Unauthorized
Disclosure
A circumstance or
event whereby an
entity gains access to
data for which the
entity is not
authorized.
Exposure: Sensitive data are directly released to an
unauthorized entity.
Interception: An unauthorized entity directly accesses
sensitive data traveling between authorized sources and
destinations.
Inference: A threat action whereby an unauthorized entity
indirectly accesses sensitive data (but not necessarily the
data contained in the communication) by reasoning from
characteristics or byproducts of communications.
Intrusion: An unauthorized entity gains access to sensitive
data by circumventing a system’s security protections.
Deception
A circumstance or
event that may result
in an authorized entity
receiving false data
and believing it to be
true.
Masquerade: An unauthorized entity gains access to a
system or performs a malicious act by posing as an
authorized entity.
Falsification: False data deceive an authorized entity.
Repudiation: An entity deceives another by falsely denying
responsibility for an act.
Disruption
A circumstance or
event that interrupts
or prevents the correct
operation of system
services and
functions.
Incapacitation: Prevents or interrupts system operation by
disabling a system component.
Corruption: Undesirably alters system operation by
adversely modifying system functions or data.
Obstruction: A threat action that interrupts delivery of
system services by hindering system operation.
Usurpation
A circumstance or
event that results in
control of system
services or functions
by an unauthorized
entity.
Misappropriation: An entity assumes unauthorized logical
or physical control of a system resource.
Misuse: Causes a system component to perform a function
or service that is detrimental to system security.
Guard
Data
Computer System Computer System
Processes representing users
1 Access to the data
must be controlled
(protection)
Guard
Data
Processes representing users
2 Access to the computer
facility must be controlled
(user authentication)
3 Data must be
securely transmitted
through networks
(network security)
4 Sensitive files
must be secure
(file security)
Users making requests
Figure 1.3 Scope of Computer Security. This figure depicts security
concerns other than physical security, including control of access to
computers systems, safeguarding of data transmitted over communications
systems, and safeguarding of stored data.
Guard
Data
Computer System Computer System
Processes representing users
1 Access to the data
must be controlled
(protection)
Guard
Data
Processes representing users
2 Access to the computer
facility must be contr olled
(user authentication)
3 Data must be
securely transmitted
through networks
(network security)
4 Sensitive files
must be secure
(file security)
Users making requests
Figure 1.3 Scope of Computer Security . This figure depicts security
concerns other than physical security , including control of access to
computers systems, safeguarding of data transmitted over communications
systems, and safeguarding of stored data.
Availability Confidentiality Integrity
Hardware
Equipment is stolen or
disabled, thus denying
service.
An unencrypted CD-
ROM or DVD is stolen.
Software Programs are deleted, denying access to users.
An unauthorized copy
of software is made.
A working program is
modified, either to
cause it to fail during
execution or to cause it
to do some unintended
task.
Data Files are deleted, denying access to users.
An unauthorized read
of data is performed.
An analysis of
statistical data reveals
underlying data.
Existing files are
modified or new files
are fabricated.
Communication
Lines and
Networks
Messages are destroyed
or deleted.
Communication lines
or networks are
rendered unavailable.
Messages are read. The
traffic pattern of
messages is observed.
Messages are modified,
delayed, reordered, or
duplicated. False
messages are
fabricated.
Availability Confidentiality Integrity
Hardware
Equipment is stolen or
disabled, thus denying
service.
An unencrypted CD-
ROM or DVD is stolen.
Software
Programs are deleted,
denying access to users.
An unauthorized copy
of software is made.
A working program is
modified, either to
cause it to fail during
execution or to cause it
to do some unintended
task.
Data
Files are deleted,
denying access to users.
An unauthorized read
of data is performed.
An analysis of
statistical data reveals
underlying data.
Existing files are
modified or new files
are fabricated.
Communication
Lines and
Networks
Messages are destroyed
or deleted.
Communication lines
or networks are
rendered unavailable.
Messages are read. The
traffic pattern of
messages is observed.
Messages are modified,
delayed, reordered, or
duplicated. False
messages are
fabricated.
Figure 1.4 Defense in Depth and Attack Surface
Attack Surface
Medium
Security Risk
High
Security Risk
Low
Security Risk
D
e
e
p
L
a
y
e
r
in
g
S
h
a
ll
o
w
Small Large
Medium
Security Risk
Figure 1.4 Defense in Depth and Attack Surface
Attack Surface
Medium
Security Risk
High
Security Risk
Low
Security Risk
D
e
e
p
L
a
y
e
r
i
n
g
S
h
a
l
l
o
w
Small Large
Medium
Security Risk
Figure 1.5 An Attack Tree for Internet Banking Authentication
Bank Account Compromise
User credential compromise
User credential guessing
UT/U1a User surveillance
UT/U1b Theft of token and
handwritten notes
Malicious software
installation
Vulnerability exploit
UT/U2a Hidden code
UT/U2b Worms
UT/U3a Smartcard analyzers
UT/U2c E-mails with
malicious code
UT/U3b Smartcard reader
manipulator
UT/U3c Brute force attacks
with PIN calculators
CC2 Sniffing
UT/U4a Social engineering
IBS3 Web site manipulation
UT/U4b Web page
obfuscation
CC1 Pharming
Redirection of
communication toward
fraudulent site
CC3 Active man-in-the
middle attacks
IBS1 Brute force attacks
User communication
with attacker
Injection of commands
Use of known authenticated
session by attacker
Normal user authentication
with specified session ID
CC4 Pre-defined session
IDs (session hijacking)
IBS2 Security policy
violation
Figure 1.5 An Attack Tree for Internet Banking Authentication
Bank Account Compromise
User credential compromise
User credential guessing
UT/U1a User surveillance
UT/U1b Theft of token and
handwritten notes
Malicious software
installation
Vulnerability exploit
UT/U2a Hidden code
UT/U2b Worms
UT/U3a Smartcard analyzers
UT/U2c E-mails with
malicious code
UT/U3b Smartcard reader
manipulator
UT/U3c Brute force attacks
with PIN calculators
CC2 Sniffing
UT/U4a Social engineering
IBS3 Web site manipulation
UT/U4b Web page
obfuscation
CC1 Pharming
Redirection of
communication toward
fraudulent site
CC3 Active man-in-the
middle attacks
IBS1 Brute force attacks
User communication
with attacker
Injection of commands
Use of known authenticated
session by attacker
Normal user authentication
with specified session ID
CC4 Pre-defined session
IDs (session hijacking)
IBS2 Security policy
violation