basic security chapter 1

TOPIC 1 TOPIC 1 Basic Security ConceptsBasic Security Concepts

INTRODUCTIONINTRODUCTION

What is security?What is security?Security is about the protection of assets.Security is about the protection of assets.- Computer-related assets.- Computer-related assets.Computing system :- hardware, software, Computing system :- hardware, software, storage media, data and people.storage media, data and people.

Principle of Easiest PenetrationPrinciple of Easiest PenetrationIntruder must be expected to use all Intruder must be expected to use all available means of penetration. Use the available means of penetration. Use the ‘weakest point’.‘weakest point’.


There are 3 classification of protection:There are 3 classification of protection:– PreventionPrevention: take measures that prevent : take measures that prevent

your assets from being damaged. your assets from being damaged. – DetectionDetection: take measures that allow you to : take measures that allow you to

detect when an asset has been damageddetect when an asset has been damaged– ReactionReaction: take measures that allow you to : take measures that allow you to

recover your assets or to recover from recover your assets or to recover from damage to your assets.damage to your assets.

Example from physical world:Example from physical world:– PreventionPrevention: locks at the door or window : locks at the door or window

bars, wall around the propertybars, wall around the property– DetectionDetection: you detect when something has : you detect when something has

been stolen if it is no longer there, a been stolen if it is no longer there, a burglar alarm goes on when break-in burglar alarm goes on when break-in occurs, cctv provide information that occurs, cctv provide information that allows you to identify intrudersallows you to identify intruders

– ReactionReaction: you can call the police or you : you can call the police or you may decide to replace the stolen itemmay decide to replace the stolen item



Example from cyber world: consider credit card Example from cyber world: consider credit card fraud cases.fraud cases.– PreventionPrevention: use encryption when placing an order, : use encryption when placing an order,

rely on the merchant to perform some checks on rely on the merchant to perform some checks on the caller before accepting a credit card order or the caller before accepting a credit card order or don’t use credit card number on the Internet. don’t use credit card number on the Internet.

– DetectionDetection: a transaction that you had not : a transaction that you had not authorized appears on your credit card authorized appears on your credit card statements.statements.

– ReactionReaction: you can ask for new credit card number, : you can ask for new credit card number, the cost of the fraudulent may be recovered by the cost of the fraudulent may be recovered by the card holder or the merchant where the the card holder or the merchant where the fraudster had made the purchase or the credit fraudster had made the purchase or the credit card issuer.card issuer.

SECURITY GOALS

SECURITY GOALS

INTEGRITY: An assets can be modified only by authorized or only in authorized ways.

CONFIDENTIALITY: an assets of computing systems are available only by authorized parties (also known as secrecy).

AVAILABILITY : An assets are accessible to authorized parties when needed without any delay.

SECURITY THREATS

INTERRUPTION: An asset of the system is destroyed or become unavailable or unusable – attack on AVAILABILTY

INTERCEPTION: An unauthorized party (program, person, computer) gains access to an asset – attack on CONFIDENTIALITY

MODIFICATION: An unauthorized party not only gain access to but tampers with an assets – attack on INTEGRITY

FABRICATION: An unauthorized party insert counterfeit objects into the system – an attack on AUTHENTICITY

Informationsource

Informationdestination

INTERRUPTION

Informationsource


MODIFICATION

Informationsource


INTERCEPTION

Informationsource


FABRICATION

Middle man

Middle man

Middle man

SECURITY THREATS

Examples of security threats/attacks:Examples of security threats/attacks:

Interruption

~ destruction of piece of hardware (hard disk) ~ cutting of communication line or ~ disabling of the file management system

Interception

~ wiretapping~ illicit copy of files or programs

Modification

~ changing values in data file, ~ altering a program so that it performs differently,~ modifying the content of messages being transmitted in a network.

Fabrication

~ addition of records to a file,~ insertion of spurious messages in a network

VulnerabilitiesVulnerabilities

VulnerabilitiesVulnerabilities: a weaknesses in the : a weaknesses in the securitysecurity

systemsystem that might be exploited to cause that might be exploited to cause

loss or harm.loss or harm.

DATADATASOFTWARESOFTWARE

HARDWAREHARDWARE

Interception (Theft)

Interruption(Denial of service)

Interruption(Deletion)

Interception (piracy)

Modification

Interruption(Loss)

Interception

Modification

Fabrication

Vulnerabilities in Computing Systems


Threats to Hardware• involuntary machine-slaughter: accidental acts not intended to do serious damage.

• voluntary machine-slaughter: intended to do harm

Threats to Software• deletion

• modification – trojan horse, virus, trapdoor, logic bomb

• theft - piracy


Threats to Data• loss of data

•interception

• modification

• fabrication

Threats to other exposed assets• storage media – consider backups

• networks – very expose medium, access from distant

• access – steal computer time, denial of service

• key people – disgruntled employees

Methods of DefenseMethods of Defense

Encryption provides ~ confidentiality for data ~ integrity~ basis for protocol

SOFTWARE/HARDWARE CONTROLSENCRYPTION

POLICIES

Software controls:~ Internal program controls~ Operating system controls~ Development controlsHardware controls:~ hardware devices : - smartcard (encryption) - circuit board ctrl disk drives in PCs~ frequent changes

of password~ trainingLegal and ethical controls~ codes of ethics ~ locks of doors

~ backup copies of important s/w and data~ physical site planning (reduce natural disasters)

PHYSICAL CONTROLS

METHODS OF DEFENSE

METHODS OF DEFENSE

Who are the people?Who are the people?

AmateursAmateurs: : not career criminal but normal people who observe a flaw in a security system – have access to something valuable.

Crackers: may be university or high school students who attempt to access computing facilities for which they have not been authorized.

Career criminal: understands the targets of computer crime, international groups, electronic spies, information brokers.

Hackers: someone with deep knowledge and interest in operating systems or multiple OS. Do not attempt to intentionally break any system (non-malicious).

How to makes a system How to makes a system secure?secure?

There are four methods how computer security provide There are four methods how computer security provide protection:protection:(1)(1) System Access ControlSystem Access Control: ensuring that : ensuring that unauthorized users don’t get into the system. unauthorized users don’t get into the system. (2)(2) Data Access ControlData Access Control: monitoring who can : monitoring who can access what data and for what purposes.access what data and for what purposes.(3)(3) System and Security AdministrationSystem and Security Administration: : performing certain procedures (system administrator’s performing certain procedures (system administrator’s responsibilities or training users appropriately)responsibilities or training users appropriately)(4)(4) System DesignSystem Design: Taking advantage of basic : Taking advantage of basic hardware and software security characteristics.hardware and software security characteristics.

System Access ControlSystem Access Control

The first way in which system provides The first way in which system provides computer security is by controlling access to computer security is by controlling access to that system:that system:– Who’s allowed to log in?Who’s allowed to log in?– How does the system decide whether a user is How does the system decide whether a user is

legitimate?legitimate? Identification and authentication provides the Identification and authentication provides the

above.above.

Identification & AutheticationIdentification & Authetication IdentificationIdentification tells the system who you are tells the system who you are AuthenticationAuthentication proves to the system that proves to the system that

you are who you are.you are who you are. There are 3 ways to prove ourselves:There are 3 ways to prove ourselves:

– Something you knowSomething you know– Something you haveSomething you have– Something you areSomething you are


e.g.: password~ you know the password, you the owner

IDENTIFICATION &

AUTHENTICATION

IDENTIFICATION &

AUTHENTICATION

SOMETHING YOU HAVE

SOMETHING YOU KNOW

SOMETHING YOU ARE

e.g.: tokens, keys & smart cards

~ you have the key, you must be the owner of it

e.g: fingerprints, retina pattern, handprint etc.

Username and PasswordUsername and Password Typical first line of defenseTypical first line of defense User name (Login ID) – identificationUser name (Login ID) – identification Password – authentication Password – authentication Login will succeed if you entered a valid user name and corresponding password.Login will succeed if you entered a valid user name and corresponding password.


User plays an important role in User plays an important role in password protection – password protection – authentication is compromised authentication is compromised when you gave away your own when you gave away your own password by telling others.password by telling others.

Common threats on password:Common threats on password:– Password guessing: exhaustive search Password guessing: exhaustive search

and intelligent searchand intelligent search– Password spoofingPassword spoofing– Compromise of the password fileCompromise of the password file


How we can defend password security:How we can defend password security:– Compulsory to set a password Compulsory to set a password – Change default passwordChange default password– Password lengthPassword length– Password formatPassword format– Avoid obvious passwordsAvoid obvious passwords

How system help to improve password security:How system help to improve password security:– Password checkersPassword checkers– Password generationPassword generation– Password ageingPassword ageing– Limit login attemptsLimit login attempts– Inform usersInform users


Data Access ControlData Access Control

On the most elementary level, a On the most elementary level, a subject may observe an object or alter subject may observe an object or alter an object, therefore the common an object, therefore the common access modes are defined as below:access modes are defined as below:– Observe: look at the contents of an objectObserve: look at the contents of an object– Change: change the contents of an objectChange: change the contents of an object

Data Access ControlData Access Control

Observe

Change

execute append read write

√

√ √

√

Access rights in the Bell-LaPadula model

{execute, read, write}

Alice

Bill

bill.doc edit.exe fun.com

{read, write}

{execute}

{execute}

{execute, read}

-

An access control matrix

Effectiveness of ControlsEffectiveness of Controls

Awareness of ProblemsAwareness of Problems: people will : people will cooperate with security requirements only if cooperate with security requirements only if they understand why security is appropriate they understand why security is appropriate in each specific situation.in each specific situation.

Likelihood of useLikelihood of use: controls must be used to : controls must be used to be effective – therefore it must be easy to be effective – therefore it must be easy to use and appropriate.use and appropriate.

Overlapping controlsOverlapping controls: combinations of : combinations of control on one exposure.control on one exposure.

Periodic reviewPeriodic review: ongoing task in judging : ongoing task in judging the effectiveness of a control.the effectiveness of a control.

The EndThe End

basic security chapter 1

Education

credit card order

credit card issuer

credit card statements

credit card fraudexample

assets attack

protection of assets

new credit card number

dont use credit card