Comp Sec Intro


  • Introduction to Computer Security

    1. Ethical Issues
    2. State of the Art
    3. Fundamentals of Computer Security
    4. Security Engineering: Lifecycle and Principles

  • 1. Ethical Issues

  • 2. State-of-the-Art: CSI/FBI Annual Survey for 2003 (sample of 530 companies)

    99% use a mixture of prevention, detection, and reaction technologies

    90% use prevention technologies such as firewall, access control, and physical security

    75% also use intrusion detection systems

    75% acknowledged financial losses due to security breaches

    92% detected attacks during the last 12 months

    $201,797,340 total annual financial losses (only 251 out of 530 reported their loss, i.e. 47%)

  • Classes of Security Threats

    - System modification: may involve intrusion into the system itself.
    - Invasion of privacy: involves disclosing information about a user or host machine that should not be publicized.
    - Denial of service: makes system resources unavailable.
    - Antagonism: attacks that merely antagonize or annoy a user.

    Popular Security Technologies

    - Many organizations address security from three different perspectives: prevention, detection, and reaction.
    - Prevention technologies involve firewalls, encryption, access control, physical security, etc.
    - Detection technologies involve intrusion detection systems (IDS), digital watermarking, etc.
    - Reaction technologies involve forensics systems, trace-back tools, etc.

  • 2. Fundamentals of Computer Security: What is Computer Security?

    From the dictionary: safety and freedom from worry when using computers.

    More technically: confidentiality, integrity and availability; identification and authentication, access control, audit, and assurance.

    In fact, security is what you get if all the above technology works as advertised.

    The main thing the computer industry does to provide safety is called protection.

    What the computer industry does to provide freedom from worry is called assurance.

  • Protection

    Provided by a set of security services (countermeasures), each designed to prevent a specific kind of bad thing (threat) from happening.

    Example: a file system access control mechanism.

    Three kinds of protection: authorization, accountability, and availability.

  • Authorization: protects the system against attempts to break the rules.

    [Diagram: users, the rules, protected resources]

    The rules generally say things like:
    - Anyone can read unclassified data
    - No one outside the company can read proprietary data
    - No one inside the company can read confidential data without first demonstrating a need to know

  • Two broad categories of authorization mechanisms:

    Access control mechanisms:
    - enforce the rules
    - used in environments that can be trusted to run a program to check whether the rules are being violated.

    Data protection mechanisms:
    - used when the environment isn't able to run a program to check the rules, or isn't trusted to enforce the rules even if it can check them. Example: a telephone wire can't run a program; a PC running DOS can run programs, but DOS isn't a secure OS.
    - normally implemented using encryption.
    - Confidentiality protection keeps unauthorized readers from snooping through protected data.
    - Integrity protection keeps vandals from making unauthorized changes to protected data.
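    As an added example that is not part of the slides: the three example rules from the Authorization slide enforced by an access control mechanism that every read passes through, and that records each decision so the audit log can later say who asked for what, and when. The User, Document and Monitor types and the sample names are hypothetical.

```go
package main

import "fmt"

// Classification levels named in the slide's example rules.
type Level int

const (
	Unclassified Level = iota
	Proprietary
	Confidential
)

// User and Document are hypothetical record types, not from the slides.
type User struct {
	Name       string
	Insider    bool            // inside the company
	NeedToKnow map[string]bool // document IDs for which need to know was shown
}
type Document struct {
	ID    string
	Level Level
}

// Monitor is the access control mechanism: every read passes through Read
// (complete mediation) and every decision is logged for later audit.
type Monitor struct{ Audit []string }

// Read applies the three rules and denies anything they do not cover.
func (m *Monitor) Read(u User, d Document, when string) bool {
	allowed, why := false, "default deny"
	switch d.Level {
	case Unclassified:
		allowed, why = true, "anyone can read unclassified data"
	case Proprietary:
		allowed, why = u.Insider, "proprietary data is for insiders only"
	case Confidential:
		allowed, why = u.Insider && u.NeedToKnow[d.ID], "confidential data needs an insider with need to know"
	}
	verdict := map[bool]string{true: "ALLOW", false: "DENY"}[allowed]
	m.Audit = append(m.Audit, fmt.Sprintf("%s %s read %s: %s (%s)", when, u.Name, d.ID, verdict, why))
	return allowed
}

func main() {
	m := &Monitor{}
	alice := User{Name: "alice", Insider: true, NeedToKnow: map[string]bool{"plan.doc": true}}
	m.Read(alice, Document{"plan.doc", Confidential}, "2003-01-01T09:00")               // ALLOW
	m.Read(User{Name: "guest"}, Document{"plan.doc", Confidential}, "2003-01-01T09:01") // DENY
	for _, e := range m.Audit {
		fmt.Println(e)
	}
}
```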

  • Accountability

    Assumption: there's no way to prevent authorized users with evil intent from doing things which the rules don't allow.

    Hence, the only rule that can keep all your resources safe: no one is allowed to do anything.

    Accountability: you can tell who did what, when.

    Two strengths of accountability: audit and non-repudiation.

  • The System Audit Log

    Audit: a weak form of accountability. When someone suspects foul play, the audit log is examined to discover evidence of the deed and the identity of the perpetrator.

    Limitations: some kinds of foul play can't be accurately diagnosed using audit.

  • [Diagram: the system, audit log, signature]

    Non-repudiation: a stronger form of accountability. Requires users to sign their requests for system actions.

    Depends on:
    - the strength of the digital signature algorithm
    - the secrecy of each user's signature key, to guarantee that privileged users and system administrators can't forge other users' signatures.
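    An added example, not from the slides, of the signed audit log described above using Ed25519 from Go's standard library: the auditor checks entries with public keys only, and an entry whose action was changed after signing, or one signed with a key other than the user's own, fails to verify. The Request type and the SignRequest, VerifyEntry and Scenario functions are hypothetical names.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Request is a user's request for a system action together with the
// user's signature over it (hypothetical record type, not from the slides).
type Request struct {
	User, Action string
	Sig          []byte
}

// payload is the exact byte string that gets signed and later verified.
func payload(user, action string) []byte { return []byte(user + "|" + action) }

// SignRequest runs on the user's side with the user's secret signing key.
func SignRequest(priv ed25519.PrivateKey, user, action string) Request {
	return Request{User: user, Action: action, Sig: ed25519.Sign(priv, payload(user, action))}
}

// VerifyEntry is what an auditor does later with nothing but public keys:
// neither the auditor nor the system administrator holds any user secret.
func VerifyEntry(pubs map[string]ed25519.PublicKey, r Request) bool {
	pub, ok := pubs[r.User]
	return ok && ed25519.Verify(pub, payload(r.User, r.Action), r.Sig)
}

// Scenario reports whether three audit-log entries verify: the genuine one,
// one whose action was altered after signing, and one signed with a key
// other than the user's own.
func Scenario() (genuineOK, alteredOK, otherKeyOK bool) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	pubs := map[string]ed25519.PublicKey{"alice": pub}

	genuine := SignRequest(priv, "alice", "read payroll.xls")
	altered := genuine
	altered.Action = "read menu.txt" // edited log entry: the signature no longer matches
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	otherKey := SignRequest(otherPriv, "alice", "read payroll.xls") // not alice's key

	return VerifyEntry(pubs, genuine), VerifyEntry(pubs, altered), VerifyEntry(pubs, otherKey)
}

func main() {
	g, a, o := Scenario()
	fmt.Println("genuine:", g, "altered:", a, "other key:", o) // genuine: true altered: false other key: false
}
```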

  • Availability: a resource is available if it's there when you need it.

    A bad guy can do various things to deny the use of a resource:
    - Destroy or damage the resource
    - Interfere with the communications between you and the resource
    - Interfere with your ability to pass the authorization check required for use of the resource

    [Diagram: user, hacker, server; network attacks]

  • Two approaches to availability protection: service continuity and disaster recovery.

    - Service continuity: make sure that you can always get to your resources. Usually involves keeping many active copies of each resource and keeping a couple of independent communication paths to each copy.

    - Disaster recovery: assumes that service will eventually be interrupted, and figures out how you can get back up and running after the interruption. Consists of keeping backup copies of everything and planning in advance how the backups will be activated and used in an emergency.

  • Assurance

    The set of things the builder and the operator of a system do to convince you that it really is safe to use.

    Means that the system keeps its security promises: the system can enforce the policy you're interested in; the system works.

    Based on an assurance argument, which tries to prove three things:
    - the system's protection mechanisms are correct (e.g. not full of bugs, enforce the stated policy)
    - the system always uses its protection mechanisms when they are needed
    - there's no way to circumvent the system's protection mechanisms

    Assurance has to be done throughout the system's lifetime.

  • Three kinds of assurance contribute to a strong assurance argument:

    Design assurance: use of good security engineering practices to identify important threats and to choose appropriate countermeasures.

    Development assurance: use of disciplined processes to implement the design correctly and to deliver the final system securely and reliably.

    Operational assurance: mandates secure installation, configuration and day-to-day operation of the system.

    Good records of what has been done during every phase of the system's life must be kept as evidence, and can help in deciding how much faith in the system's security is justified.

  • 4. Security Engineering: Lifecycle and Principles

    Lifecycle [flowchart; box labels as extracted]:
    - Define application and resources to be protected
    - Establish security policy
    - Select and implement security services and mechanisms
    - Estimate risks
    - Identify security vulnerabilities and threats
    - Repeat procedure when a certain interval has expired or circumstances have changed
    - Specify system architecture
    - Prioritize risks
    - Risk is acceptably low
    - Deploy and maintain

  • Design Principles and Guidelines

    Least privilege: every user and process should have the least set of access rights necessary.

    Economy of mechanism: the design should be sufficiently small and simple that it can be verified and correctly implemented.

    Complete mediation: every access should be checked for authorization.

    Open design: security should not depend on the design being secret or on the ignorance of the attackers.

    Separation of privilege: where possible, access to objects should depend on more than one condition being satisfied.

    Least common mechanism: mechanisms shared by multiple users provide potential information channels, and therefore should be minimized.

    Psychological acceptability: the mechanism must be easy to use so that it will be applied correctly and not bypassed.