CHAPTER 1 - INTRODUCTION

BASIC COMPONENTSConfidentiality : keep data and resource hiddenIntegrity : prevent unauthorized modificationAvailability : Enabling access to data and resources

THREATDefinition:A potential violation of security that can affect the assets & resources associated with computer system. E.g.: Virus

Classes of Threat:Disclosure - unauthorized access to information

E.g.: snooping, wiretapping (Confidentiality)Deception - acceptance of false data

E.g.: spoofing, denial of receipt (Integrity)Disruption - interruption of correct operation

E.g.: modification (Integrity)Usurpation - unauthorized control of some system’s part

E.g.: modification, denial of service (Availability)

Areas of Threat:Confidentiality threat - masquerade as recipient and view message.Integrity threat - hacker accesses the bank computer system

compromising the integrity of the record.Availability threat - Spamming and causing server to crashed.

ATTACKDefinition:A threat executed by an attacker that exploits vulnerabilities to cause threat to occur. E.g.: Hacking into the network

SECURITY POLICYA statement of what is or isn’t allowedTypes:Military - primarily protecting confidentialityCommercial - primarily protecting integrityConfidentiality - protecting only confidentialityIntegrity - protecting only integrity

SECURITY MECHANISMSA method, tool, or procedure for enforcing a security policy.

GOAL OF SECURITYPrevention - stop attackers from violate security policyDetection - discover attacker’s violation of security policyRecovery - prevent attack and repair damage

ASSUMPTION & TRUST - Underlie all aspect of security

ASSURANCEDefinition : A basis of “how much” one can trust a systemSpecification - requirement analysisDesign - How system meet specificationImplementation - System that carry out design

OPERATIONAL ISSUESCost-benefit AnalysisRisk AnalysisLaws and Customs

ORGANIZATIONAL PROBLEMS- Power & responsibility- NO Financial benefits- Human limitation- Lack of Resource

PEOPLE PROBLEM- Outsider & Insider- Social engineering

SECURE SYSTEMA system that starts in an authorized state and cannot enter an unauthorized state.

BREACH OF SECURITYOccurs when a system enters an unauthorized state.

CONFIDENTIALITY POLICYBell-Lapadula Model (BLP)

O - Object, [_] - Subject

Information flow: No Read Up, No Write Down (NRU, NWD)

INTEGRITY POLICYBiba Integrity Model

Information flow: No Read Down, No Write Up (NRD, NWU)

BIBA CLARK-WILSONAttach many integrity levels to subjects and objects.

2 levels:Object - CDI / UDISubjects - TP & others

No notion of certification rules, trusted subjects ensure actions obey rules.

Explicit requirements that actions must meet

Un-trusted data examined before being made trusted.

Trusted entity must certify method to upgrade un-trusted data

CHAPTER 2 - AUTHENTICATION & IDENTIFICATION

Authorization - The granting of specific rights.Identification - Establishing whether someone’s identity.

IDENTITY MANAGEMENTA set of properties assigned to a given object.- Creation & deletion of identity- Management of properties assigned to identity- Secure storage of identity- Secure handling of queries regarding identity & their property

LIGHTWIEGHT DIRECTORY ACCESS PROTOCOL (LDAP) A directory is a specialized database optimized for searching and

browsing. LDAP entries are collections of attributes identified by a unique

distinguished name (dn). Entries are characterized by types that determine their format

and syntax (e.g. ou = “Organisational Unit”). Entries are stored in a hierarchy. A relative distinguished name

defines a search path to an entry. Applications: User account management, Address book

(Outlook)

USER AUTHENTICATION- Something you know: passwords- Something you have: smart cards- Something you are: biometrics, voice print

PASSWORDSMaintenance:- Generation & distribution- Password synchronization- Forgotten passwords; password reset

Threats:- Brute force search- Guessing- Keylogging- Shoulder surfing- Identity spoofing / phishing

ACCESS CONTROLAccess control is the collection of mechanisms that permits management to specify what users can do, which resources they can access, and what operations they can perform on a system.

ACCESS CONTROL MATRIX (ACM)Advantage: - Clarify of definition- Easy to verify

Disadvantage: - Poor scalability- Poor handling of changes

ACCESS CONTROL LIST (ACL)Advantage: - Easy for administrator to see access rights for given resource.- Relative easiness of management using abstraction.

Disadvantage:- Poor overview of access rights per subject- Difficulty of renovation- Difficulty of sharing

CAPABILITIES- A piece of data possession which proves authorization to access resource.- Advantage: May be transferred offline between users.

Alice : {edit.exe: execute}, {fun.com: execute, read}Bob : {bill.doc: read, write}, {edit.exe: execute},

{fun.com: execute, read, write}

Columns of Access Control Matrixfile1 file2 file3

Andy rx r rwoBetty rwxo r -Charlie rx rwo w

Capabilities-Lists (CL) - Subject-centeredAndy : { (file1, rx) (file2, r) (file3, rwo) }Betty : { (file1, rwxo) (file2, r) }Charlie : { (file1, rx) (file2, rwo) (file3, w) }

Access Control List (ACL) - Object-centeredfile1 : { (Andy, rx) (Betty, rwxo) (Charlie, rx) }file2 : { (Andy, r) (Betty, r) (Charlie, rwo) }file3 : { (Andy, rwo) (Charlie, w) }

Discretionary Access Control (DAC)• A system that uses discretionary access control allows the

owner of the resource to specify which subjects can access which resources.

• Access control is at the discretion of the owner• Deployed in a majority of common systems.• Advantages:

- Simple & efficient access rights management- Scalability

• Disadvantages:- Intentional abuse of access rights- No control over information flow

Mandatory Access Control (MAC)• Access control is based on a security labeling system. Users

have security clearances and resources have security labels that contain data classifications.

• This model is used in environments where information classification and confidentiality is very important.

• Advantages:- Strict control over information flow- Strong exploit containment

• Disadvantages:- Major usability problems- Cumbersome administration

Role Based Access Control (RBAC) RBAC uses a centrally administered set of controls to determine

how subjects & objects interact. The best system for an organization that has high turnover. Attempts to handle complexity of access control by extensive

used of abstractions (Data types; Procedures; Roles; Hierarchy).

CHAPTER 3 - DIGITAL CERTIFICATES

DEFINITIONA digital certificate (DC) is a digital file that certifies the identity of an individual or institution, or even a router seeking access to computer- based information. It is issued by a Certification Authority (CA) , and serves the same purpose as a driver’s license or a passport.

CERTIFICATION AUTHORITIESCertification Authorities are the digital world’s equivalent to passport offices. They issue digital certificates and validate holders’ identity and authority.

TYPES OF DIGITAL CERTIFICATESERVER CERTIFICATE• Allows visitors to exchange personal information, free from the

threat of interception or tampering. • For building and designing e-commerce sites as confidential

information is shared between clients, customers and vendors.

PERSONAL CERTIFICATE• Allow one to authenticate a visitor’s identity and restrict access

to specified content to particular visitors. • For business to business communications such as shipping dates

and inventory management.

ORGANIZATION & DEVELOPER CERTIFICATE• Organization Certificates are used by corporate entities to

identify employees for secure e-mail and web-based transaction.

• Developer Certificates prove authorship and retain integrity of distributed software programs.

DIGITAL CERTIFICATE COMPONENT- Name- Serial number- Expiration date- Copy of the certificate holder’s public key - Digital signature of the certificate-issuing authority.

PURPOSE OF DIGITAL CERTIFICATE1. Proving the Identity of the sender of a transaction2. Non Repudiation – the owner of the certificate cannot deny

partaking in the transaction 3. Encryption and checking the integrity of data - provide the

receiver with the means to encode a reply.4. Single Sign-On - It can be used to validate a user and log them

into various computer systems without having to use a different password for each system

PUBLIC & PRIVATE KEYComprises of two related cryptographic keys, mathematically related, and only the corresponding private key can decrypt their corresponding public key.

Public Key - made assessable to anyonePrivate Key - confidential to its respective owner

USAGE OF DIGITAL CERTIFICATION1. Secure Socket Layer (SSL) developed by Netscape Communications Corporation.2. Secure Multipurpose Internet Mail Extensions (S/MIME) Standard for securing email and electronic data interchange (EDI).3. Secure Electronic Transactions (SET) protocol for securing electronic payments4. Internet Protocol Secure Standard (IPSec) for authenticating networking devices

ADVANTAGES OF DIGITAL CERTIFICATION• Decrease the number of passwords a user has to remember to

gain access to different network domains.• They create an electronic audit trail that allows companies to

track down who executed a transaction or accessed an area.

CHAPTER 4

UNIX SECURITY Security was not a primary design goal of UNIX; dominant goals

were modularity, portability and efficiency. UNIX provides sufficient security mechanisms that have to be

properly configured and administered. The main security strength of UNIX systems comes from open

source implementation which helps improve its code base. The main security weakness of UNIX systems comes from open

source implementation resulting in a less professional code base.

USER ACCOUNT INFORMATION: /etc/passwd Username: used when user logs in, 1–32 characters long Password: ’x’ indicates that encrypted password is stored in

/etc/shadow User ID (UID): 0 reserved for root, 1-99 for other predefined

accounts, 100-999 for system accounts/groups Group ID (GID): the primary group ID User ID Info: a comment field Home directory: The absolute path to the directory the user will

be in when they log in Command/shell: The absolute path of a command or shell

(/bin/bash)

ROOT PRIVILAGESAlmost no security checks:o all access control mechanisms turned offo can become an arbitrary usero can change system clock

Some restrictions remain but can be overcome:o cannot write to read-only file system but can remount them

as writableo cannot decrypt passwords but can reset them

Any user name can be root!

SUBJECTSSubjects in UNIX processes identified by a process ID (PID)New process creation: fork: spawns a new child process which is an identical process to

the parent except for a new PID vfork: the same as fork except that memory is shared between

the two processes exec family: replaces the current process with a new process

imageProcesses are mapped to UID: real UID is always inherited from the parent process effective UID is either inherited from the parent process or from

the owner of the file to be executed

OBJECTS Files, directories, memory devices, I/O devices etc. are

uniformly treated as resources subject to access control. All resources are organized in tree-structured hierarchy Each resource in a directory is a pointer to the inode data

structure that describes essential resource properties.

WINDOW SECURITYKERNEL MODE Security Reference Monitor: ACL verification

USER MODE Log-on process (winlogon): user logon Local Security Authority (LSA): password verification and

change, access tokens, audit logs (MS04-11 buffer overflow: Sasser worm!)

Security Accounts Manager (SAM): accounts database, password encryption

User Account Control (UAC, Vista): enforcement of limited user privileges

WINDOWS REGISTRY A hierarchical database containing critical system information Key-value pairs, subkeys, 11 values types A registry hive is a group of keys, subkeys, and values

WINDOWS DOMAIN A domain is a collection of machines sharing user accounts and

security policies. Domain authentication is carried out by a domain controller

(DC). To avoid a single point of failure, a DC may be replicated

ACCESS CONTROL IN WINDOWS Access control is applied to objects: files, registry keys and

hives, Active Directory objects. More than just access control on files! Various means exist for expressing security policies

SUBJECTS Subjects are active entities in OS primitives. Windows subjects are processes and threads. Security credentials for a subject are stored in a token. Tokens provide a principal/subject mapping and may contain

additional security attributes. Tokens are inherited (possibly with restrictions) during creation

of new processes.

CHAPTER 5 - MALICIOUS CODE

MALWAREA malware is a set of instructions that run on your computer and make your system do something that an attacker wants it to do.

VIRUSA program that can infect other programs by modifying them to include a, possibly evolved, version of itselfTYPES: Polymorphic - uses a polymorphic engine to mutate while keeping the original algorithm intact (packer)Metamorphic - Change after each infection

TROJAN HORSEA Trojan horse describes the class of malware that appears to perform a desirable function but in fact performs undisclosed malicious functions

ROOTKITA Rootkit is a component that uses stealth to maintain a persistent and undetectable presence on the machine

WORMA computer worm is a self-replicating computer program. It uses a network to send copies of itself to other nodes and do so without any user intervention.

INFECTION METHODSOverwritting, Prepending, Appending, Cavity, Multi-Cavity, and Document-based malware Micro virus - use the built-in script engine

PROPAGATION VECTORShared Folder, Email Propagation, Fake Antivirus, Browser Hijacked, Fake Page!, P2P Files

CHAPTER 5 - WATERMARKING

WATERMARKING A watermark is a “secret message” that is embedded into a

“cover (original or host) message”. Only the knowledge of a secret key allows us to extract the

watermark from the cover message. Effectiveness of a watermarking algorithm is a function of its

Resilience to attacks. Capacity. Stealth.

MULTIMEDIA WATERMARKS A digital watermark is a “secret key dependent” signal

“inserted” into digital multimedia data. Watermark can be later detected / extracted in order to make

an assertion about the data. A digital watermark can be.

Visible (perceptible). Invisible (imperceptible).

WATERMARKING APPLICATION Proof of ownership. Copy prevention or control. Content protection (visible watermarks). Authentication. Media Bridging. Broadcast Monitoring. Fingerprinting. Secret Communications.

REQUIREMENT Perceptually transparent - must not perceptually degrade

original content. Robust - survive accidental or malicious attempts at removal. Oblivious or Non-oblivious - Recoverable with or without access

to original. Capacity – Number of watermark bits embedded. Efficient encoding and/or decoding.

WATERMARKING ATTACKSActive Attacks: Hacker attempts to remove or destroy the watermark. Watermark detector unable to detect watermark. Key issue in proof of ownership, fingerprinting, copy control. Not serious for authentication or covert communication.

Passive Attacks: Hacker tries to find if a watermark is present. Removal of watermark is not an aim. Serious for covert communications.

Collusion Attacks: Hacker uses several copies of watermarked data to construct a

copy with no watermark. Uses several copies to find the watermark. Serious for fingerprinting applications.

Forgery Attacks: Hacker tries to embed a valid watermark. Serious in authentication. If hacker embeds a valid authentication watermark, watermark

detector can accept bogus or modified media.

WATERMARKING RESEARCH Information Theoretic Issues. Decision Theoretic Issues. Signal Processing Issues. Watermarking protocols and system issues. Steganalysis.

CHAPTER 6 - NETWORK SECURITY CONCEPTS

CIRCUIT SWITCHING A methodology of implementing a network in which two nodes establish a dedicated circuit through the network before the nodes may communicate. The circuit guarantees the full bandwidth of the channel and remains connected for the duration of the communication session.

PACKET SWITCHINGA methodology of implementing a network in which divides the data to be transmitted into packets transmitted through the network independently. Packet switching shares available network bandwidth between multiple communication sessions.

TCP/IP ENCAPSULATIONWhen data moves from upper layer to lower level of TCP/IP protocol stack (outgoing transmission) each layer includes a bundle of relevant information called a header along with the actual data. The data package containing the header and the data from the upper layer then becomes the data that is repackaged at the next lower level with lower layer's header. This packing of data at each layer is known as data encapsulation.

TCP CONNECTION SYNCHRONIZATIONTo establish a connection, TCP uses a 3-way handshake. Before a client attempts to connect with a server, the server must first bind to a port to open it up for connections: this is called a passive open. Once the passive open is established, a client may initiate an active open. To establish a connection, the 3-way handshake occurs:a. The active open is performed by sending a SYN to the server. b. In response, the server replies with a SYN-ACK. c. Finally the client sends an ACK back to the server. At this point, both the client and server have received an acknowledgement of the connection.

TCP Connection Termination is implemented as follows: One computer sends a FIN packet to the other computer including an ACK for the last data received (N). a. The other computer sends an ACK number of N+1 b. It also sends a FIN with the sequence number of X. c. The originating computer sends a packet with an ACK number of

N+1. The connection is closed.

Another way to close the connection is for one computer to send a packet with the RST (reset) bit set which will tell the other computer to immediately terminate the connection.

PROBLEMSSniffing is "listening" to network traffic to collect information. A common usage of sniffing is to listen to network traffic to look for patterns of a worm spreading itself.

Spoofing is sending network traffic that's pretending to come from someone else. A common usage for spoofing is sending an email message, but to reformat the header.

Man-In-The-Middle is the type of attack where attackers intrude into an existing connection to intercept the exchanged data and inject false information.

A denial-of-service (DoS attack) is an attempt to make a computer resource unavailable to its intended users.

TCP HIJACKINGTCP Hijacking is one of the Man-in-the-Middle attacks in which an attacker can allow normal authentication to proceed between the two hosts, and then seize control of the connection.There are two possible ways to do this: one is during the TCP three-way handshake, and the other is in the middle of an established connection.

SYN FLOODA form of denial-of-service attack in which an attacker sends a succession of SYN requests to a target's system.

IP LAYER SECURITY: IPSecIPsec is a framework for a set of protocols for security at the network or packet processing layer of network communication.

IPsec provides two choices of security service: Authentication Header (AH), which essentially allows authentication of the sender of data, and Encapsulating Security Payload (ESP), which supports both authentication of the sender and encryption of data as well.

Objective:- Secure connectivity of branch offices- Secure remote access

Advantages:- Bypass resistence- Transparency to endusers and applications

Disadvantages:- Infrastructure support needed- Performance degradation

AUTHENTICATION HEADERAH provides data integrity, data origin authentication, and optional anti-replay services to IP. AH does not provide any data confidentiality (encryption), so there is no need for an encryption algorithm.

ENCAPSULATED SECURITY PAYLOAD (ESP)ESP protects the IP packet data from third party interference, by encrypting the contents using symmetric cryptography algorithms as Blowfish & 3DES.

IPSec MODESTransport mode- The outer header determines the IPsec policy that protects the inner IP packet. Tunnel mode - The inner IP packet determines the IPsec policy that protects its contents.

IPSec SECURITY ASSOCIATION (SA)Security Association (SA) forms the basis of Internet Protocol Security (IPSec).

A Security Association (SA) is a simplex (one-way channel) and logical connection that provides relationship between two or more systems to build a unique secure connection.

A Security Association (SA) can be viewed as an agreement between two devices about how to protect information during transit.The Security Association (SA) is one way (simplex).

One Security Association is used for processing out-bound packets and other Security Association is used for processing inbound packets.

A Security Association (SA) consists of three things.1) A Security Parameter Index (SPI) 2) An IP destination address 3) A IPSec Protocol Identifier. IPSec protocols are Authentication Header (AH) and Encapsulating Security Payload (ESP).

TRANSPORT LAYER SECURITY: SSL/TLSSSL/TLS is a cryptographic protocol that provides communication security over the Internet. SSL/TLS encrypt the segments of network connections above the transport layer, using asymmetric cryptography for key exchange, symmetric encryption for privacy, and message authentication code for message integrity. Objectives:o Secure information transmission in Internet applicationso Mutual authentication in Internet applications

Advantages:o Secure end-to-end communication over TCP

Disadvantages:o PKI support needed, o Potential use of weak cryptographic algorithms

SSL ARCHITECTURE SSL connection corresponds to TCP connections SSL sessions represent an association between a cliend and a

server. Sessions define parameters that can be share between connections.

SSL RECORD PROTOCOL Carries out information transfer Provides confidentiality and message integrity services.

APPLICATION LAYER SECURITY: SSHSecure Shell (SSH) is a network protocol for secure data communication, remote shell services or command execution and other secure network services between two networked computers that it connects via a secure channel over an insecure network: a server and a client (running SSH server and SSH client programs, respectively).

The protocol specification distinguishes two major versions that are referred to as SSH-1 and SSH-2.Applications:o Secure remote logino Secure services (e.g.FTP, copy) over an insecure networko Secure port forwardingAdvantages:o Various authentication methodso A neat way to circumvent firewalls

Disadvantages:o point-to-point onlyo Some security vulnerabilities

SSH PREVENTABLE ATTACKSo Eavesdroppingo TCP session hijackingo Man-in-the-midle attacks

SSH NON-PREVENTABLE ATTACKSo Password crackingo TCP/IP attacks: SYN flood, desynchronizationo Traffic analysiso Covert channels

CHAPTER 6 - IDPS

DEFINITIONIntrusions: attempts to compromise the confidentiality, integrity, availability, or to bypass the security mechanisms of a computer system or network (illegal access).

Intrusion detection: is the process of monitoring the events occurring in a computer system or network and analyzing them for signs of possible intrusions (incidents).

Intrusion Detection System (IDS): is software that automates the intrusion detection process. The primary responsibility of IDS is to detect unwanted and malicious activities.

Intrusion Prevention System (IPS): is software that has all the capabilities of an intrusion detection system and can also attempt to stop possible incidents.

USAGE OF IDPS It’s a dire fact that while every enterprise has a firewall, most

still suffer from network security problems. Intrusion Prevention Systems have been promoted as cost-

effective ways to block malicious traffic.

IDPS MAIN FUNCTIONSRecording information related to observed events:Information is usually recorded locally, and might also be sent to separate systems such as centralized logging servers.

Notifying security administrators of important observed events:This notification, known as an alert, may take the form of audible signals, e-mails, pager notifications, or log entries.

Producing reports:Reports summarize the monitored events or provide details on particular events of interest.

PREVENTING ATTACK BY SEVERAL TECHNIQUESThe IDPS stops the attack itself:Terminate the network connection or user session that is being used for the attack such as block access to the target.

The IDPS changes the security environment:The IDPS could change the configuration of other security controls to disrupt an attack such as reconfiguring a network device (e.g. router or switch).

The IDPS changes the attack’s content:Some IDPS technologies can remove or replace malicious portions of an attack to make it benign such as removing an infected file attachment from an e-mail.

METHODOLOGY OF DETECTIONSignature-Based Detection: This method compares known threat signatures to observed

events to identify incidents. This is very effective at detecting known threats but largely

ineffective at detecting unknown threats and many variants on known threats.

Anomaly-Based Detection: This method samples network activity to compare to traffic that

is known to be normal. When measured activity is outside baseline parameters or

clipping level, IDPS will trigger an alert. Anomaly-based detection can detect new types of attacks but it

requires much more overhead and processing capacity than signature-based.

Stateful Protocol Analysis: A key development in IDPS technologies was the use of protocol

analyzers. It can decode application-layer network protocols, like HTTP or FTP. Once the protocols are fully decoded, the IPS analysis engine can evaluate different parts of the protocol for anomalous behavior.

Problems with this type are it cannot detect attacks that do not violate the characteristics of generally acceptable protocol behavior.

FALSE POSITIVE The normal activity is considered as an intrusion. IDPS technologies cannot provide completely accurate

detection.

FALSE NEGATIVE The system fails to recognize an intrusion. Altering the configuration of an IDPS to improve its detection

accuracy is known as tuning.

TYPES OF IDPSNETWORK-BASED It performs packet sniffing and analyzes network traffic to

identify and stop suspicious activity. It allows some attacks such as network service worms and

viruses with easily recognizable characteristics, to be detected on networks before they reach their intended targets.

Network-based products might be able to detect and stop some unknown threats through application protocol analysis.

Although poorly written signature triggers false positives, it can block a new malware threat hours before antivirus signatures become available.

However, network-based products are generally not capable of stopping malicious mobile code or Trojan horses.

Placement of Network-based IDPSOutside / inside firewallBehind remote access serverBetween business unitsBetween corporate network and partner networks In all switched network segments

HOST-BASED Similar to network-based, except that a host-based product

monitors the characteristics of a single host and the events occurring within that host such as monitoring network traffic.

They often use a combination of attack signatures and knowledge of expected or typical behavior to identify known and unknown attacks on systems.

Host-based IDPSs are most commonly deployed on critical hosts such as publicly accessible servers and servers containing sensitive information.

Placement of Host-based IDPS Key servers that contain mission-critical and sensitive information, Web servers, FTP and DNS servers, E-commerce database servers,, and Other high value assets.

NETWORK BEHAVIOR ANALYSIS (NBA) It examines network traffic to identify threats that generate

unusual traffic flows, such as denial of service (DoS) and distributed denial of service (DDoS) attacks.

NBA systems are most often deployed to monitor flows on an organization’s internal networks, and are also deployed where they can monitor flows between an organization’s networks and external networks.

WIRELESS This type monitors wireless network traffic and analyzes its

wireless networking protocols to identify suspicious activity involving the protocols themselves.

It cannot identify suspicious activity in the application or higher-layer network protocols (e.g., TCP, UDP) that the wireless network traffic is transferring.

EVALUATING IDPSo Organizations should consider using multiple types of IDPS

technologies to achieve more comprehensive and accurate detection and prevention of malicious activity.

o For most environments, a combination of network-based and host-based IDPSs is needed for an effective IDPS solution.

o NBA technologies can also be deployed if organizations desire additional detection capabilities for DoS & DDoS attacks, worms, and other threats that NBAs are particularly good at detecting.

o Wireless IDPSs may also be needed if the organization determines that its wireless networks need additional monitoring.

o Organizations need to understand the characteristics of their system or network environment before a compatible IDPS can be selected.

o Organizations should articulate the goals and objectives they wish to attain by using an IDPS such as stopping common attacks or identifying misconfigured wireless network devices, etc.

o Organizations should also review their existing security policies, which serve as a specification for many of the features that the IDPS products need to provide.

o Organizations also need to define specialized sets of requirements for the following:

Security capabilitiesIt is including information gathering, logging, detection, and prevention.

Performance It is including maximum capacity and performance features

Management It is including design and implementation

CHAPTER 7 - TRUSTED COMPUTING

A technology developed and promoted by the Trusted Computing Group (TCG)

In TC, the computer will consistently behave in expected ways, and those behaviors will be enforced by hardware and software.

Trusted Computing uses cryptography to help enforce a selected behavior

TC is controversial because it is technically possible not just to secure the hardware for its owner

TC was intended for Digital rights management (DRM), a generic term for access control technologies that can be used by hardware manufacturers, publishers, copyright holders and individuals to impose limitations on the usage of digital content and devices.

Limits the abuse of file sharing over the network Prevent making illegal copies without the authorization from

the vendor Restrict user’s computing actions

TC FUNDAMENTAL CONCEPTSSoftware runs and communicates securely over applications and servers Use “locked-down” architecture - Hardware level cryptographic

keys for encryption and authentication Seal secure data within curtained memory I/O communication path are encrypted TC should be expected the computing behave the way we

wanted and do what we wanted securely

Trusted Computing Platform (TCP) has the following three fundamental features: Protected Capabilities Integrity Capabilities Integrity Reporting

Trusted Computing encompasses six key technology concepts as required for a fully trusted system: Endorsement key Secure input and output Memory curtaining / protected execution Sealed storage Remote attestation Trusted Third Party (TTP)

LaGrande - Intel version of TC Intel’s hardware implementation Runs parallel to normal architecture Uses hash values for modification detection Operates in several different parts of chipset

Higher abstraction layers only as secure as lower Trusted CPU, chipset, and boot ROM Each layer verifies hash of next layer before execution Built on top of secure bootstrap architecture Instruction set extensions to create protected processor

partition Extensions to create protected software stack Trusted platform module (TPM) verifies conditions Changes to I/O controller, memory controller, graphics

controller, and CPU

NGSCB - Microsoft version of TC Software side of TC Domain Manager aka Nexus Sealed Storage Remote Attestation Two primary system components in NGSCB Nexus

o Special kernel (core of the trusted operating)o Goal: Isolate the process of normal mode and trusted mode

differently in memoryo Functionality: Authenticate and protect data (entered,

stored, communicated, and displayed) by data encryptiono Nexus Computing Agent (NCA)

NSGCB operates two operating systems in ONE system Normal Mode:

o Un-protected environmento Same as our current Windows serieso Fully Controlled by the users

Trusted Mode:o Protected environmento Users have no authorities to modify, delete, or copy ANY

content. o Implemented TC: Hardware and Software implementationo Fully Controlled by the computers

Isolate protected and non-protected operating environment that are stored in the same memory

Blocks the access of Direct Memory Access (DMA) devices in term of writing and reading to secured block of memory

Block access of malicious code Claimed: “no illegitimate access will occurring in protected

environment” Encrypts data on storage device Key is not stored on storage device Hash of creating program stored with file TPM only decrypts for program that passes modification

detection Decrypted only with same TPM / same program

USES OF TC Remote banking, business-to-business e-commerce, and online

auctioning Digital rights management Preventing cheating in online games Securing data storage Personal privacy protection, data management, and record

keeping Shared computing and secure transactions Secure home computing Government agencies that require a high level of security and

trust Software license enforcement