• Professor DARWIN

VARGAS

INFORMATION
ASSURANCE
• Chapter 1: Overview

SECURITY
 Computer Security Concepts

Threats, Attacks, and Assets

Security Functional Requirements

Chapter 1
overview Fundamental Security Design
Principles

Attack Surfaces and Attack Trees

Computer Security Strategy

2
 Describe the key security requirements of
Describe confidentiality, integrity and availability

Discuss the types security threats and attacks that must

Discuss be dealt with

Summariz Summarize the functional requirements for computer

e security
Learning
objectives Explain Explain the fundamental security design principles

Discuss Discuss the use of attack surfaces and attack trees

Understan Understand the principle aspects of a comprehensive

d security strategy

3
 Computer security: The protection
afforded to an automated information
system in order to attain the applicable
objectives of preserving the integrity,
availability and confidentiality of
information system resources (includes
hardware, software, firmware,
A definition information/data, and
telecommunications)
of computer
NIST 1995
security

4
 Confidentiality
Privacy: Assures that individual
Data confidentiality: Assures that
control or influence what
confidential information is not
information may be collected and
disclosed to unauthorized individuals
stored
Three key
objectives
(the CIA Integrity
Data integrity: assures that
triad) information and programs are
changed only in a specified and
authorized manner
System integrity: Assures that a
system performs its operations in
unimpaired manner

Availability: assure that systems

works promptly and service is not
denied to authorized users

5
 • Authenticity: the property of
being genuine and being able to
be verified and trusted;
Other confident in the validity of a
concepts to transmission, or a message, or
its originator
a complete • Accountability: generates the
security requirement for actions of an
picture entity to be traced uniquely to
that individual to support
nonrepudiation, deference,
fault isolation, etc

7
 • Low: the loss will have a limited
impact, e.g., a degradation in
mission or minor damage or minor
financial loss or minor harm
Levels of • Moderate: the loss has a serious
effect, e.g., significance
security degradation on mission or
breach significant harm to individuals but
no loss of life or threatening
impact injuries
• High: the loss has severe or
catastrophic adverse effect on
operations, organizational assets
or on individuals (e.g., loss of life)

8
 • Student grade information is an
asset whose confidentiality is
considered to be very high
– The US FERPA Act: grades should
only be available to students,
Examples of their parents, and their employers
security (when required for the job)
requirements: • Student enrollment
Confidentiality information: may have
moderate confidentiality rating;
less damage if enclosed
• Directory information: low
confidentiality rating; often
available publicly
9
 • A hospital patient’s allergy information (high
integrity data): a doctor should be able to trust that
the info is correct and current
– If a nurse deliberately falsifies the data, the
Examples of database should be restored to a trusted basis
and the falsified information traced back to the
security person who did it
requirements: • An online newsgroup registration data: moderate
level of integrity
Integrity • An example of low integrity requirement:
anonymous online poll (inaccuracy is well
understood)

10
 • A system that provides authentication: high
availability requirement
– If customers cannot access resources, the loss of
Examples of services could result in financial loss
security • A public website for a university: a moderate
availably requirement; not critical but causes
requirements: embarrassment
• An online telephone directory lookup: a low
Availability availability requirement because unavailability is
mostly annoyance (there are alternative sources)

11
 1. Computer security is not simple
2. One must consider potential (unexpected)
attacks
3. Procedures used are often counter-
Challenges intuitive
4. Must decide where to deploy mechanisms
of 5. Involve algorithms and secret info (keys)
computer 6. A battle of wits between attacker / admin
7. It is not perceived on benefit until fails
security 8. Requires constant monitoring
9. Too often an after-thought (not integral)
10. Regarded as impediment to using system

12
 • Table 1.1 and Figure 1.1 show the relationship
• Systems resources
– Hardware, software (OS, apps), data (users,
A model for system, database), communication facilities
and network (LAN, bridges, routers, …)
computer • Our concern: vulnerability of these resources
(corrupted, unavailable, leaky)
security • Threats exploit vulnerabilities
• Attack is a threat that is accrued out
– Active or passive; from inside or from outside
• Countermeasures: actions taken to prevent,
detect, recover and minimize risks

13
 Computer
security
terminology

14
 Security
concepts and
relationships

15
 • Unauthorized disclosure: threat to confidentiality
– Exposure (release data), interception,
inference, intrusion
• Deception: threat to integrity
– Masquerade, falsification (alter data),
repudiation
Threat • Disruption: threat to integrity and availability
consequences – Incapacitation (destruction), corruption
(backdoor logic), obstruction (infer with
communication, overload a line)
• Usurpation: threat to integrity
– Misappropriation (theft of service), misuse
(hacker gaining unauthorized access)

16
 Threat
consequences
(tabular form)

17
The scope
of
computer
security

18
Examples
of
threats

19
 • Technical measures
– Access control; identification &
authentication; system & communication
Security protection; system & information integrity
functional • Management controls and procedures
– Awareness & training; audit & accountability;
requirements certification, accreditation, & security
assessments; contingency planning;
(FIPS 200) maintenance; physical & environmental
protection; planning; personnel security; risk
assessment; systems & services acquisition
• Overlapping technical and management
– Configuration management; incident
response; media protection

20
Fundamental security design principles
[1/4]

• Despite years of research, it is still difficult to design systems that

comprehensively prevent security flaws
• But good practices for good design have been documented (analogous to
software engineering)
– Economy of mechanism, fail-safe defaults, complete mediation, open
design, separation of privileges, lease privilege, least common
mechanism, psychological accountability, isolation, encapsulation,
modularity, layering, least astonishment

22
 Economy of mechanism: the design
of security measures should be as
simple as possible
Fundamental
security
design
principles
[2/4]

23
 • Isolation
Fundamental – Public access should be isolated from critical
resources (no connection between public
security and critical information)
design – Users files should be isolated from one
another (except when desired)
principles – Security mechanism should be isolated (i.e.,

[3/4] preventing access to those mechanisms)

• Encapsulation: similar to object concepts (hide
internal structures)
• Modularity: modular structure

24
 Layering (defense in
depth): use of
Fundamental multiple, overlapping
security protection approaches
design
principles
[4/4] Least astonishment: a
program or interface
should always respond
in a way that is least
likely to astonish a user
25
 • Separation of privilege: multiple privileges should
be needed to do achieve access (or complete a
Fundamental task)
security • Least privilege: every user (process) should have
the least privilege to perform a task
design • Least common mechanism: a design should
minimize the function shared by different users
principles (providing mutual security; reduce deadlock)
• Psychological acceptability: security mechanisms
should not interfere unduly with the work of
users

26
 • Attack surface: the reachable and exploitable
vulnerabilities in a system
– Open ports
– Services outside a firewall
– An employee with access to sensitive info
– …
Attack • Three categories
– Network attack surface (i.e., network
surfaces vulnerability)
– Software attack surface (i.e., software
vulnerabilities)
– Human attack surface (e.g., social
engineering)
• Attack analysis: assessing the scale and severity of
threats

27
 A branching, hierarchical
data structure that
represents a set of
potential vulnerabilities
published on CERT or
Attack similar forums
Objective: to effectively
trees exploit the info available
on attack patterns
Security analysts can use
the tree to guide design
and strengthen
coiuntermeasures

28
An attack
tree

29
 • An overall strategy for providing security
– Policy (specs): what security schemes are supposed to
do
• Assets and their values

Computer • Potential threats

• Ease of use vs security
• Cost of security vs cost of failure/recovery
security – Implementation/mechanism: how to enforce
• Prevention
strategy • Detection
• Response
• Recovery
– Correctness/assurance: does it really work
(validation/review)

30
Security Taxonomy

31
Security
Trends

32
Computer
Security
Losses

33
Security
Technologies
Used

34
 • Security concepts
• Terminology
Summary • Functional requirements
• Security design principles
• Security strategy

35