1.

COMPUTER SECURITY CONCEPTS

A Definition of Computer Security

Computer Security: The protection afforded to an automated information system in order to attain the
applicable objectives of preserving the integrity, availability, and confidentiality of information system
resources (includes hardware, software, firmware, information/data, and telecommunications).

These three concepts form what is often referred to as the CIA triad (Fig 1.1). The three concepts embody the
fundamental security objectives for both data and for information and computing services. FIPS PUB 199
provides a useful characterization of these three objectives in terms of requirements and the definition of a
loss of security in each category:

Fig 1.1

• Confidentiality (covers both data confidentiality and privacy): preserving authorized restrictions on
information access and disclosure, including means for protecting personal privacy and proprietary
information. A loss of confidentiality is the unauthorized disclosure of information.

• Integrity (covers both data and system integrity): Guarding against improper information modification or
destruction, and includes ensuring information non-repudiation and authenticity. A loss of integrity is the
unauthorized modification or destruction of information.

• Availability: Ensuring timely and reliable access to and use of information. A loss of availability is the
disruption of access to or use of information or an information system.

Although the use of the CIA triad to define security objectives is well established, some in the security field
feel that additional concepts are needed to present a complete picture. Two of the most commonly mentioned
are:

 Authenticity: The property of being genuine and being able to be verified and trusted; confidence in
the validity of a transmission, a message, or message originator.
 Accountability: The security goal that generates the requirement for actions of an entity to be traced
uniquely to that entity.

1.1 The challenges of computer security

1. The major requirements for security services can be given self-explanatory, one-word labels:
confidentiality, authentication, nonrepudiation, or integrity.
2. In developing a particular security mechanism or algorithm, one must always consider potential attacks on
those security features.

3. When the various aspects of the thread are considered that elaborate security mechanisms make sense.

4. It is necessary to decide where to use the security mechanisms, both in terms of physical placement (at what
points in a network) and in a logical sense (at what layer or layers of an architecture such as TCP/IP)

5. Security mechanism typically involve more than a particular algorithm or protocol.

6. Computer and network security is essentially a battle of wits between an attackers and the designer/
administrator.

7. Security requires regular, even constant, monitoring.

8. Security is still too often an afterthought to be incorporated into a system after the design is complete rather
than being an integral part of the design process.

9. Many users and even security administrator view strong security as an impediment to efficient and user-
friendly operation of an information system.

1.2 Threats, Attacks and Assets

Threats: A threat is a possible danger that might exploit a vulnerability. A potential for violation of security,
which exists when there is a circumstance, capability, action, or event that could breach security and cause
harm.

Table 1.1 Threat Consequences, and the Types of Threat Actions that Cause Each Consequence
Attacks: An assault on system security that derives from an intelligent threat; that is, an intelligent act that is a
deliberate attempt (especially in the sense of a method or technique) to evade security services and violate the
security policy of a system. Computer security is generally protecting the computer. Information security is
about how to prevent attacks and detect attacks on information-based systems.

The security attacks can be classified into two types’ passive attacks and active attacks.

 A passive attack attempts to learn or make use of information from the system but does not
affect system resources.
 An active attack attempts to alter system resources or affect their operation.

Passive Attacks

Two types of passive attacks are the release of message contents and traffic analysis (Fig 1.2.a). The
release of message contents is easily understood. A telephone conversation, an electronic mail message, and
a transferred file may contain sensitive or confidential information. We would like to prevent an opponent
from learning the contents of these transmissions. A second type of passive attack, traffic analysis, is subtler.
Suppose that we had a way of masking the contents of messages or other information traffic so that
opponents, even if they captured the message, could not extract the information from the message. The
common technique for masking contents is encryption. If we had encryption protection in place, an opponent
might still be able to observe the pattern of these messages. Passive attacks are very difficult to detect,
because they do not involve any alteration of the data. Typically, the message traffic is not sent and received
in an apparently normal fashion and the sender nor receiver is aware that a third party has read the messages
or observed the traffic pattern.

Fig 1.2.a. Passive Attacks

ACTIVE ATTACKS
Active attacks involve modification of the message contents or the creation of a false message contents.
Active attacks are subdivided into four categories:

1. Masquerade

2. Replay

3. Modification of messages and

4. Denial of service.

A masquerade takes place when one entity pretends to be a different entity. A masquerade attack usually
includes one of the other forms of active attack. For example, authentication sequences can be captured and
replayed after a valid authentication sequence has taken place, thus enabling an authorized entity with few
privileges to obtain extra privileges by impersonating an entity that has those privileges.

Replay involves the passive capture of a data unit and its subsequent retransmission to produce an
unauthorized effect.

Modification of messages simply means that some portion of a legitimate message is altered, or that
messages are delayed or reordered, to produce an unauthorized effect. For example, a message meaning
“Allow John Smith to read confidential file accounts” is modified to mean “Allow Fred Brown to read
confidential file account.

The denial of service prevents or inhibits the normal use or management of communications facilities. This
attack may have a specific target.
 ` Fig 1.2.b. Active Attacks

1.3 SECURITY FUNCTIONAL REQUIREMENTS

FIPS 200 (Minimum Security Requirements for Federal Information and Information Systems). This standard
enumerates 17 security-related areas with regard to protecting the confidentiality, integrity, and availability of
information systems and the information processed, stored, and transmitted by those systems. The areas are
defined in Table 1.2. The requirements listed in FIP

Table 1.2 Security Requirements

1.4 Fundamental Security Design Principles

Despite years of research and development, it has not been possible to develop security design and
implementation techniques that systematically exclude security flaws and prevent all unauthorized actions. In
the absence of such fool proof techniques, it is useful to have a set of widely agreed design principles that can
guide the development of protection mechanisms. The National Centres of Academic Excellence in
Information Assurance/Cyber Defense, which is jointly sponsored by the U.S. National Security Agency and
the U. S. Department of Homeland Security, list the following as fundamental security design principles
[NCAE13]:

• Economy of mechanism

• Fail-safe defaults

• Complete mediation

• Open design

• Separation of privilege

• Least privilege

• Least common mechanism

• Psychological acceptability

• Isolation

• Encapsulation

• Modularity

• Layering

• Least astonishment
1.5 Attack Surfaces and Attack Trees

Attack Surfaces

An attack surface consists of the reachable and exploitable vulnerabilities in a system [MANA11, HOWA03].
Examples of attack surfaces are the following:

 Open ports on outward facing Web and other servers, and code listening on those ports
 Services available on the inside of a firewall
 Code that processes incoming data, email, XML, office documents, and industry specific custom data
exchange formats
 Interfaces, SQL, and Web forms
 An employee with access to sensitive information vulnerable to a social engineering attack

Attack surfaces can be categorized in the following way:

 Network attack surface: This category refers to vulnerabilities over an enterprise network, wide-area
network, or the Internet. Included in this category are network protocol vulnerabilities, such as those
used for a denial-of-service attack, disruption of communications links, and various forms of intruder
attacks.
 Software attack surface: This refers to vulnerabilities in application, utility, or operating system code.
A particular focus in this category is Web server software.
 Human attack surface: This category refers to vulnerabilities created by personnel or outsiders, such
as social engineering, human error, and trusted insiders.

An attack surface analysis is a useful technique for assessing the scale and severity of threats to a system. A
systematic analysis of points of vulnerability makes developers and security analysts aware of where security
mechanisms are required. Once an attack surface is defined, designers may be able to find ways to make the
surface smaller, thus making the task of the adversary more difficult. The attack surface also provides
guidance on setting priorities for testing, strengthening security measures, or modifying the service or
application.

As illustrated in Figure 1.3, the use of layering, or defence in depth, and attack surface reduction complement
each other in mitigating security risk.
Attack Trees

An attack tree is a branching, hierarchical data structure that represents a set of potential techniques for
exploiting security vulnerabilities [MAUW05, MOOR01, SCHN99]. The security incident that is the goal of
the attack is represented as the root node of the tree, and the ways that an attacker could reach that goal are
iteratively and incrementally represented as branches and sub nodes of the tree. Each sub node defines a
subgoal, and each subgoal may have its own set of further subgoals, etc. The final nodes on the paths outward
from the root, i.e., the leaf nodes, represent different ways to initiate an attack. Each node other than a leaf is
either an AND-node or an OR-node. To achieve the goal represented by an AND-node, the subgoals
represented by all of that node’s sub nodes must be achieved; and for an OR-node, at least one of the subgoals
must be achieved. Branches can be labeled with values representing difficulty, cost, or other attack attributes,
so that alternative attacks can be compared.

The motivation for the use of attack trees is to effectively exploit the information available on attack patterns.
Organizations such as CERT publish security advisories that have enabled the development of a body of
knowledge about both general attack strategies and specific attack patterns. Security analysts can use the
attack tree to document security attacks in a structured form that reveals key vulnerabilities. The attack tree
can guide both the design of systems and applications, and the choice and strength of countermeasures.

Figure 1.4, from [DIMI07], is an example of an attack tree analysis for an Internet banking authentication
application. The root of the tree is the objective of the attacker, which is to compromise a user’s account. The
shaded boxes on the tree are the leaf nodes, which represent events that comprise the attacks. The white boxes
are categories which consist of one or more specific attack events (leaf nodes). Note that in this tree, all the
nodes other than leaf nodes are OR-nodes. The analysis used to generate this tree considered the three
components involved in authentication:

• User terminal and user (UT/U): These attacks target the user equipment, including the tokens that may be
involved, such as smartcards or other password generators, as well as the actions of the user.

• Communications channel (CC): This type of attack focuses on communication links

• Internet banking server (IBS): These types of attacks are offline attack against the servers that host the
Internet banking application. Five overall attack strategies can be identified, each of which exploits one or
more of the three components. The five strategies are as follows:
1.6 Computer Security Strategy

We conclude this chapter with a brief look at the overall strategy for providing computer security. [LAMP04]
suggests that a comprehensive security strategy involves three aspects:

• Specification/policy: What is the security scheme supposed to do?

• Implementation/mechanisms: How does it do it?

• Correctness/assurance: Does it really work?

1.7 Number Theory

A number of cryptographic algorithms rely heavily on properties of finite fields, notably the Advanced
Encryption Standard (AES) and elliptic curve cryptography.

 Other examples include the message authentication code CMAC and the authenticated encryption
scheme GCM
 Groups, Rings, Fields, Modular arithmetic, Euclid’s algorithm
 Finite fields Euclid’s algorithm
 Polynomial Arithmetic
 Prime numbers-Fermat’s and Euler’s theorem
 Testing for primality
 The Chinese remainder theorem
 Discrete logarithms
Widely used in cryptography to perform large calculations

 Some basic concepts are

 Prime Number: a number that is divisible only by itself and 1 (e.g. 2, 3, 5, 7, 11)
 Relative Prime Number: Two integers are relatively prime (or coprime) if there is no integer greater
than one that divides them both (that is, their greatest common divisor is one). For example, 12 and
13, GCD (12,13) = 1→12 and 13 are relatively prime, but 12 and 14 are not.,
 Modular Congruent Modulo
 Modular: When we divide two integers, we will have an equation that looks like the following:

A/B=Q remainder R

 A is the dividend B is the divisor Q is the quotient R is the remainder