Computer Security

Introduction and Course Overview

1
Introduction and overview
 What is computer/network security?
 Course philosophy and goals
 High-level overview of topics

2
“Security”
 Most of computer science is concerned with
achieving desired behavior
 In some sense, security is concerned with
preventing undesired behavior
– Different way of thinking!
– An enemy/opponent/hacker/adversary may be
actively and maliciously trying to circumvent
any protective measures you put in place

3
Computer vs. network security
 One view:
– Computer security: focuses on security aspects
of systems in isolation
– Network security: focuses on security of data as
it is transmitted between networked systems
 Not always a clear-cut dividing line…

4
Some examples…
 Computer security
– Viruses
– Secure data storage
– OS Security
 Network security
– Authentication protocols
– Encryption of transmitted data
– Firewalls

5
Broader impacts of security
 Explosive growth of interest in security
– Most often following notable security failures…
 Impact on/interest from all (?) areas of CS
– Theory (especially cryptography)
– Databases
– Operating systems
– AI/learning theory
– Networking
– Computer architecture/hardware
– Programming languages/compilers

6
Philosophy
 We are not going to be able to cover everything
 Main goals
– Exposure to different aspects of security; meant mainly
to “pique” your interest
– The “mindset” of security: a new way of thinking…
about more than computer networks
– Become familiar with basic crypto, acronyms (RSA,
SSL, PGP, etc.), and “buzzwords”
– Security is a process, not a product

7
High-level overview
 Introduction…
– Including various classes of attacks
 Cryptography
– Cryptography is not the (whole) solution…
– …but is is an important part of the solution
– Along the way, we will see why cryptography
can’t solve all security problems

8
High-level overview II
 Security policies and analysis
– Attack trees
– Access control
– Confidentiality/integrity
– Key management
 Principles for secure design/implementation

9
High-level overview III
 Network security
– Identity
– Authentication
– Some real-world protocols
– Wireless security

10
High-level overview IV
 Miscellaneous
– Firewalls
– Intrusion detection
– Buffer overflows; secure programming
languages
– Viruses and malicious logic
– Etc…

11
Information security in past & present
 Traditional Information Security
– keep the cabinets locked
– put them in a secure room
– human guards
– electronic surveillance systems
– in general: physical and administrative mechanisms

 Modern World
– Data are in computers
– Computers are interconnected
12
Security: an Introduction

13
An Overview of Computer
Security

14
Basic components
 Confidentiality
 Integrity
 Availability

15
16
17
18
Confidentiality
 Confidentiality is the concealment of information or resources. The need for
keeping information secret arises from the use of computers in sensitive fields
such as government and industry.
 For example, military and civilian institutions in the government often restrict
access to information to those who need that information. The first formal
work in computer security was motivated by the military's attempt to
implement controls to enforce a "need to know" principle. This principle also
applies to industrial firms, which keep their proprietary designs secure lest
their competitors try to steal the designs.
 As a further example, all types of institutions keep personnel records secret.
 Access control mechanisms support confidentiality. One access control
mechanism for preserving confidentiality is cryptography, which scrambles
data to make it incomprehensible. A cryptographic key controls access to the
unscrambled data, but then the cryptographic key itself becomes another
datum to be protected.

19
Confidentiality - Example
 Ex: Enciphering an income tax return will prevent anyone from
reading it. If the owner needs to see the return, it must be deciphered.
Only the possessor of the cryptographic key can enter it into a
deciphering program. However, if someone else can read the key
when it is entered into the program, the confidentiality of the tax
return has been compromised.

 All the mechanisms that enforce confidentiality require supporting

services from the system. The assumption is that the security services
can rely on the kernel, and other agents, to supply correct data. Thus,
assumptions and trust underlie confidentiality mechanisms.

20
Integrity
 Trustworthiness of data or resources
 Prevention vs. detection
 Blocking unauthorized attempts to change
data, or attempts to change data in
unauthorized ways
– The second is much harder…
 Correctness vs. trustworthiness of data

21
Integrity
 Integrity refers to the trustworthiness of data or resources, and it is
usually phrased in terms of preventing improper or unauthorized
change. Integrity includes data integrity (the content of the
information) and origin integrity (the source of the data, often called
authentication). The source of the information may bear on its
accuracy and credibility and on the trust that people place in the
information. This dichotomy illustrates the principle that the aspect of
integrity known as credibility is central to the proper functioning of a
system. We will return to this issue when discussing malicious logic.
 EXAMPLE: A newspaper may print information obtained from a leak
at the White House but attribute it to the wrong source. The
information is printed as received (preserving data integrity), but its
source is incorrect (corrupting origin integrity).

22
 Prevention mechanisms seek to maintain the integrity of the data by blocking
any unauthorized attempts to change the data or any attempts to change the
data in unauthorized ways. The distinction between these two types of
attempts is important. The former occurs when a user tries to change data
which she has no authority to change. The latter occurs when a user authorized
to make certain changes in the data tries to change the data in other ways.
 For example, suppose an accounting system is on a computer. Someone breaks
into the system and tries to modify the accounting data. Then an unauthorized
user has tried to violate the integrity of the accounting database. But if an
accountant hired by the firm to maintain its books tries to embezzle money by
sending it overseas and hiding the transactions, a user (the accountant) has
tried to change data (the accounting data) in unauthorized ways (by moving it
to a Swiss bank account). Adequate authentication and access controls will
generally stop the break-in from the outside, but preventing the second type of
attempt requires very different controls.
 Detection mechanisms do not try to prevent violations of integrity; they
simply report that the data's integrity is no longer trustworthy. Detection
mechanisms may analyze system events (user or system actions) to detect
problems or (more commonly) may analyze the data itself to see if required or
expected constraints still hold. The mechanisms may report the actual cause of
the integrity violation (a specific part of a file was altered), or they may
simply report that the file is now corrupt.
23
Availability
 Denial of service attacks
 Denying access can lead to more serious
attacks
– I.e., if credit card verification is down

24
Availability
 Availability refers to the ability to use the information or resource
desired. Availability is an important aspect of reliability as well as of
system design because an unavailable system is at least as bad as no
system at all.
 The aspect of availability that is relevant to security is that someone
may deliberately arrange to deny access to data or to a service by
making it unavailable. System designs usually assume a statistical
model to analyze expected patterns of use, and mechanisms ensure
availability when that statistical model holds. Someone may be able to
manipulate use (or parameters that control use, such as network
traffic) so that the assumptions of the statistical model are no longer
valid. This means that the mechanisms for keeping the resource or
data available are working in an environment for which they were not
designed. As a result, they will often fail.

25
Availability
 EXAMPLE: Suppose Anne has compromised a bank's secondary system
server, which supplies bank account balances. When anyone else asks that
server for information, Anne can supply any information she desires.
Merchants validate checks by contacting the bank's primary balance server. If
a merchant gets no response, the secondary server will be asked to supply the
data. Anne's colleague prevents merchants from contacting the primary
balance server, so all merchant queries go to the secondary server. Anne will
never have a check turned down, regardless of her actual account balance.
Notice that if the bank had only one server (the primary one), this scheme
would not work. The merchant would be unable to validate the check.
 Attempts to block availability, called denial of service attacks, can be the most
difficult to detect, because the analyst must determine if the unusual access
patterns are attributable to deliberate manipulation of resources or of
environment. Complicating this determination is the nature of statistical
models.

26
Threats (or “attacks”)
 Snooping, eavesdropping
 Modification, alteration
 Masquerading, spoofing
 False repudiation/denial of receipt
 Network delay, denial of service

27
Threats
 A threat is a potential violation of security. The violation
need not actually occur for there to be a threat. The fact
that the violation might occur means that those actions that
could cause it to occur must be guarded against (or
prepared for). Those actions are called attacks. Those who
execute such actions, or cause them to be executed, are
called attackers.
 The three security services—confidentiality, integrity, and
availability—counter threats to the security of a system.

28
 Snooping, the unauthorized interception of information, is a form of
disclosure. It is passive, suggesting simply that some entity is listening to (or
reading) communications or browsing through files or system information.
Wiretapping, or passive wiretapping, is a form of snooping in which a network
is monitored. Confidentiality services counter this threat.
 Modification or alteration, an unauthorized change of information, covers
three classes of threats. The goal may be deception, in which some entity
relies on the modified data to determine which action to take, or in which
incorrect information is accepted as correct and is released. If the modified
data controls the operation of the system, the threats of disruption and
usurpation arise.
 Masquerading or spoofing, an impersonation of one entity by another, is a
form of both deception and usurpation. It lures a victim into believing that the
entity with which it is communicating is a different entity. For example, if a
user tries to log into a computer across the Internet but instead reaches another
computer that claims to be the desired one, the user has been spoofed.
Similarly, if a user tries to read a file, but an attacker has arranged for the user
to be given a different file, another spoof has taken place. This may be a
passive attack (in which the user does not attempt to authenticate the recipient,
but merely accesses it), but it is usually an active attack (in which the
masquerader issues responses to mislead the user about its identity).
29
 Repudiation of origin, a false denial that an entity sent (or created) something,
is a form of deception. For example, suppose a customer sends a letter to a
vendor agreeing to pay a large amount of money for a product. The vendor
ships the product and then demands payment. The customer denies having
ordered the product and by law is therefore entitled to keep the unsolicited
shipment without payment. The customer has repudiated the origin of the
letter. If the vendor cannot prove that the letter came from the customer, the
attack succeeds. A variant of this is denial by a user that he created specific
information or entities such as files. Integrity mechanisms cope with this
threat.
 Denial of receipt, a false denial that an entity received some information or
message, is a form of deception. Suppose a customer orders an expensive
product, but the vendor demands payment before shipment. The customer
pays, and the vendor ships the product. The customer then asks the vendor
when he will receive the product. If the customer has already received the
product, the question constitutes a denial of receipt attack. The vendor can
defend against this attack only by proving that the customer did, despite his
denials, receive the product. Integrity and availability mechanisms guard
against these attacks.

30
 Denial of service, a long-term inhibition of service, is a form of
usurpation, although it is often used with other mechanisms to
deceive. The attacker prevents a server from providing a service. The
denial may occur at the source (by preventing the server from
obtaining the resources needed to perform its function), at the
destination (by blocking the communications from the server), or
along the intermediate path (by discarding messages from either the
client or the server, or both). Denial of service poses the same threat as
an infinite delay. Availability mechanisms counter this threat.
 Denial of service or delay may result from direct attacks or from non
security-related problems. From our point of view, the cause and result
are important; the intention underlying them is not. If delay or denial
of service compromises system security, or is part of a sequence of
events leading to the compromise of a system, then we view it as an
attempt to breach system security. But the attempt may not be
deliberate; indeed, it may be the product of environmental
characteristics rather than specific actions of an attacker.

31
Policy vs. mechanism
 Security policy
– Statement of what is and is not allowed
 Security mechanism
– Method for enforcing a security policy
 One is meaningless without the other…
 Problems when combining security policies
of multiple organizations

32
 Definition 1–1. A security policy is a statement of what is, and what is not,
allowed.
 Definition 1–2. A security mechanism is a method, tool, or procedure for
enforcing a security policy.
 Mechanisms can be nontechnical, such as requiring proof of identity before
changing a password; in fact, policies often require some procedural
mechanisms that technology cannot enforce.
 As an example, suppose a university's computer science laboratory has a
policy that prohibits any student from copying another student's homework
files. The computer system provides mechanisms for preventing others from
reading a user's files. Anna fails to use these mechanisms to protect her
homework files, and Bill copies them. A breach of security has occurred,
because Bill has violated the security policy. Anna's failure to protect her files
does not authorize Bill to copy them.
 In this example, Anna could easily have protected her files. In other
environments, such protection may not be easy. For example, the Internet
provides only the most rudimentary security mechanisms, which are not
adequate to protect information sent over that network. Nevertheless, acts such
as the recording of passwords and other sensitive information violate an
implicit security policy of most sites (specifically, that passwords are a user's
confidential property and cannot be recorded by anyone).
33
Tying It All Together
 The considerations discussed above appear to flow linearly from one to the
next (see Figure 1-1). Human issues pervade each stage of the cycle. In
addition, each stage of the cycle feeds back to the preceding stage, and
through that stage to all earlier stages. The operation and maintenance stage is
critical to the life cycle. Figure 1-1 breaks it out so as to emphasize the impact
it has on all stages. The following example shows the importance of feedback.
 Figure 1-1. The security life cycle.

34
 EXAMPLE: A major corporation decided to improve its security. It hired consultants,
determined the threats, and created a policy. From the policy, the consultants derived
several specifications that the security mechanisms had to meet. They then developed a
design that would meet the specifications.
 During the implementation phase, the company discovered that employees could connect
modems to the telephones without being detected. The design required all incoming
connections to go through a firewall. The design had to be modified to divide systems
into two classes: systems connected to "the outside," which were put outside the firewall;
and all other systems, which were put behind the firewall. The design needed other
modifications as well.
 When the system was deployed, the operation and maintenance phase revealed several
unexpected threats. The most serious was that systems were repeatedly misconfigured to
allow sensitive data to be sent across the Internet in the clear. The implementation made
use of cryptographic software very difficult. Once this problem had been remedied, the
company discovered that several "trusted" hosts (those allowed to log in without
authentication) were physically outside the control of the company. This violated policy,
but for commercial reasons the company needed to continue to use these hosts. The
policy element that designated these systems as "trusted" was modified.
 Finally, the company detected proprietary material being sent to a competitor over
electronic mail. This added a threat that the company had earlier discounted. The
company did not realize that it needed to worry about insider attacks.

35
Computer Security Challenges
Computer security is both fascinating and complex. Some
of the reasons follow:
 1.Computer security is not as simple as it might first
appear to the novice. The requirements seem to be
straightforward, but the mechanisms used to meet those
requirements can be quite complex and subtle.
 2. In developing a particular security mechanism or
algorithm, one must always consider potential attacks
(often unexpected) on those security features.
 3. Hence procedures used to provide particular services are
often counterintuitive.
 4. Having designed various security mechanisms, it is
necessary to decide where to use them.

36
 5. Security mechanisms typically involve more than a
particular algorithm or protocol, but also require
participants to have secret information, leading to issues of
creation, distribution, and protection of that secret
information.
 6. Computer security is essentially a battle of wits between
a perpetrator who tries to find holes and the designer or
administrator who tries to close them.
 7. There is a natural tendency on the part of users and
system managers to perceive little benefit from security
investment until a security failure occurs.

37
 8. Security requires regular monitoring,
difficult in today's short-term environment.
 9. Security is still too often an afterthought -
incorporated after the design is complete.
 10. Many users / security administrators
view strong security as an impediment to
efficient and user-friendly operation of an
information system or use of information.

38