Unit 1: Introduction

EECS710: Information Security

Professor Hossein Saiedian
Fall 2014
 Chapter 1 overview
• Computer Security Concepts
• Threats, Attacks, and Assets
• Security Functional Requirements
• Fundamental Security Design Principles
• Attack Surfaces and Attack Trees
• Computer Security Strategy
 A definition of computer security
• Computer security: The protection afforded
to an automated information system in order
to attain the applicable objectives of
preserving the integrity, availability and
confidentiality of information system
resources (includes hardware, software,
firmware, information/data, and
telecommunications)
Three key objectives (the CIA triad)
• Confidentiality
– Data confidentiality: Assures that confidential information
is not disclosed to unauthorized individuals
– Privacy: Assures that individual control or influence what
information may be collected and stored
• Integrity
– Data integrity: assures that information and programs are
changed only in a specified and authorized manner
– System integrity: Assures that a system performs its
operations in unimpaired manner
• Availability: assure that systems works promptly and
service is not denied to authorized users
Other concepts to a complete security
picture
• Authenticity: the property of being genuine
and being able to be verified and trusted;
confident in the validity of a transmission, or a
message, or its originator
• Accountability: generates the requirement for
actions of an entity to be traced uniquely to
that individual to support nonrepudiation,
deference, fault isolation, etc
 Levels of security breach impact
• Low: the loss will have a limited impact, e.g., a
degradation in mission or minor damage or
minor financial loss or minor harm
• Moderate: the loss has a serious effect, e.g.,
significance degradation on mission or significant
harm to individuals but no loss of life or
threatening injuries
• High: the loss has severe or catastrophic adverse
effect on operations, organizational assets or on
individuals (e.g., loss of life)
 Examples of security requirements:
Confidentiality
• Student grade information is an asset whose
confidentiality is considered to be very high
– The US FERPA Act: grades should only be available to
students, their parents, and their employers (when
required for the job)
• Student enrollment information: may have
moderate confidentiality rating; less damage if
enclosed
• Directory information: low confidentiality rating;
often available publicly
 Examples of security requirements:
Integrity
• A hospital patient’s allergy information (high
integrity data): a doctor should be able to trust
that the info is correct and current
– If a nurse deliberately falsifies the data, the database
should be restored to a trusted basis and the falsified
information traced back to the person who did it
• An online newsgroup registration data: moderate
level of integrity
• An example of low integrity requirement:
anonymous online poll (inaccuracy is well
understood)
 Examples of security requirements:
Availability
• A system that provides authentication: high
availability requirement
– If customers cannot access resources, the loss of
services could result in financial loss
• A public website for a university: a moderate
availably requirement; not critical but causes
embarrassment
• An online telephone directory lookup: a low
availability requirement because unavailability is
mostly annoyance (there are alternative sources)
 Challenges of computer security
1. Computer security is not simple
2. One must consider potential (unexpected)
attacks
3. Procedures used are often counter-intuitive
4. Must decide where to deploy mechanisms
5. Involve algorithms and secret info (keys)
6. A battle of wits between attacker / admin
7. It is not perceived on benefit until fails
8. Requires constant monitoring
9. Too often an after-thought (not integral)
10. Regarded as impediment to using system
 A model for computer security
• Table 1.1 and Figure 1.1 show the relationship
• Systems resources
– Hardware, software (OS, apps), data (users, system,
database), communication facilities and network (LAN,
bridges, routers, …)
• Our concern: vulnerability of these resources
(corrupted, unavailable, leaky)
• Threats exploit vulnerabilities
• Attack is a threat that is accrued out
– Active or passive; from inside or from outside
• Countermeasures: actions taken to prevent, detect,
recover and minimize risks
Computer security terminology
Security concepts and relationships
 Threat consequences
• Unauthorized disclosure: threat to confidentiality
– Exposure (release data), interception, inference, intrusion
• Deception: threat to integrity
– Masquerade, falsification (alter data), repudiation
• Disruption: threat to integrity and availability
– Incapacitation (destruction), corruption (backdoor logic),
obstruction (infer with communication, overload a line)
• Usurpation: threat to integrity
– Misappropriation (theft of service), misuse (hacker gaining
unauthorized access)
Threat consequences(tabular
form)
The scope of computer security
Threats of Computer System
 Security functional requirements (FIPS 200)
• What is Federal Information Processing Standard 200 FIPS 200?
• FIPS 200 addresses the specification of minimum security
requirements for federal information and information systems.
FIPS 199 addresses the classification divides systems. It divides
the systems into high, moderate, and low impact systems
based on their impact on individuals and organizations.

• Technical measures
– Access control; identification & authentication; system &
communication protection; system & information integrity
• Management controls and procedures
– Awareness & training; audit & accountability; certification,
accreditation, & security assessments; contingency planning;
maintenance; physical & environmental protection; planning;
personnel security; risk assessment; systems & services acquisition
• Overlapping technical and management
– Configuration management; incident response; media protection
 THE OSI(X.800) SECURITY ARCHITECTURE
• The OSI security architecture focuses on security attack, security
mechanism ,security service
X.800, Security Architecture for OSI
systematic way of defining requirements for security and
characterizing approaches to satisfying them
• security attack: Any action that compromises the security of
information owned by an organization.
• Security mechanism: A process that is designed to detect, prevent,
or recover from a security attack.
• Security service: A processing or communication service that
enhances the security of the data processing systems and the
information transfers of an organization.
Fundamental security design principles
[1/4]
• Despite years of research, it is still difficult to
design systems that comprehensively prevent
security flaws
• But good practices for good design have been
documented (analogous to software engineering)
– Economy of mechanism, fail-safe defaults, complete
mediation, open design, separation of privileges,
lease privilege, least common mechanism,
psychological accountability, isolation, encapsulation,
modularity, layering, least astonishment
Fundamental security design principles
[2/4]
• Economy of mechanism: the design of security
measures should be as simple as possible
– Simpler to implement and to verify
– Fewer vulnerabilities
• Fail-safe default: access decisions should be
based on permissions; i.e., the default is lack of
access
• Complete mediation: every access should
checked against an access control system
• Open design: the design should be open rather
than secret (e.g., encryption algorithms)
Fundamental security design principles
[3/4]
• Isolation
– Public access should be isolated from critical
resources (no connection between public and critical
information)
– Users files should be isolated from one another
(except when desired)
– Security mechanism should be isolated (i.e.,
preventing access to those mechanisms)
• Encapsulation: similar to object concepts (hide
internal structures)
• Modularity: modular structure
Fundamental security design principles
[4/4]
• Layering (defense in depth): use of multiple,
overlapping protection approaches
• Least astonishment: a program or interface
should always respond in a way that is least
likely to astonish a user
Fundamental security design principles
• Separation of privilege: multiple privileges
should be needed to do achieve access (or
complete a task)
• Least privilege: every user (process) should have
the least privilege to perform a task
• Least common mechanism: a design should
minimize the function shared by different users
(providing mutual security; reduce deadlock)
• Psychological acceptability: security mechanisms
should not interfere unduly with the work of
users
 Attack surfaces
• Attack surface: the reachable and exploitable
vulnerabilities in a system
– Open ports
– Services outside a firewall
– An employee with access to sensitive info
– …
• Three categories
– Network attack surface (i.e., network vulnerability)
– Software attack surface (i.e., software vulnerabilities)
– Human attack surface (e.g., social engineering)
• Attack analysis: assessing the scale and severity of threats
 Attack trees
• A branching, hierarchical data structure that
represents a set of potential vulnerabilities
• Objective: to effectively exploit the info
available on attack patterns
– published on CERT(Computer Emergency
Response Team ) or similar forums
– Security analysts can use the tree to guide design
and strengthen countermeasures
An attack tree
 Computer security strategy
• An overall strategy for providing security
– Policy (specs): what security schemes are supposed to do
• Assets and their values
• Potential threats
• Ease of use vs security
• Cost of security vs cost of failure/recovery
– Implementation/mechanism: how to enforce
• Prevention
• Detection
• Response
• Recovery
– Correctness/assurance: does it really work
(validation/review)
Security Taxonomy
Security Trends
Computer Security Losses
Security Technologies Used
 Summary
• Security concepts
• Terminology
• Functional requirements
• Security design principles
• Security strategy