01 Ch01 Introduction
Chapter 1: Overview
• Computer Security Concepts
• Threats, Attacks, and Assets
• Security Functional Requirements
• Fundamental Security Design Principles
• Attack Surfaces and Attack Trees
• Computer Security Strategy
Learning objectives
• Describe the key security requirements of
confidentiality, integrity and availability
• Discuss the types of security threats and attacks that
must be dealt with
• Summarize the functional requirements for
computer security
• Explain the fundamental security design principles
• Discuss the use of attack surfaces and attack trees
• Understand the principal aspects of a comprehensive
security strategy
A definition of computer security
• The protection afforded to an information system in
order to attain the applicable objectives of preserving the
integrity, availability and confidentiality of information
system resources (includes hardware, software,
firmware, information/data, and telecommunications)
NIST 1995
Key Security Concepts
Three key objectives (the CIA triad)
• Confidentiality
– Data confidentiality: Assures that computer-related
information and services can be accessed only by authorized
entities.
– Privacy: Assures that individuals control or influence what
information about them may be collected and stored.
• Integrity
– Data integrity: Assures that information and programs are
changed only in a specified and authorized manner.
– System integrity: Assures that a system performs its operations
in an unimpaired manner.
• Availability: Assures that systems work immediately
and service is not denied to authorized users.
Other concepts needed for a complete security
picture
• Authenticity: the property of being genuine and being
able to be verified and trusted; confidence in the
validity of the transmitted data and the validity of its
source.
• Accountability: the traceability of actions performed on
a system to a specific system entity (user, process,
device). For example, the use of unique user
identification and authentication
supports accountability; the use of shared user IDs and
passwords destroys accountability.
Levels of security breach impact
• Low: the loss has a limited impact, e.g., a minor
degradation in mission, minor damage, minor
financial loss or minor harm to individuals
• Moderate: the loss has a serious effect, e.g.,
significant degradation of mission or significant
harm to individuals, but no loss of life or life-threatening
injuries
• High: the loss has a severe or catastrophic adverse
effect on operations, organizational assets or
individuals (e.g., loss of life)
Examples of security requirements:
Confidentiality
• Student grade information is an asset whose
confidentiality is considered to be very high
– The US FERPA Act: grades should only be available to
students, their parents, and their employers (when
required for the job)
• Student enrollment information: may have a moderate
confidentiality rating; less damage if disclosed
• Directory information: low confidentiality rating;
often available publicly
Examples of security requirements:
Integrity
• A hospital patient's allergy information (high-integrity
data): a doctor should be able to trust that the information is
correct and current (file permissions and user access
controls)
– If a nurse deliberately falsifies the data, the database should
be restored to a trusted basis and the falsified information
traced back to the person who did it
• Online newsgroup registration data: moderate level
of integrity
• An example of a low integrity requirement: an anonymous
online poll (inaccuracy is well understood)
Examples of security requirements:
Availability
• Authentication services for a critical system: high
availability required
– If customers cannot access resources, the loss of service
could result in financial loss
• A public website for a university: a moderate availability
requirement; not critical, but an outage causes embarrassment
• An online telephone directory lookup: a low
availability requirement, because unavailability is
mostly an annoyance (there are alternative sources)
Challenges of computer security
1. Computer security is not simple
2. In developing a particular security mechanism or algorithm,
one must consider potential (unexpected) attacks on it
3. Because of point 2, the procedures used to provide particular
services are often counterintuitive
4. Must decide where to deploy security mechanisms
5. Security mechanisms involve algorithms and secret information
(keys)
6. Computer security is a battle of wits between attacker and
administrator
7. Security is not perceived as a benefit until it fails (by users
and administrators alike)
8. Security requires constant monitoring
9. Security is still too often an afterthought, incorporated after
the design is complete
10. Strong security is regarded as an impediment to using the system
A model for computer security
• Table 1.1 and Figure 1.1 show the relationship
• System resources
– Hardware, software (OS, apps), data (users, system, database),
communication facilities and networks (LAN, bridges, routers, …)
• Our concern: vulnerability of these resources (corrupted,
unavailable, leaky)
• Threats exploit vulnerabilities
• An attack is a threat that is carried out
– Active or passive; from inside or from outside
• Countermeasures: actions taken to prevent, detect, recover from
and minimize risks
Computer Security Terminology
Security concepts and relationships
Examples of threats
Fundamental security design principles
[1/4]
• Despite years of research, it is still difficult to design
systems that comprehensively prevent security flaws
• But good practices for good design have been
documented (analogous to software engineering)
– Economy of mechanism, fail-safe defaults, complete
mediation, open design, separation of privilege, least
privilege, least common mechanism, psychological
acceptability, isolation, encapsulation, modularity,
layering, least astonishment
Fundamental security design principles
[2/4]
• Economy of mechanism: the design of security
measures should be as simple as possible
– Simpler to implement and to verify
– Fewer vulnerabilities
• Fail-safe default: access decisions should be based
on permissions; i.e., the default is lack of access
• Complete mediation: every access should be checked
against the access control system
• Open design: the design should be open rather than
secret (e.g., encryption algorithms)
Fundamental security design principles
[3/4]
• Isolation
– Public access should be isolated from critical resources (no
connection between public and critical information)
– Users' files should be isolated from one another (except
when sharing is desired)
– Security mechanisms should be isolated (i.e., preventing
access to those mechanisms)
• Encapsulation: similar to object-oriented concepts (hide
internal structures)
• Modularity: modular structure
Fundamental security design principles
[4/4]
• Layering (defense in depth): use of multiple,
overlapping protection approaches
• Least astonishment: a program or interface should
always respond in a way that is least likely to
astonish a user
Fundamental security design principles
• Separation of privilege: multiple privileges should be
needed to achieve access (or complete a task)
• Least privilege: every user (process) should have the
least privilege needed to perform a task
• Least common mechanism: a design should
minimize the functions shared by different users
(providing mutual security; reducing deadlock)
• Psychological acceptability: security mechanisms
should not interfere unduly with the work of users
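To make fail-safe defaults, complete mediation and least privilege concrete, here is an added example (not from the textbook or slides) of a small access-control mediator. The resource names, roles and policy are constructed for illustration; the point is the contrast between a check that falls through to allow and one that denies unless a permission is explicitly granted.

```python
"""Access-control mediator illustrating three of the design principles above.
Added example for this chapter; the policy, roles and resource names are
constructed for illustration and do not describe any real system."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    name: str
    roles: frozenset


# Constructed policy: resource -> operation -> roles explicitly permitted.
# Anything not listed here is denied (fail-safe default).
POLICY = {
    "grades": {"read": {"registrar", "instructor"}, "write": {"registrar"}},
    "directory": {"read": {"registrar", "instructor", "student"}},
}


def weak_check(principal, resource, op):
    """Anti-pattern: deny-list logic. Unknown resources or operations fall
    through to 'allow', so a newly added resource is exposed until someone
    remembers to write a rule for it."""
    denied = {("grades", "write"): {"student", "instructor"}}
    return not (principal.roles & denied.get((resource, op), set()))


def check_access(principal, resource, op):
    """Fail-safe default: grant only if an explicit permission names one of
    the principal's roles. Unknown resources, unknown operations and a
    principal with no roles (least privilege) are all denied."""
    allowed = POLICY.get(resource, {}).get(op, set())
    return bool(principal.roles & allowed)


class Mediator:
    """Complete mediation: every access passes through one checkpoint that
    both decides and records the decision (which also gives accountability,
    since each record names the individual principal)."""

    def __init__(self):
        self.audit = []

    def access(self, principal, resource, op):
        decision = check_access(principal, resource, op)
        self.audit.append((principal.name, resource, op, decision))
        if not decision:
            raise PermissionError(f"{principal.name}: {op} on {resource} denied")
        return f"{op}:{resource}"
```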
Attack surfaces
• Attack surface: the reachable and available vulnerabilities in
a system which include:
– Open ports
– Services outside a firewall
– An employee with access to sensitive info
• Three categories
– Network attack surface (i.e., network vulnerability)
– Software attack surface (i.e., software vulnerabilities)
– Human attack surface (e.g., social engineering)
Attack Trees
• A branching, hierarchical data structure that
represents a set of potential vulnerabilities
• Objective: to effectively exploit the information available on
attack patterns
– Published on CERT or similar forums
– Security analysts can use the tree to guide design and
strengthen countermeasures
An Attack Tree
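The slides describe an attack tree as a branching structure that analysts use to guide countermeasures. The following added example (not from the textbook or slides) models such a tree with OR nodes (any child suffices) and AND nodes (all children required), then asks the defender's question: which single countermeasure raises the attacker's cheapest path the most? The tree, its labels and the effort values are constructed for illustration.

```python
"""Minimal attack-tree model for countermeasure planning.
Added example for this chapter; the tree below is constructed and the leaf
'cost' values are arbitrary units of attacker effort, not measured data."""
from dataclasses import dataclass, field
from typing import List

INF = float("inf")


@dataclass
class Node:
    label: str
    kind: str = "leaf"          # "leaf", "or" or "and"
    cost: float = 0.0           # leaf only: attacker effort
    children: List["Node"] = field(default_factory=list)
    mitigated: bool = False     # leaf only: a countermeasure blocks it


def min_cost(node):
    """Cheapest way to achieve this node's goal; INF means no feasible path.
    OR nodes take the cheapest child, AND nodes need every child."""
    if node.kind == "leaf":
        return INF if node.mitigated else node.cost
    costs = [min_cost(c) for c in node.children]
    return min(costs) if node.kind == "or" else sum(costs)


def leaves(node):
    if node.kind == "leaf":
        return [node]
    return [leaf for c in node.children for leaf in leaves(c)]


def best_single_mitigation(root):
    """Mitigate each leaf in turn and return (label, new root cost) for the
    one that raises the cheapest attack path the most."""
    best = (None, min_cost(root))
    for leaf in leaves(root):
        leaf.mitigated = True
        best = max(best, (leaf.label, min_cost(root)), key=lambda t: t[1])
        leaf.mitigated = False
    return best


# Constructed tree for an account-takeover goal (labels are illustrative).
TREE = Node("Take over user account", "or", children=[
    Node("Obtain password", "or", children=[
        Node("Guess weak password", cost=2),
        Node("Phish the user", cost=5),
    ]),
    Node("Hijack session", "and", children=[
        Node("Capture session token", cost=8),
        Node("Replay before expiry", cost=3),
    ]),
])
```

Re-running `best_single_mitigation` after applying the chosen countermeasure gives the next one to prioritize, which is how the tree guides a layered defense.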
Computer security strategy
• An overall strategy for providing security
– Policy (specification): what the security schemes are supposed to do,
taking into account:
• Assets and their values
• Potential threats
• Ease of use vs. security
• Cost of security vs. cost of failure/recovery
Security Taxonomy
Security Trends
Computer Security Losses
Security Technologies Used
Summary
• Security concepts
• Terminology
• Functional requirements
• Security design principles
• Security strategy