This action might not be possible to undo. Are you sure you want to continue?
Chandra Prakash Assistant Professor LPU
• Security Engineering, Ross J Anderson, Wiley + Biometrics for Network Security, Paul Reid, Prentice Hall ( Research Papers literature)
Goal: thorough understanding of information security
• http://freevideolectures.com/Course/2383/Computer-SystemEngineering/18 • Book Page
• Give you a thorough understanding of information security technology – Policy (what should be protected) – Mechanisms (cryptography, electrical engineering, …) – Attacks (malicious code, protocol failure …) – Assurance – how do we know when we’re done? • How do we make this into a proper engineering discipline?
Objectives By the end of the course. • formulating a security policy. and • designing specific protection mechanisms to implement the policy. . you should be able to • tackle an information protection problem by drawing up a threat model.
Objectives of the Chapter Introduction Framework and Examples related to role of security .
the need for secure networks is evident. Deliver the expected value of the software to their customers Importance of Secured Systems: In applications where the quality of service depends on data confidentiality. and protection against denial-of-service attack. . data integrity.Software systems Objectives: Engineered with reliable protection mechanisms.
Objectives Software Engg Software Engineering Usability Performance Timely Completion Reliability Flexibility Security Engg customized access control and authentication based on the privilege levels of users. confidentiality. and integrity . non-repudiation. accountability. traceability and detection. privacy.
Security Engineering objectives are to design a software system that meets both security objectives and application objectives .Objectives (contd…) • Current Software Engineering processes do not provide enough support to achieve security goals. • Unification of the process models of Software engineering and Security Engineering is required.
.we are entering a brave new world ...
if you have something. I can copy it – Information – Privileges – Identity – Media – Software – Digital money • Much of information security revolves around making it hard to copy bits .• The digital world behaves differently to the physical world – Everything in the digital world is made of bits – Bits have no uniqueness – It’s easy to copy bits perfectly Nothing is secure in the digital world • Therefore.
Objectives To introduce issues that must be considered in the specification and design of secure software To discuss security risk management and the derivation of security requirements from a risk analysis To describe good design practice for secure systems development. To explain the notion of system survivability and to introduce a method of survivability analysis. .
it focuses on the tools. implement and test complete systems. . As a discipline.Security engineering Tools. techniques and methods to support the development and maintenance of systems that can resist malicious attacks that are intended to damage a computer-based system or its data. A sub-field of the broader field of computer security. Security engineering is about building systems to remain dependable in the face of malice. processes and methods needed to design. and to adapt existing systems as their environment evolves. error and mischance.
Design Hierarchy • What are we trying to do? • How? Policy Protocols … • With what? Hardware. crypto. … .
etc ) Operating S y s tem . shared applications (Browsers . e--mail.System layers Application Reusable c omponents and libraries Middleware Database management Generic.
Infrastructure security is a systems management problem where the infrastructure is configured to resist attacks. .Application/infrastructure security Application security is a software engineering problem where the system is designed to resist attacks.
The possible loss or harm that could result from a successful attack. A protective measure that reduces a system’s vulnerability. Generally. You can think of these as a system vulnerability that is subjected to an attack. Circumstances that have potential to cause loss or harm. Vulnerability Attack Threats Control . A weakness in a computer-based system that may be exploited to cause loss or harm. Encryption would be an example of a control that reduced a vulnerability of a weak access control system.Security Concepts Term Asset Exposure Definition A system resource that has a value and has to be protected. An exploitation of a system’s vulnerability. This can be loss or damage to data or can be a loss of time and effort if recovery is necessary after a security breach. this is from outside the system and is a deliberate attempt to cause some damage.
User ids that are the same as names. Loss of reputation. Potential financial loss from future patients who do not seek treatment because they do not trust the clinic to maintain their data. An unauthorised user will gain access to the system by guessing the credentials (login name and password) of an authorised user. A password checking system that disallows passwords that are set by users which are proper names or words that are normally included in a dictionary. An impersonation of an authorised user. Financial loss from legal action by the sports star. Vulnerability Attack Threat Control . A weak password system which makes it easy for users to set guessable passwords.Examples of security concepts Term Asset Exposure Definition The records of each patient that is receiving or has received treatment.
e. John can access this file • Security engineering traditionally revolves around building dependable systems that work in the face of a world full of clever.Security Requirements • Everything you have been taught so far in engineering revolves around building dependable systems that work – Typically engineering efforts are associated with ensuring something does happen e. the Chinese government can’t access this file. • Reality is far more complex • Security requirements differ greatly between systems . malicious attackers – Typically security has been about ensuring something can’t happen.g.g.
Security Vs Dependability • Dependability = reliability + security • Reliability and security are often strongly correlated in practice • But malice is different from error! – Reliability: “Bob will be able to read this file” – Security: “The Chinese Government won’t be able to read this file” • Proving a negative can be much harder … .
g.Why do systems fail? • Systems often fail because designers : – Protect the wrong things – Protect the right things in the wrong way – Make poor assumptions about their systems – Do not understand their system’s threat model properly – Fail to account for paradigm shifts (e. the Internet) – Fail to understand the scope of their system .
Framework • Security Engineering Analysis Framework .
• Incentive: the motive that the people guarding and maintaining the system have to do their job properly. • Mechanism: the ciphers. and also the motive that the attackers have to try to defeat your policy .Framework • Policy: what you’re supposed to achieve. access controls. • Assurance: the amount of reliance you can place on each particular mechanism. hardware tamperresistance and other machinery that you assemble in order to implement the policy.
sophisticated criminals – Goal: integrity of transactions • Internet banking – Most likely threat: hacking the website or account – Goal: authentication and availability • Safe – Threat: physical break-ins. stealing safe – Goal: physical integrity. difficult to transport.Bank security requirements • Core of a bank’s operations is its bookkeeping system – Most likely threat: internal staff stealing petty cash – Goal: highest level of integrity • ATMs – Most likely threat: petty thieves – Goal: authentication of customers. slow to open . resist attack • High value transaction systems – Most likely threat: internal staff.
• Compartmentalisation – Objective example: logistics software. resilience to traffic analysis? • Nuclear weapons command & control – Goal: prevent weapons from being used outside the chain of command . availability – Result: spread spectrum communications etc. countercountermeasures etc. • Military communications – Objective: Low probability of intercept (LPI) – Goal: confidentiality. covertness.Military communications • Electronic warfare systems – Objective: jam enemy radar without being jammed yourself – Goal: covertness. availability. availability – Result: countermeasures.administration of boot polish different from stinger missiles – Goal: confidentiality.
online reference books – Goal: integrity of data • • Remote access for doctors – Goal: authentication. confidentiality Patient record systems – Goal: “nurses may only look at records of patients who have been in their ward in the last 90 days” – Goal: anonymity of records for research • Paradigm shifts introduce new threats – Shift to online drug databases means paper records are no longer kept – Results in new threats on • availability e.g.g. denial of service of network • integrity e.Hospital security requirements • Use of web based technologies – Goal: harness economies of the Internet (EoI ) e.g. malicious “temporary” tampering of information .
Risk Analysis Risk Impact Matrix Impact Extreme Certain Likely Likelihood Moderate Unlikely Rare 1 2 3 4 5 6 7 1 1 2 3 4 High 1 2 3 4 5 Medium 2 3 4 5 6 Low 3 4 5 6 7 Negligible 4 5 6 7 7 severe must be managed by senior management with a detailed plan high detailed research and management planning required at senior levels major senior management attention is needed significant management responsibility must be specified moderate manage by specific monitoring or response procedures low manage by routine procedures trivial unlikely to need specific application of resources .
Axioms of information security • All systems are buggy • The bigger the system the more buggy it is • Nothing works in isolation • Humans are most often the weakest link • It’s a lot easier to break a system than to make it secure .
• • • • • • • • A product or component – e. web server.g.g.g.A system can be. smart card … plus infrastructure – e. politicians. vendors … plus the law. regulators… . communications … plus applications – e. competitors. the media. cryptographic protocol.. PC. payroll system … plus IT staff … plus users and management … plus customers and external users … plus partners. operating system. software program.
Aspects of security • Authenticity – Proof of a message’s origin – Integrity plus freshness (i.e. message is not a replay) Confidentiality – The ability to keep messages secret (for time t) Integrity – Messages should not be able to be modified in transit – Attackers should not be able to substitute fakes Non-repudiation – Cannot deny that a message was sent (related to authenticity) • • • • • Availability – Guarantee of quality of service (fault tolerance) Covertness – Message existence secrecy (related to anonymity) .
Passive attacks • • • Those that do not involve modification or fabrication of data Examples include eavesdropping on communications Interception – An unauthorised party gains access to an asset – Release of message contents: an attack on confidentiality – Traffic analysis: an attack on covertness .
Active Attacks • • Those which involve some modification of the data stream or creation of a false stream Fabrication – An unauthorised party inserts counterfeit objects into the system – Examples include masquerading as an entity to gain access to the system – An attack on authenticity • Interruption – An asset of the system is destroyed or becomes unavailable or unusable – Examples include denial-of-service attacks on networks – An attack on availability • Modification – An unauthorised party not only gains access to but tampers with an asset – Examples include changing values in a data file or a virus – An attack on integrity .
including invasions of your personal space – Privacy does not extend to corporations • Anonymity – The ability/desire to keep message source/destination confidentiality .Definitions • • • Secrecy – A technical term which refers to the effect of actions to limit access to information Confidentiality – An obligation to protect someone or some organization's secrets Privacy – The ability and/or right to protect the personal secrets of you or your family.
• .Trust • • • A trusted system is one whose failure can break security policy. A NSA employee caught selling US nuclear secrets to a foreign diplomat is trusted but not trustworthy. A trustworthy system is one which won’t fail. In information security trust is your enemy.
Trust is your enemy • You cannot trust software or vendors – They won’t tell you their software is broken – They won’t fix it if you tell them • You cannot trust the Internet nor its protocols – It’s built from broken pieces – It’s a monoculture. something breaks everything breaks – It was designed to work. not a profit centre! • You cannot trust the government – They only want to raise the resource game to their level • You cannot trust your employees or users – They are going to pick poor passwords – They are going to mess up the configuration and try to hack in – They account for 90% of security problems . not be secure • You cannot trust managers – They don’t want to be laggards nor leaders – Security is a cost centre.
Trust is your enemy • • You cannot trust your peers – They are as bad as you You cannot trust algorithms nor curves – Moore’s law does not keep yesterday’s secrets – Tomorrow they might figure out how to factor large numbers – Tomorrow they might build a quantum computer • You cannot trust the security community – They are going to ridicule you when they find a problem – They are going to tell the whole world about it • You cannot trust information security – It’s always going to be easier to break knees than break codes • You cannot trust yourself – You are human – One day you will screw up .
nothing can be said for its security • • • . the system is a good system If an algorithm is secret and no-one has looked at it.Tenet of information security • • Security through obscurity does not work Full disclosure of the mechanisms of security algorithms and systems (except secret key material) is the only policy that works Kirchoff’s Principle: For a system to be truly secure. all secrecy must reside in the key If the algorithms are known but cannot be broken.
dependable [Webster’s on-line] .Case Study • Voting • Do electronic voting machines meet the reasonable expectations of society to provide a technology that is trustworthy and cost effective? Trustworthy: Worthy of confidence.
Expectations of Voting • Vote is by secret ballot Confidentiality • The vote should be correctly tallied. all votes cast should be counted in the election Integrity • Every eligible voter who presents themselves at the polling place should be able to vote Availability .
and availability specific to computers? • Can the properties of the computer system be considered independently of its use? . confidentiality.Security or Computer Security? • Are the expectations of integrity.
Voting: Policies and Mechanisms • Who can vote? Policy – requirements for eligibility • Must be a citizen residing in the precinct • Must be of voting age Mechanism – Administrative requirements to register to vote • Fill out an application • Present evidence of residence (can be by mail or fax) .
Voting Mechanisms • Paper ballot in a ballot box (or mail) – May be implemented as a scan form • • • • Punch cards Mechanical voting machines Direct Recording Electronic Voter-verifiable paper audit trail .
Evaluating mechanisms • How do we evaluate these options? • Evaluation must be relevant to a threat model .
Voting threat models • • • • • • • • • Correlating ballot with voter Ballot stuffing Casting multiple votes Losing ballot boxes Ballot modification Incorrect reporting of results Denial of access to polls Vandalism Physical intimidation .
following good design practice and minimizing the introduction of system vulnerabilities • Key issues when designing a secure architecture include organizing the structure to protect assets and distributing assets to minimize losses • General security guidelines sensitive designers to security issues and serve as review checklists .Key points • Security engineering is concerned with how to develop systems that can resist malicious attacks • Security threats can be threats to confidentiality. integrity or availability of a system or its data • Design for security involves architectural design.
Morals of the story • Nothing is perfectly secure • Information security is a resource game • Nothing works in isolation • Know your system • Know your threat model • Trust is your enemy • All systems can and will fail • Humans are usually the weakest link • Attackers often know more about your system than you do .
org http://www.eff.securityfocus.org http://www.org .csl.digicrime.com http://www.com http://www.phrack.cryptome.org http://www.References • Stallings • Interesting Websites – – – – – – – http://www.com/users/neumann/illustrative.packetstormsecurity.html http://www.sri.
This action might not be possible to undo. Are you sure you want to continue?
We've moved you to where you read on your other device.
Get the full title to continue reading from where you left off, or restart the preview.