Computer Security
Threat
A potential for violation of security, which exists when there is a circumstance, capability, action, or event that could breach security and cause harm. That is, a threat is a possible danger that might exploit a vulnerability
What is a security service
A processing or communication service that enhances the security of the data processing systems and the information transfers of an organization
Number of keys used
Symmetric (single-key, secret-key, or conventional) encryption and asymmetric (two-key or public-key) encryption
Pervasive security mechanisms
TSESS: Trusted functionality, Security labels, Event detection, Security audit trails, Security recovery
What is a masquerade?
Takes place when one entity pretends to be a different entity. Usually includes one of the other forms
Cryptanalysis
Techniques used for deciphering a message without any knowledge of the enciphering details
Access Control
The ability to limit and control the access to host systems and applications via communications links. To achieve this, each entity trying to gain access must first be identified, or authenticated, so that access rights can be tailored to the individual
Data integrity
The assurance that data received are exactly as sent by an authorized entity (i.e., contain no modification, insertion, deletion, or replay)
What is Authentication
The assurance that the communicating entity is the one that it claims to be
Chosen-plaintext attack
Trudy can get ciphertext for chosen plaintext
Known plaintext attack
Trudy has plaintext corresponding to ciphertext, i.e., all pairings for a,l,i,c,e,b,o,
What is a security attack
Any action that compromises the security of information owned by an organization
Two types of passive attacks
- Release of message contents - Traffic analysis
Attack Tree
A branching, hierarchical data structure that represents a set of potential techniques for exploiting security vulnerabilities • The security incident that is the goal of the attack is represented as the root node of the tree, and the ways that an attacker could reach that goal are represented as branches and subnodes of the tree • The final nodes on the paths outward from the root, (leaf nodes), represent different ways to initiate an attack • The motivation for the use of attack trees is to effectively exploit the information available on attack patterns
Security Services
A service provided by a protocol layer of communicating open systems and that ensures adequate security of the systems or of data transfers. A processing or communication service provided by a system to give a specific kind of protection to system resources
Attack
An assault on system security that derives from an intelligent threat; that is, an intelligent act that is a deliberate attempt (especially in the sense of a method or technique) to evade security services and violate the security policy of a system
Attack Surfaces
An attack surface consists of the reachable and exploitable vulnerabilities in a system. Examples: open ports on outward-facing Web and other servers, and code listening on those ports; services available on the inside of a firewall; code that processes incoming data, email, XML, office documents, and industry-specific custom data exchange formats; interfaces, SQL, and Web forms; an employee with access to sensitive information vulnerable to a social engineering attack
Isolation
Applies in three contexts: • Public access systems should be isolated from critical resources to prevent disclosure or tampering • Processes and files of individual users should be isolated from one another except where it is explicitly desired • Security mechanisms should be isolated in the sense of preventing access to those mechanisms
Cryptography
Area of study of the many schemes used for encryption
Cryptology
Areas of cryptography and cryptanalysis
Why is availability important?
Assures systems work promptly and service isn't denied to authorized users
Why is privacy important?
Assures that individuals control or influence what information related to them may be collected and stored and by whom and to whom that information may be disclosed
Why is data integrity important?
Assures that information and programs are changed only in a specified and authorized manner
Why is system integrity important?
Assures that information and programs are changed only in a specified and authorized manner
Why is data confidentiality important?
Assures that private or confidential information is not made available or disclosed to unauthorized individuals
Cryptanalysis
Attack relies on the nature of the algorithm plus some knowledge of the general characteristics of the plaintext • Attack exploits the characteristics of the algorithm to attempt to deduce a specific plaintext or to deduce the key being used
Plaintext process methods (2):
Block or stream cipher
Symmetric key crypto
Bob and Alice share the same key
Fundamental Security Design Principles
CLOSEF and MELLLIP: Complete mediation, Least privilege, Open design, Separation of privilege, Economy of mechanism, Fail-safe defaults; Modularity, Encapsulation, Layering, Least astonishment, Least common mechanism, Isolation, Psychological acceptability
Encapsulation
Can be viewed as a specific form of isolation based on object-oriented functionality • Protection is provided by encapsulating a collection of procedures and data objects in a domain of its own so that the internal structure of a data object is accessible only to the procedures of the protected subsystem, and the procedures may be called only at designated domain entry points
Ciphertext
Coded message
Selective field confidentiality
Confidentiality of selected fields within the user data on a connection or in a single data block
What is CIAAA?
Confidentiality, Integrity, Accountability, Availability, Authenticity
Separation of privilege
Defined as a practice in which multiple privilege attributes are required to achieve access to a restricted resource • Multifactor user authentication is an example which requires the use of multiple techniques, such as a password and a smart card, to authorize a user
Ciphertext-only attack
Hacker has ciphertext they can analyze, using statistical analysis or brute force
Psychological acceptability
Implies that the security mechanisms should not interfere unduly with the work of users, while at the same time meeting the needs of those who authorize access • Where possible, security mechanisms should be transparent to the users of the system or, at most, introduce minimal obstruction • In addition to not being intrusive or burdensome, security procedures must reflect the user's mental model of protection
Data-Origin Authentication
In a connectionless transfer, provides assurance that the source of received data is as claimed.
Active attacks
Involve some modification of the data stream or the creation of a false stream. Difficult to prevent because of the wide variety of potential physical, software, and network vulnerabilities. Goal is to detect attacks and to recover from any disruption or delays caused by them
Replay
Involves passive capture of a data unit and its subsequent retransmission to produce an unauthorized effect
What is a low-impact security breach?
Loss could be expected to have a limited adverse effect on organization operations, organizational assets, or individuals
What is a medium-impact security breach?
Loss could be expected to have a serious adverse effect on organization operations, organizational assets, or individuals
Least astonishment
Means that a program or user interface should always respond in the way that is least likely to astonish the user • The mechanism for authorization should be transparent enough to a user that the user has a good intuitive understanding of how the security goals map to the provided security mechanism
Fail-safe defaults
Means that access decisions should be based on permission rather than exclusion • The default situation is lack of access, and the protection scheme identifies conditions under which access is permitted • Most file access systems and virtually all protected services on client/server use fail-safe defaults
Complete mediation
Means that every access must be checked against the access control mechanism • Systems should not rely on access decisions retrieved from a cache • To fully implement this, every time a user reads a field or record in a file, or a data item in a database, the system must exercise access control • This resource-intensive approach is rarely used
Least privilege
Means that every process and every user of the system should operate using the least set of privileges necessary to perform the task • An example of the use of this principle is role-based access control; the system security policy can identify and define the various roles of users or processes and each role is assigned only those permissions needed to perform its functions
Open Design
Means that the design of a security mechanism should be open rather than secret • Although encryption keys must be secret, encryption algorithms should be open to public scrutiny • Is the philosophy behind the NIST program of standardizing encryption and hash algorithms
Economy of mechanism
Means that the design of security measures embodied in both hardware and software should be as simple and small as possible • Relatively simple, small design is easier to test and verify thoroughly • With a complex design, there are many more opportunities for an adversary to discover subtle weaknesses to exploit that may be difficult to spot ahead of time
Least common mechanism
Means that the design should minimize the functions shared by different users, providing mutual security • This principle helps reduce the number of unintended communication paths and reduces the amount of hardware and software on which all users depend, thus making it easier to verify if there are any undesirable security implications
Symmetric Cipher Model
Needs both a strong encryption algorithm, and sender/receiver must have obtained copies of the secret key securely
Attack Surface Categories
Network attack surface: refers to vulnerabilities over an enterprise network, wide-area network, or the Internet • Software attack surface: refers to vulnerabilities in application, utility, or operating system code • Human attack surface: refers to vulnerabilities created by personnel or outsiders
Plaintext
Original message
What 2 specific authentication services are defined in X.800?
Peer entity authentication, data origin authentication
Unwanted Access
Placement in a computer system of logic that exploits vulnerabilities in the system and that can affect application programs as well as utility programs such as editors and compilers. Programs can present two kinds of threats: information access threats (intercept or modify data on behalf of users who should not have access to that data) and service threats (exploit service flaws in computers to inhibit use by legitimate users)
Nonrepudiation
Prevents either sender or receiver from denying a transmitted message • When a message is sent, the receiver can prove that the alleged sender in fact sent the message • When a message is received, the sender can prove that the alleged receiver in fact received the message
Denial of service
Prevents or inhibits normal use or management of communications facilities
Enciphering/encryption
Process of converting from plaintext to ciphertext
Nonrepudiation, destination
Proof message received by specific party
Nonrepudiation, origin
Proof message sent by specified party
Connectionless confidentiality
Protection of all user data in a single data block
Traffic Flow confidentiality
Protection of the information that might be derived from observation of traffic flows
Availability Service
Protects a system to ensure its availability • This service addresses the security concerns raised by denial-of-service attacks • It depends on proper management and control of system resources and thus depends on access control service and other security services
Connectionless Integrity
Provides for the integrity of a single connectionless data block and may take the form of detection of data modification. Additionally, a limited form of replay detection may be provided.
Connection Integrity with recovery
Provides for the integrity of all user data on a connection and detects any modification, insertion, deletion, or replay of any data within an entire data sequence, with recovery attempted
Selective field connectionless integrity
Provides for the integrity of selected fields within a single connectionless data block; takes the form of determination of whether the selected fields have been modified.
Selective-Field Connection Integrity
Provides for the integrity of selected fields within the user data of a data block transferred over a connection and takes the form of determination of whether the selected fields have been modified, inserted, deleted, or replayed.
Connection Integrity without recovery
Provides only detection without recovery
Nonrepudiation
Provides protection against denial by one of the entities involved in a communication of having participated in all or part of the communication
Public key crypto
Public encryption key known to all, private decryption key known only to receiver, sender/receiver don't share secret key
Specific Security Mechanisms
RANTEDAD: Routing control, Authentication exchange, Notarization, Traffic padding, Encipherment, Digital signatures, Access controls, Data integrity
Modularity
Refers both to the development of security functions as separate, protected modules and to the use of a modular architecture for mechanism design and implementation
Layering
Refers to the use of multiple, overlapping protection approaches addressing the people, technology, and operational aspects of information systems • The failure or circumvention of any individual protection approach will not leave the system unprotected
Deciphering/decryption
Restoring plaintext from ciphertext
2 types of operations used for transforming plaintext to ciphertext
ST = Substitution, Transposition
Cryptographic system/cipher
Scheme
Modification of messages
Some portion of a legitimate message is altered, or messages are delayed or reordered to produce an unauthorized effect
What is a high-impact security breach?
The loss could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals
Access control
The prevention of unauthorized use of a resource (i.e., this service controls who can have access to a resource, under what conditions access can occur, and what those accessing the resource are allowed to do).
What is a security mechanism
The process (or a device incorporating such a process) that is designed to detect, prevent, or recover from a security attack
Connection confidentiality
The protection of all user data on a connection
Data Confidentiality
The protection of transmitted data from passive attacks. The broadest service protects all user data transmitted between two users over a period of time. Narrower forms of service include the protection of a single message or even specific fields within a message • The protection of traffic flow from analysis. This requires that an attacker not be able to observe the source and destination, frequency, length, or other characteristics of the traffic on a communications facility
Peer Entity Authentication
Used in association with a logical connection to provide confidence in the identity of the entities connected.
Computer security is too often __
an afterthought
Authentication is concerned with...
assuring that a communication is authentic • In the case of a single message, assures the recipient that the message is from the source that it claims to be from • In the case of ongoing interaction, assures the two entities are authentic and that the connection is not interfered with in such a way that a third party can masquerade as one of the two legitimate parties
Active attack
attempts to alter system resources or affect their operation
Passive attack
attempts to learn or make use of information from the system but does not affect system resources
Security is essentially a ___
battle of wits between a perpetrator and designer
Security requires ___ monitoring
constant
Security services are intended to
counter security attacks, and they make use of one or more security mechanisms to provide the service
Strong security is often viewed as an impediment to ___
efficient and user-friendly operation
A connectionless integrity service, one that deals with individual messages without regard to any larger context,
generally provides protection against message modification only
What does network and internet security consist of?
measures to deter, prevent, detect, and correct security violations that involve the transmission of information
Connection-oriented integrity services that deal with a stream of messages assure
messages are received as sent with no duplication, insertion, modification, reordering, or replays
Potential attacks on the security features ________
need to be considered
Procedures used to provide particular services are ____
often counter-intuitive
Security mechanisms typically involve more than a ___
particular algorithm or protocol
Little benefit from security investment is ____
perceived until a security failure occurs
Security is not __
simple
Define Computer Security
the protection afforded to an automated information system in order to attain the applicable objectives of preserving the integrity, availability and confidentiality of information system resources (includes hardware, software, firmware, information/data, and telecommunications)
Data integrity can apply
to a stream of messages, a single message, or selected fields within a message
It is necessary to decide where to use the _____
various security mechanisms