Cosc 4765

Security?

This system is secure.

• This will make your network secure

• We have secure e-commerce.

• What does that mean?

• Secure from what or whom?

• Secure from an employee theft?

• Secure from Social Engineering?

• Secure from a small explosion in the hallway?

Security?

• Involves people:– Things people know, relations between people

and how they relate to computers

• Digital Security – involves computers

• complex, unstable, and buggy

People and computers

• Computers are mathematical in nature.– Math is perfect, reality is subjective– Math is defined and computers are ornery– Math is logical, while people are erratic,

capricious, and barely comprehensible.1

• Security is fundamentally a people problem!

Why aren't computers secure?• And why aren't applications secure?• Computer companies are businesses.

– They do a risk assessment and figure what is the most cost effective way to get their product to market.

– Software manufacturers are not hold held accountable for their products

• Microsoft has not been found at fault once for a breach into a computer running a windows product. Some bad press, but little else.

• Instead, their stock goes up with a new release of their O/S.

– But a bank using that software, could go under because of security breach.

Security and people

• Increased security annoys users!

• Think about the security that has been implemented on campus.– How often have you complained about it?– Complained about the things you can't do

anymore?

Security and economics

• If CEO of Microsoft walked into the boardroom and said the next version of Windows will be secure, but cut the companies earning by one third.– The board will fire him.

• On the other hand, bad press goes away– Have several press conferences saying "security

is our top priority".

Security and economics• Example: Firewalls

– There are everywhere. Over last 10 years more companies and people are using firewalls

– Many are so badly configured that they are barely effective

» May actually cause more problems

– Everyone is on the firewall bandwagon.– Why?

• All the best practices guide say to use one.

• Economically they work, because of lawsuits.– Because they are following the guides, so they are making a best

attempt at security, even if they are broken into.

Vulnerabilities

• Hardware and physical– In the computer itself secure?

• Software– Bugs, modifications, viruses, trojan horses, logic

bombs, back doors, information leaks, etc.• Data

– Leaks and badly formed (accidentally or intentional)• Network

– Physical, hardware, software, data, etc.• People

The nature of attacks

• The nature of attacks haven't really changed much (digital and real world):– embezzlement, theft, robbery, invasion of

privacy, and identity theft.– racketeering, vandalism, voyeurism,

exploitation, extortion, con games, and fraud.– stalking, and physical harm

Computer attacks

• The real difference from real world attacks and computer attacks is these three:

1. more widespread and common• automation is the key.

2. harder to track, capture, and convict the attackers• because they may not even be in the country, let alone in

town where the "attack" happened.

3. More devastating.• with automation you can do more in a shorter time.

Computer attacks (2)

• Technique Propagation– Physical techniques are harder to master and

the people must be able learn how to do it.

– computer attacks can be done by people with little knowledge or expertise

• publish a script and 1,000s will attempt.– script kiddies. Common for people to make simple

modifications to viruses as well.

The nature of Adversaries• Who are these people?

– Hackers, criminals, businesses, governments?– Basically they are the same as in the real world

• Criminals looking for easy money

• thieves and robbers

• industrial spies stealing secrets

• intelligence agencies looking for “intelligence”

• hackers looking for the “secret knowledge”

• People wanting to make a “social statement”

The nature of Adversaries (2)

• Sometimes easier to think of them by what do/want:– Raw damage– Malicious insiders– Financial gain– Information– publicly.

Different types of attackers

• Amateurs and Insiders:– Usually people who never had intent to attack a system, but

observe a weakness and take advantage of it– Often they are insiders who may become disgruntled or greedy

and abuse their power, other times it is much more innocuous– Examples:

• A user notices opening disk and cpu accounting policies, so they use the computer system at work for their own purposes.

• A programmer inserts a backdoor so that they may access the system later without being noticed

– Not all insiders are necessarily amateurs. Sometimes (rarely) they are hired as spies or by organized crime to infiltrate organizations.

Different types of attackers (2)

• The Script Kiddie– Usually teenaged kids, not very smart. Sometimes they can be

University or even Graduate Students!– Get packaged up “scripts” of exploits from various sources– IRC Channels, Web Pages, Friends– Often make many mistakes

• Typing/spelling errors• Typing “dir” at a UNIX prompt• May unintentionally ruin a machine after getting in

– Usually have a bag of (old) exploits– Will persistently scan for vulnerable machines– Not a problem as long as you are patched and ready

Different types of attackers (3)

• The Professional Hacker/Black Hat– Usually someone with in-depth knowledge– Can create new exploits (zero day exploits)– May have various motives

• Hack for fun, Money, Fame, Politically motivated

– Will often distribute exploits to Kiddies after they’ve been discovered

• Their tracks will get lost in the noise

Security Needs• Generally, what kinds of security are

necessary:– multilevel security

• Not all data is created equal.

– authentication• Who are you? origin of data?

– integrity• is it real? has it been tampered with?

– Audit• logs, verification, and such

Security Needs (2)

– privacy• Hotly debated!

• Government argues against this one regularly.

– anonymity• personal, medical, commercial

5 Security Design questions

1. In a given application should the protection mechanisms in a computer focus on data, operations, or users?

2. In which layer of the computer system should a security mechanism be placed?

3. Do you prefer simplicity and higher assurance – to a feature rich security environment?

5 Security Design questions (2)

4. Should the tasks of defining and enforcing security be given over to a central entity or left to individual components?

5. How can you prevent an attacker from getting access to a layer below the protection mechanism?

A Good Security System

• A mixture of the following:– Prevention– Detection– Response

Back to the Question:What is Computer Security?

• Security can be defined by these three terms:– Confidentiality

• Only those who are authorized to access the system and/or data

– Integrity• The system is functioning the way we except it to• The data is accurate and what is excepted.

– Availability• It is usable, responds in a timely matter, and meets the

service’s needs.

• Where these three intersection is one definition of computer security.

Cryptography

• Many argue this is the answer to our "security problems", prevention at the very least.

• Many other argue around this type of statement:– Cryptography is rarely ever the solution to a security

problem. Cryptography is a translation mechanism, usually converting a communications security problem into a key management problem and ultimately into a computer security problem. Hopefully, the resulting problem is easier to solve than the original problem. In summary, cryptography can enhance computer security; it is not a substitute for computer security.2

A little history

• In the early 90s, most said there was little need for cryptography in computer security.– It was all about the Trust Computer Base (TCB)– Monitors, discretionary and mandatory access

control, and formal verification of security models and systems

• Now, in many ways it is the other extreme.– Why has it changed?

References

• Computer Security, Dieter Gollmann, Wiley, 2003• Secrets & lies Digital Security in a Networked

World, Bruce Schneier, Wiley, 2004• Practical Cryptography, Ferguson & Schneier,

Wiley, 2003• Security in Computing, Pfleeger & Pfleeger,

Prentice Hall, 2003

QA&