1
Introduction to Computer
Security
資訊安全導論 (Introduction to Information Security)
Lecture 5
March 23, 2016
洪國寶
2
Outline
• Review
• More on user authentication
• General security principles and practices
3
Review: Biba Integrity Model
• Proposed in 1977, a lattice-based model
• The lattice as a set of integrity classes (IC) and an ordered relationship among classes
1. The Simple Integrity Axiom
States that a subject at one level of integrity is not permitted to observe (read) an object of a lower integrity
No Read Down
2. The * (Star) Integrity Axiom
States that a subject at one level of integrity is not permitted to modify (write to) an object of a higher level of integrity.
No Write Up
4
Review: Identification and
Authentication Methods
• Where you are: IP address
• Who you recognize: Passfaces
5
Password-Based Authentication
• User has a secret password. System checks it to authenticate the user.
• How is the password communicated?
– Eavesdropping risk
• How is the password stored?
– In the clear? Encrypted? Hashed?
• How does the system check the password?
• How easy is it to guess the password?
– Easy-to-remember passwords tend to be easy to guess
– Password file is difficult to keep secret
6
Rules for creating secure passwords
• Passwords should be at least six characters in length.
• Passwords should contain at least one number or
punctuation character.
• Do not use dictionary word or combinations of
dictionary words.
• Do not use common personal data.
• Never write down your password.
• Try to make your password easy to remember but
hard to guess. ■
7
Review: Single Sign-On
• Used to avoid multiple logins
• Once a subject is positively identified, authentication
information can be used within a trusted group
• Great for users since they can sign on once and use
multiple resources
• Requires additional work for administrators
• Several good SSO systems in use, Kerberos is one
example
8
Review: Kerberos
• Uses symmetric key cryptography for messages
• Provides end-to-end security
– Intermediate machines between the source and target cannot read contents of messages
• Used in distributed environments but implemented with a central server
• Includes a data repository and an authentication process
• Weaknesses include
– Single point of failure, performance bottleneck
– Session key lives on client machines for a small amount of time, can be stolen ■
9
Review: Related Methods of Attacks
• The primary purpose of attackers is to access objects
for which they do not have authorization.
• Most attacks related to access controls are designed to
bypass the controls.
• Related Methods of Attacks
– Brute force attack
– Dictionary attack
– Spoofing attack
10
Attacks on passwords
Kinds of password attacks
• Try all possible passwords (exhaustive, brute force
attack)
• Try many probable passwords
• Try likely passwords
• Search system list of passwords
• Find passwords by exploiting indiscreet users (social
engineering) ■
11
Try all possible passwords
Try all possible = exhaustive attack / brute force attack
Approach: Try all possible character combinations
Example
Suppose:
- only 26 chars (a-z) allowed in password
- password length: 8 chars
nr_of_pwds = Σ_{i=1}^{8} nr_of_i-char_pwd = Σ_{i=1}^{8} 26^i = 26^9 – 1 ≈ 5 × 10^12
If attacker’s computer checks 1 pwd/μs => 5 × 10^12 μs = 5 × 10^6 s ≈ 2 months to check all possible char combinations for a given pwd (max. exhaustive attack time)
With uniform distribution (neither good nor bad luck), expected successful attack time is ½ of max. exhaustive attack time (1 month)
Is the attack target worth such attacker’s investment?
Might be – e.g., a bank account, credit card number
12
Try all possible passwords
• Countering brute force pwd attacks – finding the minimum required pwd length to limit the probability of attack success
– Assumptions
• Passwords drawn from a 96-char alphabet
• Attacker can test G = 10^4 guesses per second
– Goal
• Find the required minimum password length s of passwords so that probability P of a successful attack is 0.5 over a 365-day guessing attack period (continued in next
slide)
• Use Blackboard
13
Try all possible passwords
• Solution
– We know that: P ≥ TG / N – probability of a successful attack
T – number of time units [sec] during which guessing occurs
G – number of guesses per time unit [sec]
N – number of possible passwords
P ≥ TG / N => N ≥ TG / P
– Calculations: N ≥ TG / P = (365 days × 24 hrs × 60 min × 60 s) × 10^4 / 0.5 = 6.31 × 10^11
Choose password length s such that at least N passwords are possible, i.e.
Σ_{j=1}^{s} 96^j ≥ N = 6.31 × 10^11
(96 1-char “words” + 96^2 2-char “words” + … + 96^s s-char “words”)
=> s ≥ 6
i.e., passwords must be at least 6 chars long
14
Try many probable passwords
Can reduce expected successful attack time by checking most probable
char combinations for a pwd first:
Check short passwords first
Check common words, etc. first
Example – check short passwords first
People prefer short passwords => check passwords of length ≤ k
Assume 1 password checked per μs
k=3: 26^1 + 26^2 + 26^3 = 18,278 possible pwds
=> 18,278 μs ≈ 18.3 ms to check all combinations
k=4: ... = 475,254 μs ≈ 475 ms ≈ 0.5 s
k=5: ... = 12,356,630 μs ≈ 12,356 ms ≈ 12.4 s (continued in next slide)
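The three calculations on slides 11, 13 and 14 (exhaustive keyspace, minimum length from the N ≥ TG/P bound, and the short-password sweep) as one added Python example; this is editor-written code, not part of the lecture. keyspace() is the exact sum Σ_{i=1}^{k} a^i. Note that for 26 letters up to length 8 the exact count is (26^9 − 26)/25 ≈ 2.2 × 10^11, so the slide's 26^9 − 1 ≈ 5 × 10^12 is an upper bound; at one guess per μs the exact sweep takes about 2.5 days rather than 2 months. The function and parameter names are my own.

```python
# Added example: password keyspace and guessing-time arithmetic from slides 11, 13, 14.

def keyspace(alphabet_size: int, max_len: int, min_len: int = 1) -> int:
    """Exact number of passwords of length min_len..max_len over an alphabet."""
    return sum(alphabet_size ** i for i in range(min_len, max_len + 1))


def exhaustive_seconds(alphabet_size: int, max_len: int, guesses_per_second: float) -> float:
    """Worst-case time to try every password (slide 11: max. exhaustive attack time)."""
    return keyspace(alphabet_size, max_len) / guesses_per_second


def expected_seconds(alphabet_size: int, max_len: int, guesses_per_second: float) -> float:
    """Expected time for a uniformly chosen password: half the exhaustive time."""
    return exhaustive_seconds(alphabet_size, max_len, guesses_per_second) / 2


def min_length_for_probability(alphabet_size: int, guesses_per_second: float,
                               period_seconds: float, target_probability: float) -> int:
    """Smallest length s such that sum_{j=1}^{s} alphabet^j >= T*G/P (slide 13).

    T*G is the number of guesses the attacker can make in the period; requiring
    N >= T*G/P caps the success probability of that guessing campaign at P.
    """
    required = period_seconds * guesses_per_second / target_probability
    s = 1
    while keyspace(alphabet_size, s) < required:
        s += 1
    return s


def short_password_sweep_seconds(alphabet_size: int, k: int, guesses_per_second: float) -> float:
    """Time to try every password of length <= k (slide 14: check short passwords first)."""
    return keyspace(alphabet_size, k) / guesses_per_second


if __name__ == "__main__":
    one_per_us = 1e6
    print("26-letter, length<=8 keyspace:", keyspace(26, 8))
    print("exhaustive days at 1 guess/us:", exhaustive_seconds(26, 8, one_per_us) / 86400)
    print("min length, 96 chars, 1e4 guesses/s, 1 year, P=0.5:",
          min_length_for_probability(96, 1e4, 365 * 24 * 3600, 0.5))
    for k in (3, 4, 5):
        print(f"k={k}: {keyspace(26, k)} pwds, {short_password_sweep_seconds(26, k, one_per_us):.4f} s")
```

The policy use of this arithmetic is the inverse direction shown by min_length_for_probability(): fix the attacker's guess rate and campaign length, pick an acceptable success probability, and derive the minimum length (and alphabet) the password rules must require.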
15
Try many probable passwords
Expected time can be further reduced
because people use common words rather than random char
combinations
• E.g., prefer ‘jenny’ or ‘beer’ to ‘vprw’ or ‘qipd’
=> attacker can use spell checker dictionaries
=> dictionary attack
Limiting success of attacks on short passwords:
– ATM swallows the cash card after k bad attempts of entering the PIN
code (extremely short 4-digit code! Only 10,000 combinations)
– Computer locks up after n tries (e.g. freezes the attacked account) ■
16
Attacks on passwords (summary)
12 steps an attacker might try (start with ‘most probable’ guesses)
1. No password
2. Same as user ID
3. User’s name or derived from it
4. Common word list plus common names and patterns
E.g. common patterns: ‘asdfg’ (consecutive keyboard keys), ‘aaaa’
5. Short college dictionary
6. Complete English word list
7. Common non-English language dictionaries
8. Short college dictionary with capitalizations & substitutions E.g. PaSsWoRd, pa$$w0rd
Substitutions include: a -> @, e -> 3, i/l -> 1, o -> 0, s -> $, ...
9. Complete English with capitalization and substitutions
10. Common non-English dictionaries with capitalization and substitutions
11. Brute force, lowercase alphabetic characters
12. Brute force, full character set ■
17
Outline
• Review
• More on user authentication
• General security principles and practices
18
Graphical Passwords
• Images are easy for humans to remember
– Especially if you invent a memorable story to go along
with the images
• Dictionary attacks on graphical passwords are
believed to be difficult
– Images are very “random”
• Still not a perfect solution
– Need infrastructure for displaying and storing images
– Shoulder surfing ■
19
One time Passwords
Use blackboard
20
Challenge-Response Authentication
• User and system share a secret key
• Challenge: system presents user with some string
• Response: user computes response based on secret key
and challenge
– Secrecy: difficult to recover key from response
• One-way hashing or symmetric encryption work well
– Freshness: if challenge is fresh and unpredictable, attacker on
the network cannot replay an old response
• For example, use a fresh random number for each challenge
• Good for systems with pre-installed secret keys ■
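The challenge-response exchange described above, as an added Python example that is not part of the lecture: the shared key is assumed to be pre-installed on both sides, the "one-way hashing" option from the slide is realised with HMAC-SHA256, and freshness comes from a 128-bit random challenge that the server accepts exactly once. The class and function names are my own.

```python
# Added example: challenge-response authentication with a shared secret key.
import hashlib
import hmac
import secrets


class ChallengeResponseServer:
    def __init__(self, shared_keys):
        self.shared_keys = shared_keys   # user -> pre-installed secret key (assumed)
        self.pending = {}                # user -> outstanding challenge (one at a time)

    def issue_challenge(self, user: str) -> bytes:
        # Freshness: 128 random bits, unpredictable and never reused.
        challenge = secrets.token_bytes(16)
        self.pending[user] = challenge
        return challenge

    def verify(self, user: str, challenge: bytes, response: bytes) -> bool:
        key = self.shared_keys.get(user)
        expected_challenge = self.pending.pop(user, None)   # single use: pop, never re-check
        if key is None or expected_challenge is None:
            return False
        if not hmac.compare_digest(expected_challenge, challenge):
            return False
        # Secrecy: HMAC is one-way, so the response does not reveal the key.
        expected_response = hmac.new(key, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected_response, response)


def client_response(key: bytes, challenge: bytes) -> bytes:
    """User side: respond with HMAC(key, challenge)."""
    return hmac.new(key, challenge, hashlib.sha256).digest()


def demo_exchange():
    """Returns (fresh exchange accepted, replay rejected, stale response rejected)."""
    key = b"constructed-pre-installed-key"        # constructed sample key
    server = ChallengeResponseServer({"alice": key})

    c1 = server.issue_challenge("alice")
    r1 = client_response(key, c1)
    fresh_ok = server.verify("alice", c1, r1)

    replay = server.verify("alice", c1, r1)       # eavesdropper replays captured (c1, r1)

    c2 = server.issue_challenge("alice")
    stale = server.verify("alice", c2, r1)        # old response against a new challenge
    return fresh_ok, replay, stale


if __name__ == "__main__":
    print(demo_exchange())   # (True, False, False)
```

Two details carry the security argument: the challenge is popped from the pending table before it is compared, so a captured (challenge, response) pair cannot be accepted twice, and all comparisons use hmac.compare_digest to avoid timing side channels on the verification.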
21
The Brain Deals with Faces
Differently than Any Other Image
Face recognition is a dedicated process which is different from general object recognition.
Source: Face Recognition: A Literature Survey.
National Institute of Standards and Technology
22
Recognition-Based Authentication
• Passfaces represents a new, 4th class of authentication:
Cognometrics
Recognition-Based Authentication
• http://www.realuser.com/
23
Advantages to using Passfaces over
passwords
• Can’t be written down or copied
• Can’t be given to another person
• Can’t be guessed
• Involve cognitive not memory skills (see next slide for more
detail)
• Can be used as a single or part of a dual form of
authentication
24
Recall vs. Recognize
Passwords: you must RECALL a password. Faces: you simply RECOGNIZE a face.
Remember high school… what kind of test did you prefer?
Fill in the blank (recall) vs. multiple choice (recognition)
25
Preference-based authentication
Intuition:
• preferences are more stable than long-term memory
(confirmed by psychology research)
• preferences are rarely documented (in contrast to city
of birth, brand of first car, etc.) … especially dislikes!
26
Approach (1/2)
Demo at Blue-Moon-Authentication.com, info at I-forgot-my-password.com
27
Approach (2/2)
28
Enhanced User Authentication
Techniques
• RSA Laboratories
– Life Question Authentication
– Authentication by Vouching
– Error Tolerant Authentication Protocols
– Protecting Sensitive Data with Secret Splitting – Nightingale
29
Authentication by Vouching (1/3)
• Vouching involves the leveraging of human relationships for
the purpose of online authentication.
• Suppose two parties, Alice and Bob, know each other well.
When Alice asserts that Bob is indeed Bob, we say that Alice
vouches for Bob's identity.
– This gives Bob a means of authenticating himself to those who trust
Alice to vouch for him.
• RSA Laboratories has proposed a secure vouching protocol for
backup authentication.
• Fourth category of authentication mechanisms: someone you
know.
30
Authentication by Vouching (2/3)
• Vouching provides an attractive alternative to help desk backup authentication.
• Often, the token-less user can easily get in contact with a colleague who can recognize him and vouch for his identity.
• The existing relationship between this "User" and a "Helper", combined with the ability of the Helper to authenticate normally to the system, can be leveraged to prove the authenticity of the User to the system as well.
31
Authentication by Vouching (3/3)
• RSA Laboratories has proposed a secure vouching
protocol for backup authentication.
• Expressed succinctly, the vouching process involves a
User asking a pre-registered Helper to authenticate
(himself) to the system, obtain a one-time code from the server, and
communicate it to the User.
• This code will assist the User in the backup
authentication process.
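A sketch of the vouching flow on the three slides above, as an added Python example; it is editor-written and is not RSA Laboratories' protocol. It assumes the Helper has already authenticated normally (the caller passes the authenticated helper's name), that Helper/User pairs are pre-registered, and that the server stores only a hash of the one-time code, which is short-lived and single-use. Names such as VouchingServer and CODE_TTL_SECONDS are my own.

```python
# Added example: server side of a backup-authentication vouching code.
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300   # assumed lifetime of a vouch code


class VouchingServer:
    def __init__(self, helpers_for):
        self.helpers_for = helpers_for   # user -> set of pre-registered Helpers
        self.codes = {}                  # user -> (sha256(code), helper, expires_at)

    def issue_vouch_code(self, authenticated_helper: str, user: str, now=None):
        """Helper (already authenticated) asks for a one-time code for User."""
        now = time.time() if now is None else now
        if authenticated_helper not in self.helpers_for.get(user, set()):
            return None                  # not a registered Helper for this User
        code = f"{secrets.randbelow(10**8):08d}"
        digest = hashlib.sha256(code.encode()).digest()
        self.codes[user] = (digest, authenticated_helper, now + CODE_TTL_SECONDS)
        return code                      # communicated out of band to the User

    def redeem(self, user: str, code: str, now=None) -> bool:
        """User presents the code to complete backup authentication."""
        now = time.time() if now is None else now
        record = self.codes.pop(user, None)   # single use, whether or not it matches
        if record is None:
            return False
        digest, _helper, expires_at = record
        if now > expires_at:
            return False
        return hmac.compare_digest(digest, hashlib.sha256(code.encode()).digest())


def demo(now: float = 1_000_000.0):
    """Returns (stranger refused, valid code accepted, replay refused, expired refused)."""
    server = VouchingServer({"user": {"helper"}})          # constructed registration
    stranger = server.issue_vouch_code("stranger", "user", now)
    code = server.issue_vouch_code("helper", "user", now)
    ok = server.redeem("user", code, now + 60)
    replay = server.redeem("user", code, now + 61)
    late = server.issue_vouch_code("helper", "user", now)
    expired = server.redeem("user", late, now + CODE_TTL_SECONDS + 1)
    return stranger is None, ok, replay, expired


if __name__ == "__main__":
    print(demo())   # (True, True, False, False)
```

Keeping the Helper's name in the stored record gives the audit trail the help-desk alternative would otherwise provide: every backup login can be traced to the person who vouched for it.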
32
Understanding Social
Engineering
• Social engineering is an attack that depends on
convincing an authorized user to disclose information
or perform an unauthorized act
• A social engineer is a person who will deceive or con
others into divulging information that they wouldn’t
normally share.
• Deterrence requires user education and depends on
making security policies explicit and known to all
employees ■
33
Social Engineering
• Social engineering preys on qualities of human nature:
– the desire to be helpful
– the tendency to trust people
– the fear of getting into trouble
• A truly successful social engineer receives
information without raising any suspicion as to what
they are doing.
• Human-based
• Computer-based ■
34
Human-based
• Impersonation - case studies indicate that Help
desks are the most frequent targets of social
engineering attacks
• Important user - A common ploy is to pretend to be not
only an employee, but a vice president (continued in next
slide) ■
35
Human-based
• Third-party authorization - the social engineer may
have obtained the name of someone in the
organization who has the authority to grant access to
information
• Tech support - social engineer pretends to be
someone from the infrastructure support groups
– System is having a problem
– Needs them to log on to test the connection (continued
in next slide)■
36
Human-based
• In person - the social engineer may enter the building and
pretend to be an employee, guest or Service personnel
– May be dressed in a uniform
– Allowed to roam
– Become part of the cleaning crew
• Dumpster diving
• Shoulder surfing ■
37
Computer-based
• Popup windows - A window will appear on the
screen telling the user he has lost his network
connection and needs to re-enter his user name and
password
• A program will then e-mail the intruder with the
information ■
38
Computer-based
• Mail attachments - programs can be hidden in E-
mail attachments (see next two slides for examples)
– Viruses
– Worms
– “I love you” ■
39
Sample E-Mail…. (This has a virus attached!)
Subject: Notify about your e-mail account utilization.
From: [email protected]
Dear user of Arizona.edu gateway e-mail server,
Your e-mail account will be disabled because of improper using
in next three days, if you are still wishing to use it, please, resign
your account information.
For further details see the attach. For security reasons attached
file is password protected. The password is "03406".
Best wishes,
The Arizona.edu team
http://www.arizona.edu
40
41
Computer-based
• Spam, chain letters and hoaxes - these all rely on social
engineering to be spread.
– While they do not usually cause damage, they do cause a loss of
productivity. They use valuable network resources.
• Websites - A common ploy is to offer something free or a
chance to win a sweepstakes on a Website.
– To win requires an e-mail address and password. ■
42
Computer-based
• Social Engineering, the USB Way
– http://www.darkreading.com/document.asp?doc_id=95556
• We recently got hired by a credit union to assess the security of its network. The client asked that we really push hard on the social engineering button. In the past, they'd had problems with employees sharing passwords and giving up information easily.
• We gathered all the worthless vendor giveaway thumb drives collected over the years and imprinted them with our own special piece of software.
• I had one of my guys write a Trojan that, when run, would collect passwords, logins and machine-specific information from the user’s computer, and then email the findings back to us.
• I then proceeded to scatter the drives in the parking lot, smoking areas, and other areas employees frequented. (continued in next slide)■
43
Computer-based
• After about three days, we figured we had collected enough data. When I started to review our findings, I was amazed at the results.
– Of the 20 USB drives we planted, 15 were found by employees, and all had been plugged into company computers.
– The data we obtained helped us to compromise additional systems, and the best part of the whole scheme was its convenience.
– We never broke a sweat. Everything that needed to happen did, and in a way it was completely transparent to the users, the network, and credit union management.
• Of all the social engineering efforts we have performed over the years, I always had to worry about being caught, getting detained by the police, or not getting anything of value. The USB route is really the way to go. With the exception of possibly getting caught when seeding the facility, my chances of having a problem are reduced significantly. ■
44
Recognize the Signs
• Refusal to give contact information
• Rushing
• Name-dropping
• Intimidation
• Small mistakes
• Requesting forbidden information
• “I cannot be contacted”
• “I’m on my cell phone and the battery is about to die”
• The number they give you is a “call out only” number ■
45
Protecting passwords
• Remember that passwords are sensitive. A password
for your personal account should be known ONLY to
you
• Systems administrators or maintenance technicians
who need to do something to your account will not
require your password. ■
46
The latest scam is called PHISHING
47
Phishing
• Not a virus, but ways to trick you into giving up personal information
• See http://www.antiphishing.org for a lot of examples
• Symantec observed that online fraud has steadily increased and become more sophisticated. Much of this activity arrived in the form of phishing.
– Symantec observes more than 7 million total phishing attempts each day.
– Nine of the top 10 phished brands were financial institutions. Attacks against this sector are most likely to produce the greatest monetary gain for attackers.
– Phishers are innovating and embracing new techniques, such as vishing (voice counterpart to phishing) and SMishing (mobile
phone counterpart to phishing). ■
48
Example of phishing: EBAY
49
EBAY
50
EBAY
51
EBAY
52
Phishing
The following are a few tips to immediately recognize an Email scam:
• Request to change password
• Request for money
• All caps in header, subject line, address or somewhere else prominent in email
• "Re" in an email that is not a response to another e-mail
• Messages from overseas, particularly anything from a country one has never visited
• Request for personal information
• Offer of a free gift. (There are no free gifts on the Internet)
• Anything that says "click here," particularly to see a video, picture or article
• Emails from a known person addressing you differently than they have before (e.g., Robert rather than Bob) ■
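The warning signs listed above, turned into detection logic and run over two constructed messages, as an added Python example (not part of the lecture). The samples, the rule thresholds (e.g. the 70% upper-case ratio) and the function names are my own assumptions; the signs themselves are the slide's.

```python
# Added example: heuristic checks for the e-mail scam signs on slide 52.
import re

# Constructed sample messages as (headers, body) pairs; not real mail.
SAMPLES = {
    "scam": (
        {"From": "admin@example.test", "Subject": "RE: URGENT ACCOUNT NOTICE"},
        "Your account will be disabled. Please click here to resign your password "
        "and claim your free gift.",
    ),
    "normal": (
        {"From": "bob@example.test", "Subject": "Re: lunch tomorrow?",
         "In-Reply-To": "<abc@example.test>"},
        "Sounds good, see you at noon.",
    ),
}


def caps_ratio(text: str) -> float:
    """Fraction of letters that are upper case (0.0 for text without letters)."""
    letters = [c for c in text if c.isalpha()]
    if not letters:
        return 0.0
    return sum(c.isupper() for c in letters) / len(letters)


def phishing_indicators(headers: dict, body: str) -> list:
    """Return the slide-52 warning signs that fire for one message."""
    hits = []
    subject = headers.get("Subject", "")
    lower = body.lower()

    # "Re" in an e-mail that is not actually a reply (no threading headers).
    if subject.lower().startswith("re:") and "In-Reply-To" not in headers \
            and "References" not in headers:
        hits.append("'Re' without being a reply")
    # All caps in the subject line (threshold is an assumption).
    if len(subject) >= 8 and caps_ratio(subject) > 0.7:
        hits.append("all caps in subject line")
    # Request to change/confirm a password.
    if re.search(r"\bpassword\b", lower) and \
            re.search(r"\b(change|reset|confirm|re-?enter|resign)\b", lower):
        hits.append("request to change/confirm password")
    if "click here" in lower:
        hits.append("'click here'")
    if re.search(r"\bfree\s+gift\b", lower):
        hits.append("offer of a free gift")
    if re.search(r"\b(account number|social security|date of birth|credit card)\b", lower):
        hits.append("request for personal information")
    if re.search(r"\b(wire|send|transfer)\b.*\b(money|funds)\b", lower):
        hits.append("request for money")
    return hits


if __name__ == "__main__":
    for name, (hdrs, body) in SAMPLES.items():
        print(name, "->", phishing_indicators(hdrs, body))
```

Such rules are a triage aid for users and mail filters, not a verdict: a real reply with an all-caps subject will trip one rule, which is why the function reports the list of signs rather than a single yes/no.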
53
Outline
• Review
• More on user authentication
• General security principles and practices
– Common Security Principles
– Security Policies
– Security Administration Tools
– Physical Security
– Personnel Security
54
General Security Principles and Practices
• Common Security Principles
• Security Policies
• Security Administration Tools
• Physical Security
• Personnel Security
55
Common Security Principles
• Information security is not new; many principles come from the military and commercial fields. The following list is taken from “Writing Secure Code”
– Learn from mistakes
– Minimize your attack surface
– Use defense in depth
– Use least privilege
– Employ secure defaults
– Remember that backward compatibility will always give you grief
– Assume external systems are insecure
– Plan on failure
– Fail to a secure mode
– Remember that security features != secure features
– Never depend on security through obscurity alone
– Don't mix code and data
– Fix security issues correctly ■
56
Common Security Principles
(continued)
Separation of Privileges Principle
• No single person should have enough authority to cause a critical event to happen
• Many examples from outside of computing, e.g., two keys needed to launch a missile
• Tradeoff between security gained and manpower required to achieve it
• CIO should not have access to all systems
• DBA should not have access to encryption key
• Example:
– An accountant with the privilege to write checks as well as balance the business’s accounts is a potential for abuse ■
57
Common Security Principles
(continued)
Least Privilege Principle
• An individual should have only the minimum level of access controls necessary to carry out job functions
• A common violation of this principle occurs because of administrator inattention
– Users are placed in groups that are too broad
• Another common violation occurs because of privilege creep
– Users are granted new privileges when they change roles without reviewing existing privileges ■
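The separation of privileges and least privilege principles from the two slides above, as an added Python example of an authorization check; this is editor-written code, not from the lecture or any product. It assumes a small role-to-permission table, a dual-control rule that a check needs two distinct approvers neither of whom is the requester, and a review function that flags users holding both halves of a separated duty (the slide's accountant who can both write and balance). All names and the sample users are constructed.

```python
# Added example: dual control (separation of privileges) and a least-privilege review.

ROLE_PERMISSIONS = {                       # constructed role -> permissions table
    "clerk":      {"check:write"},
    "controller": {"check:approve"},
    "auditor":    {"ledger:reconcile"},
}

USERS = {                                  # constructed user -> roles table
    "ann": {"clerk"},
    "ben": {"controller"},
    "cy":  {"controller"},
    "dee": {"clerk", "controller"},        # privilege creep: kept clerk role after promotion
}


def permissions(user: str) -> set:
    """Union of the permissions of all roles held by the user."""
    return set().union(*(ROLE_PERMISSIONS[r] for r in USERS.get(user, set())))


def is_allowed(user: str, permission: str) -> bool:
    return permission in permissions(user)


def check_payment(requester: str, approvers, required_approvals: int = 2):
    """Dual control: no single person can cause the critical event.

    Returns (allowed, reason). Approvers must be distinct, must hold
    check:approve, and must not include the requester.
    """
    if not is_allowed(requester, "check:write"):
        return False, "requester lacks check:write"
    distinct = set(approvers)
    if requester in distinct:
        return False, "requester may not approve own check"
    if len(distinct) < required_approvals:
        return False, f"needs {required_approvals} distinct approvers"
    for approver in sorted(distinct):
        if not is_allowed(approver, "check:approve"):
            return False, f"{approver} lacks check:approve"
    return True, "approved"


SEPARATED_DUTIES = (("check:write", "check:approve"),)


def toxic_combinations(user: str, pairs=SEPARATED_DUTIES) -> list:
    """Least-privilege review: pairs of separated permissions one user holds together."""
    held = permissions(user)
    return [pair for pair in pairs if set(pair) <= held]


if __name__ == "__main__":
    print(check_payment("ann", ["ben", "cy"]))     # (True, 'approved')
    print(check_payment("dee", ["dee", "ben"]))    # requester cannot self-approve
    for u in USERS:
        print(u, toxic_combinations(u))            # only dee is flagged
```

Running toxic_combinations() over every account is the periodic review the least-privilege slide calls for: it catches the broad group memberships and privilege creep that administrator inattention leaves behind, independently of whether any request has yet abused them.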
58
Common Security Principles
(continued)
Defense in Depth Principle
• Defenses should be layered
• Layers begin with points of access to a network and
continue with cascading security at bottleneck points
■
59
Defense in Depth
60
Common Security Principles
(continued)
Security through Obscurity
• In early days of computing, administrators depended
upon secrecy about the security that was in place
• No longer very effective in most cases because so
much information is freely available ■
61
General Security Principles and Practices
• Common Security Principles
• Security Policies
• Security Administration Tools
• Physical Security
• Personnel Security
62
Security Policies
• Goal is to have clearly defined security objectives to
– Design specific controls
– Keep users informed of expected behavior
• A security policy should be a written document
– Available to all users of an organizational information
system
• Security policies range from single documents to
multiple documents for specialized use or for specific
groups of users ■
63
Types of Security Policies
• acceptable use policy
• backup policy
• confidentiality policy
• data retention policy
• wireless device policy ■
64
Acceptable Use Policy
• Defines allowable uses of an organization’s
information resources
• Must be specific enough to guide user activity but
flexible enough to cover unanticipated situations
• Should answer key questions
– What activities are acceptable?
– What activities are not acceptable?
– Where can users get more information as needed?
– What to do if violations are suspected or have occurred? ■
65
Backup Policy
• Data backups protect against corruption and loss of
data
– To support the integrity and availability goals of security
• Backup policy should answer key questions
– What data should be backed up and how?
– Where should backups be stored?
– Who should have access?
– How long should backups be retained?
– How often can backup media be reused? ■
66
Confidentiality Policy
• Outlines procedures used to safeguard sensitive information
• Should cover all means of information dissemination including telephone, print, verbal, and computer
• Questions include
– What data is confidential and how should it be handled?
– How is confidential information released?
– What happens if information is released in violation of the policy?
• Employees may be asked to sign nondisclosure agreements ■
67
Data Retention Policy
• Defines categories of data
– Different categories may have different protections under
the policy
• For each category, defines minimum retention time
– Time may be mandated by law, regulation, or business
needs, e.g., financial information related to taxes must be
retained for 7 years
• For each category, defines maximum retention time
– This time may also be mandated by law, regulation, or
business needs
– Common in personal privacy areas ■
68
Wireless Device Policy
• Includes mobile phones, PDAs, palm computers
• Users often bring personal devices to the workplace
• Policy should define
– Types of equipment that can be purchased by the
organization
– Type of personal equipment that may be brought into the
facility
– Permissible activities
– Approval authorities for exceptions ■
69
Implementing Policy
• A major challenge for information security
professionals
• Includes processes of developing and maintaining the
policies themselves as well as ensuring their
acceptance and use within the organization
• Activities related to policy implementation are often
ongoing within an organization ■
70
Developing Policies
• In any but the smallest organization, a team approach should be employed
– Include members from different departments or functional elements within the organization
• Commonly, a high-level list of business objectives is first developed
• The second step is to determine the documents that must be written to achieve objectives
• These steps are followed by document drafts until consensus is achieved ■
71
Building Consensus
• Once consensus is reached among the development
committee, consensus must be spread throughout the
organization (“selling” the policies)
• Important because employees who are not on board
may bypass the security policies, leaving the
information system vulnerable
• Often the policies are promoted and advertised by
senior management ■
72
Education
• Includes education and training programs for affected
employees
• Users should be aware of their responsibilities with
regard to policies
• Two types of training
– Initial training is a one-time program early in an
employee’s tenure with company
– Refresher training should be done periodically to
• Remind employees of their responsibilities
• Provide employees with updates of policies and technologies that
affect their responsibilities ■
73
Enforcement and Maintenance
• Policies should define responsibilities for
– Reporting violations
– Procedures when violations occur
• Policies should be strictly enforced
• Policy changes occur as companies and technologies
change
• Policies should contain provisions for modification
through maintenance procedures
– Common to have periodic reviews mandated ■
74
General Security Principles and Practices
• Common Security Principles
• Security Policies
• Security Administration Tools
• Physical Security
• Personnel Security
75
Security Administration Tools
• Tools that help with consistent application and
enforcement of security policy
• Security checklists
– Security professionals should review all checklists used in
an organization for compliance with security procedures
– Security professionals may develop their own checklists for
security-specific tasks
• Security matrices
– Used in development of security policies and
implementation of particular procedures
– Helps focus amount of attention paid to particular goals ■
76
Sample Security Matrices
77
General Security Principles and Practices
• Common Security Principles
• Security Policies
• Security Administration Tools
• Physical Security
• Personnel Security
78
Physical Security
• Ensures that people cannot gain physical access to a facility where they can manipulate information resources
• Ensures that data resources are protected from natural disasters such as fires and floods
• Many large organizations have separate professionals for physical security
• Three common categories of physical security issues
– Perimeter protection
– Electronic emanations
– Fire protection ■
79
Perimeter Protection/Access Controls
• On the perimeter of a facility you can use
– Fences
– Lighting
– Motion detectors
– Dogs
– Patrols
• Remember the defense in depth principle
– For example, use fences around the facility and biometrics
for specific offices within a facility ■
80
Electronic Emanations and Fire Protection
• Electronic devices emit electromagnetic radiation
– Emanations can be picked up and interpreted outside
facility
– Equipment is available to block interception but it is costly
and bulky, sometimes used by government facilities
• Fire protection requires detection and suppression
systems
– Often dictated by building codes
– Suppression systems include sprinklers, chemicals, and fire
extinguishers ■
81
General Security Principles and Practices
• Common Security Principles
• Security Policies
• Security Administration Tools
• Physical Security
• Personnel Security
82
Personnel Security
• People are the weakest link in a security system
• Perform background investigations
– Can include criminal record checks, reference evaluations
• Monitor employee activity
– Can include monitoring Internet activity, surveillance
cameras, telephone recording
• Mandatory vacations
• Exit procedures for employees leaving the company
– Remind employees of any nondisclosure agreements ■
83
Questions?