
Page 1: Introduction to Computer Security (ailab.cs.nchu.edu.tw/course/IntroNetworkSecurity/104-2/IS05.pdf)

Introduction to Computer Security (資訊安全導論)

Lecture 5, March 23, 2016

洪國寶

Page 2

Outline

• Review

• More on user authentication

• General security principles and practices

Page 3

Review: Biba Integrity Model

• Proposed in 1977, a lattice-based model

• The lattice is a set of integrity classes (IC) with an ordered relationship among the classes

1. The Simple Integrity Axiom states that a subject at one level of integrity is not permitted to observe (read) an object of lower integrity: No Read Down

2. The * (Star) Integrity Axiom states that a subject at one level of integrity is not permitted to modify (write to) an object of a higher level of integrity: No Write Up

Page 4

Review: Identification and Authentication Methods

• Where you are: IP address

• Who you recognize: Passfaces

Page 5

Password-Based Authentication

• User has a secret password. System checks it to authenticate the user.

• How is the password communicated?

– Eavesdropping risk

• How is the password stored?

– In the clear? Encrypted? Hashed?

• How does the system check the password?

• How easy is it to guess the password?

– Easy-to-remember passwords tend to be easy to guess

– Password file is difficult to keep secret
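The storage and checking questions above, worked through as an added example that is not part of the lecture slides: passwords are stored as salted PBKDF2-SHA256 hashes rather than in the clear, and checked with a constant-time comparison. The function names, the iteration count and the dummy-record trick for unknown user names are this example's own choices, not anything the slides specify.

```python
import hashlib
import hmac
import os
from typing import Any, Dict, Optional

# Added example, not from the lecture: keep passwords as salted, iterated hashes
# (never in the clear) and check them without leaking timing information.
# The iteration count and salt length are illustrative choices, not a standard.
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> Dict[str, Any]:
    """Derive a storable record {alg, iterations, salt, key}; no cleartext is kept."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # per-user random salt: same password, different record
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return {"alg": "pbkdf2-sha256", "iterations": PBKDF2_ITERATIONS, "salt": salt, "key": key}


def verify_password(record: Dict[str, Any], candidate: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    key = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(key, record["key"])


# Precomputed record for unknown user names, so a login attempt against a
# non-existent account costs the same time as one against a real account.
_DUMMY_RECORD = hash_password("dummy-password-for-unknown-users")


def register(store: Dict[str, Dict[str, Any]], user: str, password: str) -> None:
    store[user] = hash_password(password)


def login(store: Dict[str, Dict[str, Any]], user: str, candidate: str) -> bool:
    """Authenticate; unknown users take the same code path as wrong passwords."""
    record = store.get(user)
    if record is None:
        verify_password(_DUMMY_RECORD, candidate)  # burn the same time, then refuse
        return False
    return verify_password(record, candidate)


if __name__ == "__main__":
    users: Dict[str, Dict[str, Any]] = {}
    register(users, "alice", "correct horse battery")
    print(login(users, "alice", "correct horse battery"))  # True
    print(login(users, "alice", "wrong"))                  # False
    print(login(users, "mallory", "anything"))             # False
```

Because each record carries its own random salt, two users with the same password get different hashes, so a stolen password file cannot be attacked with one precomputed table; the per-guess cost is set by the iteration count, which is what the guesses-per-second figure in the later slides ultimately depends on.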

Page 6

Rules for creating secure passwords

• Passwords should be at least six characters in length.

• Passwords should contain at least one number or punctuation character.

• Do not use dictionary words or combinations of dictionary words.

• Do not use common personal data.

• Never write down your password.

• Try to make your password easy to remember but hard to guess. ■

Page 7

Review: Single Sign-On

• Used to avoid multiple logins

• Once a subject is positively identified, authentication information can be used within a trusted group

• Great for users since they can sign on once and use multiple resources

• Requires additional work for administrators

• Several good SSO systems are in use; Kerberos is one example

Page 8

Review: Kerberos

• Uses symmetric key cryptography for messages

• Provides end-to-end security

– Intermediate machines between the source and target cannot read the contents of messages

• Used in distributed environments but implemented with a central server

• Includes a data repository and an authentication process

• Weaknesses include

– Single point of failure, performance bottleneck

– Session key lives on client machines for a small amount of time and can be stolen ■

Page 9

Review: Related Methods of Attacks

• The primary purpose of attackers is to access objects for which they do not have authorization.

• Most attacks related to access controls are designed to bypass the controls.

• Related methods of attacks

– Brute force attack

– Dictionary attack

– Spoofing attack

Page 10

Attacks on passwords

Kinds of password attacks

• Try all possible passwords (exhaustive, brute force attack)

• Try many probable passwords

• Try likely passwords

• Search system list of passwords

• Find passwords by exploiting indiscreet users (social engineering) ■

Page 11

Try all possible passwords

Try all possible = exhaustive attack / brute force attack

Approach: try all possible character combinations

Example

Suppose only the 26 characters a-z are allowed in a password and the password length is 8 characters. The number of possible passwords is

$N = \sum_{i=1}^{8} (\text{number of } i\text{-char passwords}) = \sum_{i=1}^{8} 26^i = 26^9 - 1 \approx 5 \times 10^{12}$

If the attacker's computer checks 1 password per μs, then $5 \times 10^{12}\ \mu\text{s} = 5 \times 10^{6}$ s ≈ 2 months to check all possible character combinations for a given password (maximum exhaustive attack time)

With a uniform distribution (neither good nor bad luck), the expected time to a successful attack is half of the maximum exhaustive attack time (1 month)

Is the attack target worth such an investment by the attacker?

It might be – e.g., a bank account or credit card number

Page 12

Try all possible passwords

• Countering brute force password attacks: finding the minimum required password length to limit the probability of attack success

– Assumptions

• Passwords are drawn from a 96-character alphabet

• The attacker can test $G = 10^4$ guesses per second

– Goal

• Find the minimum password length s such that the probability P of a successful attack is 0.5 over a 365-day guessing attack period (continued in next slide)

• Use Blackboard

Page 13

Try all possible passwords

• Solution

– We know that $P \geq \dfrac{TG}{N}$, where

P - probability of a successful attack

T - number of time units [sec] during which guessing occurs

G - number of guesses per time unit [sec]

N - number of possible passwords

$P \geq \dfrac{TG}{N} \;\Rightarrow\; N \geq \dfrac{TG}{P}$

– Calculations:

$N \geq \dfrac{TG}{P} = \dfrac{(365 \cdot 24 \cdot 60 \cdot 60) \cdot 10^4}{0.5} = 6.31 \times 10^{11}$

Choose the password length s such that at least N passwords are possible, i.e.

$\sum_{j=1}^{s} 96^j \geq N = 6.31 \times 10^{11}$

(96 1-char "words" + $96^2$ 2-char "words" + … + $96^s$ s-char "words")

$\Rightarrow s \geq 6$

i.e., passwords must be at least 6 characters long

Page 14

Try many probable passwords

The expected successful attack time can be reduced by checking the most probable character combinations for a password first:

Check short passwords first

Check common words, etc. first

Example – check short passwords first

People prefer short passwords => check passwords of length ≤ k

Assume 1 password checked per μs

k=3: $26^1 + 26^2 + 26^3 = 18{,}278$ possible passwords

=> 18,278 μs ≈ 18.3 ms to check all combinations

k=4: ... ≈ 475 ms ≈ 0.5 s

k=5: ... ≈ 12,356 ms ≈ 12.4 s (continued in next slide)
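The three calculations on the exhaustive-attack slides (the 26-letter length-8 space, the minimum length for a 96-character alphabet at $G = 10^4$ guesses/s over 365 days with P = 0.5, and the k = 3, 4, 5 timings), as an added example that is not part of the lecture; the function names are this example's own. It computes the geometric sum exactly: $\sum_{i=1}^{8} 26^i = (26^9 - 26)/25 \approx 2.2 \times 10^{11}$, so the slide's figure of about $26^9 \approx 5 \times 10^{12}$ is an upper bound roughly 25 times larger, and the exhaustive time at one guess per microsecond comes out at about 2.5 days rather than 2 months. The minimum-length result (s = 6) and the k = 3..5 timings match the slides.

```python
# Added example, not from the lecture: the password-space arithmetic behind the
# exhaustive-attack slides, computed exactly. It covers the 26-letter, length-8
# case, the minimum-length calculation (96-character alphabet, G = 10^4 guesses/s,
# 365 days, P = 0.5) and the "short passwords first" timings.


def password_space(alphabet_size: int, max_len: int) -> int:
    """Number of passwords of length 1..max_len: the sum of alphabet_size**i."""
    return sum(alphabet_size ** i for i in range(1, max_len + 1))


def exhaustive_search_seconds(alphabet_size: int, max_len: int,
                              guesses_per_second: float) -> float:
    """Worst-case time to try every password (the maximum exhaustive attack time)."""
    return password_space(alphabet_size, max_len) / guesses_per_second


def expected_search_seconds(alphabet_size: int, max_len: int,
                            guesses_per_second: float) -> float:
    """Expected time when the password is uniformly distributed: half the maximum."""
    return exhaustive_search_seconds(alphabet_size, max_len, guesses_per_second) / 2


def min_password_length(alphabet_size: int, guesses_per_second: float,
                        attack_seconds: float, max_success_probability: float) -> int:
    """Smallest s with sum_{j=1}^{s} A^j >= T*G/P, i.e. N >= TG/P as on the slide."""
    required = attack_seconds * guesses_per_second / max_success_probability
    s = 1
    while password_space(alphabet_size, s) < required:
        s += 1
    return s


if __name__ == "__main__":
    ONE_YEAR = 365 * 24 * 60 * 60
    print(password_space(26, 8))                            # 217180147158 (about 2.2e11)
    print(exhaustive_search_seconds(26, 8, 1e6) / 86400)    # about 2.5 days at 1 guess/us
    print(min_password_length(96, 1e4, ONE_YEAR, 0.5))      # 6
    for k in (3, 4, 5):
        print(k, exhaustive_search_seconds(26, k, 1e6))     # 0.018 s, 0.475 s, 12.36 s
```

The defender's reading of `min_password_length` is that it scales linearly with the attacker's guess rate: every tenfold speed-up in G (cheaper hardware, or a cheap hash in the password file) costs roughly one more required character on a 96-symbol alphabet.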

Page 15

Try many probable passwords

Expected time can be further reduced because people use common words rather than random character combinations

• E.g., prefer ‘jenny’ or ‘beer’ to ‘vprw’ or ‘qipd’

=> attacker can use spell checker dictionaries

=> dictionary attack

Limiting success of attacks on short passwords:

– ATM swallows the cash card after k bad attempts at entering the PIN code (extremely short 4-digit code! Only 10,000 combinations)

– Computer locks up after n tries (e.g. freezes the attacked account) ■
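The "locks up after n tries" countermeasure, as an added example that is not from the lecture: a per-account failure counter with a timed lockout, and a login routine that refuses a locked account before the password is even examined. The class and function names, the default thresholds and the injectable clock are this example's choices.

```python
import time
from collections import defaultdict
from typing import Callable, Dict

# Added example, not from the lecture: the "lock up after n tries" countermeasure.
# Failed attempts are counted per account; after max_failures the account is
# refused for lockout_seconds even if the right password is then supplied.
# The clock is injectable so the behaviour can be tested without waiting.


class LockoutTracker:
    def __init__(self, max_failures: int = 5, lockout_seconds: float = 15 * 60,
                 clock: Callable[[], float] = time.time) -> None:
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.clock = clock
        self.failures: Dict[str, int] = defaultdict(int)
        self.locked_until: Dict[str, float] = {}

    def is_locked(self, account: str) -> bool:
        until = self.locked_until.get(account)
        if until is None:
            return False
        if self.clock() >= until:  # lockout expired: clear it and start counting afresh
            del self.locked_until[account]
            self.failures[account] = 0
            return False
        return True

    def record_failure(self, account: str) -> bool:
        """Count one failed attempt; return True if the account is now locked."""
        if self.is_locked(account):
            return True
        self.failures[account] += 1
        if self.failures[account] >= self.max_failures:
            self.locked_until[account] = self.clock() + self.lockout_seconds
            return True
        return False

    def record_success(self, account: str) -> None:
        self.failures[account] = 0


def attempt_login(tracker: LockoutTracker, account: str,
                  password_ok: Callable[[str], bool], candidate: str) -> bool:
    """Check the lock first, so a locked account is refused before the password is tested."""
    if tracker.is_locked(account):
        return False
    if password_ok(candidate):
        tracker.record_success(account)
        return True
    tracker.record_failure(account)
    return False


if __name__ == "__main__":
    # Constructed demo: a 4-digit PIN with the ATM-style limit of 3 attempts.
    atm = LockoutTracker(max_failures=3, lockout_seconds=24 * 3600)
    for guess in ("0000", "1111", "2222", "4711"):
        print(guess, attempt_login(atm, "card-1234", lambda p: p == "4711", guess))
    # prints False four times: the correct PIN arrives after the card is "swallowed"
```

With `max_failures=3` and a long lockout this models the ATM rule on the slide; for online accounts the lockout is kept short and timed, because an unbounded lockout lets anyone who knows a user name lock that user out simply by failing deliberately.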

Page 16

Attacks on passwords (summary)

12 steps an attacker might try (start with ‘most probable’ guesses)

1. No password

2. Same as user ID

3. User’s name or derived from it

4. Common word list plus common names and patterns Ex. common patterns: ‘asdfg’ – consecutive keyboard keys, ‘aaaa’

5. Short college dictionary

6. Complete English word list

7. Common non-English language dictionaries

8. Short college dictionary with capitalizations & substitutions E.g. PaSsWoRd, pa$$w0rd

Substitutions include: a -> @, e -> 3, i/l -> 1, o -> 0, s -> $, ...

9. Complete English with capitalization and substitutions

10. Common non-English dictionaries with capitalization and substitutions

11. Brute force, lowercase alphabetic characters

12. Brute force, full character set ■
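A policy check that rejects exactly the passwords steps 1 through 10 above would find first, plus the length and character rules from the "Rules for creating secure passwords" slide, as an added example that is not from the lecture. The undo-the-substitution normalization (@ to a, 3 to e, 1 to i or l, 0 to o, $ to s), the stand-in dictionary and the pattern list are this example's own constructions.

```python
from typing import Optional, Set

# Added example, not from the lecture: a password-policy check that rejects the
# guesses tried first in the attacker's list (no password, the user id, the
# user's name, common patterns, dictionary words with capitalization and the
# a->@, e->3, i/l->1, o->0, s->$ substitutions) and then applies the length and
# character rules from the "Rules for creating secure passwords" slide.
# The dictionary and pattern list here are constructed stand-ins for real word lists.

REVERSE_SUBSTITUTIONS = {"@": "a", "3": "e", "0": "o", "$": "s"}
AMBIGUOUS = {"1": "il"}  # a '1' may stand for 'i' or 'l', so both are tried
COMMON_PATTERNS = {"asdfg", "qwerty", "aaaa", "1234", "abcd"}
MIN_LENGTH = 6
PUNCTUATION = set("!@#$%^&*()-_=+[]{};:'\",.<>/?\\|`~")


def normalized_forms(password: str) -> Set[str]:
    """Every lowercase string the password could be a substitution of.

    2**k forms for k ambiguous characters, which is fine for human-length passwords.
    """
    forms = [""]
    for ch in password.lower():
        ch = REVERSE_SUBSTITUTIONS.get(ch, ch)
        choices = AMBIGUOUS.get(ch, ch)
        forms = [f + c for f in forms for c in choices]
    return set(forms)


def weak_password_reason(password: str, user_id: str, full_name: str,
                         dictionary: Set[str]) -> Optional[str]:
    """Return why the password falls early in the attacker's list, or None if it passes."""
    if not password:
        return "no password"
    if password.lower() == user_id.lower():
        return "same as user id"
    candidates = normalized_forms(password) | {password.lower()}
    name_parts = {p.lower() for p in full_name.split() if len(p) >= 3}
    if any(part in c for c in candidates for part in name_parts):
        return "derived from user's name"
    if candidates & COMMON_PATTERNS:
        return "common pattern"
    if candidates & dictionary:
        return "dictionary word (after capitalization/substitutions)"
    if len(password) < MIN_LENGTH:
        return "shorter than six characters"
    if not any(c.isdigit() or c in PUNCTUATION for c in password):
        return "no number or punctuation character"
    return None


if __name__ == "__main__":
    words = {"password", "beer", "jenny", "welcome"}  # constructed stand-in dictionary
    for pw in ("", "bob", "Robert1!", "pa$$w0rd", "J3nny", "asdfg", "xq7#kwptv"):
        print(repr(pw), "->", weak_password_reason(pw, "bob", "Robert Smith", words))
```

The point of normalizing before the dictionary lookup is that `pa$$w0rd` and `PaSsWoRd` cost the attacker only one extra pass over the same word list (steps 8 to 10 above), so a policy that accepts them because they "contain a number or punctuation character" buys almost nothing.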

Page 17

Outline

• Review

• More on user authentication

• General security principles and practices

Page 18

Graphical Passwords

• Images are easy for humans to remember

– Especially if you invent a memorable story to go along with the images

• Dictionary attacks on graphical passwords are believed to be difficult

– Images are very “random”

• Still not a perfect solution

– Need infrastructure for displaying and storing images

– Shoulder surfing ■

Page 19

One time Passwords

Use blackboard

Page 20

Challenge-Response Authentication

• User and system share a secret key

• Challenge: system presents user with some string

• Response: user computes response based on secret key and challenge

– Secrecy: difficult to recover key from response

• One-way hashing or symmetric encryption work well

– Freshness: if challenge is fresh and unpredictable, attacker on the network cannot replay an old response

• For example, use a fresh random number for each challenge

• Good for systems with pre-installed secret keys ■
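The challenge-response exchange above, as an added example that is not part of the lecture: the system issues a random single-use challenge, the user's side answers with an HMAC-SHA256 over it under the shared key, and the system checks the answer. The class and function names, the 16-byte nonce and the HMAC construction are this example's choices; the slide only says that one-way hashing or symmetric encryption work well.

```python
import hashlib
import hmac
import os
from typing import Set, Tuple

# Added example, not from the lecture: HMAC-based challenge-response between a
# system (verifier) and a user device (prover) that share a key. Both sides'
# messages are shown; the key, nonce length and hash are illustrative choices.
# Secrecy: HMAC-SHA256 does not let an eavesdropper recover the key from a
# response. Freshness: every challenge is a new random nonce accepted once.


def prover_response(shared_key: bytes, challenge: bytes) -> bytes:
    """User side: prove possession of the key by MACing the challenge."""
    return hmac.new(shared_key, challenge, hashlib.sha256).digest()


class Verifier:
    """System side: issues single-use random challenges and checks responses."""

    def __init__(self, shared_key: bytes, nonce_bytes: int = 16) -> None:
        self.key = shared_key
        self.nonce_bytes = nonce_bytes
        self.outstanding: Set[bytes] = set()  # challenges issued but not yet answered

    def challenge(self) -> bytes:
        nonce = os.urandom(self.nonce_bytes)  # fresh and unpredictable
        self.outstanding.add(nonce)
        return nonce

    def verify(self, challenge: bytes, response: bytes) -> bool:
        if challenge not in self.outstanding:  # never issued, or already used: a replay
            return False
        self.outstanding.discard(challenge)    # single use, whatever the outcome
        expected = hmac.new(self.key, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def run_exchange(verifier: Verifier, user_key: bytes) -> Tuple[bytes, bytes, bool]:
    """One full protocol run: system -> user: challenge; user -> system: response."""
    c = verifier.challenge()
    r = prover_response(user_key, c)
    return c, r, verifier.verify(c, r)


if __name__ == "__main__":
    key = b"constructed-shared-secret"
    system = Verifier(key)
    c, r, ok = run_exchange(system, key)
    print("genuine user accepted:", ok)                           # True
    print("replayed (c, r) accepted:", system.verify(c, r))       # False: nonce already used
    c2 = system.challenge()
    print("old response to new challenge:", system.verify(c2, r))  # False
    print("wrong key accepted:", run_exchange(system, b"guess")[2])  # False
```

The verifier discards the challenge before comparing, so even a failed attempt burns the nonce; an attacker who records one (challenge, response) pair on the network gets nothing that will be accepted a second time.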

Page 21

The Brain Deals with Faces Differently than Any Other Image

Face recognition is a dedicated process which is different from general object recognition.

Source: Face Recognition: A Literature Survey. National Institute of Standards and Technology

Page 22

Recognition-Based Authentication

• Passfaces represents a new, 4th class of authentication: Cognometrics (recognition-based authentication)

• http://www.realuser.com/

Page 23

Advantages to using Passfaces over passwords

• Can’t be written down or copied

• Can’t be given to another person

• Can’t be guessed

• Involve cognitive not memory skills (see next slide for more detail)

• Can be used as a single or part of a dual form of authentication

Page 24

Recall vs. Recognize

You must RECALL a password; you simply RECOGNIZE a face.

Remember high school… What kind of test did you prefer?

Fill in the Blank vs. Multiple Choice

Page 25

Preference-based authentication

Intuition:

• preferences are more stable than long-term memory (confirmed by psychology research)

• preferences are rarely documented (in contrast to city of birth, brand of first car, etc.) … especially dislikes!

Page 26

Approach (1/2)

Demo at Blue-Moon-Authentication.com, info at I-forgot-my-password.com

Page 27

Approach (2/2)

Page 28

Enhanced User Authentication Techniques

• RSA Laboratories

– Life Question Authentication

– Authentication by Vouching

– Error Tolerant Authentication Protocols

– Protecting Sensitive Data with Secret Splitting - Nightingale

Page 29

Authentication by Vouching (1/3)

• Vouching involves the leveraging of human relationships for the purpose of online authentication.

• Suppose two parties, Alice and Bob, know each other well. When Alice asserts that Bob is indeed Bob, we say that Alice vouches for Bob's identity.

– This gives Bob a means of authenticating himself to those who trust Alice to vouch for him.

• RSA Laboratories has proposed a secure vouching protocol for backup authentication.

• Fourth category of authentication mechanisms: someone you know.

Page 30

Authentication by Vouching (2/3)

• Vouching provides an attractive alternative to help desk backup authentication.

• Often, the token-less user can easily get in contact with a colleague who can recognize him and vouch for his identity.

• The existing relationship between this "User" and a "Helper", combined with the ability of the Helper to authenticate normally to the system, can be leveraged to prove the authenticity of the User to the system as well.

Page 31

Authentication by Vouching (3/3)

• RSA Laboratories has proposed a secure vouching protocol for backup authentication.

• Expressed succinctly, the vouching process involves a User asking a pre-registered Helper to authenticate him, obtain a one-time code from the server, and communicate it to the User.

• This code will assist the User in the backup authentication process.

Page 32

Understanding Social Engineering

• Social engineering is an attack that depends on convincing an authorized user to disclose information or perform an unauthorized act

• A social engineer is a person who will deceive or con others into divulging information that they wouldn’t normally share.

• Deterrence requires user education and depends on making security policies explicit and known to all employees ■

Page 33

Social Engineering

• Social engineering preys on qualities of human nature:

– the desire to be helpful

– the tendency to trust people

– the fear of getting into trouble

• A truly successful social engineer receives information without raising any suspicion as to what they are doing.

• Human-based

• Computer-based ■

Page 34

Human-based

• Impersonation - case studies indicate that help desks are the most frequent targets of social engineering attacks

• Important user - a common ploy is to pretend to be not only an employee, but a vice president (continued in next slide) ■

Page 35

Human-based

• Third-party authorization - the social engineer may have obtained the name of someone in the organization who has the authority to grant access to information

• Tech support - the social engineer pretends to be someone from the infrastructure support groups

– System is having a problem

– Needs them to log on to test the connection (continued in next slide) ■

Page 36

Human-based

• In person - the social engineer may enter the building and pretend to be an employee, guest or service personnel

– May be dressed in a uniform

– Allowed to roam

– Become part of the cleaning crew

• Dumpster diving

• Shoulder surfing ■

Page 37

Computer-based

• Popup windows - a window appears on the screen telling the user he has lost his network connection and needs to re-enter his user name and password

• A program then e-mails the intruder with the information ■

Page 38

Computer-based

• Mail attachments - programs can be hidden in e-mail attachments (see next two slides for examples)

– Viruses

– Worms

– “I love you” ■

Page 39

Sample e-mail…. (This has a virus attached!)

To: [email protected]
Subject: Notify about your e-mail account utilization.
From: [email protected]

Dear user of Arizona.edu gateway e-mail server,

Your e-mail account will be disabled because of improper using in next three days, if you are still wishing to use it, please, resign your account information.

For further details see the attach. For security reasons attached file is password protected. The password is "03406".

Best wishes,
The Arizona.edu team
http://www.arizona.edu

Page 40

Page 41

Computer-based

• Spam, chain letters and hoaxes - these all rely on social engineering to be spread.

– While they do not usually cause damage, they do cause a loss of productivity. They use valuable network resources.

• Websites - a common ploy is to offer something free or a chance to win a sweepstakes on a website.

– To win requires an e-mail address and password. ■

Page 42

Computer-based

• Social Engineering, the USB Way

– http://www.darkreading.com/document.asp?doc_id=95556

• We recently got hired by a credit union to assess the security of its network. The client asked that we really push hard on the social engineering button. In the past, they'd had problems with employees sharing passwords and giving up information easily.

• We gathered all the worthless vendor giveaway thumb drives collected over the years and imprinted them with our own special piece of software.

• I had one of my guys write a Trojan that, when run, would collect passwords, logins and machine-specific information from the user’s computer, and then email the findings back to us.

• I then proceeded to scatter the drives in the parking lot, smoking areas, and other areas employees frequented. (continued in next slide)■

Page 43

Computer-based

• After about three days, we figured we had collected enough data. When I started to review our findings, I was amazed at the results.

– Of the 20 USB drives we planted, 15 were found by employees, and all had been plugged into company computers.

– The data we obtained helped us to compromise additional systems, and the best part of the whole scheme was its convenience.

– We never broke a sweat. Everything that needed to happen did, and in a way it was completely transparent to the users, the network, and credit union management.

• Of all the social engineering efforts we have performed over the years, I always had to worry about being caught, getting detained by the police, or not getting anything of value. The USB route is really the way to go. With the exception of possibly getting caught when seeding the facility, my chances of having a problem are reduced significantly. ■

Page 44

Recognize the Signs

• Refusal to give contact information

• Rushing

• Name-dropping

• Intimidation

• Small mistakes

• Requesting forbidden information

• “I cannot be contacted”

• “I’m on my cell phone and the battery is about to die”

• The number they give you is a “call out only” number ■

Page 45

Protecting passwords

• Remember that passwords are sensitive. A password for your personal account should be known ONLY to you

• Systems administrators or maintenance technicians who need to do something to your account will not require your password. ■

Page 46

The latest scam is called PHISHING

Page 47

Phishing

• Not a virus, but ways to trick you into giving up personal information

• See http://www.antiphishing.org for a lot of examples

• Symantec observed that online fraud has steadily increased and become more sophisticated. Much of this activity arrived in the form of phishing.

– Symantec observes more than 7 million total phishing attempts each day.

– Nine of the top 10 phished brands were financial institutions. Attacks against this sector are most likely to produce the greatest monetary gain for attackers.

– Phishers are innovating and embracing new techniques, such as vishing (voice counterpart to phishing) and SMishing (mobile phone counterpart to phishing). ■

Page 48

Example of phishing: EBAY

Page 49

EBAY

Page 50

EBAY

Page 51

EBAY

Page 52

Phishing

The following are a few tips to immediately recognize an Email scam:

• Request to change password

• Request for money

• All caps in header, subject line, address or somewhere else prominent in email

• "Re" in an email that is not a response to another e-mail

• Messages from overseas, particularly anything from a country one has never visited

• Request for personal information

• Offer of a free gift. (There are no free gifts on the Internet)

• Anything that says "click here," particularly to see a video, picture or article

• Emails from a known person addressing you differently than they have before (e.g., Robert rather than Bob) ■

Page 53

Outline

• Review

• More on user authentication

• General security principles and practices

– Common Security Principles

– Security Policies

– Security Administration Tools

– Physical Security

– Personnel Security

Page 54

General Security Principles and Practices

• Common Security Principles

• Security Policies

• Security Administration Tools

• Physical Security

• Personnel Security

Page 55

Common Security Principles

• Information security is not new; many principles come from the military and commercial fields. The following list is taken from “Writing Secure Code”

– Learn from mistakes

– Minimize your attack surface

– Use defense in depth

– Use least privilege

– Employ secure defaults

– Remember that backward compatibility will always give you grief

– Assume external systems are insecure

– Plan on failure

– Fail to a secure mode

– Remember that security features != secure features

– Never depend on security through obscurity alone

– Don't mix code and data

– Fix security issues correctly ■

Page 56

Common Security Principles

(continued)

Separation of Privileges Principle

• No single person should have enough authority to cause a critical event to happen

• Many examples from outside of computing, e.g., two keys needed to launch a missile

• Tradeoff between security gained and manpower required to achieve it

• CIO should not have access to all systems

• DBA should not have access to encryption key

• Example: an accountant with the privilege to write checks as well as balance the business's account is a potential for abuse ■

Page 57

Common Security Principles

(continued)

Least Privilege Principle

• An individual should have only the minimum level of access controls necessary to carry out job functions

• A common violation of this principle occurs because of administrator inattention

– Users are placed in groups that are too broad

• Another common violation occurs because of privilege creep

– Users are granted new privileges when they change roles without reviewing existing privileges ■
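The two principles above (separation of privileges on the previous slide and least privilege here) turned into an access-review check, as an added example that is not from the lecture: the role and group tables are constructed, and the audit reports privileges granted beyond a role's needs, the "too broad a group" and "privilege creep" cases, as well as privilege combinations that let one person cause a critical event. The DBA-with-key-access and check-writer-who-reconciles cases are the slides' own examples; everything else here is this example's construction.

```python
from typing import Dict, List, Set

# Added example, not from the lecture: an access-review check for least
# privilege and separation of privileges. Role-to-privilege and
# group-to-privilege tables are constructed stand-ins.

ROLE_PRIVILEGES: Dict[str, Set[str]] = {
    "accountant": {"ledger:read", "ledger:write", "checks:write"},
    "auditor": {"ledger:read", "reports:read", "ledger:reconcile"},
    "dba": {"db:admin", "ledger:read"},
}

GROUP_PRIVILEGES: Dict[str, Set[str]] = {
    "finance": {"ledger:read", "ledger:write", "checks:write"},
    "audit": {"ledger:read", "reports:read", "ledger:reconcile"},
    "db-admins": {"db:admin", "ledger:read", "keys:read"},  # too broad: key access bundled in
}

# Privilege combinations that together let one person cause a critical event.
CONFLICTING_PRIVILEGES = [
    ({"checks:write", "ledger:reconcile"}, "can write checks and balance the same account"),
    ({"db:admin", "keys:read"}, "can read the database and its encryption key"),
]


def audit_user(role: str, groups: List[str]) -> Dict[str, List[str]]:
    """Report privileges beyond the role's needs and conflicting combinations."""
    granted: Set[str] = set().union(*(GROUP_PRIVILEGES[g] for g in groups))
    required = ROLE_PRIVILEGES[role]
    excess = sorted(granted - required)
    conflicts = [why for combo, why in CONFLICTING_PRIVILEGES if combo <= granted]
    return {"excess": excess, "conflicts": conflicts}


if __name__ == "__main__":
    # Constructed users: bob moved from accountant to auditor but kept his
    # finance group (privilege creep); carol's DBA group bundles key access.
    for name, role, groups in [("alice", "accountant", ["finance"]),
                               ("bob", "auditor", ["finance", "audit"]),
                               ("carol", "dba", ["db-admins"])]:
        print(name, audit_user(role, groups))
```

Run periodically, the `excess` list is the signal for the role-change review the slide says is usually skipped, and a non-empty `conflicts` list is a separation-of-privileges violation regardless of whether each privilege on its own was legitimately granted.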

Page 58

Common Security Principles

(continued)

Defense in Depth Principle

• Defenses should be layered

• Layers begin with points of access to a network and continue with cascading security at bottleneck points

Page 59

Defense in Depth

Page 60

Common Security Principles

(continued)

Security through Obscurity

• In the early days of computing, administrators depended upon secrecy about the security that was in place

• No longer very effective in most cases because so much information is freely available ■

Page 61

General Security Principles and Practices

• Common Security Principles

• Security Policies

• Security Administration Tools

• Physical Security

• Personnel Security

Page 62

Security Policies

• Goal is to have clearly defined security objectives to

– Design specific controls

– Keep users informed of expected behavior

• A security policy should be a written document

– Available to all users of an organizational information system

• Security policies range from single documents to multiple documents for specialized use or for specific groups of users


Types of Security Policies

• acceptable use policy

• backup policy

• confidentiality policy

• data retention policy

• wireless device policy


Acceptable Use Policy

• Defines allowable uses of an organization’s information resources

• Must be specific enough to guide user activity but flexible enough to cover unanticipated situations

• Should answer key questions

– What activities are acceptable?

– What activities are not acceptable?

– Where can users get more information as needed?

– What to do if violations are suspected or have occurred?


Backup Policy

• Data backups protect against corruption and loss of data

– To support the integrity and availability goals of security

• Backup policy should answer key questions

– What data should be backed up and how?

– Where should backups be stored?

– Who should have access?

– How long should backups be retained?

– How often can backup media be reused?


Confidentiality Policy

• Outlines procedures used to safeguard sensitive information

• Should cover all means of information dissemination including telephone, print, verbal, and computer

• Questions include

– What data is confidential and how should it be handled?

– How is confidential information released?

– What happens if information is released in violation of the policy?

• Employees may be asked to sign nondisclosure agreements


Data Retention Policy

• Defines categories of data

– Different categories may have different protections under the policy

• For each category, defines minimum retention time

– Time may be mandated by law, regulation, or business needs, e.g., financial information related to taxes must be retained for 7 years

• For each category, defines maximum retention time

– This time may also be mandated by law, regulation, or business needs

– Common in personal privacy areas


Wireless Device Policy

• Includes mobile phones, PDAs, palm computers

• Users often bring personal devices to the workplace

• Policy should define

– Types of equipment that can be purchased by the organization

– Types of personal equipment that may be brought into the facility

– Permissible activities

– Approval authorities for exceptions


Implementing Policy

• A major challenge for information security professionals

• Includes the processes of developing and maintaining the policies themselves as well as ensuring their acceptance and use within the organization

• Activities related to policy implementation are often ongoing within an organization


Developing Policies

• In any but the smallest organization, a team approach should be employed

– Include members from different departments or functional elements within the organization

• Commonly, a high-level list of business objectives is first developed

• The second step is to determine the documents that must be written to achieve objectives

• These steps are followed by document drafts, revised until consensus is achieved


Building Consensus

• Once consensus is reached among the development committee, consensus must be spread throughout the organization (“selling” the policies)

• Important because employees who are not on board may bypass the security policies, leaving the information system vulnerable

• Often the policies are promoted and advertised by senior management


Education

• Includes education and training programs for affected employees

• Users should be aware of their responsibilities with regard to policies

• Two types of training

– Initial training is a one-time program early in an employee’s tenure with the company

– Refresher training should be done periodically to

• Remind employees of their responsibilities

• Provide employees with updates of policies and technologies that affect their responsibilities


Enforcement and Maintenance

• Policies should define responsibilities for

– Reporting violations

– Procedures when violations occur

• Policies should be strictly enforced

• Policy changes occur as companies and technologies change

• Policies should contain provisions for modification through maintenance procedures

– Common to have periodic reviews mandated


General Security Principles and Practices

• Common Security Principles

• Security Policies

• Security Administration Tools

• Physical Security

• Personnel Security


Security Administration Tools

• Tools that help with consistent application and enforcement of security policy

• Security checklists

– Security professionals should review all checklists used in an organization for compliance with security procedures

– Security professionals may develop their own checklists for security-specific tasks

• Security matrices

– Used in development of security policies and implementation of particular procedures

– Help focus the amount of attention paid to particular goals


Sample Security Matrices


General Security Principles and Practices

• Common Security Principles

• Security Policies

• Security Administration Tools

• Physical Security

• Personnel Security


Physical Security

• Ensures that people cannot gain physical access to a facility where they can manipulate information resources

• Ensures that data resources are protected from natural disasters such as fires and floods

• Many large organizations have separate professionals for physical security

• Three common categories of physical security issues

– Perimeter protection

– Electronic emanations

– Fire protection


Perimeter Protection/Access Controls

• On the perimeter of a facility you can use

– Fences

– Lighting

– Motion detectors

– Dogs

– Patrols

• Remember the defense in depth principle

– For example, use fences around the facility and biometrics for specific offices within a facility


Electronic Emanations and Fire Protection

• Electronic devices emit electromagnetic radiation

– Emanations can be picked up and interpreted outside the facility

– Equipment is available to block interception, but it is costly and bulky; sometimes used by government facilities

• Fire protection requires detection and suppression systems

– Often dictated by building codes

– Suppression systems include sprinklers, chemicals, and fire extinguishers


General Security Principles and Practices

• Common Security Principles

• Security Policies

• Security Administration Tools

• Physical Security

• Personnel Security


Personnel Security

• People are the weakest link in a security system

• Perform background investigations

– Can include criminal record checks, reference evaluations

• Monitor employee activity

– Can include monitoring Internet activity, surveillance cameras, telephone recording

• Mandatory vacations

• Exit procedures for employees leaving the company

– Remind employees of any nondisclosure agreements


Questions?