
Page 1: Security Mechanisms University of Sunderland CSEM02 Harry R. Erwin, PhD

Security Mechanisms

University of Sunderland

CSEM02

Harry R. Erwin, PhD

Page 2

Resources

• The Common Criteria

• The ‘Orange Book’

• CCTool

• See the Multics paper.

Page 3

Basic Rules of Security

• Concentrate valuable assets
• Defense in depth
• Coordinate all aspects of security
  – Software
  – Hardware
  – Physical
  – Procedural

We will examine software security mechanisms first and then survey the other areas.

Page 4

Definition

• A security mechanism is ‘a hardware or software component, system, or product that supports one or more security objectives.’

• Another term that might be applied is a ‘security service.’

• “The function of a security mechanism is to detect, prevent, or recover from a security attack (William Stallings).”

Page 5

Typical Security Mechanisms

• Identification and Authentication
• Access Control
• Audit
• Firewalls
• Intrusion Detection
• Cryptography and Public Key Infrastructure (PKI)
• Virus Protection
• Object Reuse/Media Sanitizing
• Electronic Signatures

Page 6

Identification and Authentication

• Identifies someone to the system.
• At least one of the following must be supplied:

– Something known (user name and password)

– Something owned (password token)

– Some physical characteristic (fingerprint, retinal scan, voice scan)

• Authentication is ‘weak’ if only one is supplied.
• Two are required for ‘strong’ authentication.
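The weak/strong distinction above depends on how many different categories of factor are supplied, not on how many credentials. The following added example (not from the slides) encodes that rule: the credential-type names and their category mapping are assumptions chosen for illustration.

```python
# Added example: classify an authentication attempt as 'weak' or 'strong' by
# counting the DISTINCT factor categories supplied (known / owned / physical).
# Two credentials from the same category (e.g. a password and a PIN) still
# count as a single factor.

# Assumed mapping of credential types to the three categories on the slide.
FACTOR_CATEGORY = {
    "password": "known",
    "pin": "known",
    "hardware_token": "owned",
    "smartcard": "owned",
    "fingerprint": "physical",
    "retina": "physical",
    "voice": "physical",
}


def distinct_factors(credentials):
    """Return the set of factor categories represented in the supplied credentials."""
    categories = set()
    for cred in credentials:
        if cred not in FACTOR_CATEGORY:
            # Fail closed: an unknown credential type is not silently counted.
            raise ValueError(f"unknown credential type: {cred}")
        categories.add(FACTOR_CATEGORY[cred])
    return categories


def authentication_strength(credentials):
    """'none' (nothing supplied), 'weak' (one category) or 'strong' (two or more)."""
    n = len(distinct_factors(credentials))
    if n == 0:
        return "none"
    return "weak" if n == 1 else "strong"


if __name__ == "__main__":
    for attempt in (["password"], ["password", "pin"], ["password", "hardware_token"]):
        print(attempt, "->", authentication_strength(attempt))
```

The point the slide makes is visible in the second case: a password plus a PIN is still weak authentication, because both are things the user knows.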

Page 7

Access Control

• Based on what the user is authorized to do.
• ‘Discretionary access control (DAC)’ is where the document owner controls who has access to it. This is designed for benign environments.

• ‘Mandatory access control (MAC)’ defines a security level for documents and resources. A potential user or process has to have that level.

• Commercial organizations may go further—time of day, location, task being performed.

• Should be enforced by the operating system kernel.
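To make the DAC/MAC distinction concrete, here is an added example (not from the slides) of a small reference monitor that applies both checks to every read. The level names, subject names and document are constructed for illustration; the rule that a subject must hold at least the document's level is the one stated on the slide, and the owner of a document cannot override it by editing the access list.

```python
from dataclasses import dataclass, field

# Added example: one reference monitor that enforces
#  - MAC: a system-assigned level on every document and every subject; the
#    subject's clearance must be at least the document's level.
#  - DAC: an owner-controlled reader list on each document.
# Constructed ordering of security levels (assumption for the example).
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2}


@dataclass
class Subject:
    name: str
    clearance: str  # MAC label, set by the administrator, not by the user


@dataclass
class Document:
    name: str
    owner: str
    level: str  # MAC label, fixed by the system
    readers: set = field(default_factory=set)  # DAC list, edited only by the owner


class ReferenceMonitor:
    """Single choke point: every grant and every read passes through here."""

    def grant(self, actor: Subject, doc: Document, reader: str) -> None:
        # DAC: only the owner may change the document's reader list.
        if actor.name != doc.owner:
            raise PermissionError(f"{actor.name} is not the owner of {doc.name}")
        doc.readers.add(reader)

    def check_read(self, subject: Subject, doc: Document) -> bool:
        # MAC check first: a grant from the owner cannot lift an under-cleared reader.
        if LEVELS[subject.clearance] < LEVELS[doc.level]:
            return False
        # DAC check: the owner always reads; anyone else must be on the list.
        return subject.name == doc.owner or subject.name in doc.readers


def demo():
    """Constructed scenario: returns the decisions so they can be checked."""
    alice = Subject("alice", "secret")
    bob = Subject("bob", "confidential")
    carol = Subject("carol", "secret")
    plan = Document("plan.doc", owner="alice", level="secret")
    rm = ReferenceMonitor()
    rm.grant(alice, plan, "bob")    # owner shares the document (DAC)
    rm.grant(alice, plan, "carol")
    try:
        rm.grant(bob, plan, "mallory")
        non_owner_can_grant = True
    except PermissionError:
        non_owner_can_grant = False
    return {
        "owner_reads": rm.check_read(alice, plan),
        "bob_granted_but_undercleared": rm.check_read(bob, plan),
        "carol_granted_and_cleared": rm.check_read(carol, plan),
        "non_owner_can_grant": non_owner_can_grant,
    }


if __name__ == "__main__":
    print(demo())
```

Bob is on the reader list but is denied: the mandatory level check is applied before the discretionary list is even consulted, which is why MAC suits environments where the owner's judgement cannot be relied upon.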

Page 8

Audit

• Tracks who did what and when.
• Done right, can stand up in court as evidence.
• Usually must be turned on (selectively).
• May result in large audit files.
• Audit trails are extremely interesting to hackers—they show what can and cannot be seen.
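An audit trail only stands up as evidence if alterations to it can be detected. The slide does not say how; the following added example (not from the slides) shows one common way: each record carries the hash of the record before it, so editing or deleting an earlier entry breaks the chain on verification. The record fields follow the slide's "who did what and when"; the sample entries are constructed.

```python
import hashlib
import json

# Added example: a hash-chained, append-only audit trail. Each record stores
# the hash of its predecessor, so verify() can locate the first tampered record.
GENESIS = "0" * 64  # chain anchor for the first record (constructed constant)
FIELDS = ("who", "what", "when", "prev")


def record_hash(record):
    # Canonical JSON (sorted keys) so the same record always hashes identically.
    body = {k: record[k] for k in FIELDS}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def append(trail, who, what, when):
    """Append one 'who did what and when' record, linked to the previous one."""
    prev = trail[-1]["hash"] if trail else GENESIS
    rec = {"who": who, "what": what, "when": when, "prev": prev}
    rec["hash"] = record_hash(rec)
    trail.append(rec)
    return rec


def verify(trail):
    """Return the index of the first bad record, or -1 if the chain is intact."""
    prev = GENESIS
    for i, rec in enumerate(trail):
        if rec["prev"] != prev or rec["hash"] != record_hash(rec):
            return i
        prev = rec["hash"]
    return -1


def sample_trail():
    """Constructed sample entries."""
    trail = []
    append(trail, "alice", "read plan.doc", "2016-01-12T10:00:00")
    append(trail, "bob", "login", "2016-01-12T10:01:00")
    append(trail, "alice", "delete plan.doc", "2016-01-12T10:02:00")
    return trail


if __name__ == "__main__":
    t = sample_trail()
    print("intact:", verify(t))
    t[1]["what"] = "logout"
    print("after edit:", verify(t))
```

Two caveats a practitioner would add: the hash of the most recent record must be stored somewhere the audited system cannot modify (a write-once medium or a separate host), otherwise an intruder who can rewrite the whole file simply recomputes the chain; and a chain of this kind detects edits and deletions in the middle but not truncation of the newest records, which again needs that externally held head value.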

Page 9

Firewalls

• Control access to protected assets.

• Workstation firewalls are the minimum.

• Bridge/router/switch firewalls should:
  – Control access to TCP/IP ports selectively.
  – Track outgoing as well as incoming packets.
  – Monitor packet contents if possible.

• SOAP “bypasses corporate firewalls.” (M$)
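The first two of the three requirements above (selective port control, and tracking outgoing as well as incoming packets) can be shown in a few lines. The following added example (not from the slides) is a toy packet filter with a default-deny rule set and a session table that admits inbound packets only when they answer a connection opened from inside. The rule set, addresses and ports are constructed for the example; content inspection, the third requirement, is not modelled.

```python
from collections import namedtuple

# Added example: a stateful port filter with default deny.
Packet = namedtuple("Packet", "direction proto src sport dst dport")
Rule = namedtuple("Rule", "direction proto dport action")  # dport may be "any"


class Firewall:
    def __init__(self, rules):
        self.rules = rules
        # Outbound flows we have permitted, as (src, sport, dst, dport).
        self.sessions = set()

    def decide(self, pkt):
        # Replies to connections opened from inside are admitted without an
        # explicit inbound rule: this is why outgoing packets must be tracked.
        if pkt.direction == "in" and (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.sessions:
            return "allow"
        for rule in self.rules:  # first matching rule wins
            if rule.direction != pkt.direction or rule.proto != pkt.proto:
                continue
            if rule.dport not in ("any", pkt.dport):
                continue
            if rule.action == "allow" and pkt.direction == "out":
                self.sessions.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return rule.action
        return "deny"  # default deny: anything not explicitly permitted is dropped


# Constructed rule set: one public HTTPS service, staff may browse HTTPS,
# and only the mail relay (not modelled here) may send mail.
RULES = [
    Rule("in", "tcp", 443, "allow"),
    Rule("in", "tcp", 22, "deny"),
    Rule("out", "tcp", 443, "allow"),
    Rule("out", "tcp", 25, "deny"),
]


if __name__ == "__main__":
    fw = Firewall(RULES)
    print(fw.decide(Packet("out", "tcp", "192.0.2.20", 40000, "198.51.100.5", 443)))
    print(fw.decide(Packet("in", "tcp", "198.51.100.5", 443, "192.0.2.20", 40000)))
    print(fw.decide(Packet("in", "tcp", "198.51.100.5", 443, "192.0.2.21", 40000)))
```

The last two calls show the value of tracking egress: the same inbound packet is allowed when it answers a session the inside host opened, and dropped when no such session exists.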

Page 10

Intrusion Detection

• Must be based on documented policies for use of the system. Uses expertise.

• Can detect evidence of
  – Break-ins
  – Remote exploitation
  – Application-level exploitation

• Generates log files of great interest to hackers.
• Does not detect one-time events.
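The last point above, that intrusion detection does not detect one-time events, follows from how such systems typically work: they raise an alert when a pattern recurs often enough to be distinguishable from ordinary activity. The added example below (not from the slides) is a minimal threshold detector run over constructed authentication log lines; the log format, threshold and window are assumptions for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Added example: a sliding-window threshold rule for repeated login failures.
# Constructed sample log (format is an assumption for the example).
SAMPLE_LOG = """\
2016-01-12T09:59:50 sshd: Failed password for admin from 10.0.0.7
2016-01-12T10:00:01 sshd: Failed password for root from 10.0.0.5
2016-01-12T10:00:03 sshd: Failed password for root from 10.0.0.5
2016-01-12T10:00:04 sshd: Failed password for admin from 10.0.0.5
2016-01-12T10:00:06 sshd: Failed password for guest from 10.0.0.5
2016-01-12T10:00:09 sshd: Accepted password for alice from 10.0.0.9
2016-01-12T10:05:00 sshd: Failed password for root from 10.0.0.7
"""

LINE_RE = re.compile(r"^(\S+) sshd: Failed password for (\S+) from (\S+)$")


def detect_bruteforce(log_text, threshold=4, window=timedelta(seconds=60)):
    """Alert once per source that produces >= threshold failures inside `window`.

    Returns a list of (source, failures_in_window, time_of_alert).
    """
    recent = defaultdict(deque)  # source -> timestamps of recent failures
    alerted = set()
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # successes and unrelated lines do not feed this rule
        ts = datetime.fromisoformat(m.group(1))
        src = m.group(3)
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and src not in alerted:
            alerts.append((src, len(q), ts.isoformat()))
            alerted.add(src)
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print("ALERT", alert)
```

Source 10.0.0.5 is reported after its fourth failure within a minute. Source 10.0.0.7 fails twice, five minutes apart, and is never reported: each of those is a one-time event to this rule, which is exactly the limitation the slide notes. Lowering the threshold to one would catch it, at the cost of alerting on every mistyped password.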

Page 11

Cryptography and Public Key Infrastructure (PKI)

• May support virtual private networks (VPNs) and closed user groups (CUGs) where information is sent using encrypted tunneling. Usually peer-to-peer.

• May support strong authentication.
• ssh, sftp, ssl, Kerberos, PGP, etc.
• The functional infrastructure required is extensive. Distribution of keys is extremely manpower-intensive and expensive.

• PKI allows the distribution of keys ‘in-band’ (over the network).

Page 12

Virus Protection

• Viruses (and other malware) are the most serious vulnerability of modern computer systems. They are usually malicious.

• Many websites upload ‘malware’ when you visit them. Consider using adaware to detect these programs.

• Virus protection depends on:
  – Careful procedures for dealing with untrusted programs and data.
  – Programs to detect the ‘signatures’ of viruses that manage to penetrate the installation procedures.

Page 13

Object Reuse/Media Sanitizing

• The random bits in memory or on the disk contain information. Most operating systems do not zero these bits when they reallocate resources.

• A secure operating system zeros memory and other resources before allocating them (and often when the resources are released).
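The following added example (not from the slides) simulates the difference between the two behaviours described above with a tiny fixed-block allocator. With sanitizing off it hands a released block to the next caller with the old contents intact, as the slide says most operating systems do; with sanitizing on it zeros the block both when it is released and again before it is reallocated. The pool, the block size and the "secret" written into it are constructed for the example.

```python
# Added example: object reuse in a fixed-size block pool, with and without
# sanitizing on release and reallocation.


class BlockPool:
    def __init__(self, nblocks, block_size, sanitize):
        self.blocks = [bytearray(block_size) for _ in range(nblocks)]
        self.free_list = list(range(nblocks))
        self.sanitize = sanitize

    def _zero(self, idx):
        blk = self.blocks[idx]
        blk[:] = bytes(len(blk))

    def alloc(self):
        idx = self.free_list.pop()
        if self.sanitize:
            self._zero(idx)  # zero before handing the block to a new owner
        return idx

    def release(self, idx):
        if self.sanitize:
            self._zero(idx)  # and on release, so the data never lingers in the pool
        self.free_list.append(idx)

    def write(self, idx, data):
        self.blocks[idx][: len(data)] = data

    def read(self, idx):
        return bytes(self.blocks[idx])


def leaked_secret(sanitize):
    """Constructed scenario: process A stores a secret and releases the block;
    process B allocates next and simply reads whatever it is given."""
    pool = BlockPool(nblocks=1, block_size=16, sanitize=sanitize)
    secret = b"hunter2-session"  # constructed 15-byte value
    a = pool.alloc()
    pool.write(a, secret)
    pool.release(a)
    b = pool.alloc()  # reuses the same block
    return pool.read(b).rstrip(b"\x00")


if __name__ == "__main__":
    print("no sanitizing:", leaked_secret(sanitize=False))
    print("sanitizing:   ", leaked_secret(sanitize=True))
```

The same reasoning applies to disk sectors and swap: any resource that is handed to a new holder without being overwritten carries the previous holder's data with it.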

Page 14

Electronic Signatures

• Provide
  – Authentication
  – Data integrity
  – Non-repudiation

• The same legal status as a hand-written signature (Electronic Communications Act 2000)

Page 15

Rules for Writing Secure Software

• Least privilege—limit access rights to those necessary for the function
• Economy—keep the design simple
• Complete mediation—check all accesses for authorization
• Open design—don’t hide your code!
• Separation of privilege—no single key for access
• Least common mechanism—isolate users
• Psychological acceptability—make security easy to use
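Two of the rules above, least privilege and separation of privilege, translate directly into code. The added example below (not from the slides) gives a worker task only the privileges its function needs and routes every action through one check, and requires two different people to approve a sensitive operation before it will run. The privilege names, actions and approver names are constructed for the example.

```python
# Added example: least privilege (a task holds only what it needs, checked at
# one gate) and separation of privilege (no single approver can release a
# sensitive operation).

# Constructed privilege and action names.
ALL_PRIVILEGES = frozenset({"read_files", "write_files", "delete_files", "manage_users"})
ACTIONS = {"backup": "read_files", "purge": "delete_files"}


class Task:
    def __init__(self, name, needed):
        unknown = set(needed) - ALL_PRIVILEGES
        if unknown:
            raise ValueError(f"unknown privileges: {sorted(unknown)}")
        self.name = name
        self.privileges = frozenset(needed)  # fixed at creation; cannot be widened later

    def require(self, priv):
        # The single gate every action passes through.
        if priv not in self.privileges:
            raise PermissionError(f"{self.name} lacks {priv}")

    def do(self, action):
        self.require(ACTIONS[action])
        return f"{self.name}: {action} ok"


class DualControl:
    """A request executes only once `required` DIFFERENT approvers have signed."""

    def __init__(self, required=2):
        self.required = required
        self.approvals = {}  # request id -> set of approver names

    def approve(self, request, approver):
        self.approvals.setdefault(request, set()).add(approver)
        return len(self.approvals[request])

    def execute(self, request):
        return len(self.approvals.get(request, ())) >= self.required


def demo():
    """Constructed scenario; returns the outcomes so they can be checked."""
    results = {}
    backup = Task("nightly-backup", {"read_files"})  # least privilege: read only
    results["backup"] = backup.do("backup")
    try:
        backup.do("purge")
        results["purge"] = "allowed"
    except PermissionError:
        results["purge"] = "refused"

    dc = DualControl()
    dc.approve("purge-archive", "alice")
    results["one_approver"] = dc.execute("purge-archive")
    dc.approve("purge-archive", "alice")  # the same person again does not count
    results["same_person_twice"] = dc.execute("purge-archive")
    dc.approve("purge-archive", "bob")
    results["two_approvers"] = dc.execute("purge-archive")
    return results


if __name__ == "__main__":
    print(demo())
```

Because approvers are kept in a set, a single person cannot reach the threshold by approving twice, which is the "no single key" property the slide asks for.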

Page 16

Non-Software Security Mechanisms

• Physical Security
• Environmental Security
• Personnel Security
• Training and Security Awareness
• Guidance and Policy Documentation
• Configuration Management

(Based on QinetiQ recommendations; Spafford et al., 2003, are similar.)

Page 17

Physical Security

To deny unauthorized access:

– Perimeter defense

– Building security

– Inner protection of the office and server rooms

– Workstation protection

Page 18

Perimeter defense

• Defined security perimeter

• Controlled access points

• Pass system and visitor control

• Guards during quiet hours

Page 19

Office Security

• Office layout and design

• Anonymity

• Location of support services

• Inventory sensitive assets

Page 20

Workstation Security

• Control unauthorized access

• Removable media

• Peripherals protected

• Regular inspections to verify that user configuration modifications have not subverted security.

Page 21

Environmental Security

• Natural disasters
  – Fire
  – Flood
  – Storm
  – Earthquake

• Utilities
• Communications
• Hardware failure

Page 22

Personnel Security

To ensure you can trust people with access to sensitive information and other assets. Tasks include:

– Establishing identity
– Verification of details
– Credit checks
– Maintenance of records

Page 23

Training and Security Awareness

• Important vulnerabilities are to
  – Social engineering, and
  – Non-malicious actions by insiders

• To mitigate these vulnerabilities, the most effective approach is a training program.
  – Trust your people, but
  – Make sure they understand these vulnerabilities and what they should do to mitigate them.

Page 24

Guidance and Policy Documentation

Provide:

• Administrator guidance documentation

• User guidance documentation

• Defined security policies

• Defined security procedures

Page 25

Configuration Management

It is difficult to secure a system whose configuration is not defined and managed.

– User software and hardware modifications to workstations may occur (e.g., personal modems).

– Security may not be enabled.

– Security may not be managed and configured.

– Threats may not be addressed in a timely fashion.

Keep track of your configuration!

Page 26

Conclusions

General Principles of Security:

– Concentrate valuable assets
– Defense in depth
– Coordinate all aspects of security

• Software

• Hardware

• Physical

• Procedural