Computer and Information Security - CEMS

homuskratΔίκτυα και Επικοινωνίες

20 Νοε 2013 (πριν από 3 χρόνια και 10 μήνες)

74 εμφανίσεις

1

Security Concepts

Introduction


2

Main Themes of the Course


Vulnerabilities of networked applications


Worms, denial of service attacks, malicious code
arriving from the network, attacks on infrastructure


Defense technologies


Protection of information in transit: cryptography,
application
-

and transport
-
layer security protocols


Protection of networked applications: firewalls and
intrusion detection


Study a few deployed systems in detail: from
design principles to gory implementation details


Kerberos, SSL/TLS, IPSec

Based on slides by Dr. Lawrie Brown of the Australian Defence Force Academy,
University College, UNSW

3

What This Semester Does
Not

Cover


No

ethical, legal or economic issues



No file sharing, DMCA, free speech issues


Only cursory overview of cryptography


Only some issues in systems security


No detail of access control, OS security,
secure hardware


No language
-
based security

Based on slides by Dr. Lawrie Brown of the Australian Defence Force Academy,
University College, UNSW

4

Set Text

William
Stalling’s


Network Security Essentials: Applications
and Standards

Published by Pearson


ISBN
-
10:

0132303787


ISBN
-
13:

978
-
0132303781


We will follow this text.


Based on slides by Dr. Lawrie Brown of the Australian Defence Force Academy,
University College, UNSW

5

This Session
-

Overview


Security Goals


The need for security


OSI Security Architecture


Attacks, services and mechanisms


Security attacks


Security services


Methods of Defense


A model for Internetwork Security


Internet standards and RFCs

Based on slides by Dr. Lawrie Brown of the Australian Defence Force Academy,
University College, UNSW

6




Security Goals

Integrity

Confidentiality

Avalaibility

Based on slides by Dr. Lawrie Brown of the Australian Defence Force Academy,
University College, UNSW

7

Security Goals


Confidentiality


Concealment of information or resources


Integrity


Trustworthiness of data or resources


Availability


Ability to use information or resources

Based on slides by Dr. Lawrie Brown of the Australian Defence Force Academy,
University College, UNSW

8

Confidentiality


Need for keeping information secret
arises from use of computers in
sensitive fields such as government
and industry


Access mechanisms, such as
cryptography, support confidentiality


Example: encrypting income tax return

Based on slides by Dr. Lawrie Brown of the Australian Defence Force Academy,
University College, UNSW

9

Integrity


Often requires preventing unauthorized
changes


Includes data integrity (content) and origin
integrity ( source of data also called
authentication)


Include prevention mechanisms and detection
mechanisms


Example: Newspaper prints info leaked from White
House and gives wrong source


Includes both correctness and trustworthiness


Based on slides by Dr. Lawrie Brown of the Australian Defence Force Academy,
University College, UNSW

10

Availability


Is an aspect of reliability and system
design


Attempts to block availability, called
denial of service attacks

are difficult
to detect


Example: bank with two servers

one is
blocked, the other provides false
information

Based on slides by Dr. Lawrie Brown of the Australian Defence Force Academy,
University College, UNSW

11

The Need for Security


Computer Security

-

the collection of
tools designed


to protect data and


to thwart hackers


Network security or internet
security
-

security measures needed
to protect data during their
transmission

Based on slides by Dr. Lawrie Brown of the Australian Defence Force Academy,
University College, UNSW

12

Security

Motivation:
Why do we need security
?



Increased reliance on Information technology with or with
out the use of networks



The use of IT has changed our lives drastically.



We depend on E
-
mail, Internet banking, and several other
governmental activities that use IT



Increased use of E
-
Commerce and the World wide web on
the Internet as a vast repository of various kinds of
information (immigration databases, flight tickets, stock
markets etc.)


Based on slides by Dr. Lawrie Brown of the Australian Defence Force Academy,
University College, UNSW

13

Security Concerns


Damage to any IT
-
based system or activity can
result in severe disruption of services and losses


Systems connected by networks are more prone
to attacks and also suffer more as a result of the
attacks than stand
-
alone systems (Reasons?)


Concerns such as the following are common


How do I know the party I am talking on the network is
really
the one I want to talk?


How can I be assured that no one else is listening and
learning the data that I send over a network


Can I ever stay relaxed that no hacker can enter my
network and play havoc?


Based on slides by Dr. Lawrie Brown of the Australian Defence Force Academy,
University College, UNSW

14

Concerns continued…


Is the web site I am downloading
information from a legitimate one, or a
fake?



How do I ensure that the person I just did
a financial transaction denies having done it
tomorrow or at a later time?



I want to buy some thing online, but I don’t
want to let them charge my credit card
before they deliver the product to me


Based on slides by Dr. Lawrie Brown of the Australian Defence Force Academy,
University College, UNSW

15

That is why…

..we need security


To safeguard the confidentiality, integrity,
authenticity and availability of data
transmitted over insecure networks


Internet is
not

the only insecure network in
this world


Many internal networks in organizations are
prone to insider attacks


In fact, insider attacks are greater both in
terms of likelihood of happening and damage
caused

Based on slides by Dr. Lawrie Brown of the Australian Defence Force Academy,
University College, UNSW

16

However, in reality


Security is often over looked (not one of the top criteria)


Availability, efficiency and performance tend to be the
ones


Buggy implementations


Systems too complex in nature and rich in features can
be filled with security holes


Incorporation of security into networks, not growing with
the rapidly growing number and size of networks


Attacking is becoming so common and easy


there are
books clearly explaining how to launch them


Security and attacks are a perpetual cat
-
and
-
mouse play.
The only way to avoid attacks is to keep up
-
to
-
date with
latest trends and stay ahead of malicious netizens


Based on slides by Dr. Lawrie Brown of the Australian Defence Force Academy,
University College, UNSW

17

OSI Security Architecture


ITU
-
T Recommendation X.800 Security
Architecture for OSI


International Telecommunications Union
(ITU) is a United Nations sponsored
agency that develops standards relating
to telecommunications and to Open
system Interconnection (OSI)


Extended by ISO 18028
-

part 2

Based on slides by Dr. Lawrie Brown of the Australian Defence Force Academy,
University College, UNSW

18

Attacks, Services and
Mechanisms


Security Attack:

Any action that
compromises the security of information.


Security Mechanism:

A mechanism that
is designed to detect, prevent, or recover
from a security attack.


Security Service:

A service that
enhances the security of data processing
systems and information transfers. A
security service makes use of one or more
security mechanisms

Based on slides by Dr. Lawrie Brown of the Australian Defence Force Academy,
University College, UNSW

19

Security Attacks

Based on slides by Dr. Lawrie Brown of the Australian Defence Force Academy,
University College, UNSW

20

Security Attacks


Interruption:

This is an attack on
availability


Disrupting traffic


Physically breaking communication line


Interception:

This is an attack on
confidentiality


Overhearing, eavesdropping over a
communication line


Based on slides by Dr. Lawrie Brown of the Australian Defence Force Academy,
University College, UNSW

21

Security Attacks (continued)


Modification:

This is an attack on
integrity


Corrupting transmitted data or
tampering with it before it reaches its
destination


Fabrication:

This is an attack on
authenticity


Faking data as if it were created by a
legitimate and authentic party


Based on slides by Dr. Lawrie Brown of the Australian Defence Force Academy,
University College, UNSW

22

Threats and Attacks


Threat

-

a potential for violation of
security or a possible danger that
might exploit a vulnerability


Attack

-

an assault on system
security
-

an intelligent act that is a
deliberate attempt to evade security
services and violate the security
policy of a system.

Based on slides by Dr. Lawrie Brown of the Australian Defence Force Academy,
University College, UNSW

23

Passive and active attacks


Passive attacks


No modification of content or fabrication


Eavesdropping to learn contents or other
information (transfer patterns, traffic flows etc.)


Active attacks


Modification of content and/or participation in
communication to


Impersonate legitimate parties


Modify the content in transit


Launch denial of service attacks



Based on slides by Dr. Lawrie Brown of the Australian Defence Force Academy,
University College, UNSW

24

Fundamental threats


Information leakage


Disclosure to unauthorized parties


Prince Charles mobile phone calls, 2006 ( and 1993)


Sarah Palin’s email hack (Sept. 2008)


Integrity violation


Corruption of data or loss of data


Top Iraqi cleric’s web site defaced (Sept 2008)


Denial of service


Unavailability of system/service/network


Xbox (Jan 2008)


Illegitimate use


Sasser worm 2004


Based on slides by Dr. Lawrie Brown of the Australian Defence Force Academy,
University College, UNSW

25

Services and Mechanisms


A
security
policy

is a statement of what is
and what is not allowed.


A
security
service

is a measure to address
a threat


E.g. authenticate individuals to prevent
unauthorized access


A
security
mechanism

is a means to
provide a service


E.g. encryption, cryptographic protocols


Based on slides by Dr. Lawrie Brown of the Australian Defence Force Academy,
University College, UNSW

26

Security Services


A security service is a service provided
by the protocol layer of a
communicating system (X.800)


5 Categories


Authentication


Access Control


Data confidentiality


Data Integrity


Nonrepudiation (and Availability)

Based on slides by Dr. Lawrie Brown of the Australian Defence Force Academy,
University College, UNSW

27

Security Services


Authentication (who created or sent the data)


Access control (prevent misuse of resources)


Confidentiality (privacy)


Integrity (has not been altered)


Non
-
repudiation (the order is final)


Availability (permanence, non
-
erasure)



Denial of Service Attacks



Virus that deletes files


Based on slides by Dr. Lawrie Brown of the Australian Defence Force Academy,
University College, UNSW

28

Security Mechanisms
Examples


Two types


Specific

mechanisms existing to provide certain
security services


E.g. encryption used for authentication



Pervasive
mechanisms which are general
mechanisms incorporated into the system and
not specific to a service


E.g. security audit trail



Based on slides by Dr. Lawrie Brown of the Australian Defence Force Academy,
University College, UNSW

29

OSI Network Stack and Attacks

(V. Shmatikov)

application

presentation

session

transport

network

data link

physical

IP

TCP

email,Web,NFS

RPC

802.11

Sendmail, FTP, NFS bugs


SYN flooding, RIP attacks,

sequence number prediction

IP smurfing and other

address spoofing attacks

RPC worms, portmapper exploits

WEP attacks

Only as secure as the
single

weakest layer…

Based on slides by Dr. Lawrie Brown of the Australian Defence Force Academy,
University College, UNSW

30

Model for Network Security


Basic tasks


Design an algorithm that opponent cannot
defeat


Generate the secret information to be used
with the algorithm


Develop methods for distributing secret
information


Specify a protocol to be used


May need a trusted third part to assist

Based on slides by Dr. Lawrie Brown of the Australian Defence Force Academy,
University College, UNSW

31

Based on slides by Dr. Lawrie Brown of the Australian Defence Force Academy,
University College, UNSW

32

Based on slides by Dr. Lawrie Brown of the Australian Defence Force Academy,
University College, UNSW

33

Methods of Defense


Encryption


Software Controls



(access limitations in a data base, in operating
system protect each user from other users)


Hardware Controls



(smartcard)


Policies



(frequent changes of passwords)


Physical Controls


Based on slides by Dr. Lawrie Brown of the Australian Defence Force Academy,
University College, UNSW

34

Internet standards and
RFCs

The Internet society (ISOC)


Internet Architecture Board (IAB)


Internet Engineering Task Force (IETF)


Internet Engineering Steering Group (IESG)

International Standards Organisation (ISO)


Numerous security related standards especially
17799, 18028, 27001

National Institute of Standards and
Technology (NIST)



Based on slides by Dr. Lawrie Brown of the Australian Defence Force Academy,
University College, UNSW