CSE497b Introduction to Computer and Network Security - Spring 2007 - Professor Jaeger

Lecture 2 - Security Overview

CSE497b - Spring 2007
Introduction Computer and Network Security
Professor Jaeger
www.cse.psu.edu/~tjaeger/cse497b-s07
CSE497b Introduction to Computer and Network Security - Spring 2007 - Professor Jaeger Page
Readings
Books
Perlman et al
Gollmann
Both are listed on calendar
Readings
Please check the calendar for the class readings
Today
Gollmann Chs. 1 and 2
Next, Perlman Ch. 10, Gollmann Ch. 3
2
CSE497b Introduction to Computer and Network Security - Spring 2007 - Professor Jaeger Page
What is security?
the property that a system behaves as expected
G. Spafford and many others ....
Note that this does not say what a system should or
should not do.
Implication -- there is no universal denition or test for
security (why?)
Apply this denition to the ATM
How do you think an ATM should behave?
What should it do?
What should it not do?
We talk about expectations often in terms of
condentiality, integrity, and availability.
3
CSE497b Introduction to Computer and Network Security - Spring 2007 - Professor Jaeger Page
Risk
At-risk valued resources that can be misused
Monetary
Data (loss or integrity)
Time
Condence
Trust
What does being misused mean?
Condentiality (privacy or communication)
Integrity (personal or communication)
Availability (existential or delity)
Q: What is at stake in your life?
4
CSE497b Introduction to Computer and Network Security - Spring 2007 - Professor Jaeger Page
Adversary
An adversary is any entity trying to
circumvent the security infrastructure
The curious and otherwise generally clueless (e.g., script-
kiddies)
Casual attackers seeking to understand systems
Venal people with an ax to grind
Malicious groups of largely sophisticated users (e.g,
chaos clubs)
Competitors (industrial espionage)
Governments (seeking to monitor activities)
5
CSE497b Introduction to Computer and Network Security - Spring 2007 - Professor Jaeger Page
Threats
A threat is a specic means by which a risk can be
realized by an adversary
Context specic (a fact of the environment)
An attack vector is a specic threat (e.g., key logger)
A threat model is a collection of threats that deemed
important for a particular environment
E.g., should be addressed
A set of security requirements for a system
Q: What were (unaddressed) risks/threats in the
introductory examples?
SQL Slammer
Yale/Princeton
6
CSE497b Introduction to Computer and Network Security - Spring 2007 - Professor Jaeger Page
Vulnerabilities (attack vectors)
A vulnerability is a systematic artifact that exposes
the user, data, or system to a threat
E.g., buffer-overow, WEP key leakage
What is the source of a vulnerability?
Bad software (or hardware)
Bad design, requirements
Bad policy/conguration
System Misuse
unintended purpose or environment
E.g., student IDs for liquor store
7
CSE497b Introduction to Computer and Network Security - Spring 2007 - Professor Jaeger Page
Are users adversaries?
Have you ever tried to circumvent the security of a
system you were authorized to access?
Have you ever violated a security policy (knowingly
or through carelessness)?
8
CSE497b Introduction to Computer and Network Security - Spring 2007 - Professor Jaeger Page
Attacks
An attack occurs when someone attempts to exploit
a vulnerability
Kinds of attacks
Passive (e.g., eavesdropping)
Active (e.g., password guessing)
Denial of Service (DOS)
Distributed DOS using many endpoints
A compromise occurs when an attack is successful
Typically associated with taking over/altering resources
9
CSE497b Introduction to Computer and Network Security - Spring 2007 - Professor Jaeger Page
Participants
Participants are expected system entities
Computers, agents, people, enterprises,
Depending on context referred to as: servers, clients,
users, entities, hosts, routers,
Security is dened with respect to these entitles
Implication: every party may have unique view
A trusted trusted third party
Trusted by all parties for some set of actions
Often used as introducer or arbiter
10
CSE497b Introduction to Computer and Network Security - Spring 2007 - Professor Jaeger Page
Trust
Trust refers to the degree to
which an entity is expected to behave
What the entity not expected to do?
E.g., not expose password
What the entity is expected to do (obligations)?
E.g., obtain permission, refresh
A trust model describes, for a particular
environment, who is trusted to do what?
Note: you make trust decisions every day
Q: What are they?
Q: Whom do you trust?
11
CSE497b Introduction to Computer and Network Security - Spring 2007 - Professor Jaeger Page
Related Terminology
Reliability - property of a system that indicates it will
continue to function for long periods of time under
varying circumstances
Survivability - ability of a system to maintain function
during abnormal or environmentally troubling events
Privacy - the ability to stop information from
becoming known to people other than those they
choose to give the information
Assurance - condence that system meets its
security requirements
as typically evidenced by some evaluation methodology
(FIPs 192, Common Criteria)
12
CSE497b Introduction to Computer and Network Security - Spring 2007 - Professor Jaeger Page
Security Model
A security model is the combination of a trust and threat
models that address the set of perceived risks
The security requirements used to develop some cogent and
comprehensive design
Every design must have security model
LAN network or global information system
Java applet or operating system
The single biggest mistake seen in use of security is the lack of a
coherent security model
It is very hard to retrot security (design time)
This class is going to talk a lot about security models
What are the security concerns (risks)?
What are the threats?
Who are our adversaries?
Who do we trust and to do what?
Systems must be explicit about these things to be secure.
13
CSE497b Introduction to Computer and Network Security - Spring 2007 - Professor Jaeger Page
Review
An adversary is a subject who tries to gain unauthorized
access
A threat is a mechanism that the adversary is capable of
employing to gain unauthorized access
A risk is a loss due to an adversary gaining unauthorized
access
A vulnerability is a aw in a that enables a threat to allow
the adversary unauthorized access
A threat model describes all the mechanisms available to
the adversaries
A trust model describes all the subjects that are trusted not
to have vulnerabilities that can be abused or be adversaries
A security model consists of a threat model and a trust
model (functional and security goals as well)
14
CSE497b Introduction to Computer and Network Security - Spring 2007 - Professor Jaeger Page
Security Overview
Security can be separated into many ways, e.g.,
threats, sensitivity levels, domains
This class will focus on three interrelated domains of
security that encompass nearly all security issues
1. Network Security
2. Systems Security
3. Program Security
There are other areas, e.g., physical security, privacy,
etc. that will not directly be covered.
15
CSE497b Introduction to Computer and Network Security - Spring 2007 - Professor Jaeger Page
Common problems in network security
Network security attempts to protect communication
between hosts carried by the (often untrusted)
network.
Eavesdropping communication (condentiality)
Modifying communication (integrity)
Preventing communication (availability)
Example: securing application trafc (Web)
Protecting on network (HTTP requests/responses)
As passing through intermediaries (proxies)
In server (from malicious requests)
Protecting the client (from malicious content)
16
CSE497b Introduction to Computer and Network Security - Spring 2007 - Professor Jaeger Page
Common problems in systems security
Systems security attempts to protect data held on
hosts and sometimes (sometimes untrusted) storage.
Prevention of sensitive data leakage (condentiality)
Also known as information ow governance
Prevention of data corruption (integrity)
Controlling data response (availability)
Systems Security: Controlling Data Leakage
on disk (key in clear -- encrypt with pass phrase)
provide pass-phrase (window manager)
memory of program
swap memory to swap space
17
CSE497b Introduction to Computer and Network Security - Spring 2007 - Professor Jaeger Page
Common problems in program security
Program security attempts to protect data received,
held, and output on a (sometimes untrusted) host.
Prevention of sensitive data leakage (condentiality)
Also known as information ow governance
Prevention of data corruption (integrity)
Controlling data access (availability)
Example: Handling A Remote Request
process user request (authenticate, authorize)
data-driven attack from request
buffer overows
18
CSE497b Introduction to Computer and Network Security - Spring 2007 - Professor Jaeger Page
The remainder ....
The remaining weeks will explore the design and use
of these approaches
Always ask yourself what tools are appropriate for a
particular environment.
For example, which of then proceeding is appropriate for
SPAM mitigation
Authentication
Access Control
Transport/Data Security
Audit/Detection
What about protecting the condentiality of your email?
Next week: Passwords and Authentication
19