CSE497b Introduction to Computer and Network Security - Spring 2007 - Professor Jaeger
Lecture 2 - Security Overview
CSE497b - Spring 2007
Introduction to Computer and Network Security
Professor Jaeger
www.cse.psu.edu/~tjaeger/cse497b-s07

Readings
- Books: Perlman et al., Gollmann. Both are listed on the calendar.
- Readings: please check the calendar for the class readings.
  - Today: Gollmann Chs. 1 and 2
  - Next: Perlman Ch. 10, Gollmann Ch. 3

What is security?
- "The property that a system behaves as expected" (G. Spafford and many others)
- Note that this does not say what a system should or should not do.
- Implication: there is no universal definition or test for security (why?)
- Apply this definition to the ATM: how do you think an ATM should behave? What should it do? What should it not do?
- We often talk about expectations in terms of confidentiality, integrity, and availability.

Risk
- At-risk: valued resources that can be misused
  - Monetary
  - Data (loss or integrity)
  - Time
  - Confidence
  - Trust
- What does being misused mean?
  - Confidentiality (privacy or communication)
  - Integrity (personal or communication)
  - Availability (existential or fidelity)
- Q: What is at stake in your life?
Adversary
- An adversary is any entity trying to circumvent the security infrastructure
  - The curious and otherwise generally clueless (e.g., script-kiddies)
  - Casual attackers seeking to understand systems
  - Venal people with an ax to grind
  - Malicious groups of largely sophisticated users (e.g., chaos clubs)
  - Competitors (industrial espionage)
  - Governments (seeking to monitor activities)

Threats
- A threat is a specific means by which a risk can be realized by an adversary
  - Context specific (a fact of the environment)
  - An attack vector is a specific threat (e.g., key logger)
- A threat model is a collection of threats that are deemed important for a particular environment
  - E.g., those that should be addressed
  - A set of security requirements for a system
- Q: What were the (unaddressed) risks/threats in the introductory examples?
  - SQL Slammer
  - Yale/Princeton

Vulnerabilities (attack vectors)
- A vulnerability is a systematic artifact that exposes the user, data, or system to a threat
  - E.g., buffer overflow, WEP key leakage
- What is the source of a vulnerability?
  - Bad software (or hardware)
  - Bad design, requirements
  - Bad policy/configuration
  - System misuse: unintended purpose or environment
    - E.g., student IDs for liquor store

Are users adversaries?
- Have you ever tried to circumvent the security of a system you were authorized to access?
- Have you ever violated a security policy (knowingly or through carelessness)?
Attacks
- An attack occurs when someone attempts to exploit a vulnerability
- Kinds of attacks
  - Passive (e.g., eavesdropping)
  - Active (e.g., password guessing)
  - Denial of Service (DoS)
  - Distributed DoS using many endpoints
- A compromise occurs when an attack is successful
  - Typically associated with taking over/altering resources

Participants
- Participants are expected system entities
  - Computers, agents, people, enterprises, ...
  - Depending on context referred to as: servers, clients, users, entities, hosts, routers, ...
- Security is defined with respect to these entities
  - Implication: every party may have a unique view
- A trusted third party
  - Trusted by all parties for some set of actions
  - Often used as introducer or arbiter

Trust
- Trust refers to the degree to which an entity is expected to behave
  - What is the entity not expected to do? E.g., not expose a password
  - What is the entity expected to do (obligations)? E.g., obtain permission, refresh
- A trust model describes, for a particular environment, who is trusted to do what
- Note: you make trust decisions every day
  - Q: What are they?
  - Q: Whom do you trust?
Related Terminology
- Reliability: property of a system that indicates it will continue to function for long periods of time under varying circumstances
- Survivability: ability of a system to maintain function during abnormal or environmentally troubling events
- Privacy: the ability to stop information from becoming known to people other than those one chooses to give the information to
- Assurance: confidence that a system meets its security requirements, as typically evidenced by some evaluation methodology (FIPS 192, Common Criteria)

Security Model
- A security model is the combination of a trust model and a threat model that addresses the set of perceived risks
  - The security requirements used to develop some cogent and comprehensive design
- Every design must have a security model
  - LAN network or global information system
  - Java applet or operating system
- The single biggest mistake seen in the use of security is the lack of a coherent security model
  - It is very hard to retrofit security (design time)
- This class is going to talk a lot about security models
  - What are the security concerns (risks)?
  - What are the threats?
  - Who are our adversaries?
  - Whom do we trust, and to do what?
- Systems must be explicit about these things to be secure.
Review
- An adversary is a subject who tries to gain unauthorized access
- A threat is a mechanism that the adversary is capable of employing to gain unauthorized access
- A risk is a loss due to an adversary gaining unauthorized access
- A vulnerability is a flaw in a system that enables a threat to allow the adversary unauthorized access
- A threat model describes all the mechanisms available to the adversaries
- A trust model describes all the subjects that are trusted not to have vulnerabilities that can be abused, or not to be adversaries
- A security model consists of a threat model and a trust model (functional and security goals as well)

Security Overview
- Security can be separated in many ways, e.g., by threats, sensitivity levels, domains
- This class will focus on three interrelated domains of security that encompass nearly all security issues
  1. Network Security
  2. Systems Security
  3. Program Security
- There are other areas, e.g., physical security, privacy, etc., that will not directly be covered.

Common problems in network security
- Network security attempts to protect communication between hosts carried by the (often untrusted) network.
  - Eavesdropping on communication (confidentiality)
  - Modifying communication (integrity)
  - Preventing communication (availability)
- Example: securing application traffic (Web)
  - Protecting it on the network (HTTP requests/responses)
  - As it passes through intermediaries (proxies)
  - In the server (from malicious requests)
  - Protecting the client (from malicious content)

Common problems in systems security
- Systems security attempts to protect data held on hosts and on (sometimes untrusted) storage.
  - Prevention of sensitive data leakage (confidentiality)
    - Also known as information flow governance
  - Prevention of data corruption (integrity)
  - Controlling data response (availability)
- Figure: Systems Security: Controlling Data Leakage (labels from the diagram)
  - key in the clear on disk: encrypt with a pass phrase
  - provide pass phrase (window manager)
  - memory of program: swap memory to swap space

Common problems in program security
- Program security attempts to protect data received, held, and output on a (sometimes untrusted) host.
  - Prevention of sensitive data leakage (confidentiality)
    - Also known as information flow governance
  - Prevention of data corruption (integrity)
  - Controlling data access (availability)
- Figure: Example: Handling A Remote Request (labels from the diagram)
  - process user request (authenticate, authorize)
  - data-driven attack from request: buffer overflows

The remainder ...
- The remaining weeks will explore the design and use of these approaches
- Always ask yourself what tools are appropriate for a particular environment. For example, which of the preceding is appropriate for SPAM mitigation?
  - Authentication
  - Access Control
  - Transport/Data Security
  - Audit/Detection
- What about protecting the confidentiality of your email?
- Next week: Passwords and Authentication
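The "Handling A Remote Request" figure above names the classic data-driven attack: a request the host does not control carries a value longer than the buffer the server copies it into. The constructed C snippet below is an added example, not from the lecture; it shows the unbounded copy beside a bounds-checked version that refuses oversized input instead of overflowing. The request format and the `user=` field are assumptions made for the illustration.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* Constructed example: a server copies the "user=" field of a request
 * line into a fixed-size stack buffer before authenticating it. */
#define USER_MAX 16

/* Vulnerable pattern: the request length is trusted. A "user=" value of
 * USER_MAX characters or more runs past the end of user[] (the
 * data-driven attack from the figure). Shown for contrast only. */
void handle_request_unsafe(const char *req) {
    char user[USER_MAX];
    const char *p = strstr(req, "user=");
    if (!p) return;
    strcpy(user, p + 5);            /* no bound on the copy */
    printf("authenticating %s\n", user);
}

/* Hardened version: the host does not trust the request. The value is
 * delimited, bounds-checked against the caller's buffer, and rejected
 * (not silently truncated) when it does not fit.
 * Returns true when a user name was safely extracted into out. */
bool extract_user(const char *req, char *out, size_t out_len) {
    const char *p = strstr(req, "user=");
    if (!p) return false;
    p += 5;
    size_t n = strcspn(p, "&\r\n ");          /* value ends at a delimiter */
    if (n == 0 || n >= out_len) return false;  /* empty or too long: refuse */
    memcpy(out, p, n);
    out[n] = '\0';
    return true;
}

int main(void) {
    char user[USER_MAX];
    /* constructed sample requests */
    const char *ok  = "GET /login?user=alice&pw=x HTTP/1.0\r\n";
    const char *bad = "GET /login?user=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA HTTP/1.0\r\n";
    if (extract_user(ok, user, sizeof user))
        printf("user=%s\n", user);
    if (!extract_user(bad, user, sizeof user))
        printf("rejected oversized request\n");
    return 0;
}
```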