Week 1
Computer Security
Computational data can be in one of 3 states at a time:
Stored
Processed
In transmission
Security Principles
CIA
principles
Confidentiality
Secrecy of data
Integrity
Data have not been changed incorrectly (by accident or
deliberately)
Availability
Data should be available to authorized entities at all
times.
Confidentiality
Concealment of data, its resources and/or the
existence of data.
Data concealment can be achieved via
cryptography.
Resources are protected by limiting data, for
example by using firewalls or address translation
mechanisms.
We can conceal the existence of data by access
control mechanisms.
Integrity
Trustworthiness of data or resources by
preventing improper or unauthorized change.
Integrity includes
Data integrity (the content of information)
Origin integrity (also called authentication)
Integrity
Integrity mechanisms are categorized into 2
classes:
Prevention mechanisms, such as access controls
that prevent unauthorized modification of data;
this case occurs when an unauthorized user
attempts to change data
Integrity
Example:
An interrupted database transaction, leaving the
database in an inconsistent state, violates the integrity
of the data.
Availability
The ability to use the information or resource
desired.
Defined in terms of quality of service, in which
authorized users are expected to receive a specific
level of service (stated in terms of a metric).
System designs assume a statistical model to
analyze expected patterns of use, and
mechanisms ensure availability when that
statistical model holds.
Denial of service (DoS) attacks are attempts to
block availability.
Availability
Example:
Ann compromises a bank's secondary system server,
which supplies bank account balances. When an
inquiry is submitted to this secondary server, Ann can
supply any information she wants. Merchants validate
checks by contacting the bank's primary balance
server. But when the connection to the primary server is
blocked, all merchant queries will go to the secondary
server, where Ann will never have a check turned
down, regardless of her actual balance.
If the bank had only the primary server, this scheme
wouldn't work, as the merchant wouldn't be able to
validate checks.
Threats
A threat is a potential violation of security.
The violation need not actually occur for there
to be a threat.
The possibility that a violation might occur
means that we should guard against those
actions that could cause it. These actions are
called attacks.
Classes of Threats
Disclosure
Snooping
Deception
Modification, spoofing (masquerading),
repudiation of origin, denial of receipt
Disruption
Modification (alteration)
Usurpation
Modification, spoofing, delay, denial of service
Classes of Threats
Disclosure
Snooping: unauthorized interception of
data.
Ex: passive wiretapping, where the attacker
monitors communications.
Classes of Threats
Deception
Modification (alteration). Ex: active wiretapping,
where the attacker injects something into a
communication or modifies parts of the
communication.
Spoofing (masquerading): an impersonation of
one entity by another.
Delegation is a legitimate form of spoofing.
Classes of Threats
Disruption
Modification
Usurpation
Modification
Spoofing
Delay: A temporary inhibition of service.
Denial of service: A long-term inhibition of
service.
Security Attacks
Passive attacks
Active attacks
Modify data
More harm to system
Easier to detect (mostly after it is too late!) than
to prevent
Confidentiality Attacks
Traffic analysis
Intercept communication to observe ongoing
traffic
Still works even if the message is encrypted
Yields frequency, length of messages
Prevention: traffic padding
Snooping
Intercept communication to exploit the content
Prevention: Encrypt data
Integrity Attacks
Modification
Modify, delete, or delay message
Active attacks
Prevention: hash (fingerprint)
Replay
Intercept the message and send again at a later
time
Active attack
Prevention: Use timestamps
Availability Attacks
Denial of Service
Slow down or completely prevent a
communication, an entity, or a whole network
from providing service
Active attack
Prevention: Use upper limit for # of messages in
buffer
Authenticity Attacks
Masquerading (Spoofing)
Attacker impersonates either sender or receiver
(man-in-the-middle attack)
Active attack
Prevention: Use MAC (keyed-hash)
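The preventions listed under Integrity Attacks and Authenticity Attacks above can be shown together: a keyed hash (HMAC) bound to a timestamp, with the receiver keeping a record of tags already accepted. This is an added example, not code from the slides; the shared key, the 30-second acceptance window and the sample messages are constructed for the demonstration. It also illustrates the caveat that an unkeyed fingerprint alone does not stop an active attacker, since the attacker can recompute it after modifying the message, which is why the keyed variant is needed.

```python
import hmac
import hashlib

# Shared key between sender and receiver (constructed for this example).
KEY = b"shared-secret-key-for-demo"
# Maximum accepted age of a message, in seconds (an assumption of this example).
MAX_AGE = 30


def protect(payload: str, key: bytes, now: float) -> dict:
    """Sender side: attach a timestamp and a keyed hash (HMAC-SHA256)
    computed over timestamp and payload, so neither can be altered unnoticed."""
    ts = int(now)
    tag = hmac.new(key, f"{ts}|{payload}".encode(), hashlib.sha256).hexdigest()
    return {"ts": ts, "payload": payload, "mac": tag}


def verify(msg: dict, key: bytes, now: float, seen: set) -> str:
    """Receiver side. Returns 'ok' or the reason for rejection:
    - modified payload/timestamp or wrong key -> MAC mismatch (modification, masquerading)
    - timestamp outside the window, or tag already accepted -> replay"""
    data = f"{msg['ts']}|{msg['payload']}".encode()
    expected = hmac.new(key, data, hashlib.sha256).hexdigest()
    # compare_digest runs in constant time, so timing does not reveal the first wrong byte
    if not hmac.compare_digest(expected, msg["mac"]):
        return "rejected: MAC mismatch"
    if abs(now - msg["ts"]) > MAX_AGE:
        return "rejected: stale timestamp"
    if msg["mac"] in seen:
        return "rejected: replay"
    seen.add(msg["mac"])
    return "ok"


def demo() -> list:
    """Run the four attack cases from the slides against the receiver."""
    now = 1_700_000_000.0          # constructed clock value
    seen = set()                   # tags this receiver has already accepted
    results = []
    msg = protect("transfer 100 to account 42", KEY, now)
    results.append(verify(msg, KEY, now + 1, seen))          # genuine message
    results.append(verify(msg, KEY, now + 2, seen))          # same message sent again
    tampered = dict(msg, payload="transfer 900 to account 42")
    results.append(verify(tampered, KEY, now + 1, set()))    # payload modified in transit
    forged = protect("transfer 900 to account 42", b"wrong-key", now)
    results.append(verify(forged, KEY, now + 1, set()))      # sender impersonated without the key
    late = protect("transfer 100 to account 42", KEY, now - 600)
    results.append(verify(late, KEY, now, set()))            # old message outside the window
    return results
```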
Non-Repudiation Attacks
Repudiation
Denying that a transmission occurred
Either sender or receiver may perform
repudiation attack
Prevention: Use digital signature
Composition of policies
If policies conflict, discrepancies may create
security vulnerabilities
Goals of Security
Prevention
Prevent attackers from violating security policy
Detection
Detect attackers' violations of the security policy
Recovery
Stop attack, assess and repair damage
Continue to function correctly even if attack
succeeds
Assurance
Assurance is how much you can trust the system to do
what it is supposed to do. It does not say what the
system is to do; rather, it only covers how well the
system does it.
Specification
Requirements analysis
Statement of desired functionality
Design
How system will meet specification
Implementation
Programs/systems that carry out design
Operational Issues
Cost-Benefit Analysis
Is it cheaper to prevent or recover?
Risk Analysis
Should we protect something?
How much should we protect this thing?
Risk Analysis
Risk is a function of environment.
The risks change with time.
Many risks are remote, but still exist.
Human Issues
Organizational Problems
Power and responsibility
Financial benefits
People problems
Outsiders and insiders
Social engineering