
An Overview of Information Security

Week 1

Computer Security
  Computational data can be in one of 3 states at a time:
    Stored
    Processed
    In transmission
  Hence, computer security involves:
    Data security
    Program security
    Network security

Security Principles
  CIA principles
    Confidentiality: secrecy of data
    Integrity: data have not been changed incorrectly (by accident or deliberately)
    Availability: data should be available to authorized entities at all times

Confidentiality
  Concealment of data, its resources and/or the existence of data.
  Data concealment can be achieved via cryptography.
  Resources are protected by limiting access to data, for example by using firewalls or address translation mechanisms.
  We can conceal the existence of data by access control mechanisms.
  Relies on the military's need-to-know principle.

Integrity
  Trustworthiness of data or resources, achieved by preventing improper or unauthorized change.
  Integrity includes:
    Data integrity (the content of the information)
    Origin integrity (also called authentication)
  Example: a newspaper prints information leaked from the White House, but it turns out to be from the wrong source. This information preserves data integrity (printed as received), but violates origin integrity (as the source is incorrect).

Integrity
  Integrity mechanisms are categorized into 2 classes:
    Prevention mechanisms, such as access controls that prevent unauthorized modification of data. The violation occurs when an unauthorized user attempts to change data.
    Detection mechanisms, which are intended to detect unauthorized modifications when preventive mechanisms have failed. The violation occurs when an authorized user attempts to change data in illegitimate ways.

Integrity
  Example: an interrupted database transaction that leaves the database in an inconsistent state violates the integrity of the data.
  Controls that protect integrity include the principles of least privilege, separation of duties, and rotation of duties. The Clark-Wilson model brings these controls together to provide integrity.
  Cryptographic tools can be used to detect violations of integrity, but they cannot prevent them. A digital signature can be used to determine whether data has changed.

Availability
  The ability to use the information or resource desired.
  Defined in terms of quality of service, in which authorized users are expected to receive a specific level of service (stated in terms of a metric).
  System designs assume a statistical model to analyze expected patterns of use, and mechanisms ensure availability when that statistical model holds.
  Denial of service (DoS) attacks are attempts to block availability.

Availability
  Example: Ann compromises a bank's secondary server, which supplies bank account balances. When an inquiry is submitted to this secondary server, Ann can supply any information she wants. Merchants validate checks by contacting the bank's primary balance server. But when the connection to the primary server is blocked, all merchant queries go to the secondary server, where Ann will never have a check turned down, regardless of her actual balance.
  If the bank had only the primary server, this scheme wouldn't work, as the merchant wouldn't be able to validate checks.

Threats
  A threat is a potential violation of security.
  The violation need not actually occur for there to be a threat.
  The possibility that a violation might occur means that we should guard against those actions that could cause it. These actions are called attacks.

Classes of Threats
  Disclosure: snooping
  Deception: modification, spoofing (masquerading), repudiation of origin, denial of receipt
  Disruption: modification (alteration)
  Usurpation: modification, spoofing, delay, denial of service

Classes of Threats
  Disclosure
    Snooping: unauthorized interception of data. Example: passive wiretapping, where the attacker monitors communications.

Classes of Threats
  Deception
    Modification (alteration). Example: active wiretapping, where the attacker injects something into a communication or modifies parts of the communication.
    Spoofing (masquerading): an impersonation of one entity by another. Delegation is a legitimate form of spoofing.
    Repudiation of origin: a false denial that an entity sent or created something.
    Denial of receipt: a false denial that an entity received data.

Classes of Threats
  Disruption
    Modification
  Usurpation
    Modification
    Spoofing
    Delay: a temporary inhibition of service.
    Denial of service: a long-term inhibition of service.

Security Attacks
  Passive attacks
    Listen only, no modification
    No or little harm to the system
    Prevented by data encryption
    Harder to detect
  Active attacks
    Modify data
    More harm to the system
    Easier to detect (mostly after it is too late!) than to prevent

Confidentiality Attacks
  Traffic analysis
    Intercept communication to observe ongoing traffic
    Still works even if the message is encrypted
    Yields frequency and length of messages
    Prevention: traffic padding
  Snooping
    Intercept communication to exploit the content
    Prevention: encrypt data
  Both are passive attacks

Integrity Attacks
  Modification
    Modify, delete, or delay a message
    Active attack
    Prevention: hash (fingerprint)
  Replay
    Intercept the message and send it again at a later time
    Active attack
    Prevention: use timestamps

Availability Attacks
  Denial of Service
    Slow down or completely prevent a communication, an entity, or a whole network from providing service
    Active attack
    Prevention: use an upper limit for the number of messages in the buffer

Authenticity Attacks
  Masquerading (Spoofing)
    Attacker impersonates either sender or receiver (man-in-the-middle attack)
    Active attack
    Prevention: use a MAC (keyed hash)
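The three preventions named on the Integrity Attacks and Authenticity Attacks slides (hash, timestamps, MAC) as one receiver-side check. This is an added example, not from the slides; the key, the 30-second window and the ts|message|tag packet layout are assumptions. It also shows why an unkeyed hash only catches accidental change: whoever alters the message can recompute it.

```python
import hashlib
import hmac

KEY = b"constructed-shared-key"   # assumption: pre-shared between sender and receiver
WINDOW_SECONDS = 30               # assumption: tolerated delivery delay / clock skew


def fingerprint(message: bytes) -> str:
    """Unkeyed hash: catches accidental corruption, nothing more."""
    return hashlib.sha256(message).hexdigest()


def forge_plain_hash(message: bytes) -> tuple:
    """Anyone who can alter the message can recompute an unkeyed hash,
    so a fingerprint alone does not detect deliberate modification."""
    altered = message.replace(b"100", b"900")
    return altered, fingerprint(altered)


def protect(message: bytes, key: bytes, timestamp: int) -> bytes:
    """Sender side: keyed hash over timestamp and message, packed as ts|message|tag."""
    body = str(timestamp).encode() + b"|" + message
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"|" + tag


class Receiver:
    def __init__(self, key: bytes, window: int = WINDOW_SECONDS):
        self.key = key
        self.window = window
        self.seen = set()   # (timestamp, tag) pairs already accepted

    def accept(self, packet: bytes, now: int) -> str:
        # The tag is hex, so it never contains '|'; the message may, hence rsplit.
        ts_b, rest = packet.split(b"|", 1)
        message, tag = rest.rsplit(b"|", 1)
        expected = hmac.new(self.key, ts_b + b"|" + message, hashlib.sha256).hexdigest().encode()
        # 1. MAC: a modified message, or a sender without the key, fails here
        if not hmac.compare_digest(expected, tag):
            return "rejected: modification or masquerade"
        # 2. timestamp: packets outside the window cannot be replayed later
        ts = int(ts_b)
        if abs(now - ts) > self.window:
            return "rejected: stale timestamp"
        # 3. duplicates inside the window catch an immediate replay
        if (ts, tag) in self.seen:
            return "rejected: replay"
        self.seen.add((ts, tag))
        return "accepted"
```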

Non-Repudiation Attacks
  Repudiation
    Rejecting the occurrence of a transmission
    Either sender or receiver may perform a repudiation attack
    Prevention: use a digital signature
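Why the slide says digital signature rather than MAC: with a shared MAC key the receiver could have produced any tag itself, so the tag settles nothing in a dispute, whereas a signature needs the private exponent only the signer holds. Added example, not from the slides; the RSA parameters are a constructed toy (two Mersenne primes, no padding) and the key names are assumptions.

```python
import hashlib
import hmac

# Toy RSA parameters, constructed for illustration only: the factors are the
# Mersenne primes 2^31-1 and 2^61-1. Real deployments use 2048-bit moduli and
# a padded scheme such as RSA-PSS.
P, Q = 2**31 - 1, 2**61 - 1
N = P * Q
E = 65537                               # public exponent, known to everyone
D = pow(E, -1, (P - 1) * (Q - 1))       # private exponent, known to the signer only

SHARED_KEY = b"constructed-shared-key"  # assumption: MAC key held by sender AND receiver


def mac(message: bytes, key: bytes = SHARED_KEY) -> str:
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def mac_valid(message: bytes, tag: str, key: bytes = SHARED_KEY) -> bool:
    return hmac.compare_digest(mac(message, key), tag)


def digest_int(message: bytes) -> int:
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N


def sign(message: bytes, exponent: int) -> int:
    """Signature = H(m)^exponent mod N; only the private exponent D yields a valid one."""
    return pow(digest_int(message), exponent, N)


def verify(message: bytes, signature: int) -> bool:
    return pow(signature, E, N) == digest_int(message)


def receiver_forges_mac(claimed: bytes) -> bool:
    """The receiver holds the same key, so it can fabricate a valid tag for a
    message the sender never sent; a MAC proves nothing to a third party."""
    return mac_valid(claimed, mac(claimed))


def receiver_forges_signature(claimed: bytes) -> bool:
    """The receiver knows only E, so its best attempt H(m)^E does not verify."""
    return verify(claimed, sign(claimed, E))
```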

Policies and Mechanisms
  Policy says what is, and is not, allowed
    This defines security for the site, system, etc.
  Policy may be expressed in:
    natural language, imprecise but easy to understand
    mathematics, precise but hard to understand
    policy languages, which look like some form of programming language and try to balance precision with ease of understanding

Policies and Mechanisms
  Mechanism
    A method, tool, or procedure to enforce a security policy.
  Mechanisms may be:
    technical, in which controls in the computer enforce the policy; for example, the requirement that a user supply a password to authenticate herself before using the computer
    procedural, in which controls outside the system enforce the policy; for example, firing someone for bringing in a disk containing a game program obtained from an untrusted source
  Composition of policies
    If policies conflict, the discrepancies may create security vulnerabilities

Goals of Security
  Prevention
    Prevent attackers from violating the security policy
  Detection
    Detect attackers' violations of the security policy
  Recovery
    Stop the attack, assess and repair the damage
    Continue to function correctly even if the attack succeeds

Assurance
  Assurance is how much you can trust the system to do what it is supposed to do. It does not say what the system is to do; rather, it only covers how well the system does it.
  Specification
    Requirements analysis
    Statement of desired functionality
  Design
    How the system will meet the specification
  Implementation
    Programs/systems that carry out the design

Operational Issues
  Cost-Benefit Analysis
    Is it cheaper to prevent or to recover?
  Risk Analysis
    Should we protect something?
    How much should we protect this thing?
  Laws and Customs
    Are desired security measures illegal?
    Will people do them?

Cost-Benefit Analysis Example
  A DB provides salary information to another system that prints checks. If the data in the DB is altered, the company would suffer significant financial loss; hence, the cost-benefit analysis should suggest that the strongest integrity mechanisms should protect the data in the DB.
  Another company has several branch offices, and each day a copy of the data is copied to each branch office. The branch offices use the data to recommend salaries for new employees. However, the final decision is made by the main office using the original DB. In this case, guarding the integrity of the copies is not particularly important.

Risk Analysis
  Risk is a function of the environment.
  The risks change with time.
  Many risks are remote, but still exist.

Laws and Customs - Example
  Until the year 2000, the US controlled the export of cryptographic h/w and s/w (considered munitions under US law). If a US company worked with a computer manufacturer in London, the US company could not send cryptographic s/w to the manufacturer. The US company had first to obtain a license to export the s/w. Any security policy that depended on the London manufacturer using that cryptographic s/w would need to take this into account.

Human Issues
  Organizational problems
    Power and responsibility
    Financial benefits
  People problems
    Outsiders and insiders
    Social engineering

Bringing it all together
  The security lifecycle
    Threats
    Policy
    Specification
    Design
    Implementation
    Operation & maintenance
