
Information System Security introduction

Date post: 20-Jan-2015
Upload: shu-shin
UCCN 1213 Information Security: An Introduction October 2011
Transcript
Page 1: Information System Security introduction

UCCN 1213 Information Security: An Introduction

October 2011

Page 2: Information System Security introduction

Definition

Information security is a “well-informed sense of assurance that the information risks and controls are in balance.” — Jim Anderson, Inovant (2002)

• Does not guarantee the safety of an organization, information, or computer systems
• Involves examining threats and vulnerabilities of an organization and managing them appropriately
• Take appropriate preventative steps to guard information and capabilities against these threats
• Security professionals must review the origins of this field to understand its impact on our understanding of information security today

Page 3: Information System Security introduction

History

• Computer security began immediately after the first mainframes were developed
• Groups developing code-breaking computations during World War II created the first modern computers
• Multiple levels of security were implemented
• Physical controls to limit access to sensitive military locations to authorized personnel
• Rudimentary in defending against physical theft, espionage, and sabotage

Page 4: Information System Security introduction

1960s to 1980s

1960s – US Department of Defense’s Advanced Research Projects Agency (ARPA) began to examine the feasibility of redundant networked communications

Larry Roberts, who is known as the founder of the Internet, developed ARPANET from its inception

Early 1970s – ARPANET grew in popularity as did its potential for misuse

Late 1970s – microprocessor expanded computing capabilities and security threats

Page 5: Information System Security introduction

1960s to 1980s

Information security began with “Rand Report R-609: Security Control for Computer Systems” (paper that started the study of computer security)

• Scope of computer security grew from physical security to include:
– Safety of data
– Limiting unauthorized access to data
– Involvement of personnel from multiple levels of an organization
• At this stage, the concept of computer security evolved into the more sophisticated system we call information security

Page 6: Information System Security introduction

Key Dates for Seminal Works in Early Computer Security

Page 7: Information System Security introduction

2000 to Present

The Internet brings millions of computer networks into communication with each other—many of them unsecured

Ability to secure a computer’s data influenced by the security of every computer to which it is connected

Growing threat of cyber attacks has increased the need for improved security

Page 8: Information System Security introduction

What is Security

“The quality or state of being secure—to be free from danger”

• A successful organization should have multiple layers of security in place:
– Physical security: To protect the physical items, objects, or areas of an organization from unauthorized access and misuse.
– Personal security: To protect the individual or group of individuals who are authorized to access the organization and its operations.
– Operations security: To protect the details of a particular operation or series of activities.

Page 9: Information System Security introduction

What is Security

• Layers of security continued:
– Communications security: To protect an organization’s communications media, technology, and content.
– Network security: To protect networking components, connections, and contents.
– Information security: To protect the confidentiality, integrity and availability of information assets, whether in storage, processing or transmission. It is achieved via the application of policy, education, training and awareness, and technology.

Page 10: Information System Security introduction

Components of Information Security

Page 11: Information System Security introduction

What is Security

• The protection of information and its critical elements, including systems and hardware that use, store, and transmit that information
• Necessary tools: policy, awareness, training, education, technology
• C.I.A. triangle
– Was standard based on confidentiality, integrity and availability
– Now expanded into list of critical characteristics of information

Page 12: Information System Security introduction

[Figure: Security Goal triangle with Confidentiality, Integrity and Availability]

Page 13: Information System Security introduction

Critical Characteristics of Information

• The value of information comes from the characteristics it possesses:
– Availability: Enables users who need to access information to do so without interference or obstruction and in the required format. The information is said to be available to an authorized user when and where needed and in the correct format.
– Accuracy: Free from mistake or error and having the value that the end user expects. If information contains a value different from the user’s expectations due to the intentional or unintentional modification of its content, it is no longer accurate.
– Authenticity: The quality or state of being genuine or original, rather than a reproduction or fabrication. Information is authentic when it is the information that was originally created, placed, stored, or transferred.

Page 14: Information System Security introduction

Critical Characteristics of Information

• Characteristics continued:
– Confidentiality: The quality or state of preventing disclosure or exposure to unauthorized individuals or systems.
– Integrity: The quality or state of being accurate, complete, and authorised. The integrity of information is threatened when the information is exposed to corruption, damage, destruction, or other disruption of its authentic state.
– Utility: The quality or state of having value for some purpose or end. Information has value when it serves a particular purpose. This means that if information is available, but not in a format meaningful to the end user, it is not useful.
– Possession: The quality or state of having ownership or control of some object or item. Information is said to be in possession if one obtains it, independent of format or other characteristic. While a breach of confidentiality always results in a breach of possession, a breach of possession does not always result in a breach of confidentiality.

Page 15: Information System Security introduction

CNSS Security Model

The McCumber Cube

Page 16: Information System Security introduction

Cryptography

Can protect confidentiality and integrity, but not availability

Confidentiality - Hide the secret data from unauthorised personnel

Integrity – Make sure the data is not tampered with during transmission

Availability – cannot be controlled by a cryptosystem, e.g. unplug network cable

Page 17: Information System Security introduction

Cryptographic Concepts

Encryption: a means to allow two parties, customarily called Alice and Bob, to establish confidential communication over an insecure channel that is subject to eavesdropping.

[Figure: Alice, Bob and Eve]

Page 18: Information System Security introduction

Encryption and Decryption

• The message M is called the plaintext.
• Alice will convert plaintext M to an encrypted form using an encryption algorithm E that outputs a ciphertext C for M.

[Figure: the sender encrypts the plaintext with the shared secret key; the ciphertext crosses the communication channel, where an attacker is eavesdropping; the recipient decrypts it with the shared secret key to recover the plaintext]

Page 19: Information System Security introduction

Encryption and Decryption

As equations:

C = E(M)

M = D(C)

The encryption and decryption algorithms are chosen so that it is infeasible for someone other than Alice and Bob to determine plaintext M from ciphertext C. Thus, ciphertext C can be transmitted over an insecure channel that can be eavesdropped by an adversary.

Page 20: Information System Security introduction

Caesar Cipher

• Replace each letter with the one “three over” in the alphabet.
• Can be represented by using modular arithmetic:

E_n(x) = (x + n) mod 26
D_n(x) = (x – n) mod 26

Public domain image from http://commons.wikimedia.org/wiki/File:Caesar3.svg

Page 21: Information System Security introduction

Symmetric Cryptosystems

Alice and Bob share a secret key, which is used for both encryption and decryption.

[Figure: the sender encrypts the plaintext with the shared secret key; the ciphertext crosses the communication channel, where an attacker is eavesdropping; the recipient decrypts it with the shared secret key to recover the plaintext]

Page 22: Information System Security introduction

Symmetric Key Distribution

Requires each pair of communicating parties to share a (separate) secret key.

n(n-1)/2 keys

[Figure: every pair of parties holds its own shared secret]

Page 23: Information System Security introduction

Public-Key Cryptography


Page 24: Information System Security introduction

Public-Key Cryptography

Separate keys are used for encryption and decryption.

[Figure: the sender encrypts the plaintext with the public key; the ciphertext crosses the communication channel, where an attacker is eavesdropping; the recipient decrypts it with the private key to recover the plaintext]

Page 25: Information System Security introduction

Public Key Distribution

Only one key is needed for each recipient

n key pairs

[Figure: each party holds its own private key and a matching public key]

Page 26: Information System Security introduction

Digital Signatures


Page 27: Information System Security introduction

Cryptographic Hash Functions

• A checksum on a message, M, that is:
– One-way: it should be easy to compute Y=H(M), but hard to find M given only Y
– Collision-resistant: it should be hard to find two messages, M and N, such that H(M)=H(N).
• Examples: SHA-1, SHA-256, MD5.

Page 28: Information System Security introduction

Message Authentication Codes

• Allows for Alice and Bob to have data integrity, if they share a secret key.
• Given a message M, Alice computes H(K||M) and sends M and this hash to Bob.

[Figure: the sender computes the MAC of message M with hash function h and the shared secret key; an attacker modifies the message to M’ on the communication channel; the recipient computes the MAC of M’ with h and the shared secret key and compares the computed MAC with the received MAC (=?); a mismatch means attack detected]
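The sender and recipient sides of the MAC slide, as an added example that is not part of the original slides. SHA-256 stands in for h, the key and messages are constructed sample values, and HMAC-SHA256 is shown next to the slide's H(K||M) because a plain prefix-keyed hash over MD5, SHA-1 or SHA-256 is open to length extension, which HMAC avoids.

```python
import hashlib
import hmac

KEY = b"constructed-shared-secret"          # constructed sample key K
MESSAGE = b"transfer 100 to account 4711"   # constructed message M
TAMPERED = b"transfer 900 to account 4711"  # constructed modified message M'


def mac_prefix(key: bytes, message: bytes) -> bytes:
    """MAC as written on the slide: h(K || M), with SHA-256 standing in for h."""
    return hashlib.sha256(key + message).digest()


def mac_hmac(key: bytes, message: bytes) -> bytes:
    """HMAC-SHA256 (RFC 2104), the standardized way to key a hash function."""
    return hmac.new(key, message, hashlib.sha256).digest()


def send(key, message, mac_fn):
    """Sender: put the message and its MAC on the channel."""
    return message, mac_fn(key, message)


def receive(key, message, received_mac, mac_fn):
    """Recipient: recompute the MAC over what arrived and compare the two."""
    computed_mac = mac_fn(key, message)
    # compare_digest runs in constant time, so the comparison does not leak
    # how many leading bytes of a wrong MAC happened to be correct.
    if hmac.compare_digest(computed_mac, received_mac):
        return "accepted"
    return "attack detected"


def run_channel(mac_fn):
    """Pass an unmodified, a modified and a re-tagged message to the recipient."""
    message, tag = send(KEY, MESSAGE, mac_fn)
    # Without K, the most a modifier can attach is an unkeyed hash of M'.
    unkeyed = hashlib.sha256(TAMPERED).digest()
    return {
        "unmodified": receive(KEY, message, tag, mac_fn),
        "message modified": receive(KEY, TAMPERED, tag, mac_fn),
        "message and MAC replaced": receive(KEY, TAMPERED, unkeyed, mac_fn),
    }


if __name__ == "__main__":
    for name, fn in (("h(K||M)", mac_prefix), ("HMAC-SHA256", mac_hmac)):
        print(name, run_channel(fn))
```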

Page 29: Information System Security introduction

Digital Certificates

A certificate authority (CA) digitally signs a binding between an identity and the public key for that identity.

Page 30: Information System Security introduction

Access Control Models

• Users and groups
• Authentication
• Passwords
• File protection
• Access control lists

• Which users can read/write which files?
• Are my files really safe?
• What does it mean to be root?
• What do we really want to control?

Page 31: Information System Security introduction

Access Control Matrices

• A table that defines permissions.
– Each row of this table is associated with a subject, which is a user, group, or system that can perform actions.
– Each column of the table is associated with an object, which is a file, directory, document, device, resource, or any other entity for which we want to define access rights.
– Each cell of the table is then filled with the access rights for the associated combination of subject and object.
– Access rights can include actions such as reading, writing, copying, executing, deleting, and annotating.
– An empty cell means that no access rights are granted.

Page 32: Information System Security introduction

Example Access Control Matrix


Page 33: Information System Security introduction

Access Control Lists

It defines, for each object, o, a list, L, called o’s access control list, which enumerates all the subjects that have access rights for o and, for each such subject, s, gives the access rights that s has for object o.

/etc/passwd: root: r,w; mike: r; roberto: r; backup: r
/usr/bin/: root: r,w,x; mike: r,x; roberto: r,x; backup: r,x
/u/roberto/: root: r,w,x; roberto: r,w,x; backup: r,x
/admin/: root: r,w,x; backup: r,x

Page 34: Information System Security introduction

Capabilities

Takes a subject-centered approach to access control. It defines, for each subject s, the list of the objects for which s has nonempty access control rights, together with the specific rights for each such object.

root: /etc/passwd: r,w,x; /usr/bin: r,w,x; /u/roberto: r,w,x; /admin/: r,w,x
roberto: /usr/passwd: r; /usr/bin: r; /u/roberto: r,w,x
mike: /usr/passwd: r; /usr/bin: r,x
backup: /etc/passwd: r,x; /usr/bin: r,x; /u/roberto: r,x; /admin/: r,x
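The three representations from the last slides (matrix, access control lists, capabilities) built from one data set, as an added example that is not part of the original slides. The entries are those of the ACL slide's figure, so the derived capability lists follow that figure, which differs from the capabilities figure in a few cells; the function names are illustrative.

```python
from collections import defaultdict

# Entries from the ACL slide's figure: object -> {subject: rights}.
ACLS = {
    "/etc/passwd": {"root": "rw", "mike": "r", "roberto": "r", "backup": "r"},
    "/usr/bin/": {"root": "rwx", "mike": "rx", "roberto": "rx", "backup": "rx"},
    "/u/roberto/": {"root": "rwx", "roberto": "rwx", "backup": "rx"},
    "/admin/": {"root": "rwx", "backup": "rx"},
}


def build_matrix(acls):
    """Access control matrix: one row per subject, one cell per object."""
    matrix = defaultdict(dict)
    for obj, entries in acls.items():
        for subject, rights in entries.items():
            matrix[subject][obj] = frozenset(rights)
    return dict(matrix)


def acl_of(matrix, obj):
    """Object-centered view: read one column of the matrix."""
    return {s: row[obj] for s, row in matrix.items() if obj in row}


def capabilities_of(matrix, subject):
    """Subject-centered view: read one row of the matrix."""
    return dict(matrix.get(subject, {}))


def is_allowed(matrix, subject, obj, right):
    """An empty or missing cell grants nothing, so the default is deny."""
    return right in matrix.get(subject, {}).get(obj, frozenset())


def revoke_subject(acls, subject):
    """Return new ACLs without `subject`, plus how many lists were inspected.

    With ACLs, removing a subject means visiting every object's list; with
    capabilities the same change is the removal of a single row.
    """
    remaining = {
        obj: {s: r for s, r in entries.items() if s != subject}
        for obj, entries in acls.items()
    }
    return remaining, len(acls)


if __name__ == "__main__":
    m = build_matrix(ACLS)
    print("ACL of /admin/:", acl_of(m, "/admin/"))
    print("capabilities of mike:", capabilities_of(m, "mike"))
    print("mike reads /admin/?", is_allowed(m, "mike", "/admin/", "r"))
```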

Page 35: Information System Security introduction

Role-based Access Control

Define roles and then specify access control rights for these roles, rather than for subjects directly.

[Figure: role hierarchy with the roles Department Member, Administrative Personnel, Accountant, Secretary, Administrative Manager, Faculty, Lab Technician, Lab Manager, Student, Undergraduate Student, Graduate Student, Department Chair, Technical Personnel, Backup Agent, System Administrator, Undergraduate TA and Graduate TA]

Page 36: Information System Security introduction

Passwords

A short sequence of characters used as a means to authenticate someone via a secret that they know.

Userid: _________________ Password: ______________


Page 37: Information System Security introduction

How is a password stored?

[Figure: the user’s password (Dog124) is passed through a hash function, and the result is kept in the password file (Butch:ASDSA 21QW3R50E ERWWER323 …)]

Page 38: Information System Security introduction

Strong Passwords
• What is a strong password
– UPPER/lower case characters
– Special characters
– Numbers
• When is a password strong?
– Seattle1
– M1ke03
– P@$$w0rd
– TD2k5secV

Page 39: Information System Security introduction

Password Complexity
• A fixed 6 symbols password:
– Numbers: 10^6 = 1,000,000
– UPPER or lower case characters: 26^6 = 308,915,776
– UPPER and lower case characters: 52^6 = 19,770,609,664
– 32 special characters (&, %, $, £, “, |, ^, §, etc.): 32^6 = 1,073,741,824
• 94 practical symbols available
– 94^6 = 689,869,781,056
• ASCII standard 7 bit 2^7 = 128 symbols
– 128^6 = 4,398,046,511,104

Page 40: Information System Security introduction

Password Length
• 26 UPPER/lower case characters = 52 characters
• 10 numbers
• 32 special characters
• => 94 characters available
• 5 characters: 94^5 = 7,339,040,224
• 6 characters: 94^6 = 689,869,781,056
• 7 characters: 94^7 = 64,847,759,419,264
• 8 characters: 94^8 = 6,095,689,385,410,816
• 9 characters: 94^9 = 572,994,802,228,616,704

Page 41: Information System Security introduction

Password Validity: Brute Force Test
• Password does not change for 60 days
• How many passwords should I try for each second?
– 5 characters: 1,415 PW /sec
– 6 characters: 133,076 PW /sec
– 7 characters: 12,509,214 PW /sec
– 8 characters: 1,175,866,008 PW /sec
– 9 characters: 110,531,404,750 PW /sec

Page 42: Information System Security introduction

Secure Passwords
• A strong password includes characters from at least three of the following groups:
• Use pass phrases eg. "I re@lly want to buy 11 Dogs!"

Page 43: Information System Security introduction

Social Engineering

Pretexting: creating a story that convinces an administrator or operator into revealing secret information.

Baiting: offering a kind of “gift” to get a user or agent to perform an insecure action.

Quid pro quo (from the Latin meaning "what for what"): offering an action or service and then expecting something in return.


Page 44: Information System Security introduction

Direct Attacks on Computational Devices


Page 45: Information System Security introduction

Environmental Attacks

• Electricity. Computing equipment requires electricity to function; hence, it is vital that such equipment has a steady uninterrupted power supply.
• Temperature. Computer chips have a natural operating temperature and exceeding that temperature significantly can severely damage them.
• Limited conductance. Because computing equipment is electronic, it relies on there being limited conductance in its environment. If random parts of a computer are connected electronically, then that equipment could be damaged by a short circuit (e.g., in a flood).

Page 46: Information System Security introduction

Eavesdropping

• Eavesdropping is the process of secretly listening in on another person’s conversation.
• Protection of sensitive information must go beyond computer security and extend to the environment in which this information is entered and read.
• Simple eavesdropping techniques include
– Using social engineering to allow the attacker to read information over the victim’s shoulder
– Installing small cameras to capture the information as it is being read
– Using binoculars to view a victim’s monitor through an open window.
• These direct observation techniques are commonly referred to as shoulder surfing.

Page 47: Information System Security introduction

Wiretapping

• Many communication networks employ the use of inexpensive coaxial copper cables, where information is transmitted via electrical impulses that travel through the cables.
• Relatively inexpensive means exist that measure these impulses and can reconstruct the data being transferred through a tapped cable, allowing an attacker to eavesdrop on network traffic.
• These wiretapping attacks are passive, in that there is no alteration of the signal being transferred, making them extremely difficult to detect.

Page 48: Information System Security introduction

Signal Emanations

Computer screens emit radio frequencies that can be used to detect what is being displayed.

Visible light reflections can also be used to reconstruct a display from its reflection on a wall, coffee mug, or eyeglasses.

Both of these require the attacker to have a receiver close enough to detect the signal.


Page 49: Information System Security introduction

Acoustic Emissions


Dmitri Asonov and Rakesh Agrawal published a paper in 2004 detailing how an attacker could use an audio recording of a user typing on a keyboard to reconstruct what was typed.

[Figure: microphone to capture keystroke sounds, connected to a sound recording device]

Each keystroke has minute differences in the sound it produces, and certain keys are known to be pressed more often than others.

After training an advanced neural network to recognize individual keys, their software recognized an average 79% of all keystrokes.

Page 50: Information System Security introduction

Hardware Keyloggers

• A keylogger is any means of recording a victim’s keystrokes, typically used to eavesdrop passwords or other sensitive information.
• Hardware keyloggers are typically small connectors that are installed between a keyboard and a computer.
• For example, a USB keylogger is a device containing male and female USB connectors, which allow it to be placed between a USB port on a computer and a USB cable coming from a keyboard.

[Figure: USB Keylogger]

Page 51: Information System Security introduction

TEMPEST

TEMPEST is a U.S. government code word for a set of standards for limiting information-carrying electromagnetic emanations from computing equipment.

TEMPEST establishes three zones or levels of protection:

1. An attacker has almost direct contact with the equipment, such as in an adjacent room or within a meter of the device in the same room.

2. An attacker can get no closer than 20 meters to the equipment or is blocked by a building to have an equivalent amount of attenuation.

3. An attacker can get no closer than 100 meters to the equipment or is blocked by a building to have an equivalent amount of attenuation.

Page 52: Information System Security introduction

Emanation Blockage

To block visible light emanations, we can enclose sensitive equipment in a windowless room.

To block acoustic emanations, we can enclose sensitive equipment in a room lined with sound-dampening materials.

To block electromagnetic emanations in the electrical cords and cables, we can make sure every such cord and cable is well grounded and insulated.


Page 53: Information System Security introduction

Faraday Cages

• To block electromagnetic emanations in the air, we can surround sensitive equipment with metallic conductive shielding or a mesh of such material, where the holes in the mesh are smaller than the wavelengths of the electromagnetic radiation we wish to block.
• Such an enclosure is known as a Faraday cage.

Page 54: Information System Security introduction

Computer Forensics

Computer forensics is the practice of obtaining information contained on an electronic medium, such as computer systems, hard drives, and optical disks, usually for gathering evidence to be used in legal proceedings.

Unfortunately, many of the advanced techniques used by forensic investigators for legal proceedings can also be employed by attackers to uncover sensitive information.


Page 55: Information System Security introduction

Computer Forensics

Forensic analysis typically involves the physical inspection of the components of a computer, sometimes at the microscopic level, but it can also involve electronic inspection of a computer’s parts as well.


Page 56: Information System Security introduction

ATMs

An automatic teller machine (ATM) is any device that allows customers of financial institutions to complete withdrawal and deposit transactions without human assistance.

Typically, customers insert a magnetic stripe credit or debit card, enter a PIN, and then deposit or withdraw cash from their account.

The ATM has an internal cryptographic processor that encrypts the entered PIN and compares it to an encrypted PIN stored on the card (only for older systems that are not connected to a network) or in a remote database.


Page 57: Information System Security introduction

ATMs

To ensure the confidentiality of customer transactions, each ATM has a cryptographic processor that encrypts all incoming and outgoing information, starting the moment a customer enters their PIN.

The current industry standard for ATM transactions is the Triple DES (3DES) cryptosystem, a legacy symmetric cryptosystem with up to 112 bits of security.

The 3DES secret keys installed on an ATM are either loaded on-site by technicians or downloaded remotely from the ATM vendor.

[Figure: ATM and Bank, linked by 3DES Encryption]

Page 58: Information System Security introduction

Attacks on ATMs

• Lebanese loop: A perpetrator inserts this sleeve into the card slot of an ATM. When a customer attempts to make a transaction and inserts their credit card, it sits in the sleeve, out of sight from the customer, who thinks that the machine has malfunctioned. After the customer leaves, the perpetrator can then remove the sleeve with the victim’s card.
• Skimmer: a device that reads and stores magnetic stripe information when a card is swiped. An attacker can install a skimmer over the card slot of an ATM and store customers’ credit information without their knowledge. Later, this information can be retrieved and used to make duplicates of the original cards.
• Fake ATMs: capture both credit/debit cards and PINs at the same time.

Page 59: Information System Security introduction

Authentication Technologies


Page 60: Information System Security introduction

Authentication

• The determination of identity, usually based on a combination of
– something the person has (like a smart card or a radio key fob storing secret keys),
– something the person knows (like a password),
– something the person is (like a human with a fingerprint).

[Figure: Something you are (human with fingers and eyes); Something you know (password=ucIb()w1V, mother=Jones, pet=Caesar); Something you have (radio token with secret keys)]

Page 61: Information System Security introduction

Barcodes

Developed in the 20th century to improve efficiency in grocery checkout.

First-generation barcodes represent data as a series of variable-width, vertical lines of ink, which is essentially a one-dimensional encoding scheme.

Some more recent barcodes are rendered as two-dimensional patterns using dots, squares, or other symbols that can be read by specialized optical scanners, which translate a specific type of barcode into its encoded information.


Page 62: Information System Security introduction

Authentication via Barcodes

• Since 2005, the airline industry has been incorporating two-dimensional barcodes into boarding passes, which are created at flight check-in and scanned before boarding.
• In most cases, the barcode is encoded with an internal unique identifier that allows airport security to look up the corresponding passenger’s record with that airline.
• Staff then verifies that the boarding pass was in fact purchased in that person’s name (using the airline’s database), and that the person can provide photo identification.
• In most other applications, however, barcodes provide convenience but not security. Since barcodes are simply images, they are extremely easy to duplicate.

[Figure: Two-dimensional barcode. Public domain image from http://commons.wikimedia.org/wiki/File:Bpass.jpg]

Page 63: Information System Security introduction

Magnetic Stripe Cards

• Plastic card with a magnetic stripe containing personalized information about the card holder.
• The first track of a magnetic stripe card contains the cardholder’s full name in addition to an account number, format information, and other data.
• The second track may contain the account number, expiration date, information about the issuing bank, data specifying the exact format of the track, and other discretionary data.

Public domain image by Alexander Jones from http://commons.wikimedia.org/wiki/File:CCardBack.svg

Page 64: Information System Security introduction

Magnetic Stripe Card Security

• One vulnerability of the magnetic stripe medium is that it is easy to read and reproduce.
• Magnetic stripe readers can be purchased at relatively low cost, allowing attackers to read information off cards.
• When coupled with a magnetic stripe writer, which is only a little more expensive, an attacker can easily clone existing cards.
• So, many uses require card holders to enter a PIN to use their cards (e.g., as in ATM and debit cards in the U.S.).

Public domain image by Alexander Jones from http://commons.wikimedia.org/wiki/File:CCardBack.svg

Page 65: Information System Security introduction

Smart Cards

Smart cards incorporate an integrated circuit, optionally with an on-board microprocessor that features reading and writing capabilities, allowing the data on the card to be both accessed and altered.

Smart card technology can provide secure authentication mechanisms that protect the information of the owner and are extremely difficult to duplicate.

[Figure: smart card with its circuit interface. Public domain image from http://en.wikipedia.org/wiki/File:Carte_vitale_anonyme.jpg]

Page 66: Information System Security introduction

Smart Card Authentication

They are commonly employed by large companies and organizations as a means of strong authentication using cryptography.

Smart cards may also be used as a sort of “electronic wallet,” containing funds that can be used for a variety of services, including parking fees, public transport, and other small retail transactions.


Page 67: Information System Security introduction

SIM Cards

Many mobile phones use a special smart card called a subscriber identity module card (SIM card).

A SIM card is issued by a network provider. It maintains personal and contact information for a user and allows the user to authenticate to the cellular network of the provider.


Page 68: Information System Security introduction

SIM Card Security

• SIM cards contain several pieces of information that are used to identify the owner and authenticate to the appropriate cell network.
• Each SIM card corresponds to a record in the database of subscribers maintained by the network provider.
• A SIM card features an integrated circuit card ID (ICCID), which is a unique 18-digit number used for hardware identification.
• Next, a SIM card contains a unique international mobile subscriber identity (IMSI), which identifies the owner’s country, network, and personal identity.
• SIM cards also contain a 128-bit secret key. This key is used for authenticating a phone to a mobile network.
• As an additional security mechanism, many SIM cards require a PIN before allowing any access to information on the card.

Page 69: Information System Security introduction

GSM Challenge-Response Protocol

1. When a cellphone wishes to join a cellular network it connects to a local base station owned by the network provider and transmits its International Mobile Subscriber Identity (IMSI).

2. If the IMSI matches a subscriber’s record in the network provider’s database, the base station transmits a 128-bit random number to the cellphone.

3. This random number is then encoded by the cellphone with the subscriber’s secret key stored in the SIM card using a proprietary encryption algorithm known as A3, resulting in a ciphertext that is sent back to the base station.

4. The base station then performs the same computation, using its stored value for the subscriber’s secret key. If the two ciphertexts match, the cellphone is authenticated to the network and is allowed to make and receive calls.

[Figure: messages exchanged between the cellphone and the base station]

IMSI = (this phone’s ID)

R = a 128-bit random number (the challenge)

E_K(R) = the 128-bit random number encrypted using the subscriber’s secret key K (the response)
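The four steps above with both sides of the exchange, as an added example that is not part of the original slides. A3 is proprietary, so HMAC-SHA256 truncated to 128 bits is used as a stand-in (an assumption); the IMSI values and keys are constructed, and the class and function names are illustrative.

```python
import hashlib
import hmac
import secrets


def a3_stand_in(key: bytes, challenge: bytes) -> bytes:
    """Stand-in for the proprietary A3 algorithm (assumption): HMAC-SHA256
    of the challenge R under key K, truncated to 128 bits."""
    return hmac.new(key, challenge, hashlib.sha256).digest()[:16]


class SimCard:
    def __init__(self, imsi: str, key: bytes):
        self.imsi = imsi
        self._key = key  # 128-bit subscriber key; it never leaves the card

    def respond(self, challenge: bytes) -> bytes:
        """Step 3: encode the challenge with the subscriber's secret key."""
        return a3_stand_in(self._key, challenge)


class BaseStation:
    def __init__(self, subscribers):
        self._subscribers = dict(subscribers)  # IMSI -> secret key
        self._pending = {}                     # IMSI -> outstanding challenge

    def challenge(self, imsi):
        """Step 2: a known IMSI receives a fresh 128-bit random number R."""
        if imsi not in self._subscribers:
            return None
        r = secrets.token_bytes(16)
        self._pending[imsi] = r
        return r

    def verify(self, imsi, response):
        """Step 4: repeat the computation with the stored key and compare."""
        r = self._pending.pop(imsi, None)  # each challenge is accepted once
        if r is None:
            return False
        expected = a3_stand_in(self._subscribers[imsi], r)
        return hmac.compare_digest(expected, response)


def authenticate(station, sim):
    """Run steps 1 to 4 for one phone and return the station's decision."""
    r = station.challenge(sim.imsi)
    if r is None:
        return False
    return station.verify(sim.imsi, sim.respond(r))


def demo():
    imsi = "001010123456789"                                  # constructed IMSI
    key = bytes.fromhex("00112233445566778899aabbccddeeff")   # constructed K
    station = BaseStation({imsi: key})
    genuine = SimCard(imsi, key)

    # A response recorded for one challenge, presented again for the next one.
    old_response = genuine.respond(station.challenge(imsi))
    station.verify(imsi, old_response)
    station.challenge(imsi)
    replayed = station.verify(imsi, old_response)

    return {
        "genuine": authenticate(station, genuine),
        "wrong key": authenticate(station, SimCard(imsi, bytes(16))),
        "unknown IMSI": authenticate(station, SimCard("001019999999999", key)),
        "replayed response": replayed,
    }


if __name__ == "__main__":
    print(demo())
```

Because R is fresh for every attempt, a response captured from an earlier exchange does not authenticate a later one.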

Page 70: Information System Security introduction

RFIDs

Radio frequency identification, or RFID, is a rapidly emerging technology that relies on small transponders to transmit identification information via radio waves.

RFID chips feature an integrated circuit for storing information, and a coiled antenna to transmit and receive a radio signal.


Page 71: Information System Security introduction

RFID Technology

RFID tags must be used in conjunction with a separate reader or writer.

While some RFID tags require a battery, many are passive and do not.

The effective range of RFID varies from a few centimeters to several meters, but in most cases, since data is transmitted via radio waves, it is not necessary for a tag to be in the line of sight of the reader.


Page 72: Information System Security introduction

RFID Technology

• This technology is being deployed in a wide variety of applications.
– Many vendors are incorporating RFID for consumer-product tracking.
– Car key fobs.
– Electronic toll transponders.

Page 73: Information System Security introduction

Passports

Modern passports of several countries, including the United States, feature an embedded RFID chip that contains information about the owner, including a digital facial photograph that allows airport officials to compare the passport’s owner to the person who is carrying the passport.

[Figure: e-Passport symbol; the RFID chip and antenna are embedded in the cover]

Page 74: Information System Security introduction

Passport Security

• In order to protect the sensitive information on a passport, all RFID communications are encrypted with a secret key.
• In many instances, however, this secret key is merely the passport number, the holder’s date of birth, and the expiration date, in that order.
• All of this information is printed on the card, either in text or using a barcode or other optical storage method.
• While this secret key is intended to be only accessible to those with physical access to the passport, an attacker with information on the owner, including when their passport was issued, may be able to easily reconstruct this key, especially since passport numbers are typically issued sequentially.

Page 75: Information System Security introduction

Biometrics

Biometric refers to any measure used to uniquely identify a person based on biological or physiological traits.

Generally, biometric systems incorporate some sort of sensor or scanner to read in biometric information and then compare this information to stored templates of accepted users before granting access.

Image from http://commons.wikimedia.org/wiki/File:Fingerprint_scanner_in_Tel_Aviv.jpg used with permission under the Creative Commons Attribution 3.0 Unported license

Page 76: Information System Security introduction

Requirements for Biometric Identification

• Universality. Almost every person should have this characteristic.
• Distinctiveness. Each person should have noticeable differences in the characteristic.
• Permanence. The characteristic should not change significantly over time.
• Collectability. The characteristic should have the ability to be effectively determined and quantified.

Page 77: Information System Security introduction

Biometric Identification

[Figure: a biometric reader produces a feature vector; a comparison algorithm checks it against the reference vector and reports “matches” or “doesn’t match”]

Page 78: Information System Security introduction

Candidates for Biometric IDs

• Fingerprints
• Retinal/iris scans
• DNA
• “Blue-ink” signature
• Voice recognition
• Face recognition
• Gait recognition
• Let us consider how each of these scores in terms of universality, distinctiveness, permanence, and collectability…

Public domain image from http://commons.wikimedia.org/wiki/File:Retinal_scan_securimetrics.jpg

Public domain image from http://commons.wikimedia.org/wiki/File:CBP_chemist_reads_a_DNA_profile.jpg

Public domain image from http://commons.wikimedia.org/wiki/File:Fingerprint_Arch.jpg

Page 79: Information System Security introduction

Summary

• History
• What is security?
• Critical characteristics of security
• CNSS security model
• Cryptography (Confidentiality, Integrity)
• Access Control (Availability)
• Password
• Physical attack
• Authentication Technology

