
K. Salah, Introduction to Security: Overview of Computer Security

Date post: 16-Dec-2015

K. Salah 1

Introduction to Security

Overview of Computer Security

K. Salah 2

Why is security important?

- Computers and networks are the nerves of the basic services and critical infrastructures in our society
  - Financial services and commerce
  - Transportation
  - Power grids
  - Etc.
- Computers and networks are targets of attacks by our adversaries

K. Salah 3

Why is security so hard?

- The complexity of computers and networks
- Increased Internet usage
- User expectation
- Lack of awareness of threats and risks
  - Software by peopleware
  - Social engineering
- Defense is inherently more expensive
  - Offense only needs the weakest link
- Ample cracking tools

K. Salah 4

K. Salah 5

Tempest Attack

- Tempest is an acronym for Transient ElectroMagnetic Pulse Emanation Surveillance.
- This is the science of monitoring at a distance electronic signals carried on wires or displayed on a monitor.
- It is of enormous importance to serious cryptography snoopers.
- To minimize a tempest attack you should screen (shield) all the cables between your computer and your accessories, particularly your monitor.
- A non-CRT monitor screen such as those used by laptops (or plasma TV) offers a considerable reduction in radiated emissions and is recommended.

K. Salah 6

Types of Attackers

- Amateurs: regular users, who exploit the vulnerabilities of the computer system
  - aka “Smart kiddies”
  - Less experienced
  - Motivation: easy access to vulnerable resources
- Hackers/Crackers: attempt to access computing facilities for which they do not have the authorization
  - Experts
  - Motivation: enjoy challenge, curiosity
- Career criminals: professionals who understand the computer system and its vulnerabilities
  - Motivation: personal gain (e.g., financial)
- Intruders are all of the above

K. Salah 7

Methods of Defense

- Prevent: block attack
- Deter: make the attack harder
- Deflect: make other targets more attractive
  - E.g. honeypots
- Detect: identify misuse
- Tolerate: function under attack
- Recover: restore to correct state

K. Salah 8

Computer Security Domains

- Physical security: Controlling the comings and goings of people and materials; protection against the elements and natural disasters
- Operational/procedural security: Covering everything from managerial policy decisions to reporting hierarchies
- Personnel security: Hiring employees, background screening, training, security briefings, monitoring, and handling departures
- System security: User access and authentication controls, assignment of privilege, maintaining file and filesystem integrity, backups, monitoring processes, log-keeping, and auditing. OS and database systems.
- Network security: Protecting network and telecommunications equipment, protecting network servers and transmissions, combating eavesdropping, controlling access from untrusted networks, firewalls, and detecting intrusions
- Information security: Hiding of information (cryptography) and also security of information in transit over a network. Examples: e-commerce transactions, online banking, confidential e-mails, file transfers, record transfers, authorization messages, etc.

K. Salah 9

What is Security?

- Keeping something (information in our case) secure against
  - Someone stealing it
  - Someone destroying it
  - Someone changing it
  - Someone preventing me from using it
- More specifically
  - Confidentiality: nobody else can see it
  - Integrity: nobody else can change it
  - Availability: I can get at it whenever I want

K. Salah 10

Basic Components of Security

- Confidentiality
  - Keeping data and resources secret or hidden
- Integrity
  - Ensuring authorized modifications
  - Includes correctness and trustworthiness
- Availability
  - Ensuring authorized access to data and resources when desired
- Accountability
  - Ensuring that an entity’s action is traceable uniquely to that entity
- Security assurance
  - Assurance that all four objectives are met

K. Salah 11

What “secure” means

[Figure: diagram with the labels Confidentiality, Integrity, Availability and Secure]

K. Salah 12

Information security today

- Emergence of the Internet and distributed systems
  - Increasing system complexity
- Digital information needs to be kept secure
  - Competitive advantage
  - Protection of assets
  - Liability and responsibility
- Financial losses
  - There are reports that the annual financial loss due to information security breaches is between 5 and 45 billion dollars
- National defense
  - Protection of critical infrastructures: Power Grid; Air transportation
  - Interlinked government agencies
  - Severe concerns regarding security management and access control measures

K. Salah 13

Terminology

[Figure: diagram with the labels Security Features or Services, Information, Attackers/Intruders/Malfeasors, Requirements & Policies, Security Mechanisms, Security Architecture]

K. Salah 14

Attack vs. Threat

- A threat is a “potential” violation of security
  - The violation does not need to actually occur
  - The fact that the violation might occur makes it a threat
  - It is important to guard against threats and be prepared for the actual violation
  - “being paranoid”
- The actual violation of security is called an attack

K. Salah 15

Common security attacks

- Interruption, delay, denial of receipt or denial of service
  - System assets or information become unavailable or are rendered unavailable
- Interception or snooping
  - Unauthorized party gains access to information by browsing through files or reading communications
- Modification or alteration
  - Unauthorized party changes information in transit or information stored for subsequent access
- Fabrication, masquerade, or spoofing
  - Spurious information is inserted into the system or network by making it appear as if it is from a legitimate entity

K. Salah 16

Malicious Code or malware

- Trapdoors
- Trojan Horses
- Bacterium
- Logic Bombs
- Worms
- Virus
- XFiles

K. Salah 17

DOS and DDOS

K. Salah 18

Trojan/Backdoor Program

- Trojan part: masquerades itself as a nice program
  - WildAnimals.scr (any executable can be saved as .scr)
  - YourDocumnet.doc … .exe
    - 100 spaces followed by .exe
- Backdoor
  - Once launched, it opens a communication channel (IRC, FTP, telnet, etc.) with a certain machine
  - Can be used to hijack a machine if running proxy communication protocols (ssh or socks4) and bypassing firewalls
    - Internet traffic would seem to be coming/outgoing from infected system and routed to attacker machine
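A defender-side filename screen for the two disguises named on this slide (the .scr extension and a document name padded with spaces before .exe), as an added example that is not part of the original slides. The extension lists, the three-character padding threshold and the function names are assumptions chosen for illustration.

```python
import re

# Extensions Windows will execute directly (assumed screening list, not from the slides).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}
# Extensions a user reads as "just a document" (assumed list).
DECOY_EXTS = {".doc", ".docx", ".pdf", ".txt", ".jpg", ".xls"}
# A long whitespace run pushes the real extension out of the visible name (assumed threshold).
PADDING_RUN = re.compile(r"\s{3,}")


def split_ext(name):
    """Return (stem, ext) with ext lower-cased; ext is '' if there is none."""
    stem, dot, ext = name.rpartition(".")
    if not dot or not stem:
        return name, ""
    return stem, "." + ext.strip().lower()


def screen_filename(name):
    """Return the reasons a filename looks like a masquerading executable."""
    reasons = []
    stem, ext = split_ext(name.rstrip())
    if ext not in EXECUTABLE_EXTS:
        return reasons
    if ext == ".scr":
        reasons.append("screensaver extension runs as an executable")
    if PADDING_RUN.search(stem):
        reasons.append("whitespace padding before the real extension")
    # Look for a harmless-looking extension hiding in front of the real one.
    _, inner_ext = split_ext(stem.rstrip())
    if inner_ext in DECOY_EXTS:
        reasons.append("decoy extension %s before %s" % (inner_ext, ext))
    return reasons


# Constructed sample attachment names, modelled on the slide's two examples.
SAMPLES = [
    "WildAnimals.scr",
    "YourDocumnet.doc" + " " * 100 + ".exe",
    "report.doc",
    "setup.exe",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(repr(sample[:30]), screen_filename(sample))
```

A plain setup.exe is not flagged: the screen targets the disguise, not executables as such, so it complements rather than replaces an attachment-type policy.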

K. Salah 19

Goals of Security

- Prevention
  - To prevent someone from violating a security policy
- Detection
  - To detect activities in violation of a security policy
  - Verify the efficacy of the prevention mechanism
- Recovery
  - Stop policy violations (attacks)
  - Assess and repair damage
  - Ensure availability in presence of an ongoing attack
  - Fix vulnerabilities for preventing future attack
  - Retaliation against the attacker

K. Salah 20

Operational Issues

- Cost-Benefit Analysis
  - Benefits vs. total cost
  - Is it cheaper to prevent or recover?
- Risk Analysis
  - Should we protect something?
  - How much should we protect this thing?
  - Risk depends on environment and changes with time
- Laws and Customs
  - Are desired security measures illegal?
  - Will people do them?
  - Affects availability and use of technology

K. Salah 21

Human Issues

- Organizational problems
  - Power and responsibility
  - Financial benefits
- People problems
  - Outsiders and insiders
    - Which do you think is the real threat?
  - Social engineering

