Lecture 2 - Security Overview

Lecture 2 - Security OverviewCSE497b - Spring 2007Introduction Computer and Network SecurityProfessor Jaegerwww.cse.psu.edu/ tjaeger/cse497b-s07CSE497b Introduction to Computer and Network Security - Spring 2007 - Professor Jaeger

Readings Books– Perlman et al– Gollmann– Both are listed on calendar Readings– Please check the calendar for the class readings– Today Gollmann Chs. 1 and 2 Next, Perlman Ch. 10, Gollmann Ch. 3CSE497b Introduction to Computer and Network Security - Spring 2007 - Professor JaegerPage2

What is security? “the property that a system behaves as expected”– G. Spafford and many others . Note that this does not say what a system should orshould not do.– Implication -- there is no universal definition or test forsecurity (why?)– Apply this definition to the ATM How do you think an ATM should behave? What should it do? What should it not do? We talk about expectations often in terms ofconfidentiality, integrity, and availability.CSE497b Introduction to Computer and Network Security - Spring 2007 - Professor JaegerPage3

Risk At-risk valued resources that can be misused–––––MonetaryData (loss or integrity)TimeConfidenceTrust What does being misused mean?– Confidentiality (privacy or communication)– Integrity (personal or communication)– Availability (existential or fidelity) Q: What is at stake in your life?CSE497b Introduction to Computer and Network Security - Spring 2007 - Professor JaegerPage4

Adversary An adversary is any entity trying tocircumvent the security infrastructure– The curious and otherwise generally clueless (e.g., scriptkiddies)– Casual attackers seeking to understand systems– Venal people with an ax to grind– Malicious groups of largely sophisticated users (e.g,chaos clubs)– Competitors (industrial espionage)– Governments (seeking to monitor activities)CSE497b Introduction to Computer and Network Security - Spring 2007 - Professor JaegerPage5

Threats A threat is a specific means by which a risk can berealized by an adversary– Context specific (a fact of the environment)– An attack vector is a specific threat (e.g., key logger) A threat model is a collection of threats that deemedimportant for a particular environment– E.g., should be addressed– A set of “security requirements” for a system Q: What were (unaddressed) risks/threats in theintroductory examples?– SQL Slammer– Yale/PrincetonCSE497b Introduction to Computer and Network Security - Spring 2007 - Professor JaegerPage6

Vulnerabilities (attack vectors) A vulnerability is a systematic artifact that exposesthe user, data, or system to a threat– E.g., buffer-overflow, WEP key leakage What is the source of a vulnerability?––––Bad software (or hardware)Bad design, requirementsBad policy/configurationSystem Misuse unintended purpose or environment E.g., student IDs for liquor storeCSE497b Introduction to Computer and Network Security - Spring 2007 - Professor JaegerPage7

Are users adversaries? Have you ever tried to circumvent the security of asystem you were authorized to access? Have you ever violated a security policy (knowinglyor through carelessness)?CSE497b Introduction to Computer and Network Security - Spring 2007 - Professor JaegerPage8

Attacks An attack occurs when someone attempts to exploita vulnerability Kinds of attacks– Passive (e.g., eavesdropping)– Active (e.g., password guessing)– Denial of Service (DOS) Distributed DOS – using many endpoints A compromise occurs when an attack is successful– Typically associated with taking over/altering resourcesCSE497b Introduction to Computer and Network Security - Spring 2007 - Professor JaegerPage9

Participants Participants are expected system entities– Computers, agents, people, enterprises, – Depending on context referred to as: servers, clients,users, entities, hosts, routers, – Security is defined with respect to these entitles Implication: every party may have unique view A trusted trusted third party– Trusted by all parties for some set of actions– Often used as introducer or arbiterCSE497b Introduction to Computer and Network Security - Spring 2007 - Professor JaegerPage 10

Trust Trust refers to the degree towhich an entity is expected to behave– What the entity not expected to do? E.g., not expose password– What the entity is expected to do (obligations)? E.g., obtain permission, refresh A trust model describes, for a particularenvironment, who is trusted to do what? Note: you make trust decisions every day– Q: What are they?– Q: Whom do you trust?CSE497b Introduction to Computer and Network Security - Spring 2007 - Professor JaegerPage 11

Related Terminology Reliability - property of a system that indicates it willcontinue to function for long periods of time undervarying circumstances Survivability - ability of a system to maintain functionduring abnormal or environmentally troubling events Privacy - the ability to stop information frombecoming known to people other than those theychoose to give the information Assurance - confidence that system meets itssecurity requirements as typically evidenced by some evaluation methodology(FIPs 192, Common Criteria)CSE497b Introduction to Computer and Network Security - Spring 2007 - Professor JaegerPage 12

Security Model A security model is the combination of a trust and threatmodels that address the set of perceived risks– The “security requirements” used to develop some cogent andcomprehensive design– Every design must have security model LAN network or global information system Java applet or operating system– The single biggest mistake seen in use of security is the lack of acoherent security model– It is very hard to retrofit security (design time) This class is going to talk a lot about security models––––What are the security concerns (risks)?What are the threats?Who are our adversaries?Who do we trust and to do what? Systems must be explicit about these things to be secure.CSE497b Introduction to Computer and Network Security - Spring 2007 - Professor JaegerPage 13

Review An adversary is a subject who tries to gain unauthorizedaccess A threat is a mechanism that the adversary is capable ofemploying to gain unauthorized access A risk is a loss due to an adversary gaining unauthorizedaccess A vulnerability is a flaw in a that enables a threat to allowthe adversary unauthorized access A threat model describes all the mechanisms available tothe adversaries A trust model describes all the subjects that are trusted notto have vulnerabilities that can be abused or be adversaries A security model consists of a threat model and a trustmodel (functional and security goals as well)CSE497b Introduction to Computer and Network Security - Spring 2007 - Professor JaegerPage 14

Security Overview Security can be separated into many ways, e.g.,threats, sensitivity levels, domains This class will focus on three interrelated domains ofsecurity that encompass nearly all security issues1. Network Security2. Systems Security3. Program Security There are other areas, e.g., physical security, privacy,etc. that will not directly be covered.CSE497b Introduction to Computer and Network Security - Spring 2007 - Professor JaegerPage 15

Common problems in network security Network security attempts to protect communicationbetween hosts carried by the (often untrusted)network.– Eavesdropping communication (confidentiality)– Modifying communication (integrity)– Preventing communication (availability) Example: securing application traffic (Web)––––Protecting on network (HTTP requests/responses)As passing through intermediaries (proxies)In server (from malicious requests)Protecting the client (from malicious content)CSE497b Introduction to Computer and Network Security - Spring 2007 - Professor JaegerPage 16

Common problems in systems security Systems security attempts to protect data held onhosts and sometimes (sometimes untrusted) storage.– Prevention of sensitive data leakage (confidentiality) Also known as information flow governance– Prevention of data corruption (integrity)– Controlling data response (availability) Systems Security: Controlling Data Leakage on disk (key in clear -- encrypt with pass phrase) provide pass-phrase (window manager) memory of program swap memory to swap spaceCSE497b Introduction to Computer and Network Security - Spring 2007 - Professor JaegerPage 17

Common problems in program security Program security attempts to protect data received,held, and output on a (sometimes untrusted) host.– Prevention of sensitive data leakage (confidentiality) Also known as information flow governance– Prevention of data corruption (integrity)– Controlling data access (availability) Example: Handling A Remote Request process user request (authenticate, authorize) data-driven attack from request buffer overflowsCSE497b Introduction to Computer and Network Security - Spring 2007 - Professor JaegerPage 18

The remainder . The remaining weeks will explore the design and useof these approaches– Always ask yourself what tools are appropriate for aparticular environment.– For example, which of then proceeding is appropriate forSPAM mitigation AuthenticationAccess ControlTransport/Data SecurityAudit/Detection– What about protecting the confidentiality of your email? Next week: Passwords and AuthenticationCSE497b Introduction to Computer and Network Security - Spring 2007 - Professor JaegerPage 19

– The single biggest mistake seen in use of security is the lack of a coherent security model – It is very hard to retrofit security (design time) This class is going to talk a lot about security models – What are the security concerns (risks)? – What are the threats?