- Slides: 28
Computer Security Introduction, Central Principles and Concepts
Why Study Computer Security?
- Increasingly important issue for:
  - Computer system and network administrators
  - Application programmers
  - Anyone working with internet applications
- Security issues follow technology
  - Desktop systems, wireless networks, handheld devices, cell phones, wireless sensors
- Security issues affect software, laws, profits and businesses

Current Incidents
- Malicious iPhone package, 1/07/2008
  - http://www.symantec.com/enterprise/security_response/weblog/2008/01/first_sightings_of_malicious_i.html
- Data thefts soar, 1/16/2008
  - http://www.chron.com/disp/story.mpl/tech/news/5460085.html
- Attacks on utilities, 1/18/2008
  - http://www.washingtonpost.com/wp-dyn/content/article/2008/01/18/AR2008011803277.html

Security Quiz – Question 1
Currently most attackers of computer systems are:
  A) Mobsters
  B) Script kiddies
  C) Disgruntled employees
  D) University students

Security Quiz – Question 2
The primary motive for security intrusions is currently:
  A) Fame / Notoriety
  B) Terrorism
  C) Money
  D) Political change

Security Quiz – Question 3
The computer system area that is currently most subject to attack is:
  A) the operating system
  B) applications
  C) the network
  D) firmware

Security Quiz – Question 4
Computer security/information assurance is primarily a _______ problem
  A) hardware
  B) people
  C) software
  D) technology in general
  E) <all of the above>
  F) <none of the above>

Computer Security
- Definition – ensuring the security of resources in a computing environment
  - “ensuring” – work to make it so – a process
  - “resources” – data, network, hardware, applications, …
  - “computing environment” – mix of hardware, software and people
  - “security” - ?

Information Assurance
- Definition – ensuring the security, quality and availability of resources in an information environment
  - Somewhat broader than computer security, including:
    - Confidentiality
    - Integrity
    - Availability
    - Accountability
    - Dependability

Core Concepts
- Vulnerability, Exploit, Agent, Threat
  - Vulnerability – a weakness in some aspect of a system
  - Exploit – a known method for taking advantage of a vulnerability
  - Agent – person(s) making attack using exploit
  - Threat – possible harm resulting from some agent using an exploit to compromise security
- Note: not all threats are equally likely, depends on:
  - Target being attacked
  - Agent attacking the target (skill, persistence, resources)
  - Probability of success with exploit

Vulnerabilities
- Examples
  - FTP Server code does not check size of input placed into array; possibility of a buffer overflow
  - Misconfiguration of web server allows outside user to write files to server disk and run them, potentially gaining privileged user access on system
  - Telnet application passes username and password as plain text

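The first vulnerability above (input placed into an array without a size check), as an added C example that is not from the original slides: the unchecked copy beside a version that validates length first. The `USER` command is FTP's; the function names, the 16-byte buffer and the sample inputs are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define USER_MAX 16   /* assumed buffer size for this illustration */

/* Vulnerable form: copies the argument of "USER <name>" into a fixed
 * array without checking its size. A name of USER_MAX bytes or more
 * writes past the end of `out`. Shown for contrast; never called here. */
void parse_user_unchecked(const char *line, char out[USER_MAX]) {
    strcpy(out, line + 5);              /* no bounds check */
}

/* Hardened form: validate the command prefix and the length before
 * copying. Returns 0 on success, -1 on malformed or oversized input. */
int parse_user_checked(const char *line, char out[USER_MAX]) {
    size_t len;
    if (line == NULL || strncmp(line, "USER ", 5) != 0)
        return -1;                      /* not a USER command */
    len = strcspn(line + 5, "\r\n");    /* name ends at CR/LF or NUL */
    if (len == 0 || len >= USER_MAX)
        return -1;                      /* empty, or no room for the NUL */
    memcpy(out, line + 5, len);
    out[len] = '\0';
    return 0;
}

int main(void) {
    /* Constructed sample inputs, not captured traffic. */
    const char *inputs[] = {
        "USER alice\r\n",
        "USER aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\r\n",
        "PASS secret\r\n",
    };
    char name[USER_MAX];
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        if (parse_user_checked(inputs[i], name) == 0)
            printf("accepted user \"%s\"\n", name);
        else
            printf("rejected input %zu\n", i);
    }
    return 0;
}
```
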
Exploits
- Examples
  - FTP server buffer overflow: attacker generates data packet that overwrites buffer, may open shell on server
  - Misconfigured web server: attacker finds way to drop fake system programs into /bin directory as part of rootkit that will take over system and hide evidence of this
  - Weak application: attacker uses packet sniffer to identify username/password pairs, logs into system

Agents
- Who is bigger threat?
  - Insiders – those within an organization
  - Outsiders – those outside an organization
  - Not always clear (e.g., consultants)
- Depends on situation

Threats
- What is largest threat to a:
  - Bank?
    - Insider or outsider stealing money or account information electronically
  - Trucking Logistics company?
    - Client (insider) gaining information on other clients
  - University?
    - Variety of attackers, variety of exploits, want systems for further probing, storage of illegal digital copies, etc.

Risk Analysis in Security
- Identifying vulnerabilities, exploits, possible agents of attack, threats
- Calculating likelihood of security violations
- Calculating degree to which we can control relevant activity
- Deciding how to reduce risk
  - Avoiding risk
  - Transferring risk
  - Assuming risk

Important Security Lists
- Cryptogram Newsletter, Bruce Schneier
  - http://www.counterpane.com ; Newsletter / Cryptogram
- US/CERT Advisory List (Dept. of Homeland Security)
  - http://www.us-cert.gov ; Sign Up / Mailing Lists & Feeds
- Bugtraq List
  - http://seclists.org , Bugtraq and other lists

Principles To Consider
- Security is a very difficult area to work in
- No silver bullets
- However, consideration of major principles will help develop a good set of security processes and policies

1st Principle
- “Security is a process, not a product” – attributed to Bruce Schneier of Counterpane Security Systems, others
  - Not something you purchase
  - Rather, a set of processes (approved set of steps) and policies (rules for behavior) you create and enforce in your environment
  - Must be dealt with continually

2nd Principle
- Computer Security is not just about computer systems
  - Three major aspects to computer security
    - Technology
      - Hardware (systems, networks, any connected equipment)
      - Software (programming, configuration)
    - People, in many different roles
      - Legitimate users, disgruntled users, hackers
      - Insiders vs. outsiders – fuzzy line!
      - Social engineering is a large concern
    - Physical environment
      - Surroundings, access, proximity

3rd Principle
- Security and convenience are inversely proportional
  - Lack of security generally makes it easier to get work done
  - Addition of security may interfere with the ease of getting a job done
  - Cannot just shut off all access; no functionality remains
  - Goal: find the balance point that supports both

4th Principle
- Security succeeds or fails based on the weakest link
  - All aspects (technology, people, environment) must be attended to equally
  - Must remain current with each aspect
    - E.g., software patches should be applied as they come out, not when you “get around to it”
- Corollary: “People are the weakest link” – Kevin Mitnick (coined “Social Engineering”)

5th Principle
- Attackers are generally technologists (as opposed to programmers)
  - Smaller group of hackers program exploits, viruses
  - More attackers apply technology already available, sometimes in creative ways
  - Mis-configuration of systems is a major security problem
- Corollary – good programming skills aren’t sufficient to make a good security professional
  - Add understanding of networks & technology, attention to detail, creativity, …

6th Principle
- Utilize Multiple Layers of Defense
  - E.g.
    - Network hardware
    - Router – initial line of defense
    - Bastion host(s) – system(s) visible/available to outside world (e.g., web server)
    - Firewall – second line of defense
    - Secure intranet – internally available systems
    - Secure host systems
  - Can anyone bypass one or more layers?
  - Layers shouldn’t be a straight hierarchy
  - Every resource in organization should have one or more layers protecting it

7th Principle
- Focus your security resources toward dealing with the most likely threats
  - Consider what is most relevant to your environment
    - Which vulnerabilities do you have?
    - Which of these have known exploits?
    - What users are likely to cause problems?
    - What is the likelihood of a given threat?

8th Principle
- One aspect of security is obscurity
  - Don’t set yourself up as a target
  - Maintain a low network profile for your business, computer system, etc.
    - Problem: contradicts marketing principles if you’re a business
  - Examples
    - Windows is attacked more than MacOS/OS X
    - Those who claim their systems can’t be hacked will have lots of people trying…
- However, security that relies on obscurity is bound to fail

9th Principle
- Best to be conservative when evaluating security and risk
  - Assume best conditions for the attacker

10th Principle
- Plan for unknown attackers
  - New attackers (and types of attacks) are becoming part of the problem all the time
  - Very difficult to predict characteristics of attackers and attacks in advance

Putting It Together
- Computer Security involves balancing a number of interrelated tasks
  - Considering Security Goals
  - Developing Layered Protection (Vertically, Horizontally)
  - Utilizing Available Resources
  - Developing and Enforcing Policies and Processes
  - Minimizing Interference With Functionality
  - Weighing of Risks
  - Maintaining Constant Vigilance