Intro to Computer Security Computer crime is a

Intro to Computer Security Computer crime is a serious and growing problem In 1994, The Yankee Group estimated that computer security breaches cost businesses based in the USA $5 billion annually! In 1995, this estimate had risen to $10 billion! A survey by the Computer Security Institute, again in 1995, again in the USA, showed that: 25% of the companies surveyed had experienced a computer crime within the preceding 12 months Theft of private business information rose by 260% over the five year period from 1988 to 1993 1 1

Computer Crime Statistics A different study conducted by the Michigan State University in 1995 found that: 98. 5% of all surveyed businesses had been victims of some type of computer crime 43. 3% of these businesses reported having been victims more than 25 times! Unauthorised access (or “snooping”) had increased by 95% over the last 5 years Piracy had increased by 91% over the past 5 years Intentional introduction of a computer virus was up 66% over the last 5 years Unauthorised access to business information and its’ theft rose 2 2 by 75% over the last 5 years

More Computer Crime Statistics Ernst & Young and Information Week also revealed that a survey of major companies in North America on computer crime found: 20 or more businesses surveyed had lost more than $1 million worth of information as a result of a security lapse 80% of these companies had full-time Directors of Information Security on their payroll (not for long … ) All agreed that the computer security threat to companies was on the rise! The wide-open nature of the Internet is probably the single largest threat to secure computer-based information - not such as “friendly” Global Village 3 3

When is a Computer Secure? “A computer is secure if you can depend on it and its software to behave as you expect” • Definition of “Computer Security” as taken from “Practical UNIX and Internet Security”, 2 nd Ed. , by Garfinkel and Spafford, published by O’Reilly & Associates, Inc. , 1996 This relatively simple statement has a lot more to it than meets the eye … if it holds, it assumes that an organisation has considered (at least) the following: • Security Policies, Password Policies, Backup Procedures, Account Management, Auditing and Logging, Protection against Programmed Threats, Physical Security, Personnel Security, Network Security, OS Security, etc. Computer Security is not a simple subject 4 4

Fighting a Losing Battle. . . An unlimited amount of resources can be applied to attempting to ensure a computer system is secure, however, given the right set of circumstances, any computer can always be compromised. . . Those responsible for securing an organisations’ computerbased information, need to: Decide how must time, effort, and money needs to be applied to computer security Define the policies, guidelines, and procedures required to implement the security mechanisms decided upon Audit the procedures to ensure that the appropriate mechanisms 5 5 are being implemented correctly

Security Policy and Management Practical computer security is more a question of management and administration than it is one of technical skill (although when implementing security mechanisms, technical skill comes into play) To be effective, a security policy must be a priority of the business, not just the computer department - if the policies are not driven from the top of the business down, they may not be successful The security policy should also be geared towards protecting the businesses information, not just its’ computer-based information 6 6

Advanced Planning = Security There are six steps to security planning: Security Needs Planning Risk Assessment Cost-Benefit Analysis Creating Policies to Reflect your Needs Implementation Auditing and Incident Response/Reporting We will look at the first four of these in some detail, as Implementation and Auditing are dependent on the environment being made secure and the technologies being used (i. e. , what works for UNIX may not work for 7 7 Windows NT)

Security Needs Planning There a number of different kinds of security that we (as users and administrators) need to be concerned with: Confidentiality: we need to protect all (or some) information from being read or copied by unauthorised “eyes” Data Integrity: we need to protect information (and programs) from being changed without the permission of the owner of the information Availability: we want to be sure the systems are available when needed, and are not “brought down” by some unauthorised act or process Consistency: we want to ensure the correctness of the data and software we use, and have systems behave as they are expected to by authorised users 8 8

More Kinds of Security Control: We need to ensure no unauthorised users are active on our systems - if found, we need to worry about how they got in, what they did (if anything), and who or what else has accessed the systems. Mechanisms need to exist to verify that nothing important on the systems has changed … Audit: even authorised users make mistakes, or maliciously carry out some damaging act - auditing mechanisms need to exist to be able to “point-the-finger” and, if possible, recover from an act of this type Different organisations will place more importance on some of these kinds of security than others As security planners, we need to identify which of the kinds of security are most important to our business, and develop policies and procedures accordingly 9 9

Risk Assessment Risk assessment, as it pertains to computer security, involves answering the following three questions: What am I trying to protect? What do I need to protect against? How much time, effort, and money am I willing to expend to obtain adequate protection? You cannot protect yourself if you do not know what you are protecting yourself against! When you know the risks to your environment, you can target specific actions that can reduce the risks, and hopefully, enhance the overall security of the environment 10 10 you are protecting

A Method for Accessing Risk There are three key steps to risk assessment: Identifying Assets: this is a list of items you need to protect, or to which the business attaches significant value (i. e. , what would be the cost if something was unavailable? ) • To compile the list, it may be necessary to host a series of companywide security workshops, which provide a forum within which you can “tap” into the collective business knowledge, as well as increase awareness of security issues among those that attend Identifying Threats: With the assets known, you can identify potential threats to the assets Calculating Risks: Each threat should then have an estimate of the likelihood of its’ occurrence calculated for it - ranking Risk assessment is an ongoing activity. . . 11 11

Cost-Benefit Analysis (CBA) How must will a risk cost, and how must will it cost to defend against it? Calculating costs can be difficult: If something is compromised and destroyed, we can say that the cost of replacement is the cost to the business A more sophisticated cost calculation would factor-in the cost associated with the out-of-service time, additional training, development of new security procedures, and, in some cases, the cost to the company’s reputation is a factor as this can result in the loss of current or future clients Protecting against risks will not be accomplished for free, and CBA is an essential tool for convincing management 12 12 that it’s worth the investment

Security Policies “Policy” defines what an organisation considers to be valuable, as will as specifying the steps to be taken to safeguard the companies identified assets There a number of different ways to formulate a security policy, and they may include: A general policy may exist on a few pages and may cover most possibilities A different policy may exist for each set of assets: e. g. , an e-mail policy, and personnel data policy, an accounting information policy etc. , etc. A small, simple policy may exist, and may be augmented by a series of standards and “guidelines for appropriate behaviour” 13 13 documents

An Example Security Policy MODEM ON THE DESK EARNS A PINK SLIP AT SUN Citing users with dial-up Internet access as the No. 2 biggest security risk after internal hacking, Sun Microsystems has made it a firing offence to have a modem on the desk. Many crackers use a technique called "war dialling" in which their computer tries hundreds or even thousands of phone numbers in search of an idle modem. If that PC's owner is not using the machine, the cracker can effectively "capture" the PC, and gain access to the network it's connected to. If a senior manager at Sun discovers an infraction, that employee is "gone the same day, " says one of Sun's security managers. "Any dial -up line is a tremendous risk. " (Network Week 18 Mar 98) 1

The Role of Policy has three major roles: It makes clear what it being protected and why It clearly states the responsibility for the protection It provides a ground upon which to interpret and resolve an later conflicts that might arise What the policy should not do is list specific threats, machines, or individuals by name The policy is general and will change little over time In organisations that have adopted a policy, employees need to be aware of it, the motivations for adopting it, and the consequences of violating it 14 15

Why Do We Need A Policy? Because we are dealing with humans! “Humans are usually the most susceptible point in any security scheme. A worker who is malicious, careless, or unaware of an organisation’s information policy can compromise the best security. ” • From “Internetworking with TCP/IP Volume 1” by Douglas E. Comers, Prentice-Hall, 1995 Defining an information policy can take a considerable amount of time, as you will need to consult with a wide range of employees from within the business you are trying to secure. . . 15 16

Mechanisms for Internet Security We can divide Internet Security Problems and the Software Mechanisms that help make Internet communications secure into three broad areas: 1. Authorisation and Authentication 2. Privacy 3. Availability Authentication is concerned with verifying identification - is the user who they say they are? Authorisation is concerned with ensuring known users only do what they are supposed to do, once 16 17 authentication has been successful

Using IP Addresses to Authenticate To validate authorisation, a server must know the identity of a client Some organisations use the SOURCE IP ADDRESS as a mechanism for configuring a server with a list of valid IP addresses to accept connections from Although this can work, it is generally regarded as being weak, as it can be easily broken: • a client impostor can be configured with a compromised address and can spoof that it is a valid client of the server - the address can easily be compromised at any Router location within the Internet that communicates with the server!!! • In addition to client spoofing, a server can be spoofed too. . . and trick a valid client into sending potentially confidential information and data 1 to it!!!

Providing a Trusted Service Mechanisms exist for solving the problem of “spoofers” One such mechanism is called the “public key system” (which we will study later in this course) 1

Privacy As we have seen, encryption using private and public key mechanisms can help ensure privacy However, in order for this to work, both the client and the server software need to be modified to support the encryption technology employed This is a non-trivial software engineering activity. . . In addition to ensuring clients and servers are who they say they are, organisations often want to control internet access to and from their site A number of techniques exist for controlling access 1