Post on 19-Dec-2015
Computer Science and Engineering 1
Which is the Cuckoo's Egg?
• $45 million
• Quebec
• Drug arrest
• Hacking scam
• Poland, Brazil, Manitoba, and the United States
• Age 17 to 26
• Computer network
Cuckoo's Egg
• Drug arrest
• Canada: police have broken up a major international computer-hacking network
• Target: unprotected personal computers around the world
• Police arrested 16 people – age between 17 and 26
• Online to attack and gain control of as many as one million computers worldwide
Csilla Farkas
Associate Professor
Dept. of Computer Science and Engineering
University of South Carolina
farkas@cse.sc.edu
http://www.cse.sc.edu/~farkas
Financial Loss
Dollar Amount Losses by Type
Total Loss (2006): $53,494,290
CSI/FBI Computer Crime and Security Survey, Computer Security Institute
Security Protection
Percentage of Organizations Using ROI, NPV, or IRR Metrics
Percentage of IT Budget Spent on Security
CSI/FBI Computer Crime and Security Survey, Computer Security Institute
What is Wrong with the Following Specification?
• The CEO of ReallySecure Inc. instructed the system administrator of the organization’s computing resources to implement security mechanisms, including
  – Hardware firewall
  – Authentication mechanisms
  – Access control
  – Secure communication
  – Encryption capabilities
Risk Management Framework (Business Context)
Understand Business Context
Identify Business and Technical Risks
Synthesize and Rank Risks
Define Risk Mitigation Strategy
Carry Out Fixes and Validate
Measurement and Reporting
Understand the Business Context
• “Who cares?”
• Identify business goals, priorities and circumstances, e.g.,
  – Increasing revenue
  – Meeting service-level agreements
  – Reducing development cost
  – Generating high return on investment
• Identify security risks to consider
Identify Business and Technical Risks
• “Why should business care?”
• Business risk
  – Direct threat
  – Indirect threat
• Consequences
  – Financial loss
  – Loss of reputation
  – Violation of customer or regulatory constraints
  – Liability
• Tying technical risks to the business context in a meaningful way
Synthesize and Rank the Risks
• “What should be done first?”
• Prioritization of identified risks based on business goals
• Allocating resources
• Risk metrics:
  – Risk likelihood
  – Risk impact
  – Risk severity
  – Number of emerging risks
Define the Risk Mitigation Strategy
• “How to mitigate risks?”
• Available technology and resources
• Constrained by the business context: what can the organization afford, integrate, and understand
• Need validation techniques
Carry Out Fixes and Validate
• Perform actions defined in the previous stage
• Measure “completeness” against the risk mitigation strategy
  – Progress against risk
  – Remaining risks
  – Assurance of mechanisms
• Testing
Measuring and Reporting
• Continuous and consistent identification and storage of risk information over time
• Maintain risk information at all stages of risk management
• Establish measurements, e.g.,
  – Number of risks, severity of risks, cost of mitigation, etc.
What is Being Protected, Why, and How?
• Risk assessment
RISK: threats, vulnerabilities, consequences
Security Objectives
• Secrecy: prevent/detect/deter improper disclosure of information
• Availability: prevent/detect/deter improper denial of access to services
• Integrity: prevent/detect/deter improper modification of information
Security Tradeoffs
• Cost
• Security functionality
• Ease of use
Achieving Security
• Policy: What to protect?
• Mechanism: How to protect?
• Assurance: How good is the protection?
Security by Obscurity
Hide the inner working of the system: bad idea!
– Vendor independent open standards
– Widespread computer knowledge
Security by Legislation
Instruct users how to behave: not good enough!
– Important
– Only enhances security
– Targets only some of the security problems
Security Mechanism
• Prevention
• Detection
• Tolerance and Recovery
Authentication
• Allows an entity (a user or a system) to prove its identity to another entity
• Typically, the entity whose identity is verified reveals knowledge of some secret S to the verifier
• Strong authentication: the entity reveals knowledge of S to the verifier without revealing S to the verifier
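Added example (not from the slides) contrasting the two forms of proof above: a password-style login sends S itself, while a challenge-response login using Python's standard hmac module demonstrates knowledge of S without S ever crossing the channel. The shared secret and the message names are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed shared secret S (an assumption of this example): both parties hold it
# after enrolment; the point is whether S itself ever crosses the channel.
SHARED_SECRET = b"constructed-shared-secret-S"

def weak_login(secret: bytes) -> tuple[bool, bool]:
    """Password-style proof: the claimant sends S itself.
    Returns (accepted, secret_on_wire)."""
    message_on_wire = secret
    accepted = hmac.compare_digest(message_on_wire, SHARED_SECRET)
    return accepted, SHARED_SECRET in message_on_wire

def issue_challenge() -> bytes:
    """Verifier: fresh random nonce, so each proof is bound to one exchange."""
    return secrets.token_bytes(16)

def prove(secret: bytes, challenge: bytes) -> bytes:
    """Claimant: HMAC keyed with S over the challenge; only this tag is sent."""
    return hmac.new(secret, challenge, hashlib.sha256).digest()

def verify(challenge: bytes, response: bytes) -> bool:
    """Verifier: recompute the expected tag and compare in constant time."""
    expected = hmac.new(SHARED_SECRET, challenge, hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)

def strong_login(secret: bytes) -> tuple[bool, bool]:
    """Challenge-response proof of knowledge of S. Returns (accepted, secret_on_wire)."""
    challenge = issue_challenge()          # verifier -> claimant
    response = prove(secret, challenge)    # claimant -> verifier
    secret_on_wire = any(SHARED_SECRET in m for m in (challenge, response))
    return verify(challenge, response), secret_on_wire

def replay_rejected() -> bool:
    """A tag captured from one exchange does not answer a later challenge."""
    captured = prove(SHARED_SECRET, issue_challenge())
    return not verify(issue_challenge(), captured)

if __name__ == "__main__":
    print(weak_login(SHARED_SECRET))      # (True, True): accepted, but S was exposed
    print(strong_login(SHARED_SECRET))    # (True, False): accepted, S never sent
    print(strong_login(b"wrong guess"))   # (False, False)
    print(replay_rejected())              # True
```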
User Authentication
• What the user knows
  – Password, personal information
• What the user possesses
  – Physical key, ticket, passport, token, smart card
• What the user is (biometrics)
  – Fingerprints, voiceprint, signature dynamics
Access Control
• Protection objects: system resources for which protection is desirable
  – Memory, file, directory, hardware resources, software resources, etc.
• Subjects: active entities requesting access to resources
  – User, owner, program, etc.
• Access mode: type of access
  – Read, write, execute
Access Control
• Access control components:
  – Access control policy: specifies the authorized accesses of a system
  – Access control mechanism: implements and enforces the policy
• Separation of components allows us to:
  – Define access requirements independently from implementation
  – Compare different policies
  – Implement mechanisms that can enforce a wide range of policies
Closed vs. Open Systems
Closed system (minimum privilege):
  Access request → Does a rule exist among the allowed accesses?
    yes → Access permitted
    no → Access denied
Open system (maximum privilege):
  Access request → Does a rule exist among the disallowed accesses?
    yes → Access denied
    no → Access permitted
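Added example (not from the slides) implementing both decision flows above as policy evaluators and running the same requests through each; the subjects, the payroll object and the single rule each administrator wrote are constructed, and the request nobody wrote a rule for is where the two defaults diverge.

```python
from dataclasses import dataclass, field

# Constructed example (not from the slides): the same access requests are
# evaluated under the two default policies the slide contrasts.
Rule = tuple[str, str, str]  # (subject, protection object, access mode)

@dataclass
class ClosedSystem:
    """Rules enumerate *allowed* accesses; no matching rule means deny.
    This is the minimum-privilege default."""
    allowed: set[Rule] = field(default_factory=set)

    def decide(self, subject: str, obj: str, mode: str) -> bool:
        return (subject, obj, mode) in self.allowed

@dataclass
class OpenSystem:
    """Rules enumerate *disallowed* accesses; no matching rule means permit.
    This is the maximum-privilege default."""
    disallowed: set[Rule] = field(default_factory=set)

    def decide(self, subject: str, obj: str, mode: str) -> bool:
        return (subject, obj, mode) not in self.disallowed

# Constructed policies: each administrator wrote exactly one rule about payroll.
CLOSED = ClosedSystem(allowed={("alice", "payroll", "read")})
OPEN = OpenSystem(disallowed={("bob", "payroll", "read")})

REQUESTS = [
    ("alice", "payroll", "read"),    # covered by a rule in both systems
    ("bob", "payroll", "read"),      # covered by a rule in both systems
    ("carol", "payroll", "write"),   # nobody wrote a rule for this access
]

def compare_policies(requests=REQUESTS) -> dict:
    """Map each request to (closed_decision, open_decision)."""
    return {r: (CLOSED.decide(*r), OPEN.decide(*r)) for r in requests}

def uncovered_requests(requests=REQUESTS) -> list:
    """Requests the open system permits but the closed system denies: the exposure
    a new user or object has in an open system until someone writes a rule."""
    return [r for r in requests if OPEN.decide(*r) and not CLOSED.decide(*r)]

if __name__ == "__main__":
    for req, (closed, open_) in compare_policies().items():
        print(req, "closed:", closed, "open:", open_)
    print("permitted only by default:", uncovered_requests())
```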
Traffic Control – Firewall
Security wall between the private (protected) network and the outside world
External Network – Firewall – Private Network
Firewall Objectives
• Keep intruders, malicious code and unwanted traffic or information out (external attacks from the external network)
• Keep proprietary and sensitive information in (proprietary data on the private network)
Cryptography
- Secret-Key Encryption
- Public-Key Encryption
- Cryptographic Protocols
Insecure communications
Sender → insecure channel → Recipient (confidential message)
Snooper on the channel
Encryption and Decryption
Plaintext → Encryption → Ciphertext → Decryption → Plaintext
Conventional (Secret Key) Cryptosystem
Sender: Plaintext M → Encryption with K → Ciphertext C = E(K, M)
Recipient: Ciphertext C → Decryption with K → Plaintext M = D(K, C)
K needs a secure channel
Public Key Cryptosystem
Sender: Plaintext M → Encryption with the recipient’s public key (Kpub) → Ciphertext C = E(Kpub, M)
Recipient: Ciphertext C → Decryption with the recipient’s private key (Kpriv) → Plaintext M = D(Kpriv, C)
Kpub needs a reliable channel
Cryptographic Protocols
• Messages should be transmitted to destination
• Only the recipient should see it
• Only the recipient should get it
• Proof of the sender’s identity
• Message shouldn’t be corrupted in transit
• Message should be sent/received once only
Misuse Prevention
• Prevention techniques: first line of defense
• Secure local and network resources
• Techniques: cryptography, identification, authentication, authorization, access control, security filters, etc.
Problem: losses occur!
Intrusion Management
• Intrusion Prevention: protect system resources
• Intrusion Detection (second line of defense): discriminate intrusion attempts from normal system usage
• Intrusion Recovery: cost effective recovery models
Anomaly versus Misuse
Rows: looks like NORMAL behavior / does NOT look like NORMAL behavior; columns: non-intrusive use / intrusive use
• Looks like NORMAL behavior, intrusive use: false negative (non-anomalous but intrusive activities)
• Does NOT look like NORMAL behavior, non-intrusive use: false positive (non-intrusive but anomalous activities)
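Added example (not from the slides) filling the matrix above for two detectors over a constructed set of login events: an anomaly detector that flags deviation from a baseline, and a misuse detector that flags only a known pattern. The users, hours, failure counts and ground-truth labels are all constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Event:
    user: str
    hour: int           # hour of day (0-23) of the login
    failed_logins: int  # failed attempts immediately preceding it
    intrusive: bool     # ground truth, known only because this set is constructed

# Constructed sample activity (not from the slides); labels are assumptions.
EVENTS = [
    Event("alice", 9, 0, False),    # ordinary daytime login
    Event("alice", 23, 0, False),   # legitimate late work: anomalous, not intrusive
    Event("bob", 10, 1, False),     # one mistyped password
    Event("mallet", 3, 7, True),    # night-time guessing burst: anomalous and intrusive
    Event("mallet", 11, 0, True),   # stolen credential used in business hours
]

def is_anomalous(e: Event) -> bool:
    """Anomaly detection: flag deviation from the baseline (business hours, <= 2 failures)."""
    return not (8 <= e.hour <= 18 and e.failed_logins <= 2)

def matches_signature(e: Event) -> bool:
    """Misuse detection: flag only a known intrusion pattern (a guessing burst)."""
    return e.failed_logins >= 5

def confusion(detector, events=EVENTS) -> dict:
    """Fill the slide's 2x2 matrix for one detector: verdict vs. ground truth."""
    m = {"true_negative": 0, "false_positive": 0, "false_negative": 0, "true_positive": 0}
    for e in events:
        flagged = detector(e)
        if flagged and not e.intrusive:
            m["false_positive"] += 1    # non-intrusive but anomalous (or signature hit)
        elif not flagged and e.intrusive:
            m["false_negative"] += 1    # intrusive but looks like normal behavior
        elif flagged:
            m["true_positive"] += 1
        else:
            m["true_negative"] += 1
    return m

def anomaly_matrix() -> dict:
    return confusion(is_anomalous)

def misuse_matrix() -> dict:
    return confusion(matches_signature)

if __name__ == "__main__":
    print("anomaly:", anomaly_matrix())   # 1 false positive, 1 false negative
    print("misuse: ", misuse_matrix())    # 0 false positives, 1 false negative
```

The credential misuse during business hours is the false negative both detectors share: it neither deviates from the baseline nor matches the signature.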
Malicious Code Detection
• Virus and Worm
• Programming Flaws
• Application Specific Code
  – Distributed, heterogeneous platforms
  – Complex applications
• Security Applications vs. Secure Applications
  – Build security into the system
Incident Response
• Federal Communications Commission: Computer Security Incident Response Guide, 2001, http://csrc.nist.gov/fasp/FASPDocs/incident-response/Incident-Response-Guide.pdf
• Incident Response Team, R. Nellis, http://www.rochissa.org/downloads/presentations/Incidence%20Response%20Teams.ppt
• NIST special publications, http://csrc.nist.gov/publications/nistpubs/index.html
Intrusion Recovery
• Actions to avoid further loss from intrusion
• Terminate intrusion and protect against reoccurrence
• Law enforcement
• Enhance defensive security
• Reconstructive methods based on:
  – Time period of intrusion
  – Changes made by legitimate users during the affected period
  – Regular backups, audit trail based detection of affected components, semantic based recovery, minimal roll-back for recovery
What is “Survivability”?
To decide whether a computer system is “survivable”, you must first decide what “survivable” means.
Effect Modeling and Vulnerability Detection
Cascading effects:
– Seriously affected components
– Weakly affected components
– Not affected components
Due Care and Liability
• Organizational liability for misuse
  – US Federal Sentencing Guidelines: chief executive officer and top management are responsible for fraud, theft, and antivirus violations committed by insiders or outsiders using the company’s resources.
  – Fines and penalties
    • Base fine
    • Culpability score (95%-400%)
  – Good faith efforts: written policies, procedures, security awareness program, disciplinary standards, monitoring and auditing, reporting, and cooperation with investigations
Roles and Responsibilities
• User:
  – Vigilant for unusual behavior
  – Report incidents
• Manager:
  – Awareness training
  – Policies and procedures
• System administration:
  – Install safeguards
  – Monitor system
  – Respond to incidents, including preservation of evidence
Computer Incident Response Team
• Assist in handling security incidents
  – Formal
  – Informal
• Incident reporting and dissemination of incident information
• Computer Security Officer
  – Coordinate computer security efforts
• Others: law enforcement coordinator, investigative support, media relations, etc.
Incident Response Process 1.
Preparation
– Baseline protection
– Planning and guidance
– Roles and responsibilities
– Training
– Incident response team
Incident Response Process 2.
Identification and assessment
– Symptoms
– Nature of incident
  • Identify perpetrator, origin and extent of attack
  • Can be done during the attack or after the attack
– Gather evidence
  • Keystroke monitoring, honeynets, system logs, network traffic, etc.
  • Legislation on monitoring!
– Report on preliminary findings
Incident Response Process 3.
Containment
– Reduce the chance of spread of incident
– Determine sensitive data
– Terminate suspicious connections, personnel, applications, etc.
– Move critical computing services
– Handle human aspects, e.g., perception management, panic, etc.
Incident Response Process 4.
Eradication
– Determine and remove cause of incident if economically feasible
– Improve defenses, software, hardware, middleware, physical security, etc.
– Increase awareness and training
– Perform vulnerability analysis
Incident Response Process 5.
Recovery
– Determine course of action
– Reestablish system functionality
– Reporting and notifications
– Documentation of incident handling and evidence preservation
Follow Up Procedures
• Incident evaluation:
  – Quality of incident handling (preparation, time to response, tools used, evaluation of response, etc.)
  – Cost of incident (monetary cost, disruption, lost data, hardware damage, etc.)
• Preparing report
• Revise policies and procedures