Hardware Security Attacks Security Architecture Hardware Security.

Post on 27-Dec-2015


Goals

The student shall be able to:
Define: Confidentiality, integrity, availability.
Describe example security techniques for the processing states: processing, storage, transmission.
Define categories for, and give examples of, threat agents and vulnerabilities.
Define the role of the security countermeasures - education, training and awareness, and policy, procedures, and practices.
Define policy, standard, procedure, guideline.
Define preventive, detective, and corrective control, and define which is best.

Reading:
Hackers in China Attacked The Times for Last 4 Months, Jan 30, 2013, New York Times.
U.S. Indicts 11 in Global Credit Card Scheme, Wall Street Journal, Aug. 6, 2008.

Example Security Attacks

NY Times was attacked by Chinese hackers, when China’s prime minister was the target of news reports

Credit card fraud results in cheap credit cards and identity theft

Spy and destructive programs implemented for national security (STUXNET, Flame)

Security Vocabulary

Asset: Diamonds
Threat: Theft
Vulnerability: Open door or windows
Threat agent: Burglar
Owner: Those accountable or who value the asset

Risk: Danger to assets

Threat Agent Types

Hackers/Crackers | Challenge, rebellion | Unauthorized access
Criminals | Financial gain, disclosure/destruction of info. | Fraud, computer crimes
Hacktivist/Hostile Intel. Service | Spying/destruction/revenge/extortion | DOS, info warfare
Industry Spies, Surveillance State | Competitive advantage | Info theft, econ. exploitation
Insiders | Opportunity, personal issues | Fraud/theft, malware, abuse

System Vulnerabilities


Behavioral: Disgruntled employee, uncontrolled processes, poor network design, improperly configured equipment

Misinterpretation: Poorly-defined procedures, employee error, insufficient staff, inadequate mgmt, inadequate compliance enforcement

Coding Problems: Security ignorance, poorly-defined requirements, defective software, unprotected communication

Physical Vulnerabilities: Fire, flood, negligence, theft, kicked terminals, no redundancy

Security Goals

CIA Triad: Confidentiality, Integrity, Availability

Conformity to Law & Privacy Requirements

CIA

Confidentiality
Data is accessible only to authorized parties
Data is provided on ‘need-to-know’ basis

Integrity
Data is modified only by authorized parties
Data is accurate
Example: Does your resume/credit report accurately reflect you?

Availability
Data is available to authorized persons when needed

Security: Defense in Depth

Border Router
Perimeter firewall
Internal firewall
Intrusion Detection System
Policies & Procedures & Audits
Authentication
Access Controls

IT Control Classifications

Before Problematic Event: Preventive Controls*: Preventing fraud
Includes: Programmed edit checks, Encryption software, Access control S/W, Well-designed procedures, Physical controls, Employ only qualified personnel

Time of Event: Detective Controls: Finding fraud when it occurs
Includes: Hash totals, Check points, Duplicate checking, Error messages, Past-due account reports, Review of activity logs

After Event: Corrective Controls: Fix problems and prevent future problems
Includes: Contingency planning, Backup procedures, Reruns

* Preventive Controls are BEST

Three states: transmit, process, storage

Confidentiality controls (e.g.) for the three states: transmit, process, storage

Encryption, Frequency hopping, Firewall, Network Intrusion Prevention System, Shielding

Encryption, Secured room, Media destruction, Media sanitization

Authentication, Access control, Antivirus, Audit trail, Host IDS/IPS

Availability controls (e.g.) for the three states: transmit, process, storage

Redundancy, Test equipment (Loopback, sniffers)

RAID, Redundant DB, HVAC, Fire suppressant, Filtered power

Redundancy: Clusters, Primary-Secondary; Uninterruptible Power Supply; Locks, alarms, anti-theft

Confidentiality & Processing

Need-to-know: Persons should have ability to access data sufficient to perform primary job and no more

Least Privilege: Persons should have ability to do tasks sufficient to perform primary job and no more

Segregation of Duties: Ensure that no person can assume two roles: Origination, Authorization, Distribution, Verification

Privacy: Personal/private info is retained only when a true business need exists
Privacy is a liability
Retain records for short time

Personnel office should change permissions as jobs change

Availability & Storage: Backups

Daily Events | Full | Differential | Incremental
Monday: Full Backup | Monday | Monday | Monday
Tuesday: A Changes | Tuesday | Saves A | Saves A
Wednesday: B Changes | Wed’day | Saves A + B | Saves B
Thursday: C Changes | Thursday | Saves A + B + C | Saves C
Friday: Full Backup | Friday | Friday | Friday

Incremental or Differential Backups can record transactions since last backup or last full backup, respectively
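
The backup table above, worked through as an added example (not part of the original slides): it computes what each nightly backup writes, which backups a restore must read, and what is still recoverable when one backup is unreadable. The function names and the stop-at-first-broken-link rule for incrementals are assumptions of this sketch.

```python
# Constructed schedule mirroring the slide's table: full backups on Monday and
# Friday, change sets A, B, C made on Tuesday, Wednesday and Thursday.
SCHEDULE = [("Monday", None), ("Tuesday", "A"), ("Wednesday", "B"),
            ("Thursday", "C"), ("Friday", None)]   # None marks a full backup
MODES = ("differential", "incremental")

def plan(mode, schedule=SCHEDULE):
    """Map each day to what that night's backup writes: 'FULL' or change sets."""
    if mode not in MODES:
        raise ValueError(f"unknown mode: {mode}")
    saved, since_full = {}, []
    for day, change in schedule:
        if change is None:            # full backup resets the baseline
            saved[day], since_full = "FULL", []
            continue
        since_full.append(change)
        # Differential copies everything since the last full backup;
        # incremental copies only what changed since the previous backup.
        saved[day] = list(since_full) if mode == "differential" else [change]
    return saved

def restore_chain(mode, target_day, schedule=SCHEDULE):
    """List the backups (by day) that must be read to restore target_day."""
    if mode not in MODES:
        raise ValueError(f"unknown mode: {mode}")
    days = [day for day, _ in schedule]
    upto = schedule[:days.index(target_day) + 1]   # ValueError on unknown day
    last_full = max(i for i, (_, c) in enumerate(upto) if c is None)
    partials = [day for day, _ in upto[last_full + 1:]]
    if mode == "differential":
        partials = partials[-1:]      # newest differential holds all changes
    return [days[last_full]] + partials

def recoverable(mode, target_day, damaged, schedule=SCHEDULE):
    """Change sets still restorable for target_day when some media are unreadable."""
    saved = plan(mode, schedule)
    chain = restore_chain(mode, target_day, schedule)
    if chain[0] in damaged:
        return []                     # no baseline: nothing in this cycle restores
    if mode == "differential":
        # Fall back to the newest readable differential since the full backup.
        days = [day for day, _ in schedule]
        window = days[days.index(chain[0]) + 1:days.index(target_day) + 1]
        good = [d for d in window if d not in damaged]
        return saved[good[-1]] if good else []
    out = []
    for day in chain[1:]:             # incremental: stop at the first broken link
        if day in damaged:
            break
        out += saved[day]
    return out
```

Incremental backups write less each night but need every backup since the last full one to restore; a differential restore needs only the full backup plus the newest differential.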

Integrity Controls: Audit Trails

Audit trail tracks responsibility: Who did what when?

Periodic review will help to find excess-authority access, login successes & failures, and track fraud

Attackers often want to change the audit trail (to hide tracks)

Audit trail must be hard to change: Write-once devices

Security & systems admins and managers may have READ-only access to log

Audit trail must be sensitive to privacy: Personal information may be encrypted

Theoretical Basis for Security Model

[Figure: cube with three sets of labels: Processing, Transmission, Storage; Technology, Policy, Security Training & Awareness; Confidentiality, Integrity, Availability]

Policy Documentation

Policy = Direction for Control
Philosophy of organization
Created by Senior Mgmt
Reviewed periodically

Employees must understand intent
Auditors test for compliance

Procedures: Detailed steps to implement a policy. Written by process owners

Standards: An image of what is acceptable

Guidelines: Recommendations and acceptable alternatives

Policies, Procedures, Standards

Policy Objective: Describes ‘what’ needs to be accomplished
Policy Control: Technique to meet objectives
Procedure: Outlines ‘how’ the Policy will be accomplished
Standard: Specific rule, metric or boundary that implements policy

Example 1:
Policy: Computer systems are not exposed to illegal, inappropriate, or dangerous software
Policy Control Standard: Allowed software is defined to include ...
Policy Control Procedure: A description of how to load a computer with required software.

Example 2:
Policy: Access to confidential information is controlled
Policy Control Standard: Confidential information SHALL never be emailed without being encrypted
Policy Guideline: Confidential info SHOULD not be written to a memory stick

Discussion: Are these effective controls by themselves?

Types of Security Training

Awareness:

Create security-conscious workforce

Employees, partners & vendors

Newsletters, surveys, quizzes, video training, forums, posters

Training:

Necessary skills for a particular position

HR, legal, middle or top mgmt

Workshops, conferences

Education:

High level skills

High-skilled professions: audit, security admin/mgmt, Risk mgmt…

Organized and gradual development: teaching & coaching

Hardware security threats

Acoustic emanations
Electrical emanations
Magnetic emanations

Hardware attack examples

ATM skimmers: A sleeve reads credit cards when inserted into machines.
Altered chips: Include Trojan horse firmware to respond to certain transmissions.
Flat Panel Displays: Serial transmissions modulate a video signal that provides eavesdroppers with good reception quality.

Hardware Emanation Controls

Technology:
Shielding (for radiation through space, and magnetic fields)
Filtering (for conducted signals on power lines, signal lines, etc.)
Masking (for either space-radiated or conducted signals, but mostly for space)

Space: Protection zone of 200 feet

Certification: Does equipment achieve government-secure levels of safety?

Question
An example of a vulnerability is
1. Theft
2. Burglar
3. Open door
4. Diamonds

Question
Three main goals of security include:
1. Confidentiality, Integrity, Availability
2. Confidentiality, Integrity, Authorization
3. Processing, Storage, Transmission
4. Preventive, Detective, Corrective

Question
In security, poor coding and disgruntled employees are examples of:
1. Threat
2. Risk
3. Threat agent
4. Vulnerability

Question
What are the three states that need to be protected in security?
1. Confidentiality, Integrity, Authentication
2. Transmission, Processing, Storage
3. Operating System, Application Program, Hardware
4. Processes, procedures and standards

Question
In security, a hostile intelligence service and cracker are examples of:
1. Risk
2. Threat
3. Threat agent
4. Vulnerability

Question
The best type of security control is:
1. Detective
2. Corrective
3. Compensatory
4. Preventive

Question
Consider the term: ‘Defense in Depth’. Depth here means:
1. Select best-in-class controls
2. If an attacker breaks through one control, they have more to attack
3. Hardware should use filtering, shielding, or masking
4. Extensive security education is preferred to security awareness