Post on 19-Mar-2018
CSE497b Introduction to Computer and Network Security - Spring 2007 - Professor Jaeger
Lecture 2 - Security Overview
CSE497b - Spring 2007 Introduction to Computer and Network Security
Professor Jaeger
www.cse.psu.edu/~tjaeger/cse497b-s07
Readings
• Books
  – Perlman et al
  – Gollmann
  – Both are listed on calendar
• Readings
  – Please check the calendar for the class readings
  – Today
    • Gollmann Chs. 1 and 2
    • Next, Perlman Ch. 10, Gollmann Ch. 3
What is security?
• “the property that a system behaves as expected”
  – G. Spafford and many others ....
• Note that this does not say what a system should or should not do.
  – Implication -- there is no universal definition or test for security (why?)
  – Apply this definition to the ATM
    • How do you think an ATM should behave?
    • What should it do?
    • What should it not do?
• We talk about expectations often in terms of confidentiality, integrity, and availability.
Risk
• At-risk valued resources that can be misused
  – Monetary
  – Data (loss or integrity)
  – Time
  – Confidence
  – Trust
• What does being misused mean?
  – Confidentiality (privacy or communication)
  – Integrity (personal or communication)
  – Availability (existential or fidelity)
• Q: What is at stake in your life?
Adversary
• An adversary is any entity trying to circumvent the security infrastructure
  – The curious and otherwise generally clueless (e.g., script-kiddies)
  – Casual attackers seeking to understand systems
  – Venal people with an ax to grind
  – Malicious groups of largely sophisticated users (e.g., chaos clubs)
  – Competitors (industrial espionage)
  – Governments (seeking to monitor activities)
Threats
• A threat is a specific means by which a risk can be realized by an adversary
  – Context specific (a fact of the environment)
  – An attack vector is a specific threat (e.g., key logger)
• A threat model is a collection of threats that are deemed important for a particular environment
  – i.e., the threats that should be addressed
  – A set of “security requirements” for a system
• Q: What were (unaddressed) risks/threats in the introductory examples?
  – SQL Slammer
  – Yale/Princeton
Vulnerabilities (attack vectors)
• A vulnerability is a systematic artifact that exposes the user, data, or system to a threat
  – E.g., buffer-overflow, WEP key leakage
• What is the source of a vulnerability?
  – Bad software (or hardware)
  – Bad design, requirements
  – Bad policy/configuration
  – System misuse
    • unintended purpose or environment
    • E.g., student IDs for liquor store
Are users adversaries?
• Have you ever tried to circumvent the security of a system you were authorized to access?
• Have you ever violated a security policy (knowingly or through carelessness)?
Attacks
• An attack occurs when someone attempts to exploit a vulnerability
• Kinds of attacks
  – Passive (e.g., eavesdropping)
  – Active (e.g., password guessing)
  – Denial of Service (DoS)
    • Distributed DoS – using many endpoints
• A compromise occurs when an attack is successful
  – Typically associated with taking over/altering resources
Participants
• Participants are expected system entities
  – Computers, agents, people, enterprises, …
  – Depending on context referred to as: servers, clients, users, entities, hosts, routers, …
  – Security is defined with respect to these entities
    • Implication: every party may have a unique view
• A trusted third party
  – Trusted by all parties for some set of actions
  – Often used as introducer or arbiter
Trust
• Trust refers to the degree to which an entity is expected to behave
  – What is the entity not expected to do?
    • E.g., not expose password
  – What is the entity expected to do (obligations)?
    • E.g., obtain permission, refresh
• A trust model describes, for a particular environment, who is trusted to do what
• Note: you make trust decisions every day
  – Q: What are they?
  – Q: Whom do you trust?
Related Terminology
• Reliability - property of a system that indicates it will continue to function for long periods of time under varying circumstances
• Survivability - ability of a system to maintain function during abnormal or environmentally troubling events
• Privacy - the ability to stop information from becoming known to people other than those to whom one chooses to give the information
• Assurance - confidence that a system meets its security requirements
  – as typically evidenced by some evaluation methodology (FIPS 192, Common Criteria)
Security Model
• A security model is the combination of trust and threat models that address the set of perceived risks
  – The “security requirements” used to develop some cogent and comprehensive design
  – Every design must have a security model
    • LAN network or global information system
    • Java applet or operating system
  – The single biggest mistake seen in use of security is the lack of a coherent security model
  – It is very hard to retrofit security (design time)
• This class is going to talk a lot about security models
  – What are the security concerns (risks)?
  – What are the threats?
  – Who are our adversaries?
  – Who do we trust and to do what?
• Systems must be explicit about these things to be secure.
Review
• An adversary is a subject who tries to gain unauthorized access
• A threat is a mechanism that the adversary is capable of employing to gain unauthorized access
• A risk is a loss due to an adversary gaining unauthorized access
• A vulnerability is a flaw in a system that enables a threat to allow the adversary unauthorized access
• A threat model describes all the mechanisms available to the adversaries
• A trust model describes all the subjects that are trusted not to have vulnerabilities that can be abused or be adversaries
• A security model consists of a threat model and a trust model (functional and security goals as well)
Security Overview
• Security can be separated in many ways, e.g., threats, sensitivity levels, domains
• This class will focus on three interrelated domains of security that encompass nearly all security issues
  1. Network Security
  2. Systems Security
  3. Program Security
• There are other areas, e.g., physical security, privacy, etc. that will not directly be covered.
Common problems in network security
• Network security attempts to protect communication between hosts carried by the (often untrusted) network.
  – Eavesdropping on communication (confidentiality)
  – Modifying communication (integrity)
  – Preventing communication (availability)
• Example: securing application traffic (Web)
  – Protecting on the network (HTTP requests/responses)
  – As passing through intermediaries (proxies)
  – In the server (from malicious requests)
  – Protecting the client (from malicious content)
Common problems in systems security
• Systems security attempts to protect data held on hosts and on (sometimes untrusted) storage.
  – Prevention of sensitive data leakage (confidentiality)
    • Also known as information flow governance
  – Prevention of data corruption (integrity)
  – Controlling data response (availability)
• Systems Security: Controlling Data Leakage
  • on disk (key in clear -- encrypt with pass phrase)
  • provide pass-phrase (window manager)
  • memory of program
  • swap memory to swap space
Common problems in program security
• Program security attempts to protect data received, held, and output on a (sometimes untrusted) host.
  – Prevention of sensitive data leakage (confidentiality)
    • Also known as information flow governance
  – Prevention of data corruption (integrity)
  – Controlling data access (availability)
• Example: Handling a Remote Request
  • process user request (authenticate, authorize)
  • data-driven attack from request
  • buffer overflows
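Handling a remote request, as an added C example that is not part of the lecture: it walks the slide's three points (authenticate and authorize, data-driven input from the request, and the fixed-size field that a missing length check would overflow). The request format "<token>:<user>:<action>", the credential table and all function names are assumptions made for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Constructed request format (an assumption, not from the slides):
 * "<token>:<user>:<action>", e.g. "tok-alice:alice:write". */
#define USER_MAX 16  /* fixed-size stack field: the classic overflow target */
enum result { REQ_OK = 0, REQ_MALFORMED, REQ_TOO_LONG, REQ_BAD_AUTH, REQ_FORBIDDEN };

/* Constructed credential table: token -> user, and whether "write" is allowed. */
struct account { const char *token; const char *user; bool can_write; };
static const struct account ACCOUNTS[] = {
    { "tok-alice", "alice", true  },
    { "tok-bob",   "bob",   false },
};

/* Bounded copy of a request field. The overflow the slide names is this copy
 * without the length check (strcpy, or memcpy of a request-controlled length):
 * a user field of USER_MAX or more bytes would write past dst. Reject instead. */
static bool copy_user_safe(char dst[USER_MAX], const char *src, size_t len) {
    if (len >= USER_MAX) return false;  /* keep room for the terminating NUL */
    memcpy(dst, src, len);
    dst[len] = '\0';
    return true;
}

/* The slide's steps: parse without trusting lengths, authenticate, authorize. */
enum result handle_request(const char *req) {
    char user[USER_MAX];
    const char *p1 = strchr(req, ':');
    if (!p1) return REQ_MALFORMED;
    const char *p2 = strchr(p1 + 1, ':');
    if (!p2) return REQ_MALFORMED;
    const char *action = p2 + 1;
    /* Step 1: data-driven input; an oversized field is an error, not a copy. */
    if (!copy_user_safe(user, p1 + 1, (size_t)(p2 - p1 - 1))) return REQ_TOO_LONG;
    /* Step 2: authenticate: the token must belong to the named user. */
    const struct account *acct = NULL;
    size_t tlen = (size_t)(p1 - req);
    for (size_t i = 0; i < sizeof ACCOUNTS / sizeof ACCOUNTS[0]; i++)
        if (strlen(ACCOUNTS[i].token) == tlen && memcmp(req, ACCOUNTS[i].token, tlen) == 0
            && strcmp(ACCOUNTS[i].user, user) == 0)
            acct = &ACCOUNTS[i];
    if (!acct) return REQ_BAD_AUTH;
    /* Step 3: authorize the action for the authenticated account. */
    if (strcmp(action, "read") == 0) return REQ_OK;
    if (strcmp(action, "write") == 0) return acct->can_write ? REQ_OK : REQ_FORBIDDEN;
    return REQ_FORBIDDEN;
}
```

The order matters: the length check runs before any credential is consulted, so an oversized field from an unauthenticated sender never reaches the copy.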
The remainder ....
• The remaining weeks will explore the design and use of these approaches
  – Always ask yourself what tools are appropriate for a particular environment.
  – For example, which of the following is appropriate for SPAM mitigation?
    • Authentication
    • Access Control
    • Transport/Data Security
    • Audit/Detection
  – What about protecting the confidentiality of your email?
• Next week: Passwords and Authentication