Page 1: Introduction to Information Security - securesw.dankook.ac.kr/ISS19-1/ISS_2019_03_Intro_part3.pdf

Seong-je Cho

Spring 2019

Computer Security & Operating Systems Lab, DKU

Introduction to Software Security

Introduction to Information Security

Page 2

References

Textbook

N. Vlajic, CSE 3482: Introduction to Computer Security, Yorku

Please do not duplicate and distribute

Computer Security & OS Lab, DKU

Page 3

Contents

The cast of characters

Alice’s online Bank

Type of Security Threats

C.I.A of Information Security

Confidentiality

Integrity

Availability

Extended CIA Framework

Main components of a security threat

About the textbook


Page 4

The Cast of Characters


Alice and Bob are the good guys

Trudy and Darth are the bad guys

Trudy is our generic “intruder”

Page 5

Alice’s Online Bank (AOB)

Alice opens Alice’s Online Bank (AOB)

What are Alice’s security concerns?

What type of security threats are there?

If Bob is a customer of AOB, what are his security concerns?

How are Alice and Bob concerns similar? How are they different?

How does Trudy view the situation?


What type of attacks can adversaries perform in this situation?

Page 6

Type of Threats (Security Attacks)

Trudy tries to know Bob’s account number/balance, PIN, …

Trudy tries to withdraw money from Bob’s account

Trudy tries to change Bob’s account balance

Trudy tries to improperly change his own account balance if he opens a savings account

There may be too many transactions to provide normal services


Page 7

Type of Threats (Security Attacks)

Interruption: asset is lost or unavailable, DoS attacks

Interception: unauthorized access, wiretapping, illegal copying

Modification: changes/alteration to a DB or program file, a band’s firmware modification, repackaged Android apps

Fabrication: insert spurious transaction, illegally add entry to passwd file or DB


Which threat is the hardest to detect?

Which threats can be prevented by blockchain?

Page 8

Examples of Threats and Attacks

What type of threat is each of the following related to?

Eavesdropping on communication, Wiretapping telecommunications networks, …

Packet sniffing and key logging to capture data from a computer system or network

Illicit copying of files or programs

User / Credential counterfeiting, Email spoofing, Fake message, …

Destruction of SW or HW, Cutting a communication line

Flooding: TCP flood, SYN flood, Ping flood, …

Occupying target server’s resources: A fork bomb (rabbit virus), Repetitive file creation, Deadlock condition, …

Changing information stored in data files

Altering programs so they perform differently

Reconfiguring system HW or network topologies

Replaying previously intercepted messages

Spoofing a web site or other network service

Phishing, Pharming, Smishing, Vishing (voice or VoIP phishing), Telephone scam, …


Page 9

Key Security Properties : C.I.A.

Confidentiality

AOB must prevent Trudy from learning Bob’s account balance

Confidentiality: prevent unauthorized reading of information

Integrity

Trudy must not be able to change Bob’s account balance

Bob must not be able to improperly change his own account balance

Integrity: prevent unauthorized writing of information

Availability

AOB’s information must be available when needed

Alice must be able to make transactions; if not, Bob will take his business elsewhere

Availability: data is available in a timely manner when needed

Availability is a “new” security concern, raised in response to denial of service (DoS) attacks


Page 10

Key Security Properties (Security Goals)

C.I.A. Triangle – 3 key characteristics of information that must be protected by information security:

Confidentiality (Secrecy) - only authorized parties can view private information

Integrity - information is changed only in a specified and authorized manner (by authorized users)

Availability - information is accessible to authorized users whenever needed


An information system is secure if it supports C.I.A.

Page 11

How to prevent/detect fabrication attacks

Use of Authentication and Authorization mechanisms

Use Digital Signatures

ID/Password

iPIN, accredited certificate (공인인증서),

Biometrics: Fingerprint, Iris, Face recognition, …


Page 12

Beyond CIA

CIA is only the beginning of information security.

Case 1: when Bob logs on his computer/smartphone,

How does Bob’s computer know that “Bob” is really Bob and not Trudy?

Bob’s password must be verified

This requires some clever cryptography

What are security concerns of pwds?

Are there alternatives to passwords?

Case 2: when Bob logs into AOB

how does AOB know that “Bob” is really Bob?

As before, Bob’s password is verified → Authentication

Unlike the standalone computer case, network security issues arise

What are network security concerns?

Protocols are critically important

Crypto also important in protocols


Page 13

Beyond CIA

Once Bob is authenticated by AOB, then AOB must restrict actions of Bob

Bob can’t view Charlie’s account info

Bob can’t install new software, etc.

Enforcing these restrictions is known as authorization

Access control includes both authentication and authorization

Cryptography, protocols, and access control are implemented in software

What are security issues of software?

Most software is complex and buggy

Software flaws lead to security flaws

How to reduce flaws in software development?


Page 14

Beyond CIA

Some software is intentionally evil

Malware: computer viruses, worms, ransomware, spyware, etc.

How does the malware work?

What can Alice and Bob do to protect themselves from malware?

What can Trudy do to make malware more “effective”?

Operating systems enforce security

For example, authorization

OS: large and complex software

Win XP has 40,000,000 lines of code!

Subject to bugs and flaws like any other software

Many security issues specific to OSs

Can you trust an OS?


Page 15

Extended C.I.A. Triangle

Some security experts feel that additional concepts need to be added to the CIA triad:

Authentication (Authenticity) - being able to verify that users are who they claim to be, and that each data input has come from a trusted source

User or data origin accurately identifiable

Accountability - being able to trace actions of an entity uniquely to that entity

Accountability means that the system is able to provide audit trails of all transactions.

Actions are traceable to those responsible

Access controls

They provide the limitation and control of access to authorised users through identification and authentication.

Non-repudiation

It is the prevention of either the sender or the receiver denying a transmitted message.


Page 16

Extended CIA Framework


• The Pillars of Information Security

• Futuristic Approach to Ensuring Data Security in Clouds

Page 17

Examples of C.I.A.A.A


Page 18

Example: DATA CONFIDENTIALITY

Student grade – an information asset of high importance for a student.

In the US, release of such information is regulated by the Family Educational Rights and Privacy Act (FERPA).

Grade information should only be available to students, their parents and employees that require this information to do their job.

In Canada, the same issue is regulated by Personal Information Protection and Electronic Documents Act (PIPEDA).


Page 19

Example: How to ensure data confidentiality?

cryptography

strong access control

Never access, No read, No view

limiting number of places where data can appear

(e.g., cannot be stored on a USB drive)


Page 20

Example: DATA Integrity

Patient information in a hospital – the doctor should be able to trust that the information is correct and current.

Inaccurate information could result in serious harm to the patient and expose the hospital to massive liability.

In the US, the Health Insurance Portability and Accountability Act (HIPAA) regulates the collection, storage, and transmission of sensitive personal health care information.

Hospital is responsible for safeguarding patient information against error, loss, defacing, tampering and unauthorized use.

(Ontario’s Personal Health Information Protection Act -PHIPA)


Page 21

Example: How to ensure data integrity?

strong access control - prevents attacks on data integrity

Cryptographic hashing - detects attacks on data integrity

documenting system activity - who did what and when

detects attacks on data integrity
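As an added example (not from the slides), the following Python script puts the three controls on this slide together with the fabrication-prevention slide (page 11) in the AOB scenario: a keyed hash (HMAC-SHA256, used here as a lightweight stand-in for the digital signature the slides list) chained over a transaction log detects Trudy's modification, fabrication and deletion attempts, while the actor field in each entry is the audit trail the accountability slide asks for. The key, account names and transactions are constructed for the demo.

```python
"""Tamper-evident transaction log for the Alice's Online Bank (AOB) scenario.

Added example, not from the slides. Each transaction gets a keyed cryptographic
hash (HMAC-SHA256, used here as a lightweight stand-in for the digital signature
the slides list) that also covers the previous entry's tag. AOB can then detect
the threats the slides name: modification (Trudy edits Bob's balance),
fabrication (a spurious transaction inserted without the key) and deletion
(a withdrawal removed from the record). The 'actor' field in every entry is
the audit trail the accountability slide asks for.
"""
import copy
import hashlib
import hmac
import json
from typing import Any, Dict, List, Tuple

# Constructed demo key. In a real system it lives in an HSM/KMS, never in source.
AOB_KEY = b"constructed-demo-key-do-not-reuse"
GENESIS = "0" * 64  # tag assumed for the (non-existent) entry before the first one

Entry = Dict[str, Any]


def canonical(tx: Dict[str, Any]) -> bytes:
    """Deterministic serialisation: the same fields must always hash the same way."""
    return json.dumps(tx, sort_keys=True, separators=(",", ":")).encode()


def make_tag(prev_tag: str, tx: Dict[str, Any], key: bytes = AOB_KEY) -> str:
    """HMAC over previous tag || transaction, so each entry commits to its predecessor."""
    return hmac.new(key, prev_tag.encode() + canonical(tx), hashlib.sha256).hexdigest()


def append(log: List[Entry], tx: Dict[str, Any], key: bytes = AOB_KEY) -> None:
    """Record a transaction together with its integrity tag."""
    prev = log[-1]["tag"] if log else GENESIS
    log.append({"tx": tx, "tag": make_tag(prev, tx, key)})


def verify(log: List[Entry], key: bytes = AOB_KEY) -> int:
    """Return -1 if every entry verifies, else the index of the first bad entry.

    compare_digest runs in constant time, so timing differences do not leak
    how many leading bytes of a guessed tag were right.
    """
    prev = GENESIS
    for i, entry in enumerate(log):
        if not hmac.compare_digest(make_tag(prev, entry["tx"], key), entry["tag"]):
            return i
        prev = entry["tag"]
    return -1


def balance(log: List[Entry], account: str) -> int:
    """Derive a balance from the log; refuse to answer if the log fails verification."""
    if verify(log) != -1:
        raise ValueError("log failed integrity check; balance unknown")
    total = 0
    for entry in log:
        tx = entry["tx"]
        if tx["account"] == account:
            total += tx["amount"] if tx["op"] == "deposit" else -tx["amount"]
    return total


def demo() -> Tuple[int, int, int, int]:
    """Constructed scenario: Bob's legitimate history, then three of Trudy's attempts."""
    log: List[Entry] = []
    append(log, {"id": 1, "actor": "bob", "account": "bob", "op": "deposit", "amount": 500})
    append(log, {"id": 2, "actor": "bob", "account": "bob", "op": "withdraw", "amount": 120})
    append(log, {"id": 3, "actor": "bob", "account": "bob", "op": "deposit", "amount": 40})

    # Modification: Trudy edits the stored deposit amount in entry 0.
    modified = copy.deepcopy(log)
    modified[0]["tx"]["amount"] = 50_000

    # Fabrication: Trudy appends a spurious credit to her own account with a guessed tag.
    fabricated = copy.deepcopy(log)
    spurious = {"id": 4, "actor": "bob", "account": "trudy", "op": "deposit", "amount": 999}
    fabricated.append({"tx": spurious, "tag": hashlib.sha256(b"guess").hexdigest()})

    # Deletion: Trudy removes the withdrawal (entry 1) to hide that money left the account.
    deleted = copy.deepcopy(log)
    del deleted[1]

    # Index of the first entry that fails verification, -1 if the log is intact.
    return verify(log), verify(modified), verify(fabricated), verify(deleted)


if __name__ == "__main__":
    print(demo())  # (-1, 0, 3, 1)
```

Note that the chain only detects tampering; as the slide says, preventing it is the job of access control, and anyone holding the key could re-tag a modified log, which is why a real deployment would use a signature key that the storage system itself does not hold.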


Page 22

Example: DATA Availability

Accessible and properly functioning web site – a key asset for an e-commerce company.

E.g., a DDoS attack could make the site unavailable and cause significant loss in revenue and reputation.

In the US, the Computer Fraud and Abuse Act (CFAA) applies to DoS-related attacks.

In Canada, DoS activities are regulated under the Criminal Code of Canada, Section 342: Unauthorized Use of Computer


Page 23

Example: How to ensure data availability?

anti-DDoS system (in case of attacks that attempt to prevent access by blocking the bandwidth/server):

e.g., Content Distribution Networks, Scrubbing centers

well established backup procedure (in case of attacks that attempt to prevent access by destroying data)

Page 24

Example: CIA of different IT components


Computer and Network Assets, with Examples of Threats.

Page 25

Security Threats


Page 26

Microsoft STRIDE model


Threat / Definition / Example

Spoofing
Definition: An attacker tries to be something or someone he/she isn’t
Example: Phishing attack to fool a user into sending credentials to a fake site

Tampering
Definition: An attacker attempts to modify data that’s exchanged between your application and a legitimate user
Example: Message integrity compromised to change parameters or values

Repudiation
Definition: An attacker or actor can perform an action with your application that is not attributable
Example: Illegitimately claiming a transaction was not completed

Information disclosure
Definition: An attacker can read the private data that your application is transmitting or storing
Example: Unencrypted message sniffed off the network

Denial of Service
Definition: An attacker can prevent your legitimate users from accessing your application or service
Example: System flooded by requests until the web server fails

Elevation of Privilege
Definition: An attacker is able to gain elevated access rights through unauthorized means
Example: Attacker changes group membership; rooting

Page 27

Security Threat

any action/inaction that could cause disclosure, alteration, loss, damage or unavailability of a company’s/individual’s assets

Three main components of a security threat:

Target [Asset with vulnerability]: organization’s asset that might be attacked

information (its confidentiality, integrity, availability), software, hardware, network service, system resource, etc.

Agent [may or may not be present]: people/organizations originating the threat – intentional or non-intentional

employees, ex-employees, hackers, commercial rivals, terrorists, …

Event: action that exploits the target’s vulnerability

malicious/accidental destruction or alteration of information, misuse of authorized information, etc.


Page 28

Example: Threat in WiFi network


Page 29

Examples of Threats

Threat without Agent

Asset with vulnerability: Data on a server, not backed up!

Event: Flood or fire in the server room

Outsider vs. insider, deliberate vs. accidental

Asset with vulnerability

Agent: outsider or insider

Example of insider agent: SysAdmin has added new software to the system and has forgotten to change the password

Event: deliberate or accidental

Attack

Asset with vulnerability

Agent: executed the threat event deliberately

Event: deliberate


Page 30

Threat Events

Categories of Threat Events


Page 31

Threat Events: Intentional Attacks

Passive Attack – attempts to learn or make use of information from the system but does not affect system resources

compromises Confidentiality

generally hard to detect!!!

examples: release of message content and traffic sniffing

Active Attack – attempts to alter system resources or affect their operation

compromises Integrity or Availability

examples: masquerade, data modification and DoS


Page 32

Threat Events: Software Attacks

Deliberate Software Attacks

a deliberate action aimed to violate / compromise a system’s security through the use of specialized software

types of attacks:

a) Use of Malware

b) Password Cracking

c) DoS and DDoS

d) Spoofing

e) Sniffing

f) Man-in-the-Middle

g) Phishing

h) Pharming


Page 33

Security Life Cycle,

Cyber Security Essentials


Page 34

Security Life Cycle

first defining a security policy

then choosing some mechanism to enforce the policy

finally providing assurance that both the mechanism and the policy are sound

Spec/policy: What is the system supposed to do?

Impl/mechanism: How does it do it?

Correctness/assurance: Does it really work?

Human nature: Can the system survive a “clever” user?

The focus of the text book

Implementation/mechanism

Why?


Page 35

10 Steps to Cyber Security


If 10 large steps are too complex for small organizations, …

Page 36

Cyber Security Essentials

It requires …

Five Mandatory Controls:


Page 37

The text consists of four major parts:

• Cryptography

• Access control

• Protocols

• Software


Page 38

Cryptography & Access Control

Cryptography

Classic cryptography

Symmetric ciphers

Public key cryptography

Hash functions

Advanced cryptanalysis

Access Control

Authentication

Passwords

Biometrics and other

Authorization

Access Control Lists and Capabilities

Multilevel security (MLS), security modeling, covert channel, inference control

Firewalls and Intrusion Detection Systems


Page 39

Protocols

Simple authentication protocols

“Butterfly effect”: a small change can have a drastic effect on security

Cryptography used in protocols

Real-world security protocols

SSL

IPSec

Kerberos

GSM security


Page 40

Software

Software security-critical flaws

Buffer overflow

Other common flaws

Incomplete Mediation

Race Conditions

Malware

Specific viruses and worms

Prevention and detection

The future of malware

Software reverse engineering (SRE): how hackers “dissect” software

Digital rights management (DRM): shows the difficulty of security in software

Also raises OS security issues

Limits of testing: open source vs. closed source


Page 41

Software

Operating systems: basic OS security issues

“Trusted” OS requirements

NGSCB (“n-scub”): Next Generation Secure Computing Base, Microsoft’s trusted OS for the PC

Software is a big security topic: lots of material to cover

Lots of security problems to consider


Page 42

Think Like Trudy

In the past, no respectable sources talked about “hacking” in detail

It was argued that such info would help hackers

Very recently, this has changed

Books on network hacking, how to write evil software, how to hack software, etc.

Good guys must think like bad guys!

A police detective

Must study and understand criminals

In information security

We want to understand Trudy’s motives

We must know Trudy’s methods

We’ll often pretend to be Trudy


Page 43

Think Like Trudy

Is all of this security information a good idea?

“It’s about time somebody wrote a book to teach the good guys what the bad guys already know.” Bruce Schneier

We must try to think like Trudy

We must study Trudy’s methods

We can admire Trudy’s cleverness

Often, we can’t help but laugh at Alice and Bob’s stupidity

But, we cannot act like Trudy


Page 44

In This Course…

Always think like the bad guy

Always look for weaknesses

Strive to find a weak link

It’s OK to break the rules

Think like Trudy!

But don’t do anything illegal…


Page 45

Summary, Q & A

Threat models

Microsoft STRIDE

Three main components of a security threat

Target, Agent, Event

Security properties = Security goal

CIA

The text consists of four major parts:

Cryptography

Access control

Protocols

Software


Page 46

Malware installed on a phone to intercept calls: the evolution of voice phishing impersonating a prosecutor

[Source: JoongAng Ilbo]

I called the prosecutors’ office directly, but the one who answered was “that guy” - society section, March 5, 2019

At 11:37 a.m. on the 14th of last month, Mr. Kim, a man in his 50s who runs a transportation company in Daegu, received a text message. It read: “Payment authentication number for Mr. Kim ○○ (9612); payment of 557,000 won for Mr. Kim ○○ completed.” Startled by the sudden news of a large payment, Mr. Kim hurriedly called the number the message had come from....

Through a remote-control app, they planted malware on Mr. Kim’s smartphone and redirected the call he made to the Seoul Central District Prosecutors’ Office to a member of the gang.

This malware can redirect calls placed to specific phone numbers elsewhere. Other numbers connect normally.

…On the KTX, Mr. Kim again received a call from the “prosecutor”. The “prosecutor” told him to “re-run the remote-control app, because the messenger conversations need to be backed up.” He then deleted the malware that had been installed on Mr. Kim’s smartphone.


Page 47

Symantec 2019 Security Predictions

Security Predictions for 2019 and Beyond


Page 48

Security Predictions for 2019 and Beyond


Page 49

Security Predictions for 2019 and Beyond

Page 50

Security Predictions for 2019 and Beyond

Massive botnet-powered distributed denial of service (DDoS) attacks have exploited tens of thousands of infected IoT devices to send crippling volumes of traffic to victims’ websites. At the same time, we can expect to see poorly secured IoT devices targeted for other harmful purposes. Among the most troubling will be attacks against IoT devices that bridge the digital and physical worlds. Some of these IoT enabled objects are kinetic, such as cars and other vehicles, while others control critical systems. We expect to see growing numbers of attacks against IoT devices that control critical infrastructure such as power distribution and communications networks. And as home-based IoT devices become more ubiquitous, there will likely be future attempts to weaponize them – say, by one nation shutting down home thermostats in an enemy state during a harsh winter.

Page 51

Security Predictions for 2019 and Beyond

Page 52

Security Predictions for 2019 and Beyond

Page 53

Security Predictions for 2019 and Beyond

Attacks that Exploit the Supply Chain Will Grow in Frequency and Impact

An increasingly common target of attackers is the software supply chain, with attackers implanting malware into otherwise legitimate software packages at its usual distribution location. Such attacks could occur during production at the software vendor or at a third-party supplier. The typical attack scenario involves the attacker replacing a legitimate software update with a malicious version in order to distribute it quickly and surreptitiously to intended targets. Any user receiving the software update will automatically have their computer infected, giving the attacker a foothold in their environment.

These types of attacks are increasing in volume and sophistication and we could see attempts to infect the hardware supply chain in the future. For example, an attacker could compromise or alter a chip or add source code to the firmware of the UEFI/BIOS before such components are shipped out to millions of computers. Such threats would be very difficult to remove, likely persisting even after an impacted computer is rebooted or the hard disk is reformatted.

The bottom line is that attackers will continue to search for new and more sophisticated opportunities to infiltrate the supply chain of organizations they are targeting.


Page 54

Security Predictions for 2019 and Beyond