Assignment
Computer Security:
Principles and Practice
Fourth Edition
By: William Stallings and Lawrie Brown
Lecture slides prepared for “Computer Security: Principles and Practice”, 4/e, by William Stallings and Lawrie Brown, Chapter 1 “Overview”.
1
Chapter 1
Overview
This chapter provides an overview of computer security. We begin with a discussion
of what we mean by computer security. In essence, computer security deals
with computer-related assets that are subject to a variety of threats and for which
various measures are taken to protect those assets. Accordingly, the next section of
this chapter provides a brief overview of the categories of computer-related assets
that users and system managers wish to preserve and protect, and a look at the
various threats and attacks that can be made on those assets. Then, we survey the
measures that can be taken to deal with such threats and attacks. This we do from
three different viewpoints, in Sections 1.3 through 1.5. We then lay out in general
terms a computer security strategy.
The focus of this chapter, and indeed this book, is on three fundamental
questions:
1. What assets do we need to protect?
2. How are those assets threatened?
3. What can we do to counter those threats?
2
The NIST Internal/Interagency Report NISTIR 7298 (Glossary of Key Information Security Terms , May 2013) defines the term computer security as follows:
“ Measures and controls that ensure confidentiality, integrity, and availability of information system
assets including hardware, software, firmware, and information being processed, stored, and communicated.”
3
The NIST Internal/Interagency Report NISTIR 7298 (Glossary of Key Information
Security Terms , May 2013) defines the term computer security as follows:
Computer Security: Measures and controls that ensure confidentiality, integrity,
and availability of information system assets including hardware, software, firmware,
and information being processed, stored, and communicated.
This definition introduces three key objectives that are at the heart of computer
security:
• Confidentiality: This term covers two related concepts:
— Data confidentiality : Assures that private or confidential information is
not made available or disclosed to unauthorized individuals.
— Privacy : Assures that individuals control or influence what information
related to them may be collected and stored and by whom and to whom
that information may be disclosed.
• Integrity: This term covers two related concepts:
— Data integrity : Assures that information and programs are changed only
in a specified and authorized manner.
— System integrity : Assures that a system performs its intended function in
an unimpaired manner, free from deliberate or inadvertent unauthorized
manipulation of the system.
• Availability: Assures that systems work promptly and service is not denied to
authorized users.
4
These three concepts form what is often referred to as the CIA triad . The three
concepts embody the fundamental security objectives for both data and for information
and computing services. For example, the NIST standard FIPS 199 (Standards for Security
Categorization of Federal Information and Information Systems , February 2004) lists confidentiality,
integrity, and availability as the three security objectives for information and
for information systems.
Although the use of the CIA triad to define security objectives is well established,
some in the security field feel that additional concepts are needed to present a
complete picture (see Figure 1.1). Two of the most commonly mentioned are as follows:
• Authenticity: The property of being genuine and being able to be verified and
trusted; confidence in the validity of a transmission, a message, or message
originator. This means verifying that users are who they say they are and that
each input arriving at the system came from a trusted source.
• Accountability: The security goal that generates the requirement for actions
of an entity to be traced uniquely to that entity. This supports nonrepudiation,
deterrence, fault isolation, intrusion detection and prevention, and after-action
recovery and legal action. Because truly secure systems are not yet an achievable
goal, we must be able to trace a security breach to a responsible party.
Systems must keep records of their activities to permit later forensic analysis
to trace security breaches or to aid in transaction disputes.
Note that FIPS 199 includes authenticity under integrity.
Key Security Concepts
FIPS 199 provides a useful characterization of these three objectives in terms of requirements
and the definition of a loss of security in each category:
• Confidentiality: Preserving authorized restrictions on information access
and disclosure, including means for protecting personal privacy and proprietary
information. A loss of confidentiality is the unauthorized disclosure of
information.
• Integrity: Guarding against improper information modification or destruction,
including ensuring information non-repudiation and authenticity. A loss of
integrity is the unauthorized modification or destruction of information.
• Availability: Ensuring timely and reliable access to and use of information.
A loss of availability is the disruption of access to or use of information or an
information system.
Although the use of the CIA triad to define security objectives is well established,
some in the security field feel that additional concepts are needed to present
a complete picture. Two of the most commonly mentioned are as follows:
• Authenticity: The property of being genuine and being able to be verified and
trusted; confidence in the validity of a transmission, a message, or message
originator. This means verifying that users are who they say they are and that
each input arriving at the system came from a trusted source.
• Accountability: The security goal that generates the requirement for actions
of an entity to be traced uniquely to that entity. This supports nonrepudiation,
deterrence, fault isolation, intrusion detection and prevention, and after-action
recovery and legal action. Because truly secure systems aren’t yet an achievable
goal, we must be able to trace a security breach to a responsible party. Systems
must keep records of their activities to permit later forensic analysis to trace
security breaches or to aid in transaction disputes.
Note that FIPS 199 includes authenticity under integrity.
5
Confidentiality
Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information
Integrity
Guarding against improper information modification or destruction, including ensuring information nonrepudiation and authenticity
Availability
Ensuring timely and reliable access to and use of information
Levels of Impact
We use three levels of impact on organizations or
individuals should there be a breach of security (i.e., a loss of confidentiality, integrity,
or availability). These levels are defined in FIPS 199:
• Low: The loss could be expected to have a limited adverse effect on organizational
operations, organizational assets, or individuals. A limited adverse effect
means that, for example, the loss of confidentiality, integrity, or availability
might (i) cause a degradation in mission capability to an extent and duration
that the organization is able to perform its primary functions, but the effectiveness
of the functions is noticeably reduced; (ii) result in minor damage to
organizational assets; (iii) result in minor financial loss; or (iv) result in minor
harm to individuals.
• Moderate: The loss could be expected to have a serious adverse effect on
organizational operations, organizational assets, or individuals. A serious
adverse effect means that, for example, the loss might (i) cause a significant
degradation in mission capability to an extent and duration that the organization
is able to perform its primary functions, but the effectiveness of the functions
is significantly reduced; (ii) result in significant damage to organizational
assets; (iii) result in significant financial loss; or (iv) result in significant harm
to individuals that does not involve loss of life or serious, life-threatening
injuries.
• High: The loss could be expected to have a severe or catastrophic adverse
effect on organizational operations, organizational assets, or individuals. A
severe or catastrophic adverse effect means that, for example, the loss might
(i) cause a severe degradation in or loss of mission capability to an extent
and duration that the organization is not able to perform one or more of its
primary functions; (ii) result in major damage to organizational assets; (iii)
result in major financial loss; or (iv) result in severe or catastrophic harm to
individuals involving loss of life or serious life-threatening injuries.
6
Low
The loss could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals
Moderate
The loss could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals
High
The loss could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals
Computer Security Challenges
7
Computer security is both fascinating and complex. Some of the reasons follow:
1. Computer security is not as simple as it might first appear to the novice. The
requirements seem to be straightforward; indeed, most of the major requirements
for security services can be given self-explanatory one-word labels:
confidentiality, authentication, nonrepudiation, and integrity. But the mechanisms
used to meet those requirements can be quite complex, and understanding
them may involve rather subtle reasoning.
2. In developing a particular security mechanism or algorithm, one must always consider
potential attacks on those security features. In many cases, successful attacks
are designed by looking at the problem in a completely different way, therefore
exploiting an unexpected weakness in the mechanism.
3. Because of Point 2, the procedures used to provide particular services are often
counterintuitive. Typically, a security mechanism is complex, and it is not obvious
from the statement of a particular requirement that such elaborate measures are
needed. Only when the various aspects of the threat are considered do elaborate
security mechanisms make sense.
4. Having designed various security mechanisms, it is necessary to decide where to
use them. This is true both in terms of physical placement (e.g., at what points in
a network are certain security mechanisms needed) and in a logical sense [e.g.,
at what layer or layers of an architecture such as TCP/IP (Transmission Control
Protocol/Internet Protocol) should mechanisms be placed].
5. Security mechanisms typically involve more than a particular algorithm or
protocol. They also require that participants be in possession of some secret
information (e.g., an encryption key), which raises questions about the creation,
distribution, and protection of that secret information. There may also be a reliance
on communications protocols whose behavior may complicate the task of
developing the security mechanism. For example, if the proper functioning of the
security mechanism requires setting time limits on the transit time of a message
from sender to receiver, then any protocol or network that introduces variable,
unpredictable delays may render such time limits meaningless.
6. Computer security is essentially a battle of wits between a perpetrator who tries
to find holes, and the designer or administrator who tries to close them. The great
advantage that the attacker has is that he or she need only find a single weakness,
while the designer must find and eliminate all weaknesses to achieve perfect
security.
7. There is a natural tendency on the part of users and system managers to perceive
little benefit from security investment until a security failure occurs.
8. Security requires regular, even constant monitoring, and this is difficult in today’s
short-term, overloaded environment.
9. Security is still too often an afterthought to be incorporated into a system after
the design is complete, rather than being an integral part of the design process.
10. Many users and even security administrators view strong security as an impediment
to efficient and user-friendly operation of an information system or use
of information.
1. Computer security is not as simple as it might first appear to the novice
2. In developing a particular security mechanism or algorithm, one must always consider potential attacks on those security features
3. Procedures used to provide particular services are often counterintuitive
4. Physical and logical placement needs to be determined
5. Security mechanisms typically involve more than a particular algorithm or protocol and also require that participants be in possession of some secret information which raises questions about the creation, distribution, and protection of that secret information
6. Attackers only need to find a single weakness, while the designer must find and eliminate all weaknesses to achieve perfect security
9. There is a natural tendency on the part of users and system managers to perceive little benefit from security investment until a security failure occurs
8. Security requires regular and constant monitoring
7. Security is still too often an afterthought to be incorporated into a system after the design is complete, rather than being an integral part of the design process
10. Many users and even security administrators view strong security as an impediment to efficient and user-friendly operation of an information system or use of information
Table 1.1
Computer Security Terminology, from RFC 2828, Internet Security Glossary, May 2000
Adversary (threat agent)
Individual, group, organization, or government that conducts or has the intent to conduct detrimental activities.
Attack
Any kind of malicious activity that attempts to collect, disrupt, deny, degrade, or destroy information system resources or the information itself.
Countermeasure
A device or techniques that has as its objective the impairment of the operational effectiveness of undesirable or adversarial activity, or the prevention of espionage, sabotage, theft, or unauthorized access to or use of sensitive information or information systems.
Risk A measure of the extent to which an entity is threatened by a potential circumstance or event, and typically a function of 1) the adverse impacts that would arise if the circumstance or event occurs; and 2) the likelihood of occurrence.
Security Policy A set of criteria for the provision of security services. It defines and constrains the activities of a data processing facility in order to maintain a condition of security for systems and data.
System Resource (Asset)
A major application, general support system, high impact program, physical plant, mission critical system, personnel, equipment, or a logically related group of systems.
Threat
Any circumstance or event with the potential to adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, or the Nation through an information system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service.
Vulnerability Weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source.
(Table can be found on page 8 in the textbook)
We now introduce some terminology that will be useful throughout the book, relying
on RFC 2828, Internet Security Glossary . Table 1.1 defines terms.
8
9
Figure 1.2, based on [CCPS12a], shows the relationship among some of these terms.
We start with the concept of a system resource , or asset , that users and owners wish to protect.
Assets of a Computer System
The assets of a computer system can be categorized as follows:
• Hardware: Including computer systems and other data processing, data storage,
and data communications devices
• Software: Including the operating system, system utilities, and applications.
• Data: Including files and databases, as well as security-related data, such as
password files.
• Communication facilities and networks: Local and wide area network
communication links, bridges, routers, and so on.
10
Hardware
Software
Data
Communication facilities and networks
Vulnerabilities, Threats and Attacks
Categories of vulnerabilities
Corrupted (loss of integrity)
Leaky (loss of confidentiality)
Unavailable or very slow (loss of availability)
Threats
Capable of exploiting vulnerabilities
Represent potential security harm to an asset
Attacks (threats carried out)
Passive – attempt to learn or make use of information from the system that does not affect system resources
Active – attempt to alter system resources or affect their operation
Insider – initiated by an entity inside the security parameter
Outsider – initiated from outside the perimeter
11
In the context of security, our concern is with the vulnerabilities of system
resources. [NRC02] lists the following general categories of vulnerabilities of a
computer system or network asset:
• The system can be corrupted , so it does the wrong thing or gives wrong answers.
For example, stored data values may differ from what they should be because
they have been improperly modified.
• The system can become leaky . For example, someone who should not have access to
some or all of the information available through the network obtains such
access.
• The system can become unavailable or very slow. That is, using the system or network
becomes impossible or impractical.
These three general types of vulnerability correspond to the concepts of integrity,
confidentiality, and availability, enumerated earlier in this section.
Corresponding to the various types of vulnerabilities to a system resource are
threats that are capable of exploiting those vulnerabilities. A threat represents a
potential security harm to an asset. An attack is a threat that is carried out (threat
action) and, if successful, leads to an undesirable violation of security, or threat
consequence. The agent carrying out the attack is referred to as an attacker, or
threat agent . We can distinguish two types of attacks:
• Active attack: An attempt to alter system resources or affect their operation.
• Passive attack: An attempt to learn or make use of information from the
system that does not affect system resources.
We can also classify attacks based on the origin of the attack:
• Inside attack: Initiated by an entity inside the security perimeter (an “insider”).
The insider is authorized to access system resources but uses them in a way not
approved by those who granted the authorization.
• Outside attack: Initiated from outside the perimeter, by an unauthorized or
illegitimate user of the system (an “outsider”). On the Internet, potential
outside attackers range from amateur pranksters to organized criminals, international
terrorists, and hostile governments.
Countermeasures
12
Finally, a countermeasure is any means taken to deal with a security attack.
Ideally, a countermeasure can be devised to prevent a particular type of attack from
succeeding. When prevention is not possible, or fails in some instance, the goal is to
detect the attack and then recover from the effects of the attack. A countermeasure
may itself introduce new vulnerabilities. In any case, residual vulnerabilities
may remain after the imposition of countermeasures. Such vulnerabilities may be
exploited by threat agents representing a residual level of risk to the assets. Owners
will seek to minimize that risk given other constraints.
Means used to deal with security attacks
Prevent
Detect
Recover
May itself introduce new vulnerabilities
Residual vulnerabilities may remain
Goal is to minimize residual level of risk to the assets
**Table is on page 10 in the textbook.
Table 1.2
Threat Consequences,
and the
Types of
Threat Actions
That Cause
Each
Consequence
Based on
RFC 4949
13
Table 1.2 , based on RFC 4949, describes four kinds of threat consequences and lists
the kinds of attacks that result in each consequence.
Unauthorized disclosure is a threat to confidentiality. The following types of
attacks can result in this threat consequence:
• Exposure: This can be deliberate, as when an insider intentionally releases
sensitive information, such as credit card numbers, to an outsider. It can also
be the result of a human, hardware, or software error, which results in an entity
gaining unauthorized knowledge of sensitive data. There have been numerous
instances of this, such as universities accidentally posting student confidential
information on the Web.
• Interception: Interception is a common attack in the context of communications.
On a shared local area network (LAN), such as a wireless LAN or a
broadcast Ethernet, any device attached to the LAN can receive a copy of
packets intended for another device. On the Internet, a determined hacker
can gain access to e-mail traffic and other data transfers. All of these situations
create the potential for unauthorized access to data.
• Inference: An example of inference is known as traffic analysis, in which an
adversary is able to gain information from observing the pattern of traffic on
a network, such as the amount of traffic between particular pairs of hosts on
the network. Another example is the inference of detailed information from
a database by a user who has only limited access; this is accomplished by
repeated queries whose combined results enable inference.
• Intrusion: An example of intrusion is an adversary gaining unauthorized
access to sensitive data by overcoming the system’s access control protections.
Deception is a threat to either system integrity or data integrity. The following
types of attacks can result in this threat consequence:
• Masquerade: One example of masquerade is an attempt by an unauthorized
user to gain access to a system by posing as an authorized user; this could
happen if the unauthorized user has learned another user’s logon ID and
password. Another example is malicious logic, such as a Trojan horse, that
appears to perform a useful or desirable function but actually gains unauthorized
access to system resources or tricks a user into executing other malicious
logic.
• Falsification: This refers to the altering or replacing of valid data or the introduction
of false data into a file or database. For example, a student may alter
his or her grades on a school database.
• Repudiation: In this case, a user either denies sending data or a user denies
receiving or possessing the data.
Disruption is a threat to availability or system integrity. The following types of
attacks can result in this threat consequence:
• Incapacitation: This is an attack on system availability. This could occur as a
result of physical destruction of or damage to system hardware. More typically,
malicious software, such as Trojan horses, viruses, or worms, could operate in
such a way as to disable a system or some of its services.
• Corruption: This is an attack on system integrity. Malicious software in this
context could operate in such a way that system resources or services function
in an unintended manner. Or a user could gain unauthorized access to a system
and modify some of its functions. An example of the latter is a user placing
backdoor logic in the system to provide subsequent access to a system and its
resources by other than the usual procedure.
Obstruction: One way to obstruct system operation is to interfere with communications
by disabling communication links or altering communication
control information. Another way is to overload the system by placing excess
burden on communication traffic or processing resources.
Usurpation is a threat to system integrity. The following types of attacks can
result in this threat consequence:
• Misappropriation: This can include theft of service. An example is a distributed
denial of service attack, when malicious software is installed on a number of hosts
to be used as platforms to launch traffic at a target host. In this case, the malicious
software makes unauthorized use of processor and operating system resources.
• Misuse: Misuse can occur by means of either malicious logic or a hacker that
has gained unauthorized access to a system. In either case, security functions
can be disabled or thwarted.
14
The assets of a computer system can be categorized as hardware, software, data,
and communication lines and networks. In this subsection, we briefly describe these
four categories and relate these to the concepts of integrity, confidentiality, and
availability introduced in Section 1.1 (see Figure 1.3 and Table 1.3 ).
Table 1.3
Computer and Network Assets, with Examples of Threats
HARDWARE A major threat to computer system hardware is the threat to
availability. Hardware is the most vulnerable to attack and the least susceptible to
automated controls. Threats include accidental and deliberate damage to equipment
as well as theft. The proliferation of personal computers and workstations and the
widespread use of LANs increase the potential for losses in this area. Theft of
USB drives can lead to loss of confidentiality. Physical and administrative
security measures are needed to deal with these threats.
SOFTWARE Software includes the operating system, utilities, and application
programs. A key threat to software is an attack on availability. Software, especially
application software, is often easy to delete. Software can also be altered or
damaged to render it useless. Careful software configuration management, which
includes making backups of the most recent version of software, can maintain high
availability. A more difficult problem to deal with is software modification that
results in a program that still functions but that behaves differently than before,
which is a threat to integrity/authenticity. Computer viruses and related attacks fall
into this category. A final problem is protection against software piracy. Although
certain countermeasures are available, by and large the problem of unauthorized
copying of software has not been solved.
DATA Hardware and software security are typically concerns of computing center
professionals or individual concerns of personal computer users. A much more
widespread problem is data security, which involves files and other forms of data
controlled by individuals, groups, and business organizations.
Security concerns with respect to data are broad, encompassing availability,
secrecy, and integrity. In the case of availability, the concern is with the destruction
of data files, which can occur either accidentally or maliciously.
The obvious concern with secrecy is the unauthorized reading of data files or
databases, and this area has been the subject of perhaps more research and effort
than any other area of computer security. A less obvious threat to secrecy involves
the analysis of data and manifests itself in the use of so-called statistical databases,
which provide summary or aggregate information. Presumably, the existence of
aggregate information does not threaten the privacy of the individuals involved.
However, as the use of statistical databases grows, there is an increasing potential
for disclosure of personal information. In essence, characteristics of constituent
individuals may be identified through careful analysis. For example, if one table
records the aggregate of the incomes of respondents A, B, C, and D and another
records the aggregate of the incomes of A, B, C, D, and E, the difference between
the two aggregates would be the income of E. This problem is exacerbated by the
increasing desire to combine data sets. In many cases, matching several sets of data
for consistency at different levels of aggregation requires access to individual units.
Thus, the individual units, which are the subject of privacy concerns, are available at
various stages in the processing of data sets.
Finally, data integrity is a major concern in most installations. Modifications
to data files can have consequences ranging from minor to disastrous.
15
Passive and Active Attacks
Passive Attack
Active Attack
Attempts to learn or make use of information from the system but does not affect system resources
Eavesdropping on, or monitoring of, transmissions
Goal of attacker is to obtain information that is being transmitted
Two types:
Release of message contents
Traffic analysis
Attempts to alter system resources or affect their operation
Involve some modification of the data stream or the creation of a false stream
Four categories:
Replay
Masquerade
Modification of messages
Denial of service
16
Network security attacks can be classified
as passive attacks and active attacks . A passive attack attempts to learn or make
use of information from the system but does not affect system resources. An active
attack attempts to alter system resources or affect their operation.
Passive attacks are in the nature of eavesdropping on, or monitoring of,
transmissions. The goal of the attacker is to obtain information that is being transmitted.
Two types of passive attacks are release of message contents and traffic
analysis.
The release of message contents is easily understood. A telephone conversation,
an electronic mail message, and a transferred file may contain sensitive or
confidential information. We would like to prevent an opponent from learning the
contents of these transmissions.
A second type of passive attack, traffic analysis , is subtler. Suppose that we
had a way of masking the contents of messages or other information traffic so that
opponents, even if they captured the message, could not extract the information
from the message. The common technique for masking contents is encryption. If we
had encryption protection in place, an opponent might still be able to observe the
pattern of these messages. The opponent could determine the location and identity
of communicating hosts and could observe the frequency and length of messages
being exchanged. This information might be useful in guessing the nature of the
communication that was taking place.
Passive attacks are very difficult to detect because they do not involve any
alteration of the data. Typically, the message traffic is sent and received in an
apparently normal fashion and neither the sender nor receiver is aware that a
third party has read the messages or observed the traffic pattern. However, it is
feasible to prevent the success of these attacks, usually by means of encryption.
Thus, the emphasis in dealing with passive attacks is on prevention rather than
detection.
Active attacks involve some modification of the data stream or the creation
of a false stream and can be subdivided into four categories: replay, masquerade,
modification of messages, and denial of service.
Replay involves the passive capture of a data unit and its subsequent retransmission
to produce an unauthorized effect.
A masquerade takes place when one entity pretends to be a different entity. A
masquerade attack usually includes one of the other forms of active attack. For example,
authentication sequences can be captured and replayed after a valid authentication
sequence has taken place, thus enabling an authorized entity with few privileges
to obtain extra privileges by impersonating an entity that has those privileges.
Modification of messages simply means that some portion of a legitimate
message is altered, or that messages are delayed or reordered, to produce an
unauthorized effect. For example, a message stating, “Allow John Smith to read
confidential file accounts” is modified to say, “Allow Fred Brown to read confidential
file accounts.”
The denial of service prevents or inhibits the normal use or management of
communications facilities. This attack may have a specific target; for example, an
entity may suppress all messages directed to a particular destination (e.g., the security
audit service). Another form of service denial is the disruption of an entire network,
either by disabling the network or by overloading it with messages so as to degrade
performance.
Active attacks present the opposite characteristics of passive attacks. Whereas
passive attacks are difficult to detect, measures are available to prevent their
success. On the other hand, it is quite difficult to prevent active attacks absolutely,
because to do so would require physical protection of all communications facilities
and paths at all times. Instead, the goal is to detect them and to recover from any
disruption or delays caused by them. Because the detection has a deterrent effect, it
may also contribute to prevention.
Table 1.4
Security
Requirements
(FIPS 200)
(page 1 of 2)
(Table can be found on pages 16-17 in the textbook.)
There are a number of ways of classifying and characterizing the countermeasures
that may be used to reduce vulnerabilities and deal with threats to system assets. It
will be useful for the presentation in the remainder of the book to look at several
approaches, which we do in this and the next two sections. In this section, we view
countermeasures in terms of functional requirements, and we follow the classification
defined in FIPS 200 ( Minimum Security Requirements for Federal Information
and Information Systems ). This standard enumerates 17 security-related areas with
regard to protecting the confidentiality, integrity, and availability of information
systems and the information processed, stored, and transmitted by those systems.
The areas are defined in Table 1.4.
The requirements listed in FIP 200 encompass a wide range of countermeasures
to security vulnerabilities and threats. Roughly, we can divide these
countermeasures into two categories: those that require computer security technical
measures (covered in this book in Parts One and Two), either hardware or
software, or both; and those that are fundamentally management issues (covered in
Part Three).
17
Table 1.4
Security
Requirements
(FIPS 200)
(page 2 of 2)
(Table can be found on pages 16-17 in the textbook.)
Each of the functional areas may involve both computer security technical measures
and management measures. Functional areas that primarily require computer
security technical measures include access control, identification and authentication,
system and communication protection, and system and information integrity.
Functional areas that primarily involve management controls and procedures include
awareness and training; audit and accountability; certification, accreditation, and
security assessments; contingency planning; maintenance; physical and environmental
protection; planning; personnel security; risk assessment; and systems and services
acquisition. Functional areas that overlap computer security technical measures and
management controls include configuration management, incident response, and
media protection.
Note the majority of the functional requirements areas in FIPS 200 are either
primarily issues of management or at least have a significant management component,
as opposed to purely software or hardware solutions. This may be new to
some readers, and is not reflected in many of the books on computer and information
security. But as one computer security expert observed, “If you think technology
can solve your security problems, then you don’t understand the problems
and you don’t understand the technology” [SCHN00]. This book reflects the need
to combine technical and managerial approaches to achieve effective computer
security.
FIPS 200 provides a useful summary of the principal areas of concern, both
technical and managerial, with respect to computer security. This book attempts to
cover all of these areas.
18
Fundamental Security Design Principles
Despite years of research and development, it has not been possible to develop
security design and implementation techniques that systematically exclude security
flaws and prevent all unauthorized actions. In the absence of such foolproof techniques,
it is useful to have a set of widely agreed design principles that can guide
the development of protection mechanisms. The National Centers of Academic
Excellence in Information Assurance/Cyber Defense, which is jointly sponsored by
the U.S. National Security Agency and the U. S. Department of Homeland Security,
list the following as fundamental security design principles [NCAE13]:
• Economy of mechanism
• Fail-safe defaults
• Complete mediation
• Open design
• Separation of privilege
• Least privilege
• Least common mechanism
• Psychological acceptability
• Isolation
• Encapsulation
• Modularity
• Layering
• Least astonishment
The first eight listed principles were first proposed in [SALT75] and have withstood
the test of time.
19
Economy of mechanism
Fail-safe defaults
Complete mediation
Open design
Separation of privilege
Least privilege
Least common mechanism
Psychological acceptability
Isolation
Encapsulation
Modularity
Layering
Least astonishment
Attack Surfaces
An attack surface consists of the reachable and exploitable vulnerabilities in a system
[BELL16, MANA11, HOWA03]. Examples of attack surfaces are the following:
• Open ports on outward facing Web and other servers, and code listening on
those ports
• Services available on the inside of a firewall
• Code that processes incoming data, email, XML, office documents, and industry-specific
custom data exchange formats
• Interfaces, SQL, and Web forms
• An employee with access to sensitive information vulnerable to a social engineering
attack
20
Consist of the reachable and exploitable vulnerabilities in a system
Examples:
Open ports on outward facing Web and other servers, and code listening on those ports
Services available on the inside of a firewall
Code that processes incoming data, email, XML, office documents, and industry-specific custom data exchange formats
Interfaces, SQL, and Web forms
An employee with access to sensitive information vulnerable to a social engineering attack
Attack Surface Categories
Attack surfaces can be categorized in the following way:
• Network attack surface: This category refers to vulnerabilities over an enterprise
network, wide-area network, or the Internet. Included in this category
are network protocol vulnerabilities, such as those used for a denial-of-service
attack, disruption of communications links, and various forms of intruder attacks.
• Software attack surface: This refers to vulnerabilities in application, utility,
or operating system code. A particular focus in this category is Web server
software.
• Human attack surface: This category refers to vulnerabilities created by personnel
or outsiders, such as social engineering, human error, and trusted insiders.
An attack surface analysis is a useful technique for assessing the scale and
severity of threats to a system. A systematic analysis of points of vulnerability
makes developers and security analysts aware of where security mechanisms are
required. Once an attack surface is defined, designers may be able to find ways to
make the surface smaller, thus making the task of the adversary more difficult. The
attack surface also provides guidance on setting priorities for testing, strengthening
security measures, or modifying the service or application.
21
Network Attack Surface
Vulnerabilities over an enterprise network, wide-area network, or the Internet
Included in this category are network protocol vulnerabilities, such as those used for a denial-of-service attack, disruption of communications links, and various forms of intruder attacks
Software Attack Surface
Vulnerabilities in application, utility, or operating system code
Particular focus is Web server software
Human Attack Surface
Vulnerabilities created by personnel or outsiders, such as social engineering, human error, and trusted insiders
As illustrated in Figure 1.4, the use of layering, or defense in depth, and attack
surface reduction complement each other in mitigating security risk.
22
An attack tree is a branching, hierarchical data structure that represents a set of
potential techniques for exploiting security vulnerabilities [MAUW05, MOOR01,
SCHN99]. The security incident that is the goal of the attack is represented as the
root node of the tree, and the ways that an attacker could reach that goal are iteratively
and incrementally represented as branches and subnodes of the tree. Each
subnode defines a subgoal, and each subgoal may have its own set of further subgoals,
etc. The final nodes on the paths outward from the root, i.e., the leaf nodes,
represent different ways to initiate an attack. Each node other than a leaf is either
an AND-node or an OR-node. To achieve the goal represented by an AND-node,
the subgoals represented by all of that node’s subnodes must be achieved; and for
an OR-node, at least one of the subgoals must be achieved. Branches can be labeled
with values representing difficulty, cost, or other attack attributes, so that alternative
attacks can be compared.
The motivation for the use of attack trees is to effectively exploit the information
available on attack patterns. Organizations such as CERT publish security
advisories that have enabled the development of a body of knowledge about both
general attack strategies and specific attack patterns. Security analysts can use the
attack tree to document security attacks in a structured form that reveals key vulnerabilities.
The attack tree can guide both the design of systems and applications,
and the choice and strength of countermeasures.
Figure 1.5, based on a figure in [DIMI07], is an example of an attack tree analysis
for an Internet banking authentication application. The root of the tree is the objective
of the attacker, which is to compromise a user’s account. The shaded boxes on the tree
are the leaf nodes, which represent events that comprise the attacks. The white boxes
are categories which consist of one or more specific attack events (leaf nodes). Note
that in this tree, all the nodes other than leaf nodes are OR-nodes. The analysis used
to generate this tree considered the three components involved in authentication:
• User terminal and user (UT/U): These attacks target the user equipment,
including the tokens that may be involved, such as smartcards or other password
generators, as well as the actions of the user.
• Communications channel (CC): This type of attack focuses on communication
links.
• Internet banking server (IBS): These types of attacks are offline attack against
the servers that host the Internet banking application.
Five overall attack strategies can be identified, each of which exploits one or
more of the three components. The five strategies are as follows:
• User credential compromise: This strategy can be used against many elements
of the attack surface. There are procedural attacks, such as monitoring a user’s
action to observe a PIN or other credential, or theft of the user’s token or
handwritten notes. An adversary may also compromise token information using
a variety of token attack tools, such as hacking the smartcard or using a brute
force approach to guess the PIN. Another possible strategy is to embed malicious
software to compromise the user’s login and password. An adversary may
also attempt to obtain credential information via the communication channel
(sniffing). Finally, an adversary may use various means to engage in communication
with the target user, as shown in Figure 1.5.
• Injection of commands: In this type of attack, the attacker is able to intercept
communication between the UT and the IBS. Various schemes can be used to
be able to impersonate the valid user and so gain access to the banking system.
• User credential guessing: It is reported in [HILT06] that brute force
attacks against some banking authentication schemes are feasible by sending
random usernames and passwords. The attack mechanism is based on
distributed zombie personal computers, hosting automated programs for
username- or password-based calculation.
• Security policy violation: For example, violating the bank’s security policy in
combination with weak access control and logging mechanisms, an employee
may cause an internal security incident and expose a customer’s account.
• Use of known authenticated session: This type of attack persuades or forces the
user to connect to the IBS with a preset session ID. Once the user authenticates
to the server, the attacker may utilize the known session ID to send packets to
the IBS, spoofing the user’s identity.
Figure 1.5 provides a thorough view of the different types of attacks on an
Internet banking authentication application. Using this tree as a starting point, security
analysts can assess the risk of each attack and, using the design principles outlined
in the preceding section, design a comprehensive security facility. [DIMO07]
provides a good account of the results of this design effort.
23
Computer Security Strategy
The first step in devising security services and mechanisms is to develop a security
policy. Those involved with computer security use the term security policy in
various ways. At the least, a security policy is an informal description of desired
system behavior [NRC91]. Such informal policies may reference requirements for
security, integrity, and availability. More usefully, a security policy is a formal statement
of rules and practices that specify or regulate how a system or organization
provides security services to protect sensitive and critical system resources (RFC
4949). Such a formal security policy lends itself to being enforced by the system’s
technical controls as well as its management and operational controls.
In developing a security policy, a security manager needs to consider the
following factors:
• The value of the assets being protected
• The vulnerabilities of the system
• Potential threats and the likelihood of attacks
Further, the manager must consider the following trade-offs:
• Ease of use versus security: Virtually all security measures involve some penalty
in the area of ease of use. The following are some examples: Access control
mechanisms require users to remember passwords and perhaps perform other
access control actions. Firewalls and other network security measures may
reduce available transmission capacity or slow response time. Virus-checking
software reduces available processing power and introduces the possibility of
system crashes or malfunctions due to improper interaction between the security
software and the operating system.
• Cost of security versus cost of failure and recovery: In addition to ease of use
and performance costs, there are direct monetary costs in implementing
and maintaining security measures. All of these costs must be balanced against
the cost of security failure and recovery if certain security measures are
lacking. The cost of security failure and recovery must take into account not
only the value of the assets being protected and the damages resulting from
a security violation, but also the risk, which is the probability that a particular
threat will exploit a particular vulnerability with a particular harmful
result.
Security policy is thus a business decision, possibly influenced by legal
requirements.
Security implementation involves four complementary courses of action:
• Prevention: An ideal security scheme is one in which no attack is successful.
Although this is not practical in all cases, there is a wide range of threats in
which prevention is a reasonable goal. For example, consider the transmission
of encrypted data. If a secure encryption algorithm is used, and if measures
are in place to prevent unauthorized access to encryption keys, then attacks on
confidentiality of the transmitted data will be prevented.
• Detection: In a number of cases, absolute protection is not feasible, but it is
practical to detect security attacks. For example, there are intrusion detection
systems designed to detect the presence of unauthorized individuals logged
onto a system. Another example is detection of a denial of service attack, in
which communications or processing resources are consumed so that they are
unavailable to legitimate users.
• Response: If security mechanisms detect an ongoing attack, such as a denial of
service attack, the system may be able to respond in such a way as to halt the
attack and prevent further damage.
• Recovery: An example of recovery is the use of backup systems, so that if data
integrity is compromised, a prior, correct copy of the data can be reloaded.
Those who are “consumers” of computer security services and mechanisms (e.g., system
managers, vendors, customers, and end users) desire a belief that the security
measures in place work as intended. That is, security consumers want to feel that the
security infrastructure of their systems meet security requirements and enforce security
policies. These considerations bring us to the concepts of assurance and evaluation.
Assurance is an attribute of an information system that provides grounds for
having confidence that the system operates such that the system’s security policy is
enforced. This encompasses both system design and system implementation. Thus,
assurance deals with the questions, “Does the security system design meet its requirements?”
and “Does the security system implementation meet its specifications?”
Assurance is expressed as a degree of confidence, not in terms of a formal proof that
a design or implementation is correct. The state of the art in proving designs and
implementations is such that it is not possible to provide absolute proof. Much work
has been done in developing formal models that define requirements and characterize
designs and implementations, together with logical and mathematical techniques
for addressing these issues. But assurance is still a matter of degree.
Evaluation is the process of examining a computer product or system with respect
to certain criteria. Evaluation involves testing and may also involve formal analytic or
mathematical techniques. The central thrust of work in this area is the development of
evaluation criteria that can be applied to any security system (encompassing security services
and mechanisms) and that are broadly supported for making product comparisons.
24
Security Policy
Formal statement of rules and practices that specify or regulate how a system or organization provides security services to protect sensitive and critical system resources
Security Implementation
Involves four complementary courses of action:
Prevention
Detection
Response
Recovery
Assurance
Encompassing both system design and system implementation, assurance is an attribute of an information system that provides grounds for having confidence that the system operates such that the system’s security policy is enforced
Evaluation
Process of examining a computer product or system with respect to certain criteria
Involves testing and may also involve formal analytic or mathematical techniques
Standards
Standards have been developed to cover management practices and the overall architecture of security mechanisms and services
The most important of these organizations are:
National Institute of Standards and Technology (NIST)
NIST is a U.S. federal agency that deals with measurement science, standards, and technology related to U.S. government use and to the promotion of U.S. private sector innovation
Internet Society (ISOC)
ISOC is a professional membership society that provides leadership in addressing issues that confront the future of the Internet, and is the organization home for the groups responsible for Internet infrastructure standards
International Telecommunication Union (ITU-T)
ITU is a United Nations agency in which governments and the private sector coordinate global telecom networks and services
International Organization for Standardization (ISO)
ISO is a nongovernmental organization whose work results in international agreements that are published as International Standards
Many of the security techniques and applications described in this book have been
specified as standards. Additionally, standards have been developed to cover management
practices and the overall architecture of security mechanisms and services.
Throughout this book, we will describe the most important standards in use or that
are being developed for various aspects of computer security. Various organizations
have been involved in the development or promotion of these standards. The most
important (in the current context) of these organizations are as follows:
• National Institute of Standards and Technology: NIST is a U.S. federal agency
that deals with measurement science, standards, and technology related to U.S.
government use and to the promotion of U.S. private sector innovation. Despite
its national scope, NIST Federal Information Processing Standards (FIPS) and
Special Publications (SP) have a worldwide impact.
Internet Society: ISOC is a professional membership society with worldwide
organizational and individual membership. It provides leadership in addressing
issues that confront the future of the Internet, and is the organization home
for the groups responsible for Internet infrastructure standards, including the
Internet Engineering Task Force (IETF) and the Internet Architecture Board
(IAB). These organizations develop Internet standards and related specifications,
all of which are published as Requests for Comments (RFCs).
• ITU-T: The International Telecommunication Union (ITU) is a United Nations
agency in which governments and the private sector coordinate global telecom
networks and services. The ITU Telecommunication Standardization Sector
(ITU-T) is one of the three sectors of the ITU. ITU-T’s mission is the production
of standards covering all fields of telecommunications. ITU-T standards
are referred to as Recommendations.
• ISO: The International Organization for Standardization (ISO) is a worldwide
federation of national standards bodies from more than 140 countries. ISO is a
nongovernmental organization that promotes the development of standardization
and related activities with a view to facilitating the international exchange
of goods and services, and to developing cooperation in the spheres of intellectual,
scientific, technological, and economic activity. ISO’s work results in
international agreements that are published as International Standards.
25
Summary
Fundamental security design principles
Attack surfaces and attack trees
Attack surfaces
Attack trees
Computer security strategy
Security policy
Security implementation
Assurance and evaluation
Computer security concepts
Definition
Challenges
Model
Threats, attacks, and assets
Threats and attacks
Threats and assets
Security functional requirements
Standards
26
Chapter 1 summary.
Figure 1.1 Essential Network and Computer Security Requirements
Data and
services
Availability
Integrity
A ccountability
A ut he nt ic ity
Co nfi de nti alit y
assets
threats
Figure 1.2 Security Concepts and Relationships
Threat agents
wish to
minimize
wish to abuse
and/or
may damage
toto
that
increase
give
rise to
Owners
countermeasures
risk
impose
value
to
reduce
assets
threats
Figure 1.2 Security Concepts and Relationships
Threat agents
wish to
minimize
wish to abuse
and/or
may damage
to
to
that
increase
give
rise to
Owners
countermeasur es
risk
impose
value
to
reduce
Threat Consequence Threat Action (Attack) Unauthorized
Disclosure A circumstance or
event whereby an entity gains access to data for which the entity is not authorized.
Exposure: Sensitive data are directly released to an unauthorized entity.
Interception: An unauthorized entity directly accesses sensitive data traveling between authorized sources and destinations.
Inference: A threat action whereby an unauthorized entity indirectly accesses sensitive data (but not necessarily the data contained in the communication) by reasoning from characteristics or byproducts of communications.
Intrusion: An unauthorized entity gains access to sensitive data by circumventing a system's security protections.
Deception A circumstance or
event that may result in an authorized entity receiving false data and believing it to be true.
Masquerade: An unauthorized entity gains access to a system or performs a malicious act by posing as an authorized entity.
Falsification: False data deceive an authorized entity. Repudiation: An entity deceives another by falsely denying
responsibility for an act.
Disruption A circumstance or
event that interrupts or prevents the correct operation of system services and functions.
Incapacitation: Prevents or interrupts system operation by disabling a system component.
Corruption: Undesirably alters system operation by adversely modifying system functions or data.
Obstruction: A threat action that interrupts delivery of system services by hindering system operation.
Usurpation A circumstance or
event that results in control of system services or functions by an unauthorized entity.
Misappropriation: An entity assumes unauthorized logical or physical control of a system resource.
Misuse: Causes a system component to perform a function or service that is detrimental to system security.
Threat Consequence Threat Action (Attack)
Unauthorized
Disclosure
A circumstance or
event whereby an
entity gains access to
data for which the
entity is not
authorized.
Exposure: Sensitive data are directly released to an
unauthorized entity.
Interception: An unauthorized entity directly accesses
sensitive data traveling between authorized sources and
destinations.
Inference: A threat action whereby an unauthorized entity
indirectly accesses sensitive data (but not necessarily the
data contained in the communication) by reasoning from
characteristics or byproducts of communications.
Intrusion: An unauthorized entity gains access to sensitive
data by circumventing a system's security protections.
Deception
A circumstance or
event that may result
in an authorized entity
receiving false data
and believing it to be
true.
Masquerade: An unauthorized entity gains access to a
system or performs a malicious act by posing as an
authorized entity.
Falsification: False data deceive an authorized entity.
Repudiation: An entity deceives another by falsely denying
responsibility for an act.
Disruption
A circumstance or
event that interrupts
or prevents the correct
operation of system
services and
functions.
Incapacitation: Prevents or interrupts system operation by
disabling a system component.
Corruption: Undesirably alters system operation by
adversely modifying system functions or data.
Obstruction: A threat action that interrupts delivery of
system services by hindering system operation.
Usurpation
A circumstance or
event that results in
control of system
services or functions
by an unauthorized
entity.
Misappropriation: An entity assumes unauthorized logical
or physical control of a system resource.
Misuse: Causes a system component to perform a function
or service that is detrimental to system security.
Guard
Data
Computer System Computer System
Processes representing users
1 Access to the data must be controlled
(protection)
Guard
Data
Processes representing users
2 Access to the computer facility must be controlled
(user authentication)
3 Data must be securely transmitted
through networks (network security)
4 Sensitive files must be secure (file security)
Users making requests
Figure 1.3 Scope of Computer Security. This figure depicts security concerns other than physical security, including control of access to computers systems, safeguarding of data transmitted over communications systems, and safeguarding of stored data.
Guard
Data
Computer System Computer System
Processes representing users
1 Access to the data
must be controlled
(protection)
Guard
Data
Processes representing users
2 Access to the computer
facility must be contr olled
(user authentication)
3 Data must be
securely transmitted
through networks
(network security)
4 Sensitive files
must be secure
(file security)
Users making requests
Figure 1.3 Scope of Computer Security . This figure depicts security
concerns other than physical security , including control of access to
computers systems, safeguarding of data transmitted over communications
systems, and safeguarding of stored data.
Availability Confidentiality Integrity
Hardware Equipment is stolen or disabled, thus denying service.
An unencrypted CD- ROM or DVD is stolen.
Software Programs are deleted, denying access to users. An unauthorized copy of software is made.
A working program is modified, either to cause it to fail during execution or to cause it to do some unintended task.
Data Files are deleted, denying access to users.
An unauthorized read of data is performed. An analysis of statistical data reveals underlying data.
Existing files are modified or new files are fabricated.
Communication Lines and Networks
Messages are destroyed or deleted. Communication lines or networks are rendered unavailable.
Messages are read. The traffic pattern of messages is observed.
Messages are modified, delayed, reordered, or duplicated. False messages are fabricated.
Availability Confidentiality Integrity
Hardware
Equipment is stolen or
disabled, thus denying
service.
An unencrypted CD-
ROM or DVD is stolen.
Software
Programs are deleted,
denying access to users.
An unauthorized copy
of software is made.
A working program is
modified, either to
cause it to fail during
execution or to cause it
to do some unintended
task.
Data
Files are deleted,
denying access to users.
An unauthorized read
of data is performed.
An analysis of
statistical data reveals
underlying data.
Existing files are
modified or new files
are fabricated.
Communication
Lines and
Networks
Messages are destroyed
or deleted.
Communication lines
or networks are
rendered unavailable.
Messages are read. The
traffic pattern of
messages is observed.
Messages are modified,
delayed, reordered, or
duplicated. False
messages are
fabricated.
Figure 1.4 Defense in Depth and Attack Surface
Attack Surface
Medium
Security Risk
High
Security Risk
Low
Security Risk
D e e p
L a y e r in
g
S h
a ll
o w
Small Large
Medium
Security Risk
Figure 1.4 Defense in Depth and Attack Surface
Attack Surface
Medium
Security Risk
High
Security Risk
Low
Security Risk
D
e
e
p
L
a
y
e
r
i
n
g
S
h
a
l
l
o
w
Small Large
Medium
Security Risk
Figure 1.5 An Attack Tree for Internet Banking Authentication
Bank Account Compromise
User credential compromise
User credential guessing
UT/U1a User surveillance
UT/U1b Theft of token and handwritten notes
Malicious software
installation Vulnerability exploit
UT/U2a Hidden code
UT/U2b Worms
UT/U3a Smartcard analyzers
UT/U2c E-mails with malicious code
UT/U3b Smartcard reader manipulator
UT/U3c Brute force attacks with PIN calculators
CC2 Sniffing
UT/U4a Social engineering
IBS3 Web site manipulation
UT/U4b Web page obfuscation
CC1 Pharming
Redirection of
communication toward
fraudulent site
CC3 Active man-in-the middle attacks
IBS1 Brute force attacks
User communication
with attacker
Injection of commands
Use of known authenticated
session by attacker
Normal user authentication
with specified session ID
CC4 Pre-defined session IDs (session hijacking)
IBS2 Security policy violation
Figure 1.5 An Attack Tree for Internet Banking Authentication
Bank Account Compromise
User credential compromise
User credential guessing
UT/U1a User surveillance
UT/U1b Theft of token and
handwritten notes
Malicious software
installation
Vulnerability exploit
UT/U2a Hidden code
UT/U2b Worms
UT/U3a Smartcard analyzers
UT/U2c E-mails with
malicious code
UT/U3b Smartcard reader
manipulator
UT/U3c Brute force attacks
with PIN calculators
CC2 Sniffing
UT/U4a Social engineering
IBS3 Web site manipulation
UT/U4b Web page
obfuscation
CC1 Pharming
Redirection of
communication toward
fraudulent site
CC3 Active man-in-the
middle attacks
IBS1 Brute force attacks
User communication
with attacker
Injection of commands
Use of known authenticated
session by attacker
Normal user authentication
with specified session ID
CC4 Pre-defined session
IDs (session hijacking)
IBS2 Security policy
violation