FundamentalsofNetworkSecurity

CryptoWorks21•July25&27,2017

Dr DouglasStebila

https://www.douglas.stebila.ca/teaching/cryptoworks21

FundamentalsofNetworkSecurity1. BasicsofInformationSecurity

– Securityarchitectureandinfrastructure;securitygoals(confidentiality,integrity,availability,andauthenticity);threats/vulnerabilities/attacks;riskmanagement

2. CryptographicBuildingBlocks– Symmetriccrypto:ciphers(stream,block),hashfunctions,message

authenticationcodes,pseudorandomfunctions– Publickeycrypto:publickeyencryption,digitalsignatures,keyagreement

3. NetworkSecurityProtocols&Standards– Indetail:publickeyinfrastructure,TLS– Overview:Networking,SSH,IPsec,Kerberos,WEP

4. NetworkScanningandDefence– Trafficsniffingandnetworkreconnaissance(mmap)– Networkprotection:firewallsandintrusiondetection

5. AccessControl&Authentication;WebApplicationSecurity– Accesscontrol:discretionary/mandatory/role-based;phases– Authentication:somethingyouknow/have/are/somewhereyouare– Websecurity:cookies,SQLinjection– Supplementalmaterial:Passwords

FundamentalsofNetworkSecurity

• Lectures:– Tuesday10:30-12and1-2:30pminQNC1201– Thursday10:30-12and1-2:30pminQNC4104

• Assessment:– 4practicalhands-onexerciseswithnetworkandapplicationsecurity,withafewquestionstosubmitfromeach

– DueFridayAugust11

FundamentalsofNetworkSecurity1.BasicsofInformationSecurity

CryptoWorks21•June27,2016

Dr DouglasStebila

https://www.douglas.stebila.ca/teaching/cryptoworks21

LectureGoals

• Developabroaderperspectiveoninformationsecuritythanjustcryptography.

• Terminologyfordescribinginformationsecurity.• Howdoorganizationsapproachmakinginformationsecuritydecisions?

• Non-technicallecturetoday;technicallecturestofollow.

InformationSecurityProcess

1. Identifyinformationassets2. Describesecuritygoalsforassets3. Characterizethreats4. Identifyvulnerabilities5. Assessrisks6. Applycontrols

SECURITYTERMINOLOGY

InformationSecurityProcess

1. Identifyinformationassets2. Describesecuritygoalsforassets3. Characterizethreats4. Identifyvulnerabilities5. Assessrisks6. Applycontrols

WhatisSecurity?

• Security isabouttheprotectionofassetsfromdamageorharm.

• Assets areitemsorprocessesthatareofvalue– Property– People– Intangibles

WhatisSecurity?

• Foreffectiveprotectionyouneedtoknow:–Whattheassetsare–Whattheyareworth,andhowcriticaltheyare–Whatcouldpossiblyhappentoaffectthem• Consideraccidentalandintentionalevents

– Howtheycouldbeprotected,andatwhatcost?• Considerpossibilitiesfor:

– Prevention ofdamagetoasset(orminimisingdamage)– Detection ofdamagetoasset– when,how,who?– Reaction torecoverfromdamage

InformationSecurityGoalsorServices

Traditionaldefinitionsofinformationsecurityarebasedonthreeinformationsecuritygoalsorservices:• Confidentiality:preventingunauthoriseddisclosureofinformation

• Integrity:preventingunauthorised (accidentalordeliberate)modificationordestructionofinformation

• Availability:ensuringresourcesareaccessiblewhenrequiredbyanauthorised user

AdditionalGoalsorServices

Theseadditionalgoalsorservicesarebecomingincreasinglyimportantforsomeapplications:• Authentication:– Entityauthentication– theprocessofverifyingaclaimedidentity

– Dataoriginauthentication– verifythesource(andintegrity)ofamessage

• Non-repudiation:– createevidencethatanactionhasoccurred,sothattheusercannotfalselydenytheactionlater

InformationStates

• Informationsecurityinvolvesprotectinginformationassetsfromharmordamage.

• Considerinformationinoneofthreepossiblestates:

– Storage• Informationstoragecontainers– electronic,physical,human

– Transmission• Physicalorelectronic

– Processing (Use)• Physicalorelectronic

Vulnerabilities,ThreatsandAttacks• Informationsecurityanalysisinvolvesconsidering:– Threats:

• Setsofcircumstanceswiththepotentialtocauseharmbycompromisingstatedsecuritygoals

– Vulnerabilities:• Weaknessesinasystemthatcouldbeusedtocauseharmbycompromisingstatedsecuritygoals

– Attacks:• Occurwhenvulnerabilitiesaredeliberatelyexploited• Exploit:Anattackonasystem,especiallyonethattakesadvantageofaparticularvulnerabilitythatthesystemofferstointruders.

• NOTE:Securityincidentscanalsoresultfromnon-deliberateacts.

InformationSecurity:Attacks• Twomaintypesofattacks:– Passive:

• Attacker’sgoalistoobtaininformation• Attackerdoesn’taltersystemresourcesorinteractotherthanbylisteningorobserving– E.g.eavesdropping,shouldersurfing

• Difficulttodetect;usuallytrytopreventtheattack.– Active:

• Attacker’sgoalmaybetomodify,replicateorfabricateinformation

• Requiresinteractionwiththeinformationsystembytheattacker– E.g.Phishing,Denialofservice,Man-in-the-middle

• Trytodetectattacker’sactions,recognisesignsofattackandrespond

SecurityMeasuresorControls• Usesecuritymeasuresorcontrolstocounterthreatsand

preventattacks– Alsoknownascountermeasures

• Preventive controls:– preventattemptstoexploitvulnerabilities

• Example:encryptionoffilestopreventeavesdropping• Detective controls:

– warnofattemptstoexploitvulnerabilities• Example:UseofChecksum/MACtodetectdatacorruption

• Corrective controls:– correcterrorsorirregularitiesthathavebeendetected

• Example:Restoringallapplicationsfromthelastknowngoodimagetobringacorruptedsystembackonline

SecurityMeasuresorControls• Thesemayinvolve:– Technology• Firewalls,Ciphers(encryption),Digitalsignatures,IDS,tamper-resistantsystems,etc

– Policyandpractice• Planoutliningorganisation’sapproachtomanaginginformationsecurity

– Education,trainingandawareness• Employeetraining

– Forexample,againstsocialengineering• Rememberpeople arecomponentsoftheinformationsystems

Usefuldiagramtocombineideas:NSTISSI4011SecurityModel

NSTISSI4011 providesaframeworkfordiscussingInformationSecurity

THREATS,VULNERABILITIES,ANDATTACKS

InformationSecurityProcess

1. Identifyinformationassets2. Describesecuritygoalsforassets3. Characterizethreats4. Identifyvulnerabilities5. Assessrisk6. Applycontrols

Threats

• Setofcircumstanceswithpotential tocauseharmtoaninformationassetbycompromisingstatedinformationsecuritygoals.– Abreachofconfidentiality: informationisdisclosedtounauthorisedentities

– Abreachofintegrity: informationassetshavebeenmodifiedordestroyedbyunauthorisedentity

– Abreachofavailability: informationassetsarenotaccessiblewhenrequiredbyanauthorisedentity

ThreatSources

• External:– Sourceofthreatliesoutsideoftheorganisation– Example:

• Peoplewhoarenotauthorizedtouseinformationsystems-commercialcompetitor,cyber-criminal,politicalactivist,terrorists

• Internal:– Sourceofthreatlieswithintheorganisation– Example:

• peoplewhoareauthorizedtouseinformationsystems-employees,contractors,clients,visitors

Threats• Externalthreatsources

• Mayneedtogainaccesstoinformationassetsusedinanorganisationinordertoharmthem– Physicalaccess– Logicalaccess

• Increasingdependenceoninformationandcommunicationstechnologies(ICT)operatingoverinternetexpandspotentialexternalsourceswithlogicalaccess– Commonthreats:malware(virus,Trojan,worm,spyware)

Threats• Externalthreatsources– 2013CERTCyberCrime&SecuritySurveyReport

Threats• Internalthreatsources:Insidersarefamiliarwithinformationsystemsusedinanorganisation:

oHaveknowledgeofassetvaluesoKnowprocessesandproceduresinuseoMaybeawareofsystemvulnerabilitiesoHaveopportunitytoaccessassetsoMaymisusesystemsorexceedtheirauthorizationoPotentialtocauseharmishighoOutsourcing(cleaners,catering,supportservices)withoutsecurityassurancebringsoutsidersin

Threats• Internalthreatsources– 2013CERTCyberCrime&SecuritySurveyReport

Vulnerabilities

• Weaknessesinasystem– thatcouldbeusedtocauseharmtoinformationassets

• Needtoconsidercomponentsofinformationsystem:– Property– People– Procedures

Vulnerabilities:Property

• Physicalassets:buildingsandcontents– Location;physicalsecurity;maintenance;monitoringandloggingphysicalaccess

• Hardware:computersystems,datacommunicationsdevices,datastoragedevices

• Software:Operatingsystem,applications– Source;testing;updates;(mis)configuration

• Data:Files,databases,passwords

Vulnerabilities:People• Employees:– Recruitingstaffsuitablefortheposition

• Failuretocheckbackgroundiscommon– Monitoringaccessofpeopletopropertyandprocesses• Disgruntledemployees,clientsorcontractorscanbethreatsource

– Inadequateeducationofstaffwithrespecttothreats:forexample,arestaffawareofpoliciesregarding:• providinginformationbyemailoroverphone• downloadingsoftware,• useofmobiledevices,etc

Vulnerabilities:People

Vulnerabilities:People

• Employees:– Aretherekeypersonnelcriticaltoorganisation?• Maybeunavailableduetoaccidentorillness,orotherevent(transportfailure,naturaldisaster)

– Vulnerableifnoback-upforthesepeople• Ifproceduresareundocumented

• Others:– Aresecurityconditionsincludedincontractswithconsultants,contractors,outsourcing?

Vulnerabilities:Processes

• Accesscontrol andprivilegemanagement– Includingkeys,cards,passwords

• Backup offilesandsystems• Businesscontinuityplans– forrecoveryofinformationassetsafterdisaster

• Communications

Vulnerabilities:Processes

• Checksandbalances:– Peoplemakemistakes:arethereprocessestodetect,correctorreducetheimpactoferrors?• Example:Separationofduties

• Processesassociatedwithstaffjoining/leavingorganisation– Clearstatementofduties– Nondisclosure/confidentialityagreements

• Softwaremanagementprocessesandauditing

AttacksAnattackiswhenvulnerabilitiesaredeliberately exploitedtogainunauthorizedaccessorperformunauthorizedactions.

• Passive– Attacker’sgoalistoobtaininformation– Attackerdoesnotalterinformationsystemresources

• Nointeractionbytheattacker otherthanlisteningorobserving– Difficulttodetect;usuallytrytopreventtheattack.

• Active– Attacker’sgoalmaybetoobtain,modify,replicateorfabricate

information– Requiressomeactionorinteractionwiththeinformationsystem by

theattacker– Usualapproachistotrydetectattackersactions,recognisethemas

signsofattackandrecover

PassiveAttacks

• Eavesdropping:– Listeningtotheconversationsofotherswithouttheirknowledgeorconsent

–Wiretapping• Eavesdroppingovertelephonenetwork• Maybehardertodetectinwirelessnetwork

– Informationcanbeobtainedfrom:• thecontentoftheconversations,and• knowingwhoistalkingtowhoandwhen(trafficanalysis)

PassiveAttacks

• Shouldersurfing–Watchingtheactionsofothers(especiallyatdataentry)withouttheirknowledgeorconsent

– Usuallyconnectedwithentryofconfidentialinformation• PIN(forfinancialaccessatATM)• Securitycodeorpassword

– Canalsobeforgreateramountsofdata• Useofmobiledevicesininsecuresurroundingsisvulnerabilitythatcanbeexploitedforthisattack

PassiveAttacks

• Networkmonitoringandeavesdropping– Apacketsnifferornetworkanalyzercanmonitornetworktraffic• canbeusedfornetworkmaintenance(findingfaultsandtrafficproblems)

• Butcanalsobeusedtogainknowledgeofconfidentialinformation

• e.gpasswordscorrespondingtousernames– Confidentialinformationshouldnotbesentoveruntrustednetworks

withoutprotection• Example:whenloggingontoaremoteresource,passwordsshouldnotbesent‘intheclear’

ActiveAttacks

• DenialofService(DoS)Attack– Objectiveistomakeaninformationassetorresourceunavailabletoauthorizedusers

– Commonmethodsare:• Tooverloadtheresource,soitcannotrespondtolegitimaterequests• Todamagetheresource,sothatitcannotbeused• Todeliberatelyinterruptcommunicationsbetweenusersandresource,sothatitcannotbeaccessed

ActiveAttacks

• DistributedDenialofService(DDoS)Attack– ObjectiveissameasDoSattack:

• Breachesavailabilityofinformationasset

– Method:• Usemultiplesourcestomakeresourcerequests• Hopetooverloadresource,soitcannotrespondtolegitimaterequests

• Malware(e.g.virus)maybeusedtocompromisemanymachines– allhavesametarget,andpayloadisactivatedatsametime,tomakesimultaneousresourcerequest

ActiveAttacks• DDoS Attacks– 1999– firstDDoS attack– 2000– Yahoo,eBay,AmazonDDoS’ed forhours– Early2000’s:peakspeed4gigabit/sec– 2015:

• Averagespeed:10–60Gb/sec• peakspeed:≥400Gb/sec– Onecompanyreportedreceiving250xnormalbandwidth

• Averageduration:17hours– Attacktechniques:

• Resource/bandwidthconsumption,keepconnectionsopen– Defensetechniques:

• Cloudhosting,coordinationwithupstreamproviders

http://gcn.com/articles/2015/07/27/ddos-attack-mitigation.aspxhttp://www.darkreading.com/cloud/inside-a-vicious-ddos-attack/a/d-id/1321286

ActiveAttacks

• Masquerade/Spoofing:–Whereoneentitypretendstobeanotherinordertodeceiveothers

• Commonspoofingattacksinclude:– Emailaddressspoofing• Alteringthesenderinformationonemailtotrickrecipientsintothinkingthemessageisfromanothersource

– Webpagespoofing• Creatingafakewebpagethatlookslikethepageforalegitimatebusinesstotrickusers– intogivingthecredentialstheywoulduseatlegitimatesite– Intodownloadingmaterialsfromanalternativesite

ActiveAttacks

• Phishing:– Attemptstogaincredentialstoenableaccesstootherresourcesbymasqueradingasalegitimateorganisation(Bank,eBay,PayPal)• Example:accountdetails,PINnumber,password

– Usuallyinvolves• spoofedemailsand/orspoofedwebpages• socialengineering

ActiveAttacks• Phishing

Basicphishingemail Targetedspearphishingemail

https://iconixtruemark.wordpress.com/2011/06/10/spear-phishing-examples/

ActiveAttacks• Phishing

ActiveAttacks• Man-in-the-MiddleAttack(MITM)– Anattacker(Carol)positionsherselfbetweentwoentitieswhowishtocommunicate,sayAliceandBob.

– CarolpretendstoAlicesheisBob,andpretendstoBobsheisAlice(spoofing).

Bob

Alice

Carol

MITM• Normalinformationflow

Information Source (Alice)

Information Destination (Bob)

MITMInterception

Breachesconfidentiality

TheunauthorizedMITMobservestheinformationandtransmitsit

MITMInterruptionTheunauthorizedMITMpreventstransmission,so

informationassetsareunavailabletoBob

Breachesavailability

MITMModification

Breachesintegrity

TheMITMmodifiestheinformationandthensendstoBob

MITMFabrication

Breachesauthenticity

TheMITMcreatesinformationassetandsendstoBobbutclaimsitisfromAlice

ActiveAttacks• SocialEngineering:usingsocialskillstoconvincepeopletorevealinformationorpermitaccesstoresources.Examples:– Claimtobenewemployee,manager’sassistant,maintenanceperson,etcandaskforassistanceinaccessingresourcetocompleteanurgenttask:• I’velostmypasswordandIhavetofinishthistoday…• Myswipecarddoesn’twork/leftathome…

– Tailgating– followanotherpersoncloselysothatwhentheygointosecureareayoucanalsogetinwithoutprovidingappropriatecredentials

ActiveAttacks• Replayattack:– Thisiswhereavaliddatatransmissionisrecorded,andretransmittedatalaterdate

– Example:• Accesstoasystemrequiresuseofpassword,butpasswordisencryptedduringtransmission• Attackerrecordsencryptedpassword,andreplaysthisinformationinordertogainaccess• Doesn’tmatterthatattackerdoesn’tknowthepassword– theycouldprovidetheexpectedcredentialonrequest.

RISKMANAGEMENT

InformationSecurityProcess

1. Identifyinformationassets2. Describesecuritygoalsforassets3. Characterizethreats4. Identifyvulnerabilities5. Assessrisk6. Applycontrols

Informationsecurityandriskmanagement

–Whatisrisk?– Howdowemanagerisk?– Riskmanagementandstandards• ISO31000:2009RiskManagement• ISO27005:2012InformationSecurityRiskManagement

– InformationSecurityManagementStandards• ISO27001:2006InfoSecManagementSystems• ISO27002:2006CodeofpracticeforISmanagement

Informationsecurity&riskmanagement

• Informationsecuritymanagementinvolvesaskingquestionslike:– Whatneedstobeprotected?– Whydoesitneedtobeprotected?– Howcanitbeprotected?

• Whatdoesthatcost?• Howurgentlyisthisrequired?

– Whathappensifitisnotprotected?• Organisationshavelimitedresources(time,money,space)so

makingtradeoffs isnecessary:– Can’taffordtoprotectallassetsagainstallpossiblethreats

• Informationsecuritymanagementinvolvesriskmanagement

Whatisrisk?• DefinitioninISO27005:2012Informationsecurityriskmanagement

• Risk:‘effectofuncertaintyonobjectives.’– Effect includesbothpositiveandnegative– Aspectsofobjectivestoconsider:

• financial,healthandsafety,informationsecurity,environmental

– Mayapplyatdifferentlevels:• organizational,project,product,process

– Informationsecurityriskexpressedintermsofconsequencesandlikelihood• Consequence: ‘outcomeofaneventaffectingobjectives’• Likelihood: ‘chanceofsomethinghappening’

Whatisrisk?Infosecriskconsiderspotentialforthreatsandvulnerabilitiestocoincideandharmassets

threatagent vulnerability

likelihoodofeventoccurrence

consequenceofeventoccurrence

risk

(sometimescalledchanceorrisk)

(sometimescalledbusinessrisk)

Howdowemanagerisk?Riskmanagementprocess (fromISO31000:2009)

Establishthecontext

Identifyrisks

Analyserisks

Evaluaterisks

TreatrisksCommun

icateand

consult

Mon

itora

ndre

view

RiskAssessment

RiskmanagementprocessEstablishthecontext

• Establishtheexternal context:• Relationshipbetweenorganisationandexternal

environmentitoperatesin• Establishtheinternal context:

• Understandtheorganisationanditscapabilities,goalsandobjectives

• Establishtheriskmanagement context:• Goals,objectives,strategies,scopeandparameters

oftheareatheriskmanagementprocessisbeingappliedto

RiskmanagementprocessEstablishthecontext

• Defineriskcriteria(Criteriaagainstwhichriskistobeevaluated)

• Forriskevaluationcriteriaconsider:– Strategicvalueoftheasset,– Criticalityoftheasset,– Legal,regulatoryorcontractualobligations,– Reputation

• Forimpactevaluationcriteriaconsider:– Levelofclassificationofasset,andtypeofbreach(CIA)– Degreeofimpairment/disruption/lossofbusiness

• Forriskacceptancecriteriaconsider:– Whatthetimeframeswillbe– Whatlevelofriskisacceptabletoorganisation, etc

RiskmanagementprocessIdentifyrisks

• Whatcanhappen,whereandwhen?– Identifyplausiblethreatsandexistingvulnerabilities:combinetheseto

identifyeventsandpotentialconsequences

• Whyandhowitcanhappen?– Considercausesandscenarios

• Toolsandtechniques:– Identifyrisksusing• Checklists(Fromotherstandardsdocuments)• Judgementsbasedonexperience(ownandothers)• Systemsanalysis

• Includeallrisks,whethertheyareunderthecontroloftheorganisationornot.

RiskmanagementprocessAnalyserisks

• Determinethemagnitudeofidentifiedrisks• Typesofanalysis:• Qualitative

– Usesdescriptivescales(inwords).Example:• Consequence: Minor,moderate,major,catastrophic• Likelihood: Rare,unlikely,possible,likely,almostcertain

• Semi-quantitative– Qualitativescalesassignednumericalvalues– Canbeusedinformulaeforprioritization(withcaution!)

• Quantitative– Usenumericalvaluesforbothconsequence(e.g.$$$) andlikelihood

(e.g.probabilityvalue)

RiskmanagementprocessQualitativeRiskAnalysis:Example

Measure Description

Major Majorproblems wouldoccurandthreatentheprovisionofimportantprocesses resultinginsignificantfinancialloss.

Moderate Services wouldcontinue, butwould needtobereviewedorchanged.

Minor Effectivenessofserviceswouldbethreatenedbutdealtwith.

Insignificant Dealtwithasapartofroutineoperations.

Incr

easi

ng D

amag

e

QualitativeConsequencescale example:

FromInformationRiskManagementBestPracticeGuidep19

RiskmanagementprocessQualitativeRiskAnalysis:Example

Measure Description

High Isexpectedtooccurinmostconditions(1ormoretimesperyear).

Medium Theeventwillprobablyhappeninmostconditions(aboutonceevery2years).

Possible Theeventshouldhappenatsometime(onceevery5years).

Unlikely Theeventcouldhappenatsometime(onceevery10years).In

crea

sing

Pro

babi

lity

QualitativeLikelihoodscale example:

InformationRiskManagementBestPracticeGuidep19

M

MM

H

M

M

RiskmanagementprocessQualitativeRiskAnalysis:Example

Likelih

ood

Consequence

Insignificant Minor Moderate Major

High

Medium

Low

Unlikely

LegendE:extremerisk;immediateactionrequiredH:highrisk;seniormanagementattentionneededM:moderaterisk;managementresponsibilitymustbespecifiedL:lowrisk;managebyroutineprocedures

M

M

L

H

H

EE

E

L

L

QualitativeLevelofRisk example: Matchconsequencestolikelihoodstodeterminelevelsofrisk

RiskmanagementprocessEvaluaterisks

• Compare thelevelofriskfoundduringriskanalysiswiththeestablishedriskcriteria

• Decidewhichrisksneedtreatment,andwhen– Prioritize listofrisksforfurtheraction• Risksinlowormoderateriskcategoriesmaybeacceptedwithoutfurthertreatment• Highorextremerisksrequireimmediateconsiderationoftreatmentpossibilities

RiskmanagementprocessTreatrisks

• Selectoptionsformodifyingrisks:– optionsforrisktreatmentwith positiveoutcomesinclude:• Activelyseekopportunity• Changethelikelihoodofopportunity toenhancethelikelihoodofbeneficialoutcome• Changetheconsequencestoincreasetheextentofthegains• Sharingtheopportunity• Retain theresidualopportunity

RiskmanagementprocessTreatrisks

• Selectoptionsformodifyingrisks:– optionsforrisktreatmentwithnegativeoutcomesinclude:• Avoid therisk• Reduce likelihoodofnegativeoutcomeby:– Reducingthelikelihood oftherisk– Reducingtheconsequences

• Share therisk• Retain therisk

Exampleriskassessment:effectofquantumcomputersonclassicalcryptography

• Context:alargebankusesRSApublickeycryptographyandAESencryptiontosecurecommunicationoverthepublicinternetbetweenitsbranches

• Identifyrisks:large-scalequantumcomputerswillrenderRSAencryptioncompletelyinsecureandimpactkeylengthofAESencryption

Exampleriskassessment:effectofquantumcomputersonclassicalcryptography

• Analyzerisks:– consequence:major/moderate/minor/insignificant

– likelihood:high/medium/possible/unlikely

• Evaluaterisks:prioritizerisksbasedonconsequencexlikelihood

• Treathighpriorityrisks– ShouldthebankswitchtoQKD?post-quantumcrypto?

InformationSecurityProcess

1. Identifyinformationassets2. Describesecuritygoalsforassets3. Characterizethreats4. Identifyvulnerabilities5. Assessrisk– Identify

->analyze->evaluaterisks

6. Applycontrols