Fundamentals of Network Security
CryptoWorks21 • July 25 & 27, 2017
Dr Douglas Stebila
https://www.douglas.stebila.ca/teaching/cryptoworks21

Fundamentals of Network Security
1. Basics of Information Security
   – Security architecture and infrastructure; security goals (confidentiality, integrity, availability, and authenticity); threats / vulnerabilities / attacks; risk management
2. Cryptographic Building Blocks
   – Symmetric crypto: ciphers (stream, block), hash functions, message authentication codes, pseudorandom functions
   – Public key crypto: public key encryption, digital signatures, key agreement
3. Network Security Protocols & Standards
   – In detail: public key infrastructure, TLS
   – Overview: networking, SSH, IPsec, Kerberos, WEP
4. Network Scanning and Defence
   – Traffic sniffing and network reconnaissance (nmap)
   – Network protection: firewalls and intrusion detection
5. Access Control & Authentication; Web Application Security
   – Access control: discretionary / mandatory / role-based; phases
   – Authentication: something you know / have / are / somewhere you are
   – Web security: cookies, SQL injection
   – Supplemental material: passwords

Fundamentals of Network Security
• Lectures:
  – Tuesday 10:30-12 and 1-2:30pm in QNC 1201
  – Thursday 10:30-12 and 1-2:30pm in QNC 4104
• Assessment:
  – 4 practical hands-on exercises with network and application security, with a few questions to submit from each
  – Due Friday August 11
Fundamentals of Network Security
1. Basics of Information Security
CryptoWorks21 • June 27, 2016
Dr Douglas Stebila
https://www.douglas.stebila.ca/teaching/cryptoworks21

Lecture Goals
• Develop a broader perspective on information security than just cryptography.
• Terminology for describing information security.
• How do organizations approach making information security decisions?
• Non-technical lecture today; technical lectures to follow.

Information Security Process
1. Identify information assets
2. Describe security goals for assets
3. Characterize threats
4. Identify vulnerabilities
5. Assess risks
6. Apply controls

SECURITY TERMINOLOGY

Information Security Process
1. Identify information assets
2. Describe security goals for assets
3. Characterize threats
4. Identify vulnerabilities
5. Assess risks
6. Apply controls
What is Security?
• Security is about the protection of assets from damage or harm.
• Assets are items or processes that are of value
  – Property
  – People
  – Intangibles

What is Security?
• For effective protection you need to know:
  – What the assets are
  – What they are worth, and how critical they are
  – What could possibly happen to affect them
    • Consider accidental and intentional events
  – How they could be protected, and at what cost?
    • Consider possibilities for:
      – Prevention of damage to asset (or minimising damage)
      – Detection of damage to asset – when, how, who?
      – Reaction to recover from damage

Information Security Goals or Services
Traditional definitions of information security are based on three information security goals or services:
• Confidentiality: preventing unauthorised disclosure of information
• Integrity: preventing unauthorised (accidental or deliberate) modification or destruction of information
• Availability: ensuring resources are accessible when required by an authorised user

Additional Goals or Services
These additional goals or services are becoming increasingly important for some applications:
• Authentication:
  – Entity authentication – the process of verifying a claimed identity
  – Data origin authentication – verify the source (and integrity) of a message
• Non-repudiation:
  – create evidence that an action has occurred, so that the user cannot falsely deny the action later

Information States
• Information security involves protecting information assets from harm or damage.
• Consider information in one of three possible states:
  – Storage
    • Information storage containers – electronic, physical, human
  – Transmission
    • Physical or electronic
  – Processing (Use)
    • Physical or electronic

Vulnerabilities, Threats and Attacks
• Information security analysis involves considering:
  – Threats:
    • Sets of circumstances with the potential to cause harm by compromising stated security goals
  – Vulnerabilities:
    • Weaknesses in a system that could be used to cause harm by compromising stated security goals
  – Attacks:
    • Occur when vulnerabilities are deliberately exploited
    • Exploit: an attack on a system, especially one that takes advantage of a particular vulnerability that the system offers to intruders.
• NOTE: Security incidents can also result from non-deliberate acts.
Information Security: Attacks
• Two main types of attacks:
  – Passive:
    • Attacker's goal is to obtain information
    • Attacker doesn't alter system resources or interact other than by listening or observing
      – E.g. eavesdropping, shoulder surfing
    • Difficult to detect; usually try to prevent the attack.
  – Active:
    • Attacker's goal may be to modify, replicate or fabricate information
    • Requires interaction with the information system by the attacker
      – E.g. phishing, denial of service, man-in-the-middle
    • Try to detect attacker's actions, recognise signs of attack and respond

Security Measures or Controls
• Use security measures or controls to counter threats and prevent attacks
  – Also known as countermeasures
• Preventive controls:
  – prevent attempts to exploit vulnerabilities
    • Example: encryption of files to prevent eavesdropping
• Detective controls:
  – warn of attempts to exploit vulnerabilities
    • Example: use of checksum/MAC to detect data corruption
• Corrective controls:
  – correct errors or irregularities that have been detected
    • Example: restoring all applications from the last known good image to bring a corrupted system back online

Security Measures or Controls
• These may involve:
  – Technology
    • Firewalls, ciphers (encryption), digital signatures, IDS, tamper-resistant systems, etc.
  – Policy and practice
    • Plan outlining organisation's approach to managing information security
  – Education, training and awareness
    • Employee training
      – For example, against social engineering
    • Remember people are components of the information systems
Useful diagram to combine ideas: NSTISSI 4011 Security Model
NSTISSI 4011 provides a framework for discussing information security: a three-dimensional model that combines the security goals (confidentiality, integrity, availability), the information states (storage, transmission, processing) and the control categories (technology, policy and practice, education/training/awareness) introduced above.
THREATS, VULNERABILITIES, AND ATTACKS

Information Security Process
1. Identify information assets
2. Describe security goals for assets
3. Characterize threats
4. Identify vulnerabilities
5. Assess risk
6. Apply controls

Threats
• Set of circumstances with potential to cause harm to an information asset by compromising stated information security goals.
  – A breach of confidentiality: information is disclosed to unauthorised entities
  – A breach of integrity: information assets have been modified or destroyed by unauthorised entity
  – A breach of availability: information assets are not accessible when required by an authorised entity

Threat Sources
• External:
  – Source of threat lies outside of the organisation
  – Example:
    • People who are not authorized to use information systems – commercial competitor, cyber-criminal, political activist, terrorists
• Internal:
  – Source of threat lies within the organisation
  – Example:
    • People who are authorized to use information systems – employees, contractors, clients, visitors

Threats
• External threat sources
  • May need to gain access to information assets used in an organisation in order to harm them
    – Physical access
    – Logical access
  • Increasing dependence on information and communications technologies (ICT) operating over the internet expands potential external sources with logical access
    – Common threats: malware (virus, Trojan, worm, spyware)

Threats
• External threat sources – 2013 CERT Cyber Crime & Security Survey Report

Threats
• Internal threat sources: insiders are familiar with information systems used in an organisation:
  o Have knowledge of asset values
  o Know processes and procedures in use
  o May be aware of system vulnerabilities
  o Have opportunity to access assets
  o May misuse systems or exceed their authorization
  o Potential to cause harm is high
  o Outsourcing (cleaners, catering, support services) without security assurance brings outsiders in

Threats
• Internal threat sources – 2013 CERT Cyber Crime & Security Survey Report
Vulnerabilities
• Weaknesses in a system – that could be used to cause harm to information assets
• Need to consider components of information system:
  – Property
  – People
  – Procedures

Vulnerabilities: Property
• Physical assets: buildings and contents
  – Location; physical security; maintenance; monitoring and logging physical access
• Hardware: computer systems, data communications devices, data storage devices
• Software: operating system, applications
  – Source; testing; updates; (mis)configuration
• Data: files, databases, passwords

Vulnerabilities: People
• Employees:
  – Recruiting staff suitable for the position
    • Failure to check background is common
  – Monitoring access of people to property and processes
    • Disgruntled employees, clients or contractors can be threat source
  – Inadequate education of staff with respect to threats: for example, are staff aware of policies regarding:
    • providing information by email or over phone
    • downloading software,
    • use of mobile devices, etc.

Vulnerabilities: People
• Employees:
  – Are there key personnel critical to organisation?
    • May be unavailable due to accident or illness, or other event (transport failure, natural disaster)
  – Vulnerable if no back-up for these people
    • If procedures are undocumented
• Others:
  – Are security conditions included in contracts with consultants, contractors, outsourcing?

Vulnerabilities: Processes
• Access control and privilege management
  – Including keys, cards, passwords
• Backup of files and systems
• Business continuity plans
  – for recovery of information assets after disaster
• Communications

Vulnerabilities: Processes
• Checks and balances:
  – People make mistakes: are there processes to detect, correct or reduce the impact of errors?
    • Example: separation of duties
• Processes associated with staff joining/leaving organisation
  – Clear statement of duties
  – Nondisclosure/confidentiality agreements
• Software management processes and auditing
Attacks
An attack is when vulnerabilities are deliberately exploited to gain unauthorized access or perform unauthorized actions.
• Passive
  – Attacker's goal is to obtain information
  – Attacker does not alter information system resources
    • No interaction by the attacker other than listening or observing
  – Difficult to detect; usually try to prevent the attack.
• Active
  – Attacker's goal may be to obtain, modify, replicate or fabricate information
  – Requires some action or interaction with the information system by the attacker
  – Usual approach is to try to detect attacker's actions, recognise them as signs of attack and recover

Passive Attacks
• Eavesdropping:
  – Listening to the conversations of others without their knowledge or consent
  – Wiretapping
    • Eavesdropping over telephone network
    • May be harder to detect in wireless network
  – Information can be obtained from:
    • the content of the conversations, and
    • knowing who is talking to whom and when (traffic analysis)

Passive Attacks
• Shoulder surfing
  – Watching the actions of others (especially at data entry) without their knowledge or consent
  – Usually connected with entry of confidential information
    • PIN (for financial access at ATM)
    • Security code or password
  – Can also be for greater amounts of data
    • Use of mobile devices in insecure surroundings is a vulnerability that can be exploited for this attack

Passive Attacks
• Network monitoring and eavesdropping
  – A packet sniffer or network analyzer can monitor network traffic
    • can be used for network maintenance (finding faults and traffic problems)
    • But can also be used to gain knowledge of confidential information
      • e.g. passwords corresponding to usernames
  – Confidential information should not be sent over untrusted networks without protection
    • Example: when logging on to a remote resource, passwords should not be sent 'in the clear'
Active Attacks
• Denial of Service (DoS) Attack
  – Objective is to make an information asset or resource unavailable to authorized users
  – Common methods are:
    • To overload the resource, so it cannot respond to legitimate requests
    • To damage the resource, so that it cannot be used
    • To deliberately interrupt communications between users and resource, so that it cannot be accessed

Active Attacks
• Distributed Denial of Service (DDoS) Attack
  – Objective is same as DoS attack:
    • Breaches availability of information asset
  – Method:
    • Use multiple sources to make resource requests
    • Hope to overload resource, so it cannot respond to legitimate requests
    • Malware (e.g. virus) may be used to compromise many machines – all have same target, and payload is activated at same time, to make simultaneous resource request

Active Attacks
• DDoS Attacks
  – 1999 – first DDoS attack
  – 2000 – Yahoo, eBay, Amazon DDoS'ed for hours
  – Early 2000's: peak speed 4 gigabit/sec
  – 2015:
    • Average speed: 10–60 Gb/sec
    • Peak speed: ≥400 Gb/sec
      – One company reported receiving 250x normal bandwidth
    • Average duration: 17 hours
  – Attack techniques:
    • Resource/bandwidth consumption, keep connections open
  – Defense techniques:
    • Cloud hosting, coordination with upstream providers
http://gcn.com/articles/2015/07/27/ddos-attack-mitigation.aspx
http://www.darkreading.com/cloud/inside-a-vicious-ddos-attack/a/d-id/1321286
Active Attacks
• Masquerade/Spoofing:
  – Where one entity pretends to be another in order to deceive others
  • Common spoofing attacks include:
    – Email address spoofing
      • Altering the sender information on email to trick recipients into thinking the message is from another source
    – Web page spoofing
      • Creating a fake web page that looks like the page for a legitimate business to trick users
        – into giving the credentials they would use at legitimate site
        – into downloading materials from an alternative site

Active Attacks
• Phishing:
  – Attempts to gain credentials to enable access to other resources by masquerading as a legitimate organisation (bank, eBay, PayPal)
    • Example: account details, PIN number, password
  – Usually involves
    • spoofed emails and/or spoofed web pages
    • social engineering

Active Attacks
• Phishing
  [Screenshots: basic phishing email, targeted spear phishing email]
  https://iconixtruemark.wordpress.com/2011/06/10/spear-phishing-examples/
ActiveAttacks• Man-in-the-MiddleAttack(MITM)– Anattacker(Carol)positionsherselfbetweentwoentitieswhowishtocommunicate,sayAliceandBob.
– CarolpretendstoAlicesheisBob,andpretendstoBobsheisAlice(spoofing).
Bob
Alice
Carol
MITM• Normalinformationflow
Information Source (Alice)
Information Destination (Bob)
MITMInterception
Breachesconfidentiality
TheunauthorizedMITMobservestheinformationandtransmitsit
MITMInterruptionTheunauthorizedMITMpreventstransmission,so
informationassetsareunavailabletoBob
Breachesavailability
MITMModification
Breachesintegrity
TheMITMmodifiestheinformationandthensendstoBob
MITMFabrication
Breachesauthenticity
TheMITMcreatesinformationassetandsendstoBobbutclaimsitisfromAlice
ActiveAttacks• SocialEngineering:usingsocialskillstoconvincepeopletorevealinformationorpermitaccesstoresources.Examples:– Claimtobenewemployee,manager’sassistant,maintenanceperson,etcandaskforassistanceinaccessingresourcetocompleteanurgenttask:• I’velostmypasswordandIhavetofinishthistoday…• Myswipecarddoesn’twork/leftathome…
– Tailgating– followanotherpersoncloselysothatwhentheygointosecureareayoucanalsogetinwithoutprovidingappropriatecredentials
ActiveAttacks• Replayattack:– Thisiswhereavaliddatatransmissionisrecorded,andretransmittedatalaterdate
– Example:• Accesstoasystemrequiresuseofpassword,butpasswordisencryptedduringtransmission• Attackerrecordsencryptedpassword,andreplaysthisinformationinordertogainaccess• Doesn’tmatterthatattackerdoesn’tknowthepassword– theycouldprovidetheexpectedcredentialonrequest.
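The replay example above, together with the MITM modification case, as an added Python illustration that is not part of the lecture: the slide's "encrypted password" is modelled as a fixed token that is identical on every login, which is exactly what makes a recording reusable. The hardened server in the same block issues a random single-use challenge and expects an HMAC over the challenge and the username, so a recorded response is rejected (the challenge has been consumed) and a message altered in transit fails the MAC check. The key, the password and the usernames are constructed for the demo.

```python
"""Replay of a recorded credential versus a fresh-challenge login.

Added example, not from the lecture. The slide's 'encrypted password' is
modelled as a fixed token; the hardened server uses a random single-use
nonce and HMAC(key, nonce || username). Key, password and usernames are
constructed values.
"""
import hashlib
import hmac
import os

SHARED_KEY = b"constructed-demo-key"          # constructed; in practice derived from the password
PASSWORD_TOKEN = hashlib.sha256(b"constructed-pw").digest()  # stands in for the 'encrypted password'


class StaticTokenServer:
    """Vulnerable: the same token is valid on every login, so whatever an
    eavesdropper recorded on the wire is accepted again later."""

    def login(self, token: bytes) -> bool:
        return hmac.compare_digest(token, PASSWORD_TOKEN)


class ChallengeResponseServer:
    """Hardened: each login starts with a fresh random challenge; the
    response binds the challenge and the username under the shared key,
    and a challenge is consumed on first use."""

    def __init__(self):
        self.outstanding = set()

    def challenge(self) -> bytes:
        nonce = os.urandom(16)
        self.outstanding.add(nonce)
        return nonce

    def login(self, username: bytes, nonce: bytes, response: bytes) -> bool:
        if nonce not in self.outstanding:     # never issued, or already used (replay)
            return False
        self.outstanding.discard(nonce)       # single use
        expected = hmac.new(SHARED_KEY, nonce + username, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)  # also fails if anything was modified


def client_response(username: bytes, nonce: bytes) -> bytes:
    """What the legitimate client sends back for a given challenge."""
    return hmac.new(SHARED_KEY, nonce + username, hashlib.sha256).digest()


def demo_static():
    """Returns (legitimate login accepted, replayed recording accepted)."""
    server = StaticTokenServer()
    on_the_wire = PASSWORD_TOKEN              # what a passive eavesdropper records
    return server.login(PASSWORD_TOKEN), server.login(on_the_wire)


def demo_challenge_response():
    """Returns (legitimate login accepted, replay accepted, modified message accepted)."""
    server = ChallengeResponseServer()
    alice = b"alice"
    nonce = server.challenge()
    response = client_response(alice, nonce)
    first = server.login(alice, nonce, response)            # fresh, valid
    replayed = server.login(alice, nonce, response)         # same bytes again: nonce consumed
    nonce2 = server.challenge()
    response2 = client_response(alice, nonce2)
    modified = server.login(b"carol", nonce2, response2)    # MITM changed the username: MAC mismatch
    return first, replayed, modified


if __name__ == "__main__":
    print("static token      (ok, replay):          ", demo_static())
    print("challenge/response (ok, replay, modified):", demo_challenge_response())
```

The static server returns (True, True): the recording is as good as the password. The challenge/response server returns (True, False, False). Note that the defence rests on two things the slide's scheme lacks: freshness (the nonce) and a keyed integrity check (the MAC); without the bookkeeping in `outstanding`, a nonce could be reused and the replay would succeed again.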
RISK MANAGEMENT

Information Security Process
1. Identify information assets
2. Describe security goals for assets
3. Characterize threats
4. Identify vulnerabilities
5. Assess risk
6. Apply controls

Information security and risk management
– What is risk?
– How do we manage risk?
– Risk management and standards
  • ISO 31000:2009 Risk Management
  • ISO 27005:2012 Information Security Risk Management
– Information Security Management Standards
  • ISO 27001:2006 InfoSec Management Systems
  • ISO 27002:2006 Code of practice for IS management

Information security & risk management
• Information security management involves asking questions like:
  – What needs to be protected?
  – Why does it need to be protected?
  – How can it be protected?
    • What does that cost?
    • How urgently is this required?
  – What happens if it is not protected?
• Organisations have limited resources (time, money, space) so making tradeoffs is necessary:
  – Can't afford to protect all assets against all possible threats
• Information security management involves risk management

What is risk?
• Definition in ISO 27005:2012 Information security risk management
• Risk: 'effect of uncertainty on objectives.'
  – Effect includes both positive and negative
  – Aspects of objectives to consider:
    • financial, health and safety, information security, environmental
  – May apply at different levels:
    • organizational, project, product, process
  – Information security risk expressed in terms of consequences and likelihood
    • Consequence: 'outcome of an event affecting objectives'
    • Likelihood: 'chance of something happening'

What is risk?
Infosec risk considers potential for threats and vulnerabilities to coincide and harm assets
[Diagram: a threat agent acting on a vulnerability gives the likelihood of event occurrence (sometimes called chance or risk); combined with the consequence of event occurrence, this gives the risk (sometimes called business risk)]
How do we manage risk?
Risk management process (from ISO 31000:2009)
• Establish the context
• Risk assessment:
  – Identify risks
  – Analyse risks
  – Evaluate risks
• Treat risks
• Throughout all steps: communicate and consult; monitor and review
Risk management process: Establish the context
• Establish the external context:
  • Relationship between organisation and external environment it operates in
• Establish the internal context:
  • Understand the organisation and its capabilities, goals and objectives
• Establish the risk management context:
  • Goals, objectives, strategies, scope and parameters of the area the risk management process is being applied to

Risk management process: Establish the context
• Define risk criteria (criteria against which risk is to be evaluated)
• For risk evaluation criteria consider:
  – Strategic value of the asset,
  – Criticality of the asset,
  – Legal, regulatory or contractual obligations,
  – Reputation
• For impact evaluation criteria consider:
  – Level of classification of asset, and type of breach (CIA)
  – Degree of impairment/disruption/loss of business
• For risk acceptance criteria consider:
  – What the timeframes will be
  – What level of risk is acceptable to organisation, etc.

Risk management process: Identify risks
• What can happen, where and when?
  – Identify plausible threats and existing vulnerabilities: combine these to identify events and potential consequences
• Why and how can it happen?
  – Consider causes and scenarios
• Tools and techniques:
  – Identify risks using
    • Checklists (from other standards documents)
    • Judgements based on experience (own and others)
    • Systems analysis
• Include all risks, whether they are under the control of the organisation or not.

Risk management process: Analyse risks
• Determine the magnitude of identified risks
• Types of analysis:
  • Qualitative
    – Uses descriptive scales (in words). Example:
      • Consequence: minor, moderate, major, catastrophic
      • Likelihood: rare, unlikely, possible, likely, almost certain
  • Semi-quantitative
    – Qualitative scales assigned numerical values
    – Can be used in formulae for prioritization (with caution!)
  • Quantitative
    – Use numerical values for both consequence (e.g. $$$) and likelihood (e.g. probability value)
Risk management process: Qualitative Risk Analysis: Example
Qualitative consequence scale example (increasing damage from bottom to top):

Measure       | Description
Major         | Major problems would occur and threaten the provision of important processes resulting in significant financial loss.
Moderate      | Services would continue, but would need to be reviewed or changed.
Minor         | Effectiveness of services would be threatened but dealt with.
Insignificant | Dealt with as a part of routine operations.

From Information Risk Management Best Practice Guide p19

Risk management process: Qualitative Risk Analysis: Example
Qualitative likelihood scale example (increasing probability from bottom to top):

Measure  | Description
High     | Is expected to occur in most conditions (1 or more times per year).
Medium   | The event will probably happen in most conditions (about once every 2 years).
Possible | The event should happen at some time (once every 5 years).
Unlikely | The event could happen at some time (once every 10 years).

Information Risk Management Best Practice Guide p19

Risk management process: Qualitative Risk Analysis: Example
Qualitative level of risk example: match consequences to likelihoods to determine levels of risk

[Risk matrix: rows = likelihood (High, Medium, Low, Unlikely), columns = consequence (Insignificant, Minor, Moderate, Major); each cell is rated E, H, M or L according to the legend below. The individual cell values are not recoverable in order from this extraction.]

Legend
E: extreme risk; immediate action required
H: high risk; senior management attention needed
M: moderate risk; management responsibility must be specified
L: low risk; manage by routine procedures
Risk management process: Evaluate risks
• Compare the level of risk found during risk analysis with the established risk criteria
• Decide which risks need treatment, and when
  – Prioritize list of risks for further action
    • Risks in low or moderate risk categories may be accepted without further treatment
    • High or extreme risks require immediate consideration of treatment possibilities

Risk management process: Treat risks
• Select options for modifying risks:
  – options for risk treatment with positive outcomes include:
    • Actively seek opportunity
    • Change the likelihood of opportunity to enhance the likelihood of beneficial outcome
    • Change the consequences to increase the extent of the gains
    • Sharing the opportunity
    • Retain the residual opportunity

Risk management process: Treat risks
• Select options for modifying risks:
  – options for risk treatment with negative outcomes include:
    • Avoid the risk
    • Reduce likelihood of negative outcome by:
      – Reducing the likelihood of the risk
      – Reducing the consequences
    • Share the risk
    • Retain the risk

Example risk assessment: effect of quantum computers on classical cryptography
• Context: a large bank uses RSA public key cryptography and AES encryption to secure communication over the public internet between its branches
• Identify risks: large-scale quantum computers will render RSA encryption completely insecure and impact key length of AES encryption

Example risk assessment: effect of quantum computers on classical cryptography
• Analyze risks:
  – consequence: major / moderate / minor / insignificant
  – likelihood: high / medium / possible / unlikely
• Evaluate risks: prioritize risks based on consequence × likelihood
• Treat high priority risks
  – Should the bank switch to QKD? post-quantum crypto?
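The qualitative analysis and evaluation steps above (consequence scale, likelihood scale, level-of-risk matrix and the accept-or-treat decision), applied to the bank example, as an added Python illustration that is not the lecture's own material. The lecture's matrix is an image, so the cell values used here are an assumption, chosen to be non-decreasing in both directions; the consequence and likelihood ratings assigned to the bank's two risks are likewise illustrative, not the lecture's answer. The block also accepts "Possible" as a synonym for the matrix row "Low", since the slides use both names, and includes the consistency check a practitioner would run on any hand-made matrix before trusting its prioritisation.

```python
"""Qualitative risk analysis and evaluation in the style of the lecture's
consequence scale, likelihood scale and E/H/M/L legend, applied to the
bank / quantum-computer example.

Added example (not the lecture's own material). ASSUMPTIONS: the matrix
cells below are assumed, chosen to be non-decreasing in both directions;
the ratings given to the bank's risks are illustrative.
"""
from dataclasses import dataclass

# Scales from the slides, listed in increasing order.
CONSEQUENCE = ["Insignificant", "Minor", "Moderate", "Major"]   # increasing damage
LIKELIHOOD = ["Unlikely", "Low", "Medium", "High"]              # increasing probability
# The slides' likelihood scale says "Possible" where the matrix row says "Low".
LIKELIHOOD_ALIASES = {"Possible": "Low"}

# ASSUMED matrix: RISK_MATRIX[likelihood][i] is the level for CONSEQUENCE[i].
RISK_MATRIX = {
    "High":     ["M", "H", "E", "E"],
    "Medium":   ["M", "M", "H", "E"],
    "Low":      ["L", "M", "M", "H"],
    "Unlikely": ["L", "L", "M", "M"],
}
SEVERITY = "LMHE"   # legend levels, least to most severe
LEGEND = {
    "E": "extreme risk; immediate action required",
    "H": "high risk; senior management attention needed",
    "M": "moderate risk; management responsibility must be specified",
    "L": "low risk; manage by routine procedures",
}
# Risk acceptance criterion (fixed when establishing the context): levels
# accepted without further treatment.
ACCEPTED_LEVELS = {"L", "M"}


def matrix_is_consistent(matrix=RISK_MATRIX) -> bool:
    """Sanity check for any matrix you plug in: the level must never drop as
    consequence or likelihood increases (a common error in hand-made
    matrices, one reason the slides say 'with caution!')."""
    for like in LIKELIHOOD:
        row = [SEVERITY.index(c) for c in matrix[like]]
        if row != sorted(row):
            return False
    for col in range(len(CONSEQUENCE)):
        column = [SEVERITY.index(matrix[like][col]) for like in LIKELIHOOD]
        if column != sorted(column):
            return False
    return True


def level_of_risk(consequence: str, likelihood: str) -> str:
    """Analyse: look up the level of risk for a consequence/likelihood pair."""
    likelihood = LIKELIHOOD_ALIASES.get(likelihood, likelihood)
    if consequence not in CONSEQUENCE:
        raise ValueError(f"unknown consequence rating: {consequence!r}")
    if likelihood not in RISK_MATRIX:
        raise ValueError(f"unknown likelihood rating: {likelihood!r}")
    return RISK_MATRIX[likelihood][CONSEQUENCE.index(consequence)]


@dataclass
class Risk:
    event: str
    consequence: str
    likelihood: str


def evaluate(risks):
    """Evaluate: rank risks from most to least severe and flag those whose
    level falls outside the acceptance criterion (they need treatment)."""
    scored = [(level_of_risk(r.consequence, r.likelihood), r) for r in risks]
    scored.sort(key=lambda pair: -SEVERITY.index(pair[0]))
    return [(lvl, r.event, lvl not in ACCEPTED_LEVELS) for lvl, r in scored]


# Constructed register for the slides' example: a bank using RSA and AES
# between branches. Ratings are illustrative assumptions, not the lecture's.
BANK_RISKS = [
    Risk("large-scale quantum computer renders RSA completely insecure", "Major", "Possible"),
    Risk("large-scale quantum computer impacts AES key length", "Moderate", "Possible"),
]


def assess_bank():
    return evaluate(BANK_RISKS)


if __name__ == "__main__":
    assert matrix_is_consistent()
    for lvl, event, treat in assess_bank():
        print(f"{lvl} ({LEGEND[lvl]}): {event} -> {'TREAT' if treat else 'accept'}")
```

With these assumed ratings the RSA risk lands at H and goes to the treatment step (the slide's QKD versus post-quantum question), while the AES risk lands at M and is accepted under the acceptance criterion. Changing either the matrix or the acceptance set changes the outcome, which is the point of defining the criteria before, not after, the analysis.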
Information Security Process
1. Identify information assets
2. Describe security goals for assets
3. Characterize threats
4. Identify vulnerabilities
5. Assess risk
   – Identify -> analyze -> evaluate risks
6. Apply controls