
CSE497b Introduction to Computer and Network Security - Spring 2007 - Professor Jaeger

Lecture 2 - Security Overview

CSE497b - Spring 2007 Introduction to Computer and Network Security

Professor Jaeger

www.cse.psu.edu/~tjaeger/cse497b-s07


Readings

• Books
  – Perlman et al
  – Gollmann
  – Both are listed on the calendar
• Readings
  – Please check the calendar for the class readings
  – Today
    • Gollmann Chs. 1 and 2
    • Next, Perlman Ch. 10, Gollmann Ch. 3


What is security?

• “the property that a system behaves as expected”
  – G. Spafford and many others ....
• Note that this does not say what a system should or should not do.
  – Implication: there is no universal definition or test for security (why?)
  – Apply this definition to the ATM
    • How do you think an ATM should behave?
    • What should it do?
    • What should it not do?
• We talk about expectations often in terms of confidentiality, integrity, and availability.


Risk

• At-risk valued resources that can be misused
  – Monetary
  – Data (loss or integrity)
  – Time
  – Confidence
  – Trust
• What does being misused mean?
  – Confidentiality (privacy or communication)
  – Integrity (personal or communication)
  – Availability (existential or fidelity)
• Q: What is at stake in your life?


Adversary

• An adversary is any entity trying to circumvent the security infrastructure
  – The curious and otherwise generally clueless (e.g., script-kiddies)
  – Casual attackers seeking to understand systems
  – Venal people with an ax to grind
  – Malicious groups of largely sophisticated users (e.g., chaos clubs)
  – Competitors (industrial espionage)
  – Governments (seeking to monitor activities)


Threats

• A threat is a specific means by which a risk can be realized by an adversary
  – Context specific (a fact of the environment)
  – An attack vector is a specific threat (e.g., key logger)
• A threat model is the collection of threats that are deemed important for a particular environment
  – i.e., the threats that should be addressed
  – A set of “security requirements” for a system
• Q: What were the (unaddressed) risks/threats in the introductory examples?
  – SQL Slammer
  – Yale/Princeton


Vulnerabilities (attack vectors)

• A vulnerability is a systematic artifact that exposes the user, data, or system to a threat
  – E.g., buffer overflow, WEP key leakage
• What is the source of a vulnerability?
  – Bad software (or hardware)
  – Bad design, requirements
  – Bad policy/configuration
  – System misuse
    • unintended purpose or environment
    • E.g., student IDs for liquor store


Are users adversaries?

• Have you ever tried to circumvent the security of a system you were authorized to access?

• Have you ever violated a security policy (knowingly or through carelessness)?


Attacks

• An attack occurs when someone attempts to exploit a vulnerability
• Kinds of attacks
  – Passive (e.g., eavesdropping)
  – Active (e.g., password guessing)
  – Denial of Service (DoS)
    • Distributed DoS: using many endpoints
• A compromise occurs when an attack is successful
  – Typically associated with taking over/altering resources


Participants

• Participants are expected system entities
  – Computers, agents, people, enterprises, …
  – Depending on context referred to as: servers, clients, users, entities, hosts, routers, …
  – Security is defined with respect to these entities
• Implication: every party may have a unique view
• A trusted third party
  – Trusted by all parties for some set of actions
  – Often used as introducer or arbiter


Trust

• Trust refers to the degree to which an entity is expected to behave
  – What is the entity not expected to do?
    • E.g., not expose password
  – What is the entity expected to do (obligations)?
    • E.g., obtain permission, refresh
• A trust model describes, for a particular environment, who is trusted to do what
• Note: you make trust decisions every day
  – Q: What are they?
  – Q: Whom do you trust?


Related Terminology

• Reliability - property of a system that indicates it will continue to function for long periods of time under varying circumstances
• Survivability - ability of a system to maintain function during abnormal or environmentally troubling events
• Privacy - the ability to stop information from becoming known to people other than those one chooses to give the information to
• Assurance - confidence that a system meets its security requirements
  – as typically evidenced by some evaluation methodology (FIPS 192, Common Criteria)


Security Model

• A security model is the combination of a trust model and a threat model that address the set of perceived risks
  – The “security requirements” used to develop some cogent and comprehensive design
  – Every design must have a security model
    • LAN network or global information system
    • Java applet or operating system
  – The single biggest mistake seen in the use of security is the lack of a coherent security model
  – It is very hard to retrofit security (design time)
• This class is going to talk a lot about security models
  – What are the security concerns (risks)?
  – What are the threats?
  – Who are our adversaries?
  – Whom do we trust, and to do what?
• Systems must be explicit about these things to be secure.


Review

• An adversary is a subject who tries to gain unauthorized access
• A threat is a mechanism that the adversary is capable of employing to gain unauthorized access
• A risk is a loss due to an adversary gaining unauthorized access
• A vulnerability is a flaw in a system that enables a threat to allow the adversary unauthorized access
• A threat model describes all the mechanisms available to the adversaries
• A trust model describes all the subjects that are trusted not to have vulnerabilities that can be abused or be adversaries
• A security model consists of a threat model and a trust model (functional and security goals as well)


Security Overview

• Security can be separated in many ways, e.g., by threats, sensitivity levels, domains
• This class will focus on three interrelated domains of security that encompass nearly all security issues
  1. Network Security
  2. Systems Security
  3. Program Security
• There are other areas, e.g., physical security, privacy, etc., that will not directly be covered.


Common problems in network security

• Network security attempts to protect communication between hosts carried by the (often untrusted) network.
  – Eavesdropping on communication (confidentiality)
  – Modifying communication (integrity)
  – Preventing communication (availability)
• Example: securing application traffic (Web)
  – Protecting it on the network (HTTP requests/responses)
  – As it passes through intermediaries (proxies)
  – In the server (from malicious requests)
  – Protecting the client (from malicious content)


Common problems in systems security

• Systems security attempts to protect data held on hosts and on (sometimes untrusted) storage.
  – Prevention of sensitive data leakage (confidentiality)
    • Also known as information flow governance
  – Prevention of data corruption (integrity)
  – Controlling data response (availability)
• Systems Security: Controlling Data Leakage
  – on disk (key in clear -- encrypt with pass phrase)
  – provide pass-phrase (window manager)
  – memory of program
  – swap memory to swap space
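As an added illustration of the two memory-side leakage points on this slide (the key sitting in program memory, and that memory being paged out to swap), not part of the lecture: a small C holder that pins the key's pages with mlock and wipes them through a volatile pointer before they go out of scope. The Secret type, its helper functions and the key bytes are constructed for this example.

```c
#include <errno.h>
#include <string.h>
#include <sys/mman.h>

#define KEY_LEN 32

/* Holder for a decrypted key; 'locked' records whether its pages are pinned. */
typedef struct {
    unsigned char key[KEY_LEN];
    int locked;
} Secret;

/* Pin the holder's pages in RAM so the kernel never writes the key to swap.
 * mlock can be refused (RLIMIT_MEMLOCK, containers), so return errno and let
 * the caller decide whether to continue without that guarantee. */
int secret_lock(Secret *s) {
    if (mlock(s, sizeof *s) != 0) { s->locked = 0; return errno; }
    s->locked = 1;
    return 0;
}

/* Overwrite through a volatile pointer so the compiler cannot drop the stores
 * as dead writes when the holder is about to go out of scope; then unpin. */
void secret_wipe(Secret *s) {
    volatile unsigned char *p = s->key;
    for (size_t i = 0; i < KEY_LEN; i++) p[i] = 0;
    if (s->locked) munlock(s, sizeof *s);
    s->locked = 0;
}

/* 1 if no key byte remains in the holder. */
int secret_is_wiped(const Secret *s) {
    unsigned char acc = 0;
    for (size_t i = 0; i < KEY_LEN; i++) acc |= s->key[i];
    return acc == 0;
}

/* Full lifecycle on a constructed key (in practice this buffer would be the
 * result of decrypting the on-disk key with the pass phrase). Returns 1 when
 * the key is present while in use and gone after the wipe. */
int demo_lifecycle(void) {
    static const unsigned char material[KEY_LEN] = "constructed-example-key-bytes!!";
    Secret s = { .locked = 0 };
    memcpy(s.key, material, KEY_LEN);
    secret_lock(&s);                         /* may fail in a sandbox; wipe still runs */
    int present = !secret_is_wiped(&s);
    secret_wipe(&s);
    return present && secret_is_wiped(&s);
}
```

Note that a wipe alone does not cover copies the program made elsewhere (registers, temporaries, other buffers), which is why the slide lists the program's memory as a leakage point in its own right.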


Common problems in program security

• Program security attempts to protect data received, held, and output on a (sometimes untrusted) host.
  – Prevention of sensitive data leakage (confidentiality)
    • Also known as information flow governance
  – Prevention of data corruption (integrity)
  – Controlling data access (availability)
• Example: Handling a Remote Request
  – process user request (authenticate, authorize)
  – data-driven attack from request
  – buffer overflows
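As an added example, not part of the lecture, of the request-handling steps on this slide in C: authenticate the token, authorize the action, then length-check the request data before it is copied into a fixed buffer, so a data-driven request cannot trigger the buffer overflow. The credential table, the policy, the REQ_* codes and the handle_request name are assumptions made for the illustration.

```c
#include <string.h>

#define NAME_MAX_LEN 16   /* fixed-size buffer the request's name field is copied into */

enum { REQ_OK = 0, REQ_AUTH_FAIL = 1, REQ_DENIED = 2, REQ_BAD_DATA = 3 };

/* Step 1, authenticate: map a presented token to a user. The credential
 * table is constructed for this example; a real service would consult a store. */
static const char *authenticate(const char *token) {
    static const struct { const char *tok, *user; } creds[] = {
        { "tok-alice", "alice" }, { "tok-bob", "bob" },
    };
    for (size_t i = 0; i < sizeof creds / sizeof creds[0]; i++)
        if (strcmp(token, creds[i].tok) == 0) return creds[i].user;
    return NULL;
}

/* Step 2, authorize (constructed policy): any user may read, only alice may write. */
static int authorize(const char *user, const char *action) {
    if (strcmp(action, "read") == 0) return 1;
    if (strcmp(action, "write") == 0) return strcmp(user, "alice") == 0;
    return 0;
}

/* Step 3, validate request data before it reaches the fixed buffer. A strcpy
 * here would overflow once the request carries NAME_MAX_LEN or more bytes; the
 * checked version rejects such input outright instead of truncating it. */
static int copy_name_checked(char dst[NAME_MAX_LEN], const char *src) {
    const char *end = memchr(src, '\0', NAME_MAX_LEN);
    if (end == NULL) return 0;                 /* no terminator within bounds */
    memcpy(dst, src, (size_t)(end - src) + 1);
    return 1;
}

/* Process one remote request (token, action, attacker-controlled name) and
 * return a REQ_* code; only a fully checked request reaches the action. */
int handle_request(const char *token, const char *action, const char *name_in) {
    char name[NAME_MAX_LEN];
    const char *user = authenticate(token);
    if (user == NULL) return REQ_AUTH_FAIL;
    if (!authorize(user, action)) return REQ_DENIED;
    if (!copy_name_checked(name, name_in)) return REQ_BAD_DATA;
    (void)name;                                /* the action on 'name' would run here */
    return REQ_OK;
}
```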


The remainder ....

• The remaining weeks will explore the design and use of these approaches
  – Always ask yourself what tools are appropriate for a particular environment.
  – For example, which of the preceding is appropriate for SPAM mitigation?
    • Authentication
    • Access Control
    • Transport/Data Security
    • Audit/Detection
  – What about protecting the confidentiality of your email?
• Next week: Passwords and Authentication