It is insufficient to protect ourselves with laws we need to protect ourselves with mathematics.

1

• It is insufficient to protect ourselves with
  laws we need to protect ourselves with
  mathematics.
• ---Bruce Schneier in Applied
  Cryptography,
• 
  pp xx

2
Security Planning
A Revision

• Components of security planning
•  assessing the threat,
•  writing a security policy a statement of what
  is allowed and what is not allowed assigning
  security responsibilities.
• Choosing the mechanism, tools and methodologies
  to implement the policy

3
Types of Attack A Revision

• Most Internet security problems are
• access control or
• authentication ones
• Denial of service is also popular, but mostly an
  annoyance
• Types of Attack
• A Passive attack can only observe communications
  or data
• An Active attack can actively modify
  communications or data
• Often difficult to perform, but very
  powerful
• Mail forgery/modification
• TCP/IP spoofing/session hijacking

4
Attackers

• External Attackers (through wired part of
  Internet) Class 1
• External Attackers (through wireless part of
  Internet) Class 2
• Internal Attackers (through wired segment of the
  LAN) Class 3
• Internal Attackers (through wireless segment of
  the LAN) Class 4

5
5 Stages of an Attack The first three

• Reconnaissance To find out about hosts, services
  and application versions
• high probability of
  detection
• Exploitation To enter the network to use the
  services (without legitimate authorization) or to
  subvert the services
• medium probability of
  detection
• Reinforcement To retrieve tools to elevate
  access rights and to hide the intrusion
• If tools are encrypted ? difficult to detect
• can be detected by keeping a watch on the
  outbound activity of servers

6
5 Stages of an Attack The last two

• Consolidation to communicate by using a secret
  channel (back-doors)
• may be detected through
  traffic profiling.
• Pillage to steal information or to damage the
  asset
• may be detected through traffic
  profiling.
• Reference for the last three slides
  Classification by Richard Bejtlich, The TAO of
  Network Security Monitoring, Addison Wesley,
  2005, pp45, pp 19

7
Additional terminology

• Shoulder Surfing A hacker reads, when the user
  is writing on a paper or when he is typing on a
  keyboard.
• Pulsing zombie A compromised computer (zombie),
  which is used for intermittently attacking other
  targets
• Snoop Server a server put in a promiscuous mode
  for accessing all the data in each network
  packet used for surveillance

8
Additional terminology continued

• Back Orifice a window application, which allows
  a hacker at one computer to control a remote
  computer written by a hackers group called the
  Cult of the Dead Cow
• War Driving Unauthorized access into the
  wireless net of a company by parking a car
  outside the building of the company
• Smurf attack DoS attack mounted through a ping
  addressed to an IP broadcast address the
  resultant echo may flood the net

9
Additional terminology continued 2

• Hacktivism intrusion done as a protest
  justified as free speech
• Rootkit the tools installed on a computer to
  hide the presence of an intruder
• Symantec Definition A rootkit is a component
  that uses stealth to maintain a persistent and
  undetectable presence on a computer. "Actions
  performed by a rootkit, such as installation and
  any form of code execution, are done without
  end-user consent or knowledge." -- Ryan
  Naraine, When's a Rootkit Not a Rootkit? In
  Search of Definitions, eWeek, Jan18, 2006
• Pete Allor, director of operations, IT-ISAC
• ( Information Sharing and Analysis Center)
  working on a definition of Rootkit.

10
Security TheoriesRef Matt Bishop, Computer
Security Art Science, Addison-Wesley 03

• Given A computing system ( with computers,
  networks etc)
• To Find Is it (provably) secure?
• Answers
• 1976 Harrison, Ruzzo and Ullman In the most
  general abstract case, the security of computer
  systems was undecidable.
• Reference M. Harrison, W. Ruzzo and J. Ullman,
  Protection in Operating Systems, Communications
  of the ACM 19 (8), pp.461-471 (Aug. 1976).

11
Security Theories Answers continued

• Jones, Lipton and Snyder presented a specific
  system, in which security was decidable --- in
  a time period, which increased linearly with the
  size of the system.
• Reference A. Jones, R. Lipton and L. Snyder, A
  Linear-Time Algorithm for Deciding Security,
  Proceedings of the 17th Symposium on the
  Foundations of Computer Science, pp.33-41 (Oct.
  1976).

12
Security Theories Answers continued 2

• Minsky presented a model to examine why in the
  general case the security was undecidable and in
  a specific case it was.
• Reference N. Minsky, Selective and Locally
  Controlled Transport of Priveleges, ACM
  Transactions on Programming Languages and Systems
  6 (4), pp.573-602 (Oct. 1984).
• Sandhu Extended the Minsky model and presented
  further insights.
• Reference R. Sandhu, The Schematic Protection
  Model Its Definition and Analysis for Acyclic
  Attenuating Schemes, Journal of the ACM 35 (2),
  pp.404-432 (Apr. 1988).

13
Security Policy

• Study needs of an organization
• ? Security Policy
• ? Mechanism
• -- Procedural
• -- Technical
• -- Physical

14
Definitions

• Consider a computer system as a FINITE STATE
  AUTOMATON with Transition Functions that change
  state.
• Security Policy A statement that partitions the
  system into sets of
• authorized or secure states (called S in slide
  38)
• unauthorized or secure states. (P S)
• A Secure System One that starts in an authorized
  state and cannot enter an unauthorized state.
• A Security Incident When a system enters an
  unauthorized state.

15
Definitions Confidentiality
and Integrity

• X a set of entities I some information or
  resource
• I has the property of confidentiality wrt X, if
  no member of X can obtain information about I.
• I has the property of integrity wrt X, if all
  members of X trust I.

16
TRUST

• Trust that
• Conveyance and storage of I does not change the
  information or its trustworthiness ? Data
  Integrity
• I is correct and unchanged, if I is information
  about the origin of some thing or about
  identification of an entity ? Authentication
• The resource functions correctly, if I is a
  resource rather than information ? Assurance

17
Definitions
Availability

• X a set of entities I some resource
• I has the property of availability wrt X, if all
  members of X can access it.
• Meaning of access depends upon
• needs of members of X
• nature of resource
• use to which the resource is put

18
Security Policy Confidentiality,
Integrity

• The policy considers the issues of CIA as
  follows
• confidentiality
• During information flow
• For environment, which changes with time
• ( Example a contractor bound by non-disclosure
  agreement, during the period of contract)
• Integrity
• Authorized ways of altering information
• Entities authorized to alter it
• Principle of separation of duties

19
Security Policy Availability

• Availability
• Services that must be provided
• Parameters within which the services will be
  accessible
• (Example A browser may download web pages but
  not java applets.)
• QoS issues
• Assumptions The context of the policy
• laws,
• organizational policies and
• other environmental factors

20
Example Policy vs. Mechanism

• University Rule No cheating is allowed.
• School of CS Procedures Students should write
  the programs on the School computers and every
  such file should be read-protected so that other
  students are not able to read it.
• Example A forgets to read-protect his file. B
  copies it. The copying is caught.
• B claims The policy does not prohibit copying of
  a file. So he is not guilty. The policy says that
  one should read-protect the file. So A is guilty.
• IS B GUILTY?
• A security mechanism an entity or procedure to
  enforce some part of policy.

21
Security Models

• Security Model
• represents a policy or a set of policies.
• Helps analyze specific characteristics of
  policies.
• No single non-trivial analysis can cover all
  policies.
• By restricting the class of policies, a
  meaningful analysis may be possible.

22
Confidentiality Policies Bell-LaPadula Model
Ref D.Bell, L.LaPadula, Secure Computer System
Mathematical Foundations, Technical Report
MTR-2547, Vol. I, MITRE Corporation, Bedford, MA
(Mar. 1973)

• Confidentiality classification linearly ordered
  sensitivity levels
• Subject security clearance
• Object security classification
• Goal To prevent read access to objects at a
  security classification higher than the subjects
  clearance.
• McLeans questions about B-P model (and the B-P
  responses) essentially led to the IEEE Computer
  Security Fundamentals Workshops.

23
Research the Theory of Security Systems

• June 1988 First IEEE Computer Security
  Foundations Workshop held at The Franconia Inn,
  New Hampshire ( The Workshop referred to as
  Franconia even today).
• (The preface of the Proceedings, written by
  the workshop Chair, Jonathan Millen, refers to
  another workshop on the Foundations of Secure
  Computation 1977.)
• 19th IEEE Computer Security Foundations Workshop
  (CSFW 19), July 5 - 7, 2006, Venice, Italy,
  sponsored by the Technical Committee on Security
  and Privacyof the IEEE Computer Society

24
Integrity Policies Biba Integrity Model Ref
K.Biba, Integrity Considerations for Secure
Computer Systems, Technical Report MTR-3153,
MITRE Corporation, Bedford, MA (Apr. 1997).

• Goal of the model To find answers to Has the
  integrity of a piece of software or of data, on
  which the software relies, been compromised? for
  software, that exhibit specific properties.
• Principle of separation of duties, wherever two
  or more steps are required for a critical
  function
• Principle of separation of functions
• (Ex. Development, testing, deployment,
  certification)
• Requirements of auditing, extensive logging,
  recovery and accountability

25
The Biba Integrity Model

• S a set of subjects O a set of objects
• I a set of integrity levels.
• s ? S can read o ? O, iff i(s) i(o).
• s ? S can write to o ? O, iff i(o) i(s).
• s1 ? S can execute s2 ? S , iff i(s2) i(s1).

26
Data Access Controls Privacy issues

• Mandatory Access Controls (MACs)
• Discretionary Access Controls (DACs)
• Many questions?
• Should MACs or DACs be exercised by the owner,
  the originator, the creator or all?
• Are temporal changes required in access rights?
• Conflict of Interest issues