SECURITY ENGINEERING
Chandra Prakash Assistant Professor LPU
Course Overview
Textbook:
Security Engineering, Ross J. Anderson, Wiley
Biometrics for Network Security, Paul Reid, Prentice Hall
(plus research papers from the literature)
Related Sites
http://freevideolectures.com/Course/2383/Computer-SystemEngineering/18
Book page: http://www.cl.cam.ac.uk/~rja14/book.html
Aims
Give you a thorough understanding of information security technology:
Policy (what should be protected)
Mechanisms (cryptography, electrical engineering, ...)
Attacks (malicious code, protocol failure, ...)
Assurance: how do we know when we're done?
How do we make this into a proper engineering discipline?
Objectives
By the end of the course, you should be able to tackle an information protection problem by drawing up a threat model, formulating a security policy, and designing specific protection mechanisms to implement the policy.
Objectives
Software Engineering: usability, performance, timely completion, reliability, flexibility
Security Engineering: customized access control and authentication based on the privilege levels of users, traceability and detection, accountability, non-repudiation, privacy, confidentiality, and integrity
Objectives (contd)
Current software engineering processes do not provide enough support to achieve security goals; unification of the process models of software engineering and security engineering is required.
The objective of security engineering is to design a software system that meets both its security objectives and its application objectives.
The digital world behaves differently to the physical world:
Everything in the digital world is made of bits
Bits have no uniqueness
It's easy to copy bits perfectly
Therefore, if you have something, I can copy it: information, privileges, identity, media, software, digital money
Much of information security revolves around making it hard to copy bits
Objectives
To introduce issues that must be considered in the specification and design of secure software
To discuss security risk management and the derivation of security requirements from a risk analysis
To describe good design practice for secure systems development
To explain the notion of system survivability and to introduce a method of survivability analysis
Security engineering
Tools, techniques and methods to support the development and maintenance of systems that can resist malicious attacks that are intended to damage a computer-based system or its data. A sub-field of the broader field of computer security. Security engineering is about building systems to remain dependable in the face of malice, error and mischance. As a discipline, it focuses on the tools, processes and methods needed to design, implement and test complete systems, and to adapt existing systems as their environment evolves.
Design Hierarchy
What are we trying to do? Policy
How? Protocols
With what? Hardware, crypto, ...
System layers
Application
Reusable components and libraries
Middleware
Database management
Generic, shared applications (browsers, e-mail, etc.)
Operating system
Application/infrastructure security
Application security is a software engineering problem where the system is designed to resist attacks. Infrastructure security is a systems management problem where the infrastructure is configured to resist attacks.
Security Concepts
Asset: A system resource that has a value and has to be protected.
Exposure: The possible loss or harm that could result from a successful attack. This can be loss or damage to data, or can be a loss of time and effort if recovery is necessary after a security breach.
Vulnerability: A weakness in a computer-based system that may be exploited to cause loss or harm.
Attack: An exploitation of a system's vulnerability. Generally, this is from outside the system and is a deliberate attempt to cause some damage.
Threat: Circumstances that have potential to cause loss or harm. You can think of these as a system vulnerability that is subjected to an attack.
Control: A protective measure that reduces a system's vulnerability. Encryption would be an example of a control that reduced a vulnerability of a weak access control system.
Security Requirements
Everything you have been taught so far in engineering revolves around building dependable systems that work.
Typically, engineering efforts are associated with ensuring that something does happen, e.g. John can access this file.
Security engineering traditionally revolves around building dependable systems that work in the face of a world full of clever, malicious attackers.
Typically, security has been about ensuring that something can't happen, e.g. the Chinese government can't access this file.
Security Vs Dependability
Dependability = reliability + security
Reliability and security are often strongly correlated in practice
But malice is different from error!
Reliability: Bob will be able to read this file
Security: the Chinese government won't be able to read this file
Proving a negative can be much harder
Framework
Security Engineering Analysis Framework
Policy: what you're supposed to achieve.
Mechanism: the ciphers, access controls, hardware tamper-resistance and other machinery that you assemble in order to implement the policy.
Assurance: the amount of reliance you can place on each particular mechanism.
Incentive: the motive that the people guarding and maintaining the system have to do their job properly, and also the motive that the attackers have to try to defeat your policy.
ATMs
Most likely threat: petty thieves
Goal: authentication of customers, resist attack
Internet banking
Most likely threat: hacking the website or account
Goal: authentication and availability
Safe
Threat: physical break-ins, stealing the safe
Goal: physical integrity, difficult to transport, slow to open
Military communications
Electronic warfare systems
Objective: jam enemy radar without being jammed yourself
Goal: covertness, availability
Result: countermeasures, counter-countermeasures, etc.
Military communications
Objective: low probability of intercept (LPI)
Goal: confidentiality, covertness, availability
Result: spread spectrum communications, etc.
Compartmentalisation
Objective example: logistics software, where administration of boot polish is kept separate from that of Stinger missiles
Goal: confidentiality, availability, resilience to traffic analysis?
Risk Analysis
Risk Impact Matrix
Cell value = risk rating (1 = severe ... 7 = trivial); rows = impact, columns = likelihood

Impact      Certain  Likely  Moderate  Unlikely  Rare
Extreme        1       1        2         3       4
High           1       2        3         4       5
Medium         2       3        4         5       6
Low            3       4        5         6       7
Negligible     4       5        6         7       7

Rating legend:
1 severe: must be managed by senior management with a detailed plan
2 high: detailed research and management planning required at senior levels
3 major: senior management attention is needed
4 significant: management responsibility must be specified
5 moderate: manage by specific monitoring or response procedures
6 low: manage by routine procedures
7 trivial: unlikely to need specific application of resources
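The matrix above is easiest to use as the scoring rule of a small risk register. The following is an added example written for these notes, not code from the slides or from Anderson's book: it embeds the slide's matrix and legend verbatim, scores a constructed register of (asset, threat, impact, likelihood) rows worst-first, and includes a consistency check that a practitioner editing the matrix would want (a risk must never become less urgent as impact or likelihood grows). The sample register entries are constructed for illustration.

```python
"""Risk register scored with the slide's risk-impact matrix (added example)."""
from typing import Dict, List, Tuple

IMPACT = ["Extreme", "High", "Medium", "Low", "Negligible"]         # matrix rows
LIKELIHOOD = ["Certain", "Likely", "Moderate", "Unlikely", "Rare"]  # matrix columns

# Cell values copied from the slide: 1 = severe ... 7 = trivial.
MATRIX = [
    [1, 1, 2, 3, 4],  # Extreme
    [1, 2, 3, 4, 5],  # High
    [2, 3, 4, 5, 6],  # Medium
    [3, 4, 5, 6, 7],  # Low
    [4, 5, 6, 7, 7],  # Negligible
]

# Management response per rating, from the slide's legend.
RESPONSE: Dict[int, Tuple[str, str]] = {
    1: ("severe", "must be managed by senior management with a detailed plan"),
    2: ("high", "detailed research and management planning required at senior levels"),
    3: ("major", "senior management attention is needed"),
    4: ("significant", "management responsibility must be specified"),
    5: ("moderate", "manage by specific monitoring or response procedures"),
    6: ("low", "manage by routine procedures"),
    7: ("trivial", "unlikely to need specific application of resources"),
}


def rate(impact: str, likelihood: str) -> int:
    """Return the 1..7 rating for an (impact, likelihood) pair.
    list.index raises ValueError on a label that is not on the scale."""
    return MATRIX[IMPACT.index(impact)][LIKELIHOOD.index(likelihood)]


def matrix_is_consistent(matrix: List[List[int]] = MATRIX) -> bool:
    """Sanity check for an edited matrix: moving right (less likely) or down
    (less impact) must never give a worse (numerically smaller) rating, so
    every row and every column must be non-decreasing."""
    rows_ok = all(row[k] <= row[k + 1]
                  for row in matrix for k in range(len(row) - 1))
    cols_ok = all(matrix[k][c] <= matrix[k + 1][c]
                  for c in range(len(matrix[0])) for k in range(len(matrix) - 1))
    return rows_ok and cols_ok


def prioritise(register: List[Tuple[str, str, str, str]]) -> List[Tuple[int, str, str, str, str]]:
    """Score each (asset, threat, impact, likelihood) row and return
    (rating, asset, threat, label, action) tuples, worst risk first.
    The sort is stable, so equally rated rows keep their register order."""
    scored = []
    for asset, threat, impact, likelihood in register:
        rating = rate(impact, likelihood)
        label, action = RESPONSE[rating]
        scored.append((rating, asset, threat, label, action))
    scored.sort(key=lambda row: row[0])
    return scored


# Constructed sample register (hypothetical assets and threats, not from the slides).
SAMPLE_REGISTER = [
    ("customer database", "web application compromise", "High", "Likely"),
    ("payroll system", "insider alters salary records", "High", "Unlikely"),
    ("office printer", "paper jam", "Negligible", "Certain"),
    ("ATM network", "card skimming by petty thieves", "Medium", "Certain"),
]

if __name__ == "__main__":
    assert matrix_is_consistent(), "matrix has a cell that lowers urgency"
    for rating, asset, threat, label, action in prioritise(SAMPLE_REGISTER):
        print(f"{rating} {label:<11} {asset:<18} {threat:<32} {action}")
```

Running the block prints the register worst-first; the two rating-2 ("high") entries come before the rating-4 ("significant") ones. The consistency check is worth keeping in any tooling around a risk matrix, because a hand-edited cell that breaks monotonicity silently misprioritises every register scored with it.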
plus infrastructure, e.g. PC, operating system, communications
plus applications, e.g. web server, payroll system
plus IT staff
plus users and management
plus customers and external users
plus partners, vendors
plus the law, the media, competitors, politicians, regulators
Aspects of security
Authenticity: proof of a message's origin; integrity plus freshness (i.e. the message is not a replay)
Confidentiality: the ability to keep messages secret (for time t)
Integrity: messages should not be able to be modified in transit; attackers should not be able to substitute fakes
Non-repudiation: the sender cannot deny that a message was sent (related to authenticity)
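The "integrity plus freshness" definition of authenticity is the one most often got wrong in practice, so here is an added example (written for these notes, not code from the slides) that makes the two halves concrete with standard-library primitives only: a shared-key HMAC-SHA256 tag over a counter and payload gives integrity, and a receiver that insists on strictly increasing counters gives freshness. The key, message layout and counter rule are assumptions of the example, not a standard protocol; the tampered and replayed messages used to exercise it are constructed inline.

```python
"""Authenticity = integrity (MAC) + freshness (monotonic counter). Added example."""
import hashlib
import hmac
import struct
from typing import Optional, Tuple

# Constructed demo key for this example only; real keys come from key management.
KEY = b"demo-shared-key-not-for-production"
HEADER_LEN = 8    # big-endian 64-bit message counter
TAG_LEN = 32      # HMAC-SHA256 output


def protect(counter: int, payload: bytes, key: bytes = KEY) -> bytes:
    """Build a message as counter || payload || tag, where the tag is
    HMAC-SHA256 over counter and payload. Covering the counter with the tag
    is what stops an attacker from re-labelling an old message as new."""
    header = struct.pack(">Q", counter)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


class Receiver:
    """Checks integrity first, then freshness, and reports which one failed."""

    def __init__(self, key: bytes = KEY) -> None:
        self.key = key
        self.last_counter = -1   # highest counter accepted so far

    def accept(self, msg: bytes) -> Tuple[Optional[bytes], str]:
        if len(msg) < HEADER_LEN + TAG_LEN:
            return None, "malformed"
        header, payload, tag = msg[:HEADER_LEN], msg[HEADER_LEN:-TAG_LEN], msg[-TAG_LEN:]
        expected = hmac.new(self.key, header + payload, hashlib.sha256).digest()
        # Constant-time comparison: a byte-by-byte '==' leaks how many tag
        # bytes matched through timing.
        if not hmac.compare_digest(tag, expected):
            return None, "integrity failure"     # modified or fabricated (or wrong key)
        (counter,) = struct.unpack(">Q", header)
        if counter <= self.last_counter:
            return None, "replay"                # genuine but already seen
        self.last_counter = counter
        return payload, "ok"


def demo() -> list:
    """Drive the receiver through a fresh message, a replay, a tampered copy
    and a message under the wrong key; returns the verdicts in order."""
    rx = Receiver()
    fresh = protect(1, b"transfer 10")
    tampered = bytearray(fresh)
    tampered[HEADER_LEN] ^= 0x01                 # flip one bit of the payload
    wrong_key = protect(2, b"transfer 10", key=b"some-other-key")
    return [
        rx.accept(fresh)[1],                     # "ok"
        rx.accept(fresh)[1],                     # "replay": same counter again
        rx.accept(bytes(tampered))[1],           # "integrity failure"
        rx.accept(wrong_key)[1],                 # "integrity failure"
        rx.accept(protect(2, b"transfer 10"))[1] # "ok": counter advanced
    ]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

Two things the example deliberately does not provide, matching the slide's separation of properties: confidentiality (the payload is sent in the clear; encryption is a separate mechanism) and non-repudiation (both ends hold the same key, so either could have produced the tag; that property needs a digital signature rather than a MAC).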
Passive attacks
Those that do not involve modification or fabrication of data; examples include eavesdropping on communications
Interception: an unauthorised party gains access to an asset
Release of message contents: an attack on confidentiality
Traffic analysis: an attack on covertness
Active Attacks
Those which involve some modification of the data stream or creation of a false stream
Fabrication: an unauthorised party inserts counterfeit objects into the system; examples include masquerading as an entity to gain access to the system. An attack on authenticity.
Interruption
An asset of the system is destroyed or becomes unavailable or unusable; examples include denial-of-service attacks on networks. An attack on availability.
Modification
An unauthorised party not only gains access to but tampers with an asset; examples include changing values in a data file or a virus. An attack on integrity.
Definitions
Secrecy
A technical term which refers to the effect of actions to limit access to information
Confidentiality
An obligation to protect someone or some organization's secrets
Privacy
The ability and/or right to protect the personal secrets of you or your family; including invasions of your personal space Privacy does not extend to corporations
Anonymity
The ability/desire to keep a message's source and destination confidential
Trust
A trusted system is one whose failure can break security policy. A trustworthy system is one which won't fail. An NSA employee caught selling US nuclear secrets to a foreign diplomat is trusted but not trustworthy. In information security, trust is your enemy.
Case Study
Voting Do electronic voting machines meet the reasonable expectations of society to provide a technology that is trustworthy and cost effective?
Expectations of Voting
Vote is by secret ballot: confidentiality
The vote should be correctly tallied; all votes cast should be counted in the election: integrity
Every eligible voter who presents themselves at the polling place should be able to vote: availability
Voting Mechanisms
Paper ballot in a ballot box (or by mail); may be implemented as a scan form
Punch cards
Mechanical voting machines
Direct Recording Electronic
Voter-verifiable paper audit trail
Evaluating mechanisms
How do we evaluate these options? Evaluation must be relevant to a threat model
Key points
Security engineering is concerned with how to develop systems that can resist malicious attacks
Security threats can be threats to confidentiality, integrity or availability of a system or its data
Design for security involves architectural design, following good design practice and minimizing the introduction of system vulnerabilities
Key issues when designing a secure architecture include organizing the structure to protect assets and distributing assets to minimize losses
General security guidelines sensitise designers to security issues and serve as review checklists
References
Stallings
Interesting Websites
http://www.csl.sri.com/users/neumann/illustrative.html
http://www.packetstormsecurity.org
http://www.securityfocus.com
http://www.digicrime.com
http://www.cryptome.org
http://www.phrack.org
http://www.eff.org