Introduction to computer and network security, Session 1


Upload: dangquynh

Post on 07-Feb-2017


Page 1

Introduction to computer and network security

Session 1 : Introduction and definition of main concepts

Jean Leneutre

[email protected]

Tel.: 01 45 81 78 81

Page 2

I- Introduction Context Security trends in the US

Picture taken from "CSI/FBI 2010-11, Computer crime and security survey", http://www.gocsi.com/

Page 3

I- Introduction Context Security trends in the US

Picture taken from "CSI/FBI 2008, Computer crime and security survey", http://www.gocsi.com/

Page 4

I- Introduction Context Common computer exploits

Common exploits (http://cwe.mitre.org/documents/vuln-trends/)

Cross-site scripting

Buffer overflow

SQL injection

PHP remote file inclusion

Directory traversal

Information leak

DoS caused by Malformed input

Symbolic link following

Format string vulnerability

Cryptographic error

Page 5

I- Introduction Context Evolution of security (1/2)

- Security in the military domain (communications)
  - Jamming
  - Confidentiality of messages through the use of cryptology (Enigma machine)
- System security
  - MULTICS: "computer security by design"
  - "Orange Book" (TCSEC, DoD, 1983)
- Distributed system security
  - Kerberos (Athena project 1983-91)
- Advances in cryptology
  - DES (symmetric, 1976), then RSA (asymmetric, 1977)
- Network security
  - Public Key Infrastructures (PKIs)
  - Security protocols (IPSEC in 1995, SSL in 1996, …) and architecture (firewalls, VPNs, IDSs, …)

Page 6

I- Introduction Context Evolution of security (2/2)

- Introduction of trusted modules/devices
  - Smartcards
- Content security
  - DRM (Digital Rights Management), Steganography (Watermarking)
- Security nowadays
  - Identity Federation, "Single-Sign-On" (SSO)
  - Evolution of cryptology (AES, elliptic curves, hash functions, …)
  - Trusted Computing (TPM)
  - Information privacy (RFID)
  - Cloud Computing security
- Security in the future
  - Security of open and mobile systems: vehicular networks (VANETs)
  - Quantum cryptography?

Page 7

I- Introduction Perimeter of security Security vs. Safety

- Security (« Sécurité »)
  - Security = Confidentiality + Integrity + Availability
  - Protect information against intentional and non-intentional threats (viruses, Trojans, user errors, …)
  - Assets
    - Immaterial entities (contents and services)
    - Material entities linked to the Information System (IS)
- Safety (« Innocuité »)
  - Protect against harmful events
  - Assets
    - Security of humans
    - Tangible possessions

Page 8

I- Introduction Perimeter of security Security vs. Dependability

- Dependability (« Sûreté de Fonctionnement »)
  - Definition: Dependability = integrity + availability + safety + reliability + maintainability

[Figure: SECURITY and DEPENDABILITY shown as overlapping sets of properties: Confidentiality, Integrity, Availability, Safety, Reliability, Maintainability]

Page 9

I - Introduction Perimeter of security Security of information system vs computer security

- Information System:
  - An Information System is the set of entities that store, process, manage, and distribute information in an organisation.
  - Entities = personnel, data, hardware, software, …
- Information System Security includes:
  - Computer and network security
  - Physical security (buildings)

Page 10

I- Introduction Perimeter of security Potential targets

- Information System
  - From state institutions, or private enterprises
- Networks
  - Home networks
  - LANs
  - Wireless networks: WiFi, WiMax, Bluetooth, RFID
- Telecom networks
  - Telephone network
  - Mobile phone networks (GSM, GPRS, UMTS)
- Broadcasting networks
  - Television, Satellite networks, localisation networks (GPS)

Page 11

I- Introduction Security sectors

- Different sectors of security in France with their own requirements
  1. Restricted sector with classified data (« secteur réglementé »)
     - « Secret de Défense »: French ministry of Defence, SGDN (Secrétariat Général de la Défense et de la sécurité Nationale), …
  2. Non restricted but controlled sector
     - Sensitive sectors: companies working with Ministry of Defence (Thales, Dassault, …)
  3. Non restricted and non controlled sector (sensitive but non classified data)
     - All the other activity sectors

Page 12

I- Introduction Objectives of the course

- Introduction of the fundamental concepts of Information Security + Presentation of the main vulnerabilities/attacks (lecture 1 & practical session 1)
- Introduction to cryptography (lecture 2 & practical session 2)
- Presentation of authentication function and mechanisms (lesson 3)
- Presentation of Access control models and mechanisms (lesson 4)

Reference Book:
- Dieter Gollmann, Computer Security, 2nd edition, Wiley, 2006, ISBN 0 470 86293 9.

Page 13

Outline

I- Introduction

II- Definitions

III- Vulnerabilities and attacks

Page 14

II- Definitions 1. Security properties

- Usual definition: Security = set of properties including at least
  - Confidentiality (« Confidentialité »): no non-authorized disclosure of information
  - Integrity (« Intégrité »): no non-authorized modification of information
  - Availability (« Disponibilité »): no non-authorized retention of information or resources
- In one sentence
  - No non-authorized actions
  → Authorized actions are defined in the security policy

Page 15

II- Definitions 1. Security properties

- Confidentiality
  - No non-authorized disclosure of information
    - Only authorized entities are able to observe information
    - Access operations: read, print, list a directory, …
    - Examples: confidentiality of a text, confidentiality of a network flow, …
    - Attacks: eavesdropping, password cracking, cryptanalysis of a ciphering algorithm, …
  - Secrecy / Privacy (« Intimité »)
    - Confidentiality of personal information in the latter case

Page 16

II- Definitions 1. Security properties

- Integrity
  - No non-authorized modification of information
    - Only authorized entities are able to modify information
    - Access operations: write, delete, creation, change status, …
    - Examples: integrity of a message, integrity of a program, integrity of a database, …
    - Attacks: insertion of a virus, modification of an access control list, …
  - Several meanings depending on the context
    - No modification: integrity of communications (detection and correction of modifications due to transmission errors or intentional manipulation)
    - Modifications must satisfy some properties: integrity of relations in a database (consistency), integrity of a variable in a program, …
    - Modifications must only be performed by trusted entities (human, process)

Page 17

II- Definitions 1. Security properties

- Availability
  - No retention of information or resources
    - Authorized entities can obtain information or use a resource
    - Access type: execute, download, …
    - Example: availability of a server, availability of a network
    - Attacks: jamming attack in a wireless network, Denial of Service (DoS) caused by a flooding attack on a server, …
  - Several aspects
    - Presence of information or usability of services
    - Ability to answer a request
    - Ability to answer a request in bounded time
    - Fairness in resource allocation
  - Usually in security
    - Availability = no Denial of Service

Page 18

II- Definitions 1. Security properties

- Interdependencies between confidentiality, integrity & availability
  - Mutual exclusion
    - Example: a strong confidentiality protection based on robust cryptographic mechanisms may impact availability
  - Causality relation
    - Example: integrity must be a pre-requisite to ensure confidentiality
    - An attacker may bypass read access control mechanisms to files by modifying an access control table used by the OS

[Figure: diagram linking Integrity, Availability and Confidentiality]

Page 19

II- Definitions 1. Security properties

- Other security properties
  - Accountability (« Imputabilité »): to be able to determine who is responsible for any action against the security policy
    - Requires Auditability: to be able to trace the events impacting security during a given period
    - Requires user Identification/Authentication
  - Non-repudiation: to be able to provide a proof that an action has been performed by a given entity
    - Impossibility for an entity to deny the reception or emission of a message
    - Requires use of digital signatures and time-stamps

Page 20

II- Definitions 1. Security properties

- Properties related to dependability
  - Reliability (« Fiabilité »)
    - Capacity of a system to provide a correct service
    - Characterized by the probability that a component or the system works on a time interval [0,t]
    - Metrics: Mean Time Between Failures (MTBF)
  - Maintainability (« Maintenabilité »)
    - Capacity of a system to work again after a fault
    - Metrics: Mean Time To Repair (MTTR)

Page 21

II- Definitions 1. Security properties

- How to assess security?
  - Quantitative approach
    - Use the number of vulnerabilities already detected and the time required for detection to predict the discovery time for the next vulnerability
    - Measure the attack surface of a system (number of interfaces, number of dangerous instructions used in a code, …)
    → Quantitative approaches are rarely used to assess security
  - Qualitative approach
    - Risk analysis: assess the risks that threaten assets
    → Methods: EBIOS (DCSSI), MEHARI (CLUSIF), CRAMM, OCTAVE, …

Page 22

II- Definitions 2. Asset, vulnerability, threat and risk

- Asset (« Actif » or « Bien »): everything which has a value
  - Medium assets or entities
    - Hardware
    - Software
    - Include also locations (server room) and humans (system administrator)
  - Essential assets
    - Information
      - example: a list of names
    - Function processing information
      - example: a ciphering algorithm
- Asset valuation
  - Supposing the asset is compromised
    - Medium asset: financial cost
    - Essential assets: Impact (loss of reputation, loss of competitive advantage, …)

Page 23

II- Definitions 2. Asset, vulnerability, threat and risk

- Vulnerability
  - Security flaw in a component of the system (medium asset)
    - Problem in the requirements, functional specification, design, implementation or during the deployment
  - Examples:
    - Program with known flaws (no verification of buffer size)
    - Account providing privileges, with password set at default value
  - Principle of the weakest link in a chain (Principe du maillon faible):
    - vulnerability level of a system = vulnerability level of its weakest component (easier to exploit for the attacker)
  - Vulnerability analysis: find the vulnerabilities in a system
    - Vulnerability databases: CERTs (Computer Emergency Response Teams, http://www.cert.org), SANS (http://www.sans.org)
    - Vulnerability scanner: tool automating the identification of vulnerabilities using a vulnerability database (example: Nessus)

Page 24

II- Definitions 2. Asset, vulnerability, threat and risk

- Source of a threat
  - Type
    - Human origin (user or hacker), natural origin (river, …)
    - Non intentional cause or intentional cause (attacker)
    - Internal vs. external
  - Attacker model or Attacker potential (in case of an intentional origin)
    - Motivation
    - Expertise (technical skills, …)
    - Available resources (financial resources, time, exploits, …)

Page 25

II- Definitions 2. Asset, vulnerability, threat and risk

- Threat (Menace)
  - Method used by the source of the attack
    - Intentional threat = attack
    - Non intentional threat = errors
  - Examples:
    - Eavesdropping
    - River flooding
    - Buffer overflow attack, …

Page 26

II- Definitions 2. Asset, vulnerability, threat and risk

- Attack types
  - Passive attack:
    - Attack only requiring interception
  - Active attack:
    - Attack requiring interruption or modification or forging
- Steps during an attack:
  - Information gathering
  - Identification of vulnerabilities
  - Implementation and execution of the attack

Page 27

II- Definitions 2. Asset, vulnerability, threat and risk

- Threat scenario
  - Scenario with a likelihood, grouping a threat, its source, a vulnerability exploited by the threat, and a medium asset.
  - Example:
    - A hacker performs a buffer overflow attack exploiting a non verification of input size in a system program (moderately likely)

Page 28

II- Definitions 2. Asset, vulnerability, threat and risk

- Risk
  - Likelihood of a threat scenario + importance of the impact
  - Risk assessment using a table

    Threat \ Impact |  1   2   3   4
    ----------------+---------------
           1        |  1   1   2   2
           2        |  1   2   2   3
           3        |  2   2   3   4
           4        |  2   3   4   4

  - Risk management
    - Reducing, transferring or taking the risk
    - Residual risk: risk still existing after the risk processing
    - Risk analysis methods: Ebios, Mehari, Cramm, Octave, …
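The risk table and the notion of residual risk from this slide, worked through as an added example (not part of the original lecture). The 1..4 scale meanings, the class and function names, the scores given to each scenario and the acceptance threshold of 2 are assumptions made for illustration.

```python
from dataclasses import dataclass

# Risk table from the slide; index [threat - 1][impact - 1] (the table is symmetric).
RISK_TABLE = [
    [1, 1, 2, 2],
    [1, 2, 2, 3],
    [2, 2, 3, 4],
    [2, 3, 4, 4],
]

@dataclass(frozen=True)
class ThreatScenario:
    source: str
    threat: str
    vulnerability: str
    asset: str
    likelihood: int  # 1 (unlikely) .. 4 (very likely): assumed scale
    impact: int      # 1 (minor) .. 4 (critical): assumed scale

@dataclass(frozen=True)
class CounterMeasure:
    name: str
    likelihood_cut: int = 0  # reduces the vulnerability, hence the likelihood
    impact_cut: int = 0      # reduces the impact if the scenario occurs

def risk_level(likelihood: int, impact: int) -> int:
    if not (1 <= likelihood <= 4 and 1 <= impact <= 4):
        raise ValueError("likelihood and impact must be in 1..4")
    return RISK_TABLE[likelihood - 1][impact - 1]

def residual_risk(s: ThreatScenario, measures: list) -> int:
    """Risk still existing once the counter-measures are applied (floor at 1)."""
    likelihood = max(1, s.likelihood - sum(m.likelihood_cut for m in measures))
    impact = max(1, s.impact - sum(m.impact_cut for m in measures))
    return risk_level(likelihood, impact)

def treatment_plan(scenarios, measures_by_threat, acceptable=2):
    """Rank scenarios by residual risk and flag those above the accepted level."""
    rows = []
    for s in scenarios:
        residual = residual_risk(s, measures_by_threat.get(s.threat, []))
        decision = "take" if residual <= acceptable else "reduce further or transfer"
        rows.append((s.threat, risk_level(s.likelihood, s.impact), residual, decision))
    return sorted(rows, key=lambda r: r[2], reverse=True)

# Constructed sample data; threats are the slide examples, the scores are invented.
SCENARIOS = [
    ThreatScenario("hacker", "buffer overflow", "no input size check", "system program", 2, 4),
    ThreatScenario("hacker", "eavesdropping", "unencrypted wireless link", "WiFi network", 3, 3),
    ThreatScenario("nature", "river flooding", "ground-floor server room", "server room", 1, 4),
]
MEASURES = {
    "buffer overflow": [CounterMeasure("add bounds checking", likelihood_cut=1)],
    "river flooding": [CounterMeasure("off-site backups", impact_cut=2)],
}

if __name__ == "__main__":
    for row in treatment_plan(SCENARIOS, MEASURES):
        print(row)
```

Each row is (threat, initial risk, residual risk, decision), so the scenario left without a counter-measure comes out on top of the ranking.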

Page 29

II- Definitions 2. Asset, vulnerability, threat and risk

[Figure: diagram relating Owner, Asset, Source of attack, Attack, Vulnerability, Threat scenario (Likelihood: L), Impact loss (Loss rating: LR), Risk and Counter-measures; edge labels: may induce, uses, linked to, produces, reduces, applies, protects, exploits]

Page 30

II- Definitions 3. Security policy, measure, function, mechanism

- Security objective
  - Define the security properties required for a given essential asset (information)
  - Example: confidentiality of the specification of the new software
- Security measure or counter-measure
  - Physical, organisational or technical measure
  - Technical counter-measures: security function and mechanisms in order to satisfy security objectives
  - Reduce vulnerabilities or the impact and thus risks
  - May induce new vulnerabilities

Page 31

II- Definitions 3. Security policy, measure, function, mechanism

- Prevention: measures to avoid an incident (before the incident)
  - Security training for non-expert users
  - Dissuasion
    - Watermarking (insert copyright statement in an electronic image)
  - Protection
    - Cryptography (art of secret): hide information from third parties
    - Steganography (art of dissimulation): hide information in another content (hide both information and its existence)
    - Access control (filtering using a firewall)
  - Misinformation (of attacker)
    - Use deception techniques to counter or slow down attacker (Honeypots)

Page 32

II- Definitions 3. Security policy, measure, function, mechanism

- Detection: measures to detect the incident (beginning of the incident)
  - Intrusion detection (IDS)
- Correction: measures to mitigate the consequences of an incident (during the incident)
  - Confinement: quarantine isolation, modification of filtering rules (IPS, Intrusion Prevention System)
  - Ensure availability during an attack (load balancing)
- Recovery: measures to recover the losses after the incident (after the incident)
  - Understand the incident and search for evidence: Computer Forensics
  - Repair the damages (restore the resources in their initial state)
  - Fix the vulnerabilities to prevent future similar attacks
  - Legal action against cyber-criminals, against a third party

Page 33

II- Definitions 3. Security policy, measure, function, mechanism

- Security Policy (Politique de sécurité)
  - Set of laws, rules and usages that specify how assets must be managed and protected inside an organization
    - Specifies the authorizations, forbidden actions and obligations of subjects that access the ISs
    - Includes organisational, physical and technical aspects of security

Page 34

II- Definitions 3. Security policy, measure, function, mechanism

- Security function
  - Technical measure providing a security objective
  - Example: classes of security functions introduced in Common Criteria (CC)
    - FIA: Identification and Authentication
    - FTA: Target of Evaluation Access
    - FAU: Security Audit
    - FPR: Privacy
    - FCO: Communication security
    - FDP: Protection of user data
    - … and others (11 classes)

Page 35

II- Definitions 3. Security policy, measure, function, mechanism

- Identification: declaration of an identity by an entity
  - Example: entering your login
- Authentication (Entity authentication): process that checks the identity
  - Verifies that a user is indeed the person he claims to be
  - Example: verification of password entered after the login
  - Pre-requisite for access control
  - Functionalities associated to authentication
    - Identity management: add new identities, remove, …
    - Ensure integrity of authentication credentials / information
    - Allow authorized users to access the information required to check users' identity
    - Limit the number of online successive attempts to establish a false identity
    - Reuse of authentication (single-sign-on)

Page 36

II- Definitions 3. Security policy, measure, function, mechanism

- Access Control:
  - Function controlling that subjects (users and processes) can only access information and resources if they have the corresponding authorizations
  - Functionalities associated to access control
    - functions that manage the authorization specifications
- Flow Control:
  - Function that controls the information flows between objects

Page 37

II- Definitions 3. Security policy, measure, function, mechanism

- Audit
  - Function ensuring that information concerning events potentially impacting security is recorded, so that a further examination is able to determine whether there has been a security problem
- Accountability
  - Function ensuring that actions from a user (or user's process) are recorded so that it is possible in the future to determine who was responsible for a given event
- Privacy
  - Function ensuring the privacy of the data and actions of a user
    - May be in conflict with other functions (audit and accountability)

Page 38

II- Definitions 3. Security policy, measure, function, mechanism

- Security mechanism
  - Algorithm or protocol implemented via hardware or software to provide a security function
  - Ensure that the system does not accept non-authorized actions
  - Example: authentication mechanisms
    - One-time password protocol HOTP
    - Challenge response protocol KERBEROS

→ Security mechanism must also be secured

Page 39

II- Definitions 3. Security policy, measure, function, mechanism

[Figure: diagram relating Owner, Assets, Security Policy, Security Functions, Security Mechanisms, Attacker and the secured system; edge labels: defines objectives on, defines, enforced by, implemented with, threats]