Intro: Threats, Vulnerabilities, Risk and Security Models Professor Aftab Ahmad aftab@acm.org What you need to know 1. What is the state of the art in computer security? 2. What are best practices? 3. What is an adversary and what tool s/he has? 4. What is US-CERT? How to benefit from it? 5. Definition of threat 6. Definitions of vulnerability, risk and risk management 7. How to assess risk? 8. What is security life cycle? 9. What is a security model in access control? 10. How do the following security models work: Bell LaPadula (BLP), Biba, etc. What is the state-of-the-art in computer security? • Internet is only a few decades old (started in late 1960s) • Security is even newer. Wi-Fi first edition (1999) required no security • We do not have a theory about computer or cyber security • This means that we can’t design a computer with a given level of security • We secure an information system (software, hardware) as much as we can and need • We use recommendations, experience, tools and best practices • Example of recommendations: NIST Special Publication 800-54r3 on security controls, NIST Cyber Security Framework, Cisco Cyber Security Framework • Example of experience: don’t leave unattended computer for long time • Example of tools: Anti-virus, Firewalls, Analysis tools (Wireshark), IDS (Snort) • Best Practices: Nist Special Publication 800-14, Password enforcement, etc. What are best practices? • These are related to user, administrator or developer’s behavior to avoid common pitfalls • Password strength may be enforced and tested (e.g., at least 6 letters) – both user and admin • Not use default password – both user and admin • Turn off a login session if no keyboard input for 10 minutes - admin • Turn off Wi-Fi when a laptops closed – manufacturer / OS vendor / developer • Not to advertise SSID in setting up a Wi-Fi access point – user / admin / developer • Each device to be configured with the SSID • Patch up Operating System with up-to-date patch – user and admin • Read emails about network attacks from known sources – user and admin • Such as your own administrator - user • Never give critical information to emails claiming to be from admin - user • Not click on links in emails - everybody • …the list goes on and on What is an adversary and what tool s/he has? • Adversary is the party that wants to attack a system • Adversary does not have a stereotypical existence • It could be a lone hacker, an organization, a Government, an enemy, even a friend! • Adversary’s motivation is not universal • Money, revenge, political relations, sociopathy, even self-perceived fun, etc. • An attack does not have to have immediate effect, or devastating • Attempt to login, getting in, sending large packets, setting up a trojan, etc. • Adversary can use indigenous and available attack tools • Using password checking software for password cracking, port checking for enumeration of OS and network, vulnerability database What is US-CERT? How to benefit from it? • US-CERT is the United States Computer Emergency Readiness Team • According to the RFC 2350 • US-CERT publishes four information products on its website and pushes the content of each to subscribers of the National Cyber Awareness System (NCAS) • By signing up for an NCAS subscription, users receive information about vulnerabilities, incidents, and mitigations • There is no fee for this service • Users can learn about as well as report new incidents on US-CERT website • To learn more or receive one or more NCAS products via email, visit https://www.us-cert.gov/mailing-lists-and-feeds Definition of threat • A threat is a potential for loss • The source of manmade threat can be anything • Vulnerability in software, hardware, protocol, procedure, humans • Unique advantage of enemy or adversary, e.g., insider threat from employees • The impact of threat can be measured in terms of risk • Risk is a measurement of possible damage • Risk assessment can be used to prioritize threat countermeasures • Threat could be natural • Information systems destroyed due to earthquake • Threats could be accidental • Data washed out due to high magnetic fields on airport security equipment Vulnerability, risk and risk management • Vulnerabilities are weaknesses in sw, hw, protocols, organization, etc. • They are the biggest sources of threats • Risk is a measure of the impact of vulnerability • Risk can be quantitative or qualitative • It can be measures in dollars, severity, or reputation • Risk can be eliminated, or mitigated, or accepted, or averted • There could be a price for each way of dealing with the risk • Elimination may require backup systems, mitigation may require security controls, acceptance may cause controlled damage, and aversion may require insurance • Dealing with risk is called risk management • Deciding how to manage risk requires an analysis of damage • Such an analysis is called risk assessment How to assess risk? • If a system is attacked, there could be multiple sources of damage • Lost business due to reputation, broken software/hardware, employees salaries, premises and infrastructure cost during recovery, etc. • To assess risk due to surveillance video broken for three hours, know • What is the probability of that – suppose 0.1 • How crucial is it to have the surveillance – let’s say extremely crucial • What are countermeasures – say standby system versus, extra security guard • What are the costs of countermeasures – say, $1000 for back up, $100/hr for security guard • Risk assessment is one of the two - $1000, or 0.1 x $300 = $30 (making extra security guard as a better choice) • If extra security guard is not available anytime needed then back up system may be cheaper What is security life cycle? • Security life cycle (SLC) covers all steps from assessment of security needs to managing day-to-day security • International Standard ISO17799 defines four stages of SLC: assessment, design, deploy, and manage • Assessment is done via data gathering activities, such as reviews, penetration testing, audits, etc. Risk assessment is computed from the gathered data • Design relates to security configuration and process definition – such as how many IDS, firewalls, Honeypot systems may be needed, and how things should flow between personnel within the organization if an incident happens • Deploy relates to actual implementation of the design with experts in charge • Manage relates to operational and change monitoring, incident response, etc. What is a security model in access control? • Security models in access control relate to how the confidentiality and integrity of information can be protected while making the information available to legitimate use. • We will make the case for access control, discuss its components and then discuss some security models • In the next Module, we will discuss more classification of access control. Access Control • Password weaknesses can result in adversary having access to protected information • Elaborate access control techniques are required to protect information and information sources • Access control includes authorization in addition to authentication • Authentication: Verification of identity • Identity = public, e.g., email address, name • authentication = private, e.g., password, driver’s license • Authorization: Permissions of accessible resource • Access control should be applied within and external to the organization Computer Security Models • Security models define access policies • A security model may classify users in terms of access privilege, or resources, or both • A simplified security model is access control list (ACL) • An ACL consists of a list of permissions or blocking of permissions • There are many security models • Biba provides data integrity • Bell-LaPadula provides data confidentiality • Bell-LaPadula and Biba are part of US military Multi-level Security (MLS) architecture Bell-LaPadula Model (BLP) • BLP has three security properties • Simple Security Property, Star (*) Security Property and Discretionary Security Property • Simple Security Property blocks a person from having read access to a level higher than his/her clearance • Top secret report can’t be read by those with clearance of secret and below • Star (*) Security Property prohibits writing to a level below your clearance • Top secret clearance can’t write a report with secret or lower clearance level • Discretionary Security Property restricts access of only specific items • You are only allowed to read or write specific documents and nothing else Bell-LaPadula Model (BLP) - II • Implementation of BLP means • Someone from lower clearance can write documents of higher clearance level • This is a problem of integrity – the higher level information is not protected from lower level clearance • Also, a person with higher clearance may read documents of lower clearance • This can result in unverified information added to highly sensitive documents • It just cares of confidentiality • If you write an article for a high quality journal but your references are lower in quality – you have the same problem as BLP has • In terms of Operating Systems security, a kernel level process can’t be read by a malicious application (e.g., a virus), it can modify an application. The Biba Security Model • The Biba Model has three rules: Simple Integrity Property, Star (*) Integrity Property, and Invocation Property • Simple Integrity Property specifies that you can’t read from a source that has lower clearance level than yours • Star (*) Integrity Property specifies that you can’t write to a level that is higher than your clearance • Invocation Property requires an equal or higher privilege level to be the only way for a process to access a service Biba Security Model - II • Biba fixes the problem of BLP by providing security • However, it allows you to read from a source that has a higher level of clearance than yours • This is like making administrator privileges available to lower ranked employees as long as they can’t change anything • In terms of the example of writing an article to a high quality journal, Biba allows you write to a low quality journal as long the material you read (references) are of equal or higher quality than yours. • In Operating Systems: Biba protects kernel level processes from being modified by applications but can’t protect them from being read by a malicious application such as a virus For further reading… • There is some discussion in Chapter 1 of Buchanan on risk. • NIST has many publications on Risk assessment and management. Two of particular importance are special publication 800-30 and 800-39. • For security models, the Wikipedia page does a good job. URL to this page is https://en.wikipedia.org/wiki/Computer_security_model • For Security Life Cycle, refer to the SANS article at https://www.sans.org/reading-room/whitepapers/testing/security-lifecycle-1-diy-assessment-260 • Finally, you should not be shocked to read that several governments are training people to attack US systems. See discussion on vulnerabilities here http://www.wrc.noaa.gov/wrso/security_guide/intro-15.htm