Overview of Computer Security 4/13/2015 Madhumita. Chatterjee 1 Security concerns on the Internet Highly contagious viruses Defacing web pages Credit card no theft On-line scams Intellectual property theft Wiping out data Denial of service Spam emails Etc etc etc…………. 4/13/2015 Madhumita. Chatterjee 2 Who are the attackers? Unintended blunders Hackers driven by technical challenges Disgrunted employees or customers Petty criminals Organized crimes Organized terror groups Information warfare 4/13/2015 M. Chatterjee 3 Vulnerabilities Application security Host security Buggy code Buffer overflows Server side Client side Transmission security Network Security 4/13/2015 M. Chatterjee 4 Security Requirements Confidentiality Protection from disclosure to unauthorized persons Authenticity is the identification and assurance of the origin of information. Integrity refers to the trustworthiness of data or resources in terms of preventing improper and unauthorized changes. Non-Repudiation: Originator cannot 4/13/2015 5 deny sending theM. Chatterjee message Security Requirements…… Availability refers to the ability to use the information or resource desired. Access control Anonymity 4/13/2015 M. Chatterjee 6 Security Mechanisms System security: “Nothing bad happens to my computers and equipment” Virus, trojan horse, logic/time bombs. Network Security: Authentication Mechanisms: “you say who you say you are” Access control: Firewalls, proxies…..who can do what? Data Security: “For your eyes only” Encryption, digests, signatures….. 4/13/2015 M. Chatterjee 7 Security Mechanisms…. Encipherment Data Integrity Appends a checkvalue to data Digital Signature Hiding or covering data Electronic signature Authentication exchange Two parties exchange messages to prove their identities 4/13/2015 Madhumita. Chatterjee 8 Security Mechanisms…. Traffic padding Inserting bogus data into traffic Routing control Changing different available routes between sender and receiver Notarization Selecting a trusted third party to control communication Access control 4/13/2015 Madhumita. Chatterjee 9 Security Threats and Attacks A threat is a potential violation of security. Flaws in design, implementation, and operation. An attack is any action that violates security. Active adversary. 4/13/2015 M. Chatterjee 10 Threat to confidentiality Snooping Traffic Analysis Threat to Integrity Modification Masquerading Replaying Repudiation 4/13/2015 Madhumita. Chatterjee 11 Threat to availibility Denial of Service 4/13/2015 Madhumita. Chatterjee 12 Eavesdropping - Message Interception (Attack on Confidentiality) Unauthorized access to information Packet sniffers and wiretappers Illicit copying of files and programs R S Eavesdropper 4/13/2015 M. Chatterjee 13 Integrity Attack - Tampering With Messages Stop the flow of the message Delay and optionally modify the message Release the message again R S Perpetrator 4/13/2015 M. Chatterjee 14 Authenticity Attack Fabrication Unauthorized assumption of other’s identity Generate and distribute objects under this identity R S Masquerader: from S 4/13/2015 M. Chatterjee 15 Attack on Availability Destroy hardware (cutting fiber) or software Modify software in a subtle way (alias commands) Corrupt packets in transit S R Blatant denial of service (DoS): Crashing the server 4/13/2015 M. Chatterjee Overwhelm the server (use up its resource) 16 Impact of Attacks Theft of confidential information Unauthorized use of Network bandwidth Computing resource Spread of false information Disruption of legitimate services All attacks can be related and are dangerous! 4/13/2015 M. Chatterjee 17 Passive vs Active Attacks Attacks Passive/Active Threatening Snooping,Traffic Analysis Passive Confidentiality Modification,Masquerad Active ing,Replaying,Repudiati on Integrity Denial of Service Availibility 4/13/2015 Active Madhumita. Chatterjee 18 Close-knit Attack Family Active Attacks Passive attacks re-target sniff for content capture & modify re-target traffic analysis - who is talking 4/13/2015 jam/cut it who to impersonate M. Chatterjee pretend I need to be Bill 19 Security Policy and Mechanism Policy: a statement of what is, and is not Mechanism: a procedure, tool, or method of allowed. enforcing a policy. Security mechanisms implement functions that help prevent, detect, and respond to recovery from security attacks. Security functions are typically made available to users as a set of security services through APIs or integrated interfaces. Cryptography underlies many security mechanisms. 4/13/2015 M. Chatterjee 20 Security Services Confidentiality: protection of any information from being exposed to unintended entities. Information content. Parties involved. Where they are, how they communicate, how often, etc. 4/13/2015 M. Chatterjee 21 Security Services - Cont’d Authentication: assurance that an entity of concern or the origin of a communication is authentic - it’s what it claims to be or from Integrity: assurance that the information has not been tampered with Non-repudiation: offer of evidence that a party indeed is the sender or a receiver of certain information 4/13/2015 M. Chatterjee 22 Security Services - Cont’d Access control: facilities to determine and enforce who is allowed access to what resources, hosts, software, network connections Monitor & response: facilities for monitoring security attacks, generating indications, surviving (tolerating) and recovering from attacks 4/13/2015 M. Chatterjee 23 Security Services - Cont’d Security management: facilities for coordinating users’ service requirements and mechanism implementations throughout the enterprise network and across the Internet Trust model Trust communication protocol Trust management infrastructure 4/13/2015 M. Chatterjee 24 Relation between security services and mechanisms Security Service Security Mechanisms Data Confidentiality Encipherment and routing control Data Integrity Encipherment, digital signature, data integrity Authentication Encipherment, digital signature, authentication exchanges Non-repudiation Digital signature, data integrity and notarization Access control Access control mechanisms 4/13/2015 Madhumita. Chatterjee 25 Security Goals Confidentiality Integrity 4/13/2015 Avalaibility M. Chatterjee 26 Security Techniques Cryptography Symmetric key encipherment Asymmetric key encipherment Hashing Steganography Covered writing 4/13/2015 Madhumita. Chatterjee 27 4/13/2015 M. Chatterjee 28 4/13/2015 M. Chatterjee 29 Methods of Defence Encryption Software Controls (access limitations in a data base, in operating system protect each user from other users) Hardware Controls (smartcard) Policies (frequent changes of passwords) Physical Controls 4/13/2015 M. Chatterjee 30