SS-1

Overview of Computer Security
4/13/2015
Madhumita. Chatterjee
Security concerns on the Internet

Highly contagious viruses
Defacing web pages
Credit card number theft
On-line scams
Intellectual property theft
Wiping out data
Denial of service
Spam emails
Etc.

Who are the attackers?

Unintended blunders
Hackers driven by technical challenges
Disgruntled employees or customers
Petty criminals
Organized crime
Organized terror groups
Information warfare

Vulnerabilities

Application security
  Buggy code
  Buffer overflows
Host security
  Server side
  Client side
Transmission security
Network security

Security Requirements

Confidentiality: protection from disclosure to unauthorized persons.
Authenticity is the identification and assurance of the origin of information.
Integrity refers to the trustworthiness of data or resources in terms of preventing improper and unauthorized changes.
Non-Repudiation: originator cannot deny sending the message.

Security Requirements - Cont’d

Availability refers to the ability to use the information or resource desired.
Access control
Anonymity

Security Mechanisms

System security: “Nothing bad happens to my computers and equipment”
  Virus, trojan horse, logic/time bombs.
Network security:
  Authentication mechanisms: “you are who you say you are”
  Access control: firewalls, proxies… who can do what?
Data security: “For your eyes only”
  Encryption, digests, signatures…

Security Mechanisms - Cont’d

Encipherment
  Hiding or covering data
Data Integrity
  Appends a checkvalue to data
Digital Signature
  Electronic signature
Authentication exchange
  Two parties exchange messages to prove their identities

Security Mechanisms - Cont’d

Traffic padding
  Inserting bogus data into traffic
Routing control
  Changing different available routes between sender and receiver
Notarization
  Selecting a trusted third party to control communication
Access control

Security Threats and Attacks

A threat is a potential violation of security.
  Flaws in design, implementation, and operation.
An attack is any action that violates security.
  Active adversary.


Threat to confidentiality
  Snooping
  Traffic Analysis
Threat to Integrity
  Modification
  Masquerading
  Replaying
  Repudiation


Threat to availability
  Denial of Service

Eavesdropping - Message Interception (Attack on Confidentiality)

Unauthorized access to information
Packet sniffers and wiretappers
Illicit copying of files and programs

[Figure: S, R, Eavesdropper]

Integrity Attack - Tampering With Messages

Stop the flow of the message
Delay and optionally modify the message
Release the message again

[Figure: S, R, Perpetrator]

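Added example (not from the original slides): the check-value mechanism listed under Data Integrity, applied to the tampering steps above so that receiver R rejects a modified, a fabricated and a re-released message. It assumes the check value is HMAC-SHA256 over a sequence number plus the data; the key, frame layout and message texts are constructed for illustration.

```python
import hashlib
import hmac
import struct

KEY = b"constructed-shared-key-for-demo"  # assumption: S and R already share this key

def protect(key: bytes, seq: int, data: bytes) -> bytes:
    """Sender S: frame = 8-byte sequence number | data | 32-byte check value."""
    header = struct.pack(">Q", seq)
    tag = hmac.new(key, header + data, hashlib.sha256).digest()
    return header + data + tag

class Receiver:
    """Receiver R: verifies the check value, then refuses old sequence numbers."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_seq = -1

    def accept(self, frame: bytes) -> str:
        if len(frame) < 8 + 32:
            return "rejected: truncated"
        header, data, tag = frame[:8], frame[8:-32], frame[-32:]
        expected = hmac.new(self.key, header + data, hashlib.sha256).digest()
        # Constant-time comparison; any change to header or data changes the tag.
        if not hmac.compare_digest(tag, expected):
            return "rejected: bad check value"
        seq = struct.unpack(">Q", header)[0]
        if seq <= self.last_seq:  # same frame released again
            return "rejected: replay"
        self.last_seq = seq
        return "accepted: " + data.decode(errors="replace")

def demo() -> list:
    r = Receiver(KEY)
    genuine = protect(KEY, 1, b"pay 100 to Bob")
    # Modification: data changed in transit, original check value kept.
    modified = genuine[:8] + b"pay 900 to Bob" + genuine[-32:]
    # Masquerading: frame built by a party that does not hold the shared key.
    forged = protect(b"masquerader-guess", 2, b"pay 100 to Eve")
    return [r.accept(modified), r.accept(forged),
            r.accept(genuine), r.accept(genuine)]

if __name__ == "__main__":
    for line in demo():
        print(line)
```

A sequence number catches a frame released a second time but not one that is merely delayed; detecting delay needs a timestamp or a timeout. Because S and R hold the same key, this check value does not give non-repudiation, which is why the slides pair that service with digital signatures.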
Authenticity Attack - Fabrication

Unauthorized assumption of other’s identity
Generate and distribute objects under this identity

[Figure: S, R, Masquerader: from S]

Attack on Availability

Destroy hardware (cutting fiber) or software
Modify software in a subtle way (alias commands)
Corrupt packets in transit
Blatant denial of service (DoS):
  Crashing the server
  Overwhelm the server (use up its resource)

[Figure: S, R]

Impact of Attacks

Theft of confidential information
Unauthorized use of
  Network bandwidth
  Computing resource
Spread of false information
Disruption of legitimate services
All attacks can be related and are dangerous!

Passive vs Active Attacks

Attacks                                              Passive/Active   Threatening
Snooping, Traffic Analysis                           Passive          Confidentiality
Modification, Masquerading, Replaying, Repudiation   Active           Integrity
Denial of Service                                    Active           Availability

Close-knit Attack Family

[Figure: passive attacks (sniff for content; traffic analysis - who is talking) and active attacks (jam/cut it; capture & modify; pretend), linked by "re-target" arrows; callouts: "who to impersonate", "I need to be Bill"]

Security Policy and Mechanism

Policy: a statement of what is, and is not, allowed.
Mechanism: a procedure, tool, or method of enforcing a policy.
Security mechanisms implement functions that help prevent, detect, respond to, and recover from security attacks.
Security functions are typically made available to users as a set of security services through APIs or integrated interfaces.
Cryptography underlies many security mechanisms.

Security Services

Confidentiality: protection of any information from being exposed to unintended entities.
  Information content.
  Parties involved.
  Where they are, how they communicate, how often, etc.

Security Services - Cont’d

Authentication: assurance that an entity of concern or the origin of a communication is authentic - it’s what it claims to be or from
Integrity: assurance that the information has not been tampered with
Non-repudiation: offer of evidence that a party indeed is the sender or a receiver of certain information

Security Services - Cont’d

Access control: facilities to determine and enforce who is allowed access to what resources, hosts, software, network connections
Monitor & response: facilities for monitoring security attacks, generating indications, surviving (tolerating) and recovering from attacks

Security Services - Cont’d

Security management: facilities for coordinating users’ service requirements and mechanism implementations throughout the enterprise network and across the Internet
  Trust model
  Trust communication protocol
  Trust management infrastructure

Relation between security services and mechanisms

Security Service       Security Mechanisms
Data Confidentiality   Encipherment and routing control
Data Integrity         Encipherment, digital signature, data integrity
Authentication         Encipherment, digital signature, authentication exchanges
Non-repudiation        Digital signature, data integrity and notarization
Access control         Access control mechanisms

Security Goals

Confidentiality
Integrity
Availability

Security Techniques

Cryptography
  Symmetric key encipherment
  Asymmetric key encipherment
  Hashing
Steganography
  Covered writing

Methods of Defence

Encryption
Software Controls (access limitations in a database; in an operating system, protect each user from other users)
Hardware Controls (smartcard)
Policies (frequent changes of passwords)
Physical Controls