Page 1

Administrivia  Setting the stage...  Case studies

Introduction to Information and System Security

First lecture

Hugh Anderson

National University of Singapore, School of Computing

June, 2012

Hugh Anderson, Introduction to Information and System Security, First lecture, slide 1

Page 2

Isolation...

Page 3

Outline

1 Administrivia
  Coordinates, officialdom, assessment
  What you’ll be learning
  Why should you learn?

2 Setting the stage...
  In the news earlier this year...
  Context for security studies

3 Case studies
  Airports, banks, the military, hospitals, homes
  Term definitions


Page 4

Hugh’s coordinates

Room COM2 #03-24
Telephone 6516-4262
E-mail [email protected]

Open-door policy (I have one!) Please call me Hugh, and visit me in my room if you have any questions...


Page 5

Official SOC description

From the official course description... This module serves as an introductory module on information and computer system security. It illustrates the fundamentals of how systems fail due to malicious activities and how they can be protected. The module also places emphasis on the practices of secure programming and implementation. Topics covered include classical/historical ciphers, introduction to modern ciphers and cryptosystems, ethical, legal and organisational aspects, classic examples of direct attacks on computer systems such as input validation vulnerability, examples of other forms of attack such as social engineering/phishing attacks, and the practice of secure programming.


Page 6

Assessment

Assessment                                   Grade
Homework                                     15%
Group project                                20%
Tests: MCQ (closed book, on the 9th July)    15%
Final exam (open book)                       50%
Total marks                                  100%


Page 7

Timetable

Lectures, tutorials and project...

[Timetable chart: lectures and tutorials in the weeks of 18 and 25 June and 2, 9, 16 and 23 July, with the project running alongside; EXAM on Fri 27th July, a.m.]

Project will be a group one (up to 4 members in each group), with a presentation in the last week.

Page 8

Tutorials

Tutorials/demos/discussions start next week... Give a written answer to the homework as you enter the tutorial room for assessment (A, B, C or F).

There will be four assessed homework/assignments.


Page 9

Resources

No textbook, but you may find the following texts useful:

Ross Anderson’s “Security Engineering” book: http://www.cl.cam.ac.uk/~rja14/musicfiles/manuscripts/SEv1.pdf

Computer Security, Matt Bishop

Directed readings - all available on the Internet.

IVLE at http://ivle.nus.edu.sg/


Page 10

General area of the course topics

In short...

History and background

Classical and modern cryptography

Security of systems

Building safer systems - secure programming techniques for programs, web sites...


Page 11

What you should learn...

What you are expected to know...

To be able to put security systems in context.

For example: history, understanding of the “big picture”.

To describe “security related” things using some technical terms.

For example: keysize, PK, man-in-the-middle.

To understand the roles of the components of security systems, understanding the underlying reasons for their properties.

For example: certifying authorities.

To acquire some practical skills that would help in programming more secure computer systems.

Page 12

Why should you learn...

...and why should you care?

Reason #1: Pick up these skills and pass the final exam :)

Reason #2: It is fun in a kind of “You did what?” way.

Reason #3: Knowing the issues, and underlying mechanisms, helps you

... build better systems in future.

... explain to the person on the helpdesk why their system is flawed, and what needs to be done to fix it.

... avoid being the victim of (computer) fraud.

... realistically assess threats to you, your organization, your country.

... fly with the eagles.

Page 13

My expectation...

Please, please, please....

Attend classes and tutorials

Ask if you don’t know

Read references and handouts...

Get interested in the subject

Don’t do anything you know is plain wrong...


Page 14

DBS/POSB attacks

Big news last week...

Page 15

And a few days later...

Tracked down...


Page 16

DBS/POSB attacks

How was it done? Through the use of card skimmers on two machines in Bugis.

Card skimming involves trying to collect your card details from the magnetic strip:

Page 17

DBS/POSB attacks

Card skimmers

Magnetic strip read as it passes through the capture “shell”.

The electronics includes a magnetic strip reader head, a small amount of electronics, a battery, a microcomputer and storage (an SD card).

Page 18

DBS/POSB attacks

Getting the PIN?

Either

a small (pinhole) camera looking down on the keypad, with an SD card memory, or

an overlay over the keyboard, with a small microcomputer and memory.

Page 19

Installing a skimmer...

Page 20

More things to worry about:

Page 21

NUS attacks

News in January...

Page 22

NUS attacks

What was done? Firstly, it was not NUS, but a departmental web server at NUS that was hacked.

The hackers got irritated by a message on the web site, and made it a mission to hack it.

They reported that the web site had minimal security.

The attack was a SQL injection attack, which allowed them to download usercode/password hash entries stored in the SQL database attached to the web server.

The passwords were not NUSNET ones, but ones specifically for the application on the departmental server.
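As an added illustration (not from the lecture, and not the code of the departmental server involved), here is the shape of the flaw the slide describes and of the data it exposed: a user lookup that concatenates input into the SQL text, next to the parameterised form that fixes it, run against a constructed in-memory SQLite table whose password column holds salted PBKDF2 hashes rather than passwords. The table and column names, the sample users and the hashing parameters are assumptions.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed sample users for an in-memory table (names and passwords are made up).
SAMPLE_USERS = [("alice", "correct horse battery staple"), ("bob", "hunter2")]


def hash_password(password: str, salt: bytes) -> str:
    # Salted, iterated hash: a leaked row gives an attacker work to do, not the password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000).hex()


def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (usercode TEXT PRIMARY KEY, salt BLOB, pwhash TEXT)")
    for usercode, password in SAMPLE_USERS:
        salt = os.urandom(16)
        conn.execute("INSERT INTO users VALUES (?, ?, ?)",
                     (usercode, salt, hash_password(password, salt)))
    conn.commit()
    return conn


def lookup_vulnerable(conn, usercode: str) -> list:
    # Untrusted input concatenated into the statement: the caller can rewrite the WHERE clause.
    sql = "SELECT usercode, pwhash FROM users WHERE usercode = '" + usercode + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, usercode: str) -> list:
    # Parameterised query: the input is bound as a value and is never parsed as SQL.
    return conn.execute("SELECT usercode, pwhash FROM users WHERE usercode = ?",
                        (usercode,)).fetchall()


def verify_login(conn, usercode: str, password: str) -> bool:
    row = conn.execute("SELECT salt, pwhash FROM users WHERE usercode = ?",
                       (usercode,)).fetchone()
    if row is None:
        return False
    salt, stored = row
    # Constant-time comparison of the recomputed hash against the stored one.
    return hmac.compare_digest(hash_password(password, salt), stored)


def demo() -> dict:
    conn = build_db()
    crafted = "x' OR '1'='1"        # the textbook tautology; no such user exists
    vuln_rows = lookup_vulnerable(conn, crafted)
    return {
        "vulnerable_rows": len(vuln_rows),              # the whole table comes back
        # Even the dumped table holds no password in the clear, only hashes.
        "plaintext_in_dump": any(pw in r[1] for r in vuln_rows for _, pw in SAMPLE_USERS),
        "safe_rows": len(lookup_safe(conn, crafted)),   # 0: treated as a literal name
        "login_ok": verify_login(conn, "alice", "correct horse battery staple"),
        "login_bad": verify_login(conn, "alice", "wrong"),
    }


if __name__ == "__main__":
    print(demo())
```

The two lookups differ only in how the input reaches the database engine; that one difference is the whole of the "SQL injection" entry on the next slide's jargon list, and the hashed column is the "passwords versus password hashes" entry.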


Page 23

Key points/jargon

Summary:

Card skimmers

SQL injection

Keystroke logging using cameras, or keypad overlays

Passwords versus password hashes


Page 24

Hard to find the boundaries of “Security”

It is not "one thing"... Security is complex:

Security can involve elements such as computers, people, locks, communication links and so on.
The goals of security might involve authentication, integrity, accountability, and so on.
A security system may involve an arbitrary combination of these elements and goals.

Security is everyone’s poor relation...

not perceived as a benefit until something goes wrong
requires regular monitoring
too often an after-thought
regarded as impediment to using system


Page 25

Framework to hang our understanding on...

Ross Anderson’s book suggests this framework:

Differentiate between security policies and mechanisms:

policy: what is allowed/disallowed. What you are supposed to do.
mechanism: ways of enforcing a policy. Ciphers, controls...
assurance: how much reliance you place on each mechanism.
incentives: motives of the people guarding and maintaining the system, and the attackers.

Page 26

A quick quiz...

Which of these two vehicles has a door lock?

Value SING$ 20,000 Value SING$ 350,000,000

Answer?

Page 27

Airport security - 2001 attacks and afterwards

Consider the 911 attacks... There was actually not any failure of the security systems in place at the time:

Knives with blades less than 3 inches were OK in 2001.
A failure of policy, not mechanism.

Since 911? Still poor policy choices:

passenger screening is aggressive and costly (approx $15 billion), whereas strongly reinforced cockpit doors could remove most risk (est $100 million).
Ground staff are seldom screened, planes do not have locks.

Why such poor policy choices?

Incentives for policy makers favour visible controls over effective ones.

Assurance? System screening picks up less than half the weapons.


Page 28

Bank security

Policy in banks: "The bank never loses!" Mechanism: banks maintain a kind of distributed bookkeeping system.

Customer accounts, and (daily) transactions.

Internal:

Main threats to banks are internal - their own staff.
Main defenses are double-entry bookkeeping (first described in the 15th century), controls on large transactions, and staff required to take vacations.

External:

Buildings built to look imposing, but just a facade - “security theatre” - (a thief with a gun wins). ATMs (as we have seen) are susceptible to attacks.
Bank websites use a mix of techniques - 2-factor authentication, HTTPS. Phishing attempts to bypass this by attacking clients.
Cryptography for communication.
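Added example, not from the lecture or from any bank's systems: a toy double-entry ledger that turns two of the internal controls listed above into code. Every transaction is posted to two accounts with equal and opposite amounts, so a single-sided tampered entry shows up as a transaction whose postings do not sum to zero, and postings above an assumed limit require two distinct approvers. The account names, the limit and the transactions are constructed.

```python
from collections import defaultdict

# Constructed control threshold: postings above this need two distinct approvers.
LARGE_TXN_LIMIT = 10_000


class Ledger:
    """Toy double-entry ledger: each transaction posts equal and opposite amounts
    to two accounts (positive = debit, negative = credit)."""

    def __init__(self):
        self.entries = []  # (txn_id, account, signed amount)

    def post(self, txn_id, debit_acct, credit_acct, amount, approvers=()):
        if amount <= 0:
            raise ValueError("amount must be positive")
        # Control on large transactions: dual approval by two different people.
        if amount > LARGE_TXN_LIMIT and len(set(approvers)) < 2:
            raise PermissionError(f"{txn_id}: large transaction needs two distinct approvers")
        self.entries.append((txn_id, debit_acct, amount))
        self.entries.append((txn_id, credit_acct, -amount))

    def balances(self):
        bal = defaultdict(float)
        for _, acct, amt in self.entries:
            bal[acct] += amt
        return dict(bal)

    def unbalanced_transactions(self):
        """Integrity check: the postings of every transaction must sum to zero.
        A one-sided edit (an insider crediting an account with no matching debit)
        breaks this invariant and is reported here."""
        sums = defaultdict(float)
        for txn_id, _, amt in self.entries:
            sums[txn_id] += amt
        return sorted(t for t, s in sums.items() if abs(s) > 1e-9)


def demo() -> dict:
    ledger = Ledger()
    ledger.post("T1", "cash", "customer_A", 500)           # customer deposit
    ledger.post("T2", "loans", "cash", 12_000, approvers=("manager", "auditor"))
    try:
        # Same person listed twice does not count as dual approval.
        ledger.post("T3", "loans", "cash", 20_000, approvers=("manager", "manager"))
        blocked = False
    except PermissionError:
        blocked = True
    # Constructed tampering: a single-sided entry appended behind post()'s back.
    ledger.entries.append(("T4", "cash", 300))
    return {
        "blocked_large": blocked,
        "unbalanced": ledger.unbalanced_transactions(),  # ["T4"]
        "cash": ledger.balances()["cash"],                # -11200.0
    }


if __name__ == "__main__":
    print(demo())
```

The invariant check is the part worth copying: it costs one pass over the journal and catches any edit that touches only one side of a transaction, which is exactly the kind of quiet insider change the slide is worried about. The vacation rule is not expressible in code; it works because someone else has to run the books for a while.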


Page 29

Military security

In all sorts of areas...

Electronic warfare and defense - jamming of radar, so opponent cannot see your planes; jamming trigger systems for IEDs.

Military communications - not just encryption, but also hiding the source (the location of a transmitter can be attacked, so the military use LPI - low probability of intercept - radio links).

Military logistics - who can mobilize 10,000 people and 30,000 meals in a day? Management systems for the military have different requirements from commercial systems - basic rule is that restricted information cannot flow to an unrestricted area.

Weapons control (eg nuclear weapons) need much higher levels of assurance than (say) commercial areas.


Page 30

Hospital security

Policies mostly to ensure patient safety and privacy. Consider patient record systems:

A mechanism might be that “Nurses can see the patient record for patients cared for in their own department over the last 90 days”. However, this might be tricky to implement given that nurses can move departments - the patient record system would become dependent on the hospital personnel system.
Record anonymizing for research can be tricky. Consider the next slide on database attacks.

A requirement for accuracy of web based data (reference texts, drug side effects).


Page 31

During the SARS outbreak...

Releasing (unexpected) information from databases. Day’s average temperature of SOC staff by nationality:

Nationality    Singaporean  PRC   Poland  German  Australian  NZ    ....
Temperature    36.8         36.9  37.1    36.5    38.2        38.1  ....

Numbers of SOC staff by nationality...

Nationality    Singaporean  PRC   Poland  German  Australian  NZ    ....
Staff          23           14    3       5       2           1     ....

By inference you can deduce that Hugh’s temperature was too high!
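Added example, not part of the lecture: the inference on this slide written out, using the two tables above as constructed input. A cell with one contributor publishes that person's exact reading, a small cell with a high average narrows a fever down to a handful of people, and the usual control is to suppress any cell with fewer than k contributors before release. The fever threshold and k are assumptions; the differencing function goes beyond the slide to show that two overlapping aggregates leak an individual just as surely as a singleton cell does.

```python
# Constructed data mirroring the two tables on the slide (values as shown there).
AVG_TEMP = {"Singaporean": 36.8, "PRC": 36.9, "Poland": 37.1,
            "German": 36.5, "Australian": 38.2, "NZ": 38.1}
HEADCOUNT = {"Singaporean": 23, "PRC": 14, "Poland": 3,
             "German": 5, "Australian": 2, "NZ": 1}
FEVER_THRESHOLD = 38.0  # assumed screening threshold, degrees C
MIN_CELL_SIZE = 3       # assumed minimum number of contributors per published cell


def singleton_disclosures(avg, count):
    """Cells with one contributor: the published 'average' is that person's reading."""
    return {g: avg[g] for g in avg if count[g] == 1}


def feverish_small_groups(avg, count, threshold=FEVER_THRESHOLD, k=MIN_CELL_SIZE):
    """Small cells whose average exceeds the threshold: at least one member must,
    so a reader can pin a fever on one of a few named colleagues."""
    return [g for g in avg if count[g] < k and avg[g] > threshold]


def differencing_attack(avg_all, n_all, avg_without, n_without):
    """Generalisation beyond the slide: if both the department-wide average and
    the average over everyone except one person are released, the difference
    of the two sums is that person's exact reading."""
    return round(avg_all * n_all - avg_without * n_without, 1)


def safe_release(avg, count, k=MIN_CELL_SIZE):
    """Mitigation: suppress any cell with fewer than k contributors before release.
    (Complementary suppression of a second cell is needed when a suppressed
    cell can be recovered from a published total; not shown here.)"""
    return {g: (avg[g] if count[g] >= k else None) for g in avg}


if __name__ == "__main__":
    print("singletons:", singleton_disclosures(AVG_TEMP, HEADCOUNT))
    print("feverish small groups:", feverish_small_groups(AVG_TEMP, HEADCOUNT))
    print("safe release:", safe_release(AVG_TEMP, HEADCOUNT))
    # Constructed: 48 staff averaging 37.0, and the same set minus one person.
    print("differenced reading:", differencing_attack(37.0, 48, 1737.9 / 47, 47))
```

The slide's point is that neither table looks sensitive on its own; the disclosure comes from the join between them, which is why the suppression check has to run against the headcounts and not just the temperatures.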

Page 32

Home security

Really? Consider...

Web-based banking, over your home wifi.

Your car key/immobiliser.

Your (GSM) phone (much harder to clone now than it was five years ago). No unexpected charges.

Your TV set-top box, electronic gas/electricity meter and so on.

In some Condos, burglar alarm, lock and security systems.


Page 33

Key points/jargon

Summary:

Policy, mechanism, assurance and incentives

Controls, visible and effective controls, security theatre

2-factor authentication, HTTPS, Phishing

Database attacks


Page 34

What is a system?

It can vary...

1 Product or component: such as a smartcard, a PC, or a communication protocol.
2 Collection: some products/components, and an OS, network, making up an organization’s infrastructure.
3 Application: the above and some set of applications.
4 Composite: the above and IT staff, and perhaps users, management, clients, customers...

A system can thus refer to small things or big things. This indeterminacy about even basic words leads to confusion, and errors. Salespeople might concentrate their efforts on (say) the first two areas, whereas a business may think of its system in terms of the fourth area.


Page 35

Services/Goals, Attacks and Threats

Basic terms:

Vulnerability/Threats: If there is a weakness (vulnerability), then a potentially harmful situation (threat) may occur.

Services/Goals: ensuring adequate service in a computer system

CIA! Good guys need ’em.

Attacks/Controls: An attack = threat + vulnerability. A control is a way of reducing the effect of a vulnerability.

MOM! Bad guys need ’em.


Page 36

The CIA triad...

FIPS specify three objectives/goals:

confidentiality: concealing information - resources may only be accessed by authorized parties;

integrity: trustworthiness of data - resources may only be modified by authorized parties in authorized ways;

availability: preventing DOS/denial-of-service - resources are accessible in a timely manner.

Page 37

The CIAAA gang-of-five...

Many observers identify more...

Authenticity: logins, password checks

Accountability: non-repudiation of a prior commitment

Page 38

Services/Goals, Real world analogues: CIA

(Computer versions much faster)

Security problems in society reoccur in computers.

Confidentiality = locks/encoding/secrecy/privacy.

Integrity = handshakes/signature

Availability = Union go-slows...

But... The goals can conflict... (Consider ease of confidentiality versus lack of availability)

The goals may not be met... (Consider password length versus human memory)


Page 39

Attacks: MOM!

Three aspects of attacks:

Method: tools, knowledge;

Opportunity: time, access;

Motive: what advantage is there?

An important basic principle for attacks:

The weakest link: An attacker only needs one small flaw in a system.


Page 40

Types of threats

Threats:

disclosure: unauthorized access (snooping/interception);

deception: accept false data (man-in-the-middle/modification);

disruption: prevent correct operation (denial-of-service/interruption);

usurpation: unauthorized control (spoofing/fabrication).


Page 41

Types of attacks

Snooping/Interception

[Figure: Alice and Bob communicating, with Ted as the third party (snooping/interception)]

Page 42

Types of attacks

Man-in-the-middle/Modification

[Figure: Alice and Bob communicating, with Ted as the third party (man-in-the-middle/modification)]

Page 43

Types of attacks

Denial of Service/Interruption

[Figure: Alice and Bob communicating, with Ted as the third party (denial of service/interruption)]

Page 44

Types of attacks

Spoofing/Fabrication

[Figure: Alice and Bob communicating, with Ted as the third party (spoofing/fabrication)]

Page 45

Types of attacks

And persuasion: human factors and social engineering: