Introduction to Information and System Security
First lecture
Hugh Anderson
National University of Singapore, School of Computing
June, 2012

Administrivia / Setting the stage... / Case studies
Isolation...
Outline
1 Administrivia: Coordinates, officialdom, assessment; What you'll be learning; Why should you learn?
2 Setting the stage...: In the news earlier this year...; Context for security studies
3 Case studies: Airports, banks, the military, hospitals, homes; Term definitions
Open-door policy (I have one!)
Please call me Hugh, and visit me in my room if you have any questions...
Official SOC description
From the official course description...
This module serves as an introductory module on information and computer system security. It illustrates the fundamentals of how systems fail due to malicious activities and how they can be protected. The module also places emphasis on the practices of secure programming and implementation. Topics covered include classical/historical ciphers, introduction to modern ciphers and cryptosystems, ethical, legal and organisational aspects, classic examples of direct attacks on computer systems such as input validation vulnerability, examples of other forms of attack such as social engineering/phishing attacks, and the practice of secure programming.
Assessment
Assessment                                   Grade
Homework                                     15%
Group project                                20%
Tests, MCQ (closed book, on the 9th July)    15%
Final exam (open book)                       50%
Total marks                                  100%
Timetable
Lectures, tutorials and project...
[Timetable chart: weeks beginning 18 and 25 June, 2, 9, 16 and 23 July; rows for Lectures, Tutorials and Project; EXAM on Fri, 27th July, a.m.]
Project will be a group one (up to 4 members in each group), with a presentation in the last week.
Tutorials
Tutorials/demos/discussions start next week...
Give a written answer to the homework as you enter the tutorial room for assessment (A, B, C or F).
There will be four assessed homework/assignments.
Resources
No textbook, but you may find the following texts useful:
Ross Anderson's "Security Engineering" book: http://www.cl.cam.ac.uk/~rja14/musicfiles/manuscripts/SEv1.pdf
Computer Security, Matt Bishop
Directed readings - all available on the Internet.
IVLE at http://ivle.nus.edu.sg/
General area of the course topics
In short...
History and background
Classical and modern cryptography
Security of systems
Building safer systems - secure programming techniques for programs, web sites...
What you should learn...
What you are expected to know...
To be able to put security systems in context.
For example: history, understanding of the "big picture".
To describe "security related" things using some technical terms.
For example: key size, PK (public key), man-in-the-middle.
To understand the roles of the components of security systems, understanding the underlying reasons for their properties.
For example: certifying authorities.
To acquire some practical skills that would help in programming more secure computer systems.
Why should you learn...
...and why should you care?
Reason #1: Pick up these skills and pass the final exam :)
Reason #2: It is fun in a kind of "You did what?" way.
Reason #3: Knowing the issues, and underlying mechanisms, helps you
... build better systems in future.
... explain to the person on the helpdesk why their system is flawed, and what needs to be done to fix it.
... avoid being the victim of (computer) fraud.
... realistically assess threats to you, your organization, your country.
... fly with the eagles.
My expectation...
Please, please, please....
Attend classes and tutorials
Ask if you don't know
Read references and handouts...
Get interested in the subject
Don't do anything you know is plain wrong...
DBS/POSB attacks
Big news last week...
And a few days later...
Tracked down...
DBS/POSB attacks
How was it done?
Through the use of card skimmers on two machines in Bugis.
Card skimming involves collecting your card details (the data encoded on the magnetic stripe) as the card is inserted into the machine:
DBS/POSB attacks
Card skimmers
Magnetic stripe read as it passes through the capture "shell" fitted over the real card slot.
The electronics includes a magnetic stripe reader head, a small amount of electronics, a battery, a microcomputer and storage (an SD card).
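What the skimmer's reader head actually captures is the card's Track 2 data, laid out as in ISO/IEC 7813. The parser below is an added example for this lecture (not code from the page or from any skimmer); the sample record is constructed around a well-known test PAN and is not real card data. The LRC at the end of the track is accepted but not verified, since most reader heads strip it, and that is an assumption about the reader, not a rule of the format.

```python
"""Parse the Track 2 data a magnetic-stripe skimmer captures (ISO/IEC 7813 layout).

Added example for this lecture, not code from the page. The sample record below is
constructed with a well-known test PAN; it is not data from any real card.
"""
import re
from dataclasses import dataclass

# Track 2: ';' start sentinel, PAN (up to 19 digits), '=' separator, expiry YYMM,
# 3-digit service code, issuer discretionary data, '?' end sentinel, optional LRC.
# Assumption: the reader head strips the LRC, so it is accepted but not checked here.
TRACK2_RE = re.compile(
    r"^;(?P<pan>\d{1,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d*)\?(?P<lrc>.)?$"
)

# Constructed sample: test PAN 4111111111111111, expiry 12/2025, service code 101.
SAMPLE_TRACK2 = ";4111111111111111=2512101123456789?"


@dataclass(frozen=True)
class Track2:
    pan: str
    expiry_yymm: str
    service_code: str
    discretionary: str

    @property
    def chip_preferred(self) -> bool:
        # Service code first digit 2 or 6: issuer says use the chip where available,
        # so a stripe-only clone should be refused by a compliant terminal.
        return self.service_code[0] in "26"


def luhn_valid(pan: str) -> bool:
    """Luhn check-digit test (the PAN's own integrity check, not a secret)."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def parse_track2(raw: str) -> Track2:
    """Split a raw swipe into fields; reject anything that is not a Track 2 record."""
    m = TRACK2_RE.match(raw.strip())
    if not m:
        raise ValueError("not a Track 2 record")
    if not luhn_valid(m["pan"]):
        raise ValueError("PAN fails Luhn check")
    return Track2(m["pan"], m["exp"], m["svc"], m["disc"])


def mask_pan(pan: str) -> str:
    """PCI-style display form: first six and last four digits only."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


if __name__ == "__main__":
    t = parse_track2(SAMPLE_TRACK2)
    print(mask_pan(t.pan), t.expiry_yymm, t.service_code, "chip preferred:", t.chip_preferred)
```

The point for defenders: everything a skimmer needs to clone a stripe is right there in clear text, which is why the PIN (captured separately, see the next slide) and the chip are the only things standing between a skim and a cash withdrawal.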
DBS/POSB attacks
Getting the PIN?
Either
a small (pinhole) camera looking down on the keypad, with an SD card memory, or
an overlay over the keyboard, with a small microcomputer and memory.
Installing a skimmer...
More things to worry about:
NUS attacks
News in January...
NUS attacks
What was done?
Firstly - it was not NUS, but a departmental web server at NUS that was hacked.
The hackers got irritated by a message on the web site, and made it a mission to hack it.
They reported that the web site had minimal security.
The attack was a SQL injection attack, which allowed them to download usercode/password hash entries stored in the SQL database attached to the web server.
The passwords were not NUSNET ones, but ones specifically for the application on the departmental server.
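The attack described above, as an added example that is not the departmental server's code: a notice search built by string concatenation, the UNION payload that pulls the usercode/password-hash table out through it, the parameterised query that defeats the same payload, and the salted slow hash that makes a dumped table expensive to crack (the summary slide's "passwords versus password hashes"). The schema, notice text and the two accounts are constructed for illustration.

```python
"""SQL injection that dumps the users table, next to the parameterised fix,
plus the salted password hashing the dumped table should have used.

Added example; this is not the departmental server's code. The schema, notice
text and the two accounts are constructed for illustration.
"""
import hashlib
import hmac
import os
import sqlite3

PBKDF2_ROUNDS = 100_000


def make_hash(password: str, salt: bytes = b"") -> str:
    """Salted, slow hash stored as 'salthex$dkhex'. Dumping these still costs an
    attacker a per-user cracking run; an unsalted fast hash column would not."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt.hex() + "$" + dk.hex()


def check_password(password: str, stored: str) -> bool:
    salt_hex, dk_hex = stored.split("$", 1)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), PBKDF2_ROUNDS)
    return hmac.compare_digest(dk.hex(), dk_hex)   # constant-time compare


def build_db() -> sqlite3.Connection:
    """In-memory stand-in for the web server's database (constructed data)."""
    db = sqlite3.connect(":memory:")
    db.executescript(
        """
        CREATE TABLE users(usercode TEXT PRIMARY KEY, pw_hash TEXT NOT NULL);
        CREATE TABLE notices(title TEXT NOT NULL);
        INSERT INTO notices VALUES ('Lab closed on Friday'), ('New printer in room 3');
        """
    )
    db.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", make_hash("correct horse")), ("bob", make_hash("hunter2"))],
    )
    return db


def search_notices_vulnerable(db: sqlite3.Connection, term: str) -> list:
    """String-built query: the search term becomes part of the SQL text."""
    sql = f"SELECT title FROM notices WHERE title LIKE '%{term}%'"
    return [row[0] for row in db.execute(sql)]


def search_notices_safe(db: sqlite3.Connection, term: str) -> list:
    """Bound parameter: the term is data, never SQL, whatever it contains."""
    sql = "SELECT title FROM notices WHERE title LIKE ?"
    return [row[0] for row in db.execute(sql, (f"%{term}%",))]


# Closes the quote, appends a UNION that reads another table, comments out the rest.
DUMP_PAYLOAD = "' UNION SELECT usercode || ':' || pw_hash FROM users -- "


if __name__ == "__main__":
    db = build_db()
    print("vulnerable:", search_notices_vulnerable(db, DUMP_PAYLOAD))
    print("safe:", search_notices_safe(db, DUMP_PAYLOAD))
```

Against the vulnerable search the payload returns the two notices plus a row per user of the form usercode:hash; against the safe search the same payload is just a string nobody's notice title contains, so nothing comes back. Note that the fix is binding parameters, not "escaping quotes": the UNION needs no special character other than the one quote, and escaping rules vary between databases.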
Key points/jargon
Summary:
Card skimmers
SQL injection
Keystroke logging using cameras, or keypad overlays
Passwords versus password hashes
Hard to find the boundaries of "Security"
It is not "one thing"... Security is complex:
Security can involve elements such as computers, people, locks, communication links and so on.
The goals of security might involve authentication, integrity, accountability, and so on.
A security system may involve an arbitrary combination of these elements and goals.
Security is everyone's poor relation...
not perceived as a benefit until something goes wrong
requires regular monitoring
too often an after-thought
regarded as an impediment to using the system
Framework to hang our understanding on...
Ross Anderson's book suggests this framework:
Differentiate between security policies and mechanisms
policy: what is allowed/disallowed. What you are supposed to do.
mechanism: ways of enforcing a policy. Ciphers, controls...
assurance: how much reliance you place on each mechanism.
incentives: motives of the people guarding and maintaining the system, and of the attackers.
A quick quiz...
Which of these two vehicles has a door lock?
[Two pictures: a car, value SING$ 20,000, and an airliner, value SING$ 350,000,000]
Answer?
Airport security - 2001 attacks and afterwards
Consider the 9/11 attacks...
There was actually not any failure of the security systems in place at the time:
Knives with blades less than 3 inches were OK in 2001. A failure of policy, not mechanism.
Since 9/11? Still poor policy choices:
Passenger screening is aggressive and costly (approx $15 billion), whereas strongly reinforced cockpit doors could remove most of the risk (est $100 million).
Ground staff are seldom screened, planes do not have locks.
Why such poor policy choices?
Incentives for policy makers favour visible controls over effective ones.
Assurance? Passenger screening picks up less than half the weapons.
Bank security
Policy in banks: "The bank never loses!"
Mechanism: banks maintain a kind of distributed bookkeeping system: customer accounts, and (daily) transactions.
Internal:
Main threats to banks are internal - their own staff.
Main defences are double-entry bookkeeping (first described in the 15th century), controls on large transactions, and staff being required to take vacations.
External:
Buildings built to look imposing, but just a facade - "security theatre" - (a thief with a gun wins).
ATMs (as we have seen) are susceptible to attacks.
Bank websites use a mix of techniques - 2-factor authentication, HTTPS. Phishing attempts to bypass this by attacking the clients.
Cryptography for communication.
Military security
In all sorts of areas...
Electronic warfare and defence - jamming of radar, so the opponent cannot see your planes; jamming trigger systems for IEDs.
Military communications - not just encryption, but also hiding the source (the location of a transmitter can be attacked, so the military use LPI - low probability of intercept - radio links).
Military logistics - who can mobilize 10,000 people and 30,000 meals in a day? Management systems for the military have different requirements from commercial systems - the basic rule is that restricted information cannot flow to an unrestricted area.
Weapons control (e.g. nuclear weapons) needs much higher levels of assurance than (say) commercial areas.
Hospital security
Policies mostly to ensure patient safety and privacy
Consider patient record systems:
A mechanism might be that "Nurses can see the patient record for patients cared for in their own department over the last 90 days". However, this might be tricky to implement given that nurses can move departments - the patient record system would become dependent on the hospital personnel system.
Record anonymizing for research can be tricky. Consider the next slide on database attacks.
A requirement for accuracy of web-based data (reference texts, drug side effects).
During the SARS outbreak...
Releasing (unexpected) information from databases
Day's average temperature of SOC staff by nationality:
Singaporean  PRC   Poland  German  Australian  NZ    ....
36.8         36.9  37.1    36.5    38.2        38.1  ....
Numbers of SOC staff by nationality:
Singaporean  PRC   Poland  German  Australian  NZ    ....
23           14    3       5       2           1     ....
By inference you can deduce that Hugh's temperature was too high!
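The inference on the slide, worked through as an added example (not from the lecture). The averages and head counts are the slide's figures. It goes a little beyond the slide: besides the group-of-one case it shows the differencing version of the same attack on a group of two, and the small-cell suppression a publisher would apply before release. The 38.0 C fever threshold and the "known" Australian colleague's temperature are assumptions for illustration.

```python
"""Inference from published aggregates: the SARS temperature table above.

Added example, not from the lecture. The averages and head counts are the
slide's figures; the fever threshold of 38.0 C and the known partner
temperature used with infer_from_known are assumptions for illustration.
"""
AVG_TEMP = {"Singaporean": 36.8, "PRC": 36.9, "Poland": 37.1,
            "German": 36.5, "Australian": 38.2, "NZ": 38.1}
HEADCOUNT = {"Singaporean": 23, "PRC": 14, "Poland": 3,
             "German": 5, "Australian": 2, "NZ": 1}


def singletons(avg, count):
    """Groups of one: the published 'average' is that person's exact reading."""
    return {g: avg[g] for g in count if count[g] == 1}


def above_threshold(avg, count, threshold=38.0):
    """What a reader of the two tables learns: which singleton groups (people) run a fever."""
    return [g for g, t in singletons(avg, count).items() if t >= threshold]


def infer_from_known(avg, count, group, known):
    """Differencing: in a small group, knowing all but one member's value
    (sum = count * average) gives the remaining member's value exactly."""
    if len(known) != count[group] - 1:
        raise ValueError("need every other member's value")
    return count[group] * avg[group] - sum(known)


def release(avg, count, k=5):
    """Small-cell suppression: drop any cell whose group has fewer than k members."""
    return {g: (avg[g] if count[g] >= k else None) for g in avg}


if __name__ == "__main__":
    print("identified:", above_threshold(AVG_TEMP, HEADCOUNT))
    print("other Australian, if one reads 36.6:",
          round(infer_from_known(AVG_TEMP, HEADCOUNT, "Australian", [36.6]), 1))
    print("safe to publish:", release(AVG_TEMP, HEADCOUNT))
```

Suppression of small cells is the minimum, not a complete defence: if the overall average (or the average for "everyone else") is also published, the suppressed cells can be recovered by subtraction, which is the same differencing trick applied one level up.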
Home security
Really? Consider...
Web-based banking, over your home wifi.
Your car key/immobilizer.
Your (GSM) phone (much harder to clone now than it was five years ago). No unexpected charges.
Your TV set-top box, electronic gas/electricity meter and so on.
In some condos, burglar alarm, lock and security systems.
Key points/jargon
Summary:
Policy, mechanism, assurance and incentives
Controls, visible and effective controls, security theatre
2-factor authentication, HTTPS, phishing
Database attacks
What is a system?
It can vary...
1 Product or component: such as a smartcard, a PC, or a communication protocol.
2 Collection: some products/components, and an OS, network, making up an organization's infrastructure.
3 Application: the above and some set of applications.
4 Composite: the above and IT staff, and perhaps users, management, clients, customers...
A system can thus refer to small things or big things. This indeterminacy about even basic words leads to confusion, and errors. Salespeople might concentrate their efforts on (say) the first two areas, whereas a business may think of its system in terms of the fourth area.
Services/Goals, Attacks and Threats
Basic terms:
Vulnerability/Threats: If there is a weakness (vulnerability), then a potentially harmful situation (threat) may occur.
Services/Goals: ensuring adequate service in a computer system.
CIA! Good guys need 'em.
Attacks/Controls: An attack is a threat exploiting a vulnerability (attack = threat + vulnerability). A control is a way of reducing the effect of a vulnerability.
MOM! Bad guys need 'em.
The CIA triad...
FIPS specify three objectives/goals:
confidentiality: concealing information - resources may only be accessed by authorized parties;
integrity: trustworthiness of data - resources may only be modified by authorized parties in authorized ways;
availability: preventing DoS/denial-of-service - resources are accessible in a timely manner.
The CIAAA gang-of-five...
Many observers identify more...
Authenticity: logins, password checks
Accountability: non-repudiation of a prior commitment
Services/Goals, real world analogues: CIA
(Computer versions much faster)
Security problems in society reoccur in computers:
Confidentiality = locks/encoding/secrecy/privacy.
Integrity = handshakes/signature.
Availability = union go-slows...
But...
The goals can conflict... (Consider ease of confidentiality versus lack of availability.)
The goals may not be met... (Consider password length versus human memory.)
Attacks: MOM!
Three aspects of attacks:
Method: tools, knowledge;
Opportunity: time, access;
Motive: what advantage is there?
An important basic principle for attacks:
The weakest link: an attacker only needs one small flaw in a system.