SOEN 321, Information System Security, Tutorial 1
=================================================

September 17, 2002
Prepared by Serguei Mokhov, mokhov@cs.concordia.ca

Update: September 19, 2002, typos
Update: September 23, 2002, typos
Update: October 01, 2002, link to mailing list archives
Update: for new semester, 2003.
Update: Fall 2004

$Id: 01-intro.txt,v 1.3 2004/12/12 22:05:57 mokhov Exp $
$Revision: 1.3 $

Credits
-------

[1] David K. Probst, probst@vax2.concordia.ca
[2] Michael Spanner, spanner@cs.concordia.ca
[3] Cybersecurity Today and Tomorrow: Pay Now Or Pay Later

Topics:
-------

SOEN
Review: Trust Model, CIA^2
Key Terms
Review: 10 Pages: Cybersecurity Today and Tomorrow: Pay Now Or Pay Later

SOEN: The Lesson About the Iron Ring
------------------------------------

- The amount of thought and planning put into software coincides with how
  well it performs, not just in known circumstances but in unknown
  circumstances... [2]

*EXAMPLE* Bridge Building Analogy to a SOEN Process [2]

- Unknown circumstances: the bridge that collapsed
- In the real world:
  - building bridges is a methodical, scientific, progressive process.
  - software is _somewhat_ made in a process, but *not really*.
- It can be argued that bridge building has come a long way, while
  software engineering has not.

You should remember that you're engineers, and engineers should design and
implement software as if it were a bridge. Someone has to be able to take
responsibility for the work done.

One of Murphy's Laws (or an anecdote? citation may not be exact):

  "If construction workers were constructing buildings as programmers
  build software, the Universe would have collapsed already."

There's no smoke w/o fire, right?

Trust [1]
=====

Let there be an (IS) environment with trustworthy entities (TE) and
untrustworthy entities (UE).

Efficiency implications:

  TE --> cheaper protocols to use
  UE --> should we consider a cheap protocol at all?
     --> buy security (Example: user management computers at CS)

e-Tailer example (board sketch; original layout not fully recoverable):

  web server || OS
  __ -- DB
  || - internal firewall

Trustworthiness can only be achieved by software-engineering methods and
systematic design practices, including articulating trustworthiness
requirements, subsystem integration, and testing. The human element must
not be neglected. [1]

IS Requirements:
----------------

CIA^2 [1]
-----

o Confidentiality (C)
  - Unauthorized parties (UP) must not have access to the
    stored/transmitted information
  - Typical methods of enforcement: crypto

o Integrity (I)
  - UP must not be able to alter the stored/transmitted information
  - Tools to detect: digital signatures and certificates

o Authentication (A1)
  - Ability to prove one's identity, which grants access to the
    information and other (confidential) resources

o Availability (A2)
  - The system should be accessible at all times to the authorized
    parties to perform their work.

Related:

o Non-repudiation
  - Inability of somebody to deny actions that they performed

o Accountability
  - People should have the responsibility of taking necessary security
    measures

Security vs. Cryptography
-------------------------

Uses of crypto:
- Confidentiality
- Authentication
- Integrity check

It's somewhat CIA, but it is a narrower subject and is used as a *tool*
in security mechanisms.

What can go wrong with a comp. system or a network? [3: p.3]
---------------------------------------------------

o Unavailable or very slow (A2)
o Corrupted (I)
o Leaky (C, A1)

Common Cybersecurity Terms: [1, 3: p.6, myself]
---------------------------

VULNERABILITY
- an error or a weakness in the design, implementation, configuration,
  or operation of a system. The more vulnerabilities a system has, the
  more freedom and possibilities an attacker has to circumvent the
  system's security mechanisms and gain unauthorized access to the
  system's information and resources.
*EXAMPLE*
- DOS -> Windows 3.1 -> Windows 9X/Me
  (Basically, Windows is a GUI "wrapper" around DOS.)
  The underlying philosophy of a Windows machine is that it is single
  user, not multi-user. One PC, one logon, one samba session. This makes
  the most money for Micro$oft. The multiuser aspect of modern Windows
  OS's is like a bandaid or an afterthought; that's why it will never be
  secure and will always be vulnerable to viruses, etc... [2]

THREAT
- somebody motivated and capable of exploiting a vulnerability.

*EXAMPLE*
- Crackers
- Viruses: conventional, macro-
- Trojan horses

RISK
- a possibility of a vulnerability being exploited; further, a
  possibility of a threat becoming harmful

RISK MANAGEMENT
- Realistic assessment of possible risks to an IS, and a strategy for
  dealing with the security issues.

ATTACK
- an attempt to gain unauthorized access to the information and other
  resources of an IS and/or to disrupt its services and render it
  inaccessible. Basically, the result of a successful attack makes the
  system even less conformant to the CIA^2 requirements than it was
  before.

*EXAMPLE*
- DoS (Denial of Service) attacks (recall eBay, Yahoo, etc.)
- Recovering encryption keys of transmitted messages by an attacker
  spoofing stuff at an intermediate node on a network. In symmetric
  cryptology, it would seem in theory that everything is OK. But in the
  real world, users send many small messages, all with the same key.
  This introduces a little commonness to the encrypted messages and
  makes them statistically a little easier to decipher. [2]

ATTACKER
- a deliberate (tedious [1]) entity (evil genius [1]) seeking ways of
  threatening a system.

HACKER
- often incorrectly used to refer to people performing the nasty stuff,
  breaking into ISs with malevolent goals. That definition is not exact,
  because hackers are just a curious bunch of people. See CRACKER.

CRACKER
- The person "attacking" the system *with* malevolent goals.
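The two crypto points above, that crypto is a *tool* for C, I and A1, and that reusing one key across many small messages introduces "commonness" an eavesdropper can measure, can be seen concretely in a few lines. The following is an added example written for these notes, not code from the course or from [1]/[2]. It assumes a toy counter-mode keystream built from SHA-256 (stand-in for a real cipher such as AES-CTR or ChaCha20, which have the same never-repeat-the-keystream requirement), constructed keys and nonces, and constructed sample messages. It shows (a) that when the same key and nonce are reused, the keystream cancels out of c1 XOR c2, exposing exactly which positions of the two plaintexts are equal, (b) that a fresh nonce per message removes that relation, and (c) that encryption alone does not give integrity: an intermediate node can flip a ciphertext bit and the receiver accepts a changed plaintext unless a keyed tag (HMAC) is checked first.

```python
import hashlib
import hmac

# Constructed keys for the example; real systems never hard-code keys.
ENC_KEY = b"soen321-example-encryption-key"
MAC_KEY = b"soen321-example-mac-key"
NONCE_LEN = 8


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream: SHA-256(key || nonce || counter) in counter mode.
    Illustration only; a real cipher is used in practice, but its security
    likewise depends on never repeating a (key, nonce) pair."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Confidentiality (C): XOR with the keystream. XOR is its own inverse,
    so the same call decrypts."""
    return xor_bytes(data, keystream(key, nonce, len(data)))


def reuse_leakage(p1: bytes, p2: bytes, nonce1: bytes, nonce2: bytes) -> dict:
    """What a passive eavesdropper learns from two ciphertexts under one key."""
    ct_xor = xor_bytes(encrypt(ENC_KEY, nonce1, p1), encrypt(ENC_KEY, nonce2, p2))
    return {
        # Identical keystream cancels: c1 XOR c2 == p1 XOR p2.
        "keystream_cancels": ct_xor == xor_bytes(p1, p2),
        # A zero byte in c1 XOR c2 then says "same plaintext byte here".
        "positions_exposed_as_equal": sum(1 for b in ct_xor if b == 0),
    }


def seal(nonce: bytes, plaintext: bytes) -> bytes:
    """Encrypt, then HMAC nonce||ciphertext so alteration is detectable (I, A1)."""
    ct = encrypt(ENC_KEY, nonce, plaintext)
    tag = hmac.new(MAC_KEY, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(blob: bytes):
    """Verify the tag (constant-time compare) before decrypting; None if altered."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-32], blob[-32:]
    expected = hmac.new(MAC_KEY, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return encrypt(ENC_KEY, nonce, ct)


def demo() -> dict:
    p1, p2 = b"hello world", b"hello there"          # constructed sample messages
    same = reuse_leakage(p1, p2, b"nonce-01", b"nonce-01")
    fresh = reuse_leakage(p1, p2, b"nonce-01", b"nonce-02")

    # An intermediate node flips one bit of ciphertext byte 4 ('1' -> '0').
    nonce, msg = b"nonce-03", b"pay 100"
    ct = bytearray(encrypt(ENC_KEY, nonce, msg))
    ct[4] ^= 0x01
    blob = bytearray(seal(nonce, msg))
    blob[NONCE_LEN + 4] ^= 0x01

    return {
        "reuse_cancels": same["keystream_cancels"],              # True
        "reuse_exposes": same["positions_exposed_as_equal"],     # 6 equal positions
        "fresh_cancels": fresh["keystream_cancels"],             # False
        "tampered_without_tag": encrypt(ENC_KEY, nonce, bytes(ct)),  # silently b"pay 000"
        "intact_opens": open_sealed(seal(nonce, msg)),           # b"pay 100"
        "tampered_opens": open_sealed(bytes(blob)),              # None: rejected
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The defensive takeaway matches the notes: confidentiality comes from the cipher, but integrity and origin authentication need a separate keyed check, and the cipher only keeps its promise when every message gets a fresh nonce.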
RED TEAM
- attacks conducted by an independent party to reveal and report
  vulnerabilities of a system so they can be fixed later on

Accidental vs. Deliberate Causes of IS and Network Problems [3: p.3]
-----------------------------------------------------------

o Accidental:
  - Natural causes (lightning, storm, earthquake)
  - Human non-deliberate causes
    - programming errors
    - (accidentally) cut/unplugged cables
  --> Trustworthiness aspects: safety, reliability, etc.
  --> May introduce new flaws into the system

o Deliberate:
  - Conscious human choice
  - Hiding traces
  The Internet allows doing that remotely, anonymously, on a large scale.

  *EXAMPLE* An attack may come from a different country to disable air
  traffic control. (Not so good an example, but it makes the point.)

The Harm [3: p. 4, 5]
--------

What can happen when a system has been broken into?

Difference between the Physical and Cyber worlds:

- Physical attack is quite "noticeable"
  - Hole in the wall
  - Cut lock
  - Sept. 11, 2001
  - etc.

- Cyber
  - MIGHT NEVER BE SPOTTED
  - As a result may cause severe physical damage when it's too late to
    prevent
    - Medicine
    - Finance
    - Comm
  - May come from any location in the world

- Other ways to cause problems:
  - trust: insider
  - physical destruction of some key element, creating additional
    vulnerabilities

Current State of Cybersecurity
------------------------------

[gen]

- Tech. and operational complexity growth results in a faster-growing
  number of IS vulnerabilities
- THERE IS NO TOTAL SECURITY
  Every security system can be penetrated. Why do we need it then? To
  slow attackers down, and to feel somewhat secure, which is
  psychologically better than feeling insecure at all.
- More secure systems are more expensive
  --> many companies are not willing to invest much into it. Banks also
      choose to give insurance instead of total security. Red team
      attacks.
- The Weakest Link (technical, managerial, organizational, economic, and
  social aspects)
- Experience of poor risk management: perfect vs.
  concrete;
- Game: action <-> reaction
  *EXAMPLE* telnet, rlogin, and FTP are disabled on CS servers
- Many potential points of vulnerability (see VULNERABILITY above)
  --> system level vs. piecemeal basis
- Many organizations prefer to hide the fact of having been successfully
  attacked so as not to lose reputation, etc.
  --> A lot fewer problems reported and fixed.

[mng]

- the operational state is worse than known best practices simply
  because users don't take the appropriate steps to achieve it
- fin./budget limitations for businesses and gov. agencies
- uncertain payoff of security investments due to the rareness of
  serious attacks
- off-the-shelf systems: performance and features vs. security
- accountability: 0
  --> users and operators must be held responsible for ignoring
      security measures

[op]

- penetration testing, red teaming
  --> promotes accountability
- improper config
- lack of installed critical OS patches
- unaccounted equipment attached to the network
- open ports on a firewall
- invalid permissions settings
- ...
  --> labor intensive
  --> requires mng tools, which are not fully adequate today
- need for security updates with hot fixes en masse
- need to have concrete fallbacks ("failsoftness" [1]) should an attack
  happen

Recommended Readings (for your education and enjoyment)
--------------------

(1) Mailing List Archives from the past term
    http://mailhost.cs.concordia.ca/pipermail/soen321ml/

(2) Computer Security at Concordia: Past Problems, Proposed Plans
    http://alcor.concordia.ca/~anne/security-report/main.html
    Anne Bennett, IITS, Concordia University, anne@alcor.concordia.ca,
    Michael J. Assels, Computer Science, Concordia University,
    mjassels@cs.concordia.ca
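The [op] list above calls the checks for improper config and invalid permission settings labor intensive and says the management tools for them are not fully adequate; the smallest useful tool is a script that finds the bad settings and fixes them. The following is an added example written for these notes, not a tool from the course or from Concordia CS. It assumes a Unix-style file system (mode bits as in stat(2)) and builds its own constructed sample tree in a temporary directory, so it runs without touching real system files. It flags every file or directory that grants write permission to "other", exempting sticky-bit directories (the /tmp convention), and then strips the other-write bit from each finding and re-audits.

```python
import os
import shutil
import stat
import tempfile


def find_world_writable(root: str) -> list:
    """Return root-relative paths whose mode lets any user write to them.
    A sticky-bit directory (like /tmp) is the accepted exception."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode
            if stat.S_ISLNK(mode):
                continue  # mode bits of a symlink itself are not meaningful
            world_writable = bool(mode & stat.S_IWOTH)
            sticky_dir = stat.S_ISDIR(mode) and bool(mode & stat.S_ISVTX)
            if world_writable and not sticky_dir:
                findings.append(os.path.relpath(path, root))
    return sorted(findings)


def remediate(root: str, findings: list) -> None:
    """Drop the other-write bit on each finding; everything else is untouched."""
    for rel in findings:
        path = os.path.join(root, rel)
        mode = stat.S_IMODE(os.lstat(path).st_mode)
        os.chmod(path, mode & ~stat.S_IWOTH)


def build_sample_tree() -> str:
    """Constructed fixture: files and directories with deliberately mixed modes."""
    root = tempfile.mkdtemp(prefix="soen321-audit-")
    files = {
        "etc/app.conf": 0o644,    # fine: owner rw, everyone else read only
        "etc/secret.key": 0o600,  # fine: owner only
        "var/upload.log": 0o666,  # bad: anyone can alter the log
        "bin/run.sh": 0o777,      # bad: anyone can replace the script
    }
    for rel, mode in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("sample\n")
        os.chmod(path, mode)
    # Directory modes are set explicitly so the result does not depend on umask.
    os.chmod(os.path.join(root, "etc"), 0o755)   # fine
    os.chmod(os.path.join(root, "var"), 0o1777)  # sticky, /tmp-style: accepted
    os.chmod(os.path.join(root, "bin"), 0o777)   # bad: world-writable, no sticky bit
    return root


def audit_and_fix() -> tuple:
    """Audit the sample tree, fix what was found, audit again."""
    root = build_sample_tree()
    try:
        before = find_world_writable(root)
        remediate(root, before)
        after = find_world_writable(root)
    finally:
        shutil.rmtree(root)
    return before, after


if __name__ == "__main__":
    before, after = audit_and_fix()
    print("found:", before)   # ['bin', 'bin/run.sh', 'var/upload.log']
    print("after fix:", after)  # []
```

Run against a real tree the remediation step should be reviewed rather than applied blindly, since some services legitimately need world-writable spool directories; the point of the example is that the audit itself is cheap to automate and repeat.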