Computer Security Fundamentals

This document discusses key concepts in computer system security. It defines security objectives like confidentiality, integrity, and availability. It describes common security threats like snooping, traffic analysis, modification, masquerading, replaying, and denial of service attacks. It also discusses security mechanisms, challenges, and how to categorize system assets and vulnerabilities. The overall goals are to understand how to protect computer systems and data from security threats.

Uploaded by

Manjunath R K
Computer System Security

Tutor
Dr Prasanna B T
Dept. of Computer Science and Engineering
Learning Objectives
After studying Unit 1, you should be able to:
◆ Describe the key security requirements of confidentiality, integrity, and availability.
◆ Discuss the types of security threats and attacks that must be dealt with and give examples of the types of threats and attacks that apply to different categories of computer and network assets.
◆ Summarize the functional requirements for computer security.
◆ Explain the fundamental security design principles.
◆ Discuss the use of attack surfaces and attack trees.
◆ Understand the principal aspects of a comprehensive security strategy.
The focus of Unit 1 is on three fundamental questions:
1. What assets do we need to protect?
2. How are those assets threatened?
3. What can we do to counter those threats?
NIST Defines:
Computer Security: protection afforded to an automated information system in order to attain the applicable objectives of preserving the integrity, availability and confidentiality of information system resources (includes hardware, software, firmware, information/data, and telecommunications).
Key Security Concepts
CIA Triad
These three concepts form what is often referred to as the CIA triad. The three concepts embody the fundamental security objectives for both data and for information and computing services. FIPS PUB 199 provides a useful characterization of these three objectives in terms of requirements and the definition of a loss of security in each category:
• Confidentiality: Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information. A loss of confidentiality is the unauthorized disclosure of information.
• Integrity: Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity. A loss of integrity is the unauthorized modification or destruction of information.
• Availability: Ensuring timely and reliable access to and use of information. A loss of availability is the disruption of access to or use of information or an information system.
Although the use of the CIA triad to define security objectives is well established, some in the security field feel that additional concepts are needed to present a complete picture. Two of the most commonly mentioned are:
• Authenticity: The property of being genuine and being able to be verified and trusted; confidence in the validity of a transmission, a message, or message originator.
• Accountability: The security goal that generates the requirement for actions of an entity to be traced uniquely to that entity.
Examples:
• Examples of applications that illustrate the requirements just enumerated.
• For these examples, there are three levels of impact on organizations or individuals.
• These levels are defined in FIPS 199: Low, Moderate and High.
Levels of Impact:
• Low: The loss could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.
• Moderate: The loss could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.
• High: The loss could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.
Confidentiality:
• Student grade information is an asset whose confidentiality is considered to be highly important by students.
• Student enrolment information may have a moderate confidentiality rating.
• Directory information, such as lists of students or faculty or departmental lists, may be assigned a low confidentiality rating or indeed no rating.
Integrity:
• Several aspects of integrity are illustrated by the example of a hospital patient's allergy information stored in a database. This is considered a high integrity requirement.
• An example of an asset that may be assigned a moderate level of integrity requirement is a Web site that offers a forum to registered users to discuss some specific topic.
• An example of a low integrity requirement is an anonymous online poll.
Availability:
• The more critical a component or service, the higher the level of availability required.
• An example of an asset that would typically be rated as having a moderate availability requirement is a public Web site for a university.
• An online telephone directory lookup application would be classified as a low availability requirement.
Attacks Threatening Confidentiality
• Snooping refers to unauthorized access to or interception of data.
• Traffic analysis refers to obtaining some other type of information by monitoring online traffic.
Attacks Threatening Integrity
• Modification means that the attacker intercepts the message and changes it.
• Masquerading or spoofing happens when the attacker impersonates somebody else.
• Replaying means the attacker obtains a copy of a message sent by a user and later tries to replay it.
• Repudiation means that the sender of the message might later deny that she has sent the message; the receiver of the message might later deny that he has received the message.
Attacks Threatening Availability
• Denial of service (DoS) is a very common attack. It may slow down or totally interrupt the service of a system.
Security Mechanisms (X.800)
• specific security mechanisms:
– encipherment, digital signatures, access controls, data integrity, authentication exchange, traffic padding, routing control, notarization
• pervasive security mechanisms:
– trusted functionality, security labels, event detection, security audit trails, security recovery
Computer Security Challenges
Computer security is both fascinating and complex. Some of the reasons follow:
1. it is not simple
2. must consider potential attacks
3. the procedures used are often counter-intuitive
4. must decide where to use security mechanisms
5. involves algorithms and secret information, and one must decide where to deploy mechanisms
6. a battle of wits between the perpetrator (attacker) and the admin
7. no benefit is perceived until it fails
8. requires regular monitoring
9. too often an after-thought, incorporated into a system after the design
10. regarded as an impediment to using the system
Aspects of Security
• consider 3 aspects of information security:
– security attack
– security mechanism
– security service
• note terms
– threat – a potential for violation of security
– attack – an assault on system security, a deliberate attempt to evade security services
Computer Security Terminology
Adversary (threat agent) An entity that attacks, or is a threat to, a
system.
Attack An assault on system security that derives from an intelligent
threat; that is, an intelligent act that is a deliberate attempt (especially
in the sense of a method or technique) to evade security services and
violate the security policy of a system.
Countermeasure An action, device, procedure, or technique that
reduces a threat, a vulnerability, or an attack by eliminating or
preventing it, by minimizing the harm it can cause, or by discovering and
reporting it so that corrective action can be taken.
Risk An expectation of loss expressed as the probability that a particular
threat will exploit a particular vulnerability with a particular harmful
result.
Security Policy A set of rules and practices that specify or regulate how
a system or organization provides security services to protect sensitive
and critical system resources.
System Resource (Asset) Data contained in an information
system; or a service provided by a system; or a system
capability, such as processing power or communication
bandwidth; or an item of system equipment (i.e., a system
component— hardware, firmware, software, or
documentation); or a facility that houses system operations
and equipment.
Threat A potential for violation of security, which exists when
there is a circumstance, capability, action, or event, that could
breach security and cause harm. That is, a threat is a possible
danger that might exploit a vulnerability.
Vulnerability A flaw or weakness in a system’s design,
implementation, or operation and management that could be
exploited to violate the system’s security policy.
Security Concepts and Relationships
The assets of a computer system can be categorized
as follows:
• Hardware: Including computer systems and other
data processing, data storage, and data
communications devices
• Software: Including the operating system, system
utilities, and applications.
• Data: Including files and databases, as well as
security-related data, such as password files.
• Communication facilities and networks: Local and
wide area network communication links, bridges,
routers, and so on.
General Categories of Vulnerabilities and Attacks
• system resource vulnerabilities may
– be corrupted (loss of integrity)
– become leaky (loss of confidentiality)
– become unavailable (loss of availability)
• attacks are threats carried out and may be
– passive
– active
• based on origin
– insider
– outsider
Countermeasures
• means used to deal with security attacks
– prevent
– detect
– recover
• may result in new vulnerabilities
• will have residual vulnerability
• goal is to minimize risk given constraints
Threats, Attacks and Assets
Threats and Attacks
Threat Consequences:
• Unauthorized disclosure (threat to confidentiality): exposure, interception, inference, intrusion
• Deception (threat to system or data integrity): masquerade, falsification, repudiation
• Disruption (threat to system integrity and availability): incapacitation, corruption, obstruction
• Usurpation (threat to system integrity): misappropriation, misuse
Threats and Assets:
Scope of Computer Security
Network Security Attacks
• classify as passive or active
• passive attacks are eavesdropping
– release of message contents
– traffic analysis
– are hard to detect so aim to prevent
• active attacks modify/fake data
– masquerade
– replay
– modification
– denial of service
– hard to prevent so aim to detect
Security Functional Requirements
• technical measures:
– access control; identification & authentication; system &
communication protection; system & information integrity
• management controls and procedures
– awareness & training; audit & accountability; certification,
accreditation, & security assessments; contingency planning;
maintenance; physical & environmental protection; planning;
personnel security; risk assessment; systems & services
acquisition
• overlapping technical and management:
– configuration management; incident response; media
protection
Fundamental Security Design Principles
Economy of Mechanism
Fail-safe Defaults
Complete Mediation
Open Design
Separation of Privilege
Least Privilege
Least Common Mechanism
Psychological Acceptability
Isolation
Encapsulation
Modularity
Layering
Least Astonishment
1. Economy of Mechanism
This fundamental security principle states that the security measures implemented in the software and the hardware must be simple and small. This makes it easier for testers to test the security measures thoroughly.
If the designed security mechanism is complex, it is likely that a weakness in the design will escape testing and be exploited.
So the simpler the design, the fewer the opportunities for flaws to go undiscovered; the more complex the design, the greater the chances that flaws in the design can be exploited.
2. Fail-safe Defaults
This principle says that when a user wants access to any mechanism, whether the access is permitted or denied should be based on authorization rather than exclusion.
By default, every mechanism should lack access, and the function of a security mechanism is to identify the conditions under which access should be permitted. This means that by default access to every mechanism should be denied, unless a privilege attribute is provided.
This principle denies unauthorized access. If a mistake occurs while designing a security mechanism that grants access based on permission or authorization, that mechanism fails by simply denying access, which is the safest condition.
If a mistake occurs while designing a security mechanism that grants access based on exclusion, that mechanism fails by simply granting access, which cannot be considered the safest situation.
3. Complete Mediation
Some systems are designed to operate continuously, and such systems remember access decisions. So, there must be an access control mechanism which checks every access occurring on the system.
This principle says that the system should not trust the access decisions it retrieves from a cache. This particular security design principle says that there must be a mechanism in the system that checks each access through the access control mechanism.
However, this is an exhaustive approach and is
rarely considered while designing a security
4. Open Design
This security principle suggests that the security mechanism design should be open to the public. As in a cryptographic algorithm, the encryption key is kept secret while the encryption algorithm is open to public investigation.
This principle is followed by NIST (National Institute of Standards and Technology) in standardizing algorithms, because it helps in worldwide adoption of NIST-approved algorithms.
5. Separation of Privilege
This security principle states that whenever a user tries to gain access to a system, the access should not be granted based on a single attribute or condition.
Instead, there must be multiple situations, conditions or attributes which should be verified to grant access to the system. We also term this multifactor user authentication, as this principle says that multiple techniques must be implemented to authenticate a user.
For example, while conducting an online money transfer we require a user-id, password and transaction password along with an OTP.
6. Least Privilege
The least privilege security design principle states that each user should be able to access the system with the least privilege. Only those limited privileges should be assigned to the user which are essential to perform the desired task.
An example of considering and implementing this principle is role-based access control. The role-based security mechanism should discover and describe the various roles of the users or processes.
Then the least set of privileges essential to perform its functions should be assigned to each role. So, the access control mechanism enables each role only those privileges for which it is authorized. The least set of privileges assigned to each role describes the resources each role can access.
In this way, unauthorized roles are unable to access the protected resources. For example, users accessing a database have the privilege only to retrieve the data; they are not authorized to modify the data.
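As an added illustration of fail-safe defaults and least privilege (not from the lecture notes; all user, role and resource names are constructed), the following Python contrasts an authorization-based check, where anything not explicitly granted to a role is denied, with an exclusion-based check that fails open whenever a rule is missing:

```python
"""Default-deny, role-based authorization versus an exclusion-based check.
Added example, not from the lecture notes; names are constructed."""
from typing import Dict, Set, Tuple

Permission = Tuple[str, str]  # (resource, action)

# Least privilege: each role lists only the permissions it needs to do its job.
ROLE_PERMISSIONS: Dict[str, Set[Permission]] = {
    "db_reader": {("customer_db", "read")},
    "db_admin": {("customer_db", "read"), ("customer_db", "write")},
    "auditor": {("audit_log", "read")},
}

# Constructed user-to-role assignments.
USER_ROLES: Dict[str, Set[str]] = {
    "alice": {"db_reader"},
    "bob": {"db_admin"},
    "carol": {"auditor"},
}


def authorized(user: str, resource: str, action: str) -> bool:
    """Fail-safe default: permit only when one of the user's roles explicitly
    grants (resource, action). An unknown user, an unknown role or a resource
    that no rule mentions all fall through to the final 'return False'."""
    for role in USER_ROLES.get(user, set()):
        if (resource, action) in ROLE_PERMISSIONS.get(role, set()):
            return True
    return False


# Exclusion-based design, shown only for contrast: access is allowed unless a
# deny rule matches, so every gap in the rule set is an open door.
DENY_RULES: Set[Tuple[str, str, str]] = {
    ("db_reader", "customer_db", "write"),
    ("auditor", "customer_db", "read"),
}


def exclusion_authorized(user: str, resource: str, action: str) -> bool:
    """Deny only when a rule says so; anything unmentioned is granted.
    A user with no roles, or a newly added resource, is therefore allowed."""
    for role in USER_ROLES.get(user, set()):
        if (role, resource, action) in DENY_RULES:
            return False
    return True


def compare(user: str, resource: str, action: str) -> Tuple[bool, bool]:
    """Return (fail-safe decision, exclusion-based decision) for one request."""
    return (authorized(user, resource, action),
            exclusion_authorized(user, resource, action))


if __name__ == "__main__":
    # A resource added after the rules were written ("payroll_db") and a user
    # nobody assigned a role to ("mallory"): the fail-safe check denies both,
    # the exclusion-based check lets both through.
    for request in [("alice", "customer_db", "read"),
                    ("alice", "customer_db", "write"),
                    ("alice", "payroll_db", "read"),
                    ("mallory", "customer_db", "read")]:
        print(request, "->", compare(*request))
```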
7. Least Common Mechanism
Following the least common mechanism security design principle, there should be a minimum of common functions shared between different users. This principle reduces the number of communication paths and therefore further reduces the hardware and software implementation.
Ultimately this principle reduces the threat of unwanted access to the system, as it becomes easy to verify whether there is unwanted access to a shared function.
8. Psychological Acceptability
This security design principle says that the security mechanisms designed to protect the system should not interfere with the working of the user every now and then.
This would irritate the user, and the user may disable the security mechanism on the system. Therefore, it is suggested that the security mechanism should introduce minimum hurdles to the user of the system.
The security mechanism should not be designed such that it becomes difficult for the user to access the resources in the system.
9. Isolation
This security design principle is considered in three circumstances. In the first, a system that has critical data, processes or resources must be isolated such that public access is restricted. This can be done in two ways.
The system with critical resources can be isolated in two ways: physical and logical isolation. Physical isolation is where the system with critical information is isolated from the system with public-access information.
In logical isolation, security service layers are established between the public system and the critical systems.
The second isolation condition is that the files or data of one user must be kept isolated from the files or data of another user. Nowadays modern operating systems have this functionality.
Each user operating the system has an isolated memory space, process space and file space, along with mechanisms to prevent unwanted access.
The third isolation condition is that the security mechanisms themselves must be isolated such that they are protected from unwanted access.
10. Encapsulation
This security design principle is a form of isolation based on object-oriented principles. Here the processes of the protected system can only access the data objects of the system, and these processes can only be invoked from a domain entry point.
11. Modularity
This security design principle says that the security mechanism must be developed as separate and protected modules, and the security mechanism must be developed using a modular architecture.
This principle helps in updating the security mechanism independently without modifying the entire system.
12. Layering
Multiple security layers must be used in order to prevent the opponent from accessing crucial information. Applying multiple security layers provides multiple barriers to the adversary if he tries to access the protected system.
13. Least Astonishment
This security design principle states that the user interface of the system must not surprise the user while accessing the secure system. He should be able to understand how the security mechanism is essential to protect the system.
So, this is all about the security design
principles which should be considered while
designing the security mechanism for a
system.
Attack Trees and Attack Surfaces
An attack surface consists of the reachable and exploitable vulnerabilities in a system.
Examples of attack surfaces are the following:
• Open ports on outward facing Web and other servers, and code listening on those ports
• Services available on the inside of a firewall
• Code that processes incoming data, email, XML, office documents, and industry specific custom data exchange formats
• Interfaces, SQL, and Web forms
• An employee with access to sensitive information vulnerable to a social engineering attack
Attack Surface:
The attack surface is the total sum of separate points which are easily accessible to a hacker or attacker. If a hacker wants to access the system he has to do so by scanning the target's attack surface. Attack surfaces have three categories: network, software, and physical attack surface. The attack surface can be reduced by reducing the amount of code.
Attack surfaces can be categorized in the following way:
• Network attack surface: This category refers to vulnerabilities over an enterprise network, wide-area network, or the Internet. Included in this category are network protocol vulnerabilities, such as those used for a denial-of-service attack, disruption of communications links, and various forms of intruder attacks.
• Software attack surface: This refers to vulnerabilities in application, utility, or operating system code. A particular focus in this category is Web server software.
• Human attack surface: This category refers to vulnerabilities created by personnel or outsiders, such as social engineering, human error, and trusted insiders.
An attack surface analysis is a useful technique for assessing the scale and severity of threats to a system.
A systematic analysis of points of vulnerability makes developers and security analysts aware of where security mechanisms are required.
Once an attack surface is defined, designers may be able to find ways to make the surface smaller, thus making the task of the adversary more difficult.
The attack surface also provides guidance on setting priorities for testing, strengthening security measures, or modifying the service or application.
Attack Trees
An attack tree is a branching, hierarchical data structure that represents a set of potential techniques for exploiting security vulnerabilities.
The security incident that is the goal of the attack is represented as the root node of the tree, and the ways that an attacker could reach that goal are iteratively and incrementally represented as branches and subnodes of the tree.
Each subnode defines a subgoal, and each subgoal may have its own set of further subgoals, etc.
The final nodes on the paths outward from the root, i.e., the leaf nodes, represent different ways to initiate an attack. Each node other than a leaf is either an AND-node or an OR-node.
To achieve the goal represented by an AND-node, the subgoals represented by all of that node's subnodes must be achieved; for an OR-node, at least one of the subgoals must be achieved.
Branches can be labeled with values representing difficulty, cost, or other attack attributes, so that alternative attacks can be compared.
Security analysts can use the attack tree to document security attacks in a structured form that reveals key vulnerabilities.
The attack tree can guide both the design of systems and applications, and the choice and strength of countermeasures.
Figure 1.4 is an example of an attack tree analysis for an Internet banking authentication application. The root of the tree is the objective of the attacker, which is to compromise a user's account.
The shaded boxes on the tree are the leaf nodes, which represent events that comprise the attacks. The white boxes are categories which consist of one or more specific attack events (leaf nodes).
Note that in this tree, all the nodes other than leaf nodes are OR-nodes.
The analysis used to generate this tree considered the three components involved in authentication:
• User terminal and user (UT/U): These attacks target the user equipment, including the tokens that may be involved, such as smartcards or other password generators, as well as the actions of the user.
• Communications channel (CC): This type of attack focuses on communication links.
• Internet banking server (IBS): These types of attacks are offline attacks against the servers that host the Internet banking application.
Difference between Attack Surface and Attack Tree
Attack Tree:
The main theme of an attack tree is to structure the process of identifying threats in information security. In an attack tree we have several kinds of nodes, AND, OR and leaf nodes, which illustrate the process of identifying threats. Firstly we have to know the goals to complete an attack tree, because these goals form trees with subtrees and nodes. An attack tree can be complex, depending on the type of attacks.
Five overall attack strategies can be identified, each of which exploits one or more of the three components. The five strategies are as follows:
• User credential compromise
• Injection of commands
• User credential guessing
• Security policy violation
• Use of known authenticated session
User credential compromise: This strategy can be used against many elements of the attack surface.
• There are procedural attacks, such as monitoring a user's action to observe a PIN or other credential, or theft of the user's token or handwritten notes.
• An adversary may also compromise token information using a variety of token attack tools, such as hacking the smartcard or using a brute force approach to guess the PIN.
• Another possible strategy is to embed malicious software to compromise the user's login and password.
• An adversary may also attempt to obtain credential information via the communication channel (sniffing).
• Finally, an adversary may use various means to engage in communication with the target user, as shown in Figure 1.4.
Injection of commands: In this type of attack, the attacker is able to intercept communication between the UT and the IBS. Various schemes can be used to be able to impersonate the valid user and so gain access to the banking system.
User credential guessing: It is reported that brute force attacks against some banking authentication schemes are feasible by sending random usernames and passwords. The attack mechanism is based on distributed zombie personal computers, hosting automated programs for username- or password-based calculation.
Security policy violation: For example, violating the bank's security policy in combination with weak access control and logging mechanisms, an employee may cause an internal security incident and expose a customer's account.
Use of known authenticated session: This type of attack persuades or forces the user to connect to the IBS with a preset session ID. Once the user authenticates to the server, the attacker may utilize the known session ID to send packets to the IBS, spoofing the user's identity.
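The AND/OR evaluation rule described under Attack Trees, applied to a small tree in the spirit of Figure 1.4, as an added example that is not from the notes or the figure: node names follow the banking strategies discussed above, every difficulty value is constructed, and the `harden` step models a countermeasure so that an analyst can see which attack becomes the adversary's cheapest option next.

```python
"""Evaluate an AND/OR attack tree. Added example, not from the lecture notes
or Figure 1.4; node names follow the banking strategies described in the
text, and every cost value is constructed for illustration."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Node:
    name: str
    kind: str = "LEAF"                 # "LEAF", "AND" or "OR"
    cost: float = 0.0                  # attacker difficulty; leaves only
    children: List["Node"] = field(default_factory=list)


def cheapest(node: Node) -> Tuple[float, List[str]]:
    """Cheapest way to achieve `node`: (total cost, leaves used).
    OR-node: the attacker needs only one child, so take the minimum.
    AND-node: every child is required, so the costs add up."""
    if node.kind == "LEAF":
        return node.cost, [node.name]
    results = [cheapest(c) for c in node.children]
    if node.kind == "OR":
        return min(results, key=lambda r: r[0])
    if node.kind == "AND":
        total = sum(cost for cost, _ in results)
        leaves = [leaf for _, used in results for leaf in used]
        return total, leaves
    raise ValueError(f"unknown node kind {node.kind!r}")


def find(node: Node, name: str) -> Optional[Node]:
    """Depth-first lookup of a node by name."""
    if node.name == name:
        return node
    for child in node.children:
        hit = find(child, name)
        if hit is not None:
            return hit
    return None


def harden(root: Node, leaf_name: str, added_cost: float) -> None:
    """Model a countermeasure as raising the difficulty of one leaf."""
    leaf = find(root, leaf_name)
    if leaf is None or leaf.kind != "LEAF":
        raise KeyError(leaf_name)
    leaf.cost += added_cost


def build_tree() -> Node:
    """Constructed tree: the root goal is compromising a user's banking
    account; the strategies below are OR-alternatives, some of them
    AND-nodes whose sub-steps must all succeed."""
    return Node("compromise user account", "OR", children=[
        Node("user credential compromise", "OR", children=[
            Node("observe PIN entry", cost=4),
            Node("sniff credentials on channel", cost=7),
            Node("malware on user terminal", cost=6),
        ]),
        Node("user credential guessing", "AND", children=[
            Node("collect candidate usernames", cost=3),
            Node("distributed guessing", cost=5),
        ]),
        Node("use of known authenticated session", "AND", children=[
            Node("force preset session ID", cost=5),
            Node("user authenticates", cost=2),
        ]),
        Node("security policy violation", "AND", children=[
            Node("insider access", cost=8),
            Node("weak logging", cost=2),
        ]),
    ])


def demo() -> Tuple[Tuple[float, List[str]], Tuple[float, List[str]]]:
    """Cheapest attack before and after hardening the cheapest leaf."""
    tree = build_tree()
    before = cheapest(tree)
    harden(tree, before[1][0], 10)   # constructed effect of a countermeasure
    after = cheapest(tree)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before:", before)
    print("after: ", after)
```

Raising the cost of the cheapest leaf moves the adversary's best option to a different branch, which is exactly the comparison the labeled branches are meant to support.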
Computer Security Strategy:
A comprehensive security strategy involves three aspects:
• Specification/policy: What is the security scheme supposed to do?
• Implementation/mechanisms: How does it do it?
• Correctness/assurance: Does it really work?
Security Policy
The first step in devising security services and mechanisms is to develop a security policy. Those involved with computer security use the term security policy in various ways.
At the least, a security policy is an informal description of desired system behavior. Such informal policies may reference requirements for security, integrity, and availability.
More usefully, a security policy is a formal statement of rules and practices that specify or regulate how a system or organization provides security services to protect sensitive and critical system resources (RFC 4949).
Such a formal security policy lends itself to being enforced by the system's technical controls as well as its management and operational controls.
The manager must consider the following trade-offs:
Ease of use versus security: Virtually all security measures involve some penalty in the area of ease of use. The following are some examples.
• Access control mechanisms require users to remember passwords and perhaps perform other access control actions.
• Firewalls and other network security measures may reduce available transmission capacity or slow response time.
• Virus-checking software reduces available processing power and introduces the possibility of system crashes or malfunctions due to improper interaction between the security software and the operating system.
Cost of security versus cost of failure and recovery: In addition to ease of use and performance costs, there are direct monetary costs in implementing and maintaining security measures. All of these costs must be balanced against the cost of security failure and recovery if certain security measures are lacking.
The cost of security failure and recovery must take into account not only the value of the assets being protected and the damages resulting from a security violation, but also the risk, which is the probability that a particular threat will exploit a particular vulnerability with a particular harmful result.
Security policy is thus a business decision, possibly influenced by legal requirements.
Security Implementation
Security implementation involves four complementary courses of action:
• Prevention: An ideal security scheme is one in which no attack is successful. Although this is not practical in all cases, there is a wide range of threats in which prevention is a reasonable goal. For example, consider the transmission of encrypted data. If a secure encryption algorithm is used, and if measures are in place to prevent unauthorized access to encryption keys, then attacks on confidentiality of the transmitted data will be prevented.
• Detection: In a number of cases, absolute protection is not feasible, but it is practical to detect security attacks. For example, there are intrusion detection systems designed to detect the presence of unauthorized individuals logged onto a system. Another example is detection of a denial of service attack, in which communications or processing resources are consumed so that they are unavailable to legitimate users.
• Response: If security mechanisms detect an ongoing attack, such as a denial of service attack, the system may be able to respond in such a way as to halt the attack and prevent further damage.
• Recovery: An example of recovery is the use of backup systems, so that if data integrity is compromised, a prior, correct copy of the data can be reloaded.
Assurance and Evaluation
Those who are "consumers" of computer security services and mechanisms (e.g., system managers, vendors, customers, and end users) desire a belief that the security measures in place work as intended.
That is, security consumers want to feel that the security infrastructure of their systems meets security requirements and enforces security policies.
These considerations bring us to the concepts of assurance and evaluation.
The NIST Computer Security Handbook defines assurance as the degree of confidence one has that the security measures, both technical and operational, work as intended to protect the system and the information it processes. This encompasses both system design and system implementation.
Thus, assurance deals with the questions "Does the security system design meet its requirements?" and "Does the security system implementation meet its specification?"
Note that assurance is expressed as a degree of confidence, not in terms of a formal proof that a design or implementation is correct.
The state of the art in proving designs and implementations is such that it is not possible to provide absolute proof.
Much work has been done in developing formal models that define requirements and characterize designs and implementations, together with logical and mathematical techniques for addressing these issues. But assurance is still a matter of degree.
Evaluation is the process of examining a computer product or system with respect to certain criteria. Evaluation involves testing and may also involve formal analytic or mathematical techniques.
The central thrust of work in this area is the development of evaluation criteria that can be applied to any security system (encompassing security services and mechanisms) and that are broadly supported for making product comparisons.
Security Technologies Used
Summary
• security concepts
• terminology
• functional requirements
• security architecture
• security trends
• security strategy
Review Questions
1.1 Define computer security.
1.2 What is the difference between passive and active security threats?
1.3 List and briefly define categories of passive and active network security attacks.
1.5 List and briefly define the fundamental security design principles.
1.6 Explain the difference between an attack surface and an attack tree.
1.1 Consider an automated teller machine (ATM) in which users provide a personal identification number (PIN) and a card for account access. Give examples of confidentiality, integrity, and availability requirements associated with the system and, in each case, indicate the degree of importance of the requirement.
1.2 Repeat Problem 1.1 for a telephone switching system that routes calls through a switching network based on the telephone number requested by the caller.
1.3 Consider a desktop publishing system used to produce documents for various organizations.
a. Give an example of a type of publication for which confidentiality of the stored data is the most important requirement.
b. Give an example of a type of publication in which data integrity is the most important requirement.
c. Give an example in which system availability is the most important requirement.
Consider a company whose operations are housed in two buildings on the same property; one building is headquarters, the other building contains network and computer services. The property is physically protected by a fence around the perimeter. The only entrance to the property is through the fenced perimeter. In addition to the perimeter fence, physical security consists of a guarded front gate. The local networks are split between the Headquarters' LAN and the Network Services' LAN. Internet users connect to the Web server through a firewall. Dial-up users get access to a particular server on the Network Services' LAN.
Develop an attack tree in which the root node represents disclosure of proprietary secrets. Include physical, social engineering, and technical attacks. The tree may contain both AND and OR nodes. Develop a tree that has at least 15 leaf nodes.