1 01-InfoSecOverview

Previous: 00-Inspiration.html

Random side note:
Many Vim users (and others) just remap Caps-lock to Ctrl…
Mine is actually a mouse overlay layer.

Show these in class:
https://en.wikipedia.org/wiki/Information_security
https://en.wikipedia.org/wiki/Timeline_of_computer_security_hacker_history
https://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/

1.1 Screencasts

• Password for the Vimeo videos is in Zulip chat.
• SP21: https://vimeo.com/503183836
• FS20: https://vimeo.com/452293994
• Tip: If anyone want to speed up the lecture videos a little, inspect the page, go to the browser console, and paste this in: document.querySelector('video').playbackRate = 1.2

1.2 Example of a recent hack

Which impacted cyber-physical infrastructure, hospitals, etc.

1.2.1 WannaCry, what went wrong?

Overview: Ransomware cryptoworm targeted computers running Microsoft Windows OS by encrypting data and demanding ransom payments in Bitcoin. Those still running older, unsupported versions of Microsoft Windows, such as Windows XP and Windows Server 2003, were initially at particular risk. May 12, 2017, UK’s National Health Service was affected.

Exploit: WannaCry propagates using EternalBlue, an exploit of Windows’ Server Message Block (SMB) protocol. Much of the attention and comment around the event was occasioned by the fact that the U.S. National Security Agency (NSA) had already discovered the vulnerability, but used it to create an exploit for its own offensive work, rather than report it to Microsoft. The vulnerability exists because the SMB version 1 (SMBv1) server in various versions of Microsoft Windows mishandles specially crafted packets from remote attackers, allowing them to execute arbitrary code on the target computer.

President and Chief Legal Officer (CLO) of Microsoft in an official public statement announced, quote:
“This attack provides yet another example of why the stockpiling of vulnerabilities by governments is such a problem.”
https://blogs.microsoft.com/on-the-issues/2017/05/14/need-urgent-collective-action-keep-people-safe-online-lessons-last-weeks-cyberattack/

How to protect cyber-physical infrastructure?

1.3 Definitions

1.3.1 What is computer security?

The NIST Computer Security Handbook defines the term Computer Security as:

“The protection afforded to an automated information system,
in order to attain the applicable objectives of preserving the integrity, availability, and confidentiality of information system resources”,
including hardware, software, firmware, information/data, and telecommunications

1.3.2 “CIA triad”

Confidentiality:
Preserving authorized restrictions on information access and disclosure,
including means for protecting personal privacy and proprietary information

Integrity:
Guarding against improper information modification or destruction,
including ensuring information non-repudiation and authenticity

Availability:
Ensuring timely and reliable access to and use of information

Authenticity:
is sometimes included,
as the property of being genuine, verifiable, and trusted.

CIA triad applied

Hardware integrity is a growing area of concern (empty box above).
Ex: Supply chain compromise.

Discuss/Ask: What else could result in this?

I would tell you an information security joke…
But it’s confidential.

1.4 Difficulties in computer security

Computer security is not simple!

Security is simultaneously one of the most and least formal disciplines in computation.
e.g., human factors versus cryptography

Many algorithms, protocols, operating systems, technical layers, and parties may be involved.

Attackers only need to find a single weakness,
but the developer needs to find all weaknesses.
Why? Mobility matters:

Model a national lab that can’t keep it’s resources mobile?
Model a person who can move around?

Users and system managers tend to not see the benefits of security until a failure occurs.
Security is often an afterthought,
in being incorporated into a system,
after the design is complete.
Security is thought of as an impediment to efficient and user-friendly operation.
Does it have to be?

Arms race requires regular and constant monitoring.

1.5 Security relationships

• Students read this: https://sec.eff.org/topics/threat-modeling

1.5.1 Practical security and threat modeling are hard

In class, ponder and define each element in this diagram.

1.5.2 What is your threat model?

For any given piece of information you may want to protect,
each party who might access or manipulate that information must be considered,
along with that party’s capabilities, motivations, consequences, and
probabilities of mechanisms of compromise.

1.5.2.1 Example 1

Imagine being you, protecting your web traffic,
considering mechanisms of compromise,
for various parties with varying degrees of access,
and varying motivations:

Assets (and their relative values):

• All the data, bit by bit!

Threat agents (with associated probabilities):

• Your parents? (probability?)
• The public at large? (probability?)
• Your employer? (probability?)
• Your university? (probability?)
• The MPAA? (probability?)
• Your ISP? (probability?)
• Your government? (probability?)
• Foreign government? (probability?)
• Others?

Threat mechanisms (with associated probabilities, costs):

• Cookie inspection at local machine (probability, cost?)
• Wiretapping legal (probability, cost?)
• Wiretapping illegal (probability, cost?)
• ISP logs (probability, cost?)
• Correlation attacks / watermarking (probability, cost?)

Countermeasures (with associated probabilities of being effictive and costs):

• Deleting your cookies? (probability, cost?)
• Private mode? (probability, cost?)
• Tor browser (probability, cost?)
• VPN (probability, cost?)
• Self-censoring (probability, cost?)

Risk/Consequences (with associated probabilities and costs)

• Getting grounded (probability, cost?)
• Getting embarrassed (probability, cost?)
• Getting imprisoned (probability, cost?)
• Getting robbed (probability, cost?)
• Getting killed (probability, cost?)

Diagram all of these into a network like above.
Do all countermeasures work against all threat agents?
In a perfect world, you protect everything with all countermeasures.
Now, given your limited time and resources,
how to balance the costs and probabilities?
How does this differ depending on where you are browsing from?

1.5.2.2 Example 2

Imagine being an engineer who works on power grid infrastructure operations designs and schedules?

Discuss/Ask:

Assets (and their relative values):
* ?
Threat agents (with associated probabilities):
* ?
Threat mechanisms (with associated probabilities and costs):
* ?
Countermeasures (with associated probabilities of being effictive and costs):
* ?
Risk/Consequences (with associated probabilities and costs)
* ?

Note:
This kind of threat modeling is one thing the non-free Pfleeger book really emphasizes well.

+++++++++++++++++++++
Cahoot-01.1

1.5.3 Assets of a Computer System

Hardware: storage, processing, and communications
Software: OS, system utilities, applications
Data: files, databases, password databases
Communication facilities and networks: LAN, WAN, bridges, routers, etc

Discuss/Ask:
Any other assets we missed?
What are all the inputs to computers?

1.5.4 Vulnerabilities, threats, attacks

1.5.4.1 Vulnerabilities

lead to several categories of fault:

Corrupted (loss of integrity): wrong answers
Leaky (loss of confidentiality): information leaks
Unavailable or very slow (loss of availability): server down

1.5.4.2 Threats

(potential):

Capable of exploiting vulnerabilities
Represent potential security harm to an asset

1.5.4.3 Attacks

(threats carried out):

Passive – attempt to learn or make use of information from the system that does not affect system resources
Active – attempt to alter system resources or affect their operation

Insider – initiated by an entity inside the security parameter
Outsider – initiated from outside the perimeter

1.5.5 Countermeasures

• Means used to deal with security attacks:
  • Prevent
  • Detect
  • Respond
  • Recover
• Goal is to minimize residual level of risk to assets
• Residual vulnerabilities may remain
• Countermeasures themselves introduce new vulnerabilities

1.5.6 Scope of security

Slowly ponder the parts of this in class:

1.5.7 Threats and attacks

Actually review these:

1.5.7.1 Passive attacks

Attempt to learn or make use of information from the system,
but does not affect system resources.
Eavesdrop on, or monitor transmissions.
Goal of attacker is to obtain information that is being transmitted.

Two categories:

1. Release of message contents
   • For example, a telephone conversation, an electronic mail message, and a transferred file may contain sensitive or confidential information.
   • We would like to prevent an opponent from learning the contents of these transmissions.
2. Traffic analysis
   • We want to mask the contents of messages or other information traffic so that opponents, even if they captured the message, could not extract the information from the message.
   • If we had encryption protection in place, an opponent might still be able to observe the pattern of these messages.
   • The opponent could potentially determine the location and identity of communicating hosts and could observe the frequency and length of messages being exchanged.
   • Passive attacks are very difficult to detect because they do not involve any alteration of the data.
   • Typically, the message traffic is sent and received in an apparently normal fashion and neither the sender nor receiver is aware that a third party has read the messages or observed the traffic pattern.
   • Discuss: bandwidth watermarking Tor traffic

1.5.7.2 Active attacks

Attempt to alter system resources or affect their operation.
Involve some modification of the data stream or the creation of a false stream.

Four categories:

1. Replay: involves the passive capture of a data unit and its subsequent re-transmission to produce an unauthorized effect.

2. Masquerade: one entity pretends to be a different entity. For example, authentication sequences can be captured and replayed after a valid authentication sequence has taken place

3. Modification of messages: some portion of a legitimate ­message is altered, or that messages are delayed or reordered, to produce an ­unauthorized effect.

4. Denial of service: prevents or inhibits the normal use or management of communication

+++++++++++++++++++++
Cahoot-01.2

1.6 Security design aspirations

1.6.1 Fundamental Security Design Principles

Can we think of examples of each?

• Compartmentalization: separate system components
• Layering: Multiple overlapping protections!
• Modularity: design modularity allows fixing and upgrading easily
• Encapsulation: type of object oriented isolation of internals
• Isolation: isolate users, processes, and data
• Localization: Keep keys and software on local machines.
• Open design: why?
• Economy of mechanism: as simple and small as possible, e.g., OpenBSD, microkernel, Minix3, Redox
• Fail-safe defaults: default is lack of access; very common problem “in the wild”
• Complete mediation: don’t cache access, check every time
• Separation of privilege: multi-factor authorization, process separation
• Least privilege: processes and users have least access needed for their job
• Least common mechanism: each user has their own mechanism/config/software, etc
• Psychological acceptability: don’t over-burden the user
• Least astonishment: Intuitive designs allow user understanding

Discuss/ask?
What about security via obscurity?

1.7 Attack surfaces

Reachable and exploitable vulnerabilities in a system.

Examples are:

• Open ports on outward facing servers, and code listening on those ports, e.g., Web server
• Services available inside a firewall
• Code that processes incoming data, email, XML, office documents, and industry-specific custom data exchange formats
• Interfaces, SQL, and Web forms
• An employee with access to sensitive information vulnerable to a social engineering attack!

Discuss/ask:
What are the two biggest attack surfaces for:

• your personal computer,
• for a work computer?

1.7.1 Attack Surface Categories

Network Attack Surface

• Vulnerabilities over an enterprise network, wide-area network, or the Internet
• Included in this category are network protocol vulnerabilities, such as those used for a denial-of-service attack, disruption of communications links, and various forms of intruder attacks

Software Attack Surface

• Vulnerabilities in application, utility, or operating system code
• Particular focus is Web server software

Human Attack Surface

• Vulnerabilities created by personnel or outsiders, such as social engineering, human error, and trusted insiders

Browser Attack Surface

• While this is an application, it is important enough to deserve it’s own category.
• This is the most common way computers run random code
• Primary interface for most computing devices
• Browser is core, battleground, a crux component for privacy, security, and control of the Web

1.7.2 Minimize attack surfaces, increase layering

+++++++++++++++++++++
Cahoot-01.3

1.8 Attack trees

Another method of modeling threats and exploits/attacks

Attack tree for internet banking

Green: attack;
UT/U: user equipment;
CC: communication links;
IBS: Internet Banking Server;
White: category of attack

Discuss/Ask:
Attack tree for the following?

• FERPA protected data at the university
• HIPPA protected data at a hospital

Side-note:
what is actually written in FERPA/HIPPA?

1.9 Computer Security Strategy

Within an organization/institution:

Security Policy:
Formal statement of rules and practices that specify or regulate how a system or organization provides security services to protect sensitive and critical system resources

Assurance/Trust:
The degree of confidence one has that the security measures, both technical and operational, work as intended to protect the system and the information it processes

Discuss/Ask:
Is this form of trust formal, statistical, provable, or subjective? Both?

Evaluation:
Process of examining a computer product or system with respect to certain criteria

Discuss/Ask:
Is this formal, statistical, provable, or subjective? Both?

Security Implementation:
Involves four complementary courses of action:

• Prevention
• Detection
• Response
• Recovery

1.9.1 Protections

• Cryptography
• Physical protection

All security is ultimately either cryptographic or physical
(including threats of physical),
BUT there is a messy landscape of technical and practical considerations.

Using physical and cryptographic considerations,
design of accessible software interfaces
(often remote, or protected from physical access) is also critical.

1.10 Task for next time

Read the first chapter of the cryptography book!

Next: 02-IntroCryptoCaesar.html