Module (4 1,2) 2015 2016
Module (4 1,2) 2015 2016
Module (4 1,2) 2015 2016
• There are many aspects of a system that can be secured, and security can
happen at various levels and to varying degrees.
• We have stated in previous chapters that information security is made up of
the following main attributes:
System Architecture
• Designing a system from the ground up is a complicated task and has many
intricate and abstract goals that have to be achieved through mathematics,
logic, design, programming code, and implementation.
• There are fundamental design decisions that need to be made when
constructing a system.
• Availability, integrity, and confidentiality can be enforced at different places
within an enterprise.
For example, a company may store customer credit card information in a database
that many users can access. This information, obviously, requires protection to
ensure that it is not accessed or modified in an unauthorized manner. We start with
general questions and gradually drill down into the details.
The first and most general question is “Where should the protection take place: at
the user’s end, where the data is stored, or by restricting user activities within the
environment?”
• Once these general questions have been answered, the placement of the
mechanisms needs to be addressed.
• Security mechanisms can be placed at the hardware, kernel, operating
system, services, or program layers. At which layer(s) should security
mechanisms be implemented? If protection is implemented at the hardware
layer, the protection mechanisms will be more simplistic and provide broad
and general protection. As we ascend up the layers, more complexity is
added, and functionality becomes more specific and granular.
• The top layer holds the most complexity because it is directed toward
providing the user with a vast amount of functionality and options.
• Functionality and complexity of security increases as it approaches the
layers that are closer to the user. The increased complexity lowers the
assurance levels of the security mechanisms.
• The more complex a security mechanism becomes, the less assurance it
provides. This is because the complexity of the mechanism demands more
technical understanding from the individuals who install, test, maintain, and
use it. The more complex the tools, the more chances there are for errors,
and therefore increased chances for security compromises.
• The more complex the security mechanism, the harder it is to fully test it
under all possible conditions.
• On the other hand, simplistic mechanisms cannot provide the desired
richness of functionality and options, although they are easier to install,
maintain, use, and test. So the tradeoffs between functionality and assurance
need to be fully understood.
• Once the designers have an idea of what the security mechanisms should
focus on (users, operations, or data), what layer(s) the mechanisms should be
placed at (hardware, kernel, operating system, services, or program), and the
complexity of each mechanism, the mechanisms need to be built and
integrated in a way to have a proper relationship with other parts of the
system.
• The first step is to decide what system mechanisms need to be trusted and
specify how these entities can interact in a secure manner. Although it might
seem that you would want to trust all the components within the system, this
would cause too much overhead, complexity, and performance bottlenecks.
• For a mechanism to be trusted, it means that it protects itself and the data it
is processing, it performs in predictable and secure manners, and it does not
adversely affect other trusted or untrusted mechanisms. In return, these
trusted components have access to more privileged services, have direct
access to memory,usually have higher priority when requesting CPU
processing time, and have more control over system resources.
• The components that do fall under the TCB need to be identified and their
accepted capabilities defined.
• For example, a system that has a lower trust level rating may permit all
authenticated users to access and modify all files on the computer. This
subset of subjects and objects is large and the relationship between them is
loose and relaxed. A system with a much higher trust level rating may permit
only two subjects to access all files on a computer system, and only one of
those subjects can actually modify all the files. This subset is much smaller
and the rules being enforced are more stringent and detailed.
• Again, it depends upon what type of system the developers are aiming at
building.
Security Perimeter As stated previously, not every component and resource falls
within the TCB, so some resources fall outside of this imaginary boundary referred
to as the security perimeter.
• A perimeter is a boundary that divides the trusted from the untrusted.
• For the system to stay in a secure and trusted state when a component
within the TCB needs to communicate with a component outside of the
TCB, precise communication standards must be developed to ensure that
this type of communication cannot bring on unexpected security
compromises. This type of communication is handled and controlled through
interfaces.
Domains
A subject needs to be able to access and use objects (resources) to perform tasks,
and the domain defines which objects are available to the subject and which
objects are untouchable and therefore unusable by the subject.
Security Policy
• A security policy is a document that expresses clearly and concisely what the
protection mechanisms are to achieve. Its a statement of the security we
expect the system to enforce.
• A security model is a specification of a security policy:
Background
Cookies
ABrowser
cookie is aform
Enters name/value
data pair
Server
created by a website
Response + cookies to store
information
Requeston
Browser + your computer
cookies Server
Returns data
Http
CS526is stateless protocol;
Fall 2011/Topic 8 cookies add state
Cookies Fields
• An example cookie
– Name session-token
– Content "s7yZiOvFm4YymG….”
– Domain .amazon.com
– Path /
– Send For Any type of connection
– Expires Monday, September 08, 2031 7:19:41 PM
• Stored by the browser
• Used by the web applications
– used for authenticating, tracking, and maintaining specific
information about users
• e.g., site preferences, contents of shopping carts
– data may be sensitive
– may be used to gather information about specific users
– Cookie ownership
– Once a cookie is saved on your computer, only the website
that created the cookie can read it
• HTTP is stateless
– How does the server recognize a user who has signed in?
– Servers can use cookies to store state on client
– After client successfully authenticates, server computes an
authenticator and gives it to browser in a cookie
• Client cannot forge authenticator on his own (session
id)
– With each request, browser presents the cookie
– Server verifies the authenticator
Securing Components
Subject and
attacked
Object of
Attack
The Systems Development Life Cycle
Investigation
Logical Design
Physical Design
Implementation
Desktop Security
Your network and Internet connections link your computer to the outside
world and the outside world back to your computer. With the
proliferation of viruses, worms, Trojans, and identity theft, it's possible
that someone besides you is looking at your data. In this environment,
it's necessary for all members of the University community to be
proactive in protecting the data and personal information stored on
computers on the University network. The links below describe desktop
security measures designed to thwart Internet predators.
E-mail Security
• E-mail is one of the most widely used network services
– killer application of the Internet
• Normally message contents not secured
– Can be read/modified either in transit or at destination by the
attacker
• E-mail service is like postcard service
– just pick it and read it
• Long answer
That’s another talk entirely.
• Short answer
Secure email uses a set cryptographic tools to encapsulate a
message into a specially
formatted envelope.
Encryption
• Think CryptoQuip
• Means of hiding a message through
substitution or rearranging letters
• Requires a “key” to unlock the original
message
Digital Signatures
• A string of characters that uniquely identifies
• the signer of an electronic message.
Recipients are able to
• Verify message was from purported sender
• Verify message was not modified in transit
• Sender cannot deny being originator of message
Most popular secure email standards
• S/MIME
• OpenPGP
How are these different?
• Similar services
• Different trust models
There are two ways to encrypt or sign messages. The first one is
using S/MIME, a very similar method to SSL connections. The way
this works is with a digital certificate that is issued to you by a
trusted authority. The actual protocol is derived from the PKCS #7
data format, and most email clients support S/MIME. Once you get
a certificate, many of which are free from firms like Comodo or
InstantSSL, you download a file ending with a .p7s extension and
you add it to your e-mail application. Then, you gain the ability to
sign messages to prove that they come from you, at which point the
recipient will receive a message with an attachment. This
attachment is your signature and can be read by any email reader
which supports S/MIME.
Confidentiality
Digital Signature
PGP supports message authentication and integrity checking.the
latter is used to detect whether a message has been altered since it
was completed and former to determine whether it was actually sent
by the person .Because the content is encrypted ,any change in the
message will result in failure of the decryption with the appropriate
key. The sender uses PGP to create a digital signature for the
message with either the RSA or DSA algorithms.
What Is SSL?
SSL allows sensitive information such as credit card numbers, social security
numbers, and login credentials to be transmitted securely. Normally, data sent
between browsers and web servers is sent in plain text—leaving you vulnerable to
eavesdropping. If an attacker is able to intercept all data being sent between a
browser and a web server they can see and use that information.
What is an SSL Certificate and How Does it Work?
SSL Certificates have a key pair: a public and a private key. These keys work
together to establish an encrypted connection. The certificate also contains what is
called the “subject,” which is the identity of the certificate/website owner. To get a
certificate, you must create a Certificate Signing Request (CSR) on your server.
This process creates a private key and public key on your server. The CSR data file
that you send to the SSL Certificate issuer (called a Certificate Authority or CA)
contains the public key. The CA uses the CSR data file to create a data structure to
match your private key without compromising the key itself. The CA never sees
the private key. Once you receive the SSL Certificate, you install it on your server.
You also install an intermediate certificate that establishes the credibility of your
SSL Certificate by tying it to your CA’s root certificate. The instructions for
installing and testing your certificate will be different depending on your server.
When a browser attempts to access a website that is secured by SSL, the browser
and the web server establish an SSL connection using a process called an “SSL
Handshake” (see diagram below). Note that the SSL Handshake is invisible to the
user and happens instantaneously.
Essentially, three keys are used to set up the SSL connection: the public, private,
and session keys. Anything encrypted with the public key can only be decrypted
with the private key, and vice versa.
Because encrypting and decrypting with private and public key takes a lot of
processing power, they are only used during the SSL Handshake to create a
symmetric session key. After the secure connection is made, the session key is
used to encrypt all transmitted data.
Web Authentication
Problem:
1) Phishing: In this problem ,attackers set up the fake website,which
look like real websites.It is quite simple to do so,since creating
web pages involves relatively simple technologies such as
HTML,javascript ,CSS(cascading style sheets),etc.
HTTP Authentication
• Protect web content from those who don’t have a “need to know”
• Require users to authenticate using a userid/password before they
are allowed access to certain URLs
• HTTP/1.1 requires that when a user makes a request for a protected
resource the server responds with a authentication request header
– WWW-Authenticate
• contains enough pertinent information to carry out a
“challenge-response” session between the user and the
server
Client
Web
Server responds with a 401 (not Server
authorized and a challenge request
for the client to authenticate
Client Response
– Well established clients like Firefox, Internet Explorer ….
will respond to the challenge request (WWW-Authenticate)
by presenting the user with a small pop-up window with data
entry fields for
– userid ,password ,a Submit button and a Cancel button
• entering a valid userid and password will post the data to the
server, the server will attempt authentication and if authenticated
will serve the originally requested resource.
Database Security and Privacy
Databases
• Collection of
– interrelated data and
– set of programs to access the data
• Convenient and efficient processing of data
• Database Application Software
Database Security
• Protect Sensitive Data from
– Unauthorized disclosure
– Unauthorized modification
– Denial of service attacks
• Security Controls
– Security Policy
– Access control models
– Integrity protection
– Privacy problems
– Fault tolerance and recovery
– Auditing and intrusion detection
Protection of Data Confidentiality
• Access control – which data users can access
• Information flow control – what users can do with the accessed
data
• Data Mining
The two main issues with database privacy are the actual security of the database
itself and the legal and ethical implications of what can/should be stored on the
databases in the first place. Also there should be a consideration of the intrinsic
ethical duty placed on database security professionals to secure a database system.
SQL Injection - One of the best known database exploits around, SQL
injection involves sending unexpected data to a webserver which interacts
with a database. The data may be sent through a few methods, but is always
specially formed, containing SQL statements which can compromise any
unprotected data source. Data is generally passed through either the address
or through form variables.
o Browser Method: When data is passed through the address to a page
which interacts with a database, the data is passed in the form of
variables appended to the end of the address. For example
"www.cnn.com?id=1234" would pass 1234 as data to cnn.com If this
data is directly used in a database command, one could alter 1234 in a
specific way as to introduce a SQL command to be executed by the
database. This ability could give the attacker a powerful tool to
compromise data and accounts of an unprotected database. The users
ability to change the address variables at will makes this an extremely
easy database leak anyone can exploit
o Form Method: Forms take data on one page and pass that data directly
to another page for processing, usually with a backend database
involved. The ease of the user’s ability to modify address variables is
prevented since the form data, if passed properly, is hidden from the
user. Since the transfer is hidden, sites will believe they have
satisfactorily sanitized user input by enforcing rules (digits only for
certain fields, length limits) with client side JavaScript. This is
supposed to prevent users from entering SQL statements disguised as
bad input, but a savvy user could download the source of the file and
modify the data subverting any JavaScript. Entering erroneous SQL
statements such as '; drop table users --could compromise an entire
database and its users.
Preventing SQL Injection
o Syntax Checking: The trick of any SQL injection attack is the user’s
ability to insert malicious statements into invalidated user input. To
protect against this problem users must sanitize input collected from
the user on the server side. The types of sanitation that must be
performed is the removal of any semicolons or back tick marks since
these are the stronghold of the syntax required for a proper SQL
injection.
o While checking syntax is good, the best prevention of SQL injection
is the use of something called a prepared statement. When using
prepared statements, also known as stored procedures, every
interaction with a database is prewritten allowing only enough rights
as are required for any given command. Thus when an unexpected,
powerful command is run there are not enough rights allocated for the
malicious command under the ruse of a stored procedure to be
properly executed even if it is properly inserted.
Database Security
Identity Privacy
The other and much more publicized area of database privacy is in the content that
is availible for public use. This is divided up into two areas, data driven for
marketing, and data driven for public records.
Targeted Marketing
Identity Theft
Just by spending a few minutes and possibly a few dollars on sites like
peoplefind one can get to nearly anyone in the US and abroad. The ease with
which a malicious person can assume someone's identity both online and in
real life can be startling. Most people don't even realize that their names,
home telephone numbers and home addresses are already probably
populated on several public records search databases across the web. Often
times the reason it is so easy to find information is not the fault of the
subject of the search. Companies often use very powerful information as the
key to customer records, such as a person's social security number or the use
of a drivers license number. All of this information once obtained can be
used quickly and often unchecked to assume the identity of a person. A
hacker by the name Kevin Mitnick has written several articles on the ease
with which one can obtain all the details of a person's life from public online
databases (one, two).
Deontologists and Utilitarians would both agree that the developer is wrong
for not completely securing a private database when the techniques used to
compromise it are well-known. Utilitarians would argue that since databases
must be secured to prevent someone from compromising it and thus
committing an ethical wrong, developers have an ethical responsibility to
ensure the security of systems they develop where security is a requirement.
Define
• 1)Security Model
• 2)Security policy
• 3)Security Perimeter
• 4) Trusted computing base (TCB)
• 5) Reference Monitor
• 6)Security Kernel
• 7) Resource Isolation
• 8)Domain
• Answer in short
• 1)Short note on SSL
• 2)Short note on SET
• 3)Explain PGP and SMIME
• 4)How desktop security is maintain?