Introduction to Security
To develop a sense of what the big questions are in security and to gain a little vocabulary surrounding the goals, issues, and techniques for “doing security.”
The Big Ideas
Networks are shared resources and need to be convenient to use. Convenience is often at odds with security.
- How do we defend? (That is, how do we protect our assets?)
- How do we attack? (Because knowing this helps us defend—and besides, maybe sometimes, the attackers are the good people...)
Security is about asset protection. Assets can be:
- Tangible Assets: people, buildings, equipment
- Intangible Assets: code, data, intellectual property, service availability, reputation
Asset protection involves:
- Prevention, or designing systems immune to attack. Locks, passwords, authentication and authorization, firewalls, secure programming practices, etc.
- Detection. Alarms for intruders, performance degradation, malware, weird traffic patterns, fraud, and so on
- Reaction. Implementing the disaster recovery plan, doing repairs, replacing assets, ...
Exercise: (Philosophical) Is money tangible or intangible?
Exercise: What other kinds of assets should be protected?
What Can Attackers Do?
Here is a very incomplete list, but it gets you started:
- Eavesdrop: Tap into a communication line and steal personal info, credit card data, credentials, etc.
- Spoof: Modify data in transit, making it look like the sender said something they didn’t, replace the source IP address to make it look like the packet came from somewhere else, or change purchase shipping address to the attacker’s secret PO Box.
- Deny service: Preventing data from getting to the target (rerouting the packets), or flooding one of the hosts or routers with so many packets nothing effectively gets through.
- Break In: Install a keylogger or other malware on a device that records everything the victim does. The data can be sent (replayed) to another server that collects stolen data. Malware can also have the host join a botnet. Malware can arrive from a virus or worm.
Exercise: Find out the difference between a virus and a worm.
How these things are done (packet sniffing, physical line tapping, connection hijacking, router compromising, packet flooding, etc.) will be covered later.
Exercise: If you’re impatient, look up “SYN flooding.” Why is that effective as a denial-of-service attack?
Don’t forget about non-technical dimensions
Phishing is a problem too. Humans can fall for lots of stuff.
To make systems secure we have many things to consider. We need:
|Dimension||What it is||Techniques|
|Confidentiality||Preventing data from being disclosed (leaked) to the wrong people, either accidentally or by malicious eavesdroppers||Encryption (both at rest and in transit)|
|Integrity||Preventing data from being accidentally or maliciously modified or corrupted (or if there is tampering, to know that it happened)||Message Authentication Codes (MACs), CRCs, Checksums, Secure programming practices|
|Authentication||Ensuring users (both senders and receivers) are who they say they are||Passwords, Passphrases, Tokens, Keys, Cryptographic digital signatures, Certificates|
|Authorization||Restricting what users are allowed to do||Roles, Permissions|
|Accountability||Tracing actions back to the person that performed them||Logs|
|Availability||Services must always be accessible and up as much as possible.||Monitoring, Fault tolerance, Restore/restart, Scaling (scale-out so attackers cannot block all paths), Upstream filtering|
Exercise: Describe a scenario in which Authentication and Integrity are required but Confidentiality is not.
Exercise: How is “non-deniability” related? Is it even possible?
Security is System-Wide
There is no one security module in a system. You have to think about security everywhere: in your day-to-day programming, at the application level, the transport level, the network level, etc.
At this level you will find:
- User and Supervisor (Kernel) modes on processors
- Memory protection (partially implement in the processor instruction set architecture)
Operating System Level
The O.S. can provide:
- Per-user or per-group protections on files, processes, devices, etc.
- Password files are stored encrypted (with one-way hash functions and salts)
- A shadow password file scheme to make dictionary attacks harder. Here
-rw-r--r-- root and holds everything but the passwords, while
-r-------- root and has uids and passwords.
Here you will see things like:
- Smart router software that can detect denial of service attempts
- Implementation of protocols such as IPsec at the network level, SSL at transport, and others at the link layer (secure ethernet, wireless security...), and even application level protocols such as PGP to secure email.
- Use of VPNs
- Keeping networks analyzer tools (like packet filters, packet sniffers,
tcpdump and others out of the hands of nontrusted people
Applications can implement password schemes (disallowing weak passwords, expiring passwords (controversial), supporting security questions (controversial), implementing email links to secure password reset).
Programmers should be aware of as many known categories of vulnerabilities as possible and know how to avoid them. There are zillions of known vulnerabilities; some are related to C programming (pointers, etc.) and some specific to webapps, such as the OWASP Top Ten (But don’t just focus on the top 10, focus on all of them.)
We’ll cover secure software development later.
The Human Level
Be wary about phishing and other personal scams. People can pretend to be someone else (misrepresentation) and just ask you for credentials or even money. These may incidentally use a network but can also happen over other communication channels, including face-to-face.
Learning and Studying Security
We’ll be looking at:
- Cryptography: Mathematics, usage, and implementation. How to prevent eavesdropping. How to ensure the integrity of (non-tampering with) messages. Signatures. Symmetric vs. asymmetric. Secure distribution of keys.
- Security Architecture: Defense, intrusion and malware detection, auditing; using firewalls and similar things. Configuring security groups, etc. Security Protocols, such as IPsec and others. Management, governance, compliance, ethical, and legal issues. Enterprise cyberoperations and privacy.
- Current Knowledge: What are some of the known vulnerabilities out there, and what are the methods to mitigate them?
- Programming: How do we use existing security APIs in our favorite programming languages? How do we practice secure software development (at all levels)?
Some Nice Resources
- Key ideas and vocabulary
- Characteristics of secure systems
- Security dimensions
- How security as applied at many levels system-wide
- Topics in the study of security