
IPICS2003 Computer security Security of Distributed Information Systems G. Pangalos Informatics Laboratory Aristo

Topics for discussion: The security problem - Basic security concepts; The security of internet based IS; Acceptable approaches to internet security; A methodology



    1. IPICS2003 Computer security (Security of Distributed Information Systems) G. Pangalos Informatics Laboratory Aristotelean University of Thessaloniki

    3. 1. Basic Security Issues

    4. The need for security: Many I.S. handle sensitive information that should be protected. Without an appropriate level of security in place, no such system can be operational. A secure operational environment is thus required. Security is therefore an important issue for most I.S.

    5. What is Security?
    - Confidentiality: The protection of information from unauthorized access or unintended disclosure.
    - Integrity: The protection of information from unauthorized modification.
    - Availability: Resources are in the place, at the time and in the form the user needs them.

    6. Need for security: As organizations increase their reliance on information systems and the Internet for daily business, they become more vulnerable to security breaches.

    7. Several major questions arise, for example:
    - How to safeguard the confidentiality of the information (i.e. who should be allowed to see what and under what conditions),
    - How to safeguard the integrity of the information,
    - How to improve its availability to legitimate users, etc.

    8. In order to answer those questions it is necessary to:
    1. Identify the security requirements / threats / vulnerabilities associated with the various categories of users and data types
    2. Study the related security technology available
    3. Study the impact of adding security on the availability / performance / cost of the system
    4. Propose specific measures required to improve the security of the system
    5. Define an appropriate security policy for accessing the information

    9. Some problems to think about:
    - Confidentiality vs Availability vs Integrity (vs Accountability)
    - The ease of attack (e.g. through the internet)
    - The emergence of new applications (internet based, electronic commerce, e-payments, …)
    - A holistic approach is necessary

    10. Why is this still a problem? We:
    - Have been working on it for 30 years
    - Have a good theoretical foundation
    - Understand the problem
    - Have products
    - Continue to make progress
    - Have ethics classes

    11. . . . But!
    - Products do not match problems
    - Security controls have operational impact
    - No flexibility
    - Rapidly evolving technology
    - No security culture

    12. Computer Security Topics: Operating Systems Security, Program Security, Formal Models of Secure Systems, Database Security, Internet Security, Network Security, Electronic Commerce Security, Office Automation Security, Risk Analysis/Threat Analysis, Encryption (symmetric and asymmetric), …

    13. So, why aren’t systems secure?
    - Security is fundamentally hard to address
    - Security is usually an afterthought
    - False solutions
    - Belief that computers are the problem, not people (teach ethics)
    - Technology is oversold
    - Security can be expensive

    14. Possible Information States: Processing, Storage, Transmission

    16. Security Threats - Risks

    17. A threat is any circumstance or event with the potential to cause harm to an organisation (through the disclosure, modification or destruction of information, or by the denial of critical services). The presence of a threat does not mean that it will necessarily cause actual harm. To become a risk, a threat must take advantage of a vulnerability in the system's security controls.

    18. Why not just encrypt? Encryption is likely the most powerful tool available, but it does not solve all problems. Steganography + Encryption + …

    19. What tends to work ...
    - User education
    - Strong “holistic” approach
    - Good risk analysis
    - Plans and procedures
    - Enforcement
    - Strong identification and authentication
    - Firewalls on networks
    - Law and regulation

    20. Basic Concepts:
    - Access control. There is a need to protect resources against unauthorised access. The access control components decide whether a subject can access a particular resource (object). This functionality is related to both secrecy and integrity.
    - Authentication. Verification of the identity of users. This is of crucial importance in distributed systems due to the inherent ability of these systems to allow access to remote resources via physically untrusted communication environments.
    - Auditing. Users that access resources should be accountable; the audit components should record their identities and actions.

    21. Basic Concepts:
    - Non-repudiation. For some applications it is important to provide evidence of actions. Typical examples are proof of receipt of a message or proof of sending a message.
    - Security management. This is the management of information related to the security of a system. Typically this determines the security characteristics of a system.
    - Cryptography. The provision of the above mentioned functionality is usually based on cryptography, which is essential in distributed systems where communication is based on insecure links.

    22. 2. The Internet Security Problem:

    23. Facts: The Internet is the fastest growing telecommunications medium in history. It provides unprecedented opportunities for interaction and data sharing.

    24. Advantages of using Internet/Web browsers to provide access to information:
    - Ease of deployment of information: No specific network infrastructure is required. Everybody has a navigation program for the WWW (Netscape Navigator, Internet Explorer etc.)
    - User-friendly environment: Users need no specific knowledge to access data. Everybody knows how to use a Web browser.
    - Ease of administration: The Web server handles all of the communications and simply passes the data back to the client.

    25. The Internet Security problem

    26.
    - Vulnerable TCP/IP services: a number of the TCP/IP services are not designed to be secure and can be compromised by knowledgeable intruders
    - Ease of eavesdropping and spoofing: the majority of Internet traffic is not encrypted
    - Lack of policy: many sites are configured unintentionally for wide-open Internet access without regard for the potential for abuse from the Internet
    - Complexity of configuration: host security access controls are often complex to configure and monitor

    27. Threats on the Internet:
    - Information Browsing: Unauthorised viewing of sensitive information by intruders or legitimate users may occur through a variety of mechanisms.
    - Misuse: The use of information assets for other than authorised purposes can result in denial of service, increased cost, or damage to reputations.
    - Component Failure: Failure due to design flaws or hardware/software faults can lead to denial of service or security compromises through the malfunction of a system component.

    28. Threats on the Internet:
    - Unauthorised deletion, modification or disclosure: Intentional damage to information assets that results in the loss of integrity or confidentiality of business functions and information.
    - Penetration: Attacks by unauthorised persons or systems that may result in denial of service or significant increases in incident handling costs.
    - Misrepresentation: Attempts to masquerade as a legitimate user to steal services or information, or to initiate transactions that result in financial loss or embarrassment to the organisation.

    29. Internet Security Risks: The advantages provided by the Internet come with a significantly greater element of risk to the confidentiality and integrity of information (open environment, uncontrolled platforms, etc.). The very nature of the Internet means that security risks cannot be totally eliminated.

    30. !!! Because of these security risks and the need to research security requirements vis-a-vis the Internet, some organizations (e.g. HCFA) had even prohibited until recently the use of the Internet for the transmission of sensitive data.

    31. On the other hand: There is a growing demand for using the Internet for fast and inexpensive transmission of information.

    32. It is therefore necessary to accommodate this need, provided that it can be assured that proper steps are being taken to maintain an acceptable level of security for the information involved.

    33. Solving the problem requires: A. To activate the necessary security tools B. To have an adequate Internet Security Policy in place

    34. A. Activate the necessary security tools

    35. Levels of Internet security:
    1. Security at the Application Layer
    2. Security at the Transport Layer
    3. Security at the Physical Layer

    36. Hierarchical Layers of Internet Security:

    37. Security at level 1 (Application Layer). Tools available:
    a. Use of a ‘Secure’ Transfer Protocol (e.g. S-HTTP)
    b. Use of end-to-end Encryption
    c. Use of Digital Signatures and user Certificates
    ……….

    38. Security at level 2 (Transport Layer). Method: Activate an SSL connection:
    - Set up a PKI / TTP infrastructure
    - Provide SERVER / CLIENT / USER certificates
    - Use them to activate an SSL / https connection between client and server

    39. B. Have an adequate Internet Security Policy in place

    40. That is …. To establish the basic security requirements that must be satisfied in order to use the Internet to safely transmit sensitive information.

    41. What is needed: To define a suitable Internet Security Policy, and To describe the set of technical measures that are needed for its implementation.

    42. A. Development of an Internet Security Policy: Acceptable Security Approaches

    43. Basic Security Principles for the transmission of sensitive data over the Internet

    44. 1. Access and modification of information: Sensitive information sent over the Internet must be accessed and modified only by authorized parties

    45. 2. Use of acceptable technologies: Appropriate technologies must be used to ensure that data travels safely over the Internet and is only disclosed to authorised parties. These technologies should:
    - allow users to prove they are who they say they are (identification and authentication), and
    - allow the organized scrambling of data (encryption) to avoid inappropriate disclosure or modification

    46. As seen later: The Internet can be used for the safe transmission of sensitive data, provided that:
    - a suitable Internet Security Policy is in place,
    - an acceptable method of encryption is utilized to provide for confidentiality and integrity of the data, and
    - suitable identification and authentication procedures are employed to assure that both the sender and recipient of the data are known to each other and are authorized to receive and decrypt such information.

    47. II. Acceptable Security Methods

    48. Acceptable Security Methods: In order to safely use the internet for the transmission of sensitive data, the method(s) employed by all users must come under one of the acceptable approaches to security described below.

    49. These approaches:
    - Are as generic as possible and as open to specific implementations as possible, to provide maximum user flexibility within the allowable limits of security and manageability
    - Have been based on a detailed study of the existing security framework and guidelines in the EU countries, USA and Canada.

    50. Major sources:
    - Development of a H.L. Security Policy for the processing and transmission of data through the INTERNET, Medical Informatics and Internet Applications Journal, 2000.
    - The Intranet Health Clinic project, WP6 report: security, The IHC project, EU, 2002.
    - European prestandard CEN/TC 251/SEC-COM “Security for Healthcare Communication”, 1999.
    - Recommendation No. R (99)5 ‘for the protection of privacy on the Internet’, 1999.
    - Directive 95/46/EC ‘on the protection of individuals with regard to the processing of personal data and on the free movement of such data’.
    - Recommendation N° R(95)4 ‘on the protection of personal data in the area of telecommunication services’.
    - Recommendation N° R(97)5 ‘protection of medical data’, February 1997.
    - CEN/TC 251 technical report N98-110, “framework for security protection of healthcare communication”, 1998.
    - CSA standard CAN/CSA-Q830, ‘Model Code for the Protection of Personal Information’, 1995.
    - Canadian Organisation for the Advancement of Computers in Health (COACH), Security and Privacy Guidelines for Health Information Systems, Canada’s Health Informatics Association, 1995.
    - TrustHealth1, Examination of the Implications of the EU Data Protection Directive to a TrustHealth Information System, Deliverable D6.2, INFOSEC/TrustHealth Project, 1996.
    - Department of Health and Human Services, “Security and Electronic Signature Standards”, Federal Register/Vol. 63, No. 155, 1998.
    - HCFA, “Internet Communications Security and Appropriate Use Policy and Guidelines”, 1998.
    - Report and Recommendations from the Provincial Steering Committee on the Health Information Protection Act, 2000.
    - FOIP Policy and Practices, USA, 1998.

    51. 0. Acceptable Approaches to Internet Usage

    52. I. General statement: It is permissible to use the Internet for the transmission of sensitive information, as long as:
    - an acceptable method of encryption is utilised to provide for confidentiality and integrity of this data, and
    - adequate identification and authentication procedures are employed to assure that both the sender and recipient of the data are known to each other and are authorised to receive and decrypt such information.

    53. II. Acceptable Technical Measures (to achieve those objectives)

    54. ACCEPTABLE TECHNICAL MEASURES:
    1. Acceptable Identification and Authentication approaches
    2. Acceptable WEB server usage
    3. Acceptable mail usage
    4. Acceptable protection from virus and Interactive software
    5. Acceptable Intrusion Detection methods
    6. Acceptable Encryption approaches

    55. 1. Acceptable Identification and Authentication approaches

    56. The problem: Authentication over the Internet presents several problems. e.g. It is relatively easy to capture identification and authentication data (or any data) and replay it in order to impersonate a user.

    57. Acceptable Identification and Authentication approaches:

    58. 1. use of digital certificates: Any site must use digital certificates to validate the identity of both the user and the server. Certificates at the user end must be used in conjunction with standard technologies such as Secure Sockets Layer (SSL).

    59. Only the use of formal Certificate-Authority-based digital certificates is acceptable. Certificates can be issued only by the organization or by a Trusted Third Party. Access to digital certificates stored on PCs should be protected by passwords.

    60. 2. Use of passwords:
    - Passwords may be sent over the Internet only when encrypted.
    - Passwords and user logon IDs must be unique to each authorized user.
    - Passwords must be changed at a suitable period (e.g. 90 days).

    61. 3. Logon procedures:
    - User accounts will be frozen after 3 failed logon attempts.
    - All erroneous password entries will be recorded in an audit log for later inspection and action, as necessary.
    - Sessions will be suspended after 15 minutes (or other specified period) of inactivity and require the password to be re-entered.

    62. Successful logons should display the date and time of the last logon and logoff. Logon IDs and passwords should be suspended after a specified period of disuse. Each site would be required to be able to prove that data in its possession has not been altered or destroyed in an unauthorised manner.
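The logon controls on the two slides above, written out as an added example that is not part of the original presentation: freeze after 3 failed attempts, audit-log every bad password, suspend a session idle for 15 minutes until the password is re-entered, show the previous logon/logoff after a successful logon, suspend IDs after a period of disuse, and a daily review of the log for accounts that hit the freeze threshold. The 90-day disuse period, the salted PBKDF2 password storage and the audit line format are this example's own assumptions.

```python
from __future__ import annotations
import hashlib
import hmac
import os
from collections import Counter
from dataclasses import dataclass

MAX_FAILED_ATTEMPTS = 3           # "frozen after 3 failed logon attempts"
INACTIVITY_LIMIT_S = 15 * 60      # "suspended after 15 minutes of inactivity"
DISUSE_LIMIT_S = 90 * 24 * 3600   # "specified period of disuse": 90 days assumed here

@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    failed: int = 0
    frozen: bool = False
    last_logon: float | None = None
    last_logoff: float | None = None

@dataclass
class Session:
    user: str
    last_activity: float
    notice: str              # shown after logon: date/time of the previous logon and logoff
    suspended: bool = False

def hash_password(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 storage is this example's assumption; the slides do not fix a format
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class LogonController:
    def __init__(self) -> None:
        self.accounts: dict[str, Account] = {}
        self.audit_log: list[str] = []   # "recorded in an audit log for later inspection"

    def add_user(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self.accounts[user] = Account(salt, hash_password(password, salt))

    def logon(self, user: str, password: str, now: float) -> Session | None:
        acct = self.accounts.get(user)
        if acct is None or acct.frozen:
            self.audit_log.append(f"{now:.0f} LOGON_DENIED user={user}")
            return None
        if acct.last_logon is not None and now - acct.last_logon > DISUSE_LIMIT_S:
            acct.frozen = True   # ID unused for too long: suspend it instead of logging on
            self.audit_log.append(f"{now:.0f} ID_SUSPENDED user={user} reason=disuse")
            return None
        if not hmac.compare_digest(hash_password(password, acct.salt), acct.pw_hash):
            acct.failed += 1
            acct.frozen = acct.failed >= MAX_FAILED_ATTEMPTS   # third bad password freezes the account
            self.audit_log.append(f"{now:.0f} BAD_PASSWORD user={user} attempt={acct.failed} frozen={acct.frozen}")
            return None
        notice = f"last logon: {acct.last_logon}, last logoff: {acct.last_logoff}"
        acct.failed, acct.last_logon = 0, now
        self.audit_log.append(f"{now:.0f} LOGON_OK user={user}")
        return Session(user, now, notice)

    def touch(self, session: Session, now: float) -> bool:
        # Record activity; an idle session is suspended until the password is re-entered
        if session.suspended or now - session.last_activity > INACTIVITY_LIMIT_S:
            session.suspended = True
            return False
        session.last_activity = now
        return True

    def resume(self, session: Session, password: str, now: float) -> bool:
        acct = self.accounts[session.user]
        if session.suspended and not acct.frozen and hmac.compare_digest(hash_password(password, acct.salt), acct.pw_hash):
            session.suspended, session.last_activity = False, now
            return True
        return False

    def logoff(self, session: Session, now: float) -> None:
        self.accounts[session.user].last_logoff = now

def review_audit_log(lines: list[str]) -> dict[str, int]:
    failures = Counter(line.split(" user=")[1].split()[0] for line in lines if " BAD_PASSWORD " in line)
    return {user: n for user, n in failures.items() if n >= MAX_FAILED_ATTEMPTS}
```

`review_audit_log` is the daily review step: it returns the users whose bad-password count reached the freeze threshold, so the reviewer can follow up on them.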

    63. Acceptable approaches for WEB server usage

    64. There shall be no remote control of the Web server. All administrator operations (e.g., security changes) shall be done from the console. Supervisor-level logon shall not be done at any device other than the console. The Web server software, and the software of the underlying operating system, shall contain all manufacturer recommended patches for the version in use.

    65. The Web server must be located internal to the firewall. The Web servers shall be configured so that users cannot install CGI scripts. All network applications other than HTTP should be disabled on the WEB server (e.g., SMTP, ftp, etc.).

    66. Acceptable usage of UNIX WEB servers: Unix Web servers shall not be run as root. The implementation and use of CGI scripts shall be monitored and controlled. CGI scripts shall not accept unchecked input.

    67. Arguments passed to programs that run externally should not contain metacharacters. The developer is responsible for devising the proper regular expression to scan for shell metacharacters and shall strip out special characters before passing external input to the server software or the underlying operating system.
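The CGI input rule above as an added example (not code from the presentation): the unsafe string-building form the slide prohibits is shown only for contrast, next to the slide's strip-metacharacters remedy and a stricter allowlist check, with the external program invoked as an argument list so that no shell ever parses the input. The metacharacter list and username pattern are this example's own, and `echo` stands in for the real lookup utility so the code runs anywhere.

```python
from __future__ import annotations
import re
import subprocess

# Shell metacharacters that must never reach a command line (this example's own list)
SHELL_META = re.compile(r"[;&|`$<>(){}\[\]\\*?!~'\"\s]")
# Positive allowlist for a username; stricter than stripping because it rejects the unexpected
USERNAME_OK = re.compile(r"[A-Za-z0-9_.-]{1,32}")
# 'echo' stands in for the real lookup utility so the example runs anywhere (assumption)
LOOKUP_PROGRAM = "echo"

def build_command_unsafe(username: str) -> str:
    # BEFORE (what the slide prohibits): unchecked CGI input pasted into a shell
    # command string.  A ';' or '|' in the value would append a second command.
    # Shown for contrast only; nothing in this example executes it.
    return f"{LOOKUP_PROGRAM} {username}"

def strip_metacharacters(value: str) -> str:
    # The slide's remedy: scan for shell metacharacters and strip them out
    return SHELL_META.sub("", value)

def is_valid_username(value: str) -> bool:
    # Stricter remedy: accept only what a username may legitimately contain
    return USERNAME_OK.fullmatch(value) is not None

def run_lookup(username: str) -> str | None:
    """Run the external lookup for a validated username; None when the input is rejected."""
    if not is_valid_username(username):
        return None
    # Argument list with shell=False: the OS receives the value verbatim, no shell parses it
    result = subprocess.run([LOOKUP_PROGRAM, username], capture_output=True, text=True, check=True)
    return result.stdout.strip()
```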

    68. Acceptable approaches to mail usage

    69. Objective: Implement suitable policies for e-mail usage to help users:
    - use electronic mail properly,
    - reduce the risk of intentional or unintentional misuse, and
    - assure that sensitive records transferred via electronic mail are properly handled.

    70. acceptable approaches for e-mail usage:

    71. If confidential or proprietary information must be sent via email, it must be encrypted so that it is only readable by the intended recipient, using digital signatures.

    72. All incoming messages will be scanned for viruses and other malign content. The mail server, or other mail server which is servicing users, will be configured to accept only encrypted passwords from local machines using SSL 3.0 or other encrypted channel.

    73. E-mail servers shall be configured to refuse e-mail addressed to non-organizational systems. E-mail clients will be configured so that every message is signed using the digital signature of the sender.

    74. 4. Acceptable approaches for protection from virus and interactive software

    75. The problem: The Internet provides another channel for virus infections, one that can often bypass traditional virus controls.

    76. The security service policy for viruses: has to prevent the introduction of viruses into a computing environment, and must be able to determine that an executable, boot record, or data file is contaminated with a virus.

    77. i. acceptable approaches for virus protection:

    78. Anti-virus software should be installed in the servers to limit the spread of viruses within the network. Scanning of all files and executables will occur daily (or weekly) on the servers. Workstations will have memory resident anti-virus software installed and configured to scan data as it enters the computer. Programs will not be executed, nor files opened by applications prone to macro viruses without prior scanning.

    79. All incoming mail and files received from the Internet must be scanned for viruses as they are received. Virus checking will be performed if applicable at firewalls that control access to networks. This will allow centralised virus scanning for the entire organisation. It also allows for centralised administration of the virus scanning software.

    80. All data imported onto a computer (by e-mail or file transfer) will be scanned before being used. Off-the-shelf scanning software should be enhanced by state-of-the-art virtual machine emulation for polymorphic virus detection. All other new virus detection methods will be incorporated into the detection test bed. To keep abreast of the latest viruses which have been identified, scanning software will be updated monthly or as updates arrive.

    81. Users will inform the system administrator of any virus that is detected, configuration change, or different behaviour of a computer or application. When informed that a virus has been detected, the system administrator will inform all users that a virus may have also infected their system. The users will be informed of the steps necessary to determine if their system is infected and the steps to take to remove the virus.

    82. ii. acceptable approaches for using Interactive Software

    83. Use of Interactive Software: In an Interactive Software environment a user accesses a server across a network. The server downloads an application (applet) onto the user’s computer that is then executed. There are significant risks involved in this strategy. Fundamentally, one must trust that what is downloaded will do what has been promised.

    84. Users should configure their browsers to accept applets only from the servers. If this is not possible, then browsers should be configured not to accept applets.

    85. 5. Acceptable Intrusion Detection methods

    86. Intrusion detection plays an important role in implementing the Internet Security Policy.

    87. acceptable approaches for Intrusion detection :

    88. i. Normal logging processes: Normal logging processes shall be enabled on all systems. Alarm and alert functions, as well as logging, of any firewalls and other network perimeter access control systems shall be enabled.

    89. ii. Additional monitoring tools: In addition to the activity logging process provided by the operating system, all servers shall have additional monitoring tools (e.g. tripwire or appropriate software wrappers) installed.

    90. iii. perimeter access control: System integrity checks of the firewalls and other network perimeter access control systems must be performed on a routine basis.

    91. iv. Review: Audit logs from the perimeter access control systems shall be reviewed daily. Audit logs for servers shall be reviewed on a daily basis. User education shall be provided in order to train users to report any anomalies in system performance to their system administration staff.
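A tripwire-style integrity check of the kind points ii and iii above call for, as an added example not taken from the presentation: it baselines every file under a directory (digest, size, permission bits), seals the baseline with an HMAC so the baseline database itself cannot be altered unnoticed, and on the next routine run reports added, removed and modified files. The sample tree, file names and key in `demo()` are constructed for the example.

```python
from __future__ import annotations
import hashlib
import hmac
import json
import tempfile
from pathlib import Path

def file_digest(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root: Path) -> dict[str, dict]:
    """Snapshot every regular file under root: content digest, size and permission bits."""
    return {
        str(p.relative_to(root)).replace("\\", "/"): {
            "sha256": file_digest(p), "size": p.stat().st_size, "mode": p.stat().st_mode & 0o777
        }
        for p in sorted(root.rglob("*")) if p.is_file()
    }

def seal(baseline: dict, key: bytes) -> bytes:
    """Serialise the baseline and append an HMAC; the key is kept off the monitored host."""
    body = json.dumps(baseline, sort_keys=True).encode()
    tag = hmac.new(key, body, "sha256").hexdigest().encode()
    return body + b"\n" + tag

def unseal(blob: bytes, key: bytes) -> dict:
    body, _, tag = blob.rpartition(b"\n")
    if not hmac.compare_digest(hmac.new(key, body, "sha256").hexdigest().encode(), tag):
        raise ValueError("baseline database failed its own integrity check")
    return json.loads(body)

def verify(root: Path, baseline: dict) -> dict[str, list[str]]:
    """Routine check: compare the current tree against the sealed baseline."""
    current = build_baseline(root)
    old, new = set(baseline), set(current)
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "modified": sorted(p for p in old & new if current[p] != baseline[p]),
    }

def demo() -> dict[str, list[str]]:
    """Constructed sample: a web server's config file and CGI directory (not real data)."""
    key = b"example-key-kept-off-the-monitored-host"
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "cgi-bin").mkdir()
        (root / "httpd.conf").write_text("Listen 443\nServerName www.example.org\n")
        (root / "cgi-bin" / "search.cgi").write_text("#!/bin/sh\necho ok\n")
        (root / "cgi-bin" / "old.cgi").write_text("#!/bin/sh\nexit 0\n")
        db = seal(build_baseline(root), key)
        # Later: the config is edited, a new script appears and an old one disappears
        (root / "httpd.conf").write_text("Listen 443\nServerName www.example.org\n# edited\n")
        (root / "cgi-bin" / "upload.cgi").write_text("#!/bin/sh\necho new\n")
        (root / "cgi-bin" / "old.cgi").unlink()
        return verify(root, unseal(db, key))
```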

    92. 6. Acceptable encryption approaches

    93. i. Level of Encryption: A level of encryption protection equivalent to that provided by the following algorithms is recognised as minimally acceptable:
    - Triple 56 bit DES (defined as 112 bit equivalent) for symmetric encryption,
    - 1024 bit algorithms for asymmetric systems, and
    - 160 bits for the emerging Elliptic Curve systems

    94. The organization will, however, have to increase these minimum levels when deemed necessary by advances in the techniques and capabilities used by attackers to break encryption.

    95. ii. Hardware-Based Encryption: Hardware encryptors are acceptable (while likely to be reserved for the largest traffic volumes to a very limited number of Internet sites):
    - symmetric password "private" key devices (such as link encryptors)

    96. iii. Acceptable Software-Based Encryption:
    - Secure Sockets Layer (SSL) implementations at a minimum SSL level of Version 3.0
    - Standard commercial implementations of PKI, or some variation of it, implemented in the SSL
    - S-MIME - standard commercial implementations of encryption in the e-mail layer

    97. Acceptable Software-Based Encryption (2):
    - In-stream - encryption implementations in the transport layer, such as pre-agreed passwords
    - Offline - encryption/decryption of files at the user sites before entering the data communications process

    98. III. Basic Security Principles for the transmission of sensitive (database) data over the Internet

    99. Basic Security Principle : Sensitive information sent over the Internet must be accessed and modified only by authorized parties

    100. Basic Security Guidelines for the transmission of sensitive data over the Internet: The Internet can be used for the transmission of sensitive data, provided that:
    - a suitable Internet Security Policy is in place,
    - an acceptable method of encryption is utilized to provide for confidentiality and integrity of the data, and
    - suitable authentication or identification procedures are employed to assure that both the sender and recipient of the data are known to each other and are authorized to receive and decrypt such information.

    101. Related Security Guidelines:

    102. G7.1 Acceptable technologies: Appropriate technologies must be used to ensure that data travels safely over the Internet and is only disclosed to authorised parties. These technologies should:
    - allow users to prove they are who they say they are (identification and authentication), and
    - allow the organized scrambling of data (encryption) to avoid inappropriate disclosure or modification

    103. G7.2 Encryption: In order to make the Internet adequately safe, a complete Internet communications implementation must include adequate encryption. Encryption must be at a sufficient level of security to protect against the cipher being readily broken and the data compromised. The length of the key and the quality of the encryption framework and algorithm must be increased over time as new weaknesses are discovered and processing power increases.

    104. G7.4 Authentication and Identification: In order to make the Internet adequately safe, a complete Internet communications implementation must include employment of sufficient authentication or identification of communications partners.

    105. G7.5 Password/key management systems: In order to make the Internet adequately safe, a complete Internet communications implementation must include a management scheme which incorporates effective password/key management systems.
