620 likes | 858 Views
ITIS 6010/8010 Security and Privacy Overview. Lecture 3 Dr. Mohamed Shehab mshehab@uncc.edu Woodward Hall 333F. Lecture Outline. Security Overview Security Design Principles Privacy Overview Cryptography Overview . Information Protection - Why?.
E N D
ITIS 6010/8010Security and Privacy Overview Lecture 3 Dr. Mohamed Shehab mshehab@uncc.edu Woodward Hall 333F
Lecture Outline • Security Overview • Security Design Principles • Privacy Overview • Cryptography Overview
Information Protection - Why? • Information is an important strategic and operational asset for any organization. • Damages and misuses of information affect not only a single user or an application; they may have disastrous consequences on the entire organization. • Additionally, the advent of the Internet as well as networking capabilities has made the access to information much easier.
Information Security: Examples • Consider a payroll database in a corporation, it must be ensured that: • Salaries of individual employees are not disclosed to arbitrary users of the database. • Salaries are modified by only those individuals that are properly authorized. • Paychecks are verified by individuals different than the ones who issued them. • Paychecks are printed on time at the end of each pay period.
What is Information Security? • Confidentiality • Is this all? • Why not? • Availability • To whom? • Authentication • Still not there • Integrity
Confidentiality • Refers to information protection from unauthorized read operations. • First formal work in computer security was motivated by the military’s attempt to implement controls to enforce a “need to know” principle. • Confidentiality also applies to the existence of data, which is sometimes more revealing than the data itself.
Integrity • Refers to information protection from modifications; it involves several goals: • Data integrity, ensuring the integrity of information with respect to the original information. • Origin integrity, ensuring source of the data, often referred to as authentication. • Semantic Integrity, protecting information from incorrect modifications.
Integrity Example • A newspaper may print information obtained from a leak at the White house, but attributes it to the wrong source. • This obeys data integrity. • Violates origin integrity.
Availability • It ensures that access to information is not denied to authorized subjects. • Attempts to block availability, are called denial of service attacks. • Example, SMURF attack.
Additional Information Security Requirements • Information Quality – it is not considered traditionally as part of information security but it is very relevant. • Completeness – it refers to ensure that subjects receive all information they are entitled to access, according to the stated security policies.
Classes of Threats • Disclosure • Snooping,Trojan Horses • Deception • Modification, spoofing, repudiation of origin, denial of receipt • Disruption • Modification • Usurpation (Unauthorized Control) • Modification, spoofing, delay, denial of service
Goals of Security • Prevention • Prevent attackers from violating security policy • Detection • Detect attackers’ violation of security policy • Recovery • Stop attack, assess and repair damage • Continue to function correctly even if attack succeeds
Policy and Mechanism • A Security Policy: • Is a statement of what is and what is not allowed. • A Security Mechanism: • Is a method, tool, or procedure for enforcing a security policy. • Example: • Policy - “Students should not copy from each other”. • Mechanism – Use an online paper correlator.
Policy and Mechanism (Cont.) • Policies define security, and mechanisms enforce security • Confidentiality • Integrity • Availability • Composition of policies • If policies conflict, discrepancies may create security vulnerabilities
Policy and Mechanism (Cont.) • Policies • Unambiguously partition system states • Correctly capture security requirements • Mechanisms • Assumed to enforce policy • Support mechanisms work correctly
Types of Mechanism Secure Precise Broad Set of reachable states Set of secure states
Information Security – Mechanisms • Confidentiality is enforced by the access control mechanism. • Integrity is enforced by the access control mechanism and by the semantic integrity constraints • Availability is enforced by the recovery mechanism and by detection techniques for DoS attacks – an example of which is query flood
Information Security- Additional Mechanisms: • User authentication - to verify the identity of subjects wishing to access the information. • Information authentication - to ensure information authenticity - it is supported by signature mechanisms. • Encryption - to protect information when being transmitted across systems and when being stored on secondary storage. • Intrusion detection – to protect against impersonation of legitimate users and also against insider threats.
Information Security – How? • Information must be protected at various levels: • The operating system • The network • The data management system • Physical protection is also important
Data vs Information • Computer security is about controlling access to information and resources • Controlling access to information can sometimes be quite elusive and it is often replaced by the more straightforward goal of controlling access to data • The distinction between data and information is subtle but it is also the root of some of the more difficult problems in computer security • Data represents information. Information is the (subjective) interpretation of data
Data vs Information (Cont.) Data Physical phenomena chosen by convention to represent certain aspects of our conceptual and real world. The meaning we assign to data are called information. Data is used to transmit and store information and to derive new information by manipulating the data according to formal rules. from: P.Brinch Hansen. Operating Systems Principles. Prentice-Hall, 1973.
Data vs Information (Cont.) • Protecting information means to protect not only the data directly representing the information • Information must be protected also against transmissions through: • Covert channels • Inference • It is typical of database systems • It refers to the derivation of sensitive information from non-sensitive data
Inference – Example (Cont.) • Assume that there is a policy stating that the average grade of a single student cannot be disclosed; however statistical summaries can be disclosed • Suppose that an attacker knows that Carol is a female CS student • By combining the results of the following legitimate queries: • Q1: SELECT Count (*) FROM Students WHERE Sex =‘F’ AND Programme = ‘CS’ • Q2: SELECT Avg (Grade Ave) FROM Students WHERE Sex =‘F’ AND Programme = ‘CS’ • The attacker learns from Q1 that there is only one female student so the value 70 returned by Q2 is precisely her average grade
Information Security:A Complete Solution. • It consists of: • First defining a security policy. • Then choosing some mechanism to enforce the policy. • Finally providing assurance that both the mechanism and the policy are sound.
Overview • Saltzer and Schroeder [1975] defined the 8 principles that are based on the ideas of simplicity and restriction • Simplicity • Less to go wrong • Fewer possible inconsistencies • Easy to understand • Restriction • Minimize access – an entity can access only information it needs (also known as “need to know” principle) • Inhibit communication – an entity can communicate with other entities only when necessary, and in few (and narrow) ways as possible
Principle of Least Privilege • The principle of least privilege states that an entity should be given only those privileges that it needs in order to complete its task • The function of an entity, and not its identity, should control the assignment of rights • Rights should be added as needed, discarded after use
Principle of Fail-Safe Defaults • The principle of fail-safe defaults state that, unless an entity is given explicit access to an object, it should be denied access to that object • This principle requires that the default access permission to an object be none
Principle of Economy of Mechanism • The principle of economy of mechanism states that security mechanisms should be as simple as possible • Simpler means less can go wrong • And when errors occur, they are easier to understand and fix • Interfaces and interactions • Interfaces to other modules are crucial, because modules often make implicit assumptions about input or output parameters or the current system state
Principle of Complete Mediation • The principle of complete mediation requires that all accesses to objects be checked to ensure that they are allowed • Usually done once, on first action • UNIX: access checked on open, not checked thereafter • If permissions change after, may get unauthorized access • This approach violates the principle of complete mediation
Principle of Open Design • The principle of open design states that the security of a mechanism should not depend on secrecy of its design or implementation • If the strength of a program’s security depends on the ignorance of user, a knowledgeable user can defeat the security mechanism • “Security through obscurity” is not a good principle • This principles does not apply to information such as passwords or cryptographic keys (these are data and not algorithms)
Principle of Open Design (Cont.) • Issues of proprietary software and trade secrets complicate the application of this principle • In some cases companies do not want their designs made public to protect them from competitors • The principle then requires that the design and implementation be available to people barred from disclosing it outside the company
Principle of Separation of Privilege • The principle of separation of privileges states that a system should not grant permission based on a single condition. • In other words: more than one condition must be verified in order to gain access • Separation of duty • Example: company check for more than $75,000 must be signed by two officers of the company • Example: On Berkeley-based versions of Unix, a user is not allowed to change from his accounts to the root account unless two conditions are verified: (i) the user knows the root password; (ii) the user is in the wheel group (with GID 0)
Principle of Least Common Mechanism • The principle of least common mechanism states that mechanisms used to access resources should not be shared • Information can flow along shared channels • Covert channels • Isolation • Virtual machines • Sandboxes
Principle of Least Common Mechanism(Example) • For example, serving an application on the Internet allows both attackers and users to gain access to the application. Sensitive information can potentially be shared between the subjects via the mechanism. • A different mechanism for each subject or class of subjects can provide flexibility of access control among various users and prevent potential security violations that would otherwise occur if only one mechanism was implemented.
Principle of Psychological Acceptability • The principle of psychological acceptability states that security mechanisms should not make the resource more difficult to access than if the security mechanisms were not present • Hide complexity introduced by security mechanisms • Ease of installation, configuration, use • Human factors critical here • On the other hand, security requires that the messages impart no unnecessary information • For example, if a user supplies the wrong password, the system should reject the attempt with a message saying that the login failed. If it were to say that the password was incorrect, the user would know that the account name was legitimate
Privacy ?? • Information Privacy is the ability of an individual to control the use and dissemination of information that relates to himself or herself. • The word “Privacy” means different things in different contexts: • Freedom from intrusion. • Control of personal information. • Control of one’s image or name. • The historic driver of the privacy problem is the “bad people” problem.
Approaches to Privacy Enforcement • Governmental Standards • Enforcement by regulatory agencies, states, etc. • Industry Standards • “Codes of conduct” • Limited enforcement through licensing • Limited enforcement from government • Unregulated Market • Reputation • Technology can help in all of these cases.
Fair Credit Reporting Act, 1970 • Right to: • See your credit report. • Challenge incorrect information. • Information automatically expire after 7 years. • Know who accesses your report. • Free credit report if you are denied credit.
The Code of Fair Information Practice (1973) • Included: • No Secret record-keeping systems. • Right to see your record. • Information obtained for one purpose may not be used for another purpose. • Right to correct or amend incorrect records. • Organizations must assure the reliability of data and take precautions to prevent misuse.
Other Privacy Acts • HIPAA: Health Insurance Portability and Accountability Act • COPPA: Children’s Online Privacy Protection Act • Applies to online collection of info on children under 13. • Gramm-Leach-Bliley Act • Sarbanes-Oxley: Public Company Accounting Reform and Investor Protection Act
Other Privacy Acts • Gramm-Leach-Bliley Act • Consumers must be informed of privacy policies • Initial notice • Annual notice • Notices were mostly ignored! • Consumers must have a chance to “opt-out” • Many different ways to “opt-out” • Have you ever opted out?
Other Privacy Acts • Sarbanes-Oxley: Public Company Accounting Reform and Investor Protection Act • Insider Trading • Conflict of Interest • Public disclosures • Assessment of internal controls • Mandatory disclosures
Example: Patient Records Voter Registration Data Released Medical Data
Cryptography • Basic assumptions • Message to be encrypted • Algorithms (publicly known) to encrypt/decrypt message • Key (known only to sender/recipient) • Given only algorithms and encrypted message, nobody knows a method to decrypt that is significantly faster than trying all keys • Types of attacks • Ciphertext only • Known plaintext • Chosen plaintext • Real attacks generally don’t break cryptography! • Don’t pick the lock, tunnel into the vault
Symmetric Cryptography • The secret key that seals also unseals • M’ = f(M,key) encryption or sealing • M = f’(M’,key) decryption or unsealing • Uses: • Prevent eavesdropping • Must be secure channel for key exchange • Secure storage • I have to remember my key • Authentication • Challenge/response • Integrity Check • Checksum on the message • Encrypt the checksum
Public Key (Assymetric) Cryptography • First published in 1976 (Diffie-Hellman) • More common today: RSA • Matched pair of keys • Public key (e) to encrypt • Private key (d) to decrypt • For integrity, encrypt checksum with sender’s private key • Only sender’s public key will decrypt properly