750 likes | 765 Views
Explore the history of computer security from mainframes to the internet era, covering milestones, threats, and advancements in confidentiality, integrity, and availability. Understand the evolution of security practices over different epochs.
E N D
CSCD 434 Lecture 2 Spring 2019 Computer Security Overview Chapter 1 – Security+ Guide Text
Overview • History of Computer Security • Definitions • Confidentiality, Integrity, Availability • Examples • Threats to Computer Systems • How bad is it? • Vulnerabilities • Defined, Statistics • Examples
History of Computer Security • Computer Security http://di.ionio.gr/~emagos/security/0/Gollmann%27s%20Chapter%201-%20History%20of%20Computer%20Security.pdf Computer security can trace its origins back to 1960s Multi-user systems Needed mechanisms for protecting the system from its users, and the users from each other • We observe that computer security has passed through the following epochs: • 1970s: Age of the Mainframe, • 1980s: Age of the PC, • 1990s: Age of the Internet, • 2000s: Age of the Web
History of Computer Security • Age of the Mainframes • Mainframes were deployed in government departments and in large commercial organizations, prior to individual PC’s • Defense sector saw potential benefits of using computers • Yet, their main concern was • How do we protect classified information from unauthorized use in a mainframe environment? • Developed a formal statemachine model for multi-level security policies regulating access to classified data, • Bell–LaPadula model was highly influential for computer security research into 1980’s • Multics project developed an operating system that had security as one of its main design objectives
History of Computer Security Age of the Mainframes • The solution was to first, model this problem of separation between users with different classifications • Then prove mathematically, data was safe • Developed a formal statemachine model for multi-level security policies regulating access to classified data, Bell–LaPadula modelwas highly influential for computersecurity research into 1980’s • Developed an Operating System based in part on security prinicples of separation of users Multics projectdeveloped an operating system that had security as one of its main design objectives
History of Computer Security Multics, first OS to formally separate users and data https://en.wikipedia.org/wiki/Protection_ring
Time out for a Quiz • What popular operating system was developed based on the Multics Operating System? Unix !!!!
History of Computer Security • Mainframes continued • Multi-level Security(MLS) dominated security research into following decades • Leading to development of high-assurance systems whose design had to be verified employing formal methods Started with the Orange Book, and migrated to the Common Criteria … all governed by NSA • However, these high-assurance systems did not solve problems of following epochs
History of Computer Security • Military dominated computer security • Obsessed with (Multi Level Security) = Confidentiality • Wanted to Prove formally that secrets could remain secret in presence of unclassified people in multi-user environment • Concerned with detecting covert channels where spies or insiders would signal each other • Great Collection of early security papers http://seclab.cs.ucdavis.edu/projects/history/
Multi-level Security in a NutshellBell-Lapadula Model There are security classifications or security levels – Users/principals/subjects have security clearances – Objects have security classifications • Example Top Secret Secret Confidential Unclassified • Top Secret > Secret > Confidential > Unclassified • Security goal (confidentiality): Ensures that information does not flow to those not cleared for that level
Summary of Traditional View 1. Computers were not as networked • Many standalone and mainframe systems 2. Multi-user systems • Concerned with multi-level security • Secrecy - confidentiality of primary concern • Second, was data integrity and maintaining access 3. Adversaries were at the highest levels
History of Computer Security Age of the PC • PC was single user machine, first successful applications were word processors and spreadsheet programs … plus email !!! • Private, so no longer were concerned with classified data • At a stroke, multi-level security and multiuser security became irrelevant … for most users • 1980s also saw first worms and viruses • Proposed in research papers before they later appeared in wild
Second Quiz … Who was the first to use term “computer worm” in print? John Brunner's 1975 novel, The Shockwave Rider
History of Computer Security • Age of the Internet • World Wide Web (1991) and Graphical Web Browsers, 1993 created a whole new paradigm • Both developments fostered a whole new range of applications • Typical end system was PC, not stand-alone or connected to a LAN, but connected to Internet • Connecting a machine to Internet has major ramifications ... 1. System owner no longer controls who can send inputs to this machine 2. System owner no longer controls what input is sent to machine 3. Inputs can come from anywhere in the world
History of Computer Security • Age of the Internet continued ... • Malformed packets could be sent to private computers attached to Internet • Exploit vulnerabilities in software • On-line denial-of-service attacks became possible towards end of 1990’s • This was greatly expanded into 2000's with World Wide Web ...
History of Computer Security • Age of the World Wide Web • Application-level software for Web services has become main target for attacks • Major attack patterns are: • SQL injection • Crosssite scripting • Attacks against domain name system • Application software accounts for increasing number of reported vulnerabilities and real attacks • Attacks have stolen contact data from pretty much everyone …. ransomeware attacks for businesses
History of Computer Security • World Wide Web Continued • Picture of attacker has changed • Hackers of 1990s often matched stereotype • Male in his teens or twenties with limited social skills • In rare cases, attacks were for financial gain • Today, criminal organizations dominate • Criminals have no interest in high profile fast spreading worm attacks … for fun !!! • Place trojans on victims’ machines to harvest sensitive data, passwords, PINs, or Credit Cards or use victims’ machines as part of a botnet • Ransomeware has recently become common
Modern State of Computer Security 1. Computers are Connected and Interdependent This codependency magnifies effects of any failures Slammer worm, 2003, Infected 75,000 computers in 11 minutes Continued to scan 55 million computers / sec Blaster worm, 2003, Infected 138,000 in first 4 hours Over 1.4 million computers worldwide Many others ....
Modern State of Computer Security 2. Computing today is very Homogeneous • A single architecture and a handful of OS's dominate • Linux, Mac OS and Windows • In biology, homogeneous populations ... terrible idea • A single disease or virus can wipe them out because they all share the same weakness • The disease needs one infection method!! - Potaoe famine of Ireland • Computers are the animals ... think cows • Internet provides the infection vector ... virus that sickens cows ... Mad Cow disease
Modern State of Computer Security 3. Adversaries are all levels and Global • Range from script kiddies to serious groups such as those that steal defense secrets or industrial espionage • Global reach with many attackers in countries where we can't extradite them • China, Eastern Europe, Russia and S. America Hacker Timeline http://en.wikipedia.org/wiki/Timeline_of_computer_security_hacker_history
Modern State of Computer Security 4. All Data is Vulnerable There have been so many data breeches, nearly everyone is affected A few recent examples: • Equifax, global credit ratings agency who experienced a data breach that affected a staggering 147 Million customers • Yahoo, web giant that suffered a breach affecting every one of its three Billion customer accounts.
Security Defined • System is Secure if … • Has these properties • Confidentiality • Integrity • Availability C.I.A
Confidentiality Defined • Confidentiality • What does it mean for data to be confidential? • Data must only be accessed, used, copied, or disclosed by persons who have been authorized • To access, use, copy, or disclose information … • You ensure information is not accessed by unauthorized users
Confidentiality Example • Communication between two people should not be compromised Threats We have made an important discovery … Eavesdropping, packet sniffing, illegal copying network
Definitions • More on Confidentiality • How do you prevent confidentiality loss? • Confidentiality is maintained by preventing disclosure of information to unauthorized individuals or systems • Example, credit card transaction on the Internet • System enforces confidentiality by encrypting card number during transmission
Integrity Defined • Integrity • What is Data Integrity? • Data must not be • Created • Changed, or • Deleted without authorization • Ensuring that information is not altered by unauthorized persons
Integrity Defined • Messages should be received as originally intended Threats Intercept messages, tamper, release again I love you darling!! I don’t want to see you again network
Definitions More on Integrity • Integrity means that data cannot be modified without authorization • Example of violation • Integrity is Violated • When an employee (accidentally or with malicious intent) deletes important data files, • When a computer virus infects a computer, • When an employee is able to modify his own salary in a payroll database, • When unauthorized user vandalizes web site
Availability Defined • Availability • Systems function correctly when information is provided when its needed • The opposite of availability is denial of service (DoS)
Availability Example • Disrupting communications completely Threats Overwhelm or crash servers, disrupt infrastructure network
Definitions More on Availability • Information must be available when it is needed. • High availability systems goal is remain available at all times, preventing service disruptions due to power outages, hardware failures, and system upgrades • Example of violation? • Ensuring availability also involves preventing DoS attacks denial-of-service attacks
CIA • While a good way to measure system security • DOD environment • Not sufficient for modern computers • Today’s world, computers are more complex • Many more layers of applications and uses • More difficult to both define and measure security
Simple View Computer Security • You have something you want to protect • You have someone or something you want to protect it from • You are willing to expend effort and resources in order to protect it
Question • Is Computer Security a Process or a State?
Security Defined • It is a process, not a state There is no fundamental point when system is secure • Have Risk, • Do Assessment • Manage risk, • Mitigate what can't be managed • Need to identify what’s “Good Enough” • Security is a tradeoff, can't protect everything
ATM Machine Example • ATM Machine • User asks for cash, spits it out • Door opens, user takes cash, door closes • What happens if user doesn’t take cash?
ATM Machine Example • Assumption if this happens, subsequent user shouldn’t get cash that doesn’t belong to him • All following transactions, machine refuses to open door • Cash could go to wrong user • Creates a DoS for rest of users
Security Protocols Difficult • Hard to get security protocols right • Designers don’t anticipate everything that could go wrong • Users or attackers frequently seem to find the flaw • Even something seemingly simple can have flaws
US Tax System Example • Tax refunds, how hard is that? • Algorithm for processing form • Verify identity of form filled out by a given person • Verify income and with-holding are correct • If these two steps ok && amount of Withholding > tax owed • then send person refund check • What could go wrong?
US Tax System Example • Except … no rule against duplicate checks • Person could file for multiple refund checks under this system • And, that happened for a while • Was eventually caught …
Threats to Computer Security • So, what are the threats? • Passive • Sniffing of data • Viewing of information – physical • Over your shoulder, taking pictures of screens • Dumpster diving • Social Engineering • Active • Interception of data, injection of data • Virus, worm, trojan horse program • DOS or DDOS
Measuring Computer Security • How do you measure security? • How would you do it? • Several ways to estimate computer status • Vulnerabilities in software and systems • Severity of the vulnerability • Reported incidents – Data breeches, attacks • Numbers of malware “signatures” • Reported social engineering explooits
Is Security that Bad? License
US Government Security Incidents https://digital.gov/2016/10/25/federal-cybersecurity-challenges/
How big is the security problem? CERT Vulnerabilities reported http://www.cert.org/stats/