System Security SPM 602

Muhammad Arsal Latif

arsal.latif@iiu.edu.pk

Course Outline

Contents
Examine security risks Consider available counter measures Stimulate thought about uncovered risks Possibly identify areas of more work

Use of Cell phones Plagiarism Why are you here ??

Meet your friends (X) Stare at the teacher (X) To learn and share ()

Teaching Methodology
Facilitator

Books [but not limited to]

Cryptography & network security William Stallings 4th edition Security in computing - Charles P. Pfleeger, Shari Lawrence Pfleeger 4th edition Notes as provided by Facilitator

Activity
Ice breaking What do you understand by system ? What do you understand by computing system ? What do you understand by the term security ?

Activity
What are the basic assets of computing system ? How is computer security different from bank security ? Define the following in terms of computer security: exposure, vulnerability, threat, control Define 4 threats in computer security:

hint: interruption, interception, modification, fabrication

Define 3 goals of computer security: hint: confidentiality, integrity, availability

Computing System

Hardware, software, storage media, data, communication media, people 4 basic assets:
Hardware, software, data, people

Exposure: possible loss or harm e.g unauthorized access, modification Vulnerability: weakness in security system Threat: circumstances having potential to cause loss or harm e.g human attacks, natural disasters Control: protective measure (action, device, procedure) to reduce vulnerability

Computer Security Vs Bank security

Size & portability Ability to avoid physical contact Value of assets

Threats to computing system

1.

Interruption
An asset becomes lost, unavailable, unusable

2.

Interception
Unauthorized access by person/program

3.

Modification
Unauthorized access + tamper/change

4.

Fabrication
Unauthorized access + add new

Security Goals
1.

Confidentiality
Only authorized access

2.

Integrity
Only authorized access + modification

3.

Availability
Non-prevention of authorized access

Group Activity

Define the following:

trojan horse, virus, trap door, logic bomb, salami attack

Identify 3 broad classes of computer criminals

Software Threats
Trojan horse: appears to do certain task Virus: similar to TH, spreads rapidly Trap door: secret entry point Logic bomb: inbuilt program Salami attack: little ++

Computer criminals

Amateurs : accidental observation of flaw,

disgruntled employee

Crackers: large number of youngsters,

hacking emails, school networks, etc. software cracks, etc.

Career criminals: computer professionals

engaged in computer crime, finding good payoff

OSI Security Architecture

ITU Standardization Sector Assess security needs Evaluate/select security products/policies Focus on:

Security attacks: violation/assault on system

security

Security mechanisms: process/device to

detect, prevent, recover

Security services: uses security mechanisms

to counter attacks processing or

Security Attacks

Passive attacks: learn/use information

without affecting resources Release of message contents Traffic analysis (e.g. conversation in foreign language)

Active attacks: alter/affect resources

Masquerade (deceive) Replay Modification of message Denial of service ; DoS (prevents normal use
of communication facilities)

Security Mechanisms
Encryption Digital signature Access control

Assignment

Security Services
Ensure security of data/systems/data transfer Make use of security mechanisms Divided into 5 categories

Authentication Access control Data confidentiality Data integrity Non-repudiation

Security Services contd..

Five categories:
Authentication: service authenticates sender/receiver;
ensure no interference

Access control: limit/control access to system via

communication link; identify sender/receiver

Data confidentiality: protection of data being

transmitted; protection from traffic analysis

Data integrity: ensure messages received without

duplication/insertion/replays/deletion; concerned with active attacks focus detection

Non-repudiation: prevent sender/receiver from denying

transmission

Assignment contd.

Explain terms:
Cryptography Cryptanalysis Cipher text Encryption algorithm Secret key Brute force attack

Key terms for today

plaintext: original intelligible message ciphertext: coded message encrypt: process of converting plaintext to

ciphertext (securing message in an insecure environment)

decrypt: restore plaintext from ciphertext encipher/decipher encode/decode cryptography: study of various schemes

for encryption

Cryptography
3 independent dimensions Transforming plaintext to ciphertext

Substitution: each element mapped into another Transposition: elements are rearranged

Number of keys
Symmetric/single-key/secret-key/conventional encryption Asymmetric/two-key/public-key encryption

Processing of plaintext
Stream cipher: individual input elements continuously Block cipher: block of elements

Conventional cipher/cryptographic system

Plaintext: original message Encryption algorithm: transform P Secret key: diff key ; diff C Ciphertext: scrambled message Decryption algorithm: reverse E Diagram 2 requirements:

Strong encryption algorithm Secret key secret channel

Substitution Caesar cipher

Earliest known cipher Used by Julius Caesar C = E(k,p) ; k= 3 (or 1-25)

Plaintext: a b c d e f g Ciphertext: D E F G H I J Activity: our security is fool proof and up to date k=7

Disadvantages of Caesar Cipher

E.g. security is easy !!! Blank/space is translated into itself Small words 2 letter words are easy to decrypt Only 25 keys to try ; e.g. Possible solution - use blocks of equal size e.g. 5

Vernam Cipher (One-time pad)

Developed by Gilbert Vernam for AT&T Assign numbers to alphabets Add non-repeating random numbers mod 26 E.g vernam cipher Activity: P = this is the best known encryption XOR logical function

0010 XOR 1010 = 1000

Activity

P
No. R No. 76 48 16 82 44 03 58 11 60 05 48 88

What will be the Plaintext?

Sum
Mod 26 C T A H R S P I T X M A B

Transposition (permutation)
Re-arrangement of letters E.g. columnar transposition

c1 c2 c3 c4 c5 c6 c7 c8 c1 c5 c2 c6 c3 c7 c4 c8

THIS MESS AGE1 SFOR YORK

TMAS YHEG FOIS EORS SIRK

Cryptanalyst

Cryptanalysis
Some knowledge of plaintext Samples of plaintext-ciphertext pairs Exploit characteristics of encryption algorithm

Brute-force attack
Encryption algorithm is known Try all possible keys to obtain intelligible plaintext

Cryptanalytic Attacks

Ciphertext only (good defense)

Ciphertext known Encryption algorithm known Key unknown

Known Plaintext
Plaintext ; ciphertext Compute encryption/decryption algorithm + key

Chosen Plaintext
Uses plaintext to generate ciphertext Compute encryption/decryption algorithm + key
Assumption : LANGUAGE SHOULD BE KNOWN

Security of Encryption

Security can be assured through powerful encryption algorithms cryptographer

Cost of breaking cipher exceeds value of information 2. Time required to break cipher exceeds lifetime of information
1.

Stream Cipher
one symbol of plaintext one symbol of ciphertext e.g. vernam cipher (diagram) Advantages:

Speed encryption Low error (effects only 1 character)

Disadvantages:
Attempt to break by analyzing individual symbols Susceptibility to insertions and modifications

Block Cipher
Group of plaintext as one block e.g. columnar transposition (diagram) Advantages:

Difficult to analyze (one cipher block depends on several plaintext letters/symbols) Immunity to insertions (difficult to insert symbols into blocks block size changes)

Disadvantages:
Slow encryption High error (effects entire block)

Confusion & Diffusion

2 techniques introduced by Claude Shannon to conceal information Confusion

Relationship b/w P+K & C should be complex Cryptanalyst should not be able to predict what changing one character of P will do to C Substitution e.g. vernam cipher

Confusion & Diffusion contd.

Diffusion
Relationship b/w P & C should be complex Changes in plaintext should effect many parts of ciphertext & vice versa Transposition (permutation) Cryptanalyst needs large amount of ciphertext to be able to predict

Feistel Cipher
Proposed by Feistel Based on SPN (subsititutionpermutation network) proposed by Claude Shannon Block cipher using product cipher (2 or more ciphers)

Feistel Cipher Structure

Plaintext Divide into half Left half & right half Perform substitution/round function F (using key K) XOR of left half & output of F Perform permutation/interchange the 2 halves of data Start round 2 .

Feistel Cipher Structure contd

Feistel cipher structure depends on choice of :

Block size Key size No. of rounds Key generation algorithm Round function

Activity
P = 101100001011010111 F = vernam cipher k (round i) = 000110111 k (round ii) = 100101110 k (round iii)= 001101010

Data Encryption Standard (DES)

Adopted by NIST (NBS) in 1977 as FIPS (federal information processing standard) Block cipher (product cipher) based on Feistel block cipher LUCIFER Block size = 64 bits Key length = 56 bits Rounds = 16

DES Structure
Initial Permutation Divide into (32 bits each) Expansion permutation (output 48 bits) k = 64 bits (drop every 8th bit); 56 bits Divide into (left shift) Permuted choice 2 (k) = 48 bits Xor right half and k

DES Structure contd

S-box (8 boxes 6 bits each) Output 4 bits = 32 bits e.g. 011001, the row is 01 (row 1) and the column is 1100 (column 12). The value in row 1, column 12 is 12, so the output is 1100. Permutation End of round function F Xor left half and output from F Permutation (interchange left and right) End of 16 round. inverse initial permutation

Assignment

Controversial issues of DES (weakness)

Key length Design of algorithm

Differential and linear cryptanalysis

Application on DES

3DES
3DES with 3 keys 3Des with 2 keys

EDE function

C = E (K1, D (K2, E (K1,P))) Adv 56 x 3 key length (overcomes brute-force ; algorithm has been scrutinized) Disadv slow for software ; 64-bit block

AES (Advanced Encryption Standard)

NIST call for proposal (1997)

Security => 3DES Improved efficiency (computational + memory) Approved Rijndael Nov 2001 Dr. Daemen & Dr. Rijmen (Belgium)

Symmetric + block product cipher Not feistel structure Block=128 ;key=128/192/256 ;round=10/12/14

AES contd.
128-bit block = 16 bytes Square matrix 4 x 4 (State array) Key 128-bit = 16 bytes Expanded key 44 words (1 word = 4 bytes) 4 words = 128-bit key for each round

AES contd.

Plaintext AddRoundKey (Xor with key) SubstituteByte

Table lookup 16 x 16 matrix (1-4 row; 5-8 col) 0-F

ShiftRows
matrix 4 x 4 (1 row no shift; 2 row 1 byte shift)

MixColumns
Each column operated individually ; each byte replaced

AddRoundKey (XOR 4words with state array) Round 10 no MixColumns Read Appendix 5B (page 165)

Public-key Cryptography
Conditions for public-key proposed by Diffie & Hellman Should be computationally:

Easy to generate pair Easy to generate C using public key/private key Easy to generate P using private key/public key Difficult to produce private key using public key Difficult to produce P using public key + C

Components of PKC
Plaintext Encryption algorithm Public and private keys Ciphertext Decryption algorithm

Steps in PKC

Each user generates a pair of keys one for encryption and one for decryption Place one key in public register/folder i.e. public key The other pair remains private All user public keys are accessible from the public register/folder Encrypt message with PU, decrypt with PR C = E (Pub,P) ; P = D (PRb,C) C = E (Pra,P) ; P = D (PUa,C)

RSA algorithm
Rivest, Shamir, Adleman in MIT (1977) Most widely use PKE Block cipher PU = {e,n} PR = {d,n} C = Pe mod n P = Cd mod n

RSA algorithm contd.

Ingredients of RSA
p, q (2 prime numbers, private) n = p.q (public, calculated) e (chosen, public) d = (1 mod (p-1)(q-1)) / e (calculated, private)

A simple e.g. p = 7; q = 11 ; P = 2 n = 77 ; e = 37 ; d = 13 C = 237 mod 77 = 51

Hash Function
h = H(P) h = hash value (fixed length) P = variable length message Properties :

Applied to variable size block of data Produces fixed length output Easy to compute h for harware/software implementation

SHA 1 (digest = 160 bits; message < 264; block size = 512 bits ; rounds = 80)

Digital Signature

Authentication provides verification of sender and receiver + protects data from any 3rd party Trust is required in communicating b/w 2 parties Scenario 1 : EFT takes place and receiver increases amount Scenario 2 : e-mail instructs stock broker for transaction & disowns message Digital signature a step beyond mere authentication

Digital Signature contd.

Properties :
Must verify author, date, time Must authenticate contents at time of signature Must be verifiable by 3rd party

Requirements :
Must use some information unique to sender Must be easy to generate Computationally infeasible to forge Must be practical to retain a copy in storage

Digital Signature contd.

2 broad categories : Direct digital signature

2 parties (sender / receiver) Signature = encrypt message with sender private key OR apply hash algorithm to message + encrypt using private key Confidentiality = encrypt message + signature with receiver public key, or secret key In case of dispute, 3rd party must view message e.g. sender claims key was stolen control = include timestamp, report lost key

Arbitrated Digital Signature

Every signed message goes to arbiter (A) A tests message for origin + content A dates message + forwards Sender cant disown message, trusted arbitration mechanism Scenario 1 : X & Y use symmetric encryp. Scenario 2 : X & Y use double symmet. Scenario 3 : X double encrypts with PR & PU then PU again for A A forwards with PR + time stamp Assignment DSS & DSA

E-mail security
2 broad approaches PGP S/MIME (multipurpose internet mail

extension)

Free available software Based on algorithm such as RSA, 3DES, SHA 1 Not developed or controlled by any govt. organization

PGP contd . (homepages.gold.ac.uk)

Includes 5 services : Authentication

Message + SHA 1 -> RSA with PR

Confidentiality
Message + session key (3DES) Session key -> RSA with PU

Compression
ZIP algortihm

E-mail compatibility
Radix-64 conversion binary stream to stream of printable ASCII

Segmentation
Message broken into smaller chunks

Assignment (S/MIME; email message header file)

Role of People in IS

Chain is only as strong as its weakest link Systems, application, products, etc are developed for people Goal of marketing plan ? Get employees committed to + be aware of their roles and security program Trained and diligent employees become strongest link in security infrastructure Machine enforces rule it doesnt understand people react, adapt, absorb, respond to changing conditions

Role of People in IS contd

Review organization chart Right person in right position might be able to overcome weaknesses of a poor structure Security department buried within one branch of an organization Contents IS program risk assessment, policy, roles, disaster recovery plan Is the IS program crisis management ??

Role of People in IS contd

Big debate security placement ?? Physical / technical security can be outsourced ?? CSO / CRO member of senior management ISS director / S director law enforcement agency + certification Training & awareness of employees e.g. email ; false alarms Job rotation

Security Certifications
CISSP certified information systems security professional (ISC)2 international information systems security certification consortium SSCP systems security certified practitioner SANS Institute systems administration, networking, and security Institute GIAC global information assurance certification CISA certified information systems auditor CSSLP certified secure software lifecycle professional

Security Assessment

Company doing e-commerce security is a key concern

Customers cite security for online purchasing Data resides on various systems within IT environment

Security program a business process or a technology ?!? Best security technology will not yield a secure environment without sound security processes

Security Team Justification

Maintain competitive edge Protection of organizations reputation e.g. Pakistan Mandates by govt. regulations

Security Assessment contd.

Few considerations while deciding appropriate security measures :

What needs to be protected ? How valuable is it ? How much does downtime cost ? Damage to companys reputation in case of security breach ? The probability of breach occurrence ?

Answers can be determined through security assessment :

Identify security needs Framework for enhancing & developing security program

Security Assessment contd.

Is security assessment an audit ?? Can security assessment be third party ?? Results of security assessment determine short-term & long-term security initiatives Third party evaluation :

Client references Sample deliverables Qualifications of consulting team Methodology & tools

Quality assessment after selection :

Scope e.g. network, servers, business units, etc Timing e.g. deadlines, contact persons Documentation e.g. risks & recommendations

Security Assessment contd.

Meeting standards :
ISO 17799 information security best practices
Access control Asset classification & control Personnel security Physical & environmental security

Common criteria http://www.commoncriteria.org/ Top 20 Internet vulnerabilities http://www.sans.org/top-cyber-security-risks/?ref=top20 ISO 27001

provide a model for establishing, implementing, operating, monitoring, reviewing, maintaining, and improving an Information Security Management System E.g. Netsol Technologies (http://www.netsoltech.com/services/information-security.php)

Security Assessment contd.

Understanding
1. 2. 3. 4. 5.

the business for effective security assessment :

Inherent risks Business strategy Organizational structure Business processes Technology environment

Inherent risks
Exist in business without considering any controls E.g. regulatory concerns E.g. cotton mills Executives are a good source for information on risks

Business Strategy

long-term, short-term strategy determines what is important to a company How will IT support the long-term & short-term strategies E.g. consolidated business units ; integration issues in security assessment E.g. remote access from homes, hotels, etc.
Security assessment of infrastructure How will users access network (dial in, VPN) What resources to access e.g. email, shared files How much bandwidth required Tolerable downtime of remote access

Executives importance of security

Organizational Structure
Placement of security Having a CSO/CRO indicates a high level awareness of security issues Clearly defined roles of security personnel process owner ! E.g. process of employee termination

Payroll is stopped All user access is eliminated All assets returned (computer, ID badge) Common IDs & passwords are changed Each step requires inter-dept coordination Process owner ensures smooth termination

Organizational Structure contd .

Backup management control ; periodic review of IDs Internal audit : Check compliance of processes Continuous security assessment Independent evaluation of process, risk, policy

Business processes
E.g. supply-chain management in B2B relationship Business partners might have access to manufacturing & inventory information Security controls

Need-to-know basis Secure communication Connection reliability

Technology environment
The technology supporting business processes E.g. industry specific applications, LAN, WAN, NOS, firewalls, IDS, AV Final step gap analysis

Reflects the security position of company at a given time Findings, security exposures/risks, controls in place, recommendations

Todays Topics
Threats in networks Firewall Disaster recovery

Threats in Networks

Reasons for threats

Sharing Complexity of system Changing/unclear perimeter Anonymity Local nodes connected via Local communications links to a Local area network, which has Local data storage, local processes, local devices Network gateway, which gives access via Network communications link to network control resources Network routers, and resources such as database

Some network components

Threats in Networks contd.

Wire tapping
Packet sniffer (reprogrammable board for addresses) Inductance Multiplexing Microwave Optical fiber

Impersonation
WAN & LAN e.g. using empty workstation

Message confidentiality violations

Mis-delivery (e.g. wrong email address) Exposure (temporary buffers, switches, routers, etc)

Executable code
Viruses, trojan horse etc. downloaded

Threats in Networks contd.

Denial of service
Connectivity (multiple paths, critical path, node) Flooding (degrade service to users) Routing problems (routing table modification, e.g. Arpanet) Disruption of service (tamper flow of messages)

Firewall

Qualities :
Always invoked Tamper-proof Small and simple

Firewall is a process that filters all traffic between a protected or inside network and a less trustworthy or outside network That which is not expressly forbidden is permitted That which is not expressly permitted is forbidden

Firewall contd .
3 broad categories : Screening routers

Consulting routing table Screening addresses

Proxy gateways (bastion host)

Online price list Monitor FTP data

Guards
Virus scan for uploading/downloading files Digital resources with fee

Disaster Recovery

Preventing things that can be prevented Recovering from things that cannot be prevented Physical security
Guards, locks, fences, shock resistant structures, etc

Flood
Starts from ground-level Data should be marked with colors

Falling water
Plastic bags for machines Water proof storage for media

Fire
Dangerous than water plan for shut-down Sprinkler systems ?? Carbon dioxide or other gases to smother fire

Disaster Recovery contd .

Heat Back up
Complete / selective Off-site back up Cold site Hot site

Human theft
Prevent access (guards, passwords, cards, finger print, RF tags, etc) Prevent portability

Monitor exit

Media disposal
Shredders Over-writing data

degaussers

Ethics
An objectively defined standard for right or wrong Ethics is not universal may vary from society to society or from person to person within society Some ethics are universal e.g. murder, theft, etc. Ethical behavior can also be defined by religion Ethics and law are not same , e.g.

Law is described by formal documents, whereas ethics are unwritten principles / customs / moral attitudes Law is interpreted by courts, whereas ethics are interpreted by each individual Law is enforced by a governing authority, and are largely drawn from ethics of a particular society

US information security laws

National Information Infrastructure Protection Act (NIIPA 1996) - significant revision of U.S. computer crime law. Provides federal criminal liability for theft of trade secrets and for anyone who intentionally accesses a protected computer without authorization, and as a result of such conduct, recklessly causes damage. USA PATRIOT Act (2001) - increases the ability of law enforcement agencies to search telephone, e-mail communications, medical, financial, and other records. Eases restrictions on foreign intelligence gathering within the United States Computer Fraud and Abuse Act (1986, 1994, 1996, 2001) Fraud and related activity in connection with computers 47 (Whoever, having knowingly accessed a computer without authorization or exceeding authorized access, and by means of such conduct having obtained information)

Law contd

Export and espionage laws

US Bureau of Industry and Security http://www.bis.doc.gov/

U.S. Copyright Law http://www.copyright.gov/title17/ U.S. Intellectual Property Law http://managementhelp.org/legal/ntlcl_pr/ntlcl_p r.htm Federal communications commission Telecommunications Act of 1996 ; http://www.fcc.gov/telecom.html

Policy vs. Law

Policy description of acceptable and unacceptable employee behavior Policy is a law within an organization penalties, sanctions, judicial practices Ignorance is an acceptable defense Policies must be:

Distributed to all Available as reference Easily understood , with translations Signed acknowledgement of employee

10 commandments of computer ethics

1. 2. 3. 4. 5. 6. 7. 8. 9. 10.

Thou shalt not use a computer to harm other people. Thou shalt not interfere with other people's computer work. Thou shalt not snoop around in other people's files. Thou shalt not use a computer to steal. Thou shalt not use a computer to bear false witness. Thou shalt not use or copy software for which you have not paid. Thou shalt not use other people's computer resources without authorization. Thou shalt not appropriate other people's intellectual output. Thou shalt think about the social consequences of the program you write. Thou shalt use a computer in ways that show consideration and respect.

(ISC)2 Code of Ethics

1.

2.
3. 4. 5. 6.

7.

Act honestly, justly, responsibly, and legally, and protecting the commonwealth. Work diligently and provide competent services and advance the security profession. Encourage the growth of research teach, mentor, and value the certification. Discourage unsafe practices, and preserve and strengthen the integrity of public infrastructures. Observe and abide by all contracts, expressed or implied, and give prudent advice. Avoid any conflict of interest, respect the trust that others put in you, and take on only those jobs you are qualified to perform. Stay current on skills, and do not become involved with activities that could injure the reputation of other security professionals.