Tuomas Aura
T-110.4206 Information security technology
Lecture 1:
Computer security overview
Aalto University, autumn 2013
Outline
Timeline of computer security
What is security anyway?
2
TIMELINE OF COMPUTER SECURITY
3
70s
Multi-user operating systems
need for protection
Access control models: multi-level security, Bell- LaPadula 1976, BIBA 1977
DES encryption algorithm 1976
cryptanalysis, need for key distribution
Public-key cryptosystems:
Diffie-Hellman 1976, RSA 1978
Key distribution:
certificates 1978
key exchange protocols: Needham-Schroeder 1978
4
80s
Anonymity, mixes 1981
Orange Book 1985: mandatory access control
Commercial security models from accounting and auditing rules: Clark-Wilson 1987
X.509 PKI 1988
IBM PC
software copy protection
floppy disk virus 1987
Internet Morris worm 1988
5
90s
More methodological approach to security research:
Information flow security
Secure operating systems: SEVMS until 1996
Formal analysis of key exchange protocols
Wider availability of cryptography – GSM cellular network 1991
– Open-source cryptography: PGP 1991 – Password sniffers SSH 1995
– Commercial Internet SSL and VeriSign CA 1995 – RSA patent expired in 2000
Windows 95 insecure PCs connected to Internet
Spam: Cantor and Siegel 1994
PKI criticism trust management research
Research on trust management, intrusion detection
Macro virus: Melissa 1999
DRM
6
2000s
Malware
– Fast-spreading Internet worms: Code Red 2001
secure programming, safe languages
security analysis and testing tools – Botnets, spyware, malware analysis
Computer crime: phishing
Total information awareness 2002
Mobile device operating systems
Enterprise identity management
Research on security in mobility, ah-hoc networks, sensor networks
Security has become integral part of most areas of computing and computer science
Connections to law, sosiology, psychology, management, usability, design
Social networks, privacy concerns
7
2010s
Cyber defence and attack
– Stuxnet 2010, malware business – Snowden and PRISM 2013
Critical infrastructure protection, smart grid security
Mobile app security
Cloud computing
Mobile payments
Research on Internet of Things, vehicular communication
8
WHAT IS SECURITY
9
What is security
When talking about security, we are concerned about bad events caused with malicious intent
– Security vs. reliability
Terminology:
– Threat = bad event that might happen
– Attack = someone intentionally causes the bad thing to happen
– Vulnerability = weakness in an information system that enables an attack
– Exploit = implementation of an attack
– Risk = probability of an attack × damage in dollars
Security is a non-functional property
11
Security Goals
CIA = confidentiality, integrity, availability
– Confidentiality — protection of secrets
– Integrity — only authorized modification of data and system configuration
– Availability — no denial of service, business continuity
Examples: secret agent names, web server
The CIA model is a good starting point but not all:
– Access control — no unauthorized use of resources – Privacy — control of personal data and space
– What else?
Some other goals
Authentication for access control
Accounting, payment
Content protection
Protection of services and infrastructure in a hostile environment (e.g. Internet)
Control and monitoring
13
Areas of IT security
[Gollmann]
Computer security — security of end hosts and client/server systems
– Focus: access control in operating systems – Example: access control lists for file systems
Network security — security of communication
– Focus: protecting data on the wire
– Example: encryption to prevent sniffing
Application security — security of services to end users and businesses
– Focus: application-specific trust relations
– Example: secure and legally binding bank transactions
14
Viewpoints to security
Cryptography (mathematics)
Computer security (systems research)
Network security (computer networking)
Software security (software engineering, programming languages and tools)
Formal methods for security (theoretical CS)
Hardware security (HW engineering)
Human aspects of security (usability, sociology)
Security management (information-systems management, enterprise security)
Economics of security, laws and regulation
You cannot be just a security expert! Need broader
understanding of the systems and applications
15
Security is a continuous process
Continuous race between attackers and defenders
– Attackers are creative
No security mechanisms will stop all attacks; attackers just move to new methods and targets
– Some types of attacks can be eliminated but others will take their place
– Compare with crime statistics: Do locks or prisons reduce crime in the long term?
Security mechanisms will fail and new threats will arise
→ Monitoring and auditing for new attacks
→ Contingency planning: how to recover from a breach
16
Cost vs. benefit
Rational attackers compare the cost of an attack with the gains from it
– Attackers look for the weakest link; thus, little is gained by strengthening the already strong bits
Rational defenders compare the risk of an attack with the cost of implementing defenses
– Lampson: “Perfect security is the enemy of good security”
But human behavior is not always rational:
– Attackers follow each other and flock all to the same path – Defenders buy a peace of mind; avoid personal liability by
doing what everyone else does
→ Many things are explained better by group behavior than
rational choice
17
Proactive vs. reactive security
Technical prevention: design systems to prevent, discourage and mitigate attacks
– If attack cannot be prevented, increase its cost and control damage
Detection and reaction: detect attacks and take measures to stop them, or to punish the guilty
In open networks, attacks happen all the time
– We can detect port scans, spam, phishing etc., yet can do little to stop it or to punish attackers
→ Technical prevention and mitigation must be the primary defence
However, detection is needed to monitor the
effectiveness of the technical prevention
18
Who is the attacker?
We partition the world into good and bad entities
– Honest parties vs. attackers, red vs. blue
– Good ones follow specification, bad ones do not
– Different partitions lead to different perspectives on the security of the same system
Typical attackers:
– Curious or dishonest individuals — for personal gain – Friends and family
– Hackers, crackers, script kiddies — for challenge and reputation – Companies — for business intelligence and marketing
– Organized criminals — for money
– Security agencies — NSA, SVR, GCHQ, DGSE, etc.
– Military SIGINT — strategic and tactical intelligence, cyber defence
Often, not all types of attackers matter
– Who would you not want to read your diary or email?
Reading material
Dieter Gollmann: Computer Security, 2nd ed.
chapters 1–2; 3rd ed. chapters 1 and 3
Matt Bishop: Introduction to computer security, chapter 1
(http://nob.cs.ucdavis.edu/book/book-intro/intro01.pdf)
Edward Amoroso: Fundamentals of Computer Security Technology, chapter 1
Ross Anderson: Security Engineering, 2nd ed., chapter 1
(1st ed. http://www.cl.cam.ac.uk/~rja14/Papers/SE-01.pdf)
19
Exercises
What security threats and goals are there in the postal (paper mail) system?
– What different entities are there in the postal system?
– Do they have the same of different security concerns?
– Who could be the attacker? Does the answer change if you think from a different entity’s viewpoint? Who are insiders?
– Can you think of attacks where it is necessary for two or more malicious parties to collude?
What is the role of laws and punishment in computer security?
Can the development of information security technology be unethical, or is engineering value neutral? Give examples.
When is it (or when could it be) ok for you to attack against IT systems? Give examples.
How do the viewpoints of security practitioners (e.g. system admin or company security officer) and academic researchers differ?
How have the Snowden leaks in 2013 changed the overall picture of information security?
20