Introduction to Information and System Security Overview
1. Introduction to Information and System Security
First lecture
Hugh Anderson
National University of Singapore
School of Computing
June, 2012
Hugh Anderson Introduction to Information and System Security First lecture
3. Outline
1 Administrivia
Coordinates, officialdom, assessment
What you’ll be learning
Why should you learn?
2 Setting the stage...
In the news earlier this year...
Context for security studies
3 Case studies
Airports, banks, the military, hospitals, homes
Term definitions
4. Hugh’s coordinates
Room COM2 #03-24
Telephone 6516-4262
E-mail hugh@comp.nus.edu.sg
Open-door policy (I have one!)
Please call me Hugh, and visit me in my room if you have any
questions...
5. Official SOC description
From the official course description...
This module serves as an introductory module on information and computer
system security. It illustrates the fundamentals of how systems fail due to
malicious activities and how they can be protected. The module also places
emphasis on the practices of secure programming and implementation.
Topics covered include classical/historical ciphers, introduction to modern
ciphers and cryptosystems, ethical, legal and organisational aspects, classic
examples of direct attacks on computer systems such as input validation
vulnerability, examples of other forms of attack such as social
engineering/phishing attacks, and the practice of secure programming.
6. Assessment
Assessment                                      Grade
Homework                                        15%
Group project                                   20%
Tests: MCQ (Closed book - on the 9th July)      15%
Final Exam: Open Book                           50%
Total marks                                     100%
7. Timetable
Lectures, tutorials and project...
[Timetable chart: June 18, 25; July 2, 9, 16, 23; rows: Lectures, Tutorials, Project; EXAM (Fri, 27th, a.m.)]
Project will be a group one (up to 4 members in each group), with a
presentation in the last week.
8. Tutorials
Tutorials/demos/discussions start next week...
Give a written answer to the homework as you enter the tutorial room
for assessment (A, B, C or F)
There will be four assessed homework/assignments.
9. Resources
No textbook, but you may find the following texts useful:
Ross Anderson’s “Security Engineering” book:
http://www.cl.cam.ac.uk/~rja14/musicfiles/manuscripts/SEv1.pdf
Computer Security, Matt Bishop
Directed readings - all available on the Internet.
IVLE at http://ivle.nus.edu.sg/
10. General area of the course topics
In short...
History and background
Classical and modern cryptography
Security of systems
Building safer systems - secure programming techniques for programs,
web sites...
11. What you should learn...
What you are expected to know...
To be able to put security systems in context.
For example: history, understanding of the “big picture”.
To describe “security related” things using some technical terms.
For example: keysize, PK, man-in-the-middle.
To understand the roles of the components of security systems,
understanding the underlying reasons for their properties.
For example: certifying authorities.
To acquire some practical skills that would help in programming more
secure computer systems.
12. Why should you learn...
...and why should you care?
Reason #1: Pick up these skills and pass the final exam :)
Reason #2: It is fun in a kind of “You did what?” way.
Reason #3: Knowing the issues, and underlying mechanisms, helps you
... build better systems in future.
... explain to the person on the helpdesk why their system is
flawed, and what needs to be done to fix it.
... avoid being the victim of (computer) fraud.
... realistically assess threats to you, your organization, your
country.
... fly with the eagles.
13. My expectation...
Please, please, please....
Attend classes and tutorials
Ask if you don’t know
Read references and handouts...
Get interested in the subject
Don’t do anything you know is plain wrong...
15. And a few days later...
Tracked down...
16. DBS/POSB attacks
How was it done?
Through the use of card skimmers on two machines in Bugis.
Card skimming involves trying to collect your card details from the
magnetic strip:
17. DBS/POSB attacks
Card skimmers
Magnetic strip read as it passes through the capture “shell”.
The electronics includes a magnetic strip reader head, a small amount
of electronics, a battery, a microcomputer and storage (an SD card).
18. DBS/POSB attacks
Getting the PIN?
Either
a small (pinhole) camera looking down on the keypad, with an SD
card memory, or
an overlay over the keyboard, with a small microcomputer and
memory.
22. NUS attacks
What was done?
Firstly - it was not NUS, but a departmental web server at NUS that was
hacked.
The hackers got irritated by a message on the web site, and made it a
mission to hack it.
They reported that the web site had minimal security.
The attack was a SQL injection attack, which allowed them to download
usercode/password hash entries stored in the SQL database attached
to the web server.
The passwords were not NUSNET ones, but ones specifically for the
application on the departmental server.
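The two ideas on this slide, SQL injection and stored password hashes, side by side as an added example (not code from the lecture or from the affected server). The `users` table, the sample accounts and the function names are assumptions, and the database is a constructed in-memory SQLite one.

```python
import hashlib
import hmac
import os
import sqlite3


def hash_password(password: str, salt: bytes) -> bytes:
    # Slow, salted hash: a dumped table does not hand over the passwords themselves.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def make_db() -> sqlite3.Connection:
    # Constructed sample data; table and column names are hypothetical.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (usercode TEXT PRIMARY KEY, salt BLOB, pwhash BLOB)")
    for usercode, password in [("alice", "correct horse"), ("bob", "hunter2")]:
        salt = os.urandom(16)
        db.execute("INSERT INTO users VALUES (?, ?, ?)",
                   (usercode, salt, hash_password(password, salt)))
    return db


def lookup_vulnerable(db, usercode: str):
    # BEFORE: user input is pasted into the SQL text, so it can change the query.
    sql = "SELECT usercode, pwhash FROM users WHERE usercode = '" + usercode + "'"
    return db.execute(sql).fetchall()


def lookup_safe(db, usercode: str):
    # AFTER: the value is bound as a parameter and is never parsed as SQL.
    sql = "SELECT usercode, pwhash FROM users WHERE usercode = ?"
    return db.execute(sql, (usercode,)).fetchall()


def check_login(db, usercode: str, password: str) -> bool:
    row = db.execute("SELECT salt, pwhash FROM users WHERE usercode = ?",
                     (usercode,)).fetchone()
    if row is None:
        return False
    salt, stored = row
    # Constant-time comparison of the stored hash with the recomputed one.
    return hmac.compare_digest(stored, hash_password(password, salt))


if __name__ == "__main__":
    db = make_db()
    crafted = "x' OR '1'='1"  # constructed test input for the two lookups
    print("vulnerable lookup rows:", len(lookup_vulnerable(db, crafted)))
    print("parameterised lookup rows:", len(lookup_safe(db, crafted)))
    print("login ok:", check_login(db, "alice", "correct horse"))
```

With the concatenated query the crafted value returns every usercode/hash row; with the bound parameter it matches no usercode.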
23. Key points/jargon
Summary:
Card skimmers
SQL injection
Keystroke logging using cameras, or keypad overlays
Passwords versus password hashes
24. Hard to find the boundaries of “Security”
It is not "one thing"...
Security is complex:
Security can involve elements such as computers, people, locks,
communication links and so on.
The goals of security might involve authentication, integrity,
accountability, and so on.
A security system may involve an arbitrary combination of these
elements and goals.
Security is everyone’s poor relation...
not perceived as a benefit until something goes wrong
requires regular monitoring
too often an after-thought
regarded as an impediment to using the system
25. Framework to hang our understanding on...
Ross Anderson’s book suggests this framework:
Differentiate between security policies and mechanisms
policy: what is allowed/disallowed. What you are supposed to do.
mechanism: ways of enforcing a policy. Ciphers, controls...
assurance: how much reliance you place on each mechanism.
incentives: motives of the people guarding and maintaining the system, and
the attackers.
26. A quick quiz...
Which of these two vehicles has a door lock?
Value SING$ 20,000 Value SING$ 350,000,000
Answer?
27. Airport security - 2001 attacks and afterwards
Consider the 911 attacks...
There was actually not any failure of the security systems in place at the
time:
Knives with blades less than 3 inches were OK in 2001.
A failure of policy, not mechanism.
Since 911? Still poor policy choices:
passenger screening is aggressive and costly, (approx $15 billion),
whereas strongly reinforced cockpit doors could remove most risk
(est $100 million).
Ground staff are seldom screened, planes do not have locks.
Why such poor policy choices?
Incentives for policy makers favour visible controls over effective
ones.
Assurance? System screening picks up less than half the weapons.
28. Bank security
Policy in banks: "The bank never loses!"
Mechanism: banks maintain a kind of distributed bookkeeping system.
Customer accounts, and (daily) transactions.
Internal:
Main threats to banks are internal - their own staff.
Main defenses are double-entry bookkeeping (first described in
the 15th century), controls on large transactions, and staff
required to take vacations.
External:
Buildings built to look imposing, but just a facade - “security
theatre” - (a thief with a gun wins). ATMs (as we have seen) are
susceptible to attacks.
Bank websites use a mix of techniques - 2-factor authentication,
HTTPS. Phishing attempts to bypass this by attacking clients.
Cryptography for communication.
29. Military security
In all sorts of areas...
Electronic warfare and defense - jamming of radar, so opponent cannot
see your planes; jamming trigger systems for IEDs.
Military communications - not just encryption, but also hiding the source
(the location of a transmitter can be attacked, so the military use LPI -
low probability of intercept - radio links).
Military logistics - who can mobilize 10,000 people and 30,000 meals in
a day? Management systems for the military have different
requirements from commercial systems - basic rule is that restricted
information cannot flow to an unrestricted area.
Weapons control (e.g. nuclear weapons) needs much higher levels of
assurance than (say) commercial areas.
30. Hospital security
Policies mostly to ensure patient safety and privacy
Consider patient record systems:
A mechanism might be that “Nurses can see the patient record for
patients cared for in their own department over the last 90 days”.
However, this might be tricky to implement given that nurses can
move departments - the patient record system would become
dependent on the hospital personnel system.
Record anonymizing for research can be tricky. Consider the next
slide on database attacks.
A requirement for accuracy of web based data (reference texts, drug
side effects).
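One way to code the quoted nurse rule, as an added example (not from the lecture or any real hospital system); the record layouts, names and dates are constructed. It shows the dependency the slide mentions: the decision is only as correct as the personnel data it reads.

```python
from datetime import date, timedelta

WINDOW = timedelta(days=90)

# Constructed sample data. Personnel system: (nurse, department, from, to-or-None).
ASSIGNMENTS = [
    ("nurse_tan", "cardiology", date(2012, 1, 1), date(2012, 5, 31)),
    ("nurse_tan", "oncology", date(2012, 6, 1), None),
]
# Patient record system: (patient, department, date of care).
CARE_EPISODES = [
    ("patient_17", "cardiology", date(2012, 5, 20)),
    ("patient_42", "oncology", date(2012, 6, 10)),
    ("patient_99", "oncology", date(2012, 1, 5)),
]


def current_department(nurse, today, assignments=ASSIGNMENTS):
    # The access decision depends on the personnel system being up to date.
    for who, dept, start, end in assignments:
        if who == nurse and start <= today and (end is None or today <= end):
            return dept
    return None  # no current assignment: deny by default


def may_view(nurse, patient, today, assignments=ASSIGNMENTS, episodes=CARE_EPISODES):
    # Policy: own department, and care given within the last 90 days.
    dept = current_department(nurse, today, assignments)
    if dept is None:
        return False
    return any(p == patient and d == dept and timedelta(0) <= today - when <= WINDOW
               for p, d, when in episodes)
```

If the move to oncology is never recorded in the personnel data, the same check keeps granting the nurse access to cardiology patients.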
31. During the SARS outbreak...
Releasing (unexpected) information from databases
Day’s average temperature of SOC staff by nationality:
Singaporean  PRC   Poland  German  Australian  NZ    ....
36.8         36.9  37.1    36.5    38.2        38.1  ....
Numbers of SOC staff by nationality...
Singaporean  PRC   Poland  German  Australian  NZ    ....
23           14    3       5       2           1     ....
By inference you can deduce that Hugh’s temperature was too
high!
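The inference on this slide, worked as an added example (not from the lecture): when a group has one member, its published "average" is that person's reading, and a minimum group size withholds it. The individual readings are constructed so that the averages and counts for these three groups match the slide; the function names and the threshold `k` are assumptions.

```python
from collections import defaultdict

# Constructed individual readings: (nationality, temperature in degrees C).
READINGS = [
    ("Poland", 37.0), ("Poland", 37.1), ("Poland", 37.2),
    ("Australian", 38.0), ("Australian", 38.4),
    ("NZ", 38.1),
]


def group_stats(readings):
    # Returns {group: (average rounded to 0.1, number of members)}.
    groups = defaultdict(list)
    for nationality, temp in readings:
        groups[nationality].append(temp)
    return {g: (round(sum(v) / len(v), 1), len(v)) for g, v in groups.items()}


def disclosed_individuals(averages, counts):
    # What a reader learns from the two published tables alone: a group of
    # size 1 has an average that is one person's exact reading.
    return {g: averages[g] for g in averages if counts.get(g) == 1}


def release(readings, k=3):
    # Control: publish an average only for groups with at least k members.
    return {g: avg for g, (avg, n) in group_stats(readings).items() if n >= k}
```

Suppressing small groups is a control on this one release; it has to be applied to every table published from the same data.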
32. Home security
Really? Consider...
Web-based banking, over your home wifi.
Your car key/immobilizer.
Your (GSM) phone (much harder to clone now than it was five years
ago). No unexpected charges.
Your TV set-top box, electronic gas/electricity meter and so on.
In some condos, burglar alarm, lock and security systems.
33. Key points/jargon
Summary:
Policy, mechanism, assurance and incentives
Controls, visible and effective controls, security theatre
2-factor authentication, HTTPS, Phishing
Database attacks
34. What is a system?
It can vary...
1 Product or component: such as a smartcard, a PC, or a
communication protocol.
2 Collection: some products/components, and an OS, network, making
up an organization’s infrastructure.
3 Application: the above and some set of applications.
4 Composite: the above and IT staff, and perhaps users, management,
clients, customers...
A system can thus refer to small things or big things. This indeterminacy
about even basic words leads to confusion, and errors.
Salespeople might concentrate their efforts on (say) the first two areas,
whereas a business may think of its system in terms of the fourth area.
35. Services/Goals, Attacks and Threats
Basic terms:
Vulnerability/Threats: If there is a weakness (vulnerability), then a
potentially harmful situation (threat) may occur.
Services/Goals: ensuring adequate service in a computer system
CIA! Good guys need ’em.
Attacks/Controls: An attack = threat + vulnerability. A control is a way of
reducing the effect of a vulnerability.
MOM! Bad guys need ’em.
36. The CIA triad...
FIPS specify three objectives/goals:
confidentiality: concealing information - resources may only be
accessed by authorized parties;
integrity: trustworthiness of data - resources may only be modified by
authorized parties in authorized ways;
availability: preventing DOS/denial-of-service - resources are
accessible in a timely manner.
37. The CIAAA gang-of-five...
Many observers identify more...
Authenticity: logins, password checks
Accountability: non-repudiation of a prior commitment
38. Services/Goals, Real world analogues: CIA
(Computer versions much faster)
Security problems in society reoccur in computers
Confidentiality = locks/encoding/secrecy/privacy.
Integrity = handshakes/signature
Availability = Union go-slows...
But...
The goals can conflict... (Consider ease of confidentiality versus lack of
availability)
The goals may not be met... (Consider password length versus human
memory)
39. Attacks: MOM!
Three aspects of attacks:
Method: tools, knowledge;
Opportunity: time, access;
Motive: what advantage is there?
An important basic principle for attacks:
The weakest link: An attacker only needs one small flaw in a system.
40. Types of threats
Threats
disclosure: unauthorized access (snooping/interception);
deception: accept false data (man-in-the-middle/modification);
disruption: prevent correct operation (denial-of-service/interruption);
usurpation: unauthorized control (spoofing/fabrication).
41. Types of attacks
Snooping/Interception
[Diagram: Alice, Bob, Ted]
42. Types of attacks
Man-in-the-middle/Modification
[Diagram: Alice, Bob, Ted]
43. Types of attacks
Denial of Service/Interruption
[Diagram: Alice, Bob, Ted]
44. Types of attacks
Spoofing/Fabrication
[Diagram: Alice, Bob, Ted]
45. Types of attacks
And persuasion
human factors and social engineering: