Survey
* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
Download SECURITY
Document related concepts
Cross-site scripting wikipedia , lookup
Cracking of wireless networks wikipedia , lookup
Computer and network surveillance wikipedia , lookup
Distributed firewall wikipedia , lookup
Unix security wikipedia , lookup
Information security wikipedia , lookup
Cyberwarfare wikipedia , lookup
Cryptography wikipedia , lookup
Airport security wikipedia , lookup
Wireless security wikipedia , lookup
History of cryptography wikipedia , lookup
Cryptanalysis wikipedia , lookup
Cyberattack wikipedia , lookup
Cyber-security regulation wikipedia , lookup
Mobile security wikipedia , lookup
Security-focused operating system wikipedia , lookup
Social engineering (security) wikipedia , lookup
Post-quantum cryptography wikipedia , lookup
Transcript
SECURITY: THE BIG PICTURE Ayal Rosenberg PDEV “If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.” Sun Tzu – The Art of War “A new military revolution has emerged. The revolution is essentially a Transformation from the mechanized warfare of the industrial age to the information warfare of the information age. Information warfare is a war of decisions and control, a war of knowledge, and a war of intellect. The aim of information warfare will be gradually changed from ‘preserving oneself and wiping out the enemy’ to ‘preserving oneself and controlling the opponent’. Information warfare includes electronic warfare, tactical deception, strategic deterrence, propaganda warfare, psychological warfare, network warfare and structural sabotage. Under today’s technological conditions, the ‘all conquering stratagems’ of Sun Tzu more than two millennia ago – ‘vanquishing the enemy without fighting’ and subduing the enemy by ‘soft strike’ or ‘soft destruction’ – could finally be truly realized.” Chinese Army newspaper Jiefangjun Bao – May 1996 • • • • • • ATTACKS ADVERSARIES SECURITY NEEDS TECHNOLOGIES NETWORKED COMPUTER SECURITY PROCESSES “Security is a process not a product” - Bruce Scheier • • • • • • ATTACKS ADVERSARIES SECURITY NEEDS TECHNOLOGIES NETWORKED COMPUTER SECURITY PROCESSES • CRIMINAL ATTACKS • PRIVACY VIOLATIONS • PUBLICITY ATTACKS How can I acquire the maximum financial return by attacking the system? • • • • • Fraud Scams Destructive Attacks Intellectual Property Theft (Piracy) Brand Theft • • • • • • Targeted Attacks Data Harvesting Surveillance Databases Traffic Analysis Massive Electronic Surveillance How can I get famous by attacking the system? • Bad Press costs more than theft • Inform criminals who can exploit the news • Denial of Service • • • • • • ATTACKS ADVERSARIES SECURITY NEEDS TECHNOLOGIES NETWORKED COMPUTER SECURITY PROCESSES Crooks haven’t changed. It’s just that cyberspace is the new place for them to ply their trade. • • • • • Objectives Access Resources Expertise Risk • • • • • • • • • • HACKERS LONE CRIMINALS MALICIOUS INSIDERS INDUSTRIAL ESPIONAGE PRESS ORGANIZED CRIME POLICE TERRORISTS NATIONAL INTELLIGENCE INFO-WARRIORS • • • • • • ATTACKS ADVERSARIES SECURITY NEEDS TECHNOLOGIES NETWORKED COMPUTER SECURITY PROCESSES • • • • • • • • Privacy Multi-Level Security Anonymity Authentication Integrity Audit Electronic Currency Proactive Solutions • • • • • • ATTACKS ADVERSARIES SECURITY NEEDS TECHNOLOGIES NETWORKED COMPUTER SECURITY PROCESSES • CRYPTOGRAPHY • COMPUTER SECURITY • IDENTIFICATION & AUTHORIZATION A group of people use private knowledge to keep messages secret from third parties. Cryptography is not a panacea. You need more than it for security – but it is essential. You don’t have to understand the math. You do have to understand the ramifications. • • • • • Distribution of keys Storing of keys Destruction of keys Proliferation of pair-wise keys in symmetric mode Performance degradation in asymmetric mode Receive Encrypted Message Compose Message Fund Manager Broker Decrypt with Key Encrypt Message withMessage key Generate Public key and distribute Send Message Compose Message Encrypt Message with Public key key Decrypt Message with Private Broker • • • • Cipher Text Only Attack Known Plain Text Attacks Chosen Plain Text Attacks Brute Force Attacks • • • • • Distribution of keys Storing of keys Destruction of keys Proliferation of pair-wise keys in symmetric mode Performance degradation in asymmetric mode • Message Authentication Codes • Symmetric Algorithms: HMAC or NMAC • One-Way Hash Functions • Secure Hash Algorithm (SHA1) • Secure Hash Standard (SHS) • RIPEMD-160 (EU) • MD5 (?) MD4 - obsolete • Digital Signatures • Public and private keys. • Sender encrypts with private and receiver decrypts with public. • Allows for non-repudiation. •Digital Signature Algorithm (DSA) • Digital Signature Standard (DSS) Confidentiality !!! Stop unauthorized users from reading sensitive information. Integrity !!! Every piece of data should be as the last authorized modifier left it. Availability!! The property of being accessible and useable upon demand by an authorized entity. Access Control = Confidentiality + Integrity + Availability • Security Kernels • Reference Monitor • Trusted Computing Base • Secure Kernel • OS Evaluation Criteria • C2 • ISO 15408 Who are you and can you prove it!! Allow authorized users in! Keep unauthorized users out! • Username and Password • Username – identification • Password - proof of identification • Biometrics • Biometric came from the person at verification time • Biometric matches master on file • Access Tokens • Password for tokens -> PIN • Authentication Protocols • Cryptographic authentication over a network • Salt • Kerberos • Single Sign On • Incompatible legacy • Single point of failure Kerberos Server Session key Request to logon onto Machine X Long term key Check Kerberos to Server see ifsends Client ticket has with permission anda session to key logkey on forby to authentication Server X to Client X issues long term Kerbros Session key Server X validates ticket and session key with long term key Client Send authenticator and session key to Server X Use the session key to create an authenticator Server X • • • • • • ATTACKS ADVERSARIES SECURITY NEEDS TECHNOLOGIES NETWORKED COMPUTER SECURITY PROCESSES • MALICIOUS SOFTWARE • NETWORK SECURITY • NETWORK DEFENCES • Payload and Propagation • Classifications • Viruses • Worms • Trojan Horses • Modular Code Problem • Isolation and Memory Safety • Access Control at the interfaces • Code Signing • Mobile Code • Web Security • • • • SSL Cross Site Scripting Cookie Abuse Web Service Scripts Mainly TCP/IP protocol Post office not Telephone company! • Router Vulnerability • Password Sniffing • IP Spoofing • DNS Security • Denial of Service Attacks • Distributed Denial of Service Attacks • FIRE-WALLS • Attacks • Go around • Sneak key in • Take over • Types: Packet Filters & Proxy Gateways • DEMILITARIZED ZONES (DMZ) • Connect disjointed pieces of network • Connect mobile, roaming users • VIRTUAL PRIVATE NETWORKS (VPN) • Misuse detection • Anomaly detection • INTRUSION DETECTION SYSTEMS (IDSs) • HONEY POTS & ALARMS • VULNERABILITY SCANNERS • • • • • • ATTACKS ADVERSARIES SECURITY NEEDS TECHNOLOGIES NETWORKED COMPUTER SECURITY PROCESSES “The problem is that security measures such as cryptography, secure kernels, Firewalls and everything else work much better in theory than they do in practice. In other words: Security flaws in the implementation are much more common and much more serious than security flaws in design. Design is about software reliability” - Bruce Schneier “Products have problems - and they are getting worse. The only reasonable thing to do is to create processes that accept this reality. We must implement these processes to get as much safety as possible.” - Bruce Schneier • PRINCIPLES • DETECTION & RESPONSE • COUNTER-ATTACK • RISK MANAGEMENT • Compartmentalize • Secure the weakest link • Use Choke Points • In-depth Defense • Fail Securely • Leverage Unpredictability • Embrace Simplicity •“Complexity is the worst enemy if security!” • “Be as simple as possible but no simpler” - Einstein • Enlist Users • Assure • Question • Trust no one – especially yourself!!!! “Detection is more important than prevention!” • Detect Attacks • Analyze Attacks • Detection • Localization • Identification • Assessment • Respond to Attacks • Make the problem go away • Catch the Attacker • Be Vigilant • Continuous • Immediateness • Prteparedness • Watch the Watchers • Recover from Attacks • Recover from compromise “The best defense is attack!!!” “Attacker is a tortoise; Defender must be a fox!” “There is no 100% security!” “Identify the risk then either accept it, or reduce it or insure against it.” “Security does not have to be perfect but risks have to be manageable.” “Outsource to experts!” “How big is the potential loss?” “We don’t know!!” “How likely is the loss to occur?” “We don’t know.” “How much is your company worth?” “One billion rands!” “The premium will be one billion rands!” “I’ve realized that the fundamental problems in security are no longer about technology; they’re about how to use technology.” “There is no way to turn security into a product.” “It’s more and more about process.” - Bruce Schneier • • • • • • ATTACKS ADVERSARIES SECURITY NEEDS TECHNOLOGIES NETWORKED COMPUTER SECURITY PROCESSES
