Computer Security:

Principles and Practice

IS-820: Computer Security
Dr. Mehdi Hussain
MSIS
Credit to Professor Hosseain, Dr. Brown,
and Dr. Shahzad for the slides.
Outline
• Computer Security Concepts
• A Model of Computer Security
• Threats, Attacks, and Assets
• OSI Security Architecture
• Security Functional Requirements
• Fundamental Security Design Principles
• Attack Surfaces and Attack Trees
• Computer Security Strategy
• Activities
Let’s Refresh
• A good security professional should have
• Sense of Security
• Knowledge of Security Principles
Risks when using computer systems:
• You go to a public lab and wants to use a computer there to remotely login to your
department’s computer or conduct online banking; what is the risk that you are facing?
Risks when setting up computer systems:
• You are system administrator, and turn several programs into privileged programs, so you
will not be bothered by some of the tasks. What is the risk?
Risks when developing computer systems:
• Your program has a few buffer-overflow problem, but you are under pressure to release the
software product in time, and decide not to fix this bug for this release. What is the risk?
Let’s Refresh
Countermeasures How does prevention work?
Methods: There are three lines of • Policies
defense. • Cryptography
• 1. Prevention • Control HW/SW
• Prevent it: make it impossible How could prevention not work correctly?
• Deter it: make it harder • Vulnerabilities
• 2. Detection • Malicious program: virus, trap doors, etc.
• Monitoring • Incorrect use of controls
• Intrusion detection • Users’ mistakes
• 3. Recovery How to achieve correct prevention?
• Recover the data • Security engineering principles
• Identify the damage • Awareness of risk
• Find the culprit: forensics • Secure programming
Learning Objectives
• Describe the key security requirements of confidentiality, integrity
and availability
• Discuss the types of security threats and attacks that must be dealt
with
• Summarize the functional requirements for computer security
• Explain the fundamental security design principles
• Discuss the use of attack surfaces and attack trees
• Understand the principle aspects of a comprehensive security
strategy
Computer Security Concepts
• As computer security deals with computer related assets that are
subject to variety of threats, attacks and have to protect to those
assets by taking measures.

• Three fundamental questions are

1- What assets do we need to protect?

2- How are those assets threatened?
3- What can we do to counter those threats?
A Definition of Computer Security
• Computer Security: The protection afforded to an automated
information system in order to attain the applicable objectives
of preserving the integrity, availability and confidentiality of
information system resources (includes hardware, software,
firmware, information/data, and telecommunications)
NIST 1995

• Computer Security: is the process of detecting and preventing

any unauthorized use of computer resources.
Key Security Concepts (CIA triad)

NIST standard FIPS 199 (Standards for security categorization of federal

information and information system)
Three key objectives (the CIA triad)
• Confidentiality:
• Refers to protecting information from being accessed by unauthorized
parties.
• The concealment of information or resources.
• The term confidentiality extracted from the word ‘confidence’ which means ‘trust’.
In other words:
• Preserving authorized restrictions on information access and disclosure,
including means for protecting personal privacy and proprietary
information.
• A loss of confidentiality is the unauthorized disclosure of information.
Three key objectives (the CIA triad)
• Integrity:
• Is the trustworthiness of data in the systems or resources by preventing
of unauthorized and improper changes.
• Example: File permission, access controls, checksum, hashing.
In other words
• Guarding against improper information modification/destruction, and includes
ensuring information non-repudiation and authenticity.
• A loss of integrity is the unauthorized modification or destruction of information..
Three key objectives (the CIA triad)
• Availability:
• Refers to the ability to access data of a resource when it is needed.
• Authorized access on right time.
OR
• Ensuring timely and reliable access to the information.
• A loss of availability is the disruption of access to or use of information or an
information system.

• Denying access to data nowadays

has become a common attack.
• Imagine a downtime of a live server
how costly it can be?
Three key objectives (Revision)
• Confidentiality
• Data Confidentiality: Assures that confidential (private) information is not
disclosed to unauthorized entity.
• Privacy: Assures that individual control or influence what information related to
them may be collected/stored by whom and to whom that information may be
disclosed.
• E.g. Encryption, two factor authentication, security token, key fobs/RFID (ATM card with PIN)

• Integrity
• Data Integrity: assures that information and programs are changed only in a
specified and authorized manner.
• System Integrity: Assures that a system performs its operations in
unimpaired/not damaged manner.
• Availability:
• Assures that systems works promptly and service is not denied to authorized
users.
Additional Concepts to a Complete Security
Picture
• Authenticity:
• The property of being genuine and being able to be verified and trusted;
confident in the validity of a transmission, or a message, or its originator.
• e.g. Verifying the users who they say they are from trusted source.

• Accountability:
• Generates the requirement for actions of an entity to be traced uniquely to
that individual to support nonrepudiation, deterrence (prevent offender from committing
same crime in future), fault isolation (self checking), forensics, IDS, IDP etc.

• Because truly secure system are not yet an achievable goal, we must be able
to trace security breach to a responsible party. Keep records for activities.

Note that FIPS 199 includes authenticity under integrity.

Impact: Levels of Security Breach
(defined in FIPS 199)

• Low: the loss will have a limited impact

• Cost a minor damage to org. assets, or minor financial loss or minor harm
to individual.
• The data is intended for public disclosure.

• Moderate: the loss has a serious effect

• Significance degradation on mission capability or significant harm to
individuals, assets, financial loss but no loss of life or threatening injuries.

• High:
• The loss has severe or catastrophic adverse effect on operations,
organizational assets or on individuals (e.g., loss of life)
• Protection of the data is required by law/regulation
 Examples of security requirements:
Confidentiality
• Student grade/exam information is an asset whose
confidentiality is considered to be ?? level
• The US FERPA* Act: grades should only be available to students, their parents, and their
employers (when required for the job)

• Student enrollment information: may have ?? level

confidentiality rating; less damage instead of grade info.

• Directory information: lists of student, faculty are ?? level

confidentiality rating; often available publicly

*Family Education Right and Privacy Act

Examples of security requirements: Integrity
• A hospital patient’s allergy information: a doctor should be able to
trust that the info is correct and current.
• If a nurse have access that deliberately falsifies the data, & inaccurate info
could result in serious harm, i.e. loss of life (?? level ). And expose the
hospital to massive liability.

• An online newsgroup/forum for discussion current issues:

• A member/hacker falsify data is considered as ?? level of integrity.

• Anonymous online poll (inaccuracy is well understood in this type of pool).

• If some users may falsify input data is considered ?? level of integrity.
Examples of security requirements: Availability
• A system that provides authentication: ?? availability
requirement
• If customers cannot access resources (for critical tasks), the loss of
services could result in financial loss.

• A public website for a University

• A ?? availably requirement; not critical but causes embarrassment

• An online telephone directory lookup

• A ?? availability requirement because unavailability is mostly
annoyance (there are alternative sources, hard forms)
Challenges of Computer Security
1. Computer security is not simple
• Requirements are straightforward i.e. security services, but mechanisms are difficult to map

2. Must consider potential (unexpected) attacks

• On security features during designing phase, unexpected weakness in the mechanism

3. Used procedures are counter-intuitive

• Mechanisms are complex, not obvious so elaborate them clearly.

4. Must decide where to deploy mechanisms

• Decide physical (network point) or logical (TCP/IP layer) etc. would be used.

5. Involve multiple algorithms and secret info (keys)

• Creation, distribution of key etc.
• Assume one mechanism required time limit, but used protocol may add unpredictable delays so time limit
failed.

6. A battle of wits between attacker / admin

• Attacker need to find one single hole but admin have to cover all.
Challenges of Computer Security
7. Natural tendency to consider security investment less
beneficial until fails.
8. Requires regular and constant monitoring
• Difficult to manage in short-term overloaded environments

9. Too often an after-thought (not integral)

• During designing of system it added into last rather than being an integral part.
10. Strong security is regarded as impediment/hindrance to
using system
• To reduce the efficiency and user friendly operation.
What we covered so far……

• Security Services
• CIA
• Security Concepts
• Security Breaches Levels
• Security Challenges
Activity
• Consider an automated teller machine (ATM) in which users provide a
personal identification number (PIN) and a card for account access.

• Map examples of confidentiality, integrity, and availability

requirements associated with the system, and indicate the degree of
importance of the requirement in each case

• Think……………………..
Activity II
• Sniffing
• Faked identity
• ATM machine spoofing
• Saving passwords in a plaintext file

• Think……………………..
Overview
• Why and What to Secure?
• Computer Security Concepts
• A Model of Computer Security
• Threats, Attacks, and Assets
• OSI Security Architecture
• Security Functional Requirements
• Fundamental Security Design Principles
• Attack Surfaces and Attack Trees
• Computer Security Strategy
A model for computer security
• Lets start with the concept of Systems resources or assets that
user/owner wish to protect.
• Hardware: computer system, data storage/processing, communication device
• Software :OS, apps, system utilities
• Data: Files, database, i.e. password files
• Communication facilities and network: LAN, bridges, routers
• In context of security our concern is with vulnerability of these
resources w.r.t CIA. Its categories
• Corrupted: system can be corrupted it does wrong things, gives wrong
answers, i.e. database values modified
• Leaky: Unauthorized access to files through network
• Unavailable: Very slow or becomes impossible to reach/access.
Countermeasures may itself introduce new vulnerability. https://msrc.microsoft.com/update-guide/vulnerability
Recent: Top 10 Vulnerabilities for OWASP* 2023
*OWASP: Open Web Application Security Project

1. Broken Access control

Access controls limit users to the resources and functionalities they are authorized to use, i.e. putting a limit on what sections or pages visitors can reach. denial by default

2. Cryptographic Failures Weak encryption algorithms or short encryption keys which can make it easier for attackers to decrypt sensitive data, weak SSL/TLS
protocols

3. Injection SQL Injection, Cross-Site Scripting (XSS)

4. Insecure Design Overly detailed error messages, path transversal or SQL injection

5. Security Misconfigurations Default configuration, Unpatched vulnerabilities, Unnecessary services

6. Vulnerable and Outdated Components Attackers are looking for websites with vulnerable components which they can exploit to spread malware

7. Identification and Authentication Failures A session ID configured without a validity period can run and run

8. Software and Data Integrity Failures Vulnerabilities Legacy code used in third party application, improper update

9. Security Logging and Monitoring Failures Not having an efficient logging and monitoring , process, missed and alerts aren’t generated

10. Server-Side Request Forgery (SSRF) Unauthorized requests from the server to other internal or external resources, manipulate input fields or
parameters in the application to trick the server into sending requests to arbitrary URLs
Computer
Security
Terminology
Lets understand…again
• Asset ?
• Vulnerability ?
• Risk ?
• Threat ?
Computer Security Terminology
• Threats exploit vulnerabilities

• Attack is a threat that is carried out (threat actions)

• Active: Alter system operation
• Passive: Not effect the system operation
• Inside Attack
• Outside Attack

• Countermeasures: actions taken to prevent, detect, recover and

minimize risks, may some time introduce new vulnerabilities.
Security Concepts and Relationships
Threats, Attacks, and Assets
• Lets see the type of security threats that must be dealt…

• Types of threats that apply to different categories of assets

• Can look at RFC 4949

Remember:
• Threat: Potential violation of security, possible danger
• Attacks: Intelligent act deliberately evade security services
Threats and Attacks
Unauthorized disclosure:
threat to confidentiality
Exposure (hardware error,
release data, sensitive info,
credit card etc.)

Interception (a device receive a

copy of packets intended for
other, i.e. email traffic)

Inference (traffic analysis,

observing pattern, database
inference)

Intrusion (gain access to system

by overcome the security
protections)
Threats and Attacks
Deception:
threat to system integrity
Masquerade
(unauthorized user poses
as authorized, user id,
Trojan horse)
Falsification (alter data,
replacing, e.g. student
alter his grade database)
Repudiation (denies of
sending/receiving of data)
Threats and Attacks
Disruption: threat to system
integrity and availability
Incapacitation
(destruction/disable services
physical destruction, virus)

Corruption (modify, backdoor

logic)

Obstruction (interface with

communication, disabling
communication link or
overload a line by excessive
traffic)
Threats and Attacks
Usurpation:
threat to system integrity
Misappropriation (theft of
service, DOS attack i.e.
malicious software using
unauthorized use of
processor, resources)

Misuse (malicious logic,

hacker gaining unauthorized
access to disable or
thwarted security functions)
Threats and Assets
• The computer assets can be categorized hardware, software, data,
communication line

• Hardware (Major Threat to H/W is Availability and Confidentiality)

• Most vulnerable attack and least susceptible to automated control.
• Theft, accidentally damage, unauthorized control (unencrypted USB)
• Physical and administrative security measures needed

• Software (CIA)
• OS, utilities and application programs (easily delete)
• Altered (Virus), Software Piracy (modified functioning)

• Data (CIA)
• Database – Confidentiality (unauthorized reading of file), integrity and availability. E.g.
salary aggregate database table
Threats and Assets
• Communication Lines and Network: threat to CIA
• Message can be destroyed deleted
• Message can be read, traffic pattern
• Message can be modified, reordered

Network security attack classified into

• Passive attacks
• Active attacks
Examples: Computer Assets with threats
The scope of computer security
Overview
• Computer Security Concepts
• Threats, Attacks, and Assets
• A Model of Computer Security
• OSI Security Architecture
• Security Functional Requirements
• Fundamental Security Design Principles
• Attack Surfaces and Attack Trees
• Computer Security Strategy
OSI Security Architecture (ITU-T define
X.800)
• To assess effective security needs of an organization.
• OSI security architecture: Systematic way of defining requirements for security and
characterizing approaches to satisfy above
• It is useful to Security manager to organized task of providing security
• As core responsible is to assess effective security needs, evaluate various security products,
tools for organizations.
• Different vendors, organizations follow the standard services and mechanism for its
product/services.
1. Security Attack
• Any action that can cause a compromise for organization security.
2. Security Service
• A service that enhances the security of the data. Can counter to security attacks, and they make use
of one or more security mechanisms to provide the service.
3. Security Mechanism
• A process designed to detect, prevent or recover from an attack
1- Security Attack
We have already covered in detail e.g. threats, attacks, assets.
Passive Attacks
• Nature of eavesdropping, or monitoring of transmissions. The goal of the opponent is to
obtain information that is being transmitted. It does not effect the system resources.
• Release of message content (email/telephone)
• Traffic analysis (pattern of messages, host identity, guessing the nature of
communication, length of message even encrypted).
• Difficult to detect
1- Security - Active Attacks
Active Attacks
• Involve some modification of the data stream or the creation of a false stream. Generally
happens through masquerading, replay, modification of messages, and denial of service.
• Replay
• Capture a message and retransmit it later to produce an unauthorized effects
• Masquerading
• Takes place when one entity pretends to be a different entity. Happens through
defeating authentication, obtaining privileges etc.
• i.e. capture authentications sequence and replay for impersonating
• Modification of messages
• Messages are entirely or partially modified.
• i.e. $500 to $5000
• Denial of Service
• Block services to cause unavailability of services. Can happen by flooding a server
with requests. Particularly dangerous in internet systems like e-health systems.
Traffic Analysis

Example:
Look for particular patterns in communications.
Solution:
Strong confidentiality, message padding, random message when no message is being
transmitted
Masquerading

Example:
Stolen username and password used for masquerading
Solution:
Strong Authentication and identity protection
Replay Attack

Example:
Capture a message and then replay it later.
Solution:
Strong Authentication, packet sequencing, confidentiality, nonce
Modification of Messages

Example:
Capture a message. Modify it. Then send it to receiver.
Solution:
Intrusion detection and prevention systems. Strong authentication and confidentiality.
Denial of Service

Example:
Disable/ hinder connections or data services. Make a server busy by overloading.
Solution:
Intrusion detection and prevention systems. Roll back services, fail safe systems, backup
services etc.
2- Security Services: OSI Security Architecture
• X.800 defines the security service as a service at protocol layer of communication
open system that ensure adequate security of system and data. However, clear
definition can be found in RFC 2828.

• A processing or communication service that is provided by a system to give specific

kind of protection to system resources; security services implement security policies
and are implemented by security mechanism.

• X.800 divides these services into 6 categories and 14 specific services

1. AUTHENTICATION
2. ACCESS CONTROL
3. DATA CONFIDENTIALITY
4. AVAILABILITY
5. DATA INTEGRITY
6. NONREPUDIATION
2- Security Services: AUTHENTICATION
OSI Security Architecture
• Assuring the communication is authentic.
• Function of the authentication service is to assure the
recipient, and source (claims) of message is from.
• First time of connection initiation (service assure that two
entities are authentic)
• Second connection is not interferes during communication

• Peer entity authentication

• Confirm the identity of a peer entity in an association.

• Data origin authentication

• Confirm the source of data unit, service support application i.e.
mail server
2- Security Services: ACCESS CONTROL
OSI Security Architecture
• Ability to limit and control the access of host system/application.

• Each identify trying to get access must first be identified, or

authentic
• So rights can be tailored to the individual
• i.e. Web admin.
2- Security Services: DATA CONFIDENTIALITY
OSI Security Architecture

• Protection of data from unauthorized disclosure

• In network security, Protection of transmitted data
from passive attacks

• Protection of traffic flow from anomaly, attacker could

not observe the source and destination
2- Security Services: DATA INTEGRITY
OSI Security Architecture
• Total stream protection, relate to active attacks and
concerns with detection rather than prevention
• Avoid distraction of data
• Protection against message modification only
• Identify the violation
2- Security Services: NONREPUDIATION
OSI Security Architecture
• Prevents either sender or receiver from denying a
transmission message.

• Receiver and sender can prove apposite messages

2- Security Services: AVAILABILITY
OSI Security Architecture
• A services ensure its availability of service

• Denial-of-service attacks

• Depends on proper management and control of

system resources and access control services and
other security services
3- Security Mechanisms
• Security mechanisms are used to implement security services.
• X.800 lists the security mechanisms that are divided and are implemented in protocol
layer.
• SPECIFIC SECURITY MECHANISMS
• Are incorporated into the appropriate protocol layer in order to provide some of
the OSI security services.
• Encipherment (encryption)
• Digital Signature (appended in encryption to prove identity)
• Access Control (access rights to resource)
• Data Integrity (hashing)
• Authentication Exchange (identity of an entity by means of information exchange)
• Traffic Padding (insertion of bits into gaps in a data stream)
• Routing Control(Enables selection of particular physically secure routes)
• Notarization (a trusted third party to assure)
Overview
• Computer Security Concepts
• Threats, Attacks, and Assets
• OSI Security Architecture
• Security Functional Requirements
• Fundamental Security Design Principles
• Attack Surfaces and Attack Trees
• Computer Security Strategy
Security Functional Requirements
• Lets see the countermeasures in terms of functional requirements.
• No. of ways of countermeasures exists for security vulnerabilities and threats and its
classification and characterizations.

• Minimum security requirements for Federal Information and information system, FIPS PUB
200.

“If you think technology can solve your security problems, then you don’t understand the
problems and you don’t understand the technology”.

• Because both technical and managerial approaches are required to achieve effective
computer security.
Security Functional Requirements (FIPS PUB 200)
• Technical measures
• Access control; identification & authentication; system & communication
protection; system & information integrity

• Management controls and procedures

• Awareness & training; audit & accountability; certification, accreditation, &
security assessments; contingency planning; maintenance; physical &
environmental protection; planning; personnel security; risk assessment; systems
& services acquisition

• Overlapping technical and management

• Configuration management; incident response; media protection
Security Functional Requirements (FIPS PUB 200)
• Technical measures
• Access control:
• Limit the info. to authorized entity (transactions/functions).
• Identification & authentication:
• Identify the user on behalf of user account (uniquely), and each time
authenticate from system
• System & communication protection:
• Monitor/control the organization communication both internal and external
level. Employ the architectural design or software technique to protect the
organization security.
• System & information integrity:
• Identify, report the system flaws timely, malicious code and take timely
protections.
Security Functional Requirements (FIPS PUB 200)
• Management controls and procedures
• Awareness & training;
• Ensure the user/manager are well aware of security risk and have proper trainings
• Audit & accountability;
• System has trace back mechanism of activities, i.e. logs for forensic.
• Individuals also have been uniquely identified for accountability.
• Certification, accreditation, & security assessments;
• Periodically assess the security controls through governance bodies to overcome.
• Contingency planning;
• Must have emergency plan, backups, post disaster recovery to ensure availability of
resources
• Maintenance;
• Periodically maintenance of software and tools, install security patches, passwords
• Physical & environmental protection;
• Limit the physical access, Protect the system (access control), heat/cold protection
Security Functional Requirements (FIPS PUB 200)
• Management controls and procedures
• Planning;
• Periodically develop/design plans against security threats, i.e. rules, user access,
monitor the employee behaviors of accessing the resources etc.
• Personnel security;
• Ensure the individual occupying position is trustworthy before and after
terminations…
• Risk assessment;
• Periodically assess the org. assets, resources and reputations from the operations
of org. system associated with processing, storage, transmission of content.
• Systems & services acquisition
• Provide adequate resources to employee, make ensure the security incorporation
in SDLC and also ensure the adequately security of third party tools used in org.
Security Functional Requirements (FIPS PUB 200)
• Overlapping technical and management
• Incident response:
• Ensure operational incident handling capability in org. sys. like preparations,
detection, analysis and recovery.
• Track document and report incidents for analysis
• Media protection:
• Protect both paper and digital data,
• Limit access to information to authorized users
• Capability to sanitized and destroy info after and before release of use.
• Configuration management:
• Enforce security configurations setting for IT products
• Establish and maintain baseline configuration and inventories of org. info. System
(including h/w, s/w, data and doc.) throughout the respective SDLC
Overview
• Computer Security Concepts
• Threats, Attacks, and Assets
• OSI Security Architecture
• Security Functional Requirements
• Fundamental Security Design Principles
• Attack Surfaces and Attack Trees
• Computer Security Strategy
Case study
A college rule requires any teaching assistant who becomes aware of cheating to
report it. A different rule ensures the privacy of student files. A TA contacts a
student, pointing out that some files for a program were not submitted. The
student tells the TA that the files are in the student’s directory, and asks the TA to
get the files. The TA does so, and while looking for the files notices two sets, one
with names beginning with “x” and the other set not. Unsure of which set to use,
the TA takes the first set. The comments show that they were written by a second
student. The TA gets the second set, and the comments show that they were
written by the first student.
On comparing the two sets, the TA notes that they are identical except for the
names in the comments. Although concerned about a possible countercharge for
violation of privacy, the TA reports the student for cheating.
As expected, the student charges the TA with violating his privacy by reading the
first set of files. The rules conflict. Which charge or charges should be sustained?
Restriction minimizes the power of an entity. The entity can access only information
it needs.
Fundamental Security Design Principles *
• Despite years of research, it is still difficult to design systems that comprehensively
prevent security flaws

• But good practices for good design have been documented (analogous to software
engineering)
• Economy of mechanism, fail-safe defaults, complete mediation, open design,
separation of privileges, least privilege, least common mechanism, psychological
accountability, isolation, encapsulation, modularity, layering, least astonishment

• Key point: Restriction may minimizes the control, Access only that needs

* Ref: Design Principles: Introduction to Computer Security by Bishop

Fundamental Security Design Principles [1/4]
• Economy of mechanism: security measures should be as simple as possible
• Simpler to implement and to verify (H/W and S/W)
• Fewer vulnerabilities, checking and testing would be less
• E.g. stock exchange news using Message authentication code

• Fail-safe default: restricts how privileges are initialized when a subject or object is
created i.e. default access to an object is none
• (e.g. spool directory fail should stop not write any other )

• Complete mediation: every access must be checked against the access, restricts
the caching of information,
• E.g. DNS cache “poison” may redirect to another IP.
Fundamental Security Design Principles [1/4]
• Open design: the design should be open rather than secret (e.g. encryption
algorithms).
• Complexity does not add security
• “security through obscurity”

• Separation of privilege: multiple privileges should be needed to achieve access (or

complete a task)
• Don't grant permission based on a single condition, ($10,000 transactions,
ATM verifications, bank mobile apps)

• Least common mechanism: mechanisms used to access resources should not be

shared (providing mutual security; reduce deadlock) e.g. Cover channel.
• Sharing resources provides a channel along which information can be
transmitted, and so such sharing should be minimized
Fundamental Security Design Principles [1/4]
• Psychological acceptability: security mechanisms should not interfere unduly with
the work of users
• Configuring and executing a program should be as easy and as intuitive as
possible and output should be clear, direct, and useful.
• E.g. if password incorrect don’t come up with cryptographic error.
• If too complicated admin may skip the s/w in unsecure manner.
• Layering (defense in depth): use of multiple, overlapping protection approaches
• Bank transaction, two way authentication.
• Least astonishment: a program or interface should always respond in a way that is
least likely to surprise a user
• As normal not amazed typed.
Fundamental Security Design Principles [4/4]
• Encapsulation: similar to object concepts (hide internal structures)
• Modularity: modular structure, www4
• Isolation
• Public access should be isolated from critical resources (no connection
between public and critical information, i.e. data, process, to avoid
tempering). May logically divide the data/system for critical data.
• Users files should be isolated from one another (except when desired)
• Security mechanism should be isolated (i.e., preventing access to those
mechanisms)
• Least privilege: every user (process) should have the least privilege to perform
a task (role based access control, e.g. windows), restrict privileges. i.e. Append
not write access
Key points of Security Design Principles
• Principles of Secure Design underlie all security-related mechanisms. It
required:
• Good understanding of environment in which it is to be used

• Careful analysis and design

• Careful implementation
Overview
• Why and What to Secure?
• Computer Security Concepts
• Threats, Attacks, and Assets
• OSI Security Architecture
• Security Functional Requirements
• Fundamental Security Design Principles
• Attack Surfaces and Attack Trees
• Elaborate on two concepts that are useful in evaluating and classifying threats.

• Computer Security Strategy

 Attack Surfaces
What would be Attack surfaces of your office/business ???
• Doors, windows, safe boxes etc.
• The entire network and software environment is exposed to remote or local
attacks. Everything running on the digital side of any company
• Includes software applications, networks, ports, operating system services, web
and desktop applications and more..
• In short, consist of reachable and exploitable vulnerabilities in a system
• An attack surface refers to all the ways your apps can possibly be exploited by
attackers
• What about Web servers?
• Open ports (outward facing Web and other servers, and code listening)
• Code that processes incoming data XML, email, office documents, and industry specific
custom data exchange formats.
• An employee with access to sensitive info (i.e. social engineering)
• Interfaces, SQL, and Web forms…
 Attack Surfaces: Categories
• Network attack surface (i.e. network vulnerability, DOS, disruption of communication links)
• Software attack surface (i.e., software vulnerabilities, OS code, utilities, Web server software)
• Human attack surface (e.g., social engineering, human error)
• Digital attack surface
• Related to software
• Physical attack surface
• Everything related to hardware, routers, switches, desktop computers, notebooks,
tablets and mobile phones, surveillance cameras
• Once attacker gain the access of physical device can explore
• Create a digital map of all the network, ports and services
• Inspect the source code of the running software, if found
• Check the running databases and the information stored there
• Upload virus, malware or backdoors to infect the operating system
• Crack login credentials to gain access to privileged areas
• Copy sensitive information to removable devices or send it to remote servers
 Attack surfaces analysis
• Attack surface analysis: assessing the scale
and severity of threats.
• A systematic analysis of vulnerability makes
developer and security expert to aware where
is the security mechanism required.

• Once the attack surface is defined, designer

may able to reduce the attack surface smaller
through security mechanism.

• The identification of attack surface provide

guidance on setting priorities and security
mechanism.
How can we reduce the attack surface?
• There are several ways to reduce the attack surface.
• Less code, less software attack surface
• In short reducing the entry point, Turn off, disable or remove unnecessary software
features
• Remove unnecessary OS software and services
• Do you really need a printing service running if you don’t use a printer? (MSQL server
3306 port).
• Inspect your domain, IPs and DNS zones
• Audit all your IP address space, i.e. DNS toolkit
• Scan your network ports
• Scanning the open ports in your public IP addresses is the first attack, can explore
Nmap command.
• Analyze your SSL certificates
• How hardened are your SSL certificates? Are you keeping your SSL chains complete
and well-secured?
• SSL certificate expiration and validity?
• Audit your software, network and traffic
Attack Surface tools

• OWASP Attack Surface Detector: OWASP tool

• Can highlight the weak web application endpoints, accepted parameters
and type of data accepted

• Sandbox Attack Surface Analysis Tools:

Google’s attack surface tool
• Windows-based users unveil the real attack surface of your OS, services
and web applications running on the Microsoft platforms
Attack trees
• Attack trees are conceptual diagrams showing how an asset, or target,
might be attacked
• A branching, hierarchical data structure that represents a set of potential
vulnerabilities
• Objective: to effectively exploit the information available on attack
patterns
• published on CERT (security adversaries) or similar forums
• Security analysts can use the tree to guide design and strengthen
countermeasures

• Use case: Bank Account Compromise

• Following three components involved in authentications.
• User terminal and user (UT/U): Token, equipment, smartcards, action of user
• Communications channel (CC) :
• Internet banking server (IBS): Offline attacks on banking servers
Attack trees: Use Case
• Use case: Bank Account Compromise

• Target: Internet banking authentication application

• Following three components involved in authentications.

• User terminal and user (UT/U): Token, equipment, smartcards, action of
user
• Communications channel (CC) :
• Internet banking server (IBS): Offline attacks on banking servers
An attack tree
Root: Objective of attacker

Purpose: Identify the key

vulnerabilities

Shaded Node: Event that

might comprise the attack

White Node: One/more

specific events
Computer Security Strategy
• Lets see an overall strategy for providing security

• Specification/policy:
• What security scheme supposed to do?
• Implementation/mechanisms:
• How does it do it?
• Correctness/assurance:
• Does it really work?
Computer security strategy
• Policy (specs): First step is to develop Policy (informal and formal
specification). So security manager focus on what security schemes are
supposed to do. Following key point must ensure.
• The value of the assets being protected
• The vulnerabilities of the system
• Potential threats and the likelihood of attacks

• May consider following trade-offs:

• Ease of use vs. security
• e.g. Firewalls or network security measure may reduce time and but add delay.
• Virus checking software may consume power etc.
• Access control required remembering of passwords.
• Cost of security vs. cost of failure/recovery
• Ensure the implementing and maintenance cost in security measures. All cost must
be balanced.
Computer security strategy
• Implementation/mechanism: how to enforce
• Prevention
• An ideal security scheme is one in which no attack is successful. But not practical
• e.g. encrypted transmitted data prevent the attack of confidentially.
• Detection
• Absolute protection is not feasible, but practically security detection attacks are possible.
• E.g. IDS designed to detect the unauthorized user in logs, detection of DOS attack (but resources
consuming)
• Response
• If security mechanisms detect an ongoing attack, i.e. DOS, the system may be able to respond in
such a way as to halt the attack and prevent further damage.
• Recovery
• Use of backup systems, so that if data integrity is compromised, a prior, correct copy of the data
can be reloaded
Computer security strategy
• Assurance/Evaluation:
• Does the security system design meet its requirements?
• Examining a system with respect to certain criteria, NIST standards.
Recent Security Losses

• https://purplesec.us/resources/cyber-security-statistics/

We can further explore

Activity
• Consider a student information system (SIS) in which students provide a student
registration number and a card for account access.
• Give examples of confidentiality, integrity, and availability requirements associated
with the system and, in each case, indicate the degree of the importance of the
requirement.

• Confidentiality: high, card has personal information and only available to authorized
student.
• Integrity: high, Card # only used by student
• Availability: high, Card # is only available to authenticate student
Activity
Consider a company whose operations are housed in two buildings on the same property:
one building is headquarters, the other building contains network and computer services.
• The property is physically protected by a fence around the perimeter.
• The only entrance to the property is through a guarded front gate.
• The local networks are split between the Headquarters’ LAN and the Network Services’
LAN.
• Internet users connect to the Web server through a firewall.
• Develop an attack tree in which the root node represents disclosure of proprietary
secrets. Include physical, social engineering, and technical attacks.
• The tree may contain both AND and OR nodes. Develop a tree that has at least 10 leaf
nodes.
Activity
1. Physical Attacks
• Bypassing the Perimeter Fence 1.1.1. Cutting the fence 1.1.2. Climbing over the fence 1.1.3. Tunneling under the fence
• Gate Access Breach 1.2.1. Social engineering attack on the guard 1.2.2. Forging access credentials 1.2.3. Tailgating behind
authorized personnel
2. Social Engineering Attacks
• Phishing Attacks 2.1.1. Email phishing targeting employees 2.1.2. Phone phishing (vishing) targeting employees
• Impersonation Attacks 2.2.1. Impersonating an employee or vendor 2.2.2. Impersonating a maintenance worker
3. Technical Attacks 3.1.
• LAN Network Attacks 3.1.1. LAN eavesdropping 3.1.2. LAN-injection attacks 3.2.
• Web Server and Firewall Attacks 3.2.1. Web server vulnerabilities exploitation 3.2.2. Firewall misconfigurations
4. Insider Threats 4.1.
• Employee Data Theft 4.1.1. Unauthorized access by disgruntled employee 4.1.2. Insider sharing login credentials
• Vendor or Contractor Breach 4.2.1. Unauthorized access by a contractor/vendor 4.2.2. Insider collusion with a contractor/vendor
5. USB/Removable Media Attacks 5.1.
• Malicious USB Insertion 5.1.1. Inserting malware-infected USB drives 5.1.2. Dropping infected USBs in parking lots
6. Physical Break-ins 6.1.
• Breaking into Buildings 6.1.1. Breaking into the headquarters building 6.1.2. Breaking into the network services building 6.2.
Server Room Access 6.2.1. Gaining physical access to server rooms
7. Internet-based Attacks 7.1.
• External Network Attacks 7.1.1. DDoS attacks on the web server 7.1.2. Exploiting web application vulnerabilities 7.2.
• Remote Employee Compromise 7.2.1. Exploiting vulnerabilities in remote employee systems 7.2.2. Phishing remote employees
8. Physical Surveillance and Espionage 8.1.
• Eavesdropping on Conversations 8.1.1. Planting listening devices 8.1.2. Intercepting phone calls 8.2.
• Physical Espionage 8.2.1. Infiltrating the company as a spy
Summary
• Why and What to Secure?
• Computer Security Concepts
• A Model of Computer Security
• Threats, Attacks, and Assets
• OSI Security Architecture
• Security Functional Requirements
• Fundamental Security Design Principles
• Attack Surfaces and Attack Trees
• Computer Security Strategy
• Activities
Reference
• Chapter 1
• (Computer Security Principles & Practice)