Upload
ashish-sharma
View
222
Download
0
Embed Size (px)
Citation preview
8/17/2019 Module IV Ppt
1/59
Introduction to Cyber Se&
Information Securit
Module 4: System and Application Security
Chapter 1: Security Architectures and Models
Chapter 2: System Security
Chapter 3: OS Security
Chapter 4: Wireless Network and Security
8/17/2019 Module IV Ppt
2/59
Chapter :Security Architectures and M
1! "esi#nin# Secure Operatin# Systems
2! n$ormation Security Models
8/17/2019 Module IV Ppt
3/59
1! "esi#nin# Secured%&rustedOperatin# Systems!
What makes an operatin# system 'sec'trustworthy)
*ow are trusted systems desi#ned+ an
o$ those desi#n principles carry o,er nto other pro#ram de,elopment tasks)
*ow do we de,elop 'assurance( o$ thcorrectness o$ a trusted operatin# sys
8/17/2019 Module IV Ppt
4/59
-rimiti,e security ser,ices
Memory protection
.ile protection
/eneral o0ect access control
ser authentication
OS is trusted i$ we ha,e condence that it pro,ides these $oin a consistent and eecti,e way!
8/17/2019 Module IV Ppt
5/59
2! n$ormation Security Models
5ell67a-adula
5i0a
Clark6Wilson
Chinese Wall
/ood 0rie$ summary on *arris p!248
8/17/2019 Module IV Ppt
6/59
5ell67a-adula 957- Model
57- is $ormal 9mathematical description o$ mandatorycontrol
&hree properties:
ds6property 9discretionary security
ss6property 9simple security ; no 'read down(
8/17/2019 Module IV Ppt
7/59
5ell67a-adula Model 9Continued
*oneywell Multics kernel was only true implementation o$ ne,er took hold
"O" in$ormation security re=uirements currently achie,eddiscretionary access control and se#re#ation o$ systems racompliant computers
8/17/2019 Module IV Ppt
8/59
5i0a Model
Similar to 57- 0ut $ocus is on inte#rity+ not condentiality
>esult is to turn the 57- model upside down
*i#h inte#rity su0ects cannot read lower inte#rity o0ects 9no
Su0ects cannot mo,e low inte#rity data to hi#h6inte#rity en,i'write up(
Mc7ean notes that a0ility to ?ip models essentially renders
assurance properties useless
8/17/2019 Module IV Ppt
9/59
Clark6Wilson Model
>e,iews distinction 0etween military and commercial polic
Military policy $ocus on condentiality
Commercial policy $ocus on inte#rity
Mandatory commercial controls typically in,ol,e who #ets type o$ transaction rather than who sees what 9@ample: ca0o,e a certain dollar amount
8/17/2019 Module IV Ppt
10/59
Clark6Wilson Model 9Continued
&wo types o$ o0ects:
Constrained "ata tems 9C"s
nconstrained "ata tems 9"s
&wo types o$ transactions on C"s in model
nte#rity Berication -rocedures 9B-s
&rans$ormation -rocedures 9&-s
B-s certi$y that &-s on C"s result in ,alid state
All &-s must 0e certied to result in ,alid trans$orma
8/17/2019 Module IV Ppt
11/59
Clark6Wilson Model 9Continued
System maintains list o$ ,alid relations o$ the $orm:ser"+ &-+ C"%"D
Only permitted manipulation o$ C" is ,ia an authoriE
$ a &- takes a " as an input+ then it must result in or the &- will 0e reected
Additional re=uirements Auditin#: &-s must write to an append6only C" 9l
Separation o$ duties
8/17/2019 Module IV Ppt
12/59
Clark6Wilson ,ersus 5i0a
n 5i0aFs model+ " to C" con,ersion is per$ormed 0y truonly 9e!#!+ a security oGcer+ 0ut this is pro0lematic $or dat$unction!
n Clark6Wilson+ &-s are specied $or particular users and $u5i0aFs model does not oer this le,el o$ #ranularity!
8/17/2019 Module IV Ppt
13/59
Chinese Wall
.ocus is on con?icts o$ interest!
-rinciple: sers should not access the condential in0oth a client or#aniEation and one or more o$ its com
*ow it works
sers ha,e no 'wall( initially!
Once any #i,en le is accessed+ les with competin$ormation 0ecome inaccessi0le!
nlike other models+ access control rules chan#e 0eha,ior
8/17/2019 Module IV Ppt
14/59
Chapter 2:System Securit
1! email security: -/- and SMM@
2! We0 Security: we0 authentication+ SSS@&
3! "ata0ase Security
8/17/2019 Module IV Ppt
15/59
1! email security: -/- and SMM
@6mail is one o$ the most widely used network ser,ices killer application o$ the nternet
Normally messa#e contents not secured
Can 0e read%modied either in transit or at destination 0y theattacker
@6mail ser,ice is like postcard ser,ice
ust pick it and read it
8/17/2019 Module IV Ppt
16/59
@mail Security @nhancements
condentiality
protection $rom disclosure
authentication
o$ sender o$ messa#e
messa#e inte#rity
protection $rom modication
non6repudiation o$ ori#in
protection $rom denial 0y sender
8/17/2019 Module IV Ppt
17/59
-retty /ood -ri,acy 9-/-
widely used secure e6mail so$tware
ori#inally a le encryption%decryption $acility
de,eloped 0y -hil Himmermann
a security acti,ist who has had le#al pro0lems due t-/-
0est a,aila0le crypto al#orithms are employed
a,aila0le on se,eral plat$orms with source code ori#inally $ree+ now commercial ,ersions eist
not controlled 0y a standardiEation 0ody
althou#h there are >.Cs
8/17/2019 Module IV Ppt
18/59
-/- Mechanisms
"i#ital Si#natures 9and conse=uently
messa#e authentication and inte#rity >SA+ "SS
Messa#e @ncryption
CAS&+ "@A+ 3"@S+ A@S 9all at least 12I 0its
symmetric keys are used once and encrypted
usin# >SA or @l/amal 90ased on discrete lo#s Compression usin# H-
>adi6J4 con,ersion 9to ASC
$or e6mail compati0ility
8/17/2019 Module IV Ppt
19/59
S%MM@
Secure%Multipurpose nternet Mail @tensions
A standard way $or email encryption and si#nin#
@&. eort 9>.Cs 2J32+ 2J33 ; $or ,ersion 3!KL>.Cs 3IK+ 3I1 $or ,ersion 3!1L 8K+ 81 $or,ersion 3!2
ndustry support
Not a standalone so$tware+ a system that is to 0supported 0y email clients
such as MS Outlook and &hunder0ird
S%MM@ handles di#ital si#natures
Also pro,ides encryption
8/17/2019 Module IV Ppt
20/59
S%MM@ .unctions
en,eloped data
encrypted content and associated keys
si#ned data
encoded messa#e encoded si#ned messa#edi#est
clear6si#ned data
cleartet messa#e encoded si#ned messa#edi#est
si#ned and en,eloped data
Nested si#ned and encrypted entities
8/17/2019 Module IV Ppt
21/59
2! We0 Security: we0 authentication+SS7 and S@&
SSL (Secure Sockets Layer)
NO& a payment protocol 66 can 0e used $or any securecommunications+ like credit card num0ers
SS7 is a secure data echan#e protocol pro,idin# -ri,acy 0etween two nternet applications
Authentication o$ ser,er 9authentication o$ 0rowser optional
ses en,elopin#: >SA used to echan#e "@S keys
SS7 *andshake -rotocol Ne#otiates symmetric encryption protocol+ authenticates
SS7 >ecord -rotocol -acks%unpacks records+ per$orms encryption%decryption
"oes not pro,ide non6repudiation
8/17/2019 Module IV Ppt
22/59
Secure Sockets 7ayer 9SS7
7ayered on top o$ &C-%- 0ut 0elow the
application layer! 9>e=uires relia0le transportto operate!
SS7 is increasin# in importance $or nternetsecurity
n,ented 0y -hil arlton 9CM -h!"! andothers at Netscape
Biew protocol 9J3 pa#es
http://www.iie.edu.uy/~mazzara/pgp/draft-ietf-tls-ssl-version3-00.htmlhttp://www.iie.edu.uy/~mazzara/pgp/draft-ietf-tls-ssl-version3-00.html
8/17/2019 Module IV Ppt
23/59
SS7 9Secure Sockets 7ayer
*AN"7@S COMW&* &*@ A--
-rotocolsN&A7H@S CO5@&W@@N C7@
N&A7H@S S@C>@COMMNCA&ON
*AN"7@S "A&ACOM->@SSON
@>>O> *AN"
8/17/2019 Module IV Ppt
24/59
8/17/2019 Module IV Ppt
25/59
S@& O0ecti,es
Condentiality o$ payment and order in$ormation @ncryption
nte#rity o$ all data 9di#ital si#natures Authentication o$ cardholder P account 9certicates
Authentication o$ merchant 9certicates
No reliance on secure transport protocols 9uses &C-%-
nteropera0ility 0etween S@& so$tware and network StandardiEed messa#e $ormats
S@& is a payment protocol Messa#es relate to ,arious steps in a credit card transaction
8/17/2019 Module IV Ppt
26/59
S@& Security
"i#ital en,elopes+ nonces+ salt
&wo pu0lic6pri,ate key pairs $or each party
One $or di#ital si#naturesL one $or key echan#e messa#e 1JK60it messa#e di#ests
Statistically #lo0ally uni=ue "s 9Q"s
Certicates 9 kinds
Cardholder+ Merchant+ Ac=uirer+ ssuer+ -ayment /ateway
*ardware crypto#raphic modules 9$or hi#h security
dempotency 9messa#e can 0e recei,ed many times 0ut isonly processed once f 9f 9 x R f 9 x Comple protocol! O,er JKK pa#es o$ detail
"ual si#natures
http://www.setco.org/download/set_bk2.pdfhttp://www.setco.org/download/set_bk2.pdf
8/17/2019 Module IV Ppt
27/59
S@& -rocess Steps 9Simplied
1! Merchant sends in,oice and uni=ue transaction " 9Q"
2! Merchant sends merchant certicate and 0ank certicate 9encrypte with CAFs pri,ate key
3! Customer decrypts certicates+ o0tains pu0lic keys
4! Customer #enerates order in$ormation 9O and payment in$o 9- encrypted with dierent session keys and dual6si#ned
! Merchant sends payment re=uest to 0ank encrypted with 0ank6 merchant session key+ -+ di#est o$ O and merchantFs certicate
J! 5ank ,eries that the Q" matches the one in the -
8! 5ank sends authoriEation re=uest to issuin# 0ank ,ia card network
I! 5ank sends appro,al to merchant
! Merchant sends acknowled#ement to customer
8/17/2019 Module IV Ppt
28/59
S@& Supported &ransactions
• card holder re#istration
• merchant re#istration
• purchase re=uest
• payment authoriEation
• payment capture
• certicate =uery
• purchase in=uiry
• purchase notication
• sale transaction• authoriEation re,ersal
• capture re,ersal
• credit re,ersal
8/17/2019 Module IV Ppt
29/59
29
3. Database Security
Security Objectives
Secrecy
Prevent/detect/deter impro
Disclosure of information
Availability
Prevent/detect/deter improper
Denial of access to services
Integrity
Prevent/detect/deter
Improper modification
of information
8/17/2019 Module IV Ppt
30/59
30
Policy
r!ani"ational
Information systems policy
8/17/2019 Module IV Ppt
31/59
"ata0ases
Collection o$ interrelated data and
set o$ pro#rams to access the data
Con,enient and eGcient processin# o$ data
"ata0ase Application So$tware
31
8/17/2019 Module IV Ppt
32/59
"ata0ase Security
-rotect Sensiti,e "ata $rom
nauthoriEed disclosure
nauthoriEed modication
"enial o$ ser,ice attacks
Security Controls
Security -olicy
Access control models
nte#rity protection
-ri,acy pro0lems
.ault tolerance and reco,ery
Auditin# and intrusion detection
32
8/17/2019 Module IV Ppt
33/59
33
Protection of Data Confidentiality
Access control – which data users canaccess
Information flow control – what users can
do with the accessed data
Data inin!
8/17/2019 Module IV Ppt
34/59
34
Access Control
"nsures that all direct accesses to ob#ect are
authori$ed
Protects a!ainst accidental and malicious
threats by re!ulatin! the read% write ande&ecution of data and pro!rams
8/17/2019 Module IV Ppt
35/59
35
Access Control
'e(uires)
* Proper user identification
* Information specifyin! the access ri!hts is
protected form modification
8/17/2019 Module IV Ppt
36/59
36
Access control components)
- Access control policy) specifies the
authori$ed accesses of a system
- Access control mechanism) implements
and enforces the policy
Access Control
8/17/2019 Module IV Ppt
37/59
Chapter 3:peratin! System Security
1! Anti6,irus so$tware
2! Con#urin# the OS $or security
8/17/2019 Module IV Ppt
38/59
1. Antivirus Software.
What is a Virus?
a virus is software that spreads from program to program, or from disuses eah infeted program or disk to make opies of itse!f. "as
sa"otage.
8/17/2019 Module IV Ppt
39/59
$ow does a %irus Spread&
first a programmer writes the virus most often "eingattahed to a norma! program' unknown to the userthe virus spreads to other software. then the virusis passed "# disk or network to other users who
use other omputers. the virus then remainsdormant as it is passed on.
#he Internet
8/17/2019 Module IV Ppt
40/59
(hat is Anti%irus Software&
omputer programs intended to identif# and e!iminate ompute
8/17/2019 Module IV Ppt
41/59
)he *est +efense
this #ears "est defense against omputer viruses, sp#ware, spam is an antivirus program a!!ed *it+efender.
has a userfriend!# interfae that sans a!! e-isting fi!es on #a!! inoming and outgoing emai!s, and even / transfers.
features in!ude priva# protetion and we" sanning for int#ears su"sription is a"out 24.99.
8/17/2019 Module IV Ppt
42/59
A%
the most wide!# used software is the orton Anti%irus. A%
sine its re!ease in 1990, over 100 mi!!ion peop!e around theused it.
its a free program "ut in order to reeive !ive updates, a va!iis needed.
a #ear!# su"sription is on!# 29.99.
8/17/2019 Module IV Ppt
43/59
/Afee
/Afee %irusSan is another popu!ar antivirus program.
its designed for home and homeoffie use.
its used speifia!!# on a /irosoft (indows p!atform.
the 200 edition in!udes a num"er of features in!uding on
sharing, in"ound and out"ound firewa!! protetion, and dai!#updates.
8/17/2019 Module IV Ppt
44/59
asperski
for the average home user and advaned users the asperssoftware has an eas# to use interfae.
the program uses 3 ta"s for protetion, settings and support
it updates itse!f on an hour!# "asis and is one of the fastest aprograms avai!a"!e.
however, 7ua!it# omes at a prie and #ear su"sription is
8Antivirus software is the e7uiva!ent to
8/17/2019 Module IV Ppt
45/59
Antivirus software is the e7uiva!ent topenii!!in of the omputer wor!d.
!ike penii!!in, antivirus app!iations at as aover #our s#stem, sanning inoming fi!es aapp!iations, 87uarantining or !eaning up viruses !ooking to ause harm to #our s#ste
antivirus software is onsidered to "e an aidetets, fi-es and even prevents viruses anfrom spreading to #our omputer as we!! asonneting omputers.
8/17/2019 Module IV Ppt
46/59
2! Con#urin# the OS $or secur
-urpose o$ the system+ type o$ in$ormation sapplications and ser,ices pro,ided
sers o$ the system and their pri,ile#es
*ow are users authenticated
*ow in$ormation on system is mana#ed
What other hosts % "5s are accessed 0y syst
Who will mana#e system and how 9remote o
Additional measures such as: rewall+ anti6,ilo##in#
d i h
8/17/2019 Module IV Ppt
47/59
*ardenin# the OS
"e$ault OS con#urations are $or ease o$ us Measures ha,e to 0e done at all sta#es
nstallin# and patchin#
Con#urin#
>emo,e unnecessary applications+ ser,ices and protoc
sers+ #roups+ controls and pri,ile#es
nstall additional so$tware 9anti6,irus+ rewall+ indetection system+ etc!
&est Security
lli d - hi
8/17/2019 Module IV Ppt
48/59
nstallin# and -atchin#
nstallation Machines should not connect to network until secured
*owe,er remo,a0le media may 0e in$ected as well
7imited network 9rewall is accepta0le+ ideally:
No in0ound connections
Only out to certain key sites
nstall only re=uired ser,ices and dri,ers 9$rom trusted sources
Set up automatic updates 9only i$ update time is not an issue
5ootin#
-rotect 5OS chan#es with password
"isa0le some 0oota0le media
Crypto#raphic hard dri,es) -ros and Cons
C %/ A th ti ti
8/17/2019 Module IV Ppt
49/59
Con#ure %/ Authentication
"ene user types and pri,ile#es Admin 9ideally only temporary
Normal
7imited
Authentication
.orce de$ault password chan#e
-assword denition -assword li$espan
>emo,e or disa0le old accounts
Allow $or remote connections)
Additi l S it d & ti
8/17/2019 Module IV Ppt
50/59
Additional Security and &estin#
Anti6,irus
.irewalls+ "S+ -S
White list
$ attackers mana#e to install a pro#ram what will happen)
>un some test cases which attempt to 0reak security 9stre#ood hackers make a lot o$ money here
A li ti S it
8/17/2019 Module IV Ppt
51/59
Application Security
Con#ure applications properly se encryption when possi0le as seen earlier
.or storin#
.or transmit 9SS* connections
7imit pri,ile#es as with users
>emem0er what we ha,e said a0out security in An5lack0erry+ and i-hone
Applications may pro,ide 0ackdoors i$ not coproperly
M i t
8/17/2019 Module IV Ppt
52/59
Maintenance
Now that system is set+ keep it secure
&his in,ol,es
Monitorin# and analyEin# lo##in# in$ormation
-er$ormin# re#ular 0ackups
>eco,erin# $rom security compromises
>e#ular testin# o$ security
-atch+ update+ and re,ise critical so$tware
7o##in#
8/17/2019 Module IV Ppt
53/59
7o##in#
eep a record o$ important e,ents in the computer
-ro0lems
Need to make sure to ha,e enou#h space
Manual analysis is hard+ so these lo#s should contain a $ormatpro#ram 9e!#! in -erl can parse messa#es
"ata 5ackup
8/17/2019 Module IV Ppt
54/59
"ata 5ackup
5ackup is the act o$ creatin# copies o$ in$ormathat it may 0e reco,ered
Archi,e is to keep these 0ackups $or a lon# petime in order to meet some le#al aspects
Should the 0ackup 0e kept online or oTine) Online makes easier access+ $aster reco,er
OTine is more secure+ harder to reco,er Why not 0oth): sers should keep their own oTine
case online 0ackup #ets remo,ed
"ata may 0e lost accidentally 9hardware $ailumistake or intentionally
Chapter 4
8/17/2019 Module IV Ppt
55/59
Chapter 4:$ireless %etorks and Sec
1! Components o$ wireless networks
2! Security issues in wireless
1 Components o$ Wireless Net
8/17/2019 Module IV Ppt
56/59
1! Components o$ Wireless Net
1 @=uipment
2 Network
3 So$tware
4 Ser,ices
Mo0ile Worker!
8/17/2019 Module IV Ppt
57/59
2 Security ssues in Wireless N
8/17/2019 Module IV Ppt
58/59
2! Security ssues in Wireless N
+etwor, security issues% whether wired or wireless% fall into three main cate!ories)
availability% confidentiality and inte!rity)
•Confidentiality: is the information bein! sent across the networ, transmitted in such
the intended recipient-s can read it.
•Integrity: is the information reachin! the recipient intact•Availability: is the networ, available to users whenever it is supposed to be
8/17/2019 Module IV Ppt
59/59