QMCS 490 - Class Today

March 2005 1R. Smith - University of St Thomas - Minnesota

QMCS 490 - Class TodayQMCS 490 - Class Today• Information Security life cycleInformation Security life cycle• IntroductionsIntroductions• Security perimetersSecurity perimeters• AssignmentAssignment


The life cycleThe life cycle• Identify your practical goalsIdentify your practical goals

– What “real” things do you want to accomplish?What “real” things do you want to accomplish?– What threats interfere with them?What threats interfere with them?

• Implement security measuresImplement security measures– What weaknesses exist?What weaknesses exist?– What security measures might work?What security measures might work?– What are the trade-offs against goals?What are the trade-offs against goals?

• Measure successMeasure success– Monitor for attacks or other failuresMonitor for attacks or other failures– Recover from problemsRecover from problems– Reassess goals and trade-offsReassess goals and trade-offs


So what will the class look at?So what will the class look at?• How to assess security in generalHow to assess security in general• Analyzing risk trade-offsAnalyzing risk trade-offs• Specific security issues and techniquesSpecific security issues and techniques

– WorkstationsWorkstations– LANsLANs– Distributed networksDistributed networks– Internet accessInternet access– E-commerceE-commerce– If time, DRM and ‘extreme security’If time, DRM and ‘extreme security’


Who are you, who am IWho are you, who am I

• Ask your neighbor:Ask your neighbor:– Name, majorName, major– Why are you taking this class?Why are you taking this class?– Do you “0wn” a computer?Do you “0wn” a computer?

• I.e. can you log in as admin?I.e. can you log in as admin?– Give a personal, security related fact.Give a personal, security related fact.

• Experience, skill, incident, etc.Experience, skill, incident, etc.


Why this course existsWhy this course exists• Start of an Information Security majorStart of an Information Security major• Will be US govt certifiedWill be US govt certified• Four principal ‘special’ coursesFour principal ‘special’ courses

– Intro course = this oneIntro course = this one– Operating SystemsOperating Systems– NetworkingNetworking– Infosec Analysis = capstone courseInfosec Analysis = capstone course

• Analysis courseAnalysis course– More labs and toolsMore labs and tools– More (very dry) government policy stuffMore (very dry) government policy stuff– Info Warfare exercise at the endInfo Warfare exercise at the end


The Syllabus: nuts and boltsThe Syllabus: nuts and bolts• Grade = assignments + testsGrade = assignments + tests

– Also a ‘participation’ gradeAlso a ‘participation’ grade– Attend class, hand in work = good test gradeAttend class, hand in work = good test grade– Good grade <= assignments, attend classGood grade <= assignments, attend class

• Typical homeworkTypical homework– Analyze a security problem, draw a diagramAnalyze a security problem, draw a diagram

• I am planning a couple of labsI am planning a couple of labs– We have limited lab space (5 machines)We have limited lab space (5 machines)– May do 30 minute shots at the labsMay do 30 minute shots at the labs

• I typically have people do research projectsI typically have people do research projects– An outline, a paper, and a presentation.An outline, a paper, and a presentation.– Not sure this timeNot sure this time


The SyllabusThe Syllabus• Concepts we’ll coverConcepts we’ll cover

– ““Practical” security planning and assessmentPractical” security planning and assessment– Risk trade offs - the conceptRisk trade offs - the concept– Role of security policiesRole of security policies

• Environments - in order of breadthEnvironments - in order of breadth– Personal desktop/laptopPersonal desktop/laptop– Shared computerShared computer– Local networkLocal network– Internet access from LANInternet access from LAN– Distributed LANsDistributed LANs– E-commerceE-commerce


Two security assessment techniquesTwo security assessment techniques• Perimeter analysisPerimeter analysis

– Look at the boundary protecting an assetLook at the boundary protecting an asset– Look at access points in the boundaryLook at access points in the boundary– Who might want the asset?Who might want the asset?– What attacks will break the boundary?What attacks will break the boundary?– What attacks will break the access points?What attacks will break the access points?– Is the inside benign itself? Can it be hacked?Is the inside benign itself? Can it be hacked?

• Flow analysis (data flow, execution flow)Flow analysis (data flow, execution flow)– Look at where data might flowLook at where data might flow– Assess mechanisms to restrict the flowAssess mechanisms to restrict the flow– Assess attacks that can divert the flowAssess attacks that can divert the flow– Look at “flow of execution” and possible diversionLook at “flow of execution” and possible diversion


Part of this semester’s agendaPart of this semester’s agenda• I’m writing a book on elementary securityI’m writing a book on elementary security• We’ll look at chapters in this classWe’ll look at chapters in this class

– I thought I’d have one ready for todayI thought I’d have one ready for today– It’s not finished yet.It’s not finished yet.

• Internet CryptographyInternet Cryptography– An “old” book, but …An “old” book, but …– It talks about security, perimeters, and information flowIt talks about security, perimeters, and information flow– Provides the basics and concepts for networking & cryptoProvides the basics and concepts for networking & crypto


Personal Computer SecurityPersonal Computer Security• Share a dorm room?Share a dorm room?• Share an apartment?Share an apartment?• Share a home?Share a home?

• ““My” computer - a security objectiveMy” computer - a security objective• ““I’ll kill you if you touch it” I’ll kill you if you touch it”

– a policy statement?a policy statement?


Extreme Workstation SecurityExtreme Workstation Security

Does this achieve our goals? Does this achieve our goals?


Asset

Threats & VulnerabilitiesThreats & Vulnerabilities

Threat

Defense,Safeguard, or

“Countermeasure”

An attempt to steal or harm the asset is an attackattack

Vul

nera

bilit

yV

ulne

rabi

lity


A real world exampleA real world example• There is a companyThere is a company• Thieves walk into their buildings every dayThieves walk into their buildings every day• The front door is unlocked all day longThe front door is unlocked all day long• Valuable company property is just lying aroundValuable company property is just lying around• The thieves pick it up and carry it awayThe thieves pick it up and carry it away• Most thieves, but not all, get away?Most thieves, but not all, get away?

• WHAT IS THIS STUPID COMPANY?WHAT IS THIS STUPID COMPANY?• Why don’t they lock the door, at least?Why don’t they lock the door, at least?


Security analysis: your PCSecurity analysis: your PC• Threats?Threats?

– Who, why?Who, why?

• Vulnerabilities?Vulnerabilities?– What bad can happen?What bad can happen?– What allows the badness to happen?What allows the badness to happen?

• Can we just lock it up?Can we just lock it up?– Put it in a roomPut it in a room– Put a lock on the door.Put a lock on the door.– Don’t share the keyDon’t share the key

• Does this work?Does this work?


Physically securing an areaPhysically securing an area• What is a secure perimeter?What is a secure perimeter?

– Contiguous - no breaksContiguous - no breaks– A barrier - actually blocks some attacksA barrier - actually blocks some attacks– Minimal number of openingsMinimal number of openings– Access restrictions on the openingsAccess restrictions on the openings

• Example: my houseExample: my house– Wooden frame building - keeps out wild dogsWooden frame building - keeps out wild dogs– Glass windows with storms - dittoGlass windows with storms - ditto– Locked doors - dittoLocked doors - ditto– Metal fence - dittoMetal fence - ditto– Gates in the fence - dittoGates in the fence - ditto


Security AnalysisSecurity Analysis• What are the threats?What are the threats?

– Wild dogsWild dogs– BurglarsBurglars– People collecting for nasty charitiesPeople collecting for nasty charities

• What are the defenses?What are the defenses?• Are there effective attacks on them?Are there effective attacks on them?

– Effective = threats might use themEffective = threats might use them


Is this a complete list of threats?Is this a complete list of threats?• Of course not.Of course not.

– Study history, the news, experience, introspectionStudy history, the news, experience, introspection– Generate a ‘better’ listGenerate a ‘better’ list

• A notion of “threats”A notion of “threats”– Threat = anyone with strongly different goalsThreat = anyone with strongly different goals– Example: Burger King vs McDonald’sExample: Burger King vs McDonald’s

• Both “sort of” have the same goal: sell burgersBoth “sort of” have the same goal: sell burgers• In fact, BK wants to sell BK burgers, while Mac In fact, BK wants to sell BK burgers, while Mac

wants to sell Mac burgerswants to sell Mac burgers• BK people are not trusted in McDonald’s placesBK people are not trusted in McDonald’s places


Potential vs Real ThreatsPotential vs Real Threats• Potential Threat = strongly different goalsPotential Threat = strongly different goals

– Not a member of the family, company, communityNot a member of the family, company, community– Member of competing entityMember of competing entity– But not necessarily motivated to do you harmBut not necessarily motivated to do you harm

• Real Threat = history of attacksReal Threat = history of attacks– ““Good” neighborhood = neighbors not a threatGood” neighborhood = neighbors not a threat– ““Bad” neighborhood = neighbors have caused Bad” neighborhood = neighbors have caused

trouble in the pasttrouble in the past


Now, the DefensesNow, the Defenses• Physical worldPhysical world

– Physical barriers, slows them down a lotPhysical barriers, slows them down a lot– Locks - slow them down, restricts accessLocks - slow them down, restricts access– Alarms - calls for helpAlarms - calls for help– Warnings - shows you careWarnings - shows you care

• Computer worldComputer world– Examples?Examples?


What defenses are “effective”?What defenses are “effective”?• Concept of “work factor”Concept of “work factor”

– How hard does the attacker have to work to overcome the How hard does the attacker have to work to overcome the defense?defense?

– May be computed in hoursMay be computed in hours– May be computed in likelihood over timeMay be computed in likelihood over time

• Example: average of 3 days, $.25M to crack DESExample: average of 3 days, $.25M to crack DES

• Effective =Effective =– Work Factor > threat’s motivation or skillWork Factor > threat’s motivation or skill– My Home ExampleMy Home Example

• Wild dogs motivated but not resourcefulWild dogs motivated but not resourceful• Charity people resourceful but not motivatedCharity people resourceful but not motivated• Burglars may be both, but hopefully not too much soBurglars may be both, but hopefully not too much so

– Or, deterred by the alarm, and the large dogOr, deterred by the alarm, and the large dog


How does this relate to How does this relate to computers?computers?

• Defenses are always a trade offDefenses are always a trade off

• The same reasoning applies to bothThe same reasoning applies to both

• All security begins with physical securityAll security begins with physical security


Evolution of Evolution of Attacks and DefensesAttacks and Defenses

Attacks Defenses

Remote TerminalsMasquerade

PasswordsSteal the Password File

Password HashingGuessing

Guess DetectionKeystroke Sniffing

Memory ProtectionPassword Sharing

Password TokensNetwork Sniffing

One-Time Passwords??

Example: Passwords on Computers


The homework assignmentThe homework assignment• Two partsTwo parts• A: describe your computer sharing “policy”A: describe your computer sharing “policy”• B: describe physical protection of your B: describe physical protection of your

computercomputer


Creative Commons LicenseCreative Commons License

This work is licensed under the Creative This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United Commons Attribution-Share Alike 3.0 United

States License. To view a copy of this license, States License. To view a copy of this license, visit http://creativecommons.org/licenses/by-visit http://creativecommons.org/licenses/by-

sa/3.0/us/ or send a letter to Creative sa/3.0/us/ or send a letter to Creative Commons, 171 Second Street, Suite 300, San Commons, 171 Second Street, Suite 300, San

Francisco, California, 94105, USA.Francisco, California, 94105, USA.

Documents

QMCS 490 - Class Today