IT system security principles practices

The NIST Computer Security
Handbook defines the term
Computer Security as:

Key Security Concepts
Confidentiality
•Preserving
authorized
restrictions on
information
access and
disclosure,
including means
for protecting
personal privacy
and proprietary
information
Integrity
•Guarding against
improper
information
modification or
destruction,
including ensuring
information
nonrepudiation
and authenticity
Availability
•Ensuring timely
and reliable
access to and use
of information

Levels of Impact
Low
The loss could be
expected to have a
limited adverse
effect on
organizational
operations,
organizational
assets, or
individuals
Moderate
The loss could be
expected to have a
serious adverse
effect on
organizational
operations,
organizational
assets, or
individuals
High
The loss could be
expected to have a
severe or
catastrophic
adverse effect on
organizational
operations,
organizational
assets, or
individuals

• Computer security is not as
simple as it might first
appear to the novice
• Potential attacks on the
security features must be
considered
• Procedures used to provide
particular services are often
counterintuitive
• Physical and logical
placement needs to be
determined
• Additional algorithms or
protocols may be involved
• Attackers only need to find
a single weakness, the
developer needs to find all
weaknesses
• Users and system managers
tend to not see the benefits
of security until a failure
occurs
• Security requires regular
and constant monitoring
• Is often an afterthought to
be incorporated into a
system after the design is
complete
• Thought of as an
impediment to efficient
and user-friendly operation

Table 1.1
Computer
Security
Terminology
RFC 4949, Internet
Security Glossary,
May 2000

assets
threats
Figure 1.1 Security Concepts and Relationships
Threat agents
wish to
minimize
wish to abuse
and/or
may damage
to
to
that
increase
give
rise to
Owners
countermeasures
risk
impose
value
to
reduce

Availability Confidentiality Integrity
Hardware
Equipment is stolen or
disabled, thus denying
service.
An unencrypted CD-
ROM or DVD is stolen.
Software
Programs are deleted,
denying access to users.
An unauthorized copy
of software is made.
A working program is
modified, either to
cause it to fail during
execution or to cause it
to do some unintended
task.
Data
Files are deleted,
denying access to users.
An unauthorized read
of data is performed.
An analysis of
statistical data reveals
underlying data.
Existing files are
modified or new files
are fabricated.
Communication
Lines and
Networks
Messages are destroyed
or deleted.
Communication lines
or networks are
rendered unavailable.
Messages are read. The
traffic pattern of
messages is observed.
Messages are modified,
delayed, reordered, or
duplicated. False
messages are
fabricated.
Table 1.3
Computer and Network Assets, with Examples of Threats

Vulnerabilities, Threats
and Attacks
• Categories of vulnerabilities
• Corrupted (loss of integrity)
• Leaky (loss of confidentiality)
• Unavailable or very slow (loss of availability)
• Threats
• Capable of exploiting vulnerabilities
• Represent potential security harm to an asset
• Attacks (threats carried out)
• Passive – attempt to learn or make use of information from the system
that does not affect system resources
• Active – attempt to alter system resources or affect their operation
• Insider – initiated by an entity inside the security parameter
• Outsider – initiated from outside the perimeter

Table 1.4
Security
Requirements
(FIPS PUB 200)
(page 2 of 2)
(Table can be found on page 27 in the
textbook.)

**Table is on page 20 in the textbook.
Table 1.2
Threat
Consequences,
and the
Types of
Threat Actions
That Cause
Each
Consequence
Based on
RFC 4949
Threat Consequence Threat Action (Attack)
Unauthorized
Disclosure
A circumstance or
event whereby an
entity gains access to
data for which the
entity is not
authorized.
Exposure: Sensitive data are directly released to an
unauthorized entity.
Interception: An unauthorized entity directly accesses
sensitive data traveling between authorized sources and
destinations.
Inference: A threat action whereby an unauthorized entity
indirectly accesses sensitive data (but not necessarily the
data contained in the communication) by reasoning from
characteristics or byproducts of communications.
Intrusion: An unauthorized entity gains access to sensitive
data by circumventing a system's security protections.
Deception
A circumstance or
event that may result
in an authorized entity
receiving false data
and believing it to be
true.
Masquerade: An unauthorized entity gains access to a
system or performs a malicious act by posing as an
authorized entity.
Falsification: False data deceive an authorized entity.
Repudiation: An entity deceives another by falsely denying
responsibility for an act.
Disruption
A circumstance or
event that interrupts
or prevents the correct
operation of system
services and
functions.
Incapacitation: Prevents or interrupts system operation by
disabling a system component.
Corruption: Undesirably alters system operation by
adversely modifying system functions or data.
Obstruction: A threat action that interrupts delivery of
system services by hindering system operation.
Usurpation
A circumstance or
event that results in
control of system
services or functions
by an unauthorized
entity.
Misappropriation: An entity assumes unauthorized logical
or physical control of a system resource.
Misuse: Causes a system component to perform a function
or service that is detrimental to system security.

Passive and Active
Attacks
Passive Attack Active Attack
• Attempts to learn or make
use of information from the
system but does not affect
system resources
• Eavesdropping on, or
monitoring of, transmissions
• Goal of attacker is to obtain
information that is being
transmitted
• Two types:
o Release of message contents
o Traffic analysis
• Attempts to alter system
resources or affect their
operation
• Involve some modification
of the data stream or the
creation of a false stream
• Four categories:
o Replay
o Masquerade
o Modification of messages
o Denial of service

Table 1.4
Security
Requirements
(FIPS PUB 200)
(page 1 of 2)
(Table can be found on page 26 in the
textbook.)

Attack Surfaces
Consist of the reachable and exploitable vulnerabilities in
a system
Examples:
Open ports on
outward facing Web
and other servers,
and code listening
on those ports
Services available on
the inside of a
firewall
Code that processes
incoming data,
email, XML, office
documents, and
industry-specific
custom data
exchange formats
Interfaces, SQL, and
Web forms
An employee with
access to sensitive
information
vulnerable to a
social engineering
attack

Fundamental Security
Design Principles
Economy of
mechanism
Fail-safe
defaults
Complete
mediation
Open design
Separation of
privilege
Least privilege
Least common
mechanism
Psychological
acceptability
Isolation Encapsulation Modularity Layering
Least
astonishment

Attack Surface Categories
Network
Attack Surface
Vulnerabilities over an
enterprise network, wide-area
network, or the Internet
Included in this category are
network protocol vulnerabilities,
such as those used for a denial-
of-service attack, disruption of
communications links, and
various forms of intruder attacks
Software
Attack Surface
Vulnerabilities in application,
utility, or operating system
code
Particular focus is Web server
software
Human Attack
Surface
Vulnerabilities created by
personnel or outsiders, such as
social engineering, human
error, and trusted insiders

Figure 1.3 Defense in Depth and Attack Surface
Attack Surface
Medium
Security Risk
High
Security Risk
Low
Security Risk
Deep
Layering
Shallow
Small Large
Medium
Security Risk

Figure 1.4 An Attack Tree for Internet Banking Authentication
Bank Account Compromise
User credential compromise
User credential guessing
UT/U1a User surveillance
UT/U1b Theft of token and
handwritten notes
Malicious software
installation
Vulnerability exploit
UT/U2a Hidden code
UT/U2b Worms
UT/U3a Smartcard analyzers
UT/U2c E-mails with
malicious code
UT/U3b Smartcard reader
manipulator
UT/U3c Brute force attacks
with PIN calculators
CC2 Sniffing
UT/U4a Social engineering
IBS3 Web site manipulation
UT/U4b Web page
obfuscation
CC1 Pharming
Redirection of
communication toward
fraudulent site
CC3 Active man-in-the
middle attacks
IBS1 Brute force attacks
User communication
with attacker
Injection of commands
Use of known authenticated
session by attacker
Normal user authentication
with specified session ID
CC4 Pre-defined session
IDs (session hijacking)
IBS2 Security policy
violation

Table 2.1
Comparison of Three Popular Symmetric
Encryption Algorithms
DES Triple DES AES
Plaintext block size (bits) 64 64 128
Ciphertext block size (bits) 64 64 128
Key size (bits) 56 112 or 168 128, 192, or 256
DES = Data Encryption Standard
AES = Advanced Encryption Standard

Symmetric Encryption
• The universal technique for providing confidentiality
for transmitted or stored data
• Also referred to as conventional encryption or
single-key encryption
• Two requirements for secure use:
• Need a strong encryption algorithm
• Sender and receiver must have obtained copies
of the secret key in a secure fashion and must
keep the key secure

Plaintext
input
Y = E[K, X] X = D[K, Y]
X
K K
Transmitted
ciphertext
Plaintext
output
Secret key shared by
sender and recipient
Secret key shared by
sender and recipient
Encryption algorithm
(e.g., DES)
Decryption algorithm
(reverse of encryption
algorithm)
Figure 2.1 Simplified Model of Symmetric Encryption

Attacking Symmetric
Encryption
Cryptanalytic Attacks Brute-Force Attack
⚫ Rely on:
⚫ Nature of the algorithm
⚫ Some knowledge of the
general characteristics of the
plaintext
⚫ Some sample plaintext-
ciphertext pairs
⚫ Exploits the characteristics of
the algorithm to attempt to
deduce a specific plaintext or
the key being used
⚫ If successful all future and past
messages encrypted with that
key are compromised
⚫ Try all possible keys on some
ciphertext until an intelligible
translation into plaintext is
obtained
⚫ On average half of all possible
keys must be tried to achieve
success

Data Encryption Standard
(DES)
The most widely used encryption scheme
FIPS PUB 46
Referred to as the Data Encryption
Algorithm (DEA)
Uses 64 bit plaintext block and 56 bit key to
produce a 64 bit ciphertext block
Strength concerns:
Concerns about algorithm
DES is the most studied encryption algorithm in
existence
Use of 56-bit key
Electronic Frontier Foundation (EFF) announced
in July 1998 that it had broken a DES encryption

Table 2.2
Average Time Required for Exhaustive Key Search
Key size
(bits) Cipher
Number of
Alternative
Keys
Time Required at 109
decryptions/s
Time Required
at 1013
decryptions/s
56 DES 256 ≈ 7.2 ´ 1016 255 ns = 1.125 years 1 hour
128
AES
2128 ≈ 3.4 ´ 1038 2127 ns = 5.3 ´ 1021
years
5.3 ´ 1017 years
168
Triple DES
2168 ≈ 3.7 ´ 1050 2167 ns = 5.8 ´ 1033
years
5.8 ´ 1029 years
192 AES 2192 ≈ 6.3 ´ 1057 2191 ns = 9.8 ´ 1040
years
9.8 ´ 1036 years
256 AES 2256 ≈ 1.2 ´ 1077 2255 ns = 1.8 ´ 1060
years
1.8 ´ 1056 years

Triple DES (3DES)
⚫ Repeats basic DES algorithm three times using either
two or three unique keys
⚫ First standardized for use in financial applications in
ANSI standard X9.17 in 1985
⚫ Attractions:
⚫ 168-bit key length overcomes the vulnerability to brute-force
attack of DES
⚫ Underlying encryption algorithm is the same as in DES
⚫ Drawbacks:
⚫ Algorithm is sluggish in software
⚫ Uses a 64-bit block size

Advanced Encryption
Standard (AES)
Needed a
replacement for
3DES
3DES was not
reasonable for
long term use
NIST called for
proposals for a
new AES in 1997
Should have a security
strength equal to or
better than 3DES
Significantly improved
efficiency
Symmetric block cipher
128 bit data and
128/192/256 bit keys
Selected
Rijndael in
November 2001
Published as
FIPS 197

⚫ Typically symmetric encryption is applied to a unit of
data larger than a single 64-bit or 128-bit block
⚫ Electronic codebook (ECB) mode is the simplest
approach to multiple-block encryption
⚫ Each block of plaintext is encrypted using the same key
⚫ Cryptanalysts may be able to exploit regularities in the
plaintext
⚫ Modes of operation
⚫ Alternative techniques developed to increase the security
of symmetric block encryption for large sequences
⚫ Overcomes the weaknesses of ECB

Encrypt
Encryption
K
Figure 2.2 Types of Symmetric Encryption
b
b
b
b
P1
C1
P2
C2
b
b
Pn
Cn
Encrypt
K Encrypt
K
Decrypt
Decryption
K
b
b
b
b
C1
P1
C2
P2
b
b
Cn
Pn
Decrypt
(a) Block cipher encryption (electronic codebook mode)
(b) Stream encryption
K Decrypt
K
Pseudorandom byte
generator
(key stream generator)
Plaintext
byte stream
M
Key
K
Key
K
k k
Plaintext
byte stream
M
Ciphertext
byte stream
C
ENCRYPTION
Pseudorandom byte
generator
(key stream generator)
DECRYPTION
k

Block & Stream Ciphers
• Processes the input one block of elements at a time
• Produces an output block for each input block
• Can reuse keys
• More common
Block Cipher
• Processes the input elements continuously
• Produces output one element at a time
• Primary advantage is that they are almost always faster
and use far less code
• Encrypts plaintext one byte at a time
• Pseudorandom stream is one that is unpredictable without
knowledge of the input key
Stream Cipher

Message Authentication
Protects against
active attacks
Verifies received
message is
authentic
Can use
conventional
encryption
•Contents have not been
altered
•From authentic source
•Timely and in correct
sequence
•Only sender & receiver
share a key

Message
MAC
K
K
Transmit
MAC
algorithm
MAC
algorithm
Compare
Figure 2.3 Message Authentication Using a Message
Authentication Code (MAC).

Message
Message
Message
K
E
K
(a) Using symmetric encryption
Compare
D
H
H
H
H
H
Message
Message
Message
PRa
E
PUa
(b) Using public-key encryption
Compare
D
Message
Message
Message
(c) Using secret value
Compare
K
K
K
K
Source A Destination B
Figure 2.5 Message Authentication Using a One-Way Hash Function.
H

Hash Function Requirements
Can be applied to a block of data of any size
Produces a fixed-length output
H(x) is relatively easy to compute for any given x
One-way or pre-image resistant
•Computationally infeasible to find x such that H(x) = h
Computationally infeasible to find y ≠ x such that H(y) = H(x)
Collision resistant or strong collision resistance
•Computationally infeasible to find any pair (x,y) such that H(x) = H(y)

⚫ Plaintext
⚫ Readable message or data that is fed into the algorithm as input
⚫ Encryption algorithm
⚫ Performs transformations on the plaintext
⚫ Public and private key
⚫ Pair of keys, one for encryption, one for decryption
⚫ Ciphertext
⚫ Scrambled message produced as output
⚫ Decryption key
⚫ Produces the original plaintext

Publicly
proposed by
Diffie and
Hellman in
1976
Based on
mathematical
functions
Asymmetric
•Uses two
separate keys
•Public key
and private
key
•Public key is
made public
for others to
use
Some form of
protocol is
needed for
distribution

⚫ User encrypts data using his or her own
private key
⚫ Anyone who knows the corresponding
public key will be able to decrypt the
message
Mike Bob
(a) Encryption with public key
Plaintext
input
Transmitted
ciphertext
Plaintext
output
Encryption algorithm
(e.g., RSA)
Decryption algorithm
Bob's private
key
Bob
Bob's public
key
Alice's
public key
ring
Joy
Ted
(b) Encryption with private key
X
PUb
PRb
Y = E[PRb, X]
X =
D[PUb, Y]
Figure 2.6 Public-Key Cryptography
Alice
Bob Alice

Algorithm Digital Signature Symmetric Key
Distribution
Encryption of
Secret Keys
RSA Yes Yes Yes
Diffie-Hellman No Yes No
DSS Yes No No
Elliptic Curve Yes Yes Yes
Table 2.3
Applications for Public-Key Cryptosystems

Computationally easy
to create key pairs
Computationally
easy for sender
knowing public key
to encrypt messages
Computationally
easy for receiver
knowing private key
to decrypt
ciphertext
Computationally
infeasible for
opponent to
determine private key
from public key
Computationally
infeasible for
opponent to
otherwise recover
original message
Useful if either key
can be used for
each role

RSA (Rivest,
Shamir,
Adleman)
Developed in 1977
Most widely accepted and
implemented approach to
public-key encryption
Block cipher in which the
plaintext and ciphertext
are integers between 0 and
n-1 for some n.
Diffie-Hellman
key exchange
algorithm
Enables two users to
securely reach agreement
about a shared secret that
can be used as a secret
key for subsequent
symmetric encryption of
messages
Limited to the exchange of
the keys
Digital
Signature
Standard (DSS)
Provides only a digital
signature function with
SHA-1
Cannot be used for
encryption or key
exchange
Elliptic curve
cryptography
(ECC)
Security like RSA, but with
much smaller keys

Digital Signatures
⚫ Used for authenticating both source and data
integrity
⚫ Created by encrypting hash code with private key
⚫ Does not provide confidentiality
⚫ Even in the case of complete encryption
⚫ Message is safe from alteration but not eavesdropping

Unsigned certificate:
contains user ID,
user's public key,
as well as information
concerning the CA
Signed certificate
Recipient can verify
signature by comparing
hash code values
Figure 2.7 Public-Key Certificate Use
Generate hash
code of unsigned
certificate
Encrypt hash code
with CA's private key
to form signature
H
H
Bob's ID
information
CA
information
Bob's public key
E D
Decrypt signature
with CA's public key
to recover hash code
Use certificate to
verify Bob's public key
Create signed
digital certificate

⚫ Protects a message
without needing to
first arrange for sender
and receiver to have
the same secret key
⚫ Equates to the same
thing as a sealed
envelope containing
an unsigned letter
Random
symmetric
key
Receiver's
public
key
Encrypted
symmetric
key
Encrypted
message
Encrypted
message
Digital
envelope
Figure 2.8 Digital Envelopes
(a) Creation of a digital envelope
E
E
Message
Random
symmetric
key
Receiver's
private
key
Encrypted
symmetric
key
(b) Opening a digital envelope
D
D
Digital
envelope
Message

Random
Numbers
⚫ Keys for public-key
algorithms
⚫ Stream key for symmetric
stream cipher
⚫ Symmetric key for use as
a temporary session key
or in creating a digital
envelope
⚫ Handshaking to prevent
replay attacks
⚫ Session key
Uses include
generation of:

Random Number
Requirements
Randomness Unpredictability
⚫ Criteria:
⚫ Uniform distribution
⚫ Frequency of occurrence
of each of the numbers
should be approximately
the same
⚫ Independence
⚫ No one value in the
sequence can be inferred
from the others
⚫ Each number is
statistically independent
of other numbers in the
sequence
⚫ Opponent should not be
able to predict future
elements of the
sequence on the basis of
earlier elements

Random versus
Pseudorandom
Cryptographic applications typically make use of
algorithmic techniques for random number generation
•Algorithms are deterministic and therefore produce sequences of numbers
that are not statistically random
Pseudorandom numbers are:
•Sequences produced that satisfy statistical randomness tests
•Likely to be predictable
True random number generator (TRNG):
•Uses a nondeterministic source to produce randomness
•Most operate by measuring unpredictable natural processes
•e.g. radiation, gas discharge, leaky capacitors
•Increasingly provided on modern processors

Practical Application:
Encryption of Stored Data
Common to encrypt transmitted data
Much less common for stored data
There is often little protection
beyond domain
authentication and operating
system access controls
Data are archived for
indefinite periods
Even though erased, until disk
sectors are reused data are
recoverable
Approaches to encrypt stored data:
Use a commercially
available encryption
package
Back-end appliance
Library based tape
encryption
Background laptop/PC
data encryption

Summary
• Public-key
encryption
▪ Structure
▪ Applications for public-
key cryptosystems
▪ Requirements for public-
key cryptography
▪ Asymmetric encryption
algorithms
• Digital signatures
and key
management
▪ Digital signature
▪ Public-key certificates
▪ Symmetric key exchange
using public-key
encryption
▪ Digital envelopes
• Confidentiality with
symmetric encryption
▪ Symmetric encryption
▪ Symmetric block encryption
algorithms
▪ Stream ciphers
• Message
authentication and
hash functions
▪ Authentication using
symmetric encryption
▪ Message authentication
without message encryption
▪ Secure hash functions
▪ Other applications of hash
functions
• Random and
pseudorandom
numbers
▪ The use of random numbers
▪ Random versus
pseudorandom

RFC 4949
RFC 4949 defines user authentication as:
“The process of verifying an identity claimed
by or for a system entity.”

Authentication Process
• Fundamental
building block
and primary
line of defense
• Basis for
access control
and user
accountability
• Identification step
⚫ Presenting an
identifier to the
security system
• Verification step
⚫ Presenting or
generating
authentication
information that
corroborates the
binding between
the entity and the
identifier

Figure 3.1 The NIST SP 800-63-2 E-Authentication Architectural Model
Registration
Authority (RA)
Registration, Credential Issuance,
and Maintenance
E-Authentication using
Token and Credential
Identity Proofing
User Registration
Token, Credential
Registration/Issuance
Authenticated Session
Authenticated
Protocol
Exchange
Authenticated
Assertion
Registration
Confirmation
Token/Credential
Validation
Relying
Party (RP)
Verifier
Subscriber/
Claimant
Credential
Service
Provider (RA)

The four means of authenticating
user identity are based on:
•Password, PIN,
answers to
prearranged
questions
•Smartcard,
electronic
keycard,
physical key
•Fingerprint,
retina, face •Voice pattern,
handwriting,
typing rhythm

Risk Assessment for
User Authentication
• There are
three
separate
concepts:
Assurance
Level
Potential
impact
Areas of
risk

Describes an
organization’s
degree of
certainty that a
user has
presented a
credential that
refers to his or her
identity
More specifically
is defined as:
The degree of confidence
in the vetting process
used to establish the
identity of the individual
to whom the credential
was issued
The degree of confidence
that the individual who
uses the credential is the
individual to whom the
credential was issued
Four levels of
assurance
Level 1
•Little or no confidence in the
asserted identity's validity
Level 2
•Some confidence in the asserted
identity’s validity
Level 3
•High confidence in the asserted
identity's validity
Level 4
•Very high confidence in the
asserted identity’s validity

• FIPS 199 defines three levels of potential
impact on organizations or individuals
should there be a breach of security:
o Low
• An authentication error could be expected to have a
limited adverse effect on organizational operations,
organizational assets, or individuals
o Moderate
serious adverse effect
o High
severe or catastrophic adverse effect

Potential Impact Categories for Authentication Errors
Inconvenience, distress, or damage to standing or
reputation
Financial loss or organization liability
Harm to organization programs or interests
Unauthorized release of sensitive information
Personal safety
Civil or criminal violations
Assurance Level Impact Profiles
1 2 3 4
Low Mod Mod High
Low Mod Mod High
None Low Mod High
None Low Mod High
None None Low
Mod/
High
None Low Mod High
Maximum Potential Impacts for Each
Assurance Level
Table 3.1

Password Authentication
• Widely used line of defense against
intruders
o User provides name/login and password
o System compares password with the one stored for that
specified login
• The user ID:
o Determines that the user is authorized to access the system
o Determines the user’s privileges
o Is used in discretionary access control

Password Vulnerabilities
Offline
dictionary
attack
Specific
account
attack
Popular
password
attack
Password
guessing
against
single user
Workstation
hijacking
Exploiting
user
mistakes
Exploiting
multiple
password
use
Eectronic
monitoring

Password Cracking
Dictionary attacks
•Develop a large dictionary
of possible passwords and
try each against the
password file
•Each password must be
hashed using each salt
value and then compared
to stored hash values
Rainbow table attacks
•Pre-compute tables of
hash values for all salts
•A mammoth table of hash
values
•Can be countered by using
a sufficiently large salt
value and a sufficiently
large hash length
Password crackers
exploit the fact that
people choose easily
guessable passwords
•Shorter password lengths
are also easier to crack
John the Ripper
•Open-source password
cracker first developed in
in 1996
•Uses a combination of
brute-force and dictionary
techniques

Modern Approaches
• Complex password policy
o Forcing users to pick stronger passwords
• However password-cracking techniques
have also improved
o The processing capacity available for password cracking has
increased dramatically
o The use of sophisticated algorithms to generate potential
passwords
o Studying examples and structures of actual passwords in use

Figure 3.3 The Percentage of Passwords Guessed After
a Given Number of Guesses
0%
104
107
1010
1013
10%
Percent
guessed
Number of guesses
20%
30%
40%
50%

Password File Access Control
Can block offline guessing attacks by denying access to
encrypted passwords
Make
available
only to
privileged
users
Shadow
password
file
Vulnerabilities
Weakness
in the OS
that allows
access to the
file
Accident
with
permissions
making it
readable
Users with
same
password
on other
systems
Access from
backup
media
Sniff
passwords
in network
traffic

Access Control Principles
RFC 4949 defines computer security as:
“Measures that implement and assure security
services in a computer system, particularly
those that assure access control service.”

Proactive Password
Checking
Bloom filter
•Used to build a table
based on dictionary
using hashes
•Check desired
password against this
table
Password
cracker
•Compile a large
dictionary of
passwords not to use
Rule enforcement
•Specific rules that
passwords must
adhere to

Table 3.2
Card Type Defining Feature Example
Embossed Raised characters only, on
front
Old credit card
Magnetic stripe Magnetic bar on back, characters on front Bank card
Memory Electronic memory inside Prepaid phone card
Smart
Contact
Contactless
Electronic memory and processor inside
Electrical contacts exposed on surface
Radio antenna embedded inside
Biometric ID card
Types of Cards Used as Tokens

Memory Cards
• Can store but do not process data
• The most common is the magnetic stripe card
• Can include an internal electronic memory
• Can be used alone for physical access
o Hotel room
o ATM
• Provides significantly greater security when combined
with a password or PIN
• Drawbacks of memory cards include:
o Requires a special reader
o Loss of token
o User dissatisfaction

Smart Tokens
• Physical characteristics:
o Include an embedded microprocessor
o A smart token that looks like a bank card
o Can look like calculators, keys, small portable objects
• Interface:
o Manual interfaces include a keypad and display for interaction
o Electronic interfaces communicate with a compatible
reader/writer
• Authentication protocol:
o Classified into three categories:
• Static
• Dynamic password generator
• Challenge-response

Smart Cards
• Most important category of smart token
o Has the appearance of a credit card
o Has an electronic interface
o May use any of the smart token protocols
• Contain:
o An entire microprocessor
• Processor
• Memory
• I/O ports
• Typically include three types of memory:
o Read-only memory (ROM)
• Stores data that does not change during the card’s life
o Electrically erasable programmable ROM (EEPROM)
• Holds application data and programs
o Random access memory (RAM)
• Holds temporary data generated when applications are executed

Electronic Identity Cards
(eID)
Use of a smart card as a national
identity card for citizens
Can serve the same purposes as other national
ID cards, and similar cards such as a driver’s
license, for access to government and
commercial services
Can provide stronger proof of identity and can
be used in a wider variety of applications
In effect, is a smart card that has been verified
by the national government as valid and
authentic
Most advanced deployment is the
German card neuer Personalausweis
Has human-readable data printed on its
surface
•Personal data
•Document number
•Card access number (CAN)
•Machine readable zone (MRZ)

Table 3.3
Electronic
Functions
and Data
for
eID Cards
CAN = card access number
MRZ = machine readable zone
PACE = password authenticated connection establishment
PIN = personal identification number

Figure 3.6 User Authentication with eID
eID
server
Host/application
server
6. User enters PIN
1. User requests service
(e.g., via Web browser)
4. Authentication request
5. PIN request
7. Authentication protocol exchange
8. Authentication result for redirect
2. Service request
3. Redirect to eID message
9. Authentication result forwarded
10. Service granted

Password Authenticated
Connection Establishment (PACE)
Ensures that the
contactless RF chip in
the eID card cannot be
read without explicit
access control
For online applications,
access is established by
the user entering the 6-
digit PIN (which should
only be known to the
holder of the card)
For offline applications,
either the MRZ printed
on the back of the card
or the six-digit card
access number (CAN)
printed on the front is
used

Biometric Authentication
• Attempts to authenticate an individual based on
unique physical characteristics
• Based on pattern recognition
• Is technically complex and expensive when
compared to passwords and tokens
• Physical characteristics used include:
o Facial characteristics
o Fingerprints
o Hand geometry
o Retinal pattern
o Iris
o Signature
o Voice

Biometric
sensor Biometric
database
Name (PIN)
User interface
(a) Enrollment
Feature
extractor
Biometric
sensor
Name (PIN)
User interface
(b) Verification
One template
N templates
user's identity or
"user unidentified"
Feature
extractor
Feature
matcher
Biometric
sensor
User interface
(c) Identification
Feature
extractor
Feature
matcher
true/false
Figure 3.8 A Generic Biometric System. Enrollment creates
an association between a user and the user's biometric
characteristics. Depending on the application, user
authentication either involves verifying that a claimed user is
the actual user or identifying an unknown user.
Biometric
database
Biometric
database

Remote User Authentication
• Authentication over a network, the Internet, or a
communications link is more complex
• Additional security threats such as:
o Eavesdropping, capturing a password, replaying an
authentication sequence that has been observed
• Generally rely on some form of a challenge-
response protocol to counter threats

Table 3.4
Some Potential
Attacks,
Susceptible
Authenticators,
and
Typical
Defenses

Eavesdropping
Adversary attempts to
learn the password by
some sort of attack that
involves the physical
proximity of user and
adversary
Host Attacks
Directed at the user
file at the host where
passwords, token
passcodes, or
biometric templates
are stored
Replay
Adversary repeats a
previously captured
user response
Client Attacks
Adversary attempts to
achieve user
authentication
without access to the
remote host or the
intervening
communications path
Trojan Horse
An application or
physical device
masquerades as an
authentic application
or device for the
purpose of capturing a
user password,
passcode, or biometric
Denial-of-Service
Attempts to disable a
user authentication
service by flooding the
service with numerous
authentication
attempts

Figure 3.13 General Iris Scan Site Architecture for UAE System
Iris workstation
Iris Engine 1 Iris Engine 2
Iris Merge
Remote
Iris
scanner
Iris workstation
LAN switch
Network
switch
Iris
scanner
Iris workstation
Iris
scanner
Iris
database

Case Study:
ATM
Security
Problems

Authentication
function
Authentication
Auditing
Figure 4.1 Relationship Among Access Control and Other Security Functions
System resources
Authorization
database
Security administrator
User
Access control
Access
control
function

Access Control Policies
• Role-based access
control (RBAC)
o Controls access based on the
roles that users have within the
system and on rules stating
what accesses are allowed to
users in given roles
• Attribute-based access
control (ABAC)
o Controls access based on
attributes of the user, the
resource to be accessed, and
current environmental
conditions
• Discretionary access
control (DAC)
o Controls access based on the
identity of the requestor and on
access rules (authorizations)
stating what requestors are (or
are not) allowed to do
• Mandatory access
control (MAC)
o Controls access based on
comparing security labels with
security clearances

Subjects, Objects, and
Access Rights
Subject
An entity capable of
accessing objects
Three classes
•Owner
•Group
•World
Object
A resource to which
access is controlled
Entity used to contain
and/or receive
information
Access
right
Describes the way in
which a subject may
access an object
Could include:
•Read
•Write
•Execute
•Delete
•Create
•Search

Discretionary Access Control
(DAC)
• Scheme in which an entity may enable another
entity to access some resource
• Often provided using an access matrix
o One dimension consists of identified subjects that may
attempt data access to the resources
o The other dimension lists the objects that may be
accessed
• Each entry in the matrix indicates the access rights
of a particular subject for a particular object

Own
Read
Write
Read
Write
Own
Read
Write
A
File 1
Read
Read
Write Read
Own
Read
Write
Own
Read
Write
User A
User B
SUBJECTS
OBJECTS
User C
File 2
File 1
(a) Access matrix
File 3 File 4
B C File 1
User A Fil

Own
R
W
A
File 1
•
(a) Access matrix
Figure 4.2 Example of Access Control Structures
(b) Access control lists for files of part (a)
(c) Capability lists for files of part (a)
R
B
•
R
W
C
File 1
User C
•
R
File 2
•
R
W
File 4
File 1
User B
•
R W
File 2
• •
File 3 File 4
Own
R
W
B
File 2
•
R
C
Own
R
W
Own
R
W
Own
R
W
Own
R
W
File 1
User A
•
File 3
Own
R
W
A
File 3
•
W
B
Own
R
W
B
R
File 4
•
C
R

Subject Access
Mode
Object
A Own File 1
A Read File 1
A Write File 1
A Own File 3
A Read File 3
A Write File 3
B Read File 1
B Own File 2
B Read File 2
B Write File 2
B Write File 3
B Read File 4
C Read File 1
C Write File 1
C Read File 2
C Own File 4
C Read File 4
C Write File 4
Table 4.1
Authorization
Table
for Files in
Figure 4.2

control wakeup seek
owner
owner
wakeup
read
owner
owner
control
execute
write stop
owner
control
control
read *
write *
* - copy flag set
seek *
S1
S2
SUBJECTS
OBJECTS
subjects files processes disk drives
S3
S2
S1
Figure 4.3 Extended Access Control Matrix
S3 F1 F2 P1 P2 D1 D2

File
system
Memory
addressing
hardware
Process
manager
Terminal
& device
manager
Instruction
decoding
hardware
Access
matrix
monitor
Access
matrix
write read
Files
Segments
& pages
Processes
Terminal
& devices
Instructions
delete b from Sp, Y (Sm, delete, b, Sp, Y)
(Sk, grant, a, Sn, X)
grant a to Sn, X
Sm
wakeup P (Sj, wakeup, P)
Sj
read F
Subjects Access control mechanisms
Figure 4.4 An Organization of the Access Control Function
Objects
(Si, read, F)
Si
Sk
System intervention

Protection Domains
• Set of objects together with access rights to those objects
• More flexibility when associating capabilities with
protection domains
• In terms of the access matrix, a row defines a protection
domain
• User can spawn processes with a subset of the access
rights of the user
• Association between a process and a domain can be
static or dynamic
• In user mode certain areas of memory are protected
from use and certain instructions may not be executed
• In kernel mode privileged instructions may be executed
and protected areas of memory may be accessed

Role 1
Users Roles
Figure 4.6 Users, Roles, and Resources
Resources
Role 2
Role 3

control wakeup seek
owner
owner
wakeup
read
owner
owner
control
execute
write stop
owner
control
control
read *
write * seek *
R1
R2
ROLES
OBJECTS
Rn
R2
R1
Figure 4.7 Access Control Matrix Representation of RBAC
Rn
R2
R1 Rn
F1 F1 P1 P2 D1 D2
U1
U2
U3
U4
U5
U6
Um

Permissions
(a) Relationship among RBAC models
(b) RBAC models
RBAC0
Base model
RBAC3
Consolidated model
RBAC1
Role hierarchies
RBAC2
Constraints
Figure 4.8 A Family of Role-Based Access Control Models.
Users
user_sessions session_roles
(UA) User
Assignment
(PA) Permission
Assignment
(RH) Role
Hierarchy
Sessions
Objects
Oper-
ations
Roles

Director
Engineer 1 Engineer 2
Engineering Dept
Figure 4.9 Example of Role Hierarchy
Project Lead 1 Project Lead 2
Production
Engineer 1
Quality
Engineer 1
Production
Engineer 2
Quality
Engineer 2

Constraints - RBAC
• Provide a means of adapting RBAC to the specifics
of administrative and security policies of an
organization
• A defined relationship among roles or a condition
related to roles
• Types:
Mutually exclusive
roles
•A user can only be
assigned to one role
in the set (either
during a session or
statically)
•Any permission
(access right) can
be granted to only
one role in the set
Cardinality
•Setting a maximum
number with respect
to roles
Prerequisite roles
•Dictates that a user
can only be
assigned to a
particular role if it is
already assigned to
some other specified
role

Attribute-Based Access
Control (ABAC)
Can define
authorizations
that express
conditions on
properties of
both the
resource and the
subject
Strength is its
flexibility and
expressive
power
Main obstacle to
its adoption in
real systems has
been concern
about the
performance
impact of
evaluating
predicates on
both resource
and user
properties for
each access
Web services
have been
pioneering
technologies
through the
introduction of
the eXtensible
Access Control
Markup
Language
(XAMCL)
There is
considerable
interest in
applying the
model to cloud
services

ABAC Model: Attributes
Subject
attributes
• A subject is an
active entity that
causes information
to flow among
objects or changes
the system state
• Attributes define the
identity and
characteristics of
the subject
Object
attributes
• An object (or
resource) is a
passive information
system-related
entity containing or
receiving
information
• Objects have
attributes that can
be leverages to
make access
control decisions
Environment
attributes
• Describe the
operational,
technical, and even
situational
environment or
context in which the
information access
occurs
• These attributes
have so far been
largely ignored in
most access control
policies

ABAC
Distinguishable because it
controls access to objects
by evaluating rules against
the attributes of entities,
operations, and the
environment relevant to a
request
Relies upon the evaluation
of attributes of the subject,
attributes of the object,
and a formal relationship
or access control rule
defining the allowable
operations for subject-
object attribute
combinations in a given
environment
Systems are capable of
enforcing DAC, RBAC,
and MAC concepts
Allows an unlimited
number of attributes to be
combined to satisfy any
access control rule

Figure 4.10 Simple ABAC Scenario
1
2a
2b
2c
2d
3
Access Control
Policy
Subject Attributes
ObjectAttributes
Access Control
Mechanism
Decision
Enforce
Environmental
Conditions
Affiliation
Clearance
Name
Etc. Classification
Owner
Type
Etc.
Rules
Subject
Object

Proper
Credential Issuance
Credential Validation
Network
Authentication
Object Access Rule Enforcement
Access Provisioning
Group Management
Network
Credential
Digital Identity
Provisioning
Strength of
Credential Protection
Physical
Access
Figure 4.11 ACL and ABAC Trust Relationships
(a) ACL Trust Chain
Identity
Credential
Subject Object
Authentication
Network Access Access Control List
Access Control
Decision
Access Control
Enforcement
Proper
Credential Issuance
Credential Validation
Network
Authentication
Authoritative
Object Attributes
Object Access Rule Enforcement
Access Provisioning
Group Management
Network
Credential
Digital Identity
Provisioning
Strength of
Credential Protection
Physical
Access
(b) ABAC Trust Chain
Authoritative Subject
Attribute Stores
Attribute Provisioning
Attribute Integrity
Common Subject
Attribute Taxonomy
Common Object
Attribute Taxonomy
Attribute Integrity
Identity
Credential
Subject
Attributes
Object
Attributes
Subject Object
Authentication
Network Access Rules
Access Control
Decision
Access Control
Enforcement

ABAC Policies
A policy is a set of rules and relationships that govern allowable behavior
within an organization, based on the privileges of subjects and how
resources or objects are to be protected under which environment conditions
Typically
written
from the
perspective
of the
object that
needs
protecting
and the
privileges
available to
subjects
Privileges represent the authorized behavior of a subject
and are defined by an authority and embodied in a policy
Other terms commonly used instead of privileges are: rights,
authorizations, and entitlements

Identity, Credential, and
Access Management (ICAM)
• A comprehensive approach to managing and
implementing digital identities, credentials, and
access control
• Developed by the U.S. government
• Designed to:
o Create trusted digital identity representations of individuals and
nonperson entities (NPEs)
o Bind those identities to credentials that may serve as a proxy for the
individual of NPE in access transactions
• A credential is an object or data structure that authoritatively binds
an identity to a token possessed and controlled by a subscriber
o Use the credentials to provide authorized access to an agency’s
resources

• NIST developed the reference architecture with the
following objectives in mind:
o To illustrate and understand the various cloud services in the
context of an overall cloud computing conceptual model
o To provide a technical reference for consumers to understand,
discuss, categorize, and compare cloud services
o To facilitate the analysis of candidate standards for security,
interoperability, and portability and reference implementations

Identity Management
Concerned with assigning attributes to a
digital identity and connecting that digital
identity to an individual or NPE
Goal is to establish a trustworthy digital
identity that is independent of a specific
application or context
Most common approach to access control for
applications and programs is to create a
digital representation of an identity for the
specific use of the application or program
Maintenance and protection of the identity
itself is treated as secondary to the mission
associated with the application
Final element is lifecycle management which
includes:
•Mechanisms, policies, and procedures for protecting personal identity
information
•Controlling access to identity data
•Techniques for sharing authoritative identity data with applications
that need it
•Revocation of an enterprise identity

Credential Management
The management of the
life cycle of the credential
Examples of credentials are smart cards, private/public
cryptographic keys, and digital certificates
Encompasses five logical
components:
An authorized individual sponsors an individual or entity
for a credential to establish the need for the credential
The sponsored individual enrolls for the credential
• Process typically consists of identity proofing and the capture of biographic
and biometric data
• This step may also involve incorporating authoritative attribute data,
maintained by the identity management component
A credential is produced
• Depending on the credential type, production may involve encryption, the
use of a digital signature, the production of a smart card or other functions
The credential is issued to the individual or NPE
A credential must be maintained over its life cycle
• Might include revocation, reissuance/replacement, reenrollment, expiration,
personal identification number (PIN) reset, suspension, or reinstatement

Access Management
Deals with the management
and control of the ways
entities are granted access to
resources
Covers both logical and
physical access
May be internal to a system
or an external element
Purpose is to ensure that the
proper identity verification
is made when an individual
attempts to access a security
sensitive building, computer
systems, or data
Three support elements are
needed for an enterprise-
wide access control facility:
•Resource management
•Privilege management
•Policy management

Three support elements are needed for an
enterprise-wide access control facility:
• Concerned with defining rules for a resource that requires access control
• Rules would include credential requirements and what user attributes,
resource attributes, and environmental conditions are required for access
of a given resource for a given function
Resource management
• Concerned with establishing and maintaining the entitlement or privilege
attributes that comprise an individual’s access profile
• These attributes represent features of an individual that can be used as the
basis for determining access decisions to both physical and logical
resources
• Privileges are considered attributes that can be linked to a digital identity
Privilege management
• Governs what is allowable and unallowable in an access transaction
Policy management

Identity Federation
• Term used to describe the technology, standards,
policies, and processes that allow an organization
to trust digital identities, identity attributes, and
credentials created and issued by another
organization
• Addresses two questions:
o How do you trust identities of individuals from external
organizations who need access to your systems
o How do you vouch for identities of individuals in your
organization when they need to collaborate with external
organizations

(a) Traditional triangle of parties involved in an exchange of identity information
(Possible contract)
Term
s of Service
(TO
S) agreem
ent
T
e
r
m
s
o
f
S
e
r
v
i
c
e
(
T
O
S
)
a
g
r
e
e
m
e
n
t
Identity
Service
Provider
Relying
Party
Users
Trust Framework
Providers
Figure 4.13 Identity Information Exchange Approaches
(a) Traditional triangle of parties involved in an exchange of identity information
(B) Identity attribute exchange elements
(Possible contract)
T
e
r
m
s
o
f
S
e
r
v
i
c
e
(
T
O
S
)
a
g
r
e
e
m
e
n
t
T
e
r
m
s
o
f
S
e
r
v
i
c
e
(
T
O
S
)
a
g
r
e
e
m
e
n
t
Identity
Service
Provider
Identity
Service
Providers
Relying
Party
Relying
Parties
Users
Users
Trust Framework
Providers
Assessors
& Auditors
Dispute
Resolvers
Attribute Providers
Attribute Exchange
Network

Open Identity Trust
Framework
OpenID
•An open standard that allows users to be
authenticated by certain cooperating sites
using a third party service
OIDF
•OpenID Foundation is an international
nonprofit organization of individuals
and companies committed to enabling,
promoting, and protecting OpenID
technologies
ICF
•Information Card Foundation is a
nonprofit community of companies and
individuals working together to evolve
the Information Card ecosystem
OITF
•Open Identity Trust Framework is a
standardized, open specification of a
trust framework for identity and
attribute exchange, developed jointly by
OIDF and ICF
OIX
•Open Identity Exchange Corporation is
an independent, neutral, international
provider of certification trust frameworks
conforming to the OITF model
AXN
•Attribute Exchange Network is an online
Internet-scale gateway for identity
service providers and relying parties to
efficiently access user asserted,
permissioned, and verified online
identity attributes in high volumes at
affordable costs

Figure 4.13 Identity Information Exchange Approaches
(B) Identity attribute exchange elements
Identity
Service
Providers
Relying
Parties
Users
Trust Framework
Providers
Assessors
& Auditors
Dispute
Resolvers
Attribute Providers
Attribute Exchange
Network

Figure 4.14 Example of Access Control Administration
User
IDs
Human Resources Department Application Administration
Authorization Administration
Roles
Functions
Application
Role Application
Access
Right
Positions
Assigns
1 N M
1-4
N M

Advanced Persistent
Threats (APTs)
• Well-resourced, persistent application of a wide
variety of intrusion technologies and malware to
selected targets (usually business or political)
• Typically attributed to state-sponsored organizations
and criminal enterprises
• Differ from other types of attack by their careful
target selection and stealthy intrusion efforts over
extended periods
• High profile attacks include Aurora, RSA, APT1, and
Stuxnet

⚫ Structured collection of data
stored for use by one or more
applications
⚫ Contains the relationships
between data items and
groups of data items
⚫ Can sometimes contain
sensitive data that needs to
be secured
Query language
⚫ Provides a uniform interface
to the database
Database management
system (DBMS)
• Suite of programs for
constructing and
maintaining the
database
• Offers ad hoc query
facilities to multiple users
and applications

User
queries
User
applications
Database
utilities
DDL
processor DML and query
language processor
DBMS
DDL = data definition language
DML = data manipulation language
Figure 5.1 DBMS Architecture
Transaction
manager
File manager
Database
description
tables
Authorization
tables
Concurrent
access
tables
Physical
database

⚫ Standardized language to define schema, manipulate,
and query data in a relational database
⚫ Several similar versions of ANSI/ISO standard
⚫ All follow the same basic syntax and semantics
SQL statements can be used to:
• Create tables
• Insert and delete data in tables
• Create views
• Retrieve data with query statements

SQL Injection Attacks
(SQLi)
• One of the most
prevalent and
dangerous network-
based security threats
• Designed to exploit the
nature of Web
application pages
• Sends malicious SQL
commands to the
database server
• Most common attack
goal is bulk extraction
of data
• Depending on the
environment SQL
injection can also be
exploited to:
o Modify or delete data
o Execute arbitrary operating
system commands
o Launch denial-of-service (DoS)
attacks

Figure 5.5 Typical SQL Injection Attack
Legend:.
Internet
Router
Firewall
Switch
Wireless
access point
Web servers
Web
application
server
Database servers
Database
Data exchanged
between hacker
and servers
Two-way traffic
between hacker
and Web server
Credit card data is
retrieved from
database

Injection Technique
Subsequent text is ignored at execution time
The SQLi attack typically works by prematurely
terminating a text string and appending a new command
Because the inserted command may have additional strings appended to
it before it is executed the attacker terminates the injected string with a
comment mark “- -”

•Attackers inject SQL commands by providing suitable crafted user input
User input
•Attackers can forge the values that are placed in HTTP and network headers and exploit this
vulnerability by placing data directly into the headers
Server variables
•A malicious user could rely on data already present in the system or database to trigger an
SQL injection attack, so when the attack occurs, the input that modifies the query to cause an
attack does not come from the user, but from within the system itself
Second-order injection
•An attacker could alter cookies such that when the application server builds an SQL query
based on the cookie’s content, the structure and function of the query is modified
Cookies
•Applying user input that constructs an attack outside the realm of web requests
Physical user input

• Uses the same communication channel for injecting SQL
code and retrieving results
• The retrieved data are presented directly in application
Web page
• Include:
Tautology
This form of attack
injects code in one
or more conditional
statements so that
they always evaluate
to true
End-of-line
comment
After injecting code
into a particular
field, legitimate
code that follows are
nullified through
usage of end of line
comments
Piggybacked
queries
The attacker adds
additional queries
beyond the intended
query, piggy-
backing the attack
on top of a
legitimate request

• There is no actual transfer of data, but the attacker is
able to reconstruct the information by sending particular
requests and observing the resulting behavior of the
Website/database server
• Include:
o Illegal/logically incorrect queries
• This attack lets an attacker gather important information
about the type and structure of the backend database of a
Web application
• The attack is considered a preliminary, information-gathering
step for other attacks
o Blind SQL injection
• Allows attackers to infer the data present in a database
system even when the system is sufficiently secure to not
display any erroneous information back to the attacker

• Data are retrieved using a different channel
• This can be used when there are limitations on
information retrieval, but outbound connectivity
from the database server is lax

Worm Replication
•Worm e-mails a copy of itself to other systems
•Sends itself as an attachment via an instant message
service
Electronic mail or
instant messenger
facility
•Creates a copy of itself or infects a file as a virus on
removable media
File sharing
•Worm executes a copy of itself on another system
Remote execution
capability
•Worm uses a remote file access or transfer service to copy
itself from one system to the other
Remote file access or
transfer capability
•Worm logs onto a remote system as a user and then uses
commands to copy itself from one system to the other
Remote login
capability

Database access control
system determines:
If the user has access to the entire database
or just portions of it
What access rights the user has (create,
insert, delete, update, read, write)
Can support a range of
administrative policies
Centralized administration
•Small number of privileged users may grant and
revoke access rights
Ownership-based administration
•The creator of a table may grant and revoke access
rights to the table
Decentralized administration
•The owner of the table may grant and revoke
authorization rights to other users, allowing them to
grant and revoke access rights to the table

• Two commands for managing access rights:
• Grant
o Used to grant one or more access rights or can be
used to assign a user to a role
• Revoke
o Revokes the access rights
• Typical access rights are:
• Select
• Insert
• Update
• Delete
• References

Ann David Frank
Ellen Jim
Bob
Chris
t = 10
t = 50
t = 40
t = 20
t = 30
t = 70
t = 60
Ann David Frank
Bob
Chris
t = 10
t = 50
t = 20
t = 60
Figure 5.6 Bob Revokes Privilege from David

• Role-based access control eases administrative burden and improves
security
• A database RBAC needs to provide the following capabilities:
• Create and delete roles
• Define permissions for a role
• Assign and cancel assignment of users to roles
• Categories of database users:
Application owner
•An end user who owns
database objects as part
of an application
End user
•An end user who operates
on database objects via
a particular application
but does not own any of
the database objects
Administrator
•User who has
administrative
responsibility for part or all
of the database

• Exploits browser vulnerabilities to download and
installs malware on the system when the user views
a Web page controlled by the attacker
• In most cases does not actively propagate
• Spreads when users visit the malicious Web page

Name Position Salary ($) Department Dept. Manager
Andy senior 43,000 strip Cathy
Calvin junior 35,000 strip Cathy
Cathy senior 48,000 strip Cathy
Dennis junior 38,000 panel Herman
Herman senior 55,000 panel Herman
Ziggy senior 67,000 panel Herman
(a) Employee table
Position Salary ($) Name Department
senior 43, 000 Andy strip
junior 35,000 Calvin strip
senior 48,000 Cathy strip
(b) Two views
Name Position Salary ($) Department
Andy senior 43,000 strip
Calvin junior 35,000 strip
Cathy senior 48,000 strip
(c) Table derived from combining query answers
Figure 5.8 Inference Example

Inference Detection
• Some inference detection algorithm is needed for either of these approaches
• Progress has been made in devising specific inference detection techniques for
multilevel secure databases and statistical databases
Two approaches
Inference detection during
database design
Approach removes an
inference channel by
altering the database
structure or by changing the
access control regime to
prevent inference
Techniques in this category
often result in unnecessarily
stricter access controls that
reduce availability
Inference detection at query
time
Approach seeks to eliminate
an inference channel
violation during a query or
series of queries
If an inference channel is
detected, the query is
denied or altered

⚫ The database is typically the most valuable information resource for any
organization
⚫ Protected by multiple layers of security
⚫ Firewalls, authentication, general access control systems, DB access
control systems, database encryption
⚫ Encryption becomes the last line of defense in database security
⚫ Can be applied to the entire database, at the record level, the
attribute level, or level of the individual field
⚫ Disadvantages to encryption:
⚫ Key management
⚫ Authorized users must have access to the decryption key for the data for which
they have access
⚫ Inflexibility
⚫ When part or all of the database is encrypted it becomes more difficult to
perform record searching

–
organization that
produces data to be
made available for
controlled release
– human entity
that presents queries to
the system
– frontend that
transforms user queries
into queries on the
encrypted data stored
on the server
– an
organization that
receives the encrypted
data from a data owner
and makes them
available for distribution
to clients
Query
Processor
1. Original query
metadata
4. Plaintext
result
2. Transformed
query
3. Encrypted
result
Client
User
Data owner
Server
Figure 5.9 A Database Encryption Scheme
Encrypt/
Decrypt
Query
Executor
Meta
Data
Meta
Data
Encrypted
database
Data-
base

Cloud Security
NIST SP-800-145 defines cloud computing as:
“A model for enabling ubiquitous, convenient,
on-demand network access to a shared pool of
configurable computing resources (e.g.,
networks, servers, storage, applications, and
services) that can be rapidly provisioned and
released with minimal management effort or
service provider interaction. This cloud model
promotes availability and is composed of five
essential characteristics, three service models,
and four deployment models.”

Figure 5.11 Cloud Computing Elements
Broad
Network Access
Resource Pooling
Rapid
Elasticity
Essential
Characteristics
Service
Models
Deployment
Models
Measured
Service
On-Demand
Self-Service
Public Private Hybrid Community
Software as a Service (SaaS)
Platform as a Service (PaaS)
Infrastructure as a Service (IaaS)

Figure 5.12 Cloud Service Models
(a) SaaS
Cloud
Infrastructure
(visible only
to provider)
Cloud Platform
(visible only to provider)
Cloud Application Software
(provided by cloud, visible to subscriber)
(b) PaaS
Cloud
Infrastructure
(visible only
to provider)
Cloud Platform
(visible to subscriber)
(developed by subscriber)
(c) IaaS
Cloud
Infrastructure
(visible to
subscriber)
Cloud Platform
(visible to subscriber)
(developed by subscriber)

Public cloud
•The cloud infrastructure is
made available to the general
public or a large industry group
and is owned by an
organization selling cloud
services
•The cloud provider is
responsible both for the cloud
infrastructure and for the
control of data and operations
within the cloud
Private cloud
operated solely for an
organization
•It may be managed by the
organization or a third party
and may exist on premise or off
premise
•The cloud provider is
responsible only for the
infrastructure and not for the
control
Community cloud
shared by several organizations
and supports a specific
community that has shared
concerns
•It may be managed by the
organizations or a third party
and may exist on premise or off
premise
Hybrid cloud
•The cloud infrastructure is a
composition of two or more
clouds that remain unique
entities but are bound together
by standardized or proprietary
technology that enables data
and application portability

Network
or Internet
Router
Router
Servers
LAN
switch
LAN
switch
Enterprise -
Cloud User
Cloud
service
provider
Figure 5.13 Cloud Computing Context

Figure 5.14 NIST Cloud Computing Reference Architecture
Cloud
Consumer
Cloud
Auditor
Service
Intermediation
Service
Aggregation
Service
Arbitrage
Cloud
Broker
Cloud Provider
Security
Audit
Performance
Audit
Privacy
Impact Audit
SaaS
Service Layer
Service Orchestration Cloud
Service
Management
PaaS
Hardware
Physical Resource Layer
Facility
Resource Abstraction
and Control Layer
IaaS
Business
Support
Provisioning/
Configuration
Portability/
Interoperability
Security
Privacy
Cloud Carrier

Cloud Security Risks
The Cloud Security Alliance lists the following as the
top cloud specific security threats:
Abuse and
nefarious use of
cloud computing
Insecure
interfaces and
APIs
Malicious
insiders
Shared
technology issues
Data loss or
leakage
Account or
service hijacking
Unknown risk
profile

Data Protection in the
Cloud
The threat of data compromise
increases in the cloud
Risks and
challenges
that are
unique to the
cloud
Architectural
or operational
characteristics
of the cloud
environment
Multi-instance model
Provides a unique
DBMS running on a
virtual machine
instance for each
cloud subscriber
Gives the subscriber
complete control
over administrative
tasks related to
security
Multi-tenant model
Provides a predefined environment
for the cloud subscriber that is
shared with other tenants typically
through tagging data with a
subscriber identifier
Gives the appearance of exclusive
use of the instance but relies on the
cloud provider to establish and
maintain a secure database
environment

Payload - Stealthing
Rootkit
• Set of hidden programs installed on a system
to maintain covert access to that system
• Hides by subverting the mechanisms that
monitor and report on the processes, files,
and registries on a computer
• Gives administrator (or root) privileges to
attacker
• Can add or change programs and files, monitor
processes, send and receive network traffic, and
get backdoor access on demand

Figure 5.15 Elements of Cloud Security as a Service
Cloud service clients and adversaries
Identity and access management
Network security
Data loss
prevention
Web security
Intrusion
management
Encryption
E-mail security
Security assessments
Security information and
event management
Business continuity and
disaster recovery

[SOUP13] defines malware as:
“a program that is inserted into a system,
usually covertly, with the intent of
compromising the confidentiality, integrity,
or availability of the victim’s data,
applications, or operating system or
otherwise annoying or disrupting
the victim.”

Classified into two
broad categories:
Based first on how it spreads or
propagates to reach the
desired targets
Then on the actions or
payloads it performs once a
target is reached
Also classified by:
Those that need a host
program (parasitic code such
as viruses)
Those that are independent,
self-contained programs
(worms, trojans, and bots)
Malware that does not
replicate (trojans and spam e-
mail)
Malware that does replicate
(viruses and worms)

Propagation mechanisms include:
•Infection of existing content by viruses that is
subsequently spread to other systems
•Exploit of software vulnerabilities by worms or drive-by-
downloads to allow the malware to replicate
•Social engineering attacks that convince users to
bypass security mechanisms to install Trojans or to
respond to phishing attacks
Payload actions performed by
malware once it reaches a target
system can include:
•Corruption of system or data files
•Theft of service/make the system a zombie agent
of attack as part of a botnet
•Theft of information from the system/keylogging
•Stealthing/hiding its presence on the system

Attack Kits
• Initially the development and deployment of
malware required considerable technical skill by
software authors
o The development of virus-creation toolkits in the early 1990s and then
more general attack kits in the 2000s greatly assisted in the development
and deployment of malware
• Toolkits are often known as “crimeware”
o Include a variety of propagation mechanisms and payload modules that
even novices can deploy
o Variants that can be generated by attackers using these toolkits creates a
significant problem for those defending systems against them
• Widely used toolkits include:
o Zeus
o Blackhole
o Sakura
o Phoenix

• Another significant malware development is the change
from attackers being individuals often motivated to
demonstrate their technical competence to their peers
to more organized and dangerous attack sources such
as:
• This has significantly changed the resources available
and motivation behind the rise of malware and has led
to development of a large underground economy
involving the sale of attack kits, access to compromised
hosts, and to stolen information
Politically
motivated
attackers
Criminals
Organized
crime
Organizations
that sell their
services to
companies
and nations
National
government
agencies

APT Attacks
• Aim:
o Varies from theft of intellectual property or security and infrastructure
related data to the physical disruption of infrastructure
• Techniques used:
o Social engineering
o Spear-phishing email
o Drive-by-downloads from selected compromised websites likely to be
visited by personnel in the target organization
• Intent:
o To infect the target with sophisticated malware with multiple propagation
mechanisms and payloads
o Once they have gained initial access to systems in the target organization
a further range of attack tools are used to maintain and extend their
access

Viruses
• Piece of software that infects programs
o Modifies them to include a copy of the virus
o Replicates and goes on to infect other content
o Easily spread through network environments
• When attached to an executable program
a virus can do anything that the program is
permitted to do
o Executes secretly when the host program is run
• Specific to operating system and hardware
o Takes advantage of their details and weaknesses

program V
1234567;
procedure attach-to-program;
begin
repeat
file := get-random-program;
until first-program-line ≠ 1234567;
prepend V to file;
end;
procedure execute-payload;
begin
(* perform payload actions *)
end;
procedure trigger-condition;
begin
(* return true if trigger condition is true *)
end;
begin (* main action block *)
attach-to-program;
if trigger-condition then execute-payload;
goto main;
end;
program CV
1234567;
procedure attach-to-program;
begin
repeat
file := get-random-program;
until first-program-line ≠ 1234567;
compress file; (* t1 *)
prepend CV to file; (* t2 *)
end;
begin (* main action block *)
attach-to-program;
uncompress rest of this file into tempfile; (* t3 *)
execute tempfile; (* t4 *)
end;
(a) A simple virus (b) A compression virus
Figure 6.1 Example Virus Logic

P1 P2
Figure 6.2 A Compression Virus
t0: P1 is infected version of P1;
P2 is clean
CV
'
'
P2
P2
t1: P2 is compressed into P2
'
'
P1
t2: CV attaches itself to P2
CV
' P2
CV
'
'
P1 P1
t3: P1 is decompressed into the
original program P1
CV
'
'

Virus Classifications
Classification by target
Classification by
concealment strategy
• Boot sector infector
o Infects a master boot record
or boot record and spreads
when a system is booted
from the disk containing the
virus
• File infector
o Infects files that the
operating system or shell
considers to be executable
• Macro virus
o Infects files with macro or
scripting code that is
interpreted by an
application
• Multipartite virus
o Infects files in multiple ways
• Encrypted virus
o A portion of the virus creates
a random encryption key and
encrypts the remainder of the
virus
• Stealth virus
o A form of virus explicitly
designed to hide itself from
detection by anti-virus
software
• Polymorphic virus
o A virus that mutates with
every infection
• Metamorphic virus
o A virus that mutates and
rewrites itself completely at
each iteration and may
change behavior as well as
appearance

• Program that actively seeks out more machines to infect and each
infected machine serves as an automated launching pad for attacks
on other machines
• Exploits software vulnerabilities in client or server programs
• Can use network connections to spread from system to system
• Spreads through shared media (USB drives, CD, DVD data disks)
• E-mail worms spread in macro or script code included in attachments
and instant messenger file transfers
• Upon activation the worm may replicate and propagate again
• Usually carries some form of payload
• First known implementation was done in Xerox Palo Alto Labs in the
early 1980s

Mobile Code
• Programs that can be shipped unchanged to a variety
of platforms
• Transmitted from a remote system to a local system and
then executed on the local system
• Often acts as a mechanism for a virus, worm, or Trojan
horse
• Takes advantage of vulnerabilities to perform its own
exploits
• Popular vehicles include Java applets, ActiveX,
JavaScript and VBScript

Mobile Phone Worms
• First discovery was Cabir worm in 2004
• Then Lasco and CommWarrior in 2005
• Communicate through Bluetooth wireless connections or
MMS
• Target is the smartphone
• Can completely disable the phone, delete data on the
phone, or force the device to send costly messages
• CommWarrior replicates by means of Bluetooth to other
phones, sends itself as an MMS file to contacts and as an
auto reply to incoming text messages

Clickjacking
• Also known as a user-
interface (UI) redress
attack
• Using a similar technique,
keystrokes can also be
hijacked
o A user can be led to believe they
are typing in the password to their
email or bank account, but are
instead typing into an invisible
frame controlled by the attacker
• Vulnerability used by an
attacker to collect an infected
user’s clicks
o The attacker can force the user to
do a variety of things from adjusting
the user’s computer setters to
unwittingly sending the user to Web
sites that might have malicious code
o By taking advantage of Adobe Flash
or JavaScript an attacker could
even place a button under or over a
legitimate button making it difficult
for users to detect
o A typical attack uses multiple
transparent or opaque layers to trick
a user into clicking on a button or
link on another page when they
were intending to click on the top
level page
o The attacker is hijacking clicks
meant for one page and routing
them to another page

• “Tricking” users to assist in the compromise of their
own systems
Spam
Unsolicited bulk
e-mail
Significant carrier of
malware
Used for phishing
attacks
Trojan horse
Program or utility
containing harmful
hidden code
Used to
accomplish
functions that the
attacker could not
accomplish directly
Mobile
phone trojans
First appeared in
2004 (Skuller)
Target is the
smartphone

• Real-world damage
• Causes damage to physical equipment
o Chernobyl virus rewrites BIOS code
• Stuxnet worm
o Targets specific industrial control system software
• There are concerns about using sophisticated targeted
malware for industrial sabotage
• Logic bomb
• Code embedded in the malware that is set to
“explode” when certain conditions are met

• Takes over another Internet attached computer and
uses that computer to launch or manage attacks
• Botnet - collection of bots capable of acting in a
coordinated manner
• Uses:
• Distributed denial-of-service (DDoS) attacks
• Spamming
• Sniffing traffic
• Keylogging
• Spreading new malware
• Installing advertisement add-ons and browser helper
objects (BHOs)
• Attacking IRC chat networks
• Manipulating online polls/games

• Distinguishes a bot from a worm
• Worm propagates itself and activates itself
• Bot is initially controlled from some central facility
• Typical means of implementing the remote control
facility is on an IRC server
• Bots join a specific channel on this server and treat
incoming messages as commands
• More recent botnets use covert communication
channels via protocols such as HTTP
• Distributed control mechanisms use peer-to-peer
protocols to avoid a single point of failure

Keylogger
•Captures keystrokes to allow attacker to monitor sensitive
information
•Typically uses some form of filtering mechanism that only returns
information close to keywords (“login”, “password”)
Spyware
•Subverts the compromised machine to allow monitoring of a
wide range of activity on the system
•Monitoring history and content of browsing activity
•Redirecting certain Web page requests to fake sites
•Dynamically modifying data exchanged between the browser and
certain Web sites of interest

• Exploits social engineering to
leverage the user’s trust by
masquerading as
communication from a trusted
source
• Include a URL in a spam e-
mail that links to a fake Web
site that mimics the login
page of a banking, gaming,
or similar site
• Suggests that urgent action
is required by the user to
authenticate their account
• Attacker exploits the
account using the captured
credentials
• Spear-phishing
• Recipients are
carefully researched
by the attacker
• E-mail is crafted to
specifically suit its
recipient, often
quoting a range of
information
to convince them of
its authenticity

• Considerable overlap in techniques for dealing with viruses and
worms
• Once a worm is resident on a machine anti-virus software can
be used to detect and possibly remove it
• Perimeter network activity and usage monitoring can form the
basis of a worm defense
• Worm defense approaches include:
o Signature-based worm scan filtering
o Filter-based worm containment
o Payload-classification-based worm containment
o Threshold random walk (TRW) scan detection
o Rate limiting
o Rate halting

Payload – Stealthing
Backdoor
• Also known as a trapdoor
• Secret entry point into a program allowing the
attacker to gain access and bypass the security
access procedures
• Maintenance hook is a backdoor used by
Programmers to debug and test programs
• Difficult to implement operating system
controls for backdoors in applications

• Ideal solution to the threat of malware is prevention
• If prevention fails, technical mechanisms can be
used to support the following threat mitigation
options:
• Detection
• Identification
• Removal
•Policy
•Awareness
•Vulnerability mitigation
•Threat mitigation
Four main elements of prevention:

Generic Decryption (GD)
• Enables the anti-virus program to easily detect
complex polymorphic viruses and other malware
while maintaining fast scanning speeds
• Executable files are run through a GD scanner
which contains the following elements:
• CPU emulator
• Virus signature scanner
• Emulation control module
• The most difficult design issue with a GD scanner is
to determine how long to run each interpretation

• Integrates with the operating system of a host
computer and monitors program behavior in real
time for malicious action
• Blocks potentially malicious actions before they have a chance to
affect the system
• Blocks software in real time so it has an advantage over anti-virus
detection techniques such as fingerprinting or heuristics
Limitations
• Because malicious code must run on the target
machine before all its behaviors can be identified, it
can cause harm before it has been detected and
blocked

• Anti-virus software
typically included in
e-mail and Web proxy
services running on an
organization’s firewall
and IDS
• May also be included
in the traffic analysis
component of an IDS
• May include intrusion
prevention measures,
blocking the flow of
any suspicious traffic
• Approach is limited to
scanning malware
Ingress
monitors
Located at the
border between the
enterprise network
and the Internet
One technique is to
look for incoming
traffic to unused
local IP addresses
Egress
monitors
Located at the egress
point of individual
LANs as well as at
the border between
the enterprise
network and the
Internet
Monitors outgoing
traffic for signs of
scanning or other
suspicious behavior
Two types of monitoring software

Chapter 7
Denial-of-Service Attacks

Denial-of-Service (DoS)
Attack
The NIST Computer Security Incident Handling
Guide defines a DoS attack as:
“An action that prevents or impairs the
authorized use of networks, systems, or
applications by exhausting resources such as
central processing units (CPU), memory,
bandwidth, and disk space.”

Denial-of-Service (DoS)
⚫ A form of attack on the availability of some
service
⚫ Categories of resources that could be attacked
are:
Network
bandwidth
Relates to the capacity
of the network links
connecting a server to
the Internet
For most organizations
this is their connection to
their Internet Service
Provider (ISP)
System resources
Aims to overload or
crash the network
handling software
Application
resources
Typically involves a
number of valid
requests, each of which
consumes significant
resources, thus limiting
the ability of the server
to respond to requests
from other users

Medium Size Company
LAN
Figure 7.1 Example Network to Illustrate DoS Attacks
Web Server
LAN PCs
and workstations
Broadband
subscribers
Broadband
users
Internet service
provider (ISP) A
Internet
Router
Large Company LAN
Broadband
users
Internet service
provider (ISP) B Broadband
subscribers
Web Server

Classic DoS Attacks
⚫ Flooding ping command
⚫ Aim of this attack is to overwhelm the capacity of the
network connection to the target organization
⚫ Traffic can be handled by higher capacity links on the
path, but packets are discarded as capacity
decreases
⚫ Source of the attack is clearly identified unless a
spoofed address is used
⚫ Network performance is noticeably affected

Source Address Spoofing
⚫ Use forged source addresses
⚫ Usually via the raw socket interface on operating systems
⚫ Makes attacking systems harder to identify
⚫ Attacker generates large volumes of packets that have the
target system as the destination address
⚫ Congestion would result in the router connected to the
final, lower capacity link
⚫ Requires network engineers to specifically query flow
information from their routers
⚫ Backscatter traffic
⚫ Advertise routes to unused IP addresses to monitor attack traffic

SYN Spoofing
⚫ Common DoS attack
⚫ Attacks the ability of a server to respond to future
connection requests by overflowing the tables used
to manage them
⚫ Thus legitimate users are denied access to the server
⚫ Hence an attack on system resources, specifically the
network handling code in the operating system

Client Server
Send SYN
(seq = x)
Receive SYN
(seq = x)
Send SYN-ACK
(seq = y, ack = x+1)
Receive SYN-ACK
Send ACK
(ack = y+1)
Receive ACK
(ack = y+1)
1
2
3
Figure 7.2 TCP Three-Way Connection Handshake

Attacker Server
Send SYN
with spoofed src
(seq = x)
Send SYN-ACK
1
2
Spoofed Client
Resend SYN-ACK
after timeouts
Assume failed
connection
request
SYN-ACK’s to
non-existant client
discarded
Figure7.3 TCP SYN Spoofing Attack

Flooding Attacks
⚫ Classified based on network protocol used
⚫ Intent is to overload the network capacity on some link to a
server
⚫ Virtually any type of network packet can be used
•Ping flood using ICMP echo request packets
•Traditionally network administrators allow such packets into their
networks because ping is a useful network diagnostic tool
ICMP flood
•Uses UDP packets directed to some port number on the target
system
UDP flood
•Sends TCP packets to the target system
•Total volume of packets is the aim of the attack rather than the
system code
TCP SYN
flood

Distributed Denial of Service DDoS
Attacks
Use of multiple
systems to
generate attacks
Attacker uses a
flaw in operating
system or in a
common
application to gain
access and installs
their program on it
(zombie)
Large collections
of such systems
under the control
of one attacker’s
control can be
created, forming a
botnet

Attacker
Target
Handler
Zombies
Agent
Zombies
Figure 7.4 DDoS Attack Architecture

DNS Query:
biloxi.com
Returns IP
address of bob’s
proxy server
DNS
Server
User Agent alice User Agent bob
Proxy
Server
Proxy
Server
Figure 7.5 SIP INVITE Scenario
Internet
Wireless
Network
LAN
INVITE sip:bob@biloxi.com
From: sip:alice@atlanta.com
1
2
3
4
5

Hypertext Transfer Protocol
(HTTP) Based Attacks
HTTP flood Slowloris
⚫ Attack that bombards Web
servers with HTTP requests
⚫ Consumes considerable
resources
⚫ Spidering
⚫ Bots starting from a given HTTP link
and following all links on the
provided Web site in a recursive
way
⚫ Attempts to monopolize by
sending HTTP requests that
never complete
⚫ Eventually consumes Web
server’s connection capacity
⚫ Utilizes legitimate HTTP traffic
⚫ Existing intrusion detection
and prevention solutions that
rely on signatures to detect
attacks will generally not
recognize Slowloris

Reflection Attacks
⚫ Attacker sends packets to a known service on the
intermediary with a spoofed source address of the
actual target system
⚫ When intermediary responds, the response is sent to
the target
⚫ “Reflects” the attack off the intermediary (reflector)
⚫ Goal is to generate enough volumes of packets to
flood the link to the target system without alerting
the intermediary
⚫ The basic defense against these attacks is blocking
spoofed-source packets

Figure 7.6 DNS Reflection Attack
IP: a.b.c.d
IP: a.b.c.d
IP: j.k.l.m
Victim
Loop
possible
DNS
Server
Normal
User
Attacker
DNS
Server
IP: w.x.y.z
From: a.b.c.d:1792
To: w.x.y.z.53
From: w.x.y.z.53
To: a.b.c.d:1792
From: j.k.l.m:7
To: w.x.y.z.53
From: w.x.y.z.53
To: j.k.l.m:7
From: j.k.l.m:7
To: w.x.y.z.53
1
1
2
2
3
IP: w.x.y.z

Attacker
Reflector
intermediaries
Target
Zombies
Figure 7.7 Amplification Attack

DNS Amplification Attacks
⚫ Use packets directed at a legitimate DNS server as the
intermediary system
⚫ Attacker creates a series of DNS requests containing the
spoofed source address of the target system
⚫ Exploit DNS behavior to convert a small request to a
much larger response (amplification)
⚫ Target is flooded with responses
⚫ Basic defense against this attack is to prevent the use of
spoofed source addresses

DoS Attack Defenses
⚫ These attacks cannot be
prevented entirely
⚫ High traffic volumes may
be legitimate
⚫ High publicity about a specific
site
⚫ Activity on a very popular site
⚫ Described as slashdotted, flash
crowd, or flash event
Attack prevention and
preemption
•Before attack
Attack detection and filtering
•During the attack
Attack source traceback and
identification
•During and after the attack
Attack reaction
•After the attack
Four lines of defense against DDoS attacks

DoS Attack Prevention
⚫ Block spoofed source addresses
⚫ On routers as close to source as possible
⚫ Filters may be used to ensure path back to the claimed
source address is the one being used by the current
packet
⚫ Filters must be applied to traffic before it leaves the ISP’s
network or at the point of entry to their network
⚫ Use modified TCP connection handling code
⚫ Cryptographically encode critical information in a cookie
that is sent as the server’s initial sequence number
⚫ Legitimate client responds with an ACK packet containing the
incremented sequence number cookie
⚫ Drop an entry for an incomplete connection from the TCP
connections table when it overflows

DoS Attack Prevention
⚫ Block IP directed broadcasts
⚫ Block suspicious services and combinations
⚫ Manage application attacks with a form of
graphical puzzle (captcha) to distinguish
legitimate human requests
⚫ Good general system security practices
⚫ Use mirrored and replicated servers when high-
performance and reliability is required

Digital Immune System
• Comprehensive defense against malicious behavior
caused by malware
• Developed by IBM and refined by Symantec
• Motivation for this development includes the rising
threat of Internet-based malware, the increasing
speed of its propagation provided by the Internet,
and the need to acquire a global view of the
situation
• Success depends on the ability of the malware
analysis system to detect new and innovative
malware strains

Responding to DoS Attacks
⚫ Identify type of attack
⚫ Capture and analyze packets
⚫ Design filters to block attack traffic upstream
⚫ Or identify and correct system/application bug
⚫ Have ISP trace packet flow back to source
⚫ May be difficult and time consuming
⚫ Necessary if planning legal action
⚫ Implement contingency plan
⚫ Switch to alternate backup servers
⚫ Commission new servers at a new site with new addresses
⚫ Update incident response plan
⚫ Analyze the attack and the response for future handling

Classes of Intruders –
Cyber Criminals
⚫ Individuals or members of an organized crime group with
a goal of financial reward
⚫ Their activities may include:
⚫ Identity theft
⚫ Theft of financial credentials
⚫ Corporate espionage
⚫ Data theft
⚫ Data ransoming
⚫ Typically they are young, often Eastern European,
Russian, or southeast Asian hackers, who do business on
the Web
⚫ They meet in underground forums to trade tips and data
and coordinate attacks

Activists
⚫ Are either individuals, usually working as insiders, or
members of a larger group of outsider attackers, who
are motivated by social or political causes
⚫ Also know as hacktivists
⚫ Skill level is often quite low
⚫ Aim of their attacks is often to promote and publicize
their cause typically through:
⚫ Website defacement
⚫ Denial of service attacks
⚫ Theft and distribution of data that results in
negative publicity or compromise of their targets

State-Sponsored Organizations
⚫ Groups of hackers sponsored by governments to
conduct espionage or sabotage activities
⚫ Also known as Advanced Persistent Threats (APTs) due to
the covert nature and persistence over extended
periods involved with any attacks in this class
⚫ Widespread nature and scope of these
activities by a wide range of countries
from China to the USA, UK, and their
intelligence allies

⚫ Hackers with motivations other than those previously
listed
⚫ Include classic hackers or crackers who are motivated
by technical challenge or by peer-group esteem and
reputation
⚫ Many of those responsible for discovering new
categories of buffer overflow vulnerabilities could be
regarded as members of this class
⚫ Given the wide availability of attack toolkits, there is a
pool of “hobby hackers” using them to explore system
and network security

Examples of Intrusion
• Remote root compromise
• Web server defacement
• Guessing/cracking passwords
• Copying databases containing
credit card numbers
• Viewing sensitive data without authorization
• Running a packet sniffer
• Distributing pirated software
• Using an unsecured modem to access internal
network
• Impersonating an executive to get information
• Using an unattended workstation

Comprises three logical
components:
•Sensors - collect data
•Analyzers - determine if
intrusion has occurred
•User interface - view
output or control system
behavior
⚫ Host-based IDS (HIDS)
⚫ Monitors the characteristics of
a single host for suspicious
activity
⚫ Network-based IDS
(NIDS)
⚫ Monitors network traffic and
analyzes network, transport,
and application protocols to
identify suspicious activity
⚫ Distributed or hybrid IDS
⚫ Combines information from a
number of sensors, often both
host and network based, in a
central analyzer that is able to
better identify and respond to
intrusion activity

Analysis Approaches
Anomaly detection
Signature/Heuristic
detection
• Involves the collection of
data relating to the
behavior of legitimate
users over a period of
time
• Current observed
behavior is analyzed to
determine whether this
behavior is that of a
legitimate user or that of
an intruder
• Uses a set of known
malicious data patterns
or attack rules that are
compared with current
behavior
• Also known as misuse
detection
• Can only identify known
attacks for which it has
patterns or rules

Anomaly Detection
A variety of classification approaches are
used:
Statistical
•Analysis of the
observed
behavior using
univariate,
multivariate, or
time-series
models of
observed metrics
Knowledge based
•Approaches use
an expert system
that classifies
observed
behavior
according to a
set of rules that
model legitimate
behavior
Machine-learning
•Approaches
automatically
determine a
suitable
classification
model from the
training data
using data
mining
techniques

Central Manager
LAN Monitor Host Host
Agent
module
Router
Internet
Figure 8.2 Architecture for Distributed Intrusion Detection
Manager
module

Intrusion Detection
Techniques
Attacks suitable for
Signature detection
Attacks suitable for
Anomaly detection
• Application layer
reconnaissance and attacks
• Transport layer
• Network layer
• Unexpected application
services
• Policy violations
• Denial-of-service (DoS)
attacks
• Scanning
• Worms

Chapter 9
Firewalls and Intrusion
Prevention Systems

⚫ Internet connectivity is essential
⚫ However it creates a threat
⚫ Effective means of protecting LANs
⚫ Inserted between the premises network and
the Internet to establish a controlled link
⚫ Can be a single computer system or a set of two or more systems
working together
⚫ Used as a perimeter defense
⚫ Single choke point to impose security and auditing
⚫ Insulates the internal systems from external networks

Design goals
All traffic from inside to outside, and vice versa, must pass through
the firewall
Only authorized traffic as defined by the local security policy will
be allowed to pass
The firewall itself is immune to penetration

Firewall Access Policy
• A critical component in the planning and
implementation of a firewall is specifying a suitable
access policy
o This lists the types of traffic authorized to pass through the firewall
o Includes address ranges, protocols, applications and content types
• This policy should be developed from the
organization’s information security risk assessment
and policy
• Should be developed from a broad specification of
which traffic types the organization needs to
support
o Then refined to detail the filter elements which can then be implemented
within an appropriate firewall topology

Firewall Filter
Characteristics
• Characteristics that a firewall access policy could use to
filter traffic include:
IP address
and protocol
values
This type of
filtering is used by
packet filter and
stateful inspection
firewalls
Typically used to
limit access to
specific services
Application
protocol
This type of
filtering is used by
an application-
level gateway that
relays and
monitors the
exchange of
information for
specific
application
protocols
User
identity
Typically for
inside users who
identify
themselves using
some form of
secure
authentication
technology
Network
activity
Controls access
based on
considerations
such as the time or
request, rate of
requests, or other
activity patterns

External (untrusted) network
(e.g. Internet)
Internal (protected) network
(e.g. enterprise network) Firewall
Figure 9.1 Types of Firewalls
(a) General model
(d) Application proxy firewall
Physical
Network
access
Internet
Transport
Application
Physical
Network
access
Internet
Transport
Application
Application proxy
External
transport
connection
Internal
transport
connection
(b) Packet filtering firewall
Physical
Network
access
Internet
Transport
Application
End-to-end
transport
connection
End-to-end
transport
connection
(c) Stateful inspection firewall
Physical
Network
access
Internet
Transport
Application
End-to-end
transport
connection
End-to-end
transport
connection
(e) Circuit-level proxy firewall
Physical
Network
access
Internet
Transport
Application
Physical
Network
access
Internet
Transport
Application
Circuit-level proxy
External
transport
connection
Internal
transport
connection
State
info

Packet Filtering Firewall
• Applies rules to each incoming and outgoing IP packet
o Typically a list of rules based on matches in the IP or TCP
header
o Forwards or discards the packet based on rules match
• Two default policies:
o Discard - prohibit unless expressly permitted
• More conservative, controlled, visible to users
o Forward - permit unless expressly prohibited
• Easier to manage and use but less secure
Filtering rules are based on information contained in a network packet
• Source IP address
• Destination IP address
• Source and destination transport-level address
• IP protocol field
• Interface

Stateful Inspection
Firewall
Tightens rules for TCP traffic
by creating a directory of
outbound TCP connections
•There is an entry for each
currently established connection
•Packet filter allows incoming
traffic to high numbered ports
only for those packets that fit the
profile of one of the entries in this
directory
Reviews packet information
but also records information
about TCP connections
•Keeps track of TCP sequence
numbers to prevent attacks that
depend on the sequence number
•Inspects data for protocols like
FTP, IM and SIPS commands

Table 9.2
Example Stateful Firewall
Connection State Table

Host-Based Firewalls
• Used to secure an individual host
• Available in operating systems or can be provided as
an add-on package
• Filter and restrict packet flows
• Common location is a server
Advantages:
• Filtering rules can be tailored to the host
environment
• Protection is provided independent of topology
• Provides an additional layer of protection

Personal Firewall
⚫ Controls traffic between a personal computer or
workstation and the Internet or enterprise network
⚫ For both home or corporate use
⚫ Typically is a software module on a personal computer
⚫ Can be housed in a router that connects all of the home
computers to a DSL, cable modem, or other Internet
interface
⚫ Typically much less complex than server-based or stand-
alone firewalls
⚫ Primary role is to deny unauthorized remote access
⚫ May also monitor outgoing traffic to detect and block
worms and malware activity

Figure 9.2 Example Firewall Configuration
Workstations
Application and database servers
Web
server(s)
Email
server
Internal DMZ network
Boundary
router
External
firewall
LAN
switch
LAN
switch
Internal
firewall
Internal protected network
DNS
server
Internet

IP
Header
IP
Payload
IP
Header
IPSec
Header
Secure IP
Payload
I
P
H
e
a
d
e
r
I
P
S
e
c
H
e
a
d
e
r
S
e
c
u
r
e
I
P
P
a
y
l
o
a
d
I
P
H
e
a
d
e
r
I
P
S
e
c
H
e
a
d
e
r
S
e
c
u
r
e
I
P
P
a
y
l
o
a
d
IP
Header
IP
Payload
Firewall
with IPSec
Ethernet
switch
Ethernet
switch
User system
with IPSec
Firewall
with IPSec
Figure 9.3 A VPN Security Scenario
Public (Internet)
or Private
Network

Figure 9.4 Example Distributed Firewall Configuration
Workstations
Application and database servers
Web
server(s)
Email
server
Internal DMZ network
Boundary
router
External
firewall
LAN
switch
LAN
switch
host-resident
firewall
Internal
firewall
Internal protected network
DNS
server
Internet
Web
server(s)
External
DMZ network
Remote
users

Firewall Topologies
•Includes personal firewall software and firewall software
on servers
Host-resident firewall
•Single router between internal and external networks with
stateless or full packet filtering
Screening router
•Single firewall device between an internal and external
router
Single bastion inline
•Has a third network interface on bastion to a DMZ where
externally visible servers are placed
Single bastion T
•DMZ is sandwiched between bastion firewalls
Double bastion inline
•DMZ is on a separate network interface on the bastion
firewall
Double bastion T
•Used by large businesses and government organizations
Distributed firewall
configuration

Intrusion Prevention Systems
(IPS)
⚫ Also known as Intrusion Detection and Prevention System
(IDPS)
⚫ Is an extension of an IDS that includes the capability to
attempt to block or prevent detected malicious activity
⚫ Can be host-based, network-based, or distributed/hybrid
⚫ Can use anomaly detection to identify behavior that is
not that of legitimate users, or signature/heuristic
detection to identify known malicious behavior can
block traffic as a firewall does, but makes use of the
types of algorithms developed for IDSs to determine
when to do so

Host-Based IPS
(HIPS)
• Can make use of either signature/heuristic or anomaly
detection techniques to identify attacks
• Signature: focus is on the specific content of application
network traffic, or of sequences of system calls, looking for
patterns that have been identified as malicious
• Anomaly: IPS is looking for behavior patterns that indicate
malware
• Examples of the types of malicious behavior addressed by
a HIPS include:
• Modification of system resources
• Privilege-escalation exploits
• Buffer-overflow exploits
• Access to e-mail contact list
• Directory traversal

HIPS
• Capability can be tailored to the specific platform
• A set of general purpose tools may be used for a desktop
or server system
• Some packages are designed to protect specific types of
servers, such as Web servers and database servers
• In this case the HIPS looks for particular application attacks
• Can use a sandbox approach
• Sandboxes are especially suited to mobile code such as
Java applets and scripting languages
• HIPS quarantines such code in an isolated system area then
runs the code and monitors its behavior
• Areas for which a HIPS typically offers desktop protection:
• System calls
• File system access
• System registry settings
• Host input/output

Network-Based IPS
(NIPS)
⚫ Inline NIDS with the authority to modify or discard
packets and tear down TCP connections
⚫ Makes use of signature/heuristic detection and
anomaly detection
⚫ May provide flow data protection
⚫ Requires that the application payload in a sequence of
packets be reassembled
⚫ Methods used to identify malicious packets:
Pattern
matching
Stateful
matching
Protocol
anomaly
Traffic
anomaly
Statistical
anomaly

Internet
Figure 9.5 Placement of Worm Monitors
Remote sensor
Honeypot
Passive
sensor
Firewall
sensor 1. Malware scans or
infection attempts
1. Malware
execution
Correlation
server
Application
server
Instrumented applications
Sandboxed
environment
Enterprise network
Hypothesis testing
and analysis
Patch
generation
3. Forward
features
5. Possible fix generation
6. Application update
4. Vulnerability
testing and
identification
2. Notifications

Snort Inline
⚫ Enables Snort to function
as an intrusion
prevention system
⚫ Includes a replace
option which allows the
Snort user to modify
packets rather than drop
them
⚫ Useful for a honeypot
implementation
⚫ Attackers see the
failure but cannot
figure out why it
occurred
Drop
Snort
rejects a
packet
based on
the
options
defined
in the
rule and
logs the
result
Reject
Packet is
rejected
and
result is
logged
and an
error
message
is
returned
Sdrop
Packet is
rejected
but not
logged

Bandwidth shaping module
VPN module
Antispam module
Web filtering module
Data
analysis
engine
Logging
and
reporting
module
Firewall module
VPN module
Routing module
Raw incoming traffic
Clean controlled traffic
Figure 9.6 Unified Threat Management Appliance
(based on [JAME06])
IPS engine
Activity
inspection
engine
IDS engine
Anomaly
detection
Antivirus
engine
Heuristic
scan
engine

IT system security principles practices

More Related Content

What's hot (20)

Similar to IT system security principles practices (20)

More from gufranresearcher (20)

Recently uploaded (20)

IT system security principles practices