Computer security overview
Tuomas Aura
CSE-C3400 Information security
Aalto University, autumn 2014
Outline
• Timeline of computer security
• What is security anyway?
70s
• Multi-user operating systems
  • Need for protection
• Access control models: multi-level security, Bell-LaPadula 1976, Biba 1977
• DES encryption algorithm 1976
  • Cryptanalysis, need for key distribution
• Public-key cryptosystems: Diffie-Hellman 1976, RSA 1978
• Key distribution: certificates 1978
  • Key exchange protocols: Needham-Schroeder 1978
80s
• Anonymity: Chaum's mixes 1981, anonymous payment 1982
• Orange Book 1985: mandatory access control
• Commercial security models from accounting and auditing rules: Clark-Wilson 1987
• X.509 PKI 1988
• IBM PC software copy protection
  • Floppy disk virus 1987
• Internet: Morris worm 1988
90s
• More methodological approach to security research:
  • Information flow security
  • Secure operating systems: SEVMS until 1996
  • Formal analysis of key exchange protocols
• Wider availability of cryptography
  • GSM cellular network 1991
  • Open-source cryptography: PGP 1991
  • Password sniffers → SSH 1995
  • Commercial Internet: SSL and VeriSign CA 1995
  • RSA patent expired in 2000
• Windows 95: insecure PCs connected to the Internet
• Spam: Cantor and Siegel 1994
• PKI criticism → trust management research
• Research on intrusion detection
• Macro virus: Melissa 1999
• DRM
2000s
• Malware
  • Fast-spreading Internet worms: Code Red 2001
  • Secure programming, safe languages
  • Security analysis and testing tools
  • Botnets, spyware, malware analysis
• Computer crime: phishing
• Total information awareness 2002-
• Mobile device operating systems, app permissions
• Enterprise identity management
• Research on security in mobility, ad-hoc networks, sensor networks
• Security has become an integral part of most areas of computing and computer science
  • Connections to law, sociology, psychology, management, usability, design
• Social networks, privacy concerns
2010s
• Cyber defense and attack
  • Stuxnet 2010, malware business, government sponsors
  • Snowden 2013, PRISM (2007-)
  • Advanced persistent threat
• Flaws still found in key security technologies: Heartbleed 2014, fake SSL certificates
• Critical infrastructure protection, smart grid security
• Mobile app security, cloud computing
• Mobile payments
• Bitcoin, ransomware
• Research on Internet of Things, vehicular communication
• What else?
What is security
• When talking about security, we are concerned about bad events caused with malicious intent
  • Security vs. reliability
• Terminology:
  • Threat = bad event that might happen
  • Attack = someone intentionally causes the bad thing to happen
  • Vulnerability = weakness in an information system that enables an attack
  • Exploit = implementation of an attack
  • Risk = probability of an attack × damage in dollars
• Security is a non-functional property of a system
Security goals
• CIA = confidentiality, integrity, availability
  • Confidentiality — protection of secrets
  • Integrity — only authorized modification of data and system configuration
  • Availability — no denial of service, business continuity
  • Examples: secret agent names, web server
• The CIA model is a good starting point but not all:
  • Access control — no unauthorized use of resources
  • Privacy — control of personal data and space
  • What else?
Security is a continuous process
• Continuous race between attackers and defenders
  • Attackers are creative
  • No security mechanisms will stop all attacks; attackers just move to new methods and targets
  • Some types of attacks can be eliminated, but others will take their place
  • Compare with crime statistics: do locks or prisons reduce crime in the long term?
• Security mechanisms will fail and new threats will arise
  → Monitoring and auditing for new attacks
  → Contingency planning: how to recover from a breach
Cost vs. benefit
• Rational attackers compare the cost of an attack with the gains from it
  • Attackers look for the weakest link; thus, little is gained by strengthening the already strong bits
• Rational defenders compare the risk of an attack with the cost of implementing defenses
  • Lampson: "Perfect security is the enemy of good security"
• But human behavior is not always rational:
  • Attackers follow each other and all flock to the same path
  • Defenders buy peace of mind; they avoid personal liability by doing what everyone else does
  → Many things are explained better by group behavior than by rational choice
Who is the attacker?
• We partition the world into good and bad entities
  • Honest parties vs. attackers, red vs. blue
  • Good ones follow the specification, bad ones do not
  • Different partitions lead to different perspectives on the security of the same system
• Typical attackers:
  • Curious or dishonest individuals — for personal gain
  • Friends and family
  • Hackers, crackers, script kiddies — for challenge and reputation
  • Companies — for business intelligence and marketing
  • Organized criminals — for money
  • Governments and security agencies — NSA, SVR, GCHQ, DGSE, etc.
  • Military SIGINT — strategic and tactical intelligence, cyber defense
• Insiders are often the greatest threat
  • Employee, administrator, service provider, customer, family member
• Often, not all types of attackers matter
  • Who would you not want to read your diary or email?
Reading material
• Dieter Gollmann: Computer Security, 2nd ed., chapters 1–2; 3rd ed., chapters 1 and 3
• Matt Bishop: Introduction to Computer Security, chapter 1 (http://nob.cs.ucdavis.edu/book/book-intro/intro01.pdf)
• Edward Amoroso: Fundamentals of Computer Security Technology, chapter 1
• Ross Anderson: Security Engineering, 2nd ed., chapter 1 (1st ed.: http://www.cl.cam.ac.uk/~rja14/Papers/SE-01.pdf)
Exercises
• What security threats and goals are there in the postal (paper mail) system?
  • What different entities are there in the postal system? Do they have the same or different security concerns?
  • Who could be the attacker? Does the answer change if you think from a different entity's viewpoint? Who are insiders?
  • Can you think of attacks where it is necessary for two or more malicious parties to collude?
• What is the role of laws and punishment in computer security?
• Can the development of information security technology be unethical, or is engineering value neutral? Give examples.
• When is it (or when could it be) ok for you to attack IT systems? Give examples.
• How do the viewpoints of security practitioners (e.g. a system admin or company security officer) differ from those of academic researchers?
• How have the Snowden leaks in 2013 changed the overall picture of information security?