Module IV Ppt

Embed Size (px)

Citation preview

  • 8/17/2019 Module IV Ppt

    1/59

    Introduction to Cyber Se&

     Information Securit

    Module 4: System and Application Security

    Chapter 1: Security Architectures and Models

    Chapter 2: System Security

    Chapter 3: OS Security

    Chapter 4: Wireless Network and Security

  • 8/17/2019 Module IV Ppt

    2/59

    Chapter :Security Architectures and M

    1! "esi#nin# Secure Operatin# Systems

    2! n$ormation Security Models

  • 8/17/2019 Module IV Ppt

    3/59

    1! "esi#nin# Secured%&rustedOperatin# Systems!

    What makes an operatin# system 'sec'trustworthy)

    *ow are trusted systems desi#ned+ an

    o$ those desi#n principles carry o,er nto other pro#ram de,elopment tasks)

    *ow do we de,elop 'assurance( o$ thcorrectness o$ a trusted operatin# sys

  • 8/17/2019 Module IV Ppt

    4/59

    -rimiti,e security ser,ices

    Memory protection

    .ile protection

    /eneral o0ect access control

    ser authentication

    OS is trusted i$ we ha,e condence that it pro,ides these $oin a consistent and eecti,e way!

  • 8/17/2019 Module IV Ppt

    5/59

    2! n$ormation Security Models

    5ell67a-adula

    5i0a

    Clark6Wilson

    Chinese Wall

    /ood 0rie$ summary on *arris p!248

  • 8/17/2019 Module IV Ppt

    6/59

    5ell67a-adula 957- Model

    57- is $ormal 9mathematical description o$ mandatorycontrol

     &hree properties:

    ds6property 9discretionary security

    ss6property 9simple security ; no 'read down(

  • 8/17/2019 Module IV Ppt

    7/59

    5ell67a-adula Model 9Continued

    *oneywell Multics kernel was only true implementation o$ ne,er took hold

    "O" in$ormation security re=uirements currently achie,eddiscretionary access control and se#re#ation o$ systems racompliant computers

  • 8/17/2019 Module IV Ppt

    8/59

    5i0a Model

    Similar to 57- 0ut $ocus is on inte#rity+ not condentiality

    >esult is to turn the 57- model upside down

    *i#h inte#rity su0ects cannot read lower inte#rity o0ects 9no

    Su0ects cannot  mo,e low inte#rity data to hi#h6inte#rity en,i'write up(

    Mc7ean notes that a0ility to ?ip models essentially renders

    assurance properties useless

  • 8/17/2019 Module IV Ppt

    9/59

    Clark6Wilson Model

    >e,iews distinction 0etween military and commercial polic

    Military policy $ocus on condentiality

    Commercial policy $ocus on inte#rity

    Mandatory commercial controls typically in,ol,e who #ets type o$ transaction rather than who sees what 9@ample: ca0o,e a certain dollar amount

  • 8/17/2019 Module IV Ppt

    10/59

    Clark6Wilson Model 9Continued

     &wo types o$ o0ects:

    Constrained "ata tems 9C"s

    nconstrained "ata tems 9"s

     &wo types o$ transactions on C"s in model

    nte#rity Berication -rocedures 9B-s

     &rans$ormation -rocedures 9&-s

    B-s certi$y that &-s on C"s result in ,alid state

    All &-s must 0e certied to result in ,alid trans$orma

  • 8/17/2019 Module IV Ppt

    11/59

    Clark6Wilson Model 9Continued

    System maintains list o$ ,alid relations o$ the $orm:ser"+ &-+ C"%"D

    Only permitted manipulation o$ C" is ,ia an authoriE

    $ a &- takes a " as an input+ then it must result in or the &- will 0e reected

    Additional re=uirements Auditin#: &-s must write to an append6only C" 9l

    Separation o$ duties

  • 8/17/2019 Module IV Ppt

    12/59

    Clark6Wilson ,ersus 5i0a

    n 5i0aFs model+ " to C" con,ersion is per$ormed 0y truonly 9e!#!+ a security oGcer+ 0ut this is pro0lematic $or dat$unction!

    n Clark6Wilson+ &-s are specied $or particular users and $u5i0aFs model does not oer this le,el o$ #ranularity!

  • 8/17/2019 Module IV Ppt

    13/59

    Chinese Wall

    .ocus is on con?icts o$ interest!

    -rinciple: sers should not access the condential in0oth a client or#aniEation and one or more o$ its com

    *ow it works

    sers ha,e no 'wall( initially!

    Once any #i,en le is accessed+ les with competin$ormation 0ecome inaccessi0le!

    nlike other models+ access control rules chan#e 0eha,ior

  • 8/17/2019 Module IV Ppt

    14/59

    Chapter 2:System Securit

    1! email security: -/- and SMM@

    2! We0 Security: we0 authentication+ SSS@&

    3! "ata0ase Security

  • 8/17/2019 Module IV Ppt

    15/59

    1! email security: -/- and SMM

    @6mail is one o$ the most widely used network ser,ices killer application o$ the nternet

    Normally messa#e contents not secured

    Can 0e read%modied either in transit or at destination 0y theattacker

    @6mail ser,ice is like postcard ser,ice

     ust pick it and read it

  • 8/17/2019 Module IV Ppt

    16/59

    @mail Security @nhancements

    condentiality

    protection $rom disclosure

    authentication

    o$ sender o$ messa#e

    messa#e inte#rity

    protection $rom modication

    non6repudiation o$ ori#in

    protection $rom denial 0y sender

  • 8/17/2019 Module IV Ppt

    17/59

    -retty /ood -ri,acy 9-/-

    widely used secure e6mail so$tware

    ori#inally a le encryption%decryption $acility

    de,eloped 0y -hil Himmermann

    a security acti,ist who has had le#al pro0lems due t-/-

    0est a,aila0le crypto al#orithms are employed

    a,aila0le on se,eral plat$orms with source code ori#inally $ree+ now commercial ,ersions eist

    not controlled 0y a standardiEation 0ody

    althou#h there are >.Cs

  • 8/17/2019 Module IV Ppt

    18/59

    -/- Mechanisms

    "i#ital Si#natures 9and conse=uently

    messa#e authentication and inte#rity >SA+ "SS

    Messa#e @ncryption

    CAS&+ "@A+ 3"@S+ A@S 9all at least 12I 0its

    symmetric keys are used once and encrypted

    usin# >SA or @l/amal 90ased on discrete lo#s Compression usin# H-

    >adi6J4 con,ersion 9to ASC

    $or e6mail compati0ility

  • 8/17/2019 Module IV Ppt

    19/59

    S%MM@

    Secure%Multipurpose nternet Mail @tensions

    A standard way $or email encryption and si#nin#

    @&. eort 9>.Cs 2J32+ 2J33 ; $or ,ersion 3!KL>.Cs 3IK+ 3I1 $or ,ersion 3!1L 8K+ 81 $or,ersion 3!2

    ndustry support

    Not a standalone so$tware+ a system that is to 0supported 0y email clients

    such as MS Outlook and &hunder0ird

    S%MM@ handles di#ital si#natures

    Also pro,ides encryption

  • 8/17/2019 Module IV Ppt

    20/59

    S%MM@ .unctions

    en,eloped data

    encrypted content and associated keys

    si#ned data

    encoded messa#e encoded si#ned messa#edi#est

    clear6si#ned data

    cleartet messa#e encoded si#ned messa#edi#est

    si#ned and en,eloped data

    Nested si#ned and encrypted entities

  • 8/17/2019 Module IV Ppt

    21/59

    2! We0 Security: we0 authentication+SS7 and S@&

    SSL (Secure Sockets Layer)

    NO& a payment protocol 66 can 0e used $or any securecommunications+ like credit card num0ers

    SS7 is a secure data echan#e protocol pro,idin# -ri,acy 0etween two nternet applications

    Authentication o$ ser,er 9authentication o$ 0rowser optional

    ses en,elopin#: >SA used to echan#e "@S keys

    SS7 *andshake -rotocol Ne#otiates symmetric encryption protocol+ authenticates

    SS7 >ecord -rotocol -acks%unpacks records+ per$orms encryption%decryption

    "oes not pro,ide non6repudiation

  • 8/17/2019 Module IV Ppt

    22/59

    Secure Sockets 7ayer 9SS7

    7ayered on top o$ &C-%- 0ut 0elow the

    application layer! 9>e=uires relia0le transportto operate!

    SS7 is increasin# in importance $or nternetsecurity

    n,ented 0y -hil arlton 9CM -h!"! andothers at Netscape

    Biew protocol 9J3 pa#es

    http://www.iie.edu.uy/~mazzara/pgp/draft-ietf-tls-ssl-version3-00.htmlhttp://www.iie.edu.uy/~mazzara/pgp/draft-ietf-tls-ssl-version3-00.html

  • 8/17/2019 Module IV Ppt

    23/59

    SS7 9Secure Sockets 7ayer

    *AN"7@S COMW&* &*@ A--

    -rotocolsN&A7H@S CO5@&W@@N C7@

    N&A7H@S S@C>@COMMNCA&ON

    *AN"7@S "A&ACOM->@SSON

    @>>O> *AN"

  • 8/17/2019 Module IV Ppt

    24/59

  • 8/17/2019 Module IV Ppt

    25/59

    S@& O0ecti,es

    Condentiality o$ payment and order in$ormation @ncryption

    nte#rity o$ all data 9di#ital si#natures Authentication o$ cardholder P account 9certicates

    Authentication o$ merchant 9certicates

    No reliance on secure transport protocols 9uses &C-%-

    nteropera0ility 0etween S@& so$tware and network StandardiEed messa#e $ormats

    S@& is a payment protocol Messa#es relate to ,arious steps in a credit card transaction

  • 8/17/2019 Module IV Ppt

    26/59

    S@& Security

    "i#ital en,elopes+ nonces+ salt

     &wo pu0lic6pri,ate key pairs $or each party

    One $or di#ital si#naturesL one $or key echan#e messa#e 1JK60it messa#e di#ests

    Statistically #lo0ally uni=ue "s 9Q"s

    Certicates 9 kinds

    Cardholder+ Merchant+ Ac=uirer+ ssuer+ -ayment /ateway

    *ardware crypto#raphic modules 9$or hi#h security

    dempotency 9messa#e can 0e recei,ed many times 0ut isonly processed once f  9f  9 x  R f  9 x  Comple protocol! O,er JKK pa#es o$ detail

    "ual si#natures

    http://www.setco.org/download/set_bk2.pdfhttp://www.setco.org/download/set_bk2.pdf

  • 8/17/2019 Module IV Ppt

    27/59

    S@& -rocess Steps 9Simplied

    1! Merchant sends in,oice and uni=ue transaction " 9Q"

    2! Merchant sends merchant certicate and 0ank certicate 9encrypte with CAFs pri,ate key

    3! Customer decrypts certicates+ o0tains pu0lic keys

    4! Customer #enerates order in$ormation 9O and payment in$o 9- encrypted with dierent session keys and dual6si#ned

    ! Merchant sends payment re=uest to 0ank encrypted with 0ank6 merchant session key+ -+ di#est o$ O and merchantFs certicate

    J! 5ank ,eries that the Q" matches the one in the -

    8! 5ank sends authoriEation re=uest to issuin# 0ank ,ia card network

    I! 5ank sends appro,al to merchant

    ! Merchant sends acknowled#ement to customer

  • 8/17/2019 Module IV Ppt

    28/59

    S@& Supported &ransactions

    • card holder re#istration

    • merchant re#istration

    • purchase re=uest

    • payment authoriEation

    • payment capture

    • certicate =uery

    • purchase in=uiry

    •   purchase notication

    •   sale transaction•   authoriEation re,ersal

    •   capture re,ersal

    •   credit re,ersal

  • 8/17/2019 Module IV Ppt

    29/59

    29

    3. Database Security

    Security Objectives

    Secrecy

    Prevent/detect/deter impro

    Disclosure of information

     Availability

    Prevent/detect/deter improper 

    Denial of access to services

     Integrity

    Prevent/detect/deter

    Improper modification

    of information

  • 8/17/2019 Module IV Ppt

    30/59

    30

    Policy

    r!ani"ational

    Information systems policy

  • 8/17/2019 Module IV Ppt

    31/59

    "ata0ases

    Collection o$ interrelated data and

    set o$ pro#rams to access the data

    Con,enient and eGcient processin# o$ data

    "ata0ase Application So$tware

    31

  • 8/17/2019 Module IV Ppt

    32/59

    "ata0ase Security

    -rotect Sensiti,e "ata $rom

    nauthoriEed disclosure

    nauthoriEed modication

    "enial o$ ser,ice attacks

    Security Controls

    Security -olicy

    Access control models

    nte#rity protection

    -ri,acy pro0lems

    .ault tolerance and reco,ery

    Auditin# and intrusion detection

    32

  • 8/17/2019 Module IV Ppt

    33/59

    33

    Protection of Data Confidentiality

    Access control – which data users canaccess

    Information flow control – what users can

    do with the accessed data

    Data inin!

  • 8/17/2019 Module IV Ppt

    34/59

    34

    Access Control

    "nsures that all direct accesses to ob#ect are

    authori$ed

    Protects a!ainst accidental and malicious

    threats by re!ulatin! the read% write ande&ecution of data and pro!rams

  • 8/17/2019 Module IV Ppt

    35/59

    35

    Access Control

    'e(uires)

    * Proper user identification

    * Information specifyin! the access ri!hts is

     protected form modification

  • 8/17/2019 Module IV Ppt

    36/59

    36

    Access control components)

    - Access control policy) specifies the

    authori$ed accesses of a system

    - Access control mechanism) implements

    and enforces the policy

    Access Control

  • 8/17/2019 Module IV Ppt

    37/59

    Chapter 3:peratin! System Security

    1! Anti6,irus so$tware

    2! Con#urin# the OS $or security

  • 8/17/2019 Module IV Ppt

    38/59

    1. Antivirus Software.

    What is a Virus?

    a virus is software that spreads from program to program, or from disuses eah infeted program or disk to make opies of itse!f. "as

    sa"otage.

  • 8/17/2019 Module IV Ppt

    39/59

    $ow does a %irus Spread&

    first a programmer writes the virus most often "eingattahed to a norma! program' unknown to the userthe virus spreads to other software. then the virusis passed "# disk or network to other users who

    use other omputers. the virus then remainsdormant as it is passed on.

    #he Internet

  • 8/17/2019 Module IV Ppt

    40/59

    (hat is Anti%irus Software&

    omputer programs intended to identif# and e!iminate ompute

  • 8/17/2019 Module IV Ppt

    41/59

    )he *est +efense

    this #ears "est defense against omputer viruses, sp#ware, spam is an antivirus program a!!ed *it+efender.

    has a userfriend!# interfae that sans a!! e-isting fi!es on #a!! inoming and outgoing emai!s, and even / transfers.

    features in!ude priva# protetion and we" sanning for int#ears su"sription is a"out 24.99.

  • 8/17/2019 Module IV Ppt

    42/59

    A%

    the most wide!# used software is the orton Anti%irus. A%

    sine its re!ease in 1990, over 100 mi!!ion peop!e around theused it.

    its a free program "ut in order to reeive !ive updates, a va!iis needed.

    a #ear!# su"sription is on!# 29.99.

  • 8/17/2019 Module IV Ppt

    43/59

    /Afee

    /Afee %irusSan is another popu!ar antivirus program.

    its designed for home and homeoffie use.

    its used speifia!!# on a /irosoft (indows p!atform.

    the 200 edition in!udes a num"er of features in!uding on

    sharing, in"ound and out"ound firewa!! protetion, and dai!#updates.

  • 8/17/2019 Module IV Ppt

    44/59

    asperski

    for the average home user and advaned users the asperssoftware has an eas# to use interfae.

    the program uses 3 ta"s for protetion, settings and support

    it updates itse!f on an hour!# "asis and is one of the fastest aprograms avai!a"!e.

    however, 7ua!it# omes at a prie and #ear su"sription is

    8Antivirus software is the e7uiva!ent to

  • 8/17/2019 Module IV Ppt

    45/59

    Antivirus software is the e7uiva!ent topenii!!in of the omputer wor!d. 

    !ike penii!!in, antivirus app!iations at as aover #our s#stem, sanning inoming fi!es aapp!iations, 87uarantining or !eaning up viruses !ooking to ause harm to #our s#ste

    antivirus software is onsidered to "e an aidetets, fi-es and even prevents viruses anfrom spreading to #our omputer as we!! asonneting omputers.

  • 8/17/2019 Module IV Ppt

    46/59

    2! Con#urin# the OS $or secur

    -urpose o$ the system+ type o$ in$ormation sapplications and ser,ices pro,ided

    sers o$ the system and their pri,ile#es

    *ow are users authenticated

    *ow in$ormation on system is mana#ed

    What other hosts % "5s are accessed 0y syst

    Who will mana#e system and how 9remote o

    Additional measures such as: rewall+ anti6,ilo##in#

    d i h

  • 8/17/2019 Module IV Ppt

    47/59

    *ardenin# the OS

    "e$ault OS con#urations are $or ease o$ us Measures ha,e to 0e done at all sta#es

    nstallin# and patchin#

    Con#urin#

    >emo,e unnecessary applications+ ser,ices and protoc

    sers+ #roups+ controls and pri,ile#es

    nstall additional so$tware 9anti6,irus+ rewall+ indetection system+ etc!

     &est Security

    lli d - hi

  • 8/17/2019 Module IV Ppt

    48/59

    nstallin# and -atchin#

    nstallation Machines should not connect to network until secured

    *owe,er remo,a0le media may 0e in$ected as well

    7imited network 9rewall is accepta0le+ ideally:

    No in0ound connections

    Only out to certain key sites

    nstall only re=uired ser,ices and dri,ers 9$rom trusted sources

    Set up automatic updates 9only i$ update time is not an issue

    5ootin#

    -rotect 5OS chan#es with password

    "isa0le some 0oota0le media

    Crypto#raphic hard dri,es) -ros and Cons

    C %/ A th ti ti

  • 8/17/2019 Module IV Ppt

    49/59

    Con#ure %/ Authentication

    "ene user types and pri,ile#es Admin 9ideally only temporary

    Normal

    7imited

    Authentication

    .orce de$ault password chan#e

    -assword denition -assword li$espan

    >emo,e or disa0le old accounts

    Allow $or remote connections)

    Additi l S it d & ti

  • 8/17/2019 Module IV Ppt

    50/59

    Additional Security and &estin#

    Anti6,irus

    .irewalls+ "S+ -S

    White list

    $ attackers mana#e to install a pro#ram what will happen)

    >un some test cases which attempt to 0reak security 9stre#ood hackers make a lot o$ money here

    A li ti S it

  • 8/17/2019 Module IV Ppt

    51/59

    Application Security

    Con#ure applications properly se encryption when possi0le as seen earlier

    .or storin#

    .or transmit 9SS* connections

    7imit pri,ile#es as with users

    >emem0er what we ha,e said a0out security in An5lack0erry+ and i-hone

    Applications may pro,ide 0ackdoors i$ not coproperly

    M i t

  • 8/17/2019 Module IV Ppt

    52/59

    Maintenance

    Now that system is set+ keep it secure

     &his in,ol,es

    Monitorin# and analyEin# lo##in# in$ormation

    -er$ormin# re#ular 0ackups

    >eco,erin# $rom security compromises

    >e#ular testin# o$ security

    -atch+ update+ and re,ise critical so$tware

    7o##in#

  • 8/17/2019 Module IV Ppt

    53/59

    7o##in#

    eep a record o$ important e,ents in the computer

    -ro0lems

    Need to make sure to ha,e enou#h space

    Manual analysis is hard+ so these lo#s should contain a $ormatpro#ram 9e!#! in -erl can parse messa#es

    "ata 5ackup

  • 8/17/2019 Module IV Ppt

    54/59

    "ata 5ackup

    5ackup is the act o$ creatin# copies o$ in$ormathat it may 0e reco,ered

    Archi,e is to keep these 0ackups $or a lon# petime in order to meet some le#al aspects

    Should the 0ackup 0e kept online or oTine) Online makes easier access+ $aster reco,er

    OTine is more secure+ harder to reco,er Why not 0oth): sers should keep their own oTine

    case online 0ackup #ets remo,ed

    "ata may 0e lost accidentally 9hardware $ailumistake or intentionally

    Chapter 4

  • 8/17/2019 Module IV Ppt

    55/59

    Chapter 4:$ireless %etorks and Sec

    1! Components o$ wireless networks

    2! Security issues in wireless

    1 Components o$ Wireless Net

  • 8/17/2019 Module IV Ppt

    56/59

    1! Components o$ Wireless Net

    1 @=uipment

    2 Network

    3 So$tware

    4 Ser,ices

    Mo0ile Worker!

  • 8/17/2019 Module IV Ppt

    57/59

    2 Security ssues in Wireless N

  • 8/17/2019 Module IV Ppt

    58/59

    2! Security ssues in Wireless N

     +etwor, security issues% whether wired or wireless% fall into three main cate!ories)

    availability% confidentiality and inte!rity)

     

    •Confidentiality: is the information bein! sent across the networ, transmitted in such

    the intended recipient-s can read it.

    •Integrity: is the information reachin! the recipient intact•Availability: is the networ, available to users whenever it is supposed to be

  • 8/17/2019 Module IV Ppt

    59/59