Building Secure Systems: Problems and Principles. Dennis Kafura

Barriers to Secure Systems
- Secure systems depend on more than the discovery of more advanced technologies
- Security also depends on the widespread and correct deployment of the technology and its appropriate use by people and organizations

State of Cryptographic Solutions (1)
- Cryptographic technology to build secure systems is known
  - Cryptographic algorithms
  - Digital signatures
  - Hash functions/digests
  - Protocols
- System weaknesses are at the interface with the system's human users
  - Usability issues inhibit effective employment by ordinary users and perhaps security personnel
  - Key management
  - Access control
- Related disciplines not well developed (e.g., engineering software for security)

State of Cryptographic Solutions (2)
- Initial impetus derived from secretive government security services
- Commercial sector fears loss of confidence and customers
- Feedback to the security community is weak compared to other design communities (e.g., transportation failures are thoroughly scrutinized and the underlying failures documented and disseminated, so that the community learns over time and their designs/products improve over time)

Competing Philosophies
- Railway model: trusted kernel; formal verification; reductionist in spirit; system in control
- Airline model: rich sources of feedback; incremental improvement; holistic in spirit; human in control

Design Principles (1)
- Security is fundamental to the conception of the system and cannot be bolted on as an afterthought
- No system is perfectly secure; must engineer a balance between achievable security and acceptable security (100% risk acceptance, not 100% security)
- Defense in depth

Design Principles (2)
- Proprietary measures are less secure than public ones ("security by obscurity" does not work)
- Need detection, confinement, and recovery strategies in addition to prevention
  - Every system will eventually fail against a determined attacker
  - Detection may be available but not used (e.g., error response codes indicating a potential intrusion were ignored)
  - Minimize results of failure (e.g., recovering the key for one file/user should not compromise other files/users)
  - Create audit logs/trail
- Testing will not reveal security flaws (functionality != quality)
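Two of the points above, "minimize results of failure" and "create audit logs/trail", are concrete enough to show in code. The following is an added example written for this page, not code from the slides or from Kafura: per-file keys are derived from a master key through a one-way HMAC so that recovering one file's key reveals nothing about the master or about other files' keys, and access decisions are recorded in a hash-chained audit log whose verify() fails if any entry is edited or removed. The master key value and the log entries are constructed for the demo.

```python
import hashlib
import hmac
import json
from typing import Dict, List

# Constructed placeholder; a real master key lives in an HSM/KMS, never in source.
MASTER_KEY = bytes.fromhex("00" * 32)


def derive_file_key(master_key: bytes, file_id: str) -> bytes:
    """Derive an independent per-file key with HMAC-SHA256 (a one-way KDF).
    Because HMAC is one-way, a recovered file key cannot be turned back into
    the master key or into the key of any other file: the blast radius of one
    compromised key is limited to that one file."""
    return hmac.new(master_key, b"file-key:" + file_id.encode(), hashlib.sha256).digest()


class AuditLog:
    """Append-only, hash-chained audit trail. Each entry commits to the hash of
    the previous entry, so deleting, reordering or editing an entry breaks the
    chain from that point on and verify() reports it."""

    GENESIS = "0" * 64

    def __init__(self) -> None:
        self.entries: List[Dict] = []
        self._prev = self.GENESIS

    @staticmethod
    def _digest(body: Dict) -> str:
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def record(self, actor: str, action: str, target: str, outcome: str) -> Dict:
        body = {"actor": actor, "action": action, "target": target,
                "outcome": outcome, "prev": self._prev}
        entry = dict(body, hash=self._digest(body))
        self.entries.append(entry)
        self._prev = entry["hash"]
        return entry

    def verify(self) -> bool:
        """Recompute every link; any edited or dropped entry yields False."""
        prev = self.GENESIS
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "hash"}
            if body["prev"] != prev or self._digest(body) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


def count_denials(log: AuditLog) -> int:
    """Detection signal: denied accesses are exactly the kind of 'error
    response' the slide says is often available but ignored."""
    return sum(1 for e in log.entries if e["outcome"] == "denied")


def demo() -> AuditLog:
    # Constructed sample activity: one legitimate read, two rejected attempts.
    log = AuditLog()
    log.record("alice", "read", "payroll.xlsx", "allowed")
    log.record("mallory", "read", "payroll.xlsx", "denied")
    log.record("mallory", "read", "payroll.xlsx", "denied")
    return log


if __name__ == "__main__":
    log = demo()
    print("chain intact:", log.verify(), "denials:", count_denials(log))
    print("file key a:", derive_file_key(MASTER_KEY, "a").hex())
```

A hash chain only detects tampering by someone who cannot rewrite the whole chain; in practice the latest hash is anchored by shipping it to a separate log host or signing it periodically, which is the "compromise recording" idea from the Saltzer/Schroeder list below.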

Design Principles (3)
- Economy of mechanism
- Fail-safe defaults
- Complete mediation
- Open design
- Separation of privilege
- Least privilege
- Least common mechanism
- Psychological acceptability
- Two others:
  - Work factor (cost of attack vs. resources of attacker)
  - Compromise recording (evidence of tampering gathered to render disclosed information harmless)
From: Saltzer/Schroeder (1975)

Ideal Development Process
- Specify all security failure modes
- Identify a strategy for each mode (to prevent the failure or make it acceptable)
- For each strategy, document its implementation
- Determine consequences of failure
- Assessment by independent experts
- Test whether personnel using the system can operate the system correctly

Organizational Issues
- Organizations lack expertise to correctly design/deploy existing technologies
  - Issues are complex, subtle, highly technical
  - Well-intentioned optimizations break the security
- Exploits continue to be effective due to lack of community learning
- No natural home in the organization to put a security team (like testing/IV&V in software engineering)

Threat Model
- A threat model identifies what is to be protected, from whom (against what), and for how long
- Includes assessment of people and their motivations
  - Most bank fraud is committed by insiders
    - Bank clerk issued extra credit cards
    - Technical staff recorded ATM entries on a concealed hand-held device
  - Users are concerned more about simplicity/convenience (e.g., choosing weak passwords)
- Often insufficient feedback to develop a realistic threat model: we know how systems fail in theory, not how they fail in practice

Bypassing Cryptographic Defenses (1)
- Plaintext may be retained (e.g., for reliability and/or recovery)
- Tamper-resistant hardware may be vulnerable
  - Timing attacks
  - Side-channel attacks (power consumption, radiation, etc.)
- Trust model: development and deployment assumptions might be different (e.g., outsourcing of functions)

Bypassing Cryptographic Defenses (2)
- Key hygiene / key management
  - Keys exposed by the implementation (virtual memory, user interface)
  - Key recovery mechanisms can be attacked
  - Strong keys protected only by weak passwords/passphrases
  - Keys known to technical staff for testing/debugging
  - Even when special hardware (security modules) is used, maintenance staff may have access to keys

Implementation Issues
- Valid cryptographic algorithms/protocols may be undermined by flawed implementations
- Problems with keys
  - Key values too short (e.g., banks using RSA with 100-400 bit keys while at least 500 bits are needed)
  - Inadequate/inappropriate use of random number generators
    - Badly designed, producing weak keys (e.g., using the time-of-day clock, giving only 20 bits rather than 54 bits of randomness)
    - Paired with a weak cryptographic algorithm
    - Reuse issues (not all RNGs perform equally well with all cryptographic algorithms)
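The two key problems on this slide, short keys and a clock-seeded generator, can both be caught by a simple audit of the key source, which the following added example shows (it is written for this page, not taken from the slides). It places the weak pattern, a deterministic PRNG seeded from the time of day, next to the corrected one, drawing the key from the operating system's CSPRNG, and adds two check functions. The seconds-of-day seed (86,400 values, about 16.4 bits) is a constructed stand-in for the slide's 20-bit clock; the 2048-bit RSA floor is current guidance rather than the 500 bits quoted on the slide.

```python
import math
import random
import secrets
from typing import Dict

REQUIRED_SYMMETRIC_BITS = 128   # what a 128-bit key should actually deliver
MIN_RSA_MODULUS_BITS = 2048     # current common minimum, not the slide's 500


def seed_entropy_bits(distinct_seed_values: int) -> float:
    """Upper bound on the entropy of anything derived from a seed that can
    take only `distinct_seed_values` values. Output length does not matter:
    a 128-bit key from a 16-bit seed is a 16-bit key."""
    return math.log2(distinct_seed_values)


def key_from_clock_seed(seconds_since_midnight: int, nbytes: int = 16) -> bytes:
    """WEAK pattern from the slide: a deterministic PRNG seeded from the
    time-of-day clock. Only 86,400 seeds exist, so the whole key space is
    about 2**16.4 keys, and the same second always yields the same key."""
    rng = random.Random(seconds_since_midnight)  # random is NOT a CSPRNG
    return bytes(rng.getrandbits(8) for _ in range(nbytes))


def key_from_os_entropy(nbytes: int = 16) -> bytes:
    """Corrected pattern: take the key directly from the OS CSPRNG."""
    return secrets.token_bytes(nbytes)


def audit_symmetric_key_source(distinct_seed_values: int, key_bits: int) -> Dict[str, object]:
    """Effective strength is the smaller of seed entropy and key length."""
    effective = min(seed_entropy_bits(distinct_seed_values), float(key_bits))
    return {"effective_bits": effective, "ok": effective >= REQUIRED_SYMMETRIC_BITS}


def audit_rsa_modulus(n: int, minimum_bits: int = MIN_RSA_MODULUS_BITS) -> Dict[str, object]:
    """Flag moduli shorter than the policy floor, e.g. the 100-400 bit keys
    the slide reports banks using."""
    bits = n.bit_length()
    return {"bits": bits, "ok": bits >= minimum_bits}


if __name__ == "__main__":
    print("clock-seeded:", audit_symmetric_key_source(86_400, 128))
    print("os entropy: ", audit_symmetric_key_source(2 ** 128, 128))
    print("rsa 400-bit:", audit_rsa_modulus(2 ** 399))
```

The audit functions deliberately reason about the generator's state space rather than inspecting key bytes, because a statistically random-looking output says nothing about how many distinct outputs the generator can produce.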

Protection Mechanisms
- List-oriented (access control list)
  - Guard holds a list of identifiers of authorized users
  - User carries a unique unforgeable identifier
- Ticket-oriented (capabilities)
  - Guard holds the description of a single identifier
  - Each user has a collection of unforgeable identifiers, or tickets
From: Saltzer/Schroeder (1975)

Capability System (1) [figure: Saltzer/Schroeder (1975), Figure 5]

Capability System (2) [figure: Saltzer/Schroeder (1975), Figure 7]

Access Control Lists (1) [figure: Saltzer/Schroeder (1975), Figure 9]

Access Control Lists (2) [figure: Saltzer/Schroeder (1975), Figure 10]

Comparison and Projection
- Capability lists: easy sharing, flexible management of privileges; difficult revocation
- Access control lists: easy revocation; more cumbersome management/sharing
- Contemporary projections
  - Capability lists -> credentials/privileges
  - Access control lists -> policy-based systems
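The list-oriented versus ticket-oriented distinction from the Protection Mechanisms slide, and the sharing/revocation trade-off summarized just above, are easiest to see with both guards side by side. The following is an added example for this page, not code from the slides or from Saltzer and Schroeder. Both guards apply complete mediation (every access passes through check()) and a fail-safe default (no entry means deny). The capability guard realizes "unforgeable ticket" as a bearer tuple tagged with an HMAC under a guard-held secret; that construction, and the denylist/secret-rotation revocation options, are this example's assumptions about one reasonable implementation.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Set, Tuple

Ticket = Tuple[str, str, str]  # (object, right, authenticator tag)


class AclGuard:
    """List-oriented protection: the guard keeps, per object and right, the set
    of principal identifiers it will admit. A missing entry means deny
    (fail-safe default). Revocation is one set removal, which is why the
    slide calls ACL revocation easy; sharing requires the guard's cooperation."""

    def __init__(self) -> None:
        self._acl: Dict[str, Dict[str, Set[str]]] = {}

    def grant(self, obj: str, principal: str, right: str) -> None:
        self._acl.setdefault(obj, {}).setdefault(right, set()).add(principal)

    def revoke(self, obj: str, principal: str, right: str) -> None:
        self._acl.get(obj, {}).get(right, set()).discard(principal)

    def check(self, obj: str, principal: str, right: str) -> bool:
        # The principal identifier is assumed unforgeable (authenticated upstream).
        return principal in self._acl.get(obj, {}).get(right, set())


class CapabilityGuard:
    """Ticket-oriented protection: the guard keeps a single secret and mints
    tickets whose tag is HMAC(secret, object|right). A ticket is a bearer
    token, so sharing is just copying it (easy sharing), but the guard keeps
    no list of holders, so it cannot withdraw access from one holder alone:
    it can denylist the tag (hitting every copy) or rotate the secret
    (hitting every ticket). That is the 'difficult revocation' of the slide."""

    def __init__(self) -> None:
        self._secret = secrets.token_bytes(32)
        self._revoked_tags: Set[str] = set()

    def _tag(self, obj: str, right: str) -> str:
        return hmac.new(self._secret, f"{obj}|{right}".encode(), hashlib.sha256).hexdigest()

    def mint(self, obj: str, right: str) -> Ticket:
        return (obj, right, self._tag(obj, right))

    def check(self, ticket: Ticket) -> bool:
        obj, right, tag = ticket
        # Constant-time comparison so a tag cannot be guessed byte by byte.
        if not hmac.compare_digest(tag, self._tag(obj, right)):
            return False  # forged ticket, or a tag transplanted onto another right
        return tag not in self._revoked_tags

    def revoke_ticket(self, ticket: Ticket) -> None:
        self._revoked_tags.add(ticket[2])  # revokes every copy of this ticket

    def rotate_secret(self) -> None:
        self._secret = secrets.token_bytes(32)  # invalidates all outstanding tickets


if __name__ == "__main__":
    acl = AclGuard()
    acl.grant("payroll", "alice", "read")
    print("ACL alice read:", acl.check("payroll", "alice", "read"))
    print("ACL bob read:  ", acl.check("payroll", "bob", "read"))
    cap = CapabilityGuard()
    ticket = cap.mint("payroll", "read")
    print("capability holder:", cap.check(ticket))
```

Note that the denylist reintroduces exactly the per-guard state that capabilities were meant to avoid, and the rotation option punishes every legitimate holder; the slide's "contemporary projection" of capabilities onto credentials (short-lived, scoped tokens) is the usual way around this, limiting how long a leaked ticket stays valid rather than trying to recall it.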