Lecture 2 - Security Overview
CSE497b - Spring 2007
Introduction Computer and Network Security
Professor Jaeger
www.cse.psu.edu/~tjaeger/cse497b-s07
CSE497b Introduction to Computer and Network Security - Spring 2007 - Professor Jaeger
Readings
• Books
– Perlman et al
– Gollmann
– Both are listed on calendar
• Readings
– Please check the calendar for the class readings
– Today
• Gollmann Chs. 1 and 2
• Next, Perlman Ch. 10, Gollmann Ch. 3
What is security?
• “the property that a system behaves as expected”
– G. Spafford and many others ....
• Note that this does not say what a system should or
should not do.
– Implication -- there is no universal definition or test for
security (why?)
– Apply this definition to the ATM
• How do you think an ATM should behave?
• What should it do?
• What should it not do?
• We talk about expectations often in terms of
confidentiality, integrity, and availability.
Risk
• At-risk valued resources that can be misused
– Monetary
– Data (loss or integrity)
– Time
– Confidence
– Trust
• What does being misused mean?
– Confidentiality (privacy or communication)
– Integrity (personal or communication)
– Availability (existential or fidelity)
• Q: What is at stake in your life?
Adversary
• An adversary is any entity trying to
circumvent the security infrastructure
– The curious and otherwise generally clueless (e.g., script-kiddies)
– Casual attackers seeking to understand systems
– Venal people with an ax to grind
– Malicious groups of largely sophisticated users (e.g., chaos clubs)
– Competitors (industrial espionage)
– Governments (seeking to monitor activities)
Threats
• A threat is a specific means by which a risk can be
realized by an adversary
– Context specific (a fact of the environment)
– An attack vector is a specific threat (e.g., key logger)
• A threat model is a collection of threats that are deemed
important for a particular environment
– I.e., the threats that should be addressed
– A set of “security requirements” for a system
• Q: What were (unaddressed) risks/threats in the
introductory examples?
– SQL Slammer
– Yale/Princeton
Vulnerabilities (attack vectors)
• A vulnerability is a systematic artifact that exposes
the user, data, or system to a threat
– E.g., buffer-overflow, WEP key leakage
• What is the source of a vulnerability?
– Bad software (or hardware)
– Bad design, requirements
– Bad policy/configuration
– System Misuse
• unintended purpose or environment
• E.g., student IDs for liquor store
Are users adversaries?
• Have you ever tried to circumvent the security of a
system you were authorized to access?
• Have you ever violated a security policy (knowingly
or through carelessness)?
Attacks
• An attack occurs when someone attempts to exploit
a vulnerability
• Kinds of attacks
– Passive (e.g., eavesdropping)
– Active (e.g., password guessing)
– Denial of Service (DOS)
• Distributed DOS – using many endpoints
• A compromise occurs when an attack is successful
– Typically associated with taking over/altering resources
Participants
• Participants are expected system entities
– Computers, agents, people, enterprises, …
– Depending on context referred to as: servers, clients,
users, entities, hosts, routers, …
– Security is defined with respect to these entities
• Implication: every party may have a unique view
• A trusted third party
– Trusted by all parties for some set of actions
– Often used as introducer or arbiter
Trust
• Trust refers to the degree to
which an entity is expected to behave
– What is the entity not expected to do?
• E.g., not expose a password
– What is the entity expected to do (obligations)?
• E.g., obtain permission, refresh
• A trust model describes, for a particular
environment, who is trusted to do what?
• Note: you make trust decisions every day
– Q: What are they?
– Q: Whom do you trust?
Related Terminology
• Reliability - property of a system that indicates it will
continue to function for long periods of time under
varying circumstances
• Survivability - ability of a system to maintain function
during abnormal or environmentally troubling events
• Privacy - the ability to stop information from
becoming known to people other than those to whom one
chooses to give the information
• Assurance - confidence that system meets its
security requirements
– As typically evidenced by some evaluation methodology
(FIPS 192, Common Criteria)
Security Model
• A security model is the combination of trust and threat
models that address the set of perceived risks
– The “security requirements” used to develop some cogent and
comprehensive design
– Every design must have a security model
• LAN network or global information system
• Java applet or operating system
– The single biggest mistake seen in use of security is the lack of a
coherent security model
– It is very hard to retrofit security (design time)
• This class is going to talk a lot about security models
– What are the security concerns (risks)?
– What are the threats?
– Who are our adversaries?
– Who do we trust and to do what?
• Systems must be explicit about these things to be secure.
Review
• An adversary is a subject who tries to gain unauthorized
access
• A threat is a mechanism that the adversary is capable of
employing to gain unauthorized access
• A risk is a loss due to an adversary gaining unauthorized
access
• A vulnerability is a flaw in a system that enables a threat to allow
the adversary unauthorized access
• A threat model describes all the mechanisms available to
the adversaries
• A trust model describes all the subjects that are trusted not
to have vulnerabilities that can be abused or be adversaries
• A security model consists of a threat model and a trust
model (functional and security goals as well)
Security Overview
• Security can be separated in many ways, e.g., by
threats, sensitivity levels, domains
• This class will focus on three interrelated domains of
security that encompass nearly all security issues
1. Network Security
2. Systems Security
3. Program Security
• There are other areas, e.g., physical security, privacy,
etc. that will not directly be covered.
Common problems in network security
• Network security attempts to protect communication
between hosts carried by the (often untrusted)
network.
– Eavesdropping communication (confidentiality)
– Modifying communication (integrity)
– Preventing communication (availability)
• Example: securing application traffic (Web)
– Protecting on network (HTTP requests/responses)
– As passing through intermediaries (proxies)
– In server (from malicious requests)
– Protecting the client (from malicious content)
Common problems in systems security
• Systems security attempts to protect data held on
hosts and on (sometimes untrusted) storage.
– Prevention of sensitive data leakage (confidentiality)
• Also known as information flow governance
– Prevention of data corruption (integrity)
– Controlling data response (availability)
• Example: Controlling Data Leakage
– Key on disk (key in the clear; encrypt it with a pass-phrase)
– Providing the pass-phrase (window manager)
– Program memory
– Memory swapped out to swap space
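The last two leakage channels listed above, program memory and swap space, are the ones most often mishandled in code, so here is an added C example (not from the lecture or its readings) of the defensive pattern: keep the pass-phrase in a fixed buffer whose pages are locked against paging, use it, then wipe it with a call the optimizer cannot drop. The function names, the 64-byte limit, and the checksum standing in for a key-derivation function are this example's own assumptions; mlock() can fail under RLIMIT_MEMLOCK, and the caller is told whether it did.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>

/* A memset() called through a volatile function pointer cannot be removed by
 * the optimizer as a dead store when the buffer is about to go out of scope,
 * which is exactly what happens to a plain memset(buf, 0, n) before return. */
static void *(*volatile wipe_fn)(void *, int, size_t) = memset;

static void secure_wipe(void *buf, size_t len) {
    wipe_fn(buf, 0, len);
}

/* Count bytes that are still non-zero, so the caller can verify the wipe. */
size_t count_nonzero(const unsigned char *buf, size_t len) {
    size_t n = 0;
    for (size_t i = 0; i < len; i++) n += (buf[i] != 0);
    return n;
}

/* Stand-in for using the pass-phrase (e.g. feeding it to a key derivation
 * function); a simple checksum keeps the example self-contained. */
static unsigned fold(const char *buf, size_t len) {
    unsigned acc = 0;
    for (size_t i = 0; i < len; i++) acc = acc * 31u + (unsigned char)buf[i];
    return acc;
}

/* Hypothetical helper: hold the pass-phrase only in locked memory, use it,
 * wipe it. Returns the number of non-zero bytes left in the buffer (0 when
 * the wipe worked), or -1 if the input does not fit; refusing oversized
 * input is the alternative to overflowing the buffer. *locked reports whether
 * mlock() succeeded; a caller that cares about swap exposure should treat a
 * failure as an error rather than continue. */
int use_passphrase(const char *passphrase, int *locked, unsigned *digest) {
    char buf[64];
    size_t n = strlen(passphrase);
    if (n >= sizeof buf) return -1;

    /* Step 1: keep the pages holding buf out of swap while the secret is live. */
    *locked = (mlock(buf, sizeof buf) == 0);

    memcpy(buf, passphrase, n + 1);
    *digest = fold(buf, n);             /* Step 2: use the secret. */

    /* Step 3: wipe before this stack frame is reused by later calls. */
    secure_wipe(buf, sizeof buf);
    int left = (int)count_nonzero((const unsigned char *)buf, sizeof buf);

    if (*locked) munlock(buf, sizeof buf);
    return left;
}

int main(void) {
    int locked = 0;
    unsigned digest = 0;
    /* Constructed sample pass-phrase. */
    int left = use_passphrase("correct horse battery staple", &locked, &digest);
    printf("mlock %s, digest %08x, non-zero bytes after wipe: %d\n",
           locked ? "ok" : "failed (RLIMIT_MEMLOCK?)", digest, left);
    return left == 0 ? 0 : 1;
}
```

The disk item on the slide (encrypting the stored key under a pass-phrase) needs a real cipher and KDF and is left to the crypto lectures; this example covers only the two in-memory channels.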
Common problems in program security
• Program security attempts to protect data received,
held, and output on a (sometimes untrusted) host.
– Prevention of sensitive data leakage (confidentiality)
• Also known as information flow governance
– Prevention of data corruption (integrity)
– Controlling data access (availability)
• Example: Handling A Remote Request
– Process the user request (authenticate, authorize)
– Data-driven attack from the request
– Buffer overflows
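The three items above are the order in which a request handler must work: parse within bounds, authenticate, authorize, and distrust the data it is handed. Here is an added C example (not from the lecture or its readings) of a handler that does all four for a constructed request format "<VERB> <TOKEN> <RESOURCE>". The principal table, token values, verbs and status codes are this example's own assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define MAX_VERB  8
#define MAX_TOKEN 32
#define MAX_RES   64

/* Constructed principal table standing in for a real credential store:
 * a bearer token maps to a role. */
struct principal { const char *token; const char *role; };
static const struct principal principals[] = {
    { "tok-alice-7f3a", "admin"  },
    { "tok-bob-91c2",   "reader" },
};

/* Compare two equal-length buffers without an early exit, so the time taken
 * does not reveal how many leading bytes of a guessed token were right. */
static int ct_equal(const char *a, const char *b, size_t n) {
    unsigned char diff = 0;
    for (size_t i = 0; i < n; i++) diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

/* Authenticate: map the presented token to a role, or NULL if unknown. */
static const char *authenticate(const char *token) {
    size_t tlen = strlen(token);
    for (size_t i = 0; i < sizeof principals / sizeof principals[0]; i++) {
        const char *cand = principals[i].token;
        if (strlen(cand) == tlen && ct_equal(cand, token, tlen))
            return principals[i].role;
    }
    return NULL;
}

/* Authorize: readers may GET; only admins may PUT; anything else is denied. */
static int authorize(const char *role, const char *verb) {
    if (strcmp(verb, "GET") == 0) return 1;
    if (strcmp(verb, "PUT") == 0) return strcmp(role, "admin") == 0;
    return 0;
}

/* Data-driven attack check: the resource name is data chosen by the remote
 * party, so it is limited to a small alphabet and may not contain "..",
 * which stops it from steering the handler to a file it never meant to serve. */
static int resource_is_safe(const char *res) {
    if (*res == '\0' || strstr(res, "..") != NULL) return 0;
    for (const char *p = res; *p; p++) {
        int ok = (*p >= 'a' && *p <= 'z') || (*p >= '0' && *p <= '9') ||
                 *p == '-' || *p == '_' || *p == '.';
        if (!ok) return 0;
    }
    return 1;
}

/* Copy one space-delimited field into a fixed buffer of capacity cap. A field
 * that is empty or would not fit is rejected instead of overflowing; this is
 * the spot where an unbounded strcpy() or sscanf("%s") becomes a buffer
 * overflow. Returns a pointer just past the field, or NULL on rejection. */
static const char *take_field(const char *p, char *out, size_t cap) {
    size_t n = 0;
    while (p[n] != '\0' && p[n] != ' ') n++;
    if (n == 0 || n >= cap) return NULL;
    memcpy(out, p, n);
    out[n] = '\0';
    return p + n;
}

/* Handle one request. Returns an HTTP-style status: 400 malformed,
 * 401 unauthenticated, 403 unauthorized, 200 accepted. */
int handle_request(const char *req) {
    char verb[MAX_VERB], token[MAX_TOKEN], res[MAX_RES];
    const char *p;

    /* Parse with bounds checks before trusting any field. */
    if (!(p = take_field(req, verb, sizeof verb)) || *p != ' ')     return 400;
    if (!(p = take_field(p + 1, token, sizeof token)) || *p != ' ') return 400;
    if (!(p = take_field(p + 1, res, sizeof res)) || *p != '\0')    return 400;
    if (!resource_is_safe(res))                                      return 400;

    const char *role = authenticate(token);
    if (role == NULL)            return 401;
    if (!authorize(role, verb))  return 403;
    return 200;   /* the request may now be served */
}

int main(void) {
    const char *samples[] = {   /* constructed requests */
        "GET tok-bob-91c2 report.txt",
        "PUT tok-bob-91c2 report.txt",
        "PUT tok-alice-7f3a report.txt",
        "GET tok-eve-0000 report.txt",
        "GET tok-bob-91c2 ../etc/passwd",
        "GET tok-bob-91c2-aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa report.txt",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%d  %s\n", handle_request(samples[i]), samples[i]);
    return 0;
}
```

The ordering matters for the security model of the slide: the bounds check in take_field() runs before any field is interpreted, so an oversized token is rejected (400) rather than read as a credential, and the resource check runs before authentication so an unauthenticated client learns nothing from a malformed path beyond the same 400.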
The remainder ....
• The remaining weeks will explore the design and use
of these approaches
– Always ask yourself what tools are appropriate for a
particular environment.
– For example, which of the following is appropriate for
SPAM mitigation?
• Authentication
• Access Control
• Transport/Data Security
• Audit/Detection
– What about protecting the confidentiality of your email?
• Next week: Passwords and Authentication