Saturday, June 20, 2009

Intro to Security, Security Design and Security Threats

Introduction:

Most organizations have data that they do not want read or compromised by anyone without authorization, and to protect it they have to employ security. Yet most organizations think of security not as a goal but as a feature to be added to their product or environment.
In this article we will talk about security, security design and security threats, and we will mention some frameworks used to achieve our goal.
By security here we mean computer security. We will also see how to design a secure solution and how to think like an attacker in order to design such a solution.

Meet the Hacker:

The Presenter: After serving a five-year prison term for breaking into the computers of several high-tech firms, stealing software and causing millions of dollars in damage, the famous Programmer 1 has renounced his old ways and launched a career as a public speaker and computer security consultant. He now owns a security company. Please welcome Programmer 1. (…audience screaming…)

Programmer 1: Thank you, thank you.

The Presenter: So in today’s subject we will be talking about security, so what do you have?

Programmer 1: Well, if it were not for Alice and Bob nothing would have gone wrong (laughing). In all security books you will find that Alice wants to send Bob some text and she is not sure whether this is Bob or not, or if Bob is a good or bad guy. If they had got married from the beginning they would have trusted each other and solved a lot of problems, and all our systems would have been secured by now, but nothing goes as we like.

Secure software:

Security was introduced in the first place to protect information and information systems from unauthorized access, use, disclosure, disruption, modification or destruction. In order to achieve that, we need to make sure that we apply the following principles in our system:


Application security:

An application can suffer from security problems. For example, suppose the application allows only certain users to download valuable documents. An attacker can gain access if there is a bug in how the application ascertains the identity of the user. If the user’s identity is not ascertained properly, it may be possible for an attacker to get access to valuable documents to which she would not otherwise be granted access.

The creators of the application can issue patches that can be installed to eliminate the vulnerabilities in the application. A patch is an updated version of the software. The patch does not have to consist of an entirely updated version, but may contain only components that have been fixed to eliminate security-related bugs.

Host Security (AKA OS security):

Operating system security is important, and the OS you are working on must be secure. Most of the time this is not true (that’s why the Windows team releases security patches every now and then, installed through automatic update), so it is possible for an attacker to exploit some vulnerability in the operating system. Even if you are running a secure application, the attacker can still attack it, since your application relies on the operating system all the time.

Communication Layer security (AKA Network security):

Network security is as important as OS and application security: we need to allow authorized and safe traffic and ban any suspicious traffic. Here we are talking about the packet level, as there might be packets that cause unexpected behavior when handled by the software we need to secure, which might enable the attacker to obtain restricted information. To deal with this we can use firewalls and intrusion detection systems (but that is not guaranteed 100%; some attacks might bypass the firewall and reach the data we need to secure).

Security Concepts:

Now that we have seen what security is and what it takes to make a secure system, we need to look at the security concepts, which are as follows:

Authentication:

Authentication is the act of verifying someone’s identity. For example, when Alice is communicating with Bob she wants to make sure that she is really communicating with Bob and not with someone who impersonates Bob.
Authentication can be done in three ways, so that Alice knows it is truly Bob who is communicating with her:

  • Something the user has:

    ATM card: an example of “something the user has” authentication. An ATM card has a magnetic stripe that stores data (the user’s account number). This data is used as part of the authentication process when a user wants to use the ATM.

    An ATM card is not that secure, because anyone who has a magnetic stripe reader can access the information stored on the card without any additional information, such as a PIN. It is also not that difficult to copy an ATM card onto a blank magnetic stripe card. Since the magnetic stripe on an ATM card is so easy to copy, credit card companies sometimes also incorporate holograms or other hard-to-copy elements on the cards themselves to address this issue.

    Smart card: another example of something the user has. Unlike an ATM card, a smart card is more difficult to copy or read: the microprocessor, memory, and other components that make up the “smart” part of the smart card are glued together such that there is no easy way to take the card apart. The only feasible way to communicate with the microprocessor is through its electronic interface. Smart cards were designed with the idea that the information stored in the card’s memory would only be accessible through the microprocessor. A smart card’s microprocessor runs software that can authenticate a user while guarding any secret information stored on the card. In a typical scenario, a user inserts a smart card into a smart card reader, which contains a numeric keypad.

    A hacker was able to find a way to attack the smart card and obtain the PIN code without any suspicious acts (without faking anything at all): when the microprocessor processes the PIN code entered by the user, each character entered produces a different electrical signal from the other characters, and by observing the signals the PIN code can be recovered. As we can see, though, this is a real headache and takes a lot of time.

  • Something the user knows:

    Alice will ask Bob to supply something only he knows (we hope he didn’t get drunk and tell other people the password); for example, this might be a password or a PIN code.

    Password-based systems are easy to implement and easy for users to use, but this type of authentication has many disadvantages: most users choose a simple password (so that they can easily remember it), which might be a common word, a birth date, a wife’s name, …

    Some systems force the user to change his/her password every now and then, but that pushes the user to write the password down on paper so that he won’t forget it (and an attacker might find that paper).

  • Something the user is or does:

    Most of the authentication techniques here are biometric techniques; in other words, the user’s biological characteristics are measured and used as a way to authenticate the user.

    Examples are palm scans, facial and iris recognition, voice identification, …

    In a palm scan, the user puts his hand on a scanner, which scans the hand, the size of the fingers and hand, and the curves in the hand (it is more efficient than fingerprints).

    In facial and iris recognition, the user stands in front of a camera, which takes a picture of the user (or scans the iris in the case of iris recognition) and sends it to the computer, so that the computer can recognize and extract features from the picture or scanned image.

    In voice identification, the computer asks the user to say a particular phrase and compares the sample taken with previously stored samples to find a match or a close match.

The disadvantages of these methods are:

  • social acceptance: people might reject the use of such an authentication method because they are not comfortable with it.

  • false positive and negative: a false positive occurs when a valid user is rejected by the biometric device, while a false negative occurs when an attacker manages to pass himself off as a valid user (biometric methods suffer from this problem a lot; for example, I might put wax on my fingers to overcome fingerprint scanning devices).

  • key management: measurements of the user’s biological characteristics are used to construct a key for a particular user. If an attacker is able to obtain a user’s biological measurements, the attacker will be able to impersonate the user. The issue in this case is that we cannot revoke the user’s key, because the user cannot get a new fingerprint (unless you get a new hand).

As we have seen, we can’t revoke the user’s biometric key, whereas the keys in password systems are generated from passwords, and users can easily have their passwords changed if they are ever stolen or compromised. Biometric authentication becomes ineffective once attackers are able to impersonate biometric measurements.

Some systems combine the two methods, so that if the biometric authentication is broken because the attacker was able to impersonate the user, the attacker still has another step to pass before being granted access (in this case the password, and if that is broken too, it can easily be changed).

Authorization:

It is the act of checking whether the user is allowed to carry out some action or not.

For example, Alice wants to read a file or write to a file; before she performs the action, the operating system checks whether she is allowed to do it or not.

To do so, the operating system uses something called an access control list (ACL). The ACL is a set of users and a corresponding set of resources they are allowed to access or act on. In a typical ACL, each entry in the list specifies a subject and an operation: for example, the entry (Alice, delete) on the ACL for file WXY gives Alice permission to delete file WXY.

In some ACL implementations another piece of information called a role is added, which enables a user or principal to access a particular resource. For example, all the users in the group programmer will be allowed to read the contents of a specific folder but won’t have the privilege of writing anything contained in this folder.

ACLs can be used to implement one of the three access control models:

-Mandatory access control (MAC):

Is an access policy determined by the system, not the owner. MAC is used in multilevel systems that process highly sensitive data, such as classified government and military information. A multilevel system is a single computer system that handles multiple classification levels between subjects (those who perform actions, for example Alice) and objects (the things actions are applied to, for example a document file).

Sensitivity labels: In a MAC-based system, all subjects and objects must have labels assigned to them. A subject's sensitivity label specifies its level of trust. An object's sensitivity label specifies the level of trust required for access. In order to access a given object, the subject must have a sensitivity level equal to or higher than the requested object.
Data import and export: Controlling the import of information from other systems and export to other systems (including printers) is a critical function of MAC-based systems, which must ensure that sensitivity labels are properly maintained and implemented so that sensitive information is appropriately protected at all times.

If Alice creates a new document, the system can decide that no one but Alice is allowed to access that document. Alice herself does not have the right to decide who else is allowed to access the file that she authored. Even if she wants to share the document she authored with her friend Bob, she is not authorized to make that decision. For instance, if Alice creates a file /home/Alice/document.txt in a system with a MAC model, there would be no way for Alice to decide on her own to allow Bob to see that file. In a MAC model, only the computer system determines who is authorized to access documents that Alice creates.

-Discretionary access control (DAC):

Is an access policy determined by the owner of an object. The owner decides who is allowed to access the object and what privileges they have.

Two important concepts in DAC are:

  • File and data ownership: Every object in the system has an owner. In most DAC systems, each object's initial owner is the subject that caused it to be created. The access policy for an object is determined by its owner.

  • Access rights and permissions: These are the controls that an owner can assign to other subjects for specific resources.
    In a discretionary access system, Alice could let Bob access a file at her discretion by issuing a command to the system, and then Bob would be given access to that file. For instance, in UNIX, which uses a DAC model, Alice could issue the command chmod a+r /home/Alice/document.txt to allow all users on the system to read the file.

-Role based access control (RBAC):

Is an access policy determined by the system, not the owner. RBAC is used in commercial applications and also in military systems, where multi-level security requirements may also exist. RBAC differs from DAC in that DAC allows users to control access to their resources, while in RBAC, access is controlled at the system level, outside of the user's control. Although RBAC is non-discretionary, it can be distinguished from MAC primarily in the way permissions are handled. MAC controls read and write permissions based on a user's clearance level and additional labels. RBAC controls collections of permissions that may include complex operations such as an e-commerce transaction, or may be as simple as read or write. A role in RBAC can be viewed as a set of permissions.

Three primary rules are defined for RBAC:

1. Role assignment: A subject can execute a transaction only if the subject has selected or been assigned a role.

2. Role authorization: A subject's active role must be authorized for the subject. With rule 1 above, this rule ensures that users can take on only roles for which they are authorized.

3. Transaction authorization: A subject can execute a transaction only if the transaction is authorized for the subject's active role. With rules 1 and 2, this rule ensures that users can execute only transactions for which they are authorized.

Additional constraints may be applied as well, and roles can be combined in a hierarchy where higher-level roles subsume permissions owned by sub-roles.
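
The three rules and the role hierarchy can be written down as a small decision procedure. The following is an added example, not code from the original article: the class, the transaction names, the role hierarchy and the subject "carol" are constructed for illustration, and the salary check anticipates the CEO/manager case described below.

```python
class RBAC:
    """Minimal RBAC core: a role is a set of permitted transactions."""

    def __init__(self):
        self.role_perms = {}   # role -> transactions granted directly
        self.sub_roles = {}    # role -> sub-roles whose permissions it subsumes
        self.authorized = {}   # subject -> roles the subject may take on
        self.active = {}       # subject -> role currently selected
        self.reports = {}      # manager -> subordinates (data for a constraint)

    def permissions(self, role):
        """Permissions of a role plus everything inherited from sub-roles."""
        seen, stack, perms = set(), [role], set()
        while stack:
            r = stack.pop()
            if r in seen:      # guards against cycles in the hierarchy
                continue
            seen.add(r)
            perms |= self.role_perms.get(r, set())
            stack.extend(self.sub_roles.get(r, ()))
        return perms

    def activate(self, subject, role):
        # Rule 2 (role authorization): only an authorized role becomes active.
        if role not in self.authorized.get(subject, set()):
            return False
        self.active[subject] = role
        return True

    def can_execute(self, subject, transaction):
        role = self.active.get(subject)
        if role is None:       # Rule 1 (role assignment): no role, no transaction
            return False
        if role not in self.authorized.get(subject, set()):
            return False       # Rule 2 re-checked in case the role was revoked
        return transaction in self.permissions(role)   # Rule 3

    def can_read_salary(self, subject, employee):
        """Additional constraint: managers see only their subordinates."""
        if self.can_execute(subject, "read_any_salary"):
            return True
        return (self.can_execute(subject, "read_subordinate_salary")
                and employee in self.reports.get(subject, set()))


def build_demo():
    """Constructed company: carol is CEO, alice manages bob."""
    rbac = RBAC()
    rbac.role_perms = {
        "programmer": {"read_source"},
        "manager": {"read_subordinate_salary"},
        "ceo": {"read_any_salary"},
    }
    rbac.sub_roles = {"ceo": {"manager"}, "manager": {"programmer"}}
    rbac.authorized = {"carol": {"ceo"}, "alice": {"manager"},
                       "bob": {"programmer"}}
    rbac.reports = {"alice": {"bob"}}
    return rbac


if __name__ == "__main__":
    demo = build_demo()
    demo.activate("alice", "manager")
    print(demo.can_read_salary("alice", "bob"))
```

Re-checking authorization inside can_execute means that revoking a role takes effect immediately, even for a subject that already has the role active.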

Most IT vendors offer RBAC in one or more products.

We can see RBAC in action through this example: the CEO may be allowed to access salary information about any employee in the company, whereas a manager may only be able to access salary information about his or her subordinates.

Another example might use the concept of a group in the UNIX operating system to implement RBAC. All users with a particular role would be placed in a group with the same name as their role (e.g., Alice and Bob would be members of the group programmer).

To make the file /home/Alice/document.txt available to all programmers, one could use the command chgrp programmer /home/Alice/document.txt. As long as the file has group read privileges, all users within the programmer group will have read privileges for the file.

-Bell-LaPadula Model (BLM):

The Bell-La Padula Model is a state machine model used for enforcing access control in government and military applications. It was developed by David Elliott Bell and Leonard J. La Padula, to formalize the U.S. Department of Defense (DoD) multilevel security (MLS) policy.

In such applications, subjects and objects are often partitioned into different security levels.

A subject (Alice for example) can only access objects (the document.txt file for example) at certain levels determined by the subject’s security level. For example: unclassified personnel cannot read data at confidential levels, and Top-Secret data cannot be written into files at unclassified levels.

There are three rules that guide the decisions about which users are allowed to access which files: the simple property, the star property, and the tranquility property.

The simple property: states that if a user has a particular level of access, then that user is not allowed to access any information resources that have a higher classification than the user does. In essence, a user that has only unclassified access will only be able to access unclassified files.

The star property: if a user has secret level access, then the user is not allowed to write any files or create any resources that have a lower level of access. For example, if a user logs into a system and has secret level access, that user is not allowed to write any files that would be accessible by someone with only confidential or unclassified access.

The tranquility property: states that the classification of a file cannot be changed while that file is in use by any user of the system. (The file is not considered to be tranquil while it is being edited or written.)

In the model, an access request (subj, obj, acc) is granted if and only if all of the following properties are satisfied:

Simple security property (no read up): if acc is read, then level(subj) should dominate level(obj).

Star property (no write down): if acc = append, then level(obj) should dominate level(subj); if acc = write, then level(obj) should be equal to level(subj).
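
The decision rule above, together with the tranquility property, fits in a few lines of code. This is an added example, not part of the original article: the four levels are the ones named in the text, their strict ordering is an assumption, and ReferenceMonitor and its methods are hypothetical names.

```python
from enum import IntEnum


class Level(IntEnum):
    # Levels named in the article; the total ordering is assumed here.
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


def dominates(a: Level, b: Level) -> bool:
    """a dominates b when a is at least as high as b."""
    return a >= b


def blp_granted(subj: Level, obj: Level, acc: str) -> bool:
    """Decide an access request (subj, obj, acc)."""
    if acc == "read":      # simple security property: no read up
        return dominates(subj, obj)
    if acc == "append":    # star property: no write down
        return dominates(obj, subj)
    if acc == "write":     # write also observes, so the levels must be equal
        return obj == subj
    return False           # unknown access mode: deny by default


class ReferenceMonitor:
    """Hypothetical monitor that also enforces the tranquility property."""

    def __init__(self):
        self.subjects = {}    # subject name -> Level
        self.objects = {}     # object name -> Level
        self.open_count = {}  # object name -> number of current users

    def access(self, subj: str, obj: str, acc: str) -> bool:
        ok = blp_granted(self.subjects[subj], self.objects[obj], acc)
        if ok:
            self.open_count[obj] = self.open_count.get(obj, 0) + 1
        return ok

    def release(self, obj: str) -> None:
        self.open_count[obj] = max(0, self.open_count.get(obj, 0) - 1)

    def reclassify(self, obj: str, new_level: Level) -> bool:
        # Tranquility: the label may not change while the object is in use.
        if self.open_count.get(obj, 0) > 0:
            return False
        self.objects[obj] = new_level
        return True


def demo():
    """Constructed scenario: Alice is cleared SECRET, Bob is UNCLASSIFIED."""
    rm = ReferenceMonitor()
    rm.subjects = {"alice": Level.SECRET, "bob": Level.UNCLASSIFIED}
    rm.objects = {"document.txt": Level.CONFIDENTIAL}
    out = {}
    out["bob_read"] = rm.access("bob", "document.txt", "read")          # read up
    out["alice_append"] = rm.access("alice", "document.txt", "append")  # write down
    out["alice_read"] = rm.access("alice", "document.txt", "read")      # read down
    out["relabel_in_use"] = rm.reclassify("document.txt", Level.SECRET)
    rm.release("document.txt")
    out["relabel_idle"] = rm.reclassify("document.txt", Level.SECRET)
    out["alice_write"] = rm.access("alice", "document.txt", "write")    # same level
    return out


if __name__ == "__main__":
    for name, granted in demo().items():
        print(name, granted)
```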

Confidentiality:

The ISO (International Organization for Standardization) defines confidentiality as “ensuring that information is accessible only to those authorized to have access”, and it is one of the cornerstones of information security. In other words: the goal of confidentiality is to keep the contents of a transient communication or data on temporary or persistent storage secret.

If Alice and Bob want to exchange some information that they do not want the attacker to see, the challenge is to make sure that the attacker is not able to understand that information, even if the attacker can see the bits that are being transferred over the network.

Usually, some kind of encryption technology is used to achieve confidentiality, which we will cover in the upcoming parts. For example, a credit card transaction on the Internet requires the credit card number to be transmitted from the buyer to the merchant and from the merchant to a transaction processing network.

The system attempts to enforce confidentiality by encrypting the card number during transmission, by limiting the places where it might appear (in databases, log files, backups, printed receipts, and so on), and by restricting access to the places where it is stored.

On an Ethernet network that uses a hub (as opposed to a switch), for instance, each computer is capable of actually seeing all the network traffic that is generated and received by any other computer. A computer’s operating system is typically responsible for only allowing applications running on that computer to access traffic that is directed to or from that computer, and filtering out traffic that originates or is destined for other computers on the same network. However, if a user has root or administrator privileges on a computer, that user can use a software package such as Ethereal, tcpdump, or dsniff to access network traffic.

These software packages are run in a “promiscuous mode,” in which the operating system gives the software access to all traffic on the network instead of providing filtered traffic that is just directed to or from the computer on which it is running. Such packages exist to help network administrators and engineers debug problems, but they can also be used for eavesdropping.

Integrity:

Integrity means that data cannot be modified without authorization.

Alice and Bob can use an integrity check to detect whether an attacker has messed up or modified the messages in their conversation.

One approach they can take to ensure message integrity is to add redundancy to the messages, which would not be that effective, as it requires a lot of communication overhead (and still won’t solve the problem).

Another approach is to use CRCs (cyclic redundancy checks) to achieve integrity and detect when bits in a message have been lost or altered due to inadvertent communications failures. These techniques compute short codes that are functions of the message being sent.

But this is still not sufficient, because if the attacker knows that a CRC is being used, he can change the CRC code so that it matches the modified message.

The ultimate solution for this is to use message authentication codes (MACs).
A MAC is not only a function of the message itself, but also a function of a key known only to Alice and Bob, such that even if the attacker is able to modify the bytes of a message, he will not be able to appropriately modify the corresponding MAC.
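
The difference between the two checks can be seen by running both over the same message. This is an added example, not part of the original article: HMAC-SHA256 from the Python standard library stands in for "a MAC", and the key, the messages and the function names are constructed.

```python
import hashlib
import hmac
import struct
import zlib

KEY = b"constructed key known only to Alice and Bob"  # sample value
MSG = b"Alice pays Bob 100"                           # constructed message
TAG_LEN = hashlib.sha256().digest_size                # 32 bytes


def crc_frame(msg: bytes) -> bytes:
    """Message followed by its CRC-32: a function of the message only."""
    return msg + struct.pack(">I", zlib.crc32(msg))


def crc_ok(frame: bytes) -> bool:
    msg, code = frame[:-4], frame[-4:]
    return struct.pack(">I", zlib.crc32(msg)) == code


def mac_frame(key: bytes, msg: bytes) -> bytes:
    """Message followed by its MAC: a function of the message and the key."""
    return msg + hmac.new(key, msg, hashlib.sha256).digest()


def mac_ok(key: bytes, frame: bytes) -> bool:
    msg, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
    expected = hmac.new(key, msg, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)  # constant-time comparison


def flip_bit(frame: bytes, index: int = 0) -> bytes:
    """Simulate an inadvertent transmission error."""
    damaged = bytearray(frame)
    damaged[index] ^= 0x01
    return bytes(damaged)


def compare():
    """What the receiver notices for each kind of change."""
    altered = b"Alice pays Bob 900"
    # No secret goes into a CRC, so a changed message simply gets a new code.
    crc_modified = crc_frame(altered)
    # Without the key, the best that can be done is to reuse the old tag.
    mac_modified = altered + mac_frame(KEY, MSG)[-TAG_LEN:]
    return {
        "crc_detects_line_noise": not crc_ok(flip_bit(crc_frame(MSG))),
        "crc_detects_modification": not crc_ok(crc_modified),
        "mac_detects_line_noise": not mac_ok(KEY, flip_bit(mac_frame(KEY, MSG))),
        "mac_detects_modification": not mac_ok(KEY, mac_modified),
    }


if __name__ == "__main__":
    for check, detected in compare().items():
        print(check, detected)
```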

Accountability:

The goal of accountability is to ensure that you are able to determine who the attacker or principal is when something goes wrong or an erroneous transaction is identified, so that you have something that proves the attacker performed illegal actions. This can be done by logging each action an authorized user performs, to keep track of every action the user did.

It is also important to make sure that once the logs are written they can’t be modified (so that the attacker won’t be able to clear or modify them). A MAC (message authentication code) can be used to provide such a check.

You can also use write once, read many (WORM) media to store system logs, since once written, these logs may be hard (or even physically impossible) to modify.
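
One way to apply a MAC to a log is sketched below as an added example, not part of the original article. It goes one step beyond a MAC per entry by chaining each entry to the tag of the previous one, so that removed or reordered entries are detected as well as edited ones; the entry layout, the key and the function names are constructed.

```python
import hashlib
import hmac
import json

KEY = b"constructed log key"  # sample value; must not be readable by the logged users
GENESIS = "0" * 64            # value chained into the first entry


def _tag(key: bytes, body: dict) -> str:
    """HMAC-SHA256 over a canonical JSON encoding of the entry body."""
    data = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def append_entry(key: bytes, log: list, user: str, action: str) -> None:
    """Append an entry whose MAC also covers the previous entry's tag."""
    body = {
        "seq": len(log),
        "user": user,
        "action": action,
        "prev": log[-1]["tag"] if log else GENESIS,
    }
    log.append({**body, "tag": _tag(key, body)})


def first_bad_entry(key: bytes, log: list) -> int:
    """Return the index of the first entry that fails the check, or -1."""
    prev = GENESIS
    for i, entry in enumerate(log):
        body = {k: entry.get(k) for k in ("seq", "user", "action", "prev")}
        ok = (
            body["seq"] == i
            and body["prev"] == prev
            and hmac.compare_digest(_tag(key, body), entry.get("tag", ""))
        )
        if not ok:
            return i
        prev = entry["tag"]
    return -1


def sample_log(key: bytes) -> list:
    """Constructed log lines for the demonstration."""
    log = []
    for user, action in [
        ("alice", "login"),
        ("alice", "read /home/Alice/document.txt"),
        ("bob", "delete WXY"),
    ]:
        append_entry(key, log, user, action)
    return log


if __name__ == "__main__":
    log = sample_log(KEY)
    print(first_bad_entry(KEY, log))      # intact log
    log[1]["action"] = "logout"           # edited after the fact
    print(first_bad_entry(KEY, log))
```

The chain does not reveal entries cut from the end of the log; for that, the latest tag has to be kept somewhere the attacker cannot reach, such as the WORM media mentioned above.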

Availability:

If an attacker is able to make a system unavailable, a company may lose its ability to earn revenue. For any information system to serve its purpose, the information must be available when it is needed. This means that the computing systems used to store and process the information, the security controls used to protect it, and the communication channels used to access it must be functioning correctly. High availability systems aim to remain available at all times.

An attacker that is interested in reducing the availability of a system typically launches a denial-of-service (DoS) attack. If the web site were run on a single web server, and an attacker transmitted data to the web server to cause it to crash, it would result in a DoS attack in which legitimate customers would be unable to carry out their activities until the web server was started again.

Most web sites are not run using just a single web server, but even multiple web servers running a web site can be vulnerable to an attack against availability.

In a distributed denial-of-service (DDoS) attack, perpetrators commandeer weakly protected personal computers and install malicious software (malware) on them that sends excessive amounts of network traffic to the victim web sites.

The servers running the victim web sites are then overwhelmed with the large number of packets arriving from the commandeered computers, and are unable to respond to legitimate users.

Non-repudiation:

It implies that one party to a transaction cannot deny having received a transaction, nor can the other party deny having sent a transaction.
Electronic commerce uses technology such as digital signatures and encryption to establish authenticity and non-repudiation.
For example, Alice wants to make a transaction and doesn’t want Bob to deny the transaction (let’s say she will give Bob 100$), so she needs something or someone to make sure that Bob got the 100$ and that he can’t deny that he got money from Alice.

Conclusion:

In this part we have seen what security is and what the concepts of security are. In the next part we will look at how to design and build a secure solution, so stay tuned.

