Introduction to Information Security

Transcription

1 Introduction to Information Security Chapter 1 Information Security Basics Winter 2015/2016 Stefan Mangard,

2 What is Information Security? 2

3 Security vs. Safety The German word Sicherheit includes Security and Safety Security Safety 3

4 Buzzwords and Their Definitions 4

5 Information Security always starts with assets. An asset is anything (e.g. an information, a service or a device) that has value to an entity (e.g. an organization or a person). Fotos Documents Website 5

6 Security Properties Security properties of assets define what makes the asset valueable The three central security properties are Confidentiality Integrity Availability 6

7 Confidentiality Confidentiality is a property that applies to information. Preserving the confidentiality of information means that is not made available or disclosed to unauthorized entities. Example A picture must only be available to a certain group of people 7

8 Integrity Integrity can apply to information or a service/system. Preserving the integrity means that changes can only be done in a specified and authorized manner. Example A website must not be altered by hackers 8

9 Availability Availability can apply to information or a service/system. Ensuring availability means that there is timely and reliable access to the information or service. Example A picture or website should be viewable whenever you like to see it 9

10 More Security Properties There are many more security properties in literature on IT security that partly overlap with the three main properties Prominent examples Authenticity: to assure that information is from the source it claims to be from. Non-Repudiation: to assure that someone cannot deny something (e.g. having received some information). Privacy, anonymity: typically map to other security properties, such as the confidentiality of personal information. 10

11 Assets and Security Properties Assets and security properties define what we care about Finding the assets and their security properties is a crucial first step of every security analysis You should always dig for the low-level assets don t simply state the mobile phone is an asset, but determine what assets on your mobile phone make your phone an asset 11

12 What assets do you have on your mobile phone? Stefan Mangard, 12

13 Threats Threats define what can go wrong A threat describes a potential violation of security. The sum of all threats describes everything that can lead to a violation of a security property of the asset. Typically threats can be grouped to hierarchical classes of a threats that form an attack tree 13

14 An Attack Tree for a Safe Assume we place a confidential document in a safe What are the threats? Let s build a complete attack tree 14

15 Attack Surface The larger, the attack tree, the larger is the attack surface How would the attack tree look like, if you placed the document not in a safe, but in a room of your apartment/your car/your garden/your work place? Clearly the goal is always to minimize the attack surface 15

16 Attacks Trees for Large Systems can become and Complex Stefan Mangard, Example branch that could lead to the disclosure of a confidential file on a mobile phone Attack via network vs. local attack Software bug vs. side-channel vs. trojan vs.. Application level vs. OS level Asset. 16

17 When Threats Become Reality Vulnerability: A concrete flaw or weakness in system security that can be exploited by one or more threats Attack: A concrete attempt to violate one of the security properties of an asset. Asset with a certain value and certain security properties Threats Vulnerabilities Attack 17

18 The Path From an Asset to an Attack Asset with a certain value and certain security properties Threats Vulnerabilities Attack Minimize the attack surface Verification and checks Updates and Patches The goal when designing a secure system is to break these links 18

19 Do We have to Break All Links? No Each link is associated with a certain probability The sum of the probabilities for the paths that lead from an asset to an attack constitute the risk of a security violation In practical settings, this probability is not zero 19

20 Secure Systems Security is about risk management. It is about finding balance between risks and the effort for security measures 20

21 The Door to Your Apartment 21

22 A Safe 22

23 Fort Knox, Kentucky, USA [1] 23

24 How do we build a secure IT system? 24

25 General Guidelines General guidelines to breaking the links from assets to attacks in practice Asset Threat Design systems with security in mind adding security on top of an existing design typically leads to a large attack surface Threat Vulnerability Use established standardized security mechanisms and use them correctly Proofing, verification, testing of security features Vulnerability Attack Prepare for the fact that things can go wrong Update mechanisms, logging, tracing mechanisms 25

26 The Typical Design Is an Iterative System Definition Stefan Mangard, Identification of assets, threat modeling and rating of risks System definition Threats including risk rating Accept risks Final system definition update of security mechanisms 26

27 The Nature of Security Mechanisms Security mechanisms shift the problem of protecting one asset to protecting another (new) asset that is more easy to protect Example Asset is a confidential file Security mechanism is to protect the access by a password New assets: password, password checking function Security mechanism is to encrypt the files New assets: the cryptographic key, the encryption software Nothing is for free ;-) 27

28 Threat Modeling The process of collecting all assets, threats and risks is called Threat Modeling Threat modeling takes a lot of time it is worth the time! Do not start implementing security mechanisms without having done threat modeling Threat modeling can be done at different levels of abstraction Security requirements definition System level Device level Software Hardware 28

29 Tools Microsoft offers the free tool SDL Threat Modeling Tool STRIDE Threat Model Spoofing Tampering Repudiation Information Disclosure Denial of Service Elevation of Privilege 29

30 Checklist for Threat Modeling List of assets complete? Where are the assets processed (which devices)? Does the threat modeling indeed fit to the implementation? Are all standard threats (STRIDE) mitigated? Are mitigations done right? 30

31 Security Policy A security policy is a statement of what is allowed and of what is not allowed Security policies for persons Define what the person is allowed to do or not Example: The password must be at least 10 characters long and include numbers, lowercase and uppercase letters and a punctuation mark Don t write down your password Lock confidential documents in a safe when leaving the work place Printed confidential documents must not leave the workplace (e.g. to work at home) Security are vital and every company needs to have one 31

32 Security Policy Security policies can also be technical and formal Formal definitions of a security policy are used to do a formal verification of the security of software/hardware Examples Access to this file must only be granted, if The content of register xy must always be cleared, when there is a task switch 32

33 Security Mechanisms and Policies When designing security mechanisms and policies, do not forget about the humans! [2] 33

34 Security Mechanisms and Policies When designing security mechanisms and policies, do not forget about the humans! [2] 34

35 Security Mechanisms in a Typical System Computer Security (Part 2 of IIS) Communication (e.g. network) Computation (the CPUs) Cryptography Cryptography (Part 1 of IIS) Storage (e.g. hard disk, memories, flash, cloud) 35

36 Supplementary Material 36

37 Supplementary Material Books Matt Bishop: Computer Security: Art and Science, ISBN-13: William Stallings and Lawrie Brown: Computer Security Principles and Practice, ISBN-13: Web Threat modeling at Microsoft 37

38 Credits 38

39 Images [1] Fort Knox: By Cliff [CC BY 2.0 ( via Wikimedia Commons [2] Crypto Nerd Comic: via xkcd 39