CSE 4380 Exam 1

Last updated 1:06 AM on 3/25/26

87 Terms

1

Information Security

The protection of information from accidental or intentional misuse by persons inside or outside an organization

2

Key Security Concepts

Confidentiality, integrity, availability

3

Confidentiality

Assurance that confidential information is not disclosed to unauthorized individuals

4

Integrity

Assures that information and programs change only in an authorized or specified manner. Maintains trustworthiness of the data.

5

Availability

Assures that data works promptly and service is not denied to authorized users.

6

Types of attacks

-Passive: Learn about the system

-Active: Attempt to alter system

-Insider: Initiated by someone inside security perimeter

-Outside: Initiated outside the perimeter

7

Attack surface

Consists of the reachable and exploitable vulnerabilities in a system (Network, Software, and Human Attack)

8

Countermeasures

Prevent, Detect, Recover

9

Cryptographic tools

-Symmetric Encryption (Confidentiality)

-Secure Hash Functions (Integrity)

-Asymmetric Encryption (Confidentiality & Integrity)

10

Symmetric Encryption

the same key is used to encode and decode

11

Block Ciphers

-Encrypt data in blocks; the most common symmetric encryption algorithms

-Good for when you are sending blocks of data such as email, file transfer, etc.

12

Data Encryption Standard (DES)

A symmetric block cipher that uses a 56-bit key and encrypts data in 64-bit blocks.

13

Triple DES

Repeats basic DES algorithm three times using either two or three unique keys, using a key size of 112 or 168 bits. More secure than DES but slower

14

Advanced Encryption Standard (AES)

A symmetric cipher that was approved by the NIST as a replacement for DES. Efficiency and security. Supports key lengths of 128 and 256 bits

15

Two requirements for secure use of symmetric encryption

-Need strong encryption algorithm

-Sender and receiver must have obtained copies of secret keys in a secure fashion

16

Cryptanalysis Attack

-Rely on nature of the algorithm and knowledge of the plain text

-If successful all future and past messages are jeopardized

17

Brute Force attack

An attack on passwords or encryption that tries every possible password or encryption key.

18

Average time required for exhaustive key search

AES takes more time than DES and triple DES

19

Stream Cipher

-An encryption method that encrypts a single bit at a time.

-Good for when data is sent over a communications channel such as a web link.

20

Stream Cipher vs Block Cipher

Stream Ciphers have higher throughput

21

Advantages of a block cipher

You can reuse keys

22

Message authentication

-Protects against active attacks

-Verifies received message is authentic

-Can use conventional encryption

23

Replay Attack

An attack where the data is captured and replayed. Attacker resends message since they have the hash and the receiver could potentially send information back.

24

Hash Function

Accepts a variable-size message M as input and produces a fixed-size message digest h = H(M) as output.

25

Hash Function Properties

-Applied to any size data

-H produces a fixed-length output

-H(x) easy to compute for a given x

-One-way resistant (Infeasible to reverse hash)

-Weak collision resistance

-Strong Collision resistance (Prevents the same hash from being found)

26

Attacking Hash Functions

-Exploit weaknesses in algorithm

-Strength of hash code depends on length of code

27

Public Key Encryption

uses two keys: a public key that everyone can have and a private key for only the recipient

28

Misconceptions of Public Key Encryption

-Public Key is more secure from cryptanalysis attacks than symmetric encryption

-Public-Key has made symmetric encryption obsolete

-Key distribution is trivial

29

Public-Key for confidentiality

If someone sends a message using another person's public key, then only that person can decrypt the message using their private key.

30

Public-Key for Integrity and Authentication

If someone uses their private key to send a message to someone else, then that other person can decrypt using the sender's public key and verify that the message was sent from them.

31

Digital Signature

Asymmetric encryption of a hash of message

32

What is the purpose of a hash function in a digital signature?

Makes the signature faster to compute

33

Public key for both integrity and confidentiality

Sender encrypts hash using private key as the digital signature. Receiver decrypts message using their own private key. After decrypting the digital signature of the sender, if the result is equal to the hash function, then integrity is validated.

34

Public Key Certificates

Used to validate if a public key belongs to a certain person. Certificate Authority is passed in a message.

35

Digital Envelope

a technique that uses symmetric encryption for large documents, but public key encryption to encrypt and send the symmetric key

36

RSA Encryption

The system used an algorithm that involves multiplying two large prime numbers to generate a public key, used to encrypt data and decrypt an authentication, and a private key, used to decrypt the data and encrypt an authentication.

37

What makes it hard for hackers to generate private key for RSA?

-Easy to compute modulus if chi(n) is known, but they do not have it

-If p and q are big enough then it is very hard to factorize n

38

Security of RSA

-Brute force attacks that try all possible keys

-Mathematical approach with figuring out the prime factorization

39

User Authentication

-The process of verifying an identity claimed by or for a system entity

-Fundamental building block and first line of defense

40

Steps of authentication

Identification and Verification

41

Problems with various forms of authentication

-Password can be stolen

-Tokens could be stolen or forged

-A lot of overhead for managing passwords and tokens

42

Password Authentication

- widely used line of defense against intruders

> user provides name/login and password

> system compares password with the one stored for that specified login

- the user ID:

> determines that the user is authorized to access the system

> determines the user's privileges

> is used in discretionary access control

43

Password Vulnerabilities

Offline dictionary attack (System Files)

Specific account attack

Popular password attack

Password guessing against a single user

Workstation hijacking

Exploiting user mistakes

Exploiting multiple password use

Electronic monitoring

44

Password Vulnerability Countermeasures

-Enforcing password policies

-System logon protocols

-Etc.

45

Hashed Passwords with Salt Value

-Password is combined with a fixed-length salt value to make attacks harder

-MD5 and Bcrypt are common hash/salt schemes used

46

Advantages of salt value

-Without salt, attacker can pre-compute hashes of all common passwords once

-With salt, attacker must compute hashes of all common passwords for each possible salt value.

47

Password Cracking

-Dictionary Attacks

-Rainbow Table Attacks (Not feasible with larger salt values)

-Custom GPU Hardware and cloud-based cracking tools exist

48

Multi-Factor Authentication

-A method of confirming users' claimed identities by using a combination of two or more different factors

49

Remote User authentication

- Authentication over a network, the Internet, or a communications link is more complex

- Additional security threats such as: eavesdropping, capturing a password, replaying an authentication sequence that has been observed

50

Authentication Security Issues

-Client Attacks

-Host Attacks

-Eavesdropping, Theft, copying

-Replay (Repeats previous user response)

-Mitigated with longer unpredictable passwords and multi-factor authentication.

51

Access Control

-Constrains what a user can do directly, as well as what programs executing on behalf of the users are allowed to do.

-Coexists with identification and verification

52

Access Control Elements

subject, object, and access right

53

Discretionary Access Control (DAC)

-User oriented security policy

-Entity has rights to enable another entity to access a resource

-Uses a control matrix, which has subjects for rows and objects for columns

54

Access Control List (ACL)

-Access rights stored with objects

-ACL can contain default entries

-Elements of ACL include individuals and groups

-Linked list with each node containing the subject and the access rights for each object

-ACL requires authentication

-Used in UNIX and Windows

55

Capability List

- The subject is stored with the access right for each subject.

- A linked list where each node is an object and access right and the head is the subject

56

DAC Security Issues

It is prone to trojan horse attacks to grant an attacker privileges

57

Role-Based Access Control (RBAC)

-Access control based on employee job functions rather than data ownership since company owns objects.

-Based on roles users assume in organization

58

Role

Represents users and defines permissions

59

Security Management with RBAC

-User-role relationship changes over time

-Roles are likely to be static

-Role Permissions relatively stable

60

Advantages of RBAC

-Authorization management (Easy revocation of rights)

-Hierarchical roles

-Least Privilege

-Separation of duties

61

Attribute-based access control (ABAC)

This is an access control paradigm whereby access rights are granted to users with policies that combine attributes together.

62

Subject Attributes

-A subject is an active entity that causes information to flow among objects

-Attributes define the identity and characteristics of the subject

63

Object Attributes

-Information system-related entity containing or receiving information

-Can make access control decisions

64

Environment Attributes

-Describes the operational or technical environment in which information access occurs

65

ABAC Logical access control model

-Relies on evaluation of attributes of subject and object

-Can enforce any access control rule

66

ABAC Policies

Set of rules and relationships that govern allowable behavior within an organization, based on privileges of subjects

67

Intrusion

A security event, in which an intruder gains or attempts to gain access to a system

68

Anomaly Detection

Current observed behavior is analyzed to determine whether this behavior is that of a legitimate user or that of an intruder

69

Signature/Heuristic Detection

Uses a set of known malicious data patterns or attack rules that are compared with current behavior. Also known as misuse detection. Can only identify known attacks for which it has patterns or rules.

70

Signature Detection (Misuse Detection)

-IDS uses attack signatures to detect intrusion

-Signatures are events that describe a known attack

-Attacks of the same kind show the same patterns

71

Signature Detection (Misuse Detection) Advantages

Very good at detecting attacks without creating false alarms

72

Signature Detection (Misuse Detection) Disadvantages

-Can only detect attacks they know of, so system must be constantly updated to detect new attacks

-Some misuse detection cannot detect variants of a certain attack

73

Anomaly Detection Advantages

-Can detect unusual behavior

-Can produce information used to identify attack signatures

74

Anomaly Detection Disadvantages

-Produce a large number of false alarms

-Require event records to identify normal behavior patterns

75

host-based intrusion detection system (HIDS)

-Adds specialized layer of security to vulnerable systems

-Can use anomaly or signature based approaches

-Monitors suspicious behavior (intrusions, suspicious events, sends alerts)

76

Network-Based Intrusion Detection System (NIDS)

-Deploying sensors at strategic locations

-Inspect network traffic and user activities

77

Network Based vs. Host Based

-Network based can detect intrusions that cross a network segment

-Host Based can examine log files and inbound/outbound packets

-In an organization it is best to use both.

78

Confusion Matrix

A matrix with whether an intrusion was made in the columns and whether there was an alarm in the rows. The data in the matrix indicates whether there were true positives or false alarms.

79

Firewall

Hardware and software that isolates an organization's internal network from the internet at large.

80

Need for firewalls

-Protecting LANs

-Establish a controlled link

-Used as perimeter defense

81

Firewall goals

-Traffic inside and outside the firewall must pass through it

-Only authorized traffic will be allowed to pass

82

Firewall Filter Characteristics

-IP Address

-Application protocol

-User identity

-Network Activity

83

packet-filtering firewall

- Applies rules to each incoming and outgoing IP packet

- Typically a list of rules based on matches in the IP or TCP header

- Forwards or discards the packet based on rule matches

84

Packet Filter Advantages

-Simplicity

-Typically transparent to users and are very fast

85

Packet Filter Disadvantages

-Cannot prevent attacks that are application specific

-Limited logging functionality

-Does not support advanced user authentication

-Vulnerable to TCP/IP protocol bugs

-Improper configuration can lead to breaches

86

Stateful Inspection Firewall

-Tightens rules for TCP traffic by creating a directory of outbound TCP connections:

-There is an entry for each currently established connection.

-Reviews packet information but also records information about TCP connections

-Keeps track of TCP sequence numbers to prevent attacks that depend on the sequence number

-Inspects data for protocols like FTP, IM, and SIPS commands

87

Application level gateway

-Acts as a relay to application level traffic

-Must have proxy code for each application

-Tends to be more secure than packet filter

-Disadvantage is the additional processing and overhead.
