TTM4185: Sikkerhet og robusthet i IKT-systemer
Introduction
This course is introductory and concerns complex ICT-systems and how secure and robust they are for attacks.
This article is mostly english as most of the published content (slides) are in english. The course itself is norwegian. The articles are in norwegian.
Complex systems
Complex systems are made up of components, which can be information, content, software, equipment or a complete subsystems. Most systems are complex today: They have multiple components, and does not run on one machine alone.
Challenges in complex ICT-systems:
- Integration and interdependence:
- Uncoordinated operation
- Interaction between domains
There are various dependencies within the system, which can lead to various errors:
- Physical
- Logical
- Geographical, e.g. natural disaster
- Escalating failures, when failures occurs they may lead to other failiures
Taxonomy
So there we have all these complex systems, and we want to estimate how robust and secure they are. How do we do that? We need to assign some properties and values to them, and to do that we need some definitions:
security | denotes the protection of ICT infrastructure in this course, that is protect the information infrastructure, the services and the physical infrastructure against unwanted events. |
safety | can be defined as the inability of the sytem to have an undesired effect on its environment, or the avoidance of catastrophic failiures. So: A system may be secure because it has a lot of great encryption etc., but if some failiure causes Oslo to explode, then it's not safe. |
privacy | a individual, or group of people can determine when, how and to what extent information about them is communicated to others. In other words the right to control personal data. |
dependability | the trustworthiness of a system such that reliance can justifiably be place don the service it delivers. It has three attributes: Availability, reliability and maintainability. |
availability | an attribute of dependability, and it's the ability to provide service at a given time instance or time interval. |
reliability | an attribute of dependability, and it's is the ability to provide uninterrupted services. It can be defined by the time to system's first failure, or the time of fialiure. |
maintainability | an attribute of dependability, and it's is the ability of a system to be restored to a state which it can deliver its required service |
performance | the ability of a system to provide the resources needed to deliver its service |
quality of service (QoS) | degree of compliance of a service to the agreement that exists between the user and the provider of the service |
functional requirement | something the system should do |
non-functional requirement | how the system should behave, i.e. it says something about its quality characteristics |
Threats
fault | adjudged or hypothesized cause of an error. In other words: It's a defect in a system that we think caused' an error. |
error | a deviation from how the system is required to operate. A fault can lead to an error. |
failure | transition from working service to a service that's not working. In other words: The service goes down, or does not work as expected. |
Fault and failiure timeline:
Fault leads to error leads to failiure :
Type of threats
Random threats
- Technical Software failures
- Faults embedded in software
- Outdated back-ups
- Technical hardware failures
- Short circuit in electronic devices
- Hard drives stop working
- Forces of nature
- Storms and strong winds can cause power failures.
- Flooding can cause power failures and fiber cable ruptures.
Unintentional threats
- Accidently deletion on files
- Users enters incorrect data into system
Intentional threats
- Espionage
- Software attacks
- Malware aka malicious software
- Designed to damage, disrupt, steal etc.
- Types of malware
- Virus: Propagates by inserting a copy of itself into and becoming a part of another program. Requires a user to run an executable for it to be activated.
- Worm: Standalone software, replicated itself, exploits vulnerability in target system to spread itself or use social engineering
- Trjoan: User is triced into loading/executing it. Known to create backdoors. Does not self-replicate or spread. Must spread through user interaction.
- Bot: Self-propegating robot designed to e.g. connect back to a command central. etc.
- Types of malware
- Designed to damage, disrupt, steal etc.
- Direct attacks
- Buffer overflow
- SQL Injection
- Man in the middle attackk: A third party goes between two communicating parties and reads and relays the communication
- Phishing
- (Distributed) Denial of Service
- Malware aka malicious software
- Social engineering
Top three vulnerabilities in Norway 2015
- Injection
- Broken authentication and session management
- Cross-Site-Scripting (XSS)
Countermeasures
Security
- Preventive, detective and corrective security controls
- Administrative, technical and physical security controls.
Dependability
- Fault avoidance, forecasting and removal
- Fault – tolerant design.
Safety
- Fail-safe design
Privacy
- Privacy enhancing technologies
- “Privacy by design”
- Privacy legislation
Security controls
- Are countermeasures that can be used to avoid, detect, mitigate or minimize the risk to assets.
- Three types of usages
- Preventive: Prevents an incident from occurring.
- Detective: Identify and classify an incident when occurring.
- Corrective: Limit the damage caused by an incident.
Security controls can also be classified in terms of their nature
- Administrative controls:
- Incidents response procedures
- Security awareness training
- Technical controls:
- Anti-virus software
- Authentication mechanisms
- Physical controls:
- Locked doors
- Surveillance cameras
- Guards
Technical controls
Authentication
Three means of authenticating
- Something you know:
- Password
- Pin code
- Something you own:
- BankID
- Mobile phone
- Something you are:
- Face recognition
- Fingerprint
Encryption
- Is a security control used primarily to provide confidentiality protection for data.
- It is a mathematical transformation to scramble data requiring protection (plaintext) into a form not easily understood by unauthorized people or machines (cipertext).
Cryptographic key:
- String of binary digits used as an input to encryption and decryption functions.
Symmetric encryption:
- Both sender and receiver share the cryptographic key.
- Extremely fast.
- Some problems:
- How do you know the two parties share the key?
- Need some sort of key management to deliver keys securely.
- Does not scale well.
Asymmetric encryption:
- Uses two keys: one public and one private.
- Public key for encryption
- Private key for decryption
- Scales better than symmetric, and its key management is also superior.
- Problems:
- Slower
Hybrid approach:
- The best of both worlds
Cryptographic key’s golden rules:
- Keep the cryptographic key secret:
- The security of the encryption depends on the secrecy of the cryptographic key.
- Protect the cryptographic key from modification:
- If the cryptographic key is modified, the plaintext cannot be reproduced.
- Any system using encryption should have a key recovery mechanism to recover the cryptographic key if it is lost or modified.
- Know the importance of cryptographic key length:
- The longer the key, the more possible key combinations the attacker must try.
- Generate a strong cryptographic key and transport it securely:
- If an attacker gets information about certain bits of the key, then the key is much easier to hack.
- Ideally the encryption key is generated randomly
- The safest way to share the key is through a physical device such as a USB drive.
Symmetric signature:
- Is created using a shared secret to sign and verify the message.
- Signing a message using symmetric signature involves the following steps:
- The sender creates a MAC using a shared secret key and attaches it to the message.
- The sender sent the message and MAC to the recipient.
- The recipient verifies that the MAC that was sent with the message by using the same shared secret key that was used to create the MAC.
MAC = Message Authentication Code
Asymmetric signature:
- Is processed with two keys: one key to create the signature (private) and one to verify the signature (public).
- The public key is sent with the message
- Asymmetric signature is commonly known as digital signature.
- Signing a message with asymmetric signature involves the following steps:
- The sender signs the message content using the sender’s private key and attaches it to the message.
- The sender sends the message and digital signature to the recipient
- The recipient verifies the signature using the senders public key that corresponds to the private key that was used to sign message.
Network security protocol
TLS/SSL: Transport Level Security:
- Is based on SSLV3. It is a 4-layer protocol as it runs directly on top of TCP only. It uses PKI (Public Key Infrastructure) to provide user authentication as well as symmetric keying for confidentiality protection.
-
It is designed to prevent eavesdropping, tampering and message forgery.
-
TLS can be used in two methods:
- Mutual authentication:
- Both user and server authenticate themselves when establishing a session
- Extremely expensive.
- Server-side authentication:
- Only the server provides a certificate when establishing a session.
- Avoids PKI overhead on user side.
- Mutual authentication:
SSH: Secure Shell:
- An application layer solution. It is a connection-oriented service and thus uses TCP only.
- Primarily used on shell based solution and ideally won’t be used to protect web browsing sessions.
- Uses public key cryptography to prove the authenticity of the remote user.
- SSH will maintain a list of trusted hosts.
IPsec:
- Is a protocol suite that runs at the network layer (L3).
-
It provides confidentiality, integrity protection, data origin authentication and replay protection of each message by encrypting and signing every message.
-
IPsec defines two main protocols:
- Authentication Header (AH)
- Encapsulating Security Payload (ESP)
- ESP is preferred since it provides both authentication and confidentiality, while AH only provides authentication.
Some characteristics on IPsec:
- Doesn’t mandate PKI
- Application independent
- Transparent to application
- Most VPN uses IPsec.
Administrative security controls
- Examples
- Security policies
- Security awareness training
- The “four-eye principle”
- Incident response procedures.
Physical security controls
- Examples
- Locked doors
- Fences
- Surveillance cameras
- Fire alarms
- Picture ID
- Security guards
Fault handling
In a dependable system, there are four types of means towards fault handling:
- Fault avoidance:
- Means to prevent the occurrence or introduction of faults.
- Fault tolerance:
- To avoid service failures in the presence of faults.
- Fault removal:
- To reduce the number and severity of faults
- Fault forecasting:
- To estimate the present number, the future incidence, and the likely consequences of faults.
The objective of fault avoidance and fault tolerance strategies is to deliver the specified service in spite of the occurrence and activation of faults in the system.
Fault tolerant system can operate at a reduced level when parts of the system has failed.
Fault tolerance is achieved by redundancy in:
- Hardware
- Software
- Information
The golden rule: Redundancy (No single point of failure)
Two types of redundancy:
- Modular redundancy:
- One or more copies of the system is running, and kept up to date with all interaction with the system.
- Stand-By-Redundancy
- Many copies of the system, but only one copy getting real-time updates from the original. The other replicas are updated frequently.
Triple Modular Redundancy (TMR)
- Three subsystems compute a result and that result is processed by a majority voter to produce a single output. If one of the three subsystem fails, the system will still have two subsystems to generate correct output.
Failure and recovery
- Four phases in recovering from a failure:
- Detections: need to find out that the system is not working
- Localization: Where is the failure?
- Isolation: isolate the failure to prevent more damage.
- Repair/Restore: Bring the system into a working state again.
ICT to support power grid will give the following advantages:
- Few power outages can be achieved by:
- Continuous monitoring
- Preventive maintenance
- Using redundancy on sub system components.
- High maintainability can be achieved by:
- early warnings
- continuous warnings
- fast localization of errors
- the possibility of automatic repair
Risk analysis:
- Is a tool that can be used to evaluate the impact and consequences of incidents that may occur.
Graph analysis:
- Is a tool that can be used to model the consequences of failures of nodes and links in a network.