Security by liaoqinmei


    You understand this if you can:

    • State the goals & principles of security
    • List consequences of poor security
    • Apply threat modelling
        • DFD Modelling
        • Analysis using STRIDE

    Security: Why Bother?
    • Legal Issues
      • Data protection
      • Computer misuse
    • Commercial Issues
      • Loss of commercial information
      • Theft
      • Denial of Service

    Security Goals
    • Confidentiality
       • Data is only available to those intended to access it.
    • Integrity
       • Resources are only changed in appropriate ways
    • Availability
       • System ready when needed and performs acceptably
    • Authentication & Authorization
       • The identity of users is established.
       • Explicitly allow or deny access to resources.
    • Non-repudiation
       • Users can’t deny an action they’ve performed
    Threats & Effects 1
    Threat                                             Effects
    Modification of data in transit                    Financial losses; inconsistent data
    Denial of Service attacks: crashing servers        Prevent business
      or networks
    Penetration attacks resulting in theft of          Breach of legal requirements to
      information                                        maintain confidentiality
    Unauthorized use of resources                      Financial loss; liability (lack of
                                                         due diligence)
    Tampering: modifying data                          Inconsistent & incorrect data

    Threats & Effects 2
    Threat                                             Effects
    Spoofing: impersonating a user or system           Financial or data losses, or illegal
                                                         access
    Monitoring network traffic for information,        Illegal access using the recovered
      e.g. passwords                                     credentials
    Viruses                                            Added business expense and lost
                                                         productivity
    Physical destruction of systems,                   Prevent business
      infrastructure or data

    Security Management Goals
    1. Prevention
      • Firewall
    2. Detection
      • Intrusion Detection
    3. Tolerance
      • Unavoidable intrusions
        • Internal threats
    • Consequence management
        • Graceful degradation not catastrophic failure
        • Back-up systems & recovery

    Security is difficult
    • Flaws may have no effect in normal use
      • Attackers induce failures by creating the
        specific conditions to trigger a flaw.
    • Flaws at many different levels
      • Not just in your software
      • Weaknesses in protocols, operating
        systems, applications, Web server, …
      • Network traffic sent in clear text can be captured,
        so passwords and data can be recovered
      • Ease of Downloading software at work
     The Couch Potato’s Summary
    • Legal & commercial reasons for security
    • Security is more than keeping secrets
      • Ensure data is consistent and available
      • Ensure users can do what they are entitled to
      • Ensure users can’t deny what they’ve done
    • Difficult
      • Must be right all the time
      • Many possible sources of weaknesses
         • People, business processes, design
         • Implementation, networks, operating systems
    Threat Modelling
    • Methodical review of a design or
      architecture to discover and correct
      potential security problems

     Security Principles
     • Manage security policies centrally.
     • Locate security in the architecture to
       maximise usability and minimise modifications
     • Perform a business driven risk assessment.
     • Apply security levels commensurate to the
       resources and the risk.
     • Handle varying security needs.
     • Implement a security awareness program.
     • Maintain a single, accurate date and time

     •   Identification
     •   Authentication
     •   Authorization and Access Control
     •   Administration
     •   Attacks
     •   Detection
     •   Audit

     Design Principles for Security
     • Open design
        • Assume attackers have the sources and the specs; do not rely on secrecy of the design.
     • Fail-safe defaults
        • Deny access by default; if a check cannot be completed, fail closed. No single point of failure.
     • Least privilege
        • No more rights than needed, for no longer than needed.
     • Simplicity
        • A small, simple mechanism is easier to verify and harder to get wrong.
     • Check everything, every time (complete mediation).
        • Never trust a cached or earlier answer for a new request.
     • Least common mechanism
        • Beware of shared resources: they leak information and couple users' fates.
     • Psychological acceptability
        • Security that is hard to use will be bypassed by users.
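The three principles that most often go wrong in code are fail-safe defaults, least privilege and "check everything, every time". The following Python block is an added example (not from the slides) showing all three in one authorisation check: an explicit allow-list per role, an unknown role getting no rights, and a policy-store outage denying rather than granting access. The roles, resources and the `policy_lookup` backend with its `available` flag are constructed for illustration.

```python
"""Fail-safe defaults, least privilege and complete mediation in one small
authorisation check.  Added example; roles, resources and the simulated
policy store are constructed, not a real system's policy."""

from dataclasses import dataclass, field

# Constructed policy: each role has an explicit allow-list of (resource, action).
# Anything not listed is denied (fail-safe default, least privilege).
POLICY = {
    "applicant": {("application", "read"), ("application", "write")},
    "admissions": {("application", "read"), ("student_records", "read"),
                   ("student_records", "write")},
}


@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)


class PolicyUnavailable(Exception):
    """Raised when the policy store cannot be reached (simulated outage)."""


def policy_lookup(role, available=True):
    """Return the allow-list for a role; unknown roles get nothing (not an error)."""
    if not available:
        raise PolicyUnavailable("policy store unreachable")
    return POLICY.get(role, set())


def is_allowed_fail_open(user, resource, action, available=True):
    """Anti-pattern: an error in the policy lookup lets the request through."""
    try:
        for role in user.roles:
            if (resource, action) in policy_lookup(role, available):
                return True
        return False
    except PolicyUnavailable:
        return True  # "keep the site working": fails open


def is_allowed(user, resource, action, available=True):
    """Deny unless some role explicitly allows (resource, action); any error denies."""
    try:
        return any((resource, action) in policy_lookup(role, available)
                   for role in user.roles)
    except PolicyUnavailable:
        return False  # fail closed


def handle_request(user, resource, action, available=True):
    """Complete mediation: every request re-checks the policy, nothing is cached."""
    if not is_allowed(user, resource, action, available):
        return "403 Forbidden"
    return f"200 OK: {action} {resource}"


if __name__ == "__main__":
    alice = User("alice", {"applicant"})
    print(handle_request(alice, "application", "write"))
    print(handle_request(alice, "student_records", "read"))
    print("outage, fail-open:", is_allowed_fail_open(alice, "application", "read", available=False))
    print("outage, fail-closed:", is_allowed(alice, "application", "read", available=False))
```

The contrast is in the two `except` branches: with the policy store down, `is_allowed_fail_open` grants every request, while `is_allowed` grants none. The second is the fail-safe default the slide asks for; it trades availability of the feature for integrity of the access decision.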
     Threat Modelling Approach
     • Asset-driven threat modelling
       • List assets & how they might be attacked
          • What an attacker wants to read, tamper or deny you use of
     • Attacker-driven threat modelling
       • Potential attackers & their approaches
     • Design-driven threat modelling
       • Identify components & trust boundaries
          • E.g. sockets, remote procedure call services, AJAX APIs.
          • A data flow diagram can help identify
       • Identify weaknesses

     STRIDE Threat Model
     Threat                   Affected property
     Spoofing                 Authentication
     Tampering                Integrity
     Repudiation              Non-repudiation
     Information disclosure   Confidentiality
     Denial of service        Availability
     Elevation of privilege   Authorization

     STRIDE Approach
     • Break system into relevant components
     • Model the system with Data Flow Diagrams
       • Analyse components for susceptibility to STRIDE
       • Mitigate the threats.
     • Consider threats that emerge when systems
       combine to create larger systems
       • Combining subsystems into larger systems may
         violate the assumptions of the subsystem
       • E.g. a system that wasn't designed for Internet use
         may have problems when exposed to it.

     Data Flow Components
     • Data Flow        an arrow between two elements
     • Data Store       e.g. Student Records
     • Process          e.g. Select Students
     • Actor            e.g. Applicant
     • Trust Boundary   a line separating zones of different trust, e.g. client / server
     DFD & STRIDE Analysis
     [Diagram: the Applicant (actor, on the Client side) sends data across the
      client/server trust boundary to the Collect process (Server side), which
      writes to the Applicant Records data store; Student Records is a second
      data store on the server side. Annotations on the diagram: Spoofing at the
      Applicant; Disclosure on the Applicant -> Collect flow that crosses the
      boundary; Tampering, Information Disclosure and Denial of Service at the
      data stores; the flow from Collect to Applicant Records, entirely inside
      the trusted server zone, is marked "Possibly safe (Trusted)".]

     Threats and Data Flow Items
     (Standard STRIDE-per-element mapping.)
                               Data Flow   Data Store   Process   Actor
     Spoofing                                             ✓         ✓
     Tampering                     ✓           ✓          ✓
     Repudiation                               ✓*         ✓         ✓
     Information Disclosure        ✓           ✓          ✓
     Denial of Service             ✓           ✓          ✓
     Elevation of Privilege                               ✓
     * A data store is a repudiation target when it holds logs or audit records.

     Threat Modelling Steps
     • Dataflow diagram with trust boundaries
     • Identify threats by brainstorming.
     • Apply STRIDE model to each component
     • Consider redesign to reduce threats
     • Mitigate the first order threats.
       • Concentrate on the first order threats first
     • Track & check for completeness
     • Write code & check against model

     Threats, mitigations & more threats:
       • First order threat is opening the door
       • First order mitigation is a lock.
       • Second order threat is picking the lock.
       • Second order mitigation is a strong lock.
       • Third order mitigation is an alarm.
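The STRIDE Approach, the Threats and Data Flow Items table and the Threat Modelling Steps above are mechanical enough to script. The following Python block is an added example (not code from the slides): it models the slides' student-records DFD as actors, processes, stores and flows with trust zones, applies the standard STRIDE-per-element mapping from Microsoft's SDL threat modelling process, skips flows that never cross a trust boundary (the "possibly safe (trusted)" case), and checks a mitigation register for completeness. The zones, the flow names and the register entries are constructed assumptions.

```python
"""Apply STRIDE per element to a data flow diagram with trust boundaries and
track mitigations for completeness.

Added example, not code from the slides.  Element names follow the slides'
student-records system; the applicability table is the standard STRIDE-per-
element mapping; zones, flow names and the mitigation register are constructed."""

from dataclasses import dataclass

S, T, R, I, D, E = ("Spoofing", "Tampering", "Repudiation",
                    "Information disclosure", "Denial of service",
                    "Elevation of privilege")

# STRIDE-per-element: which threat categories apply to which DFD element kind.
# Assumption: a data store is a repudiation target only when it holds logs.
APPLICABLE = {
    "actor":   {S, R},
    "process": {S, T, R, I, D, E},
    "store":   {T, I, D},          # + R when the store is an audit log
    "flow":    {T, I, D},
}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str          # "actor" | "process" | "store"
    zone: str          # trust zone, e.g. "client" or "server"
    is_log: bool = False


@dataclass(frozen=True)
class Flow:
    src: Element
    dst: Element

    @property
    def name(self):
        return f"{self.src.name} -> {self.dst.name}"

    @property
    def crosses_boundary(self):
        return self.src.zone != self.dst.zone


def enumerate_threats(elements, flows):
    """Return (threat category, target name) pairs: the first-order threats."""
    threats = []
    for el in elements:
        cats = set(APPLICABLE[el.kind])
        if el.kind == "store" and el.is_log:
            cats.add(R)
        threats.extend((cat, el.name) for cat in sorted(cats))
    for f in flows:
        # A flow that stays inside one trust zone is "possibly safe (trusted)";
        # only flows that cross a trust boundary are analysed.
        if f.crosses_boundary:
            threats.extend((cat, f.name) for cat in sorted(APPLICABLE["flow"]))
    return threats


def unmitigated(threats, register):
    """Track & check for completeness: every threat needs at least one mitigation."""
    return [t for t in threats if not register.get(t)]


def build_model():
    """Constructed DFD: the applicant is on the client side, all else on the server."""
    applicant = Element("Applicant", "actor", "client")
    collect = Element("Collect", "process", "server")
    app_records = Element("Applicant Records", "store", "server")
    select = Element("Select Students", "process", "server")
    student_records = Element("Student Records", "store", "server")
    elements = [applicant, collect, app_records, select, student_records]
    flows = [Flow(applicant, collect), Flow(collect, app_records),
             Flow(app_records, select), Flow(select, student_records)]
    return elements, flows


# Mitigation register (constructed): ordered first/second/third-order mitigations,
# following the slides' door -> lock -> strong lock -> alarm progression.
REGISTER = {
    (S, "Applicant"): ["1st: password login", "2nd: lockout after failed attempts"],
    (T, "Applicant -> Collect"): ["1st: TLS", "2nd: certificate pinning on the client"],
    (I, "Applicant -> Collect"): ["1st: TLS"],
    (T, "Student Records"): ["1st: write access limited to Select Students",
                             "3rd: alert on out-of-band writes"],
}

if __name__ == "__main__":
    elements, flows = build_model()
    threats = enumerate_threats(elements, flows)
    for cat, target in unmitigated(threats, REGISTER):
        print(f"UNMITIGATED  {cat:<24} {target}")
```

Running it lists the 19 threats the register does not yet cover, which is the "track & check for completeness" step made concrete: redesign (moving an element across the boundary, merging flows) shows up as a shorter list, and a new audit-log store marked `is_log=True` automatically picks up repudiation.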
     Ensuring Security 1
     • Organisational
       • Policies and practice
     • Personal
       • Recruitment & training
       • Processes people can follow (e.g. passwords)
     • Application
       • Security designed in
       • Freedom from bugs

     Ensuring Security 2
     • Operating System
       • File protection
       • Authentication
     • Infrastructure
       • Network, hardware
     • IT Management
       • Technicians
          • Administrator passwords
       • Back-ups
          • Improve reliability, but back-up media hold all the data and are
            an easy target if not protected as carefully as the live system

      The Couch Potato’s Summary
     • Systematic analysis is needed
     • STRIDE can help generate threats
       • Consider threat types against components
     • Use dataflow diagram to represent system
       • External entities, data stores
       • Data flows, processes
     • Require response at many levels
       • People are often weakest link
       • Bugs can be vulnerabilities
       • Build security into the design
     Security Summary
     • Security is important
     • STRIDE
       • Spoofing, Tampering, Repudiation
       • Information disclosure, Denial of service
       • Elevation of privilege
     • Threat Modelling
       • Analyse Design
       • Identify threats using STRIDE
       • Fix