Security

Basic Principles

Confidentiality - ensure that access to information is only given to authorized entities

Integrity - ensure that the information is intact (consistent, accurate, etc.)

Availability - ensure that a service is available in the future when needed

Intruder

Masquerader - unauthorized individual who penetrates a system's access controls to exploit a legitimate user's account

Misfeasor - legitimate user who accesses data, programs, or resources for which such access is not authorized, or who is authorized for such access but misuses his or her privileges

Clandestine user - an individual who seizes supervisory control of the system and uses this control to evade auditing and access controls or to suppress audit collection

0day exploit - an exploit for a vulnerability that is not publicly known before it is announced; the software vendor has had zero days to create a patch

Intrusion Detection System (IDS)

  • A system monitor that analyzes system events to identify anomalies

Authentication

Identification - providing an identifier to identify an entity

Verification - validate that the entity showing the identifier is actually that entity

Methods of Authentication

  • Something that the individual knows (e.g. password, PIN)
  • Something the individual possesses (e.g. physical key, smart card, etc.)
  • Something that the individual is (static biometrics) (e.g. retina, fingerprint, face)
  • Something that the individual does (dynamic biometrics) (e.g. voice pattern, handwriting, typing rhythm)

Access Control

  • Specifies which identifier is permitted to perform what action
  • Requires authentication to ensure that the identifier is correct

Firewall

  • Shield a system from threats from outside
  • Classic firewalls are network firewalls
    • Choke point to control traffic
    • Enforce local security policy
    • Secure against attacks

Compile-time Defenses

  • Programming language (e.g. static typing and array checking)
  • Safe coding techniques
  • Language extensions and safe libraries
  • Stack protection mechanisms (e.g. a canary value placed on the stack at function entry and checked at function exit)

Runtime Defenses

  • Address space protection (e.g. mark areas to be non-executable)
  • Address space randomization (randomize the layout so that the attacker cannot predict the approximate location of target buffers)
  • Guard pages - place guard pages between critical regions of memory

File System Access Control

  • Access matrix
    • Subject - identifies the entity that requests access
    • Object - specifies the resource to which access is controlled
    • Access right - the way in which the subject may access the object

Access Control Policies

Discretionary access control (DAC) - access control based on identity and access rules; an access right can be passed on to another entity

Mandatory access control (MAC) - access control based on labels (high/low sensitivity); access rights cannot be passed on

Role-based access control (RBAC) - access rights are assigned to roles, and users are granted access through the roles they hold
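An added example (not from the original notes) showing the access matrix from the File System Access Control section together with the DAC and MAC policies above: subjects, objects and rights are constructed sample data; the rule that only an owner of an object may delegate a right, and the "no read up" label comparison, are assumptions chosen to illustrate the two policies.

```python
"""Access matrix with DAC delegation and a MAC label check (constructed example)."""
from dataclasses import dataclass, field

# Assumed sensitivity ordering for the MAC labels used in the notes.
LEVELS = {"low": 0, "high": 1}


@dataclass
class AccessMatrix:
    # matrix[subject][object] -> set of access rights, e.g. {"read", "write", "own"}
    matrix: dict = field(default_factory=dict)

    def grant(self, subject: str, obj: str, right: str) -> None:
        """Record that `subject` holds `right` on `obj`."""
        self.matrix.setdefault(subject, {}).setdefault(obj, set()).add(right)

    def allowed(self, subject: str, obj: str, right: str) -> bool:
        """Access check: look up the (subject, object) cell of the matrix."""
        return right in self.matrix.get(subject, {}).get(obj, set())

    def delegate(self, granter: str, grantee: str, obj: str, right: str) -> bool:
        """DAC: a subject may pass a right on to another subject.
        Assumed rule: only a holder of the 'own' right on the object may delegate."""
        if not self.allowed(granter, obj, "own"):
            return False
        self.grant(grantee, obj, right)
        return True


def mac_read_allowed(clearance: str, sensitivity: str) -> bool:
    """MAC: a read is permitted only if the subject's clearance label is at least
    the object's sensitivity label ('no read up'). Labels are fixed by the
    system and cannot be delegated by subjects."""
    return LEVELS[clearance] >= LEVELS[sensitivity]


def build_demo() -> AccessMatrix:
    """Constructed sample matrix: alice owns her notes and can read the system file."""
    m = AccessMatrix()
    m.grant("alice", "/etc/passwd", "read")
    for right in ("own", "read", "write"):
        m.grant("alice", "/home/alice/notes", right)
    return m


if __name__ == "__main__":
    m = build_demo()
    print(m.delegate("alice", "bob", "/home/alice/notes", "read"))   # True: alice owns it
    print(m.delegate("bob", "carol", "/home/alice/notes", "read"))   # False: bob does not
    print(mac_read_allowed("low", "high"))                           # False: no read up
```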

Hardening of an Operating System

  • Install and patch the operating system
  • Harden and configure the system to only address the needs
    • Remove unnecessary services, daemons, users, groups, controls, etc.
  • Install and configure additional security controls
  • Test the security

Security Maintenance

  • Logging - log data for post-mortem analysis
  • Data backup and archive - automatic
