Information (Cyber Security)

Byan Sakura
Published in 135 Notebook
3 min read · Jan 19, 2021

Information security is about protecting the CIA properties of services, and also ensuring Privacy and Accountability:

  • Confidentiality: only those entitled may access the service
  • Integrity: services should always behave correctly
  • Availability: authorized clients should always have access

Authentication

Identity Verification:

Something you know

Example: password

Pros:

  • Simple to implement
  • Simple for users to understand

Cons:

  • Easy to crack
  • Passwords are often reused

OTP: a different password is used each time, but it is difficult for the user to remember all of them

Something you have

Example:

  • OTP Cards (e.g. SecurID): generate a new password each time the user logs in
  • Smart Card: tamper-resistant, stores secret information, entered into a card-reader
  • Token / Key (e.g. iButton)
  • ATM Card

Strength of authentication depends on the difficulty of forging

Something you are

Example: biometrics

Pros:

  • Raises the bar

Cons:

  • false negatives/positives, social acceptance, key management
    – false positive: authentic user rejected
    – false negative: impostor accepted

Multi-Authentication

Two-factor Authentication: methods can be combined (e.g. ATM card & PIN)

Three types (e.g. SSL):

  • Client Authentication: server verifies client’s id
  • Server Authentication: client verifies server’s id
  • Mutual Authentication (Client & Server)

Authenticated user is a “Principal”

Authorization

Checking whether a user has permission to conduct some action

Access Control Models

Mechanism used by many operating systems to determine whether users are authorized to conduct different actions

Mandatory: computer system decides exactly who has access to which resources

Discretionary: users are authorized to determine which other users can access files or other resources that they create, use, or own

Role-Based (Non-Discretionary): user’s access & privileges determined by role

Bell-LaPadula Model
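The three models above differ in who decides: the owner (discretionary), the role assignment (role-based) or the system's labels (mandatory). The following added example, which is not from the original post, puts a minimal version of each side by side in Python, with the mandatory model expressed as the two Bell-LaPadula rules (no read up, no write down). The class and function names, the role table and the four sensitivity levels are all assumptions of this example.

```python
from dataclasses import dataclass, field


# ---- Discretionary (DAC): the owner of an object decides who may use it ----
@dataclass
class DacFile:
    owner: str
    acl: dict = field(default_factory=dict)   # user -> set of permissions

    def grant(self, by, user, perm):
        """Only the owner may delegate access to other users."""
        if by != self.owner:
            return False
        self.acl.setdefault(user, set()).add(perm)
        return True

    def allowed(self, user, perm):
        return user == self.owner or perm in self.acl.get(user, set())


# ---- Role-based (RBAC): permissions hang off roles, users hold roles ----
# Constructed role table; a real system would load this from policy.
ROLE_PERMS = {
    "auditor": {"read_logs"},
    "operator": {"read_logs", "restart_service"},
}
USER_ROLES = {"alice": {"auditor"}, "bob": {"operator"}}


def rbac_allowed(user, perm):
    """A user may act only through a permission held by one of their roles."""
    return any(perm in ROLE_PERMS.get(r, set())
               for r in USER_ROLES.get(user, set()))


# ---- Mandatory (MAC), Bell-LaPadula: the system assigns labels and ----
# ---- users cannot override them, however they feel about sharing.   ----
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top_secret": 3}


def blp_can_read(subject_level, object_level):
    """Simple security property: no read up."""
    return LEVELS[subject_level] >= LEVELS[object_level]


def blp_can_write(subject_level, object_level):
    """*-property: no write down. A Secret-cleared process may not write to an
    Unclassified file, because it could copy what it has read into it."""
    return LEVELS[subject_level] <= LEVELS[object_level]


if __name__ == "__main__":
    f = DacFile(owner="alice")
    f.grant("alice", "bob", "read")
    print("DAC  bob reads alice's file:", f.allowed("bob", "read"))
    print("RBAC alice restarts service:", rbac_allowed("alice", "restart_service"))
    print("MAC  secret subject writes unclassified:", blp_can_write("secret", "unclassified"))
```

Note that in the mandatory model the owner of an object does not appear in the decision at all; that is exactly what makes it "mandatory", and it is why Bell-LaPadula protects confidentiality even against a careless or compromised owner.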

Confidentiality

Goal: Keep the contents of communication or data on storage secret

Example: Alice and Bob want their communications to be secret from Eve

Key: a secret shared between Alice & Bob

Sometimes accomplished with Cryptography, Steganography, Access Controls, Database Views

Message/Data Integrity

Data integrity = No corruption

Man in the middle attack: Has Mallory tampered with the message that Alice sends to Bob?

Integrity Check: Add redundancy to data/message

Techniques:

Hashing, checksums, Message authentication codes
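The three techniques are not interchangeable against Mallory: a checksum or plain hash is redundancy that anyone can recompute, whereas a message authentication code is redundancy that only a holder of the Alice/Bob key can produce. The following added example (not from the original post) runs a CRC32 checksum and an HMAC-SHA256 tag against the same in-transit modification; the shared key, the message and the `integrity_demo` helper are constructed for this example.

```python
import hashlib
import hmac
import zlib

# Constructed demo key shared by Alice and Bob. In practice it comes from a key
# exchange or out-of-band provisioning, and Mallory never learns it.
SHARED_KEY = b"alice-bob-demo-key"


def crc_tag(msg):
    """Checksum: redundancy that catches accidental corruption (bit flips)."""
    return zlib.crc32(msg)


def crc_ok(msg, tag):
    return zlib.crc32(msg) == tag


def mac_tag(key, msg):
    """Message authentication code: redundancy only a key holder can produce."""
    return hmac.new(key, msg, hashlib.sha256).digest()


def mac_ok(key, msg, tag):
    # Constant-time comparison so the verifier does not leak the tag byte by byte.
    return hmac.compare_digest(mac_tag(key, msg), tag)


def tamper(msg):
    """Stands in for Mallory changing the message in transit (constructed input)."""
    return msg.replace(b"100", b"900")


def integrity_demo(msg=b"transfer 100 to bob"):
    """Run both schemes against the same modification and report what each catches."""
    bad = tamper(msg)
    return {
        # A checksum catches the change only while the tag is left untouched...
        "crc_catches_tamper": not crc_ok(bad, crc_tag(msg)),
        # ...but it needs no secret, so a recomputed checksum passes the check.
        "crc_fooled_by_recompute": crc_ok(bad, crc_tag(bad)),
        # An HMAC catches the change...
        "mac_catches_tamper": not mac_ok(SHARED_KEY, bad, mac_tag(SHARED_KEY, msg)),
        # ...and cannot be recomputed without the shared key.
        "mac_resists_wrong_key": not mac_ok(SHARED_KEY, bad, mac_tag(b"guess", bad)),
    }


if __name__ == "__main__":
    for check, result in integrity_demo().items():
        print(f"{check:25s} {result}")
```

The practical rule this illustrates: checksums and unkeyed hashes protect against noise, MACs (and digital signatures) protect against an adversary. Note also that a MAC says nothing about freshness; the same tagged message replayed later still verifies, which is why protocols add sequence numbers or nonces under the tag.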

Accountability

Able to determine the attacker or principal

Logging & Audit Trails

Requirements:

  • Secure timestamping (OS vs. Network)
  • Data integrity in logs & audit trails: it must not be possible to change the trails, or changes to the logs must be detectable
  • Otherwise an attacker can cover their tracks
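One way to meet the "detect changes to logs" requirement is to chain the entries: each record carries the hash of the record before it, so rewriting, inserting or deleting a past entry breaks every link after it. The following is an added example, not code from the original post; the `AuditLog` class, its JSON record layout and the timestamps are assumptions of this example.

```python
import hashlib
import json
from datetime import datetime, timezone
from typing import Optional

GENESIS = "0" * 64   # "previous hash" of the very first entry


class AuditLog:
    """Append-only audit trail in which every entry commits to the hash of the
    entry before it. The log file itself stays writable; what the chain gives
    the auditor is the ability to *detect* that history was edited."""

    def __init__(self):
        self.entries = []

    @staticmethod
    def digest(entry):
        body = {k: v for k, v in entry.items() if k != "hash"}
        canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
        return hashlib.sha256(canonical.encode()).hexdigest()

    def append(self, principal, action, ts=None):
        """Record which authenticated principal did what, and when.
        ts defaults to the OS clock; a trusted network time source or an
        external timestamping service anchors it more strongly."""
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = {
            "seq": len(self.entries),
            "ts": ts or datetime.now(timezone.utc).isoformat(),
            "principal": principal,
            "action": action,
            "prev": prev,
        }
        entry["hash"] = self.digest(entry)
        self.entries.append(entry)
        return entry["hash"]

    def verify(self, expected_head: Optional[str] = None) -> Optional[int]:
        """Return the index of the first entry whose link is broken, len(entries)
        if the final hash differs from one published elsewhere (for example
        copied to a write-once or remote store), or None if the log is intact."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e["seq"] != i or e["prev"] != prev or self.digest(e) != e["hash"]:
                return i
            prev = e["hash"]
        if expected_head is not None and prev != expected_head:
            return len(self.entries)
        return None


if __name__ == "__main__":
    log = AuditLog()
    log.append("alice", "login")
    head = log.append("alice", "read secret.txt")
    log.entries[1]["action"] = "read public.txt"     # someone edits history
    print("first broken entry:", log.verify(expected_head=head))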

Availability

Uptime, free storage; e.g. dial tone availability, system downtime limit, web server response time

Solutions:

  • Add redundancy to remove single points of failure
  • Impose limits on the resources each legitimate user can consume

The goal of DoS (Denial of Service) attacks is to reduce availability:

  • Malware is used to send excessive traffic to the victim site
  • Overwhelmed servers can’t process legitimate traffic
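The "impose limits" solution above is usually a per-client rate limit, so that one client sending excessive traffic is rejected cheaply before it can consume the capacity everyone else depends on. The following added example (not from the original post) implements a token-bucket limiter in Python; the `TokenBucket` class, the injectable clock and the constructed request stream in `simulate` are assumptions of this example.

```python
import time


class TokenBucket:
    """Per-client token bucket: a client may make at most `capacity` requests in
    a burst and thereafter `rate` requests per second. Requests beyond that are
    rejected without doing the real work, which is what keeps one noisy client
    from starving the legitimate ones."""

    def __init__(self, rate, capacity, now=time.monotonic):
        self.rate = float(rate)
        self.capacity = float(capacity)
        self.now = now            # injectable clock; monotonic so wall-clock changes cannot refill buckets
        self.buckets = {}         # client id -> (tokens, time of last refill)

    def allow(self, client):
        t = self.now()
        tokens, last = self.buckets.get(client, (self.capacity, t))
        tokens = min(self.capacity, tokens + (t - last) * self.rate)   # refill
        if tokens >= 1.0:
            self.buckets[client] = (tokens - 1.0, t)
            return True
        self.buckets[client] = (tokens, t)
        return False


def simulate(limiter, stream):
    """Feed a constructed stream of client ids through the limiter and count how
    many requests per client were actually served."""
    served = {}
    for client in stream:
        served.setdefault(client, 0)
        if limiter.allow(client):
            served[client] += 1
    return served


if __name__ == "__main__":
    limiter = TokenBucket(rate=1.0, capacity=3)
    # Fifty requests from one client in a burst, one from another.
    print(simulate(limiter, ["flood"] * 50 + ["legit"]))
```

The limiter works per client identifier, so its protection is only as good as that identifier: traffic spread across many sources (the distributed form of the attack described above) needs limits further upstream, and redundancy, rather than a single bucket on one server.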
