Lecture 1: 05-02-19
Security is often defined with respect to a policy describing which kinds of actions are authorized
➔ Security is about protecting assets: things one values. Assets can be anything (hardware, software, data,
processes etc.). Not all assets are equally valuable
➔ Security cannot be isolated into a single system component as this can result in a single point of failure.
Vulnerability-threat-control paradigm
Valuation is one of the important factors to determine how you will handle your risks (20$ lock on a locker
containing a Rolex)
Threats
The two dimensions (perspectives) of threats:
A. What bad things can occur that affect assets? E.g. Security policies that are endangered
B. Who/what can cause/allow bad things to occur? E.g. Who/what should we defend ourselves from?
What bad things can occur that affect assets?
Basic three properties of security: C-I-A triad (Security triad)
Ability of a system to ensure that an asset:
- Is viewed only by authorized parties (Confidentiality)
- Is modified only by authorized parties (Integrity)
- Can be used by any authorized parties (Availability)
Two additional properties:
- Ability of a system to confirm identity of a sender (authentication)
- Ability of a system to confirm that a sender cannot convincingly deny having sent something (non-
repudiation or accountability)
Who/what can cause or allow those bad things to occur?
Interception: if I send you an email, attacker could block it & change it slightly; unauthorized viewing
Modification: modify; unauthorized change
Interruption: entirely blocking a system, preventing availability; preventing authorized access
Fabrication: if I never sent an email, attacker can create & send one for you; unauthorized creation
Threat types
,Harm & its consequences
Harm: the (negative) consequences a threat can cause; the impact on something
What contributes to a successful attack?
- Method: skills, knowledge, etc. to realize the attack
- Opportunity: time and access to execute the attack
- Motive: reason for attacking
Risk
Risk: possibility/the event of causing damage or losing something
Risk(e) = impact(e) x likelihood(e), where the impact of event e’s occurring is multiplied by the
likelihood of its occurrence
Impossible to provide an exact quantitative evaluation of risk because probability of events or their impact are
not easily known. Qualitative risk assessment better: Qualitative categories of impact and likelihood are low,
medium and high
Risk analysis (technical activity): identifying and estimating risk for objects of interest
Risk management (managerial activity): builds on risk analysis & concerns reducing/handling risks
Risk management sketch of processes: OWASP risk rating methodology
Vulnerability & controls
Vulnerability: weakness that can occur harm. Often found in computer systems and software
Attack surface: full set of vulnerabilities of a system, actual and potential
Control/Countermeasure: a means to counter threats
We can deal with harm/threats in several ways:
- Prevention: blocking the attack or closing the vulnerability
- Deterrence: by making the attack harder but not impossible
- Deflection: by making another target more attractive (or this one less so)
- Mitigation: by making its impact less severe
- Detection: either as it happens or sometime after the fact
- Recovery: recover from its effects
Secure design principles
Applying secure design principles from the outset:
- Minimizes vulnerabilities
- Enables us to analyze systems
Main secure design principles:
1. Simplicity: keep things simple; easy to analyze and review, less likely to have bugs
2. Open design: security of system should never depend on design of system; secrets hard to protect &
attackers will figure system out→ minimize & protect secrets (keys, PIN’s etc.)
, 3. Compartmentalization: organize resources into groups of similar needs, and isolate them
4. Exposure minimization: minimize the attack surface a system presents to the adversary; limit information
given to the attacker (general error instead of error log), minimize windows of opportunity (timer on it so
not possible to attempt many actions at once), reject as early as possible (reduce amount of code
exposed to potential malicious input)
5. Principles of least privilege: every component and user of a system should have only those privileges to
do their jobs, no more
6. Minimize trust: but maximize trustworthiness. Trust is a negative thing; trust in a component implies that
if that component fails, the system fails. Trust is transitive: A trusts B, B trusts C, now A trusts C
7. Secure defaults & fail safe: system should start in a secure state, and return to this state in case of
failure; firewall with default deny policy (whitelisting), clean-up of cryptography
8. Complete mediation: access to any object must be monitored and controlled; access control must apply
to all relevant objects, access control must not be circumventable (booting different operating system→
file encryption& skipping access control in a protocol→link to every message)
9. Defense in depth: build redundant security mechanism whenever possible; avoid single point of failure,
separate duties→ use 2FA
10. Traceability: log security-relevant system events; needed for accountability, incident analysis and
recovery, and auditing
11. Generate secrets with maximum entropy: use proper cryptographically secure random number
generators, use password managers
12. Usability: design usable security systems; hard to use→will be circumvented, nobody knows what a
certificate is or how to check it
Lecture 2: 07-02-19
A subject is authorized to take some action on something/someone. Subject in this context can be a person,
computer process, network connection, device, etc.
Determining who a subject really is consists of two separate steps:
1. Identification: is the act of asserting who a subject is
2. Authentication: is the act of proving that asserted identity
→ Identification asserts your identity, authentication confirms that you are who you claim to be
→ Identities are typically public or well-known. E.g.: name, e-mail address, bank account number
Authentication mechanisms
Authentication mechanisms use any of the following three qualities to confirm a user’s identity:
- Something only the user knows (passwords, PIN)
- Something only the user is (biometrics)
- Something only the user has (student card, passport)
Attacking passwords by guessing
A list of steps an attacker can try in order to determine a password:
- No password
- Same as user ID
- Derived from user’s name
- From a common word list (e.g. password), and common names and patterns (e.g. qwerty, 12345)
- English and non-English dictionaries (with different combinations of capitalizations)
- Brute force, trying all possible combinations of alphanumeric characters
Attacking passwords by reuse
Users reuse passwords. So, if a user has a password for website A, then it might occur that it is nearly the same as
the password for website B
, Attacking passwords by keyloggers
Hardware or software that records every keystroke made by the user
- Hardware: small device
o USB adapter, wireless keyboard sniffer
- Software:
o piece of code that can be embedded in a harmless-looking program (high-level)
o piece of software that is already introduced in the operating system itself (low-level)
Attacking passwords via side-channels
Passwords can also be derived from side-channel leaks: information gained from the physical implementation of
a computer system. E.g.: timing information, power consumption, electromagnetic leaks or even sound
- Pat and Roz chose the same password, which hashed to the same value. If such a password table is
intercepted by an attacker, they can look up the passwords in a rainbow table (a space-saving list of
precomputed hashed passwords)
➔ Use of salt value is a countermeasure to such problem
Salt for better concealment
Salt: adding extra field different for user in concealment process. E.g.: username, registration date
- Even if salted, if the computation of the password is fast, the attack is fast
- Password hashing functions should be used for password concealment
o = Special case of hash functions (= a function that takes a piece of input and creates a random
looking fix-length output for an input) and password-based key derivation functions
▪ Not encryption!
▪ Designed to be slow!
▪ Designed to take a lot of memory!
▪ Automatically include a random salt!
Remembering passwords is a bad mechanism. Secure design principles that are being violated are:
- Compartmentalization (through password reuse)
- Generate secrets with maximum entropy
- Usability
Security is often defined with respect to a policy describing which kinds of actions are authorized
➔ Security is about protecting assets: things one values. Assets can be anything (hardware, software, data,
processes etc.). Not all assets are equally valuable
➔ Security cannot be isolated into a single system component as this can result in a single point of failure.
Vulnerability-threat-control paradigm
Valuation is one of the important factors to determine how you will handle your risks (20$ lock on a locker
containing a Rolex)
Threats
The two dimensions (perspectives) of threats:
A. What bad things can occur that affect assets? E.g. Security policies that are endangered
B. Who/what can cause/allow bad things to occur? E.g. Who/what should we defend ourselves from?
What bad things can occur that affect assets?
Basic three properties of security: C-I-A triad (Security triad)
Ability of a system to ensure that an asset:
- Is viewed only by authorized parties (Confidentiality)
- Is modified only by authorized parties (Integrity)
- Can be used by any authorized parties (Availability)
Two additional properties:
- Ability of a system to confirm identity of a sender (authentication)
- Ability of a system to confirm that a sender cannot convincingly deny having sent something (non-
repudiation or accountability)
Who/what can cause or allow those bad things to occur?
Interception: if I send you an email, attacker could block it & change it slightly; unauthorized viewing
Modification: modify; unauthorized change
Interruption: entirely blocking a system, preventing availability; preventing authorized access
Fabrication: if I never sent an email, attacker can create & send one for you; unauthorized creation
Threat types
,Harm & its consequences
Harm: the (negative) consequences a threat can cause; the impact on something
What contributes to a successful attack?
- Method: skills, knowledge, etc. to realize the attack
- Opportunity: time and access to execute the attack
- Motive: reason for attacking
Risk
Risk: possibility/the event of causing damage or losing something
Risk(e) = impact(e) x likelihood(e), where the impact of event e’s occurring is multiplied by the
likelihood of its occurrence
Impossible to provide an exact quantitative evaluation of risk because probability of events or their impact are
not easily known. Qualitative risk assessment better: Qualitative categories of impact and likelihood are low,
medium and high
Risk analysis (technical activity): identifying and estimating risk for objects of interest
Risk management (managerial activity): builds on risk analysis & concerns reducing/handling risks
Risk management sketch of processes: OWASP risk rating methodology
Vulnerability & controls
Vulnerability: weakness that can occur harm. Often found in computer systems and software
Attack surface: full set of vulnerabilities of a system, actual and potential
Control/Countermeasure: a means to counter threats
We can deal with harm/threats in several ways:
- Prevention: blocking the attack or closing the vulnerability
- Deterrence: by making the attack harder but not impossible
- Deflection: by making another target more attractive (or this one less so)
- Mitigation: by making its impact less severe
- Detection: either as it happens or sometime after the fact
- Recovery: recover from its effects
Secure design principles
Applying secure design principles from the outset:
- Minimizes vulnerabilities
- Enables us to analyze systems
Main secure design principles:
1. Simplicity: keep things simple; easy to analyze and review, less likely to have bugs
2. Open design: security of system should never depend on design of system; secrets hard to protect &
attackers will figure system out→ minimize & protect secrets (keys, PIN’s etc.)
, 3. Compartmentalization: organize resources into groups of similar needs, and isolate them
4. Exposure minimization: minimize the attack surface a system presents to the adversary; limit information
given to the attacker (general error instead of error log), minimize windows of opportunity (timer on it so
not possible to attempt many actions at once), reject as early as possible (reduce amount of code
exposed to potential malicious input)
5. Principles of least privilege: every component and user of a system should have only those privileges to
do their jobs, no more
6. Minimize trust: but maximize trustworthiness. Trust is a negative thing; trust in a component implies that
if that component fails, the system fails. Trust is transitive: A trusts B, B trusts C, now A trusts C
7. Secure defaults & fail safe: system should start in a secure state, and return to this state in case of
failure; firewall with default deny policy (whitelisting), clean-up of cryptography
8. Complete mediation: access to any object must be monitored and controlled; access control must apply
to all relevant objects, access control must not be circumventable (booting different operating system→
file encryption& skipping access control in a protocol→link to every message)
9. Defense in depth: build redundant security mechanism whenever possible; avoid single point of failure,
separate duties→ use 2FA
10. Traceability: log security-relevant system events; needed for accountability, incident analysis and
recovery, and auditing
11. Generate secrets with maximum entropy: use proper cryptographically secure random number
generators, use password managers
12. Usability: design usable security systems; hard to use→will be circumvented, nobody knows what a
certificate is or how to check it
Lecture 2: 07-02-19
A subject is authorized to take some action on something/someone. Subject in this context can be a person,
computer process, network connection, device, etc.
Determining who a subject really is consists of two separate steps:
1. Identification: is the act of asserting who a subject is
2. Authentication: is the act of proving that asserted identity
→ Identification asserts your identity, authentication confirms that you are who you claim to be
→ Identities are typically public or well-known. E.g.: name, e-mail address, bank account number
Authentication mechanisms
Authentication mechanisms use any of the following three qualities to confirm a user’s identity:
- Something only the user knows (passwords, PIN)
- Something only the user is (biometrics)
- Something only the user has (student card, passport)
Attacking passwords by guessing
A list of steps an attacker can try in order to determine a password:
- No password
- Same as user ID
- Derived from user’s name
- From a common word list (e.g. password), and common names and patterns (e.g. qwerty, 12345)
- English and non-English dictionaries (with different combinations of capitalizations)
- Brute force, trying all possible combinations of alphanumeric characters
Attacking passwords by reuse
Users reuse passwords. So, if a user has a password for website A, then it might occur that it is nearly the same as
the password for website B
, Attacking passwords by keyloggers
Hardware or software that records every keystroke made by the user
- Hardware: small device
o USB adapter, wireless keyboard sniffer
- Software:
o piece of code that can be embedded in a harmless-looking program (high-level)
o piece of software that is already introduced in the operating system itself (low-level)
Attacking passwords via side-channels
Passwords can also be derived from side-channel leaks: information gained from the physical implementation of
a computer system. E.g.: timing information, power consumption, electromagnetic leaks or even sound
- Pat and Roz chose the same password, which hashed to the same value. If such a password table is
intercepted by an attacker, they can look up the passwords in a rainbow table (a space-saving list of
precomputed hashed passwords)
➔ Use of salt value is a countermeasure to such problem
Salt for better concealment
Salt: adding extra field different for user in concealment process. E.g.: username, registration date
- Even if salted, if the computation of the password is fast, the attack is fast
- Password hashing functions should be used for password concealment
o = Special case of hash functions (= a function that takes a piece of input and creates a random
looking fix-length output for an input) and password-based key derivation functions
▪ Not encryption!
▪ Designed to be slow!
▪ Designed to take a lot of memory!
▪ Automatically include a random salt!
Remembering passwords is a bad mechanism. Secure design principles that are being violated are:
- Compartmentalization (through password reuse)
- Generate secrets with maximum entropy
- Usability
