
Computer Security

Lecture 5
Security Practices

Syed Naqvi
snaqvi@ieee.org

Outline
♦ Risk Management
♦ Watermarking
♦ Intrusion Detection Systems
♦ Computer Forensics
♦ Legal and Ethical Issues

16 November 2010 Lecture 5: Security Practices 2

Risk
♦ The likelihood that a particular threat, using a specific attack,
will exploit a particular vulnerability of a system and result in
an undesirable consequence
– The likelihood of the threat occurring is the estimate of the
probability that the threat will succeed in causing the
undesirable event


Risk Management
♦ The process concerned with identification, measurement, control and
minimization of security risks in information systems, to a level
commensurate with the value of the assets protected
♦ Risk Management Cycle (figure on the original slide):
– Identify the risk areas
– Assess the risks (Risk Assessment)
– Develop the risk management plan (Risk Mitigation)
– Implement the risk management actions
– Re-evaluate the risks, and repeat the cycle

Risk Assessment/Analysis
♦ A process of analyzing threats to and vulnerabilities of an
information system, and the potential impact that the loss of
information or of system capabilities would have
– List the threats and vulnerabilities
– List the possible controls and their cost
– Do a cost-benefit analysis
• Is the cost of a control more than the expected cost of the loss it prevents?
♦ The resulting analysis is used as a basis for identifying
appropriate and cost-effective counter-measures
– Leads to a proper security plan


Risk Assessment – Benefits
♦ Improve awareness of security issues among employees
♦ Identify assets, vulnerabilities, and controls
– A systematic analysis produces a comprehensive list of assets and
risks
♦ Improve the basis for decisions
– Controls may reduce productivity
– Controls need to be justified
– Some risks are serious enough to require controls regardless of cost
♦ Justify expenditures for security
– Some controls may be too expensive without any obvious benefit

Risk Assessment – Steps
♦ Identify assets
– Hardware, software, data, people, supplies
♦ Determine vulnerabilities
– Intentional errors, malicious attacks, natural disasters
♦ Estimate the likelihood of exploitation
– Considerations include
• Presence of threats
• Tenacity/strength of threats
• Effectiveness of safeguards
– Delphi approach
• Raters give independent estimates, which are circulated anonymously
and re-estimated over several rounds until they converge


Risk Assessment – Steps
♦ Compute the expected annual loss
– The value of physical assets can be estimated directly
– Data may also have to be protected for legal reasons
♦ Survey applicable (new) controls
– If the risk of unauthorized access is too high, access control
hardware, software and procedures need to be re-evaluated
♦ Project the annual savings of each control
– Compare the reduction in expected annual loss against the cost of the control
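Worked example of the cost-benefit steps above (compute expected annual loss, survey controls, project savings), added here and not part of the lecture. The asset, threat and all figures are hypothetical; SLE/ARO/ALE are the standard risk-analysis names for the quantities the slides describe.

```python
"""Expected annual loss and control cost-benefit, following the steps in the slides.

Added example: the figures below are constructed for illustration, not taken from
the lecture. Quantities use the usual risk-analysis terms:
  SLE (single loss expectancy)        = asset value x exposure factor
  ARO (annualized rate of occurrence) = expected incidents per year
  ALE (annualized loss expectancy)    = SLE x ARO
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Exposure:
    """One asset/threat pair from the assessment."""
    asset: str
    threat: str
    asset_value: float      # value of the asset in currency units
    exposure_factor: float  # fraction of the value lost per incident, 0..1
    annual_rate: float      # ARO: expected incidents per year

    def sle(self) -> float:
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        return self.sle() * self.annual_rate


@dataclass(frozen=True)
class Control:
    """A candidate safeguard and how much it reduces rate and/or impact."""
    name: str
    annual_cost: float
    rate_reduction: float = 0.0    # 0.7 means 70% fewer incidents
    impact_reduction: float = 0.0  # 0.5 means half the loss per incident


def residual_ale(exp: Exposure, ctrl: Control) -> float:
    """ALE that remains after the control is applied (the residual risk)."""
    rate = exp.annual_rate * (1.0 - ctrl.rate_reduction)
    loss = exp.sle() * (1.0 - ctrl.impact_reduction)
    return rate * loss


def annual_savings(exp: Exposure, ctrl: Control) -> float:
    """Net annual benefit of a control: ALE avoided minus the control's cost."""
    return exp.ale() - residual_ale(exp, ctrl) - ctrl.annual_cost


def recommend(exp: Exposure, controls) -> list:
    """Controls whose benefit exceeds their cost, best first, with net savings."""
    scored = [(c.name, round(annual_savings(exp, c), 2)) for c in controls]
    return sorted([s for s in scored if s[1] > 0], key=lambda s: s[1], reverse=True)


# Constructed sample assessment (hypothetical asset and figures).
CUSTOMER_DB = Exposure(
    asset="customer database",
    threat="SQL injection through the public web application",
    asset_value=500_000.0,
    exposure_factor=0.4,   # 40% of the value lost per successful breach
    annual_rate=0.5,       # one breach expected every two years
)

CANDIDATE_CONTROLS = [
    Control("web application firewall", annual_cost=20_000.0, rate_reduction=0.7),
    Control("secure code review programme", annual_cost=60_000.0, rate_reduction=0.9),
    Control("database encryption at rest", annual_cost=15_000.0, impact_reduction=0.5),
    Control("breach insurance", annual_cost=120_000.0, impact_reduction=0.9),
]

if __name__ == "__main__":
    print(f"ALE without controls: {CUSTOMER_DB.ale():,.0f}")
    for name, savings in recommend(CUSTOMER_DB, CANDIDATE_CONTROLS):
        print(f"{name:32s} net annual savings {savings:>10,.0f}")
```

The insurance option is rejected because its premium exceeds the loss it avoids, which is exactly the "control costs more than the expected loss" test from the previous slide; in practice the exposure factor and rate are the least certain inputs, so rerun the ranking over a range of values before committing budget.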

Risk Mitigation
♦ Risk mitigation is any step taken to reduce risk
♦ Residual Risk (RR)
– The portion of risk remaining after security measures have been
applied
♦ Safeguards for RR
– It is difficult to eliminate RR completely
– Keep RR at a minimum, acceptable level


Watermarking

Watermarking – A Scenario …
♦ Alice owns object A.
♦ Bob gets hold of object A.
♦ Bob claims A is his.
♦ Alice has to fight Bob in court and prove that A
belongs to (or was created by) Alice.


Watermarking – A Scenario …
♦ Alice encodes a secret message W inside object A such
that:
– She can retrieve W from A whenever she wants (and hence prove
ownership).
– Bob cannot tamper with W (by meddling with A) so as to:
• Make W unreadable.
• Introduce W' on top of W and confuse the reader.
• Remove W, introduce W' and claim object A is his own.
♦ W has to be stealthy (imperceptible in A)
♦ W has to be resilient (survive modification of A)


Watermarking
♦ Visible watermarks
– Similar to the physical counterpart
(digitally stamped!)
♦ Invisible watermarks
– Useful for identifying the
source, author, owner, distributor
or authorized consumer
– Permanently and unalterably mark the
image
♦ Also used for tracing images in
the event of their illicit
distribution
– Unique watermark for each buyer

Watermarking
♦ Spatial domain watermarking
– Simplest: flip the lowest-order bit of chosen pixels
– Superimpose a watermark pattern on the image
– Color separation – watermark in only one color band
– Picture cropping can eliminate some spatial
watermarks
♦ Frequency domain watermarking
– Use the Fast Fourier Transform – alter the values of chosen
frequencies
– The watermark is dispersed spatially, so cropping or other
spatial attacks are much less likely to remove it
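An added example of the simplest spatial-domain technique on this slide, not code from the lecture: the lowest-order bit of key-chosen pixels carries the mark. The image, key and mark are constructed. It also shows the weakness the slide names: cropping the marked image destroys the mark.

```python
"""Spatial-domain watermarking by flipping the lowest-order bit of chosen pixels.

Added example (not from the lecture). The image is a constructed 8-bit grayscale
grid; the pixel positions that carry the mark are chosen pseudo-randomly from a
secret key, so the mark is stealthy (scattered, at most 1 grey level of change)
but, like any spatial-domain mark, it does not survive cropping.
"""
import hashlib
import random


def _positions(width, height, key: bytes):
    """All pixel coordinates in a key-dependent pseudo-random order."""
    rng = random.Random(hashlib.sha256(key).digest())
    coords = [(y, x) for y in range(height) for x in range(width)]
    rng.shuffle(coords)
    return coords


def _to_bits(data: bytes):
    return [(byte >> i) & 1 for byte in data for i in range(7, -1, -1)]


def _from_bits(bits):
    return bytes(int("".join(str(b) for b in bits[i:i + 8]), 2)
                 for i in range(0, len(bits), 8))


def embed(image, key: bytes, mark: bytes):
    """Return a copy of image whose LSBs at key-chosen positions hold len(mark)+mark."""
    height, width = len(image), len(image[0])
    if len(mark) > 255:
        raise ValueError("mark longer than the 1-byte length prefix allows")
    bits = _to_bits(bytes([len(mark)]) + mark)
    if len(bits) > width * height:
        raise ValueError("image too small to carry the mark")
    out = [row[:] for row in image]
    for (y, x), bit in zip(_positions(width, height, key), bits):
        out[y][x] = (out[y][x] & ~1) | bit   # only the lowest-order bit changes
    return out


def extract(image, key: bytes):
    """Read the mark back; returns None if the image cannot hold a full mark."""
    height, width = len(image), len(image[0])
    lsbs = [image[y][x] & 1 for (y, x) in _positions(width, height, key)]
    length = _from_bits(lsbs[:8])[0]
    payload = lsbs[8:8 + 8 * length]
    if len(payload) < 8 * length:
        return None
    return _from_bits(payload)


def max_pixel_change(a, b):
    """Largest per-pixel difference between two equally sized images."""
    return max(abs(pa - pb) for ra, rb in zip(a, b) for pa, pb in zip(ra, rb))


# Constructed 16x16 grayscale image (a simple gradient) and a secret key.
ORIGINAL = [[(16 * x + y) % 256 for x in range(16)] for y in range(16)]
KEY = b"alice-watermark-key"
MARK = b"ALICE"

if __name__ == "__main__":
    marked = embed(ORIGINAL, KEY, MARK)
    print("extracted:", extract(marked, KEY))
    print("max change:", max_pixel_change(ORIGINAL, marked))
    cropped = [row[:8] for row in marked[:8]]   # crop to the top-left quarter
    print("after crop:", extract(cropped, KEY))
```

Because the carrying positions are derived from the image dimensions and the key, a crop (or any resampling) shifts every position and the mark is lost, which is why the slide turns to frequency-domain marks for resilience. The key is what keeps the mark stealthy: without it Bob does not know which of the 256 LSBs to inspect, but he can still destroy the mark by randomising all LSBs, so this scheme proves ownership only while the marked copy is intact.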


Watermarking
♦ Text-line coding
– Text lines of a document page are shifted
imperceptibly up or down
♦ Word-shift coding
– Spacing between words in a line of text is altered
♦ Character coding
– E.g., the end line at the top of a letter, say “t”,
is extended

Intrusion Detection System (IDS)
♦ Practical goals of intrusion detection systems:
– Detect a wide variety of intrusions (known + unknown)
– Detect in a timely fashion
– Present analysis in a useful manner
• Need to monitor many components; proper interfaces needed
– Be (sufficiently) accurate
• Minimize false positives and false negatives
• False positive: not intrusive, but detected as intrusive
• False negative: intrusive, but not detected


Intrusion Detection System (IDS)
[Figure: Attack Sophistication vs. Intruder Technical Knowledge]

Intrusion Detection System (IDS)
♦ IDS Configuration (figure on the original slide):
– Inputs: audit trail, packets, results from other IDSs
– IDS function: analyses the inputs and produces indications, warnings and alarms
– Intrusion response function: consumes the alarms and produces responses
♦ Each function can be implemented in a
centralized or distributed fashion


IDS Types : Anomaly Detection
♦ Compare characteristics of the system with expected values
– Report when the statistics do not match
♦ Threshold metric: when a statistic deviates from normal by more than a
threshold, sound the alarm
– E.g., number of failed logins
♦ Statistical moments: based on the mean/standard deviation of
observations
– Number of user events in a system
– Time periods of user activity
– Resource usage profiles
♦ Markov model: based on the current state and the expected likelihood of
transitions to new states
– If a low-probability transition occurs, it is considered suspicious
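The threshold metric and the statistical-moment metric above, as an added example (not from the lecture) run over constructed sshd log lines and constructed per-user login histories; the hostname, users and addresses are illustrative.

```python
"""Two anomaly-detection metrics from the slide, run over constructed log data.

Added example (not from the lecture). The sshd log lines and the per-user
baselines below are constructed; the IP addresses are documentation ranges.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Syslog-style sshd lines:
# "<iso-timestamp> <host> sshd[pid]: Failed|Accepted password for [invalid user] <user> from <ip> ..."
LOG_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)

SAMPLE_LOG = """\
2010-11-16T09:00:01 gw sshd[1201]: Accepted password for alice from 10.0.0.5 port 51022 ssh2
2010-11-16T09:01:00 gw sshd[1210]: Failed password for invalid user admin from 203.0.113.9 port 40001 ssh2
2010-11-16T09:01:05 gw sshd[1211]: Failed password for root from 203.0.113.9 port 40002 ssh2
2010-11-16T09:01:10 gw sshd[1212]: Failed password for root from 203.0.113.9 port 40003 ssh2
2010-11-16T09:01:15 gw sshd[1213]: Failed password for invalid user test from 203.0.113.9 port 40004 ssh2
2010-11-16T09:01:20 gw sshd[1214]: Failed password for root from 203.0.113.9 port 40005 ssh2
2010-11-16T09:01:25 gw sshd[1215]: Failed password for invalid user oracle from 203.0.113.9 port 40006 ssh2
2010-11-16T09:01:30 gw sshd[1216]: Failed password for root from 203.0.113.9 port 40007 ssh2
2010-11-16T09:02:00 gw sshd[1220]: Failed password for bob from 198.51.100.4 port 33001 ssh2
2010-11-16T09:04:30 gw sshd[1221]: Failed password for bob from 198.51.100.4 port 33002 ssh2
2010-11-16T09:07:00 gw sshd[1222]: Failed password for bob from 198.51.100.4 port 33003 ssh2
2010-11-16T09:07:20 gw sshd[1223]: Accepted password for bob from 198.51.100.4 port 33004 ssh2
2010-11-16T09:08:00 gw cron[900]: (root) CMD (run-parts /etc/cron.hourly)
"""


def parse(lines):
    """Yield one dict per line that matches LOG_RE; other lines are ignored."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield {"ts": datetime.fromisoformat(m["ts"]), "result": m["result"],
                   "user": m["user"], "ip": m["ip"]}


def threshold_alerts(events, max_failures=5, window_s=60):
    """Threshold metric: source IPs with more than max_failures failed logins
    inside any window_s-second sliding window."""
    failures = defaultdict(list)
    for e in events:
        if e["result"] == "Failed":
            failures[e["ip"]].append(e["ts"])
    alerts = []
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window_s:
                start += 1
            if end - start + 1 > max_failures:
                alerts.append(ip)
                break
    return sorted(alerts)


def moment_alerts(baseline, observed, k=3.0):
    """Statistical moments: flag users whose observed count lies more than
    k standard deviations from the mean of their baseline history."""
    flagged = {}
    for user, count in observed.items():
        history = baseline.get(user)
        if not history or len(history) < 2:
            continue   # no profile yet, so nothing to compare against
        mean, sd = statistics.mean(history), statistics.pstdev(history)
        if sd == 0:
            if count != mean:
                flagged[user] = count
        elif abs(count - mean) / sd > k:
            flagged[user] = count
    return flagged


# Constructed 14-day history of daily logins per user, and today's counts.
BASELINE = {
    "alice": [10, 12, 11, 9, 13, 10, 11, 12, 10, 11, 9, 12, 10, 11],
    "bob": [3, 2, 4, 3, 3, 2, 4, 3, 3, 2, 4, 3, 3, 2],
}
TODAY = {"alice": 12, "bob": 25, "carol": 7}

if __name__ == "__main__":
    print("threshold alerts:", threshold_alerts(parse(SAMPLE_LOG.splitlines())))
    print("moment alerts:", moment_alerts(BASELINE, TODAY))
```

The two metrics fail differently: the threshold catches the burst from 203.0.113.9 but not bob's slow, spread-out failures (lower the threshold or widen the window and they trigger too, at the cost of more false positives), while the moment metric needs a history per user and says nothing about carol, who has none. A real deployment tunes the threshold and window per source and rebuilds baselines regularly, otherwise an attacker who goes slowly enough trains the "normal" profile to include him.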

IDS Types : Misuse Modeling
♦ Does a sequence of instructions violate the security policy?
– Problem: how do we know all violating sequences?
♦ Solution: capture known violating sequences
– Generate a rule set for an intrusion signature
• But won't the attacker just do something different?
• Often, no: kiddie scripts, rootkits, …
♦ Alternate solution: state-transition approach
– Model the known “bad” state transitions of an attack (e.g. using Petri nets)
– Capture when the transition has occurred (user → root)
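Added example of both approaches on this slide, not from the lecture: a small signature rule set matched against shell commands, and a state-transition automaton that reports a process which reaches root without passing through a trusted setuid program. The audit events, commands, regexes and the trusted-program list are constructed and would need tuning for a real host.

```python
"""Misuse detection two ways: signature rules over shell commands, and a
state-transition model that fires when a process reaches root without going
through a trusted setuid program (the slide's user -> root transition).

Added example (not from the lecture). The audit events, command lines and the
trusted-program list are constructed for illustration.
"""
import re

# --- 1. Signature rule set: each rule is a name and a regex over a command line.
SIGNATURES = {
    "shell history wiped": re.compile(r"\brm\b.*\.bash_history|\bhistory\s+-c\b"),
    "password hashes read": re.compile(r"\bcat\b.*/etc/shadow"),
    "log directory cleared": re.compile(r"\brm\b\s+-rf?\s+/var/log"),
}


def signature_matches(commands):
    """Return (rule name, command) for every command that matches a signature."""
    hits = []
    for cmd in commands:
        for name, pattern in SIGNATURES.items():
            if pattern.search(cmd):
                hits.append((name, cmd))
    return hits


# --- 2. State-transition model over per-process audit events.
TRUSTED_SETUID = {"/usr/bin/sudo", "/usr/bin/su", "/usr/bin/passwd"}


def exec_trusted(e):
    return e["call"] == "execve" and e["path"] in TRUSTED_SETUID


def exec_other(e):
    return e["call"] == "execve" and e["path"] not in TRUSTED_SETUID


def became_root(e):
    return e["uid"] != 0 and e["euid"] == 0


# (current state, predicate) -> next state; the first matching row wins and an
# event that matches no row leaves the state unchanged.
TRANSITIONS = [
    ("user", exec_trusted, "elevating"),   # the legitimate way to gain root
    ("user", became_root, "intrusion"),    # root without a trusted setuid exec
    ("elevating", became_root, "root"),
    ("elevating", exec_other, "user"),     # ran something else instead
]


def state_transition_alerts(events):
    """Track each pid through the automaton; report pids that reach 'intrusion'."""
    state = {}
    alerts = []
    for e in events:
        current = state.get(e["pid"], "user" if e["uid"] != 0 else "root")
        for src, pred, dst in TRANSITIONS:
            if current == src and pred(e):
                current = dst
                break
        state[e["pid"]] = current
        if current == "intrusion" and e["pid"] not in alerts:
            alerts.append(e["pid"])
    return alerts


# Constructed audit trail: pid 100 uses sudo; pid 200 becomes root through a
# binary in /tmp, which is the transition we want to catch; pid 300 is root's cron.
AUDIT_EVENTS = [
    {"pid": 100, "uid": 1000, "euid": 1000, "call": "execve", "path": "/bin/bash"},
    {"pid": 100, "uid": 1000, "euid": 1000, "call": "execve", "path": "/usr/bin/sudo"},
    {"pid": 100, "uid": 1000, "euid": 0,    "call": "setuid", "path": ""},
    {"pid": 200, "uid": 1001, "euid": 1001, "call": "execve", "path": "/bin/bash"},
    {"pid": 200, "uid": 1001, "euid": 1001, "call": "execve", "path": "/tmp/.x"},
    {"pid": 200, "uid": 1001, "euid": 0,    "call": "setuid", "path": ""},
    {"pid": 300, "uid": 0,    "euid": 0,    "call": "execve", "path": "/usr/sbin/cron"},
]

SHELL_COMMANDS = [
    "ls -la /home/bob",
    "cat /etc/shadow",
    "rm -f ~/.bash_history",
    "tar czf backup.tgz /home/bob",
]

if __name__ == "__main__":
    print("signature hits:", signature_matches(SHELL_COMMANDS))
    print("user->root alerts for pids:", state_transition_alerts(AUDIT_EVENTS))
```

The signature rules only fire on what was written down, which is the slide's "won't the attacker just do something different" problem (rename the history file and the first rule is blind). The automaton instead encodes the effect the policy forbids, an unprivileged real uid acquiring an effective uid of 0 outside the sanctioned path, so it catches any mechanism that produces that transition, including ones nobody has written a signature for.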


IDS Problem
♦ An IDS is useless unless it is accurate
– A significant fraction of intrusions must be detected
– A significant fraction of alarms must correspond to intrusions
♦ Goal is to
– Reduce false positives
• Reports an attack, but no attack is underway
– Reduce false negatives
• An attack occurs but the IDS fails to report it

Intrusion Response
♦ Incident prevention
– Stop the attack before it succeeds
– Measures to detect the attacker
– Example: jailing (also honeypots)
• Make attackers think they are succeeding while confining them to a controlled area
♦ Intrusion handling
– Preparation for detecting attacks
– Identification of an attack
– Contain the attack
– Eradicate the attack (terminate processes / network connections, close ports,
block specific IP addresses, put wrappers around attacked applications)
– Recover to a secure state
– Follow-up to the attack (e.g., punish the attacker)


Host based IDS
♦ Using OS auditing mechanisms
– E.g., BSM (Basic Security Module) on Solaris: logs all direct or
indirect events generated by a user
– strace for the system calls made by a program
♦ Monitoring user activities
– E.g., analyze shell commands
♦ Monitoring executions of system programs
– E.g., analyze the system calls made by sendmail

Network based IDS
♦ Deploying special sensors at strategic locations
– E.g., packet sniffing via tcpdump at routers
♦ Inspecting network traffic
– Watch for violations of protocols and unusual connection patterns
♦ Monitoring user activities
– Look into the data portions of the packets for malicious command
sequences


Characteristics of a Good IDS
♦ Run continuously
♦ Fault tolerant
♦ Resist subversion
♦ Minimal overhead
♦ Observe deviations
♦ Easily tailored
♦ Cope with changing system behavior
♦ Difficult to fool

Computer Forensics
♦ Forensics:
– The use of science and technology to investigate and establish
facts in criminal or civil courts of law.

♦ Computer Forensics:
– Commonly defined as the collection, preservation, analysis
and court presentation of computer-related evidence.
– Gathering and analyzing data in a manner as free from
distortion or bias as possible to reconstruct data or what has
happened in the past on a computer system.


Computer Forensics
♦ Who needs computer forensics?
– The victim
– Law enforcement
– Insurance carriers
– The legal system
♦ Who are the victims?
– Private businesses
– Government
– Individuals

Reasons for a Forensic Analysis
♦ Identify the perpetrator.
♦ Identify the method/vulnerability of the network that
allowed the perpetrator to gain access to the system.
♦ Conduct a damage assessment of the victimized network.
♦ Preserve the evidence for judicial action.


Enterprise Security Timeline
♦ Perimeter Defense
– Firewalls
– VPNs
– Access Control
– Authentication
♦ Vulnerability Assessment
– Vulnerability scanners
– Threat Assessments
♦ Content & Intrusion Detection
– IDS
– Network Traffic Monitors
♦ Incident Response and Forensics
– Computer Forensics
– Enterprise Forensics

Types of Forensic Requests
♦ Intrusion Analysis
♦ Damage Assessment
♦ Suspect Examination
♦ Tool Analysis
♦ Log File Analysis
♦ Evidence Search


Types of Forensic Requests
♦ Intrusion Analysis
– Who gained entry?
– What did they do?
– When did this happen?
– Where did they go?
– Which network did they use?
– How did they do this?
♦ Damage Assessment
– What was available for the intruder to see?
– What did they take?
– What did they leave behind?
– Where did they go?

Types of Forensic Requests
♦ Suspect Examination
♦ Tool Analysis
– What tools were used?
– How were they executed?
– What language were they written in?
– Compare the files with the suspect's own files.


Types of Forensic Requests
♦ Log File Analysis
– Events: which events are monitored, and what do the event records reveal?
– Firewall/router/server log files?
– Tripwire (file integrity) database?
– Modem/FTP/Telnet/RAS logs?
♦ Evidence Search
– Software applications
– Files (image, deleted, hidden, encrypted)
– Hidden partitions
– Keyword search
– Known remote access tools
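Added example (not from the lecture) of the evidence-search items above on a raw image: hash the image to show it is unchanged by the analysis, carve for file headers regardless of file-system metadata (which also finds deleted files), and keyword-search in both ASCII and UTF-16LE. The image bytes are constructed; the magic values are the standard JPEG, ZIP and PNG headers.

```python
"""Evidence preservation and search over a raw disk image, as in the slide's
"Evidence Search" list: hash the image before and after analysis, carve for
known file signatures, and search keywords in both ASCII and UTF-16LE.

Added example (not from the lecture). The "image" is a constructed byte
string; the file signatures are the standard JPEG/ZIP/PNG magic bytes.
"""
import hashlib

# Magic bytes at the start of common file types (standard values).
FILE_SIGNATURES = {
    "jpeg": b"\xff\xd8\xff",
    "zip": b"PK\x03\x04",
    "png": b"\x89PNG\r\n\x1a\n",
}


def image_hash(data: bytes) -> str:
    """SHA-256 of the whole image; record it at acquisition and re-check after analysis."""
    return hashlib.sha256(data).hexdigest()


def find_all(haystack: bytes, needle: bytes):
    """All offsets at which needle occurs in haystack (overlaps allowed)."""
    offsets, pos = [], haystack.find(needle)
    while pos != -1:
        offsets.append(pos)
        pos = haystack.find(needle, pos + 1)
    return offsets


def carve(data: bytes):
    """Offsets of file headers, ignoring file-system metadata: this also finds
    files that were deleted or stored in unallocated or hidden space."""
    return {name: find_all(data, magic) for name, magic in FILE_SIGNATURES.items()}


def keyword_search(data: bytes, keywords):
    """Case-insensitive keyword hits as (offset, encoding). UTF-16LE is searched
    too because Windows registry, shortcut and many document formats store text that way."""
    lowered = data.lower()   # lowercases ASCII bytes only, which is what we want
    hits = {}
    for word in keywords:
        w = word.lower()
        found = [(off, "ascii") for off in find_all(lowered, w.encode("ascii"))]
        found += [(off, "utf-16-le") for off in find_all(lowered, w.encode("utf-16-le"))]
        hits[word] = sorted(found)
    return hits


def build_sample_image() -> bytes:
    """Constructed image: zero filler with a JPEG header, a deleted-looking text
    fragment, a ZIP header and a UTF-16LE string embedded at known places."""
    filler = b"\x00" * 512
    jpeg = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x11" * 64
    memo = b"Deleted memo: wire transfer to account 4471 tonight"
    zip_hdr = b"PK\x03\x04" + b"\x00" * 26
    note16 = "hidden note: wire TRANSFER".encode("utf-16-le")
    return filler + jpeg + filler + memo + filler + zip_hdr + note16 + filler


def analyse(data: bytes, keywords):
    """Run carving and keyword search and confirm the evidence was not altered."""
    before = image_hash(data)
    report = {"carved": carve(data), "keywords": keyword_search(data, keywords)}
    report["unchanged"] = image_hash(data) == before
    return report


if __name__ == "__main__":
    image = build_sample_image()
    result = analyse(image, ["transfer", "account"])
    print("sha256:", image_hash(image))
    print("carved:", result["carved"])
    print("keywords:", result["keywords"])
    print("evidence unchanged:", result["unchanged"])
```

Two habits shown here matter in court: the hash recorded at acquisition is what lets the examiner testify that the copy analysed is the copy seized, and searching raw bytes rather than the mounted file system is what turns up deleted and hidden material. An ASCII-only keyword search silently misses UTF-16 text, which is a common reason a "clean" Windows image is not.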

Legal Issues
♦ Laws regulate the use, development and ownership of data
and programs
– Copyright: gives an author the exclusive right to make copies of his
original work (the expression, not the underlying idea) and sell them to the public.
– Patent law: protects novel inventions – applies to the results of
science, technology and engineering.
– Trade secret: prevents only misappropriation (wrongful taking) of
ideas, facts and know-how, whether in tangible form or not – can
be used in conjunction with copyright law and sometimes with
patent law.
♦ Certainly greater protection is available when a
combination of legal areas is used!


Legal Issues
Criterion                 | Copyright                                 | Patent                                              | Trade secret
Protects                  | Expression of an idea                     | Invention                                           | Secret information
Object made public        | Yes: the intention is to promote          | Design filed at the patent office                   | No
Requirement to distribute | Yes                                       | No                                                  | No
Ease of filing            | Very easy, do-it-yourself                 | Very complicated; specialist lawyer suggested       | No filing
Duration                  | Life of the human originator, or 75 years for a company | 19 years (slide figure; US patents now run 20 years from filing) | Indefinite
Legal protection          | Sue if a copy is sold                     | Sue if the invention is copied                      | Sue if the secret is improperly obtained
Examples                  | Object code, documentation                | Hardware                                            | Source code

Ownership Issues
♦ Ownership is an issue in computer security
♦ Ownership of products
– Eve writes programs at night and sells them herself
– If Eve is a programmer in a company and the program remotely
corresponds to her job,
• the employer may claim it!
– If Eve is self-employed but an earlier version was developed for a
company,
• the company may show that it paid for the program and then claim
ownership


Ownership Issues
♦ Ownership of patents
– If the employee lets the employer file the patent, the employer is
deemed to own the patent and therefore the rights to the
innovation
– The employer has the right to the patent if the employee's job
function includes inventing the product
♦ Ownership of copyrights
– Work-for-hire
• The employer is the author of the work
– License
• The programmer owns the product and sells a license to the company

Digital Rights Management
♦ Digital rights determine who can do what under
which conditions.
♦ Digital rights are not static.
– E.g. The author of an academic paper has intellectual
property rights, the publisher holds copyright, readers
will have usage rights when the paper is purchased or
acquired.

♦ Many of these rights may change over time.


Digital Rights Management
♦ Digital Rights Management (DRM) is the process of
recording, transmitting, interpreting and enforcing digital
rights.
♦ The aim of DRM is to prevent unauthorized use and to
preserve the integrity of digital information.
♦ DRM products were developed in response to the rapid
increase in online piracy of commercially marketed
material, which proliferated through the widespread use of
Napster and other peer-to-peer file exchange programs.

Computer Crime
♦ Hard to prosecute, for the following reasons
– Low computer literacy among lawyers, police
officers, jurors, etc.
– Tangible evidence like fingerprints and
physical clues may not exist
– Assets take different forms
• Is computer time an asset?
– Juveniles
• Many cases involve juveniles

Cyber Crime
♦ Any illegal act committed using a computer
network (especially the Internet).
♦ A subset of computer crime.
♦ Cyber criminals: persons using a network as a
tool of the crime
– Includes hackers, crackers, and network attackers.
♦ Trans-frontier attacks
– Jurisdiction problems


Exercise
♦ Search for some risk analysis tools on the internet, OR
♦ Search for some forensic analysis tools on the internet
– Study their parameters
• Supported functions, cost, HW/SW requirements, GUI, API, …
– Look at the reviews of these tools (if any)
– Prepare a comparative table of these tools
• Not longer than a single page
