SENG411 Week2

Uploaded by YAMETE KUDASAI

SENG 411

Cyber Security

Dr. Emin Emrah Özsavaş


[email protected]

1
Warm up
Which of the following principles is violated if a computer is no longer
accessible?

a) Access control
b) Confidentiality
c) Availability
d) All of the above

2
Warm up
Which one of the following refers to the technique used for verifying the integrity of the
message?

a) Digital signature
b) Decryption algorithm
c) Protocol
d) Message digest

3
Warm up
Which is potential for loss, damage, or destruction of an asset?

a) Threat
b) Attack
c) Risk
d) Vulnerability

4
Warm up
Which is not a class of attacks?

a) Passive
b) Close-in
c) Authentic
d) Distribution

5
Warm up
Which is a passive attack?

a) Eavesdropping
b) Spoofing
c) Code execution
d) Privilege escalation

6
Warm up
Which is a step in System Hacking?

a) Scanning
b) Enumeration
c) Exploitation
d) Footprinting

7
Warm up
We can identify vulnerabilities and implement defensive measures in advance with the help
of _________.

a) Tactics
b) Policies
c) Techniques
d) Procedures

8
Warm up
Which is not true about White Box testing?

a) We can maximize testing time
b) We can extend testing area
c) We can simulate a realistic scenario
d) We can accomplish a deep test

9
Warm up
Which cannot be an IoC?

a) Hash values
b) Links
c) DNS requests
d) Threat intelligence

10
Warm up
Backdoors belong to _________ attacks.

a) Close-in
b) DDoS
c) Distribution
d) Wiretapping

11
Syllabus

Week  Topic                                Sub-topics
1     Introduction and Basics              Language of security, overview
2     Identity and Access Management,      Identification, authentication, authorization,
      System Architectures                 access control, system architecture concepts
3     Cryptography                         Symmetric and asymmetric encryption, hash
                                           functions, digital signatures
4     Network Security                     Network attacks, security architectures,
                                           countermeasures
5     Hacking Methodology                  Footprinting and reconnaissance, scanning
                                           networks, enumeration, vulnerability analysis
6     Hacking Methodology and Sniffing     System hacking (gaining access, escalating
                                           privileges, maintaining access, clearing logs),
                                           sniffing concepts and techniques
12
Protection of Information

* Information classification: a process to assess the data and
the level of protection it needs, usually in terms of
confidentiality
* Information confidentiality: a sample classification w.r.t.
confidentiality
- Confidential: only senior management
- Restricted: limited number of employees
- Internal: all employees
- Public: everyone
* Maybe more levels in larger and more complex
organizations

13
Protection of Information

Hospital example:

- patients' medical histories: sensitive or not? Who needs
access to them?
- hospital's financial records: sensitive or not? Do doctors
need access to them?
- Do we need separate levels created according to specific
job functions?

14
Protection of Information

Another sample set of classification (three classes):

- open to the general public, no legal restrictions,
e.g. reports with generalised info
- access must be guarded (privacy), e.g. student ID
- protected because of laws, policies or regulations,
e.g. business confidential info
15
Protection of Information

* ISO 27001: Information Security Management System
(ISMS) standard
* Annex A 8.2: 'Information Classification'
4-step process:
- Enter your assets into an inventory
- Classification
- Labelling
- Handling

16
Protection of Information

1. Enter your assets into an inventory
collate all information into an inventory, define
responsibilities and its format

2. Classification
asset owners are responsible, management can provide
guidelines

3. Labelling
e.g. paper docs can be labelled on the top-right corner,
digital docs?

17
Protection of Information

4. Handling:

Define rules for classes and format (e.g. restricted documents must be
placed in a locked cabinet)

18
Protection of Information

* Handling:
different rules/precautions for different situations w.r.t.
different info classes
• View
• Update
• Delete
• Transfer (digital and paper)
• Mail
• Store
• Destroy

19
Protection of Information

A few handling examples

• Creation and Access
- privately owned equipment cannot be used to create or access
Restricted Data unless a secure form of remote access is used
- anyone accessing Restricted Data remotely should ensure:
-- the computer is not a public computer
-- user ID and pw are not observed when logging on
-- open sessions are not left unattended
-- …
• Disclosure
• Storage
• Copying and Transmitting
• Printing
• Backup
• …

20
Protection of Information

Basic responsibilities in info classification:

* Management: policies, procedures, guidelines
* IT: needed infrastructure and training
* Data owner: identify & classify data

21
Protection of Information
- manual or automatic classification (discovery)
- apply handling rules
- allow or deny, log, audit

22
Identity and Access Management

• Object: a passive entity that contains information
• Subject: a user, program or process that requests access to
an object
• Access: the flow of information between a subject and an
object
• Access control: the security features that govern this flow;
one layer of defense-in-depth

23
Identity and Access Management

24
Identity and Access Management

• Identification: the method by which a subject claims to
have a specific identity
• Authentication: the method used to validate a subject's claim;
establishes trust between the user and the system (next step:
allocation of privileges)

25
Identity and Access Management
• Authorization: providing access to an authenticated subject
based on its rights
• Accountability: keeping track of actions performed by the
subject on an object

all-or-nothing aspects of access control

wide range of variations

26
Identity and Access Management

• Permissions: access granted to a subject for an object,
determines what you can do with it, tagged to the object
• Rights: ability to take an action on an object, tagged to the
subject
• Privileges: combination of permissions and rights

27
Identity and Access Management
* Identity - 3 aspects:
- Uniqueness: to be accountable
- Non-descriptive: should not indicate the purpose of
the account
- Issuance: an authority should be providing the
identity
* IdM: management of uniquely identified entities, their
attributes, credentials and entitlements
* Directories: main components of IdM, special databases
- X.500 standard based hierarchical database format
- LDAP as the protocol

28
Identity and Access Management

- sample directory schema
- OU: organizational unit, container of other OUs, users, groups, and resources
- CN: common name (e.g. Carlos Ramirez)
- DN: distinguished name (e.g. CN=Carlos Ramirez, OU=Sales,
OU=Employees, DC=Microsoft, DC=com)
29
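To make the schema above concrete, here is an added example (not code from the slides) that parses a distinguished name like the one on this slide into its relative distinguished names, walks up the OU containers and recovers the domain from the DC components; it also handles backslash-escaped commas inside values as LDAP (RFC 4514) allows. The sample DN string is the slide's own; the function names are mine.

```python
ESCAPED_COMMA = "\\,"   # RFC 4514: a literal comma inside a value is written as \,

def split_dn(dn):
    """Return the DN as a list of (attribute, value) pairs, leaf entry first."""
    rdns, buf, escaped = [], "", False
    for ch in dn:
        if escaped:                 # the character after a backslash is literal
            buf += ch
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":             # an unescaped comma separates RDNs
            rdns.append(buf)
            buf = ""
        else:
            buf += ch
    rdns.append(buf)
    pairs = []
    for rdn in rdns:
        attr, sep, value = rdn.partition("=")
        if not sep:
            raise ValueError(f"malformed RDN: {rdn!r}")
        pairs.append((attr.strip().upper(), value.strip()))
    return pairs

def join_dn(pairs):
    """Inverse of split_dn; re-escapes commas that occur inside values."""
    return ",".join(f"{a}={v.replace(',', ESCAPED_COMMA)}" for a, v in pairs)

def parent_dn(dn):
    """The container holding this entry: everything after the leaf RDN."""
    return join_dn(split_dn(dn)[1:])

def ou_path(dn):
    """OU containers listed from the top of the tree down to the entry."""
    return [v for a, v in reversed(split_dn(dn)) if a == "OU"]

def domain(dn):
    """DNS-style domain formed by the DC components."""
    return ".".join(v for a, v in split_dn(dn) if a == "DC")

SAMPLE_DN = "CN=Carlos Ramirez, OU=Sales, OU=Employees, DC=Microsoft, DC=com"

if __name__ == "__main__":
    print(split_dn(SAMPLE_DN))
    print(parent_dn(SAMPLE_DN))   # OU=Sales,OU=Employees,DC=Microsoft,DC=com
    print(ou_path(SAMPLE_DN))     # ['Employees', 'Sales']
    print(domain(SAMPLE_DN))      # Microsoft.com
```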
Identity and Access Management

- Single Sign-On:
a user provides credentials once and can then access all
resources; interoperability is an issue; is it more secure?
- Federated IdM:
allows a user to be authenticated across multiple IT systems and
enterprises; trust establishment is an important issue

30
Identity and Access Management
* General factors for authentication:
• Something a person knows
• Something a person has
• Something a person is
* Multi-factor authentication
* 1:1 verification: measurement of an identity against a
single claimed identity (e.g. smart card)
* 1:N verification: measurement of an identity against
multiple identities (e.g. fingerprint database)
* Mutual authentication: two communicating entities
must be authenticated to each other

31
Identity and Access Management
General factors for authentication:
• Something a person knows – knowledge based
- pw, passphrase (longer pw), cognitive pw (several questions,
call centers)
- recommendations for pws:
increased length
special characters, complexity
disallow hints
- techniques used by attackers:
monitoring, listening (copy pws and use them again: replay
attack)
access to the pw file
brute-force
dictionary
social engineering
rainbow table: hash format

32
Identity and Access Management

Replay attack:
1. Eavesdrop on a secure network communication
2. Intercept it
3. Delay or resend it to misdirect the receiver
No advanced skills are needed.
- Alice wants to prove her identity to Bob
- Bob requests her password (hashed)
- Eve is eavesdropping and keeps the pw
- Eve (posing as Alice) connects to Bob and sends Alice's pw; Bob grants Eve
access
Solution: completely random session keys, timestamps, a pw for each
transaction
33
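The slide's solution (random per-session values plus timestamps) as an added example, not code from the slides: Bob issues a random one-time nonce, Alice answers with an HMAC over the nonce and the current time keyed by her stored password hash, and Bob rejects any response whose nonce was never issued or was already consumed, or whose timestamp is stale. The password hash, the 30-second skew window and all names are constructed for the demo.

```python
import hashlib
import hmac
import os
import time

# Constructed demo secret: Bob stores Alice's hashed password and both sides use
# it as the HMAC key, so the password itself never travels over the wire.
ALICE_PW_HASH = hashlib.sha256(b"alice-demo-password").digest()

def response(pw_hash, nonce, ts):
    """Alice's side: bind the proof to Bob's one-time nonce and the current time."""
    return hmac.new(pw_hash, nonce + ts.to_bytes(8, "big"), hashlib.sha256).digest()

class Verifier:
    """Bob's side: issue random nonces, reject reused nonces and delayed messages."""
    def __init__(self, pw_hash, max_skew=30):
        self.pw_hash = pw_hash
        self.max_skew = max_skew        # seconds of tolerated clock difference
        self.outstanding = set()        # nonces issued but not yet consumed

    def challenge(self):
        nonce = os.urandom(16)          # completely random per session
        self.outstanding.add(nonce)
        return nonce

    def verify(self, nonce, ts, proof, now=None):
        now = int(time.time()) if now is None else now
        if nonce not in self.outstanding:   # never issued or already used: a replay
            return False
        if abs(now - ts) > self.max_skew:   # message was delayed (or clocks differ)
            return False
        expected = response(self.pw_hash, nonce, ts)
        ok = hmac.compare_digest(expected, proof)
        if ok:
            self.outstanding.discard(nonce) # consume the nonce: a second use fails
        return ok

def demo_replay(now=1_700_000_000):
    """Returns (alice_login_ok, eve_replay_ok); Eve captures nonce, ts and proof."""
    bob = Verifier(ALICE_PW_HASH)
    nonce = bob.challenge()
    proof = response(ALICE_PW_HASH, nonce, now)        # Alice answers the challenge
    alice_ok = bob.verify(nonce, now, proof, now=now)
    eve_ok = bob.verify(nonce, now, proof, now=now + 5)  # Eve resends the capture
    return alice_ok, eve_ok

if __name__ == "__main__":
    print(demo_replay())   # (True, False)
```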
Identity and Access Management
General factors for authentication:
• Something a person has – ownership based
- OTP: dynamic, generated by a token device
- smart cards

34
Identity and Access Management
General factors for authentication:
• Something a person is – biometric
- fingerprint
- retina
- face
- palm
- hand geometry
- keystroke dynamics
- voice print

35
Identity and Access Management

36
Identity and Access Management
Authorization:
- access should be based on the ‘level of trust’ and ‘need-to-know’
- can be enforced by roles, groups, location, time and transaction types

37
Identity and Access Management

Important aspects of authorization:

- Default to No Access: if there is no specific configuration, an implicit
deny rule applies
- Need to Know: grant access only to required info, like least
privilege
- Excessive Privileges: more privileges than required
- Authorization Creep (creeping privileges): accumulation of
excessive rights over time, results in Excessive Privileges (solution:
least privilege)

38
Identity and Access Management
Access Control categories:
- Administrative (Management) Access Control
Focuses on people and business practices
Policy, procedures, hiring practices, background checks, data
classification, awareness training, reports, testing …

- Logical (Technical) Access Control
Hardware and software mechanisms
Encryption, constrained interfaces, firewalls, IDS, biometrics,
passwords, ACLs …

- Physical Access Control
Items that can be physically touched
Guards, fences, motion detectors, locks, lights, cable
protection, video cameras, mantraps …

39
Identity and Access Management

* Access Control Models: frameworks that dictate how
a subject accesses an object
• Discretionary access control
• Mandatory access control
• Role based access control
• Rule based access control
• Attribute based access control
• Risk based access control
* Model decision is based on:
• Business and security goals
• Culture
• Habits of conducting business
40
Identity and Access Management

Discretionary Access Control (DAC):

• identity based access control type
• can be applied to both the directory tree structure and the
files in it
• based on the discretion of the owner: the owner specifies
which subjects can access specific resources
• Access Control Lists (ACL)

41
Identity and Access Management

Mandatory Access Control (MAC):

• users do not have the right to decide who can access
objects
• more structured and stricter than the DAC model
• rules are defined via the security policy of the org
• users cannot install software, change permissions, or add
new users
• secure but neither flexible nor scalable
• very few systems are technically capable of
implementing this model (e.g. military systems)

42
Identity and Access Management

Role Based (Task Based) Access Control (RBAC):

• access is based on the role/task of users
• centrally administered, implemented using groups
• rights and permissions are assigned implicitly to the
user via the role or group the user inherits from
• the best system for companies (pay attention to high
employee turnover)

43
Identity and Access Management
Rule Based Access Control (RB-RBAC):
• built on top of traditional RBAC
• based on the simple concept of “if this, then that”
• before a subject can access an object in a certain circumstance,
subject must meet a set of predefined rules
simple: “If the subject’s ID matches the unique ID value in the
provided digital certificate, then the subject can gain access.”
complex: “If the subject is accessing the object on a weekday
between 8 a.m. and 5 p.m., and if the subject is accessing the object
while physically in the office, and if the subject is in the
procurement role, then the subject can access the object.”

44
Identity and Access Management

Attribute Based Access Control (ABAC):

• uses attributes of any part of a system (subject,
object, actions …) to define access
• "only directors may comment on (but not edit) files
pertaining to a project that is currently being audited"
• two-edged sword:
provides the most granularity
can lead to an excessive number of policies that interact
with each other

45
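An added example (not from the slides) that implements both the complex rule-based policy on slide 44 (weekday, 8 a.m. to 5 p.m., physically in the office, procurement role) and the ABAC statement on slide 45 (only directors may comment on, and nobody may edit, files of a project under audit). Each rule returns permit, deny or "does not apply"; the combining step is deny-overrides with the implicit deny of slide 38's "Default to No Access". Attribute names, the request layout and all sample values are my own construction.

```python
from datetime import datetime

# A rule answers True (permit), False (deny) or None (does not apply).
def procurement_hours_rule(req):
    """Slide 44: weekday, 8 a.m.-5 p.m., in the office, procurement role.
    Only ever permits; when a condition fails the rule simply does not apply."""
    t = req["env"]["time"]
    conditions = (t.weekday() < 5,                       # Monday..Friday
                  8 <= t.hour < 17,
                  req["env"]["location"] == "office",
                  "procurement" in req["subject"]["roles"])
    return True if all(conditions) else None

def audit_rule(req):
    """Slide 45: on files of a project under audit, only directors may comment
    and nobody may edit. Combines subject, object and action attributes."""
    if not req["object"].get("project_under_audit"):
        return None
    if req["action"] == "edit":
        return False                                     # explicit deny for everyone
    if req["action"] == "comment":
        return req["subject"].get("title") == "director"
    return None

RULES = [procurement_hours_rule, audit_rule]

def decide(req, rules=RULES):
    """Deny-overrides combining: any explicit deny wins, then any permit,
    otherwise the implicit deny (slide 38's "Default to No Access")."""
    verdicts = [rule(req) for rule in rules]
    if False in verdicts:
        return "deny"
    return "permit" if True in verdicts else "deny"

def request(roles, title, action, under_audit, when, location="office"):
    """Builds a constructed request from subject, object and environment
    attributes; `when` is an ISO-8601 string such as '2024-01-15T10:00'."""
    return {"subject": {"roles": roles, "title": title},
            "object": {"project_under_audit": under_audit},
            "action": action,
            "env": {"time": datetime.fromisoformat(when), "location": location}}

if __name__ == "__main__":
    # Monday 10:00, procurement role, in the office, file not under audit
    print(decide(request(["procurement"], "buyer", "read", False, "2024-01-15T10:00")))
```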
Identity and Access Management
Risk Based Access Control:
• dynamic: estimate the risk of the request in real time; if it
doesn't exceed a threshold, grant access
• "David works for a technology manufacturer; a super-secret
new product will be released.
If the details of this product are leaked before the announcement,
it will negatively impact revenues.
So the product's specification sheet will be very sensitive until
the announcement.
Should David be granted access to it?"
• question: how likely is it that David's request will
lead to a leak?
• evaluate his role, trustworthiness and need to access, then estimate
the risk and compare it against the threshold

46
Identity and Access Management

create AD groups, place users in groups

can users have more than one group membership?

47
Identity and Access Management
Accountability:
- ensure users are accountable for their actions
- tracked by recording user, system and application activities
- event-oriented audit review: review logs after an event
- integrity of logs: how do we provide it?
- organizational culture is the most important factor

48
System Architectures

system: a set of things working together towards a common goal

architecture: the designed structure, how we put them together

* Client-based systems:
- simplest architecture
- applications that execute entirely on one user device
- no network connectivity except for patches and updates
- core features require no processing on a remote device
- have weak authentication mechanisms; data is stored in
plaintext

49
System Architectures

* Server-based (client-server) systems:

- at least two separate applications interact with each other
across a network connection
- the client requests, the server fulfills
- n-tier architectures; for users, two tiers
- multiple potential security issues; each tier should be
controlled and should establish and maintain trust with the others

50
System Architectures

* Database systems:
- DBMS: software system that allows us to create, read,
update, and delete any data
- efficient and organized storage, faster searches, preventing
accidental corruption of data
- security measures that are applied to server-based systems
are required

51
System Architectures

* Industrial control systems:

- control physical devices in industrial processes
- control things that can directly cause physical harm to
humans; their uptime or availability is critical (they are used in
manufacturing and infrastructure)
- require a slightly different approach than that used to secure
traditional IT systems

52
System Architectures

* Virtualized systems:
- allow us to run multiple services or full computers
simultaneously on the same hardware
- vulnerabilities in the hypervisor would give an attacker the
power to compromise the C.I.A. of the VMs running on it (not a
hypothetical scenario); any component of an information system
could be compromised

53
System Architectures

* Cloud-based systems:
- use of shared, remote computing devices
- three service models:
Infrastructure as a Service (IaaS)
Platform as a Service (PaaS)
Software as a Service (SaaS)

54
System Architectures
Some sub-services:

- IaaS: DBaaS (database-as-a-service)
- IaaS: CCaaS (compute capacity-as-a-service)
- PaaS: STaaS (storage-as-a-service)
- PaaS: DTaaS (desktop-as-a-service)
- SaaS: CaaS (communications-as-a-service)
- SaaS: SECaaS (security-as-a-service)
- SaaS: MaaS (monitoring-as-a-service)

55
System Architectures
Four deployment models:

- Public: available to the general public
- Private: for a single organization only
- Hybrid
- Community: multiple organizations (e.g. universities) that are part
of a community share computing resources

56
System Architectures
Cloud-unique threats

- Consumers have reduced visibility and control
- On-demand self-service simplifies unauthorized use (without
consent, shadow IT)
- Internet-accessible management APIs can be compromised
- Separation among multiple tenants fails
- Data deletion is incomplete

57