Sicurezza Informatica Prof. Stefano Bistarelli

Prof. Stefano Bistarelli - Sicurezza Informatica2 Chapter 1: Introduction

Prof. Stefano Bistarelli - Sicurezza Informatica3 Outline Security (confidentiality, integrity, availability) to protect from threats!! Security policies identify threats and and define requirements (assumptions) Security mechanisms are methods to detect/prevent/recover threats Which security countermeasure we want to apply? Security Risk analysis!!

Prof. Stefano Bistarelli - Sicurezza Informatica4 Sicurezza Informatica abilità di un sistema di proteggere informazioni, risorse ed il sistema stesso, rispetto alle nozioni di Confidentialità (confidentiality) Integrità (integrity) e Autenticazione (authentication) Disponibilità (availability) Controllo degli Accessi (control access) Non ripudio (no-repudiaton) Privatezza (privacy)

Prof. Stefano Bistarelli - Sicurezza Informatica5 Alice, Bob, e … Trudy “Hello-world” nel mondo della sicurezza Bob e Alice hanno la necessità di comunicare tra loro in modo sicuro Trudy, “intruder” è in grado di intercettare e modificare i messaggi Figure 7.1 goes here

Prof. Stefano Bistarelli - Sicurezza Informatica6 Main goals Confidentialità (confidentiality) Assicurare che le informazioni non siano accessibili ad utenti non autorizzati Integrità (integrity) Assicurare che le informazioni non siano alterabili da persona non autorizzate (in maniera invisibile agli utenti autorizzati) Autenticazione (athentication) Assicurare che gli utenti siano effettivamente chi dichiarano di essere Disponibilità (availability) Assicurare che un sistema sia operativo e funzionale in ogni momento (non deny-of-service)

Prof. Stefano Bistarelli - Sicurezza Informatica7 Additional goals Controllo degli accessi (access control) Assicurare che gli utenti abbiano accesso a tutte le risorse ed a tutti i servizi cui sono autorizzati e solo a questi Non ripudio (non-repudiation) Assicurare che il mittente di un messaggio non possa negare il fatto di aver spedito il messaggio Privatezza (privacy) Assicurare che gli utenti possano controllare quali informazioni su di lui vengono raccolte, come vengono usate, chi le usa, chi le mantiene, e per quale scopo vengono usate

Prof. Stefano Bistarelli - Sicurezza Informatica8 Security is not safety!!

Prof. Stefano Bistarelli - Sicurezza Informatica9 Security “is not” Safety Reliability (affidabilità) “non sbaglia!” Availability (disponibilità) “non da crash!” Maintainability (manutenibilità) “E’ facilmente gestibile” Safety (sicurezza) “non muore nessuno usandolo”

Prof. Stefano Bistarelli - Sicurezza Informatica10 Basic Components Confidentiality, Integrity, Availability Interpretation ALWAYS depends from the context!!

Prof. Stefano Bistarelli - Sicurezza Informatica11 Confidentiality Keeping data (and resources) hidden Military and commercial motivations! Mechanisms: Access control (cryptography) System dependent mechanism (safer when working … but may fail!!) Assumptions and trust of the mechanisms!! Confidentiality of content vs existence of data!! For resource hiding: firewalls!!

Prof. Stefano Bistarelli - Sicurezza Informatica12 Integrity Preventing improper/unauthorized changes Trustworthiness of data Data integrity (integrity) Origin integrity (authentication) Mechanisms: Prevention To change data To change data in an unauthorized way Difficult!! Detection Only detection Provide explanation

Prof. Stefano Bistarelli - Sicurezza Informatica13 Availability Enabling access to data and resources Availability vs reliability ?? (disponibilità vs affidabilità) Threats: Manipulate the use of the data/resource Can be captured Denial of Service Difficult to capture!!

Prof. Stefano Bistarelli - Sicurezza Informatica14 Attack Vs Threat A threat is a “potential” violation of security The violation need not actually occur The fact that the violation might occur makes it a threat It is important to guard against threats and be prepared for the actual violation The actual violation of security is called an attack

Prof. Stefano Bistarelli - Sicurezza Informatica15 Classes of Threats Threat= potential violation of security. Classes: 1. Disclosure (unauthorized access to information) 2. Deception (acceptance of false data) 3. Disruption (DoS) 4. Usurpation (unauthorized control of (part of) a system)

Prof. Stefano Bistarelli - Sicurezza Informatica16 Threats in comunications..

Prof. Stefano Bistarelli - Sicurezza Informatica17 Classes of Threats, ex: Snooping/sniffing disclosure of data Modification/Alteration Deception of data Disruption/usurpation of systems Spoofing/masquerading (impersonation) Deception/usurpation Notice that “delegation”= authorized masquerading Repudiation of origin/send/receipt Inibition of service Delay denial of service

Prof. Stefano Bistarelli - Sicurezza Informatica18 Policies and Mechanisms Policy says what is, and is not, allowed This defines “security” for the site/system/etc. Assumption: definition of the set of secure/insecure states! Composition of policies (ex: for cooperation among sites) If policies conflict, discrepancies may create security vulnerabilities Mechanisms are methods/tools/procedure to enforce policies

Prof. Stefano Bistarelli - Sicurezza Informatica19 Mechanism for Prevention Prevent attackers from violating security policy Detection Detect attackers’ violation of security policy Recovery 1: Stop attack, assess and repair damage 2: Continue to function correctly even if attack succeeds Retaliation as a form of recovery

Prof. Stefano Bistarelli - Sicurezza Informatica20 Trust and Assumptions A policy correctly describe the required security for a site? The mechanism can enforce the policy needs? Security rests on assumptions! Ex: per aprire una porta occorre la chiave (assunzione) Se c’e’ scassinatore, assunzione non valida! A meno che lo scassinatore apra solo le porte dietro richiesta del proprietario! Trust verso scassinatore! Policies assumptions Unambiguously partition system states (secure/non secure) Correctly capture security requirements Mechanisms Assumed to enforce policy if mechanisms work correctly

Prof. Stefano Bistarelli - Sicurezza Informatica21 Types of Mechanisms Let P be the set of all the reachable states Let Q be a set of secure states identified by a policy: Q  P Let the set of states that an enforcement mechanism restricts a system to be R The enforcement mechanism is Secure if R  Q Precise if R = Q Broad if there are some states in R that are not in Q

Prof. Stefano Bistarelli - Sicurezza Informatica22 Types of Mechanisms secure precise broad set Rset Q (secure states)

Prof. Stefano Bistarelli - Sicurezza Informatica23 Assurance how well the system meets its requirements? how much you can trust the system to do what it is supposed to do. It does not say what the system is to do; rather, it only covers how well the system does it.

Prof. Stefano Bistarelli - Sicurezza Informatica24 Assurance To reach assurance: Detailed Specification Design of the HW and SW and show that does not violate specification Implementation that satisfy the design Proof that the implementation produce the desidered behavior (difficult!) Test (easier)

Prof. Stefano Bistarelli - Sicurezza Informatica25 Operational Issues Cost-Benefit Analysis Is it cheaper to prevent or recover? Risk Analysis Should we protect something? How much should we protect this thing? Laws and Customs Are desired security measures illegal? Will people do them?

Prof. Stefano Bistarelli - Sicurezza Informatica26 Human Issues People are THE security problem!! Organizational Problems Power without responsibility (and viceversa) Security officer make therule, system administrator is responsible … No Financial benefits  Untrained users! Password revealed Outsiders and insiders Social engineering

Prof. Stefano Bistarelli - Sicurezza Informatica27 Key Points Policy defines security, and mechanisms enforce security Confidentiality Integrity Availability Trust and knowing assumptions Importance of assurance The human factor

Prof. Stefano Bistarelli - Sicurezza Informatica28 Discussion: