Computer Security

44 downloads 31956 Views 1MB Size Report
Cyber Security & Future Cyberspace: Mission Based Access Control (Keynote & paper in Japan) ... CloudGOOGLE: https://cloud.google.com/solutions/big-data/.
Agenda • Research Interests • Computer security concepts – Definition – Examples

• Breatch of Security Level Impact • The OSI security architecture – Active and passive attacks

• Security services – Authentication – Data confidentiality – Access control • Mission Based Access Control

• Future Challenges – Mobile & Wireless Security

• Conclusions 2

Research Interests •

Computer Security • • • • •

2017 Security Workshop Attended SEED 2016 Workshop, University of Syracure Teaching graduate course on Computer Security Habilitation Work: https://dk.upce.cz/handle/10195/41055 Recent publications: • • • • • • • •



Papers in progress: • • •



An Analytical Perspective to Traffic Engineering in Anonymous Communication Systems (PROCSIT 2016 paper) On Detecting Unidentified Network Traffic Using Pattern-based Random Walk (Wiley paper) The Secure Role Based Mission System (RBMS) (Keynote & paper in Japan) THE SECURE MANUFACTURING IT SYSTEM (Keynote & paper in progress in US) Future e-Health, QoS Provision and Cyber security Challenges (paper) Cyber Security & Future Cyberspace: Mission Based Access Control (Keynote & paper in Japan) Pacific Cyberspace (Keynote) Cyberspace Security and Importance of CERTS (Keynote)

Cybersecurity Issues in South Korea Image Multimedia Communication & Encryption Secure Manufacturing

The IoT, Ubiquity, Smart Cyberspace, ICT, e-Services • •

Editorial Boards: • IoT Elsevier and IoT India Journals Reviewer: • • • •



IEEE Communications Letter Elsevier Medical Informatics EDAS & EASYCHAIR Computer Networking and QoS Provision

Research Publications: •

Researchgate

3

Earlier Work • I taught the graduate courses on Computer Security and Networking in Iowa, US as Professor of Computer Science (http://www.icontact-archive.com/muTXAz3b2H7v5t9_KiDZ4gIqQbmAZdg?w=3 ) • I collaborate with colleagues at the Kyushu Institute of Technology in Japan (http://aries3a.cse.kyutech.ac.jp/~disc/en/160213_DISC-Sympo_2016-2-5.pdf & http://www2.ia-engineers.org/iciae2016/wpcontent/uploads/ICIAE2016program.pdf ) • At Sungkyunkwan University (SKKU) in South Korea, I was awarded the 2012-2013 Research Grant on: Cyberspace Security and Computer Emergency Readiness Team (CERT), while working on the Eurostar project proposal in Cybersecure Physical Systems (http://ww.slideslive.com/s/eduard-babulak228?locale=cs & http://uksim.info/cimsim2013/cimsim2013.htm ) • In South Pacific, I served as a Head of School and: • Director of Japan Pacific ICT Centre: http://www.mict.ynu.ac.jp/datafiles/mict_nl09.pdf • Chair of the Board of Director for Pacific Computer Emergency Response Team (PACCert): http://linc.mit.edu/linc2010/proceedings/session9Babulak.pdf 4



Readings Distributed Systems – – – – – – – –



Definition Examples: HADUB: IBM ANALYTICS: http://www.ibm.com/analytics/us/en/ SPRING CLOUD: http://projects.spring.io/spring-cloud/ GitHUB: https://github.com/ CloudGOOGLE: https://cloud.google.com/solutions/big-data/ SAP: http://go.sap.com/index.html OpenSAP: https://open.sap.com/

Security Engineering – – – – – – – – – – –

Definition & Examples & Study Sources: Stallings: http://williamstallings.com/ComputerSecurity/CompSec3e-Student/ Tanenbaum: http://www.cs.vu.nl/~ast/ Comer: https://www.cs.purdue.edu/homes/comer/netbooks.html UCDavis: http://dipakghosal.cs.ucdavis.edu/research Cambridge: https://www.cl.cam.ac.uk/research/ Stanford: https://seclab.stanford.edu/ Imperial College: http://www.imperial.ac.uk/security-institute/ Oxford: https://www.cybersecurity.ox.ac.uk/ EPSRC UK: https://www.epsrc.ac.uk/research/centres/acecybersecurity/ NSA: https://www.nsa.gov/ & https://www.nsa.gov/resources/educators/centers-academic-excellence/ 5

Computer Security Objectives Confidentiality • Data confidentiality • Assures that private or confidential information is not made available or disclosed to unauthorized individuals

• Privacy • Assures that individuals control or influence what information related to them may be collected and stored and by whom and to whom that information may be disclosed

Integrity • Data integrity • Assures that information and programs are changed only in a specified and authorized manner

• System integrity • Assures that a system performs its intended function in an unimpaired manner, free from deliberate or inadvertent unauthorized manipulation of the system

Availability • Assures that systems work promptly and service is not denied to authorized users Credit: Stallings Computer Security 3e

6

Breach of Security Levels of Impact High

• The loss could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals

Moderate Low

• The loss could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals • The loss could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals 7

Credit: Stallings Computer Security 3e

OSI Security Architecture • Security attack – Any action that compromises the security of information owned by an organization

• Security mechanism – A process (or a device incorporating such a process) that is designed to detect, prevent, or recover from a security attack

• Security service – A processing or communication service that enhances the security of the data processing systems and the information transfers of an organization – Intended to counter security attacks, and they make use of one or more security mechanisms to provide the service Credit: Stallings Computer Security 3e

8

Active Attacks •





Involve some modification of the data stream or the creation of a false stream Difficult to prevent because of the wide variety of potential physical, software, and network vulnerabilities Goal is to detect attacks and to recover from any disruption or delays caused by them

Credit: Stallings Computer Security 3e

Masquerade

• Takes place when one entity pretends to be a different entity • Usually includes one of the other forms of active attack

Replay

• Involves the passive capture of a data unit and its subsequent retransmission to produce an unauthorized effect

Modification of messages

• Some portion of a legitimate message is altered, or messages are delayed or reordered to produce an unauthorized effect

Denial of service

• Prevents or inhibits the normal use or management of communications facilities 9

Passive Attacks

• Are in the nature of eavesdropping on, or monitoring of, transmissions • Goal of the opponent is to obtain information that is being transmitted

Credit: Stallings Computer Security 3e

• Two types of passive attacks are: – The release of message contents – Traffic analysis

10

X.800 Service Categories • • • • •

Authentication Access control Data confidentiality Data integrity Nonrepudiation

Credit: Stallings Computer Security 3e

11

Authentication • Concerned with assuring that a communication is authentic – In the case of a single message, assures the recipient that the message is from the source that it claims to be from – In the case of ongoing interaction, assures the two entities are authentic and that the connection is not interfered with in such a way that a third party can masquerade as one of the two legitimate parties Two specific authentication services are defined in X.800:

• Peer entity authentication • Data origin authentication Credit: Stallings Computer Security 3e

12

Future e-Health, QoS Provision and Cybersecurity Challenges Eduard Babulak, Ming Jin, Yoon Sang Kim https://www2.ia-engineers.org/Journal_E/index.php/jiiae/article/view/40

Data Confidentiality • The protection of transmitted data from passive attacks – Broadest service protects all user data transmitted between two users over a period of time – Narrower forms of service includes the protection of a single message or even specific fields within a message

• The protection of traffic flow from analysis – This requires that an attacker not be able to observe the source and destination, frequency, length, or other characteristics of the traffic on a communications facility Credit: Stallings Computer Security 3e

13

RESEARCH ARTICLE On Detecting Unidentified Network Traffic Using Pattern-based Random Walk Mehran Alidoost Nia1, Reza Ebrahimi Atani*1, Benjamin Fabian2 and Eduard Babulak3 1 Department of Computer Engineering, University of Guilan, Rasht, Iran 2 Information Systems, Humboldt University of Berlin, Berlin, Germany 3 Computer Science & Engineering, VSTE, Czech Republic and Maharishi University of Management, Iowa, USA Article (PDF Available) in Security and Communication Networks · July 2016 DOI: 10.1002/sec.1557

Model for Network Security

Credit: Stallings Computer Security 3e

14

RESEARCH ARTICLE On Detecting Unidentified Network Traffic Using Pattern-based Random Walk Mehran Alidoost Nia1, Reza Ebrahimi Atani*1, Benjamin Fabian2 and Eduard Babulak3 1 Department of Computer Engineering, University of Guilan, Rasht, Iran 2 Information Systems, Humboldt University of Berlin, Berlin, Germany 3 Computer Science & Engineering, VSTE, Czech Republic and Maharishi University of Management, Iowa, USA Article (PDF Available) in Security and Communication Networks · July 2016 DOI: 10.1002/sec.1557

Network Access Security Model

Credit: Stallings Computer Security 3e

15

Access Control • The ability to limit and control the access to host systems and applications via communications links • To achieve this, each entity trying to gain access must first be indentified, or authenticated, so that access rights can be tailored to the individual

Credit: Stallings Computer Security 3e

16

Unwanted Access • Placement in a computer system of logic that exploits vulnerabilities in the system and that can affect application programs as well as utility programs such as editors and compilers • Programs can present two kinds of threats: – Information access threats • Intercept or modify data on behalf of users who should not have access to that data

– Service threats • Exploit service flaws in computers to use by legitimate users Credit: Stallings Computer Security 3e

inhibit 17

DYNAMIC ROLE BASED ACCESS CONTROL

Credit to: David F Ferraiolo et all (Role Based Access Control 2edition

MISSION BASED ACCESS CONTROL (MBAC) • Purpose – Develop a secure web application which authenticates the user based on specified authorization privileges – Provide access to a very specific task – Keep access logging – Backtracking the user activities

The Secure Role Based Mission System (SRBMS) Eduard Babulak, Waqas Ahmed, Cen Dai, Chen Pan, Amanuel Hailu https://www2.ia-engineers.org/Journal_E/index.php/jiiae/article/view/92

MBAC APPLICATION LAYOUTS & TEMPLATES

The Secure Role Based Mission System (SRBMS) Eduard Babulak, Waqas Ahmed, Cen Dai, Chen Pan, Amanuel Hailu https://www2.ia-engineers.org/Journal_E/index.php/jiiae/article/view/92

MBAC APPLICATION LAYOUTS & TEMPLATES

The Secure Role Based Mission System (SRBMS) Eduard Babulak, Waqas Ahmed, Cen Dai, Chen Pan, Amanuel Hailu https://www2.ia-engineers.org/Journal_E/index.php/jiiae/article/view/92

MBAC SYSTEM IMPLEMENTATION

The Secure Role Based Mission System (SRBMS) Eduard Babulak, Waqas Ahmed, Cen Dai, Chen Pan, Amanuel Hailu https://www2.ia-engineers.org/Journal_E/index.php/jiiae/article/view/92

Keynote: Digital Medial Broadcasting, Smart TV & Cyber Security, Shanghai, 2012-11-14 http://icc.skku.ac.kr/ice/eng/outstanding?tag=DTV&listPage=1

Computer Security Challenges • Security is not simple • Potential attacks on the security features need to be considered • Procedures used to provide particular services are often counter-intuitive • It is necessary to decide where to use the various security mechanisms • Requires constant monitoring • Is too often an afterthought

• Security mechanisms typically involve more than a particular algorithm or protocol • Security is essentially a battle of wits between a perpetrator and the designer • Little benefit from security investment is perceived until a security failure occurs • Strong security is often viewed as an impediment to efficient and userfriendly operation 23

Seven Cyber Scenarios To Keep You Awake At Night Scenario 1. Collateral damage from cyberwar; Scenario 2. Political protestors enlist social media to target attacks; Scenario 3. An insider uses privileged access to steal customer data; Scenario 4. Malicious software updates; Scenario 5. Hardware backdoors; Scenario 6. Insider abuse; Scenario 7. State sponsored spying; What does this mean? It is hard to propose a Cyber Security scenario that has not already occurred somewhere in the world. While doomsday scenarios of economic devastation and complete loss of critical infrastructure for extended periods is highly unlikely it is still important to be cognizant of past incidents and thus become better armed to think about how these scenarios could play out in your own organization. http://www.e-ir.info/2013/09/02/the-threat-of-cyberterrorism-to-critical-infrastructure/

JAPAN PACIFIC ICT CENTRE & ICT FOR HUMAN DEVELOPMENT & SECURITY AT USP http://linc.mit.edu/linc2010/proceedings/session9Babulak.pdf

POSSIBLE RISKS 1 • Hardware: – Connectivity; – Reliability;

• Software: – Malware(s) and/or spam(s); – Configuration; – Interoperability;

25

POSSIBLE RISKS 2 • Human factor: – Terrorist driven attack(s); – Politically and Economically driven attack(s); – War(s), etc.;

• Natural disasters: – Flooding; – Earthquake(s); – Volcanic explosion(s), etc.

26

FUTURE CHALLENGES FOR SECURITY AND PRIVACY ‣

Tracking It also can lead to unwanted intrusion into personal lives The tools to mitigate intrusion are confusing to novices and inconsistent Tracking and profiling of users can lead to beneficial value-added services The balance between these are hotly debated, poorly understood, and vary by culture

๏ ๏ ๏ ๏

Identity





‣ ๏

Identity now part of core web architecture. Need for consistent experience through browser.

Security in general WebApps & Future Web

Credit to: Jeff Jaffe

MOBILE SECURITY: WHO'S LISTENING?

Source: Trend Micro Mobile Security Credit to: Karen McDowell

Credit to: Aaron Isaki

Summary • Computer security concepts – Definition – Examples

• The OSI security architecture • Security attacks – Passive attacks – Active attacks

• Security services – – – – –

Authentication Data confidentiality Data integrity Nonrepudiation Access control • Mission Based Access Control

• Future Challenges – Mobile & Wireless Security

• Conclusions 29