Introduction to Computer Security

1.7. Human Issues

Implementing computer security controls is complex, and in a large organization procedural controls often become vague or cumbersome. Regardless of the strength of the technical controls, if nontechnical considerations affect their implementation and use, the effect on security can be severe. Moreover, if configured or used incorrectly, even the best security control is useless at best and dangerous at worst. Thus, the designers, implementers, and maintainers of security controls are essential to the correct operation of those controls.

1.7.1. Organizational Problems

Security provides no direct financial rewards to the user. It limits losses, but it also requires the expenditure of resources that could be used elsewhere. Unless losses occur, organizations often believe they are wasting effort related to security. After a loss, the value of these controls suddenly becomes appreciated. Furthermore, security controls often add complexity to otherwise simple operations. For example, if concluding a stock trade takes two minutes without security controls and three minutes with security controls, adding those controls results in a 50% loss of productivity.

Losses occur when security protections are in place, but such losses are expected to be less than they would have been without the security mechanisms. The key question is whether such a loss, combined with the resulting loss in productivity, would be greater than a financial loss or loss of confidence should one of the nonsecured transactions suffer a breach of security.

Compounding this problem is the question of who is responsible for the security of the company's computers. The power to implement appropriate controls must reside with those who are responsible; the consequence of not doing so is that the people who can most clearly see the need for security measures, and who are responsible for implementing them, will be unable to do so. This is simply sound business practice; responsibility without power causes problems in any organization, just as does power without responsibility.

Once clear chains of responsibility and power have been established, the need for security can compete on an equal footing with other needs of the organization. The most common problem a security manager faces is the lack of people trained in the area of computer security. Another common problem is that knowledgeable people are overloaded with work. At many organizations, the "security administrator" is also involved in system administration, development, or some other secondary function. In fact, the security aspect of the job is often secondary. The problem is that indications of security problems often are not obvious and require time and skill to spot. Preparation for an attack makes dealing with it less chaotic, but such preparation takes enough time and requires enough attention so that treating it as a secondary aspect of a job means that it will not be performed well, with the expected consequences.

Lack of resources is another common problem. Securing a system requires resources as well as people. It requires time to design a configuration that will provide an adequate level of security, to implement the configuration, and to administer the system. It requires money to purchase products that are needed to build an adequate security system or to pay someone else to design and implement security measures. It requires computer resources to implement and execute the security mechanisms and procedures. It requires training to ensure that employees understand how to use the security tools, how to interpret the results, and how to implement the nontechnical aspects of the security policy.

1.7.2. People Problems

The heart of any security system is people. This is particularly true in computer security, which deals mainly with technological controls that can usually be bypassed by human intervention. For example, a computer system authenticates a user by asking that user for a secret code; if the correct secret code is supplied, the computer assumes that the user is authorized to use the system. If an authorized user tells another person his secret code, the unauthorized user can masquerade as the authorized user with significantly less likelihood of detection.

People who have some motive to attack an organization and are not authorized to use that organization's systems are called outsiders and can pose a serious threat. Experts agree, however, that a far more dangerous threat comes from disgruntled employees and other insiders who are authorized to use the computers. Insiders typically know the organization of the company's systems and what procedures the operators and users follow and often know enough passwords to bypass many security controls that would detect an attack launched by an outsider. Insider misuse of authorized privileges is a very difficult problem to solve.

Untrained personnel also pose a threat to system security. As an example, one operator did not realize that the contents of backup tapes needed to be verified before the tapes were stored. When attackers deleted several critical system files, she discovered that none of the backup tapes could be read.

System administrators who misread the output of security mechanisms, or do not analyze that output, contribute to the probability of successful attacks against their systems. Similarly, administrators who misconfigure security-related features of a system can weaken the site security. Users can also weaken site security by misusing security mechanisms (such as selecting passwords that are easy to guess).

Lack of training need not be in the technical arena. Many successful break-ins have arisen from the art of social engineering. If operators will change passwords based on telephone requests, all an attacker needs to do is to determine the name of someone who uses the computer. A common tactic is to pick someone fairly far above the operator (such as a vice president of the company) and to feign an emergency (such as calling at night and saying that a report to the president of the company is due the next morning) so that the operator will be reluctant to refuse the request. Once the password has been changed to one that the attacker knows, he can simply log in as a normal user. Social engineering attacks are remarkably successful and often devastating.

The problem of misconfiguration is aggravated by the complexity of many security-related configuration files. For instance, a typographical error can disable key protection features. Even worse, software does not always work as advertised.

One widely used system had a vulnerability that arose when an administrator made too long a list that named systems with access to certain files. Because the list was too long, the system simply assumed that the administrator meant to allow those files to be accessed without restriction on who could access them, exactly the opposite of what was intended.
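
The failure described in the paragraph above, sketched as an added example (not code from the book or from the system it refers to). The `path: host ...` line format, the four-host limit, and all function names are assumptions made for the illustration; one loader silently drops an oversized list, the other refuses to load it.

```python
MAX_HOSTS = 4  # constructed limit, kept small for the demonstration

class ConfigError(ValueError):
    """Raised when an access-list line cannot be honoured as written."""

def parse_fail_open(line):
    """Flawed loader: an oversized host list is silently discarded."""
    path, _, hosts = line.partition(":")
    allowed = hosts.split()
    if len(allowed) > MAX_HOSTS:
        allowed = []  # overflow handled by dropping the whole list
    return path.strip(), allowed

def check_fail_open(allowed, host):
    # An empty list is read as "no restriction", so the overflow above
    # turns a long restrictive list into access for every host.
    return not allowed or host in allowed

def parse_fail_closed(line):
    """Hardened loader: anything it cannot enforce is a load-time error."""
    path, sep, hosts = line.partition(":")
    allowed = hosts.split()
    if not sep or not path.strip():
        raise ConfigError(f"malformed line: {line!r}")
    if not allowed:
        raise ConfigError(f"{path.strip()}: empty host list is not 'everyone'")
    if len(allowed) > MAX_HOSTS:
        raise ConfigError(f"{path.strip()}: {len(allowed)} hosts exceeds {MAX_HOSTS}")
    return path.strip(), frozenset(allowed)

def check_fail_closed(allowed, host):
    # Access requires explicit membership; there is no implicit wildcard.
    return host in allowed

# Constructed sample lines in the hypothetical format.
SHORT = "/srv/payroll: hr1 hr2"
LONG = "/srv/payroll: hr1 hr2 hr3 hr4 hr5"

if __name__ == "__main__":
    for line in (SHORT, LONG):
        _, acl = parse_fail_open(line)
        print("fail-open   outsider allowed:", check_fail_open(acl, "outsider"))
        try:
            _, acl = parse_fail_closed(line)
            print("fail-closed outsider allowed:", check_fail_closed(acl, "outsider"))
        except ConfigError as err:
            print("fail-closed refused to load:", err)
```

The hardened loader surfaces the problem to the administrator when the configuration is loaded, before any access decision is made from it.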