CSE4303 Introduction to Computer Security (Lecture 2)
Course introduction and security fundamentals
Other security goals
Authenticity: identity of an entity (issuer of info/message) is verified
Anonymity: identity of an entity remains unknown
Non-repudiation: messages can’t be denied or taken back (e.g. online transaction commitments)
Security foundations
Security is about people, processes, technology
- need all 3 to be secure!
Security is about trust in people, processes, technology
- Fundamental question: where is trust being placed, and is it justified?
- Computing stack: compromise at a given level can impact any higher level
Attackers often exploit assumptions
“I assumed everyone would log out when they leave”
“I didn’t expect anyone to do that”
The assumptions we make are often hidden or implicit, making them easy to forget when reasoning about security of a system
Reasoning about security requires properly defining security relative to the particular system:
- What assets are being secured?
- What properties should the system enforce?
- CIA triad, anonymity, non-repudiation
- What capabilities does the threat have?
- Where does the system place trust?
- What assumptions are being made?
Modeling attacks
Common components:
- System being attacked
- Architecture of the system, trust model, assumptions, assets
- Threat model
- Attack surface: what can be attacked
- Open ports and exposed services
- Public APIs and their parameters
- Web endpoints, forms, cookies
- File system permissions
- Hardware interfaces (USB, JTAG)
- User roles and privilege boundaries
- Attack vector: how the attacker attacks
- SQL injection via POST /login
- Phishing to steal credentials, then SSH login
- Buffer overflow in a network daemon
- Cross-site scripting through a comment field
- Supply-chain poisoning of a dependency
- Vulnerability: what the attacker can do
- Exploit: how the attacker exploits the vulnerability
- Damage: what the attacker can do
- Mitigation: mitigate vulnerability
- Defense: close vulnerability gap
Example
Stealing credit card info via hidden scanner (“skimming”)
- System being attacked: card-swipe payment kiosk (alternative models?)
- Threat model: professional criminal gang with substantial knowledge and resources
- Attack surface: magstripe scanner
- Attack vector: rogue scanner inserted into machine (e.g. at pay-at-the-pump gas station), or on top of existing scanner
- Vulnerability: physical scanner easy(ish) to remove, and magstripes easy to read
- Exploit: record card info as it’s scanned, then store/exfiltrate
- Mitigation: 2FA in addition to magstripe (chip, PIN, zip code, etc.)
- Defense: anti-tamper strips on card swiper
Importance of correct modeling
- Attack-surface awareness guides defenses
- E.g. pre-Covid-19 vs. post-Covid attack surface of company servers
- Match resources to expected threat actors
- Common threat actors
- “Script kiddie”: individual or group running off-the-shelf attacks
- Caveat: off-the-shelf attacks can still be quite powerful! Metasploit, Shodan, dark web market.
- “Insider attack”: employee with access to internal machines/networks
- “Advanced Persistent Threat (APT)”: nation-state level resources and patience
- All these threats have different motivations, require different defenses/responses!
- “Script kiddie”: individual or group running off-the-shelf attacks
Specific vulnerabilities
Goal of the course: exposure to common threats in broad range of areas of computing stack
- Hardware
- OSes
- Networks
- Apps: web, AI/ML
Studio time!