Security Concepts and

Principles

Computer Security | Lecture One

Recommended Text (Major)

▪ Computer Security and the Internet

▪ Paul C. van Oorschot
 Objective

▪ Explore primary objectives or fundamental goals of

Computer Security.
▪ Many of these can be viewed as security services provided to users
and other system components.
▪ Consider the design principles for security
▪ Useful in building systems that deliver such Services.

3
 Lecture Outline
▪ Introduction ▪ Cost-benefit Analysis
▪ Fundamental Goals of Computer ▪ Risk Management Vs. Mitigation
Security ▪ Adversary Modelling and Security
▪ Computer Security Policies and Attacks Analysis
▪ Assets and Security Policies ▪ Adversary Attributes and Schemas
▪ Attacks and Agents ▪ Security Evaluations and Penetration
▪ Threat + Controls Testing
▪ Risk and Risk Assessment ▪ Pen Testing
▪ Security Analysis
▪ Risk Modelling
▪ Risk Assessment Questions ▪ Threat Modelling and Approaches
▪ Design Principles for Computer Security
 Lecture Outline | Progress
▪ Introduction ▪ Risk Management Vs. Mitigation

▪ Fundamental Goals of Computer Security ▪ Adversary Modelling and Security Analysis

▪ Computer Security Policies and Attacks ▪ Adversary Attributes and Schemas

▪ Assets and Security Policies ▪ Security Evaluations and Penetration

▪ Attacks and Agents Testing
▪ Threat + Controls ▪ Pen Testing
▪ Security Analysis
▪ Risk and Risk Assessment
▪ Risk Modelling ▪ Threat Modelling and Approaches
▪ Risk Assessment Questions ▪ Design Principles for Computer Security
▪ Cost-benefit Analysis
 Introduction

▪ Main objective is to explore Computer and Internet

Security
▪ The Security of:
▪ Software
▪ Computers + Files stored on Computers
▪ Computer Networks + Information transmitted over the Network
 Introduction

▪ Computer is broadly includes ▪ Servers include

▪ Front-end servers that host
▪ Programmable
web sites,
computing/communications ▪ Back-end servers that contain
devices such as a personal databases, and intermediary
computer or mobile device (e.g., nodes for storing or
laptop, tablet, smartphone) forwarding information such as
email, text messages, voice,
▪ Machines they communicate and video content.
with including Servers and ▪ Network devices include
Network devices. firewalls, routers and switches.
 8
Principals, Privileges and Resources

▪ In discussing security, Principals are

▪ Agents representing users
▪ Communicating entities
▪ System processes
▪ A principal has associated Privileges specifying the
resources it is authorized to access.
▪ The identity of a Principal is thus important
▪ However, claimed identities must be Verified
 Lecture Outline | Progress
▪ Introduction ▪ Cost-benefit Analysis

▪ Fundamental Goals of Computer ▪ Risk Management Vs. Mitigation

Security ▪ Adversary Modelling and Security Analysis
▪ Computer Security Policies and Attacks ▪ Adversary Attributes and Schemas
▪ Assets and Security Policies ▪ Security Evaluations and Penetration
▪ Attacks and Agents Testing
▪ Threat + Controls ▪ Pen Testing

▪ Risk and Risk Assessment ▪ Security Analysis

▪ Risk Modelling ▪ Threat Modelling and Approaches

▪ Risk Assessment Questions ▪ Design Principles for Computer Security
 Fundamental Goals of Computer Security
▪ Computer security combines intentional misuse by
Art, Science and Engineering unauthorized parties by
▪ It is practice of protecting protecting
computer-related assets from ▪ Data
unauthorized actions and their ▪ Computer hardware and
consequences either by software
▪ Preventing such actions
▪ Related communications
▪ Detecting and then recovering networks
from them.
▪ Physical-world devices and
▪ Computer Security guards from elements they control

10
Six high-level computer security goals (properties delivered as a service).
Icons denote end-goals.
Important supporting mechanisms are shown in rectangles.
11
 Goals of Computer Security
Confidentiality
▪ Confidentiality is the property of ▪ Technical means:
non-public information ▪ Data encryption: involves keyed
cryptographic algorithms; access to
remaining accessible only to a secret key allows recovery of
authorized parties, meaningful information from
▪ Whether Stored (at rest) or in encrypted data.
Transit (in motion). ▪ Procedural means
▪ This is supported by access control, ▪ E.g. Allowing offline storage media
or mechanisms enforced by an to be physically accessed only by
authorized individuals.
operating system.
▪ Confidentiality can be achieved by

12
 Goals of Computer Security
Integrity

▪ Integrity is the property of data, software or hardware

remaining unaltered, except by authorized parties.
▪ Access Controls and Cryptographic Checksums are used to
combat malicious integrity violations.
▪ Cryptographic Checksums: A mathematical value created using a cryptographic
algorithm that is assigned to data and later used to test the data to verify that the
data has not changed

13
 Goals of Computer Security
Authorization
▪ Authorization is also known as authorized access
▪ The property of computing resources being accessible Only by
Authorized Entities,
▪ i.e. those approved by the resource owner or domain administrator.
▪ Authorized access is achieved through Access Control
Mechanisms
▪ Restrict access to physical devices, software services, and
information
14
 Goals of Computer Security
Availability

▪ Availability is the immediate Accessibility of information,

services and computing resources for authorized use.
▪ Aside from reliable hardware and software, this requires protection
from
▪ Intentional Deletion
▪ Intentional Disruption
▪ Denial of Service attacks aiming to overwhelm resources

15
 Goals of Computer Security
Authentication
▪ Authentication is the Assurance of data or software is as asserted; it
that a Principal, Data, or also implies data integrity.
Software is genuine relative to ▪ Note that Data modification by an
expectations arising from Entity other than the original source
changes the source.
appearances or context.
▪ Entity Authentication provides
▪ Authentication supports
assurances that the identity of a attribution and thus
principal involved in a transaction is Accountability
as asserted; this supports ▪ Indicating to whom an action can be
authorization. ascribed
▪ Data Origin Authentication
provides assurances that the source

16
 Goals of Computer Security
Accountability
▪ Accountability is the ability to identify Principals responsible
for past actions.
▪ However, the electronic world lacks conventional evidence
▪ Such as Paper trails, human memory of observed events
▪ Accountability is achieved by transaction evidence or Electronic
Logs that
▪ Identify the Principals involved
▪ And such that Principals cannot later credibly deny (repudiate/deny)
previous commitments or actions

17
 Lecture Outline | Progress
▪ Introduction ▪ Risk Management Vs. Mitigation

▪ Fundamental Goals of Computer Security ▪ Adversary Modelling and Security Analysis

▪ Computer Security Policies and Attacks ▪ Adversary Attributes and Schemas

▪ Assets and Security Policies ▪ Security Evaluations and Penetration

▪ Attacks and Agents Testing
▪ Threat + Controls ▪ Pen Testing
▪ Security Analysis
▪ Risk and Risk Assessment
▪ Risk Modelling ▪ Threat Modelling and Approaches
▪ Risk Assessment Questions ▪ Design Principles for Computer Security
▪ Cost-benefit Analysis
 Computer Security Policies and Attacks

Consider these
Statements:
▪ Ambiguity is security’s enemy
This computer is secure.
▪ To remove ambiguity, more
This Network is secure.
Precise Definitions, and a
This Website is secure. richer vocabulary of security-
Would you and a friend independently specific terminology is required
write down the same thing if asked to
explain what this means?

19
 Lecture Outline | Progress
▪ Introduction ▪ Risk Management Vs. Mitigation

▪ Fundamental Goals of Computer Security ▪ Adversary Modelling and Security Analysis

▪ Computer Security Policies and Attacks ▪ Adversary Attributes and Schemas

▪ Assets and Security Policies ▪ Security Evaluations and Penetration

▪ Attacks and Agents Testing
▪ Threat + Controls ▪ Pen Testing
▪ Security Analysis
▪ Risk and Risk Assessment
▪ Risk Modelling ▪ Threat Modelling and Approaches
▪ Risk Assessment Questions ▪ Design Principles for Computer Security
▪ Cost-benefit Analysis
 Assets and Security Policies
▪ Computer security protects the design intent of a system’s rules
Resources or Assets: and practices—what is, and is not
▪ Asset: Information, software, (supposed to be) allowed.
hardware, and computing and ▪ The policy may explicitly specify
communications services.
▪ Assets requiring protection
▪ Also, Computer-based data
manipulation allows control of many ▪ Specific users allowed to access
physical-world resources such as specific assets,
financial assets, physical property, and ▪ The allowed means of access;
infrastructure. ▪ Security services to be provided;
▪ Security is formally defined relative ▪ System controls that must be in place.
to a Security Policy, which specifies

21
 Lecture Outline | Progress
▪ Introduction ▪ Risk Management Vs. Mitigation

▪ Fundamental Goals of Computer Security ▪ Adversary Modelling and Security Analysis

▪ Computer Security Policies and Attacks ▪ Adversary Attributes and Schemas

▪ Assets and Security Policies ▪ Security Evaluations & Penetration Testing

▪ Attacks and Agents ▪ Pen Testing
▪ Threat + Controls ▪ Security Analysis

▪ Risk and Risk Assessment ▪ Threat Modelling and Approaches

▪ Risk Modelling ▪ Design Principles for Computer Security
▪ Risk Assessment Questions
▪ Cost-benefit Analysis
 Theory and Practice of Security Policy
▪ In Theory, a formal security secure state.
policy precisely defines each ▪ System Actions cause state
possible system state as transitions
▪ e.g., related to input/output,
either authorized (secure) or data transfer, or accessing
unauthorized (non-secure). ports
▪ Non-secure states may bring ▪ A security policy is violated if
harm to assets. the system moves into an
▪ The system should start in a unauthorized state.

23
 Theory and Practice of Security Policy

▪ In Practice, security policies are often informal documents

including guidelines and expectations related to known
security issues.
▪ Formulating precise policies is more difficult and time-consuming.
▪ Their value is typically under-appreciated until security incidents
occur.
▪ Nonetheless, security is defined relative to a policy, ideally in
Written Form

24
 Lecture Outline | Progress
▪ Introduction ▪ Risk Management Vs. Mitigation

▪ Fundamental Goals of Computer Security ▪ Adversary Modelling and Security Analysis

▪ Computer Security Policies and Attacks ▪ Adversary Attributes and Schemas

▪ Assets and Security Policies ▪ Security Evaluations & Penetration Testing

▪ Attacks and Agents ▪ Pen Testing
▪ Threat + Controls ▪ Security Analysis

▪ Risk and Risk Assessment ▪ Threat Modelling and Approaches

▪ Risk Modelling ▪ Design Principles for Computer Security
▪ Risk Assessment Questions
▪ Cost-benefit Analysis
 Attacks and Agents
▪ An Attack is the deliberate issues
execution of one of more steps ▪ For Example lack of physical
isolation, ongoing use of known
intended to cause a Security default passwords, debugging
Violation interfaces left enabled
▪ Such as unauthorized control of a ▪ The source behind an attack is a
client device Threat Agent
▪ Attacks exploit specific system ▪ Adversary at the stage of Potential
characteristics called attack
Vulnerabilities, including ▪ Attacker once a threat is activated
▪ Design flaws, Implementation flaws, into an Actual attack.
and Deployment or Configuration

26
Security policy violations and attacks.
a) A Policy violation results in a non-secure state.
b) A Threat Agent becomes active by launching an attack, aiming to exploit
a vulnerability through a particular attack vector

27
 Lecture Outline | Progress
▪ Introduction ▪ Risk Management Vs. Mitigation

▪ Fundamental Goals of Computer Security ▪ Adversary Modelling and Security Analysis

▪ Computer Security Policies and Attacks ▪ Adversary Attributes and Schemas

▪ Assets and Security Policies ▪ Security Evaluations and Penetration

▪ Attacks and Agents Testing
▪ Threat + Controls ▪ Pen Testing
▪ Security Analysis
▪ Risk and Risk Assessment
▪ Risk Modelling ▪ Threat Modelling and Approaches
▪ Risk Assessment Questions ▪ Design Principles for Computer Security
▪ Cost-benefit Analysis
 29
Threat

▪ A Threat is any combination of ▪ The agent may fail to take action,

e.g., due to indifference or
circumstances and entities that insufficient incentive.
might harm assets, or cause
▪ Computer Security aims to protect
security violations.
assets by Mitigating threats
▪ A credible threat has both capable
▪ By identifying and eliminating
means and intentions.
vulnerabilities to disable viable
▪ Existence of a threat agent and a Attack vectors
vulnerability does not imply that an
▪ Attack Vectors: specific methods, or
attack will be instantiated in a given sequences of steps, by which attacks
time period; are carried out.
 30
Threat
▪ Attacks typically have specific objectives such as:
▪ Extraction of strategic or personal information;
▪ Disruption of the integrity of data or software
▪ including installation of rogue programs
▪ Remotely Harnessing a resource
▪ Such as malicious control of a computer
▪ Denial of Service
▪ Resulting in blocked access to system resources by authorized users.
▪ Key Question: Threat agents and attack vectors raise the
questions: secure against whom, from what types of attacks?
 Lecture Outline | Progress
▪ Introduction ▪ Risk Management Vs. Mitigation

▪ Fundamental Goals of Computer Security ▪ Adversary Modelling and Security Analysis

▪ Computer Security Policies and Attacks ▪ Adversary Attributes and Schemas

▪ Assets and Security Policies ▪ Security Evaluations and Penetration

▪ Attacks and Agents Testing
▪ Threat + Controls ▪ Pen Testing
▪ Security Analysis
▪ Risk and Risk Assessment
▪ Risk Modelling ▪ Threat Modelling and Approaches
▪ Risk Assessment Questions ▪ Design Principles for Computer Security
▪ Cost-benefit Analysis
 32
Controls
▪ A Security Policy helps in ▪ These Controls are called
determining when a security Security Mechanisms
violation has occurred, but by ▪ Technical means of enforcement
itself does not preclude such involving
violations. ▪ Specialized devices,
▪ To support and enforce security ▪ Software techniques,
policies—that is, to prevent ▪ Algorithms or
violations, or detect violations in ▪ Protocols
order to react to limit damage,
and recover—Controls and
Countermeasures are needed.
 33
Example | House Security Policy
▪ House Security Policy ▪ A stranger (Attacker) entering
▪ No one is allowed in the house through such a door, and
unless accompanied by a Family removing an item is an Attack.
Member
▪ The Attack Vector is the entry
▪ Only Family Members are through the unlocked door.
authorized to remove physical
objects from the house. ▪ A Threat is the existence of an
▪ An unaccompanied Stranger in individual motivated to profit by
the house is a Security Violation. stealing an asset and selling it for
cash
▪ An unlocked back door is a
Vulnerability.
 Lecture Outline | Progress
▪ Introduction ▪ Risk Management Vs. Mitigation

▪ Fundamental Goals of Computer Security ▪ Adversary Modelling and Security Analysis

▪ Computer Security Policies and Attacks ▪ Adversary Attributes and Schemas

▪ Assets and Security Policies ▪ Security Evaluations and Penetration

▪ Attacks and Agents Testing
▪ Threat + Controls ▪ Pen Testing
▪ Security Analysis
▪ Risk and Risk Assessment
▪ Risk Modelling ▪ Threat Modelling and Approaches
▪ Risk Assessment Questions ▪ Design Principles for Computer Security
▪ Cost-benefit Analysis
 35
Risk and Risk Assessment
▪ Risk is the expected loss due to harmful future events, relative to
an implied set of assets and over a fixed time period.
▪ Most large organizations are obligated, interested, or advised to
understand the losses that might result from security violations
▪ Risk depends on:
▪ Threat Agents
▪ The Probability of an attack
▪ and of its success, which requires vulnerabilities
▪ Expected Losses in that case
 36
Risk and Risk Assessment

▪ Risk Assessment involves analysing these factors in order

to estimate Risk.
▪ Quantitative Risk Assessment
▪ Goal: Compute numerical estimates of risk;
▪ Precise such estimates are rarely possible in practice.
▪ Qualitative Risk Assessment
▪ Goal: Compare risks relative to each other and rank them,
▪ E.g. to allow informed decisions on how to prioritize a limited defensive
budget across assets
 37
Risk Modelling | The RISK Equation

𝑅 = 𝑇. 𝑉. 𝐶
▪ T = Threat information
The probability that particular threats are ▪ Risk increases with
threats
instantiated by attackers in a given
▪ And with the likelihood of
period attacks being launched

▪ V = The existence of Vulnerabilities. ▪ Risk requires the presence

of a vulnerability;
▪ C = Asset value, and the Cost or ▪ Risk increases with the
impact of a successful attack value of target assets
 38
Risk Assessment Questions

1. What assets are most valuable, and what are their values?
2. What system vulnerabilities exist?
3. What are the relevant threat agents and attack vectors?
4. What are the associated estimates of attack probabilities,
or frequencies?
 39
Cost-benefit Analysis
▪ The cost of deploying security ▪ If forcing users to change their
mechanisms should be accounted passwords every 90 days reduces
monthly company losses (from
for unauthorized account access) by
▪ If the total cost of a new defence $1000
exceeds the anticipated benefits,
▪ But increases monthly help-desk
then the defence is unjustifiable
costs by $2500 (from users being
from a cost-benefit analysis
locked out of their accounts as a
viewpoint.
result of forgetting their new
▪ Example: passwords),
▪ Cost-benefit of Password ▪ Then the cost exceeds the benefit
Expiration Policies before even accounting for usability
costs such as end-user time.
 40
Read Up:

▪ Challenges of Risk Assessment

▪ Quantitative Risk assessment
▪ Qualitative Risk assessment
 41
Risk Management Vs. Mitigation
▪ Risk management combines
▪ Technical Activity: estimating risk or simply identifying threats of major
concern,
▪ Business Activity: “managing” the risk, i.e., making an informed
response.
▪ Options include
▪ Mitigating risk by technical or procedural countermeasures
▪ Transferring risk to third parties, through insurance;
▪ Accepting risk in the hope that doing so is less costly than (a) or (b);
▪ Eliminating risk by decommissioning the system
 Lecture Outline | Progress
▪ Introduction ▪ Risk Management Vs. Mitigation

▪ Fundamental Goals of Computer Security ▪ Adversary Modelling and Security

▪ Computer Security Policies and Attacks Analysis
▪ Adversary Attributes and Schemas
▪ Assets and Security Policies
▪ Attacks and Agents ▪ Security Evaluations and Penetration
▪ Threat + Controls
Testing
▪ Pen Testing
▪ Risk and Risk Assessment
▪ Security Analysis
▪ Risk Modelling
▪ Risk Assessment Questions
▪ Threat Modelling and Approaches

▪ Cost-benefit Analysis ▪ Design Principles for Computer Security

 43
Adversary Modelling and Security Analysis

▪ An important part of any computer security analysis is building

out an Adversary Model
▪ This involves identifying which Adversary Classes a target system aims
to defend against
▪ It is also useful to distinguish
▪ Targeted attacks: aimed at specific individuals or organizations
▪ May use generic tools or leverage target-specific personal information
▪ Opportunistic attacks: (or generic attacks) aimed at arbitrary victims.
 44
Adversary Attributes
1. Objective 4. Funding level
▪ these often suggest target assets ▪ Influences attacker determination,
requiring special protection; methods and capabilities;
2. Methods 5. Outsider vs. insider
▪ e.g., the anticipated attack ▪ Outsider attack:
techniques, or types of attacks; ▪ An attack launched without any
3. Capabilities prior special access to the target
network
▪ Computing resources (CPU, storage,
▪ Insider attacks:
bandwidth), Skills, Knowledge,
Personnel, Opportunity e.g., physical ▪ Originate from parties having some
starting advantage, e.g., employees
access to target machines
 45
Schemas
▪ Various Schemas are used in modelling adversaries.
▪ Categorical Schema: Classifies adversaries into Named Groups
▪ Capability-Level Schema
▪ Groups generic adversaries from Level 1 to 4 (weakest to strongest) based
on a combination of
▪ Capability (Opportunity and Resources)
▪ Intent (Motivation)
▪ Capability-level schema may also be used to sub-classify Named Groups.
▪ E.g. Intelligence agencies from the U.S. and China may be in Level 4, Insiders
could range from Level 1 to 4 based on their capabilities
Named groups of Adversaries.
The popular media uses the term Hackers, which others use for
computer system experts knowledgeable about low-level details

46
 Lecture Outline | Progress
▪ Introduction ▪ Risk Management Vs. Mitigation

▪ Fundamental Goals of Computer Security ▪ Adversary Modelling and Security Analysis

▪ Computer Security Policies and Attacks ▪ Adversary Attributes and Schemas

▪ Assets and Security Policies ▪ Security Evaluations and Penetration

▪ Attacks and Agents Testing
▪ Threat + Controls ▪ Pen Testing
▪ Security Analysis
▪ Risk and Risk Assessment
▪ Risk Modelling ▪ Threat Modelling and Approaches
▪ Risk Assessment Questions ▪ Design Principles for Computer Security
▪ Cost-benefit Analysis
 48
Security Evaluations and Penetration Testing

▪ Formal Security Evaluation Process

▪ Goal: to formally Certify Products or Systems and ascertain
Conformance with detailed Evaluation Criteria as specified in
relevant standards before Purchase or Deployment
▪ A third party Lab conducts the reviews
▪ Done at considerable Cost and Time
▪ Recertification is required once changes are made to Product or
System
▪ Process used by some government departments and organizations
 49
Penetration Testing

▪ Penetration Testing (Pen Testing or Ethical Hacking)

involve customers or hired consultants (with prior
permission) finding vulnerabilities in deployed products by
demonstrating exploits on their own live systems;
▪ Interactive and automated toolsets run attack suites that pursue
known design, implementation and configuration errors compiled
from previous experience
 50
Types of Pen Testing
▪ A Pen Testing may be
▪ White box: Background and system information are provided in
advance to the tester
▪ Black box: Only basic information is provided
▪ Gray box: Combines the two; limited knowledge of the target is shared
with the auditor
▪ The Tests carried out by product vendors prior to product
release, remain important
▪ However, they cannot find issues arising from customer-specific
configuration choices and deployment environments
 Lecture Outline | Progress
▪ Introduction ▪ Risk Management Vs. Mitigation

▪ Fundamental Goals of Computer Security ▪ Adversary Modelling and Security Analysis

▪ Computer Security Policies and Attacks ▪ Adversary Attributes and Schemas

▪ Assets and Security Policies ▪ Security Evaluations and Penetration

▪ Attacks and Agents Testing
▪ Threat + Controls ▪ Pen Testing
▪ Security Analysis
▪ Risk and Risk Assessment
▪ Risk Modelling ▪ Threat Modelling and Approaches
▪ Risk Assessment Questions ▪ Design Principles for Computer Security
▪ Cost-benefit Analysis
 Security Analysis
▪ Primary aim is to identify vulnerabilities related to design, and
overlooked threats;
▪ Security analysis ideally begins early in a product’s lifecycle, and
continues in parallel with design and implementation
▪ Secondary aim is to suggest ways to improve defences when
weaknesses are found.
▪ The term Vulnerability Assessment refers to identifying weaknesses in
deployed systems e.g. using Pen Testing
▪ Threat Modelling is the cornerstone of Security Analysis
52
Security analysis and the Software Development Lifecycle.
The goal is to provide confidence in a system’s ability to resist attacks,
including by direct testing against known attacks
53
 Lecture Outline | Progress
▪ Introduction ▪ Risk Management Vs. Mitigation

▪ Fundamental Goals of Computer Security ▪ Adversary Modelling and Security Analysis

▪ Computer Security Policies and Attacks ▪ Adversary Attributes and Schemas

▪ Assets and Security Policies ▪ Security Evaluations and Penetration

▪ Attacks and Agents Testing
▪ Threat + Controls ▪ Pen Testing
▪ Security Analysis
▪ Risk and Risk Assessment
▪ Risk Modelling ▪ Threat Modelling and Approaches
▪ Risk Assessment Questions ▪ Design Principles for Computer Security
▪ Cost-benefit Analysis
 Threat Modelling 55

Diagrams, Trees, Lists and STRIDE

▪ A Threat Model identifies threats, threat agents, and attack

vectors that the target system considers in scope to defend
against
▪ Which may be known from the past, or anticipated.
▪ Those considered out of scope should be explicitly recorded as such.
▪ Threat Modelling takes into account Adversary Modelling and
should identify and consider all assumptions made about the target
system, environment, and attackers
 56
Approaches to Threat Modelling
 57
Diagram-driven Threat Modelling
▪ A visual approach to threat modelling starts with an architectural
representation of the system to be built or analysed
▪ Draw a diagram showing target-system components and all
communications links used for data flows between them.
▪ Identify and mark system gateways where system restrict or filter
communications.
▪ Use these to delimit what might informally be called trust domains
▪ Create Data flow Diagrams
▪ Consider User Workflows
▪ Consider the Lifecycle of Data, Software and Account
 58
Attack Trees for Threat Modelling
▪ Attack trees are useful ▪ e.g., enter through a window,
through a door, tunnel into the
threat modelling tool, basement
especially to identify Attack ▪ Each may similarly be broken
Vectors. down further and subtrees end in
LEAF NODES
▪ A Tree starts with a ROOT node at
▪ e.g., open an unlocked window,
the top, labelled with an overall break a locked window
attack goal (e.g., enter a house).
▪ A Path connecting a leaf node to
▪ Lower nodes break out alternative the root lists the steps (Attack
ways to reach their parent’s goal Vector) composing one full attack
Attack tree. An attack vector is a full path from root to leaf
59
 Benefits of Attack Tree

▪ An Attack tree can

▪ Can aid in forming a security policy and in security analysis to
check that mechanisms are in place to counter all identified attack
vectors
▪ Used to prioritize attack vectors as high or low
▪ e.g., based on their ease, and relevant classes of adversary
▪ Encourages a form of directed brainstorming
▪ Motivate security architects to “think like attackers”

60
 Example
Enumerating Password Authentication Attacks

61
 Other Threat Modelling Approaches | Read Up

▪ Other threat Modelling approaches:

▪ Attack/Threat Checklists
▪ A Checklist created based on past experience by larger communities
▪ STRIDE
▪ Uses a small set of keywords to stimulate thought
▪ An acronym Spoofing, Tampering, Repudiation, Information disclosure,
Denial of service, Escalation of privilege

62
 Assignment

▪ Threat Modelling is Difficult.

▪ Discuss with Examples
▪ One Page

63
 Lecture Outline | Progress
▪ Introduction ▪ Risk Management Vs. Mitigation

▪ Fundamental Goals of Computer Security ▪ Adversary Modelling and Security Analysis

▪ Computer Security Policies and Attacks ▪ Adversary Attributes and Schemas

▪ Assets and Security Policies ▪ Security Evaluations and Penetration

▪ Attacks and Agents Testing
▪ Threat + Controls ▪ Pen Testing
▪ Security Analysis
▪ Risk and Risk Assessment
▪ Risk Modelling ▪ Threat Modelling and Approaches
▪ Risk Assessment Questions ▪ Design Principles for Computer Security
▪ Cost-benefit Analysis
 65
Design Principles for Computer Security

▪ The security design principles are considered while

designing any security mechanism for a system.
▪ Next Slides contains the Inexhaustive List of 22 Security Design
Principles
 Design Principles for Computer Security
1. Simplicity-and-necessity 8. Small-trusted-bases
2. Safe-defaults 9. Time-tested-tools
3. Open-design 10. Least-surprise
4. Complete-mediation 11. User-buy-in
5. Isolated-compartments 12. Sufficient-work-factor
6. Least-privilege 13. Defense-in-depth
7. Modular-design
66
 Design Principles for Computer Security
14. Evidence-production 20. Request-response-integrity
15. Datatype-validation 21. Reluctant-allocation
16. Remnant-removal 22. Security-by-design
17. Trust-anchor-justification
18. Independent-confirmation
19. Domains or over untrusted
channels
67
 Design Principles for Computer Security
▪ Simplicity-and-necessity: Keep designs as simple and small as
possible.
▪ Safe-defaults: Use safe default settings (beware, defaults often go
unchanged).
▪ For access control, deny-by-default.
▪ Design services to be fail-safe, here meaning that when they fail, they fail
“closed” (e.g., denying access)
▪ Open-design: Do not rely on secret designs, attacker ignorance, or
security by obscurity;
▪ Kerckhoffs’ principle—a system’s security should not rely on the secrecy of its
design details

68
 Design Principles for Computer Security

▪ Complete-mediation: For each access to every object, and

ideally immediately before the access is to be granted,
verify proper authority
▪ Isolated-compartments: Compartmentalize system
components using strong isolation structures (containers)
that manage or prevent cross-component communication,
information leakage, and control

69
 Design Principles for Computer Security
▪ Least-privilege: Allocate the fewest privileges needed for a
task, and for the shortest duration necessary
▪ Modular-design: Avoid monolithic designs that embed full
privileges into large single components;
▪ Favour object-oriented and finer-grained designs that segregate
privileges across smaller units or processes
▪ Small-trusted-bases: Strive for small code size in components
that must be trusted,
▪ i.e., components on which a larger system strongly depends for security
70
 Design Principles for Computer Security
▪ Time-tested-tools: Rely wherever possible on time-tested,
expert-built security tools including protocols, cryptographic
primitives and toolkits, rather than designing and
implementing your own.
▪ Least-surprise: Design mechanisms, and their user interfaces, to
behave as users expect.
▪ User-buy-in: Design security mechanisms that users are
motivated to use rather than bypass
▪ Users’ path of least resistance must be a Safe Path.
71
 Design Principles for Computer Security

▪ Sufficient-work-factor: For configurable security mechanisms

where the probability of attack success increases predictably
with effort
▪ Tune the mechanism so that the cost to defeat it clearly exceeds the
resources of anticipated classes of adversaries
▪ Defense-in-depth: Build defences in multiple layers backing
each other up
▪ Forces attackers to defeat independent layers, thereby avoiding Single
Points Of Failure

72
 Design Principles for Computer Security

▪ Evidence-production: Record system activities through

event logs, monitoring tools, and other means to promote
Accountability
▪ helps to understand and recover from system failures, and support
intrusion detection tools.
▪ Datatype-validation: Verify that all received data meets
expected (assumed) properties or data type

73
 Design Principles for Computer Security

▪ Remnant-removal: On termination of a session or program,

remove all traces of sensitive data associated with a task,
▪ Including secret keys and any remnants recoverable from secondary
storage, RAM and cache memory
▪ Trust-anchor-justification: Ensure or justify confidence placed in
any base point of assumed trust,
▪ Especially when mechanisms iteratively or transitively extend trust from
a base point

74
 Design Principles for Computer Security
▪ Independent-confirmation: Use simple, independent (e.g., local
device) crosschecks to increase confidence in code or data,
▪ Especially if it may arrive from outside domains or over untrusted
channels.
▪ Request-response-integrity: Verify that responses match
requests in name resolution and other distributed protocols
▪ Reluctant-allocation: Be reluctant to allocate resources or
expend effort in interactions with unauthenticated, external
agents.
75
 Design Principles for Computer Security
Higher-level Principles and a Maxim

▪ Security-by-design: Build security in, starting at the initial

design stage of a development cycle
▪ Since secure design often requires core architectural support absent
if security is a late-stage add-on
▪ Design-for-evolution: Design base architectures,
mechanisms, and protocols to support evolution,
▪ Including algorithm agility for graceful upgrades of crypto
algorithms (e.g., encryption, hashing) with minimal impact on related
components
76
 Lecture Outline | End
▪ Introduction ▪ Cost-benefit Analysis
▪ Fundamental Goals of Computer ▪ Risk Management Vs. Mitigation
Security ▪ Adversary Modelling and Security
▪ Computer Security Policies and Attacks Analysis
▪ Assets and Security Policies ▪ Adversary Attributes and Schemas
▪ Attacks and Agents ▪ Security Evaluations and Penetration
▪ Threat + Controls Testing
▪ Risk and Risk Assessment ▪ Pen Testing
▪ Security Analysis
▪ Risk Modelling
▪ Risk Assessment Questions ▪ Threat Modelling and Approaches
▪ Design Principles for Computer Security