
Lecture 4

The document discusses attack surfaces, which are the exploitable vulnerabilities in systems, categorized into network, software, and human attack surfaces. It also introduces attack trees as a method to represent potential exploitation techniques and outlines security functional requirements based on FIPS 200, detailing 17 areas for protecting information systems. Additionally, it presents fundamental security design principles aimed at guiding the development of effective security mechanisms.

Uploaded by

cchuseni

CSU 07426 / ITU_07426

LECTURE 4
ATTACK SURFACES
• An attack surface consists of the reachable and exploitable vulnerabilities in a system. Examples of attack
surfaces are the following:
✓ Open ports on outward-facing web and other servers, and code listening on those ports
✓ Services available on the inside of a firewall
✓ Code that processes incoming data, e-mail, XML, office documents, and industry-specific custom
data exchange formats
✓ Interfaces, SQL, and web forms
✓ An employee with access to sensitive information vulnerable to a social engineering attack
• Attack surfaces can be categorized in the following way:
✓ Network attack surface: This category refers to vulnerabilities over an enterprise network, wide-area
network, or the Internet. Included in this category are network protocol vulnerabilities, such as those
used for a denial-of-service attack, disruption of communications links, and various forms of intruder
attacks.
✓ Software attack surface: This refers to vulnerabilities in application, utility, or operating system
code. A particular focus in this category is web server software.
✓ Human attack surface: This category refers to vulnerabilities created by personnel or outsiders, such as
social engineering, human error, and trusted insiders.
ATTACK TREES
• An attack tree is a branching, hierarchical data structure that represents
a set of potential techniques for exploiting security vulnerabilities.
• The security incident that is the goal of the attack is represented as the root
node of the tree, and the ways by which an attacker could reach that goal are
iteratively and incrementally represented as branches and subnodes of the
tree.
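The attack tree described above can be used defensively to ask which branches are still open once countermeasures are in place. The following is an added example, not part of the original lecture: it generalizes the description with AND/OR gates on inner nodes, and the sample tree, the node names and the mapping of leaves to FIPS 200 areas are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Node:
    """One node of an attack tree; a node without children is a leaf technique."""
    name: str
    gate: str = "OR"                      # OR: any child suffices, AND: all children needed
    children: list = field(default_factory=list)
    blocked_by: frozenset = frozenset()   # countermeasures that stop this leaf

def feasible(node, deployed):
    """True if the goal at `node` is still reachable with `deployed` countermeasures."""
    if not node.children:
        return not (node.blocked_by & deployed)
    results = [feasible(child, deployed) for child in node.children]
    return all(results) if node.gate == "AND" else any(results)

def open_leaves(node, deployed):
    """Leaf techniques that still contribute to a reachable goal."""
    if not feasible(node, deployed):
        return []
    if not node.children:
        return [node.name]
    return [name for child in node.children for name in open_leaves(child, deployed)]

def closing_controls(root, deployed, candidates):
    """Single additional countermeasures that would make the root goal unreachable."""
    return sorted(c for c in candidates - deployed
                  if not feasible(root, deployed | {c}))

# Constructed sample tree: the root is the security incident, branches are ways to reach it.
ROOT = Node("Read customer records", "OR", [
    Node("Log in as a staff member", "AND", [
        Node("Trick an employee into revealing a password",
             blocked_by=frozenset({"Awareness and Training"})),
        Node("Login accepts a password alone",
             blocked_by=frozenset({"Identification and Authentication"})),
    ]),
    Node("Exploit a flaw in web server software",
         blocked_by=frozenset({"System and Information Integrity"})),
    Node("Trusted insider reads records outside their role",
         blocked_by=frozenset({"Access Control"})),
])
CANDIDATES = {"Awareness and Training", "Identification and Authentication",
              "System and Information Integrity", "Access Control"}

if __name__ == "__main__":
    deployed = {"System and Information Integrity", "Access Control"}
    print(feasible(ROOT, deployed), open_leaves(ROOT, deployed))
    print(closing_controls(ROOT, deployed, CANDIDATES))
```

Because the staff-login branch is an AND node, blocking either of its two leaves is enough to close it.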
SECURITY FUNCTIONAL REQUIREMENTS
• There are a number of ways of classifying and characterizing the countermeasures
that may be used to reduce vulnerabilities and deal with threats to system assets.
• In this section, we view countermeasures in terms of functional requirements, and
we follow the classification defined in FIPS 200 (Minimum Security Requirements for
Federal Information and Information Systems).
• This standard enumerates 17 security-related areas with regard to protecting the
confidentiality, integrity, and availability of information systems and the information
processed, stored, and transmitted by those systems.
Security Requirements
1. Access Control: Limit information system access to authorized users, processes acting on behalf of authorized
users, or devices (including other information systems), and to the types of transactions and functions that
authorized users are permitted to exercise.
2. Awareness and Training: (i) Ensure that managers and users of organizational information systems are made
aware of the security risks associated with their activities and of the applicable laws, regulations, and policies
related to the security of organizational information systems; and (ii) ensure that personnel are adequately
trained to carry out their assigned information security-related duties and responsibilities.
3. Audit and Accountability: (i) Create, protect, and retain information system audit records to the extent needed
to enable the monitoring, analysis, investigation, and reporting of unlawful, unauthorized, or inappropriate
information system activity; and (ii) ensure that the actions of individual information system users can be
uniquely traced to those users so they can be held accountable for their actions.
4. Certification, Accreditation, and Security Assessments: (i) Periodically assess the security controls in
organizational information systems to determine if the controls are effective in their application; (ii) develop
and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in
organizational information systems; (iii) authorize the operation of organizational information systems and
any associated information system connections; and (iv) monitor information system security controls on an
ongoing basis to ensure the continued effectiveness of the controls.
Security Requirements
5. Configuration Management: (i) Establish and maintain baseline configurations and inventories of
organizational information systems (including hardware, software, firmware, and documentation) throughout
the respective system development life cycles; and (ii) establish and enforce security configuration settings for
information technology products employed in organizational information systems.
6. Contingency Planning: Establish, maintain, and implement plans for emergency response, backup operations,
and post-disaster recovery for organizational information systems to ensure the availability of critical information
resources and continuity of operations in emergency situations.
7. Identification and Authentication: Identify information system users, and processes acting on behalf of users, or
devices, and authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to
allowing access to organizational information systems.
8. Incident Response: (i) Establish an operational incident-handling capability for organizational information
systems that includes adequate preparation, detection, analysis, containment, recovery, and user-response
activities; and (ii) track, document, and report incidents to appropriate organizational officials and/or authorities.
9. Maintenance: (i) Perform periodic and timely maintenance on organizational information systems; and (ii)
provide effective controls on the tools, techniques, mechanisms, and personnel used to conduct information
system maintenance.
10. Media Protection: (i) Protect information system media, both paper and digital; (ii) limit access to information
on information system media to authorized users; and (iii) sanitize or destroy information system media before
disposal or release for reuse.
Security Requirements
11. Physical and Environmental Protection: (i) Limit physical access to information systems, equipment, and the
respective operating environments to authorized individuals; (ii) protect the physical plant and support
infrastructure for information systems; (iii) provide supporting utilities for information systems; (iv) protect
information systems against environmental hazards; and (v) provide appropriate environmental controls in
facilities containing information systems.
12. Planning: Develop, document, periodically update, and implement security plans for organizational information
systems that describe the security controls in place or planned for the information systems and the rules of
behavior for individuals accessing the information systems.
13. Personnel Security: (i) Ensure that individuals occupying positions of responsibility within organizations (including
third-party service providers) are trustworthy and meet established security criteria for those positions; (ii)
ensure that organizational information and information systems are protected during and after personnel actions
such as terminations and transfers; and (iii) employ formal sanctions for personnel failing to comply with
organizational security policies and procedures.
14. Risk Assessment: Periodically assess the risk to organizational operations (including mission, functions, image, or
reputation), organizational assets, and individuals, resulting from the operation of organizational information
systems and the associated processing, storage, or transmission of organizational information.
Security Requirements
15. Systems and Services Acquisition: (i) Allocate sufficient resources to adequately protect organizational
information systems; (ii) employ system development life cycle processes that incorporate information security
considerations; (iii) employ software usage and installation restrictions; and (iv) ensure that third-party providers
employ adequate security measures to protect the information, applications, and/or services outsourced from
the organization.
16. System and Communications Protection: (i) Monitor, control, and protect organizational communications (i.e.,
information transmitted or received by organizational information systems) at the external boundaries and key
internal boundaries of the information systems; and (ii) employ architectural designs, software development
techniques, and systems engineering principles that promote effective information security within organizational
information systems.
17. System and Information Integrity: (i) Identify, report, and correct information and information system flaws in a
timely manner; (ii) provide protection from malicious code at appropriate locations within organizational
information systems; and (iii) monitor information system security alerts and advisories and take appropriate
actions in response.
FUNDAMENTAL SECURITY DESIGN PRINCIPLES
• Despite years of research and development, it has not been possible to develop
security design and implementation techniques that systematically exclude
security flaws and prevent all unauthorized actions.
• In the absence of such foolproof techniques, it is useful to have a set of widely
agreed design principles that can guide the development of protection
mechanisms.
• The National Centers of Academic Excellence in Information Assurance/Cyber
Defense, which is jointly sponsored by the U.S. National Security Agency and
the U.S. Department of Homeland Security, lists the following as fundamental
security design principles:
1. Economy of mechanism
2. Fail-safe defaults
3. Complete mediation
4. Open design
5. Separation of privilege
6. Least privilege
7. Least common mechanism
8. Psychological acceptability
9. Isolation
10. Encapsulation
11. Modularity
12. Layering
13. Least astonishment
FUNDAMENTAL SECURITY DESIGN PRINCIPLES
• Economy of mechanism means the design of security measures embodied in both
hardware and software should be as simple and small as possible. The motivation for this
principle is that a relatively simple, small design is easier to test and verify thoroughly.
With a complex design, there are many more opportunities for an adversary to discover
subtle weaknesses to exploit that may be difficult to spot ahead of time. The more
complex the mechanism is, the more likely it is to possess exploitable flaws.
• Fail-safe defaults means access decisions should, by default, be based on permission rather
than exclusion. That is, the default situation is lack of access, and the protection scheme
identifies conditions under which access is permitted. This approach exhibits a better
failure mode than the alternative approach, where the default is to permit access. A
design or implementation mistake in a mechanism that gives explicit permission tends to
fail by refusing permission, a safe situation that can be quickly detected.
FUNDAMENTAL SECURITY DESIGN PRINCIPLES
• Complete mediation means every access must be checked against the access
control mechanism. Systems should not rely on access decisions retrieved from a
cache. In a system designed to operate continuously, this principle requires that,
if access decisions are remembered for future use, careful consideration be given
to how changes in authority are propagated into such local memories. File access
systems appear to provide an example of a system that complies with this
principle.
• Open design means the design of a security mechanism should be open rather
than secret. For example, although encryption keys must be secret, encryption
algorithms should be open to public scrutiny. The algorithms can then be
reviewed by many experts, and users can therefore have high confidence in them.
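Fail-safe defaults and complete mediation, as described above, can be seen side by side in a small access checker. This is an added example, not part of the original lecture; the class names, users and resource are hypothetical, and the policy version counter is one assumed way of propagating changes in authority into remembered decisions.

```python
class Policy:
    """Explicit grants only: anything not listed is denied (fail-safe default)."""
    def __init__(self):
        self._grants = set()   # (user, resource, action) triples
        self.version = 0       # bumped on every change in authority

    def grant(self, user, resource, action):
        self._grants.add((user, resource, action))
        self.version += 1

    def revoke(self, user, resource, action):
        self._grants.discard((user, resource, action))
        self.version += 1

    def allows(self, user, resource, action):
        return (user, resource, action) in self._grants

def deny_list_allows(denied, user, resource, action):
    """Contrast case: the default is to permit and the list names exclusions."""
    return (user, resource, action) not in denied

class StaleCacheGuard:
    """Remembers decisions forever, so a revocation never reaches it."""
    def __init__(self, policy):
        self.policy, self._cache = policy, {}

    def check(self, user, resource, action):
        key = (user, resource, action)
        if key not in self._cache:
            self._cache[key] = self.policy.allows(*key)
        return self._cache[key]

class MediatingGuard(StaleCacheGuard):
    """Same cache, but discarded whenever the policy version has changed."""
    def __init__(self, policy):
        super().__init__(policy)
        self._seen = policy.version

    def check(self, user, resource, action):
        if self._seen != self.policy.version:
            self._cache.clear()
            self._seen = self.policy.version
        return super().check(user, resource, action)

if __name__ == "__main__":
    policy = Policy()
    policy.grant("bob", "payroll.db", "read")
    stale, mediating = StaleCacheGuard(policy), MediatingGuard(policy)
    print(stale.check("bob", "payroll.db", "read"), mediating.check("bob", "payroll.db", "read"))
    policy.revoke("bob", "payroll.db", "read")
    print(stale.check("bob", "payroll.db", "read"), mediating.check("bob", "payroll.db", "read"))
```

A misspelled entry shows the difference in failure mode: a mistyped grant refuses the intended user, which is noticed at once, while a mistyped deny-list entry silently leaves access open.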
FUNDAMENTAL SECURITY DESIGN PRINCIPLES
• Separation of privilege is defined as a practice in which multiple privilege
attributes are required to achieve access to a restricted resource. A good example
of this is multifactor user authentication, which requires the use of multiple
techniques, such as a password and a smart card, to authorize a user. The term is
also now applied to any technique in which a program is divided into parts that
are limited to the specific privileges they require to perform a specific task.
• Least privilege means every process and every user of the system should
operate using the least set of privileges necessary to perform the task. A good
example of the use of this principle is role-based access control.
FUNDAMENTAL SECURITY DESIGN PRINCIPLES
• Least common mechanism means the design should minimize the functions
shared by different users, providing mutual security. This principle helps reduce
the number of unintended communication paths and reduces the amount of
hardware and software on which all users depend, thus making it easier to verify
if there are any undesirable security implications.
• Psychological acceptability implies the security mechanisms should not
interfere unduly with the work of users, and at the same time meet the
needs of those who authorize access. If security mechanisms hinder the
usability or accessibility of resources, users may opt to turn off those
mechanisms.
FUNDAMENTAL SECURITY DESIGN PRINCIPLES
• Isolation is a principle that applies in three contexts. First, public access systems
should be isolated from critical resources (data, processes, etc.) to prevent
disclosure or tampering. Second, the processes and files of individual users
should be isolated from one another except where it is explicitly desired. And
finally, security mechanisms should be isolated in the sense of preventing access
to those mechanisms.
• Encapsulation can be viewed as a specific form of isolation based on object-
oriented functionality. Protection is provided by encapsulating a collection of
procedures and data objects in a domain of its own so that the internal structure
of a data object is accessible only to the procedures of the protected subsystem
and the procedures may be called only at designated domain entry points.
FUNDAMENTAL SECURITY DESIGN PRINCIPLES
• Modularity in the context of security refers both to the development of security
functions as separate, protected modules, and to the use of a modular
architecture for mechanism design and implementation. With respect to the
use of separate security modules, the design goal here is to provide common
security functions and services, such as cryptographic functions, as common
modules.
• Layering refers to the use of multiple, overlapping protection approaches
addressing the people, technology, and operational aspects of information
systems. By using multiple, overlapping protection approaches, the failure or
circumvention of any individual protection approach will not leave the system
unprotected.
FUNDAMENTAL SECURITY DESIGN PRINCIPLES
• Least astonishment means a program or user interface should always respond in
the way that is least likely to astonish the user. For example, the mechanism for
authorization should be transparent enough to a user that the user has a good
intuitive understanding of how the security goals map to the provided security
mechanism.
• More examples: William Stallings and Lawrie Brown, Computer Security: Principles and
Practice, Fourth Edition, p. 55.
