University of London / MSc Computer Science: Information security(後半)

University of London / MSc Computer Science: Information security(後半)

January 3, 2024

ロンドン大学で MSc Computer Science: Information security モジュールを履修中。

講義内容に関して記録した個人的なスタディノートです。

全 12 週のうち 6〜12 週目の内容を記録します。(6 週目開始:2023 年 11 月 13 日 / 12 週目終了:2024 年 1 月 3 日)

Week 6: Access control mechanisms #

メモ

  • アクセスコントロールに関する内容だった。第2週目で学んだ内容と似ていた。
  • CISSP 取得の際に勉強した内容以上のものは出てこなかったため、講義内容記録はさくっと済ませる。
  • ラボの実習内容は、ZAP(OWASP ZAP, Zed Attack Proxy)と SSL Server Test by Qualys SSL Labs と Njsscan を使用した脆弱性のスキャニングについて。

レクチャー内容

  • Overview of access control mechanisms
    • Lecture 1: Introduction to access control mechanisms
    • Lecture 2: How access control works
    • Lecture 3: Types of access control(MAC, DAC, RBAC, rule and attribute-based)
  • Implementing access control mechanisms
    • Lecture 4: Challenges of access control
    • Lecture 5: Access control management software
  • Labs
    • Scanning

Week 7: Assurance and trust #

メモ

  • セキュリティの保証や評価制度に関する内容だった。
  • CISSP 取得の際に勉強した内容以上のものは出てこなかったため、講義内容記録はさくっと済ませる。
  • ラボの実習内容は、Linux のオーナーやグループを用いた基本 ACL(chmod コマンドなど)と、拡張 ACL(setfacl コマンドなど)によるアクセスコントロールについて。

レクチャー内容

  • Introduction to assurance
    • Lecture 1: Introduction to assurance and trust
    • Lecture 2: Issues concerning assurance
    • Lecture 3: Issues concerning trust
  • Evaluation
    • Lecture 4: Performing an evaluation
    • Lecture 5: Trusted Computer System Evaluation Criteria (TCSEC)
    • Lecture 6: Exploring common criteria
  • Labs
    • Access Control Mechanisms in Linux

Assurance, trust

  • A technical definition of assurance is:
    • Evidencing that an information system’s mechanisms meet the requirements of the security policy.
    • Estimating risk of system failure whether due to natural disaster or an attack.
    • Risk assessments are part of the assurance process.
  • Trust is an abstract concept in information security. For example, it could refer to:
    • A system that is trusted because if enforces a required security policy.
    • Transaction procedures in the Clark Wilson Integrity model which leave data in a valid state.

About TLS/SSL

  • TLS/SSL stands for:
    • TLS = Transport Layer Security
    • SSL = Secure Sockets Layer
  • Despite the order, SSL predates TLS a few years.
  • Both SSL and TLS exchange public and private keys to create secure sessions.
  • SSL
    • The first released version of SSL was developed in 1995 by Netscape as internet use was exploding.
    • SSL v1 was never released due to serious security flaws that were quickly identified during its development.
    • SSL v2 was released in 1995, but quickly withdrawn due to miltiple usability and vulnerability issues.
    • SSL v3 was released in 1996 survived for much longer. However, the POODLE vulnerability contributed to its deprecation in 2015.
    • POODLE stands for Padding Oracle On Downgraded Legacy Encryption, and allows part of the ciphertext to be revealed through the use of multiple SSL 3 requests.
  • TLS
    • TLS v1.0 was released 1999, which was built on SSLs designs. It was actually a reworking of SSL version 3.
    • Although the TSL 1.0 and SSL version 3 were not compatible with one another.
    • TLS v1.1 released in 2006, fixed some vulnerability issues found in TLS v1.0.
    • TSL v1.2 released in 2008 had a stronger secure hash algorithm (the original being considered vulnerable to state actors).
    • TLS v1.3 released in 2018, closed a number of loopholes and its in use today.

Evaluation

  • An evaluation differs from the risk assessment.
  • A risk assessment determines the level of risk present.
  • An evaluation determines if the level of risk AND the design of the system complies with the security model or security standard being used.
  • Evaluations are perfermed by:
    • Analysing detailed designs of the software and process, with verification and validation, where necessary.
    • Observing the behaviour of the system, including the use of penetration studies.
    • Ideally, independent assessors.

The Trusted Computer System Evaluation Criteria (TCSEC)

  • TCSEC or “Orange Book” was published by the Department of Defense, the latest version in 1985.
  • It provided an objective standard for evaluating system security. It is guidance to hardware and software vendors on certification requirements from the U.S. Government.
  • The Orange Book did not result in the creation of many highly secure systems.
  • Most evaluations were below A1 (best score of Orange book), But, it did motivate vendors to include security controls in their products.
  • It was a US-only standard which was replaced by the internationally recognised Common Criteria in 1999.

Common Criteria

  • “Common Criteria” is shorthand for “Common Criteria for Information Technology Security Evaluation”.
  • Provides assurance that a product has been tested in a rigorous, standard and repeatable way for intended user base.
  • Adopted internationally in 1999.
  • Accredited under ISO 15408.

Week 8: Network intruders and intrusion detection #

メモ

  • ネットワークの各レイヤーのプロトコルや、ネットワークに関連する攻撃の種類とその対策に関する内容だった。
  • CISSP 取得の際に勉強した内容以上のものは出てこなかったため、講義内容記録はさくっと済ませる。
  • ラボの実習内容は、Python による機械学習を用いたネットワーク侵入検知モデルの作成について。

レクチャー内容

  • Introduction to network intrusion
    • Lecture 1: Introduction to network intrusion
    • Lecture 2: Vulnerabilities in network protocols and attacks on local networks
    • Lecture 3: Attacks on local networks
  • Defence against network attacks
    • Lecture 4: Preventing network attacks
    • Lecture 5: Intrusion detection
    • Lecture 6: The role of encryption
  • Labs
    • Intruder detection

Week 9: Firewalls and malicious software #

メモ

  • ファイヤーウォールについて、およびマルウェアに関する内容だった。
  • CISSP 取得の際に勉強した内容以上のものは出てこなかったため、講義内容記録はさくっと済ませる。
  • ラボの実習内容は、Linux の iptables を用いたパケットフィルタリングの設定方法と、脆弱性のある Python コードを例に SQL インジェクションのやり方について。

レクチャー内容

  • Firewalls
    • Lecture 1: Introduction to firewalls
    • Lecture 2: Packet filtering
    • Lecture 3: Application-layer firewall
  • Malicious software
    • Lecture 4: Introduction to malicious software
    • Lecture 5: Malware
    • Lecture 6: Ransomware
  • Labs
    • Configuring a Firewall in Linux and SQL Injection with Python

Week 10: Economics of information security (a case study) #

メモ

  • クラッカーの所属や動機についてと、クラッキングの被害額や対策費についての経済的な調査結果、ランサムウェア「WannaCry」が実際にどのような被害を(特にイギリス国民保健サービス(NHS)を例として)をもたらしたかに関する内容だった。
  • 具体的な事例を学ぶのは面白かったが、講義内容記録としてはさくっと済ませる。
  • ラボの実習内容は、TShark(Terminal 版の Wireshark)を用いたネットワークトレースと分析の方法について。

レクチャー内容

  • Economics of information security
    • Lecture 1: Introduction to the economics of information security
    • Lecture 2: Economics of hacking
    • Lecture 3: Economic impact of hacking
  • NHS case study
    • Lecture 4: Introduction to WannaCry cyber attack on the NHS
    • Lecture 5: The attack methodology
    • Lecture 6: The economic impact
  • Labs
    • Reading network traces to identify attacks

Week 11, 12 #

最終課題の期間。課題は、大学が用意した「OWASP Juice Shop(https://owasp.org/www-project-juice-shop/)」を模した脆弱なウェブサイトに対して、「ZAP(OWASP ZAP, Zed Attack Proxy)、SSL Server Test by Qualys SSL Labs、Njsscan」のツールを用いてスキャニングを行い、見つかった脆弱性やその重大度およびそれらの解決策などについてセキュリティコンサルタントの立場でレポートを書くもの。