1 / 30

Introduction to Computer Security Slide Set 1

CS498IA Spring 2007 Nikita Borisov. Introduction to Computer Security Slide Set 1. Based on slides provided by Matt Bishop for use with Computer Security: Art and Science. Outline. Administrative Issues Class Overview Information Assurance Overview Components of computer security

Jims
Download Presentation

Introduction to Computer Security Slide Set 1

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. CS498IA Spring 2007 Nikita Borisov Introduction to Computer SecuritySlide Set 1 Based on slides provided by Matt Bishop for use with Computer Security: Art and Science

  2. Outline • Administrative Issues • Class Overview • Information Assurance Overview • Components of computer security • Threats • Policies and mechanisms • The role of trust • Assurance • Operational Issues • Human Issues

  3. Reading • For this lecture: • First Chapter of Computer Security: Art and Science • For next lecture: • Read Chapter 2 of Computer Security: Art and Science

  4. Administrivia • Instructor • Nikita Borisov • Communications • Class web page http://www.cs.uiuc.edu/class/sp07/cs498ia • Newsgroup class.cs498ia • Office Hours: • TBA • Grades • 2 midterms • 1 final • approx. bi-weekly homeworks • extra project for graduate students taking IA4

  5. Grading Scheme

  6. Security Classes at UIUC • Security course roadmap • http://iti.uiuc.edu/roadmaps/security-roadmap.html • Two course security introduction sequence • Cover “Computer Security: Art and Science” by Matt Bishop • Introduction to Computer Security (CS461) • Covers NSA 4011 security professional requirements • A broad overview of security. • Computer Security (CS463) • Covers more advanced topics • Covers introductory topics in greater depth

  7. Security Classes at UIUC • Applied Computer Security Lab - CS460 • Taught in spring • With CS461 covers NSA 4013 system administrator requirements • Project oriented course. Hands on experience to reinforce how basic security concepts are implemented today. • Advanced Computer Security - CS598cag • Prepares students for research in computer security • Seminar style course • Cryptography • Math 595/ECE 559 • Reading Group • Listed as CS591rhc • Student lead group. Reads and discusses current security research papers.

  8. Write on Card • Your name & netid • Your year (if undergrad) or advisor (if grad) • 400- & 500- level courses you’ve taken • Why you’re interested in computer security

  9. Why I Like Security • You get to be paranoid • You get to look at systems in a broad context

  10. Brief History of Computer Security “With the explosive growth of the Internet, there has been a rise in importance of computer security”

  11. Time Lag • Internet is 35 years old • Was designed without security provisions • “Explosive growth” started in mid-’90s • Security not a priority until much later • Explosive growth of desktops started in ’80s • Also no emphasis on security

  12. A less brief history • Interest in computer security very old • But largely confined to the military • Other communities did not care • Internet - it’s only a research network, who would attack it? • Desktops - who needs military security, I just want to run my spreadsheet!

  13. Important Events • Morris worm - 1988 • Brought down a large fraction of the Internet • Academic interest in network security • E-commerce - mid ‘90s • Industrial interest in network security protocols • Resurgence of worms - early ‘00s • Made computer security a household term

  14. Class Topics • Introduction and motivation • Security Policies: Access Control Matrix, Confidentiality and integrity policies • Trusted Operating Systems • Risk Analysis • Legislation and security • Applied Cryptography: basic crypto, key management, cipher techniques, authentication • Network security mechanisms • Legal and ethical issues in security • Security design principles, assurance techniques, Auditing • System evaluation • Code vulnerabilities and malicious programs • Physical security • EMSEC • Hardware-enforced security

  15. Basic Components • Confidentiality • Keeping data and resources hidden • Integrity • Data integrity (integrity) • Origin integrity (authentication) • Availability • Enabling access to data and resources

  16. Classes of Threats • Disclosure • Snooping • Deception • Modification, spoofing, repudiation of origin, denial of receipt • Disruption • Modification • Usurpation • Modification, spoofing, delay, denial of service

  17. Types of Attackers • Unskilled hacker (“script-kiddie”) • Skilled hacker • Organized crime • Nation-states

  18. Policies and Mechanisms • Policy says what is, and is not, allowed • This defines “security” for the site/system/etc. • Mechanisms enforce policies • Composition of policies • If policies conflict, discrepancies may create security vulnerabilities

  19. Goals of Security • Prevention • Prevent attackers from violating security policy • Detection • Detect attackers’ violation of security policy • Recovery • Stop attack, assess and repair damage • Continue to function correctly even if attack succeeds

  20. Trust and Assumptions • Underlie all aspects of security • Policies • Unambiguously partition system states • Correctly capture security requirements • Mechanisms • Assumed to enforce policy • Support mechanisms work correctly

  21. A Login Program check_password(user, pass) { if (user = “ken” and password = “xyzzy”) { return OK } ... }

  22. B Compiler Program compile(source) { if (match(source, “check_password”)) { insert(source, A) } ... }

  23. B Compiler Program compile(source) { if (match(source, “check_password”)) { insert(source, A) } if (match(source, “compile”)) { insert(source, B); } ... }

  24. Compiler Program compile(source) { if (match(source, “check_password”)) { insert(source, A) } if (match(source, “compile”)) { insert(source, B); } ... } B

  25. Types of Mechanisms secure broad precise set of reachable states set of secure states

  26. Assurance • Specification • Requirements analysis • Statement of desired functionality • Design • How system will meet specification • Implementation • Programs/systems that carry out design

  27. Operational Issues • Cost-Benefit Analysis • Is it cheaper to prevent or recover? • Risk Analysis • Should we protect something? • How much should we protect this thing? • Laws and Customs • Are desired security measures illegal? • Will people do them?

  28. Human Issues • Organizational Problems • Power and responsibility • Financial benefits • People problems • Outsiders and insiders • Social engineering

  29. Tying Together Information Threats Policy Specification Design Implementation Operation

  30. Key Points • Policy defines security, and mechanisms enforce security • Confidentiality • Integrity • Availability • Trust and knowing assumptions • Importance of assurance • The human factor

More Related