Scsc 455 computer security 2010 spring
Download
1 / 53

SCSC 455 Computer Security - PowerPoint PPT Presentation


  • 269 Views
  • Uploaded on

SCSC 455 Computer Security 2010 Spring. Chapter 1 Overview of Computer Security Dr. Frank Li. Index. Overview security risks in computer systems Privacy in computer security Risk assessment and security policy Security-focused organizations Government’s security and privacy role

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about 'SCSC 455 Computer Security ' - Roberta


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
Scsc 455 computer security 2010 spring l.jpg

SCSC 455 Computer Security2010 Spring

Chapter 1 Overview of Computer Security

Dr. Frank Li


Index l.jpg
Index

  • Overview security risks in computer systems

  • Privacy in computer security

  • Risk assessment and security policy

  • Security-focused organizations

  • Government’s security and privacy role

  • Security-Focused Linux Products

  • Security certifications


Overview computer security l.jpg
Overview Computer Security

  • Computer security is a large and specialized field

    • Computer security separates in many ways from the day-to-day operation of a network server

    • There are many unauthorized computer access events and attacks on computer networks.

      Do you know …

    • Carlos Felipe Salgado used sniffing technique to collect over 100,000 credit card numbers from online merchants.

      • He was arrested in June 1997 as he tried to sell them to undercover FBI agents.

    • On Nov. 3, 1988, system administrators all over the U.S. found that their systems were running abnormally slowly.


Overview computer security4 l.jpg
Overview Computer Security

Do you know …

  • In early 2000, a series of attacks attempt to shut down many web sites (Yahoo, eBay, Microsoft Network, etc.) by overwhelming them with bogus requests.

    Q: What are the causes of so many attacks on networks and computer systems?


Evolution of computing and security l.jpg
Evolution of computing and security

  • Mainframe era

    • The only computers were a few mainframes, which are used for specialized tasks.

      • Users access the mainframes through “dumb” terminals

    • Little threat of security breaches or vulnerabilities being exploited at that time.

      Why?


Mainframe era l.jpg
Mainframe era

Because …

  • Only a handful of people, who knew how to operate the computer, work in a closed environment.

  • Although some mainframes are networked, it was done in a crude fashion for specific tasks.

  • Although the OS of that time had problems, software bugs, and vulnerabilities, not many people were interested in taking advantage of them.


Pc and networking era l.jpg
PC and networking era

  • PC and networking era (1980 -- )

    • Personal computers (PCs) become more efficient and cheaper

    • The functionality of the system grew, various applications were developed

    • Millions individuals have access to computers

    • Millions of computers are networked and birth of the client / server computing model

  • Many security issues emerge

    • Data got corrupted accidentally due to individual mistakes

    • unexpected inputs from users

    • malicious attempts from crackers


Pros and cons of networking l.jpg
Pros and cons of Networking

  • A large number of computers are networked nowadays.

    • This broad access represents the power of networked computers, but also represents opportunities for malicious intent.

    • The more broadly a computer is networked, the more potential for access to that computer

  • A great deal of valuable information (personal, financial …) are stored on computers.

    • Two terms are commonly used to persons who break into computer systems: hacker vs. cracker.

    • The motivations: for fun or for profit


Other causes of computer attacks l.jpg
Other causes of computer attacks

  • Cyber-terrorism:the use of computing resources to intimidate or coerce others.

    • E.g. Hacking into a hospital computer system and changing someone's medicine prescription to a lethal dosage as an act of revenge.

  • Information warfare is the offensive and defensive use of information and information systems to deny, exploit, corrupt, or destroy, an adversary's information, information-based processes, information systems, and computer-based networks while protecting one's own. Such actions are designed to achieve advantages over military, political or business adversaries.

    -- Dr. Ivan Goldberg

  • Computer Crime: unauthorized access to a computer system.

    • Gathering accurate statistics of the damages caused by computer crime is difficult. Why?


The difficulties of gathering accurate statistics of computer crime l.jpg
The difficulties of gathering accurate statistics of computer crime

  • Computer break-ins are not always reported

    • are not discovered

    • are Discovered long after the break-in occurred

  • The company was broken into may not want to risk negative publicity by reporting the incident

  • Computer crimes are prosecuted using a number of different laws

    • Matching a crime with a law is difficult


How are nations affected l.jpg
How are nations affected? computer crime

We are increasingly dependent on computer /network

technology for communication, funds transfers, utility

management, government services, military action, and maintaining

confidential information.

  • E.g. 1, A majority of the military vehicles, weapons systems, and communication systems are controlled by computer systems.

  • E.g. 2, Critical infrastructures and industries, such as power grid and communication channels, are controlled by computer systems. Most governments have recognized this vulnerability and have started taking steps to evade these types of attacks.


How are companies affected l.jpg
How are companies affected? computer crime

Many companies are finding out how security affects their

bottom line in ways they never expected.

  • If a company suffers a security breach, it will have to deal with a wide range of issues, such as sued by the customers.

  • Organizations have had trade secrets and intellectual property stolen by employees who left to work for a competitor.

  • A company can lose money and time is by its lack of readiness to react to a situation.

  • To get a good insurance rate, companies must prove that they have a solid security program and that they are doing all that they can to protect their own investments.


The evolution of hacking l.jpg
The Evolution of Hacking computer crime

  • What is hacking?

    • Joyriding hacking, profit-driven hacking, and ethical hacking

    • Hackers’ profile: Baby hacker, tool hacker, and god father hacker

  • Not only hacking activity on the rise, but the sophistication of the attacks is advancing

    • Steal financial information, military secret

    • Defacing web sites

    • Extortion

    • Phishing

    • Etc.


Index14 l.jpg
Index computer crime

  • Overview security risks in computer systems

  • Privacy in computer security

  • Risk assessment and security policy

  • Security-focused organizations

  • Government’s security and privacy role

  • Security-Focused Linux Products

  • Security certifications


The privacy issue l.jpg
The Privacy Issue computer crime

  • Privacy issues arise when personal information stored in computers

    • Any personal information stored on a computer is threatened by someone cracking the system where it is stored.

      • E.g., Credit card numbers, tax records, medical files, military records

    • Privacy makes computer security an issue of personal concern.


The privacy debate l.jpg
The Privacy Debate computer crime

Privacy advocates vs. those advocating a free flow of information

Opt-in vs. Opt-out

  • In opt-in: will not receive ads unless you specify say “yes, put me on the mailing list.”

  • Opt-out: receive ads unless you contact a company and say “take me off the mailing list”

    E.g.

    • Who should be able to obtain your credit records?

    • Who should be allowed to see your medical records?

    • How can a company that gathers information about you use that information?


Privacy policy l.jpg
Privacy Policy computer crime

  • A privacy policy is a voluntary statement by a company about how it will and will not use data that is collects about users or customers.

  • Privacy policies usually contain the following information:

    • We don’t collect or save any information about visitors to our web site

    • We collect information in order to complete a sale or register users, but we do not share that data

    • We collect information on visitors and use patterns to determine if a visitor might be interested in some of our other products

    • We collect information and share it with our partners who may have products that interest you



Example of privacy policy19 l.jpg
Example of Privacy Policy computer crime

  • Personal information

    • In all marketing channels we do collect information you choose to submit,

    • We use common Internet technologies, such as cookies, on our Web sites and in our e-mails.

  • Uses of information

    • We may share information about you with vendors we have hired to provide services on our behalf.

      ...

  • Your privacy choices

    • You may unsubscribe from our e-mail newsletters and promotions.

    • You may direct us not to send you direct mail promotional materials or call you about Consumer Reports products, programs and services.


Ethics and system administrators l.jpg
Ethics and System Administrators computer crime

Privacy policies are usually created by enforced by lawyers

and marketing VP, and executed by the system

administrators.

  • The burden of ethical use of data typically falls on the system administrator

  • Ethics deals with the issue of doing the right thing at the right time, for the right reason

    • Ethics codes were developed to define the role of system administrators in organizations and to increase the respectability and raise standards of behavior in the profession


  • Index21 l.jpg
    Index computer crime

    • Overview security risks in computer systems

    • Privacy in computer security

    • Risk assessment and security policy

    • Security-focused organizations

    • Government’s security and privacy role

    • Security-Focused Linux Products

    • Security certifications


    The approaches to security l.jpg
    The approaches to security computer crime

    • A paradox of computer security: the more secure a system is, the less usable it is.

      • The best approach to security is to make a system highly secure without undue annoyance to authorized users.

    • “Security through obscurity” assumes that if no one knows about your system, you are safe,

      • Is it a good approach? Why?


    Risk assessment l.jpg
    Risk Assessment computer crime

    • “Security through obscurity” must be avoided.

      Because …

      The key to good security is not to hope that no one finds the security weaknesses of your system, but rather to eliminate those weaknesses.

    • Hardware, software and data are primary targets of attack

      • of these three, data presents the most serious threat


    Outsider vs insider l.jpg
    Outsider vs. Insider computer crime

    • Crackers break into systems in order to:

      • steal data

        • e.g. credit card

      • corrupt data

        • maybe unintentionally, but often for malicious reasons

      • block access to the system

        • as in a Denial-of-Service (DoS) attack

    • Crackers are not the only threat to systems, a majority of security incidents result from the actions of users within an organization


    Computer attack techniques the details will be covered in later chapters l.jpg
    Computer attack techniques computer crime(The details will be covered in later chapters.)

    • Password cracking

      • obtaining a password by using a password cracking program or social engineering

    • Trojan horse attacks

      • an illicit program is run from an untrustworthy source

    • Buffer overflow attacks

      • rely on a weakness in the design of a program dealing with buffer (memory space) management

    • Denial-of-Service attacks

      • try to overwhelm your system so that valid users cannot access it


    Risk assessment26 l.jpg
    Risk Assessment computer crime

    • Security should begin with a careful analysis of the assets being protected and their value

      • These assets can include reputation, revenue generation, secret data, or other factors

      • What is risk ?

    • Four layers of security (will be covered in the later chapters)

      • Physical security – e.g., physical access to Linux server

      • User security - e.g., user authorization and privileges

      • File security - e.g., file access limitations

      • Network security - e.g., secure network configuration


    Creating a security policy l.jpg
    Creating a Security Policy computer crime

    • A security policy is a written document that may do any of the following:

      • Analyze what assets are at risk

      • Provide network danger statistics to end users

      • Describe security procedures

      • Outline user access levels

      • List specific actions to make the system secure after a reboot

      • Outline procedures to follow when an intrusion by a cracker has been detected

      • Merge the security policy with disaster recovery plan


    Computer security is really about people l.jpg
    Computer security is really about people computer crime

    • In one sense, computer security is really about people

      • knowing why they act as they do and knowing whom to trust

      • is true from the perspective of the system administrator and the cracker

    • The system administrator must proceed with caution regarding where they obtain Linux and other software

      • A back door is a method of accessing a program that is known to its creator but not to other users

    • Social engineering involves a cracker manipulating a user to extract needed access information

      • E.g., A cracker will simply obtain a user’s name and call them in order to obtain information.

      • E.g. A cracker could walk past an employee’s workstation and gather information from posted data


    Index29 l.jpg
    Index computer crime

    • Overview security risks in computer systems

    • Privacy in computer security

    • Risk assessment and security policy

    • Security-focused organizations

    • Government’s security and privacy role

    • Security-Focused Linux Products

    • Security certifications


    How to stay security l.jpg
    How to stay security computer crime

    • Upgrading the Linux system regularly

      • to keep your system upgraded, including the Linux kernel and programs that run on Linux.

        • Most of the updates for security problems come in the form of a patch

          Q: update vs. patch ?

      • The best way to stay informed about upgrades and patches is to subscribe to the security notification service of a reputable Linux vendor

    • Taking advantage of professional organizations which act as clearinghouses for recent security information

      • E.g., Red Hat has a service “Red Hat Network”, which informs the subscribers new patches and upgrades


    Security focused organizations l.jpg
    Security-focused organizations computer crime

    • Two organizations are known as bastions of computer security information:

      • The CERT Coordination Center (Computer Emergency Response Team)

      • The System Administration, Networking, and Security (SANS) Institute


    Cert cc l.jpg
    CERT/CC computer crime

    The CERT Coordination Center (CERT/CC)

    • Is a federally funded software engineering institute operated by Carnegie-Mellon University

    • Was formerly called the Computer Emergency Response Team

    • The CERT/CC website maintains lists of security vulnerabilities, alerts, incident reports.


    Cert cc website l.jpg
    CERT/CC Website computer crime


    Slide34 l.jpg
    SANS computer crime

    • The System Administration, Audit, Network, and Security Institute(SANS)

      • Is a prestigious education and research organization whose staff includes most of the leading security experts in the country www.sans.org

      • Contains a top 20 list of the most widely used strategies being used to attack computer systems – updated annually

      • Security training and certificate in SANS

    • SANS Internet storm center at www.incidents.org

      • A statistical summary of what attacks are taking place at more than 3,000 firewalls in over 60 countries around the world.

      • Today's Internet Threat Level: GREEN  RED


    Sans website l.jpg
    SANS Website computer crime


    Index36 l.jpg
    Index computer crime

    • Overview security risks in computer systems

    • Privacy in computer security

    • Risk assessment and security policy

    • Security-focused organizations

    • Government’s security and privacy role

    • Security-Focused Linux Products

    • Security certifications


    The u s government and computer security l.jpg
    The U.S. Government and Computer Security computer crime

    • Computer security is increasingly viewed as part of our national security

      • the U.S. federal government continues to increase its involvement with the computer security industry

    • Two new roles the government is playing are

      • prosecutor of computer crimes

      • an information clearinghouse to encourage good security practices


    Security and the law l.jpg
    Security and the Law computer crime

    • When congress passed the Computer Fraud and Abuse Act (1986), it became a crime to access a computer without authorization

    • Additional laws have been passed to help stop the acts of crackers, including

      • the Computer Security Act (1987)

      • the National Information Infrastructure Protection Act (1996)

      • the Patriot Act (2002)

    • Prosecuting a cracker is different from prosecuting other criminals.

      • Investigators need to have a strong understanding of the technology involved;

      • Special computer crime units

        • The FBI’s National Computer Crime Squad

        • The U.S. Department of Justice, Criminal Division

        • The FBI’s National Infrastructure Protection Center (NIPC)

        • The Department of the Treasury runs the Secret Service and the Financial Crimes Enforcement Network (FinCEN)


    Index39 l.jpg
    Index computer crime

    • Overview security risks in computer systems

    • Privacy in computer security

    • Risk assessment and security policy

    • Security-focused organizations

    • Government’s security and privacy role

    • Security-Focused Linux Products

    • Security certifications


    Security focused linux products l.jpg
    Security-Focused Linux Products computer crime

    • The development of several security-focused versions of Linux

      • NSA security-enhanced Linux

      • Trustix Secure Linux

      • Bastille Linux hardening package

    • NSA security-enhanced Linux (selinux)

      • NSA selinux is a research project,

      • Runs the Linux kernel on top of another kernel microkernel

        • allows each process in Linux kernel to be controlled and handled in isolation.

      • http://www.nsa.gov/selinux/ for more information and source code


    Security focused linux products41 l.jpg
    Security-Focused Linux Products computer crime

    • Trustix Secure Linux

      • Uses a standard Linux kernel, but it is thoroughly configured to be a server with tight security

        • No GUI, network service are disabled by default, high level of firewall protection

      • http://www.trustix.net/

    • Another security-conscious Linux is the Bastille Linux hardening package

      • Contains a set of scripts that can be run on some Linux distributions

      • Bastille scripts examine your installed Linux system, checking for configurations that present a security hazard

      • http://www.trustix.org/



    Index43 l.jpg
    Index computer crime

    • Overview security risks in computer systems

    • Privacy in computer security

    • Risk assessment and security policy

    • Security-focused organizations

    • Government’s security and privacy role

    • Security-Focused Linux Products

    • Security certifications


    The purpose of security certification l.jpg
    The purpose of security certification computer crime

    Two purpose of Security Certification

    • helps companies identify individuals who have the ability, knowledge, and experience

      • To perform risk analysis,

      • To identify necessary countermeasures,

      • To implement solid security practices,

      • To help the organization as a whole protect its facility, network, systems, and information.

    • also provides security professionals with the credential that represents the skill set they want to offer to employers.


    Popular it security certifications l.jpg
    Popular IT security certifications computer crime

    • CompTIA Security+ and Network+ certifications (or equivalent knowledge) are helpful to prepare advanced security certifications. ( www.comptia.org )

      • CompTIA has more than 22,000 member companies in over 100 countries around the world;

      • also serves the IT industry as the world's largest developer of vendor-neutral IT certification exams.

    • Advanced security certifications (details next …)

      • Certified information systems security professional (CISSP)

      • SANS Institute offers training and information security certifications through Global Information Assurance Certification (GIAC)

      • The international council of electronic commerce consultants (EC-Council) offers Certified ethical hacker (CEH)


    Compare security certifications l.jpg
    Compare security certifications computer crime

    • CISSP

      • More concerned with policies and procedures

      • Although it is not geared toward the technical IT professional, it has become one of the standards for many security professionals.

    • GIAC certifications are classified in five subject areas:

      • Security Administration

      • Management

      • Operations

      • Legal

      • Audit

  • CEH certifications

    • People with this certification will most likely be placed on a team called a “red team” that conducts network penetration test.

      • Probing vulnerability of the networks and computer systems.


  • The cissp requirements l.jpg
    The CISSP Requirements computer crime

    • CISSP exam requires one of the following professional experience requirements:

      • At least three years of experience in one (or more) of the ten domains and a college degree

      • Four years of professional experience in one (or more) of the domains within the Common Body of Knowledge (CBK)

      • Two years of experience plus a bachelor’s degree or a master’s degree in information security from a National Center of Excellence

    • Associate of CISSP

      • For candidates who do not meet professional experience requirements


    The common body of knowledge cbk l.jpg
    The Common Body of Knowledge (CBK) computer crime

    • CISSP exam covers the ten domains that make up the CISSP CBK







    ad