Introduction to Computer Security

adanne

Presentation Transcript


  1. Introduction to Computer Security Week 1: The security problem

  2. Admin stuff … • Workload (Tentative) • See syllabus • Ethics caveat: • Any of the following violations may result in an “F” grade (or worse): • Plagiarism or unauthorized collaboration. Collaboration allowed only if I state so explicitly. • Violating the University Honor Policy (incl. honesty) • Violating the University’s computing usage policy and in particular the white hat agreement, including • Installing software such as password crackers and network sniffers. • Illegally accessing others’ accounts (on or off campus). • Breaking any of the cyber crime laws such as ECPA or CFAA. • Even if intended and received “as a joke”.

  3. Admin stuff… • Textbook: • Security in Computing by Pfleeger and Pfleeger 4th edition. • Available through Safari Online catalog in the library. • http://proquest.safaribooksonline.com.lib-proxy.radford.edu/0132390779

  4. Why study security? • Security threats in computing are everywhere! [Figure: users, a network, and user desktops/workstations/LANs, labelled with the threats below] • Stealing laptops/disks etc. • Accessing private data • Sniffing, DoS attacks • Social engineering: giving out password • Changing data, e.g., adding a new user/password

  5. Why study security? Security threats: cost and other threats. • Security violations are costly. • Cyber crime • Cyber espionage, industrial espionage • Cyberwar (e.g., Stuxnet worm) • Accidental damage (Petraeus emails)

  6. Careers in Security. • Application Security Engineer • Software Engineers (with secure software development). • ISOs (Information Security Officers) • Administrators (system, database etc.) • Good outlook for jobs/career: http://www.bls.gov/ooh/computer-and-information-technology/information-security-analysts-web-developers-and-computer-network-architects.htm

  7. Next: • An overview of what it means to “secure” a system.

  8. Securing a computing infrastructure. Suppose your boss asks you to secure a specific computing infrastructure. To do this we need to ask (and answer) three questions. • Secure what aspects? (define security) • Secure against what threats? (threat assessment) • Secure against whom?

  9. The word “secure” is abstract. We need to define it for each context. • Examples: • Alice and Bob want to communicate something private. We need to secure this communication. What exactly do we mean by this? • A software company sends out an update to all its users over the Web. What does it mean to “secure” this update?

  10. Defining security: goals that security must achieve. • Depending on the specific infrastructure that must be secured, the common goals of security are: • Confidentiality (if you can see it, you’re allowed to see it.) • Availability (if you’re allowed to see it, you can) • Integrity (“it” is really it.) • Authentication (“you” are really you.) • Non-repudiation (If you say it, you can’t un-say it.) • Accountability (if something goes wrong – whose fault? Malicious, or non-malicious?) • Identifying security goals is the first step in securing systems. (Ask yourself: of all these goals, which are necessary for your situation?)

  11. Confidentiality • “only authorized people have access to certain data” • Different views allowed, depending on role. • Anonymity preserved. • N.B. Determining identity is so important, it gets its own separate “authentication” category.

  12. Integrity • If we say that we have preserved the integrity of an item, we may mean that the item is • accurate • unmodified • modified only in acceptable ways • modified only by authorized people • modified only by authorized processes • consistent • internally consistent • meaningful and usable

  13. Availability • We say a data item, service, or system is available if • There is a timely response to our request. • Resources are allocated fairly so that some requesters are not favored over others. • The service or system involved follows a philosophy of fault tolerance, whereby hardware or software faults lead to graceful cessation of service or to work-arounds rather than to crashes and abrupt loss of information. • The service or system can be used easily and in the way it was intended to be used. • Concurrency is controlled; that is, simultaneous access, deadlock management, and exclusive access are supported as required.

  14. Next: threat assessment. • Once you decide what goals need to be achieved, next step: • Identify the threats. • Why?

  15. Some terminology: Threats vs. Vulnerabilities vs. Exploits/Attacks • A vulnerability is a weakness in the security system. • A threat to a computing system is a set of circumstances that has the potential to cause loss or harm. • Consider the picture: • Threats: water can rise and overflow the wall. Water can break the wall and drown the person. • Vulnerability: crack in the wall.

  16. Discuss. • Consider bank security. • What are some of the threats? • What are some of the vulnerabilities? • What are some possible attacks?

  17. Bank security • Threats: • Bank robbery. • Stealing account information/personal information online. • Vulnerabilities: • Insecure web-page. • A bank-guard with proclivity to take frequent donut-breaks. • Exploits/attacks: • Something that takes advantage of the vulnerabilities to steal money/information.

  18. Threat categories • [Figure 1-2: System Security Threats.] • What goals (C., I., A.) does each category apply to?

  19. Vulnerabilities • Hardware, software and data vulnerabilities. • [Figure 1-4: Vulnerabilities of Computing Systems.]

  20. Threat Assessment • “Keep your friends close, your enemies closer” – Sun Tzu • To truly secure a system, we need to know who the enemy is. Specifically¹: • Who are the attackers? • Why will they attack the system? • How will they attack it? What are the resources they have available to them? • Threat assessment is hard: we need to realistically gauge threats with the probability of the threats being exploited. • E.g., will a car thief spend $1000 to break into a car and steal a $200 radio?¹ • Do we care about denial-of-service for our radios? • What about military radios? ¹ Material derived from Joseph/Tygar/Vairani/Wagner

  21. Part of Threat Assessment • Do a security analysis¹. • Which of the threats in the threat model will violate the security goals? One formulation¹: “The security goals and threat models define the game. The threat model defines the set of moves the adversary is allowed to make, and the design of the system defines how the defender will play the game. The security goals define the success condition: if the adversary violates any security goal, he [sic] wins: otherwise, the defender wins. The security analysis involves examining all moves and counter-moves to see who has a winning strategy”. • Security analysis requires a thorough knowledge of all countermeasures. ¹ Material derived from Joseph/Tygar/Vairani/Wagner

  22. Enemies/Attackers • Who are they? • Amateurs (Script kiddies) • Crackers or Malicious hackers • Career Criminals • Industrial Spies • Terrorists

  23. Controls/countermeasures • How to prevent vulnerabilities from being exploited? • Security is holistic; it needs three types of controls. Ignoring one level can render the entire system insecure. • Physical security: against physical loss of data. • Protection against stealing (e.g. VA data theft) and nature. • Technological security • { hardware, software, network, data } × { interception, interruption, modification, fabrication } • Administrative security: policies, procedures re behavior. Even if a system is secured against physical and technological threats, there can still be vulnerabilities. • Ensure employees really do lock doors when leaving, etc. • Social engineering; blackmail • Rumours (undermine stock price, or customer confidence) • Shaping popular opinion (GMOs, drone attacks, …)

  24. Security is holistic: Multiple controls • [Figure 1-6: Multiple Controls.]

  25. In summary, studying security involves: • Ability to analyze threats • Usually requires knowledge of: • Threats • Vulnerabilities (that threats could exploit) • Actual attacks (threats that exploit vulnerabilities). • Ability to perform risk management • Threats vs. cost of controlling them • Ability to apply countermeasures • Physical, technical and administrative.

  26. What we will study in the class … • This class is an introduction! • Will cover all the aspects from the previous slide… without going into depth. • Two security courses, ITEC 445 (System Security) and ITEC 455 (Network Security), look into some of the topics in greater depth. • RU offers an Undergraduate Certificate in Information Security

  27. Class Discussion • Consider a program that allows a surgeon in one city to assist in an operation on a patient in another city via an Internet connection. Who might want to attack the program? What types of harm might they want to cause? What kinds of vulnerabilities might they exploit to cause harm?

  28. Next class: • Linux/Windows OS • Next class: intro to using Linux • Please bring your laptops to class if you can!
