Computer Security
CSCI 370, Fall 2013
Dr. Ram Basnet
Outline
  • Class Overview
  • Information Assurance Overview
    • Components of information security
    • Threats, Vulnerabilities, Attacks, and Controls
    • Policy
More Administrivia
  • Grades
    • 3 midterms; the highest 2 scores each count 30% and the lowest score is discarded.
    • Final worth 30%
    • Quizzes 10%
    • Extra credit project worth 10%
A Few Words on Class Integrity
  • Review department and university cheating and honor codes:
    • http://www.coloradomesa.edu/studentservices/conduct.html
  • Expectations for exams and projects
    • Closed book; mostly multiple choice
    • Team Projects
  • Most quizzes will be unannounced
Class Readings
  • Text: Computer Security Fundamentals, William (Chuck) Easttom, II
  • Additional readings provided via public links
  • Books on reserve at the library
Class Format
  • Meet twice a week
  • 70% lecture; 30% hands-on laboratory work
  • The posted slides alone are not sufficient to master the material
Other Sources for Security News
  • Darknet – The Darkside: Don't Learn to HACK – Hack to LEARN: http://www.darknet.org.uk/
  • Help Net Security: http://www.net-security.org/
  • Naked Security – News, Opinion, Advice and Research from SOPHOS: http://nakedsecurity.sophos.com/
  • Packet Storm – all things security: http://packetstormsecurity.com/
  • Bruce Schneier's blog: http://www.schneier.com/blog/
Security in the News
  • HTTPS flaws
    • German security researchers presented the BREACH attack against HTTPS at the Black Hat 2013 conference: http://nakedsecurity.sophos.com/2013/08/06/anatomy-of-a-cryptographic-oracle-understanding-and-mitigating-the-breach-attack/
  • CyberWar
    • Iran – Stuxnet: http://www.voanews.com/content/stuxnet-an-effective-cyberwar-weapon/1691311.html
  • Extortion
    • Threaten DDoS attack unless company pays up
  • Privacy/Identity theft
    • 4 Russians & 1 Ukrainian charged with hacking 160M credit card numbers
  • Worms
    • Conficker, Twitter, and Facebook worms
    • Slammer worm crashed nuclear power plant network
  • Hacktivism – Anonymous & other politically motivated hackers
Objective
  • Provide a broad introduction to the major topics in computer and communication security
  • Provide students with a basic understanding of the problems of information security and the solutions that exist to secure information on computers and networks
Aspects of Information Assurance
  • Fraud Examination
  • Security Engineering
  • Systems Engineering
  • Information Security
  • Forensic Science
  • Disaster Recovery
  • Business Continuity
  • Compliance
  • Governance
  • Privacy
  • Computer Science
  • Criminology
  • Management Science
Information Security Basics: CIA Triad
  • Confidentiality
    • Measures taken to prevent disclosure of information or data to unauthorized systems or individuals
    • Why? How?
  • Integrity
    • Measures taken to protect the information or data from unauthorized alteration or revision
  • Availability
    • Measures taken to ensure data and resources are readily available for access to legitimate users
The Security, Functionality and Ease of Use Triangle
  • A problem that has faced security professionals for an eternity – the more secure something is, the less usable and functional it becomes.
  • (Diagram: a triangle whose three vertices are Security, Functionality, and Ease of Use)
The Security Paradigm
  • Principle 1: The Hacker Who Breaks into Your System Will Probably Be Someone You Know
  • Principle 2: Trust No One, or Be Careful About Whom You Are Required to Trust
  • Principle 3: Make Would-Be Intruders Believe They Will Be Caught
  • Principle 4: Protect in Layers
  • Principle 5: While Planning Your Security Strategy, Presume the Complete Failure of Any Single Security Layer
The Security Paradigm…
  • Principle 6: Make Security a Part of the Initial Design
  • Principle 7: Disable Unneeded Services, Packages and Features
  • Principle 8: Before Connecting, Understand and Secure
  • Principle 9: Prepare for the Worst
Identifying Terms
  • Vulnerability – Weakness in the system that could be exploited to cause loss or harm
  • Threat – Set of circumstances that has the potential to cause loss or harm
  • Attack – When an entity exploits a vulnerability on a system
  • Control – A means to prevent a vulnerability from being exploited
Classes of Threats
  • Disclosure – Unauthorized access to information
  • Deception – Acceptance of false data
  • Disruption – Interruption or prevention of correct operation
  • Usurpation – Unauthorized control of some part of a system
Some Common Threats
  • Snooping
    • Unauthorized interception of information
  • Modification or alteration
    • Unauthorized change of information
  • Masquerading or spoofing
    • An impersonation of one entity by another
  • Repudiation of origin
    • A false denial that an entity sent or created something.
  • Denial of receipt
    • A false denial that an entity received some information.
More Common Threats
  • Delay
    • A temporary inhibition of service
  • Denial of Service
    • A long-term inhibition of service
More Definitions
  • Policy
    • A statement of what is and what is not allowed
    • Divides the world into secure and non-secure states
    • A secure system starts in a secure state. All transitions keep it in a secure state.
  • Mechanism
    • A method, tool, or procedure for enforcing a security policy
Is this situation secure?
  • Web server accepts all connections
    • No authentication required
    • Self-registration
    • Connected to the Internet
Policy Example
  • University computer lab has a policy that prohibits any student from copying another student's homework files
    • The computers have file access controls to prevent others' access to your files
  • Bob does not read protect his files
  • Alice copies his files
  • Who cheated? Alice, Bob, both, neither?
More Examples
  • What if Bob posted his homework on his dorm room door?
  • What if Bob did read protect his files, but Alice found a hack on the mechanism?
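A toy model of the policy-versus-mechanism distinction from the definitions above and the lab-homework example, added here as an illustration rather than code from the slides. The lab policy is a predicate over states ("no student has copied another's homework"), the file access control is the mechanism, and a secure system is one that starts in a secure state and whose permitted transitions stay in secure states; the names bob, alice and hw1.txt and all helper functions are constructed for this example.

```python
# Added example (not from the slides): policy vs. mechanism for the lab-homework scenario.
from dataclasses import dataclass, field
from itertools import product


@dataclass(frozen=True)
class File:
    owner: str
    read_protected: bool = True        # the lab's file access control (the mechanism)


@dataclass
class State:
    files: dict                         # file name -> File
    copies: set = field(default_factory=set)   # (reader, file name) copies made so far


def mechanism_allows_read(state, user, fname):
    """Access-control mechanism: the owner may always read; others only if unprotected."""
    f = state.files[fname]
    return user == f.owner or not f.read_protected


def policy_is_secure(state):
    """Lab policy: no student has copied another student's homework file."""
    return all(state.files[f].owner == reader for reader, f in state.copies)


def copy_file(state, user, fname, bypass_mechanism=False):
    """Transition: 'user' copies 'fname'. Unless the mechanism is bypassed (a flaw
    in the mechanism, as in the slide's last question), the copy only happens if
    the mechanism permits it; a refused transition leaves the state unchanged."""
    if not bypass_mechanism and not mechanism_allows_read(state, user, fname):
        return state
    return State(dict(state.files), set(state.copies) | {(user, fname)})


def system_is_secure(initial, users):
    """Secure system: starts in a secure state, and every transition the mechanism
    permits (one copy step here) leads to a secure state."""
    if not policy_is_secure(initial):
        return False
    return all(policy_is_secure(copy_file(initial, u, f))
               for u, f in product(users, initial.files))


def scenario(bob_protects, alice_bypasses=False):
    """Return (mechanism allowed Alice's read, policy still satisfied afterwards)."""
    s0 = State({"hw1.txt": File("bob", read_protected=bob_protects)})
    allowed = mechanism_allows_read(s0, "alice", "hw1.txt")
    s1 = copy_file(s0, "alice", "hw1.txt", bypass_mechanism=alice_bypasses)
    return allowed, policy_is_secure(s1)


if __name__ == "__main__":
    print(scenario(bob_protects=False))         # (True, False): mechanism let a policy violation through
    print(scenario(bob_protects=True))          # (False, True): mechanism enforced the policy
    print(scenario(True, alice_bypasses=True))  # (False, False): mechanism defeated, policy violated
```

The first case is the slide's answer in miniature: the mechanism permitted Alice's copy, yet the resulting state violates the policy, so the question of who cheated is answered by the policy, not by what the access controls allowed.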
Trust and Assumptions
  • Locks prevent unwanted physical access.
    • What are the assumptions this statement builds on?
Policy Assumptions
  • Policy correctly divides world into secure and insecure states
  • Mechanisms prevent transition from secure to insecure states
Another Policy Example
  • Bank officers may move money between accounts.
    • Any flawed assumptions here?
Assurance
  • Evidence of how much to trust a system
  • Evidence can include
    • System specifications
    • Design
    • Implementation
  • Mappings between the levels
Aspirin Assurance Example
  • Why do you trust aspirin from a major manufacturer?
    • FDA certifies the aspirin recipe
    • Factory follows manufacturing standards
    • Safety seals on bottles
  • Analogy to software assurance
    • Software assurance ensures integrity, security, and reliability in software
Key Points
  • Must look at the big picture when securing a system
  • Main components of information security
    • Confidentiality
    • Integrity
    • Availability
  • Differentiating Threats, Vulnerabilities, Attacks and Controls
  • Policy vs. Mechanism