
QMCS 490 - Class Today


Presentation Transcript


  1. QMCS 490 - Class Today
     • Information Security life cycle
     • Introductions
     • Security perimeters
     • Assignment
     R. Smith - University of St Thomas - Minnesota

  2. The life cycle
     • Identify your practical goals
     • What “real” things do you want to accomplish?
     • What threats interfere with them?
     • Implement security measures
     • What weaknesses exist?
     • What security measures might work?
     • What are the trade-offs against goals?
     • Measure success
     • Monitor for attacks or other failures
     • Recover from problems
     • Reassess goals and trade-offs

  3. So what will the class look at?
     • How to assess security in general
     • Analyzing risk trade-offs
     • Specific security issues and techniques
     • Workstations
     • LANs
     • Distributed networks
     • Internet access
     • E-commerce
     • If time, DRM and ‘extreme security’

  4. Who are you, who am I
     • Ask your neighbor:
     • Name, major
     • Why are you taking this class?
     • Do you “0wn” a computer?
     • I.e. can you log in as admin?
     • Give a personal, security related fact.
     • Experience, skill, incident, etc.

  5. Why this course exists
     • Start of an Information Security major
     • Will be US govt certified
     • Four principal ‘special’ courses
     • Intro course = this one
     • Operating Systems
     • Networking
     • Infosec Analysis = capstone course
     • Analysis course
     • More labs and tools
     • More (very dry) government policy stuff
     • Info Warfare exercise at the end

  6. The Syllabus: nuts and bolts
     • Grade = assignments + tests
     • Also a ‘participation’ grade
     • Attend class, hand in work = good test grade
     • Good grade <= assignments, attend class
     • Typical homework
     • Analyze a security problem, draw a diagram
     • I am planning a couple of labs
     • We have limited lab space (5 machines)
     • May do 30 minute shots at the labs
     • I typically have people do research projects
     • An outline, a paper, and a presentation.
     • Not sure this time

  7. The Syllabus
     • Concepts we’ll cover
     • “Practical” security planning and assessment
     • Risk trade offs - the concept
     • Role of security policies
     • Environments - in order of breadth
     • Personal desktop/laptop
     • Shared computer
     • Local network
     • Internet access from LAN
     • Distributed LANs
     • E-commerce

  8. Two security assessment techniques
     • Perimeter analysis
     • Look at the boundary protecting an asset
     • Look at access points in the boundary
     • Who might want the asset?
     • What attacks will break the boundary?
     • What attacks will break the access points?
     • Is the inside benign itself? Can it be hacked?
     • Flow analysis (data flow, execution flow)
     • Look at where data might flow
     • Assess mechanisms to restrict the flow
     • Assess attacks that can divert the flow
     • Look at “flow of execution” and possible diversion

  9. Part of this semester’s agenda
     • I’m writing a book on elementary security
     • We’ll look at chapters in this class
     • I thought I’d have one ready for today
     • It’s not finished yet.
     • Internet Cryptography
     • An “old” book, but …
     • It talks about security, perimeters, and information flow
     • Provides the basics and concepts for networking & crypto

  10. Personal Computer Security
      • Share a dorm room?
      • Share an apartment?
      • Share a home?
      • “My” computer - a security objective
      • “I’ll kill you if you touch it”
      • a policy statement?

  11. Extreme Workstation Security
      Does this achieve our goals?

  12. Threats & Vulnerabilities
      [Diagram labels: Threat; Vulnerability; Defense, Safeguard, or “Countermeasure”; Asset]
      An attempt to steal or harm the asset is an attack

  13. A real world example
      • There is a company
      • Thieves walk into their buildings every day
      • The front door is unlocked all day long
      • Valuable company property is just lying around
      • The thieves pick it up and carry it away
      • Most thieves, but not all, get away?
      • WHAT IS THIS STUPID COMPANY?
      • Why don’t they lock the door, at least?

  14. Security analysis: your PC
      • Threats?
      • Who, why?
      • Vulnerabilities?
      • What bad can happen?
      • What allows the badness to happen?
      • Can we just lock it up?
      • Put it in a room
      • Put a lock on the door.
      • Don’t share the key
      • Does this work?

  15. Physically securing an area
      • What is a secure perimeter?
      • Contiguous - no breaks
      • A barrier - actually blocks some attacks
      • Minimal number of openings
      • Access restrictions on the openings
      • Example: my house
      • Wooden frame building - keeps out wild dogs
      • Glass windows with storms - ditto
      • Locked doors - ditto
      • Metal fence - ditto
      • Gates in the fence - ditto

  16. Security Analysis
      • What are the threats?
      • Wild dogs
      • Burglars
      • People collecting for nasty charities
      • What are the defenses?
      • Are there effective attacks on them?
      • Effective = threats might use them
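
The perimeter properties from slides 15 and 16, as an added example that is not part of the original slides: a Python model of the house in which zones are nodes and openings are edges, searched for a route that meets no access restriction. The zone names, the unlatched side gate and the open kitchen window are constructed for illustration.

```python
from collections import deque

# Constructed model of the house example: zones are nodes, openings are edges.
# Each opening: (outer zone, inner zone, name, has_access_restriction).
# The unlatched gate and the open window are hypothetical weaknesses added here.
HOUSE = [
    ("street", "yard", "front gate (latched)", True),
    ("street", "yard", "side gate (unlatched)", False),
    ("yard", "house", "front door (locked)", True),
    ("yard", "house", "back door (locked)", True),
    ("yard", "house", "kitchen window (open)", False),
]

def unrestricted_openings(openings, outer, inner):
    """Openings in the boundary between two zones that lack an access restriction."""
    return [name for o, i, name, restricted in openings
            if (o, i) == (outer, inner) and not restricted]

def open_route(openings, outside, asset_zone):
    """Breadth-first search that may cross only unrestricted openings.

    Returns the opening names on a route that meets no access restriction,
    or None when every route from outside to the asset zone is blocked."""
    queue = deque([(outside, [])])
    seen = {outside}
    while queue:
        zone, route = queue.popleft()
        if zone == asset_zone:
            return route
        for outer, inner, name, restricted in openings:
            if outer == zone and not restricted and inner not in seen:
                seen.add(inner)
                queue.append((inner, route + [name]))
    return None

def harden(openings, names):
    """Copy of the model with access restrictions added to the named openings."""
    return [(o, i, n, r or n in names) for o, i, n, r in openings]

if __name__ == "__main__":
    print("fence breaks:", unrestricted_openings(HOUSE, "street", "yard"))
    print("house breaks:", unrestricted_openings(HOUSE, "yard", "house"))
    print("open route to asset:", open_route(HOUSE, "street", "house"))
    fixed = harden(HOUSE, {"kitchen window (open)"})
    print("after closing the window:", open_route(fixed, "street", "house"))
```

A break in the fence alone does not expose the house: the asset is reachable only when every perimeter around it has an unrestricted opening.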

  17. Is this a complete list of threats?
      • Of course not.
      • Study history, the news, experience, introspection
      • Generate a ‘better’ list
      • A notion of “threats”
      • Threat = anyone with strongly different goals
      • Example: Burger King vs McDonald’s
      • Both “sort of” have the same goal: sell burgers
      • In fact, BK wants to sell BK burgers, while Mac wants to sell Mac burgers
      • BK people are not trusted in McDonald’s places

  18. Potential vs Real Threats
      • Potential Threat = strongly different goals
      • Not a member of the family, company, community
      • Member of competing entity
      • But not necessarily motivated to do you harm
      • Real Threat = history of attacks
      • “Good” neighborhood = neighbors not a threat
      • “Bad” neighborhood = neighbors have caused trouble in the past

  19. Now, the Defenses
      • Physical world
      • Physical barriers, slows them down a lot
      • Locks - slow them down, restricts access
      • Alarms - calls for help
      • Warnings - shows you care
      • Computer world
      • Examples?

  20. What defenses are “effective”?
      • Concept of “work factor”
      • How hard does the attacker have to work to overcome the defense?
      • May be computed in hours
      • May be computed in likelihood over time
      • Example: average of 3 days, $.25M to crack DES
      • Effective =
      • Work Factor > threat’s motivation or skill
      • My Home Example
      • Wild dogs motivated but not resourceful
      • Charity people resourceful but not motivated
      • Burglars may be both, but hopefully not too much so
      • Or, deterred by the alarm, and the large dog
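
An added worked example of the work-factor rule on slide 20 (not part of the original slides): it derives the search rate implied by the slide's DES figure, applies that rate to a longer key, and shows how limiting the guess rate raises the work factor. The 4-digit PIN, the 5-guesses-per-day limit and the 30-day attacker budget are constructed assumptions.

```python
SECONDS_PER_DAY = 86_400

def average_trials(space):
    """Expected guesses to find one secret drawn uniformly from `space` values."""
    return (space + 1) / 2

def average_days(space, trials_per_second):
    """Work factor as time: average days of searching at a given guess rate."""
    return average_trials(space) / trials_per_second / SECONDS_PER_DAY

def success_probability(space, trials_per_second, days):
    """Work factor as likelihood over time: chance of success within `days`."""
    tried = trials_per_second * days * SECONDS_PER_DAY
    return min(1.0, tried / space)

def is_effective(work_factor_days, threat_budget_days):
    """Slide 20's rule, with motivation modelled as days the threat will spend."""
    return work_factor_days > threat_budget_days

# DES has a 56-bit key; the slide gives an average of 3 days to crack it.
DES_SPACE = 2 ** 56
IMPLIED_RATE = average_trials(DES_SPACE) / (3 * SECONDS_PER_DAY)  # keys/second

# Constructed case: a 4-digit PIN where guess detection allows 5 guesses a day.
PIN_SPACE = 10 ** 4
LIMITED_RATE = 5 / SECONDS_PER_DAY

if __name__ == "__main__":
    budget = 30  # constructed: days this threat is willing to spend
    for label, days in [
        ("DES, 56-bit key", average_days(DES_SPACE, IMPLIED_RATE)),
        ("64-bit key, same rate", average_days(2 ** 64, IMPLIED_RATE)),
        ("4-digit PIN, 5 guesses/day", average_days(PIN_SPACE, LIMITED_RATE)),
    ]:
        print(f"{label}: {days:,.1f} days, effective={is_effective(days, budget)}")
    print("DES broken within 1 day:",
          round(success_probability(DES_SPACE, IMPLIED_RATE, 1), 3))
```

The tiny PIN space outlasts the 30-day budget only because the guess rate is capped; remove the cap and its work factor collapses.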

  21. How does this relate to computers?
      • Defenses are always a trade off
      • The same reasoning applies to both
      • All security begins with physical security

  22. Evolution of Attacks and Defenses
      Example: Passwords on Computers

      Attacks                    Defenses
      ??                         One-Time Passwords
      Network Sniffing           Password Tokens
      Password Sharing           Memory Protection
      Keystroke Sniffing         Guess Detection
      Guessing                   Password Hashing
      Steal the Password File    Passwords
      Masquerade                 Remote Terminals

  23. The homework assignment
      • Two parts
      • A: describe your computer sharing “policy”
      • B: describe physical protection of your computer

  24. Creative Commons License
      This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit http://creativecommons.org/licenses/by-sa/3.0/us/ or send a letter to Creative Commons, 171 Second Street, Suite 300, San Francisco, California, 94105, USA.
