CSE2500 System Security and Privacy

Lecturers

Prof B Srinivasan

Phone: 990 31333

Room No: C4.47 srini@infotech.monash.edu.au

Ms Nandita Bhattacharjee

Phone: 990 32185/990 53293

Room No: C4.05 nandita@csse.monash.edu.au

Organisation and Evaluation
  • 12 weeks of lectures
  • 2 hours of tutorials per week – mainly problem solving, starting from week 2 to week 12.
Weekly Lectures
  • Lectures
    • Wednesdays 7p.m. to 9p.m. in Caulfield K Block K3.21
  • Alternative Lecture times?
    • Fridays 12 noon to 2p.m. in Caulfield – K block 3.09
    • Fridays 3p.m. to 5p.m. in Caulfield B block B2.13
Tutorials
  • Tutorials from week 2 to week 12:
    • Wednesdays 10a.m. in Caulfield/B471
    • Wednesdays 4p.m. in Caulfield/B471
    • Wednesdays 4p.m. in Caulfield/B476
    • Thursdays 10a.m. in Caulfield/A212
    • Thursdays 2p.m. in Caulfield/B224
    • Thursdays 6p.m. in Caulfield/F206 or Wednesday 5p.m. in Caulfield/??
    • Please use Allocate+ for allocating tutorials. If you have any problems, please see us during the tutorial times next week.
Assessment
  • Four assessment components
    • Two 30 min tests during the tutorial sessions in weeks 6 and 12, worth 15% each.
    • Individual question solving during the tutorial session from weeks 7 to 11, worth 10%
      • Each student will be assigned a time slot and a problem and they have to make a presentation of the solution to the rest of the group.
    • Examination – 2 hours duration – worth 60%
  • You need to get at least 50% to pass this unit.
References
  • Primary Reference book:
    • Security in Computing – C P Pfleeger and S L Pfleeger, Third Edition, 2003, Prentice Hall
  • Secondary Reference book:
    • Computer Security—Dieter Gollmann, 1999, John Wiley
Subject: CSE2500

Lecturers: Prof. Bala Srinivasan, Mrs. Nandita Bhattacharjee

Prescribed Text: Pfleeger, Security in Computing 3e

Available from the University Bookshop

Where to look for the subject materials?
  • http://www.csse.monash.edu.au/courseware/cse2500
  • http://beast.csse.monash.edu.au/cse2500
  • Please download and print the lecture materials before coming to class, as NO further photocopies of notes will be distributed in class.
  • The lecture notes are complementary to the prescribed text.
Security
  • Why do you lock your house before you leave?
  • How do you choose the kind of lock for your house?
  • Any added devices (such as alarms, bull terrier, etc…)
  • What do you do when you observe that things in the house are scattered around?
What are you protecting?
  • Brick and walls
  • Money and jewellery
  • Music CDs and tapes
  • Etc ….
Threats to Computer and Communications systems
  • Domain of information and network security
  • Taxonomy of security attacks
  • Aims or services of security
  • Model of system/(inter)network security
  • Methods of defense
Security
  • Human nature
    • physical, financial, mental,…, data and information security
There are Problems
  • Theft - of equipment
  • Theft – e.g. Copying of confidential material
  • Modification - for gain – e.g. Adding false names to payroll
  • Modification - malicious – e.g. Virus infections
  • Access - easy for ‘us’ and difficult for ‘them’
  • ….
Fact sheet
  • bank robbery through computers
  • industrial espionage on corporate information
  • loss of individual privacy (email, mobile phone/computer, fax, ...)
  • information vandalism
  • computer viruses
  • (more can be found in “comp.risks”)
What we mean by Security?
  • Protection of assets - can take several forms:
    • Prevention
    • Detection
    • Reaction
Reactions
  • active research in security & privacy (numerous conferences each year)
  • new laws
  • education
  • collaborations between governments, industries & academia
  • employment of computer security specialists
What that means for computer assets?
  • What are the assets (for system security)?
Information Security
  • Shift from physical security to the protection of data (on systems) and to thwarting hackers (by means of automated software tools) – called System and information security
Network Security
  • The widespread use of distributed systems, networks and communications requires protection of data during transmission – called network security
Internetwork security
  • The term Network Security may be misleading, because virtually all business, government and academic organisations interconnect their data processing equipment with a collection of interconnected networks – we should probably call it (inter)network security
Aspects of System (and information) security
  • Security attack – any action that compromises the security of system and information.
  • Security mechanism – to detect, prevent, or recover from a security attack.
  • Security service – a service that enhances security and counters security attacks.
Other terminology
  • vulnerability
    • a weakness in a computer system that might be exploited to cause loss or harm
  • attack
    • an action that exploits a vulnerability
  • threat
    • circumstances that have the potential to cause loss or harm
  • control - a protective measure
Security mechanisms
  • No single mechanism can provide all the services mentioned in the previous slide. However, one element that underlies most (if not all) security mechanisms is cryptographic techniques.
  • Encryption or encryption-like transformations of information are the most common means of providing security.
Why Security?
  • Security is not as simple as it might first appear.
  • In developing a particular security measure one has to consider potential counter measures.
  • Because of the counter measures, the problem itself becomes complex.
  • Once you have designed the security measure, it is necessary to decide where to use it.
  • Security mechanisms usually involve more than a particular algorithm or protocol.
Security and Cost Analysis

[Figure: cost plotted against security level, with a 100% mark]

Security Attacks - Taxonomy
  • Interruption – attack on availability
  • Interception – attack on confidentiality
  • Modification – attack on integrity
  • Fabrication – attack on authenticity

Property that is compromised

Interruption
  • Also known as denial of service.
  • Information resources (hardware, software and data) are deliberately made unavailable, lost or unusable, usually through malicious destruction.
  • e.g: cutting a communication line, disabling a file management system, etc.
Interception
  • Also known as unauthorised access.
  • Difficult to trace as no traces of intrusion might be left.
  • e.g: illegal eavesdropping or wiretapping or sniffing, illegal copying.
Modification
  • Also known as tampering with a resource.
  • Resources can be data, programs, hardware devices, etc.
Fabrication
  • Also known as counterfeiting (of objects such as data, programs, devices, etc).
  • Allows authenticity checks to be bypassed.
  • e.g: insertion of spurious messages in a network, adding a record to a file, counterfeit bank notes, fake cheques,…
  • impersonation/masquerading
    • to gain access to data, services etc.
Security Attacks - Taxonomy

[Figure: information flow from Information Source to Information Destination, in five panels: Normal, Interruption, Interception, Modification, Fabrication]

Source and Destination - can be what is supposed to be and what you get

Attacks – Passive types
  • Passive (interception) – eavesdropping on, monitoring of, transmissions.
  • The goal is to obtain information that is being transmitted.
  • Types here are: release of message contents and traffic analysis.
Attacks – Active types
  • Involve modification of the data stream or creation of a false stream and can be subdivided into – masquerade, replay, modification of messages and denial of service.
Attacks
  • Passive
    • Interception (confidentiality)
      • Release of message contents
      • Traffic analysis
  • Active
    • Interruption (availability)
    • Modification (integrity)
    • Fabrication (integrity)
Security threats (to maintain) are
  • Confidentiality
  • Integrity
  • Availability
    • to give us secure data (and information)
  • Authenticity
Confidentiality
  • Only accessible by authorised parties
  • Not revealed
  • More than just not reading
  • Confidentiality is distinct from secrecy and privacy (?)
Integrity
  • Associated with loss and corruption
  • Data Integrity as
    • Computerised data same as external, source data
    • Data not exposed to alteration or destruction
  • No inappropriate modification
Availability
  • The property of being accessible and useable (without delay) upon demand by an authorised entity
  • We want there to be no denial of service
Other issues
  • Accountability
  • Reliability
  • Safety
  • Dependability
Security is defined as
  • Computer security deals with the prevention and detection of unauthorised actions by users of a computer system
  • Security deals with the ready availability of valuable assets by authorised agents, and the denial of that access to all others
The security dilemma
  • Security deals with the ready availability of valuable assets by authorised agents, and the denial of that access to all others.
  • Security-unaware users have specific security requirements but (usually) no security expertise. But
The security dilemma
  • The costs of additional resources to implement security mechanisms can be quantified.
  • Security mechanisms interfere with users, and can lead to loss of productivity.
  • Managing security also costs.
  • Need to perform risk analysis (which will be the next topic)
Principles of Security
  • Principle of easiest penetration
    • an intruder will use any means of penetration
  • Principles of timeliness
    • items only need to be protected until they lose their value
  • Principles of effectiveness
    • controls must work, and they should be efficient, easy to use, and appropriate.
Layers of technology (and Onion Model)
  • In which layer should security mechanisms be placed?
  • Should controls be placed in more than one layer?
  • See slide 46 too.

[Figure: onion model of the layers Applications, Services, Operating System, Kernel, Hardware]

Layers
  • The presence of layers is a feature of technology
  • Separate layers often perform very different functions
  • Similar functions are combined in one layer
  • The boundary between two layers is usually easily defined
  • Layers can often be independently implemented
Vulnerabilities
  • The three broad computing system resources are
    • hardware
      • interruption (denial of service), interception (theft)
    • software
      • interruption (deletion), interception, modification
    • data
      • interruption (loss), interception, modification and fabrication
One method of defence
  • By controls
    • What should be the focus of the controls?
      • For example: should protection mechanisms focus on data or operations on that data or on the users who use the data?
    • Since there are layers of technology, where should controls apply?
      • Applications, services, operating systems, kernel, hardware.
Controls
  • Can be applied at the hardware, software, physical or policy level.
  • Simple mechanisms or lots of features?
  • Should defining and enforcing security mechanism be a centralised function?
  • How to prevent access to the layer below the security mechanism?
Examples of Controls
  • Modern cryptology
    • Encryption, authentication code, digital signature, etc.
  • Software controls
    • Standard development tools (design, code, test, maintain, etc.)
    • Operating systems controls
    • Internal program controls (e.g: access controls to data in a database)
    • Firewalls
Examples of Controls
  • Hardware controls
    • Security devices, smart cards, …
  • Physical controls
    • Lock, guards, backup of data and software, thick walls, ….
  • Security policies and procedures
  • User education
  • Law
Effectiveness of Controls
  • Merely having controls does no good unless they are used properly. The factors that affect their effectiveness are:
    • Awareness of protection
    • Likelihood of use
    • Overlapping controls
    • Periodic review
Model for network security

[Figure: model for network security, showing a trusted third party, two principals each with a message and secret information, the information channel between them, a gate keeper, and an opponent (security threats and possible attacks). Borrowed from Stallings.]
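
An added example (not part of the original slides): a receiver-side gate keeper, as in the model for network security above, that uses a shared-secret authentication code and sequence numbers to reject modified, fabricated and replayed messages and to notice interruption as a gap. The names `seal` and `GateKeeper`, the frame layout and the key value are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

SECRET = b"constructed-shared-secret"  # the "secret info" both principals hold (constructed)
TAG_LEN = 32                           # HMAC-SHA256 output size

def seal(seq: int, payload: bytes, key: bytes = SECRET) -> bytes:
    """Sender side: 8-byte sequence number + payload + authentication code."""
    body = struct.pack(">Q", seq) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()

class GateKeeper:
    """Receiver side: classify each arriving frame before accepting it."""

    def __init__(self, key: bytes = SECRET):
        self.key = key
        self.expected = 0  # next sequence number we expect to see

    def admit(self, frame: bytes) -> str:
        if len(frame) < 8 + TAG_LEN:
            return "reject: malformed"
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        good = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, good):
            # Without the key nobody can produce a valid tag, so this one
            # check covers both modification and fabrication.
            return "reject: modified or fabricated"
        seq = struct.unpack(">Q", body[:8])[0]
        if seq < self.expected:
            return "reject: replay"
        gap = seq - self.expected
        self.expected = seq + 1
        if gap:
            return f"accept: {gap} message(s) missing (interruption)"
        return "accept"

def demo() -> list[str]:
    gk = GateKeeper()
    m0, m1, m2 = (seal(i, p) for i, p in enumerate([b"pay 10", b"pay 20", b"pay 30"]))
    tampered = m1[:8] + b"pay 99" + m1[14:]     # payload altered in transit
    forged = seal(1, b"pay 500", key=b"guess")  # built without the shared secret
    # m1 never arrives intact and m0 is delivered a second time.
    return [gk.admit(f) for f in (m0, tampered, forged, m0, m2)]

if __name__ == "__main__":
    print("\n".join(demo()))
```

Interception is the one class this check cannot see: the payload travels in the clear and an eavesdropper leaves no trace, so confidentiality needs encryption in addition to the authentication code.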

Two questions to ponder
  • Having backup copies of the data – is it a solution to security?
  • The internetwork security model (the previous slide) has the gate keeper at the receiver (or destination) end – why not at the sender (source)?