170 likes | 174 Views
CSE331: Introduction to Networks and Security. Lecture 15 Fall 2002. Announcements. Midterm graded Average: 65 Solutions available on the web Pick up after class or during office hours Introduction Computer Security. Today. Real World Security. Value: what is being protected?
E N D
CSE331:Introduction to Networksand Security Lecture 15 Fall 2002
Announcements • Midterm graded • Average: 65 • Solutions available on the web • Pick up after class or during office hours • Introduction Computer Security Today CSE331 Fall 2002
Real World Security • Value: what is being protected? • Things that have worth • Locks, walls, safes, fences, … • Scaled for what they’re protecting • Scaled for what they’re protecting against (threats) • Minimal interference (or else they aren’t used) • Police & Courts • Follow up after an attack/violation • Perhaps most important! CSE331 Fall 2002
Real World: Risk Managment • People pay for security based on perceived needs • Trade off security vs. • Convenience / ease of use • Functionality • Efficiency • Cost • Security is holistic: • Attacks go for the weakest link CSE331 Fall 2002
Security Terminology • Vulnerability • Weakness that can be exploited in a system • Attack • Method for exploiting vulnerability • Threat • A motivated, capable adversary that would mount attacks CSE331 Fall 2002
Example Vulnerabilities • Poorly chosen passwords • Software bugs • unchecked array access (buffer overflow attacks) • Automatically running active content: macros, scripts, Java programs • Open ports: telnet, mail • Incorrect configuration • file permissions • administrative privileges • Untrained users/system administrators • Trap doors (intentional security holes) • Unencrypted communication • Limited Resources (i.e. TCP connections) CSE331 Fall 2002
Example Attacks • Password Crackers • Viruses: • ILoveYou (VBscript virus), Melissa (Word macro virus) • Worms • Code Red: Port 80 (HTTP), Buffer overflow in IIS (Internet/Indexing Service) • Trojan Horses • Root kits, Back Orifice, SATAN • Social Engineering: • “Hi, this is Joe from systems, can you tell me your password?” • Packet sniffers: Ethereal • Denial of service: TCP SYN packet floods CSE331 Fall 2002
Range of Threats • Concerted Attack by a Foreign Government • Money & Resources • Strong Motivation • … • Teenage Hacker • No money • ? Motivation • Note: the range above doesn’t necessarily represent a range of sophistication! CSE331 Fall 2002
CERT Vulnerabilities CSE331 Fall 2002
CERT Incidents Check out www.cert.org CSE331 Fall 2002
Questions for Computer Security • What are we protecting? • What has value? • What are its characteristics? • What tools do we have to use? • Hardware • Software • Knowledge • How do we effectively use those tools? • What principles apply? • How do we know what we want to achieve? • How do we know what we’ve done? CSE331 Fall 2002
Quality 1: Confidentiality • Keep data or actions secret. • Related to: Privacy, Anonymity, Secrecy • Examples: • Pepsi secret formula • Medical information • Personal records (e.g. credit card information) • Military secrets Data CSE331 Fall 2002
Quality 2: Integrity • Protect the reliability of data against unauthorized tampering • Related to: Corruption, Forgery, Consistency • Example: • Bank statement agrees with ATM transactions • The mail you send is what arrives Data CSE331 Fall 2002
Quality 3: Availability • Resources must be there to use • Related to: Reliability, Fault Tolerance, Denial of Service • Example: • You want the web-server to reply to your requests • The military communication devices must work Data CSE331 Fall 2002
What tools are there? • Authorization mechanisms • Access control • Specifies who is allowed to do what. • Authentication mechanisms • A principal is an entity that has a stake in the security of a system • Authentication identifies principals • Examples: User identifiers & Passwords, secret keys • Audit mechansisms • Monitoring, or logging security-relevant activities • Permits follow-up after a security breech • Au = Aurum = “Gold standard” CSE331 Fall 2002
Example tools • Cryptography • Protects confidentiality & Integrity • Can be used for authentication • Firewalls, access control monitors • Authorization mechanisms • OS Kernels • Resource allocation/monitoring • Replication • Provides fault tolerance • Java bytecode verifier • Protects against faulty/malicious code CSE331 Fall 2002
Security Policy • Set of security requirements for a system • Takes into account trade-offs of value vs. functionality • Changes over time • Depends on context • Varying degrees of formality • Informal: Don’t reveal my credit card information. • Formal: Government’s “Orange Book” • National Computer Security Center (1988) • Trusted Computer System Evaluation Criteria (TCSEC) • Classes D –- A1 CSE331 Fall 2002