
SCSC 455 Computer Security

SCSC 455 Computer Security. Chapter 1 Introduction Dr. Frank Li. Index. Definition of Computer Security OSI Security Architecture Security Attacks Security Services Security Mechanisms Model Standards Additional Concepts: Risk, People, Security certifications.





Presentation Transcript


  1. SCSC 455 Computer Security Chapter 1 Introduction Dr. Frank Li

  2. Index • Definition of Computer Security • OSI Security Architecture • Security Attacks • Security Services • Security Mechanisms • Model • Standards • Additional Concepts: Risk, People, Security certifications

  3. Definition of Computer Security • Definition of Computer security page 4 • There are many unauthorized computer access events and attacks on computer networks. Do you know … • Carlos Felipe Salgado used sniffing technique to collect over 100,000 credit card numbers from online merchants. • He was arrested in June 1997 as he tried to sell them to undercover FBI agents. • On Nov. 3, 1988, system administrators all over the U.S. found that their systems were running abnormally slowly.

  4. Overview Computer Security Do you know … (cont.) • In early 2000, a series of attacks attempted to shut down many web sites (Yahoo, eBay, Microsoft Network, etc.) by overwhelming them with bogus requests. Q: What are the causes of so many attacks on networks and computer systems?

  5. Evolution of computing and security • Mainframe era • The only computers were a few mainframes, which were used for specialized tasks. • Users accessed the mainframes through “dumb” terminals • Little threat of security breaches or vulnerabilities being exploited at that time. Why?

  6. Mainframe era Because … • Only a handful of people, who knew how to operate the computer, worked in a closed environment. • Although some mainframes were networked, it was done in a crude fashion for specific tasks. • Although the OS of that time had problems, software bugs, and vulnerabilities, not many people were interested in taking advantage of them.

  7. PC and networking era • PC and networking era (1980 -- ) • Personal computers (PCs) became more efficient and cheaper • The functionality of the system grew, and various applications were developed • Millions of individuals have access to computers • Millions of computers are networked, and the client / server computing model was born • Many security issues emerged • Data got corrupted accidentally due to individual mistakes • unexpected inputs from users • malicious attempts from crackers

  8. Pros and cons of Networking • A large number of computers are networked nowadays. • This broad access represents the power of networked computers, but also represents opportunities for malicious intent. • The more broadly a computer is networked, the more potential for access to that computer • A great deal of valuable information (personal, financial …) is stored on computers. • Two terms are commonly used for persons who break into computer systems: hacker vs. cracker. • The motivations: for fun or for profit

  9. Other causes of computer attacks • Cyber-terrorism: the use of computing resources to intimidate or coerce others. • E.g. Hacking into a hospital computer system and changing someone's medicine prescription to a lethal dosage as an act of revenge. • Information warfare is the offensive and defensive use of information and information systems to deny, exploit, corrupt, or destroy an adversary's information, information-based processes, information systems, and computer-based networks while protecting one's own. Such actions are designed to achieve advantages over military, political or business adversaries. -- Dr. Ivan Goldberg • Computer Crime: unauthorized access to a computer system. • Gathering accurate statistics of the damages caused by computer crime is difficult. Why?

  10. How are nations affected? We are increasingly dependent on computer / network technology for communication, funds transfers, utility management, government services, military action, and maintaining confidential information. • E.g. 1, A majority of the military vehicles, weapons systems, and communication systems are controlled by computer systems. • E.g. 2, Critical infrastructures and industries, such as the power grid and communication channels, are controlled by computer systems. Most governments have recognized this vulnerability and have started taking steps to defend against these types of attacks.

  11. How are companies affected? Many companies are finding out how security affects their bottom line in ways they never expected. • If a company suffers a security breach, it will have to deal with a wide range of issues, such as being sued by its customers. • Organizations have had trade secrets and intellectual property stolen by employees who left to work for a competitor. • A company can also lose money and time through its lack of readiness to react to a situation. • To get a good insurance rate, companies must prove that they have a solid security program and that they are doing all that they can to protect their own investments.

  12. Three Key Objectives • Confidentiality • Data Confidentiality • Privacy • Integrity • Data Integrity • System Integrity • Availability

  13. Two additional Key Objectives • Authenticity • Accountability

  14. OSI Security Architecture • What is the OSI Security Architecture • Definition of threat • Definition of attack • Focus Areas • Security attack • Passive attacks • Active attacks • Security mechanism (Table 1.3) • Security service (Table 1.2) • Five categories: authentication, access control, data confidentiality, data integrity, nonrepudiation

  15. Model for Network Security • Two components • A security-related transformation • Some secret information shared by the two principals • Four Basic Tasks in designing a security service • 1 • 2 • 3 • 4 • Other situations • Unwanted access • The placement that exploits vulnerabilities
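Slides 12, 14 and 15 name the three key objectives (confidentiality, integrity, availability), the split between passive and active attacks, and the two components of the network security model (a security-related transformation plus a secret shared by the two principals). The following block is an added example, not part of the original lecture, that puts those pieces together in Python: the shared secret is turned into separate encryption and authentication keys, the transformation is encrypt-then-MAC, and the receiver rejects anything an opponent altered in transit. The keystream is built from HMAC-SHA256 in counter mode purely so the example runs on the standard library; a real deployment would use an authenticated cipher such as AES-GCM. Function names (`protect`, `unprotect`, `demo`) are the example's own.

```python
"""Added example (not from the lecture): the two-principal network security
model with a shared secret and an encrypt-then-MAC transformation."""
import hashlib
import hmac
import secrets
import struct
from typing import Optional

NONCE_LEN = 16   # per-message random nonce, sent in the clear
TAG_LEN = 32     # HMAC-SHA256 tag length


def _derive(master: bytes, label: bytes) -> bytes:
    """Derive a purpose-specific key from the shared secret (assumed labels)."""
    return hmac.new(master, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 used as a PRF.
    Illustrative construction only; shown so the example needs no third-party cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def protect(master: bytes, plaintext: bytes) -> bytes:
    """Sender side: encrypt for confidentiality, then MAC for integrity/authentication."""
    enc_key = _derive(master, b"enc")
    mac_key = _derive(master, b"mac")
    nonce = secrets.token_bytes(NONCE_LEN)
    ks = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unprotect(master: bytes, message: bytes) -> Optional[bytes]:
    """Receiver side: verify the tag first; return None if the message was modified
    or was not produced with the shared secret (an active attack is detected)."""
    if len(message) < NONCE_LEN + TAG_LEN:
        return None
    enc_key = _derive(master, b"enc")
    mac_key = _derive(master, b"mac")
    nonce = message[:NONCE_LEN]
    tag = message[-TAG_LEN:]
    ciphertext = message[NONCE_LEN:-TAG_LEN]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        return None
    ks = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, ks))


def demo() -> dict:
    """Run the model once against a passive and an active opponent (constructed inputs)."""
    shared_secret = secrets.token_bytes(32)          # the secret both principals hold
    msg = b"transfer 100 to account 42"              # constructed sample message
    wire = protect(shared_secret, msg)

    # Passive attack: the eavesdropper sees the wire bytes but not the plaintext.
    plaintext_visible = msg in wire

    # Active attack: the opponent flips one bit of the ciphertext in transit.
    tampered = bytearray(wire)
    tampered[NONCE_LEN] ^= 0x01

    return {
        "roundtrip_ok": unprotect(shared_secret, wire) == msg,
        "plaintext_visible_on_wire": plaintext_visible,
        "tampered_rejected": unprotect(shared_secret, bytes(tampered)) is None,
        "wrong_key_rejected": unprotect(secrets.token_bytes(32), wire) is None,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The order matters: the tag is checked before any decryption, so a modified message never reaches the application, which is the "detect and recover" task the model assigns to the receiver; the passive eavesdropper, by contrast, is not detected, only denied the content.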

  16. Standards • NIST • FIPS • SP • Internet Society • IETF and IAB • RFC (The next few slides are some additional concepts.)

  17. Outsider vs. Insider • Crackers break into systems in order to: • steal data, e.g. credit cards • corrupt data • maybe unintentionally, but often for malicious reasons • block access to the system • as in a Denial-of-Service (DoS) attack • Crackers are not the only threat to systems; a majority of security incidents result from the actions of users within an organization

  18. The approaches to security • A paradox of computer security: the more secure a system is, the less usable it is. • The best approach to security is to make a system highly secure without undue annoyance to authorized users. • “Security through obscurity” assumes that if no one knows about your system, you are safe. • Is it a good approach? Why?

  19. The approaches to security • “Security through obscurity” must be avoided. Because … • The key to good security is not to hope that no one finds the security weaknesses of your system, but rather to eliminate those weaknesses.

  20. Risk Assessment • Security should begin with a careful analysis of the assets being protected and their value • These assets can include reputation, revenue generation, secret data, or other factors • Definition of risk • Risk Assessment

  21. Computer security is really about people • Besides technology, computer security is really about people • knowing why they act as they do and knowing whom to trust • This is true from the perspective of both the system administrator and the cracker • The system administrator must proceed with caution regarding where they obtain Linux and other software • A back door is a method of accessing a program that is known to its creator but not to other users • Social engineering involves a cracker manipulating a user to extract needed access information • E.g., A cracker will simply obtain a user’s name and call them in order to obtain information. • E.g. A cracker could walk past an employee’s workstation and gather information from posted data

  22. The purpose of security certification Two purposes of Security Certification • helps companies identify individuals who have the ability, knowledge, and experience • To perform risk analysis, • To identify necessary countermeasures, • To implement solid security practices, • To help the organization as a whole protect its facility, network, systems, and information. • also provides security professionals with the credential that represents the skill set they want to offer to employers.

  23. Popular IT security certifications • CompTIA Security+ and Network+ certifications (or equivalent knowledge) are helpful preparation for advanced security certifications. ( www.comptia.org ) • CompTIA has more than 22,000 member companies in over 100 countries around the world; • it also serves the IT industry as the world's largest developer of vendor-neutral IT certification exams. • Advanced security certifications (details next …) • Certified Information Systems Security Professional (CISSP) • SANS Institute offers training and information security certifications through Global Information Assurance Certification (GIAC) • The International Council of Electronic Commerce Consultants (EC-Council) offers Certified Ethical Hacker (CEH)

  24. Compare security certifications • CISSP • More concerned with policies and procedures • Although it is not geared toward the technical IT professional, it has become one of the standards for many security professionals. • GIAC certifications are classified in five subject areas: • Security Administration • Management • Operations • Legal • Audit • CEH certification • People with this certification will most likely be placed on a team called a “red team” that conducts network penetration tests. • Probing vulnerabilities of networks and computer systems.

  25. The CISSP Requirements • CISSP exam requires one of the following professional experience requirements: • At least three years of experience in one (or more) of the ten domains and a college degree • Four years of professional experience in one (or more) of the domains within the Common Body of Knowledge (CBK) • Two years of experience plus a bachelor’s degree or a master’s degree in information security from a National Center of Excellence • Associate of CISSP • For candidates who do not meet professional experience requirements

  26. The Common Body of Knowledge (CBK) • CISSP exam covers the ten domains that make up the CISSP CBK

  27. The Common Body of Knowledge (CBK)

  28. The Common Body of Knowledge (CBK)

  29. The Common Body of Knowledge (CBK)

  30. The Common Body of Knowledge (CBK)

  31. The Common Body of Knowledge (CBK)
