1 / 34

Computer Security

CSCI 370 Fall 2013 Dr. Ram Basnet. Computer Security. Outline. Class Overview Information Assurance Overview Components of information security Threats, Vulnerabilities, Attacks, and Controls Policy. More Administrivia. Grades

armine
Télécharger la présentation

Computer Security

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. CSCI 370 Fall 2013 Dr. Ram Basnet Computer Security

  2. Outline • Class Overview • Information Assurance Overview • Components of information security • Threats, Vulnerabilities, Attacks, and Controls • Policy

  3. More Administrivia • Grades • 3midterms, highest 2 scores each worth 30%, lowest score will be discarded. • Final worth 30% • Quizzes 10% • Extra credit project worth 10%

  4. A Few Words on Class Integrity • Review department and university cheating and honor codes: • http://www.coloradomesa.edu/studentservices/conduct.html • Expectations for exams and projects • Closed books; mostly multiple choices • Team Projects • Most quizzes will be unannounced

  5. Class Readings • Text: Computer Security Fundamentals, William (Chuck) Easttom, II • Additional readings provided via public links • Books on reserve at the library

  6. Class Format • Meet twice a week • 70% lecture; 30% hands-on laboratory works • Posted slides not sufficient to master material alone

  7. Other Sources for Security News • Darknet– The Darkside: Don’t Learn to HACK – Hack to LEARN: http://www.darknet.org.uk/ • Help Net Security http://www.net-security.org/ • Naked Security – News, Opinion, Advice and Research form SOPHOS http://nakedsecurity.sophos.com/ • Packet Storm – all things security - http://packetstormsecurity.com/ • Bruce Schneier's blog http://www.schneier.com/blog/

  8. Security in the News • HTTPS flaws • German security researchers present BREACH attack against HTTPS in BlackHat 2013 Conference http://nakedsecurity.sophos.com/2013/08/06/anatomy-of-a-cryptographic-oracle-understanding-and-mitigating-the-breach-attack/ • CyberWar • Iran –stuxnethttp://www.voanews.com/content/stuxnet-an-effective-cyberwar-weapon/1691311.html • Extortion • Threaten DDoS attack unless company pays up • Privacy/Identity theft • 4 Russians & 1 Ukrainian charged with hacking 160M credit card numbers • Worms • Conficker, twitter, and facebook worms • Slammer worm crashed nuclear power plant network • Hactivism – Anonymous & other politically motivated hackers

  9. Objective • Provide a broad introduction to the major topics in computer and communication security • Provide students with a basic understanding of the problems of information security and the solutions that exist to secure information on computers and networks

  10. Aspects of Information Assurance Fraud Examination Security Engineering Systems Engineering Information Security Forensic Science Disaster Recovery Business Continuity Compliance Governance Privacy Computer Science Criminology Management Science

  11. Information Security Basics: CIA Triad • Confidentiality • Measures taken to prevent disclosure of information or data to unauthorized systems or individuals • Why? How? • Integrity • Measures taken to protect the information or data from unauthorized alternation or revision • Availability • Measures taken to ensure data and resources are readily available for access to legitimate users

  12. The Security, Functionality and Ease of Use Triangle • A problem that has faced security professionals for an eternity – the more secure something is, the less usable and functional it becomes. Security Functionality Ease of Use

  13. The Security Paradigm • Principle 1: The Hacker Who Breaks into Your System Will Probably Be Someone You Know • Principle 2: Trust No One, or Be Careful About Whom You Are Required to Trust • Principle 3: Make Would-Be Intruders Believe They Will Be Caught • Principle 4: Protect in Layers • Principle 5: While Planning Your Security Strategy, Presume the Complete Failure of Any Single Security Layer

  14. The Security Paradigm… • Principle 6: Make Security a Part of the Initial Design • Principle 7: Disable Unneeded Services, Packages and Features • Principle 8: Before Connecting, Understand and Secure • Principle 9: Prepare for the Worst

  15. Information Assurance Process

  16. Identifying Terms • Vulnerability – Weakness in the system that could be exploited to cause loss or harm • Threat – Set of circumstances that has the potential to cause loss or harm • Attack – When an entity exploits a vulnerability on system • Control – A means to prevent a vulnerability from being exploited

  17. Classes of Threats • Disclosure – Unauthorized access to information • Deception – Acceptance of false data • Disruption – Interruption or prevention of correct operation • Usurpation – Unauthorized control of some part of a system

  18. Some common threats • Snooping • Unauthorized interception of information • Modification or alteration • Unauthorized change of information • Masquerading or spoofing • An impersonation of one entity by another • Repudiation of origin • A false denial that an entity sent or created something. • Denial of receipt • A false denial that an entity received some information.

  19. More Common Threats • Delay • A temporary inhibition of service • Denial of Service • A long-term inhibition of service

  20. More definitions • Policy • A statement of what is and what is not allowed • Divides the world into secure and non-secure states • A secure system starts in a secure state. All transitions keep it in a secure state. • Mechanism • A method, tool, or procedure for enforcing a security policy

  21. Is this situation secure? • Web server accepts all connections • No authentication required • Self-registration • Connected to the Internet

  22. Policy Example • University computer lab has a policy that prohibits any student from copying another student's homework files • The computers have file access controls to prevent other's access to your files • Bob does not read protect his files • Alice copies his files • Who cheated? Alice, Bob, both, neither?

  23. More Example • What if Bob posted his homework on his dorm room door? • What if Bob did read protect his files, but Alice found a hack on the mechanism?

  24. Trust and Assumptions • Locks prevent unwanted physical access. • What are the assumptions this statement builds on?

  25. Policy Assumptions • Policy correctly divides world into secure and insecure states • Mechanisms prevent transition from secure to insecure states

  26. Another Policy Example • Bank officers may move money between accounts. • Any flawed assumptions here?

  27. Assurance • Evidence of how much to trust a system • Evidence can include • System specifications • Design • Implementation • Mappings between the levels

  28. Aspirin Assurance Example • Why do you trust aspirin from a major manufacturer? • FDA certifies the aspirin recipe • Factory follows manufacturing standards • Safety seals on bottles • Analogy to software assurance • Software assurance ensures integrity, security, and reliability in software

  29. Key Points • Must look at the big picture when securing a system • Main components of information security • Confidentiality • Integrity • Availability • Differentiating Threats, Vulnerabilities, Attacks and Controls • Policy vs. Mechanism

  30. References • http://users.crhc.illinois.edu/nicol/ece422/ • http://www.snia.org/sites/default/education/tutorials/2009/spring/security/EricHibbard-Introduction-Information-Assurance.pdf

More Related