
CSE331: Introduction to Networks and Security



  1. CSE331: Introduction to Networks and Security, Lecture 15, Fall 2002

  2. Announcements
     • Midterm graded
       • Average: 65
       • Solutions available on the web
       • Pick up after class or during office hours
     • Today: introduction to computer security
     CSE331 Fall 2002

  3. Real World Security
     • Value: what is being protected?
       • Things that have worth
     • Locks, walls, safes, fences, …
       • Scaled for what they’re protecting
       • Scaled for what they’re protecting against (threats)
       • Minimal interference (or else they aren’t used)
     • Police & courts
       • Follow up after an attack/violation
       • Perhaps most important!

  4. Real World: Risk Management
     • People pay for security based on perceived needs
     • Trade off security vs.
       • Convenience / ease of use
       • Functionality
       • Efficiency
       • Cost
     • Security is holistic:
       • Attacks go for the weakest link

  5. Security Terminology
     • Vulnerability
       • Weakness that can be exploited in a system
     • Attack
       • Method for exploiting a vulnerability
     • Threat
       • A motivated, capable adversary that would mount attacks

  6. Example Vulnerabilities
     • Poorly chosen passwords
     • Software bugs
       • Unchecked array access (buffer overflow attacks)
     • Automatically running active content: macros, scripts, Java programs
     • Open ports: telnet, mail
     • Incorrect configuration
       • File permissions
       • Administrative privileges
     • Untrained users/system administrators
     • Trap doors (intentional security holes)
     • Unencrypted communication
     • Limited resources (e.g. the TCP connection table)

  7. Example Attacks
     • Password crackers
     • Viruses:
       • ILoveYou (VBScript virus), Melissa (Word macro virus)
     • Worms:
       • Code Red: port 80 (HTTP), buffer overflow in the Indexing Service ISAPI extension of Microsoft IIS (Internet Information Services)
     • Trojan horses:
       • Root kits, Back Orifice
     • Vulnerability scanners (used to find targets): SATAN
     • Social engineering:
       • “Hi, this is Joe from systems, can you tell me your password?”
     • Packet sniffers: Ethereal (renamed Wireshark in 2006)
     • Denial of service: TCP SYN packet floods
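The two slides above pair a vulnerability (poorly chosen passwords) with the attack that exploits it (a password cracker). The following is an added example, not code from the lecture: a dictionary cracker with a few mangling rules, run against a constructed, salted password store. The usernames, salts, passwords and wordlist are all made up for the example, and the PBKDF2 iteration count is deliberately tiny so that it runs in a fraction of a second.

```python
import hashlib
import hmac
from typing import Dict, Iterator, Optional, Tuple

# Kept small so the example runs quickly; a real password store uses a far
# larger count precisely to make this kind of attack expensive.
ITERATIONS = 1000


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, iterated hash, the form in which a system stores a password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


# Constructed password store: username -> (salt, hash). Each user has a
# different salt, so one hash computation cannot be reused across accounts.
PASSWORD_STORE: Dict[str, Tuple[bytes, bytes]] = {
    "alice": (b"salt-alice-0001", hash_password("monkey7", b"salt-alice-0001")),
    "bob":   (b"salt-bob-0002",   hash_password("T6#kq!Vw9zRp2LmX", b"salt-bob-0002")),
}

# Constructed wordlist; real crackers ship lists with millions of entries.
WORDLIST = ["password", "letmein", "123456", "qwerty", "secret", "monkey"]


def candidates(word: str) -> Iterator[str]:
    """Simple mangling rules: the plain word, a capitalised form, a trailing
    digit or two, and a trailing '!'. A poorly chosen password is usually a
    wordlist entry plus one of these tweaks."""
    yield word
    yield word.capitalize()
    for n in range(20):
        yield f"{word}{n}"
    yield word + "!"


def crack(salt: bytes, stored_hash: bytes, wordlist=WORDLIST) -> Optional[str]:
    """Return the first guess whose hash matches, or None if the wordlist
    plus mangling rules do not reach the password."""
    for word in wordlist:
        for guess in candidates(word):
            if hmac.compare_digest(hash_password(guess, salt), stored_hash):
                return guess
    return None


def crack_store(store=PASSWORD_STORE) -> Dict[str, Optional[str]]:
    """Attack every account; the value is the recovered password or None."""
    return {user: crack(salt, digest) for user, (salt, digest) in store.items()}


if __name__ == "__main__":
    for user, recovered in crack_store().items():
        print(f"{user}: {recovered or 'not recovered by this wordlist'}")
```

alice's "monkey7" falls to the wordlist plus a one-digit suffix; bob's random 16-character password is never generated, so the cracker gives up after exhausting the list. The vulnerability is the password choice, not the hashing: the same store format protects bob and fails alice.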

  8. Range of Threats
     • Concerted attack by a foreign government
       • Money & resources
       • Strong motivation
       • …
     • Teenage hacker
       • No money
       • Motivation: unclear
     • Note: the range above doesn’t necessarily represent a range of sophistication!

  9. CERT Vulnerabilities

  10. CERT Incidents
     • Check out www.cert.org

  11. Questions for Computer Security
     • What are we protecting?
       • What has value?
       • What are its characteristics?
     • What tools do we have to use?
       • Hardware
       • Software
       • Knowledge
     • How do we effectively use those tools?
       • What principles apply?
     • How do we know what we want to achieve?
     • How do we know what we’ve done?

  12. Quality 1: Confidentiality
     • Keep data or actions secret.
     • Related to: privacy, anonymity, secrecy
     • Examples:
       • Pepsi secret formula
       • Medical information
       • Personal records (e.g. credit card information)
       • Military secrets

  13. Quality 2: Integrity
     • Protect the reliability of data against unauthorized tampering
     • Related to: corruption, forgery, consistency
     • Examples:
       • Bank statement agrees with ATM transactions
       • The mail you send is what arrives

  14. Quality 3: Availability
     • Resources must be there to use
     • Related to: reliability, fault tolerance, denial of service
     • Examples:
       • You want the web server to reply to your requests
       • The military communication devices must work

  15. What tools are there?
     • Authorization mechanisms
       • Access control: specifies who is allowed to do what
     • Authentication mechanisms
       • A principal is an entity that has a stake in the security of a system
       • Authentication identifies principals
       • Examples: user identifiers & passwords, secret keys
     • Audit mechanisms
       • Monitoring, or logging, security-relevant activities
       • Permits follow-up after a security breach
     • Authorization, Authentication, Audit: Au = aurum = gold, the “gold standard”
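To show how the three Au mechanisms fit together, here is an added example (not from the lecture) in which every request passes through authentication, then authorization, with both decisions written to an audit log that can be queried afterwards. The principals, their passwords, the salts and the access-control matrix are all constructed for the example; the `_DUMMY` entry and the small PBKDF2 iteration count are my choices, the first so that an unknown username costs the same as a wrong password and leaks nothing, the second so the example runs quickly.

```python
import hashlib
import hmac
from datetime import datetime, timezone
from typing import Dict, List, Set, Tuple

ITERATIONS = 1000  # small so the example runs quickly; real systems use far more


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


# Constructed principal database: username -> (salt, password hash).
# This is the authentication mechanism's data (the "password file").
PRINCIPALS: Dict[str, Tuple[bytes, bytes]] = {
    "prof":    (b"salt-prof", hash_password("chalk-dust-9", b"salt-prof")),
    "ta":      (b"salt-ta",   hash_password("grading-rubric-4", b"salt-ta")),
    "student": (b"salt-stu",  hash_password("office-hours-2", b"salt-stu")),
}

# Used when the username is unknown, so a login attempt takes the same time
# whether or not the account exists (no username enumeration by timing).
_DUMMY = (b"salt-dummy", hash_password("unused", b"salt-dummy"))

# Constructed access-control matrix: object -> principal -> permitted operations.
# This is the authorization mechanism: who is allowed to do what.
ACL: Dict[str, Dict[str, Set[str]]] = {
    "grades.csv":   {"prof": {"read", "write"}, "ta": {"read"}},
    "syllabus.txt": {"prof": {"read", "write"}, "ta": {"read"}, "student": {"read"}},
}


def authenticate(username: str, password: str) -> bool:
    """Identify the principal: does the password match the stored hash?"""
    salt, digest = PRINCIPALS.get(username, _DUMMY)
    ok = hmac.compare_digest(hash_password(password, salt), digest)
    return ok and username in PRINCIPALS


def authorize(principal: str, op: str, obj: str) -> bool:
    """Default deny: an operation is allowed only if the matrix lists it."""
    return op in ACL.get(obj, {}).get(principal, set())


class AuditLog:
    """Append-only record of security-relevant decisions."""

    def __init__(self) -> None:
        self.records: List[Dict[str, object]] = []

    def record(self, event: str, principal: str, outcome: bool, **detail: object) -> None:
        entry: Dict[str, object] = {
            "time": datetime.now(timezone.utc).isoformat(),
            "event": event,
            "principal": principal,
            "outcome": "allow" if outcome else "deny",
        }
        entry.update(detail)
        self.records.append(entry)

    def failed_logins(self) -> Dict[str, int]:
        """Follow-up after the fact: which usernames failed to log in, and how often?"""
        counts: Dict[str, int] = {}
        for r in self.records:
            if r["event"] == "login" and r["outcome"] == "deny":
                name = str(r["principal"])
                counts[name] = counts.get(name, 0) + 1
        return counts


def access(username: str, password: str, op: str, obj: str, audit: AuditLog) -> bool:
    """Full path for one request: authenticate, then authorize, logging both."""
    if not authenticate(username, password):
        audit.record("login", username, False)
        return False
    audit.record("login", username, True)
    allowed = authorize(username, op, obj)
    audit.record("access", username, allowed, op=op, obj=obj)
    return allowed


if __name__ == "__main__":
    log = AuditLog()
    access("ta", "grading-rubric-4", "write", "grades.csv", log)
    access("mallory", "guess", "read", "syllabus.txt", log)
    for r in log.records:
        print(r)
    print("failed logins:", log.failed_logins())
```

Note the separation: the TA authenticates successfully but is still denied the write, and the two decisions appear as distinct audit records, which is what lets a later investigation tell a stolen password apart from an over-broad permission.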

  16. Example tools
     • Cryptography
       • Protects confidentiality & integrity
       • Can be used for authentication
     • Firewalls, access control monitors
       • Authorization mechanisms
     • OS kernels
       • Resource allocation/monitoring
     • Replication
       • Provides fault tolerance
     • Java bytecode verifier
       • Protects against faulty/malicious code
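Slide 13 gives "the mail you send is what arrives" as the integrity example, and this slide lists cryptography as the tool that provides it. The following added example (not part of the lecture) shows the mechanism: a message authentication code under a shared key detects tampering, whereas a keyless checksum does not, because the attacker can simply recompute it. The message, the shared key and the tampering rule are all constructed for the example.

```python
import hashlib
import hmac
from typing import Tuple

# Constructed shared secret; in practice it comes from a key exchange or is
# provisioned out of band. Never hard-code a real key like this.
SHARED_KEY = b"constructed-demo-key-do-not-reuse"


def tag(key: bytes, message: bytes) -> bytes:
    """Sender side: HMAC-SHA256 over the message under the shared key."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify(key: bytes, message: bytes, received_tag: bytes) -> bool:
    """Receiver side: recompute the tag and compare in constant time."""
    return hmac.compare_digest(tag(key, message), received_tag)


def tamper(message: bytes) -> bytes:
    """An attacker in the middle changes the amount (constructed rule)."""
    return message.replace(b"amount=100", b"amount=900")


# The keyless alternative, shown only to demonstrate why it fails.
def checksum(message: bytes) -> bytes:
    return hashlib.sha256(message).digest()


def checksum_verify(message: bytes, digest: bytes) -> bool:
    return checksum(message) == digest


def attacker_rewrites_checksummed_message(message: bytes) -> Tuple[bytes, bytes]:
    """Without a key there is nothing the attacker lacks: alter the message
    and recompute the checksum, and the receiver sees a perfect match."""
    altered = tamper(message)
    return altered, checksum(altered)


def demo() -> Tuple[bool, bool, bool]:
    """Returns (genuine accepted, tampered accepted, forged-tag accepted)."""
    msg = b"from=alice;to=bob;amount=100"
    t = tag(SHARED_KEY, msg)
    genuine_ok = verify(SHARED_KEY, msg, t)
    # The attacker alters the message but cannot update the tag without the key.
    tampered_ok = verify(SHARED_KEY, tamper(msg), t)
    # Nor can the attacker compute a valid tag under a guessed key.
    forged_ok = verify(SHARED_KEY, tamper(msg), tag(b"attacker-guess", tamper(msg)))
    return genuine_ok, tampered_ok, forged_ok


if __name__ == "__main__":
    print("MAC:      genuine, tampered, forged =", demo())
    altered, d = attacker_rewrites_checksummed_message(b"from=alice;to=bob;amount=100")
    print("checksum: tampered message accepted =", checksum_verify(altered, d))
```

The point is the key: integrity protection needs something the attacker does not have. A MAC also gives the receiver authentication of the sender (anyone holding the key), which is the "can be used for authentication" bullet above, but it gives no confidentiality; the message travels in the clear.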

  17. Security Policy
     • Set of security requirements for a system
     • Takes into account trade-offs of value vs. functionality
     • Changes over time
     • Depends on context
     • Varying degrees of formality
       • Informal: don’t reveal my credit card information.
       • Formal: the government’s “Orange Book”
         • National Computer Security Center (1988)
         • Trusted Computer System Evaluation Criteria (TCSEC)
         • Classes D through A1 (D is minimal protection; A1, verified design, is the highest)
