1 / 35

CSCE 201 Introduction to Information Security Fall 2015

This course provides an understanding of basic concepts and practices of information security, tools and techniques used by attackers and defense, and the ability to apply security updates and follow security policies.

ntyson
Télécharger la présentation

CSCE 201 Introduction to Information Security Fall 2015

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. CSCE 201Introduction to Information Security Fall 2015

  2. CSCE 201 Introduction to Computer Security Instructor: Csilla Farkas Office: Swearingen 3A43 Office Hours:Monday, Wednesday 1:15 – 2:45 pm or electronically any time or by appointment Telephone: 576-5762 E-mail: farkas@cec.sc.edu Homepage: http://www.cse.sc.edu/~farkas/csce201-2015/csce201.htm

  3. Course Objectives Understand basic concepts and practices of information security Understand tools and techniques used by attackers to penetrate computer systems Understand tools and techniques used by defense to protect computer systems Be able to check for security updates, apply and use patches and other defense mechanisms Be able to understand and follow security and privacy policies Understand the ethical implications of using attack tools on computer systems

  4. Text C. Easttom, Computer Security Fundamentals, PearsonPrentice Hall, ISBN-10: 0789748908 Lecture handouts

  5. Grading Test 1: 15%, Test 2: 15%, Test 3: 35% Homework: 35% Total score that can be achieved: 100 Final grade: 90 < A 87 < B+ <=90 80 < B <= 87 77 < C+ <= 80 65 < C <= 77 60 < D+ <= 65 52 < D <= 60 F<= 52

  6. Tentative Schedule Weeks 1—5: Basic Security Concepts Weeks 6—10: Home Computer Security – Hardening the System Weeks 11—15: Let’s Have Fun – Popular applications, ethics, security and privacy

  7. Security Planning

  8. Other useful sites • Forensic Magazine, http://www.forensicmag.com/ • Homeland Security News Wire, http://www.homelandsecuritynewswire.com/ • Dark Reading, http://www.darkreading.com/ • Microsoft Safety and Security Center, http://www.microsoft.com/security/default.aspx • SANS Institute, http://www.sans.org/ • Carnegie Mellon University's Computer Emergency Response Team , http://www.cert.org/ • Sun Tzu on the Art of War (Lionel Giles, trans.), http://all.net/books/tzu/tzu.html

  9. Security Objectives • Confidentiality: prevent/detect/deter improper disclosure of information • Integrity: prevent/detect/deter improper modification of information • Availability: prevent/detect/deter improper denial of access to services

  10. Military Example • Confidentiality: target coordinates of a missile should not be improperly disclosed • Integrity: target coordinates of missile should be correct • Availability: missile should fire when proper command is issued

  11. Commercial Example • Confidentiality: patient’s medical information should not be improperly disclosed • Integrity: patient’s medical information should be correct • Availability: patient’s medical information can be accessed when needed for treatment

  12. Fourth Objective • Securing computing resources: prevent/detect/deter improper use of computing resources • Hardware • Software • Data • Network

  13. Achieving Security • Policy • What to protect? • Mechanism • How to protect? • Assurance • How good is the protection?

  14. Security Policy Organizational Policy Computerized Information System Policy

  15. Security Mechanism • Prevention • Detection • Tolerance/Recovery

  16. Security by Obscurity • Hide inner working of the system • Bad idea! • Vendor independent open standard • Widespread computer knowledge

  17. Security by Legislation • Instruct users how to behave • Not good enough! • Important • Only enhance security • Targets only some of the security problems

  18. Security Tradeoffs Security Functionality COST Ease of Use

  19. Threat, Vulnerability, Risk • Threat: potential occurrence that can have an undesired effect on the system • Vulnerability: characteristics of the system that makes is possible for a threat to potentially occur • Attack: action of malicious intruder that exploits vulnerabilities of the system to cause a threat to occur • Risk: measure of the possibility of security breaches and severity of the damage

  20. Types of Threats • Errors of users • Natural/man-made/machine disasters • Dishonest insider • Disgruntled insider • Outsiders

  21. Types of Attack • Interruption – an asset is destroyed, unavailable or unusable (availability) • Interception – unauthorized party gains access to an asset (confidentiality) • Modification – unauthorized party tampers with asset (integrity) • Fabrication – unauthorized party inserts counterfeit object into the system (authenticity) • Denial – person denies taking an action (authenticity)

  22. Computer Crime • Any crime that involves computers or aided by the use of computers • U.S. Federal Bureau of Investigation: reports uniform crime statistics

  23. Computer Criminals • Amateurs: regular users, who exploit the vulnerabilities of the computer system • Motivation: easy access to vulnerable resources • Crackers: attempt to access computing facilities for which they do not have the authorization • Motivation: enjoy challenge, curiosity • Career criminals: professionals who understand the computer system and its vulnerabilities • Motivation: personal gain (e.g., financial)

  24. Methods of Defense • Prevent: block attack • Deter: make the attack harder • Deflect: make other targets more attractive • Detect: identify misuse • Tolerate: function under attack • Recover: restore to correct state • Documentation and reporting

  25. Information Security Planning • Organization Analysis • Risk management • Mitigation approaches and their costs • Security policy and procedures • Implementation and testing • Security training and awareness

  26. Risk Management 26

  27. Threats RISK Vulnerabilities Consequences Risk Assessment 27

  28. System Security Engineering (Traditional View) Specify System Architecture Identify and Install Safeguards Identify Threats, Vulnerabilities, Attacks Prioritize Vulnerabilities Estimate Risk Risk is acceptably low 28

  29. Human Actions • Domains: • Play: hackers vs. owners • Crime: perpetrators vs. victims • Individual rights: individuals vs. individuals/organizations/government • National security: national level activities

  30. Play • Playing pranks • Actors: hackers/crackers/phreakers • Motivation: challenge, knowledge, thrill • Culture: social/educational • “global networks” • publications • forums • Law

  31. Crime • Intellectual Property Crimes • IT targets: research and development, manufacturing and marketing plan, customer list, etc. • Attacker: insiders, formal insiders • 1996: Economic Espionage Act (U.S. Congress) • Fraud • Telemarketing scam, identity theft, bank fraud, telecommunication fraud, computer fraud and abuse • Fighting crime

  32. Individual Rights • Privacy • Secondary use of information • Free speech • Harmful/disturbing speech • Theft and distribution of intellectual property • Censorship

  33. National Security • Foreign Intelligence • Peace time: protecting national interests • Open channels, human spies, electronic surveillance, electronic hacking (?) • War time: support military operations • U.S. Intelligence Priorities: • Intelligence supporting military needs during operation • Intelligence about hostile countries • Intelligence about specific transnational threats • Central Intelligence Agency (CIA) • Primary targets in U.S.A.: high technology and defense-related industry

  34. Terrorism • Traditional: • Intelligence collection • Psyops and perception management • New forms: • Exploitation of computer technologies • Internet propaganda • Cyber attacks (electronic mail flooding, DOS, etc.) • Protection of national infrastructure

  35. Next Week

More Related