Computer Security
COMPUTER SECURITY
Slide #1-1
CSCI 370 Fall 2013
Dr. Ram Basnet
OUTLINE
Class Overview
Information Assurance Overview
Components of information security
Threats, Vulnerabilities, Attacks, and Controls
Policy
MORE ADMINISTRIVIA
Grades
  3 midterms, highest 2 scores each worth 30%, lowest score will be discarded.
  Final worth 30%
  Quizzes 10%
  Extra credit project worth 10%
A FEW WORDS ON CLASS INTEGRITY
Review department and university cheating and honor codes:
http://www.coloradomesa.edu/studentservices/conduct.html
Expectations for exams and projects
  Closed books; mostly multiple choices
  Team Projects
Most quizzes will be unannounced
CLASS READINGS
Text: Computer Security Fundamentals, William (Chuck) Easttom, II
Additional readings provided via public links
Books on reserve at the library
CLASS FORMAT
Meet twice a week
70% lecture; 30% hands-on laboratory works
Posted slides not sufficient to master material alone
OTHER SOURCES FOR SECURITY NEWS
Darknet – The Darkside: Don’t Learn to HACK – Hack to LEARN: http://www.darknet.org.uk/
Help Net Security http://www.net-security.org/
Naked Security – News, Opinion, Advice and Research from SOPHOS http://nakedsecurity.sophos.com/
Packet Storm – all things security - http://packetstormsecurity.com/
Bruce Schneier's blog http://www.schneier.com/blog/
SECURITY IN THE NEWS
HTTPS flaws
  German security researchers present BREACH attack against HTTPS at the BlackHat 2013 Conference http://nakedsecurity.sophos.com/2013/08/06/anatomy-of-a-cryptographic-oracle-understanding-and-mitigating-the-breach-attack/
CyberWar
  Iran – Stuxnet
  http://www.voanews.com/content/stuxnet-an-effective-cyberwar-weapon/1691311.html
Extortion
  Threaten DDoS attack unless company pays up
Privacy/Identity theft
  4 Russians & 1 Ukrainian charged with hacking 160M credit card numbers
Worms
  Conficker, Twitter, and Facebook worms
  Slammer worm crashed nuclear power plant network
Hacktivism – Anonymous & other politically motivated hackers
OBJECTIVE
Provide a broad introduction to the major topics in computer and communication security
Provide students with a basic understanding of the problems of information security and the solutions that exist to secure information on computers and networks
ASPECTS OF INFORMATION ASSURANCE
Information Security
Disaster Recovery
Business Continuity
Governance
Privacy
Fraud Examination
Systems Engineering
Computer Science
Security Engineering
Management Science
Criminology
Forensic Science
Compliance
INFORMATION SECURITY BASICS: CIA TRIAD
Confidentiality
  Measures taken to prevent disclosure of information or data to unauthorized systems or individuals
  Why? How?
Integrity
  Measures taken to protect the information or data from unauthorized alteration or revision
Availability
  Measures taken to ensure data and resources are readily available for access to legitimate users
THE SECURITY, FUNCTIONALITY AND EASE OF USE TRIANGLE
A problem that has faced security professionals for an eternity – the more secure something is, the less usable and functional it becomes.
Security
Functionality
Ease of Use
THE SECURITY PARADIGM
Principle 1: The Hacker Who Breaks into Your System Will Probably Be Someone You Know
Principle 2: Trust No One, or Be Careful About Whom You Are Required to Trust
Principle 3: Make Would-Be Intruders Believe They Will Be Caught
Principle 4: Protect in Layers
Principle 5: While Planning Your Security Strategy, Presume the Complete Failure of Any Single Security Layer
THE SECURITY PARADIGM…
Principle 6: Make Security a Part of the Initial Design
Principle 7: Disable Unneeded Services, Packages and Features
Principle 8: Before Connecting, Understand and Secure
Principle 9: Prepare for the Worst
INFORMATION ASSURANCE PROCESS
Enumeration & Classification of Assets (value)
Risk Assessment (Vulnerabilities & Threats)
Risk Analysis (Prob./likelihood & Impacts)
Risk Management (treatment)
Test & Review
IDENTIFYING TERMS
Vulnerability – Weakness in the system that could be exploited to cause loss or harm
Threat – Set of circumstances that has the potential to cause loss or harm
Attack – When an entity exploits a vulnerability on a system
Control – A means to prevent a vulnerability from being exploited
CLASSES OF THREATS
Disclosure – Unauthorized access to information
Deception – Acceptance of false data
Disruption – Interruption or prevention of correct operation
Usurpation – Unauthorized control of some part of a system
SOME COMMON THREATS
Snooping
  Unauthorized interception of information
Modification or alteration
  Unauthorized change of information
Masquerading or spoofing
  An impersonation of one entity by another
Repudiation of origin
  A false denial that an entity sent or created something.
Denial of receipt
  A false denial that an entity received some information.
MORE COMMON THREATS
Delay
  A temporary inhibition of service
Denial of Service
  A long-term inhibition of service
MORE DEFINITIONS
Policy
  A statement of what is and what is not allowed
  Divides the world into secure and non-secure states
  A secure system starts in a secure state. All transitions keep it in a secure state.
Mechanism
  A method, tool, or procedure for enforcing a security policy
IS THIS SITUATION SECURE?
Web server accepts all connections
No authentication required
Self-registration
Connected to the Internet
POLICY EXAMPLE
University computer lab has a policy that prohibits any student from copying another student's homework files
The computers have file access controls to prevent others' access to your files
Bob does not read protect his files
Alice copies his files
Who cheated? Alice, Bob, both, neither?
MORE EXAMPLE
What if Bob posted his homework on his dorm room door?
What if Bob did read protect his files, but Alice found a hack on the mechanism?
TRUST AND ASSUMPTIONS
Locks prevent unwanted physical access. What are the assumptions this statement builds on?
POLICY ASSUMPTIONS
Policy correctly divides world into secure and insecure states
Mechanisms prevent transition from secure to insecure states
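The two assumptions above can be checked mechanically on a small model. As an added example (not part of the original slides), the code below models the lab scenario from the POLICY EXAMPLE slide as a state machine and searches for a sequence of actions that reaches an insecure state; the state encoding, the action names and the `mandatory` mechanism are assumptions made for illustration.

```python
from collections import deque

# Constructed model. State: (bob_files_read_protected, alice_has_copy).
def policy_secure(state):
    """Policy: no student holds a copy of another student's homework."""
    _protected, alice_has_copy = state
    return not alice_has_copy

def discretionary(state):
    """Mechanism from the slide: access controls exist, but the owner may
    leave his files unprotected."""
    protected, copied = state
    yield ("bob_protects", (True, copied))
    yield ("bob_unprotects", (False, copied))
    if not protected:  # the read is blocked only while protection is set
        yield ("alice_copies", (False, True))

def mandatory(state):
    """Hypothetical stricter mechanism: other students can never read the
    files and the owner cannot switch protection off."""
    _protected, copied = state
    yield ("bob_protects", (True, copied))

def find_violation(initial, mechanism):
    """Breadth-first search for the shortest action trace that leads from
    `initial` into a state the policy calls insecure. Returns None when
    every reachable state is secure."""
    if not policy_secure(initial):
        return []
    seen, queue = {initial}, deque([(initial, [])])
    while queue:
        state, trace = queue.popleft()
        for action, nxt in mechanism(state):
            if nxt in seen:
                continue
            if not policy_secure(nxt):
                return trace + [action]
            seen.add(nxt)
            queue.append((nxt, trace + [action]))
    return None

if __name__ == "__main__":
    for start, mech in [((False, False), discretionary),
                        ((True, False), discretionary),
                        ((True, False), mandatory)]:
        print(start, mech.__name__, "->", find_violation(start, mech))
```

Starting in a secure state is not enough: under the discretionary mechanism an insecure state stays reachable, so the second assumption does not hold even when Bob's files begin protected.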
ANOTHER POLICY EXAMPLE
Bank officers may move money between accounts.
Any flawed assumptions here?
ASSURANCE
Evidence of how much to trust a system
Evidence can include
  System specifications
  Design
  Implementation
  Mappings between the levels
ASPIRIN ASSURANCE EXAMPLE
Why do you trust aspirin from a major manufacturer?
  FDA certifies the aspirin recipe
  Factory follows manufacturing standards
  Safety seals on bottles
Analogy to software assurance
  Software assurance ensures integrity, security, and reliability in software
KEY POINTS
Must look at the big picture when securing a system
Main components of information security
  Confidentiality
  Integrity
  Availability
Differentiating Threats, Vulnerabilities, Attacks and Controls
Policy vs. Mechanism