The Security Theme: an introduction · Advanced Computer Science Security Theme...

Transcript of The Security Theme: an introduction · Advanced Computer Science Security Theme

Page 1

Advanced Computer Science Security Theme

The Security Theme: an introduction

School of Computer Science
The University of Manchester

Page 2

Outline

• Why do we need a Security Theme?
• Core Modules
  – Cryptography
  – Cyber security
• Some Research Activities

• Ratio of hackers to security professionals ~ 1000:1*
• Computer Security
• Military Intelligence
• The laws of thermodynamics**
• But you can manage the risks . . .
• …disrupt and counter the kill chain…
• . . . taking heed of the Security Theme!

*SANS (SysAdmin, Audit, Network, Security) Institute
**You can’t win . . . you can’t even break even

Page 4

‘Hacking’-as-a-service

• Consulting services such as botnet setup ($350-$400)
• Infection/spreading services (~$100 per 1K installs)
• Botnets & Rentals [Distributed Denial of Service (DDoS) $535 for 5 hours a day for one week], e-mail spam ($40 / 20K e-mails) and Web spam ($2 / 30 posts)
• Blackhat Search Engine Optimization (SEO) ($80 for 20K spammed backlinks)
• Inter-Carrier Money Exchange and Mule services (25% commission)
• Recruited CAPTCHA Breaking ($1 / 1000 CAPTCHAs)
• Crimeware Upgrade Modules: using Zeus modules as an example, these range anywhere from $500 to $10K

Source: Fortinet 2013 Cybercrime Report

Page 5

So we need a fifth column…

…to protect the systems of today and build tomorrow’s systems safely

Page 6

Cyber Security: topics

• Risk assessment
• Requirement and policy specifications
• Solutions and countermeasures
  – Intrusion detection/prevention
  – Secure software
  – Authentication and authorisation
  – Virtual Private Networks
  – Firewalls
  – Digital certification and Public Key Infrastructures
  – Real-life exemplar security systems (cloud computing security, web security, email security, wireless network security, electronic payment systems, etc.)
• Audits and reviews
• System security planning
• Penetration testing
• Digital forensics

Page 7

How

• Lectures
• Guest lectures
  – CY40R; Digital forensics
  – McAfee; Malware and intruders: vulnerabilities and countermeasures
  – NCC Group; Penetration Testing
• Cryptography
  – Examination (60%)
  – Coursework (40%)
• Cyber security
  – Coursework (2x25%)
    • Groupwork
    • Case studies
    • Report
    • Review/inspect
    • Templates
      – Report
      – Risk treatment plan
  – Examination (50%)
• Employment potential

Page 8

Cyber security COMP61421

[Diagram: a risk-management model for the module. Dependencies and Business Impact (Value…C-I-A) feed the valuation of Information Assets; Risk Assessment (Risk Register) and Risk Attitude lead to Risk Treatments (Controls), applied to People (Human Factors, Behaviour), Technology and Process; Realised Risk, Business Continuity, and Security Incidents and Events close the loop back to the Information Assets.]

Page 9

IT Governance COMP60721

[Diagram: the COMP61421 risk-management model (Dependencies, Business Impact (Value…C-I-A), Information Assets, Risk Assessment (Risk Register), Risk Attitude, People: Human Factors and Behaviour, Technology, Process, Controls, Risk Treatments (Controls), Realised Risk, Business Continuity, Security Incidents and Events) embedded in an IT Governance layer: Objectives, Risk Appetite, Conformance, Performance, Ethical framework and Leadership drive a Direct / Monitor / Evaluate cycle over Portfolio Management, Programme Management, Project Management, Security Architecture, Development and Operations, with Use, Abuse and Failure as outcomes.]

Page 10

Help…new and constant

Bad
• 20000 new pieces of malware per hour (McAfee)
• 15 friends invited on Facebook…21,000 accepted
• £60,000 for losing an unencrypted laptop
• Fined £100,000 for faxing details of a child sex abuse case to a member of the public
• Fined £2.75m for losing a laptop with records of 46,000 people

Good
• You become the Fifth Column
  1. Cryptography
  2. Cyber security

Page 11

Page 12

Summary: the two laws of security

1. Never reveal everything you know.

And now Dr Zhang on some more projects…

Page 13

Some research Projects/Activities

• Designs of systems or solutions for security and privacy in distributed systems
• Cloud and Ubiquitous Computing, and electronic commerce…
• …covering issues such as risk-based authentication, authorisation, intrusion detection, and trust management.

• FAME-Permis
• Traceable Identity Privacy
• FIDES
• Context-aware Security Provision
• Wireless Network Security
• Adaptive Security Solutions

Page 14

The FAME-Permis Project

• A middleware extension to Shibboleth to support
  – Inter-organisational resource sharing
  – Single sign-on
  – User identity privacy
  – Fine-grained access control

Page 15

LoA linked AC (FAME-Permis)

[Diagram: the user’s Browser, the Shib Target / Resource Gateway (SHIRE, SHAR) and the WAYF (Where Are You From?) service sit across The Internet from the User’s Home Site, whose Web Server runs Shib-HS protected by the FAME Login Server (F-LS); F-LS reaches AuthServices x, y, z, … (PKCS#11 tokens, Java Cards, ...) through a Host Authentication Module (HAM) and the TI-API. Message flow:]

1. User request
2. Re-direct to WAYF for Handle
3. Re-direct to HS
4. Authenticate yourself with AuthService x
5. Authentication dialogue
6. Authentication is successful
7. Handle
8. Handle

Page 16

FIDES

• Aim to secure e-Commerce transactions, e.g.
  – e-Payment vs e-Goods (e-Purchase).
  – e-Goods/e-mail vs Signed receipt (Certified delivery).
  – Signed contract vs Signed contract (Contract signing).
  – e-Goods vs e-Goods (Barter).
• Can be used to develop new secure business applications, such as e-procurement.

Page 17

Context-aware Security Provision

• Use your context data to determine the level of security protection
  – Your location
    • This room, or
    • Airport lounge
  – Your device
    • Wireless PDA, or
    • More capable desktop
  – Your past access history/profile
    • Have you been a good guy, or
    • You have tried to breach some rules

Page 18

Context-aware Access Control

[Diagram: Sensors (Context Source) feed Context Acquisition, which feeds a Context Service; the Access Requester sends requests to the PEP, which asks the PDP for a Policy Decision; the PDP takes Policy from the Policy Store and context from the Context Service; the PEP guards the Resource.]
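The following is an added example, not code from the slides or from the FAME-Permis project. It sketches the PEP/PDP arrangement of slide 18 in Python and uses the three context attributes of slide 17 (location, device, past access history) to raise the level of protection a request must meet before the resource is released. The resource names, policy levels, context labels such as "airport_lounge" and "wireless_pda", and the step-up rule (one level per risk-increasing attribute, capped at HIGH) are all constructed assumptions for illustration.

```python
"""Added example (not from the slides): a minimal context-aware Policy
Decision Point (PDP) with a Policy Enforcement Point (PEP), following the
Context Service -> PDP -> PEP structure of slide 18 and using the context
attributes listed on slide 17 (location, device, past access history).
Resource names, policy levels, context labels and sample contexts are all
constructed for illustration and are not part of FAME-Permis.
"""
from dataclasses import dataclass, field
from enum import IntEnum


class Assurance(IntEnum):
    """Level of protection demanded of the requester's authentication."""
    LOW = 1      # e.g. password only
    MEDIUM = 2   # e.g. password plus a one-time code
    HIGH = 3     # e.g. hardware token such as a PKCS#11 device


@dataclass(frozen=True)
class Context:
    """What the Context Service knows about the request (hypothetical labels)."""
    location: str                 # "this_room" or "airport_lounge"
    device: str                   # "desktop" or "wireless_pda"
    breached_rules: bool          # past access history/profile flag
    authenticated_at: Assurance   # how strongly the requester has authenticated


@dataclass
class Decision:
    permit: bool
    required: Assurance
    reasons: list = field(default_factory=list)


# Policy Store (constructed): baseline assurance each resource needs.
POLICY_STORE = {
    "lecture_notes": Assurance.LOW,
    "student_records": Assurance.MEDIUM,
    "exam_papers": Assurance.HIGH,
}


def required_assurance(resource, ctx):
    """Raise the baseline level once for each risk-increasing context
    attribute; returns (level, reasons) with the level capped at HIGH."""
    level = int(POLICY_STORE[resource])
    reasons = []
    if ctx.location == "airport_lounge":
        level += 1
        reasons.append("untrusted location")
    if ctx.device == "wireless_pda":
        level += 1
        reasons.append("less capable device")
    if ctx.breached_rules:
        level += 1
        reasons.append("past rule breaches")
    return Assurance(min(level, int(Assurance.HIGH))), reasons


def pdp_decide(resource, ctx):
    """Policy Decision: permit only if the presented assurance meets the
    context-adjusted requirement; unknown resources are denied by default."""
    if resource not in POLICY_STORE:
        return Decision(False, Assurance.HIGH, ["unknown resource: deny by default"])
    required, reasons = required_assurance(resource, ctx)
    permit = ctx.authenticated_at >= required
    if not permit:
        reasons.append(f"presented {ctx.authenticated_at.name}, need {required.name}")
    return Decision(permit, required, reasons)


def pep_enforce(resource, ctx):
    """Policy Enforcement: the PEP never decides by itself; it asks the PDP
    and either releases the resource or tells the requester what to step up to."""
    decision = pdp_decide(resource, ctx)
    if decision.permit:
        return f"GRANT {resource}"
    return f"DENY {resource}: step up to {decision.required.name} ({'; '.join(decision.reasons)})"


if __name__ == "__main__":
    # Constructed sample requests: same user, same resource, different context.
    office = Context("this_room", "desktop", False, Assurance.LOW)
    travel = Context("airport_lounge", "wireless_pda", False, Assurance.LOW)
    print(pep_enforce("lecture_notes", office))   # GRANT lecture_notes
    print(pep_enforce("lecture_notes", travel))   # DENY lecture_notes: step up to HIGH (...)
```

The separation matters for the design on slide 18: the PEP holds no policy and no context of its own, so the decision can be audited and changed in one place (the PDP and its Policy Store), and a denial carries the level the requester must reach rather than a bare refusal, which is what makes step-up authentication possible.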

Page 19

Context-aware Adaptive Routing in MANETs

Context-aware multiple route adaptation can increase reliability with low costs.

[Diagram: mobile nodes A, B, C, P, M and X, with one node linked to the Internet.]

Page 20

Other project opportunities may include…

• Whitelisting software
• A method to articulate requirements for security (MARS)
• Measuring security maturity to understand the costs and benefits of countermeasures
• Security dashboard
• Information and cyber security threat analyser
• IT Strategy design tool
• Protect - Operate - Self-preserve: designing a universal secure architecture
• Rules of engagement: Legitimate use of the Dark Internet and Deep Web
• Security economics modeller
• Balancing technical security controls with human factors
• An application to test websites for compliance and award a commensurate trust mark

Page 22