The Security Theme: an introduction · Advanced Computer Science Security Theme...
Advanced Computer Science Security Theme
The Security Theme: an introduction
School of Computer Science
The University of Manchester
Outline
• Why do we need a Security Theme?
• Core Modules
– Cryptography
– Cyber security
• Some Research Activities
• Ratio of hackers to security professionals ~ 1000:1*
• Computer Security
• Military Intelligence
• The laws of thermodynamics**
• But you can manage the risks . . .
• …disrupt and counter the kill chain…
• . . . taking heed of the Security Theme!
*SANS (SysAdmin, Audit, Network, Security) Institute
**You can’t win . . . you can’t even break even
The challenge…
‘Hacking’-as-a-service
• Consulting services such as botnet setup ($350-$400)
• Infection/spreading services (~$100 per 1K installs)
• Botnets & Rentals [Distributed Denial of Service (DDoS) $535 for 5 hours a day for one week], e-mail spam ($40 / 20K e-mails) and Web spam ($2/30 posts)
• Blackhat Search Engine Optimization (SEO) ($80 for 20K spammed backlinks)
• Inter-Carrier Money Exchange and Mule services (25% commission)
• Recruited CAPTCHA Breaking ($1/1000 CAPTCHAs)
• Crimeware Upgrade Modules: using Zeus Modules as an example, range anywhere from $500 to $10K
Source: Fortinet 2013 Cybercrime Report
So we need a fifth column…
…to protect the systems of today and build tomorrow’s systems safely
Cyber Security: topics
• Risk assessment
• Requirement and policy specifications
• Solutions and countermeasures
– Intrusion detection/prevention
– Secure software
– Authentication and authorisation
– Virtual Private Networks
– Firewalls
– Digital certification and Public Key Infrastructures
– Real-life exemplar security systems (cloud computing security, web security, email security, wireless network security, electronic payment systems, etc.)
• Audits and reviews
• System security planning
• Penetration testing
• Digital forensics
How
• Lectures
• Guest lectures
– CY40R; Digital forensics
– McAfee; Malware and intruders: vulnerabilities and countermeasures
– NCC Group; Penetration Testing
• Cryptography
– Examination (60%)
– Coursework (40%)
• Cyber security
– Coursework (2x25%)
• Groupwork
• Case studies
• Report
• Review/inspect
• Templates
– Report
– Risk treatment plan
– Examination (50%)
• Employment potential
Cyber security COMP61421
[Diagram: Dependencies; Business Impact (Value…C-I-A); Information Assets; Risk Assessment (Risk Register); Risk Attitude; People: Human Factors, Behaviour; Technology; Process; Controls; Risk Treatments (Controls); Realised Risk; Business Continuity; Security Incidents and Events.]
IT Governance COMP60721
[Diagram: IT Governance framing the risk model. Governance labels: Objectives; Risk Appetite; Conformance; Performance; Ethical framework; Leadership; Direct, Evaluate, Monitor; Portfolio Management; Security Architecture; Programme Management; Project Management; Development; Operations; Use; Abuse; Failure. Risk model labels: Dependencies; Business Impact (Value…C-I-A); Information Assets; Risk Assessment (Risk Register); Realised Risk; Risk Attitude; People: Human Factors, Behaviour; Technology; Process; Controls; Risk Treatments (Controls); Business Continuity; Security Incidents and Events.]
Help…new and constant
Bad
• 20000 new pieces of malware per hour (McAfee)
• 15 friends invited on Facebook…21,000 accepted
• £60,000 for losing an unencrypted laptop
• Fined £100,000 for faxing details of a child sex abuse case to a member of the public
• Fined £2.75m for losing a laptop with records of 46,000 people
Good
• You become the Fifth Column
1. Cryptography
2. Cyber security
Summary: the two laws of security
1. Never reveal everything you know.
And now Dr Zhang on some more projects…
Some research Projects/Activities
• Designs of systems or solutions for security and privacy in distributed systems
• Cloud and Ubiquitous Computing, and electronic commerce…
• …covering issues such as risk-based authentication, authorisation, intrusion detection, and trust management.
• FAME-Permis
• Traceable Identity Privacy
• FIDES
• Context-aware Security Provision
• Wireless Network Security
• Adaptive Security Solutions
The FAME-Permis Project
• A middleware extension to Shibboleth to support
– Inter-organisational resource sharing
– Single sign-on
– User identity privacy
– Fine-grained access control
LoA linked AC (FAME-permis)
[Diagram components: Browser; Shib Target - Resource Gateway (SHIRE, SHAR); WAYF (Where Are You From?); User’s Home Site Web Server with Shib-HS protected by F-LS; FAME Login Server (F-LS); AuthServices x, y, z, …; ASI-API; Host Authentication Module (HAM); TI-API; PKCS#11 tokens, Java Cards, ...; The Internet.]
1. User request
2. Re-direct to WAYF for Handle
3. Re-direct to HS
4. Authenticate yourself with AuthService x
5. Authentication dialogue
6. Authentication is successful
7. Handle
8. Handle
FIDES
• Aim to secure e-Commerce transactions, e.g.
– e-Payment vs e-Goods (e-Purchase).
– e-Goods/e-mail vs Signed receipt (Certified delivery).
– Signed contract vs Signed contract (Contract signing).
– e-Goods vs e-Goods (Barter).
• Can be used to develop new secure business applications, such as e-procurement.
Context-aware Security Provision
• Use your context data to determine the level of security protection
– Your location
• This room, or
• Airport lounge
– Your device
• Wireless PDA, or
• More capable desktop
– Your past access history/profile
• Have you been a good guy, or
• You have tried to breach some rules
Context-aware Access Control
[Diagram components: Access Requester; PEP; PDP; Resource; Policy Store (Policy); Policy Decision; Context Service; Context Acquisition; Sensors (Context Source).]
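An added sketch, not taken from the slides or from the research project, of how a PDP could turn the context attributes listed on the previous slide (location, device, access history) into a required authentication level that a PEP then enforces. The attribute values, risk points and numbered levels are assumptions; missing or unknown context is scored worst-case rather than ignored.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed policy store: risk points per context value (all values are assumptions).
POLICY = {
    "location": {"this_room": 0, "airport_lounge": 2},
    "device": {"desktop": 0, "wireless_pda": 1},
}
BREACH_POINTS = 2   # added when the access history records any rule breach
MAX_LEVEL = 3       # strongest authentication level this sketch knows about


@dataclass
class Context:
    """What the context service reports; None means the sensor gave no reading."""
    location: Optional[str] = None
    device: Optional[str] = None
    past_breaches: Optional[int] = None


def risk_points(ctx: Context) -> int:
    """Sum risk over the context; missing or unknown values score worst-case."""
    total = 0
    for attr in ("location", "device"):
        table = POLICY[attr]
        total += table.get(getattr(ctx, attr), max(table.values()))
    # No history at all is treated like a bad history, never like a clean one.
    if ctx.past_breaches is None or ctx.past_breaches > 0:
        total += BREACH_POINTS
    return total


def pdp_required_level(ctx: Context) -> int:
    """PDP: map risk to the authentication level the requester must hold."""
    points = risk_points(ctx)
    if points == 0:
        return 1
    return 2 if points <= 2 else MAX_LEVEL


def pep_enforce(session_level: int, ctx: Context) -> str:
    """PEP: compare the session's authentication level with the PDP's answer."""
    required = pdp_required_level(ctx)
    if session_level >= required:
        return "permit"
    return f"step-up to level {required}"
```
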
Context-aware Adaptive Routing in MANETs
Context-aware multiple route adaptation can increase reliability with low costs.
[Diagram: network with nodes A, B, C, P, M, X and the Internet.]
Other project opportunities may include…
• Whitelisting software
• A method to articulate requirements for security (MARS)
• Measuring security maturity to understand the costs and benefits of countermeasures
• Security dashboard
• Information and cyber security threat analyser
• IT Strategy design tool
• Protect - Operate - Self-preserve: designing a universal secure architecture
• Rules of engagement: Legitimate use of the Dark Internet and Deep Web
• Security economics modeller
• Balancing technical security controls with human factors
• An application to test websites for compliance and award a commensurate trust mark
Module Leader/Lecturers
• Dr Ning Zhang
• Dr Daniel Dresner Minst.ISP
• Dr Richard Banach