IIT Indore © Neminah HubballiIIT Indore © Neminah Hubballi
IntroductionIntroduction Dr. Neminath HubballiDr. Neminath Hubballi
IIT Indore © Neminah HubballiIIT Indore © Neminah Hubballi
OutlineOutline
Administrative stuffAdministrative stuff Instructor and TAInstructor and TA Text Book and reading MaterialText Book and reading Material Course Content Course Content Evaluation CriteriaEvaluation Criteria
Fundamentals of security Fundamentals of security Define securityDefine security Learn why should we care about securityLearn why should we care about security CIA principles of securityCIA principles of security AAA principles of securityAAA principles of security
IIT Indore © Neminah HubballiIIT Indore © Neminah Hubballi
Administrative StuffAdministrative Stuff InstructorInstructor
Neminath HubballiNeminath Hubballi Area of expertise in Network Security, System SecurityArea of expertise in Network Security, System Security Room No- PS06 CRoom No- PS06 C
ReadingsReadings Text Book:Text Book:
Introduction to Computer Security- Goodrich and TamassiaIntroduction to Computer Security- Goodrich and Tamassia Computer Security – William StallingsComputer Security – William Stallings Security and Usability Designing Secure Systems that People Can Use –Lorre Security and Usability Designing Secure Systems that People Can Use –Lorre
Faith Cranor and Simson GarfinkelFaith Cranor and Simson Garfinkel Additional reading material will be givenAdditional reading material will be given You are expected to go through additional material- web has enormous You are expected to go through additional material- web has enormous
amount of material on securityamount of material on security Two Lectures + One Tutorial per weekTwo Lectures + One Tutorial per week Office hours : Friday 3-4 PM Office hours : Friday 3-4 PM Teaching AssistantTeaching Assistant
XXXXXX- A Graduate student in school of Computer ScienceXXXXXX- A Graduate student in school of Computer Science Tutorials will be handled by himTutorials will be handled by him
IIT Indore © Neminah HubballiIIT Indore © Neminah Hubballi
Prerequisites Prerequisites
Computer NetworksComputer Networks Operating SystemsOperating Systems C Programming C Programming Working Proficiency with Linux system Working Proficiency with Linux system Knowing Perl/Shell Scripting will be an Knowing Perl/Shell Scripting will be an
advantageadvantage
IIT Indore © Neminah HubballiIIT Indore © Neminah Hubballi
Course ContentCourse Content
Network and System Network and System AttacksAttacks Information Gathering Information Gathering Buffer Overflow AttacksBuffer Overflow Attacks Format String AttacksFormat String Attacks SQL Injection AttacksSQL Injection Attacks Spoofing AttacksSpoofing Attacks Phishing AttacksPhishing Attacks DoS AttacksDoS Attacks Virus, Worms, Trojon Virus, Worms, Trojon
HorseHorse Session Hijacking Session Hijacking Snooping and SniffingSnooping and Sniffing OS and Unix System OS and Unix System
SecuritySecurity BotnetsBotnets Spamming Spamming
Defense Defense MechanismsMechanisms AntivirusAntivirus AuthenticationAuthentication Proxy ServersProxy Servers IDSIDS FirewallFirewall Email SecurityEmail Security CryptographyCryptography PGPPGP Digital SignaturesDigital Signatures KerberoseKerberose IPSec IPSec Web SecurityWeb Security
Recap of Recap of Networking Networking ConceptsConcepts Transport LayerTransport Layer IP LayerIP Layer Link LayerLink Layer
Usability AspectsUsability AspectsOf security Of security
IIT Indore © Neminah HubballiIIT Indore © Neminah Hubballi
Evaluation CriteriaEvaluation Criteria Assignments – 10 %Assignments – 10 % Two Surprise Quizzes - 10 %Two Surprise Quizzes - 10 % Mid Semester Exam - 20 %Mid Semester Exam - 20 % End Semester Exam -30 %End Semester Exam -30 % Seminar and project – 25 %Seminar and project – 25 %
Seminar in a group of 2Seminar in a group of 2 Topics to be chosen in consultation with instructorTopics to be chosen in consultation with instructor
I will float few potential topicsI will float few potential topics But you are free to chose one on your own with restriction that, it must be relevant and But you are free to chose one on your own with restriction that, it must be relevant and
informative to everyone in the classinformative to everyone in the class Presentation for 30 minutes each – Post mid semester examPresentation for 30 minutes each – Post mid semester exam A neatly written report (not a copy paste from somewhere) in .pdf format created with A neatly written report (not a copy paste from somewhere) in .pdf format created with
latex along with sourcelatex along with source Demo of your projectDemo of your project
Attendance and class participation – 5%Attendance and class participation – 5%
IIT Indore © Neminah HubballiIIT Indore © Neminah Hubballi
What is Computer Security ?What is Computer Security ?
Deals with art of protecting computer resourcesDeals with art of protecting computer resources What are the resourcesWhat are the resources
MemoryMemory Computing powerComputing power DataData
Protection against Protection against Human errorsHuman errors Malicious guys outside Malicious guys outside Dishonest people insideDishonest people inside
IIT Indore © Neminah HubballiIIT Indore © Neminah Hubballi
When to Say System is SecureWhen to Say System is Secure
The goal of computing is to do something usefulThe goal of computing is to do something useful We write computer programs to do useful We write computer programs to do useful
computationcomputation All programs take some input and usually All programs take some input and usually
generate some outputgenerate some output A system/program is said to be secure ifA system/program is said to be secure if
For an expected input supplied with good intent it For an expected input supplied with good intent it generates a desired outputgenerates a desired output
For an unexpected input supplied with malicious For an unexpected input supplied with malicious intent it does not failintent it does not fail
IIT Indore © Neminah HubballiIIT Indore © Neminah Hubballi
Why We Should Care about Why We Should Care about Security ?Security ?
We use internet for many thingsWe use internet for many things Online bankingOnline banking Online shoppingOnline shopping Booking tickets …Booking tickets …
We store many things in computersWe store many things in computers PhotosPhotos FilesFiles
Computer may become too slow in respondingComputer may become too slow in responding Reputation and credibility Reputation and credibility
Media glare Media glare You may be contributing to computer crime without your knowledgeYou may be contributing to computer crime without your knowledge
Ex. Open wireless networks Ex. Open wireless networks Legal aspectsLegal aspects
IIT Indore © Neminah HubballiIIT Indore © Neminah Hubballi
Vulnerability and AttackVulnerability and Attack
Vulnerability: a weakness in system which Vulnerability: a weakness in system which allows a malicious user to gain accessallows a malicious user to gain access
Attack: a successful strategy to exploit a Attack: a successful strategy to exploit a vulnerability in order to gain illegal accessvulnerability in order to gain illegal access ActiveActive PassivePassive
Attacker: someone who crafts an attackAttacker: someone who crafts an attack Insider attackInsider attack Outside attackOutside attack
IIT Indore © Neminah HubballiIIT Indore © Neminah Hubballi
Types of AttackersTypes of Attackers Attacker – someone who can find an exploitable bug in Attacker – someone who can find an exploitable bug in
computer systemcomputer system Cracker – an attacker who exploit a system illegallyCracker – an attacker who exploit a system illegally Script kiddies – uses tools available publiclyScript kiddies – uses tools available publicly White hacker- people who discover vulnerabilities but White hacker- people who discover vulnerabilities but
does not exploitdoes not exploit Help to fix itHelp to fix it
Black hacker – bad people who wants to exploit systems Black hacker – bad people who wants to exploit systems after discoveryafter discovery
Cyber terrorists – often have religious and Cyber terrorists – often have religious and fundamentalist mindsetfundamentalist mindset
Cyber army – state sponsored attackersCyber army – state sponsored attackers Work for nation’s strategic securityWork for nation’s strategic security
IIT Indore © Neminah HubballiIIT Indore © Neminah Hubballi
Who Are Vulnerable to Attacks ?Who Are Vulnerable to Attacks ?
Financial institutionsFinancial institutions Defense organizationsDefense organizations Government agenciesGovernment agencies Pharmaceutical companiesPharmaceutical companies IT companiesIT companies Intellectual property management companiesIntellectual property management companies Academic institutionsAcademic institutions Everyone connected to internetEveryone connected to internet
IIT Indore © Neminah HubballiIIT Indore © Neminah Hubballi
CIA Principles of SecurityCIA Principles of Security
Information security is defined by an Information security is defined by an acronymacronym CIA CIA
Confidentiality: Avoiding unauthorized Confidentiality: Avoiding unauthorized disclosure of informationdisclosure of information
Integrity: An assurance that information is Integrity: An assurance that information is not altered midway of transmissionnot altered midway of transmission
Availability: An assurance of information Availability: An assurance of information access and modification in a reasonable access and modification in a reasonable timeframe timeframe
IIT Indore © Neminah HubballiIIT Indore © Neminah Hubballi
Confidentiality Confidentiality
Provide access to legitimate usersProvide access to legitimate users Block access to illegitimate usersBlock access to illegitimate users Confidentiality can be achieved throughConfidentiality can be achieved through
Encryption: Transform data to a meaningless unit for Encryption: Transform data to a meaningless unit for transmission and storage. Show it correctly to intended userstransmission and storage. Show it correctly to intended users
Access control: Control who can claim access toAccess control: Control who can claim access to Authentication: Determining identity of person claiming accessAuthentication: Determining identity of person claiming access
Something person hasSomething person has Something person knowsSomething person knows Something he/she is Something he/she is
Authorization: Determining whether the person is allowed to Authorization: Determining whether the person is allowed to access somethingaccess something
Physical security: Establishing physical barriersPhysical security: Establishing physical barriers
IIT Indore © Neminah HubballiIIT Indore © Neminah Hubballi
IntegrityIntegrity Integrity compromiseIntegrity compromise
System induced: hardware flips a bitSystem induced: hardware flips a bit Malicious: someone rewrites the dataMalicious: someone rewrites the data
Techniques to prevent confidentiality also help prevent integrity Techniques to prevent confidentiality also help prevent integrity In addition In addition
Backup: periodically archive dataBackup: periodically archive data Checksum: computing something out of dataChecksum: computing something out of data Error correction code: can correct errors up to a limitError correction code: can correct errors up to a limit
Metadata : also needs to be protected Metadata : also needs to be protected OwnerOwner Size of fileSize of file Last read and write timingsLast read and write timings Location of dataLocation of data
IIT Indore © Neminah HubballiIIT Indore © Neminah Hubballi
AvailabilityAvailability
Timely delivery of information is importantTimely delivery of information is important Banking transactionsBanking transactions Stock quotesStock quotes
Can be achieved with Can be achieved with Physical protection:Physical protection:
guards, guards, fire management systems,fire management systems, lockslocks
Redundancy in computing :Redundancy in computing : RAIDRAID Fault tolerance systemsFault tolerance systems
IIT Indore © Neminah HubballiIIT Indore © Neminah Hubballi
AAA Principles of SecurityAAA Principles of Security
AAA stand for Assurance, Authenticity and AAA stand for Assurance, Authenticity and AnonymityAnonymity Assurance asks for guaranteeAssurance asks for guarantee Authenticity asks to tell you “who are you”Authenticity asks to tell you “who are you” Anonymity asks not to reveal identity Anonymity asks not to reveal identity
IIT Indore © Neminah HubballiIIT Indore © Neminah Hubballi
AssuranceAssurance Refers to the issue of trust relationship in computer Refers to the issue of trust relationship in computer
systemssystems How to quantify trustHow to quantify trust
BinaryBinary Fractional Fractional
Trust involves Trust involves Policy- the behavioral expectation of an individualPolicy- the behavioral expectation of an individual Permissions- state what can be accessed and what notPermissions- state what can be accessed and what not Protections- mechanisms in place to implement policies and Protections- mechanisms in place to implement policies and
permissionspermissions Online purchaseOnline purchase
You give your credit card to merchant You give your credit card to merchant It is expected that the merchant adhere to stated policy on how It is expected that the merchant adhere to stated policy on how
they use your datathey use your data
IIT Indore © Neminah HubballiIIT Indore © Neminah Hubballi
AuthenticityAuthenticity
Deals with knowing whether the users and Deals with knowing whether the users and system are entitled to what they dosystem are entitled to what they do Mainly from legal angle Mainly from legal angle
A mechanism to verify authenticity of an entity A mechanism to verify authenticity of an entity digitally digitally For example an online portal says you order here by For example an online portal says you order here by
credit card payment and we will ship the itemcredit card payment and we will ship the item How do we know whether it actually does or How do we know whether it actually does or If someone is faking a message ?If someone is faking a message ? Nonrepudiation – authentic statementsNonrepudiation – authentic statements Digital signaturesDigital signatures
IIT Indore © Neminah HubballiIIT Indore © Neminah Hubballi
Anonymity Anonymity
Deals with protecting personal identities in online Deals with protecting personal identities in online transactionstransactions
Our credit card numbers, PAN numbers, health records, Our credit card numbers, PAN numbers, health records, etc.etc.
Preserving privacy of usersPreserving privacy of users Aggregation- sum up data from many users and aggregated Aggregation- sum up data from many users and aggregated
data does not reveal anythingdata does not reveal anything Mixing - such that no transaction can be traced to any individualMixing - such that no transaction can be traced to any individual Proxies- trusted agents involving in transactions on behalf of Proxies- trusted agents involving in transactions on behalf of
usersusers Pseudonyms - fictional identities which fill in for real identitiesPseudonyms - fictional identities which fill in for real identities
IIT Indore © Neminah HubballiIIT Indore © Neminah Hubballi
The Value of Your NetworkThe Value of Your Network Lost dataLost data
Financial lossFinancial loss Confidential dataConfidential data
Danger of going into wrong handsDanger of going into wrong hands Downtime Downtime
Calling a customer care which says my server is downCalling a customer care which says my server is down It looks cheapIt looks cheap
Staff time Staff time Time invested in repairing and fixing the issueTime invested in repairing and fixing the issue
Hijacked computerHijacked computer Reputation Reputation
Damage Damage Financial lossFinancial loss
IIT Indore © Neminah HubballiIIT Indore © Neminah Hubballi
Security PrinciplesSecurity Principles
Economy of mechanismEconomy of mechanism The easier and simple a security mechanism the better it is to The easier and simple a security mechanism the better it is to
understandunderstand
Fail-safe defaultsFail-safe defaults Default configuration should be conservativeDefault configuration should be conservative
Complete mediationComplete mediation A security authority should check every action of a userA security authority should check every action of a user
Open design Open design Security design should be made publicSecurity design should be made public
Separation of privilegeSeparation of privilege Multiple conditions should be required to get accessMultiple conditions should be required to get access
IIT Indore © Neminah HubballiIIT Indore © Neminah Hubballi
Security PrinciplesSecurity Principles
Least privileges Least privileges Every program must have bare minimum privileges to runEvery program must have bare minimum privileges to run
Least common mechanismLeast common mechanism Says sharing among users should be minimumSays sharing among users should be minimum
Psychological acceptabilityPsychological acceptability User interfaces should be intuitive User interfaces should be intuitive
Work factorWork factor Tradeoff between breaking and value of secreteTradeoff between breaking and value of secrete
Compromise recordingCompromise recording Sometime it is more desirable to record details of an attack Sometime it is more desirable to record details of an attack
rather than designing a comprehensive security mechanismrather than designing a comprehensive security mechanism
IIT Indore © Neminah HubballiIIT Indore © Neminah Hubballi
Vulnerability Disclosure TrendsVulnerability Disclosure Trends
Courtesy: Vulnerability Threats and Trends Report NSS Labs , Stefan Frei
IIT Indore © Neminah HubballiIIT Indore © Neminah Hubballi
Vulnerability CriticalityVulnerability Criticality
Courtesy: Vulnerability Threats and Trends Report NSS Labs , Stefan Frei
IIT Indore © Neminah HubballiIIT Indore © Neminah Hubballi
Complexity to Execute an AttackComplexity to Execute an Attack
Courtesy: Vulnerability Threats and Trends Report NSS Labs , Stefan Frei
IIT Indore © Neminah HubballiIIT Indore © Neminah Hubballi
Top 10 Vendors Vulnerabilities Top 10 Vendors Vulnerabilities
Courtesy: Vulnerability Threats and Trends Report NSS Labs , Stefan Frei
Top Related