CNT Computer and Network Security Review/Wrapup

Transcription

1 CNT Computer and Network Security Review/Wrapup Professor Kevin Butler Fall 2015

2 Review What did we talk about this semester? Cryptography secret vs public-key key exchange (Diffie-Hellman) symmetric ciphers and modes of operation hashing, MAC, HMAC encryption and digital signatures constructions based on crypto primitives (e.g., hash chains) 2

3 Review Authentication credentials and types thereof (passwords, biometrics, tokens) Kerberos PKI Network security TCP sequence number attacks ARP spoofing DNS security Securing legacy protocols IPsec 3

4 Review Intrusion detection Insider threat rootkit network and host intrustion detection system behavior and signature based IDS anomaly detection Bayesian rate fallacy Firewalls blacklisting vs whitelisting firewall policy 4

5 Review Malware and bonnets Ransomware C&C architectures Fraud Bot cycles (scan-infect-download-communicate) Prevention mechanisms Bayesian fallacy ROC curves 5

6 Review Web security legacy and new web models cookie design content injection IFRAME compromise cross-site scripting browser security architectures SSL 6

7 Review Cloud computing Types of cloud service architectures Threat and trust models Multi-Tenancy Cloud side channels 7

8 Review Anonymous networks and censorship resistance TOR Hidden services Mix vs DC-nets Limitations Anonymous publishing Private browsing 8

9 Mobile Networks and Devices Rigidity in cellular networks SMS attacks Android communication mechanisms Secure application design and deployment End-to-end principle 9

10 Wrapup So, what does it all mean? 10

11 The state of security issues are in public consciousness Press coverage is increasing Losses mounting (billions and billions) Affect increasing (ATMs, commerce, infrastructure) Public is at risk... What are we doing? sound and fury signifying nothing (well, it s not quite that bad) 11

12 The problems What is the root cause? Security is not a key goal and it never has been so, we need to figure out how to change the way we do engineering (and science) to make computers secure. Far too much misunderstanding about basic security and the use of technology (security theatre) 12

13 The current solutions Make better software we mean it - B. Gates (2002) no really - B. Gates (2003) Linux/OS X/Sun OS etc. is bad too - B. Gates (2005) Vista will fix everything - B. Gates (2006) Vista fixes everything - B. Gates (2007) Sorry about Vista... - B. Gates (2007.5) Windows 7.0 will fix everything - B. Gates (2008) CERT/SANS-based problem/event tracking Experts tracking vulnerabilities Patch system completely broken Destructive research Back-pressure on product developers Arms-race with bad guys Problem: reactive, rather than proactive 13

14 The real solutions Fix the economic incentive equation Eventually, MS/Sun/Apple/*** will be in enough pain that they change the way they make software Education Things will get better when people understand when how to use technology Fix engineering practices Design for security Apply technology What we have been talking about Policy: how do we as technologists balance security and privacy? 14

15 Your new skills arsenal A little knowledge is a dangerous thing More and more, real lives at stake through subverting computers With great power comes great responsibility 15

16 The bottom line The Web/Internet and new technologies have limited ability to address security and privacy concerns computer science is making the world less safe!! it is incumbent on us as scientists to meet these challenges. Evangelize importance of security Provide sound technologies Define better practices Choose your questions wisely 16

17 Additional Courses Systems Security (grad. certificate) Cryptography Hardware security Embedded systems security Mobile computing security Research opportunities 17

18 Thank You 18