The Security Theme: an introduction

Transcription

1 The Security Theme: an introduction School of Computer Science The University of Manchester 1

2 Outline Why do we need a Security Theme? Core Modules Cryptography Cyber security Some Research Activities Ratio of hackers to security professionals ~ 1000:1* Computer Security Military Intelligence The laws of thermodynamics** But you can manage the risks... disrupt and counter the kill chain... taking heed of the Security Theme! *SANS (SysAdmin, Audit, Network, Security) Institute **You can t win... you can t even break even 2

3 The challenge 3

4 Hacking -as-a-service Consulting services such as botnet setup ($350-$400) Infection/spreading services (~$100 per 1K installs) Botnets & Rentals [Direct Denial of Service (DDoS) $535 for 5 hours a day for one week], spam ($40 / 20K s) and Web spam ($2/30 posts) Blackhat Search Engine Optimization (SEO) ($80 for 20K spammed backlinks) Inter-Carrier Money Exchange and Mule services (25% commission) Recruited CAPTCHA Breaking ($1/1000 CAPTCHAs) Crimeware Upgrade Modules: Using Zeus Modules as an example, range anywhere from $500 to $10K Source: Fortinet 2013 Cybercrime Report 4

5 So we need a fifth column to protect the systems of today and build tomorrow s systems safely 5

6 Cyber Security: topics Risk assessment Requirement and policy specifications Solutions and countermeasures Intrusion detection/prevention Secure software Authentication and authorisation Virtual Private Networks Firewalls Digital certification and Public Key Infrastructures Real-life exemplar security systems (cloud computing security, web security, security wireless network security, electronic payment systems, etc) Audits and reviews System security planning Penetration testing Digital forensics 6

7 How Lectures Guest lectures CY40R; Digital forensics McAfee; Malware and intruders: vulnerabilities and countermeasures NCC Group; Penetration Testing Cryptography Examination (60%) Coursework (40%) Cyber security Coursework (2x25%) Groupwork Case studies Report Review/inspect Templates Report Risk treatment plan Examination (50%) Employment potential 7

8 Cyber security COMP61421 Advanced Computer Science Security Theme Business Continuity Security Incidents and Events Information Information Assets Information Assets Information Assets Assets Realised Risk Dependencies Business Impact (Value C-I-A) Risk Assessment (Risk Register) Controls Controls Risk Treatments Controls (Controls) Risk Attitude People: Human Factors Behaviour Process Technology 8

9 Objectives Advanced Computer Science Security Theme Conformance Business Continuity Evaluate Leadership Direct Monitor Performance Security Incidents and Events Ethical framework IT Governance Use Development Operations Information Information Assets Information Assets Information Assets Assets Abuse Failure Realised Risk Dependencies Risk Appetite Business Impact (Value C-I-A) Risk Assessment (Risk Register) Controls Controls Risk Treatments Controls (Controls) Project Management Portfolio Management Risk Attitude People: Human Factors Behaviour IT Governance Programme Process Technology COMP60721 Management 9 Security Architecture

10 Help new and constant Bad new pieces of malware per hour (McAfee) 15 friends invited on Facebook 21,000 accepted 60,000 for losing an unencrypted laptop Fined 100,000 for faxing details of a child sex abuse case to a member of the public Fined 2.75m for loosing a laptop with records of 46,000 people Good You become the Fifth Column 1. Cryptography 2. Cyber security 10

11 11

12 Summary: the two laws of security 1.Never reveal everything you know. And now Dr Zhang on some more projects 12

13 Some research Projects/Activities Designs of systems or solutions for security and privacy in distributed systems Cloud and Ubiquitous Computing, and electronic commerce covering issues such as risk-based authentication, authorisation, intrusion detections, and trust management. FAME-Permis Traceable Identity Privacy FIDES Context-aware Security Provision Wireless Network Security Adaptive Security Solutions 13

14 The FAME - Permis Project A middleware extension to Shibboleth to support Inter-organisational resource sharing Single sign-on User identity privacy Fine-grained access control 14

15 ASI-API 6. Authentication is successful Advanced Computer Science Security Theme LoA linked AC (FAME-permis) User s Home Site Web Server Shib-HS Protected by F-LS FAME Login Server (F-LS) AuthServices x, y, z, 3. Re-direct to HS WAYF Where Are You From? 4. Authenticate yourself with AuthService x Host Authentication Module (HAM) Browser TI-API PKCS#11 tokens, Java Cards, User request 5. Authentication dialogue The Internet 7. Handle 2. Re-direct to WAYF for Handle Shib Target - Resource Gateway SHIRE SHAR 8.Handle 15

16 FIDES Aim to secure e-commerce transactions, e.g. e-payment vs e-goods (e-purchase). e-goods/ vs Signed receipt (Certified delivery). Signed contract vs Signed contract (Contract signing). e-goods vs e-goods (Barter). can be used to develop new secure business applications, such as e-procurement. 16

17 Context-aware Security Provision Use your context data to determine the level of security protection Your location This room, or Airport lunge Your device Wireless PDA, or More capable desktop Your past access history/profile Have you been a good guy, or You have tried to breach some rules 17

18 Context-aware Access Control Resource Policy Store Policy PDP Policy Decision PEP Access Requester Context Acquisition Context Service Context Source Sensors 18

19 Context-aware Adaptive Routing in MANETs Context-aware multiple route adaptation can increase reliability with low costs. B P A M Internet X C 19

20 Other project opportunities may include Whitelisting software A method to articulate requirements for security (MARS) Measuring security maturity to understand the costs and benefits of countermeasures Security dashboard Information and cyber security threat analyser IT Strategy design tool Protect- Operate - Selfpreserve: designing a universal secure architecture Rules of engagement: Legitimate use of the Dark Internet and Deep Web Security economics modeller Balancing technical security controls with human factors An application to test websites for compliance and award a commensurate trust mark 20

21 Module Leader/Lecturers Dr Ning Zhang Dr Daniel Dresner Minst.ISP Dr Richard Banach 21

22 22