CS 458 / 658 Computer Security and Privacy. Course mechanics. Course website. Module 1 Introduction to Computer Security and Privacy.



Similar documents
Course mechanics. CS 458 / 658 Computer Security and Privacy. Course website. Additional communication

Computer and Network Security

CSC 474 Information Systems Security

CS 464/564 Networked Systems Security SYLLABUS

CS 203 / NetSys 240. Network Security

Please see web page for the course information.

Spring 2013 CS 6930 Advanced Topics in Web Security and Privacy - 3 Credit Hours Syllabus and Course Policies

EECS 588: Computer and Network Security. Introduction January 14, 2014

CS 450/650 Fundamentals of Integrated Computer Security

CSE331: Introduction to Networks and Security. Lecture 1 Fall 2006

CSCI 454/554 Computer and Network Security. Instructor: Dr. Kun Sun

EECS 588: Computer and Network Security. Introduction

CIS 6930/4930 Computer and Network Security. Dr. Yao Liu

Department of Computer & Information Sciences. INFO-450: Information Systems Security Syllabus

Unit 3 Cyber security

Module: Introduction. Professor Trent Jaeger Fall CSE543 - Introduction to Computer and Network Security

CIS433/533 - Computer and Network Security Introduction

YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE

SECURITY CHAPTER 24 (6/E) CHAPTER 23 (5/E)

Department of Computer & Information Sciences. CSCI-445: Computer and Network Security Syllabus

Chapter 4 Information Security Program Development

CSC574 - Computer and Network Security Module: Introduction

Nine Steps to Smart Security for Small Businesses

10- Assume you open your credit card bill and see several large unauthorized charges unfortunately you may have been the victim of (identity theft)

CPSC 467: Cryptography and Computer Security

How to Justify Your Security Assessment Budget

Computer Science 3CN3 Computer Networks and Security. Software Engineering 4C03 Computer Networks and Computer Security. Winter 2008 Course Outline

plantemoran.com What School Personnel Administrators Need to know

External Supplier Control Requirements

Adobe Systems Software Ireland Ltd

Network Security ITP 457 (4 Units)

CSUS COLLEGE OF ENGINEERING AND COMPUTER SCIENCE Department of Computer Science (RVR 3018; /6834)

FINAL May Guideline on Security Systems for Safeguarding Customer Information

Lecture 1 - Overview

ensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster

COURSE OUTLINE. SOC SCI 2EN3 (Winter 2014) Entrepreneurial Training for Social Science Students

GGR272: GEOGRAPHIC INFORMATION AND MAPPING I. Course Outline

Applied Network Security Course Syllabus Spring 2015

Standard: Information Security Incident Management

Basic understanding of data security tools such as access control mechanisms, authentication tools and cryptographic constructs.

Major prerequisites by topic: Basic concepts in operating systems, computer networks, and database systems. Intermediate programming.

Network Security. Text. Administrative. My Information. Course Focus. Evaluation CEN

BCS Certificate in Information Security Management Principles

Module: Introduction. Professor Patrick McDaniel Spring CMPSC443 - Introduction to Computer and Network Security

Data Management Policies. Sage ERP Online

GGR272: GEOGRAPHIC INFORMATION AND MAPPING I. Course Outline

Why Security Matters. Why Security Matters. 00 Overview 03 Sept CSCD27 Computer and Network Security. CSCD27 Computer and Network Security 1

CNT5412/CNT4406 Network Security. Course Introduction. Zhenhai Duan

Mobile Devices: Know the RISKS. Take the STEPS. PROTECT AND SECURE Health Information.

BUAD : Corporate Finance - Spring

HIPAA Security Alert

1. Computer Security: An Introduction. Definitions Security threats and analysis Types of security controls Security services

Advanced System Security

X Network, Operating System, and Database Security. Fall 2014, Registration Number W. UCLA EXTENSION: Computer Science.

ITM 641: Information Security Policies Syllabus Sanjay Goel School of Business University at Albany, State University of New York

DATA AND PAYMENT SECURITY PART 1

Mobile Devices: Know the RISKS. Take the STEPS. PROTECT AND SECURE Health Information.

Security Is Everyone s Concern:

SHARING BEST PRACTICES IN INFORMATION SECURITY PREVENTION TIPS & RESPONSE TECHNIQUES

Information Security Policy

Securing Applications, Web Services, and Software-As-A-Service (SAAS)

SYLLABUS PSYCHOLOGY 2C03: SOCIAL PSYCHOLOGY Department of Psychology, Neuroscience, and Behaviour McMaster University Winter 2011

Enterprise Cybersecurity Best Practices Part Number MAN Revision 006

UVic Department of Electrical and Computer Engineering

Data Protection Act Guidance on the use of cloud computing

Comm : Introduction to Communication Technologies. Syllabus. Spring 2015

Soran University Faculty of Science and Engineering Computer Science Department Information Security Module Specification

WILLIAM PATERSON UNIVERSITY CHRISTOS M. COTSAKOS COLLEGE OF BUSINESS Course Syllabus

Boston University MET CS 690. Network Security

HIPAA Security. 2 Security Standards: Administrative Safeguards. Security Topics

Summer 2015 Course Title & credit hours: Information Security, CET2830C (hybrid); 3 credit hours

Course Syllabus PSYCH 2C03: SOCIAL PSYCHOLOGY Department of Psychology, Neuroscience, and Behaviour McMaster University Spring 2014

IIABSC Spring Conference

External Supplier Control Requirements

AB 1149 Compliance: Data Security Best Practices

RYERSON UNIVERSITY Ted Rogers School of Information Technology Management And G. Raymond Chang School of Continuing Education

Data Security Incident Response Plan. [Insert Organization Name]

AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE

CS Ethical Hacking Spring 2016

Information Security

CSCI 4250/6250 Fall 2015 Computer and Network Security. Instructor: Prof. Roberto Perdisci

TASK TDSP Web Portal Project Cyber Security Standards Best Practices

College of Southern Maryland Fundamentals of Accounting Practice(ACC 1015) Course Syllabus Spring 2015

Contact Information I usually try to check once per day and respond within 48 hours or sooner, except on weekends and holidays.

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 4 Finding Network Vulnerabilities

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES

Appendix 4-2: Sample HIPAA Security Risk Assessment For a Small Physician Practice

AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE

CSE331: Introduction to Networks and Security. Lecture 1 Fall 2004

ABNORMAL PSYCHOLOGY (PSYCH 238) Psychology Building, Rm.31 Spring, 2010: Section K. Tues, Thurs 1:45-2:45pm and by appointment (schedule via )

Information, Network & Cyber Security

DEPARTMENT OF SOCIOLOGY AND CRIMINAL JUSTICE SOCIAL SCIENCE BUILDING 1000 CHASTAIN ROAD KENNESAW, GA

WHITE PAPER KEEPING CLIENT AND EMPLOYEE DATA SECURE DRIVES REVENUE AND BUILDS TRUST PROTECTING THE PROTECTOR

Cybersecurity Best Practices

Information Security Basic Concepts

HIPAA SECURITY RISK ASSESSMENT SMALL PHYSICIAN PRACTICE

CYBERSECURITY TESTING & CERTIFICATION SERVICE TERMS

Network Security 網 路 安 全. Lecture 1 February 20, 2012 洪 國 寶

Top Ten Technology Risks Facing Colleges and Universities

Computer and Network Security

Transcription:

CS 458 / 658 Computer Security and Privacy Module 1 Introduction to Computer Security and Privacy Spring 2013 Course mechanics Instructor: Ian Goldberg https://cs.uwaterloo.ca/ iang/ Office hours: Thursdays 2:00 3:00 pm or by appointment Lectures: T Th 8:30 9:50, MC 1056 1-2 Course website This course will use LEARN Syllabus, calendar, lecture notes, additional materials, assignments, announcements, policies, etc. Site will be updated regularly It is your responsibility to ensure that you are authorized to access the site and to keep up with the information on that site. Feedback is encouraged! 1-3

Piazza Discussion related to the course will take place on Piazza (piazza.com) General course questions, announcements Assignment-related questions You must keep up with the information posted there as well 1-4 Additional communication Some communication might be sent to your uwaterloo email address Check uwaterloo email account regularly or have email forwarded to your regular account Use discussion forums in Piazza for questions of general interest Use LEARN course mail for questions just for course personnel Course syllabus 1-5 You are expected to be familiar with the contents of the course syllabus Available on the course home page and LEARN If you haven t read it, read it after this lecture 1-6

Plagiarism and academic offenses We take academic offenses very seriously Even (especially?) in fourth year Nice explanation of plagiarism online http://arts.uwaterloo.ca/current-undergraduates/ academic-responsibility Read this and understand it Ignorance is no excuse! Questions should be brought to instructor Plagiarism applies to both text and code You are free (even encouraged) to exchange ideas, but no sharing code or text Plagiarism (2) 1-7 Common mistakes Excess collaboration with other students Share ideas, but no design or code! Using solutions from other sources (like for previous offerings of this course, maybe written by yourself) Possible penalties First offense (for assignments; exams are harsher) 0% for that assignment, -5% on final grade Second offense Expulsion is possible More information linked to from course syllabus 1-8 Grading scheme for CS 458 Midterm (15%) Tue, June 18, 2013, 7:00 8:20 pm / MC 1085 There is no alternate midterm. Final (30%) You must pass the weighted exam mark in order to pass the course! Assignments (3 * 15% = 45%) Work alone Self-tests (5%) Blog task (5%) Additional research survey paper for CS 658 See syllabus for more details See syllabus for late and reappraisal policies, academic integrity policy, and other details 1-9

Assignments Assignments will be due at 3:00 PM Late submissions will be accepted up to 48 hours after due date There will be no penalty for accepted late submissions Multiple assignments can be submitted late, including the last one No assistance will be given after the due date You need to notify your instructor before the due date of a severe, long-lasting problem that prevents you from doing an assignment 1-10 Self-tests The self-tests are worth 5% of your grade They re meant to help you keep up with the material, and gauge your grasp of it on an ongoing basis Check calendar in LEARN for the availability and deadline information for each self-test First test: available tomorrow, deadline one week No late self-tests will be accepted! You can attempt each self-test as often as you like during its availability period; your last grade on each self-test will be the one recorded Format: online (on LEARN), usually multiple-choice questions Blog task Many of the security and privacy problems that we will discuss in this course will (unfortunately) occur in the real world during the next four months The blog task forces you to keep up with these developments Each student has to write one blog post during an assigned timeslot You must also participate in the discussion of other students blog posts throughout the term Blog task is part of material covered in exams See LEARN for sign-up and other instructions 1-11 1-12

A note on security In this course, you will be exposed to information about security problems and vulnerabilities with computing systems and networks To be clear, you are not to use this or any other similar information to test the security of, break into, compromise, or otherwise attack, any system or network without the express consent of the owner In particular, you will comply with all applicable laws and uwaterloo policies See syllabus for more details 1-13 Required textbook Security in Computing, 4th edition, Charles P. Pfleeger and Shari Lawrence Pfleeger, Prentice-Hall, 2007. You are expected to know entire textbook sections, as listed on course website all the material presented in class http://proquest.safaribooksonline.com/ 9780132390774 1-14 Other readings From time to time, there will be other readings assigned as well They will be linked to from the modules page in LEARN There will be both mandatory and optional readings You must read the mandatory ones before the class in which we will discuss them There is such a reading for the next lecture 1-15

Course mechanics Teaching assistants: Casey Devet, Kevin Henry, Jalaj Upadhyay, Tao Wang Come to class! Not every bit of material will be on the slides or in the text. You will need an account in the student.cs environment If you don t have a student.cs account for some reason, get one set up in MC 3017. Module outline 1-16 1 What is our goal in this course? 2 What is security? 3 What is privacy? 4 Who are the adversaries? 5 Assets, vulnerabilities, threats, attacks, and controls 6 Methods of defence What is our goal in this course? 1-17 Our primary goal is to be able to identify security and privacy issues in various aspects of computing, including: Programs Operating systems Networks Internet applications Databases Secondarily, to be able to use this ability to design systems that are more protective of security and privacy. 1-18

What is security? In the context of computers, security generally means three things: Confidentiality Access to systems or data is limited to authorized parties Integrity When you ask for data, you get the right data Availability The system or data is there when you want it A computing system is said to be secure if it has all three properties Well, usually 1-19 Security and reliability Security has a lot to do with reliability A secure system is one you can rely on to (for example): Keep your personal data confidential Allow only authorized access or modifications to resources Give you correct and meaningful results Give you correct and meaningful results when you want them What is privacy? 1-20 There are many definitions of privacy A useful one: informational self-determination This means that you get to control information about you Control means many things: Who gets to see it Who gets to use it What they can use it for Who they can give it to etc. 1-21

Example: PIPEDA PIPEDA (Personal Information Protection and Electronic Documents Act) is Canada s private-sector privacy legislation Lists ten Fair Information Principles companies have to abide by: Be accountable Identify the purpose of data collection Obtain consent Limit collection Limit use, disclosure and retention Be accurate Use appropriate safeguards Be open Give individuals access Provide recourse 1-22 Security vs. privacy Sometimes people place security and privacy as if they re opposing forces. Are they really? Do we have to give up one to get the other? 1-23 Who are the adversaries? Who s trying to mess with us? Various groups: Murphy Amateurs Script kiddies Crackers Organised crime Government cyberwarriors Terrorists Which of these is the most serious threat today? 1-24

How secure should we make it? Principle of Easiest Penetration A system is only as strong as its weakest link The attacker will go after whatever part of the system is easiest for him, not most convenient for you. In order to build secure systems, we need to learn how to think like an attacker! How would you get private information from the US Social Security Administration database? Principle of Adequate Protection Security is economics Don t spend $100,000 to protect a system that can only cause $1000 in damage 1-25 Weakest link 1-26 Some terminology Assets Things we might want to protect, such as: Hardware Software Data Vulnerabilities Weaknesses in a system that may be able to be exploited in order to cause loss or harm e.g., a file server that doesn t authenticate its users 1-27

Some terminology Threats A loss or harm that might befall a system e.g., users personal files may be revealed to the public There are four major categories of threats: Interception Interruption Modification Fabrication When designing a system, we need to state the threat model Set of threats we are undertaking to defend against Whom do we want to stop from doing what? Some terminology 1-28 Attack An action which exploits a vulnerability to execute a threat e.g., telling the file server you are a different user in an attempt to read or modify their files Control Removing or reducing a vulnerability You control a vulnerability to prevent an attack and block a threat. How would you control the file server vulnerability? Our goal: control vulnerabilities Methods of defence 1-29 How can we defend against a threat? Prevent it: prevent the attack Deter it: make the attack harder or more expensive Deflect it: make yourself less attractive to attacker Detect it: notice that attack is occurring (or has occurred) Recover from it: mitigate the effects of the attack Often, we ll want to do many things to defend against the same threat Defence in depth 1-30

Example of defence Threat: your car may get stolen How to defend? Prevent: is it possible to absolutely prevent? Deter: Store your car in a secure parking facility Deflect: Use The Club, have sticker mentioning car alarm Detect: Car alarms, OnStar Recover: Insurance 1-31 Defence of computer systems Remember we may want to protect any of our assets Hardware, software, data Many ways to do this; for example: Cryptography Protecting data by making it unreadable to an attacker Authenticating users with digital signatures Authenticating transactions with cryptographic protocols Ensuring the integrity of stored data Aid customers privacy by having their personal information automatically become unreadable after a certain length of time Defence of computer systems Software controls Passwords and other forms of access control Operating systems separate users actions from each other Virus scanners watch for some kinds of malware Development controls enforce quality measures on the original source code Personal firewalls that run on your desktop 1-32 1-33

Defence of computer systems Hardware controls Not usually protection of the hardware itself, but rather using separate hardware to protect the system as a whole. Fingerprint readers Smart tokens Firewalls Intrusion detection systems Defence of computer systems 1-34 Physical controls Protection of the hardware itself, as well as physical access to the console, storage media, etc. Locks Guards Off-site backups Don t put your data centre on a fault line in California Defence of computer systems 1-35 Policies and procedures Non-technical means can be used to protect against some classes of attack If an employee connects his own Wi-Fi access point to the internal company network, that can accidentally open the network to outside attack. So don t allow the employee to do that! Rules about changing passwords Training in best security practices 1-36

Recap What is our goal in this course? Identify security and privacy issues Design systems that are more protective of security and privacy What is security? Confidentiality, Integrity, Availability What is privacy? Informational self-determination Recap 1-37 Who are the adversaries? Learn to think like an attacker Assets, vulnerabilities, threats, attacks and controls You control a vulnerability to prevent an attack and block a threat. Methods of defence Cryptography, software controls, hardware controls, physical controls, policies and procedures 1-38

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information