Why Security Matters. 00 Overview, 03 Sept 2015. CSCD27 Computer and Network Security.




Slide 1: CSCD27 Computer and Network Security
Instructor: Alan Rosselet
Office: IC-494
E-mail: rosselet @ utsc utoronto ca
Web: http://www.utsc.utoronto.ca/~rosselet/cscd27/

Slides 2-6: Why Security (title only)

Slide 7: (Insert slides for US govt breach, Ashley Madison breach)
"Ashley Madison Director of Security Mark Steele wrote in an email dated May 25, 2015: Our codebase has many (riddled?) XSS/CSRF vulnerabilities which are relatively easy to find (for a security researcher), and somewhat difficult to exploit in the wild (requires phishing). Other vulnerabilities would be things like SQL injection/data leaks, which would be much more damaging."

Slide 8:
"The Obama administration on Thursday revealed that 21.5 million people were swept up in a colossal breach of government computer systems that was far more damaging than initially thought, resulting in the theft of a vast trove of personal information. Every person given a government background check for the last 15 years was probably affected; hackers stole sensitive information, including addresses, health and financial history, social-security #s, fingerprints and other private details." (NYTimes)

Slide 9: Why Security (title only)

Slide 10: Why Security (title only)

Slide 11: Why Security
"Roberts was able to connect to a box under his seat on several occasions, allowing him to view data from the aircraft's engines, fuel and flight-management systems."
Roberts' tweet was analyzed, and an FBI team was dispatched to detain him at the airport when he landed.

Slide 12: Why Security (title only)

Slide 13: Why Security (title only)

Slide 14: Course Content: Plan of Attack
Begin with a solid grounding in the algorithms that underpin much of today's digital security:
o confidentiality: symmetric and asymmetric encryption
o integrity: secure hash and MAC
o authentication: digital signature, authentication protocols
In each case, we'll examine the design of these algorithms in some depth.
With the fundamentals in place, we'll move on to examine some important systems security issues:
o code attacks and defenses
o authenticating humans
o network attacks and defenses
o Web attacks and defenses
o malware

Slide 15: Course Topics
Cryptography: classical crypto, Symmetric Key (DES/AES/RC4), Public Key (DH, RSA), block and stream encryption, key management
Integrity and Authentication: MAC, Hashes and Message Digests, Digital Signatures, Authentication protocols, human authentication
Crypto Software & Applications: cryptographic libraries, secure email (GPG), including developing implementations of encryption algorithms

Slide 16: Course Topics
Software Security: mechanics of exploits such as buffer overflow and SQL injection, and associated defenses
Network Security: vulnerabilities and defenses for protocols such as ARP, 802.11 (Wifi), IP/ICMP, TCP/IP, TLS/SSL (HTTPS), DNS, including Denial of Service (DoS)
Malicious Code / Malware: e-mail and Web security including implementation of phishing/web attack code, viruses/worms/trojans

Slide 17: Informal Survey
1. Can you explain how RSA encryption works? AES?
2. How does HTTPS (SSL/TLS) use RSA, AES?
3. Have you coded in C or C++? Java?
4. Can you explain how a buffer-overflow exploit works?
5. Have you coded a Web app (e.g. JavaScript, PHP)?
6. What is MD5? Is it broken? Why?
7. Can you explain how TCP/IP works? What is ARP?
8. Who is the man in the middle?
9. Have you set up a Wifi router? Configured a firewall?
10. How do you protect yourself against malware?
11. Have you run a packet sniffer or port scanner? Why?
12. Have you ever used someone else's credentials to login?

Slide 18: Learning Objectives
In-depth understanding of foundational security properties (confidentiality, integrity, authentication) and of the state-of-the-art algorithms that implement them:
o these algorithms underpin much of the security the digital world relies on
o if you don't understand these fundamentals, you're likely to make dangerous mistakes
Awareness of the role the above algorithms (or their absence/misuse) play in various security scenarios, e.g.:
o SSL/HTTPS relies on many of these algorithms
o even digital currency relies on them!
o misuse of algorithms can expose you to crypto attacks

Slide 19: Learning Objectives
Understanding causes and mitigation for common security vulnerabilities, including:
o buffer overflows
o SQL injection
o Web attacks
o network attacks
Experience implementing and applying state-of-the-art security algorithms, e.g.:
o sending secure email
o implementing standard crypto algorithm(s)
o writing secure code

Slide 20: Learning Objectives
Fluency in security policies, principles, mechanisms, issues, acronyms, problems
Experience in an adversarial role, through attacks on application code, network and Web systems constructed using standard technologies, but with some vulnerabilities baked in
Understand issues and methods for authenticating humans: passwords, biometrics, multi-factor systems
Awareness of the evolution and current state of malware (trojans, viruses, worms)

Slide 21: Background Preparation
No prior exposure to security-related ideas assumed
Programming aptitude; familiarity with some Web technologies helpful
Some mathematical topics covered (finite fields, modular arithmetic, number theory), but in less depth than in the Math Crypto course (MATC16):
o some cryptography utilizes math problems that are computationally hard without access to a key
o no assumptions made on the math background
o all concepts will be introduced as needed

Slide 22: Information Sources
Lecture slides, weekly notes and examples
Tutorial notes
Recommended text (not required): Cryptography and Network Security, 6e, William Stallings, Addison Wesley, 2014, ISBN-10: 0-13-335469-5 (or earlier edition)
o supplement to lecture handouts, fills gaps in understanding
o well written, comprehensive coverage of most course topics
Web references, provided on the lectures Web page

Slide 23: Evaluation
3 assignments (cumulative 50%)
o both written and programming components
o Python, CSS, HTML, JavaScript used for implementations
o late submission policy: see the Course Information Sheet posted on the course Web site
Final exam (50%)
o past exam and midterm provided for studying

Slide 24: Assignments
Assignments will include a mix of written problems that reinforce concepts, and programming/implementation.
Programming/Implementation overview:
o Implement code-security attacks in Python (perform unauthorized action, get root shell access)
o Implement encryption algorithm in Python
o Sniff network packets, find MD5 hash collisions, crack keys
o Web attacks in HTML, CSS, JavaScript, with PHP
Why not stick to theory, rather than spend time on implementation?
o gain insight into how algorithms work, which parts are tricky/hard
o something to talk about in interviews

Slide 25: Ethical Expectations
o We will be covering/applying various adversarial mechanisms in the course
o As a senior Computer Science student, you are expected to uphold a high standard of personal ethics
o Your knowledge of attack methods does not imply permission to exploit them, except as indicated for course assignments, and/or where all involved parties have granted consent
o Just because it may seem to you like harmless fun does not make it acceptable or legal behavior!
o These are not idle warnings:
  o UT policies are strictly enforced
  o Some kinds of attacks violate civil and/or criminal codes, see e.g. https://www.hackcanada.com/canadian/freedom/canadacode.html
  o "RCMP charge straight-A CS student in CRA Heartbleed breach"
o If in doubt about whether you can/should perform some act related to course topics, consult with the instructor or TA first

Slide 26: Conduct of the Course
Lectures
o Background ideas, conceptual explanations, high-level examples
o Lecture slides posted on course Web site
Tutorials
o Examples related to assignments worked out in detail
o Test problems from prior years
o Opportunity to interact with TA and classmates while working on assignment problems