Introduction to Computer Security

Similar documents
COSC 472 Network Security

Security Goals Services

CPSC 467: Cryptography and Computer Security

Network Security. Instructor: Adam Hahn

Chap. 1: Introduction

Threat Modeling. Frank Piessens ) KATHOLIEKE UNIVERSITEIT LEUVEN

Threats and Attacks. Modifications by Prof. Dong Xuan and Adam C. Champion. Principles of Information Security, 5th Edition 1

Soran University Faculty of Science and Engineering Computer Science Department Information Security Module Specification

SECURITY PRACTICES FOR ADVANCED METERING INFRASTRUCTURE Elif Üstündağ Soykan, Seda Demirağ Ersöz , ICSG 2014

Information Security and Privacy

Overview of computer and communications security

Introduction to Security

CSE331: Introduction to Networks and Security. Lecture 1 Fall 2006

Information Security Basic Concepts

資 通 安 全 產 品 研 發 與 驗 證 (I) ICT Security Overview. Prof.. Albert B. Jeng ( 鄭 博 仁 教 授 ) 景 文 科 技 大 學 資 訊 工 程 系

Plain English Guide To Common Criteria Requirements In The. Field Device Protection Profile Version 0.75

Information Systems Security

Computer and Information Security

What is Web Security? Motivation

A Systems Engineering Approach to Developing Cyber Security Professionals

Certified Ethical Hacker Exam Version Comparison. Version Comparison

CMSC 421, Operating Systems. Fall Security. URL: Dr. Kalpakis

How To Write A Transport Layer Protocol For Wireless Networks

Course Content Summary ITN 261 Network Attacks, Computer Crime and Hacking (4 Credits)

Security Implications Associated with Mass Notification Systems

When a student leaves this intensive 5 day class they will have hands on understanding and experience in Ethical Hacking.

CSCI 454/554 Computer and Network Security. Instructor: Dr. Kun Sun

ensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster

TIME SCHEDULE. 1 Introduction to Computer Security & Cryptography 13

Introduction to Information Security

EECS 588: Computer and Network Security. Introduction January 14, 2014

Application Intrusion Detection

10- Assume you open your credit card bill and see several large unauthorized charges unfortunately you may have been the victim of (identity theft)

CYBERTRON NETWORK SOLUTIONS

Chapter 6 Electronic Mail Security

CIS 6930/4930 Computer and Network Security. Dr. Yao Liu

Achieving Truly Secure Cloud Communications. How to navigate evolving security threats

CEH Version8 Course Outline

CS5008: Internet Computing

Content Teaching Academy at James Madison University

Security within a development lifecycle. Enhancing product security through development process improvement

Thick Client Application Security

Skoot Secure File Transfer

What is Really Needed to Secure the Internet of Things?

Client Server Registration Protocol

EXIN Information Security Foundation based on ISO/IEC Sample Exam

Cryptography and Network Security

CNT4406/5412 Network Security Introduction

Computer Security. Introduction to. Michael T. Goodrich Department of Computer Science University of California, Irvine. Roberto Tamassia PEARSON

Why Security Matters. Why Security Matters. 00 Overview 03 Sept CSCD27 Computer and Network Security. CSCD27 Computer and Network Security 1

Certified Ethical Hacker (CEH) Ethical Hacking & Counter Measures Course 9962; 5 Days, Instructor-Led

CSE343/443 Lehigh University Fall Course Overview. Presenter: Yinzhi Cao Lehigh University

Ohio Supercomputer Center

Security. Definitions

How To Protect Your Data From Attack

Cryptography and Network Security Chapter 1

EECS 588: Computer and Network Security. Introduction

Malicious Programs. CEN 448 Security and Internet Protocols Chapter 19 Malicious Software

The Information Security Problem

Computer Networks. Network Security and Ethics. Week 14. College of Information Science and Engineering Ritsumeikan University

Firewalls and Intrusion Detection

IY2760/CS3760: Part 6. IY2760: Part 6

Taxonomic Modeling of Security Threats in Software Defined Networking

Data Security Incident Response Plan. [Insert Organization Name]

E-commerce. Security. Learning objectives. Internet Security Issues: Overview. Managing Risk-1. Managing Risk-2. Computer Security Classifications

The monsters under the bed are real World Tour

Overview of Information Security. Murat Kantarcioglu

Weighted Total Mark. Weighted Exam Mark

Cybersecurity for the C-Level

7 Network Security. 7.1 Introduction 7.2 Improving the Security 7.3 Internet Security Framework. 7.5 Absolute Security?

[CEH]: Ethical Hacking and Countermeasures

Cyber Security & Data Privacy. January 22, 2014

Securing Data on Microsoft SQL Server 2012

CS 203 / NetSys 240. Network Security

External Supplier Control Requirements

Network Security. Gaurav Naik Gus Anderson. College of Engineering. Drexel University, Philadelphia, PA. Drexel University. College of Engineering

Security Testing. How security testing is different Types of security attacks Threat modelling

Certified Ethical Hacker (CEH)

Security threats and attackers are turning

E-commerce. business. technology. society. Kenneth C. Laudon Carol Guercio Traver. Second Edition. Copyright 2007 Pearson Education, Inc.

Foundations of Computer Security

SY system so that an unauthorized individual can take over an authorized session, or to disrupt service to authorized users.

1 Introduction. Agenda Item: Work Item:

UNCLASSIFIED Version 1.0 May 2012

IBM Protocol Analysis Module

Department of Computer & Information Sciences. INFO-450: Information Systems Security Syllabus

Application Security: Threats and Architecture

Guide to Vulnerability Management for Small Companies

EUCIP - IT Administrator. Module 5 IT Security. Version 2.0

Network Security 網 路 安 全. Lecture 1 February 20, 2012 洪 國 寶

NATIONAL CYBER SECURITY AWARENESS MONTH

Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs

Security Issues with Distributed Web Applications

Columbia University Web Security Standards and Practices. Objective and Scope

What Every (Software) Engineer Needs To Know About Security. -- and -- Where To Learn It

Bendigo and Adelaide Bank Ltd Security Incident Response Procedure

Patterns for Secure Boot and Secure Storage in Computer Systems

Network Security. 1 Pass the course => Pass Written exam week 11 Pass Labs

Name: 1. CSE331: Introduction to Networks and Security Fall 2003 Dec. 12, /14 2 /16 3 /16 4 /10 5 /14 6 /5 7 /5 8 /20 9 /35.

Transcription:

Introduction to Computer Security (ECE 458) Vijay Ganesh Spring 2014

Online Resources, Books, Notes,... Books Introduction to Computer Security by Matt Bishop Computer Security: Art and Science by Matt Bishop Hacking: The Art of Exploitation by Jon Erickson Notes and slides Course notes/lectures by Prof. Dan Boneh (Stanford) Course notes/lectures by Prof. John Mitchell (Stanford) Course notes/lectures by Prof. Bill Young (UT, Austin) Course notes/lectures by Prof. Matt Bishop (UC, Davis) Websites Website by Dan Bernstein (http://cr.yp.to/djb.html) Website by Schneier (http://www.schneier.com/)

Goals of this Course (Syllabus) Theory Foundational concepts in security (e.g., confidentiality, integrity,...) Security policies (e.g., access control,...) Basic crypto (e.g., public key cryptography, key management,...) Principles of secure design (e.g., least privilege, fail-safe,...) Practice Authentication (e.g., password schemes) Forms of attack, Malware (e.g., viruses, worms, buffer overflow attacks) Mechanisms to prevent/detect/recover from attacks (e.g., layout randomization) Software engineering tools to improve security (e.g., vulnerability and information flow analysis, pen testing, language design)

Topics covered in this Lecture Basic components of computer security Confidentiality Integrity Availability Classes of threats Disclosure Deception Disruption Usurpation Policy vs. mechanism Security policies, e.g., access control Mechanism to implement the policy Goals of security Prevention Detection Recovery Trust and assumptions

What is Security? Why is it Important? What is computer security? Often hard to define a field, esp. an evolving one Techniques and mechanisms to protect systems and data from threats Techniques to prevent, detect and recover from threats and attacks Requires understanding of threat/attack models, policies, trust, assumptions, properties Motivation to study security National defense Espionage by corporations and nations Increasing societal reliance on computers Financial transactions are primarily electronic Privacy issues related to health/financial records Technically challenging (both theory and practice)

Lots of Vulnerable Applications ( Percentage(from(Web(applicaEons( Source:(IBM(X-Force,(Mar(2011( Data:(h7p://cve.mitre.org/(

Why is Security Hard? Thinking through all possible threat scenarios is difficult Future-proofing a system is hard Information systems are heterogenous, target-rich Difficult to impose a uniform security policy Security often comes with a price, requiring trade-offs Balancing security with system usability and efficiency Designing, implementing and deploying security features is costly Lots of buggy software that is expensive to fix Security ultimately is about risk management Risk assessment (what are the threats, how much would they cost?) How much are you willing to pay Continuous re-assessment

Security Properties of Systems Confidentiality Concealment of information or resources Integrity Trustworthiness of data or resources (provenance) Availability Ability to use information or resource by authorized parties only Authentication Mechanisms to establish identity Appropriate control Mechanisms to unauthorized access and control of resources Non-repudiation Non-deniability of actions

Wait, what about...? Cryptography Digital signatures Access control Firewalls Authentication through passwords Digital certificates,... These are mechanisms for providing confidentiality, integrity, availability, authentication,...

Confidentiality Concealment of information or resources System makes it infeasible for unauthorized parties to learn concealed data or access resources Mechanisms to enforce confidentiality Access control mechanisms support confidentiality Encryption of data (decryption feasible only if key is available) Data maybe in the clear, but resource requires authentication Sometime even the existence of data (or occurrence of event) needs concealing Need to know principle

Integrity Trustworthiness of data or resources System prevents improper or unauthorized change to data Data integrity: Data has not been tampered with Origin integrity: The source of the data is verifiable Mechanisms to enforce integrity Prevention mechanisms Block unauthorized attempts to change data (e.g., password protection) Block attempts to change data in unauthorized ways (e.g., change policy) Detection mechanisms Detect unauthorized attempts to change data (e.g., MACs) Detect attempts to change data in unauthorized ways (e.g.,macs)

Availability Ability to use the information or resource by authorized parties only System ensures availability of information or resource Attacker may attempt denial-of-service (DOS) Attacker may exploit hidden assumptions to force DOS Attacker may exploit vulnerabilities to take control of resource and make it unavailable to authorized users (e.g., control-hijacks) Mechanisms to ensure availability with high probability Force attacker to pay a price for every DOS attack attempt (e.g., use of SYN cookies to protect against simple DOS attack) Detection mechanisms: statistical models of normal behavior Hard to detect/prevent DOS attacks(esp. distributed)

What is Computer Security? Prevent, Detect and Recover Stealing data Data tampering Confidentiality Mechanism: Encryption Integrity Mechanism: MACs Secure System Authentication Mechanism: Password login Availability Mechanism: SYN cookie Stealing identity Denial of service

SYN Flooding DOS Attack Attack on Availability Normal TCP Operation SYN Flooding Attack

SYN Flooding DOS Attack SYN Cookies to the Rescue Original idea: Dan Bernstein (http://cr.yp.to/djb.html) Picture source: http://www.h3c.com

Authentication and Non-repudiation Authentication: Mechanism to establish identity Password-based login implemented using cryptographic hash-functions Collision-resistant and pre-image attack-resistant MD5, SHA256,... Non-repudiation: Non-deniability of actions Always ask for a receipt (proof of service provided) Digital signatures (sender cannot deny sending message)

Threats A threat is a potential violation of security Actions leading to violations are called attacks Confidentiality, Integrity, Availability (CIA) counter threats Some types of threats Disclosure: unauthorized access to information (e.g., Stalin knew of the Bomb) Deception: acceptance of false data (e.g., Honey Pots) Disruption: interruption of correct system operation (e.g., DOS attacks, Stuxnet) Usurpation: unauthorized control of system (e.g., Control-hijack, Botnets)

Snooping (Disclosure threat) Attacker is listening in, recording, monitoring the network Governments do this all the time How to protect against such a threat?

Snooping (Disclosure threat) Attacker is listening in, recording, monitoring the network Governments do this all the time How to protect against such a threat? Confidentiality services to rescue Encryption Need-to-know principle

Unauthorized Data Modification Can result in a variety of threats Deception Disruption Usurpation Examples Use buffer overflow to stack smash resulting in malicious code execution Man in the middle attack Privilege escalation in Web browsers due to software errors

Policy and Mechanism Policy An unambiguous statement of what is, and is not, allowed Security is very context-dependent A policy, therefore, helps pin down what security means in a specific context Policy may focus on one or more of a system s security properties (CIAA) Mechanism A procedure or tool to enforce a security policy E.g., password-based login is a mechanism to implement access control policy

Trust and Assumptions Assumptions Assuming crypto systems are unbreakable can be dangerous Crypto guarantees can be side-stepped by stepping outside the crypto model Side-channel attacks Attacker may learn key by analyzing power consumption or cache behavior Trust Very hard to quantify Processors are manufactured in a variety of nations How do you know that the computer manufacturer didn t put some backdoor? Read Reflections on Trusting Trust paper by Ken Thompson You cannot trust code you didn t create yourself

Design and Verification Principles of Secure Design Principle of least privilege (e.g., user gets only essential privileges) Principle of privilege separation (e.g., programs are split into two and granted separate privileges) Principle of fail-safe defaults (e.g., access to resources only through explicit authority) Verification PenetrationTesting Formal methods (e.g., model-checking) Information-flow analysis

Putting it all Together Computer Security: Prevent, Detect and Recover Stealing data Data tampering Confidentiality Mechanism: Encryption Secure System relies on Policy, mechanism trust, assumptions Verification Integrity Mechanism: MACs Authentication Mechanism: Password login Availability Mechanism: SYN cookie Stealing identity Denial of service

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information