CSC 474 Information Systems Security

Similar documents
CSCI 454/554 Computer and Network Security. Instructor: Dr. Kun Sun

CIS 6930/4930 Computer and Network Security. Dr. Yao Liu

CSE 5392 Sensor Network Security

CNT5412/CNT4406 Network Security. Course Introduction. Zhenhai Duan

CSCI 4541/6541: NETWORK SECURITY

CS 450/650 Fundamentals of Integrated Computer Security

Network Security 網 路 安 全. Lecture 1 February 20, 2012 洪 國 寶

Boston University MET CS 690. Network Security

City University of Hong Kong. Information on a Course offered by Department of Electronic Engineering with effect from Semester A in 2012/2013

7. Public Key Cryptosystems and Digital Signatures, 8. Firewalls, 9. Intrusion detection systems, 10. Biometric Security Systems, 11.

CSC574 - Computer and Network Security Module: Introduction

Computer and Network Security

Module: Introduction. Professor Trent Jaeger Fall CSE543 - Introduction to Computer and Network Security

Information Security Basic Concepts

COSC 472 Network Security

Lecture 1 - Overview

Department of Computer & Information Sciences. CSCI-445: Computer and Network Security Syllabus

Weighted Total Mark. Weighted Exam Mark

Soran University Faculty of Science and Engineering Computer Science Department Information Security Module Specification

CSCI 4250/6250 Fall 2015 Computer and Network Security. Instructor: Prof. Roberto Perdisci

Chapter 4 Information Security Program Development

資 通 安 全 產 品 研 發 與 驗 證 (I) ICT Security Overview. Prof.. Albert B. Jeng ( 鄭 博 仁 教 授 ) 景 文 科 技 大 學 資 訊 工 程 系

Network Security ITP 457 (4 Units)

NEW YORK INSTITUTE OF TECHNOLOGY School of Engineering and Technology Department of Computer Science Old Westbury Campus

CS 464/564 Networked Systems Security SYLLABUS

PCI DSS Policies Outline. PCI DSS Policies. All Rights Reserved. ecfirst Page 1 of 7

CPSC 467: Cryptography and Computer Security

Chap. 1: Introduction

Computer and Network Security

Introduction to Security

Cryptography and Network Security

CSE331: Introduction to Networks and Security. Lecture 1 Fall 2006

REGULATIONS FOR THE SECURITY OF INTERNET BANKING

CSUS COLLEGE OF ENGINEERING AND COMPUTER SCIENCE Department of Computer Science (RVR 3018; /6834)

CS 5490/6490: Network Security Fall 2015

CS 458 / 658 Computer Security and Privacy. Course mechanics. Course website. Module 1 Introduction to Computer Security and Privacy.

10- Assume you open your credit card bill and see several large unauthorized charges unfortunately you may have been the victim of (identity theft)

Department of Computer & Information Sciences. INFO-450: Information Systems Security Syllabus

Course mechanics. CS 458 / 658 Computer Security and Privacy. Course website. Additional communication

Data Management Policies. Sage ERP Online

HARFORD COMMUNITY COLLEGE 401 Thomas Run Road Bel Air, MD Course Outline

CNT4406/5412 Network Security Introduction

Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs

Cryptography and Network Security Chapter 1

RYERSON UNIVERSITY Ted Rogers School of Information Technology Management And G. Raymond Chang School of Continuing Education

Network Security: Introduction

CIS433/533 - Computer and Network Security Introduction

Computer Security: Principles and Practice

How To Protect Your Data From Attack

Content Teaching Academy at James Madison University

Module: Introduction. Professor Patrick McDaniel Spring CMPSC443 - Introduction to Computer and Network Security

MW , TU 1-3; and other times by appointment

E-commerce. Security. Learning objectives. Internet Security Issues: Overview. Managing Risk-1. Managing Risk-2. Computer Security Classifications

CS Ethical Hacking Spring 2016

CIS 4204 Ethical Hacking Fall, 2014

CNA 432/532 OSI Layers Security

Cryptography and network security CNET4523

Security + Certification (ITSY 1076) Syllabus

Prerequisite: For students other than business and agribusiness majors.

ensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster

External Supplier Control Requirements

Security+ Guide to Network Security Fundamentals, Fourth Edition. Chapter 14 Risk Mitigation

MANAGED FILE TRANSFER: 10 STEPS TO SOX COMPLIANCE

93% of large organisations and 76% of small businesses

CSE343/443 Lehigh University Fall Course Overview. Presenter: Yinzhi Cao Lehigh University

UVic Department of Electrical and Computer Engineering

IY2760/CS3760: Part 6. IY2760: Part 6

Risk Management Guide for Information Technology Systems. NIST SP Overview

Network Security. Introduction. Università degli Studi di Brescia Dipartimento di Ingegneria dell Informazione 2014/2015

CS 203 / NetSys 240. Network Security

Security Goals Services

What is Web Security? Motivation

ITS425: Ethical Hacking and Penetration Testing

Compliance and Industry Regulations

Network Security Policy

Data Security Incident Response Plan. [Insert Organization Name]

PCI DSS Requirements - Security Controls and Processes

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including:

FINAL May Guideline on Security Systems for Safeguarding Customer Information

CIS 250 NETWORK SECURITY JACKSON STATE COMMUNITY COLLEGE COURSE SYLLABUS

ITSY Security Assessment/Auditing Spring 2010 Professor: Zoltan Szabo D111 LEC TR 11:20AM 12:45PM D111 LAB TR 12:50PM 02:15PM

SECURING YOUR SMALL BUSINESS. Principles of information security and risk management

Syllabus. No: CIS 200. Title: Fundamentals of Network Security. Credits: 4. Coordinator: Dr. B. Dike-Anyiam, Computer Science & Networking Lecturer

Basic understanding of data security tools such as access control mechanisms, authentication tools and cryptographic constructs.

BBM 461: SECURE PROGRAMMING INTRODUCTION. Ahmet Burak Can

Textbooks: Matt Bishop, Introduction to Computer Security, Addison-Wesley, November 5, 2004, ISBN

CIS 213 PENETRATION TESTING 3 cr. (2-2)

Basics of Internet Security

Major prerequisites by topic: Basic concepts in operating systems, computer networks, and database systems. Intermediate programming.

Syllabus: IST451. Division of Business and Engineering. Penn State Altoona

TABLE OF CONTENT. Page 2 of 9 INTERNET FIREWALL POLICY

Transcription:

CSC 474 Information Systems Security Introduction About Instructor Dr. Peng Ning, assistant professor of computer science http://www.csc.ncsu.edu/faculty/ning pning@ncsu.edu (919)513-4457 Office: Room 250 (in Suite 243), Venture III, centennial campus Office hours: Mondays and Thursdays, 3:00pm 4:00pm CSC 474 By Dr. Peng Ning 2 1

About TA Shu Huang shuhuang2002@yahoo.com Office hours: TBD CSC 474 By Dr. Peng Ning 3 Course Objectives Understanding of basic issues, concepts, principles, and mechanisms in information systems security. Basic security concepts Cryptography Authentication Distributed system security Network security Be able to determine appropriate mechanisms for protecting information systems. CSC 474 By Dr. Peng Ning 4 2

Course Styles Descriptive: what is out there. Critical: what is wrong with... Both knowledge and skill oriented Interactive: discussion and questions encouraged. Information sharing: home page and message board in http://wolfware.ncsu.edu. CSC 474 By Dr. Peng Ning 5 Course Outline Basic Security Concepts Confidentiality, integrity, availability Security policies, security mechanisms, assurance Cryptography Basic number theory Secret key cryptosystems Public key cryptosystems Hash function Key management CSC 474 By Dr. Peng Ning 6 3

Course Outline (Cont d) Identification and Authentication Basic concepts of identification and authentication Password authentication Security handshake pitfalls CSC 474 By Dr. Peng Ning 7 Course Outline (Cont d) Network and Distributed Systems Issues in Network and Distributed Systems Security Kerberos IPsec IPsec key management IP trace back SSL/TLS Firewalls and Virtual Private Network Secure Email CSC 474 By Dr. Peng Ning 8 4

Course Outline (Cont d) Miscellaneous Topics Malicious Software Multi-Level Security Evaluation of Secure Information Systems Auditing and Intrusion Detection CSC 474 By Dr. Peng Ning 9 Lab Exercises Network security Network scanning exercise VPN exercise Location Venture II networking lab Time TBD Will be given as a part of homework assignments CSC 474 By Dr. Peng Ning 10 5

Prerequisites CSC 401 (Data and Computer Communications Networks) Programming in Java Basic knowledge and skills in Discrete Mathematics CSC 474 By Dr. Peng Ning 11 Textbook and Handouts Required textbook Charlie Kaufman, Radia Perlman, and Mike Speciner, Network Security: Private Communication in a Public World, 2nd Edition, Prentice Hall, ISBN: 0-13-046019-2. CSC 474 By Dr. Peng Ning 12 6

On-line Resources WWW page: http://courses.ncsu.edu/csc474/lec/001 For course materials, e.g., lecture slides, homework files, papers, tools, etc. Will be updated frequently. So check frequently. Message board: http://courses.ncsu.edu/csc474 For discussions, Q&As. CSC 474 By Dr. Peng Ning 13 Grading CSC 474: Assignments 20%, midterm 40%, final 40%. The final grades are computed according to the following rules: A+: >= 95%; A: >= 90% and < 95%; A-: >= 85% and < 90%; B+: >= 80% and < 85%; B: >= 75% and < 80%; B-: >= 70% and < 75%; C+: >= 66% and < 70%; C: >= 63% and < 66%; C-: >= 60% and < 63%; D+: >= 56% and < 60%; D: >= 53% and < 56%; D-: >= 50% and < 53%; F: < 50%. CSC 474 By Dr. Peng Ning 14 7

Policies on incomplete grades and late assignments Homework and project deadlines will be hard. Late homework will be accepted with a 10% reduction in grade for each class period they are late by. Once a homework assignment is discussed in class, submissions will no longer be accepted. All assignments must be turned in before the start of class on the due date. CSC 474 By Dr. Peng Ning 15 Policies on absences and scheduling makeup work You may be excused from an exam only with a university approved condition, with proof. For example, if you cannot take an exam because of a sickness, we will need a doctor's note. Events such as going on a business trip or attending a brother's wedding are not an acceptable excuse for not taking an exam at its scheduled time and place. You will have one chance to take a makeup exam if your absence is excused. There will be no makeup for homework assignments. CSC 474 By Dr. Peng Ning 16 8

Academic integrity The university, college, and department policies against academic dishonesty will be strictly enforced. You may obtain copies of the NCSU Code of Student Conduct from the Office of Student Conduct, or from the following URL. http://www.fis.ncsu.edu/ncsulegal/41.03- codeof.htm CSC 474 By Dr. Peng Ning 17 NC State policy on working with students with disabilities Reasonable accommodations will be made for students with verifiable disabilities. Please schedule an appointment with the instructor. In order to take advantage of available accommodations, students must register with Disability Service for Students at 1900 Student Health Center, Campus Box 7509, 515-7653. http://www.ncsu.edu/provost/offices/affirm_action/dss/ For more information on NC State s policy on working with students with disabilities, please see http://www.ncsu.edu/provost/hat/current/appendix/appen_k.html. CSC 474 By Dr. Peng Ning 18 9

Check the website for details! CSC 474 By Dr. Peng Ning 19 CSC 474 Information Systems Security Topic #1. Basic Security Concepts 10

Information Security Problems Public, private, and government networks have been penetrated by unauthorized users and rogue programs Increased volume of security breaches attributed Computer Emergency Response Team (CERT) reports a tremendous increase in cracking incidents Insider attacks CSC 474 By Dr. Peng Ning 21 Information Security Concerns Distributed Denial of Service (DDOS) attacks Worm attacks (e.g., code red) Monitoring and capture of network traffic User IDs, passwords, and other information are often stolen on Internet Exploitation of software bugs Unauthorized access to resources Disclosure, modification, and destruction of resources Compromised system used as hostile attack facility Masquerade as authorized user or end system Data driven attacks Importation of malicious or infected code E-Mail forgery CSC 474 By Dr. Peng Ning 22 11

Contributing Factors Lack of awareness of threats and risks of information systems Security measures are often not considered until an Enterprise has been penetrated by malicious users Wide-open network policies Many Internet sites allow wide-open Internet access Vast majority of network traffic is unencrypted Network traffic can be monitored and captured CSC 474 By Dr. Peng Ning 23 Contributing Factors (Cont d) Lack of security in TCP/IP protocol suite Most TCP/IP protocols not built with security in mind Work is actively progressing within the Internet Engineering Task Force (IETF) Complexity of security management and administration Exploitation of software (e.g., protocol implementation) bugs Example: Sendmail bugs Cracker skills keep improving CSC 474 By Dr. Peng Ning 24 12

Security Objectives Secrecy (Confidentiality) Integrity Availability (Denial of Service) CSC 474 By Dr. Peng Ning 25 Security Objectives Secrecy Prevent/detect/deter improper disclosure of information Integrity Prevent/detect/deter improper modification of information Availability Prevent/detect/deter improper denial of access to services provided by the system Note the use of improper rather than unauthorized Authorized users are accountable for their actions CSC 474 By Dr. Peng Ning 26 13

Commercial Example Secrecy An employee should not come to know the salary of his manager Integrity An employee should not be able to modify the employee's own salary Availability Paychecks should be printed on time as stipulated by law CSC 474 By Dr. Peng Ning 27 Military Example Secrecy The target coordinates of a missile should not be improperly disclosed Integrity The target coordinates of a missile should not be improperly modified Availability When the proper command is issued the missile should fire CSC 474 By Dr. Peng Ning 28 14

A Fourth Objective Securing computing resources Prevent/detect/deter improper use of computing resources including Hardware Resources Software resources Data resources Network resources CSC 474 By Dr. Peng Ning 29 Achieving Security Security policy What? Security mechanism How? Security assurance How well? CSC 474 By Dr. Peng Ning 30 15

Security Policy Organizational Policy Automated Information System Policy CSC 474 By Dr. Peng Ning 31 Compusec + Comsec = Infosec Compsec Security Comsec Computers Communications Infosec CSC 474 By Dr. Peng Ning 32 16

Security Mechanism Prevention Access control Detection Auditing and intrusion detection Tolerance Practicality Good prevention and detection both require good authentication as a foundation CSC 474 By Dr. Peng Ning 33 Security Mechanism Security mechanisms implement functions that help prevent, detect, and respond to security attacks Prevention is more fundamental Detection seeks to prevent by threat of punitive action Detection requires that the audit trail be protected from alteration Sometime detection is the only option, e.g., Accountability in proper use of authorized privileges Modification of messages in a network Security functions are typically made available to users as a set of security services through APIs or integrated interfaces Cryptography underlies (almost) all security mechanisms CSC 474 By Dr. Peng Ning 34 17

Security Services Confidentiality: protection of any information from being exposed to unintended entities. Information content. Parties involved. Where they are, how they communicate, how often, etc. Authentication: assurance that an entity of concern or the origin of a communication is authentic - it s what it claims to be or from Integrity: assurance that the information has not been tampered with CSC 474 By Dr. Peng Ning 35 Security Services - Cont d Non-repudiation: offer of evidence that a party is indeed the sender or a receiver of certain information Access control: facilities to determine and enforce who is allowed access to what resources, hosts, software, network connections Monitor & response: facilities for monitoring security attacks, generating indications, surviving (tolerating) and recovering from attacks CSC 474 By Dr. Peng Ning 36 18

Security Services - Cont d Security management: facilities for coordinating users service requirements and mechanism implementations throughout the enterprise network and across the internet Trust model Trust communication protocol Trust management infrastructure CSC 474 By Dr. Peng Ning 37 Security Assurance How well your security mechanisms guarantee your security policy Everyone wants high assurance High assurance implies high cost May not be possible Trade-off is needed. CSC 474 By Dr. Peng Ning 38 19

Security by Obscurity Security by obscurity says that if we hide the inner workings of a system it will be secure It is a bad idea Less and less applicable in the emerging world of vendor-independent open standards Less and less applicable in a world of widespread computer knowledge and expertise CSC 474 By Dr. Peng Ning 39 Security by Legislation Security by legislation says that if we instruct our users on how to behave we can secure our systems It is a bad idea For example Users should not share passwords Users should not write down passwords Users should not type in their password when someone is looking over their shoulder User awareness and cooperation is important, but cannot be the principal focus for achieving security CSC 474 By Dr. Peng Ning 40 20

Security Tradeoffs Security Functionality COST Ease of Use CSC 474 By Dr. Peng Ning 41 Threat-Vulnerability-Risk Threats Possible attacks on the system Vulnerabilities Weaknesses that may be exploited to cause loss or harm Risk A measure of the possibility of security breaches and severity of the ensuing damage Requires assessment of threats and vulnerabilities CSC 474 By Dr. Peng Ning 42 21

Risk Management Risk analysis Mathematical formulae and computer models can be developed, but the underlying parameters are difficult to estimate. Risk reduction Risk acceptance Certification Technical evaluation of a system's security features with respect to how well they meet a set of specified security requirements Accreditation The management action of approving an automated system, perhaps with prescribed administrative safeguards, for use in a particular environment CSC 474 By Dr. Peng Ning 43 22

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information