COMPUTER SECURITY
CSCI 370 Fall 2013
Dr. Ram Basnet
Jan 02, 2016
Slide #1-1
OUTLINE
Class Overview
Information Assurance Overview
Components of information security
Threats, Vulnerabilities, Attacks, and Controls
Policy
Slide #1-2
MORE ADMINISTRIVIA
Grades
  3 midterms, highest 2 scores each worth 30%, lowest score will be discarded.
  Final worth 30%
  Quizzes 10%
  Extra credit project worth 10%
Slide #1-3
A FEW WORDS ON CLASS INTEGRITY
Review department and university cheating and honor codes:
http://www.coloradomesa.edu/studentservices/conduct.html
Expectations for exams and projects
  Closed books; mostly multiple choice
  Team Projects
Most quizzes will be unannounced
Slide #1-4
CLASS READINGS
Text: Computer Security Fundamentals, William (Chuck) Easttom, II
Additional readings provided via public links
Books on reserve at the library
Slide #1-5
CLASS FORMAT
Meet twice a week
70% lecture; 30% hands-on laboratory work
Posted slides alone are not sufficient to master the material
Slide #1-6
OTHER SOURCES FOR SECURITY NEWS
Darknet – The Darkside: Don’t Learn to HACK – Hack to LEARN: http://www.darknet.org.uk/
Help Net Security http://www.net-security.org/
Naked Security – News, Opinion, Advice and Research from SOPHOS http://nakedsecurity.sophos.com/
Packet Storm – all things security - http://packetstormsecurity.com/
Bruce Schneier's blog http://www.schneier.com/blog/
Slide #1-7
SECURITY IN THE NEWS
HTTPS flaws
  German security researchers present BREACH attack against HTTPS at the Black Hat 2013 conference http://nakedsecurity.sophos.com/2013/08/06/anatomy-of-a-cryptographic-oracle-understanding-and-mitigating-the-breach-attack/
CyberWar
  Iran – Stuxnet
  http://www.voanews.com/content/stuxnet-an-effective-cyberwar-weapon/1691311.html
Extortion
  Threaten DDoS attack unless company pays up
Privacy/Identity theft
  4 Russians & 1 Ukrainian charged with hacking 160M credit card numbers
Worms
  Conficker, Twitter, and Facebook worms
  Slammer worm crashed nuclear power plant network
Hacktivism – Anonymous & other politically motivated hackers
Slide #1-8
OBJECTIVE
Provide a broad introduction to the major topics in computer and communication security
Provide students with a basic understanding of the problems of information security and the solutions that exist to secure information on computers and networks
Slide #1-9
ASPECTS OF INFORMATION ASSURANCE
Information Security
Disaster Recovery
Business Continuity
Governance
Privacy
Fraud Examination
Systems Engineering
Computer Science
Security Engineering
Management Science
Criminology
Forensic Science
Compliance
Slide #1-14
INFORMATION SECURITY BASICS: CIA TRIAD
Confidentiality
  Measures taken to prevent disclosure of information or data to unauthorized systems or individuals
  Why? How?
Integrity
  Measures taken to protect the information or data from unauthorized alteration or revision
Availability
  Measures taken to ensure data and resources are readily available for access to legitimate users
Slide #1-15
THE SECURITY, FUNCTIONALITY AND EASE OF USE TRIANGLE
A problem that has faced security professionals for an eternity – the more secure something is, the less usable and functional it becomes.
Security
Functionality
Ease of Use
Slide #1-16
THE SECURITY PARADIGM
Principle 1: The Hacker Who Breaks into Your System Will Probably Be Someone You Know
Principle 2: Trust No One, or Be Careful About Whom You Are Required to Trust
Principle 3: Make Would-Be Intruders Believe They Will Be Caught
Principle 4: Protect in Layers
Principle 5: While Planning Your Security Strategy, Presume the Complete Failure of Any Single Security Layer
Slide #1-17
THE SECURITY PARADIGM…
Principle 6: Make Security a Part of the Initial Design
Principle 7: Disable Unneeded Services, Packages and Features
Principle 8: Before Connecting, Understand and Secure
Principle 9: Prepare for the Worst
Slide #1-18
INFORMATION ASSURANCE PROCESS
Enumeration & Classification of Assets (value)
Risk Assessment (Vulnerabilities & Threats)
Risk Analysis (Prob./likelihood & Impacts)
Risk Management (treatment)
Test & Review
Slide #1-19
IDENTIFYING TERMS
Vulnerability – Weakness in the system that could be exploited to cause loss or harm
Threat – Set of circumstances that has the potential to cause loss or harm
Attack – When an entity exploits a vulnerability on a system
Control – A means to prevent a vulnerability from being exploited
Slide #1-20
CLASSES OF THREATS
Disclosure – Unauthorized access to information
Deception – Acceptance of false data
Disruption – Interruption or prevention of correct operation
Usurpation – Unauthorized control of some part of a system
Slide #1-21
SOME COMMON THREATS
Snooping
  Unauthorized interception of information
Modification or alteration
  Unauthorized change of information
Masquerading or spoofing
  An impersonation of one entity by another
Repudiation of origin
  A false denial that an entity sent or created something.
Denial of receipt
  A false denial that an entity received some information.
Slide #1-22
MORE COMMON THREATS
Delay
  A temporary inhibition of service
Denial of Service
  A long-term inhibition of service
Slide #1-23
MORE DEFINITIONS
Policy
  A statement of what is and what is not allowed
  Divides the world into secure and non-secure states
  A secure system starts in a secure state. All transitions keep it in a secure state.
Mechanism
  A method, tool, or procedure for enforcing a security policy
Slide #1-24
IS THIS SITUATION SECURE?
Web server accepts all connections
No authentication required
Self-registration
Connected to the Internet
Slide #1-25
POLICY EXAMPLE
University computer lab has a policy that prohibits any student from copying another student's homework files
The computers have file access controls to prevent others' access to your files
Bob does not read protect his files
Alice copies his files
Who cheated? Alice, Bob, both, neither?
Slide #1-26
MORE EXAMPLE
What if Bob posted his homework on his dorm room door?
What if Bob did read protect his files, but Alice found a hack on the mechanism?
Slide #1-27
TRUST AND ASSUMPTIONS
Locks prevent unwanted physical access.
What are the assumptions this statement builds on?
Slide #1-28
POLICY ASSUMPTIONS
Policy correctly divides world into secure and insecure states
Mechanisms prevent transition from secure to insecure states
Slide #1-29
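The lab policy from the POLICY EXAMPLE slide, modelled as the state machine that the MORE DEFINITIONS and POLICY ASSUMPTIONS slides describe. This is an added example, not part of the original slides. The two-field state, the action names and the "mandatory" mechanism are assumptions made for illustration.

```python
from collections import deque

# State (constructed for this example): (bob_file_world_readable, alice_has_copy)

def is_secure(state):
    """Policy: no student holds a copy of another student's homework."""
    _readable, alice_has_copy = state
    return not alice_has_copy

def discretionary(state, user):
    """Mechanism A: the owner decides; others may read only if not read protected."""
    readable, _copied = state
    return user == "bob" or readable

def mandatory(state, user):
    """Mechanism B (hypothetical): only the owner may ever read the file."""
    return user == "bob"

def transitions(state, may_read):
    """Yield (action, next_state) pairs that the mechanism permits."""
    readable, copied = state
    # The owner may flip the read-protection setting under either mechanism.
    yield ("bob changes read protection", (not readable, copied))
    if not copied and may_read(state, "alice"):
        yield ("alice copies file", (readable, True))

def find_violation(start, may_read):
    """Breadth-first search of reachable states.

    Returns the shortest list of actions leading to a state the policy
    calls insecure, or None if the mechanism keeps every reachable
    state secure.
    """
    if not is_secure(start):
        return []
    seen = {start}
    queue = deque([(start, [])])
    while queue:
        state, path = queue.popleft()
        for action, nxt in transitions(state, may_read):
            if nxt in seen:
                continue
            if not is_secure(nxt):
                return path + [action]
            seen.add(nxt)
            queue.append((nxt, path + [action]))
    return None

if __name__ == "__main__":
    for name, mech in (("discretionary", discretionary), ("mandatory", mandatory)):
        for readable in (True, False):
            print(name, "readable" if readable else "protected",
                  find_violation((readable, False), mech))
```

Under the discretionary mechanism an insecure state is reachable even when Bob starts with his file read protected, so the second policy assumption (mechanisms prevent transitions into insecure states) does not hold for it.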
ANOTHER POLICY EXAMPLE
Bank officers may move money between accounts.
Any flawed assumptions here?
Slide #1-30
ASSURANCE
Evidence of how much to trust a system
Evidence can include
  System specifications
  Design
  Implementation
  Mappings between the levels
Slide #1-31
ASPIRIN ASSURANCE EXAMPLE
Why do you trust aspirin from a major manufacturer?
  FDA certifies the aspirin recipe
  Factory follows manufacturing standards
  Safety seals on bottles
Analogy to software assurance
  Software assurance ensures integrity, security, and reliability in software
Slide #1-32
KEY POINTS
Must look at the big picture when securing a system
Main components of information security
  Confidentiality
  Integrity
  Availability
Differentiating Threats, Vulnerabilities, Attacks and Controls
Policy vs. Mechanism
Slide #1-33