Computer Security. CSCI 370, Fall 2013, Dr. Ram Basnet. PowerPoint presentation, posted Jan 02, 2016.
Page 1: Computer Security

COMPUTER SECURITY

Slide #1-1

CSCI 370, Fall 2013

Dr. Ram Basnet

Page 2: Computer Security

OUTLINE

Class Overview
Information Assurance Overview
Components of information security
Threats, Vulnerabilities, Attacks, and Controls
Policy

Page 3: Computer Security

MORE ADMINISTRIVIA

Grades
3 midterms; the highest 2 scores each count 30%, the lowest score is discarded
Final worth 30%
Quizzes 10%
Extra credit project worth 10%

Page 4: Computer Security

A FEW WORDS ON CLASS INTEGRITY

Review department and university cheating and honor codes:
http://www.coloradomesa.edu/studentservices/conduct.html

Expectations for exams and projects
Closed books; mostly multiple choice
Team projects
Most quizzes will be unannounced

Page 5: Computer Security

CLASS READINGS

Text: Computer Security Fundamentals, William (Chuck) Easttom, II

Additional readings provided via public links

Books on reserve at the library


Page 6: Computer Security

CLASS FORMAT

Meet twice a week
70% lecture; 30% hands-on laboratory work
Posted slides are not sufficient to master the material alone

Page 7: Computer Security

OTHER SOURCES FOR SECURITY NEWS

Darknet – The Darkside: Don’t Learn to HACK – Hack to LEARN: http://www.darknet.org.uk/
Help Net Security: http://www.net-security.org/
Naked Security – News, Opinion, Advice and Research from SOPHOS: http://nakedsecurity.sophos.com/
Packet Storm – all things security: http://packetstormsecurity.com/
Bruce Schneier's blog: http://www.schneier.com/blog/

Page 8: Computer Security

SECURITY IN THE NEWS

HTTPS flaws
Security researchers present the BREACH attack against HTTPS at the Black Hat 2013 conference
http://nakedsecurity.sophos.com/2013/08/06/anatomy-of-a-cryptographic-oracle-understanding-and-mitigating-the-breach-attack/

CyberWar
Iran – Stuxnet
http://www.voanews.com/content/stuxnet-an-effective-cyberwar-weapon/1691311.html

Extortion
Threaten a DDoS attack unless the company pays up

Privacy/Identity theft
4 Russians & 1 Ukrainian charged with hacking 160M credit card numbers

Worms
Conficker, Twitter, and Facebook worms
Slammer worm crashed a nuclear power plant network

Hacktivism – Anonymous & other politically motivated hackers

Page 9: Computer Security

OBJECTIVE

Provide a broad introduction to the major topics in computer and communication security

Provide students with a basic understanding of the problems of information security and the solutions that exist to secure information on computers and networks


Page 14: Computer Security

ASPECTS OF INFORMATION ASSURANCE

(diagram: the disciplines that contribute to information assurance)
Information Security
Disaster Recovery
Business Continuity
Governance
Privacy
Fraud Examination
Systems Engineering
Computer Science
Security Engineering
Management Science
Criminology
Forensic Science
Compliance

Page 15: Computer Security

INFORMATION SECURITY BASICS: CIA TRIAD

Confidentiality
Measures taken to prevent disclosure of information or data to unauthorized systems or individuals
Why? How?

Integrity
Measures taken to protect the information or data from unauthorized alteration or revision

Availability
Measures taken to ensure data and resources are readily available for access to legitimate users

Page 16: Computer Security

THE SECURITY, FUNCTIONALITY AND EASE OF USE TRIANGLE

A problem that has faced security professionals for an eternity – the more secure something is, the less usable and functional it becomes.

(triangle with vertices Security, Functionality, Ease of Use)

Page 17: Computer Security

THE SECURITY PARADIGM

Principle 1: The Hacker Who Breaks into Your System Will Probably Be Someone You Know
Principle 2: Trust No One, or Be Careful About Whom You Are Required to Trust
Principle 3: Make Would-Be Intruders Believe They Will Be Caught
Principle 4: Protect in Layers
Principle 5: While Planning Your Security Strategy, Presume the Complete Failure of Any Single Security Layer

Page 18: Computer Security

THE SECURITY PARADIGM…

Principle 6: Make Security a Part of the Initial Design

Principle 7: Disable Unneeded Services, Packages and Features

Principle 8: Before Connecting, Understand and Secure

Principle 9: Prepare for the Worst


Page 19: Computer Security

INFORMATION ASSURANCE PROCESS

(cycle diagram)
Enumeration & Classification of Assets (value)
Risk Assessment (Vulnerabilities & Threats)
Risk Analysis (Prob./likelihood & Impacts)
Risk Management (treatment)
Test & Review
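The middle three steps of that cycle, carried through with numbers, as an added worked example (not from the lecture slides). It uses the common quantitative method: likelihood as an annualized rate of occurrence (ARO), impact as asset value times an exposure factor (single loss expectancy, SLE), and their product as the annualized loss expectancy (ALE), which is then compared with the cost of a candidate control to choose a treatment. The assets, values, rates, control costs and the risk-appetite threshold are all constructed for illustration.

```python
"""Quantitative risk analysis for a small asset register.

Added worked example, not from the lecture slides. Likelihood is modelled as
an annualized rate of occurrence (ARO), impact as asset value times exposure
factor (single loss expectancy, SLE), and their product is the annualized
loss expectancy (ALE). All assets, values and rates are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    asset: str
    value: float            # asset value in dollars (enumeration/classification step)
    threat: str
    vulnerability: str
    exposure_factor: float  # fraction of the asset's value lost per incident, 0..1
    aro: float              # expected incidents per year (likelihood)

    @property
    def sle(self) -> float:
        """Single loss expectancy: impact of one incident."""
        return self.value * self.exposure_factor

    @property
    def ale(self) -> float:
        """Annualized loss expectancy: expected yearly loss from this risk."""
        return self.sle * self.aro


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    aro_reduction: float    # fraction of incidents the control prevents, 0..1


def control_value(risk: Risk, control: Control) -> float:
    """Net yearly benefit of the control: ALE avoided minus its cost."""
    residual_ale = risk.sle * risk.aro * (1.0 - control.aro_reduction)
    return (risk.ale - residual_ale) - control.annual_cost


def treatment(risk: Risk, control: Control, accept_below: float) -> str:
    """Risk management step: pick a treatment for one risk.

    accept_below is the organisation's risk appetite (an assumed threshold):
    risks whose ALE is under it are accepted without spending on controls.
    """
    if risk.ale < accept_below:
        return "accept"
    if control_value(risk, control) > 0:
        return "mitigate"
    return "review"   # control costs more than it saves: consider transfer or avoidance


def treatment_plan(risks, controls, accept_below):
    """Rank risks by ALE and return {asset: decision}, highest risk first."""
    plan = {}
    for r in sorted(risks, key=lambda r: r.ale, reverse=True):
        plan[r.asset] = treatment(r, controls[r.asset], accept_below)
    return plan


# Constructed register: one candidate control per asset.
RISKS = [
    Risk("Customer DB", 500_000, "SQL injection", "unvalidated input", 0.4, 0.5),
    Risk("Public website", 50_000, "DDoS", "no rate limiting", 0.2, 2.0),
    Risk("Lab workstation", 2_000, "theft", "unlocked room", 1.0, 0.1),
]
CONTROLS = {
    "Customer DB": Control("code review + WAF", 30_000, 0.8),
    "Public website": Control("DDoS scrubbing service", 25_000, 0.9),
    "Lab workstation": Control("cable lock", 50, 0.5),
}

if __name__ == "__main__":
    for r in sorted(RISKS, key=lambda r: r.ale, reverse=True):
        print(f"{r.asset:16} SLE={r.sle:>10,.0f} ALE={r.ale:>10,.0f}")
    print(treatment_plan(RISKS, CONTROLS, accept_below=5_000))
```

The point of the last step is that the ranking alone does not decide the treatment: the website's ALE (20,000) is well above the threshold, but the only control on offer costs more per year than it would save, so the right outcome is "review" (look for a cheaper control, transfer the risk, or change the design), not "mitigate".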

Page 20: Computer Security

IDENTIFYING TERMS

Vulnerability – A weakness in the system that could be exploited to cause loss or harm
Threat – A set of circumstances that has the potential to cause loss or harm
Attack – When an entity exploits a vulnerability on a system
Control – A means to remove or reduce a vulnerability, or to prevent it from being exploited

Page 21: Computer Security

CLASSES OF THREATS

Disclosure – Unauthorized access to information
Deception – Acceptance of false data
Disruption – Interruption or prevention of correct operation
Usurpation – Unauthorized control of some part of a system

Page 22: Computer Security

SOME COMMON THREATS

Snooping
Unauthorized interception of information

Modification or alteration
Unauthorized change of information

Masquerading or spoofing
An impersonation of one entity by another

Repudiation of origin
A false denial that an entity sent or created something

Denial of receipt
A false denial that an entity received some information

Page 23: Computer Security

MORE COMMON THREATS

Delay
A temporary inhibition of service

Denial of Service
A long-term inhibition of service
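Three of the threats on the preceding slides (modification, masquerading, repudiation of origin) are worth seeing against one concrete control. The block below is an added example, not from the lecture slides: Alice and Bob share a secret key and attach an HMAC to each message, Mallory sits on the wire. The names, key and messages are constructed. It shows that the tag catches a modified message and a message tagged without the key, but that it cannot settle a repudiation dispute, because the receiver holds the same key and could have minted the tag himself.

```python
"""Integrity and origin checks with a shared-key MAC.

Added example, not from the lecture slides. Shows which of the threats above a
MAC addresses (modification, masquerading) and which it does not (repudiation
of origin). The parties, key and messages are constructed.
"""
import hashlib
import hmac
import secrets


def tag(key: bytes, sender: str, message: bytes) -> bytes:
    """MAC over (sender, message). Binding the claimed sender into the tag
    means renaming the sender is detected as well as changing the message."""
    return hmac.new(key, sender.encode() + b"\x00" + message, hashlib.sha256).digest()


def verify(key: bytes, sender: str, message: bytes, mac: bytes) -> bool:
    """Constant-time comparison so an attacker cannot learn tag bytes from timing."""
    return hmac.compare_digest(tag(key, sender, message), mac)


def run_scenarios(shared_key: bytes) -> dict:
    """Alice and Bob share shared_key; Mallory sits on the wire. True = tag verifies."""
    msg = b"transfer 100 to carol"
    t = tag(shared_key, "alice", msg)
    results = {"genuine": verify(shared_key, "alice", msg, t)}

    # Modification: Mallory changes the amount but can only reuse Alice's tag.
    results["modified"] = verify(shared_key, "alice", b"transfer 900 to carol", t)

    # Masquerading: Mallory has no shared key, so she tags with one of her own.
    mallory_key = secrets.token_bytes(32)
    results["masquerade"] = verify(shared_key, "alice", msg, tag(mallory_key, "alice", msg))

    # Repudiation of origin: Bob holds the same key, so he can mint a tag that
    # verifies as "from alice". The MAC therefore cannot prove to a third party
    # that Alice rather than Bob created the message; that needs a digital
    # signature, where only the sender holds the signing key.
    forged = b"transfer 900 to bob"
    results["receiver_can_forge"] = verify(shared_key, "alice", forged,
                                           tag(shared_key, "alice", forged))
    return results


if __name__ == "__main__":
    for name, ok in run_scenarios(secrets.token_bytes(32)).items():
        print(f"{name:20} verifies={ok}")
```

Note what the MAC does not do: it does not hide the message (snooping needs encryption), and it does not stop a replay of a genuine message and tag, which would need a counter or timestamp inside the tagged data.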

Page 24: Computer Security

MORE DEFINITIONS

Policy
A statement of what is and what is not allowed
Divides the world into secure and non-secure states
A secure system starts in a secure state, and all transitions keep it in a secure state

Mechanism
A method, tool, or procedure for enforcing a security policy

Page 25: Computer Security

IS THIS SITUATION SECURE?

Web server accepts all connections
No authentication required
Self-registration
Connected to the Internet

Page 26: Computer Security

POLICY EXAMPLE

University computer lab has a policy that prohibits any student from copying another student's homework files
The computers have file access controls to prevent others' access to your files
Bob does not read-protect his files
Alice copies his files
Who cheated? Alice, Bob, both, neither?

Page 27: Computer Security

MORE EXAMPLE

What if Bob posted his homework on his dorm room door?
What if Bob did read-protect his files, but Alice found a hack on the mechanism?
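The two homework slides above are really about the gap between the policy (the lab's rule) and the mechanism (the file permission bits). As an added illustration, not from the lecture, the block below models that gap as the state machine the definitions slide describes: a secure-state predicate for the policy, a separate permission check for the mechanism, and transitions that either pass the mechanism or, in the last scenario, bypass it. The students, file names and actions are constructed.

```python
"""Policy versus mechanism on the homework example.

Added illustration, not from the lecture slides. The mechanism is a per-file
'readable by others' bit enforced on every access; the policy is 'no student
may read another student's homework file'. Students, files and actions are
constructed.
"""
from dataclasses import dataclass, field


@dataclass
class File:
    owner: str
    other_read: bool = False        # mechanism: the file's read-by-others bit


@dataclass
class State:
    files: dict = field(default_factory=dict)   # filename -> File
    reads: set = field(default_factory=set)     # (reader, filename) pairs that occurred


def policy_holds(state: State) -> bool:
    """The policy's secure-state predicate: every read was by the file's owner."""
    return all(state.files[name].owner == reader for reader, name in state.reads)


def mechanism_allows(state: State, actor: str, action: str, target: str) -> bool:
    """What the access-control mechanism permits (it knows nothing of 'homework')."""
    f = state.files[target]
    if action == "read":
        return actor == f.owner or f.other_read
    if action == "chmod":
        return actor == f.owner
    raise ValueError(f"unknown action {action}")


def transition(state, actor, action, target, other_read=None, exploit=False):
    """One transition. exploit=True models a hole in the mechanism: the action
    takes effect even though the mechanism would deny it."""
    allowed = mechanism_allows(state, actor, action, target)
    occurred = allowed or exploit
    if occurred:
        if action == "chmod":
            state.files[target].other_read = other_read
        elif action == "read":
            state.reads.add((actor, target))
    return {"mechanism_allowed": allowed, "occurred": occurred, "secure": policy_holds(state)}


def fresh() -> State:
    return State(files={"bob_hw.txt": File(owner="bob")})


def scenario_unprotected():
    """Bob does not read-protect his file; Alice copies it."""
    s = fresh()
    return [transition(s, "bob", "chmod", "bob_hw.txt", other_read=True),
            transition(s, "alice", "read", "bob_hw.txt")]


def scenario_protected():
    """Bob keeps the file private; Alice's read is refused by the mechanism."""
    s = fresh()
    return [transition(s, "alice", "read", "bob_hw.txt")]


def scenario_exploit():
    """Bob protects the file, but Alice finds a hack on the mechanism."""
    s = fresh()
    return [transition(s, "alice", "read", "bob_hw.txt", exploit=True)]


if __name__ == "__main__":
    for name, fn in [("unprotected", scenario_unprotected),
                     ("protected", scenario_protected),
                     ("exploit", scenario_exploit)]:
        print(name, fn())
```

In the first scenario every step is permitted by the mechanism, yet the system ends in a state the policy calls insecure: the permission bits enforce whatever the owner set, not the lab's rule, so the "who cheated?" question is a question about the policy, not about the mechanism. In the third scenario the mechanism refuses the read and it happens anyway; that is a mechanism failure, and the only transition out of a secure state is Alice's.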

Page 28: Computer Security

TRUST AND ASSUMPTIONS

Locks prevent unwanted physical access. What are the assumptions this statement builds on?


Page 29: Computer Security

POLICY ASSUMPTIONS

Policy correctly divides world into secure and insecure states

Mechanisms prevent transition from secure to insecure states


Page 30: Computer Security

ANOTHER POLICY EXAMPLE

Bank officers may move money between accounts.

Any flawed assumptions here?


Page 31: Computer Security

ASSURANCE

Evidence of how much to trust a system
Evidence can include
System specifications
Design
Implementation
Mappings between the levels

Page 32: Computer Security

ASPIRIN ASSURANCE EXAMPLE

Why do you trust aspirin from a major manufacturer?
FDA certifies the aspirin recipe
Factory follows manufacturing standards
Safety seals on bottles

Analogy to software assurance
Software assurance is the evidence that software has the integrity, security, and reliability it claims

Page 33: Computer Security

KEY POINTS

Must look at the big picture when securing a system
Main components of information security: Confidentiality, Integrity, Availability
Differentiating Threats, Vulnerabilities, Attacks and Controls
Policy vs. Mechanism