Computer Security (CE-408)

Feb 23, 2016




Computer Security (CE-408): An Overview. Muhammad Najmul Islam Farooqui, Assistant Professor, Department of Computer Engineering. Course Tutors: Muhammad Najmul Islam Farooqui (B), Ms. Roohi Kamal (A), Mr. Muhammad Naseem (C), Mr. Hisham Naeem (DE), Mr. Noman Ali Khan (F).

Introduction to Computer Security

Computer Security (CE-408): An Overview

Muhammad Najmul Islam Farooqui
Assistant Professor
Department of Computer Engineering

Course Tutors

- Muhammad Najmul Islam Farooqui (B)
- Ms. Roohi Kamal (A)
- Mr. Muhammad Naseem (C)
- Mr. Hisham Naeem (DE)
- Mr. Noman Ali Khan (F)

Time Distribution

[Diagram: Theory 3/4, Practical 1/4; Mid Term Exam; Labs; theoretical aspects of the course; practical approach to the course]

Performance Assessment Criteria

[Diagram: Marks Distribution, total 100 points, split between Lectures and Labs; Course Work (Weekly Labs, Attendance, Assign., Quizzes); Exams (Mid Term, Final); Lab 1, Lab 2 ... Lab n]

Pre-Mid Term Course Coverage

Week. Topics Covered. Study Ref.

1. Introduction, General discussion about course contents, Historical Review of Computer Security, Threats and attacks to Data Security, A Generic Model of Network Security. Study Ref.: Pg # 31-54
2. What is Cryptography & Cryptanalysis, Concepts of Cryptographic Algorithm, Conventional Cryptographic techniques, Substitution and Transposition, Cryptanalysis Techniques. Study Ref.: Pg # 55-89
3. Introduction to S-DES, Overview and Mechanism of Encryption in DES, DES Design Principles. Study Ref.: Pg # 90-124
4. Triple Data Encryption Standard (3-DES), Modes of Operations of Symmetric Key Algorithms, International Data Encryption Algorithm (IDEA). Study Ref.: Pg # 217-241, IDEA Handout
5. Rijndael Algorithm (The Finalist of AES), Simplified AES, Mechanism of Encryption in AES. Study Ref.: Pg # 171-214
6. Key Exchange Problem, Key Exchange Approaches using Symmetric Key algorithm and Need for Public Key Cryptography. Study Ref.: Pg # 435-453
7. Number Theory, Modular Arithmetic, Euler's Function and Public Key Cryptography, Diffie-Hellman Key Exchange Algorithm. Study Ref.: Pg # 267-275, 324-332
8. Introduction to RSA, Key Generation and Encryption, Examples, RSA Applications in Network Security. Study Ref.: Pg # 290-331

Post-Mid Term Course Coverage

9. Authentication Functions, Hash Function and its properties, Secure Hashing Algorithm (SHA). Study Ref.: Pg # 351-376, 386-399
10. Digital Signature and Authentication Requirements, Message Authentication Code, Introduction to Digital Signatures, RSA Approach, Digital Signature Standard (DSS) and its proof. Study Ref.: Pg # 419-430
11. Email Security Standards, PGP Certificate and Algorithms, Introduction to Trust Models. Study Ref.: Pg # 591-599, 636-638
12. Introduction to IPSec, IPSec Security Model, IPSec modes and protocols, IPSec Technologies. Study Ref.: Pg # 639-662
13. Introduction to VPNs, VPN Features, Protocols used in VPNs, L2TP, PPTP. Study Ref.: Lecture Notes
14. Introduction & History of SSL, SSL in Client-Server Architecture, Transport Layer Security. Study Ref.: Pg # 509-543
15. Introduction to Firewalls, Components of Firewalls, Types of Firewalls. Study Ref.: Lecture Notes, Online Chapter
16. Architecture and Policies in Intrusion Detection Systems, Introduction to Viruses, and Trojans. Study Ref.: Lecture Notes, Online Chapter

Final Examination

Reading Resources

- Text Book
- Reference Books
  - Specific to the course
  - General to the topic
- Internet Sources

Text Book

Cryptography and Network Security: Principles & Practice (Fifth Edition)
By William Stallings
Prentice Hall Publication

Reference Books

Specific to the Course

- Handbook of Cryptography, by Alfred J. Menezes, Paul C. van Oorschot
- Network Security Essentials, 2nd Edition, William Stallings, Prentice Hall, 2003
- Web Security: A step-by-step Reference Guide, by Lincoln D. Stein, Addison Wesley Publication
- Internet Security Protocols: Protecting IP Traffic (Low Price Edition), by Uyless Black, Pearson Education Asia Publication

General to the Topic

- Active Defense: A Comprehensive Guide to Network Security, by Chris Brenton & Cameron Hunt

Sources

How to get what we discuss?

- Online Access
- Copy
- Copy
- Will not be provided

Codes of Conduct

- Strictly practice your attendance in the class and labs.
- No relaxation, compensation or adjustment in your attendance.
- Be in Uniform (at least in the class).
- Preserve the sanity of the class, teachers, department and the University.
- Help us in serving you for a better future.

What is Computer Security?

The protection afforded to an automated information system in order to attain the applicable objectives of preserving the integrity, availability and confidentiality of information system resources (includes hardware, software, firmware, information/data, and telecommunications) is called Computer Security.

Computer Security

Computer security is a heady concoction of science, technology, and engineering. A secure system is only as strong as the weakest link, so each part of the mix needs to be good.

Definitions

Security: The protection of assets.

Computer Security: Focuses on protecting assets within computer systems. Just as real-world physical security systems vary in their security provision (e.g., a building may be secure against certain kinds of attack, but not all), so computer security systems provide different kinds and amounts of security.

What is Computer Security?

For some, Computer Security is controlling access to hardware, software and data of a computerized system.

A large measure of computer security is simply keeping the computer system's information secure.

In broader terms, computer security can be thought of as the protection of the computer and its resources against accidental or intentional disclosure of confidential data, unlawful modification of data or programs, the destruction of data, software or hardware.

Computer security also includes the denial of use of one's computer facilities for criminal activities including computer related fraud and blackmail.

Finally, computer security involves the elimination of weaknesses or vulnerabilities that might be exploited to cause loss or harm.

The Need for Computer Security

- Why the need for Computer Security?
- The value of computer assets and services
- What is the new IT environment?
- Networks and distributed applications/services
- Electronic Commerce (E-commerce, E-business)

The Value of Computer Assets and Services

Most companies use electronic information extensively to support their daily business processes. Data is stored on customers, products, contracts, financial results, accounting etc. If this electronic information were to become available to competitors or to become corrupted, false or disappear, what would happen? What would the consequences be? Could the business still function?

Network Security Issues

- The network is the computer.
- Proliferation of networks has increased security risks much more.
- Sharing of resources increases complexity of system.
- Unknown perimeter (linked networks), unknown path.
- Many points of attack.
- Computer security has to find answers to network security problems.
- Hence today the field is called Computer and Network Security.

Security Trends

Is there a Security Problem in Computing?

- Computer fraud in the U.S. alone exceeds $3 billion each year.
- Less than 1% of all computer fraud cases are detected; over 90% of all computer crime goes unreported.
- Although no one is sure how much is lost to EFT crime annually, the consensus is that the losses run in the billions of dollars. Yet few in the financial community are paying any heed.
- Average computer bank theft amounts to $1.5 million.

Computer Security Losses

Security Technologies Used

Natural Disasters: Another Dimension

- Millions of dollars of damage resulted from the 1989 San Francisco earthquake.
- The fire at Subang International Airport knocked out the computers controlling the flight display system. A post office near the Computer Room was also affected by the soot which decommissioned the post office counter terminals. According to the caretaker, the computers were not burnt but crashed because soot entered the hard disks.
- Fire, Earthquakes, Floods, Electrical hazards, etc.
- How to prevent?

Computer Security Requirements

- Secrecy
- Integrity
- Availability
- Authenticity
- Non-repudiation
- Access control

Secrecy (Confidentiality)

Secrecy requires that the information in a computer system only be accessible for reading by authorized parties. This type of access includes:

- Printing
- Displaying
- Other forms of disclosure, including simply revealing the existence of an object

Integrity

Integrity requires that the computer system asset can be modified only by authorized parties. Modification includes:

- Writing
- Changing
- Changing status
- Deleting and Creating

Availability

Availability requires that computer system assets are available to authorized parties.

Availability is a requirement intended to assure that systems work promptly and service is not denied to authorized users.

More About Integrity

Integrity: In lay usage, information has integrity when it is timely, accurate, complete, and consistent. However, computers are unable to provide or protect all of these qualities. Therefore, in the computer security field, integrity is often discussed more narrowly as having two facets: data integrity and system integrity.

Data integrity is a requirement that information and programs are changed only in a specified and authorized manner.

System integrity is a requirement that a system performs its intended function in an unimpaired manner, free from deliberate or inadvertent unauthorized manipulation of the system.

The definition of integrity has been, and continues to be, the subject of much debate among computer security experts.

Security of Data

[Diagram: Data; Data Confidentiality; Data Integrity; Data Availability; Secure Data]

Authenticity

Authenticity means that parties in an information service can ascertain the identity of parties trying to access information services.

It also means that the origin of the message is certain.

Therefore there are two types:

- Principal Authentication
- Message Authentication

Originator of communications can't deny it later. Without non-repudiation you could place an