IS 302: Information Security and Trust Week 1: Introduction to IST, Security, and Networks 2013
© Yingjiu Li 2005 2
Course material
– My web site
– eLearn
Basic Modules
• Background (1 week)
• Applied Crypto (4 wks)
• Network Security (4 wks)
• Access Control (1 wk)
• Project Presentations (2 wk)
Security in Computing: International Edition
Author: Charles P. Pfleeger, Shari Lawrence Pfleeger
Edition: 4th edition
ISBN: 9780136012962
Information Security & Trust
Available in your school bookshop!
Grading
• Individual Assignment (10%)
– Assignment 1 (week 3)
– Assignment 2 (week 10)
• Group Project (25%)
– Presentation (15%) + report (10%)
– Outline due in week 9 (Friday)
– Presentation in weeks 12 and 13 (15%)
– Final report due in week 14 (10%)
• Midterm Quiz (15%; week 7)
• Final Exam (40%; week 15)
– SMU final exam policy: Students are not allowed to reschedule their examination or request for special arrangements of the examination from instructors.
• Attendance and Participation (10%)
Policies
• Honor code
– No plagiarism or cheating (SMU Code of Student Conduct)
• Due time (assignments, project, quiz, exam)
– Strictly enforced
– Points (~10%) may be deducted for late turn-in
• Excuses
– No excuse for project, midterm quiz, and final exam
– Must be approved beforehand
• Class arrangement
Introduction to Networks
Robert Deng/SMU 8
Network Architecture
[Figure: Host A on Subnet 1 and Host B on Subnet 2, each running App A and App B, joined by a Router; Internet level and Link level]
The Internet Protocol Layers
[Figure: Host A and Host B each run the layer stack Apps / TCP/UDP / IP / D-Link / Physical and communicate across the Internet]
IP datagram/packet:
– IP header: Src IP Adr; Des IP Adr
– TCP/UDP header: Src Port#; Des Port#
– Payload
Terminology
• IP Address: An Internet identifier for each network interface (Address of a building)
– Example: 202.161.41.246
• Port Number: An identifier for an application in a host (Room number in a building)
• Hostname: An Internet name of a host (Name of a building)
– Example: www.smu.edu.sg
• Domain name: An identifier of a domain, which is a network of associated hosts
– Example: smu.edu.sg
Router
• The postman in the Internet
– stores and forwards IP packets
• On arrival of an IP packet, it makes a routing decision based on the packet’s destination IP address.
• Routing decision: choose the next router to forward the packet to, based on a routing table
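The routing decision above as an added example (not part of the original slides). The table entries and next-hop names are constructed, and the longest-prefix-match rule and TTL decrement are standard IPv4 forwarding behaviour the slide does not spell out. Note that the decision never looks at the source address, so a source address alone does not prove where a packet came from.

```python
import ipaddress

# Constructed routing table: (destination prefix, next hop). Names are hypothetical.
ROUTING_TABLE = [
    ("0.0.0.0/0", "isp-gateway"),        # default route
    ("202.161.0.0/16", "campus-core"),
    ("202.161.41.0/24", "router-b"),
    ("10.0.0.0/8", "internal-core"),
]


def next_hop(dst_ip: str, table=ROUTING_TABLE) -> str:
    """Pick the next router: the most specific prefix containing dst_ip wins."""
    dst = ipaddress.ip_address(dst_ip)
    best = None
    for prefix, hop in table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    if best is None:
        raise LookupError("no route to " + dst_ip)
    return best[1]


def forward(packet: dict, table=ROUTING_TABLE):
    """Store-and-forward step: returns (next hop, packet to send) or None if dropped."""
    if packet["ttl"] <= 1:
        return None  # TTL expired: the router drops the packet
    # Only packet["dst"] is consulted; packet["src"] plays no part in the decision.
    return next_hop(packet["dst"], table), {**packet, "ttl": packet["ttl"] - 1}


if __name__ == "__main__":
    for dst in ("202.161.41.246", "202.161.7.7", "74.125.79.105"):
        print(dst, "->", next_hop(dst))
```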
Domain Name System (DNS)
A service translating “Names” to “IP addresses”
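[Figure: DNS lookup of www.google.com by your laptop, through the local DNS server (ns01.staff.smu.edu.sg) and the authoritative DNS server (dns.google.com)]
1. your laptop → local DNS server: www.google.com
2. local DNS server → authoritative DNS server: www.google.com
3. authoritative DNS server → local DNS server: 74.125.79.105
4. local DNS server → your laptop: 74.125.79.105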
Transport services and protocols
• Provide logical communication between app processes running on different hosts
• Transport protocols run in end systems
– sending side: breaks app messages into segments, passes to network
– receiving side: reassembles segments into messages, passes to applications
• More than one transport protocol available to apps
– Internet: TCP and UDP
[Figure: logical end-end transport between Host A and Host B; the end hosts run application / TCP/UDP / network / data link / physical, the nodes between them run only network / data link / physical]
Internet Transport Layer Protocols
• Reliable, in-order delivery (TCP)
– connection setup
• Unreliable, unordered delivery: UDP
• Services not available:
– delay guarantees
– bandwidth guarantees
Port Number
• Port: identity of an application
• IP address + port number can uniquely identify an application running in a host in the Internet.
• Well-known Port numbers:
– Web: TCP port 80
– Email Transportation: TCP port 25
– Email Retrieval: TCP port 110
– DNS: UDP port 53
• Both the client and the server need to specify their port numbers for data transmission.
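An added example (not part of the original slides) that ties the IP datagram layout from the protocol-layers slide to the port numbers above: it reads the source/destination addresses and ports out of raw bytes, the same fields a packet filter or firewall rule matches on. The sample datagrams are constructed; the source address 192.0.2.10 and the function names are assumptions.

```python
import ipaddress
import struct

# Well-known ports from the Port Number slide; protocol numbers are IPv4's.
WELL_KNOWN = {("TCP", 80): "Web", ("TCP", 25): "Email Transportation",
              ("TCP", 110): "Email Retrieval", ("UDP", 53): "DNS"}
PROTOCOLS = {6: "TCP", 17: "UDP"}


def parse_datagram(raw: bytes) -> dict:
    """Split an IPv4 datagram into addresses, ports and payload."""
    if len(raw) < 20:
        raise ValueError("shorter than the minimum IPv4 header")
    version, ihl = raw[0] >> 4, (raw[0] & 0x0F) * 4  # IHL counts 32-bit words
    if version != 4 or ihl < 20 or len(raw) < ihl:
        raise ValueError("malformed IPv4 header")
    proto = PROTOCOLS.get(raw[9])
    if proto is None:
        raise ValueError("transport protocol is neither TCP nor UDP")
    src_ip, dst_ip = (str(ipaddress.IPv4Address(raw[o:o + 4])) for o in (12, 16))
    segment = raw[ihl:]
    if len(segment) < (20 if proto == "TCP" else 8):
        raise ValueError("truncated transport header")
    src_port, dst_port = struct.unpack("!HH", segment[:4])
    # TCP states its own header length (data offset); a UDP header is 8 bytes.
    hdr_len = (segment[12] >> 4) * 4 if proto == "TCP" else 8
    if hdr_len > len(segment) or (proto == "TCP" and hdr_len < 20):
        raise ValueError("bad transport header length")
    return {"proto": proto, "src": (src_ip, src_port), "dst": (dst_ip, dst_port),
            "service": WELL_KNOWN.get((proto, dst_port), "unknown"),
            "payload": segment[hdr_len:]}


def sample_datagram(proto: int, sport: int, dport: int, payload: bytes) -> bytes:
    """Constructed test input: 192.0.2.10 -> 202.161.41.246, checksums zeroed."""
    if proto == 6:  # 20-byte TCP header, data offset 5, flags PSH+ACK
        transport = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 0, 0, 0)
    else:           # 8-byte UDP header
        transport = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    total = 20 + len(transport) + len(payload)
    ip_header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, proto, 0,
                            ipaddress.IPv4Address("192.0.2.10").packed,
                            ipaddress.IPv4Address("202.161.41.246").packed)
    return ip_header + transport + payload


if __name__ == "__main__":
    print(parse_datagram(sample_datagram(17, 49152, 53, b"constructed query")))
```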
HTTP overview
HTTP: hypertext transfer protocol
• Web’s application layer protocol
• client/server model
– client: browser that requests, receives, “displays” Web objects
– server: Web server sends objects in response to requests
• HTTP 1.0: RFC 1945
• HTTP 1.1: RFC 2068
[Figure: a PC running Explorer and a Mac running Navigator send HTTP requests to, and receive HTTP responses from, a server running Apache Web server]
Server:
• always on
• fixed address
HTTP has nothing to do with how a web page is interpreted
Electronic Mail
Three major components:
• User agents
• Mail servers
• Simple mail transfer protocol: SMTP
User Agent
• “mail reader”
• Composing, editing, reading mail messages
• e.g., Eudora, Outlook, elm, Netscape Messenger
• Outgoing, incoming messages stored on server
[Figure: user agents attached to mail servers, each mail server holding user mailboxes and an outgoing message queue; the mail servers are linked by SMTP]
Mathematical Notation
Good news: You are not required to compute the modular inverse.
Introduction to Information Security
Motivation
• To fight against cybercrime
• I can attack U
Achieve CIA
INTEGRITY
AVAILABILITY
CONFIDENTIALITY
Objectives
• Confidentiality (secrecy, privacy)
– Information is not exposed to unauthorized parties.
• Integrity
– Information is not modified by unauthorized parties.
• Availability
– Information can be accessed by authorized parties at proper time.
© Yingjiu Li 2005 R. Sandhu 24
CIA-U
INTEGRITY
AVAILABILITY
CONFIDENTIALITY
USAGE
4th Objective
• Usage
– Information is not misused by authorized parties
Mitigate TVA
• Threat
– Something bad could happen
• Vulnerability
– Weakness in an information system could be exploited
• Attack
– Some vulnerabilities are actually exploited by some adversary, which may result in security incidents
Sources of Cybersecurity Threats (United States Government Accountability Office GAO-10-606)
• Bot-network operators
– Use a network, or bot-net, of compromised, remotely controlled systems to coordinate attacks and to distribute phishing schemes, spam, and malware attacks. The services of these networks are sometimes made available on underground markets.
• Criminal groups
– Seek to attack systems for monetary gain (e.g., identity theft and online fraud) or conduct industrial espionage. They hire or develop hacker talent.
• Hackers
– Break into networks for the thrill of the challenge, bragging rights in the hacker community, revenge, stalking others, and monetary gain, among other reasons
• Insiders
– Includes disgruntled employees, contractors hired by the organization, as well as employees who accidentally introduce malware into systems.
• Nations
– Nations use cyber tools as part of their information-gathering and espionage activities. In addition, several nations are aggressively working to develop information warfare doctrine, programs, and capabilities.
• Phishers
– Individuals, or small groups, execute phishing schemes in an attempt to steal identities or information for monetary gain
• Spammers
– Individuals or organizations distribute unsolicited e-mail with hidden or false information in order to sell products, conduct phishing schemes, distribute spyware/malware, or attack organizations (i.e., denial of service).
• Spyware/malware authors
– Individuals or organizations with malicious intent carry out attacks against users by producing and distributing spyware and malware.
• Terrorists
– Seek to destroy, incapacitate, or exploit critical infrastructures in order to threaten national security, cause mass casualties, weaken a nation’s economy, and damage public morale and confidence.
Attacks
Difficult to detect but relatively easy to counteract
Difficult to prevent absolutely but relatively easy to detect; the goal is to detect them and to recover from any disruption
How secure are we?
Hardware and Software Grow
• Moore’s law
– (Hardware) processing power doubles every 18 months
• Gates’ law
– Software grows to use all processing power
• Multics 1970: ~55k lines of code
• Windows 2000: ~55M lines of code
More Vulnerabilities
• Neumann’s law
– Number of vulnerabilities is proportional to the square of software size
High Network Value
• Metcalfe’s law
– Value of a network is proportional to the square of number of users
– Internet 1970: ~10K users
– Internet 2005: ~1B users
High Security Risk
• Evan’s Law
– Security risk is the product of the number of vulnerabilities and the value of network
Even Worse: Defense is So Hard
– An intruder only needs to find one vulnerability
– Defender needs to control all possible vulnerabilities
• Features of cyber attacks
– Action at a distance (difficult to trace & prosecute)
– Propagation of attacking techniques (hacker groups, bulletin boards; only the 1st needs skill, the rest just use the s/w)
Principle of Easiest Penetration
An intruder can exploit any vulnerability to launch an attack
What can we do about security?
How to Achieve Security Objectives
• Policy
– What to protect
• Mechanism
– How to protect
• Assurance
– How well is protection
[Figure: Policy, Mechanism, Assurance, Security]
Can We Hide?
• Security by Obscurity
– A system would be secure if we hide its insides?
• It won’t work well
– Vendor independent standards
– Open source
– Widespread knowledge and expertise
• Kerckhoffs Principle (1883): Only the key should be kept secret, while the algorithm itself should be publicly known.
Can We Instruct?
• Security by legislation
– A system will be secure if we instruct users to behave in a secure, ethical and lawful manner
– Example: Corporate Acceptable Use Policy
• It is not adequate
– Users’ cooperation is important; however, it should not be our main focus for achieving security
– Attackers (outsider and insider attackers) will not follow instructions
Tradeoffs
• Security is not free
Security
Functionality/performance
Ease of use/ compatibility
Cost
Discussion
• Good security and bad security
Project
• Project (25%)
– Investigation on a security/privacy related topic (each team chooses a different topic)
– Project presentation (15%)
• Presentation organization (5%)
• Technical description (5%)
• Q&A (5%)
• Timing: 20~25 min presentation + 5~10 min Q&A
– Final report (10%)
• Breadth (5%)
• Depth (5%)
Project – Due Time
• Project outline is due in week 9.
• Project presentation is scheduled in weeks 12 and 13.
• Project report is due in week 14.
Topics
1) Web browser security
2) SSL security issues and solutions
3) Privacy leakage and control in online social networks
4) Authentication and anonymity in location based services
5) Differential privacy
6) Android permission models and enforcement
7) iOS malware and detection
8) Android malware and detection
9) Timing based attestation
10) Password strength measurements
Must do before next class
• Download and install CrypTool
– http://www.cryptool.org/en/ct1-download-en
• CrypTool 1.4.30 - English version
• CrypTool 1.4.31 Beta 05 - English version
• We will use this tool frequently in class