IS 302: Information Security and Trust Week 1: Introduction to IST, Security, and Networks 2013.

IS 302: Information Security and TrustWeek 1: Introduction to IST, Security, and

Networks

2013

© Yingjiu Li 2005 2

Course material– My web site – eLearn


Basic Modules

Background (1 week) Background (1 week)

Applied Crypto(4 wks)

Applied Crypto(4 wks)

Network Security(4 wks)

Network Security(4 wks)

Access Control(1 wk)

Access Control(1 wk)

Project Presentations (2 wk)

Security in Computing: International EditionAuthor: Charles P. Pfleeger

Shari Lawrence Pfleeger

Edition: 4th edition

ISBN: 9780136012962

Information Security & Trust

Available in your school bookshop!


Grading• Individual Assignment (10%)

– Assignment 1(week 3)– Assignment 2 (week 10)

• Group Project (25%) – Presentation (15%) + report (10%)– Outline due in week 9 (Friday)– Presentation in weeks 12 and 13 (15%)– Final report due in week 14 (10%)

• Midterm Quiz (15%; week 7) • Final Exam (40%; week 15)

– SMU final exam policy: Students are not allowed to reschedule their examination or request for special arrangements of the examination from instructors.

• Attendance and Participation (10%)


Policies• Honor code

– No plagiarism or cheating (SMU Code of Student Conduct)

• Due time (assignments, project, quiz, exam)– Strictly enforced

– Points (~10%) may be deducted for late turn-in

• Excuses– No excuse for project, midterm quiz, and final exam

– Must be approved before hand

• Class arrangement

Introduction to NetworksIntroduction to Networks

Robert Deng/SMU 8

Network Architecture

InternetLink Level

Subnet 1Subnet 2

App A

App B

App A

App B

Host A Host B

Router

Robert Deng/SMU 9

The Internet Protocol Layers

Apps

TCP/UDP

IP

D-Link

Physical

Apps

TCP/UDP

IP

D-Link

Physical

Host A Host B

Internet

Src IP Adr; Des IP Adr Src Port#; Des Port# Payload

IP header TCP/UDP header

IP datagram/packet

10

Terminology• IP Address: An Internet identifier for each network

interface (Address of a building)– Example: 202.161.41.246

• Port Number: An identifier for an application in a host (Room number in a building)

• Hostname: An Internet name of a host (Name of a building)– Example: www.smu.edu.sg

• Domain name: An identifier of a domain, which is a network of associated hosts– Example: smu.edu.sg

11

Router

• The postman in the Internet– stores and forwards IP packets

• On arrival of an IP packet, it makes a routing decision based on the packet’s destination IP address.

• Routing decision: to choose the next router to forward the packet, based on a routing table

12

Domain Name System (DNS)

A service translating “Names” to “IP addresses”

your laptopwww.google.com

local DNS serverns01.staff.smu.edu.sg

1. w

ww

.goo

gle.

com

2. www.google.com

authoritative DNS serverdns.google.com

3. 74.125.79.105

4. 7

4.12

5.79

.105

13

Transport services and protocols• Provide logical communication

between app processes running on different hosts

• Transport protocols run in end systems

– sending side: breaks app messages into segments, passes to network

– receiving side: reassembles segments into messages, passes to applications

• More than one transport protocol available to apps

– Internet: TCP and UDP

Host A

Host B

application

TCP/UDPnetworkdata linkphysical

application


networkdata linkphysical



networkdata linkphysicalnetwork

data linkphysical

logical end-end transport

14

Internet Transport Layer Protocols

• Reliable, in-order delivery (TCP)– connection setup

• Unreliable, unordered delivery: UDP

• Services not available: – delay guarantees

– bandwidth guarantees

application


application





networkdata linkphysicalnetwork

data linkphysical

logical end-end transport

15

Port Number• Port: identity of an application• IP address + port number can uniquely identify an

application running in a host in the Internet.• Well-known Port numbers:

– Web: TCP port 80– Email Transportation: TCP port 25– Email Retrieval: TCP port 110– DNS: UDP port 53

• Both the client and the server need to specify their port numbers for data transmission.

17

HTTP overview

HTTP: hypertext transfer

protocol

• Web’s application layer protocol

• client/server model

– client: browser that requests,

receives, “displays” Web

objects

– server: Web server sends

objects in response to requests

• HTTP 1.0: RFC 1945

• HTTP 1.1: RFC 2068

PC runningExplorer

Server running

Apache Webserver

Mac runningNavigator

HTTP request

HTTP request

HTTP response

HTTP response

Server:• always on• fixed address

HTTP has nothing to do with how a web page is interpretedHTTP has nothing to do with how a web page is interpreted

18

Electronic MailThree major components: • User agents

• Mail servers

• Simple mail transfer protocol: SMTP

User Agent• “mail reader”

• Composing, editing, reading mail messages

• e. g., Eudora, Outlook, elm, Netscape Messenger

• Outgoing, incoming messages stored on server

user mailbox

outgoing message queue

mailserver

useragent

useragent

useragent

mailserver

useragent

useragent

mailserver

useragent

SMTP

SMTP

SMTP

Mathematic Notation

19

Good news: You are not required to compute the modular inverse.


Introduction to

Information Security

Motivation

• To fight against cybercrime

• I can attack U



Achieve CIA

INTEGRITY

AVAILABILITY

CONFIDENTIALITY


Objectives

• Confidentiality (secrecy, privacy)– Information is not exposed to unauthorized

parties.

• Integrity– Information is not modified by unauthorized

parties.

• Availability– Information can be accessed by authorized

parties at proper time.

© Yingjiu Li 2005 R. Sandhu 24

CIA-U

INTEGRITY

AVAILABILITYCONFIDENTIALITY

USAGE


4th Objective

• Usage– Information is not misused by authorized

parties


Mitigate TVA

• Threat– Something bad could happen

• Vulnerability– Weakness in an information system could be

exploited

• Attack– Some vulnerabilities are actually exploited by

some adversary, which may result in security incidents

27

Sources of Cybersecurity Threats(United States Government Accountability Office GAO-10-606)

Bot-network operators

Use a network, or bot-net, of compromised, remotely controlled systems to coordinate attacks and to distribute phishing schemes, spam, and malware attacks. The services of these networks are sometimes made available on underground markets.

Criminal groups Seek to attack systems for monetary gain (e.g., identity theft and online fraud) or conduct industrial espionage. They hire or develop hacker talent.

Hackers Break into networks for the thrill of the challenge, bragging rights in the hacker community, revenge, stalking others, and monetary gain, among other reasons

Insiders Includes disgruntled employees, contractors hired by the organization, as well as employees who accidentally introduce malware into systems.

Nations Nations use cyber tools as part of their information-gathering and espionage activities. In addition, several nations are aggressively working to develop information warfare doctrine, programs, and capabilities.

Phishers Individuals, or small groups, execute phishing schemes in an attempt to steal identities or information for monetary gain

Spammers Individuals or organizations distribute unsolicited e-mail with hidden or false information in order to sell products, conduct phishing schemes, distribute spyware/malware, or attack organizations (i.e., denial of service).

Spyware/malware authors

Individuals or organizations with malicious intent carry out attacks against users by producing and distributing spyware and malware.

Terrorists Seek to destroy, incapacitate, or exploit critical infrastructures in order to threaten national security, cause mass casualties, weaken a nation’s economy, and damage public morale and confidence.

Robert Deng/SMU 28

Attacks

Difficult to detect but relatively easy to counteract

Difficult to prevent absolutely but relatively easy to detect; the goal is to detect them and to recover from any disruption


How secure are we?


Hardware and Software Grow

• Moore’s law– (Hardware) processing power doubles every 18

months

• Gates’ law – Software grows to use all processing power

• Multics 1970: ~55k lines of code

• Windows 2000: ~55M lines of code


More Vulnerabilities

• Neumann’s law– Number of vulnerabilities is proportional to the

square of software size


High Network Value

• Metcalfe’s law– Value of a network is proportional to the square

of number of users– Internet 1970: ~10K users– Internet 2005: ~1B users


High Security Risk

• Evan’s Law– Security risk is the product of the number of

vulnerabilities and the value of network

34

Even Worse: Defense is So Hard

– An intruder only needs to find one vulnerability

– Defender needs to control all possible vulnerabilities

• Features of cyber attacks– Action at a distance (difficult to trace & prosecute)

– Propagation of attacking techniques (hacker groups, bulletin boards; only the 1st needs skill, the rest just use the s/w)

Principle of Easiest Penetration

An intruder can exploit any vulnerability to launc an attack


What can we do

about security?


How to Achieve Security Objectives

• Policy– What to protect

• Mechanism– How to protect

• Assurance– How well is protection

Policy

Mechanism

Assurance

Security

37

Can We Hide?• Security by Obscurity

– A system would be secure if we hide its insides?

• It won’t work well– Vendor independent standards

– Open source

– Widespread knowledge and expertise

• Kerckhoffs Principle (1883): Only the key should be kept secret, while the algorithm itself should be publicly known.

38

Can We Instruct?

• Security by legislation– A system will be secure if we instruct users to behave

in a secure, ethical and lawful manner

– Example: Corporate Acceptable Use Policy

• It is not adequate– Users’ cooperation is important; however, it should not

be our main focus for achieving security

– Attackers (outsider and insider attackers) will not follow instructions


Tradeoffs

• Security is not free

Security

Functionality/performance

Ease of use/ compatibility

Cost


Discussion

• Good security and bad security


Project

• Project (25%) – Investigation on a security/privacy related topic (each team

chooses a different topic)

– Project presentation (15%)

• Presentation organization (5%);

• Technical description(5%)

• Q&A (5%)

• Timing: 20~25 min presentation + 5~10 min Q&A

– Final report (10%)

• Breadth (5%)

• Depth (5%)


Project – Due Time• Project outline is due in week 9.

• Project presentation is scheduled in weeks 12 and 13.

• Project report is due in week 14.


Topics 1) Web browser security

2) SSL security issues and solutions

3) Privacy leakage and control in online social networks

4) Authentication and anonymity in location based services

5) Differential privacy

6) Android permission models and enforcement

7) iOS malware and detection

8) Android malware and detection

9) Timing based attestation

10) Password strength measurements


Must do before next class

• Download and install Cryptool– http://www.cryptool.org/en/ct1-download-en

• CrypTool 1.4.30 - English version

• CrypTool 1.4.31 Beta 05 - English version

• We will use this tool frequently in class

IS 302: Information Security and Trust Week 1: Introduction to IST, Security, and Networks 2013.

Documents