CIT 480: Securing Computer Systems


CIT 480: Securing Computer Systems Security Fundamentals

About Me James Walden Associate Professor of Computer Science waldenj@nku.edu http://faculty.cs.nku.edu/~waldenj Interests: Software Security Mobile Application Security Web Application Security Empirical Software Engineering

Topics: What is Security? Security Concepts (Confidentiality, Integrity, Availability). States of Information. Policies and Principles. Security Controls.

What is Security? Security is the prevention of certain types of intentional actions from occurring in a system. The actors who might attack a system are threats. Threats carry out attacks to compromise a system. Objects of attacks are assets.

We all have Assets: The Value of a Hacked PC http://krebsonsecurity.com/2012/10/the-scrap-value-of-a-hacked-pc-revisited/

Safety vs Security Adversary: An intelligent attacker who intentionally causes the system to fail. Safety Home: fire alarm. Car: crumple zones. Computer: UPS. Security Home: door lock. Car: alarm. Computer: Login password. Safety and security can interact: Who is watching your computer room after the fire alarm was pulled?

Components of Security Integrity Confidentiality Availability

Confidentiality Confidentiality is the avoidance of the unauthorized disclosure of information. Examples where confidentiality is critical: Personal information Trade secrets Military plans

Security Controls for Confidentiality Access Control: rules and policies that limit access to certain people and/or systems. File permissions (which users can access) Firewall settings (which IP addresses can access) Encryption: transforming information so that it can only be read using a secret key. AES SSL

Integrity Integrity is the property that information has not been altered in an unauthorized way. Examples where integrity is critical: Operating system files Software updates and downloads Bank account records

Security Controls for Integrity Backups: periodic archiving of data. Checksums: the computation of a function that maps the contents of a file to a numerical value. Intrusion detection: systems that look for signatures of attacks or that verify that all system software matches correct checksums.

Availability Availability is the property that information is accessible and modifiable in a timely fashion by those authorized to do so. Examples where availability is critical: E-commerce site Authentication server for your network Current stock quotes

Security Controls for Availability Physical protections: infrastructure meant to keep information available even in the event of physical challenges. Backup generators Disaster recovery site Computational redundancies: computers and storage devices that serve as fallbacks in the case of failures. Backup tapes RAID

Other Security Components Authenticity Anonymity Assurance

States of Information Storage: information in permanent storage (disk or tape) that is not currently being accessed. Processing: information in memory (RAM or cache) that is currently being used by a program. Transmission: information in transit between one node and another on a network.

Securing Information in All States Internet Information in Transmission Information in Storage Information in Processing

Security Policies A security policy is a definition of what it means to be secure for a system or organization. Security controls are used to enforce security policies. Security policies hold even in the absence of a control to protect a system, e.g. you can commit a crime by entering someone’s house even if they didn’t lock the door. Examples: http://oit.nku.edu/security/policies-and-guidelines.html Acceptable Use Policy Antivirus Policy Security Policy LISTSERV and Mass Email Policy

Security Principles: Economy of mechanism, Fail-safe defaults, Complete mediation, Open design, Separation of privilege, Least privilege, Least common mechanism, Psychological acceptability, Work factor, Compromise recording.

Security Controls Security controls are policies, technologies, or human factors that avoid, reduce, or counteract security risks. Controls act in three main ways: Prevention: prevent attackers from violating security policy. Ex: firewall. Detection: detect attackers’ violation of security policy. Ex: anti-virus. Recovery: stop attack, assess and repair damage. Ex: backups.

Types of Security Controls Technologies Hardware/software used to ensure confidentiality, integrity, or availability. Policy and practice. Security requirements and activities. Education, training, and awareness. Understanding of threats and vulnerabilities and how to protect against them.

Control Example: Authentication Authentication: the determination of the identity or role that someone has. Need to authenticate an entity before applying access control. Something you are: human with fingers and eyes. Something you know: password=ucIb()w1V, mother=Jones, pet=Caesar. Something you have: radio token with secret keys.

How to evaluate security controls? What assets are you trying to protect? What are the risks to those assets? How well does the security control mitigate those risks? What other risks does the security control cause? What costs and trade-offs does the security control impose?

Example: Password Vault Asset: passwords. Risks: use of passwords by someone else to gain access to private email, bank, health information. Mitigate: encrypted storage prevents use of passwords without vault key. Other risks: lose access to all passwords if you forget the vault key. Costs/tradeoffs: if vault is on PC, lose access elsewhere. If vault is networked, passwords may not be encrypted in transit, will be accessible to attackers who don’t have access to your PC.

Security is a matter of Trade-offs Security is only one of many system goals: Functionality Usability Efficiency Time to market Cost Security Security does not end when the system is completed. Its operation affects security. A “secure” system can be breached by improper operation (for example, when accounts with no passwords are created). The question is how to assess the effect of operational issues on security.

Aspects of Risks To evaluate a risk, we need to evaluate both: Probability of risk occurring. Cost incurred by risk if it occurs. Minimize product of probability and cost. Risks are impacted by environment. Building a house in a flood plain incurs additional risks beyond that of house itself. Similarly, installation and configuration options impact risk of software systems.

Cost-Benefit Analysis Is it cheaper to prevent violation or recover? Cost of good network security: Money, time, reduced functionality, annoyed users. Large and ongoing. Risks of bad network security: Angry customers, bad press, network downtime. Small and temporary. Cost-Benefit Analysis: this weighs the cost of protecting data and resources with the costs associated with losing the data. Among the considerations are the overlap of mechanisms’ effects (one mechanism may protect multiple services, so its cost is amortized), the non-technical aspects of the mechanism (will it be impossible to enforce), and the ease of use (if a mechanism is too cumbersome, it may cost more to retrofit a decent user interface than the benefits would warrant). Risk Analysis: what happens if the data and resources are compromised? This tells you what you need to protect and to what level. Cost-benefit analyses help determine the risk here, but there may be other metrics involved (such as customs).

Security: Laws and Customs Are desired security measures illegal? Cryptography export before 2000. Is it legal to monitor security break-ins? International commerce. Will users circumvent them? Writing down passwords. Removing file ACLs. Laws and Customs: these constrain what you can do. Encryption used to be the biggie here, as the text indicates. How much that has changed is anybody’s guess. Customs involve non-legislated things, like the use of urine specimens to determine identity. That is legal, at least in the US in some cases; but it would never be widely accepted as an alternative to a password.

Security Liability Product liability: Tires: Continental recalled Ford SUV tires in 2002 due to wire and vibration problems. Software: Manufacturer not liable for security flaws. Since Microsoft isn’t liable for Windows security failures, why would they want to sacrifice money, time, functionality, and ease of use for security?

Assumptions Security rests on assumptions specific to type of security required and environment. Example: TCP/IP designed for pre-commercial Internet. Assumed only legitimate admins had root access. Trusted IP addresses, since only root can set IP addr. What happens to network when everyone has personal devices with administrative (root) access?

What do you trust? Your vendor’s software: “Yet another picture frame malware incident” http://blog.trendmicro.com/trendlabs-security-intelligence/yet-another-digital-picture-frame-malware-incident/ Your encryption libraries: RSA warns customers to stop using BSAFE lib http://rt.com/usa/nsa-weak-cryptography-rsa-110/ Your ISP: ISP hijacks DNS and adds affiliates to URLs http://erichelgeson.github.io/blog/2013/12/31/i-fought-my-isps-bad-behavior-and-won/

Can you trust your compiler? Ken Thompson’s compiler hack from “Reflections on Trusting Trust.” Modified C compiler does two things: If compiling a compiler, inserts the self-replicating code into the executable of the new compiler. If compiling login, inserts code to allow a backdoor password. After recompiling and installing old C compiler: Source code for Trojan horse does not appear anywhere in login or C compiler. Only method of finding Trojan is analyzing binary.

Key Points Definitions: Security, security policy, security control, threat, attack, asset. Components of security: Confidentiality, Integrity, Availability. Protect CIA in all states of information: Storage, Processing, Transmission. Security Controls: Technology, policy, education. Cost-Benefit Analysis: Probability × cost of the risk. Policy and Principles.

References Anderson, Security Engineering 2nd Edition, Wiley, 2008. Bishop, Computer Security: Art and Science, Addison-Wesley, 2002. Goodrich and Tamassia, Introduction to Computer Security, Pearson, 2011.