Introductory Computer Security

Slides:



Advertisements
Similar presentations
Chapter 1  Introduction 1 Chapter 1: Introduction.
Advertisements

Cryptography and Network Security 2 nd Edition by William Stallings Note: Lecture slides by Lawrie Brown and Henric Johnson, Modified by Andrew Yang.
Introduction and Logistics Amir Houmansadr CS660: Advanced Information Assurance Spring 2015.
September 10, 2012Introduction to Computer Security ©2004 Matt Bishop Slide #1-1 Chapter 1: Introduction Components of computer security Threats Policies.
Chap 1: Overview Concepts of CIA: confidentiality, integrity, and availability Confidentiality: concealment of information –The need arises from sensitive.
1 Overview CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute March 8, 2004.
1 Cryptography and Network Security Third Edition by William Stallings Lecturer: Dr. Saleem Al_Zoubi.
1 An Overview of Computer Security computer security.
Chapter 1: Introduction Components of computer security Threats Policies and mechanisms The role of trust Assurance Operational Issues Human Issues Computer.
July 1, 2004Computer Security: Art and Science © Matt Bishop Slide #1-1 Chapter 1: Introduction Components of computer security Threats Policies.
April 1, 2004ECS 235Slide #1 Chapter 1: Introduction Components of computer security Threats Policies and mechanisms The role of trust Assurance Operational.
CSCD 434 Spring 2011 Lecture 1 Course Overview. Contact Information Instructor Carol Taylor 315 CEB Phone: Office.
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
Introduction to Computer Security: Terminology, Security Policy ECE 422 / CS Fall 2013 *Acknowledgment: Thanks to Susan Hinrichs for her slides.
Topics in Information Security Prof. JoAnne Holliday Santa Clara University.
An Introduction to Information Assurance COEN 150 Spring 2007.
1 Cryptography and Network Security Fourth Edition by William Stallings Lecture slides by Lawrie Brown Changed by: Somesh Jha [Lecture 1]
Cryptography and Network Security
Computer Security “Measures and controls that ensure confidentiality, integrity, and availability of IS assets including hardware, software, firmware,
@Yuan Xue CS 285 Network Security Fall 2008.
CSCD 434 Network Security Spring 2014 Lecture 1 Course Overview.
John Carpenter & lecture & Information Security 2008 Lecture 1: Subject Introduction and Security Fundamentals.
CS461/ECE422 — Computer Security I — Spring 2012.
Welcome to Introduction to Computer Security. Why Computer Security The past decade has seen an explosion in the concern for the security of information.
1.1 Chapter 1 Introduction Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display.
SECURITY Professor Mona Mursi. ENVIRONMENT IT infrastructures are made up of many components, abstractly: IT infrastructures are made up of many components,
Slide #1-1 Introductory Computer Security CS461/ECE422 Fall 2010 Susan Hinrichs.
Csci5233 computer security & integrity 1 An Overview of Computer Security.
12/18/20151 Computer Security Introduction. 12/18/20152 Basic Components 1.Confidentiality: Concealment of information (prevent unauthorized disclosure.
Fall 2008CS 334 Computer Security1 CS 334: Computer Security Fall 2008.
Lecture 1 Page 1 CS 236 Online Introduction CS 236 On-Line MS Program Networks and Systems Security Peter Reiher.
July 1, 2004Computer Security: Art and Science © Matt Bishop Slide #1-1 Chapter 1: Introduction Components of computer security Threats Policies.
November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #1-1 Chapter 1: Introduction Components of computer security Threats Policies.
1 Network Security Maaz bin ahmad.. 2 Outline Attacks, services and mechanisms Security attacks Security services Security Mechanisms A model for Internetwork.
@Yuan Xue CS 285 Network Security Fall 2013 Yuan Xue.
@Yuan Xue CS 285 Network Security Fall 2012 Yuan Xue.
Advanced System Security Dr. Wayne Summers Department of Computer Science Columbus State University
1.1 Chapter 1 Introduction Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display.
Computer Security Introduction
Cryptography and Network Security
CS457 Introduction to Information Security Systems
CS 395: Topics in Computer Security
Introduction to Information Assurance
Overview CSE 465 – Information Assurance Fall 2017 Adam Doupé
Information Security, Theory and Practice.
Chapter 1: Introduction
Cryptography and Network Security
Purpose of Class To prepare students for research and advanced work in security topics To familiarize students working in other networking areas with important.
Information System and Network Security
Data & Network Security
Information and Network Security
Chapter 1: Introduction
CSCD 434 Network Security Spring 2012 Lecture 1 Course Overview.
Cryptography and Network Security
Chapter 1 Introduction Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. 1.#
Chapter 1 Introduction Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. 1.#
Advanced System Security
Overview CSE 365 – Information Assurance Fall 2018 Adam Doupé
Information Security: Terminology
Chapter 1 Introduction Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. 1.#
Computer Security Introduction
CSCD 434 Network Security Spring 2019 Lecture 1 Course Overview.
Security.
Basic of Modern Cryptography
Introduction to Cryptography
Chapter 4: Security Policies
Cryptography and Network Security
Introduction to Course
Chapter 1: Introduction
Overview CSE 365 – Information Assurance Fall 2019 Adam Doupé
Presentation transcript:

Introductory Computer Security CS461/ECE422 Fall 2009 Susan Hinrichs

Outline Administrative Issues Class Overview Information Assurance Overview Components of computer security Threats, Vulnerabilities, Attacks, and Controls Policy Assurance

Administrivia Staff Communications Office Hours Susan Hinrichs, lecturer Fariba Khan, TA Omid Fatemieh, TA Communications Class web page http://www.cs.illinois.edu/class/fa09/cs461 Newsgroup cs461 Jabber Chat room cs461 Office Hours Susan: 12:30-1:30pm Wednesday and after class Fariba and Omid: TBA

More Administrivia Grades 2 midterms worth 25% each. October 7 and November 18. Final worth 25%. December 18. Roughly weekly homework worth 25%. Can drop low homework. 8 homeworks last year. Extra project worth 20% for grad students taking for 4 credits Submit homework via compass Class Sections Online students: geographically distributed ECE and CS 3 and 4 credit sections

A Few Words on Class Integrity Review department and university cheating and honor codes: https://agora.cs.illinois.edu/display/under gradProg/Honor+Code http://admin.illinois.edu/policy/code/artic le1_part4_1-402.html This has been an issue in the past Expectations for exams, homeworks, and projects

Class Readings Text Computer Security: Art and Science by Matt Bishop Additional readings provided via compass or public links Books on reserve at the library

Class Format Meet three times a week Mostly lecture format Will attempt to have a class exercise about once a week. Will be noted on class web site. Will attempt to make this relevant for online students too. Lectures video taped for online students All have access to tapes. Link on class web site. A few lectures will be video only. Noted on schedule Will still play video in class Posted slides not sufficient to master material alone

Class communication Limited physical access Use technology to help Lecturer part time on campus Use technology to help Newsgroup for timely, persistent information Jabber and Jabber chat room for questions and conversation Email and phone

Security Classes at UIUC Three introductory courses Information Assurance (CS461/ECE422) Covers NSA 4011 security professional requirements Taught every semester Computer Security (CS463/ECE424) Continues in greater depth on more advanced security topics Taught every semester or so Applied Computer Security Lab Taught last spring as CS498sh Will be CS460 With CS461 covers NSA 4013 system administrator requirements Two of the three courses will satisfy the Security Specialization in the CS track for Computer Science majors.

More Security Classes at UIUC Theoretical Foundations of Cryptography Taught about once a year, last year as CS498pr Security Reading Group CS591RHC Advance Computer Security Taught once a year, this semester as CS598cag Math 595/ECE 559 – Cryptography http://www.math.uiuc.edu/%7Eduursma/Math59 5CR/ Taught every couple years ITI Security Roadmap http://www.iti.illinois.edu/content/security

Other Sources for Security News Bruce Schneier's blog http://www.schneier.com/blog/ Local talks http://www.iti.illinois.edu/content/seminars- and-events

Security in the News DNS flaws InfoWar Extortion - Dan Kamisky found flaw in widely used DNS protocol requiring upgrade of network infrastructure http://blog.wired.com/27bstroke6/2008/07/details-of-dns.html InfoWar Estonia http://blog.wired.com/27bstroke6/2007/08/cyber-war-and-e.html Extortion - Threaten DDoS attack unless company pays up DDoS protection from carriers can cost $12K per month Privacy/Identity theft Albert Gonzalez and 130 million credit card numbers. Cars.gov ? ChoicePoint, Bank of America, disgruntled waiter Worms Conflicker, twitter worms Slammer worm crashed nuclear power plant network

Class Topics Mix of motivation, design, planning, and mechanisms See lecture page http://www.cs.illinois.edu/class/fa09/cs461/lectur es.html A few open lecture spots if there are topics of particular interest May have some industry guest lectures

Security Components Confidentiality Integrity Availability Keeping data and resources hidden Integrity Data integrity (integrity) Origin integrity (authentication) Availability Enabling access to data and resources Confidentiality: a good example is cryptography, which traditionally is used to protect secret messages. But cryptography is traditionally used to protect data, not resources. Resources are protected by limiting information, for example by using firewalls or address translation mechanisms. Integrity: a good example here is that of an interrupted database transaction, leaving the database in an inconsistent state (this foreshadows the Clark- Wilson model). Trustworthiness of both data and origin affects integrity, as noted in the book’s example. That integrity is tied to trustworthiness makes it much harder to quantify than confidentiality. Cryptography provides mechanisms for detecting violations of integrity, but not preventing them (e.g., a digital signature can be used to determine if data has changed). Availability: this is usually defined in terms of “quality of service,” in which authorized users are expected to receive a specific level of service (stated in terms of a metric). Denial of service attacks are attempts to block availability.

CIA Examples

Identifying Terms Vulnerability – Weakness in the system that could be exploited to cause loss or harm Threat – Set of circumstances that has the potential to cause loss or harm Attack – When an entity exploits a vulnerability on system Control – A means to prevent a vulnerability from being exploited

Example

Classes of Threats Disclosure – Unauthorized access to information Deception – Acceptance of false data Disruption – Interruption or prevention of correct operation Usurpation – Unauthorized control of some part of a system

Some common threats Snooping Unauthorized interception of information Modification or alteration Unauthorized change of information Masquerading or spoofing An impersonation of one entity by another Repudiation of origin A false denial that an entity sent or created something. Denial of receipt A false denial that an entity received some information.

More Common Threats Delay A temporary inhibition of service Denial of Service A long-term inhibition of service

More definitions Policy Mechanism A statement of what is and what is not allowed Divides the world into secure and non-secure states A secure system starts in a secure state. All transitions keep it in a secure state. Mechanism A method, tool, or procedure for enforcing a security policy

Is this situation secure? Web server accepts all connections No authentication required Self-registration Connected to the Internet

Policy Example University computer lab has a policy that prohibits any student from copy another student's homework files. The computers have file access controls to prevent other's access to your files. Bob does not read protect his files Alice copies his files Who cheated? Alice, Bob, both, neither?

More Example What if Bob posted his homework on his dorm room door? What if Bob did read protect his files, but Alice found a hack on the mechanism?

Trust and Assumptions Locks prevent unwanted physical access. What are the assumptions this statement builds on?

Policy Assumptions Policy correctly divides world into secure and insecure states. Mechanisms prevent transition from secure to insecure states.

Another Policy Example Bank officers may move money between accounts. Any flawed assumptions here?

Assurance Evidence of how much to trust a system Evidence can include System specifications Design Implementation Mappings between the levels

Aspirin Assurance Example Why do you trust Aspirin from a major manufacturer? FDA certifies the aspirin recipe Factory follows manufacturing standards Safety seals on bottles Analogy to software assurance

Key Points Must look at the big picture when securing a system Main components of security Confidentiality Integrity Availability Differentiating Threats, Vulnerabilities, Attacks and Controls Policy vs mechanism Assurance