EEC 688/788 Secure and Dependable Computing Lecture 2 Wenbing Zhao Department of Electrical and Computer Engineering Cleveland State University

Slides:



Advertisements
Similar presentations
Chapter ADCS CS262/0898/V1 Chapter 1 An Introduction To Computer Security TOPICS Introduction Threats to Computer Systems –Threats, Vulnerabilities.
Advertisements

Advanced Networks and Computer Security Curt Carver & Jeff Humphries © 1999 Texas A&M University.
Cryptography and Network Security 2 nd Edition by William Stallings Note: Lecture slides by Lawrie Brown and Henric Johnson, Modified by Andrew Yang.
Information System Audit : © South-Asian Management Technologies Foundation Chapter 4: Information System Audit Requirements.
ECE454/599 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2012.
30/04/2015Tim S Roberts COIT13152 Operating Systems T1, 2008 Tim S Roberts.
The University of Adelaide, School of Computer Science
EEC 688/788 Secure and Dependable Computing Lecture 2 Wenbing Zhao Department of Electrical and Computer Engineering Cleveland State University
Introduction to Security in Computing Computer and Network Security Semester 1, 2011 Lecture #01.
Is There a Security Problem in Computing? Network Security / G. Steffen1.
Lecture 1: Overview modified from slides of Lawrie Brown.
EEC 693/793 Special Topics in Electrical Engineering Secure and Dependable Computing Lecture 3 Wenbing Zhao Department of Electrical and Computer Engineering.
EEC 688/788 Secure and Dependable Computing Lecture 2 Wenbing Zhao Department of Electrical and Computer Engineering Cleveland State University
IT 221: Introduction to Information Security Principles Lecture 1: Introduction to IT Security For Educational Purposes Only Revised: August 28, 2002.
Informationsteknologi Thursday, October 11, 2007Computer Systems/Operating Systems - Class 161 Today’s class Security.
6/2/2015B.Ramamurthy1 Security B.Ramamurthy. 6/2/2015B.Ramamurthy2 Computer Security Collection of tools designed to thwart hackers Became necessary with.
Chapter 1 – Introduction
1 Cryptography and Network Security Third Edition by William Stallings Lecturer: Dr. Saleem Al_Zoubi.
Security strategy. What is security strategy? How an organisation plans to protect and respond to security attacks on their information technology assets.
Note1 (Intr1) Security Problems in Computing. Overview of Computer Security2 Outline Characteristics of computer intrusions –Terminology, Types Security.
1 An Overview of Computer Security computer security.
EEC 688/788 Secure and Dependable Computing Lecture 2 Wenbing Zhao Department of Electrical and Computer Engineering Cleveland State University
Evidor: The Evidence Collector Software using for: Software for lawyers, law firms, corporate law and IT security departments, licensed investigators,
EEC 688/788 Secure and Dependable Computing Lecture 7 Wenbing Zhao Department of Electrical and Computer Engineering Cleveland State University
EEC 693/793 Special Topics in Electrical Engineering Secure and Dependable Computing Lecture 3 Wenbing Zhao Department of Electrical and Computer Engineering.
Summary of Lecture 1 Security attack types: either by function or by the property being compromised Security mechanism – prevention, detection and reaction.
Network Security PHILADELPHIA UNIVERSITY Ahmad Alghoul Module 1 Introduction: To Information & Security  Modified by :Ahmad Al Ghoul  Philadelphia.
EEC 693/793 Special Topics in Electrical Engineering Secure and Dependable Computing Lecture 2 Wenbing Zhao Department of Electrical and Computer Engineering.
Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Information.
CPSC 6126 Computer Security Information Assurance.
Computer Security Tran, Van Hoai Department of Systems & Networking Faculty of Computer Science & Engineering HCMC University of Technology.
Information Systems Security Computer System Life Cycle Security.
Cryptography and Network Security
What does “secure” mean? Protecting Valuables
Prepared by: Dinesh Bajracharya Nepal Security and Control.
Computer Security “Measures and controls that ensure confidentiality, integrity, and availability of IS assets including hardware, software, firmware,
29.1 Lecture 29 Security I Based on the Silberschatz & Galvin’s slides And Stallings’ slides.
What does secure mean? You have been assigned a task of finding a cloud provider who can provide a secure environment for the launch of a new web application.
10/17/20151 Computer Security Introduction. 10/17/20152 Introduction What is the goal of Computer Security? A first definition: To prevent or detect unauthorized.
Chapter 01: Introduction to Network Security. Network  A Network is the inter-connection of communications media, connectivity equipment, and electronic.
Network security Network security. Look at the surroundings before you leap.
John Carpenter & lecture & Information Security 2008 Lecture 1: Subject Introduction and Security Fundamentals.
Chapter 1 Overview The NIST Computer Security Handbook defines the term Computer Security as:
What security is about in general? Security is about protection of assets –D. Gollmann, Computer Security, Wiley Prevention –take measures that prevent.
1 Chapter 1 – Background Computer Security T/ Tyseer Alsamany - Computer Security.
1 Network and E-commerce Security Nungky Awang Chandra Fasilkom Mercu Buana University.
Topic 5: Basic Security.
Chap1: Is there a Security Problem in Computing?.
Csci5233 computer security & integrity 1 An Overview of Computer Security.
T.A 2013/2014. Wake Up Call! Malware hijacks your , sends death threats. Found in Japan (Oct 2012) Standford University Recent Network Hack May Cost.
Computer Security By Duncan Hall.
Introduction to Computer Security
INTRODUCTION TO COMPUTER & NETWORK SECURITY INSTRUCTOR: DANIA ALOMAR.
Computer threats, Attacks and Assets upasana pandit T.E comp.
C OMPUTER THREATS, ATTACKS AND ASSETS DONE BY NISHANT NARVEKAR TE COMP
1 TMK 264: COMPUTER SECURITY CHAPTER ONE: AN OVERVIEW OF COMPUTER SECURITY.
Is There a Security Problem in Computing?
Chapter One: Introduction to Information Security.
1 Network Security Maaz bin ahmad.. 2 Outline Attacks, services and mechanisms Security attacks Security services Security Mechanisms A model for Internetwork.
Lecturer: Eng. Mohamed Adam Isak PH.D Researcher in CS M.Sc. and B.Sc. of Information Technology Engineering, Lecturer in University of Somalia and Mogadishu.
Advanced System Security Dr. Wayne Summers Department of Computer Science Columbus State University
Lecture 1 Introduction Dr. nermin hamza 1. Aim of Course Overview Cryptography Symmetric and Asymmetric Key management Researches topics 2.
CS 395: Topics in Computer Security
Security
CS 450/650 Fundamentals of Integrated Computer Security
INFORMATION SYSTEMS SECURITY and CONTROL
Faculty of Science IT Department By Raz Dara MA.
EEC 688/788 Secure and Dependable Computing
EEC 688/788 Secure and Dependable Computing
Security in Computing, Fifth Edition
Presentation transcript:

EEC 688/788 Secure and Dependable Computing Lecture 2 Wenbing Zhao Department of Electrical and Computer Engineering Cleveland State University

2 6/15/2015 EEC688/788: Secure & Dependable ComputingWenbing Zhao Outline Introduction to computer security –Security concept –Vulnerabilities, threats, attacks, and Controls Security in Computing, 4th Edition By Charles P. Pfleeger, Shari Lawrence Pfleeger

3 6/15/2015 EEC688/788: Secure & Dependable ComputingWenbing Zhao Security in Computing Systems Security in computing systems = protecting valuable computer-related asset Computer-related asset (valuable components): –Hardware, software, and data Means to achieve security –Protecting programs –Protecting operating systems –Protecting networks

4 6/15/2015 EEC688/788: Secure & Dependable ComputingWenbing Zhao Vulnerabilities, Threats, Attacks, & Controls A vulnerability is a weakness in the security system A threat to a computing system is a set of circumstances that has the potential to cause loss or harm A human who exploits a vulnerability perpetrates an attack on the system. How do we address these problems? We use a control as a protective measure –A control is an action, device, procedure, or technique that removes or reduces a vulnerability –A threat is blocked by control of a vulnerability

5 6/15/2015 EEC688/788: Secure & Dependable ComputingWenbing Zhao Threats, Vulnerabilities, and Controls

6 6/15/2015 EEC688/788: Secure & Dependable ComputingWenbing Zhao Type of Threats An interception means that some unauthorized party has gained access to an asset In an interruption, an asset of the system becomes lost, unavailable, or unusable If an unauthorized party not only accesses but tampers with an asset, the threat is a modification An unauthorized party might create a fabrication of counterfeit objects on a computing system

7 6/15/2015 EEC688/788: Secure & Dependable ComputingWenbing Zhao Type of Threats

8 6/15/2015 EEC688/788: Secure & Dependable ComputingWenbing Zhao Interception An interception means that some unauthorized party has gained access to an asset –Example: illicit copying of program or data files, or wiretapping to obtain data in a network –Unlike a loss, which may be discovered fairly quickly, a silent interceptor may leave no traces by which the interception can be readily detected

9 6/15/2015 EEC688/788: Secure & Dependable ComputingWenbing Zhao Interruption In an interruption, an asset of the system becomes lost, unavailable, or unusable –Example: malicious destruction of a hardware device –Example: erasure of a program or data file –Example: (distributed) denial of service attacks

10 6/15/2015 EEC688/788: Secure & Dependable ComputingWenbing Zhao Modification If an unauthorized party not only accesses but tampers with an asset, the threat is a modification –Example: someone might change the values in a database, alter a program so that it performs an additional computation –Example: modify message being transmitted over the network –Some cases of modification can be detected with simple measures, but other, more subtle, changes may be almost impossible to detect

11 6/15/2015 EEC688/788: Secure & Dependable ComputingWenbing Zhao Fabrication An unauthorized party might create a fabrication of counterfeit objects on a computing system –Example: the intruder may insert spurious transactions to a network communication system or add records to an existing database –Sometimes these additions can be detected as forgeries, but if skillfully done, they are virtually indistinguishable from the real thing

12 6/15/2015 EEC688/788: Secure & Dependable ComputingWenbing Zhao Threats: Methods, Opportunity, and Motive A malicious attacker must have three things: –Method: the skills, knowledge, tools, and other things with which to launch an attack –Opportunity: the time and access to accomplish the attack –Motive: a reason to want to perform this attack against this system

13 6/15/2015 EEC688/788: Secure & Dependable ComputingWenbing Zhao The Meaning of Computer Security The purpose of computer security is to devise ways to prevent the weaknesses from being exploited What we mean when we say that a system is secure: –Confidentiality: computer-related assets are accessed only by authorized parties. Confidentiality is sometimes called secrecy or privacy –Integrity: assets can be modified only by authorized parties or only in authorized ways –Availability: assets are accessible to authorized parties at appropriate times

14 6/15/2015 EEC688/788: Secure & Dependable ComputingWenbing Zhao Relationship of Security Goals A secure system must meet all three requirements The challenge is how to find the right balance among the goals, which often conflict –For example, it is easy to preserve a particular object's confidentiality in a secure system simply by preventing everyone from reading that object –However, this system is not secure, because it does not meet the requirement of availability for proper access => There must be a balance between confidentiality and availability

15 6/15/2015 EEC688/788: Secure & Dependable ComputingWenbing Zhao Relationship of Security Goals

16 6/15/2015 EEC688/788: Secure & Dependable ComputingWenbing Zhao Confidentiality Confidentiality is the security property we understand best because its meaning is narrower than the other two However, it is not trivial to ensure confidentiality. For example, –Who determines which people or systems are authorized to access the current system? –By "accessing" data, do we mean that an authorized party can access a single bit? pieces of data out of context? –Can someone who is authorized disclose those data to other parties?

17 6/15/2015 EEC688/788: Secure & Dependable ComputingWenbing Zhao Integrity It is much harder to ensure integrity. One reason is that integrity means different things in different context For example, if we say that we have preserved the integrity of an item, we may mean that the item is: –precise –accurate –unmodified –modified only in acceptable ways –modified only by authorized people –modified only by authorized processes –consistent –internally consistent –meaningful and usable

18 6/15/2015 EEC688/788: Secure & Dependable ComputingWenbing Zhao Integrity Aspects of integrity: computerized data are the same as those in source documents; they have not been exposed to accidental or malicious alteration or destruction Aspects of integrity: authorized actions, separation and protection of resources, and error detection and correction Integrity can be enforced in much the same way as can confidentiality: by rigorous control of who or what can access which resources in what ways

19 6/15/2015 EEC688/788: Secure & Dependable ComputingWenbing Zhao Availability Availability applies both to data and to services (i.e., to information and to information processing We say a data item, service, or system is available if –There is a timely response to our request –There is a fair allocation of resources, so that some requesters are not favored over others –The service or system involved are fault tolerant - hardware or software faults lead to graceful cessation of service or to workarounds rather than to crashes and abrupt loss of information –The service or system can be used easily and in the way it was intended to be used –….

20 6/15/2015 EEC688/788: Secure & Dependable ComputingWenbing Zhao Availability The security community is just beginning to understand what availability implies and how to ensure it A small, centralized control of access is fundamental to preserving confidentiality and integrity, but it is not clear that a single access control point can enforce availability Much of computer security's past success has focused on confidentiality and integrity; full implementation of availability is security's next great challenge

21 6/15/2015 EEC688/788: Secure & Dependable ComputingWenbing Zhao Vulnerabilities Vulnerabilities: would prevent us from reaching one or more of our three security goals The three assets (hardware, software and data) and the connections among them are all potential security weak points

22 6/15/2015 EEC688/788: Secure & Dependable ComputingWenbing Zhao Vulnerabilities

23 6/15/2015 EEC688/788: Secure & Dependable ComputingWenbing Zhao Software Vulnerabilities Software is surprisingly easy to delete and to copy Software is vulnerable to modifications that either cause it to fail or cause it to perform an unintended task –Trojan horse: a program that overtly does one thing while covertly doing another –Virus: a specific type of Trojan horse that can be used to spread its "infection" from one computer to another –…

24 6/15/2015 EEC688/788: Secure & Dependable ComputingWenbing Zhao Data Vulnerabilities Data items have greater public value than hardware and software, because more people know how to use or interpret data By themselves, out of context, pieces of data have essentially no intrinsic value On the other hand, data items in context do relate to cost: e.g., measurable by the cost to reconstruct or redevelop damaged or lost data

25 6/15/2015 EEC688/788: Secure & Dependable ComputingWenbing Zhao Data Vulnerabilities Confidential data leaked to a competitor may narrow a competitive edge Data incorrectly modified can cost human lives Inadequate security may lead to financial liability if certain personal data are made public The value of data over time is far less predictable or consistent –Quite often, data is valuable only for a period of time

26 6/15/2015 EEC688/788: Secure & Dependable ComputingWenbing Zhao Security of Data Confidentiality prevents unauthorized disclosure of a data item Integrity prevents unauthorized modification Availability prevents denial of authorized access