1 IS 2150 / TEL 2810 Introduction to Security Lecture 1 August 31, 2006

2 Contact Instructor: James B. D. Joshi 706A, IS Building Phone: Web: Office Hours: Tuesdays: 3.00 – 6.00 p.m. By appointments GSA: Saubhagya R. Joshi Office hours: Wednesday 2:00-4:00PM Place: GIS Lab, 4 th Floor

3 IS 2150 / TEL 2810 The objective of the course is to cover the fundamental issues of information system security and assurance. Develop broad understanding of diverse issues Certified by NSA About 85% is based on the CNSS requirements Core course for SAIS track Course webpage:

4 Course Outline Security Basics (1-8) General overview and definitions Security models and policy issues Basic Cryptography and Network security (9-12, 26) Crypto systems, digital signature, authentication, PKI IPSec, VPN, Firewalls Systems Design Issues and Information assurance (13-21, 24) Design principles Security Mechanisms Auditing Systems Risk analysis System verification Intrusion Detection and Response (23, 25,..) Attack Classification and Vulnerability Analysis Detection, Containment and Response/Recovery Legal, Ethical, Social Issues Evaluation, Certification Standards Miscellaneous Issues (22,..) Malicious code, Mobile code Digital Rights Management, Forensics Watermarking, E/M-commerce security, Multidomain Security Identity/Trust Management

5 Course Material Textbook Introduction to Computer Security, Matt Bishop, Errata URL: Computer Security: Art and Science, Matt Bishop – is fine too Other Recommended Security in Computing, Charles P. Pfleeger, Prentice Hall Inside Java 2 Platform Security, 2 nd Edition, L. Gong, G. Ellision, M. Dageforde Security Engineering: A Guide to Building Dependable Distributed Systems, Ross Anderson, Wiley, John & Sons, Incorporated, 2001 Supplemental readings will be provided

6 Prerequisites Assumes the following background Programming skill Some assignments in Java Working knowledge of Operating systems, algorithms and data structures, database systems, and networks Basic Mathematics Set, logic, induction techniques, data structure/algorithms Not sure? SEE ME

7 Grading Lab + Homework/Quiz/Paper review 40% Exams 40% includes Midterm 20% Final 20% Paper/Project 20% List of suggested topics will be posted; Encouraged to think of a project/topic of your interest Some other Seminar and participation

8 Course Policies Your work MUST be your own Zero tolerance for cheating/plagiarism You get an F for the course if you cheat in anything however small – NO DISCUSSION Discussing the problem is encouraged Homework Penalty for late assignments (15% each day) Ensure clarity in your answers – no credit will be given for vague answers Sample solutions will be provided Check webpage for everything! You are responsible for checking the webpage for updates

9 Overview of Security Assured Information Systems Track

10 LERSAIS Laboratory of Education and Research in Security Assured Information Systems Established in 2003 National Center of Academic Excellence in Information Assurance Education Program A US National Security Agency program initiated in 1998 through a presidential directive to SECURE the Cyberspace Partnered by Department of Homeland Security since 2003 There are 70+ such centers now Designation requires meeting a set of criteria Basic IA curriculum Strong research activity LERSAIS is Pitt’s representative center Website:

11 IA Pitt’s IA curriculum has been certified for Committee on National Security Systems IA Standards CNSS 4011: Information Security Professionals CNSS 4012: Designated Approving Authority CNSS 4013: System Administrator in Information Systems Security CNSS 4014: Information Systems Security Officer CNSS 4015: System Certifiers Pitt is one among 12 Institutions in the US and only one in the State of Pennsylvania to have all certifications Website:

12 IA Grants NSF – Scholarship for Service Grant First award ($286,710) For the development of the curriculum Second award ($1,055,553) For establishing a scholarship program Department of Defense Information Assurance Scholarship (DoD IASP) Support for 4 National Defense University Students to pursue IA degree at Pitt CISCO Critical Infrastructure Assurance Group Equipment grant winner of Year Spring-2005 Equipments worth $130,000

13 IA Tracks/Courses Master of Science in Information Sciences Master of Science in Telecommunications and Networking Certificate of Advanced Studies (CNSS Certifications) Courses: Introduction to Security Developing Secure Systems Cryptography Security in E-commerce Network Security Security Management Capstone course Information System and Network Infrastructure Protection Information Ethics Legal Issues in Information Handling

14 NSF IA Pitt New scholarship starting this Fall Support include Stipend of $12,000/year Tuition and fees Students should be In the track (MSIS/MST) Within last 2 years of completing the PhD studies Support for up to 2 years Work in Gov for the equal amount of time Summer internship is required Citizenship is required Need to obtain clearance for work in Gov Website will be created shortly; for now check out :

15 NSF IA Pitt Less chance for the following If you have less than one year of study If you want to work fulltime and study under scholarship Scholarship students will have to Involve in some activities of LERSAIS University activities of importance Mentor future scholarship students

16 MSIS Security Assured Information Systems Track MSIS Security Assured Information Systems Track Foundations (6 credits) Foundations (6 credits) Cognitive Systems (6 credits) Cognitive Systems (6 credits) Systems and Technology (9 credits SAIS Track + 9 S&T) (18 credits) Systems and Technology (9 credits SAIS Track + 9 S&T) (18 credits) Electives (3 Credits SAIS Track + 3 Credits S&T) Electives (3 Credits SAIS Track + 3 Credits S&T) IS-2000 Intro to Info Sc IS-2170 Cryptography IS-2000 Intro to Info Sc IS-2170 Cryptography IS-2300 Human Information Processing IS-2470 Interactive System Design OR IS-2350 Human Factors In Systems IS-2300 Human Information Processing IS-2470 Interactive System Design OR IS-2350 Human Factors In Systems IS-2550 Client-Sever IS2710 DBMS IS-2511 Adv. Anal. & Des. OR IS-2540 Soft Engg. IS-2550 Client-Sever IS2710 DBMS IS-2511 Adv. Anal. & Des. OR IS-2540 Soft Engg. IS2150 Intro to ComSec TEL-2821 Net Sec TEL 2830/IS-2190 Capstone Course in Security IS2150 Intro to ComSec TEL-2821 Net Sec TEL 2830/IS-2190 Capstone Course in Security IS-2570 Dev sec Systems IS-2771 Sec in E-Comm IS2810/TEL-2813 Sec Mgmt LIS-2194 Info Ethics LIS-2184 Legal issues in Handling Info One S&T Electives (may include another of the SAIS course elective) IS-2570 Dev sec Systems IS-2771 Sec in E-Comm IS2810/TEL-2813 Sec Mgmt LIS-2194 Info Ethics LIS-2184 Legal issues in Handling Info One S&T Electives (may include another of the SAIS course elective)

17 MST Security Assured Information Systems Track MST Security Assured Information Systems Track Core Required (9 credits) Core Required (9 credits) Human Comm Mgmt/Policy (6 credits) Human Comm Mgmt/Policy (6 credits) Protocols and Design (6 credits) Protocols and Design (6 credits) SAIS Track Core (12 credits) SAIS Track Core (12 credits) SAIS Track Electives (3 credits) SAIS Track Electives (3 credits) TEL-2210 Electronic Comm II TEL-2120 Network Performance TEL-2310 Computer Networks TEL-2210 Electronic Comm II TEL-2120 Network Performance TEL-2310 Computer Networks IS-2300 Human Information Processing TEL-2510 US Telecom Policy OR TEL-2511 Intl. Telecom Policy OR LIS-2194 Information Ethics IS-2300 Human Information Processing TEL-2510 US Telecom Policy OR TEL-2511 Intl. Telecom Policy OR LIS-2194 Information Ethics TEL-2110 Network Design TEL-2121 Network Mgt. TEL-2320 LANs TEL-2321 WANs TEL-2720 Cellular Radio and PCS TEL-2721 Mobile Data Networks TEL-2110 Network Design TEL-2121 Network Mgt. TEL-2320 LANs TEL-2321 WANs TEL-2720 Cellular Radio and PCS TEL-2721 Mobile Data Networks IS2150/TEL-2810 Intro To Security IS2170/TEL-2820 Cryptography TEL-2821 Network Security IS2190/TEL-2830 Capstone Course in Security IS2150/TEL-2810 Intro To Security IS2170/TEL-2820 Cryptography TEL-2821 Network Security IS2190/TEL-2830 Capstone Course in Security TEL-2825 Infrs. Protection IS-2771 Security in E-Commerce IS-2810/TEL-2813 Security Management TEL-2829 Adv. Cryptography OR Other Electives TEL-2825 Infrs. Protection IS-2771 Security in E-Commerce IS-2810/TEL-2813 Security Management TEL-2829 Adv. Cryptography OR Other Electives

18 Certificate of Advanced Studies Basic IA StudiesAdvanced IA Studies Pre-requisite: MSIS, MST or MS in related areas 15 credits of coursework: Three SAIS Core courses (9) Systems & Technology course (3) Capstone (3) 24 credits of coursework: Three SAIS Core courses (9) Security management (3) One IA Elective (3) 2 Systems-Tech electives (6) Capstone (3) Certificates: CNSS 4011, 4012, and 4013 Certificates: CNSS 4011, 4012, 4013, 4014A, and 4015

19 IS-2150 TEL-2810 Intro to Security IS-2150 TEL-2810 Intro to Security IS-2160 TEL-2820 Cryptography IS-2160 TEL-2820 Cryptography TEL-2821 Network Security TEL-2821 Network Security TEL-2825 Infrs. Protection TEL-2825 Infrs. Protection TEL-2829 Adv. Cryptography TEL-2829 Adv. Cryptography IS-2939 TEL-2938 Advanced Topics IS-2939 TEL-2938 Advanced Topics IS-2570 Dev. Secure Systems IS-2570 Dev. Secure Systems IS-2820/TEL-2813 Security Management IS-2820/TEL-2813 Security Management TEL-2830/IS2190 Capstone TEL-2830/IS2190 Capstone IS-2771 E-commerce Security IS-2771 E-commerce Security TEL-2000 TEL-2120 TEL-2000 TEL-2120 IS-2510 IS-2511 IS-2550 IS-2710 IS-2510 IS-2511 IS-2550 IS-2710 Expected Pre-requisite Structure Check SIS web pages for new course numbers

20 SAMPLE The Department of Information Science and Telecommunication’s Laboratory of Education and Research on Security Assured Information Systems (LERSAIS), a National Center of Academic Excellence in Information Assurance Education ( ), hereby certifies that Mr. John Smith has successfully completed the requirements for the DIST’s IA certification in Fall 2004 The DIST’s IA certification requires a student to demonstrate competence in the following three IA courses TELCOM 2810 Introduction to Computer Security; TELCOM 2820 Cryptography TELCOM 2821 Network Security These three courses have been certified by the National Security Agency (NSA) as meeting the following IA education standards set by the Committee on National Systems Security (CNSS) NSTISSI No. 4011, Information Systems Security Professionals NSTISSI No. 4012, Designated Approving Authority NSTISSI No. 4013, System Administrators in Information Systems Security Ronald Larsen (Dean, School of Information Sciences)

21 Introduction to Security Overview of Computer Security

22 Information Systems Security Deals with Security of (end) systems Examples: Operating system, files in a host, records, databases, accounting information, logs, etc. Security of information in transit over a network Examples: e-commerce transactions, online banking, confidential s, file transfers, record transfers, authorization messages, etc. “Using encryption on the internet is the equivalent of arranging an armored car to deliver credit card information from someone living in a cardboard box to someone living on a park bench” – Gene Spafford

23 Basic Components of Security Confidentiality Keeping data and resources secret or hidden Integrity Ensuring authorized modifications; Includes correctness and trustworthiness May refer to Data integrity Origin integrity Availability Ensuring authorized access to data and resources when desired Trust Management (Emerging Challenge) Trust Management (Emerging Challenge) CIA

24 CIA-based Model NSTISSC 4011 Security Model (CNSS 4011)

25 Basic Components of Security Additional from NIST (National Institute of Standards and Technology Accountability Ensuring that an entity’s action is traceable uniquely to that entity [Security] assurance Assurance that all four objectives are met Other Non-repudiation: false denial of an act

26 Interdependencies confidentiality Integrity integrity confidentiality availability Integrity confidentiality accountability Integrity confidentiality

27 Security - Years back Physical security Information was primarily on paper Lock and key Safe transmission Administrative security Control access to materials Personnel screening Auditing

28 Information security today Emergence of the Internet and distributed systems Increasing system complexity Open environment with previously unknown entities interacting Digital information needs to be kept secure Competitive advantage Protection of assets Liability and responsibility

29 Information security today Financial losses The FBI estimates that an insider attack results in an average loss of $2.8 million There are reports that the annual financial loss due to information security breaches is between 5 and 45 billion dollars National defense Protection of critical infrastructures: Power Grid; Air transportation; SCADA Interlinked government agencies Bad Grade for most of the agencies (GAO Reports) DHS gets a failing grade (2005) !!

30 Terminology Security Features or Services Security Features or Services Attackers/Intruders/ Malfeasors Security Architecture Resources Assets Information Requirements Policies Requirements Policies Requirements Policies Requirements Policies Security Models/ Mechanisms Security Models/ Mechanisms

31 Attack Vs Threat A threat is a “potential” violation of security The violation need not actually occur The fact that the violation might occur makes it a threat It is important to guard against threats and be prepared for the actual violation The actual violation of security is called an attack

32 Common security attacks Interruption, delay, denial of receipt or denial of service System assets or information become unavailable or are rendered unavailable Interception or snooping Unauthorized party gains access to information by browsing through files or reading communications Modification or alteration Unauthorized party changes information in transit or information stored for subsequent access Fabrication, masquerade, or spoofing Spurious information is inserted into the system or network by making it appear as if it is from a legitimate entity Repudiation of origin False denial that an entity did (send/create) something

33 Classes of Threats (Shirley) Disclosure: unauthorized access to information Snooping Deception: acceptance of false data Modification, masquerading/spoofing, repudiation of origin, denial of receipt Disruption: interruption/prevention of correct operation Modification Usurpation: unauthorized control of a system component Modification, masquerading/spoofing, delay, denial of service

34 Policies and Mechanisms A security policy states what is, and is not, allowed This defines “security” for the site/system/etc. Policy definition: Informal? Formal? Mechanisms enforce policies Composition of policies If policies conflict, discrepancies may create security vulnerabilities

35 Goals of Security Prevention To prevent someone from violating a security policy Detection To detect activities in violation of a security policy Verify the efficacy of the prevention mechanism Recovery Stop policy violations (attacks) Assess and repair damage Ensure availability in presence of an ongoing attack Fix vulnerabilities for preventing future attack Retaliation against the attacker

36 Assumptions and Trust Policies and mechanisms have implicit assumptions Assumptions regarding policies Unambiguously partition system states into “secure” and “nonsecure” states Correctly capture security requirements Mechanisms Assumed to enforce policy; i.e., ensure that the system does not enter “nonsecure” state Support mechanisms work correctly

37 Types of Mechanisms Let P be the set of all the reachable states Let Q be a set of secure states identified by a policy: Q  P Let the set of states that an enforcement mechanism restricts a system to be R The enforcement mechanism is Secure if R  Q Precise if R = Q Broad if there are some states in R that are not in Q

38 Types of Mechanisms secure precise broad set Rset Q (secure states)

39 Information Assurance Information Assurance Advisory Council (IAAC): “Operations undertaken to protect and defend information and information systems by ensuring their availability, integrity, authentication, confidentiality and non-repudiation” National Institute of Standards Technology “Assurance is the basis for confidence that the security measures, both technical and operational, work as intended to protect the system and the information it processes”

40 Assurance Assurance is to indicate “how much” to trust a system and is achieved by ensuring that The required functionality is present and correctly implemented There is sufficient protection against unintentional errors There is sufficient resistance to intentional penetration or by-pass Basis for determining this aspect of trust Specification Requirements analysis Statement of desired functionality Design Translate specification into components that satisfy the specification Implementation Programs/systems that satisfy a design

41 Operational Issues Designing secure systems has operational issues Cost-Benefit Analysis Benefits vs. total cost Is it cheaper to prevent or recover? Risk Analysis Should we protect something? How much should we protect this thing? Risk depends on environment and change with time Laws and Customs Are desired security measures illegal? Will people do them? Affects availability and use of technology

42 Human Issues Organizational Problems Power and responsibility Financial benefits People problems Outsiders and insiders Which do you think is the real threat? Social engineering

43 Tying all together: The Life Cycle Operation & Maintenance Implementation Design Specification Policy Threats Human factor