Presentation is loading. Please wait.

Presentation is loading. Please wait.

Lecture 1 Introduction Basic Security Concepts

Published byHarvey Blankenship Modified over 6 years ago

Similar presentations

Presentation on theme: "Lecture 1 Introduction Basic Security Concepts"— Presentation transcript:

1 Lecture 1 Introduction Basic Security Concepts

2 What is Cyber Security? Highly Technical
People, processes, and technology Legislation and Regulation Risk management

3 Copyright of Information Security Incorporated © 2008–2014
Lecture 1 CSCE Farkas Copyright of Information Security Incorporated © 2008–2014

4 What Can I Do?

5 Class Information Class Homepage: Instructor: Csilla Farkas Office: Swearingen 3A43 Office Hours: Tuesday, Thursday 10:30 – 11:30 am (Swearingen 3A43) , 2:30 – 3:00 pm (WMBB) Lecture 1 CSCE Farkas

6 Teaching Assistant Tieming Geng, Office hours: Monday/Wednesday 2 – 4 pm Office location: Swearingen 2D19 Lecture 1 CSCE Farkas

7 Text Books Charles P. Pfleeger and Shari Lawrence Pfleeger, Security in Computing (5th Edition) (Hardcover), Prentice Hall PTR; ISBN: Handouts Lecture 1 CSCE Farkas

8 Course Objective Understanding of Information Security
Industry + Academics Managerial + Technical Leadership and Communication DEFENSE! Lecture 1 CSCE Farkas

9 TENTATIVE SCHEDULE Basic security concepts Cryptography, Secret Key
Cryptography, Public Key Identification and Authentication, key-distribution centers, Kerberos Security Policies -- Discretionary Access Control, Mandatory Access Control Access control -- Role-Based, Provisional, and Logic-Based Access Control The Inference Problem Network and Internet Security, security, User Safety Program Security -- Viruses, Worms, etc. Firewalls Intrusion Detection, Fault tolerance and recovery Information Warfare Security Administration, Economic impact of cyber attacks Lecture 1 CSCE Farkas

10 Assignments Homework assignments: there will be several homework assignments during the semester.  Homework should be individual work! There will be a late submission penalty of 10%/day after the due date.    Cutoff date for the assignments is one week after due date. Exams: three closed book tests will cover the course material.  Final exam is accumulative.  Lecture 1 CSCE Farkas

11 Grading Midterm 1: 20%, Midterm 2: 20%, Final exam: 30%,  Homework: 30% Grades: 90 < A , 85 < B+ <=90, 80 < B <= 85, 75 < C+ <= 80, 65 < C <= 75, 60 < D+ <= 65, 50 < D <= 60, F <= 50 Graduate students must perform additional assignments to receive full credit. Lecture 1 CSCE Farkas

12 Reading Assignment Reading assignments for this class: Pfleeger: Ch 1
Reading assignments for next class: Pfleeger: Ch 2 Lecture 1 CSCE Farkas

13 Security Objectives Confidentiality: prevent/detect/deter improper disclosure of information Integrity: prevent/detect/deter improper modification of information Availability: prevent/detect/deter improper denial of access to services Lecture 1 CSCE Farkas

14 Military Example Confidentiality: target coordinates of a missile should not be improperly disclosed Integrity: target coordinates of missile should be correct Availability: missile should fire when proper command is issued Lecture 1 CSCE Farkas

15 Commercial Example Confidentiality: patient’s medical information should not be improperly disclosed Integrity: patient’s medical information should be correct Availability: patient’s medical information can be accessed when needed for treatment Lecture 1 CSCE Farkas

16 Fourth Objective Securing computing resources: prevent/detect/deter improper use of computing resources Hardware Software Data Network Lecture 1 CSCE Farkas

17 What is the trade off between the security objectives?
Lecture 1 CSCE Farkas

18 Achieving Security Policy Mechanism Assurance What to protect?
How to protect? Assurance How good is the protection? Lecture 1 CSCE Farkas

19 Security Policy Organizational Policy Computerized Information System
Lecture 1 CSCE Farkas

20 Why do we need to fit the security policy into the organizational policy?
Lecture 1 CSCE Farkas

21 Security Mechanism Prevention Detection Tolerance/Recovery Lecture 1
CSCE Farkas

22 Security by Obscurity Hide inner working of the system Bad idea!
Vendor independent open standard Widespread computer knowledge Lecture 1 CSCE Farkas

23 Security by Legislation
Instruct users how to behave Not good enough! Important Only enhance security Targets only some of the security problems Lecture 1 CSCE Farkas

24 Security Tradeoffs Security Functionality Ease of Use COST Lecture 1
CSCE Farkas

25 Threat, Vulnerability, Risk
Threat: potential occurrence that can have an undesired effect on the system Vulnerability: characteristics of the system that makes is possible for a threat to potentially occur Attack: action of malicious intruder that exploits vulnerabilities of the system to cause a threat to occur Risk: measure of the possibility of security breaches and severity of the damage Lecture 1 CSCE Farkas

26 Distinguish among vulnerability, threat, and control (protection).
Lecture 1 CSCE Farkas

27 Types of Threats (1) Errors of users
Natural/man-made/machine disasters Dishonest insider Disgruntled insider Outsiders Lecture 1 CSCE Farkas

28 Types of Threats (2) Disclosure threat – dissemination of unauthorized information Integrity threat – incorrect modification of information Denial of service threat – access to a system resource is blocked Lecture 1 CSCE Farkas

29 Types of Attacks (1) Interruption – an asset is destroyed, unavailable or unusable (availability) Interception – unauthorized party gains access to an asset (confidentiality) Modification – unauthorized party tampers with asset (integrity) Fabrication – unauthorized party inserts counterfeit object into the system (authenticity) Denial – person denies taking an action (authenticity) Lecture 1 CSCE Farkas

30 Types of Attacks (2) Passive attacks: Eavesdropping Monitoring
Active attacks: Masquerade – one entity pretends to be a different entity Replay – passive capture of information and its retransmission Modification of messages – legitimate message is altered Denial of service – prevents normal use of resources Lecture 1 CSCE Farkas

31 Computer Crime Any crime that involves computers or aided by the use of computers U.S. Federal Bureau of Investigation: reports uniform crime statistics Lecture 1 CSCE Farkas

32 How can defense influence these aspects of attacks?
Malicious Attacks Method: skills, knowledge, tools, information, etc. Opportunity: time and access Motive: reason to perform the action How can defense influence these aspects of attacks? Lecture 1 CSCE Farkas

33 Computer Criminals Amateurs: regular users, who exploit the vulnerabilities of the computer system Motivation: easy access to vulnerable resources Crackers: attempt to access computing facilities for which they do not have the authorization Motivation: enjoy challenge, curiosity Career criminals: professionals who understand the computer system and its vulnerabilities Motivation: personal gain (e.g., financial) Lecture 1 CSCE Farkas

34 Methods of Defense Prevent: block attack Deter: make the attack harder
Deflect: make other targets more attractive Detect: identify misuse Tolerate: function under attack Recover: restore to correct state Lecture 1 CSCE Farkas

35 Information Security Planning
Organization Analysis Risk management Mitigation approaches and their costs Security policy Implementation and testing Security training and awareness Lecture 1 CSCE Farkas

36 Risk Management Lecture 1 CSCE Farkas

37 Risk Assessment RISK Threats Vulnerabilities Consequences Lecture 1
CSCE Farkas

38 Optimal level of security
Risk Assessment Business Policy Decision Communication between technical and administrative employees Internal vs. external resources Legal and regulatory requirements Developing security capabilities Cost Security level 0 % 100% Optimal level of security at a minimum cost Security Investment Cost of Breaches

39 Real Cost of Cyber Attack
Damage of the target may not reflect the real amount of damage Services may rely on the attacked service, causing a cascading and escalating damage Need: support for decision makers to Evaluate risk and consequences of cyber attacks Support methods to prevent, deter, and mitigate consequences of attacks Lecture 1 CSCE Farkas

40 Risk Management Framework (Business Context)
Understand Business Context Identify Business and Technical Risks Synthesize and Rank Risks Define Risk Mitigation Strategy Carry Out Fixes and Validate Measurement and Reporting Lecture 1 CSCE Farkas

41 Risk Acceptance Certification Accreditation
How well the system meet the security requirements (technical) Accreditation Management’s approval of automated system (administrative) Lecture 1 CSCE Farkas

42 The science and study of secret writing
Next Class Cryptography The science and study of secret writing Lecture 1 CSCE Farkas

Download ppt "Lecture 1 Introduction Basic Security Concepts"

Similar presentations

CSE 5392By Dr. Donggang Liu1 CSE 5392 Sensor Network Security Course Introduction.

CSE 5392By Dr. Donggang Liu1 CSE 5392 Sensor Network Security Course Introduction.
Is There a Security Problem in Computing? Network Security / G. Steffen1.

Is There a Security Problem in Computing? Network Security / G. Steffen1.
CSCE 201 Introduction to Information Security Fall 2010.

CSCE 201 Introduction to Information Security Fall 2010.
1 Computer Security Instructor: Dr. Bo Sun. 2 Course Objectives Understand basic issues, concepts, principles, and mechanisms in computer network security.

1 Computer Security Instructor: Dr. Bo Sun. 2 Course Objectives Understand basic issues, concepts, principles, and mechanisms in computer network security.
Cryptography and Network Security Chapter 1

Cryptography and Network Security Chapter 1
Lecture 1: Overview modified from slides of Lawrie Brown.

Lecture 1: Overview modified from slides of Lawrie Brown.
EEC 688/788 Secure and Dependable Computing Lecture 2 Wenbing Zhao Department of Electrical and Computer Engineering Cleveland State University

EEC 688/788 Secure and Dependable Computing Lecture 2 Wenbing Zhao Department of Electrical and Computer Engineering Cleveland State University
IT 221: Introduction to Information Security Principles Lecture 1: Introduction to IT Security For Educational Purposes Only Revised: August 28, 2002.

IT 221: Introduction to Information Security Principles Lecture 1: Introduction to IT Security For Educational Purposes Only Revised: August 28, 2002.
Security Controls – What Works

Security Controls – What Works
Note1 (Intr1) Security Problems in Computing. Overview of Computer Security2 Outline Characteristics of computer intrusions –Terminology, Types Security.

Note1 (Intr1) Security Problems in Computing. Overview of Computer Security2 Outline Characteristics of computer intrusions –Terminology, Types Security.
1 An Overview of Computer Security computer security.

1 An Overview of Computer Security computer security.
Introducing Computer and Network Security

Introducing Computer and Network Security
EEC 688/788 Secure and Dependable Computing Lecture 2 Wenbing Zhao Department of Electrical and Computer Engineering Cleveland State University

EEC 688/788 Secure and Dependable Computing Lecture 2 Wenbing Zhao Department of Electrical and Computer Engineering Cleveland State University
“Network Security” Introduction. My Introduction Obaid Ullah Owais Khan Obaid Ullah Owais Khan B.E (I.T) – Hamdard University(2003), Karachi B.E (I.T)

“Network Security” Introduction. My Introduction Obaid Ullah Owais Khan Obaid Ullah Owais Khan B.E (I.T) – Hamdard University(2003), Karachi B.E (I.T)
Network Security PHILADELPHIA UNIVERSITY Ahmad Alghoul 2010-2011 Module 1 Introduction: To Information & Security  Modified by :Ahmad Al Ghoul  Philadelphia.

Network Security PHILADELPHIA UNIVERSITY Ahmad Alghoul Module 1 Introduction: To Information & Security  Modified by :Ahmad Al Ghoul  Philadelphia.
Introduction (Pendahuluan)  Information Security.

Introduction (Pendahuluan)  Information Security.
CPSC 6126 Computer Security Information Assurance.

CPSC 6126 Computer Security Information Assurance.
1 CSE 651: Introduction to Network Security Steve Lai Spring 2010.

1 CSE 651: Introduction to Network Security Steve Lai Spring 2010.
1 Cryptography and Network Security Fourth Edition by William Stallings Lecture slides by Lawrie Brown Changed by: Somesh Jha [Lecture 1]

1 Cryptography and Network Security Fourth Edition by William Stallings Lecture slides by Lawrie Brown Changed by: Somesh Jha [Lecture 1]
SEC835 Database and Web application security Information Security Architecture.

SEC835 Database and Web application security Information Security Architecture.

Similar presentations

Ads by Google