Download presentation
Presentation is loading. Please wait.
Published byGervais Murphy Modified over 6 years ago
1
The Security Problem Security must consider external environment of the system, and protect it from: unauthorized access. malicious modification or destruction accidental introduction of inconsistency. Easier to protect against accidental than malicious misuse.
2
Security A system is secure if its resources are used and accessed as intended under all circumstances.
3
Java Security Model
4
What is Security? All Security is based on the answers to the questions. Who do you trust? How much do you trust them? The answers to these questions form a Security Policy
5
What is System Security?
Computer Security commonly refers to the mechanisms available to enforce the Security Policy
6
Security Components Physical Security
7
Obviously, if your computer is stolen, you have no security
Physical Security Obviously, if your computer is stolen, you have no security
8
Physical Security WiFi – defined network Bluetooth– ad-hoc network
9
Security Components Physical Security Authentication
10
Authentication Verify that someone is who they say they are
Two general methods Data item you know (e.g. password) Data media you have (e.g. card)
11
Authentication Problems with Passwords User selects System selects
Dictionary Attack System selects May not be easily guessed, but… User can’t remember it and… Writes it on a post-it note
12
Authentication Problems with data media you have Can be lost or stolen
Can be forged
13
Authentication Combination of both Examples ATM card requires a PIN
SecurID card requires PIN
14
Authentication Biometrics
Data item you have that most likely cannot be lost or stolen Examples Fingerprint Retinal Scan Facial Recognition Voice Recognition
15
Security Components Physical Security Authentication Protection
16
Protection Mechanisms to control what an authenticated user can do.
File Protection Memory Protection Web Protection
17
Protection Mechanism to keep unauthorized users from accessing the system Firewalls Virus Detection Spyware Detection
18
Security Components Physical Security Authentication Protection
Encryption
19
Encryption Scrambles data so that eavesdroppers cannot read what is being transmitted Also used as part of Authentication to help ensure that someone is not posing as somebody else
20
Security Components Physical Security Authentication Protection
Encryption People
21
People Lack of knowledge about security
People will not keep data secure. People can be conned into giving out information they shouldn’t Poor System Administration
22
Types of Attacks Trojan Horse Trap Door Stack & Buffer Overflow Worm
Virus Denial of Service
23
Trojan Horse Program that appears to be a legitimate agent or process but really behaves in a different manner Viruses and Spyware are often introduced as Trojan Horses
24
Trap Door A way to bypass the normal security protections
Often left in applications / systems to help support staff
25
Stack & Buffer Overflow
Send an incorrectly formatted command / message to a system. If system does not carry out adequate checking, it may execute some action it shouldn’t
26
Stack & Buffer Overflow
How does this happen? Poorly Programmed Read Should be read(file,buffer,100) Instead of read(file,buffer) which reads as much data as the remote system sends Inadequate checking of the validity of the data that is received
27
Stack & Buffer Overflow
Security Design Rule Assume any data you receive is incorrectly formatted (Until proven otherwise)
28
SQL Injection Application does inadequate validation of user input before putting it into an SQL statement Example SELECT BALANCE FROM ACCTS WHERE ACCT_ID=xxxx User Input for xxxx 104;UPDATE ACCTS SET BALANCE= WHERE ACCT_ID=104
29
Worm A program that automatically sends itself to another system
30
Virus Program that attacks a system to carry out some action the computer user does not want
31
Denial of Service Typical attack sends so many messages to a system, that system cannot execute anything except respond to those messages
32
Modern Attacks A modern attack will often employ several combinations of these attacks
33
Example Attack I Kournikova Virus
Enticed people to open an attachment Attachment was a virus that used mail program’s address book to propagate itself
34
Example Attack II Windows XP Universal Plug n Play
Upnp is a feature of Win XP that is intended to allow people to control their (future) internet connected home appliances from any computer Early Flaw: Buffer Overflow problem
35
Example Attack II Windows XP Universal Plug n Play
XP was touted as MS’s most secure OS Reality: ALL XP systems were vulnerable to be hacked
36
Example Attack III Wireless LAN Laptop Office Network
37
Example Attack III IEEE 802.11 Wireless LAN
Marketed as having Wired Equivalent Privacy Uses Encryption to keep data private Flaw: Bad Encryption Result: one can monitor traffic for about a day and then easily break into the network Several apps available on web for executing this hack
38
Example Attack IV
39
Example Attack IV Distributed Denial of Service Attack
Hacker compromised several computers Programmed each of those systems to repeatedly send messages to “target” Hacker shutdown many popular websites
40
Problem Set The following topics are also important Types of attacks
Virtual Memory 8/9/2018 Problem Set The following topics are also important Types of attacks Protection policies and mechanisms Encryption, digital signature, PKI, digital certificate Authentication What are the advantages of encrypting data stored in the computer system? Compare symmetric and asymmetric encryption schemes, and discuss under what circumstances a distributed system would use one or the other. J Garrido
41
Virtual Memory 8/9/2018 Problem Set Discuss how the asymmetric encryption algorithm can be used to achieve the following goals. Authentication: the receiver knows that only the sender could have generated the message Secrecy: only the receiver can decrypt the message Authentication and Secrecy: only the receiver can decrypt the message, and the receiver knows that only the sender could have generated the message J Garrido
Similar presentations
© 2024 SlidePlayer.com. Inc.
All rights reserved.