Security in Computing, Fifth Edition


1 Security in Computing, Fifth Edition
Chapter 1: Introduction

2 About the Module
• The core book is Security in Computing by Charles Pfleeger and Shari Pfleeger, Pearson
• COM535 Home page is really Blackboard but also mirrored below:
• Please remember optional means optional.
• Practicals: Placed on Blackboard each week.
• Examination: Coursework 100% - Essay on security topic for week 7 and class test in labs where you will demonstrate aspects of the lab
• Core module text on Blackboard

The NIST Computer Security Handbook [NIST95] defines the term computer security as follows:

Computer Security: The protection afforded to an automated information system in order to attain the applicable objectives of preserving the integrity, availability, and confidentiality of information system resources (includes hardware, software, firmware, information/data, and telecommunications).

This definition introduces three key objectives that are at the heart of computer security:
• Confidentiality: This term covers two related concepts:
  - Data confidentiality: Assures that private or confidential information is not made available or disclosed to unauthorized individuals.
  - Privacy: Assures that individuals control or influence what information related to them may be collected and stored and by whom and to whom that information may be disclosed.
• Integrity: This term covers two related concepts:
  - Data integrity: Assures that information and programs are changed only in a specified and authorized manner.
  - System integrity: Assures that a system performs its intended function in an unimpaired manner, free from deliberate or inadvertent unauthorized manipulation of the system.
• Availability: Assures that systems work promptly and service is not denied to authorized users.

3 Content Covered in labs

4 Objectives for this lecture
• Define computer security as well as basic computer security terms
• Introduce the C-I-A Triad
• Introduce basic access control terminology
• Explain basic threats, vulnerabilities, and attacks
• Show how controls map to threats
• Define the Internet of Things and discuss associated emerging security issues
• Discuss nascent efforts to financially measure cybersecurity to make sound investment decisions
• Explore the evolving field of electronic voting, which has been an important and open security research problem for over a decade
• Study potential examples of cyber warfare and their policy implications

5 What’s in a Tweet?

6 What Is Computer Security?
The protection of the assets of a computer system:
• Hardware
• Software
• Data

7 Assets

8 Values of Assets
While hardware and software may be expensive, unique data cannot be replaced if it is lost.

9 Basic Terms
• Vulnerability
• Threat
• Attack
• Countermeasure or control
There will be further discussion of each later in the chapter. From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: ). Copyright 2015 by Pearson Education, Inc. All rights reserved.

10 Threat and Vulnerability
The water is the threat, the crack the vulnerability, and the finger the control (for now).

11 Common Threats and Attacks
In order to assess the relative severity of various threats and the relative importance of various approaches to computer security, it is useful to look at the experience of organizations. A useful view is provided by the CSI Computer Crime and Security Survey for 2010/2011, conducted by the Computer Security Institute. The respondents consisted of over 350 U.S.-based companies, nonprofit organizations, and public sector organizations. Figure 1.4 shows the types of attacks experienced by respondents in nine major categories. Most noteworthy is the large and growing prevalence of malicious software (malware) attacks. It is also worth noting that most categories of attack exhibit a somewhat downward trend. The CSI report speculates that this is due in large part to improved security techniques by organizations.

12 The CIA Triad
• Integrity
• Availability
• Confidentiality

The National Institute of Standards and Technology (NIST) Computer Security Handbook defines the term Computer Security as: “The protection afforded to an automated information system in order to attain the applicable objectives of preserving the integrity, availability and confidentiality of information system resources” (includes hardware, software, firmware, information/data, and telecommunications).
• Confidentiality: preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information
• Integrity: guarding against improper information modification or destruction, including ensuring information nonrepudiation and authenticity
• Availability: ensuring timely and reliable access to and use of information

FIPS PUB 199 provides a useful characterization of these three objectives in terms of requirements and the definition of a loss of security in each category:
• Confidentiality: Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information. A loss of confidentiality is the unauthorized disclosure of information.
• Integrity: Guarding against improper information modification or destruction, including ensuring information non-repudiation and authenticity. A loss of integrity is the unauthorized modification or destruction of information.
• Availability: Ensuring timely and reliable access to and use of information. A loss of availability is the disruption of access to or use of information or an information system.

Although the use of the CIA triad to define security objectives is well established, some in the security field feel that additional concepts are needed to present a complete picture. Two of the most commonly mentioned are as follows:
• Authenticity: The property of being genuine and being able to be verified and trusted; confidence in the validity of a transmission, a message, or message originator. This means verifying that users are who they say they are and that each input arriving at the system came from a trusted source.
• Accountability: The security goal that generates the requirement for actions of an entity to be traced uniquely to that entity. This supports nonrepudiation, deterrence, fault isolation, intrusion detection and prevention, and after-action recovery and legal action. Because truly secure systems aren’t yet an achievable goal, we must be able to trace a security breach to a responsible party. Systems must keep records of their activities to permit later forensic analysis to trace security breaches or to aid in transaction disputes.

Note that FIPS PUB 199 includes authenticity under integrity.

13 Access Control
Visual explanation of basic access control terms

14 Types of Threats
This diagram shows threats categorized according to whether they are human-caused, malicious, or directed. These characteristics will affect security planning in important ways later.

15 Advanced Persistent Threat (APT)
• Organized
• Directed
• Well financed
• Patient
• Silent

APT is a special type of threat that has only been taken seriously by the broad security community over the past decade. In general, security experts believe that no one who becomes a high-priority target can truly be safe from APT.

16 Types of Attackers
Each of these attacker types is associated with a different set of resources, capabilities, and motivations. Understanding the different types will help later in considering threats.

17 Types of Harm
These are the primary types of harm against system data and functions. Understanding these possibilities is important to considering threat and risk.

18 Method-Opportunity-Motive
Understanding method, motive, and opportunity can be a good way to think about potential threats. Reducing any of those dimensions can lower the risk to the system.

19 Controls/Countermeasures
This representation shows the three dimensions by which a control can be categorized. Thinking about controls in this way enables you to easily map the controls against the threats they help address.

20 Different Types of Controls
In this simple representation of a networked system, it is easy to see all the touch points where controls can be placed, as well as some different types of controls, including deterrence, deflection, response, prevention, and preemption.

21 Emerging Topics

22 The Internet of Things (IoT)
IoT refers to the connection of everyday devices to the Internet, making a world of so-called smart devices.

Examples:
• Smart appliances, such as refrigerators and dishwashers
• Smart home, such as thermostats and alarm systems
• Smart health, such as fitness monitors and insulin pumps
• Smart transportation, such as driverless cars
• Smart entertainment, such as video recorders

Potential downsides:
• Loss of privacy
• Loss of control of data
• Potential for subversion
• Mistaken identification
• Uncontrolled access

The goals of this slide are for students to understand what IoT refers to and to consider the security and privacy implications of this class of devices. An example of mistaken identification is a thermostat mistaking a houseguest for its owner.

23 Smartphones
Smartphones are the control hub of the IoT.
• In 2013, Kaspersky Labs identified 143,211 distinct new forms of malware against mobile devices
• 98% targeted Android devices, far in excess of its market share
• Android, unlike its competitors, does not limit the software users are allowed to install and is thus an easier target
• Apple, in contrast, only allows apps from its app store to be installed on its smartphones
  - All apps go through an approval process, which includes some security review
  - Once approved, apps are signed, using a certificate approach similar to that described in Chapter 2

The lessons of this slide are that mobile phones have become an important target for malware, and that Apple’s locked-down approach to software installation acts as a deterrent against malware authors as compared to Android’s approach.

24 Economics
Cybersecurity planning includes deciding how to allocate scarce resources for investing in security controls.

Making a business case:
• A description of the problem or need to be addressed
• A list of possible solutions
• A list of constraints on solving the problem
• A list of underlying assumptions
• An analysis of the risks, costs, and benefits of each alternative
• A summary of why the proposed investment is a good idea

25 Influences on Cybersecurity Investment
This table is adapted from [ROW06]. The key takeaway here is that a business case is never about good security for its own sake. Violating regulatory requirements can result in fines, lawsuits, or loss of customers, so it drives investment. All of the other reasons listed, with the exception of “Network history or information technology staff knowledge,” are also ones in which a direct business impact is visible, and the value of the investment can be quantified.

26 Quantifying Security
• Cybersecurity threats are impossible to accurately quantify and estimate
  - How do you predict the likelihood that a hacker will attack a network, and how do you know the precise value of the assets the hacker will compromise?
• While many industrial surveys collect cybersecurity incident data, they are inconsistent on key issues:
  - No standards for defining or categorizing security incidents
  - Disagreements about sources of attack
  - Selection bias among respondents
• Useful data for decision making, such as rates and severity of attacks, cost of damage and recovery, and cost of security measures, are not yet known with any accuracy

27 Electronic Voting
• Confidentiality: We want to be able to cast a ballot without revealing our votes to others.
• Integrity: We want votes to represent our actual choices and not be changed between the time we mark the ballot and the time our vote is counted. We also want every counted ballot to reflect one single vote of an authorized person. That is, we want to be able to ensure that our votes are authentic and that the reported totals accurately reflect the votes cast.
• Availability: Usually, votes are cast during an approved pre-election period or on a designated election day, so we must be able to vote when voting is allowed. If we miss the chance to vote or if voting is suspended during the designated period, we lose the opportunity to cast a vote in the given election.

28 What Is a Fair Election?
• Each voter’s choices must be kept secret.
• Each voter may vote only once and only for allowed offices.
• The voting system must be tamperproof, and the election officials must be prevented from allowing it to be tampered with.
• All votes must be reported accurately.
• The voting system must be available for use throughout the election period.
• An audit trail must be kept to detect irregularities in voting but without disclosing how any individual voted.

Many of the attacks described throughout this book have strong potential to violate these principles in an electronic voting system: Program flaws, incorrect use of encryption, and man-in-the-middle attacks could violate secrecy and allow tampering. Consider having students brainstorm specific attack examples.

29 Cyber Warfare
Open questions:
• When is an attack on cyber infrastructure considered an act of warfare?
• Is cyberspace different enough to be considered a separate domain for war, or is it much like any other domain (e.g., land, sea, or air)?
• What are the different ways of thinking about cyber war offense and defense?
• What are the benefits and risks of strategic cyber warfare and tactical cyber warfare?

Cyber warfare is a poorly defined term, and an inherently political one, so it brings up far more questions than answers.

30 Possible Examples of Cyber Warfare
• Estonia: Beginning in April 2007, the websites of a variety of Estonian government departments were shut down by multiple DDoS attacks immediately after a political altercation with Russia.
• Iran: The Stuxnet worm attacked a particular model of computer used for many production control systems, and all the infections could be traced back to domains within Iran linked to industrial processing.
• Israel and Syria: Missiles fired in 2007 by Israeli planes did not show up on Syrian radar screens because software had replaced live images with fake, benign ones.
• Canada: In January 2011, the Canadian government revealed that several of its national departments had been the victims of a cyber attack traced back to servers in China.
• Russia: According to the New York Times, Russian hackers infiltrated the computers of various national governments, NATO, and the Ukraine.

These examples illustrate three lessons:
• The line between cyber warfare and cyber espionage is not yet defined and may always be fuzzy.
• Attack attribution is a major impediment to addressing cyber warfare as an issue.
• Known cyber warfare incidents have thus far been small in scope, but that will not always be the case.

31 Summary
• Vulnerabilities are weaknesses in a system; threats exploit those weaknesses; controls protect those weaknesses from exploitation
• Confidentiality, integrity, and availability are the three basic security primitives
• Different attackers pose different kinds of threats based on their capabilities and motivations
• Different controls address different threats; controls come in many flavors and can exist at various points in the system
• The IoT has resulted in a flood of new devices connecting our private and personal lives to the Internet but is far from mature from a security and privacy perspective
• Cybersecurity investment decision making remains challenged by our inability to accurately measure risk and vulnerability
• After over a decade of research and practice, electronic voting remains an unsolved research problem
• Cyber warfare continues to lack clear definition and presents critical challenges, including attribution

32 Today's Lab
1. Linux & Pen Testing Environment Basics
1.1 Finding your way around Kali
1.2 Linux Basic & Linux Services
  1.2.1 Linux basic commands
  1.2.2 Text viewers and editors for Linux Newbies
  1.2.3 SSHD
  1.2.4 Apache
1.3 Netcat
  1.3.1 Connecting to a TCP/UDP port with Netcat
  1.3.2 Listening on a TCP/UDP port with Netcat
  1.3.3 Transferring files with Netcat
  1.3.4 Remote Administration with Netcat – Bind Shell
1.4 Wireshark for Sniffing Packets
  Wireshark & Packet Sniffing Background
  Wireshark Step by Step
1.5 Cross-site scripting
  A basic example
  Stored XSS
  Reflected XSS
  Preventing XSS Attacks
1.6 Creating a Keylogger to Snoop (on your home PC)

Chapter 2 summary.

