Published by Joan Chapman. Modified over 9 years ago.
1
CSCE 201 Introduction to Information Security Fall 2010
2
CSCE 201 Introduction to Computer Security
Instructor: Csilla Farkas
Office: Swearingen 3A43
Office Hours: Monday, Wednesday 10:00 – 11:00 am or electronically any time or by appointment
Telephone: 576-5762
E-mail: farkas@cec.sc.edu
Homepage: http://www.cse.sc.edu/~farkas/csce201-2009/csce201.htm
CSCE 201 - Farkas
3
Course Objectives
• Understand basic concepts and practices of information security
• Understand tools and techniques used by attackers to penetrate computer systems
• Understand tools and techniques used by defense to protect computer systems
• Be able to check for security updates, apply and use patches and other defense mechanisms
• Be able to understand and follow security and privacy policies
• Understand the ethical implications of using attack tools on computer systems
4
Text
• C. Easttom, Computer Security Fundamentals, Pearson Prentice Hall, ISBN: 0-13-171129-6
• Lecture handouts
5
Grading
• Test 1: 20%, Test 2: 40%, Homework: 40%
• Total score that can be achieved: 100
• Final grade: 90 < A, 87 < B+ <= 90, 80 < B <= 87, 77 < C+ <= 80, 65 < C <= 77, 60 < D+ <= 65, 52 < D <= 60, F <= 52
6
Tentative Schedule
• Weeks 1–5: Basic Security Concepts
• Weeks 6–10: Home Computer Security – Hardening the System
• Weeks 11–15: Let’s Have Fun – Popular applications, ethics, security and privacy
7
Security Planning
8
Reading list:
  – Easttom: Chapter 1
Other useful sites
  – Computer Security Institute, http://www.gocsi.com/
  – SANS Institute, http://www.sans.org/
  – Carnegie Mellon University's Computer Emergency Response Team, http://www.cert.org/
  – Information Warfare and Information Security on the Web, http://www.fas.org/irp/wwwinfo.html
  – Sun Tzu on the Art of War (Lionel Giles, trans.), http://all.net/books/tzu/tzu.html
9
Security Objectives
• Confidentiality: prevent/detect/deter improper disclosure of information
• Integrity: prevent/detect/deter improper modification of information
• Availability: prevent/detect/deter improper denial of access to services
10
Military Example
• Confidentiality: target coordinates of a missile should not be improperly disclosed
• Integrity: target coordinates of missile should be correct
• Availability: missile should fire when proper command is issued
11
Commercial Example
• Confidentiality: patient’s medical information should not be improperly disclosed
• Integrity: patient’s medical information should be correct
• Availability: patient’s medical information can be accessed when needed for treatment
12
Fourth Objective
• Securing computing resources: prevent/detect/deter improper use of computing resources
  – Hardware
  – Software
  – Data
  – Network
13
Achieving Security
• Policy – What to protect?
• Mechanism – How to protect?
• Assurance – How good is the protection?
14
Security Policy
• Organizational Policy
• Computerized Information System Policy
15
Security Mechanism
• Prevention
• Detection
• Tolerance/Recovery
16
Security by Obscurity
• Hide inner working of the system
• Bad idea!
• Vendor independent open standard
• Widespread computer knowledge
17
Security by Legislation
• Instruct users how to behave
• Not good enough!
• Important
• Only enhance security
• Targets only some of the security problems
18
Security Tradeoffs
[Diagram labels: COST; Security; Functionality; Ease of Use]
19
Threat, Vulnerability, Risk
• Threat: potential occurrence that can have an undesired effect on the system
• Vulnerability: characteristic of the system that makes it possible for a threat to potentially occur
• Attack: action of a malicious intruder that exploits vulnerabilities of the system to cause a threat to occur
• Risk: measure of the possibility of security breaches and severity of the damage
20
Types of Threats
• Errors of users
• Natural/man-made/machine disasters
• Dishonest insider
• Disgruntled insider
• Outsiders
21
Types of Attack
• Interruption – an asset is destroyed, unavailable or unusable (availability)
• Interception – unauthorized party gains access to an asset (confidentiality)
• Modification – unauthorized party tampers with asset (integrity)
• Fabrication – unauthorized party inserts counterfeit object into the system (authenticity)
• Denial – person denies taking an action (authenticity)
22
Computer Crime
• Any crime that involves computers or is aided by the use of computers
• U.S. Federal Bureau of Investigation: reports uniform crime statistics
23
Computer Criminals
• Amateurs: regular users, who exploit the vulnerabilities of the computer system
  – Motivation: easy access to vulnerable resources
• Crackers: attempt to access computing facilities for which they do not have the authorization
  – Motivation: enjoy challenge, curiosity
• Career criminals: professionals who understand the computer system and its vulnerabilities
  – Motivation: personal gain (e.g., financial)
24
Methods of Defense
• Prevent: block attack
• Deter: make the attack harder
• Deflect: make other targets more attractive
• Detect: identify misuse
• Tolerate: function under attack
• Recover: restore to correct state
• Documentation and reporting
25
Information Security Planning
• Organization Analysis
• Risk management
• Mitigation approaches and their costs
• Security policy and procedures
• Implementation and testing
• Security training and awareness
26
Risk Management
27
Risk Assessment
[Diagram labels: RISK; Threats; Vulnerabilities; Consequences]
28
System Security Engineering (Traditional View)
• Specify System Architecture
• Identify Threats, Vulnerabilities, Attacks
• Estimate Risk
• Prioritize Vulnerabilities
• Identify and Install Safeguards
• Risk is acceptably low
29
Human Actions
• Domains:
  – Play: hackers vs. owners
  – Crime: perpetrators vs. victims
  – Individual rights: individuals vs. individuals/organizations/government
  – National security: national level activities
30
Play
• Playing pranks
• Actors: hackers/crackers/phreakers
• Motivation: challenge, knowledge, thrill
• Culture: social/educational
  – “global networks”
  – publications
  – forums
• Law
31
Crime
• Intellectual Property Crimes
  – IT targets: research and development, manufacturing and marketing plan, customer list, etc.
  – Attacker: insiders, formal insiders
  – 1996: Economic Espionage Act (U.S. Congress)
• Fraud
  – Telemarketing scam, identity theft, bank fraud, telecommunication fraud, computer fraud and abuse
• Fighting crime
32
Individual Rights
• Privacy
  – Secondary use of information
• Free speech
  – Harmful/disturbing speech
  – Theft and distribution of intellectual property
  – Censorship
33
National Security
• Foreign Intelligence
  – Peace time: protecting national interests
      Open channels, human spies, electronic surveillance, electronic hacking (?)
  – War time: support military operations
  – U.S. Intelligence Priorities:
      Intelligence supporting military needs during operation
      Intelligence about hostile countries
      Intelligence about specific transnational threats
  – Central Intelligence Agency (CIA)
  – Primary targets in U.S.A.: high technology and defense-related industry
34
Terrorism
• Traditional:
  – Intelligence collection
  – Psyops and perception management
• New forms:
  – Exploitation of computer technologies
      Internet propaganda
      Cyber attacks (electronic mail flooding, DOS, etc.)
• Protection of national infrastructure
35
Next Class
• Making decisions about security
• Easttom: Ch. 3