Presentation is loading. Please wait.

Presentation is loading. Please wait.

Lecture 1 Page 1 CS 236, Spring 2008 What Are Our Security Goals? Confidentiality –If it’s supposed to be a secret, be careful who hears it Integrity –Don’t.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Lecture 1 Page 1 CS 236, Spring 2008 What Are Our Security Goals? Confidentiality –If it’s supposed to be a secret, be careful who hears it Integrity –Don’t."— Presentation transcript:

1 Lecture 1 Page 1 CS 236, Spring 2008 What Are Our Security Goals? Confidentiality –If it’s supposed to be a secret, be careful who hears it Integrity –Don’t let someone change something they shouldn’t Availability –Don’t let someone stop others from using services Exclusivity –Don’t let someone use something he shouldn’t

2 Lecture 1 Page 2 CS 236, Spring 2008 What Are the Threats? Theft Privacy Destruction Interruption or interference with computer-controlled services

3 Lecture 1 Page 3 CS 236, Spring 2008 Thinking About Threats Threats are viewed as types of attacks on normal services So, what is normal service? Information Source Information Destination

4 Lecture 1 Page 4 CS 236, Spring 2008 Classification of Threats Secrecy Integrity Availability Exclusivity

5 Lecture 1 Page 5 CS 236, Spring 2008 Interruption Information Source Information Destination The information never reaches the destination

6 Lecture 1 Page 6 CS 236, Spring 2008 Interruption Threats Denial of service Prevents source from sending information to receiver Or receiver from sending requests to source A threat to availability

7 Lecture 1 Page 7 CS 236, Spring 2008 How Do Interruption Threats Occur? Destruction of hardware, software, or data Interference with a communications channel Overloading a shared resource

8 Lecture 1 Page 8 CS 236, Spring 2008 Interception Information Source Information Destination Unauthorized Third Party An unintended party receives the information

9 Lecture 1 Page 9 CS 236, Spring 2008 Interception Threats Data or services are provided to an unauthorized party Either in conjunction with or independent of a legitimate request A threat to secrecy Also a threat to exclusivity

10 Lecture 1 Page 10 CS 236, Spring 2008 How Do Interception Threats Occur? Eavesdropping Masquerading Break-ins Illicit data copying

11 Lecture 1 Page 11 CS 236, Spring 2008 Modification Information Source Information Destination Unauthorized Third Party The destination receives different information than what was originally sent

12 Lecture 1 Page 12 CS 236, Spring 2008 Modification Threats Unauthorized parties modify the data Either on the way to the users Or permanently at the servers A threat to integrity

13 Lecture 1 Page 13 CS 236, Spring 2008 How Do Modification Threats Occur? Interception of data requests/replies Masquerading Break-ins Flaws in applications allowing unintended modifications Other forms of illicit access to servers and their services

14 Lecture 1 Page 14 CS 236, Spring 2008 Fabrication Information Source Information Destination Unauthorized Third Party The destination receives information the source never sent

15 Lecture 1 Page 15 CS 236, Spring 2008 Fabrication Threats Unauthorized parties insert counterfeit objects into the system Causing improper changes in data Or improper use of system resources Or other bad behavior A threat to integrity –And possibly exclusivity

16 Lecture 1 Page 16 CS 236, Spring 2008 How Do Fabrication Threats Occur? Masquerading Bypassing protection mechanisms Duplication of legitimate requests/responses

17 Lecture 1 Page 17 CS 236, Spring 2008 Destruction Threats Information Source Information Destination ? The information is no longer accessible to a legitimate user `

18 Lecture 1 Page 18 CS 236, Spring 2008 Destruction Threats Destroy data, hardware, messages, or software Often easier to destroy something than usefully modify it Often (but not always) requires physical access –As counterexample, consider demo of destroying power generator remotely 1 1 http://www.cnn.com/2007/US/09/26/power.at.risk/index.html?iref=newssearch#cnnSTCVideo

19 Lecture 1 Page 19 CS 236, Spring 2008 Active Threats Vs. Passive Threats Passive threats are forms of eavesdropping –No modification, injections of requests, etc. Active threats are more aggressive Passive threats are mostly to secrecy Active threats are to all properties

20 Lecture 1 Page 20 CS 236, Spring 2008 Social Engineering and Security The best computer security practices are easily subverted by bad human practices –E.g., giving passwords out over the phone to anyone who asks –Or responding to bogus email with your credit card number Social engineering attacks tend to be cheap, easy, effective So all our work may be for naught

21 Lecture 1 Page 21 CS 236, Spring 2008 Social Engineering Example Phishing Attackers send plausible email requesting you to visit a web site To “update” your information Typically a bank, popular web site, etc. The attacker controls the site and uses it to obtain your credit card, SSN, etc. Likelihood of success based on attacker’s ability to convince the victim that he’s real –And that the victim had better go to the site or suffer dire consequences

22 Lecture 1 Page 22 CS 236, Spring 2008 How Popular is Phishing? Anti-Phishing Work Group reported 38,514 new phishing schemes in September 2007 alone 1 Up from 13,000 in August 2007 Based on gullibility of humans more than computer vulnerability But can computer scientists do something to help? 1 http://www.antiphishing.org/

23 Lecture 1 Page 23 CS 236, Spring 2008 Why Isn’t Security Easy? Security is different than most other problems in CS The “universe” we’re working in is much more hostile Human opponents seek to outwit us Fundamentally, we want to share secrets in a controlled way –A classically hard problem in human relations

24 Lecture 1 Page 24 CS 236, Spring 2008 What Makes Security Hard? You have to get everything right –Any mistake is an opportunity for your opponent When was the last time you saw a computer system that did everything right? So, must we wait for bug-free software to achieve security?

25 Lecture 1 Page 25 CS 236, Spring 2008 How Common Are Software Security Flaws? SANS publishes weekly compendium of newly discovered security flaws Nearly 100 flaws listed in typical SANS Risks digest So ~5000 security flaws found per year –Only counting popular software –Only flaws with real security implications –And only those that were publicized

26 Lecture 1 Page 26 CS 236, Spring 2008 Security Is Actually Even Harder The computer itself isn’t the only point of vulnerability If the computer security is good enough, the foe will attack: –The users –The programmers –The system administrators –Or something you never thought of

27 Lecture 1 Page 27 CS 236, Spring 2008 A Further Problem With Security Security costs –Computing resources –People’s time and attention If people use them badly, most security measures won’t do the job Security must work 100% effectively With 0% overhead or inconvenience or learning

28 Lecture 1 Page 28 CS 236, Spring 2008 Another Problem Most computer practitioners know little or nothing about security Few programmers understand secure programming practices Few sysadmins know much about secure system configuration Typical users know even less

29 Lecture 1 Page 29 CS 236, Spring 2008 The Principle of Easiest Penetration An intruder must be expected to use any available means of penetration. This is not necessarily the most obvious means, nor is it necessarily the one against which the most solid defense has been installed. Put another way, –The smart opponent attacks you where you’re weak, not where you’re strong

30 Lecture 1 Page 30 CS 236, Spring 2008 But Sometimes Security Isn’t That Hard The Principle of Adequate Protection: –Computer items must be protected only until they lose their value. They must be protected to a degree consistent with their value. So worthless things need little protection And things with timely value need only be protected for a while

31 Lecture 1 Page 31 CS 236, Spring 2008 Conclusion Security is important Security is hard A security expert’s work is never done –At least, not for very long Security is full-contact computer science –Probably the most adversarial area in CS Intensely interesting, intensely difficult, and “the problem” will never be solved

Download ppt "Lecture 1 Page 1 CS 236, Spring 2008 What Are Our Security Goals? Confidentiality –If it’s supposed to be a secret, be careful who hears it Integrity –Don’t."

Similar presentations

NS-H0503-02/11041 Attacks. NS-H0503-02/11042 The Definition Security is a state of well-being of information and infrastructures in which the possibility.

NS-H /11041 Attacks. NS-H /11042 The Definition Security is a state of well-being of information and infrastructures in which the possibility.
Security and Trust in E- Commerce. The E-commerce Security Environment: The Scope of the Problem  Overall size of cybercrime unclear; amount of losses.

Security and Trust in E- Commerce. The E-commerce Security Environment: The Scope of the Problem  Overall size of cybercrime unclear; amount of losses.
Computer viruses Hardware theft Software Theft Unauthorized access by hackers Information Theft Computer Crimes.

Computer viruses Hardware theft Software Theft Unauthorized access by hackers Information Theft Computer Crimes.
Is There a Security Problem in Computing? Network Security / G. Steffen1.

Is There a Security Problem in Computing? Network Security / G. Steffen1.
1 Computer Security Instructor: Dr. Bo Sun. 2 Course Objectives Understand basic issues, concepts, principles, and mechanisms in computer network security.

1 Computer Security Instructor: Dr. Bo Sun. 2 Course Objectives Understand basic issues, concepts, principles, and mechanisms in computer network security.
Lecture 1: Overview modified from slides of Lawrie Brown.

Lecture 1: Overview modified from slides of Lawrie Brown.
EEC 693/793 Special Topics in Electrical Engineering Secure and Dependable Computing Lecture 3 Wenbing Zhao Department of Electrical and Computer Engineering.

EEC 693/793 Special Topics in Electrical Engineering Secure and Dependable Computing Lecture 3 Wenbing Zhao Department of Electrical and Computer Engineering.
EEC 688/788 Secure and Dependable Computing Lecture 2 Wenbing Zhao Department of Electrical and Computer Engineering Cleveland State University

EEC 688/788 Secure and Dependable Computing Lecture 2 Wenbing Zhao Department of Electrical and Computer Engineering Cleveland State University
IT 221: Introduction to Information Security Principles Lecture 1: Introduction to IT Security For Educational Purposes Only Revised: August 28, 2002.

IT 221: Introduction to Information Security Principles Lecture 1: Introduction to IT Security For Educational Purposes Only Revised: August 28, 2002.
Lecture 2 Page 1 CS 236, Spring 2008 Security Principles and Policies CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Spring, 2008.

Lecture 2 Page 1 CS 236, Spring 2008 Security Principles and Policies CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Spring, 2008.
1 Cryptography and Network Security Third Edition by William Stallings Lecturer: Dr. Saleem Al_Zoubi.

1 Cryptography and Network Security Third Edition by William Stallings Lecturer: Dr. Saleem Al_Zoubi.
Security Overview Hofstra University University College for Continuing Education - Advanced Java Programming Lecturer: Engin Yalt May 24, 2006.

Security Overview Hofstra University University College for Continuing Education - Advanced Java Programming Lecturer: Engin Yalt May 24, 2006.
Operating System Security Andy Wang COP 5611 Advanced Operating Systems.

Operating System Security Andy Wang COP 5611 Advanced Operating Systems.
6/9/2015Madhumita. Chatterjee1 Overview of Computer Security.

6/9/2015Madhumita. Chatterjee1 Overview of Computer Security.
EEC 688/788 Secure and Dependable Computing Lecture 2 Wenbing Zhao Department of Electrical and Computer Engineering Cleveland State University

EEC 688/788 Secure and Dependable Computing Lecture 2 Wenbing Zhao Department of Electrical and Computer Engineering Cleveland State University
EEC 688/788 Secure and Dependable Computing Lecture 2 Wenbing Zhao Department of Electrical and Computer Engineering Cleveland State University

EEC 688/788 Secure and Dependable Computing Lecture 2 Wenbing Zhao Department of Electrical and Computer Engineering Cleveland State University
CMSC 414 Computer and Network Security Lecture 14 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 14 Jonathan Katz.
EEC 693/793 Special Topics in Electrical Engineering Secure and Dependable Computing Lecture 3 Wenbing Zhao Department of Electrical and Computer Engineering.

EEC 693/793 Special Topics in Electrical Engineering Secure and Dependable Computing Lecture 3 Wenbing Zhao Department of Electrical and Computer Engineering.
Network Security Peter Behrens Seth Elschlager. Computer Security Preventing unauthorized use of your network and information within that network. Preventing.

Network Security Peter Behrens Seth Elschlager. Computer Security Preventing unauthorized use of your network and information within that network. Preventing.
Network Security PHILADELPHIA UNIVERSITY Ahmad Alghoul 2010-2011 Module 1 Introduction: To Information & Security  Modified by :Ahmad Al Ghoul  Philadelphia.

Network Security PHILADELPHIA UNIVERSITY Ahmad Alghoul Module 1 Introduction: To Information & Security  Modified by :Ahmad Al Ghoul  Philadelphia.

Similar presentations

Ads by Google