Presentation is loading. Please wait.

Presentation is loading. Please wait.

Lecture 1: Overview modified from slides of Lawrie Brown.

Published byBrice Garrison Modified over 9 years ago

Similar presentations

Presentation on theme: "Lecture 1: Overview modified from slides of Lawrie Brown."— Presentation transcript:

1 Lecture 1: Overview modified from slides of Lawrie Brown

2 Outline The focus of this chapter is on three fundamental questions: What assets do we need to protect? How are those assets threatened? What can we do to counter those threats?

3 Computer Security Overview The NIST Computer Security Handbook defines the term Computer Security as: “The protection afforded to an automated information system in order to attain the applicable objectives of preserving the integrity, availability and confidentiality of information system resources” includes hardware, software, firmware, information/data, and telecommunications.

4 The CIA Triad

5 Key Security Concepts Confidentiality preserving authorized restrictions on information access and disclosure. including means for protecting personal privacy and proprietary information guarding against improper information modification or destruction, including ensuring information nonrepudiation and authenticity Availability ensuring timely and reliable access to and use of information Integrity Is this all?

6 Levels of Impact Low The loss could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals Moderate The loss could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals High The loss could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals

7 Computer Security Challenges computer security is not as simple as it might first appear to the novice potential attacks on the security features must be considered procedures used to provide particular services are often counterintuitive physical and logical placement needs to be determined multiple algorithms or protocols may be involved

8 Computer Security Challenges attackers only need to find a single weakness, the developer needs to find all weaknesses users and system managers tend to not see the benefits of security until a failure occurs security requires regular and constant monitoring is often an afterthought to be incorporated into a system after the design is complete thought of as an impediment to efficient and user-friendly operation

9 Computer Security Terminology Adversary (threat agent) – An entity that attacks, or is a threat to, a system. Attack – An assault on system security that derives from an intelligent threat; a deliberate attempt to evade security services and violate security policy of a system. Countermeasure – An action, device, procedure, or technique that reduces a threat, a vulnerability, or an attack by eliminating or preventing it, by minimizing the harm it can cause, or by discovering and reporting it so that corrective action can be taken. 9

10 Computer Security Terminology Risk – An expectation of loss expressed as the probability that a particular threat will exploit a particular vulnerability with a particular harmful result. Security Policy – A set of rules and practices that specify how a system or org provides security services to protect sensitive and critical system resources. System Resource (Asset) – Data; a service provided by a system; a system capability; an item of system equipment; a facility that houses system operations and equipment. 10

11 Computer Security Terminology Threat – A potential for violation of security, which exists when there is a circumstance, capability, action, or event that could breach security and cause harm. Vulnerability – Flaw or weakness in a system's design, implementation, or operation and management that could be exploited to violate the system's security policy. 11

12 Security Concepts and Relationships 12

13 Assets of a Computer System Hardware Software Data Communication facilities and networks

14 Vulnerabilities, Threats and Attacks vulnerabilities – leaky (loss of confidentiality) – corrupted (loss of integrity) – unavailable or very slow (loss of availability) threats – capable of exploiting vulnerabilities – represent potential security harm attacks (threats carried out) – passive or active attempt to alter/affect system resources – insider or outsider 14

15 Countermeasures means used to deal with security attacks may introduce new vulnerabilities Residual vulnerabilities may remain goal is to minimize residual level of risk to the assets prevent detect recover 15

16 Lecture 2: Overview (cont) modified from slides of Lawrie Brown

17 by Peter Steiner, New York, July 5, 1993

18 Threat Consequences Unauthorized disclosure is a threat to confidentiality Exposure: This can be deliberate or be the result of a human, hardware, or software error Interception: unauthorized access to data Inference: e.g., traffic analysis or use of limited access to get detailed information Intrusion: unauthorized access to sensitive data 18

19 Threat Consequences Deception is a threat to either system or data integrity Masquerade: an attempt by an unauthorized user to gain access to a system by posing as an authorized user Falsification: altering or replacing of valid data or the introduction of false data Repudiation: denial of sending, receiving or possessing the data. 19

20 Threat Consequences Usurpation is a threat to system integrity. Misappropriation: e.g., theft of service, distributed denial of service attack Misuse: security functions can be disabled or thwarted 20

21 Threat Consequences Disruption is a threat to availability or system integrity Incapacitation: a result of physical destruction of or damage to system hardware Corruption: system resources or services function in an unintended manner; unauthorized modification Obstruction: e.g. overload the system or interfere with communications 21

22 Scope of Computer Security 22

23 Computer and Network Assets 23 Jamming

24 Passive and Active Attacks Passive attacks attempt to learn or make use of information from the system but does not affect system resources eavesdropping/monitoring transmissions difficult to detect emphasis is on prevention rather than detection two types: – message contents – traffic analysis Active attacks involve modification of the data stream goal is to detect them and then recover categories: – masquerade – replay – modification of messages – denial of service 24

25 Security Functional Requirements computer security technical measures access control identification & authentication; system & communication protection system & information integrity management controls and procedures awareness & training audit & accountability certification, accreditation, & security assessments contingency planning maintenance physical & environmental protection planning personnel security risk assessment systems & services acquisition overlap computer security technical measures and management controls configuration management incident response media protection 25

26 assuring a communication is from the source that it claims to be from – interference by a third party masquerading as one of the two legitimate parties Peer Entity Authentication – corroboration of the identity of a peer entity – confidence that an entity is not performing a masquerade or an unauthorized replay Authentication Service Data Origin Authentication Data Origin Authentication corroboration of the source of a data corroboration of the source of a data supports applications where there are no prior interactions supports applications where there are no prior interactions 26

27 limit and control the access to host systems and applications each entity trying to gain access must first be identified, or authenticated Access Control Service Nonrepudiation Service prevents either sender or receiver from denying a transmitted message prevents either sender or receiver from denying a transmitted message 27

28 protection of transmitted data from passive attacks protects user data transmitted over a period of time – connection confidentiality – connectionless confidentiality – selective-field confidentiality – traffic-flow confidentiality Data Confidentiality Service 28

29 can apply to a stream of messages, a single message, or selected fields within a message with and without recovery connectionless integrity service – provides protection against message modification only connection-oriented integrity service – assures that messages are received as sent no duplication, insertion modification, reordering, or replays Data Integrity Service 29

30 a service that protects a system to ensure its availability – being accessible and usable upon demand by an authorized system entity a variety of attacks can result in the loss of or reduction in availability some of these attacks are amenable to authentication and encryption some attacks require a physical action to prevent or recover from loss of availability depends on proper management and control of system resources Availability Service 30

31 Security Implementation response prevention recovery detection complementary courses of action 31

32 Security Mechanism Feature designed to – Prevent attackers from violating security policy – Detect attackers’ violation of security policy – Response to mitigate attack – Recover, continue to function correctly even if attack succeeds No single mechanism that will support all services – Authentication, authorization, availability, confidentiality, integrity, non-repudiation 32

33 Fundamental Security Design Principles Economy of mechanism Fail-safe defaults Complete mediation Open design Separation of privilege Least privilege Least common mechanism Psychological acceptability Isolation Encapsulation Modularity Layering Least astonishment

34 Attack Surfaces Consist of the reachable and exploitable vulnerabilities in a system Examples: Open ports on outward facing Web and other servers, and code listening on those ports Services available on the inside of a firewall Code that processes incoming data, email, XML, office documents, and industry- specific custom data exchange formats Interfaces, SQL, and Web forms An employee with access to sensitive information vulnerable to a social engineering attack

35 Attack Surface Categories Network Attack Surface Vulnerabilities over an enterprise network, wide- area network, or the Internet Included in this category are network protocol vulnerabilities, such as those used for a denial-of- service attack, disruption of communications links, and various forms of intruder attacks Software Attack Surface Vulnerabilities in application, utility, or operating system code Particular focus is Web server software Human Attack Surface Vulnerabilities created by personnel or outsiders, such as social engineering, human error, and trusted insiders

36 Security Technologies Used 36

37 Types of Attacks Experienced 37

38 38

39 Defense in Depth and Attack Surface

40 Computer Security Strategy Specification & policy what is the security scheme supposed to do? Implementation & mechanisms how does it do it? Correctness & assurance does it really work? 40

41 Computer Security Strategy

42 Security Policy formal statement of rules and practices that specify or regulate security services factors to consider: – value of the protected assets – vulnerabilities of the system – potential threats and the likelihood of attacks trade-offs to consider: – ease of use versus security – cost of security versus cost of failure and recovery 42

43 Assurance and Evaluation assurance – the degree of confidence one has that the security measures work as intended – both system design and implementation evaluation – process of examining a system with respect to certain criteria – involves testing and formal analytic or mathematical techniques 43

44 Security Trends 44 www.cert.orgwww.cert.org (Computer Emergency Readiness Team)

45 Early Hacking – Phreaking In1957, a blind seven-year old, Joe Engressia Joybubbles, discovered a whistling tone that resets trunk lines – Blow into receiver – free phone calls 45 Cap’n Crunch cereal prize Giveaway whistle produces 2600 MHz tone

46 The Seventies John Draper – a.k.a. Captain Crunch – “If I do what I do, it is only to explore a system” In 1971, built Bluebox – with Steve Jobs and Steve Wozniak 46

47 The Eighties Robert Morris worm - 1988 – Developed to measure the size of the Internet However, a computer could be infected multiple times – Brought down a large fraction of the Internet ~ 6K computers – Academic interest in network security 47

48 The Nineties Kevin Mitnick – First hacker on FBI’s Most Wanted list – Hacked into many networks including FBI – Stole intellectual property including 20K credit card numbers – In 1995, caught 2 nd time served five years in prison 48

49 Code-Red Worm On July 19, 2001, more than 359,000 computers connected to the Internet were infected in less than 14 hours Spread 49

50 Sapphire Worm was the fastest computer worm in history – doubled in size every 8.5 seconds – infected more than 90 percent of vulnerable hosts within 10 minutes. 50

51 DoS attack on SCO On Dec 11, 2003 – Attack on web and FTP servers of SCO a software company focusing on UNIX systems – SYN flood of 50K packet-per-second – SCO responded to more than 700 million attack packets over 32 hours 51

52 Witty Worm 25 March 2004 – reached its peak activity after approximately 45 minutes – at which point the majority of vulnerable hosts had been infected World USA 52

53 Nyxem Email Virus  Jan 15, 2006: infected about 1M computers within two weeks – At least 45K of the infected computers were also compromised by other forms of spyware or botware Spread 53

54 Sipscan Botnet  a botnet-orchestrated stealth scan of the entire IPv4 address space  31 Jan–12 Feb 2011 probing 54

Download ppt "Lecture 1: Overview modified from slides of Lawrie Brown."

Similar presentations

Network Security Chapter 1 - Introduction.

Network Security Chapter 1 - Introduction.
Cryptography and Network Security 2 nd Edition by William Stallings Note: Lecture slides by Lawrie Brown and Henric Johnson, Modified by Andrew Yang.

Cryptography and Network Security 2 nd Edition by William Stallings Note: Lecture slides by Lawrie Brown and Henric Johnson, Modified by Andrew Yang.
Cryptography and Network Security Sixth Edition by William Stallings.

Cryptography and Network Security Sixth Edition by William Stallings.
Chapter 18: Computer and Network Security Threats

Chapter 18: Computer and Network Security Threats
Cryptography and Network Security Chapter 1

Cryptography and Network Security Chapter 1
Chapter 1 This book focuses on two broad areas: cryptographic algorithms and protocols, which have a broad range of applications; and network and Internet.

Chapter 1 This book focuses on two broad areas: cryptographic algorithms and protocols, which have a broad range of applications; and network and Internet.
Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 1: Overview.

Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 1: Overview.
Lecture 1: Overview modified from slides of Lawrie Brown.

Lecture 1: Overview modified from slides of Lawrie Brown.
1 Cryptography and Network Security Third Edition by William Stallings Lecturer: Dr. Saleem Al_Zoubi.

1 Cryptography and Network Security Third Edition by William Stallings Lecturer: Dr. Saleem Al_Zoubi.
1 An Overview of Computer Security computer security.

1 An Overview of Computer Security computer security.
Stephen S. Yau CSE465 & CSE591, Fall 2006 1 Information Assurance (IA) & Security Overview Concepts Security principles & strategies Techniques Guidelines,

Stephen S. Yau CSE465 & CSE591, Fall Information Assurance (IA) & Security Overview Concepts Security principles & strategies Techniques Guidelines,
Applied Cryptography for Network Security

Applied Cryptography for Network Security
“Network Security” Introduction. My Introduction Obaid Ullah Owais Khan Obaid Ullah Owais Khan B.E (I.T) – Hamdard University(2003), Karachi B.E (I.T)

“Network Security” Introduction. My Introduction Obaid Ullah Owais Khan Obaid Ullah Owais Khan B.E (I.T) – Hamdard University(2003), Karachi B.E (I.T)
Introduction (Pendahuluan)  Information Security.

Introduction (Pendahuluan)  Information Security.
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
Stephen S. Yau CSE 465-591, Fall 2006 1 Security Strategies.

Stephen S. Yau CSE , Fall Security Strategies.
Review security basic concepts IT 352 : Lecture 2- part1 Najwa AlGhamdi, MSc – 2012 /1433.

Review security basic concepts IT 352 : Lecture 2- part1 Najwa AlGhamdi, MSc – 2012 /1433.
SEC835 Database and Web application security Information Security Architecture.

SEC835 Database and Web application security Information Security Architecture.
Cryptography and Network Security Overview & Chapter 1 Fifth Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Overview & Chapter 1 Fifth Edition by William Stallings Lecture slides by Lawrie Brown.
Lecture slides prepared for “Computer Security: Principles and Practice”, 2/e, by William Stallings and Lawrie Brown, Chapter 1 “Overview”.

Lecture slides prepared for “Computer Security: Principles and Practice”, 2/e, by William Stallings and Lawrie Brown, Chapter 1 “Overview”.

Similar presentations

Ads by Google