Presentation is loading. Please wait.

Presentation is loading. Please wait.

Topics in Information Security Prof. JoAnne Holliday Santa Clara University.

Published byMadison Pitts Modified over 9 years ago

Similar presentations

Presentation on theme: "Topics in Information Security Prof. JoAnne Holliday Santa Clara University."— Presentation transcript:

1 Topics in Information Security Prof. JoAnne Holliday Santa Clara University

2 This course is part of the SCU Information Assurance curriculum which was recently certified by the Committee on National Systems Security of the National Security Agency as meeting the standards of the National INFOSEC Education and Training Program. http://www.nsa.gov/isso/programs/nietp/corseval.htm

3 Reading Assignment Read section 3 of faq http://www.w3.org/Security/Faq/ CERT is a coordination center for Internet security operated by Carnegie Mellon. Read CERT article on security http://www.cert.org/encyc_article/tocencyc.html

4 Outline Attacks, Services and Mechanisms Security Services Threats, Attacks and Vulnerabilities Security Policies and Mechanisms for Defense Readings, standards, etc.

5 Definitions Security Attack: Any action that compromises the security of information. Security Mechanism: A mechanism that is designed to detect, prevent, or recover from a security attack. Security Service: A service that enhances the security of data processing systems and information transfers. A security service makes use of one or more security mechanisms.

6 Security Services (Goals) Confidentiality – concealment of information or resources. Includes whether or not data exists. Implies “authorization” so that only authorized people can access confidential data.

7 Security Services (cont) Integrity – the trustworthiness and the correctness of data or resources. Usually in terms of preventing improper or unauthorized change. Can have several types of integrity: data integrity and origin integrity (was the email spoofed?). Two types of integrity services: prevention and detection.

8 Security Services (cont) Availability – the ability of authorized entities to use the information or resource. Denial of service attacks inhibit this service Confidentiality, Integrity, Availability

9 Vulnerabilities, Threats and Attacks A vulnerability is a weakness in the system that might be exploited to cause loss or harm (and a violation of security services). A threat is a potential violation of security. Security services counter threats. An attack is the actual attempt to violate security. It is the manifestation of the threat.

10 Classifying Threats

11 Types of Threats Interruption: This is an attack on availability Interception: This is an attack on confidentiality Modification: This is an attack on integrity Fabrication: This is an attack on integrity

12 Additional Threats Repudiation of origin – a false denial that an entity sent or created something (I didn’t send that order to but Enron stock the day before it crashed). Attack on integrity Denial of receipt – a false denial that an entity received some information or message. (I didn’t receive the diamond shipment). Attack on integrity and availability. Denial of Service – long term inhibition of information or service. Attack on availability.

13 Passive and Active Threats

14 Security Policy and Mechanisms A security policy is a statement of what is and is not allowed. A security mechanism is a method, tool, or procedure for enforcing security policy. These should clearly be separate things.

15 Policy and Mechanism Example Policy – only the systems administrator is allowed to access the password file and then only in encrypted form Mechanism – the password file is not stored in clear text, but only in encrypted form with algorithm XYZ. The O.S. checks the access authorization of any process attempting to read the password file immediately before the access and whenever access is denied, that attempt is recorded in a log of suspicious activity.

16 Security Mechanisms Prevention, Detection, Recovery Prevention: –Encryption –Software Controls (DB access limitations, operating system process protection) –Policies (frequent changes of passwords) –Physical Controls Detection: Intrusion detection systems (IDS)

17 Prevention Mechanisms Adequate prevention means that an attack will fail. Prevention usually involves mechanisms that the user cannot override. Prevention mechanisms are often cumbersome and do not always work perfectly or fail because they are circumvented. Passwords are a prevention mechanism to prevent unauthorized access. They fail when the password becomes known to a person other than the owner.

18 Detection Mechanisms Detection is used when an attack cannot be prevented and it also indicates the effectiveness of prevention measures. The goal is to determine that an attack is underway or has occurred and report it. Audit logs are detection mechanisms. When you log into the design center’s unix servers, it gives you the IP address of the last successful login.

19 Recovery Recovery has several aspects. The first is to stop an attack and repair the damage. Another is to trace the evidence back to the attacker and discover the identity of the attacker (this could result in legal retaliation). Yet another aspect is to determine the vulnerability that was exploited and fix it or devise a way of preventing a future attack.

20 Example: Private Property Prevention: locks at doors, window bars, walls round the property Detection: stolen items are missing, burglar alarms, closed circuit TV Recovery: call the police, replace stolen items, make an insurance claim …

21 Example E-Commerce Prevention: encrypt your orders, rely on the merchant to perform checks on the caller, don’t use the Internet (?) … Detection: an unauthorized transaction appears on your credit card statement Recovery: complain, ask for a new card number, etc. Footnote: Your credit card number has not been stolen. Your card can be stolen, but not the number. Confidentiality is violated.

22 Problems with Security Mechanisms Laws and Customs - is it legal? Might not be legal to retaliate against an attacker. Is it acceptable practice? How many hoops do we have to jump through to authenticate? Is it convenient? Users with security needs are often not aware of vulnerabilities and will not put up with excessive cost and inconvenience.

23 Non-required but Worth a Glance Common vulnerabilities and Exposures http://www.cve.mitre.org/ SANS top 20 vulnerabilities http://www.sans.org/top20/ NIST Computer Security Resource Center http://csrc.nist.gov/

24 What the Government is Doing National Strategy to Secure Cyberspace http://www.whitehouse.gov/pcipb/

25 What you can do Scholarships for IA study designated CAE http://www.c3i.osd.mil/iasp/studentsMain.htm http://cisr.nps.navy.mil/scholarships.html IA at SCU AMTH 387 Cryptology COEN 250 Info Security Management COEN 252 Computer Forensics COEN 253 Secure Systems Development COEN 350 Secure Distributed Systems COEN 351 Internet and E-Commerce Security

Download ppt "Topics in Information Security Prof. JoAnne Holliday Santa Clara University."

Similar presentations

Network Security Chapter 1 - Introduction.

Network Security Chapter 1 - Introduction.
Cryptography and Network Security 2 nd Edition by William Stallings Note: Lecture slides by Lawrie Brown and Henric Johnson, Modified by Andrew Yang.

Cryptography and Network Security 2 nd Edition by William Stallings Note: Lecture slides by Lawrie Brown and Henric Johnson, Modified by Andrew Yang.
NS-H0503-02/11041 Attacks. NS-H0503-02/11042 The Definition Security is a state of well-being of information and infrastructures in which the possibility.

NS-H /11041 Attacks. NS-H /11042 The Definition Security is a state of well-being of information and infrastructures in which the possibility.
Chap 1: Overview Concepts of CIA: confidentiality, integrity, and availability Confidentiality: concealment of information –The need arises from sensitive.

Chap 1: Overview Concepts of CIA: confidentiality, integrity, and availability Confidentiality: concealment of information –The need arises from sensitive.
1 Network Security Ola Flygt Växjö University +46 470 70 86 49.

1 Network Security Ola Flygt Växjö University
E-Commerce Security Issues. General E-Business Security Issues Any E-Business needs to be concerned about network security. The Internet is a “ public.

E-Commerce Security Issues. General E-Business Security Issues Any E-Business needs to be concerned about network security. The Internet is a “ public.
Lecture 1: Overview modified from slides of Lawrie Brown.

Lecture 1: Overview modified from slides of Lawrie Brown.
1 cs691 chow C. Edward Chow Overview of Computer Security CS691 – Chapter 1 of Matt Bishop.

1 cs691 chow C. Edward Chow Overview of Computer Security CS691 – Chapter 1 of Matt Bishop.
EEC 688/788 Secure and Dependable Computing Lecture 2 Wenbing Zhao Department of Electrical and Computer Engineering Cleveland State University

EEC 688/788 Secure and Dependable Computing Lecture 2 Wenbing Zhao Department of Electrical and Computer Engineering Cleveland State University
IT 221: Introduction to Information Security Principles Lecture 1: Introduction to IT Security For Educational Purposes Only Revised: August 28, 2002.

IT 221: Introduction to Information Security Principles Lecture 1: Introduction to IT Security For Educational Purposes Only Revised: August 28, 2002.
1 Overview CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute March 8, 2004.

1 Overview CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute March 8, 2004.
Chapter 1 – Introduction

Chapter 1 – Introduction
19.1 Silberschatz, Galvin and Gagne ©2003 Operating System Concepts with Java Chapter 19: Security The Security Problem Authentication Program Threats.

19.1 Silberschatz, Galvin and Gagne ©2003 Operating System Concepts with Java Chapter 19: Security The Security Problem Authentication Program Threats.
1 Cryptography and Network Security Third Edition by William Stallings Lecturer: Dr. Saleem Al_Zoubi.

1 Cryptography and Network Security Third Edition by William Stallings Lecturer: Dr. Saleem Al_Zoubi.
1 An Overview of Computer Security computer security.

1 An Overview of Computer Security computer security.
Chapter 1: Introduction Components of computer security Threats Policies and mechanisms The role of trust Assurance Operational Issues Human Issues Computer.

Chapter 1: Introduction Components of computer security Threats Policies and mechanisms The role of trust Assurance Operational Issues Human Issues Computer.
Stephen S. Yau CSE465 & CSE591, Fall 2006 1 Information Assurance (IA) & Security Overview Concepts Security principles & strategies Techniques Guidelines,

Stephen S. Yau CSE465 & CSE591, Fall Information Assurance (IA) & Security Overview Concepts Security principles & strategies Techniques Guidelines,
Applied Cryptography for Network Security

Applied Cryptography for Network Security
April 1, 2004ECS 235Slide #1 Chapter 1: Introduction Components of computer security Threats Policies and mechanisms The role of trust Assurance Operational.

April 1, 2004ECS 235Slide #1 Chapter 1: Introduction Components of computer security Threats Policies and mechanisms The role of trust Assurance Operational.
Henric Johnson1 Network Security /. 2 Outline Attacks, services and mechanisms Security attacks Security services Methods of Defense A model for Internetwork.

Henric Johnson1 Network Security /. 2 Outline Attacks, services and mechanisms Security attacks Security services Methods of Defense A model for Internetwork.

Similar presentations

Ads by Google