Lecture 1 Introduction Basic Security Concepts

Presentation on theme: "Lecture 1 Introduction Basic Security Concepts"— Presentation transcript:

1 Lecture 1 Introduction Basic Security Concepts

2 Class Information
Class Homepage:
Instructor: Csilla Farkas
Office: Swearingen 3A43
Office Hours: M, W 2:30-3:30 pm or electronically any time or by appointment
Lecture 1 CSCE Farkas

3 Text Books
Charles P. Pfleeger and Shari Lawrence Pfleeger, Security in Computing (4th Edition) (Hardcover), Prentice Hall PTR; 4 edition (October 23, 2006), ISBN-10:
Handouts

4 Course Objective
Understanding of Information Security
Industry + Academics
Managerial + Technical
DEFENSE!

5 TENTATIVE SCHEDULE
Week 1 Basic security concepts
Week 2 Cryptography, Secret Key
Week 3 Cryptography, Public Key
Week 4 Identification and Authentication, key-distribution centers, Kerberos
Week 5 Security Policies -- Discretionary Access Control, Mandatory Access Control
Week 6 Access control -- Role-Based, Provisional, and Logic-Based Access Control
Week The Inference Problem
Week 8 EXAM 1 Network and Internet Security, security, User Safety
Week 9 Program Security -- Viruses, Worms, etc.
Week 10 Firewalls
Week 11 Intrusion Detection, Fault tolerance and recovery
Week 12 Information Warfare
Week 13 Security Administration, Economic impact of cyber attacks
Week 14 Presentations
Week 15 Presentations
DECEMBER 13 (Friday), 12:30 PM -- FINAL EXAM

6 Assignments
Research project: there will be a group (2-4 students) research project and the students must present their results to the class in the last two weeks of the semester.
Homework: there will be several homework assignments during the semester. Homework should be individual work! There will be a late submission penalty of 4%/day after the due date. (You can always turn it in early.)
Exams: two closed book tests will cover the course material. Final exam is accumulative.

7 Grading
Test 1: 25%
Test 2: 35%
Homework: 20%
Research project: 20%
Total score that can be achieved: 100
Final grade: 90 < A, 87 < B+ <= 90, 80 < B <= 87, 75 < C+ <= 80, 65 < C <= 75, 60 < D+ <= 65, 50 < D <= 60, F <= 50
Graduate students must perform additional assignments to receive full credit.

8 Reading Assignment
Reading assignments for this class: Pfleeger: Ch 1
Reading assignments for lecture 2: Pfleeger: Ch 2

9 Attack Sophistication vs. Intruder Technical Knowledge
[Figure: Intruder Knowledge and Attack Sophistication (High/Low) plotted against time, 1980-2000, for Tools and Attackers. Copyright: CERT, 2000]
Attacks labelled on the figure: password guessing, self-replicating code, password cracking, exploiting known vulnerabilities, disabling audits, back doors, hijacking sessions, sweepers, sniffers, packet spoofing, GUI, automated probes/scans, denial of service, www attacks, “stealth” / advanced scanning techniques, burglaries, network mgmt. diagnostics, distributed attack tools, cross site scripting, staged attack

10 Security Objectives
Confidentiality: prevent/detect/deter improper disclosure of information
Integrity: prevent/detect/deter improper modification of information
Availability: prevent/detect/deter improper denial of access to services

11 Military Example
Confidentiality: target coordinates of a missile should not be improperly disclosed
Integrity: target coordinates of missile should be correct
Availability: missile should fire when proper command is issued

12 Commercial Example
Confidentiality: patient’s medical information should not be improperly disclosed
Integrity: patient’s medical information should be correct
Availability: patient’s medical information can be accessed when needed for treatment

13 Fourth Objective
Securing computing resources: prevent/detect/deter improper use of computing resources
Hardware
Software
Data
Network

14 What is the trade off between the security objectives?

15 Achieving Security
Policy: What to protect?
Mechanism: How to protect?
Assurance: How good is the protection?

16 Security Policy
Organizational Policy
Computerized Information System

17 Why do we need to fit the security policy into the organizational policy?

18 Security Mechanism
Prevention
Detection
Tolerance/Recovery

19 Security by Obscurity
Hide inner working of the system
Bad idea!
Vendor independent open standard
Widespread computer knowledge

20 Security by Legislation
Instruct users how to behave
Not good enough!
Important
Only enhance security
Targets only some of the security problems

21 Security Tradeoffs
Security
Functionality
Ease of Use
COST

22 Threat, Vulnerability, Risk
Threat: potential occurrence that can have an undesired effect on the system
Vulnerability: characteristics of the system that make it possible for a threat to potentially occur
Attack: action of malicious intruder that exploits vulnerabilities of the system to cause a threat to occur
Risk: measure of the possibility of security breaches and severity of the damage

23 Distinguish among vulnerability, threat, and control (protection).

24 Types of Threats (1)
Errors of users
Natural/man-made/machine disasters
Dishonest insider
Disgruntled insider
Outsiders

25 Types of Threats (2)
Disclosure threat – dissemination of unauthorized information
Integrity threat – incorrect modification of information
Denial of service threat – access to a system resource is blocked

26 Types of Attacks (1)
Interruption – an asset is destroyed, unavailable or unusable (availability)
Interception – unauthorized party gains access to an asset (confidentiality)
Modification – unauthorized party tampers with asset (integrity)
Fabrication – unauthorized party inserts counterfeit object into the system (authenticity)
Denial – person denies taking an action (authenticity)

27 Types of Attacks (2)
Passive attacks:
  Eavesdropping
  Monitoring
Active attacks:
  Masquerade – one entity pretends to be a different entity
  Replay – passive capture of information and its retransmission
  Modification of messages – legitimate message is altered
  Denial of service – prevents normal use of resources

28 Computer Crime
Any crime that involves computers or is aided by the use of computers
U.S. Federal Bureau of Investigation: reports uniform crime statistics

29 Malicious Attacks
Method: skills, knowledge, tools, information, etc.
Opportunity: time and access
Motive: reason to perform the action
How can defense influence these aspects of attacks?

30 Computer Criminals
Amateurs: regular users, who exploit the vulnerabilities of the computer system
  Motivation: easy access to vulnerable resources
Crackers: attempt to access computing facilities for which they do not have the authorization
  Motivation: enjoy challenge, curiosity
Career criminals: professionals who understand the computer system and its vulnerabilities
  Motivation: personal gain (e.g., financial)

31 Methods of Defense
Prevent: block attack
Deter: make the attack harder
Deflect: make other targets more attractive
Detect: identify misuse
Tolerate: function under attack
Recover: restore to correct state

32 Information Security Planning
Organization Analysis
Risk management
Mitigation approaches and their costs
Security policy
Implementation and testing
Security training and awareness

33 Risk Management

34 Risk Assessment
RISK
Threats
Vulnerabilities
Consequences

35 Real Cost of Cyber Attack
Damage of the target may not reflect the real amount of damage
Services may rely on the attacked service, causing a cascading and escalating damage
Need: support for decision makers to
  Evaluate risk and consequences of cyber attacks
  Support methods to prevent, deter, and mitigate consequences of attacks
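
The cascading damage described on slide 35 can be made concrete with a small dependency model. This is an added example, not part of the original lecture; the service names, dependency map and cost figures are constructed, and it assumes a service fails completely whenever anything it depends on is down.

```python
from collections import deque

# Constructed sample data: the services each service depends on.
DEPENDS_ON = {
    "dns": [],
    "auth": ["dns"],
    "email": ["dns", "auth"],
    "patient-records": ["auth"],
    "billing": ["patient-records", "email"],
    "public-website": ["dns"],
}

# Constructed outage cost per service per hour (arbitrary units).
OUTAGE_COST = {
    "dns": 1, "auth": 5, "email": 3,
    "patient-records": 40, "billing": 20, "public-website": 2,
}


def affected_services(target, depends_on):
    """Return the target plus every service that relies on it,
    directly or through a chain of dependencies."""
    # Invert the map: for each service, who depends on it?
    dependents = {svc: [] for svc in depends_on}
    for svc, deps in depends_on.items():
        for dep in deps:
            dependents[dep].append(svc)
    seen = {target}
    queue = deque([target])
    while queue:  # breadth-first walk over dependents
        current = queue.popleft()
        for nxt in dependents[current]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def outage_cost(target, depends_on=DEPENDS_ON, cost=OUTAGE_COST):
    """Return (direct cost of the target, cost including cascading outages)."""
    hit = affected_services(target, depends_on)
    return cost[target], sum(cost[svc] for svc in hit)


if __name__ == "__main__":
    for svc in DEPENDS_ON:
        direct, total = outage_cost(svc)
        print(f"{svc:16} direct={direct:3} with cascade={total:3}")
```

In this constructed data the cheapest service to lose in isolation, dns, is the most expensive once its dependents are counted, which is the gap between target damage and real damage that the slide points to.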

36 Risk Management Framework (Business Context)
Understand Business Context
Identify Business and Technical Risks
Synthesize and Rank Risks
Define Risk Mitigation Strategy
Carry Out Fixes and Validate
Measurement and Reporting

37 Risk Acceptance
Certification: How well the system meets the security requirements (technical)
Accreditation: Management’s approval of automated system (administrative)

38 Next Class
Cryptography: The science and study of secret writing

