
Lecture 1 1. Introduction 2. Basic Security Concepts.


1 Lecture 1 1. Introduction 2. Basic Security Concepts

2 What is Cyber Security?
- Highly Technical
- People, processes, and technology
- Legislation and Regulation
- Risk management

3 CSCE 522 - Farkas 3 Lecture 1 Copyright of Information Security Incorporated © 2008–2014

4 Understanding Cyber Security Risk (dreamsmademe.wordpress.com)
Cyber Security Threats
- Mobile Malware
- Virtual currencies
- Stealth attacks by state actors
- Social attack
- New PC and server attacks
- Cloud-based attacks
Source: McAfee Labs 2014 Threats Predictions, 2014

5 Are you still using Microsoft Windows XP?
- April 8, 2014, Microsoft stopped supporting Windows XP
- How many security updates were issued for Windows XP during the 13 years of support?
- Paul Robeson, http://www.youtube.com/watch?v=4EJSkJlh_fg

6 So you think you are safe?
“Millions of Android smartphone and tablet users are vulnerable to the Heartbleed security flaw”
http://www.dailymail.co.uk/news/article-2603817/Own-Android-device-Watch-Heartbleed-Millions-smartphones-tablets-ARE-vulnerable-security-breach.html, April 14, 2014

7 But I am using an Apple…
Security vulnerability was detected and patched in iPhone, iPad, and iPod running iOS 7; laptops and desktop computers running OS X, February 2014
http://www.bbc.com/news/technology-26335701

8 What Can I Do?

9 Class Information
- Class Homepage: https://cse.sc.edu/~farkas/csce522-2014/csce522.htm
- Instructor: Csilla Farkas
- Office: Swearingen 3A43
- Office Hours: M, W, 1:15 pm - 2:45 pm
- E-mail: farkas@cec.sc.edu

10 Text Books
- Charles P. Pfleeger and Shari Lawrence Pfleeger, Security in Computing (5th Edition) (Hardcover), Prentice Hall PTR; ISBN: 9780134085043
- Handouts

11 Course Objective
- Understanding of Information Security
- Industry + Academics
- Managerial + Technical
- Leadership and Communication
- DEFENSE!

12 TENTATIVE SCHEDULE
- Basic security concepts
- Cryptography, Secret Key
- Cryptography, Public Key
- Identification and Authentication, key-distribution centers, Kerberos
- Security Policies -- Discretionary Access Control, Mandatory Access Control
- Access control -- Role-Based, Provisional, and Logic-Based Access Control
- The Inference Problem
- Network and Internet Security, E-mail security, User Safety
- Program Security -- Viruses, Worms, etc.
- Firewalls
- Intrusion Detection, Fault tolerance and recovery
- Information Warfare
- Security Administration, Economic impact of cyber attacks

13 Assignments
- Homework: there will be several homework assignments during the semester. Homework should be individual work! There will be a late submission penalty of 4%/day after the due date. (You can always turn it in early.)
- Exams: three closed-book tests will cover the course material. The final exam is cumulative.
- Group project: TBA

14 Grading
- Test 1: 15%, Test 2: 15%, Final exam: 30%, Homework: 20%, Project: 20%
- Total score that can be achieved: 100
- Final grade: 90 < A, 87 < B+ <= 90, 80 < B <= 87, 75 < C+ <= 80, 65 < C <= 75, 60 < D+ <= 65, 50 < D <= 60, F <= 50
- Graduate students must perform additional assignments to receive full credit.

15 Reading Assignment
- Reading assignments for this class: Pfleeger: Ch 1
- Reading assignments for next class: Pfleeger: Ch 2

16 Security Objectives
- Confidentiality: prevent/detect/deter improper disclosure of information
- Integrity: prevent/detect/deter improper modification of information
- Availability: prevent/detect/deter improper denial of access to services

17 Military Example
- Confidentiality: target coordinates of a missile should not be improperly disclosed
- Integrity: target coordinates of a missile should be correct
- Availability: missile should fire when the proper command is issued

18 Commercial Example
- Confidentiality: patient’s medical information should not be improperly disclosed
- Integrity: patient’s medical information should be correct
- Availability: patient’s medical information can be accessed when needed for treatment

19 Fourth Objective
- Securing computing resources: prevent/detect/deter improper use of computing resources
  - Hardware
  - Software
  - Data
  - Network

20 What is the trade-off between the security objectives?

21 Achieving Security
- Policy: What to protect?
- Mechanism: How to protect?
- Assurance: How good is the protection?

22 Security Policy
- Organizational Policy
- Computerized Information System Policy

23 Why do we need to fit the security policy into the organizational policy?

24 Security Mechanism
- Prevention
- Detection
- Tolerance/Recovery

25 Security by Obscurity
- Hide inner workings of the system
- Bad idea!
- Vendor independent open standard
- Widespread computer knowledge

26 Security by Legislation
- Instruct users how to behave
- Not good enough!
- Important
- Only enhances security
- Targets only some of the security problems

27 Security Tradeoffs
- COST
- Security
- Functionality
- Ease of Use

28 Threat, Vulnerability, Risk
- Threat: potential occurrence that can have an undesired effect on the system
- Vulnerability: characteristic of the system that makes it possible for a threat to potentially occur
- Attack: action of a malicious intruder that exploits vulnerabilities of the system to cause a threat to occur
- Risk: measure of the possibility of security breaches and severity of the damage

29 Distinguish among vulnerability, threat, and control (protection).

30 Types of Threats (1)
- Errors of users
- Natural/man-made/machine disasters
- Dishonest insider
- Disgruntled insider
- Outsiders

31 Types of Threats (2)
- Disclosure threat – dissemination of unauthorized information
- Integrity threat – incorrect modification of information
- Denial of service threat – access to a system resource is blocked

32 Types of Attacks (1)
- Interruption – an asset is destroyed, unavailable or unusable (availability)
- Interception – unauthorized party gains access to an asset (confidentiality)
- Modification – unauthorized party tampers with asset (integrity)
- Fabrication – unauthorized party inserts counterfeit object into the system (authenticity)
- Denial – person denies taking an action (authenticity)

33 Types of Attacks (2)
- Passive attacks:
  - Eavesdropping
  - Monitoring
- Active attacks:
  - Masquerade – one entity pretends to be a different entity
  - Replay – passive capture of information and its retransmission
  - Modification of messages – legitimate message is altered
  - Denial of service – prevents normal use of resources

34 Computer Crime
- Any crime that involves computers or is aided by the use of computers
- U.S. Federal Bureau of Investigation: reports uniform crime statistics

35 Malicious Attacks
- Method: skills, knowledge, tools, information, etc.
- Opportunity: time and access
- Motive: reason to perform the action
How can defense influence these aspects of attacks?

36 Computer Criminals
- Amateurs: regular users, who exploit the vulnerabilities of the computer system
  - Motivation: easy access to vulnerable resources
- Crackers: attempt to access computing facilities for which they do not have the authorization
  - Motivation: enjoy challenge, curiosity
- Career criminals: professionals who understand the computer system and its vulnerabilities
  - Motivation: personal gain (e.g., financial)

37 Methods of Defense
- Prevent: block attack
- Deter: make the attack harder
- Deflect: make other targets more attractive
- Detect: identify misuse
- Tolerate: function under attack
- Recover: restore to correct state

38 Information Security Planning
- Organization Analysis
- Risk management
- Mitigation approaches and their costs
- Security policy
- Implementation and testing
- Security training and awareness

39 Risk Management

40 Risk Assessment
[Figure: RISK, with Threats, Vulnerabilities, Consequences]

41 Risk Assessment
- Business Policy Decision
- Communication between technical and administrative employees
- Internal vs. external resources
- Legal and regulatory requirements
- Developing security capabilities
[Figure: Cost versus Security level (0% to 100%); curves: Security Investment, Cost of Breaches; marked point: Optimal level of security at a minimum cost]

42 Real Cost of Cyber Attack
- Damage to the target may not reflect the real amount of damage
- Services may rely on the attacked service, causing cascading and escalating damage
- Need: support for decision makers to
  - Evaluate risk and consequences of cyber attacks
  - Support methods to prevent, deter, and mitigate consequences of attacks

43 Risk Management Framework (Business Context)
- Understand Business Context
- Identify Business and Technical Risks
- Synthesize and Rank Risks
- Define Risk Mitigation Strategy
- Carry Out Fixes and Validate
- Measurement and Reporting

44 Risk Acceptance
- Certification: how well the system meets the security requirements (technical)
- Accreditation: management’s approval of automated system (administrative)

45 Next Class
- Cryptography: the science and study of secret writing

