Presentation is loading. Please wait.

Presentation is loading. Please wait.

Lecture 1 Page 1 CS 236 Online Introduction to Computer Security Why do we need computer security? What are our goals and what threatens them?

Published byShawn Ross Modified over 9 years ago

Similar presentations

Presentation on theme: "Lecture 1 Page 1 CS 236 Online Introduction to Computer Security Why do we need computer security? What are our goals and what threatens them?"— Presentation transcript:

1 Lecture 1 Page 1 CS 236 Online Introduction to Computer Security Why do we need computer security? What are our goals and what threatens them?

2 Lecture 1 Page 2 CS 236 Online Why Is Security Necessary? Because people aren’t always nice Because a lot of money is handled by computers Because a lot of important information is handled by computers Because our society is increasingly dependent on correct operation of computers

3 Lecture 1 Page 3 CS 236 Online History of the Security Problem In the beginning, there was no computer security problem Later, there was a problem, but nobody cared Now, there’s a big problem and people care –Only a matter of time before a real disaster –At least one company went out of business due to a DDoS attack –Identity theft and phishing claim vast number of victims –Stuxnet seriously damaged Iran’s nuclear capability –Video showed cyberattack causing an electric transformer to fail –There’s an underground business in cyber thievery –Increased industry spending on cybersecurity

4 Lecture 1 Page 4 CS 236 Online Some Examples of Large Scale Security Problems Modern malicious code attacks Distributed denial of service attacks Vulnerabilities in commonly used systems

5 Lecture 1 Page 5 CS 236 Online Malicious Code Attacks Multiple new viruses, worms, botnets, and Trojan horses appear every week Recent estimate of $10 billion annual damages from botnets Stuxnet worm targeted at nuclear facilities –Unspecified amounts of damage done to Iran’s nuclear program IM and smartphone attacks are popular

6 Lecture 1 Page 6 CS 236 Online Distributed Denial of Service Attacks Use large number of compromised machines to attack one target –By exploiting vulnerabilities –Or just generating lots of traffic Very common today A favored tool for hacktivists –Recent large DDoS attacks on Ello and others In general form, an extremely hard problem

7 Lecture 1 Page 7 CS 236 Online Vulnerabilities in Commonly Used Systems 802.11 WEP is fatally flawed Recently, critical vulnerabilities in Intel processor microcode, Linksys routers Many popular applications have vulnerabilities –Recent vulnerabilities in Android WebView, Android OS, Internet Explorer, HP backup software, Microsoft Office, Adobe Flash, Apache Tomcat, etc. Many security systems have vulnerabilities –Gnu TLS, Apple iOS SSL, and Symantec Endpoint Protection recently

8 Lecture 1 Page 8 CS 236 Online Electronic Commerce Attacks As Willie Sutton said when asked why he robbed banks, –“Because that’s where the money is” Increasingly, the money is on the Internet Criminals have followed Common problems: –Credit card number theft (often via phishing) –Identity theft (phishing, again, is a common method) –Loss of valuable data from laptop theft –Manipulation of e-commerce sites –Extortion via DDoS attacks or threatened release of confidential data 2010’s Sony data breach estimated to cost the company $170 million

9 Lecture 1 Page 9 CS 236 Online Another Form of Cyberattack Click fraud Based on popular pay-per-click model of Internet advertising Two common forms: –Rivals make you pay for “false clicks” –Profit sharers “steal” or generator bogus clicks to drive up profits

10 Lecture 1 Page 10 CS 236 Online Some Recent Statistics Bit9 survey in 2013 reports 47% of surveyed organizations knew they’d suffered a cyberattack –But 52% doubted their ability to detect attacks –13% didn’t even know if they’d been attacked 2013 Verizon report said that 66% of breaches took months to years to discover –And 69% of breaches were not discovered by the compromised organization itself Ponemon Institute 2014 survey showed 94% of healthcare organizations lost data in past two years

11 Lecture 1 Page 11 CS 236 Online Cyberwarfare Nation states have developed capabilities to use computer networks for such purposes DDoS attacks on Estonia and Georgia –Probably just hackers Some regard Stuxnet as real cyberwarfare –Pretty clear it was done by US Continuous cyberspying by many nations Vulnerabilities of critical infrastructure –The smart grid will only increase the danger

12 Lecture 1 Page 12 CS 236 Online Something Else to Worry About Are some of the attempts to deal with cybersecurity damaging liberty? Does data mining for terrorists and criminals pose a threat to ordinary people? –The NSA is looking at a lot of stuff... –And they aren’t the only ones Can I trust Facebook/Google/MySpace/Twitter/whoever with my private information? Are we in danger of losing all privacy?

13 Lecture 1 Page 13 CS 236 Online Why Aren’t All Computer Systems Secure? Partly due to hard technical problems But also due to cost/benefit issues Security costs Security usually only pays off when there’s trouble Many users perceive no personal threat to themselves –“I don’t have anything valuable on my computer” –“I don’t have any secrets and I don’t care what the government/Google/my neighbor knows about me” Ignorance also plays a role –Increasing numbers of users are unsophisticated –Important that computer security professionals don’t regard this ignorance as a character flaw –It’s a fact of life we must deal with

14 Lecture 1 Page 14 CS 236 Online Computer Security and History Much of our computer infrastructure is constrained by legacy issues –Core Internet design –Popular programming languages –Commercial operating systems All developed before security was a concern –Generally with little or no attention to security

15 Lecture 1 Page 15 CS 236 Online Retrofitting Security Since security not built into these systems, we try to add it later Retrofitting security is known to be a bad idea Much easier to design in from beginning Patching security problems has a pretty dismal history

16 Lecture 1 Page 16 CS 236 Online Problems With Patching Usually done under pressure –So generally quick and dirty Tends to deal with obvious and immediate problem –Not with underlying cause Hard (sometimes impossible) to get patch to everyone Since it’s not organic security, patches sometimes introduce new security problems

17 Lecture 1 Page 17 CS 236 Online Speed Is Increasingly Killing Us Attacks are developed more quickly –Often easier to adapt attack than defense Malware spreads faster –Slammer got 75,000 nodes in 30 minutes More attackers generating more attacks –US DoD computers targeted at least 43,000 times in first half of 2009 –US military doctrine says cyber attack could be an act of war

18 Lecture 1 Page 18 CS 236 Online Some Important Definitions Security Protection Vulnerabilities Exploits Trust

19 Lecture 1 Page 19 CS 236 Online Security and Protection Security is a policy –E.g., “no unauthorized user may access this file” Protection is a mechanism –E.g., “the system checks user identity against access permissions” Protection mechanisms implement security policies

20 Lecture 1 Page 20 CS 236 Online Vulnerabilities and Exploits A vulnerability is a weakness that can allow an attacker to cause problems –Not all vulnerabilities can cause all problems –Most vulnerabilities are never exploited An exploit is an actual incident of taking advantage of a vulnerability –Allowing attacker to do something bad on some particular machine –Term also refers to the code or methodology used to take advantage of a vulnerability

21 Lecture 1 Page 21 CS 236 Online Trust An extremely important security concept You do certain things for those you trust You don’t do them for those you don’t Seems simple, but...

22 Lecture 1 Page 22 CS 236 Online Problems With Trust How do you express trust? Why do you trust something? How can you be sure who you’re dealing with? What if trust is situational? What if trust changes?

23 Lecture 1 Page 23 CS 236 Online Trust Is Not a Theoretical Issue Most vulnerabilities that are actually exploited are based on trust problems Attackers exploit overly trusting elements of the computer –From the access control model to the actual human user Taking advantage of misplaced trust Such a ubiquitous problem that some aren’t aware of its existence

24 Lecture 1 Page 24 CS 236 Online Transitive Trust I trust AliceAlice trusts Bob David trusts Carol Bob trusts David So do I trust Carol? Should I?

25 Lecture 1 Page 25 CS 236 Online Examples of Transitive Trust Trust systems in peer applications Chains of certificates But also less obvious things –Like a web server that calls a database –The database perhaps trusts the web server –But does the database necessarily trust the user who invoked the server? –Even if the web server trusts the user Programs that call programs that call programs are important cases of transitive trust

Download ppt "Lecture 1 Page 1 CS 236 Online Introduction to Computer Security Why do we need computer security? What are our goals and what threatens them?"

Similar presentations

Chapter 1 We’ve Got Problems…. Four Horsemen  … of the electronic apocalypse  Spam --- unsolicited bulk email o Over 70% of email traffic  Bugs ---

Chapter 1 We’ve Got Problems…. Four Horsemen  … of the electronic apocalypse  Spam --- unsolicited bulk o Over 70% of traffic  Bugs ---
Security and Trust in E- Commerce. The E-commerce Security Environment: The Scope of the Problem  Overall size of cybercrime unclear; amount of losses.

Security and Trust in E- Commerce. The E-commerce Security Environment: The Scope of the Problem  Overall size of cybercrime unclear; amount of losses.
Viruses,Hacking and Backups By Grace Mackay 8K Viruses Hacking and Hackers Backups.

Viruses,Hacking and Backups By Grace Mackay 8K Viruses Hacking and Hackers Backups.
The development of Internet A cow was lost in Jan 14th 2003. If you know where it is, please contact with me. My QQ number is 87881405. QQ is one of the.

The development of Internet A cow was lost in Jan 14th If you know where it is, please contact with me. My QQ number is QQ is one of the.
HALDEBIQUE Geoffroy ROYER Johan  Crime motivated attacks  Hacktivism  Cyber Warfare.

HALDEBIQUE Geoffroy ROYER Johan  Crime motivated attacks  Hacktivism  Cyber Warfare.
AVG- Protecting those who are vulnerable.  Free Anti-Virus Software ◦ J.R. Smith President of AVG oversees a lineup of antivirus products used by 110.

AVG- Protecting those who are vulnerable.  Free Anti-Virus Software ◦ J.R. Smith President of AVG oversees a lineup of antivirus products used by 110.
Computer and Internet Crimes By: Tracey Ross & Tommy Brown.

Computer and Internet Crimes By: Tracey Ross & Tommy Brown.
The Ecommerce Security Environment For most law-abiding citizens, the internet holds the promise of a global marketplace, providing access to people and.

The Ecommerce Security Environment For most law-abiding citizens, the internet holds the promise of a global marketplace, providing access to people and.
Lecture 2 Page 1 CS 236, Spring 2008 Security Principles and Policies CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Spring, 2008.

Lecture 2 Page 1 CS 236, Spring 2008 Security Principles and Policies CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Spring, 2008.
Lecture 1 Page 1 CS 236, Spring 2008 Introduction to Computer Security Why do we need computer security? What are our goals and what threatens them?

Lecture 1 Page 1 CS 236, Spring 2008 Introduction to Computer Security Why do we need computer security? What are our goals and what threatens them?
Assessing the Threat How much money is lost due to cyber crimes? –Estimates range from $100 million to $100s billions –Why the discrepancy? Companies don’t.

Assessing the Threat How much money is lost due to cyber crimes? –Estimates range from $100 million to $100s billions –Why the discrepancy? Companies don’t.
Lecture 16 Page 1 CS 236 Online Cross-Site Scripting XSS Many sites allow users to upload information –Blogs, photo sharing, Facebook, etc. –Which gets.

Lecture 16 Page 1 CS 236 Online Cross-Site Scripting XSS Many sites allow users to upload information –Blogs, photo sharing, Facebook, etc. –Which gets.
Citadel Security Software Presents Are you Vulnerable? Bill Diamond Senior Security Engineer

Citadel Security Software Presents Are you Vulnerable? Bill Diamond Senior Security Engineer
Lecture 11 Electronic Business (MGT-485). Recap – Lecture 10 Transaction costs Network Externalities Switching costs Critical mass of customers Pricing.

Lecture 11 Electronic Business (MGT-485). Recap – Lecture 10 Transaction costs Network Externalities Switching costs Critical mass of customers Pricing.
Internet Safety CSA 105 1.0 September 21, 2010. Internet Threats Malware (viruses) Spyware Spam Hackers Cyber-criminals.

Internet Safety CSA September 21, Internet Threats Malware (viruses) Spyware Spam Hackers Cyber-criminals.
Viruses & Security Threats Unit 1 – Understanding Computer Systems JMW 2012.

Viruses & Security Threats Unit 1 – Understanding Computer Systems JMW 2012.
Cyber crime on the rise. Recent cyber attacks How it happens? Distributed denial of service Whaling Rootkits Keyloggers Trojan horses Botnets Worms Viruses.

Cyber crime on the rise. Recent cyber attacks How it happens? Distributed denial of service Whaling Rootkits Keyloggers Trojan horses Botnets Worms Viruses.
Cyber Crime & Security Raghunath M D BSNL Mobile Services,

Cyber Crime & Security Raghunath M D BSNL Mobile Services,
Lecture 18 Page 1 CS 111 Online Design Principles for Secure Systems Economy Complete mediation Open design Separation of privileges Least privilege Least.

Lecture 18 Page 1 CS 111 Online Design Principles for Secure Systems Economy Complete mediation Open design Separation of privileges Least privilege Least.
Malicious Code Brian E. Brzezicki. Malicious Code (from Chapter 13 and 11)

Malicious Code Brian E. Brzezicki. Malicious Code (from Chapter 13 and 11)

Similar presentations

Ads by Google