Published by Oswin Hensley. Modified over 9 years ago.
1
Copyright © 2008 Pearson Education, Inc. Publishing as Pearson Addison-Wesley
Secure Computing
CMSC 100, Fall 2011
Adapted from slides provided by Marie desJardins
Some slides borrowed from book slides for Computer Science: An Overview by J. Glenn Brookshear
2
Security Issues
Network security (protecting against unwanted intrusions; chap. 4.5)
Software quality assurance (ensuring software does what it is meant to; chap. 5.6, 7.6)
Database integrity (ensuring stored information is maintained correctly; chap. 9.4)
Protecting confidential information (encryption & other methods for access control; chap. 12.6)
Protecting intellectual property (copyrights, patents, trademarks)
3
ISO 27002: Information Security Standard
Key issues for organizations: [quoted from http://www.17799.com/]
– intellectual property rights
– safeguarding of organizational records
– data protection and privacy of personal information
– information security policy document
– information security education and training
– reporting security incidents
– business continuity management
4
NETWORK SECURITY
5
25 Worst Passwords of 2011
1. password
2. 123456
3. 12345678
4. qwerty
5. abc123
6. monkey
7. 1234567
8. letmein
9. trustno1
10. dragon
11. baseball
12. 111111
13. iloveyou
14. master
15. sunshine
16. ashley
17. bailey
18. passw0rd
19. shadow
20. 123123
21. 654321
22. superman
23. qazwsx
24. michael
25. football
Source: SplashData http://mashable.com/2011/11/17/worst-internet-passwords/
6
Source: http://xkcd.com/936/
7
Security
Attacks
– Malware (viruses, worms, Trojan horses, spyware, phishing software)
– Denial of service
– Spam
Protection
– Firewalls
– Spam filters
– Proxy servers
– Antivirus software
8
Malware
Malware: Software designed to get into your computer without your consent/knowledge
Viruses: self-replicating software that travels with a “host” (email attachment, downloaded file)
Effects range from pranks (displaying messages on the user’s screen) to malicious behavior (destroy data on the hard disk)
9
Malware (cont.)
Worms: Like viruses, but spread by copying themselves (rather than being transmitted with a “host” file)
Spyware: Collects information (about user, websites accessed, etc.) surreptitiously
Trojan horses: Apparently non-malicious software that actually provides remote access to the designer/hacker
– downloaded software, executable website content (ActiveX), email attachments
10
Source: http://xkcd.com/350/
11
Prevention: Firewalls
Block unauthorized network access
– Packet filtering
– Port blocking
– Password protection
12
Prevention: Virus Checkers
Most virus checkers rely on a library of known virus “signatures”
– These libraries have to be constantly maintained and updated
– Updated your virus checker lately??
Heuristics can also be used to identify likely new viruses
– False negatives: True viruses go undetected
– False positives: Legitimate software flagged as virus
13
Denial of Service
Attempt to make a computer resource inaccessible to its intended users
– Saturate with access attempts to slow down the computer/connection
– Deliberately cause the resource to enter an error state and reset itself
– Disrupt the physical network or network connection
14
Prevention: Intrusion Detection
Monitor and analyze network traffic
– Look for known patterns of “bad behavior”
– Anomaly detection: Determine when traffic patterns are different than normal patterns
15
Spam
Spam: Defined as unsolicited bulk mail
– Unwanted individual email is (technically) not spam
– Mailing lists are not necessarily spam
– Costs industry and individuals billions of dollars to send, process, detect, and deal with unwanted spam
– Costs spammers close to nothing!
16
Prevention: Spam Filtering
Preprocessors in email programs to identify and discard (or refile) likely spam
– Regular expression matching (hand-designed rules)
– User-specified filters
– AI learning-based techniques (train with tagged “spam” and “ham”)
17
Prevention: Anti-Spam Legislation
CAN-SPAM Act of 2003
– Covers all commercial messages, not just spam
– Header line information must be truthful
– Subject lines must be accurate (reflect the content of the message)
– Commercial messages must be explicitly identified as such
– A valid postal address must be included
– Recipients must be told how to opt out of future mailings
– Such opt out procedures must be honored
July 2009: Five spammers pled guilty, facing fines of up to $1M and 6+ years in prison
18
Phishing
Email (or IM, or text message, or Facebook message) that purports to be from an official organization, used to gather confidential information
– Disguised to look like email from banks, credit card companies, universities, etc.
– Often ask you to update your information or reset your password, or threaten to close your account
– Link text is often different than URL
19
SOFTWARE QUALITY ASSURANCE
20
Software Testing Strategies
Verification – conforms to specifications
Validation – meets requirements
Glass-box testing
– Pareto principle (80% of the errors will come from 20% of the code)
– Basis path testing
Black-box testing
– Boundary value analysis
– Redundancy testing
– Beta testing
21
Software Testing Consequences
Blackberry outage, October 2011 (unconfirmed)
Northeast blackout of 2003
AT&T network outage, January 1990
Therac-25, 1985-7; National Cancer Inst, 2000
Soviet gas pipeline, 1982
Sources:
http://www.wired.com/software/coolapps/news/2005/11/69355
http://en.wikipedia.org/wiki/Northeast_blackout_of_2003
www.guardian.co.uk/technology/2011/oct/14/blackberry-outage-faulty-router-suspected
22
Software Testing Consequences
Buffer Overflow
SQL Injection
Malformed Packet Attack
23
DATABASE INTEGRITY
24
Maintaining Database Integrity
Transaction: A sequence of operations that must all happen together
– Example: transferring money between bank accounts
Transaction log: A non-volatile record of each transaction’s activities, built before the transaction is allowed to execute
– Commit point: The point at which a transaction has been recorded in the log
– Roll-back: The process of undoing a transaction
25
Maintaining database integrity (continued)
Simultaneous access problems
– Incorrect summary problem
– Lost update problem
Locking = preventing others from accessing data being used by a transaction
– Shared lock: used when reading data
– Exclusive lock: used when altering data
26
CRYPTOGRAPHY
27
Encryption
FTPS, HTTPS, SSL
Public-key Encryption
– Public key: Used to encrypt messages
– Private key: Used to decrypt messages
Certificates and Digital Signatures
28
Public-Key Cryptography
Key: A value used to encrypt or decrypt a message
– Public key: Used to encrypt messages
– Private key: Used to decrypt messages
RSA: A popular public key cryptographic algorithm
– Relies on the (presumed) intractability of the problem of factoring large numbers
29
Figure 4.16 Public-key encryption
30
Figure 12.13 Public key cryptography
31
Figure 12.14 Establishing an RSA public key encryption system
32
RSA Scheme
Constructing public & private keys:
– p, q: large random primes (can find efficiently)
– n = pq
  This implies that phi(n) = (p-1)(q-1)
– e: 1 < e < phi(n) AND e and phi(n) are coprime
– d: de = 1 (mod phi(n))
Public key: (n, e)
Private key exponent: d
– p and q are also private
Additional reference: http://www.muppetlabs.com/~breadbox/txt/rsa.html#11
33
RSA Encryption and Decryption
Convert the message to be encrypted into an integer m in the range [0,n]
Encoded message: c = m^e mod n
Decrypted message: m = c^d mod n
34
Encrypting the Message 10111
Recall: n = pq, phi(n) = (p-1)(q-1), 1 < e < phi(n), de = 1 (mod phi(n))
Public keys: n = 91 and e = 5
Message: 10111
10111 (base 2) = 23 (base 10)
23^e = 23^5 = 6,436,343
6,436,343 ÷ 91 has a remainder of 4
4 (base 10) = 100 (base 2)
Thus, encrypted version of 10111 is 100.
Additional example: http://www.muppetlabs.com/~breadbox/txt/rsa.html#12
35
Decrypting the Message 100
Decrypting keys: d = 29, n = 91
100 (base 2) = 4 (base 10)
4^d = 4^29 = 288,230,376,151,711,744
288,230,376,151,711,744 ÷ 91 has a remainder of 23
23 (base 10) = 10111 (base 2)
Therefore, decrypted version of 100 is 10111.
36
Properties of RSA
Public key can be made freely available – does not need to be kept secret
RSA can only be “broken” in one of three ways:
– Get the private key
– Factor the very large number, n (typically 1024-2048 bits) – computationally too hard
– Solve the RSA problem (invert exponentiation and modulus) – also too hard
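The RSA slides above, worked through in code as an added example that is not part of the original slides. It builds the key pair behind the slides' numbers (n = 91, e = 5, d = 29), repeats the 10111 / 100 encryption and decryption, and shows why the size of n matters: with a toy modulus, factoring n gives back the private exponent. The primes p = 7 and q = 13 are the factors of the slides' n = 91; all function names are assumptions made for illustration.

```python
from math import gcd

def egcd(a, b):
    """Extended Euclid: returns (g, x, y) with a*x + b*y == g == gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x, y = egcd(b, a % b)
    return g, y, x - (a // b) * y

def make_keys(p, q, e):
    """Return ((n, e), d) following the slide: n = pq, de = 1 (mod phi(n))."""
    n, phi = p * q, (p - 1) * (q - 1)
    if not 1 < e < phi or gcd(e, phi) != 1:
        raise ValueError("need 1 < e < phi(n) with e and phi(n) coprime")
    d = egcd(e, phi)[1] % phi          # modular inverse of e
    return (n, e), d

def encrypt_bits(bits, public):
    """c = m^e mod n, with message and result written as binary strings."""
    n, e = public
    m = int(bits, 2)
    if m >= n:
        raise ValueError("message must be below n to decrypt unchanged")
    return format(pow(m, e, n), "b")

def decrypt_bits(bits, n, d):
    """m = c^d mod n."""
    return format(pow(int(bits, 2), d, n), "b")

def recover_d_by_factoring(public):
    """Trial division on n. Works only because this n is tiny; it is the
    step that is computationally too hard for 1024-2048 bit moduli."""
    n, e = public
    p = next(k for k in range(2, n) if n % k == 0)
    return make_keys(p, n // p, e)[1]

if __name__ == "__main__":
    public, d = make_keys(7, 13, 5)
    c = encrypt_bits("10111", public)
    print(public, d, c, decrypt_bits(c, public[0], d))
    print("d recovered from the public key alone:", recover_d_by_factoring(public))
```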
37
INTELLECTUAL PROPERTY
38
Software Ownership
Copyright
– The “substantial similarity” test
– Filtration criteria: what is not copyrightable
  Features covered by standards
  Characteristics dictated by software purpose
  Components in the public domain
– The “look and feel” argument
39
Software Ownership (continued)
Patents
– “Natural laws” are traditionally not patentable
Trade secrets
– Non-disclosure agreements are legally enforceable
In general, laws haven’t kept up with technology...