
Introduction to Security CS432 – Security in Computing Copyright © 2005, 2009 by Scott Orr and the Trustees of Indiana University.


1 Introduction to Security CS432 – Security in Computing Copyright © 2005, 2009 by Scott Orr and the Trustees of Indiana University

2 Section Overview
- Why Security?
- Terms and Concepts
- Security Threats
- Security Countermeasures

3 References
- Security in Computing, 4th Ed.
- Chapter 1

4 Why Worry about Security?
- Y2K Bug – 1/1/2000
- DDoS Attack of Yahoo, CNN – 2/2000
- Microsoft break-in – 10/2000
- SPAM and Phishing
- Viruses and Worms
- Internet Worm – 11/1988
- Melissa/ILoveYou Viruses – 1999 - 2000
- CodeRed/Nimda/Slammer/Sobig – 2001-2003
- MyDoom, Netsky/Bagel – 2004 - present
- SPAM/Virus Writer Connection
- Terrorist Attacks - 9/11/2001
- Numerous Web Defacements

5 Reported Incidents (Source: CERT)

6 Reported Vulnerabilities (Source: CERT)

7 Security Lingo
- Exposure
- Vulnerability
- Threat
- Attack
- Countermeasure (or Control)

8 What are we protecting?
Computer System Assets:
- Hardware
- Software
- Data

9 Threats to these Assets
- Interruption
- Interception
- Modification
- Fabrication

10 Goals of Security
- Confidentiality
- Integrity
- Availability
- Accountability?

11 Vulnerabilities to Hardware
- Interception: Theft
- Interruption: Denial of Service (DoS)
- Failures/Accidents
- Sabotage/Vandalism

12 Vulnerabilities to Software
- Interception: Theft
- Interruption: Deleted Programs
- Modification
- Login Bombs
- Program Threats

13 Vulnerabilities to Data
- Interception: Theft
- Interruption: Deletion
- Modification, Fabrication: Integrity
- “Principle of Adequate Protection”

14 Other Assets
- Storage Media
- Networks
- Access to resources
- Key People

15 Why me?!?!?!
- You are the Target
- Blackmail
- Revenge
- Espionage
- Target of Opportunity
- Thrill Seeker & Net Cred
- Scams & ID Theft
- Botnet recruitment
- Ideological (“Hacktivists”)
- “MOM”: Means, Opportunity, Motive

16 Threat Pyramid
- Script Kids: 1M’s
- Moderate: 10K’s
- Aggressive: 1K’s
- Governments: 100’s
Source: Tom Perrine, SDSC Security as Infrastructure

17 Source: CERT (Phishing Exposed)

18 The good, the bad, & the ugly
- White Hats
- Gray Hats
- Black Hats

19 Approaches to Defense
- Prevent – Block attack entirely
- Deter – Make attack harder
- Deflect – Make target less interesting
- Detect – Know attack is occurring/occurred
- Recover – Fix aftermath

20 Cryptography Features
- Non-repudiation
- Integrity
- Confidentiality
- Authorization
- Authentication

21 Other Countermeasures
- Software
- Code within applications
- Operating System
- Stand Alone Security Applications
- Code Standards and Testing
- Hardware
- Physical
- Policies

22 Applying Countermeasures
- Awareness of Problem
- Likelihood of Use
- “Principle of Effectiveness”
- Overlapping measures (Layering)
- Periodic Review
- “Principle of Weakest Link”

23 How much security?
- Security
- Ease of Use
- Beware of Security through Obscurity
- “Principle of Easiest Penetration”

24 Security Design
“The mantra of any good security engineer is: 'Security is not a product, but a process.' It's more than designing strong cryptography into a system; it's designing the entire system such that all security measures, including cryptography, work together.”
Source: Bruce Schneier

25 Role of Security “Security is like adding brakes to cars. The underlying purpose of brakes is not to stop you: it’s to enable you to go fast! Brakes help avoid accidents caused by mechanical failures in other cars, rude drivers, and road hazards. Better security is an enabler for greater freedom and confidence in the Cyber world.” Source: Gene Spafford

