Published by Damon Conley. Modified over 9 years ago.
1
Introduction to Security
CS432 – Security in Computing
Copyright © 2005, 2009 by Scott Orr and the Trustees of Indiana University
2
Section Overview
- Why Security?
- Terms and Concepts
- Security Threats
- Security Countermeasures
3
References
- Security in Computing, 4th Ed.
- Chapter 1
4
Why Worry about Security?
- Y2K Bug – 1/1/2000
- DDoS Attack of Yahoo, CNN – 2/2000
- Microsoft break-in – 10/2000
- SPAM and Phishing
- Viruses and Worms
- Internet Worm – 11/1988
- Melissa/ILoveYou Viruses – 1999 - 2000
- CodeRed/Nimda/Slammer/Sobig – 2001-2003
- MyDoom, Netsky/Bagel – 2004 - present
- SPAM/Virus Writer Connection
- Terrorist Attacks - 9/11/2001
- Numerous Web Defacements
5
Reported Incidents (figure). Source: CERT
6
Reported Vulnerabilities (figure). Source: CERT
7
Security Lingo
- Exposure
- Vulnerability
- Threat
- Attack
- Countermeasure (or Control)
8
What are we protecting?
Computer System Assets:
- Hardware
- Software
- Data
9
Threats to these Assets
- Interruption
- Interception
- Modification
- Fabrication
10
Goals of Security
- Confidentiality
- Integrity
- Availability
- Accountability?
11
Vulnerabilities to Hardware
- Interception: Theft
- Interruption: Denial of Service (DoS)
- Failures/Accidents
- Sabotage/Vandalism
12
Vulnerabilities to Software
- Interception: Theft
- Interruption: Deleted Programs
- Modification
- Login Bombs
- Program Threats
13
Vulnerabilities to Data
- Interception: Theft
- Interruption: Deletion
- Modification, Fabrication: Integrity
“Principle of Adequate Protection”
14
Other Assets
- Storage Media
- Networks
- Access to resources
- Key People
15
Why me?!?!?!
- You are the Target
- Blackmail
- Revenge
- Espionage
- Target of Opportunity
- Thrill Seeker & Net Cred
- Scams & ID Theft
- Botnet recruitment
- Ideological (“Hacktivists”)
- “MOM”: Means, Opportunity, Motive
16
Threat Pyramid (figure). Tiers: Script Kids, Moderate, Aggressive, Governments. Counts: 1M’s, 10K’s, 1K’s, 100’s.
Source: Tom Perrine, SDSC, Security as Infrastructure
17
Source: CERT (Phishing Exposed)
18
The good, the bad, & the ugly
- White Hats
- Gray Hats
- Black Hats
19
Approaches to Defense
- Prevent – Block attack entirely
- Deter – Make attack harder
- Deflect – Make target less interesting
- Detect – Know attack is occurring/occurred
- Recover – Fix aftermath
20
Cryptography Features
- Non-repudiation
- Integrity
- Confidentiality
- Authorization
- Authentication
21
Other Countermeasures
- Software
- Code within applications
- Operating System
- Stand Alone Security Applications
- Code Standards and Testing
- Hardware
- Physical
- Policies
22
Applying Countermeasures
- Awareness of Problem
- Likelihood of Use
“Principle of Effectiveness”
- Overlapping measures (Layering)
- Periodic Review
“Principle of Weakest Link”
23
How much security?
[Figure labels: Security, Ease of Use]
- Beware of Security through Obscurity
“Principle of Easiest Penetration”
24
Security Design
“The mantra of any good security engineer is: 'Security is not a product, but a process.' It's more than designing strong cryptography into a system; it's designing the entire system such that all security measures, including cryptography, work together.”
Source: Bruce Schneier
25
Role of Security
“Security is like adding brakes to cars. The underlying purpose of brakes is not to stop you: it’s to enable you to go fast! Brakes help avoid accidents caused by mechanical failures in other cars, rude drivers, and road hazards. Better security is an enabler for greater freedom and confidence in the Cyber world.”
Source: Gene Spafford