Presentation is loading. Please wait.

Presentation is loading. Please wait.

I NTRODUCTION TO C OMPUTER S ECURITY Dr. Shahriar Bijani Shahed University.

Published byBrian Evans Modified over 9 years ago

Similar presentations

Presentation on theme: "I NTRODUCTION TO C OMPUTER S ECURITY Dr. Shahriar Bijani Shahed University."— Presentation transcript:

1 I NTRODUCTION TO C OMPUTER S ECURITY Dr. Shahriar Bijani Shahed University

2 S LIDE R EFERENCES Matt Bishop, Computer Security: Art and Science, the author homepage, 2004. Michael E. Whitman, Principles of Information Security: Chapter 1: Introduction to Information Security, 4/e, 2011. Chris Clifton, CS 526: Information Security course, Purdue university, 2010. Patrick Traynor, CS 8803 - Cellular and Mobile Network Security, Georgia Tec, 2012. 2

3 W HAT IS S ECURITY ? Security /s ɪˈ kj ʊ ə r ɪ ti/ noun the state of being free from danger or threat. synonyms:certainty, safe future, assured future, safety, reliability, dependability, solidness, soundness 3

4 W HAT IS S ECURITY ? A successful organization should have multiple layers of security in place: Physical security : to protect the physical items, objects, or areas of an organization from unauthorized access and misuse. Personal security : to protect the (group of) authorized individual. Operations security : to protect the details of a particular operation or series of activities. Communications security : to protect an organization’s communications media, technology, and content. Network security : to protect networking components, connections, and contents. Information security 4

5 B ASIC C OMPONENTS 5 An Information System is secure if it supports CIA: C onfidentiality Keeping data and resources hidden I ntegrity Data integrity (integrity) Origin integrity (authentication) A vailability Enabling access to data and resources The CIA triangle

6 T HE H ISTORY OF I NFORMATION S ECURITY Began immediately following development first mainframes Developed for code-breaking computations During World War II Multiple levels of security were implemented Physical controls Elementary Mainly composed of simple document classification Defending against physical theft, espionage, and sabotage

7 T HE 1960 S Original communication by mailing tapes Advanced Research Project Agency (ARPA) Examined feasibility of networked communications Larry Roberts developed ARPANET Plan Link computers Resource sharing Link 17 Computer Research Centers Cost 3.4M $ ARPANET is predecessor to the Internet

8 T HE 1970 S AND 80 S ARPANET grew in popularity Potential for misuse grew Fundamental problems with ARPANET security Individual remote sites were not secure from unauthorized users Vulnerability of password structure and formats No safety procedures for dial-up connections to ARPANET Non-existent user identification and authorization to system

9 T HE 1970 S AND 80 S ‏ … Rand Report R-609 Paper that started the study of computer security Information Security as we know it began ‏ Scope of computer security grew from physical security to include: Safety of data Limiting unauthorized access to data Involvement of personnel from multiple levels of an organization

10 MULTICS Early focus of computer security research System called Multiplexed Information and Computing Service (MULTICS) ‏ First operating system created with security as its primary goal Mainframe, time-sharing OS developed in mid- 1960s GE, Bell Labs, and MIX ‏ Several MULTICS key players created UNIX Late 1970s Microprocessor expanded computing capabilities Mainframe presence reduced Expanded security threats

11 T HE 1990 S Networks of computers became more common Need to interconnect networks grew Internet became first demonstration of a global network of networks Initially based on de-facto standards In early Internet deployments, security was treated as a low priority

12 2000 TO P RESENT Millions of computer networks communicate Many of the communication unsecured Ability to secure a computer’s data influenced by the security of every computer to which it is connected Growing threat of cyber attacks has increased the need for improved security

13 C HALLENGES OF COMPUTER SECURITY 1. Computer security is not simple 2. One must consider potential (unexpected) attacks 3. Must decide where to deploy mechanisms 4. Involve algorithms and secret info (keys) 5. A battle between attacker / admin 6. It is not perceived on benefit until fails 7. Requires constant monitoring 8. Too often incorporated after the design is complete (not integral) 9. Regarded as a barrier to using system

14 K EY I NFORMATION S ECURITY C ONCEPTS Access Adversary Asset Attack Control, Safeguard, or Countermeasure Exploit Exposure Hack Loss Nonrepudiation Subjects / Objects Risk Threat Vulnerability 14

15 R ELATIONSHIPS OF S ECURITY C ONCEPTS

16 K EY I NFORMATION S ECURITY C ONCEPTS Computer can be subject or object of an attack When the subject of an attack An active tool to conduct attack When the object of an attack An entity being attacked Source: Principles of Information Security, 4th Edition 16

17 I NFORMATION S ECURITY VS. A CCESS Perfect security is impossible Security is a process Security should be considered balance between protection and availability Must allow reasonable access, yet protect against threats 17

18 18 Source: Principles of Information Security, 4th Edition I NFORMATION S ECURITY VS. A CCESS

19 V ULNERABILITIES 19 Principles of Information Security, 4/e

20 T HREATS A threat is a potential violation of security. 20

21 C LASSES OF T HREATS Interruption (Disruption) interruption or prevention of correct operation DOS attack: Denial of Service Interception / Disclosure Unauthorized access to information Snooping: the unauthorized interception of information Modification An unauthorized party not only gains access to but modify an asset. Masquerading or spoofing: an impersonation of one entity by another. Fabrication An unauthorized party inserts fake objects into the system. 21

22 C LASSES OF T HREATS 22

23 S OME T HREAT C ATEGORIES

24 E XAMPLES OF THREATS

25 A DVERSARY An adversary is anyone attempting to bypass the security infrastructure. The curious and generally inexperienced (e.g., script- kiddies) Unintended attackers seeing to understand systems Malicious and terrorist groups Competitors (industrial espionage) Governments 25

26 A TTACK An attack occurs when someone attempts to exploit a vulnerability Type of attacks Passive (e.g., eavesdropping) Active (e.g., password guessing, DoS) A compromise occurs when an attack is successful 26

27 T RUST Trust The degree to which an entity is expected to behave. Trust is a particular level of the subjective probability with which an agent assesses that another agent will perform a particular action in a context that affects his actions [Gambetta, 1990] Reputation Expectation about an entity’s behavior based on past behavior [Abdul-Rahman, 2000] May be used to determine trust 27

28 T RUST M ANAGEMENT Trust Management as a countermeasure: Trust relationships between peers help establish confidence Two types of trust management systems Credential and Policy-based Reputation-based 28

29 S ECURITY M ODEL A security model is the combination of a trust and threat models that address the: set of perceived risks The “security requirements” used to develop some cogent and comprehensive design Every design must have security model LAN network or global information system? Java applet or operating system? The single biggest mistake seen in use of security is the lack of a coherent security model It is very hard to retrofit security (design time) This class is going to talk a lot about security models What are the security concerns (risks)? Threats? Who are our adversaries? Who do we trust and to do what? Systems must be explicit about these things to be secure 29

30 P OLICIES AND M ECHANISMS Policy says what is, and is not, allowed This defines “security” for the site/system/ etc. Mechanisms enforce policies Composition of policies If policies conflict, inconsistencies may create security vulnerabilities 30

31 T RUST AND A SSUMPTIONS Underlie all aspects of security Policies Unambiguously partition system states Correctly capture security requirements Mechanisms Assumed to enforce policy Support mechanisms work correctly 31

32 G OALS OF S ECURITY Prevention( پیشگیری ) Prevent attackers from violating security policy Detection ( تشخیص ) Detect attackers’ violation of security policy Recovery ( ترمیم ) Stop attack, assess and repair damage Continue to function correctly even if attack succeeds 32

Download ppt "I NTRODUCTION TO C OMPUTER S ECURITY Dr. Shahriar Bijani Shahed University."

Similar presentations

Network Security Chapter 1 - Introduction.

Network Security Chapter 1 - Introduction.
Cryptography and Network Security 2 nd Edition by William Stallings Note: Lecture slides by Lawrie Brown and Henric Johnson, Modified by Andrew Yang.

Cryptography and Network Security 2 nd Edition by William Stallings Note: Lecture slides by Lawrie Brown and Henric Johnson, Modified by Andrew Yang.
September 10, 2012Introduction to Computer Security ©2004 Matt Bishop Slide #1-1 Chapter 1: Introduction Components of computer security Threats Policies.

September 10, 2012Introduction to Computer Security ©2004 Matt Bishop Slide #1-1 Chapter 1: Introduction Components of computer security Threats Policies.
1 Computer Security Instructor: Dr. Bo Sun. 2 Course Objectives Understand basic issues, concepts, principles, and mechanisms in computer network security.

1 Computer Security Instructor: Dr. Bo Sun. 2 Course Objectives Understand basic issues, concepts, principles, and mechanisms in computer network security.
Principles of Information Security, Fourth Edition

Principles of Information Security, Fourth Edition
Chap 1: Overview Concepts of CIA: confidentiality, integrity, and availability Confidentiality: concealment of information –The need arises from sensitive.

Chap 1: Overview Concepts of CIA: confidentiality, integrity, and availability Confidentiality: concealment of information –The need arises from sensitive.
Lecture 1: Overview modified from slides of Lawrie Brown.

Lecture 1: Overview modified from slides of Lawrie Brown.
EEC 688/788 Secure and Dependable Computing Lecture 2 Wenbing Zhao Department of Electrical and Computer Engineering Cleveland State University

EEC 688/788 Secure and Dependable Computing Lecture 2 Wenbing Zhao Department of Electrical and Computer Engineering Cleveland State University
1 Overview CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute March 8, 2004.

1 Overview CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute March 8, 2004.
Chapter 1 – Introduction

Chapter 1 – Introduction
CSA 223 network and web security Chapter one

CSA 223 network and web security Chapter one
1 Cryptography and Network Security Third Edition by William Stallings Lecturer: Dr. Saleem Al_Zoubi.

1 Cryptography and Network Security Third Edition by William Stallings Lecturer: Dr. Saleem Al_Zoubi.
1 An Overview of Computer Security computer security.

1 An Overview of Computer Security computer security.
Learning Objectives Upon completion of this material, you should be able to:

Learning Objectives Upon completion of this material, you should be able to:
Introduction to Information Security Chapter 1

Introduction to Information Security Chapter 1
Chapter 1: Introduction Components of computer security Threats Policies and mechanisms The role of trust Assurance Operational Issues Human Issues Computer.

Chapter 1: Introduction Components of computer security Threats Policies and mechanisms The role of trust Assurance Operational Issues Human Issues Computer.
Introduction to Information Security

Introduction to Information Security
July 1, 2004Computer Security: Art and Science ©2002-2004 Matt Bishop Slide #1-1 Chapter 1: Introduction Components of computer security Threats Policies.

July 1, 2004Computer Security: Art and Science © Matt Bishop Slide #1-1 Chapter 1: Introduction Components of computer security Threats Policies.
Applied Cryptography for Network Security

Applied Cryptography for Network Security
April 1, 2004ECS 235Slide #1 Chapter 1: Introduction Components of computer security Threats Policies and mechanisms The role of trust Assurance Operational.

April 1, 2004ECS 235Slide #1 Chapter 1: Introduction Components of computer security Threats Policies and mechanisms The role of trust Assurance Operational.

Similar presentations

Ads by Google