CSC 382582 Computer Security Introduction CSC 382582 Computer
- Slides: 31
CSC 382/582: Computer Security Introduction CSC 382/582: Computer Security 1
About Me http: //www. nku. edu/~waldenj 1 James Walden – Assistant Professor of Computer Science – waldenj@nku. edu – Interests: • • Software Security Programming Languages Software Engineering Network Security CSC 382/582: Computer Security 2
Course Administration • Web Site – Notes, readings, and assignments on web site. • Assignment submission – Send electronic submissions to waldenj@nku. edu • Contact Information – Email: waldenj@nku. edu – Phone: (859) 572 -5571 CSC 382/582: Computer Security 3
Course Goals 1. What is computer security? 2. How do computer systems fail? 3. How can the risks to a system be evaluated? 4. How well does a particular security solution mitigate the risks to a system? 5. How can the costs and trade-offs of a security solution be balanced? 6. What are the essential problems and solutions of network security? 7. How do viruses and worms propagate and how can they be stopped? 8. How can intrusions be detected and investigated to determine the nature of the attackand the attacker? 9. What are the ethical impacts of security technologies? CSC 382/582: Computer Security 4
Grading CSC 382 CSC 582 Midterm Exam 30% Midterm Exam 25% Final Exam 40% Assignments 30% Final Exam Assignments Research Paper 35% 30% 10% CSC 382/582: Computer Security 5
Topics A first look at four important questions: – What is security? – How do we evaluate risks of various threats? – How does security mitigate these risks? – How do we balance the costs and trade-offs of our security solutions? CSC 382/582: Computer Security 6
9/11 Most devastating terrorist attack in history. – Low-tech. – Innovative. • Completely different than earlier hijackings. • We thought we had solved airplane bombings by ensuring passengers were on same flight as baggage. – What were the security responses? • How effective were the responses? • What were the costs? CSC 382/582: Computer Security 7
What is Security? Security is the prevention of certain types of intentional actions from occuring in a system. – These potential actions are threats. – Threats that are carried out are attacks. – Intentional attacks are carried out by an attacker. – Objects of attacks are assets. CSC 382/582: Computer Security 8
Safety vs Security Adversary: An intelligent attacker who intentionally causes the system to fail. Safety • Home: fire alarm. • Car: crumple zones. • Computer: UPS. Security • Home: door lock. • Car: alarm. • Computer: Login password. Safety and security can interact: Who is watching your computer room after the fire alarm was pulled? CSC 382/582: Computer Security 9
Goals of Security • Prevention – Prevent attackers from violating security policy • Detection – Detect attackers’ violation of security policy • Recovery – Stop attack, assess and repair damage • Survivability – Continue to function correctly even if attack succeeds CSC 382/582: Computer Security 10
NSTISSC Security Model CSC 382/582: Computer Security 11
Components of Security • Confidentiality – Keeping data and resources hidden. Privacy. • Integrity – Preventing unauthorized changes to data or resources. • Availability – Enabling access to data and resources CSC 382/582: Computer Security 12
Confidentiality • Authentication – Passwords, mother’s maiden name • Corporations – Trade secrets, e. g. , the formula for Coca Cola. • Databases – SSN, Driver’s license • Governments – National security – Embarrassing information: www. thememoryhole. org CSC 382/582: Computer Security 13
Integrity • Data Integrity – content of the information. – ex: 2005 Walmart $1. 5 million bar code scam. • Origin Integrity (authentication) – source of the information. – ex: 1997 Kurt Vonnegut MIT commencement address email. Vonnegut was not the 1997 speaker and the content wasn’t his. • Prevention vs Detection CSC 382/582: Computer Security 14
Availability • Prevent loss of system access. • Denial of service attacks common. – Easy to launch, difficult to track down. – Can be just part of another attack CSC 382/582: Computer Security 15
States of Information 1. Storage – Information not currently being accessed. 2. Processing – Information currently being used by processor. 3. Transmission – Information in transit between one node and another. CSC 382/582: Computer Security 16
Security Measures • Technology. – Hardware/software used to ensure confidentiality, integrity, or availability. • Policy and practice. – Security requirements and activities. • Education, training, and awareness. – Understanding of threats and vulnerabilities and how to protect against them. CSC 382/582: Computer Security 17
How can we evaluate security solutions? 1. What assets are you trying to protect? 2. What are the risks to those assets? 3. How well does the security solution mitigate those risks? 4. What other risks does the security solution cause? 5. What costs and trade-offs does the security solution impose? CSC 382/582: Computer Security 18
Aspects of Risks • To evaluate a risk, we need to evaluate both: – Probability of risk occurring. – Cost incurred by risk if it occurs. • Minimize product of probability and cost. • Risks are impacted by environment. – Building a house in a flood plain incurs additional risks beyond that of house itself. – Similarly, installion and configuration options impact risk of software systems. CSC 382/582: Computer Security 19
Security is a matter of Trade-offs Security is only one of many system goals: • • • Functionality Ease of Use Efficiency Time to market Cost Security CSC 382/582: Computer Security 20
Cost-Benefit Analysis Is it cheaper to prevent violation or recover? – Cost of good network security: • Money, time, reduced functionality, annoyed users. • Large and ongoing. – Risks of bad network security: • Angry customers, bad press, network downtime. • Small and temporary. CSC 382/582: Computer Security 21
Airport Security Let’s consider the issue of airport security again from the standpoint of what we’ve learned. Develop a solution, keeping the 5 questions in mind: 1. What assets are you trying to protect? 2. What are the risks to those assets? 3. How well does the security solution mitigate those risks? 4. What other risks does the security solution cause? 5. What costs and trade-offs does the security solution impose? CSC 382/582: Computer Security 22
Human Issues: People Problems • Social engineering – Kevin Mitnick testified before Congress “I was so successful in that line of attack that I rarely had to resort to a technical attack. ” • Circumvention – Users write down passwords, leave screens unlocked. • Insider attacks CSC 382/582: Computer Security 23
Human Issues: Organizations • Low priority – Security costs, but doesn’t produce income. – Lack of liability reduces costs of bad security. • Variable impact – Cost of security violation highly variable. – Insurance converts variable risk to fixed cost, but risk too variable for much involvement so far. • Power and responsibility – Personnel responsible for security often don’t have power to enforce security. CSC 382/582: Computer Security 24
Security: Laws and Customs • Are desired security measures illegal? – cryptography export before 2000 – is it legal to monitor security breakins? – international commerce • Will users circumvent them? – writing down passwords – removing file ACLs CSC 382/582: Computer Security 25
Security Liability • Product liability: – Tires: Continental recalled Ford SUV tires in 2002 due to wire and vibration problems. – Software: Manufacturer not liable for security flaws. • Since Microsoft isn’t liable for Windows security failures, why would they want to sacrifice money, time, functionality, and ease of use for security? CSC 382/582: Computer Security 26
Assumptions • Security rests on assumptions specific to type of security required and environment. • Example: – TCP/IP designed for pre-commercial Internet. • Assumed only legitimate admins had root access. • Trusted IP addresses, since only root can set IP addr. • What happens to network when Windows 95 systems added to network, where desktop user has all privileges? CSC 382/582: Computer Security 27
Assurance How much can you trust a system? Example: – Purchasing aspirin from a drugstore. – Bases for trust: • Certification of drug by FDA. • Reputation of manufacturer. • Safety seal on bottle. CSC 382/582: Computer Security 28
How much do you trust? Ken Thompson’s compiler hack from “Reflections on Trusting Trust. ” – Modified C compiler does two things: • If compiling a compiler, inserts the self-replicating code into the executable of the new compiler. • If compiling login, inserts code to allow a backdoor password. – After recompiling and installing old C compiler: • Source code for Trojan horse does not appear anywhere in login or C compiler. • Only method of finding Trojan is analyzing binary. CSC 382/582: Computer Security 29
Key Points • Components of security – Confidentiality – Integrity – Availability • Evaluating risk and security solutions. – Security is a matter of trade-offs. • Security is a human problem. CSC 382/582: Computer Security 30
References 1. Ross Anderson, Security Engineering, Wiley, 2001. 2. Matt Bishop, Introduction to Computer Security, Addison-Wesley, 2005. 3. Peter Neumann, (moderator), Risks Digest, http: //catless. ncl. ac. uk/Risks/ 4. Bruce Schneier, Beyond Fear, Copernicus Books, 2003. 5. Ken Thompson, “Reflections on Trusting Trust”, Communication of the ACM, Vol. 27, No. 8, August 1984, pp. 761 -763 (http: //www. acm. org/classics/sep 95/) CSC 382/582: Computer Security 31
- 382582
- Csc
- Privat security
- Introduction to computer security
- Cpe102/csc102 introduction to programming
- Osi security architecture
- Security guide to network security fundamentals
- Wireless security in cryptography
- Visa international security model in information security
- Electronic mail security in network security
- Nstissc security model
- E commerce security meaning
- Software security building security in
- Security guide to network security fundamentals
- Security guide to network security fundamentals
- Introduction to database security
- Security mechanisms in cryptography
- Oracle vpd column masking example
- Introduction to cryptography and network security
- Scytale
- Symantec email security
- Introduction to cryptography and network security
- Components of computer security
- State legal, ethical and professional aspects of security.
- Legal and ethical issues in computer security
- Ethique informatique
- Computer security tutorial
- Computer security 161 cryptocurrency lecture
- Computer security principles and practice
- Computer security principles and practice solutions
- Computer security dieter gollmann
- Computer security handbook