7 Course Grading Homework and Assignments: 25% Midterm Exam: 10% Term paper + Presentation: 25%Term project: %Final Exam: %
8 NoteAll information contained in this course information sheet, other than grading policy, may be subject to change.
9 Important Dates Abstracts for projects and term paper Midterm Feb. 6, 2014MidtermMar. 13, 2014Term paper and presentationApr. 24, 2014Project ReportMay 1, 2014Final Exam (24 hour take home exam)
10 Questions for the class Are you comfortable with C, C++, and/or Java?
11 Questions for the class Are you familiar with IP networking?
12 Questions for the class Are you familiar with Operating System? Linux and/or Windows?
13 Questions for the class What is your goal of this class?
14 Prohibited ConductStudents enrolled in academic credit bearing courses are subject to this Code. Conduct prohibited by this Code consists of all forms of academic dishonesty, including, but not limited to:1. Cheating, fabrication, facilitating academic dishonesty, and plagiarism as set out and defined in the Student Code of Conduct, ABOR Policy E.10, and F.12. Submitting an item of academic work that has previously been submitted or simultaneously submitted without fair citation of the original work or authorization by the faculty member supervising the work.Violating required disciplinary and professional ethics rules contained or referenced in the student handbooks (hardcopy or online) of undergraduate or graduate programs, or professional colleges.Source:
15 Prohibited Conduct4. Violating discipline specific health, safety or ethical requirements to gain any unfair advantage in lab(s) or clinical assignments. 5. Failing to observe rules of academic integrity established by a faculty member for a particular course. 6. Attempting to commit an act prohibited by this Code. Any attempt to commit an act prohibited by these rules shall be subject to sanctions to the same extent as completed acts. 7. Assisting or attempting to assist another to violate this Code.Source:
16 The Average Individual Cost due to Cyber Attack According to 2013’s Consumer Security Risks Survey, conducted by B2B International and Kaspersky Lab, the average cost of multimedia files that a user might lose as a result of a cyber attack or other damage is estimated at $418.According to the same survey, “over 60% of users who were victims of malware that either damaged or destroyed data admitted that they had not been able to fully restore their files.”“in the age group would face an average loss of $670, while those in the group would incur an average loss of $455; users aged 45 and older would lose an average of $227.”
17 Cyber attacks cost for US Organizations The Ponemon Institute sponsored by HP Enterprise Security Products conducted the “2013 Cost of Cyber Crime Study” that showed “the average annualized cost of cybercrime incurred by a benchmark sample of US organizations was $11.56 million, with a range of $1.3 million to $58 million. That represent a 78% increase since the initial study was conducted four years ago and an increase of 26%, or $2.6 million, over the average cost reported in 2012.”Source:
18 Cyber attacks cost for US Organizations It also stated: “the time it takes to resolve a cyber-attack has increased by nearly 130% during this same period. The average time to resolve a cyber-attack is 32 days, with an average cost incurred during the resolution period of $1,035,769, or $32,469 per day – a 55% increase over last year’s estimated average cost of $591,780 for a 24-day period.”Source:
19 Cyber attacks cost for US Organizations “Overall, organizations experience an average of 122 successful attacks per week, up from 102 attacks per week in Cybercrime cost varies by company size, but smaller organizations incur a significantly higher per-capita cost than larger organizations. Organizations in financial services, defense, and energy and utilities also experience substantially higher cybercrime costs than those in retail, hospitality and consumer products.”Source:
20 Small Businesses“Forty-four percent say they have been the victim of a cyber- attack – that’s high, and really concerning,” says Molly Brogan, the director of communications for the NSBA.Of the 44% of businesses that had experienced an attack, 59% say they incurred service interruptions, and 35% say information was falsely sent from their domain names. Nineteen percent say their website was taken down, and 5% say sensitive information and data was stolen.The NSBA’s 2013 Small Business Technology Survey was conducted in August and surveyed 845 small-business owners, including both NSBA members and non-members.Source:
22 Cloud AttacksOn Oct. 3, 2013, Adobe announced that their Creative Cloud customers database has been the target of a cyber attack which may have compromised the data of some 2.9 million Creative Cloud customers.
23 Healthcare“A top Homeland Security Department official testified Wednesday that there have been approximately 16 cyberattacks on the HealthCare.gov website and one ‘denial of service’ attack that was unsuccessful.”Source:
28 Why Internet SecurityInternet attacks are increasing in frequency, severity and sophisticationSecurity has become one of the hottest jobs even with downturn of economy2.4 billion loss:Economic loss:
29 Why Internet Security (cont’d) Virus and wormsMelissa, Nimda, Code Red, Code Red II, Slammer …Cause over $28 billion in economic losses in 2003, growing to over $75 billion in economic losses by 2007.Code Red (2001): 13 hours infected >360K machines - $2.4 billion lossSlammer (2003): 10 minutes infected > 75K machines - $1 billion loss2.4 billion loss:Economic loss:
30 U.S. National Cybersecurity Martin Casado • Keith ColemanSponsored by William J. PerryMS&E 91SIFall 2006Stanford University
32 Case 1: Blue Security DoS May 2006, anti-spam company “Blue Security” attacked by PharmaMasterPharmaMaster bribed a top-tier ISP's staff member into black holing Blue Security's former IP address ( ) at internet backbone routers.Attack disrupts the operations of five top-tier hosting providers in the US and Canada, as well as a major DNS provider for several hours.Blue security operation was disrupted, and they had to shutdown their service.
33 Case 2: Slammer WormJanuary Infects 90% of vulnerable computers within 10 minutesEffect of the Worm - Interference with elections - Cancelled airline flights emergency systems affected in Seattle - 13,000 Bank of America ATMs failedNo malicious payload!Estimated ~$1 Billion in productivity lossNote that $1billion dollars in damage puts it in 9th place behind code-red (2.6 billion), LoveLetter (8.8 billion) and Klez (9 billion)Does anyone actually believe those estimates?As a result people weren’t getting dial tones, planes couldn’t fly and ATM’s weren’t giving cache.404-byte UDP packet!!
34 Vulnerabilities are not just technical Case 3: WorldComJuly WorldCom declares bankruptcyProblem WorldCom carries 13% - 50% of global internet traffic. About 40% of Internet traffic uses WorldCom’s network at some pointOctober Outage affecting only 20% of WorldCom users snarls traffic around the globeCongressional Hearings Congress considers, but rejects, extension of FCC regulatory powers to prevent WorldCom shutdownVulnerabilities are not just technicalWorldCom in particular carries somewhere between thirteen to fifty percent of the entire world’s Internet traffic and its failure or shut down could spell global disaster on economic and other levels. In fact, government officials were so worried that bankruptcy might force the giant to close its internet services division that Congress held special hearings in 2002 to consider what might happen in that event. These fears got a boost of validity when in October 2002 a WorldCom outage that affected a mere twenty percent of its customers snarled internet traffic around the globe. In an effort avoid a complete outage, the Congressional hearings went so far as to consider extending FCC regulatory power so that the government could in fact prevent the bankrupt provider from shutting down its internet services division.  Zager, Masha. “Will WorldCom’s Bankruptcy Choke the Internet?” NewsFactor Network. August 2, Available online at: Salkever, Alex. “When the Net’s Backbone is Out of Joint,” Business Week. October 8, Available online at:
35 Case 4: “Titan Rain”Successful network intrusions on U.S. military installationsIncreasing in frequency since 2003Originating from ChinaSuccessful intrusion into…U.S. Army Information Systems Engineering Command at Fort Huachuca, ArizonaDefense Information Systems Agency in Arlington, VirginiaNaval Ocean Systems Center in San Diego, CaliforniaUnited States Army Space and Strategic Defense installation in Huntsville, Alabamamore…
36 Increasing Dependence Communication ( , IM, VoIP)Commerce (business, banking, e-commerce, etc)Control systems (public utilities, etc)Information and entertainmentSensitive data stored on the Internete.g.Biz, Edu, Gov have permanently replaced physical/manual processes with Internet- based processesNavy command dissemination?U.S. is particularly dependentData privacy is currently a big driver behind regulationWhy does this dependency cause problems? Why is it a risk? It’s a risk because we’re depending heavily on a system for which security is not often a top priority.Permanent replacement: this is scary, because if our information systems fail, we have no processes to fall back on. Commerce/etc stops.
37 Security Initially Not a Priority Other design priorities often trump security:CostSpeedConvenienceOpen ArchitectureBackwards CompatibilityProblem isn’t that people don’t care about security, it’s that the Internet has so many other priorities. It needs to do all these things really well in order to meet the needs of its users. It’s understandable why it got this way.Plus there is an open culture that is constraint averseConvenience – remembering passwords, don’t want to configure
38 And It’s Really Hard … Hard to retrofit security “fixes” No metrics to measure (in)securityInternet is inherently international (no real boundaries)Private sector owns most of the infrastructure“Cybersecurity Gap”: a cost/incentive disconnect?Businesses will pay to meet business imperativesWho’s going to pay to meet national security imperatives?This problem is compounded by the fact that it’s difficult to manage Internet security*QUESTION PAUSE*There comes a point when the amount of money you’d have to spend to achieve a certain level of security would be greater than the all the profit you could potentially earn. Since you’re a business, you want to make money, so you’re not going to spend this much.Power outage in NY cost the city over a half-billion dollars
39 and a weak spot for accidents and failures An Achilles Heel?This level of dependence makes the Internet a target for asymmetric attackCyberwarfareCyberterrorismCyberhooliganism*and a weak spot for accidents and failuresThe level of dependence we have on a system that’s hard to secure makes the Internet a target for asymmetric attack.Asymmetric – nuclear weapons take years to develop, but a 15 yr old kid can take down US commerce infrastructure* Coined by Bruce Schneier, Counterpane
40 That’s what this class is about. The ChallengeClearly not just a technical problem. Requires consideration of economic factors, public policy, legal issues, social issues etc.That’s what this class is about.Protecting against these threats will require both the right technology and the right public policy. Accomplishing this is the “cybersecurity challenge”Pause for questions?
41 What is “cybersecurity?” When we talk about the “cybersecurity challenge” and “cybersecurity problems,” what are we really referring to?We have all these things labeled with the term “cybersecurity” – House Cybersecurity Subcommittee, Stanford Cybersecurity Center, etc…So what is “Cybersecurity?”Whenever anyone hears it, they never know. I bet students were even unsure when they first saw itIs it about crypto? Is it about buffer overflow attacks? Is it about international intelligence collaboration? What?
42 Some Definitions According to the U.S. Dept of Commerce: See “information security”According to the U.S. Dept of Commerce:n. cybersecurity:n. information security: The protection of information against unauthorized disclosure, transfer, modification, or destruction, whether accidental or intentional.Focuses on information – the dataDoes not say anything about interruption – ability to communicate that informationNot fundamentally tied to “cyber”
43 Some DefinitionsAccording to S “Cybersecurity Research and Education Act of 2002”:cybersecurity: “information assurance, including scientific, technical, management, or any other relevant disciplines required to ensure computer and network security, including, but not limited to, a discipline related to the following functions:(A) Secure System and network administration and operations.(B) Systems security engineering.(C) Information assurance systems and product acquisition.(D) Cryptography.(E) Threat and vulnerability assessment, including risk management.(F) Web security.(G) Operations of computer emergency response teams.(H) Cybersecurity training, education, and management.(I) Computer forensics.(J) Defensive information operations.Cybersecurity is a disciplineHeavily technical – nothing about disciplines that study the economics, legal aspects, etc
44 Some DefinitionsAccording to S “Cyberterrorism Preparedness Act of 2002 ”:cybersecurity: “information assurance, including information security, information technology disaster recovery, and information privacy.”Again, doesn’t really say much about availability of systems & *ability* to communicate information (this is sometimes considered part of the definition of “info assurance”, but leaving it as such is still pretty vague – we’re not a whole lot better off than we were with “cybersecurity”)Could apply to things that aren’t computers
45 One way to think about it cybersecurity = security of cyberspaceWhat is cyberspace? Information Systems and Networks
46 One way to think about it cybersecurity = security of cyberspaceinformation systems and networks
47 One way to think about it cybersecurity = security of information systems and networksIt’s not really the security of the information systems and networks that we care about, it’s that we care about the operations and assets that depend on these information systems.
48 One way to think about it cybersecurity = security of information systems and networks+ with the goal of protecting operations and assets
49 One way to think about it cybersecurity = security of information systems and networks with the goal of protecting operations and assetsPeople often think of security as being security against attackers, but as we showed earlier you also need to protect against accidents and failures
50 One way to think about it cybersecurity = security of information systems and networks with the goal of protecting operations and assetssecurity in the face of attacks, accidents, and failures
51 One way to think about it cybersecurity = security of information systems and networks in the face of attacks, accidents, and failures with the goal of protecting operations and assets“Security” still a bit vague here. From earlier definitions we saw that security can mean a number of things – most notably availability, integrity and secrecyAvailability – ability to communicateIntegrity – that what is being communicated is authenticSecrecy – that communications and information can be kept private
52 One way to think about it cybersecurity = security of information systems and networks in the face of attacks, accidents and failures with the goal of protecting operations and assetsavailability, integrity, and secrecy
53 One way to think about it cybersecurity = availability, integrity and secrecy of information systems and networks in the face of attacks, accidents, and failures with the goal of protecting operations and assetsSTILL A WORK IN PROGRESS!This is an umbrella term(Still a work in progress…comments?)
54 In Contextcorporate cybersecurity = availability, integrity and secrecy of information systems and networks in the face of attacks, accidents and failures with the goal of protecting a corporation’s operations and assetsnational cybersecurity = availability, integrity and secrecy of the information systems and networks in the face of attacks, accidents and failures with the goal of protecting a nation’s operations and assetsThis definition works well in context
55 What is computer security? Why do we need? Closer look at exactly what we’ll do in this class. Please hold questions until the end.
56 Cybersecurity Questions How vulnerable is the United States to a cyberattack? Are we heading for an “electronic pearl harbor”?What areas of vulnerability require the greatest attention in order to improve our national cybersecurity?Is the Internet an appropriate platform upon which to operate infrastructure systems critical to US economic or government operation? Here are some of the questions our speakers will be addressing If you’re intrigued by these questions, this is the right class for you.
57 Cybersecurity Questions What characteristics would we want in an “Ideal Internet”?Can the current Internet evolve into a network with significantly improved security guarantees or will another system need to created?Does greater Internet security necessarily entail decreased online privacy?These and many more are all questions we will touch on during the course of the class. The consideration of these types of questions is what drove us to create this course, and we hope that you all share this interest.
58 information security triad (CIA) ConfidentialityIntegrityAvailability
59 Confidentiality Prevent from unauthorized access Prevent from unauthorized disclosureGuarantee privacy
60 IntegrityPrevent from unauthorized modifications to information
61 AvailabilityEnsuring the availability of resources (System, Services, or Information) to users in a timely manner
63 Some of the methods used to protect the CIA of information Identification:Using unique naming to enforce access control and establish accountabilityAuthenticationVerification of the provided identificationAuthorizationDefine what actions the user, the system, or the process can perform on the information.
64 AccountabilityTracing back actions and events back in time to the entity (User, System, Process) that invokes them.
65 LogsOrdered list (usually by time) of actions and events created by systems and applications to provide accountability. The term Audit trail is used when to distinguish low level actions or events.
66 Functionality vs. Assurance We are looking on Functionality and Assurance from security prospectiveThe functionality of the system provides information about what the system can perform.The assurance of the system provides the information about what the system won’t perform.Conservative SystemAssuranceHolistic SystemFunctionality
68 System Resource (Asset) Information, Services, Functionalities, or Hardware.What about Network?
69 ThreatThreat: Set of conditions that has the potential of causing a security breach that harm the system.Types of threat:Unauthorized Disclosure: Unauthorized access to dataDeception: Acceptance of false dataDisruption: Interruption or prevention of correct operationUsurpation: Unauthorized control of a system or part of it.
70 Which of the security CIA properties does each threat type affect?
71 Unauthorized Disclosure Exposure: Sensitive data is released to unauthorized entityInterception: Unauthorized entity directly gain data being transferred between authorized entities.Inference: Unauthorized entity get data indirectlyIntrusion: Unauthorized entity gain data by cheating the security enforcement entities.
72 DeceptionMasquerade: Unauthorized entity perform an malicious activity as an authorized entity.Falsification: Providing false dataRepudiation: An entity denies the occurrence of an event.
73 DisruptionIncapacitation: interrupt operation by disabling some functionalityCorruption: Change in system and data to interrupt the system’s operationObstruction: disallow system from providing services.
74 UsurpationMisappropriation: an unauthorized entity controls system’s resources.Misuse: an unauthorized entity perform actions that reduce the system security.
75 Security PolicyA set of rules that regulate how the system provides security services in order to protect its services or resources.
76 Vulnerability and Attack Vulnerability: A flaw in the system that could be exploited to violate the security policy. Attack: An exploit of a vulnerability. Adversary: the entity that is launching the attack
77 Risk and Countermeasure Risk: The probability that a certain threat will attack and cause a particular harmful result. Countermeasure: An action that reduces the risk or the harm by eliminating or preventing from certain threats or attacks.
78 Security Concepts’ Relations AdversaryriseCountermeasuresThreatimposeOwnersWish to abuse ordamagereduceIncreaseWish to reduceRiskValuetotoAssetStallings, William. Computer Security: Principles and Practice (2nd Edition)