CSE331: Introduction to Networks and Security Lecture 15 Fall 2002.


1 CSE331: Introduction to Networks and Security Lecture 15 Fall 2002

2 CSE331 Fall 2002 Announcements
Midterm graded
–Average: 65
–Solutions available on the web
–Pick up after class or during office hours
Introduction to Computer Security today

3 Real World Security
Value: what is being protected?
–Things that have worth
Locks, walls, safes, fences, …
–Scaled for what they’re protecting
–Scaled for what they’re protecting against (threats)
–Minimal interference (or else they aren’t used)
Police & Courts
–Follow up after an attack/violation
–Perhaps most important!

4 Real World: Risk Management
People pay for security based on perceived needs
Trade off security vs.
–Convenience / ease of use
–Functionality
–Efficiency
–Cost
Security is holistic:
–Attacks go for the weakest link

5 Security Terminology
Vulnerability
–Weakness that can be exploited in a system
Attack
–Method for exploiting a vulnerability
Threat
–A motivated, capable adversary that would mount attacks

6 Example Vulnerabilities
Poorly chosen passwords
Software bugs
–Unchecked array access (buffer overflow attacks)
Automatically running active content: macros, scripts, Java programs
Open ports: telnet, mail
Incorrect configuration
–File permissions
–Administrative privileges
Untrained users/system administrators
Trap doors (intentional security holes)
Unencrypted communication
Limited resources (e.g. TCP connections)

7 Example Attacks
Password crackers
Viruses:
–ILoveYou (VBScript virus), Melissa (Word macro virus)
Worms
–Code Red: port 80 (HTTP), buffer overflow in IIS (Internet/Indexing Service)
Trojan horses
Root kits, Back Orifice, SATAN
Social engineering:
–“Hi, this is Joe from systems, can you tell me your password?”
Packet sniffers: Ethereal
Denial of service: TCP SYN packet floods

8 Range of Threats
Concerted attack by a foreign government
–Money & resources
–Strong motivation
…
Teenage hacker
–No money
–? Motivation
Note: the range above doesn’t necessarily represent a range of sophistication!

9 CERT Vulnerabilities

10 CERT Incidents
Check out www.cert.org

11 Questions for Computer Security
What are we protecting?
–What has value?
–What are its characteristics?
What tools do we have to use?
–Hardware
–Software
–Knowledge
How do we effectively use those tools?
–What principles apply?
–How do we know what we want to achieve?
–How do we know what we’ve done?

12 Quality 1: Confidentiality
Keep data or actions secret.
Related to: Privacy, Anonymity, Secrecy
Examples:
–Pepsi secret formula
–Medical information
–Personal records (e.g. credit card information)
–Military secrets

13 Quality 2: Integrity
Protect the reliability of data against unauthorized tampering
Related to: Corruption, Forgery, Consistency
Examples:
–Bank statement agrees with ATM transactions
–The mail you send is what arrives

14 Quality 3: Availability
Resources must be there to use
Related to: Reliability, Fault Tolerance, Denial of Service
Examples:
–You want the web server to reply to your requests
–The military’s communication devices must work

15 What tools are there?
Authorization mechanisms
–Access control
–Specifies who is allowed to do what
Authentication mechanisms
–A principal is an entity that has a stake in the security of a system
–Authentication identifies principals
–Examples: user identifiers & passwords, secret keys
Audit mechanisms
–Monitoring, or logging, security-relevant activities
–Permits follow-up after a security breach
Au = Aurum = “Gold standard”
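The three mechanisms on this slide (authorization, authentication, audit) as an added Python example, not code from the lecture: a toy reference monitor whose principals, passwords, object name and access-control table are constructed sample data, and which writes every decision to an audit log so that a breach can be followed up from the log afterwards.

```python
import hashlib
import hmac
import os
from datetime import datetime, timezone

def _hash_pw(password, salt):
    # Salted, iterated password hash; the plaintext password is never stored.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def _new_credential(password):
    salt = os.urandom(16)
    return salt, _hash_pw(password, salt)

# Constructed sample data (hypothetical principals, object and passwords).
PRINCIPALS = {"alice": _new_credential("correct horse"),
              "bob": _new_credential("battery staple")}
# Authorization table: object -> principal -> actions that principal may perform.
ACL = {"payroll.db": {"alice": {"read", "write"}, "bob": {"read"}}}
# Audit mechanism: every authentication and authorization decision is recorded here.
AUDIT_LOG = []

def _audit(event, principal, obj, action, outcome):
    AUDIT_LOG.append({"time": datetime.now(timezone.utc).isoformat(), "event": event,
                      "principal": principal, "object": obj, "action": action, "outcome": outcome})

def authenticate(principal, password):
    """Authentication: identify the principal by checking its salted password hash."""
    cred = PRINCIPALS.get(principal)
    if cred is None:
        ok = False            # unknown principal; still audited, so probing leaves a trace
    else:
        salt, stored = cred
        ok = hmac.compare_digest(stored, _hash_pw(password, salt))  # constant-time compare
    _audit("authn", principal, None, None, "success" if ok else "failure")
    return ok

def authorize(principal, obj, action):
    """Authorization: is this (already authenticated) principal allowed this action on obj?"""
    allowed = action in ACL.get(obj, {}).get(principal, set())
    _audit("authz", principal, obj, action, "allow" if allowed else "deny")
    return allowed

def access(principal, password, obj, action):
    """Full request path: authenticate first, then authorize; both outcomes are logged."""
    return authenticate(principal, password) and authorize(principal, obj, action)

def failed_attempts(principal):
    """Follow-up after a breach: count failed logins and denied requests for a principal."""
    return sum(1 for e in AUDIT_LOG if e["principal"] == principal and e["outcome"] in ("failure", "deny"))
```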

16 Example tools
Cryptography
–Protects confidentiality & integrity
–Can be used for authentication
Firewalls, access control monitors
–Authorization mechanisms
OS kernels
–Resource allocation/monitoring
Replication
–Provides fault tolerance
Java bytecode verifier
–Protects against faulty/malicious code

17 Security Policy
Set of security requirements for a system
–Takes into account trade-offs of value vs. functionality
–Changes over time
–Depends on context
Varying degrees of formality
–Informal: Don’t reveal my credit card information.
–Formal: Government’s “Orange Book”
National Computer Security Center (1988)
Trusted Computer System Evaluation Criteria (TCSEC)
Classes D through A1
