Presentation is loading. Please wait.

Presentation is loading. Please wait.

SECURITY Professor Mona Mursi. ENVIRONMENT IT infrastructures are made up of many components, abstractly: IT infrastructures are made up of many components,

Published byClare Bradley Modified over 8 years ago

Similar presentations

Presentation on theme: "SECURITY Professor Mona Mursi. ENVIRONMENT IT infrastructures are made up of many components, abstractly: IT infrastructures are made up of many components,"— Presentation transcript:

1 SECURITY Professor Mona Mursi

2 ENVIRONMENT IT infrastructures are made up of many components, abstractly: IT infrastructures are made up of many components, abstractly: computer NETWORK computer computer NETWORK computer Each component is uniquely vulnerable to attack Each component is uniquely vulnerable to attack S/W Internet R

3 Security Information Security Information Security Cryptography and Information Security Cryptography and Information Security Cryptography: Basic building blocks of security Cryptography: Basic building blocks of security Using cryptography to protect information Using cryptography to protect information System Security System Security Attack and defense of individual computer systems Attack and defense of individual computer systems Focus on software security Focus on software security Applications, Operating System Applications, Operating System Network Security Network Security Attack and defense of entire networks Attack and defense of entire networks Focus on network protocol security and protecting network infrastructure devices Focus on network protocol security and protecting network infrastructure devices

4 Security Goals Security Goals Confidentiality Confidentiality Concealment of information Concealment of information Integrity Integrity Trustworthiness of information Trustworthiness of information Availability Availability Access to information Access to information

5 Threats Vocabulary Vocabulary Threat: potential security vulnerability Threat: potential security vulnerability Attack: action exploiting security vulnerabilities Attack: action exploiting security vulnerabilities Adversary: one who implements attacks Adversary: one who implements attacks Types of threats Types of threats Disclosure: unauthorized access to information Disclosure: unauthorized access to information Threat to CONFIDENTIALITY Threat to CONFIDENTIALITY Deception: acceptance of false data Deception: acceptance of false data Threat to INTEGRITY Threat to INTEGRITY Disruption: interruption of correct operation Disruption: interruption of correct operation Threat to AVAILABILITY Threat to AVAILABILITY Usurpation: unauthorized system control Usurpation: unauthorized system control Threat to ALL Threat to ALL

6 Threats Types of attacks Types of attacks  Snooping, aka wiretapping  Modification, unauthorized change of information  Masquerading, aka spoofing, impersonation  Repudiation of Origin, false denial that an entity sent/created something  Denial of Receipt, false denial that an entity received something  Delay  Denial of service

7 Entire Taxonomy ConfidentialityAvailabilityIntegrity Disclosure Deception Snooping Usurpation Disruption ModificationSpoofing Repudiation of Origin Denial of Receipt Delay Denial of Service

8 Threat Models Threat models define a hypothetical adversary ’ s capabilities Threat models define a hypothetical adversary ’ s capabilities Based on capabilities, we can determine the types of attacks Based on capabilities, we can determine the types of attacks Given attacks we can determine threats Given attacks we can determine threats Given threats we can determine the necessary security goals Given threats we can determine the necessary security goals Adversary Capabilities Security Goals ThreatsAttacks

9 Adversary Capabilities Can vary depending on the application, environment, system Can vary depending on the application, environment, system Examples … Examples … Crypto / Information Security Crypto / Information Security Access to keying material Access to keying material Computational capabilities (i.e. laptop vs supercomputer) Computational capabilities (i.e. laptop vs supercomputer) System Security System Security Access to operating system, applications Access to operating system, applications User vs administrator access User vs administrator access Physical access to system Physical access to system Network Security Network Security On-path vs off-path On-path vs off-path Active vs passive Active vs passive

10 Policy vs. Mechanism How are security goals achieved? How are security goals achieved? Security Policy: statement as to what is or is not allowed Security Policy: statement as to what is or is not allowed Security Mechanism : method, tool, or procedure to enforce policy Security Mechanism : method, tool, or procedure to enforce policy Example 1: Example 1:  Bank policy requires that all home banking transactions have confidentiality and integrity  Bank website encrypts communications to web browsers and requires that users log in before accessing accounts Example 2: Example 2:  University policy requires that users who forget their password be authenticated before having their password reset  University requires users to bring a photo ID to the helpdesk to reset passwords

11 Assumptions  Two key assumptions: Policy correctly and unambiguously partitions the set of system states into secure and nonsecure Policy correctly and unambiguously partitions the set of system states into secure and nonsecure Security mechanisms prevent the system from entering a nonsecure-state Security mechanisms prevent the system from entering a nonsecure-state

12 Dealing with Attacks Prevention Prevention Mechanisms prevent attack from being effective Mechanisms prevent attack from being effective Detection Detection Mechanisms to detect an attack has occurred Mechanisms to detect an attack has occurred Recovery Recovery Mechanisms to allow a system to be restored to its pre-attack state after an attack is detected Mechanisms to allow a system to be restored to its pre-attack state after an attack is detected Mechanisms to allow a system to function correctly in spite of an attack (more difficult) Mechanisms to allow a system to function correctly in spite of an attack (more difficult)

13 Trust Implementing policy typically requires some level of trust Implementing policy typically requires some level of trust Example: Example: Opening a door requires a key Opening a door requires a key Trusted parties have keys Trusted parties have keys Trusted parties can open the door Trusted parties can open the door What about lock pickers? We assume they are trustworthy, and do not open doors without permission. What about lock pickers? We assume they are trustworthy, and do not open doors without permission. Example: Example: Reading your email requires a password Reading your email requires a password Only you know your password, so only you can read your email Only you know your password, so only you can read your email What about system administrators? We assume they are trustworthy and do not use their system access to read our email. What about system administrators? We assume they are trustworthy and do not use their system access to read our email.

14 Assurance Trust is imprecise, and rarely “ yes ” or “ no ” Trust is imprecise, and rarely “ yes ” or “ no ” Assurance is a trust metric: specifies how much you trust a system, and what do you trust it to do? Assurance is a trust metric: specifies how much you trust a system, and what do you trust it to do? Examples Examples Who on the Internet do you trust with your credit card information? Who on the Internet do you trust with your credit card information? Would you trust a computer system more if it had up-to-date anti- virus software installed? Would you trust a computer system more if it had up-to-date anti- virus software installed?

15 Assurance Operational Issues Enterprise networks: information assurance is based on a cost-benefit analysis Enterprise networks: information assurance is based on a cost-benefit analysis Weigh the value of the information with the expense of protecting it Weigh the value of the information with the expense of protecting it Financial cost of a security policy violation Financial cost of a security policy violation Theft of funds, intellectual property, state secrets Theft of funds, intellectual property, state secrets Loss of revenue or reputation Loss of revenue or reputation Cost of recovering from the attack Cost of recovering from the attack Financial cost of implementing mechanisms Financial cost of implementing mechanisms Additional staff to audit computer networks Additional staff to audit computer networks Cost of firewalls, secure servers, physical security, etc Cost of firewalls, secure servers, physical security, etc Cost of increased system complexity Cost of increased system complexity

16 Overall Determine Adversary Capabilities Determine Adversary Capabilities Determine Possible Attacks Determine Possible Attacks Develop Overall System Security Policy Establish Security Goals for System Components (i.e. confidentiality, integrity, availability) Enumerate Threats Implement Security Mechanisms consistent with the required level of Assurance

Download ppt "SECURITY Professor Mona Mursi. ENVIRONMENT IT infrastructures are made up of many components, abstractly: IT infrastructures are made up of many components,"

Similar presentations

Cryptography and Network Security 2 nd Edition by William Stallings Note: Lecture slides by Lawrie Brown and Henric Johnson, Modified by Andrew Yang.

Cryptography and Network Security 2 nd Edition by William Stallings Note: Lecture slides by Lawrie Brown and Henric Johnson, Modified by Andrew Yang.
September 10, 2012Introduction to Computer Security ©2004 Matt Bishop Slide #1-1 Chapter 1: Introduction Components of computer security Threats Policies.

September 10, 2012Introduction to Computer Security ©2004 Matt Bishop Slide #1-1 Chapter 1: Introduction Components of computer security Threats Policies.
Security and Trust in E- Commerce. The E-commerce Security Environment: The Scope of the Problem  Overall size of cybercrime unclear; amount of losses.

Security and Trust in E- Commerce. The E-commerce Security Environment: The Scope of the Problem  Overall size of cybercrime unclear; amount of losses.
Chap 1: Overview Concepts of CIA: confidentiality, integrity, and availability Confidentiality: concealment of information –The need arises from sensitive.

Chap 1: Overview Concepts of CIA: confidentiality, integrity, and availability Confidentiality: concealment of information –The need arises from sensitive.
Cryptography and Network Security Chapter 1

Cryptography and Network Security Chapter 1
1 cs691 chow C. Edward Chow Overview of Computer Security CS691 – Chapter 1 of Matt Bishop.

1 cs691 chow C. Edward Chow Overview of Computer Security CS691 – Chapter 1 of Matt Bishop.
1 Overview CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute March 8, 2004.

1 Overview CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute March 8, 2004.
Chapter 1 – Introduction

Chapter 1 – Introduction
Security+ Guide to Network Security Fundamentals

Security+ Guide to Network Security Fundamentals
1 Cryptography and Network Security Third Edition by William Stallings Lecturer: Dr. Saleem Al_Zoubi.

1 Cryptography and Network Security Third Edition by William Stallings Lecturer: Dr. Saleem Al_Zoubi.
22 November 2010. Security and Privacy  Security: the protection of data, networks and computing power  Privacy: complying with a person's desires when.

22 November Security and Privacy  Security: the protection of data, networks and computing power  Privacy: complying with a person's desires when.
1 An Overview of Computer Security computer security.

1 An Overview of Computer Security computer security.
6/9/2015Madhumita. Chatterjee1 Overview of Computer Security.

6/9/2015Madhumita. Chatterjee1 Overview of Computer Security.
Chapter 1: Introduction Components of computer security Threats Policies and mechanisms The role of trust Assurance Operational Issues Human Issues Computer.

Chapter 1: Introduction Components of computer security Threats Policies and mechanisms The role of trust Assurance Operational Issues Human Issues Computer.
July 1, 2004Computer Security: Art and Science ©2002-2004 Matt Bishop Slide #1-1 Chapter 1: Introduction Components of computer security Threats Policies.

July 1, 2004Computer Security: Art and Science © Matt Bishop Slide #1-1 Chapter 1: Introduction Components of computer security Threats Policies.
Stephen S. Yau CSE465 & CSE591, Fall 2006 1 Information Assurance (IA) & Security Overview Concepts Security principles & strategies Techniques Guidelines,

Stephen S. Yau CSE465 & CSE591, Fall Information Assurance (IA) & Security Overview Concepts Security principles & strategies Techniques Guidelines,
Applied Cryptography for Network Security

Applied Cryptography for Network Security
April 1, 2004ECS 235Slide #1 Chapter 1: Introduction Components of computer security Threats Policies and mechanisms The role of trust Assurance Operational.

April 1, 2004ECS 235Slide #1 Chapter 1: Introduction Components of computer security Threats Policies and mechanisms The role of trust Assurance Operational.
Cryptography and Network Security Chapter 1. Chapter 1 – Introduction The art of war teaches us to rely not on the likelihood of the enemy's not coming,

Cryptography and Network Security Chapter 1. Chapter 1 – Introduction The art of war teaches us to rely not on the likelihood of the enemy's not coming,
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.

Similar presentations

Ads by Google