Presentation is loading. Please wait.

Presentation is loading. Please wait.

CSCE 548 Introduction Basic Security Concepts. APOGEE Students Download recorded lectures Contact instructor if needed via – Phone: during office hours.

Published byCamron Chandler Modified over 8 years ago

Similar presentations

Presentation on theme: "CSCE 548 Introduction Basic Security Concepts. APOGEE Students Download recorded lectures Contact instructor if needed via – Phone: during office hours."— Presentation transcript:

1 CSCE 548 Introduction Basic Security Concepts

2 APOGEE Students Download recorded lectures Contact instructor if needed via – Phone: during office hours – Email: any time – Arrange meetings as needed Attend exams as scheduled Attend class presentation CSCE 548 - Farkas2

3 Instructor:Csilla Farkas Office:Swearingen 3A43 Office Hours:Mondays, Wednesdays 3:30 – 5:00 pm or electronically any time or by appointment Telephone: 576-5762 E-mail:farkas@cec.sc.edufarkas@cec.sc.edu Class homepage: http://www.cse.sc.edu/~farkas/csce548- 2012/csce548.htmhttp://www.cse.sc.edu/~farkas/csce548- 2012/csce548.htm CSCE 727 - Farkas3

4 Text Books Software Security: Building Security In by Gary McGraw, Publisher: Addison-Wesley Professional, February 2, 2006, ISBN-10: 0321356705 ISBN-13: 978-0321356703 24 Deadly Sins of Software Security by Michael Howard, David LeBlanc, John Viega, Publisher: McGraw-Hill Osborne Media, ISBN 978-0-07-162675-0 CSCE 727 - Farkas4

5 Assignments Research project: There will be one research project related to software security. Final project reports must be submitted at the end of the semester. Further project requirements will be distributed at a later time. Homework: There will be 4-5 homework assignments during the semester. There will be a late submission penalty of 4%/day after the due date. (You can always turn it in early.) Class Presentation: Each group will cover a particular code-level security vulnerability (topics to be distributed later) Exams: two closed book in-class exams CSCE 727 - Farkas5

6 Grading Test 1: 15%, Test 2: 30%, Homework: 15%, Presentation: 10%, Research project: 30% Total score that can be achieved: 100 Final grade: 90 < A ; 87<B+<= 90 ; 80<B<=87 ; 76<C+<=80 ; 66<C<=76 ; 61<D+<=66 ; 50 <D<= 61 CSCE 727 - Farkas6

7 Course Policies All students are responsible for reading and following the official Academic Responsibility of the University of South Carolina, as well as the policies of the university and department regarding usage of the computing resourcesAcademic Responsibility university department CSCE 727 - Farkas7

8 Tentative Schedule Week 1 Software Engineering and Security Week 2Risk Management Week 3 Use Cases and Misuse Cases Week 4 Software Reliability Week 5Seven Touchpoints for Software Security Week 6 Code Review; Architectural Risk Analysis TEST 1 Week 7Penetration Testing, Risk-Based Security Testing Week 8Abuse Cases; Security Requirements Week 9Security Analysis; Taxonomy of Coding Errors Week 10-15 Programming Flaws; Language-Based Vulnerabilities April 25, 5:30-7:30 pm FINAL EXAM CSCE 727 - Farkas8

9 Questions? 9

10 Basic Security Concepts http://www.cse.sc.edu/~farkas/cs ce522-2011/csce522.htm Basic Security Concepts CSCE 522 Information Security Principles Fall 2011 http://www.cse.sc.edu/~farkas/cs ce522-2011/csce522.htm

11 CSCE 548 - Farkas11 Security Objectives Confidentiality: prevent/detect/deter improper disclosure of information Integrity: prevent/detect/deter improper modification of information Availability: prevent/detect/deter improper denial of access to services

12 CSCE 548 - Farkas12 Fourth Objective Securing computing resources: prevent/detect/deter improper use of computing resources – Hardware – Software – Data – Network

13 CSCE 548 - Farkas13 Information Assurance Prevention Detection Tolerance/response

14 CSCE 548 - Farkas14 Achieving Security Policy – What to protect? Mechanism – How to protect? Assurance – How good is the protection?

15 CSCE 548 - Farkas15 Security Policy Organizational Policy Computerized Information System Policy

16 CSCE 548 - Farkas16 Security Tradeoffs COST Security Functionality Ease of Use

17 CSCE 548 - Farkas17 Threat, Vulnerability, Risk  Threat: potential occurrence that can have an undesired effect on the system  Vulnerability: characteristics of the system that makes is possible for a threat to potentially occur  Attack: action of malicious intruder that exploits vulnerabilities of the system to cause a threat to occur  Risk: measure of the possibility of security breaches and severity of the damage

18 CSCE 548 - Farkas18 Types of Threats  Errors of users  Natural/man-made/machine disasters  Dishonest insider  Disgruntled insider  Outsiders

19 CSCE 548 - Farkas19 Types of Attack  Interruption – an asset is destroyed, unavailable or unusable (availability)  Interception – unauthorized party gains access to an asset (confidentiality)  Modification – unauthorized party tampers with asset (integrity)  Fabrication – unauthorized party inserts counterfeit object into the system (authenticity)  Denial – person denies taking an action (authenticity)

20 CSCE 548 - Farkas20 Computer Criminals Amateurs: regular users, who exploit the vulnerabilities of the computer system – Motivation: easy access to vulnerable resources Crackers: attempt to access computing facilities for which they do not have the authorization – Motivation: enjoy challenge, curiosity Career criminals: professionals who understand the computer system and its vulnerabilities – Motivation: personal gain (e.g., financial)

21 CSCE 548 - Farkas21 Methods of Defense Prevent: block attack Deter: make the attack harder Deflect: make other targets more attractive Detect: identify misuse Tolerate: function under attack Recover: restore to correct state Documentation and reporting

22 CSCE 548 - Farkas22 Information Security Planning Organization Analysis Risk management Mitigation approaches and their costs Security policy and procedures Implementation and testing Security training and awareness

23 CSCE 548 - Farkas23 Prevention

24 CSCE 548 - Farkas24 Identification Authentication

25 CSCE 548 - Farkas25 Authentication Allows an entity (a user or a system) to prove its identity to another entity Typically, the entity whose identity is verified reveals knowledge of some secret S to the verifier Strong authentication: the entity reveals knowledge of S to the verifier without revealing S to the verifier

26 CSCE 548 - Farkas26 Access Control

27 CSCE 548 - Farkas27 Access Control Protection objects: system resources for which protection is desirable – Memory, file, directory, hardware resource, software resources, etc. Subjects: active entities requesting accesses to resources – User, owner, program, etc. Access mode: type of access – Read, write, execute

28 CSCE 548 - Farkas28 Indirect Information Flow Channels Covert channels Inference channels

29 CSCE 548 - Farkas29 Firewall Objectives Keep intruders, malicious code and unwanted traffic or information out Keep proprietary and sensitive information in Private Network External Network Proprietary data External attacks

30 CSCE 548 - Farkas30 Cryptography Confidentiality - Secret-Key Encryption - Public-Key Encryption

31 CSCE 548 - Farkas31 Insecure communications Sender Snooper Recipient Insecure channel Confidential Plus: -Authentication (digital signatures) -Integrity verification (hash functions)

32 CSCE 548 - Farkas32 Encryption and Decryption EncryptionDecryption PlaintextCiphertextPlaintext

33 CSCE 548 - Farkas33 Hash Functions Hash function h maps an input x of arbitrary length to a fixed length output h(x) (compression) Given h and x, h(x) is easy to compute (ease of computation)

34 CSCE 548 - Farkas34 Digital Signatures in RSA A B Insecure channel Plaintext Signed plaintext Encryption Alg. Decryption Alg. A’s public keyA’s private key (need reliable channel) SignVerify

35 CSCE 548 - Farkas35 Signature and Encryption D EDE A B Plaintext Signed Plaintext Signed Plaintext Encrypted Signed Plaintext A’s private key B’s public key B’s private key A’s public key

36 CSCE 548 - Farkas36 Cryptographic Protocols  Messages should be transmitted to destination  Only the recipient should see it  Only the recipient should get it  Proof of the sender’s identity  Message shouldn’t be corrupted in transit  Message should be sent/received once only

37 CSCE 548 - Farkas37 Program Flaws Taxonomy of flaws: – how (genesis) – when (time) – where (location) the flaw was introduced into the system

38 CSCE 548 - Farkas38 Security Flaws by Genesis Genesis – Intentional Malicious: Trojan Horse, Trapdoor, Logic Bomb, covert channels Non-malicious – Inadvertent Validation error Domain error Serialization error Identification/authentication error Other error

39 CSCE 548 - Farkas39 Next Class: Secure software development G. McGraw: Chapter 1

Download ppt "CSCE 548 Introduction Basic Security Concepts. APOGEE Students Download recorded lectures Contact instructor if needed via – Phone: during office hours."

Similar presentations

CSE 5392By Dr. Donggang Liu1 CSE 5392 Sensor Network Security Course Introduction.

CSE 5392By Dr. Donggang Liu1 CSE 5392 Sensor Network Security Course Introduction.
Computer and Network Security Mini Lecture by Milica Barjaktarovic.

Computer and Network Security Mini Lecture by Milica Barjaktarovic.
Information System protection and Security. Need for Information System Security §With the invent of computers and telecommunication systems, organizations.

Information System protection and Security. Need for Information System Security §With the invent of computers and telecommunication systems, organizations.
Is There a Security Problem in Computing? Network Security / G. Steffen1.

Is There a Security Problem in Computing? Network Security / G. Steffen1.
CSCE 201 Introduction to Information Security Fall 2010.

CSCE 201 Introduction to Information Security Fall 2010.
1 Computer Security Instructor: Dr. Bo Sun. 2 Course Objectives Understand basic issues, concepts, principles, and mechanisms in computer network security.

1 Computer Security Instructor: Dr. Bo Sun. 2 Course Objectives Understand basic issues, concepts, principles, and mechanisms in computer network security.
Lecture 1: Overview modified from slides of Lawrie Brown.

Lecture 1: Overview modified from slides of Lawrie Brown.
EEC 688/788 Secure and Dependable Computing Lecture 2 Wenbing Zhao Department of Electrical and Computer Engineering Cleveland State University

EEC 688/788 Secure and Dependable Computing Lecture 2 Wenbing Zhao Department of Electrical and Computer Engineering Cleveland State University
IT 221: Introduction to Information Security Principles Lecture 1: Introduction to IT Security For Educational Purposes Only Revised: August 28, 2002.

IT 221: Introduction to Information Security Principles Lecture 1: Introduction to IT Security For Educational Purposes Only Revised: August 28, 2002.
6/4/2015National Digital Certification Agency1 Security Engineering and PKI Applications in Modern Enterprises Mohamed HAMDI National.

6/4/2015National Digital Certification Agency1 Security Engineering and PKI Applications in Modern Enterprises Mohamed HAMDI National.
Lecture III : Communication Security, Services & Mechanisms Internet Security: Principles & Practices John K. Zao, PhD SMIEEE National Chiao-Tung University.

Lecture III : Communication Security, Services & Mechanisms Internet Security: Principles & Practices John K. Zao, PhD SMIEEE National Chiao-Tung University.
Note1 (Intr1) Security Problems in Computing. Overview of Computer Security2 Outline Characteristics of computer intrusions –Terminology, Types Security.

Note1 (Intr1) Security Problems in Computing. Overview of Computer Security2 Outline Characteristics of computer intrusions –Terminology, Types Security.
1 An Overview of Computer Security computer security.

1 An Overview of Computer Security computer security.
Chapter 9 Information Systems Controls for System Reliability— Part 2: Confidentiality and Privacy Copyright © 2012 Pearson Education, Inc. publishing.

Chapter 9 Information Systems Controls for System Reliability— Part 2: Confidentiality and Privacy Copyright © 2012 Pearson Education, Inc. publishing.
“Network Security” Introduction. My Introduction Obaid Ullah Owais Khan Obaid Ullah Owais Khan B.E (I.T) – Hamdard University(2003), Karachi B.E (I.T)

“Network Security” Introduction. My Introduction Obaid Ullah Owais Khan Obaid Ullah Owais Khan B.E (I.T) – Hamdard University(2003), Karachi B.E (I.T)
Network Security PHILADELPHIA UNIVERSITY Ahmad Alghoul 2010-2011 Module 1 Introduction: To Information & Security  Modified by :Ahmad Al Ghoul  Philadelphia.

Network Security PHILADELPHIA UNIVERSITY Ahmad Alghoul Module 1 Introduction: To Information & Security  Modified by :Ahmad Al Ghoul  Philadelphia.
CPSC 6126 Computer Security Information Assurance.

CPSC 6126 Computer Security Information Assurance.
1 CSE 651: Introduction to Network Security Steve Lai Spring 2010.

1 CSE 651: Introduction to Network Security Steve Lai Spring 2010.
Alter – Information Systems 4th ed. © 2002 Prentice Hall 1 E-Business Security.

Alter – Information Systems 4th ed. © 2002 Prentice Hall 1 E-Business Security.
Computer Security Tran, Van Hoai Department of Systems & Networking Faculty of Computer Science & Engineering HCMC University of Technology.

Computer Security Tran, Van Hoai Department of Systems & Networking Faculty of Computer Science & Engineering HCMC University of Technology.

Similar presentations

Ads by Google