Fall 2008CS 334 Computer Security1 CS 334: Computer Security Fall 2008.

Slides:



Advertisements
Similar presentations
Cryptography and Network Security 2 nd Edition by William Stallings Note: Lecture slides by Lawrie Brown and Henric Johnson, Modified by Andrew Yang.
Advertisements

September 10, 2012Introduction to Computer Security ©2004 Matt Bishop Slide #1-1 Chapter 1: Introduction Components of computer security Threats Policies.
Is There a Security Problem in Computing? Network Security / G. Steffen1.
Chap 1: Overview Concepts of CIA: confidentiality, integrity, and availability Confidentiality: concealment of information –The need arises from sensitive.
Cryptography and Network Security Chapter 1
Lecture 1: Overview modified from slides of Lawrie Brown.
1 cs691 chow C. Edward Chow Overview of Computer Security CS691 – Chapter 1 of Matt Bishop.
EEC 688/788 Secure and Dependable Computing Lecture 2 Wenbing Zhao Department of Electrical and Computer Engineering Cleveland State University
IT 221: Introduction to Information Security Principles Lecture 1: Introduction to IT Security For Educational Purposes Only Revised: August 28, 2002.
1 Overview CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute March 8, 2004.
1 Cryptography and Network Security Third Edition by William Stallings Lecturer: Dr. Saleem Al_Zoubi.
1 An Overview of Computer Security computer security.
Chapter 1: Introduction Components of computer security Threats Policies and mechanisms The role of trust Assurance Operational Issues Human Issues Computer.
EEC 688/788 Secure and Dependable Computing Lecture 2 Wenbing Zhao Department of Electrical and Computer Engineering Cleveland State University
EEC 688/788 Secure and Dependable Computing Lecture 2 Wenbing Zhao Department of Electrical and Computer Engineering Cleveland State University
July 1, 2004Computer Security: Art and Science © Matt Bishop Slide #1-1 Chapter 1: Introduction Components of computer security Threats Policies.
Stephen S. Yau CSE465 & CSE591, Fall Information Assurance (IA) & Security Overview Concepts Security principles & strategies Techniques Guidelines,
Applied Cryptography for Network Security
April 1, 2004ECS 235Slide #1 Chapter 1: Introduction Components of computer security Threats Policies and mechanisms The role of trust Assurance Operational.
Introduction (Pendahuluan)  Information Security.
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
EEC 693/793 Special Topics in Electrical Engineering Secure and Dependable Computing Lecture 2 Wenbing Zhao Department of Electrical and Computer Engineering.
Topics in Information Security Prof. JoAnne Holliday Santa Clara University.
An Introduction to Information Assurance COEN 150 Spring 2007.
Chapter 15: Security (Part 1). The Security Problem Security must consider external environment of the system, and protect the system resources Intruders.
Cryptography and Network Security
Computer Security “Measures and controls that ensure confidentiality, integrity, and availability of IS assets including hardware, software, firmware,
@Yuan Xue CS 285 Network Security Fall 2008.
John Carpenter & lecture & Information Security 2008 Lecture 1: Subject Introduction and Security Fundamentals.
CS461/ECE422 — Computer Security I — Spring 2012.
Chapter 1 Overview The NIST Computer Security Handbook defines the term Computer Security as:
Computer and Network Security Rabie A. Ramadan. Organization of the Course (Cont.) 2 Textbooks William Stallings, “Cryptography and Network Security,”
Welcome to Introduction to Computer Security. Why Computer Security The past decade has seen an explosion in the concern for the security of information.
What security is about in general? Security is about protection of assets –D. Gollmann, Computer Security, Wiley Prevention –take measures that prevent.
. 1. Computer Security Concepts 2. The OSI Security Architecture 3. Security Attacks 4. Security Services 5. Security Mechanisms 6. A Model for Network.
SECURITY Professor Mona Mursi. ENVIRONMENT IT infrastructures are made up of many components, abstractly: IT infrastructures are made up of many components,
Lecture slides prepared for “Computer Security: Principles and Practice”, 3/e, by William Stallings and Lawrie Brown, Chapter 1 “Overview”. © 2016 Pearson.
Slide #1-1 Introductory Computer Security CS461/ECE422 Fall 2010 Susan Hinrichs.
Topic 5: Basic Security.
IT Security. What is Information Security? Information security describes efforts to protect computer and non computer equipment, facilities, data, and.
Csci5233 computer security & integrity 1 An Overview of Computer Security.
12/18/20151 Computer Security Introduction. 12/18/20152 Basic Components 1.Confidentiality: Concealment of information (prevent unauthorized disclosure.
Computer Security By Duncan Hall.
INTRODUCTION TO COMPUTER & NETWORK SECURITY INSTRUCTOR: DANIA ALOMAR.
Computer threats, Attacks and Assets upasana pandit T.E comp.
C OMPUTER THREATS, ATTACKS AND ASSETS DONE BY NISHANT NARVEKAR TE COMP
July 1, 2004Computer Security: Art and Science © Matt Bishop Slide #1-1 Chapter 1: Introduction Components of computer security Threats Policies.
CST 312 Pablo Breuer. measures to deter, prevent, detect, and correct security violations that involve the transmission of information.
November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #1-1 Chapter 1: Introduction Components of computer security Threats Policies.
Threats, Attacks And Assets… By: Rachael L. Fernandes Roll no:
1 Network Security Maaz bin ahmad.. 2 Outline Attacks, services and mechanisms Security attacks Security services Security Mechanisms A model for Internetwork.
Advanced System Security Dr. Wayne Summers Department of Computer Science Columbus State University
Lecture 1 Introduction Dr. nermin hamza 1. Aim of Course Overview Cryptography Symmetric and Asymmetric Key management Researches topics 2.
Computer Security Introduction
CS457 Introduction to Information Security Systems
CS 395: Topics in Computer Security
Network Security Presented by: JAISURYA BANERJEA MBA, 2ND Semester.
Chapter 1: Introduction
Information System and Network Security
Data & Network Security
Information and Network Security
NET 311 Information Security
Chapter 1: Introduction
Cryptography and Network Security
Information Security: Terminology
Computer Security Introduction
Security.
Introduction to Cryptography
Cryptography and Network Security
Chapter 1: Introduction
Presentation transcript:

Fall 2008CS 334 Computer Security1 CS 334: Computer Security Fall 2008

Website: 08/main.html Fall 2008CS 334 Computer Security2

Fall 2008CS 334 Computer Security3 Text: Security in Computing by Charles P. and Shari Lawrence Pfleeger. Two other good references: Computer Security: Art and Science by Matt Bishop Security Engineering by Ross Anderson

Thanks to Anthony Joseph, Doug Tygar, Umesh Vazirani, and David Wagner of the University of California, Berkeley, for their generosity in allowing me to use some of their course material (slides and handouts) Fall 2008CS 334 Computer Security4

Why Is Security Such a Problem? Monoculture computing environment Web, e-commerce, & collaborative applications Internet spans national boundaries Poor programming practices Inherently more difficult to defend vs disrupt Fall 2008CS 334 Computer Security5

Two Security Nightmares The transparent society “Electronic Pearl Harbor” Fall 2008CS 334 Computer Security6

Electronic Pearl Harbor Is this just scare-mongering? Slammer worm took down Bank of America’s ATM network, Seattle 911 service Nachi worm invaded Diebold ATMs Real worries about e-voting validity Millions of CC #s, SS #s leaked Case study: Attacks over the Taiwan straits Fall 2008CS 334 Computer Security8

Goals of this class Solid foundation in understanding security Key information a/b building secure systems Introduce range of topics in security Interest some of you in further study Fall 2008CS 334 Computer Security9

Fall 2008CS 334 Computer Security10 Introduction Attacks Security Goals

Fall 2008CS 334 Computer Security11 What is Computer Security? Generally concerned with protection of computer related assets Risk analysis and management! –“Manage” could mean prevention of damage or detection of damage –Knowledge of available countermeasures and controls

Fall 2008CS 334 Computer Security12 Security Goals Confidentiality: concealment of information or resources. –Sometimes called privacy Availability: preserve ability to use information or resource desired. –An unavailable system is at least as bad as no system at all!

Fall 2008CS 334 Computer Security13 Security Goals (cont.) Integrity: trustworthiness of data or resources. –Typically refers to preventing improper or unauthorized modification –Data integrity (content of information) –Origin integrity (origin of information). Typically referred to as authentication.

Fall 2008CS 334 Computer Security14 Confidentiality Supported by access control methods –Cryptography for example –System-dependent mechanisms BUT: These leave data public when they fail or are bypassed Also applies to existence of data –Knowing data exists can often be as valuable as the data itself

Fall 2008CS 334 Computer Security15 Confidentiality All confidentiality enforcement mechanisms require supporting services from system. –Assumption is that security services can rely on kernel and other agents, to supply correct data. Thus assumptions and trust underlie confidentiality mechanisms. Confidentiality is not integrity: just because no one can read it, doesn’t mean they can’t change it!

Fall 2008CS 334 Computer Security16 Integrity Example: the correct quote credited to the wrong source preserves data integrity but not origin integrity.

Fall 2008CS 334 Computer Security17 Integrity Two classes –Prevention mechanisms: maintain integrity by blocking unauthorized attempts to change data or by blocking attempts to change data in unauthorized ways. –Detection mechanisms: report that data’s integrity is no longer trustworthy

Fall 2008CS 334 Computer Security18 Integrity Affected by –Origin of data (how and from whom it was obtained) –How well data protected before arrival at current machine –How well data is protected on current machine Evaluating is difficult: relies on assumptions about source and about trust in that source

Fall 2008CS 334 Computer Security19 Availability Relevant to security because someone may be attempting to affect data or service by making it unavailable –Ex. Some software (e.g. network code) depends for correct operation on underlying statistical information and assumptions. By changing, for example, service request patterns, an adversary can cause this code to fail.

Fall 2008CS 334 Computer Security20 Availability Attack on availability is called a denial of service attack –Difficult to detect: is it a deliberate phenomenon or just an unusual access pattern? Also, even if underlying statistical model is accurate, atypical events do occur that may appear to be malicious!

Fall 2008CS 334 Computer Security21 Threat Related Terminology Vulnerability: Weakness (in security system) that might be exploited to cause loss or harm. Threat: Set of circumstances that has potential to cause loss or harm The difference? –Losing important file is a threat. The weakness in the system that allows this is the vulnerability

Fall 2008CS 334 Computer Security22 Threat Related Terminology Attack: actions that could cause violation to occur Attacker: those who cause such actions to be executed Passive attack: attacker merely observes (e.g., traffic analysis) Active attack: attacker actively modifies data or creates false data stream

Fall 2008CS 334 Computer Security23 Threat Classes (Shirey 1994) Disclosure: unauthorized access to info Deception: acceptance of false data Disruption: interruption or prevention of correct operation Usurpation: unauthorized control of some part of a system

Fall 2008CS 334 Computer Security24 Examples and Terms Snooping: unauthorized interception of information (form of disclosure). Countered by confidentiality mechanisms –Ex. Wiretapping

Fall 2008CS 334 Computer Security25 Examples and Terms Modification or alteration: unauthorized change of information (could be deception, disruption, or usurpation) –Ex. Active wiretapping –Ex. Person-in-the-middle attack: attacker reads message from sender and forwards (possibly modified) message to receiver. Countered by integrity mechanisms

Fall 2008CS 334 Computer Security26 Examples and Terms Masquerading or Spoofing: impersonation of one identity by another. Most often deception, but may be used for usurpation. Integrity services (called authentication services in this context) counter this threat.

Fall 2008CS 334 Computer Security27 Examples and Terms Delegation (one entity authorizes a second entity to perform functions on its behalf) is a form of masquerading that may be allowed. This is not the same as traditional masquerading, since the person performing the action is not pretending to be someone they are not. That is, all parties are aware of the delegation.

Fall 2008CS 334 Computer Security28 Examples and Terms Repudiation of origin: false denial that an entity sent or created something Denial of receipt: false denial that an entity received some information or message

Fall 2008CS 334 Computer Security29 Examples and Terms Delay: temporary inhibition of service. Typically a form of usurpation, but may also be used for deception. Denial-of-service: seen this already: long term inhibition of service. A form of usurpation.

Fall 2008CS 334 Computer Security30 Policy and Mechanism Security Policy: a statement of what is, and what is not, allowed Security Mechanism: a method, tool, or procedure for enforcing a security policy –Mechanisms can be non-technical. Policies often require some procedural mechanisms that technology cannot enforce.

Fall 2008CS 334 Computer Security31 Policies and Mechanisms Policies may be presented mathematically, as a list of allowed and disallowed states. –In general an axiomatic description of secure states and insecure states In practice, rarely this precise –Normally written in English, leading to ambiguity (is a state legal or not?)

Fall 2008CS 334 Computer Security32 Assumptions and Trust Security rests on assumptions specific to the type of security required and the environment in which it is to be employed. –Ex. (Bishop) Opening a door lock requires a key. Assumption is that the lock is secure against lock picking. This assumption is treated as an axiom and made because most people require a key to open a locked door. A good lock picker can, however, open a locked door without a key. Thus in an environment with a skilled, untrustworthy lock picker, the assumption is wrong and the consequence invalid.

Fall 2008CS 334 Computer Security33 Assumptions and Trust Well-defined exception to rules provides a back door through which security mechanisms can be bypassed. –Trust resides in belief that back door will not be used except as specified by policy.

Fall 2008CS 334 Computer Security34 Assumptions and Trust Two assumptions made by policy designers –Policy correctly and unambiguously partitions set of system states into secure and insecure states –Security mechanisms prevent system from entering an insecure state –If either of these fail, system is not secure

Fall 2008CS 334 Computer Security35 Our First Security Principles Principle of Adequate Protection: –Computer systems must be protected to a degree consistent with their value Principle of Easiest Penetration: –Count on an intruder to use the easiest means to penetrate the system –I.e., System is most vulnerable at its weakest point (regardless of how well other points are defended).

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.