Presentation is loading. Please wait.

Presentation is loading. Please wait.

The Security Problem Security must consider external environment of the system, and protect it from: unauthorized access. malicious modification or destruction.

Published byGervais Murphy Modified over 5 years ago

Similar presentations

Presentation on theme: "The Security Problem Security must consider external environment of the system, and protect it from: unauthorized access. malicious modification or destruction."— Presentation transcript:

1 The Security Problem Security must consider external environment of the system, and protect it from: unauthorized access. malicious modification or destruction accidental introduction of inconsistency. Easier to protect against accidental than malicious misuse.

2 Security A system is secure if its resources are used and accessed as intended under all circumstances.

3 Java Security Model

4 What is Security? All Security is based on the answers to the questions. Who do you trust? How much do you trust them? The answers to these questions form a Security Policy

5 What is System Security?
Computer Security commonly refers to the mechanisms available to enforce the Security Policy

6 Security Components Physical Security

7 Obviously, if your computer is stolen, you have no security
Physical Security Obviously, if your computer is stolen, you have no security

8 Physical Security WiFi – defined network Bluetooth– ad-hoc network

9 Security Components Physical Security Authentication

10 Authentication Verify that someone is who they say they are
Two general methods Data item you know (e.g. password) Data media you have (e.g. card)

11 Authentication Problems with Passwords User selects System selects
Dictionary Attack System selects May not be easily guessed, but… User can’t remember it and… Writes it on a post-it note

12 Authentication Problems with data media you have Can be lost or stolen
Can be forged

13 Authentication Combination of both Examples ATM card requires a PIN
SecurID card requires PIN

14 Authentication Biometrics
Data item you have that most likely cannot be lost or stolen Examples Fingerprint Retinal Scan Facial Recognition Voice Recognition

15 Security Components Physical Security Authentication Protection

16 Protection Mechanisms to control what an authenticated user can do.
File Protection Memory Protection Web Protection

17 Protection Mechanism to keep unauthorized users from accessing the system Firewalls Virus Detection Spyware Detection

18 Security Components Physical Security Authentication Protection
Encryption

19 Encryption Scrambles data so that eavesdroppers cannot read what is being transmitted Also used as part of Authentication to help ensure that someone is not posing as somebody else

20 Security Components Physical Security Authentication Protection
Encryption People

21 People Lack of knowledge about security
People will not keep data secure. People can be conned into giving out information they shouldn’t Poor System Administration

22 Types of Attacks Trojan Horse Trap Door Stack & Buffer Overflow Worm
Virus Denial of Service

23 Trojan Horse Program that appears to be a legitimate agent or process but really behaves in a different manner Viruses and Spyware are often introduced as Trojan Horses

24 Trap Door A way to bypass the normal security protections
Often left in applications / systems to help support staff

25 Stack & Buffer Overflow
Send an incorrectly formatted command / message to a system. If system does not carry out adequate checking, it may execute some action it shouldn’t

26 Stack & Buffer Overflow
How does this happen? Poorly Programmed Read Should be read(file,buffer,100) Instead of read(file,buffer) which reads as much data as the remote system sends Inadequate checking of the validity of the data that is received

27 Stack & Buffer Overflow
Security Design Rule Assume any data you receive is incorrectly formatted (Until proven otherwise)

28 SQL Injection Application does inadequate validation of user input before putting it into an SQL statement Example SELECT BALANCE FROM ACCTS WHERE ACCT_ID=xxxx User Input for xxxx 104;UPDATE ACCTS SET BALANCE= WHERE ACCT_ID=104

29 Worm A program that automatically sends itself to another system

30 Virus Program that attacks a system to carry out some action the computer user does not want

31 Denial of Service Typical attack sends so many messages to a system, that system cannot execute anything except respond to those messages

32 Modern Attacks A modern attack will often employ several combinations of these attacks

33 Example Attack I Kournikova Virus
Enticed people to open an attachment Attachment was a virus that used mail program’s address book to propagate itself

34 Example Attack II Windows XP Universal Plug n Play
Upnp is a feature of Win XP that is intended to allow people to control their (future) internet connected home appliances from any computer Early Flaw: Buffer Overflow problem

35 Example Attack II Windows XP Universal Plug n Play
XP was touted as MS’s most secure OS Reality: ALL XP systems were vulnerable to be hacked

36 Example Attack III Wireless LAN Laptop Office Network

37 Example Attack III IEEE 802.11 Wireless LAN
Marketed as having Wired Equivalent Privacy Uses Encryption to keep data private Flaw: Bad Encryption Result: one can monitor traffic for about a day and then easily break into the network Several apps available on web for executing this hack

38 Example Attack IV

39 Example Attack IV Distributed Denial of Service Attack
Hacker compromised several computers Programmed each of those systems to repeatedly send messages to “target” Hacker shutdown many popular websites

40 Problem Set The following topics are also important Types of attacks
Virtual Memory 8/9/2018 Problem Set The following topics are also important Types of attacks Protection policies and mechanisms Encryption, digital signature, PKI, digital certificate Authentication What are the advantages of encrypting data stored in the computer system? Compare symmetric and asymmetric encryption schemes, and discuss under what circumstances a distributed system would use one or the other. J Garrido

41 Virtual Memory 8/9/2018 Problem Set Discuss how the asymmetric encryption algorithm can be used to achieve the following goals. Authentication: the receiver knows that only the sender could have generated the message Secrecy: only the receiver can decrypt the message Authentication and Secrecy: only the receiver can decrypt the message, and the receiver knows that only the sender could have generated the message J Garrido

Download ppt "The Security Problem Security must consider external environment of the system, and protect it from: unauthorized access. malicious modification or destruction."

Similar presentations

Dr. Kalpakis CMSC 421, Operating Systems. Fall 2008 URL: Security.

Dr. Kalpakis CMSC 421, Operating Systems. Fall 2008 URL: Security.
1 MIS 2000 Class 22 System Security Update: Winter 2015.

1 MIS 2000 Class 22 System Security Update: Winter 2015.
Chapter 9: Privacy, Crime, and Security

Chapter 9: Privacy, Crime, and Security
Silberschatz, Galvin and Gagne  2002 19.1 Operating System Concepts The Security Problem A system is secure iff its resources are used and accessed as.

Silberschatz, Galvin and Gagne  Operating System Concepts The Security Problem A system is secure iff its resources are used and accessed as.
1 Protection Protection = access control Goals of protection Protecting general objects Example: file protection in Linux.

1 Protection Protection = access control Goals of protection Protecting general objects Example: file protection in Linux.
19.1 Silberschatz, Galvin and Gagne ©2003 Operating System Concepts with Java Chapter 19: Security The Security Problem Authentication Program Threats.

19.1 Silberschatz, Galvin and Gagne ©2003 Operating System Concepts with Java Chapter 19: Security The Security Problem Authentication Program Threats.
Security A system is secure if its resources are used and accessed as intended under all circumstances. It is not generally possible to achieve total security.

Security A system is secure if its resources are used and accessed as intended under all circumstances. It is not generally possible to achieve total security.
Business Data Communications, Fourth Edition Chapter 10: Network Security.

Business Data Communications, Fourth Edition Chapter 10: Network Security.
Silberschatz, Galvin and Gagne  2002 19.1 Operating System Concepts Module 19: Security The Security Problem Authentication Program Threats System Threats.

Silberschatz, Galvin and Gagne  Operating System Concepts Module 19: Security The Security Problem Authentication Program Threats System Threats.
Lesson 1-What Is Information Security?. Overview History of security. Security as a process.

Lesson 1-What Is Information Security?. Overview History of security. Security as a process.
Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.

Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.
Computer Networks IGCSE ICT Section 4.

Computer Networks IGCSE ICT Section 4.
Guide to Operating System Security Chapter 2 Viruses, Worms, and Malicious Software.

Guide to Operating System Security Chapter 2 Viruses, Worms, and Malicious Software.
Chapter 15: Security (Part 1). The Security Problem Security must consider external environment of the system, and protect the system resources Intruders.

Chapter 15: Security (Part 1). The Security Problem Security must consider external environment of the system, and protect the system resources Intruders.
Networks and Security. Types of Attacks/Security Issues  Malware  Viruses  Worms  Trojan Horse  Rootkit  Phishing  Spyware  Denial of Service.

Networks and Security. Types of Attacks/Security Issues  Malware  Viruses  Worms  Trojan Horse  Rootkit  Phishing  Spyware  Denial of Service.
ISNE101 Dr. Ken Cosh Week 14. This Week  Challenges (still) facing Modern IS  Reliability  Security.

ISNE101 Dr. Ken Cosh Week 14. This Week  Challenges (still) facing Modern IS  Reliability  Security.
MOBILE DEVICE SECURITY. WHAT IS MOBILE DEVICE SECURITY? Mobile Devices  Smartphones  Laptops  Tablets  USB Memory  Portable Media Player  Handheld.

MOBILE DEVICE SECURITY. WHAT IS MOBILE DEVICE SECURITY? Mobile Devices  Smartphones  Laptops  Tablets  USB Memory  Portable Media Player  Handheld.
Silberschatz and Galvin  1999 20.1 Operating System Concepts Module 20: Security The Security Problem Authentication Program Threats System Threats Threat.

Silberschatz and Galvin  Operating System Concepts Module 20: Security The Security Problem Authentication Program Threats System Threats Threat.
Malware  Viruses  E-mail Virus  Worms  Trojan Horses  Spyware –Keystroke Loggers  Adware.

Malware  Viruses  Virus  Worms  Trojan Horses  Spyware –Keystroke Loggers  Adware.
BUSINESS B1 Information Security.

BUSINESS B1 Information Security.

Similar presentations

Ads by Google