1. CMSC 414 Computer (and Network) Security Jonathan Katz

2. Introduction and overview  What is computer/network security?  Course philosophy and goals  High-level overview of topics  Course organization and information

3. “Security”  Most of computer science is concerned with achieving desired behavior  In some sense, security is concerned with preventing undesired behavior –Different way of thinking! –An enemy/opponent/hacker/adversary may be actively and maliciously trying to circumvent any protective measures you put in place

4. Computer vs. network security  One view: –Computer security: focuses on security aspects of systems in isolation –Network security: focuses on security of data as it is transmitted between networked systems  Not always a clear-cut dividing line…

5. Some examples…  Computer security –Viruses –Secure data storage –OS Security  Network security –Authentication protocols –Encryption of transmitted data –Firewalls

6. Broader impacts of security  Explosive growth of interest in security –Most often following notable security failures…  Impact on/interest from all (?) areas of CS –Theory (especially cryptography) –Databases –Operating systems –AI/learning theory –Networking –Computer architecture/hardware –Programming languages/compilers –HCI

7. Philosophy  We are not going to be able to cover everything  Main goals –Exposure to different aspects of security; meant mainly to “pique” your interest –The “mindset” of security: a new way of thinking…about more than computer networks –Become familiar with basic crypto, acronyms (RSA, SSL, PGP, etc.), and “buzzwords” –Security is a process, not a product

8. Student participation (I hope!)  If something interests you, let me know –Depending on time, may be able to cover in more detail –Can always suggest further references  Monitor the media –Email me relevant/interesting stories  Class participation counts!

9. High-level overview  Introduction… –Including various classes of attacks  Cryptography –Cryptography is not the (whole) solution… –…but is is an important part of the solution –Along the way, we will see why cryptography can’t solve all security problems

10. High-level overview II  Security policies and analysis –Attack trees –Access control –Confidentiality/integrity –Key management  Principles for secure design/implementation

11. High-level overview III  Network security –Identity –Authentication –Some real-world protocols –Wireless security

12. High-level overview IV  Miscellaneous (as time permits) –Firewalls –Intrusion detection –Buffer overflows; secure programming languages –Viruses and malicious logic –Etc…

13. Course Organization

14. Staff  Me  TAs (Introduce)  Contact information, office hours, listed on course webpage

15. Course webpage http://www.cs.umd.edu/~jkatz/comp_sec  Contains information about course organization, updated syllabus, various links, etc.  No paper handouts; all handouts will be distributed from the course webpage  Check often for announcements

16. Textbooks  I will primarily use two texts: –“Computer Security” by Bishop –“Network Security…” by Kaufman, Perlman, and Speciner  Neither is officially required, but both will make it easier to follow the course  Exams may rely on material in these books, even if not covered in class

17. Other readings  Will be linked from the course webpage  Material from these readings is fair game for the exams, even if not covered in class (unless stated otherwise)  Please suggest other readings or relevant news articles!

18. Course requirements  Homeworks –About 5-6 throughout the semester –Collaboration with one other student allowed; answers must be written independently –If you consult references, you must reference  Project –In three parts throughout the semester –Will require implementation using JCE –TAs will help with using JCE and Java…

19. Computer accounts  Each student will receive a computer account for homeworks and the project  We are still looking into this…

20. Grading  See course webpage  Note: class participation counts! –Suggest readings and references related to course and/or project –Speak up in class!

21. Security: an Introduction

22. Two papers linked from webpage  “Reflections on trusting trust”  “Managed security monitoring”  Both leave a fairly negative impression of security…  …at the very least, they show that security is not easy, and cannot just be applied as a “magic bullet”

23. “Trusting trust”  (summarize article)  Does one really need to be this paranoid?? –Probably not –Sometimes, yes  Shows that security is complex…and probably impossible (in theory?)

24. “Managed security monitoring”  (Summarize article) –Is the state of network security really this bad? (Arguably, yes) –Although network monitoring and risk management are important, security is too –Security is not an ends unto itself If you really want to be secure, disconnect yourself from the Internet

25. An Overview of Computer Security

26. Basic components  Confidentiality  Integrity  Availability

27. Confidentiality  Encryption  Access control

28. Integrity  Trustworthiness of data or resources  Prevention vs. detection  Blocking unauthorized attempts to change data, or attempts to change data in unauthorized ways –The second is much harder…  Correctness vs. trustworthiness of data

29. Availability  Denial of service attacks  Denying access can lead to more serious attacks –I.e., if credit card verification is down

30. Threats (or “attacks”)  Snooping, eavesdropping  Modification, alteration  Masquerading, spoofing  False repudiation/denial of receipt  Network delay, denial of service

31. Policy vs. mechanism  Security policy –Statement of what is and is not allowed  Security mechanism –Method for enforcing a security policy  One is meaningless without the other…  Problems when combining security policies of multiple organizations