CSCD 434/539 Lecture 2 Spring 2014 Computer Security Overview.


1 CSCD 434/539 Lecture 2 Spring 2014 Computer Security Overview

2 Overview
History of Computer Security
Definitions
– Confidentiality, Integrity, Availability
– Examples
Threats to Computer Systems
– How bad is it?
Vulnerabilities
– Defined, Statistics
Examples

3 History of Computer Security

4 Computer Security
http://di.ionio.gr/~emagos/security/0/Gollmann%27s%20Chapter%201-%20History%20of%20Computer%20Security.pdf
Computer security can trace its origins back to the 1960s
Multi-user systems emerged, needing mechanisms for protecting the system from its users, and the users from each other
We observe that computer security has passed through the following epochs:
– 1970s: age of the Mainframe
– 1980s: age of the PC
– 1990s: age of the Internet
– 2000s: age of the Web

5 History of Computer Security: Age of the Mainframes
Mainframes were deployed in government departments and in large commercial organizations
Two applications from public administration are of particular significance
– The defense sector saw potential benefits of using computers, yet classified information would have to be processed securely
– Developed a formal state-machine model for multi-level security policies regulating access to classified data; the Bell–LaPadula model was highly influential on computer security research into the 1980s … more later
– The Multics project developed an operating system that had security as one of its main design objectives

6 Time out for a Quiz
What popular operating system was developed based on the Multics Operating System?
Unix !!!!

7 History of Computer Security: Mainframes continued
Multi-level Security (MLS) dominated security research into the following decade
– Leading to the development of high-assurance systems whose design had been verified employing formal methods
However, these high-assurance systems did not solve the problems of the following epochs

8 History of Computer Security
Military dominated computer security
– Obsessed with (MLS) confidentiality
– Wanted to prove formally that secrets could remain secret in the presence of unclassified people in a multi-user environment
– Concerned with detecting covert channels where spies or insiders would signal each other
Great collection of early security papers: http://seclab.cs.ucdavis.edu/projects/history/

9 Multi-level Security in a Nutshell: Bell-LaPadula Model
There are security classifications or security levels
– Users/principals/subjects have security clearances
– Objects have security classifications
Example: Top Secret, Secret, Confidential, Unclassified
Top Secret > Secret > Confidential > Unclassified
Security goal (confidentiality): ensures that information does not flow to those not cleared for that level
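The two access rules that make Bell-LaPadula enforce the confidentiality goal on the slide are "no read up" (a subject may only read objects at or below its clearance) and "no write down" (a subject may only write to objects at or above its clearance). The toy reference monitor below is an added example, not code from the lecture or from Gollmann's text; the levels are the four on the slide, and the subjects, objects and operation sequence are constructed for the demo. It tracks where information actually flows so you can see that switching the second rule off lets a Secret-cleared subject copy Secret data into an Unclassified file.

```python
"""Toy Bell-LaPadula reference monitor with information-flow tracking.
Added illustration for the Bell-LaPadula slide; not code from the lecture.
The subjects, objects and operations are constructed for the demo.
"""
from dataclasses import dataclass

LEVELS = ["Unclassified", "Confidential", "Secret", "Top Secret"]  # ascending, as on the slide
RANK = {lvl: i for i, lvl in enumerate(LEVELS)}


@dataclass(frozen=True)
class Subject:
    name: str
    clearance: str


@dataclass(frozen=True)
class Obj:
    name: str
    classification: str


def dominates(a: str, b: str) -> bool:
    """True if level a is at least as sensitive as level b."""
    return RANK[a] >= RANK[b]


def can_read(s: Subject, o: Obj) -> bool:
    """Simple security property: no read up."""
    return dominates(s.clearance, o.classification)


def can_write(s: Subject, o: Obj) -> bool:
    """*-property: no write down (writing up, even blind, is permitted)."""
    return dominates(o.classification, s.clearance)


def simulate(ops, subjects, objects, enforce_star=True):
    """Run (subject, mode, object) operations through the monitor.

    Each subject accumulates the labels of everything it has read; a permitted
    write carries those labels into the target object, so 'taint' records where
    information has actually flowed. With enforce_star=False the monitor checks
    reads only, which is what a naive confidentiality check would do.
    """
    taint = {o.name: {o.classification} for o in objects.values()}
    seen = {s.name: set() for s in subjects.values()}
    log = []
    for sname, mode, oname in ops:
        s, o = subjects[sname], objects[oname]
        if mode == "read":
            ok = can_read(s, o)
            if ok:
                seen[sname] |= taint[oname]
        else:
            ok = can_write(s, o) if enforce_star else True
            if ok:
                taint[oname] |= seen[sname]
        log.append(("ALLOW" if ok else "DENY", sname, mode, oname))
    return log, taint


def leaks(taint, objects):
    """Objects now holding data from a level above their own classification."""
    return sorted(
        name for name, lvls in taint.items()
        if any(not dominates(objects[name].classification, lvl) for lvl in lvls)
    )


# Constructed scenario
SUBJECTS = {s.name: s for s in [Subject("alice", "Secret"), Subject("bob", "Unclassified")]}
OBJECTS = {o.name: o for o in [Obj("plans", "Secret"), Obj("memo", "Unclassified"),
                               Obj("audit", "Top Secret")]}
OPS = [
    ("alice", "read", "plans"),   # allowed: Secret reads Secret
    ("alice", "write", "memo"),   # denied by *-property: would leak plans downward
    ("alice", "write", "audit"),  # allowed: write up
    ("bob", "read", "plans"),     # denied: read up
    ("bob", "read", "memo"),      # allowed
    ("bob", "write", "plans"),    # allowed: blind write up
    ("bob", "read", "audit"),     # denied: read up
]


def run(enforce_star=True):
    """Return (decision log, list of objects that ended up leaking)."""
    log, taint = simulate(OPS, SUBJECTS, OBJECTS, enforce_star)
    return log, leaks(taint, OBJECTS)


if __name__ == "__main__":
    for star in (True, False):
        log, leaked = run(star)
        print(f"*-property {'on ' if star else 'off'}: leaks={leaked}")
        for entry in log:
            print("  ", *entry)
```

With both rules on, no object ever holds data above its own label. With the *-property off, alice's write to the Unclassified memo is allowed and the memo ends up tainted with Secret data, which bob can then read: the "no write down" rule is what closes the downward channel, not the read check alone.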

10 History of Computer Security: Age of the PC
The PC was a single-user machine; its first successful applications were word processors and spreadsheet programs, and users no longer were concerned with classified data
At a stroke, multi-level security and multi-user security became irrelevant
The 1980s also saw the first worms and viruses, which were proposed in research papers before they later appeared in the wild

11 Second Quiz …
Who was the first to use the term “computer worm” in print?
John Brunner's 1975 novel, The Shockwave Rider

12 History of Computer Security: Age of the Internet
The World Wide Web (1991) and graphical web browsers (1993) created a whole new paradigm
Both developments facilitated a whole new range of applications
The typical end system was a PC, no longer stand-alone or connected to a LAN, but connected to the Internet
Connecting a machine to the Internet has two major ramifications:
– The system owner no longer controls who can send inputs to this machine
– The system owner no longer controls what input is sent to the machine

13 History of Computer Security: Age of the Internet
Thus, malformed packets could be sent to private computers attached to the Internet and result in exploiting vulnerabilities in software
On-line denial-of-service attacks became a possibility and, towards the end of the 1990s, a fact
This became greatly expanded into the 2000s with the World Wide Web...

14 History of Computer Security: Age of the World Wide Web
Application-level software implementing Web services has become a main target for attacks
Major attack patterns are SQL injection, cross-site scripting, and attacks against the domain name system
Application software accounts for an increasing number of reported vulnerabilities and real attacks
Attacks have stolen contact data from Gmail users; a worm spread to over a million users on MySpace

15 History of Computer Security: World Wide Web
The picture of the attacker has changed
– Hackers of the 1990s often matched the stereotype of a male in his teens or twenties with limited social skills
– In rare cases, attacks were made for financial gain
Today, criminal organizations have moved to the web
– Criminals have no interest in high-profile, fast-spreading worm attacks … for fun !!!
– They place trojans on their victims’ machines to harvest sensitive data, passwords, PINs, or credit cards, or to use the victims’ machines as part of a botnet

16 Modern State of Computer Security

17 1. Computers are Connected and Interdependent
This codependency magnifies the effects of any failures
– Slammer worm, 2003: infected 75,000 computers in 11 minutes; continued to scan 55 million computers / sec
– Blaster worm, 2003: infected 138,000 in the first 4 hours; over 1.4 million computers worldwide
– Many others....
http://hardgeek.org/2009/09/10-worst-computer-virus-attacks-in-history/

18 Modern State of Computer Security
2. Computing today is very homogeneous
– A single architecture and a handful of OS's dominate: Linux, Mac OS and Windows
In biology, homogeneous populations... terrible idea
– A single disease or virus can wipe them out because they all share the same weakness
– The disease needs one infection method!!
Computers are the animals... think cows
The Internet provides the infection vector... a virus that sickens cows... Mad Cow disease

19 Modern State of Computer Security
3. Adversaries are at all levels and global
– Range from script kiddies to serious groups such as those that steal defense secrets or conduct industrial espionage
– Global reach, with many in countries where we can't extradite them: China, Eastern Europe, Russia and S. America
Hacker Timeline: http://en.wikipedia.org/wiki/Timeline_of_computer_security_hacker_history

20 Computer Security Definitions

21 Security Defined
A system is secure if …
– It has these properties:
Confidentiality
Integrity
Availability
C.I.A

22 Confidentiality Defined
Confidentiality
– What does it mean for data to be confidential?
– Data must only be accessed, used, copied, or disclosed by persons who have been authorized to access, use, copy, or disclose that information …
– You ensure information is not accessed by unauthorized users

23 Confidentiality Example
Communication between two people should not be compromised
[Diagram: two parties exchanging the message “We have made an important discovery …” over a network]
Threats: eavesdropping, packet sniffing, illegal copying

24 Definitions: More on Confidentiality
How do you prevent confidentiality loss?
Confidentiality is preventing disclosure of information to unauthorized individuals or systems
Example: a credit card transaction on the Internet
– The system enforces confidentiality by encrypting the card number during transmission or limiting the places where it might appear

25 Integrity Defined
Integrity
– What is data integrity?
– Data must not be created, changed, or deleted without authorization
– Ensuring that information is not altered by unauthorized persons

26 Integrity Defined
Messages should be received as originally intended
[Diagram: the message “I love you darling!!” is sent over a network and arrives as “I don’t want to see you again”]
Threats: intercept messages, tamper, release again

27 Definitions: More on Integrity
– Integrity means that data cannot be modified without authorization
– Examples of violation; integrity is violated:
When an employee (accidentally or with malicious intent) deletes important data files
When a computer virus infects a computer
When an employee is able to modify his own salary in a payroll database
When an unauthorized user vandalizes a web site
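The integrity diagram on slide 26 (intercept, tamper, release again) is the threat a message authentication code is built to detect. The following is an added example, not code from the lecture: the sender appends an HMAC-SHA256 tag under a shared key, the receiver recomputes it and rejects anything that does not match. It also includes an unkeyed hash "checksum" for contrast, to show why the key matters: an attacker who edits the text can simply recompute a plain hash, but cannot forge a tag without the key. The key and both messages are constructed for the demo.

```python
"""Tamper detection with a keyed message authentication code (HMAC).
Added illustration for the integrity slides (intercept, tamper, release again);
not code from the lecture. The key and the messages are constructed for the demo.
"""
import hashlib
import hmac

SEP = b"|"
KEY = b"demo-shared-secret"  # constructed; a real key is provisioned out of band, never sent with the message


def protect(message: bytes, key: bytes = KEY) -> bytes:
    """Sender: append an HMAC-SHA256 tag (hex) computed over the message."""
    tag = hmac.new(key, message, hashlib.sha256).hexdigest().encode()
    return message + SEP + tag


def verify(frame: bytes, key: bytes = KEY):
    """Receiver: return the message if the tag checks out, else None.
    compare_digest runs in constant time so the check itself does not leak
    how many tag bytes matched."""
    message, sep, tag = frame.rpartition(SEP)
    if not sep:
        return None  # no tag at all: treat as corrupted
    expected = hmac.new(key, message, hashlib.sha256).hexdigest().encode()
    return message if hmac.compare_digest(expected, tag) else None


def protect_unkeyed(message: bytes) -> bytes:
    """A plain hash 'checksum' for comparison: anyone can recompute it."""
    return message + SEP + hashlib.sha256(message).hexdigest().encode()


def verify_unkeyed(frame: bytes):
    message, sep, digest = frame.rpartition(SEP)
    if not sep:
        return None
    expected = hashlib.sha256(message).hexdigest().encode()
    return message if hmac.compare_digest(expected, digest) else None


def tamper(frame: bytes, old: bytes, new: bytes, recompute_hash: bool) -> bytes:
    """Model the slide's threat: the frame is intercepted, the text edited,
    and the frame released again. Without the key the tamperer can only leave
    the tag as it was; for the unkeyed checksum the digest is simply recomputed."""
    message, _, tag = frame.rpartition(SEP)
    edited = message.replace(old, new)
    if recompute_hash:
        return protect_unkeyed(edited)
    return edited + SEP + tag


ORIGINAL = b"I love you darling!!"
EDITED = b"I don't want to see you again"


def demo():
    """Return (honest delivery, tampered HMAC frame, tampered plain-hash frame)
    as seen by the receiver: the message if accepted, None if rejected."""
    honest = verify(protect(ORIGINAL))
    forged_mac = verify(tamper(protect(ORIGINAL), ORIGINAL, EDITED, recompute_hash=False))
    forged_hash = verify_unkeyed(tamper(protect_unkeyed(ORIGINAL), ORIGINAL, EDITED, recompute_hash=True))
    return honest, forged_mac, forged_hash


if __name__ == "__main__":
    honest, forged_mac, forged_hash = demo()
    print("HMAC, untouched:     ", honest)
    print("HMAC, tampered:      ", forged_mac)
    print("plain hash, tampered:", forged_hash)
```

The receiver accepts the untouched HMAC frame, rejects the tampered one, and (wrongly) accepts the tampered plain-hash frame because the digest was recomputed. Note that an HMAC gives integrity and origin authentication but not confidentiality: the text still travels in the clear, so the eavesdropping threat from the confidentiality slide is unchanged.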

28 Availability Defined
Availability
– Systems function correctly when information is provided when it's needed
– The opposite of availability is denial of service (DoS)

29 Availability Example
Disrupting communications completely
[Diagram: communication between two parties over a network is cut off]
Threats: overwhelm or crash servers, disrupt infrastructure

30 Definitions: More on Availability
– Information must be available when it is needed.
– The goal of high-availability systems is to remain available at all times, preventing service disruptions due to power outages, hardware failures, and system upgrades
– Example of violation?
– Ensuring availability also involves preventing denial-of-service (DoS) attacks

31 CIA
While a good way to measure system security
– DOD environment
Not sufficient for modern computers
– Today, computers are complex
– Many more layers of applications and uses
– More difficult to both define and measure security

32 Simple View of Computer Security
You have something you want to protect
You have someone or something you want to protect it from
You are willing to expend effort and resources in order to protect it

33 Question
Is Computer Security a Process or a State?

34 Security Defined
It is a process, not a state
There is no fundamental point when a system is secure
– Have risk, do assessment
– Manage risk, mitigate what can't be managed
– Need to identify what’s “good enough”
Security is a tradeoff; can't protect everything

35 Examples

36 ATM Machine Example
ATM Machine
– User asks for cash, the machine spits it out
– Door opens, user takes cash, door closes
– What happens if the user doesn’t take the cash?

37 ATM Machine Example
Assumption: if this happens, the subsequent user shouldn’t get cash that doesn’t belong to him
– For all following transactions, the machine refuses to open the door
– Cash could go to the wrong user
– Creates a DoS for the rest of the users

38 Security Protocols are Difficult
Hard to get security protocols right
Designers don’t anticipate everything that could go wrong
– Users or attackers frequently seem to find the flaw
Even something seemingly simple can have flaws

39 US Tax System Example
Tax refunds, how hard is that?
– Algorithm for processing a form:
Verify the identity of the person who filled out the form
Verify income and withholding are correct
If these two steps are ok && amount of withholding > tax owed, then send the person a refund check
What could go wrong?

40 US Tax System Example
Except, there was no rule against duplicate checks
– A person could file for multiple refund checks under this system
– And, that happened for a while
– Was eventually caught …
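The refund algorithm on slide 39 is correct for each form taken on its own; the flaw on slide 40 is that nothing remembers which refunds have already been paid. The following is an added example, not code from the lecture: it implements the slide's three steps literally, then adds the missing rule as a ledger keyed by (taxpayer, tax year), and runs a constructed batch of filings through both versions so the difference in money paid out is visible. The flat 20% tax rate and the returns are constructed for the demo; amounts are whole dollars.

```python
"""Refund processing with and without a rule against duplicate refunds.
Added illustration for the US Tax System example (slides 39 and 40); not
code from the lecture. The flat tax rate and the returns are constructed.
"""
from dataclasses import dataclass

TAX_RATE_PERCENT = 20  # constructed flat rate standing in for the real schedule


@dataclass(frozen=True)
class TaxReturn:
    taxpayer_id: str
    year: int
    income: int             # whole dollars
    withheld: int           # whole dollars
    identity_verified: bool  # step 1 on the slide
    figures_verified: bool   # step 2 on the slide


def refund_due(form: TaxReturn) -> int:
    """The slide's algorithm as stated: both checks pass and withholding > tax owed."""
    if not (form.identity_verified and form.figures_verified):
        return 0
    owed = form.income * TAX_RATE_PERCENT // 100
    return form.withheld - owed if form.withheld > owed else 0


def process_naive(forms):
    """Slide 39: every valid form gets a check, even a repeat of one already paid."""
    return [refund_due(f) for f in forms]


class RefundLedger:
    """Slide 40's missing rule: at most one refund per (taxpayer, tax year)."""

    def __init__(self):
        self.paid = {}

    def process(self, form: TaxReturn) -> int:
        key = (form.taxpayer_id, form.year)
        if key in self.paid:
            return 0  # duplicate filing: refuse, and in a real system flag it for review
        amount = refund_due(form)
        if amount > 0:
            self.paid[key] = amount
        return amount


def process_with_ledger(forms):
    ledger = RefundLedger()
    return [ledger.process(f) for f in forms]


# Constructed filings: one taxpayer files the same valid return three times,
# another has nothing owed back, a third fails identity verification.
FILINGS = [
    TaxReturn("A-1", 2013, 50_000, 12_000, True, True),
    TaxReturn("A-1", 2013, 50_000, 12_000, True, True),
    TaxReturn("A-1", 2013, 50_000, 12_000, True, True),
    TaxReturn("B-2", 2013, 40_000, 8_000, True, True),
    TaxReturn("C-3", 2013, 30_000, 9_000, False, True),
]


def totals():
    """Return (total paid by the naive system, total paid with the ledger)."""
    return sum(process_naive(FILINGS)), sum(process_with_ledger(FILINGS))


if __name__ == "__main__":
    naive, with_ledger = totals()
    print(f"naive total paid: ${naive}, with ledger: ${with_ledger}")
```

Both versions pass the same per-form checks; the only difference is that the ledger makes issuing a refund an operation that can happen once per key, which is the property the original system lacked. The same pattern (a persistent record of what has already been granted) is what stops replayed requests in other protocols, too.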

41 Computer Security Threats

42 Threats to Computer Security
So, what are the threats?
Passive
– Sniffing of data
– Viewing of information – physical: over your shoulder, taking pictures of screens
– Dumpster diving
– Social engineering
Active
– Interception of data, injection of data
– Virus, worm, trojan horse program
– DoS or DDoS

43 Is Security that Bad?

44 Is Security that Bad?

45 How big is the security problem?
CERT vulnerabilities reported: http://www.cert.org/stats/

46 Malware Over Time
The number of new malicious programs has remained stable, which does not automatically imply any stabilization in the number of attacks
http://www.securelist.com/en/analysis/204792161/Kaspersky_Security_Bulletin_Malware_Evolution_2010

47 Malware 2010
Data from Kaspersky Labs
In 2010, the total number of recorded incidents exceeded 1.5 billion for the first time since we began our observations!
Attacks via browsers accounted for over 30% of these incidents, that’s over 500 million blocked attacks
Vulnerabilities have really come to the fore in 2010
Exploiting vulnerabilities has become the prime method for penetrating users’ computers
– Vulnerabilities in Microsoft products are rapidly losing ground to those in Adobe and Apple products such as Safari, QuickTime and iTunes.

48 Malware 2010: More Statistics
Increase in the number of attacks via P2P networks
– P2P networks are now a major channel through which malware penetrates users’ computers
– In terms of security incident rates, we estimate this infection vector to be second only to browser attacks
– Practically all types of threats, including file viruses, rogue AVs, backdoors and various worms, spread via P2P networks

49 Malware Complexity 2010
Stuxnet worm
– Experts needed 3 months to understand its functionality
– Stuxnet left all previously known malware behind in terms of the number of publications it generated
– Malware author success = major security community attention

50 Malware in 2010
Used to be...
– Users who had jailbroken their iPhones to install third-party applications increased the risk to themselves
Now...
– Even those installing native applications downloaded from the Apple Store are also exposing themselves to a degree of threat
– Several incidents involved legitimate Apple applications: iPhone apps were detected covertly gathering data and sending it to software manufacturers

51 DDoS Attack Example
July 21, 2008: the Web site for the president of Georgia was knocked offline by a distributed denial-of-service (DDoS) attack
Georgia's presidential Web site was down for a day, starting early Saturday until Sunday
Network experts said the attack was executed by a botnet
What's a botnet?

52 Botnet Defined
A botnet is a large number of compromised computers that are used to generate spam, relay viruses or flood a network or Web server with excessive requests to cause it to fail
The computer is compromised via a Trojan that often works by opening an Internet Relay Chat (IRC) channel that waits for commands from the person in control of the botnet
There is a thriving botnet business selling lists of compromised computers to hackers and spammers
http://www.pcmag.com/encyclopedia_term/0,2542,t=botnet&i=38866,00.asp

53 Another DDoS Attack Example
February 16th, 2007: anti-phishing group CastleCops.com was knocked out by a massive DDoS
– The volunteer-driven site, run by a husband and wife team, had been coping with on-and-off attacks since February 13
– An intense wave that began around 3:45 PM EST completely crippled the server capacity
CastleCops.com had just celebrated its fifth anniversary as a high-profile anti-malware community
Comment: This site ceased operation Dec. 2008

54 Why do threats succeed?
Vulnerabilities !!!
Is it because hackers are so smart, or is it just too easy?

55 Vulnerability Defined
What is a security vulnerability?
A vulnerability is an error or weakness in a component that allows it to be attacked
– Typically, something that runs in an OS or other application
If exploited, each vulnerability can potentially compromise the system or network

56 Vulnerabilities Explained
Software vulnerabilities are highly specific
– A classic vulnerability affects a single feature of one release of a software product installed under a specific operating system
Out of trillions of lines of code running in networked systems,
– A vulnerability may exist in a single line
– Like a unique grain of sand on a mile-long beach...
– As the number of network components grows every year, so does the number of vulnerabilities

57 Vulnerability Example
CVE-2005-3641
– Oracle Databases running on Windows XP with Simple File Sharing enabled allow remote attackers to bypass authentication by supplying a valid username.
Impact
– CVSS Severity: 7.0 (High)
– Range: Remotely exploitable
– Authentication: Not required to exploit
– Impact Type: Provides unauthorized access; allows partial confidentiality, integrity, and availability violation; allows disruption of service

58 Vulnerabilities
True or False?
– “Vulnerabilities that lead to system security breaches are a result of sloppy or ignorant programmers producing bad, error-prone code”

59 Vulnerabilities
If the previous statement isn’t true,
– What causes vulnerabilities?
Software is one cause
– Bugs, coding errors or incomplete specifications that didn’t account for security
Network protocols – bad design
– Incorrect assumptions about protocols and how they would be used … classic example is TCP/IP
Human error
– Social engineering and human ignorance
Physical access
– Insecure premises allowing unauthorized access

60 Steal Cars with a Laptop
NEW YORK - Security technology created to protect luxury vehicles may now make it easier for tech-savvy thieves to drive away with them.
In April ‘07, high-tech criminals made international headlines when they used a laptop and transmitter to open the locks and start the ignition of an armor-plated BMW X5 belonging to soccer player David Beckham, the second X5 stolen from him using this technology within six months
How did they do it? … Beckham's BMW X5s were stolen by thieves who hacked into the codes for the vehicles' RFID chips …

61 Disable Cars Over the Internet
A young man used an Internet service to remotely disable the ignitions and set off the car horns of more than 100 cars
– Ramos-Lopez used a former colleague's password to deactivate starters and set off car horns, police said
– Several car owners said they had to call tow trucks and were left stranded at work or home
– The Texas Auto Center dealership in Austin installs GPS devices that can prevent cars from starting
The system is used to repossess cars when buyers are overdue on payments
Car horns can be activated when repo agents go to collect vehicles and believe the owners are hiding them

62 Human Vulnerabilities
Social Engineering
– Alive and well in spite of lots of publicity
Email Scams
– Investment schemes in an African economy: “Nigerian uncle has died intestate. Need to transfer $8M to US with your assistance. You will get 10% of funds, need your bank info to initiate the transfer …”
– Phishing: they want to get your money!! “Your paypal account needs updating, please enter your username and password …”

63 Improving Security
Design it in from the beginning
– Security is typically an afterthought … still
– People are more concerned with performance and nice features than security; they want to sell products: Microsoft ?? and Linux and Apple too....
– Security is often seen as something users don’t want – it hinders their use of the system
– Must create security requirements that need to be met along with other requirements

64 Security is Hard
Security is hard to define
– Without a good definition, it is almost impossible to achieve
– One way to think of security: consider system states
– Think of the security of a system as its ability to stay in good states
– Be wary of anyone who says they have built a secure system: how do they know?

65 Class Contributions
Extra Credit !!! Any topic in class, 5 points
– If you can find relevant actual examples or news – must be current, within the past year
– Example: if we are talking about attackers, the story must be about attackers, within the last year
– You get to share it with the class!!!

66 The End
Next Time
– We will look at vulnerabilities in TCP/IP and other protocols
– See reading assignment

