Advanced Computer Science Security Theme
The Security Theme:
an introduction
School of Computer Science
The University of Manchester
Outline
• Why do we need a Security Theme?
• Core Modules
– Cryptography
– Cyber security
• Some Research Activities
Ratio of hackers to security professionals ~ 1000:1*
Communications security
Computer security
Information security
Information assurance
Cyber security
Quality…security…trustworthiness
The laws of thermodynamics**
But you can manage the risks… disrupt and counter the kill chain… taking heed of the Security Theme!
*SANS (SysAdmin, Audit, Network, Security) Institute
**You can’t win . . . you can’t even break even
The challenge…
‘Hacking’-as-a-service
• Consulting services such as botnet setup ($350-$400)
• Infection/spreading services (~$100 per 1K installs)
• Botnets & Rentals [Distributed Denial of Service (DDoS) $535 for 5 hours a day for one week], e-mail spam ($40 / 20K e-mails) and Web spam ($2/30 posts)
• Blackhat Search Engine Optimization (SEO) ($80 for 20K spammed backlinks)
• Inter-Carrier Money Exchange and Mule services (25% commission)
• Recruited CAPTCHA Breaking ($1/1000 CAPTCHAs)
• Crimeware Upgrade Modules: using Zeus modules as an example, prices range anywhere from $500 to $10K
Source: Fortinet 2013 Cybercrime Report
So we need a fifth column…
…to protect the systems of today and build tomorrow’s systems safely
Security: topics
• Threat and risk assessment
• Kill chain disruption and recovery from attack
• Requirement and policy specifications
• Solutions and countermeasures
– Cryptography
– Intrusion detection/prevention
– Trustworthy software
– Authentication and authorisation
– Virtual Private Networks
– Firewalls
– Digital certification and Public Key Infrastructures
– Real-life exemplar security systems (cloud computing security, web security, email security, wireless network security, electronic payment systems, etc.)
• Audits, reviews, and penetration testing
• Digital forensics
How
• Lectures
• Guest lectures
– CYFOR; Digital forensics
– McAfee; Malware and intruders: vulnerabilities and countermeasures
– NCC Group; Penetration Testing
There’s an open invitation to come to the guest lectures on security matters in COMP60721 IT Governance too
• Cryptography
– Examination (60%)
– Coursework (40%)
• Cyber security
– Coursework (2x25%)
• Groupwork
• Case studies
• Report
• Review/inspect
• Templates
– Threat analysis
– Risk treatment plan
– Examination (50%)
• Employment potential
Bad
• 96.1 million malware variants identified in 2016 (Symantec)
• 230,000+ premises in the Ukraine lost power for 3 days in the winter
• £60,000 for losing an unencrypted laptop
• Fined £2.75m for losing a laptop with records of 46,000 people
• Many vulnerable ‘IoT’ devices can’t be ‘patched’
• Authorities will be able to fine £17m or 4% global turnover
Good
You become the Fifth Column
1. Cryptography
2. Cyber security
Some research Projects/Activities
• Designs of systems or solutions for security and privacy in distributed systems
• Cloud and Ubiquitous Computing, and electronic commerce…
• …covering issues such as risk-based authentication, authorisation, intrusion detection, and trust management
• Anti-Impersonation in Service Access using Mobile Devices
• Addressing Virtualization Vulnerabilities in Cloud Servers
• Investigation of Digital Forensic Techniques
• FAME-Permis
• Traceable Identity Privacy
• Context-aware Security Provision
• Wireless Network, Cloud Computing, IoT Security
• Adaptive Security Solutions
The FAME - Permis Project
• A middleware extension to Shibboleth to support
– Inter-organisational resource sharing
– Single sign-on
– User identity privacy
– Fine-grained access control
LoA linked AC (FAME-permis)
[Figure: authentication flow across the Internet. Components shown: Browser; WAYF (Where Are You From?); Shib Target - Resource Gateway; SHIRE; SHAR; User’s Home Site Web Server; Shib-HS, protected by F-LS; FAME Login Server (F-LS); Host Authentication Module (HAM); TI-API; AuthServices x, y, z, …; PKCS#11 tokens, Java Cards, ...]
Labelled steps in the figure:
1. User request
2. Re-direct to WAYF for Handle
3. Re-direct to HS
4. Authenticate yourself with AuthService x
5. Authentication dialogue
6. Authentication is successful
7. Handle
8. Handle
FIDES
• Aim to secure e-Commerce transactions, e.g.
– e-Payment vs e-Goods (e-Purchase).
– e-Goods/e-mail vs Signed receipt (Certified delivery).
– Signed contract vs Signed contract (Contract signing).
– e-Goods vs e-Goods (Barter).
• Can be used to develop new secure business applications, such as e-procurement.
Context-aware Security Provision
• Use your context data to determine the level of
security protection
– Your location
• This room, or
• Airport lounge
– Your device
• Wireless PDA, or
• More capable desktop
– Your past access history/profile
• Have you been a good guy, or
• You have tried to breach some rules
Context-aware Access Control
[Figure: architecture diagram. Components shown: Sensors; Context Source; Context Acquisition; Context Service; Access Requester; PEP; PDP; Policy Decision; Policy; Policy Store; Resource]
Context-aware Adaptive Routing in MANETs
Context-aware multiple route adaptation can increase reliability with low costs.
[Figure: network diagram with nodes A, B, C, P, M and X, and the Internet]
Other project opportunities may include…
• Whitelisting software
• A method to articulate requirements for security (MARS)
• Measuring security maturity to understand the costs and benefits of countermeasures
• Security dashboard
• Information and cyber security threat analyser
• IT Strategy design tool
• Protect - Operate - Self-preserve: designing a universal secure architecture
• Rules of engagement: Legitimate use of the Dark Internet and Deep Web
• Security economics modeller
• Balancing technical security controls with human factors
• An application to test websites for compliance and award a commensurate trust mark
Module Leader/Lecturers
• Dr Ning Zhang
• Dr Daniel Dresner Finst.ISP*
• Dr Richard Banach
*Ask about this…
Let’s disrupt the kill chain together…
Reconnaissance
Weaponisation
Delivery
Exploitation
Installation
Command and control
Action on objectives
Detect
Deny
Disrupt
Degrade
Deceive
Destroy