Advanced Computer Science Security Theme


Post on 30-May-2020

The Security Theme: an introduction

School of Computer Science

The University of Manchester


Outline

• Why do we need a Security Theme?

• Core Modules

  – Cryptography

  – Cyber security

• Some Research Activities

Ratio of hackers to security professionals: ~ 1000:1*

• Communications security
• Computer security
• Information security
• Information assurance
• Cyber security

Quality…security…trustworthiness

The laws of thermodynamics**

But you can manage the risks . . . disrupt and counter the kill chain . . . taking heed of the Security Theme!

**You can’t win . . . you can’t even break even

*SANS (SysAdmin, Audit, Network, Security) Institute

‘Hacking’-as-a-service

• Consulting services such as botnet setup ($350-$400)

• Infection/spreading services (~$100 per 1K installs)

• Botnets & Rentals [Distributed Denial of Service (DDoS) $535 for 5 hours a day for one week], e-mail spam ($40 / 20K e-mails) and Web spam ($2/30 posts)

• Blackhat Search Engine Optimization (SEO) ($80 for 20K spammed backlinks)

• Inter-Carrier Money Exchange and Mule services (25% commission)

• Recruited CAPTCHA Breaking ($1/1000 CAPTCHAs)

• Crimeware Upgrade Modules: using Zeus Modules as an example, these range anywhere from $500 to $10K

Source: Fortinet 2013 Cybercrime Report

So we need a fifth column…

…to protect the systems of today and build tomorrow’s systems safely

Security: topics

• Threat and risk assessment

• Kill chain disruption and recovery from attack

• Requirement and policy specifications

• Solutions and countermeasures

  – Cryptography

  – Intrusion detection/prevention

  – Trustworthy software

  – Authentication and authorisation

  – Virtual Private Networks

  – Firewalls

  – Digital certification and Public Key Infrastructures

  – Real-life exemplar security systems (cloud computing security, web security, email security, wireless network security, electronic payment systems, etc.)

• Audits, reviews, and penetration testing

• Digital forensics

How

• Lectures

• Guest lectures

  – CYFOR: Digital forensics

  – McAfee: Malware and intruders: vulnerabilities and countermeasures

  – NCC Group: Penetration Testing

There’s an open invitation to come to the guest lectures on security matters in COMP60721 IT Governance too.

• Cryptography

  – Examination (60%)

  – Coursework (40%)

• Cyber security

  – Coursework (2x25%)

    • Groupwork

    • Case studies

    • Report

    • Review/inspect

    • Templates

      – Threat analysis

      – Risk treatment plan

  – Examination (50%)

• Employment potential

Bad

• 96.1 million malware variants identified in 2016 (Symantec)

• 230,000+ premises in the Ukraine lost power for 3 days in the winter

• £60,000 for losing an unencrypted laptop

• Fined £2.75m for losing a laptop with records of 46,000 people

• Many vulnerable ‘IoT’ devices can’t be ‘patched’

• Authorities will be able to fine £17m or 4% global turnover

Good

You become the Fifth Column

1. Cryptography

2. Cyber security

Who they gonna call?


Some research Projects/Activities

• Designs of systems or solutions for security and privacy in distributed systems

• Cloud and Ubiquitous Computing, and electronic commerce…

• …covering issues such as risk-based authentication, authorisation, intrusion detection, and trust management

• Anti-Impersonation in Service Access using Mobile Devices

• Addressing Virtualization Vulnerabilities in Cloud Servers

• Investigation of Digital Forensic Techniques

• FAME-Permis

• Traceable Identity Privacy

• Context-aware Security Provision

• Wireless Network, Cloud Computing, IoT Security

• Adaptive Security Solutions

The FAME-Permis Project

• A middleware extension to Shibboleth to support

  – Inter-organisational resource sharing

  – Single sign-on

  – User identity privacy

  – Fine-grained access control

LoA linked AC (FAME-permis)

[Figure: message flow between the Browser, the Shib Target - Resource Gateway (Web Server, SHIRE, SHAR), the WAYF (Where Are You From?) service and the User’s Home Site across the Internet. At the home site the Shib-HS is protected by the FAME Login Server (F-LS), which uses the Host Authentication Module (HAM) and AuthServices x, y, z, …; the browser side shows PKCS#11 tokens, Java Cards, ... behind the TI-API.]

Steps labelled in the figure:

1. User request

2. Re-direct to WAYF for Handle

3. Re-direct to HS

4. Authenticate yourself with AuthService x

5. Authentication dialogue

6. Authentication is successful

7. Handle

8. Handle

FIDES

• Aim to secure e-Commerce transactions, e.g.

  – e-Payment vs e-Goods (e-Purchase).

  – e-Goods/e-mail vs Signed receipt (Certified delivery).

  – Signed contract vs Signed contract (Contract signing).

  – e-Goods vs e-Goods (Barter).

• Can be used to develop new secure business applications, such as e-procurement.

Context-aware Security Provision

• Use your context data to determine the level of security protection

  – Your location

    • This room, or

    • Airport lounge

  – Your device

    • Wireless PDA, or

    • More capable desktop

  – Your past access history/profile

    • Have you been a good guy, or

    • Have you tried to breach some rules

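Context-aware Access Control

[Figure: architecture with an Access Requester, a PEP in front of the Resource, a PDP returning the Policy Decision, a Policy Store supplying the Policy, and a Context Service fed by Context Acquisition from a Context Source (Sensors).]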
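The PEP/PDP arrangement in the figure above, applied to the context attributes from the Context-aware Security Provision slide, as an added example that is not part of the original slides. The risk weights, tier thresholds, level numbers, obligation names and function names are all assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Context:
    """Context attributes named on the slide; values are constructed samples."""
    location: str         # "campus_room" or "airport_lounge"
    device: str           # "desktop" or "wireless_pda"
    past_violations: int  # rule breaches recorded in the access history

# Hypothetical policy store: risk points per context value (assumed weights).
POLICY = {
    "location": {"campus_room": 0, "airport_lounge": 2},
    "device": {"desktop": 0, "wireless_pda": 1},
    "violation_weight": 2,
    "unknown_value": 3,  # fail closed: an unrecognised value counts as high risk
    # (minimum score, required authentication level or None for deny, obligations)
    "tiers": [(5, None, ()), (3, 3, ("vpn", "short_session")),
              (1, 2, ("vpn",)), (0, 1, ())],
}

def risk_score(ctx, policy=POLICY):
    """Sum the risk points for location, device and access history."""
    unknown = policy["unknown_value"]
    score = policy["location"].get(ctx.location, unknown)
    score += policy["device"].get(ctx.device, unknown)
    score += policy["violation_weight"] * max(0, ctx.past_violations)
    return score

def pdp_decide(ctx, policy=POLICY):
    """Policy Decision Point: map context to the protection level required."""
    score = risk_score(ctx, policy)
    for threshold, level, obligations in policy["tiers"]:  # highest tier first
        if score >= threshold:
            if level is None:
                return {"decision": "deny", "score": score}
            return {"decision": "permit", "score": score,
                    "required_level": level, "obligations": obligations}
    return {"decision": "deny", "score": score}  # no tier matched: fail closed

def pep_enforce(ctx, presented_level, policy=POLICY):
    """Policy Enforcement Point: permit, deny, or demand stronger authentication."""
    decision = pdp_decide(ctx, policy)
    if decision["decision"] == "deny":
        return "deny"
    if presented_level < decision["required_level"]:
        return "step_up:%d" % decision["required_level"]
    return "permit"

if __name__ == "__main__":
    lounge = Context("airport_lounge", "wireless_pda", 0)
    print(pdp_decide(lounge), pep_enforce(lounge, presented_level=1))
```

The same user with the same credential is permitted from the desktop in the room but asked to step up from the PDA in the airport lounge, and is denied outright once the access history adds to that risk.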


Context-aware Adaptive Routing in MANETs

Context-aware multiple route adaptation can increase reliability with low costs.

[Figure: network diagram with nodes A, B, C, P, M and X and the Internet.]

Other project opportunities may include…

• Whitelisting software

• A method to articulate requirements for security (MARS)

• Measuring security maturity to understand the costs and benefits of countermeasures

• Security dashboard

• Information and cyber security threat analyser

• IT Strategy design tool

• Protect - Operate - Self-preserve: designing a universal secure architecture

• Rules of engagement: Legitimate use of the Dark Internet and Deep Web

• Security economics modeller

• Balancing technical security controls with human factors

• An application to test websites for compliance and award a commensurate trust mark

Let’s disrupt the kill chain together…

[Figure: kill chain stages and the actions against them]

• Kill chain: Reconnaissance, Weaponisation, Delivery, Exploitation, Installation, Command and control, Action on objectives

• Actions: Detect, Deny, Disrupt, Degrade, Deceive, Destroy

The big picture

[Figure: Crypto, Cyber security, IT Governance]

Thank you. Questions... (Ask us or we might ask you)