lecture 1 1. introduction 2. basic security concepts
TRANSCRIPT
Lecture 1
1. Introduction
2. Basic Security Concepts
CSCE 522 - Farkas 2Lecture 1
Class Information
Class Homepage: http://www.cse.sc.edu/~farkas/csce522-2013/csce522.htm
Instructor: Csilla Farkas Office: Swearingen 3A43 Office Hours: M, W 2:30-3:30 pm or electronically any
time or by appointment E-mail: [email protected]
Text Books
Charles P. Pfleeger and Shari Lawrence Pfleeger, Security in Computing (4th Edition) (Hardcover), Prentice Hall PTR; 4 edition (October 23, 2006), ISBN-10: 0132390779
Handouts
CSCE 522 - Farkas 3Lecture 1
CSCE 522 - Farkas 4Lecture 1
Course Objective
Understanding of Information Security Industry + Academics Managerial + Technical DEFENSE!
TENTATIVE SCHEDULE Week 1 Basic security concepts Week 2 Cryptography, Secret Key Week 3 Cryptography, Public Key Week 4 Identification and Authentication, key-distribution centers, Kerberos Week 5 Security Policies -- Discretionary Access Control, Mandatory Access Control Week 6 Access control -- Role-Based, Provisional, and Logic-Based Access Control Week 7 The Inference Problem Week 8 EXAM 1
Network and Internet Security, E-mail security, User Safety Week 9 Program Security -- Viruses, Worms, etc. Week 10 Firewalls Week 11 Intrusion Detection, Fault tolerance and recovery Week 12 Information Warfare Week 13 Security Administration, Economic impact of cyber attacks Week 14 Presentations Week 15 Presentations DECEMBER 13 (Friday), 12:30 PM -- FINAL EXAM
CSCE 522 - Farkas 5Lecture 1
Assignments
Research project: there will be a group (2-4 students) research project and the students must present their results to the class in the last two weeks of the semester.
Homework: there will be several homework assignments during the semester. Homework should be individual work! There will be a late submission penalty of 4%/day after the due date. (You can always turn it in early.)
Exams: two closed book tests will cover the course material. Final exam is accumulative.
CSCE 522 - Farkas 6Lecture 1
Grading
Test 1: 25%, Test 2: 35%, Homework: 20%, Research project: 20%
Total score that can be achieved: 100 Final grade: 90 < A , 87 < B+ <=90, 80 < B
<= 87, 75 < C+ <= 80, 65 < C <= 75, 60 < D+ <= 65, 50 < D <= 60, F <= 50 Graduate students must perform additional
assignments to receive full credit.
CSCE 522 - Farkas 7Lecture 1
CSCE 522 - Farkas 8Lecture 1
Reading Assignment
Reading assignments for this class: Pfleeger: Ch 1
Reading assignments for lecture 2: Pfleeger: Ch 2
CSCE 522 - Farkas 9Lecture 1
Attack Sophistication vs.Intruder Technical Knowledge
High
Low
1980 1985 1990 1995 2000
password guessing
self-replicating code
password cracking
exploiting known vulnerabilities
disabling audits
back doors
hijacking sessions
sweepers
sniffers
packet spoofing
GUIautomated probes/scans
denial of service
www attacks
Tools
Attackers
IntruderKnowledge
AttackSophistication
“stealth” / advanced scanning techniques
burglaries
network mgmt. diagnostics
distributedattack tools
Cross site scripting
Stagedattack
Copyright: CERT, 2000
CSCE 522 - Farkas 10Lecture 1
Security Objectives
Confidentiality: prevent/detect/deter improper disclosure of information
Integrity: prevent/detect/deter improper modification of information
Availability: prevent/detect/deter improper denial of access to services
CSCE 522 - Farkas 11Lecture 1
Military Example
Confidentiality: target coordinates of a missile should not be improperly disclosed
Integrity: target coordinates of missile should be correct
Availability: missile should fire when proper command is issued
CSCE 522 - Farkas 12Lecture 1
Commercial Example
Confidentiality: patient’s medical information should not be improperly disclosed
Integrity: patient’s medical information should be correct
Availability: patient’s medical information can be accessed when needed for treatment
CSCE 522 - Farkas 13Lecture 1
Fourth Objective
Securing computing resources: prevent/detect/deter improper use of computing resourcesHardwareSoftwareDataNetwork
What is the trade off between the security objectives?
CSCE 522 - Farkas 14Lecture 1
CSCE 522 - Farkas 15Lecture 1
Achieving Security
PolicyWhat to protect?
MechanismHow to protect?
AssuranceHow good is the protection?
CSCE 522 - Farkas 16Lecture 1
Security Policy
Organizational Policy
Computerized Information SystemPolicy
Why do we need to fit the security policy into the organizational policy?
CSCE 522 - Farkas 17Lecture 1
CSCE 522 - Farkas 18Lecture 1
Security Mechanism
Prevention Detection Tolerance/Recovery
CSCE 522 - Farkas 19Lecture 1
Security by Obscurity
Hide inner working of the system
Bad idea! Vendor independent open standard Widespread computer knowledge
CSCE 522 - Farkas 20Lecture 1
Security by Legislation
• Instruct users how to behave• Not good enough!
Important Only enhance security Targets only some of the security problems
CSCE 522 - Farkas 21Lecture 1
Security Tradeoffs
COST
Security Functionality
Ease of Use
CSCE 522 - Farkas 22Lecture 1
Threat, Vulnerability, Risk
Threat: potential occurrence that can have an undesired effect on the system
Vulnerability: characteristics of the system that makes is possible for a threat to potentially occur
Attack: action of malicious intruder that exploits vulnerabilities of the system to cause a threat to occur
Risk: measure of the possibility of security breaches and severity of the damage
Distinguish among vulnerability, threat, and control (protection).
CSCE 522 - Farkas 23Lecture 1
CSCE 522 - Farkas 24Lecture 1
Types of Threats (1)
Errors of users
Natural/man-made/machine disasters
Dishonest insider
Disgruntled insider
Outsiders
CSCE 522 - Farkas 25Lecture 1
Types of Threats (2)
Disclosure threat – dissemination of unauthorized information
Integrity threat – incorrect modification of information
Denial of service threat – access to a system resource is blocked
CSCE 522 - Farkas 26Lecture 1
Types of Attacks (1)
Interruption – an asset is destroyed, unavailable or unusable (availability)
Interception – unauthorized party gains access to an asset (confidentiality)
Modification – unauthorized party tampers with asset (integrity)
Fabrication – unauthorized party inserts counterfeit object into the system (authenticity)
Denial – person denies taking an action (authenticity)
CSCE 522 - Farkas 27Lecture 1
Types of Attacks (2) Passive attacks:
Eavesdropping Monitoring
Active attacks: Masquerade – one entity pretends to be a
different entity Replay – passive capture of information and its
retransmission Modification of messages – legitimate message
is altered Denial of service – prevents normal use of
resources
CSCE 522 - Farkas 28Lecture 1
Computer Crime
Any crime that involves computers or aided by the use of computers
U.S. Federal Bureau of Investigation: reports uniform crime statistics
Malicious Attacks
Method: skills, knowledge, tools, information, etc.
Opportunity: time and access
Motive: reason to perform the action
How can defense influence these aspects of attacks?
CSCE 522 - Farkas 29Lecture 1
CSCE 522 - Farkas 30Lecture 1
Computer Criminals
Amateurs: regular users, who exploit the vulnerabilities of the computer system Motivation: easy access to vulnerable resources
Crackers: attempt to access computing facilities for which they do not have the authorization Motivation: enjoy challenge, curiosity
Career criminals: professionals who understand the computer system and its vulnerabilities Motivation: personal gain (e.g., financial)
CSCE 522 - Farkas 31Lecture 1
Methods of Defense
Prevent: block attack Deter: make the attack harder Deflect: make other targets more attractive Detect: identify misuse Tolerate: function under attack Recover: restore to correct state
CSCE 522 - Farkas 32Lecture 1
Information Security Planning
Organization Analysis Risk management Mitigation approaches and their costs Security policy Implementation and testing Security training and awareness
CSCE 522 - Farkas 33Lecture 1
Risk Management
CSCE 522 - Farkas 34Lecture 1
Risk AssessmentRisk Assessment
RISKRISK
Threats
Vulnerabilities Consequences
CSCE 522 - Farkas 35Lecture 1
Real Cost of Cyber AttackReal Cost of Cyber Attack
Damage of the target may not reflect the real amount of damage
Services may rely on the attacked service, causing a cascading and escalating damage
Need: support for decision makers to – Evaluate risk and consequences of cyber
attacks– Support methods to prevent, deter, and
mitigate consequences of attacks
CSCE 522 - Farkas 36Lecture 1
Risk Management Framework(Business Context)
Understand BusinessContext
Identify Business and Technical Risks
Synthesize and RankRisks
Define RiskMitigation Strategy
Carry Out Fixesand Validate
Measurement and Reporting
CSCE 522 - Farkas 37Lecture 1
Risk Acceptance
Certification How well the system meet the security
requirements (technical)
Accreditation Management’s approval of automated
system (administrative)
CSCE 522 - Farkas 38Lecture 1
Next Class
Cryptography
The science and study of secret writing