Computer Security (aka, Cybersecurity)

Dr. Chris Mayfield

Department of Computer ScienceJames Madison University

Sep 30, 2014

WWW stands for “World Wide Web”

Sep 30, 2014 Computer Security 2 of 21

WWW stands for “Wild Wild West”

Sep 30, 2014 Computer Security 3 of 21

Reality check

The Internet is an open network

I Designs are in the public domain

I Built by the people, for the people

Anyone can send a packet anywhere

I Endpoints don’t have to receive themI Principle of Network Neutrality

I All data/packets should be treated equallyI ISPs and governments should not discriminate

Openness drives innovation

I Side effect: “anything goes” (good/bad)

I New applications coming out all the time

Sep 30, 2014 Computer Security 4 of 21

What does “security” mean?

Sep 30, 2014 Computer Security 5 of 21

Access control

As a human being, you have the right to control

I your information (data, files, identity, . . . )

I your property (computers, phones, TVs, . . . )

Control means to allow or to restrict access

I in an environment where “anything goes”

Computer security is part of information security (InfoSec)

I See http://en.wikipedia.org/wiki/Information security

I “Defend from unauthorized access, use, disclosure, disruption,modification, perusal, inspection, recording, or destruction.”

Sep 30, 2014 Computer Security 6 of 21

CIA triad

Source: digitalthreat.net

Three fundamental aspects ofinformation security

Affects the way information is:

I Stored

I Processed

I Transmitted

Sep 30, 2014 Computer Security 7 of 21

What can go wrong?

And what can be done about it?

(Terminology: threats and solutions)

Sep 30, 2014 Computer Security 8 of 21

OS security

Threats

I Unauthorized access

I Insecure passwords

I Malicious processes

I Vulnerabilities in OS

I Key loggers, sniffers

Solutions

I User accounts, permissions

I Password policies, auditing

I CPU privileged instructions

I Security updates, patches

I Trusted software sources

Sep 30, 2014 Computer Security 9 of 21

Network security

Threats

I Unauthorized access

I Virus, worm

I Trojan horse

I Spyware, phishing

I Denial of service

Solutions

I Firewall (hardware/software)

I Antivirus software (maybe)

I Intrusion detection system

I Content filtering, education

I Redirection/dropping packets

Sep 30, 2014 Computer Security 10 of 21

Spoiler Alert!

Perfect security is impossible

Sep 30, 2014 Computer Security 11 of 21

Possible, but worth preparing for?

Sep 30, 2014 Computer Security 12 of 21

Security in practice

Securing a system is a continual process

I Cost/benefit analysis of threats/solutions

Trade-off of functionality and security

I Too invasive → users undermine the system

Source: digitalunion.osu.edu

Sep 30, 2014 Computer Security 13 of 21

Two more problems

(that encryption can solve)

Sep 30, 2014 Computer Security 14 of 21

Sniffing

Sep 30, 2014 Computer Security 15 of 21

Cryptography

Symmetric encryption

I Secret key (mathematical formula) encodes data

I Chances of guessing the key is nearly impossible

I Problem: how do a server/client agree on a key?

Public-key encryptionI Generate a pair of keys (make one public, one private)

I You can’t figure out one, given the otherI But the keys are “inverses” of each other

I Anyone can use your public key to send you a messageI And you use your private key to decrypt itI Also useful for establishing your identify

Sep 30, 2014 Computer Security 16 of 21

Spoofing

Source: http://en.wikipedia.org/wiki/ARP spoofing

Sep 30, 2014 Computer Security 17 of 21

Digital signatures

Certificate authorities

I Symantec (VeriSign, Thawte, Geotrust)

I Comodo Group

I Go Daddy

Solution: verify the identify of servers

I When you use HTTPS, you browser gets certificate of server

I The certificate has been encrypted with a CA’s private key

I Your browser uses the CA’s public key to decrypt the cert

I If everything checks out, you know you have the right server

Sep 30, 2014 Computer Security 18 of 21

How do we prosecute the bad guys?

Sep 30, 2014 Computer Security 19 of 21

Legal approaches

Problems

I Information theft

I Eavesdropping

I Distributed DoS

I Cybersquatting

Legislation

I “Anything of value” (CFAA)

I Information privacy (ECPA)

I Monitoring (USA PATRIOT)

I Registered trademarks (ACPA)

Sep 30, 2014 Computer Security 20 of 21

Advice and tips

http://www.us-cert.gov/ncas/tips

Sep 30, 2014 Computer Security 21 of 21