CSCE 201 Introduction to Information Security, Fall 2010
TRANSCRIPT
CSCE 201 Introduction to Information Security, Fall 2010
CSCE 201 Introduction to Computer Security
Instructor: Csilla Farkas
Office: Swearingen 3A43
Office Hours: Monday, Wednesday 10:00 – 11:00 am, or electronically any time, or by appointment
Telephone: 576-5762
E-mail: [email protected]
Homepage: http://www.cse.sc.edu/~farkas/csce201-2009/csce201.htm
CSCE 201 - Farkas 2
Course Objectives
– Understand basic concepts and practices of information security
– Understand tools and techniques used by attackers to penetrate computer systems
– Understand tools and techniques used by defense to protect computer systems
– Be able to check for security updates, apply and use patches and other defense mechanisms
– Be able to understand and follow security and privacy policies
– Understand the ethical implications of using attack tools on computer systems
Text
– C. Easttom, Computer Security Fundamentals, Pearson Prentice Hall, ISBN: 0-13-171129-6
– Lecture handouts
Grading
Test 1: 20%, Test 2: 40%, Homework: 40%
Total score that can be achieved: 100
Final grade: 90 < A, 87 < B+ <= 90, 80 < B <= 87, 77 < C+ <= 80, 65 < C <= 77, 60 < D+ <= 65, 52 < D <= 60, F <= 52
Tentative Schedule
– Weeks 1—5: Basic Security Concepts
– Weeks 6—10: Home Computer Security – Hardening the System
– Weeks 11—15: Let’s Have Fun – Popular applications, ethics, security and privacy
Reading list:
– Easttom: Chapter 1
Other useful sites:
– Computer Security Institute, http://www.gocsi.com/
– SANS Institute, http://www.sans.org/
– Carnegie Mellon University's Computer Emergency Response Team, http://www.cert.org/
– Information Warfare and Information Security on the Web, http://www.fas.org/irp/wwwinfo.html
– Sun Tzu on the Art of War (Lionel Giles, trans.), http://all.net/books/tzu/tzu.html
Security Objectives
Confidentiality: prevent/detect/deter improper disclosure of information
Integrity: prevent/detect/deter improper modification of information
Availability: prevent/detect/deter improper denial of access to services
Military Example
Confidentiality: target coordinates of a missile should not be improperly disclosed
Integrity: target coordinates of missile should be correct
Availability: missile should fire when proper command is issued
Commercial Example
Confidentiality: patient’s medical information should not be improperly disclosed
Integrity: patient’s medical information should be correct
Availability: patient’s medical information can be accessed when needed for treatment
Fourth Objective
Securing computing resources: prevent/detect/deter improper use of computing resources
– Hardware
– Software
– Data
– Network
Achieving Security
– Policy: What to protect?
– Mechanism: How to protect?
– Assurance: How good is the protection?
Security Policy
– Organizational Policy
– Computerized Information System Policy
Security by Obscurity
Hide the inner workings of the system
Bad idea! Obscurity does not hold up because of:
– Vendor-independent open standards
– Widespread computer knowledge
Security by Legislation
• Instruct users how to behave
• Not good enough!
Important, but legislation can only enhance security; it targets only some of the security problems
Threat, Vulnerability, Risk
Threat: potential occurrence that can have an undesired effect on the system
Vulnerability: characteristic of the system that makes it possible for a threat to occur
Attack: action of malicious intruder that exploits vulnerabilities of the system to cause a threat to occur
Risk: measure of the possibility of security breaches and severity of the damage
Types of Threats
Errors of users
Natural/man-made/machine disasters
Dishonest insider
Disgruntled insider
Outsiders
Types of Attack
Interruption – an asset is destroyed, unavailable or unusable (availability)
Interception – unauthorized party gains access to an asset (confidentiality)
Modification – unauthorized party tampers with asset (integrity)
Fabrication – unauthorized party inserts counterfeit object into the system (authenticity)
Denial – person denies taking an action (authenticity)
Computer Crime
Any crime that involves computers or is aided by the use of computers
U.S. Federal Bureau of Investigation: reports uniform crime statistics
Computer Criminals
Amateurs: regular users who exploit the vulnerabilities of the computer system
– Motivation: easy access to vulnerable resources
Crackers: attempt to access computing facilities for which they do not have authorization
– Motivation: enjoy the challenge, curiosity
Career criminals: professionals who understand the computer system and its vulnerabilities
– Motivation: personal gain (e.g., financial)
Methods of Defense
– Prevent: block attack
– Deter: make the attack harder
– Deflect: make other targets more attractive
– Detect: identify misuse
– Tolerate: function under attack
– Recover: restore to correct state
– Documentation and reporting
Information Security Planning
– Organization analysis
– Risk management
– Mitigation approaches and their costs
– Security policy and procedures
– Implementation and testing
– Security training and awareness
System Security Engineering (Traditional View)
1. Specify system architecture
2. Identify threats, vulnerabilities, attacks
3. Estimate risk
4. Prioritize vulnerabilities
5. Identify and install safeguards
6. Repeat until risk is acceptably low
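The loop above (estimate risk, prioritize vulnerabilities, install safeguards, stop once risk is acceptably low) can be made concrete with a small risk register. The code below is an added example, not part of the lecture slides or the textbook; the scoring rule (risk = likelihood × impact on 1–5 scales), the sample vulnerabilities and the safeguard catalog are all constructed assumptions for illustration, using the commercial medical-records example from the slides as the setting.

```python
"""Added example: risk-driven prioritization of vulnerabilities.

Assumptions of this example (not from the lecture slides):
  - risk is estimated as likelihood * impact, each on a 1..5 scale
  - a safeguard lowers the likelihood that a threat exploits a vulnerability
  - the register and safeguard catalog below are constructed sample data
"""
import copy
from dataclasses import dataclass, field


@dataclass
class Vulnerability:
    name: str
    likelihood: int                         # 1..5: estimated chance of exploitation
    impact: int                             # 1..5: severity of the resulting damage
    safeguards: list = field(default_factory=list)  # safeguards installed so far

    @property
    def risk(self) -> int:
        """Step 3 of the slide: estimate risk from likelihood and impact."""
        return self.likelihood * self.impact


# Constructed sample register (step 2: threats/vulnerabilities already identified).
SAMPLE_VULNERABILITIES = [
    Vulnerability("unpatched web server", likelihood=5, impact=4),
    Vulnerability("weak admin password", likelihood=4, impact=5),
    Vulnerability("no backups of patient records", likelihood=2, impact=5),
    Vulnerability("unencrypted laptop", likelihood=3, impact=3),
]

# Constructed catalog: vulnerability -> [(safeguard, likelihood reduction), ...]
SAFEGUARD_CATALOG = {
    "unpatched web server": [("apply vendor patches", 3), ("put behind firewall", 1)],
    "weak admin password": [("enforce strong passwords + MFA", 3)],
    "no backups of patient records": [("nightly offline backups", 1)],
    "unencrypted laptop": [("full-disk encryption", 2)],
}


def prioritize(vulns):
    """Step 4: highest risk first (stable sort keeps register order on ties)."""
    return sorted(vulns, key=lambda v: v.risk, reverse=True)


def install_safeguards(vulns, catalog, acceptable_risk):
    """Steps 5-6: keep applying the next safeguard to the riskiest item
    until the highest remaining risk is acceptable or the catalog runs out.
    Returns the list of (vulnerability, safeguard) pairs applied, in order."""
    catalog = {k: list(v) for k, v in catalog.items()}   # local copy; we pop from it
    applied = []
    while True:
        ranked = prioritize(vulns)
        if ranked[0].risk <= acceptable_risk:
            break                               # risk is acceptably low
        candidates = [v for v in ranked
                      if v.risk > acceptable_risk and catalog.get(v.name)]
        if not candidates:
            break                               # residual risk: nothing left to install
        target = candidates[0]
        name, reduction = catalog[target.name].pop(0)
        target.likelihood = max(1, target.likelihood - reduction)
        target.safeguards.append(name)
        applied.append((target.name, name))
    return applied


def run_example(acceptable_risk=10):
    """Run the loop on a fresh copy of the sample register.
    Returns (safeguards applied, residual risk per vulnerability)."""
    vulns = copy.deepcopy(SAMPLE_VULNERABILITIES)
    applied = install_safeguards(vulns, SAFEGUARD_CATALOG, acceptable_risk)
    return applied, {v.name: v.risk for v in vulns}


if __name__ == "__main__":
    applied, residual = run_example()
    for vuln, safeguard in applied:
        print(f"installed '{safeguard}' for '{vuln}'")
    for vuln, risk in sorted(residual.items(), key=lambda kv: -kv[1]):
        print(f"residual risk {risk:2d}: {vuln}")
```

With the acceptable-risk threshold at 10, only the two risk-20 items receive safeguards before the loop stops; lowering the threshold to 5 drives the loop through the rest of the catalog, which shows why the "acceptably low" decision, not the number of available safeguards, determines how much gets installed.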
Human Actions
Domains:
– Play: hackers vs. owners
– Crime: perpetrators vs. victims
– Individual rights: individuals vs. individuals/organizations/government
– National security: national level activities
Play
Playing pranks
Actors: hackers/crackers/phreakers
Motivation: challenge, knowledge, thrill
Culture: social/educational
– “global networks”
– publications
– forums
Law
Crime
Intellectual Property Crimes
– IT targets: research and development, manufacturing and marketing plans, customer lists, etc.
– Attacker: insiders, former insiders
– 1996: Economic Espionage Act (U.S. Congress)
Fraud
– Telemarketing scams, identity theft, bank fraud, telecommunication fraud, computer fraud and abuse
Fighting crime
Individual Rights
Privacy
– Secondary use of information
Free speech
– Harmful/disturbing speech
– Theft and distribution of intellectual property
– Censorship
National Security
Foreign Intelligence
– Peace time: protecting national interests
  Open channels, human spies, electronic surveillance, electronic hacking (?)
– War time: support military operations
– U.S. Intelligence Priorities:
  Intelligence supporting military needs during operation
  Intelligence about hostile countries
  Intelligence about specific transnational threats
– Central Intelligence Agency (CIA)
– Primary targets in U.S.A.: high technology and defense-related industry
Terrorism
Traditional:
– Intelligence collection
– Psyops and perception management
New forms:
– Exploitation of computer technologies
  Internet propaganda
  Cyber attacks (electronic mail flooding, DOS, etc.)
Protection of national infrastructure