Ch01-Computer Security
0 likes29 views
This document discusses the need for computer security and provides an introduction to key concepts. It explains that security is necessary to protect vital information, provide authentication and access control, and ensure availability of resources. The document then outlines common security threats like firewall exploits, software bugs, and denial of service attacks. It also discusses basic security components of confidentiality, integrity, and availability as well as goals of preventing attacks, detecting violations, and enabling recovery.
Ch01-Computer Security
- 1. 1 241-427-SV-2-2553-COE-PSU 1 241-427 Computer Security Chapter I: Introduction Dr. Sangsuree Vasupongayya 241-427-SV-2-2553-COE-PSU 2 A Brief History of the World 241-427-SV-2-2553-COE-PSU 3 Why do we need security? Protect vital information while still allowing access to those who need it Trade secrets, medical records, etc. Provide authentication and access control for resources Ex: AFS Guarantee availability of resources Ex: 5 9’s (99.999% reliability)
- 2. 2 241-427-SV-2-2553-COE-PSU 4 Who is vulnerable? Financial institutions and banks Internet service providers Pharmaceutical companies Government and defense agencies Contractors to various government agencies Multinational corporations ANYONE ON THE NETWORK 241-427-SV-2-2553-COE-PSU 5 Common security attacks Finding a way into the network Firewalls Exploiting software bugs, buffer overflows Intrusion Detection Systems Denial of Service Ingress filtering, IDS TCP hijacking IPSec Packet sniffing Encryption (SSH, SSL, HTTPS) Social problems Education 241-427-SV-2-2553-COE-PSU 6 Basic Components Confidentiality Keeping data and resources hidden Integrity Data integrity (integrity) Origin integrity (authentication) Availability Enabling access to data and resources
- 3. 3 241-427-SV-2-2553-COE-PSU 7 Goals of Security Prevention Prevent attackers from violating security policy Detection Detect attackers’ violation of security policy Recovery Stop attack, assess and repair damage Continue to function correctly even if attack succeeds 241-427-SV-2-2553-COE-PSU 8 Trust and Assumptions Underlie all aspects of security Policies Unambiguously partition system states Correctly capture security requirements Mechanisms Assumed to enforce policy Support mechanisms work correctly 241-427-SV-2-2553-COE-PSU 9 Assurance Specification Requirements analysis Statement of desired functionality Design How system will meet specification Implementation Programs/systems that carry out design
- 4. 4 241-427-SV-2-2553-COE-PSU 10 Security standards ISO ISO 17799, ISO 27002, ISO 27001 NIST NIST SP 800-12, NIST SP 800-14, NIST SP 800-18, NIST SP 800-26, NIST SP 800-30 In Thailand http://www.mict.go.th/ พ.ร.บ.วาดวยการกระทําผิดเกี่ยวกับคอมพิวเตอร พ.ศ. 2550 พ.ร.บ. วาดวยธุรกรรมทางอิเล็กทรอนิกส พ.ศ. 2554 (on going) 241-427-SV-2-2553-COE-PSU 11 Operational Issues Cost-Benefit Analysis Is it cheaper to prevent or recover? Risk Analysis Should we protect something? How much should we protect this thing? Laws and Customs Are desired security measures illegal? Will people do them? 241-427-SV-2-2553-COE-PSU 12 Human Issues Organizational Problems Power and responsibility Financial benefits People problems Outsiders and insiders Social engineering
- 5. 5 241-427-SV-2-2553-COE-PSU 13 Key Points Policy defines security, and mechanisms enforce security Confidentiality Integrity Availability Trust and knowing assumptions Importance of assurance The human factor 241-427-SV-2-2553-COE-PSU 14 Client-side Security Doesn’t Work Client-side: a computer that the user has control over and can do whatever he/she like with it Client-side security: some sort of security mechanism that is being enforced solely on the client Problem: a person has absolute control over it E.g., a software package that tries to limit its use in some way Debuggers, disassembles, hex editors, operating system modification, monitoring systems, unlimited copies of the software Conclusion: cannot maintain trusted software running on an untrusted machine 241-427-SV-2-2553-COE-PSU 15 Viruses and Trojans Viruses and Trojans cannot be 100 percent protected against Virus replicates and requires other programs to attach to Trojan horse pretend to be something else Usually attached to a program you wanted, or arrived on media you inserted How does antivirus software work? Before program execution can take place, the antivirus software will scan the program or media for “bad things” “bad things” based on signature files that are hopefully unique to a particular virus or trojan Usually signature files can be produced based on a seen virus or trojan Delay in getting new virus information
- 6. 6 241-427-SV-2-2553-COE-PSU 16 Firewalls Firewalls cannot protect you 100% from attack Sits between internal network and the rest of the network and attempts to prevent bad things from happening without preventing food things from happening allow some kinds of traffic, while stopping others Difficulties The firewall administrators can’t very easily limit traffic to exactly the type they would like Attacks Social engineering via email (e.g., Melissa virus) Attack the firewall directly 241-427-SV-2-2553-COE-PSU 17 241-427-SV-2-2553-COE-PSU 18 Spam Statistics Email considered Spam 40% of all email Daily Spam emails sent 12.4 billion Daily Spam received per person 6 Annual Spam received per person 2,200 Spam cost to all non-corp. Internet users $255 million Spam cost to all U.S. Corporations in 2002 $8.9 billion Email address changes due to Spam 16% Estimated Spam increase by 2007 63% Annual Spam in 1,000 employee company 2.1 million Users who reply to Spam email 28% Users who purchased from Spam email 8% Corporate email that is considered Spam 15-20% Wasted corporate time per Spam email 4-5 seconds http://spam-filter-review.toptenreviews.com/spam-statistics.html
- 7. 7 241-427-SV-2-2553-COE-PSU 19 Open Problems in Security Definition of metrics to assess the security of a system or protocol. Formal methods to verify the security of a system. Realistic models of adversaries. Emergency preparedness and response. Development of secure protocols and systems. (Scalability and efficiency.) Need to bridge the huge gap between cryptographers and systems designers/developers. Scarcity of professionals in the area. Lack of basic training in the area of security. 241-427-SV-2-2553-COE-PSU 20 References Justin Weisz, “Network Security”, Lecture slides, Fall 2002. Matt Bishop, “Introduction to Computer Security”, 2004.