/
Introduction to Computer Security: Terminology, Security Po Introduction to Computer Security: Terminology, Security Po

Introduction to Computer Security: Terminology, Security Po - PowerPoint Presentation

lindy-dunigan
lindy-dunigan . @lindy-dunigan
Follow
445 views
Uploaded On 2017-08-18

Introduction to Computer Security: Terminology, Security Po - PPT Presentation

ECE 422 CS 461 Fall 2013 Acknowledgment Thanks to Susan Hinrichs for her slides Outline Administrative Issues Class Overview Introduction to Computer Security What is computer security ID: 579936

policy security system computer security policy computer system secure illinois information class www ece policies amp entity privacy department

Share:

Link:

Embed:

Download Presentation from below link

Download Presentation The PPT/PDF document "Introduction to Computer Security: Termi..." is the property of its rightful owner. Permission is granted to download and print the materials on this web site for personal, non-commercial use only, and to display it on your personal computer provided you do not modify the materials and that you retain all copyright notices contained in the materials. By downloading content from our website, you accept the terms of this agreement.


Presentation Transcript

Slide1

Introduction to Computer Security: Terminology, Security Policy

ECE 422 / CS 461 - Fall 2013

*Acknowledgment: Thanks to Susan

Hinrichs

for her slidesSlide2

Outline

Administrative IssuesClass OverviewIntroduction to Computer SecurityWhat is computer security?

Why computer security?

Computer security components

Introduction to security policy

1-

2Slide3

Staff etc.

StaffINSTRUCTORS:

David

Nicol

: First half (Roughly: Aug. 26 – Oct. 14)

Rakesh Bobba: Second half

(Roughly: Oct. 16 – Dec. 12)

TAs Balaji ManoharanTed PacygaOffice hours David Nicol (held when teaching; 451 CSL)TBDRakesh Bobba (held when teaching; 444 CSL)TBD

1-

3Slide4

Academic Honesty

Review department and university cheating and honor codes:

http://www.ece.illinois.edu/students/ugrad/academic-

honesty.html

https

://wiki.engr.illinois.edu/display/undergradProg/Honor+Code

http://admin.illinois.edu/policy/code/article1_part4_1-402.

html

Expectations

for exams,

homeworks, projects, and papersWhen in doubt, ask!

1-

4Slide5

Class Overview I – Format &Text

FormatMeets 2-times a week (MW)

Mostly lecture based

Text Books / Readings

Computer Security: Principles and Practice by William Stallings and Lawrie Brown 2

nd

Ed.

Additional ReadingsLinks and documents posted in CompassBooks on reserve at library1-5Slide6

Class Overview II – Lectures

Lecture Slides - DisclaimerNot intended to be self sufficient

Going through lecture slides will NOT be enough to master course material

1-

6Slide7

Class Overview III - Grades

2 midterms worth 20% each (total 40%)Tentatively:

October 2nd and November 6

th

Comprehensive Final worth 30%Date & Time:

December 16

th

8 -11 AM In class quizzes – 5%Homeworks & MPs 25% About 7 – 8 homeworks ; can drop lowest homeworkSubmit homeworks via Compass2gExtra project for grad. students (4 credits) 20%1-

7Slide8

Class Overview IV -

Communication

Class web page

https://wiki.engr.illinois.edu/display/ece422sp13/ECE422+-+CS461+Computer+Security+I+Fall+

2013

Lecture

slides, schedule,

homeworksLecture Videos (For Online Students)https://wiki.engr.illinois.edu/display/ENGRonline/Fall+2013+CS+coursesCompass2gHomework submissions and grade distributionPiazzaFor discussionshttps://piazza.com/illinois/fall2013/cs461ece422/home

1-

8Slide9

Security Classes Roadmap I

3 Introductory/General CoursesComputer Security I (CS461/ECE422)

Covers NSA 4011 security professional requirements

Taught every semester (mostly)

Computer Security II (CS463/ECE424)Continues in greater depth on more advanced security topics

Taught every semester or so

Applied Computer Security Lab (CS460)

Generally taught in the springWith CS461 covers NSA 4013 system administrator requirementsTwo of the three courses will satisfy the Security Specialization in the CS track for Computer Science majors.1-9Slide10

Security Classes Roadmap

II

Theoretical

Foundations of

Cryptography (CS 498) & Applied Cryptography (CS 598 MAN)

Prof

Manoj

PrabhakaranAdvanced Applied Cryptography (ECE 598 NB) & Privacy Enhancing Technologies (ECE 598 NB)Prof Nikita BorisovCryptography (Math 595/ECE 559)Prof. BlahutMalware Analysis CS498SHSecurity Reading Group CS591RHCAdvanced Computer Security CS563Local talks

http://

www.iti.illinois.edu

/content/seminars-and-eventsITI Security Roadmaphttp://www.iti.illinois.edu/education/course-roadmaps/security1-10Slide11

ECE 422 / CS 461 Topics

First course in computer security at UIUCMix of motivation, design, planning, and mechanisms

Covers what, why and how of computer security

Breadth first look

1-

11Slide12

What is computer security?Why do we need it?

Art & science of protecting/securing computer systems?

Because we

need

to protect/secure computers from …. adversaries

Mischief makers (script kiddies)?

Hackers?

Hactivists?Ourselves (sometimes)….1-12Slide13

What is Computer Security?

“The protection afforded to an automated information system in order to attain the applicable objectives of

preserving the integrity, availability and confidentiality

of information system resources” (includes hardware, software, firmware, information/data, and telecommunications)

.”

NIST Security Handbook

1-

13Slide14

Key Security Notions/Concepts

ConfidentialityPreventing unauthorized access or disclosure

Keeping data confidential to authorized parties

Privacy (subtle difference)

IntegrityPreventing against unauthorized modifications

Data Integrity (integrity)

Origin Integrity (authentication)

AvailabilityEnsuring timely availability of (data, system service etc.)1-14Slide15

Additional Security Concepts

AuthenticityProperty of being genuine; can be verified

and trusted

Similar to authentication

AccountabilityRequirement for entity actions to be traced uniquely to that entity

Non-repudiation -- one cannot repudiate one’s actions

1-

15Slide16

Why is computer security challenging?

Both systems to be protected and security mechanisms can be quite complex and subtle

Security mechanisms themselves might become targets or introduce unintended weaknesses

A single weakness can bring down the system – defenders have to work harder

Systems, environments, and adversaries are constantly evolving/changing

Security often tends to be an afterthought rather than designed in

….

1-16Slide17

Some Terminology

Threat

– Set of circumstances that has the potential to

breach security and cause harm

Vulnerability

– Weakness in the system that could be exploited to

violate security property of interest

Attack

– When an entity exploits a vulnerability on system

Control or Countermeasure – A means to prevent a vulnerability from being exploited; or minimize harm from the vulnerability/attack; or detect attack so recovering actions may be initiatedAdversary – threat agent1-17Slide18

Classes of Threats

Disclosure

– Unauthorized access to

information

Deception

– Acceptance of false

data

Disruption

– Interruption or prevention of correct operationUsurpation – Unauthorized control of some part of a system1-18What security property(ies) or concept(s) does each class violate?Slide19

Some common threats

Snooping or interception

Unauthorized interception of information

Falsification

Unauthorized change of information

Masquerading or spoofing

An impersonation of one entity by another

Repudiation

A false denial that an entity received some information

.

1-

19Slide20

Security Strategy

Specification/Policy

What does it mean to be secured in particular

?

Implementation/Mechanism

How to enforce the specified security policy?

Correctness/Assurance

Does the security system work as advertised1-20Slide21

Specification/Policy

Specification considerations

Security

vs.

ease of use

Return on investment – security business

case

Policy

A statement of what is and what is not allowed

Divides the world into secure and non-secure states

A secure system starts in a secure state. All transitions keep it in a secure state.

1-

21Slide22

1-

22

Is this situation secure?

Web server accepts all connections

No authentication required

Self-registration

Connected to the Internet Slide23

Security Mechanism or Implementation

A

method, tool, or procedure for enforcing a security policy

Prevention

Detection

Response

R

ecovery

1

-

23Slide24

1-

24

Trust and Assumptions

Locks prevent unwanted physical access.

What are the assumptions this statement builds on?Slide25

Policy Assumptions

Policy correctly divides world into secure and insecure states.

Mechanisms prevent transition from secure to insecure states.

1

-

25Slide26

Assurance

Evidence of how much to trust a system

Evidence can include

System specifications

Design

Implementation

1-

26Slide27

1-

27

Aspirin Assurance Example

Why do you trust Aspirin from a major manufacturer?

FDA certifies the aspirin recipe

Factory follows manufacturing standards

Safety seals on bottles

Analogy to software assuranceSlide28

Slide #1-28

Key Points

Must look at the big picture when securing a system

Main components of security

Confidentiality

Integrity

Availability

Differentiating Threats, Vulnerabilities, Attacks and Controls

Policy

vs.

mechanism

AssuranceSlide29

Security Policy

A security policy is a formal statement of the rules by which people who are given access to an organization’s technology and information assets must apply. (RFC 2196)

Defines what it means for the organization to be in a secure state.

Otherwise people can claim ignorance.

1

-

29Slide30

Question

University policy disallows cheating.Alice forgets to write protect her homework.

Bob copies it.

Who violated policy?

1

-

30Slide31

Question Part 2

Alice posts her homework on the department bulletin board (or piazza).

Bob copies it.

Who is at fault with respect to policy?

1

-

31Slide32

Mechanisms or Controls or Countermeasures

Entity or procedure that enforces some part of the security policy

Access controls (like bits to prevent someone from reading a homework file)

Disallowing people from bringing CDs and floppy disks into a computer facility to control what is placed on systems

1

-

32Slide33

Hierarchy of Policy

Organizational

Policy

Departmental

Policy

Department

Standards

CSIL-Linux10

SE Linux Policy

Linux Lab

Umask settings

1

-

33Slide34

-34

Natural Language Security Policies

Targeting Humans

Written at different levels

To inform end users

To inform lawyers

To inform technicians

Users, owners, beneficiaries (customers)

As with all policies, should define purpose not mechanism

May have additional documents that define how policy maps to mechanism

Should be enduring

Don't want to update with each change to technology

Shows due diligence on part of the organization

1

-

34Slide35

Key Parts of Organizational Policy

What is being protected? Why?

Generally how should it be protected?

Who is responsible for ensuring policy is applied?

How are conflicts and discrepancies to be interpreted and resolved?

1

-

35Slide36

-36

How to Write a Policy

Understand your environment

Risk Analysis (see next lecture)

Understand your industry

Look for “standards” from similar companies

Leverage others wisdom

Already proven with

auditors/regulators

Standards

ISO 17799 – Code of Practice for Information Security Management

COBIT – Control Objectives for Information and Related

Technolgy

SANS, CERT have policy guidelines

Gather

the right set of people

Technical experts, person ultimately responsible, person who can make it happen

Not just the security policy “expert”

1

-

36Slide37

Security Policy Life Cycle

Risk Analysis

Policy Development

Reassessment

Policy Implementation

Raising Awareness

Policy Approval

1

-

37Slide38

-38

Security Policy Contents

Purpose – Why are we trying to secure things

Identify protected resources

Who is responsible for protecting

What kind of protection? Degree but probably not precise mechanism.

Cover all cases

Realistic

1

-

38Slide39

More Specific Policy Content Ideas

Principles of SecurityOrganizational Reporting Structure

Physical Security

Hiring, management, firing

Data protectionCommunication securityHardware

Software

Operating systems

Technical supportPrivacyAccessAccountabilityAuthenticationAvailabilityMaintenanceViolations reportingBusiness continuitySupporting information

1

-

39Slide40

-40

University of Illinois Information Security Policies

University of Illinois Information Security Policies

System wide policy; Identifies what, not how

http://www.obfs.uillinois.edu/cms/one.aspx?pageId=914038

CITES UIUC standards and guidelines

DNS

 

http://

www.cites.uiuc.edu/dns/standards.html

CS Department

policies

https://wiki.engr.illinois.edu/display/tsg/Policies

1

-

40Slide41

-41

Example Privacy policies

Busey

Bank

https://www.busey.com/home/fiFiles/static/documents/privacy.pdf

Financial Privacy Policy

Targets handling of personal non-public data

Clarifies what data is protected

Who the data is shared with

1

-

41Slide42

Poorly Written Policies

Cars.gov – Had following in click-through policy for

dealers

This

application provides access to the [Department of Transportation] DoT CARS system. When logged on to the CARS system, your computer is considered a Federal computer system and is the property of the U.S. Government. Any or all uses of this system and all files on this system may be intercepted, monitored, recorded, copied, audited, inspected, and disclosed... to authorized CARS, DoT, and law enforcement personnel, as well as authorized officials of other agencies, both domestic and foreign.

According to

EFF

http

://www.eff.org/deeplinks/2009/08/cars-gov-terms-service

-

421-42Slide43

-43

Example Acceptable Use Policy

IEEE Email Acceptable Use Policy

http://eleccomm.ieee.org/email-aup.shtml

Inform user of what he can do with IEEE email

Inform user of what IEEE will provide

Does not accept responsibility of actions resulting from user email

Does not guarantee privacy of IEEE computers and networks

Examples of acceptable and unacceptable use

1

-

43Slide44

Key Points

Security policy bridges between human expectations and implementation reality

1

-

44