CPE 5002 Network security

CSE2500
System Security and Privacy
Lecturers
Prof B Srinivasan
srini@infotech.monash.edu.au
Phone: 990 31333
Room No: C4.47
Ms Nandita Bhattacharjee
nandita@csse.monash.edu.au
Phone: 990 32185/990 53293
Room No: C4.05
2
CSE2500 System Security and Privacy, Nandita & Srini
Organisation and Evaluation
• 12 weeks of lectures
• 2 hours of tutorials per week – mainly problem solving, starting from week 2 to week 12.

3
Weekly Lectures
• Lectures
  • Wednesdays 7p.m. to 9p.m. in Caulfield K Block K3.21
• Alternative Lecture times?
  • Fridays 12 noon to 2p.m. in Caulfield – K block 3.09
  • Fridays 3p.m. to 5p.m. in Caulfield B block B2.13
4
Tutorials
• Tutorials from week 2 to week 12:
  • Wednesdays 10a.m. in Caulfield/B471
  • Wednesdays 4p.m. in Caulfield/B471
  • Wednesdays 4p.m. in Caulfield/B476
  • Thursdays 10a.m. in Caulfield/A212
  • Thursdays 2p.m. in Caulfield/B224
  • Thursdays 6p.m. in Caulfield/F206 or Wednesday 5p.m. in Caulfield/??
• Please use Allocate+ for allocating tutorials. If you have any problems, please see us during the tutorial times next week.
5
Assessment
• Four assessment components
  • Two 30 min tests during the tutorial sessions in weeks 6 and 12, worth 15% each.
  • Individual question solving during the tutorial session from weeks 7 to 11, worth 10%
    • Each student will be assigned a time slot and a problem and they have to make a presentation of the solution to the rest of the group.
  • Examination – 2 hours duration – worth 60%
• You need to get at least 50% to pass this unit.
6
References
• Primary Reference book:
  • Security in Computing – C P Pfleeger and S L Pfleeger, Third Edition, 2003, Prentice Hall
• Secondary Reference book:
  • Computer Security – Dieter Gollmann, 1999, John Wiley
7
Subject: CSE2500
• Lecturers:
  • Prof. Bala Srinivasan
  • Mrs. Nandita Bhattacharjee
• Prescribed Text:
  • Pfleeger, Security in Computing 3e
  • Available from the University Bookshop
8
Where to look for the subject materials?
• http://www.csse.monash.edu.au/courseware/cse2500
• http://beast.csse.monash.edu.au/cse2500
• Please download and print the lecture materials before coming to the class as NO further photocopies of notes will be distributed in the class.
• The lecture notes are complementary to the prescribed text.
9
Security
• Why do you lock your house before you leave?
• How do you choose the kind of lock for your house?
• Any added devices (such as alarms, bull terrier, etc…)
• What do you do when you observe that things in the house are scattered around?
10
What are you protecting?
• Brick and walls
• Money and jewellery
• Music CDs and tapes
• Etc.

11
Threats to Computer and Communications systems
• Domain of information and network security
• Taxonomy of security attacks
• Aims or services of security
• Model of system/(inter)network security
• Methods of defense

12
Security
• Human nature
• physical, financial, mental,…, data and information security
13
There are Problems
• Theft - of equipment
• Theft – e.g. Copying of confidential material
• Modification - for gain – e.g. Adding false names to payroll
• Modification - malicious – e.g. Virus infections
• Access - easy for ‘us’ and difficult for ‘them’
• ….
14
Fact sheet
• bank robbery through computers
• industrial espionage on corporate information
• loss of individual privacy (email, mobile phone/computer, fax, ...)
• information vandalism
• computer viruses
• (more can be found in “comp.risks”)

15
What do we mean by Security?
• Protection of assets - can take several forms:
  • Prevention
  • Detection
  • Reaction
16
Reactions
• active research in security & privacy (numerous conferences each year)
• new laws
• education
• collaborations between governments, industries & academia
• employment of computer security specialists

17
What does that mean for computer assets?
• What are the assets (for system security)?
18
Information Security
• Shift from physical security to the protection of data (on systems) and to thwarting hackers (by means of automated software tools) – called system and information security
19
Network Security
• The widespread use of distributed systems, networks and communications requires protection of data during transmission – called network security
20
Internetwork security
• The term Network Security may be misleading, because virtually all businesses, government and academic organisations interconnect their data processing equipment with a collection of interconnected networks – we should probably call it (inter)network security
21
Aspects of System (and information) security
• Security attack – any action that compromises the security of system and information.
• Security mechanism – a mechanism to detect, prevent, or recover from a security attack.
• Security service – a service that enhances security and counters security attacks.

22
Other terminology
• vulnerability - a weakness in a computer system that might be exploited to cause loss or harm
• attack - an action that exploits a vulnerability
• threat - circumstances that have the potential to cause loss or harm
• control - a protective measure
23
Security mechanisms
• No single mechanism can provide all the services mentioned in the previous slide. However, one element that underlies most (if not all) security mechanisms is cryptographic techniques.
• Encryption or encryption-like transformations of information are the most common means of providing security.

24
Why Security?
• Security is not as simple as it might first appear.
• In developing a particular security measure one has to consider potential counter measures.
• Because of the counter measures, the problem itself becomes complex.
• Once you have designed the security measure, it is necessary to decide where to use it.
• Security mechanisms usually involve more than a particular algorithm or protocol.
25
Security and Cost Analysis
[Figure: plot with axes "cost" and "Security level"; one axis marked 100%]
26
Security Attacks - Taxonomy
• Interruption – attack on availability
• Interception – attack on confidentiality
• Modification – attack on integrity
• Fabrication – attack on authenticity
(the second term in each line is the property that is compromised)
27
Interruption
• Also known as denial of service.
• Information resources (hardware, software and data) are deliberately made unavailable, lost or unusable, usually through malicious destruction.
• e.g: cutting a communication line, disabling a file management system, etc.

28
Interception
• Also known as unauthorised access.
• Difficult to trace as no traces of intrusion might be left.
• e.g: illegal eavesdropping or wiretapping or sniffing, illegal copying.

29
Modification
• Also known as tampering with a resource.
• Resources can be data, programs, hardware devices, etc.

30
Fabrication
• Also known as counterfeiting (of objects such as data, programs, devices, etc).
• Allows authenticity checks to be bypassed.
• e.g: insertion of spurious messages in a network, adding a record to a file, counterfeit bank notes, fake cheques,…
• impersonation/masquerading to gain access to data, services etc.
31
Security Attacks - Taxonomy
Source and Destination - can be what is supposed to be and what you get
[Figure: five panels, each showing an Information Source and an Information Destination, titled Normal, Interruption, Modification, Interception and Fabrication]
32
Attacks – Passive types
• Passive (interception) – eavesdropping on, monitoring of, transmissions.
• The goal is to obtain information that is being transmitted.
• Types here are: release of message contents and traffic analysis.

33
Attacks – Active types
• Involve modification of the data stream or creation of a false stream and can be subdivided into – masquerade, replay, modification of messages and denial of service.
34
Attacks
• Passive
  • Interception (confidentiality)
    • Release of message contents
    • Traffic analysis
• Active
  • Interruption (availability)
  • Modification (integrity)
  • Fabrication (integrity)
35
Security threats (to maintain) are
• Confidentiality
• Integrity
• Availability
• Authenticity
to give us secure data (and information)
36
Confidentiality
• Only accessible by authorised parties
• Not revealed
• More than just not reading
• Confidentiality is distinct from secrecy and privacy (?)

37
Integrity
• Associated with loss and corruption
• Data Integrity as
  • Computerised data same as external, source data
  • Data not exposed to alteration or destruction
• No inappropriate modification
38
Availability
• The property of being accessible and useable (without delay) upon demand by an authorised entity
• We want there to be
  • no denial of service

39
Other issues
• Accountability
• Reliability
• Safety
• Dependability

40
Security is defined as
• Computer security deals with the prevention and detection of unauthorised actions by users of a computer system
• Security deals with the ready availability of valuable assets by authorised agents, and the denial of that access to all others

41
The security dilemma
• Security deals with the ready availability of valuable assets by authorised agents, and the denial of that access to all others.
• Security-unaware users have specific security requirements but (usually) no security expertise.
But
42
The security dilemma
• The costs of additional resources to implement security mechanisms can be quantified.
• Security mechanisms interfere with users, and can lead to loss of productivity.
• Managing security also costs.
• Need to perform risk analysis (which will be the next topic)

43
Principles of Security
• Principle of easiest penetration
  • an intruder will use any means of penetration
• Principle of timeliness
  • items only need to be protected until they lose their value
• Principle of effectiveness
  • controls must work, and they should be efficient, easy to use, and appropriate.
44
Layers of technology (and Onion Model)
[Figure: onion model with layers labelled Applications, Services, Operating System, Kernel, Hardware]
• In which layer should security mechanisms be placed?
• Should controls be placed in more than one layer?
• See slide 46 too.
45
Layers
• The presence of layers is a feature of technology
• Separate layers often perform very different functions
• Similar functions are combined in one layer
• The boundary between two layers is usually easily defined
• Layers can often be independently implemented
46
Vulnerabilities
• The three broad computing system resources are
  • hardware
    • interruption (denial of service), interception (theft)
  • software
    • interruption (deletion), interception, modification
  • data
    • interruption (loss), interception, modification and fabrication
47
One method of defence
• By controls
  • What should be the focus of the controls?
    • For example: should protection mechanisms focus on data or operations on that data or on the users who use the data?
  • Since there are layers of technology, where should controls apply?
    • Applications, services, operating systems, kernel, hardware.
48
Controls
• Can be applied at hardware, software, physical or policy level.
• Simple mechanisms or lots of features?
• Should defining and enforcing security mechanisms be a centralised function?
• How to prevent access to the layer below the security mechanism?

49
Examples of Controls
• Modern cryptology
  • Encryption, authentication code, digital signature, etc.
• Software controls
  • Standard development tools (design, code, test, maintain, etc)
  • Operating systems controls
  • Internal program controls (e.g: access controls to data in a database)
  • Firewalls
50
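Added example, not part of the lecture slides: the "authentication code" control listed above, built with Python's standard hmac module and checked against the attack taxonomy from the earlier slides. It shows that a message authentication code detects modification and fabrication, needs a sequence number to stop replay, and does nothing against interception. The key, message layout and sequence-number scheme are assumptions made for this illustration.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"  # secret shared by the two principals (constructed value)

def seal(seq: int, body: bytes, key: bytes = KEY) -> bytes:
    """Sender: prefix an 8-byte sequence number, append an HMAC-SHA256 tag."""
    msg = seq.to_bytes(8, "big") + body
    return msg + hmac.new(key, msg, hashlib.sha256).digest()

class Receiver:
    """Gate keeper at the destination: checks the tag, then the sequence number."""
    def __init__(self, key: bytes = KEY, check_replay: bool = True):
        self.key, self.check_replay, self.last_seq = key, check_replay, -1

    def accept(self, packet: bytes) -> str:
        if len(packet) < 8 + 32:
            return "rejected: malformed"
        msg, tag = packet[:-32], packet[-32:]
        expected = hmac.new(self.key, msg, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):  # constant-time comparison
            return "rejected: bad tag"
        seq = int.from_bytes(msg[:8], "big")
        if self.check_replay and seq <= self.last_seq:
            return "rejected: replay"
        self.last_seq = max(self.last_seq, seq)
        return "accepted"

def demo() -> dict:
    genuine = seal(1, b"pay alice 10")
    # Modification: body altered in transit, original tag left in place.
    modified = genuine[:-32].replace(b"10", b"99") + genuine[-32:]
    # Fabrication: a new message tagged without knowledge of the shared key.
    fabricated = seal(2, b"pay mallory 500", key=b"guessed-key")
    mac_only, strict = Receiver(check_replay=False), Receiver()
    return {
        "genuine": strict.accept(genuine),
        "modification": strict.accept(modified),
        "fabrication": strict.accept(fabricated),
        "replay_mac_only": (mac_only.accept(genuine), mac_only.accept(genuine)),
        "replay_with_seq": strict.accept(genuine),
        # Interception: the body travels in clear; a MAC gives no confidentiality.
        "interception_reads_body": b"pay alice 10" in genuine,
    }

if __name__ == "__main__":
    for attack, outcome in demo().items():
        print(f"{attack:24} {outcome}")
```

Interruption is outside what any cryptographic control can address, which is one reason the slides list several kinds of control.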
Examples of Controls
• Hardware controls
  • Security devices, smart cards, …
• Physical controls
  • Lock, guards, backup of data and software, thick walls, ….
• Security policies and procedures
• User education
• Law
51
Effectiveness of Controls
• Merely having controls does no good unless they are used properly. The factors that affect the effectiveness are
  • Awareness of protection
  • Likelihood of users
  • Overlapping controls
  • Periodic review
52
Model for network security
[Figure: two Principals, each with a Message and Secret Info., joined by an Information channel; a Trusted Third party; a Gate Keeper; Opponent – security threats and possible attacks]
[Borrowed from Stallings]
53
Two questions to ponder
• Having backup copies of the data – is it a solution to security?
• The internetwork security model (the previous slide) has the gate keeper at the receiver (or destination) end – why not at the sender (source)?

54