Add to collection(s) Add to saved
  1. Social Science
  2. Psychology
  3. Forensic Psychology

Computer Security

advertisement 
Cosc 4765
Security?
This system is secure.
•
•
•
•
•
•
•
This will make your network secure
We have secure e-commerce.
What does that mean?
Secure from what or whom?
Secure from an employee theft?
Secure from Social Engineering?
Secure from a small explosion in the hallway?
Security?
• Involves people:
– Things people know, relations between people
and how they relate to computers
• Digital Security
– involves computers
• complex, unstable, and buggy
People and computers
• Computers are mathematical in nature.
– Math is perfect, reality is subjective
– Math is defined and computers are ornery
– Math is logical, while people are erratic,
capricious, and barely comprehensible.1
• Security is fundamentally a people problem!
Why aren't computers secure?
• And why aren't applications secure?
• Computer companies are businesses.
– They do a risk assessment and figure what is the most cost
effective way to get their product to market.
– Software manufacturers are not hold held accountable for
their products
• Microsoft has not been found at fault once for a breach into a
computer running a windows product. Some bad press, but little else.
• Instead, their stock goes up with a new release of their O/S.
– But a bank using that software, could go under because of
security breach.
Security and people
• Increased security annoys users!
• Think about the security that has been
implemented on campus.
– How often have you complained about it?
– Complained about the things you can't do
anymore?
Security and economics
• If CEO of Microsoft walked into the
boardroom and said the next version of
Windows will be secure, but cut the
companies earning by one third.
– The board will fire him.
• On the other hand, bad press goes away
– Have several press conferences saying "security
is our top priority".
Security and economics
• Example: Firewalls
– There are everywhere. Over last 10 years more
companies and people are using firewalls
– Many are so badly configured that they are barely effective
» May actually cause more problems
– Everyone is on the firewall bandwagon.
– Why?
• All the best practices guide say to use one.
• Economically they work, because of lawsuits.
– Because they are following the guides, so they are making a
best attempt at security, even if they are broken into.
Vulnerabilities
• Hardware and physical
– In the computer itself secure?
• Software
– Bugs, modifications, viruses, trojan horses, logic
bombs, back doors, information leaks, etc.
• Data
– Leaks and badly formed (accidentally or intentional)
• Network
– Physical, hardware, software, data, etc.
• People
The nature of attacks
• The nature of attacks haven't really changed
much (digital and real world):
– embezzlement, theft, robbery, invasion of
privacy, and identity theft.
– racketeering, vandalism, voyeurism,
exploitation, extortion, con games, and fraud.
– stalking, and physical harm
Computer attacks
•
The real difference from real world attacks and
computer attacks is these three:
1. more widespread and common
•
automation is the key.
2. harder to track, capture, and convict the attackers
•
because they may not even be in the country, let alone in
town where the "attack" happened.
3. More devastating.
•
with automation you can do more in a shorter time.
Computer attacks (2)
• Technique Propagation
– Physical techniques are harder to master and
the people must be able learn how to do it.
– computer attacks can be done by people with
little knowledge or expertise
• publish a script and 1,000s will attempt.
– script kiddies. Common for people to make simple
modifications to viruses as well.
The nature of Adversaries
• Who are these people?
– Hackers, criminals, businesses, governments?
– Basically they are the same as in the real world
•
•
•
•
•
•
Criminals looking for easy money
thieves and robbers
industrial spies stealing secrets
intelligence agencies looking for “intelligence”
hackers looking for the “secret knowledge”
People wanting to make a “social statement”
The nature of Adversaries (2)
• Sometimes easier to think of them by what
do/want:
–
–
–
–
–
Raw damage
Malicious insiders
Financial gain
Information
publicly.
Different types of attackers
• Amateurs and Insiders:
– Usually people who never had intent to attack a system, but
observe a weakness and take advantage of it
– Often they are insiders who may become disgruntled or greedy and
abuse their power, other times it is much more innocuous
– Examples:
• A user notices opening disk and cpu accounting policies, so they use
the computer system at work for their own purposes.
• A programmer inserts a backdoor so that they may access the system
later without being noticed
– Not all insiders are necessarily amateurs. Sometimes (rarely) they
are hired as spies or by organized crime to infiltrate organizations.
Different types of attackers (2)
• The Script Kiddie
– Usually teenaged kids, not very smart. Sometimes they can be
University or even Graduate Students!
– Get packaged up “scripts” of exploits from various sources
– IRC Channels, Web Pages, Friends
– Often make many mistakes
• Typing/spelling errors
• Typing “dir” at a UNIX prompt
• May unintentionally ruin a machine after getting in
– Usually have a bag of (old) exploits
– Will persistently scan for vulnerable machines
– Not a problem as long as you are patched and ready
Different types of attackers (3)
• The Professional Hacker/Black Hat
– Usually someone with in-depth knowledge
– Can create new exploits (zero day exploits)
– May have various motives
• Hack for fun, Money, Fame, Politically motivated
– Will often distribute exploits to Kiddies after
they’ve been discovered
• Their tracks will get lost in the noise
Security Needs
• Generally, what kinds of security are
necessary:
– multilevel security
• Not all data is created equal.
– authentication
• Who are you? origin of data?
– integrity
• is it real? has it been tampered with?
– Audit
• logs, verification, and such
Security Needs (2)
– privacy
• Hotly debated!
• Government argues against this one regularly.
– anonymity
• personal, medical, commercial
5 Security Design questions
1. In a given application should the protection
mechanisms in a computer focus on data,
operations, or users?
2. In which layer of the computer system
should a security mechanism be placed?
3. Do you prefer simplicity and higher
assurance – to a feature rich security
environment?
5 Security Design questions (2)
4. Should the tasks of defining and enforcing
security be given over to a central entity or
left to individual components?
5. How can you prevent an attacker from
getting access to a layer below the
protection mechanism?
A Good Security System
• A mixture of the following:
– Prevention
– Detection
– Response
Back to the Question:
What is Computer Security?
• Security can be defined by these three terms:
– Confidentiality
• Only those who are authorized to access the system and/or data
– Integrity
• The system is functioning the way we except it to
• The data is accurate and what is excepted.
– Availability
• It is usable, responds in a timely matter, and meets the
service’s needs.
• Where these three intersection is one definition of
computer security.
Cryptography
• Many argue this is the answer to our "security
problems", prevention at the very least.
• Many other argue around this type of statement:
– Cryptography is rarely ever the solution to a security
problem. Cryptography is a translation mechanism,
usually converting a communications security problem
into a key management problem and ultimately into a
computer security problem. Hopefully, the resulting
problem is easier to solve than the original problem. In
summary, cryptography can enhance computer security;
it is not a substitute for computer security.2
A little history
• In the early 90s, most said there was little
need for cryptography in computer security.
– It was all about the Trust Computer Base
(TCB)
– Monitors, discretionary and mandatory access
control, and formal verification of security
models and systems
• Now, in many ways it is the other extreme.
– Why has it changed?
References
• Computer Security, Dieter Gollmann, Wiley, 2003
• Secrets & lies Digital Security in a Networked
World, Bruce Schneier, Wiley, 2004
• Practical Cryptography, Ferguson & Schneier,
Wiley, 2003
• Security in Computing, Pfleeger & Pfleeger,
Prentice Hall, 2003
Q&A
Related documents
1. Introduction to Ethical Hacking
1. Introduction to Ethical Hacking
Diapositive 1
Diapositive 1
HardCrypto
HardCrypto
Side-Channel Resistant Cryptography on FPGAs
Side-Channel Resistant Cryptography on FPGAs
Introduction to Computer and Network Security 15-349
Introduction to Computer and Network Security 15-349
plaintext version
plaintext version
Course outline Data security and Cryptography
Course outline Data security and Cryptography
Lecture 3
Lecture 3
01 Overview of security
01 Overview of security
William Stallings, Cryptography and Network Security 5/e
William Stallings, Cryptography and Network Security 5/e
Download
advertisement