Add to collection(s) Add to saved
  1. Engineering & Technology
  2. Computer Science
  3. Computer Networks

Introduction to Computer and Network Security 15-349

advertisement 
15-349
Introduction to Computer and
Network Security
Iliano Cervesato
3 September 2012
This Lecture
• No scare tactic!
• What is computer security
• Course presentation
• Risks of computing
Why Computer Security?
Because computing resources and data are valuable
• Value of resources
 Physical entities
 Computing time / disk space / network connections
 System being off-line
• Value of data





Passwords
Credit cards
Contact list
Trade secrets
Military secrets, …
• How valuable?
Digital assets
 In the eye of the beholder
 The owner
 The attacker
Reasons for an Attack
What kind of value can an attacker get?
• A good laugh
• Bragging
• Embarrassment
 Discredit victim
• Inconvenience
 Sometimes huge
• Monetary gain
 Sometimes huge
• Personal safety
Attacking what, exactly?
Soft boundaries:
• Computer systems
 Hardware
 Software
 Data
• Information systems
• Is a program software or data?
• What is firmware?
• FPGA settings?
 (networked) computer systems
 Processes
Digital assets
 Goals/objectives
 People
Business aspects
Is it a Problem in Qatar?
• Qatar has digital assets!
 Virus attack takes down RasGas
computer systems (30 August 2012)
• Attacks happen
all the time
• Constant vigilance
 Q-CERT
Difference from Physical World
What makes protecting digital assets hard?
• Complexity of digital systems
 Lots of opportunities
 Attacker just needs to find one entry point
 Defender must protect them all
• No need for physical proximity
 Not even being in the same country
• Computing monoculture
 Low marginal cost
• Speed of aggression
 Defense takes time
Windows, MacOS, Linux
iOS, Android, WebOS
Course presentation
Course Logistics
• Time and place
 Lectures: Mo, We, 10:00-11:20 (1031)
 Recitations: Th 10:30-11:20 (1031)
• 3 instructors [Thierry, Iliano, Khaled]
• Web page: http://www.qatar.cmu.edu/cs/15349
• Readings:
 Textbook
 Smith, Marchesini
 Articles on the web site
 Article in the news
15-349
• Description:
 Intro course to computer & network
security
 Very broad
 Not very deep
 Theory <----------------------> Practice
• Objectives:
 Understand basic concepts in security
 Read newspaper/magazine articles
critically
Course organization
• 5 parts
1.
2.
3.
4.
5.
Intro (this week)
Applied cryptography
Program security, OS security and Trusted systems
Network security
Beyond technology




Discussions
Movies
Teacher for a day
Guest lectures
• Recitations
• Movie nights
 (date TBA)
Assessment
• Participation: 10%
 Class discussion
 Movie nights
• Quizzes: 20%
 Weekly
• Presentation: 15%
• Assignments: 55%




Crypto: 15%
Program security: 15%
Network security: 15%
Beyond technology: 10%
• No midterm, final!
Security is about
resourcefulness
You are expected to
go far and beyond
Prospects after 15-349
• Take more security courses
 In Pittsburgh
• Get a computer security job
 2 students so far
• Keep on hacking
 1 student so far
Let’s get started for real…
Computer & Network Security
Overview
The Security Game
Information and resources have value
• Attacker
 Appropriate the value of somebody
else’s digital assets
• Defender
 Protect digital assets from attackers
 Prevent attacker from appropriating
value
The Security Theater
Weakness in
the system
Possibility
of damage
Threats
enables
Vulnerabilities
Mitigates
Neutralizes
Countermeasures
Limits possibility
or consequence
of damage
Exploits
Disables
Mitigates
Diffuses
Attacks
Exploitation of a
vulnerability to
realize a threat
Example
• Threat
 Student setting own grade on Blackboard
• Vulnerabilities
 Weak passwords
 Incorrect permissions
 Soft IT guy
• Attacks
 Crack password
 Ask IT guy to weaken permissions
• Countermeasures




Authentication mechanisms
File protection (access control, access login)
Training
Punishments
Some Threats
[Defense Science Board]
• Unintended blunders
• Hackers driven by technical challenge
• Disgruntled employees or customers
• Petty criminals
• Organized crime
• Organized terror groups
• Foreign espionage agents
• Information warfare
Who are the Attackers?
• People making mistakes
 Unintentional blunder
• Geeks driven by technical challenge
 Show it can be done
 Often no damage besides planting a flag
 Generally very innovative
• Insiders
 Disgruntled employees
 Employees exploiting the company
• Organized crime
 Adware, span, fraud, DoS for ransom, …
 More and more sophisticated
 More and more of a problem
• States
 Very sophisticated
 From blocking sites to industrial/military espionage
• Script kiddies
 Unsophisticated
 Unknowledgeable, dumb
Is an Attack a Crime?
• Only if some law is broken
 Legal framework busy catching up with the
digital age
 Tendency to blame hackers for everything
• Does it matter?
 Law enforcement can help in case of crime
 Can be too little too late
 Whether illegal or not, one wants to set up
defenses against cyberattacks
• Legal system is reactive
• Technology/business are opportunistic
The CMU Computing Policy
• Rules that regulate allowed use of
computing resources
 No breaching security
• Is it enforceable?
 Yes! If caught, lots of trouble
• Does it mean that security mechanisms are
not needed?
 Needed to make enforcement manageable
 Needed because data/resources are valuable
beyond punishment
 Needed because policy applies only to CMU
students/faculty/staff
Systems don’t meet their functional requirements
Unintended Behaviors
and remedies
• Environmental disruptions
⇒ Fault-tolerant architecture
⇒ Stronger interfaces
• Operator errors
⇒ Education and training
⇒ Better human-computer interfaces
• Poor design/implementation (bugs)
⇒ Languages and tools
⇒ Testing and verification
• Deliberate attacks
⇒ Lower expectations
⇒ Security engineering

This course
Correctness vs. Security
• Correctness: satisfy specifications
 For reasonable inputs,
get reasonable output
• Security: resist attacks
 For unreasonable inputs,
output not completely disastrous
• Main difference
 Active interference from the environment
Stochastic vs. Malicious Events
Incorrect system
• Bugs manifest at
random
Insecure system
• Once discovered, a
vulnerability is
attacked over and over
Let’s play
• Can we redraw this graph so that the
edges don’t intersect?
Let’s play
• What about this one?
The Thrill of Computer Security
Thinking outside of the box!
• Exciting for geeky
attackers
• Exciting for
security
researchers
Imagined
Anticipated
Is Cryptography the Solution?
Cryptography is not the same as security
 No crypto in this lecture
 85% of all CERT advisories cannot be fixed by crypto
 30-50% of recent security holes from buffer overflow
Computer Security
Operating
systems
Cryptography
Mathematics
Psychology
Networking
Programming
languages
Law
Economics
Human
computer
interaction
Related documents
Diapositive 1
Diapositive 1
Introduction to Computer and Network Security 15-349 Iliano Cervesato
Introduction to Computer and Network Security 15-349 Iliano Cervesato
Computer Security
Computer Security
Network Security
Network Security
Side-Channel Resistant Cryptography on FPGAs
Side-Channel Resistant Cryptography on FPGAs
Availability
Availability
CS5412: DANGERS OF CONSOLIDATION Lecture XXIII Ken Birman
CS5412: DANGERS OF CONSOLIDATION Lecture XXIII Ken Birman
ppt-mod-1 introduction to network security
ppt-mod-1 introduction to network security
Common Types of Network Attacks
Common Types of Network Attacks
IRJET- Survey on Web Application Vulnerabilities
IRJET- Survey on Web Application Vulnerabilities
Attacks and Defences
Attacks and Defences
UNIT-1 cns
UNIT-1 cns
Download
advertisement