Security Systems Lecture notes Drs. Clifford Neuman University of Southern California Information Sciences Institute Copyright © 2003-2004 B. C. Neuman, - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Fall 2003 1 CSci530: Security Systems Lecture 1 – August 27, 2004 Dr. Clifford Neuman University of Southern California Information Sciences Institute Copyright © 2003-2004 B. C. Neuman, - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Fall 2003 2 Administration Class home page http://ccss.isi.edu/CSci530.html (or http://530.cliffordneuman.com) – Preliminary Syllabus – Assigned Readings – Lecture notes – Assignments Copyright © 2003-2004 B. C. Neuman, - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Fall 2003 3 Who gets in Class size is 120 students – Main room holds 70 50 will view from overflow room or through webcast. – Currently waiting list of about 30 Most will likely get in You must have given your name to the CS department for addition to the waiting list, or send mail to csci530@usc.edu. Copyright © 2003-2004 B. C. Neuman, - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Fall 2003 4 Structure of lecture Classes from 9:00 AM – 11:50 AM – 10-15 minute break halfway through – Final 15 minutes for discussion of current events in security. Copyright © 2003-2004 B. C. Neuman, - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Fall 2003 5 Administration Class e-mail: csci530@usc.edu Instructors – Dr. Clifford Neuman – Office hours Friday 1:30-2:30 TAs – Ho Chung – Office hours Tuesday 9:00 - Noon – Second TA to be determined Copyright © 2003-2004 B. C. Neuman, - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Fall 2003 6 Administration A separate 1 unit lab class is available as a CS590 Advanced Security Systems http://www-scf.usc.edu/~csci590 – Provides hands on experience with systems discussed in class. – Developed jointly with this class. – May take concurrently, or in subsequent semester. Copyright © 2003-2004 B. C. Neuman, - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Fall 2003 7 Administration Grading – Reading reports: 5,5,5 – Exams: 25,25 – Research paper, 35 – Class participation (up to 15% bonus) Copyright © 2003-2004 B. C. Neuman, - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Fall 2003 8 Blackboard Using the DEN Blackboard system – Go to http://den.usc.edu – Click “for on campus students” – Follow the instructions to obtain your Blackboard password for the DEN site. – Contact webclass@usc.edu if you have difficulty gaining access to the system. Experimental interactive features for discussion will be added within a couple weeks. Copyright © 2003-2004 B. C. Neuman, - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Fall 2003 9 Class Participation This is a large class, but I will promote discussion as if it were smaller. – Class participation is important. Either by asking or answering questions in class. Or by asking, answering, and participating in discussion online. – Bonus for class participation If I don’t remember who you are from lecture or office hours, then I go back and look at participation in the web forums, and what kinds of participation. – Did you ask good questions. – Did you provide good answers to others that did not duplicate earlier answers. – Did you make good points in discussions. Copyright © 2003-2004 B. C. Neuman, - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Fall 2003 10 What is security System, Network, Data – What do we want to protect – From what perspective How to evaluate – Balance costs to protect with costs of compromise – Balance costs to compromise with benefit to attacker. Security vs. Risk Management – Prevent successful attacks vs. mitigate the consequences. It’s not all technical Copyright © 2003-2004 B. C. Neuman, - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Fall 2003 11 Why we aren’t secure Buggy code Protocols design failures Weak crypto Social engineering Insider threats Poor configuration Incorrect policy specification Stolen keys or identities Denial of service Copyright © 2003-2004 B. C. Neuman, - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Fall 2003 12 What do we want from security Confidentiality – Prevent unauthorized disclosure Integrity – Authenticity of document – That it hasn’t changes Availability – That the system continues to operate – That the system and data is reachable and readable. Enforcement of policies – Privacy – Accountability and audit – Payment Copyright © 2003-2004 B. C. Neuman, - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Fall 2003 13 The role of policy in security architecture Policy – Defines what is allowed and how the system and security mechanisms should act. Enforced By Mechanism – Provides protection interprets/evaluates (firewalls, ID, access control, confidentiality, integrity) Implemented as: Software: which must be implemented correctly and according to sound software engineering principles. Copyright © 2003-2004 B. C. Neuman, - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Fall 2003 14 Security Mechanisms Encryption Virtual Private Nets Checksums Intrusion detection Key management Intrusion response Authentication Development tools Authorization Virus Scanners Accounting Policy managers Firewalls Trusted hardware Copyright © 2003-2004 B. C. Neuman, - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Fall 2003 15 Today’s security deployment Most of the deployment of security services today handles the easy stuff, implementing security at a single point in the network, or at a single layer in the protocol stack: – Firewalls, VPN’s – IPSec – SSL Unfortunately, security isn’t that easy. It must be better integrated with the application. – At the level at which it must ultimately be specified, security policies pertain to application level objects, and identify application level entities (users). Copyright © 2003-2004 B. C. Neuman, - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Fall 2003 16 Security Systems vs Systems Security INTRUSION DETECTION UNDER ATTACK Firewalls Integration of dynamic security services creates feedback path enabling effective response to attacks POLICY Web Servers Databases IPSec EACL GAA API Authentication … Copyright © 2003-2004 B. C. Neuman, - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE SECURITY AUDIT RECORDS Fall 2003 17 Current event – What is security relevant here From: Copyright_Compliance@usc.edu Date: August 26, 2004 Subject: Copyright Compliance Notice Dear Student: This e-mail is being sent to all students at USC to make sure that they have the same information about copyright compliance. … Furthermore, infringing conduct exposes the infringer to serious legal penalties. In response to the growth of infringement through P2P networks, the recording and motion picture industries have increased their efforts to identify and stop those who download unauthorized music and video files. Organizations such as the Recording Industry Association of America (RIAA) and the Motion Picture Association of America (MPAA) can and do monitor P2P users, obtaining "snapshots" of the users' Internet protocol addresses, the files they are downloading or uploading from their P2P directories, the time that downloading occurs, and the Internet service provider (ISP) through which the files travel. (Gathering this information is not a violation of the users' privacy rights, because the user has voluntarily made his or her P2P directory available for public file sharing.) … Copyright © 2003-2004 B. C. Neuman, - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Fall 2003 18