1 / 44

Lecture 1: Information Security Overview

Lecture 1: Information Security Overview. SYCS 653 – Fall 2009 Wayne Patterson. Attack of the Giant Worm.

farhani
Download Presentation

Lecture 1: Information Security Overview

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Lecture 1: Information Security Overview SYCS 653 – Fall 2009 Wayne Patterson

  2. Attack of the Giant Worm • On November 2, 1988, a worm began to thread its way through the Internet. Once installed, it multiplied, clogging available space, until computers ground to a halt. The worm exploited UNIX holes in sendmail and fingerd. Around 2500 computers were infected.Within 12 hours, the Computer Systems Research Group at Berkeley developed a way of stopping the spread of this worm.Total Cost? Although no data were destroyed, the time involved in fixing and testing was estimated to be between $1,000,000 and $100,000,000.

  3. Robert J. Morris, a Cornell graduate student in computer science, was convicted on May 4, 1990 to 3-year probation and a $10,000 fine. “I'm at the MIT Computer Science and Artificial Intelligence Laboratory (CSAIL) in the PDOS group. The Culprit?

  4. First National Attack • For the first time, a national attack on the Internet was exposed. • As a result, the Computer Emergency Response Team (CERT), at the Software Engineering Institute of Carnegie Mellon University was developed.

  5. Other Examples • Some other examples of destructive computer behavior include:Cuckoo’s Egg: Clifford Stoll spent a year tracking down a hacker in West Germany who had successfully penetrated 30 computers, including the Lawrence Berkeley Labs, and other government computers. (The Cuckoo's Egg: Tracking a Spy through the Maze of Computer Espionage by Cliff Stoll, Doubleday 1989.)

  6. Other Examples • HBO: In April of 1986, an HBO channel was taken over by an intruder known as Captain Midnight, who overpowered the HBO uplink transmitter signal with a stronger signal, and sent out his own messages to eight million viewers. • Friday the 13th: A student at Hebrew University in Jerusalem discovered that thousands of university computers were infected with a virus. The virus slowed down processing on certain Fridays the 13th and was scheduled to erase the hard disks of many computers on May 13, 1988.

  7. Computer Crime • According to the FBI, computer crime is the most expensive form of crime, at $450,000 per theft. The estimated total volume of computer crime is $5,000,000,000 per year. • Some reports estimate that 90% of computer crime goes unreported. • (See http://www.usdoj.gov/criminal/cybercrime/cccases.html, the Computer Crime & Intellectual Property Section of the US Department of Justice, Computer Crime Cases.)

  8. What is Computer Security? • Computer security is designed to protect your computer and everything associated with it --- the building, the workstations and printers, cabling, and disks and other storage media. Most importantly, computer security protects the information stored in your system. • Computer security is not only designed to protect against outside intruders who break into systems, but also dangers arising from sharing a password with a friend, failing to back up a disk, spilling a soda on a keyboard.There are three distinct aspects of security: secrecy, accuracy, and availability. • Having said this, we should emphasize that “Information Security” or “Cybersecurity” is more up-to-date terminology, since rarely are we concerned with the protection of a single computer system.

  9. Secrecy • A secure computer system must not allow information to be disclosed to anyone who is not authorized to access it. In highly secure government systems, secrecy ensures that users access only information they’re allowed to access. • In business environments, confidentiality ensures the protection of private information such as payroll data.

  10. Accuracy, Integrity, and Authenticity • A secure computer system must maintain the continuing integrity of the information stored in it. Accuracy or integrity means that the system must not corrupt the information or allow any unauthorized malicious or accidental changes to it. • In network communications, a related variant of accuracy known as authenticity provides a way to verify the origin of data by determining who entered or sent it, and by recording when it was sent and received.

  11. Availability • A secure computer system must keep information available to its users. Availability means that the computer system’s hardware and software keeps working efficiently and that the system is able to recover quickly and completely if a disaster occurs.The opposite of availability is denial of service. Denial of service can be every bit as disruptive as actual information theft.

  12. Threats to Security • There are three key words that come up in discussions of computer security: • vulnerabilities, • threats, and • countermeasures. • A vulnerability is a point where a system is susceptible to attack. • A threat is a possible danger to the system: e.g. a person, a thing (a faulty piece of equipment), or an event (a fire or a flood). • Techniques for protecting your system are called countermeasures.

  13. Vulnerabilities • Examples: physical vulnerabilities natural vulnerabilities hardware and software vulnerabilities media vulnerabilities emanation vulnerabilities communications vulnerabilities human vulnerabilities • There is a lot of variation in how easy it is to exploit different types of vulnerabilities. For example, tapping a cordless telephone or a cellular mobile phone requires only a $199 scanner from Radio Shack.

  14. Threats • Threats fall into three main categories: natural threats unintentional threats intentional threatsThe intentional threats can come from insiders or outsiders. Outsiders can include: foreign intelligence agents terrorists criminals corporate raiders crackers

  15. Inside or Outside? • Although most security mechanisms protect best against outside intruders, survey after survey indicates that most attacks are by insiders. Estimates are that as many as 80% of system penetrations are by fully authorized users.

  16. The Insider • There are a number of different types of insiders: disgruntled employee, the coerced employee, and the greedy employee. One of the most dangerous types of insiders may simply be lazy or untrained. He or she doesn’t bother changing passwords, doesn’t learn how to encrypt files, doesn’t get around to erasing old disks, and leaves sensitive printout in piles on the floor.

  17. Countermeasures • There are many different types of countermeasures ,methods of protecting information. In the next several lectures, we will survey these methods: computer security communications security physical security

  18. Information and Its Controls • Information security is almost as old as information itself. • innovations are inevitably followed by methods of harnessing the new technologies and protecting the information they process. • within five years of the introduction of the telephone in 1881, a patent applications was filed for a voice scrambler; • in the 1920s, the use of telephone wiretaps by government and criminals resulted in a public outcry, leading to legislation banning most wiretapping; • in the 1940s, concerns about controlling the proliferation of information about atomic energy led to the Atomic Energy Act of 1946. This act created a Restricted Data category of information requiring special protection.

  19. Debates • One ongoing debate in the computer security world is over the government’s restriction of technological information. • The government needs to protect certain kinds of information, such as national defense data. • Particular security technologies, for example, cryptology, are very effective at safeguarding such information. Should the government be able to control who can and cannot buy such technologies? • Another debate concerns the involvement of the government in mandating the protecting of nongovernment information.

  20. Computer Security: Then and Now • In the early days of computing, computer systems were large, rare, and very expensive. Those organizations lucky enough to have a computer tried their best to protect it. Computer security was just one aspect of general plant security. • Security concerns focused on physical break-ins, theft of computer equipment, and theft or destruction of disk packs, tape reels, and other media. • Insiders were also kept at bay. Few people knew how to use computers, and thus the users could be carefully screened.

  21. Later On • By the 1970s, technology was transformed, and with it the ways in which users related to computers and data. Multi-programaming, time-sharing, and networking changed the rules. • Telecommunications --- the ability to access computers from remote locations --- radically changed computer usage. Businesses began to store information online. Networks linked minicomputers together and with mainframes containing large online databases. Banking and the transfer of assets became an electronic business.

  22. New Abuses • The increased availability of online systems and information led to abuses. Instead of worrying only about intrusions by outsiders into computer facilities and equipment, organizations now had to worry about • computers that were vulnerable to sneak attacks over telephone lines, and • information that could be stolen or changed by intruders who didn’t leave a trace. • Individuals and government agencies expressed concerns about the invasion of privacy posed by the availability individual financial, legal, and medical records on shared online databases.

  23. The PC World • The 1980s saw a new dawn in computing. With the introduction of the PC, individuals of all ages and occupations became computer users. This technology introduced new risks. Precious and irreplaceable corporate data were now stored on diskettes, which could now be lost or stolen. • As PCs proliferated, so too did PC networks, electronic mail, chat rooms, and bulletin boards, vastly raising the security stakes. The 1980s also saw systems under attack.

  24. The Future • The challenge of the next decade will be to consolidate what we’ve learned --- to build computer security into our products and our daily routines ,to protect data without unnecessarily impeding our access to it, and to make sure that both products and standards grow to meet the ever-increasing scope of challenge of technology.

  25. Introduction to Crypto

  26. The Cast of Characters • Alice and Bob are the good guys • Trudy is the bad guy • Trudy is our generic “intruder”

  27. Alice’s Online Bank • Alice opens Alice’s Online Bank (AOB) • What are Alice’s security concerns? • If Bob is a customer of AOB, what are his security concerns? • How are Alice and Bob concerns similar? How are they different? • How does Trudy view the situation?

  28. CIA • Confidentiality, Integrity, and Availability • AOB must prevent Trudy from learning Bob’s account balance • Confidentiality: prevent unauthorized reading of information

  29. CIA • Trudy must not be able to change Bob’s account balance • Bob must not be able to improperly change his own account balance • Integrity: prevent unauthorized writing of information

  30. CIA • AOB’s information must be available when needed • Alice must be able to make transaction • If not, she’ll take her business elsewhere • Availability: Data is available in a timely manner when needed • Availability is a “new” security concern • In response to denial of service (DoS)

  31. Beyond CIA • How does Bob’s computer know that “Bob” is really Bob and not Trudy? • Bob’s password must be verified • This requires some clever cryptography • What are security concerns of pwds? • Are there alternatives to passwords?

  32. Beyond CIA • When Bob logs into AOB, how does AOB know that “Bob” is really Bob? • As before, Bob’s password is verified • Unlike standalone computer case, network security issues arise • What are network security concerns? • Protocols are critically important • Crypto also important in protocols

  33. Beyond CIA • Once Bob is authenticated by AOB, then AOB must restrict actions of Bob • Bob can’t view Charlie’s account info • Bob can’t install new software, etc. • Enforcing these restrictions is known as authorization • Access control includes both authentication and authorization

  34. Beyond CIA • Cryptography, protocols, and access control are implemented in software • What are security issues of software? • Most software is complex and buggy • Software flaws lead to security flaws • How to reduce flaws in software development?

  35. Beyond CIA • Some software is intentionally evil • Malware: computer viruses, worms, etc. • What can Alice and Bob do to protect themselves from malware? • What can Trudy do to make malware more “effective”?

  36. Beyond CIA • Operating systems enforce security • For example, authorization • OS: large and complex software • Win XP has 40,000,000 lines of code! • Subject to bugs and flaws like any other software • Many security issues specific to OSs • Can you trust an OS?

  37. The Textbook • The text consists of four major parts • Cryptography • Access control • Protocols • Software • In this course, we will address the first two of these (the others in 654)

  38. Cryptography • “Secret codes” • The book covers • Classic cryptography • Symmetric ciphers • Public key cryptography • Hash functions • Advanced cryptanalysis

  39. Access Control • Authentication • Passwords • Biometrics and other • Authorization • Access Control Lists and Capabilities • Multilevel security (MLS), security modeling, covert channel, inference control • Firewalls and Intrusion Detection Systems

  40. Think Like Trudy • In the past, no respectable sources talked about “hacking” in detail • It was argued that such info would help hackers • Very recently, this has changed • Books on network hacking, how to write evil software, how to hack software, etc.

  41. Think Like Trudy • Good guys must think like bad guys! • A police detective • Must study and understand criminals • In information security • We want to understand Trudy’s motives • We must know Trudy’s methods • We’ll often pretend to be Trudy

  42. Think Like Trudy • Is all of this security information a good idea? • “It’s about time somebody wrote a book to teach the good guys what the bad guys already know.”  Bruce Schneier

  43. Think Like Trudy • We must try to think like Trudy • We must study Trudy’s methods • We can admire Trudy’s cleverness • Often, we can’t help but laugh at Alice and Bob’s stupidity • But, we cannot act like Trudy

  44. In This Course… • Always think like the bad guy • Always look for weaknesses • Strive to find a weak link • It’s OK to break the rules • Think like Trudy! • But don’t do anything illegal…

More Related