
CC 551 Computer and Network Security

Computer and Communication Engineering Department

Specialized Scientific Programs (SSP)

Fall 2015

Bassem Mokhtar, Ph.D.

Assistant Professor

Department of Electrical Engineering

Faculty of Engineering

Alexandria University

Introduction 1-1

Agenda

Course Overview

Introduction to network and computer security

Introduction 1-2

Course Information

Instructor: Dr. Bassem Mokhtar

Office hours: Thursdays (10:30 am to 11:30 am)

Location: office room 4-4-F132

Teaching Assistants: Eng. Ahmed Shokry and Eng. Noran Ossama

Lecture hours: 2 (one lecture weekly, Thursdays)

Location: C39

Tutorial and lab hours: 4 (one tutorial class and lab weekly)

Course website: http://eng.alexu.edu.eg/~bmokhtar/courses/network_security/fall_2015/net_security.htm

Introduction 1-3

Course Outline

Covering principles of computer systems and network security

Discussing various attack techniques and how to defend against them

Topics include network attacks and defenses, operating system holes, web security, e-mail, botnet, malware, social engineering attacks, privacy, and digital rights management

Introduction 1-4

Course Objectives

Having successfully completed this course, the student will be able to describe:

(a) The basics of network and computer security (architecting for security):

- Securing applications and operating systems

- Isolation, authentication, and access control

(b) Network security (defending against a network attacker):

- Security within an IP network at different levels (physical, transport, application, ...)

- Monitoring and architecting secure networks

(c) Web security (defending against a web attacker):

- Building robust web sites

- Understanding the browser security model

Introduction 1-5

Different Computer and Network Security Tracks

Introduction 1-6

Prerequisites

Course: CC 451 Computer Networks

Basic understanding of:

- Operating systems and networking protocols

- Programming languages (C++, JavaScript, etc.)

Introduction 1-7

References

Lecture notes

J. Joshi et al., Network Security: Know It All, Morgan Kaufmann, 2008 (used for a portion of the course)

C. Kaufman, R. Perlman, and M. Speciner, Network Security: Private Communication in a Public World, 2nd Edition, Prentice Hall, 2002 (used for a portion of the course)

W. Stallings, Cryptography and Network Security, 5th Edition, 2011 (used for a portion of the course)

Other supplementary readings

Introduction 1-8

Assessment

Quizzes: 5%

Assignments: 10%

Midterm exam: 20%

Project: 15% (submitting a project paper and related codes and simulation results)

Final exam: 50%

Introduction 1-9

Project

The final project will run in parallel with the course. Each team (up to five students per team) will freely choose a network security-related topic (not covered in the course).

The topic will be chosen by the team on a first-come first-served (FCFS) basis (no more than one team per topic).

The team will need to do more extensive searching for the latest research work concerning the selected topic.

Each team will prepare and submit a project paper (using WORD or LATEX) which provides a qualitative study of their topic, including:

- Motivation for selecting the topic

- Discussion of the current research contributions related to the selected topic

- Discussion of the major challenges related to the selected topic

- Table of performance measure metrics for the related topic

- Table of comparison which compares existing solutions/work concerning the selected topic

- Evaluation scenarios which describe case studies related to the topic

- Design of a simple simulation scenario using any simulation tool or programming language, with the code submitted

- Citation of all referenced work, figures, etc.

-> You can add other issues based on your selected topic

Each team must work on a different topic.

Teams will present their project, and the projects will be discussed.

Introduction 1-10

Project Topics and Related Tools (Examples)

Account and password management; PAM, password cracking.

Logging and auditing; setting up a log server.

Network security reconnaissance attack; ping, nmap.

Packet sniffers; Ethereal.

Intrusion detection systems; Snort.

Configuring common services; IIS, Apache, OpenSSH, WU-FTP.

Backdoor attacks; netcat, vnc.

Firewalls; IPtables.

Security analysis and configuration tools; Nessus, Microsoft Baseline Security Analyzer, Bastille.

Attacks in special networks such as wireless sensor networks; ns-2.

Introduction 1-11

Finally: Interaction

In class, participation is highly recommended.

Questions, comments, disagreements, debates ... are highly encouraged.

Introduction 1-12

Introduction

“Security” relates to “computing or communicating in the presence of adversaries”

Typically involves an “information system”: PC, network of computers, cell phone, email, ATM, car, smart grid, RFID, wireless link, medical device, ...

Security relates to a “security objective” or “security policy”: What is being prevented? What activities or events should be prevented/detected?

Introduction 1-13

Introduction

Security policy is usually stated in terms of:

Principals (actors or participants, perhaps in terms of their roles)

Giving permissible (or impermissible) actions or operations

Examples:

“Each registered voter may vote at most once.”

“Only an administrator may modify this file.”

“The recipient of an email shall be able to authenticate its sender.”

Introduction 1-14

Introduction

Goals of security policies often fall into one of three classic categories (“CIA”):

Confidentiality: information should not be disclosed to unauthorized parties

Integrity: information should not be modified in an unauthorized manner

Availability: system or resource shall be available for use as intended

Introduction 1-15

Introduction

Security mechanism (aka “security control”) is a component, technique, or method for (attempting to) achieve or enforce security policy

Examples:

smart card for voter

password for system admin

digital signature on email

locked cabinet for server

Introduction 1-16

Introduction

Security mechanisms are typically one of two forms:

1. Prevention: keep security policy from being violated

• Examples: password, encryption, memory bounds check, ...

2. Detection: detect when policy is violated

• Examples: motion sensor, tamper-evident seal, stored fingerprint (“hash”) of executables, intrusion detection on network, virus scanner, ...

Introduction 1-17
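To make the "stored fingerprint (hash) of executables" detection mechanism concrete, here is an added Python example (not from the lecture slides): it records a SHA-256 digest of every file in a directory as a baseline, then re-checks the directory later and reports what was modified, removed or added. The file names and contents are constructed sample data written to a temporary directory; the only design assumption is that the baseline is stored somewhere an intruder who alters a binary cannot also rewrite it, otherwise the detector compares a forged baseline against forged files.

```python
"""Detection mechanism: stored fingerprint ("hash") of executables.

Added example, not part of the lecture slides. Builds a baseline of
SHA-256 digests for a directory, then verifies the directory against it.
"""
import hashlib
import os
import tempfile


def digest_bytes(data: bytes) -> str:
    """SHA-256 hex digest of an in-memory byte string."""
    return hashlib.sha256(data).hexdigest()


def fingerprint(path: str) -> str:
    """SHA-256 hex digest of a file, read in chunks so large binaries fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(directory: str) -> dict:
    """Map every regular file under `directory` (relative path) to its fingerprint."""
    baseline = {}
    for root, _dirs, files in os.walk(directory):
        for name in files:
            full = os.path.join(root, name)
            baseline[os.path.relpath(full, directory)] = fingerprint(full)
    return baseline


def verify(directory: str, baseline: dict) -> dict:
    """Compare the current directory state against a trusted baseline.

    Returns {'modified': [...], 'missing': [...], 'added': [...]}.
    The baseline must be kept where an intruder cannot rewrite it
    (read-only media, a separate host); otherwise tampering with both the
    file and its stored hash goes unnoticed.
    """
    current = build_baseline(directory)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }


def demo() -> dict:
    """Constructed scenario: baseline three fake 'executables', then simulate tampering."""
    with tempfile.TemporaryDirectory() as d:
        # Constructed sample files standing in for system executables.
        for name, body in [("ls", b"#!/bin/sh\necho ls\n"),
                           ("ps", b"#!/bin/sh\necho ps\n"),
                           ("netstat", b"#!/bin/sh\necho netstat\n")]:
            with open(os.path.join(d, name), "wb") as f:
                f.write(body)
        baseline = build_baseline(d)

        # Simulated policy violation: one file changed, one removed, one added.
        with open(os.path.join(d, "ps"), "wb") as f:
            f.write(b"#!/bin/sh\necho ps\n# unexpected change\n")
        os.remove(os.path.join(d, "netstat"))
        with open(os.path.join(d, "extra"), "wb") as f:
            f.write(b"\x00")

        return verify(d, baseline)


if __name__ == "__main__":
    print(demo())  # expected: modified ['ps'], missing ['netstat'], added ['extra']
```

The report is a detection, not a prevention: it tells you the policy "executables do not change without authorization" was violated after the fact, which is why the next slide pairs detection with a recovery step such as restoring the files from backup.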

Introduction

Detection mechanism often comes with recovery mechanism (remove intruder, remove virus, load files from backup, ...)

Detection may involve deterrence (adversary risks being identified and being held accountable for security breach) and so plays a role in prevention

Introduction 1-18

Introduction

Security mechanisms may involve:

Identification of principals (e.g. “user name”)

Authentication of principals (e.g. password)

Authorization: checking to see if principal is authorized for requested action

Physical protection: locks, enclosures

Cryptography: math in service of security (hard computational problems)

Deception: to get adversary to reveal himself or waste his efforts (e.g. honeypot)

Introduction 1-19
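The identification, authentication and authorization steps listed above, applied to two of the policy statements from the earlier slide (“Only an administrator may modify this file” and “Each registered voter may vote at most once”), as one added Python example that is not from the lecture slides. The user names, passwords, resource names and policy table are constructed; authentication stores only a salted PBKDF2 hash of each password and compares in constant time, and authorization consults a role-based policy plus the state needed for the vote-once rule.

```python
"""Identification -> authentication -> authorization for one request.

Added example, not part of the lecture slides. All names, passwords and
policy entries below are constructed for illustration.
"""
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 100_000
_DUMMY_SALT = b"\x00" * 16  # used so unknown names cost the same time as known ones


def make_credential(password: str) -> tuple:
    """Store a random salt and PBKDF2-HMAC-SHA256 of the password, never the password itself."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


# Constructed user table: user name -> (roles, (salt, digest)).
USERS = {
    "alice": ({"admin", "voter"}, make_credential("correct horse battery staple")),
    "bob": ({"voter"}, make_credential("hunter2")),
}

# Constructed policy: (action, resource) -> roles permitted to perform it.
POLICY = {
    ("modify", "config.txt"): {"admin"},
    ("vote", "election-2015"): {"voter"},
}

VOTES_CAST = set()  # (user, election) pairs; state for "vote at most once"


def authenticate(username: str, password: str):
    """Identification (look up the name) plus authentication (check the password).

    Returns the principal's roles on success and None on failure. The same
    result, after the same amount of hashing work, is returned whether the
    name or the password was wrong, so a caller cannot enumerate user names.
    """
    record = USERS.get(username)
    if record is None:
        hashlib.pbkdf2_hmac("sha256", password.encode(), _DUMMY_SALT, PBKDF2_ROUNDS)
        return None
    roles, (salt, digest) = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return roles if hmac.compare_digest(candidate, digest) else None


def authorize(username: str, roles: set, action: str, resource: str, votes_cast: set) -> bool:
    """Check the authenticated principal against the policy for the requested action."""
    allowed_roles = POLICY.get((action, resource), set())
    if not roles & allowed_roles:
        return False
    if action == "vote":
        # "Each registered voter may vote at most once."
        key = (username, resource)
        if key in votes_cast:
            return False
        votes_cast.add(key)
    return True


def request(username: str, password: str, action: str, resource: str, votes_cast=None) -> str:
    """Run the full chain for one request and return the audit-log line."""
    if votes_cast is None:
        votes_cast = VOTES_CAST
    roles = authenticate(username, password)
    if roles is None:
        return f"DENY {username} {action} {resource}: authentication failed"
    if not authorize(username, roles, action, resource, votes_cast):
        return f"DENY {username} {action} {resource}: not authorized"
    return f"ALLOW {username} {action} {resource}"


def run_demo(votes_cast=None) -> list:
    """Replay a constructed request sequence and return its audit lines in order."""
    if votes_cast is None:
        votes_cast = set()
    scenario = [
        ("alice", "correct horse battery staple", "modify", "config.txt"),
        ("bob", "hunter2", "modify", "config.txt"),
        ("bob", "hunter2", "vote", "election-2015"),
        ("bob", "hunter2", "vote", "election-2015"),  # second vote is refused
        ("bob", "wrong", "vote", "election-2015"),
        ("mallory", "x", "vote", "election-2015"),    # unregistered name
    ]
    return [request(*args, votes_cast=votes_cast) for args in scenario]


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```

Each stage answers a different question from the slide: identification asks who claims to act, authentication asks whether the claim is credible, and authorization asks whether the policy permits the action for that principal. Keeping the three separate is what lets a single audit line say which of them failed.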

Introduction

Who is the adversary? (Know your enemy!)

May be insider/outsider, vendor, …

Examples:

• Vendor may install “backdoor” in system

• Eavesdropper may manipulate communications

What does adversary know?

Examples:

• System design and implementation details

• Passwords

• Facebook profiles of all personnel

Introduction 1-20

Introduction

What resources does adversary have?

Examples:

• Large computers

• Ability to intercept and modify all communications

• Ability to corrupt some participants (e.g. legal subscriber, voter, server, ...)

We typically make generous assumptions about adversary’s abilities.

Introduction 1-21

Introduction

Vocab:

“vulnerability” = weakness that might be exploited by an adversary (e.g. poor password, buffer overflow possibility)

“threat” = potential violation of security policy (e.g. by exploiting a vulnerability)

“risk” = likelihood that threat will materialize

“risk management” = balancing one risk against another, or other factors, such as cost, ease-of-use, understandability, availability, ...

No security mechanism is perfect – we build fences, not impenetrable walls (how high is a fence?)

Introduction 1-22

Vulnerable applications being exploited

Introduction 1-23

IT Security Vocabulary

Back door – a means of accessing your computer that bypasses computer security mechanisms

Bot – short for robot, a computer on which intruders have installed software that lets them secretly control the system from a remote location on the Internet (Botnet)

Denial of Service (DoS) – an attack that successfully prevents or impairs the authorized functionality of networks, systems or applications by exhausting resources

Introduction 1-24

IT Security Vocabulary (cont’d)

Firmware – software that is embedded into hardware; it can be updated and accessed by the user

Firewall – a security system that uses hardware and/or software mechanisms to prevent unauthorized users from accessing an organization’s internal computer network

Malware – a contraction of “malicious software,” malware is a general term used to describe software that infiltrates or damages a computer

Introduction 1-25

IT Security Vocabulary (cont’d)

Spyware – malware whose principal aim is to surreptitiously collect information by “spying” on the user

Trojan – malware that appears to perform a benign or useful action but in fact performs a malicious action, such as transmitting a computer virus

Virus – self-replicating malware that attaches itself to a digital document or application, then spreads through copies of that document or application

Worm – self-replicating malware that can move from computer to computer on the network. Unlike a virus, it does not need to attach itself to an existing document or application

Introduction 1-26

Mobile Malicious Software Rise

Introduction 1-27

Sample Network/Computer Attacks

IP address and bandwidth stealing

Attacker’s goal: look like a random Internet user

Use the IP address of an infected machine or phone for:

• Spam (e.g., the Storm botnet)

• Denial of Service

Steal user credentials: keylog for banking passwords, web passwords, gaming passwords

Spread to isolated systems: Stuxnet

Server-side attacks: PHP-based tools installed on compromised web sites infect browsers that visit the site

Insider attacks: hidden trap door in operating systems (e.g., Linux) allows attacker to take over a computer

Introduction 1-28