CSCE 201 Introduction to Information Security, Fall 2010


CSCE 201 Introduction to Computer Security

Instructor: Csilla Farkas
Office: Swearingen 3A43
Office Hours: Monday, Wednesday 10:00 – 11:00 am, or electronically any time, or by appointment
Telephone: 576-5762
E-mail: [email protected]
Homepage: http://www.cse.sc.edu/~farkas/csce201-2009/csce201.htm

CSCE 201 - Farkas 2

Course Objectives

Understand basic concepts and practices of information security
Understand tools and techniques used by attackers to penetrate computer systems
Understand tools and techniques used by defenders to protect computer systems
Be able to check for security updates, apply and use patches and other defense mechanisms
Be able to understand and follow security and privacy policies
Understand the ethical implications of using attack tools on computer systems

Text

C. Easttom, Computer Security Fundamentals, PearsonPrentice Hall, ISBN: 0-13-171129-6

Lecture handouts

Grading

Test 1: 20%, Test 2: 40%, Homework: 40%
Total score that can be achieved: 100
Final grade: 90 < A; 87 < B+ <= 90; 80 < B <= 87; 77 < C+ <= 80; 65 < C <= 77; 60 < D+ <= 65; 52 < D <= 60; F <= 52

Tentative Schedule

Weeks 1–5: Basic Security Concepts
Weeks 6–10: Home Computer Security – Hardening the System
Weeks 11–15: Let's Have Fun – Popular applications, ethics, security and privacy

Security Planning

Reading list:
– Easttom: Chapter 1

Other useful sites:
– Computer Security Institute, http://www.gocsi.com/
– SANS Institute, http://www.sans.org/
– Carnegie Mellon University's Computer Emergency Response Team, http://www.cert.org/
– Information Warfare and Information Security on the Web, http://www.fas.org/irp/wwwinfo.html
– Sun Tzu on the Art of War (Lionel Giles, trans.), http://all.net/books/tzu/tzu.html

Security Objectives

Confidentiality: prevent/detect/deter improper disclosure of information

Integrity: prevent/detect/deter improper modification of information

Availability: prevent/detect/deter improper denial of access to services

Military Example

Confidentiality: target coordinates of a missile should not be improperly disclosed

Integrity: target coordinates of missile should be correct

Availability: missile should fire when proper command is issued

Commercial Example

Confidentiality: patient’s medical information should not be improperly disclosed

Integrity: patient’s medical information should be correct

Availability: patient’s medical information can be accessed when needed for treatment

Fourth Objective

Securing computing resources: prevent/detect/deter improper use of computing resources
– Hardware
– Software
– Data
– Network

Achieving Security

Policy– What to protect?

Mechanism– How to protect?

Assurance– How good is the protection?

Security Policy

Organizational Policy

Computerized Information System Policy

Security Mechanism

Prevention
Detection
Tolerance/Recovery

Security by Obscurity

Hide the inner workings of the system

Bad idea! Vendor-independent open standards and widespread computer knowledge mean the inner workings will not stay hidden

Security by Legislation

• Instruct users how to behave
• Not good enough!
– Important, but it can only enhance security
– Targets only some of the security problems

Security Tradeoffs

Three competing goals (drawn as a triangle on the slide): cost, security functionality, ease of use


Threat, Vulnerability, Risk

Threat: potential occurrence that can have an undesired effect on the system

Vulnerability: characteristic of the system that makes it possible for a threat to occur

Attack: action of a malicious intruder that exploits vulnerabilities of the system to cause a threat to occur

Risk: measure of the possibility of security breaches and severity of the damage


Types of Threats

Errors of users

Natural/man-made/machine disasters

Dishonest insider

Disgruntled insider

Outsiders


Types of Attack

Interruption – an asset is destroyed, unavailable or unusable (availability)

Interception – unauthorized party gains access to an asset (confidentiality)

Modification – unauthorized party tampers with asset (integrity)

Fabrication – unauthorized party inserts a counterfeit object into the system (authenticity)

Denial – a person denies having taken an action (accountability / non-repudiation)

Computer Crime

Any crime that involves computers or is aided by the use of computers

U.S. Federal Bureau of Investigation: reports uniform crime statistics

Computer Criminals

Amateurs: regular users, who exploit the vulnerabilities of the computer system– Motivation: easy access to vulnerable resources

Crackers: attempt to access computing facilities for which they do not have the authorization– Motivation: enjoy challenge, curiosity

Career criminals: professionals who understand the computer system and its vulnerabilities– Motivation: personal gain (e.g., financial)

Methods of Defense

Prevent: block the attack
Deter: make the attack harder
Deflect: make other targets more attractive
Detect: identify misuse
Tolerate: function under attack
Recover: restore to a correct state
Documentation and reporting

Information Security Planning

Organization analysis
Risk management
Mitigation approaches and their costs
Security policy and procedures
Implementation and testing
Security training and awareness

Risk Management

Risk Assessment

Risk (the center of the slide's diagram) arises from the combination of threats, vulnerabilities and consequences

System Security Engineering (Traditional View)

Specify system architecture
Identify threats, vulnerabilities, attacks
Estimate risk
Prioritize vulnerabilities
Identify and install safeguards
Repeat until risk is acceptably low
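The engineering loop above, together with the earlier definitions of threat, vulnerability and risk, carried through as an added worked example in Python. This is not code from the slides or the textbook: the exposures, the safeguard catalogue, the likelihoods, costs and residual factors, and the "risk = likelihood × consequence" score are all constructed for illustration.

```python
# Added example (not from the lecture slides): a toy implementation of the
# traditional system-security-engineering loop, using the slide's own terms.
# Risk is estimated as likelihood x consequence per (threat, vulnerability)
# pair; the highest-risk vulnerability is treated first; the cycle repeats
# until total risk is acceptably low or the budget runs out.
# All exposures, safeguards and numbers below are constructed.
from dataclasses import dataclass, field


@dataclass
class Exposure:
    """One threat exploiting one vulnerability of the specified system."""
    threat: str
    vulnerability: str
    likelihood: float        # 0..1: chance the threat occurs via this vulnerability
    consequence: float       # damage if it does, in arbitrary cost units
    applied: list = field(default_factory=list)  # safeguards installed so far

    def risk(self) -> float:
        # Risk = possibility of a breach x severity of the damage (slide definition)
        return self.likelihood * self.consequence


@dataclass(frozen=True)
class Safeguard:
    name: str
    vulnerability: str       # the vulnerability it mitigates
    cost: float
    residual: float          # fraction of the likelihood that remains once installed


def total_risk(exposures) -> float:
    """Step 'Estimate risk': sum of per-exposure risks."""
    return sum(e.risk() for e in exposures)


def prioritize(exposures):
    """Step 'Prioritize vulnerabilities': highest risk first (stable for ties)."""
    return sorted(exposures, key=lambda e: e.risk(), reverse=True)


def best_safeguard(exposure, catalogue):
    """Step 'Identify safeguards': the not-yet-applied safeguard for this
    vulnerability with the largest risk reduction per unit of cost."""
    candidates = [s for s in catalogue
                  if s.vulnerability == exposure.vulnerability
                  and s not in exposure.applied]
    if not candidates:
        return None
    return max(candidates,
               key=lambda s: exposure.risk() * (1.0 - s.residual) / s.cost)


def manage_risk(exposures, catalogue, acceptable: float, budget: float):
    """Run the loop until total risk <= acceptable.  Returns (final risk,
    money spent, log of (safeguard, vulnerability, risk afterwards)).
    If no affordable safeguard remains, the residual risk is returned so the
    owner has to accept it explicitly rather than silently."""
    spent, log = 0.0, []
    while total_risk(exposures) > acceptable:
        for e in prioritize(exposures):
            s = best_safeguard(e, catalogue)
            if s is not None and spent + s.cost <= budget:
                e.likelihood *= s.residual          # install the safeguard
                e.applied.append(s)
                spent += s.cost
                log.append((s.name, e.vulnerability, round(total_risk(exposures), 2)))
                break                               # re-estimate and re-prioritize
        else:
            break                                   # nothing affordable is left
    return total_risk(exposures), spent, log


def build_example():
    """Constructed inputs; threat names follow the 'Types of Threats' slide."""
    exposures = [
        Exposure("outsider", "unpatched web server", likelihood=0.5, consequence=100.0),
        Exposure("dishonest insider", "shared admin password", likelihood=0.2, consequence=400.0),
        Exposure("natural disaster", "no off-site backup", likelihood=0.05, consequence=1000.0),
    ]
    catalogue = [
        Safeguard("apply vendor patches", "unpatched web server", cost=5.0, residual=0.2),
        Safeguard("network firewall", "unpatched web server", cost=20.0, residual=0.5),
        Safeguard("individual admin accounts", "shared admin password", cost=10.0, residual=0.25),
        Safeguard("off-site backup", "no off-site backup", cost=30.0, residual=0.1),
    ]
    return exposures, catalogue


def run_example(acceptable: float = 40.0, budget: float = 60.0):
    exposures, catalogue = build_example()
    return manage_risk(exposures, catalogue, acceptable, budget)


if __name__ == "__main__":
    final, spent, log = run_example()
    for name, vuln, risk_after in log:
        print(f"installed {name!r} against {vuln!r}: total risk now {risk_after}")
    print(f"final risk {final:.2f}, spent {spent:.0f}")
```

With the constructed numbers the loop treats the shared admin password first (risk 80 of the initial 180), then the unpatched server, then the missing backup, and stops at a total risk of 35 after spending 45 units. Lowering the budget to 20 leaves the backup safeguard unaffordable and the loop returns a residual risk of 80 instead of looping forever: the "risk is acceptably low" exit has to be complemented by an explicit decision to accept whatever risk cannot be bought down.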

Human Actions

Domains:
– Play: hackers vs. owners
– Crime: perpetrators vs. victims
– Individual rights: individuals vs. individuals/organizations/government
– National security: national level activities

Play

Playing pranks
Actors: hackers/crackers/phreakers
Motivation: challenge, knowledge, thrill
Culture: social/educational
– "global networks"
– publications
– forums

Law

Crime

Intellectual Property Crimes
– IT targets: research and development, manufacturing and marketing plans, customer lists, etc.
– Attacker: insiders, former insiders
– 1996: Economic Espionage Act (U.S. Congress)

Fraud
– Telemarketing scams, identity theft, bank fraud, telecommunication fraud, computer fraud and abuse

Fighting crime

Individual Rights

Privacy
– Secondary use of information

Free speech
– Harmful/disturbing speech
– Theft and distribution of intellectual property
– Censorship

National Security

Foreign Intelligence
– Peace time: protecting national interests
  Open channels, human spies, electronic surveillance, electronic hacking (?)
– War time: support military operations
– U.S. Intelligence Priorities:
  Intelligence supporting military needs during operations
  Intelligence about hostile countries
  Intelligence about specific transnational threats
– Central Intelligence Agency (CIA)
– Primary targets in the U.S.A.: high technology and defense-related industry

Terrorism

Traditional:
– Intelligence collection
– Psyops and perception management

New forms:
– Exploitation of computer technologies
  Internet propaganda
  Cyber attacks (electronic mail flooding, DoS, etc.)

Protection of national infrastructure

Next Class

Making decisions about security
Easttom: Ch. 3