INTRODUCTION TO COMPUTER SECURITY
Dr. Shahriar Bijani, Shahed University
SLIDE REFERENCES
• Matt Bishop, Computer Security: Art and Science, the author homepage, 2004.
• Michael E. Whitman, Principles of Information Security: Chapter 1: Introduction to Information Security, 4/e, 2011.
• Chris Clifton, CS 526: Information Security course, Purdue University, 2010.
• Patrick Traynor, CS 8803 - Cellular and Mobile Network Security, Georgia Tech, 2012.
WHAT IS SECURITY?
Security /sɪˈkjʊərɪti/ (noun): the state of being free from danger or threat.
Synonyms: certainty, safe future, assured future, safety, reliability, dependability, solidness, soundness
WHAT IS SECURITY?
A successful organization should have multiple layers of security in place:
• Physical security: to protect the physical items, objects, or areas of an organization from unauthorized access and misuse.
• Personal security: to protect the authorized individual or group of individuals.
• Operations security: to protect the details of a particular operation or series of activities.
• Communications security: to protect an organization’s communications media, technology, and content.
• Network security: to protect networking components, connections, and contents.
• Information security
BASIC COMPONENTS
An information system is secure if it supports CIA:
• Confidentiality
  • Keeping data and resources hidden
• Integrity
  • Data integrity (integrity)
  • Origin integrity (authentication)
• Availability
  • Enabling access to data and resources
[Figure: The CIA triangle]
THE HISTORY OF INFORMATION SECURITY
• Began immediately following the development of the first mainframes
  • Developed for code-breaking computations
  • During World War II
• Multiple levels of security were implemented
• Physical controls
• Elementary
  • Mainly composed of simple document classification
  • Defending against physical theft, espionage, and sabotage
THE 1960S
• Original communication by mailing tapes
• Advanced Research Project Agency (ARPA)
  • Examined feasibility of networked communications
• Larry Roberts developed ARPANET
• Plan
  • Link computers
  • Resource sharing
  • Link 17 Computer Research Centers
  • Cost 3.4M $
• ARPANET is predecessor to the Internet
THE 1970S AND 80S
• ARPANET grew in popularity
• Potential for misuse grew
• Fundamental problems with ARPANET security
  • Individual remote sites were not secure from unauthorized users
  • Vulnerability of password structure and formats
  • No safety procedures for dial-up connections to ARPANET
  • Non-existent user identification and authorization to system
THE 1970S AND 80S …
• Rand Report R-609
  • Paper that started the study of computer security
  • Information Security as we know it began
• Scope of computer security grew from physical security to include:
  • Safety of data
  • Limiting unauthorized access to data
  • Involvement of personnel from multiple levels of an organization
THE 1990S
• Networks of computers became more common
• Need to interconnect networks grew
• Internet became first demonstration of a global network of networks
• Initially based on de-facto standards
• In early Internet deployments, security was treated as a low priority
2000 TO PRESENT
• Millions of computer networks communicate
• Many of the communications are unsecured
• Ability to secure a computer’s data is influenced by the security of every computer to which it is connected
• Growing threat of cyber attacks has increased the need for improved security
CHALLENGES OF COMPUTER SECURITY
1. Computer security is not simple
2. One must consider potential (unexpected) attacks
3. Must decide where to deploy mechanisms
4. Involves algorithms and secret info (keys)
5. A battle between attacker / admin
6. Not perceived as a benefit until it fails
7. Requires constant monitoring
8. Too often incorporated after the design is complete (not integral)
9. Regarded as a barrier to using system
KEY INFORMATION SECURITY CONCEPTS
• Access
• Adversary
• Asset
• Attack
• Control, Safeguard, or Countermeasure
• Exploit
• Exposure
• Hack
• Loss
• Nonrepudiation
• Subjects / Objects
• Risk
• Threat
• Vulnerability
RELATIONSHIPS OF SECURITY CONCEPTS
KEY INFORMATION SECURITY CONCEPTS
• Computer can be subject or object of an attack
  • When the subject of an attack: an active tool to conduct attack
  • When the object of an attack: an entity being attacked
Source: Principles of Information Security, 4th Edition
INFORMATION SECURITY VS. ACCESS
• Perfect security is impossible
• Security is a process
• Security should be considered a balance between protection and availability
• Must allow reasonable access, yet protect against threats
INFORMATION SECURITY VS. ACCESS
Source: Principles of Information Security, 4th Edition
VULNERABILITIES
Source: Principles of Information Security, 4/e
THREATS
• A threat is a potential violation of security.
CLASSES OF THREATS
• Interruption (Disruption)
  • Interruption or prevention of correct operation
  • DoS attack: Denial of Service
• Interception / Disclosure
  • Unauthorized access to information
  • Snooping: the unauthorized interception of information
• Modification
  • An unauthorized party not only gains access to but modifies an asset.
  • Masquerading or spoofing: an impersonation of one entity by another.
• Fabrication
  • An unauthorized party inserts fake objects into the system.
CLASSES OF THREATS
EXAMPLES OF THREATS
ADVERSARY
• An adversary is anyone attempting to bypass the security infrastructure.
  • The curious and generally inexperienced (e.g., script-kiddies)
  • Unintended attackers seeking to understand systems
  • Malicious and terrorist groups
  • Competitors (industrial espionage)
  • Governments
ATTACK
• An attack occurs when someone attempts to exploit a vulnerability
• Types of attacks
  • Passive (e.g., eavesdropping)
  • Active (e.g., password guessing, DoS)
• A compromise occurs when an attack is successful
TRUST
• Trust
  • The degree to which an entity is expected to behave.
  • Trust is a particular level of the subjective probability with which an agent assesses that another agent will perform a particular action in a context that affects his actions [Gambetta, 1990]
• Reputation
  • Expectation about an entity’s behavior based on past behavior [Abdul-Rahman, 2000]
  • May be used to determine trust
TRUST MANAGEMENT
• Trust Management as a countermeasure:
  • Trust relationships between peers help establish confidence
• Two types of trust management systems
  • Credential and Policy-based
  • Reputation-based
SECURITY MODEL
• A security model is the combination of trust and threat models that address the set of perceived risks
  • The “security requirements” used to develop some cogent and comprehensive design
• Every design must have a security model
  • LAN network or global information system? Java applet or operating system?
• The single biggest mistake seen in use of security is the lack of a coherent security model
  • It is very hard to retrofit security (design time)
• This class is going to talk a lot about security models
  • What are the security concerns (risks)?
  • Threats?
  • Who are our adversaries?
  • Who do we trust and to do what?
• Systems must be explicit about these things to be secure
POLICIES AND MECHANISMS
• Policy says what is, and is not, allowed
  • This defines “security” for the site/system/etc.
• Mechanisms enforce policies
• Composition of policies
  • If policies conflict, inconsistencies may create security vulnerabilities
TRUST AND ASSUMPTIONS
• Underlie all aspects of security
• Policies
  • Unambiguously partition system states
  • Correctly capture security requirements
• Mechanisms
  • Assumed to enforce policy
  • Support mechanisms work correctly
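The POLICIES AND MECHANISMS and TRUST AND ASSUMPTIONS slides, worked through as an added example (not from the slides or their sources): two constructed policies are composed, requests that one allows and the other denies are reported as conflicts, and requests no rule covers are reported as unspecified, meaning the policy fails to partition those states. The rule format, all names and the default-deny mechanism are assumptions of this example.

```python
# Added illustration: composing two policies and checking the result.
# All subjects, actions, objects and rules are constructed for the example.
from itertools import product

ALLOW, DENY = "allow", "deny"

def decisions(policy, request):
    """Return the set of verdicts a policy gives for (subject, action, obj)."""
    verdicts = set()
    for verdict, subj, act, obj in policy:
        rule = (subj, act, obj)
        # "*" in a rule field matches any value in the request.
        if all(r in ("*", q) for r, q in zip(rule, request)):
            verdicts.add(verdict)
    return verdicts

def compose(policy_a, policy_b, subjects, actions, objects):
    """Classify every possible request under the union of two policies.

    conflict:    one rule allows and another denies (inconsistent composition)
    unspecified: no rule applies, so this state is not partitioned at all
    """
    report = {"allow": [], "deny": [], "conflict": [], "unspecified": []}
    for request in product(subjects, actions, objects):
        verdicts = decisions(policy_a, request) | decisions(policy_b, request)
        if verdicts == {ALLOW, DENY}:
            report["conflict"].append(request)
        elif not verdicts:
            report["unspecified"].append(request)
        else:
            report[verdicts.pop()].append(request)
    return report

def enforce(report, request):
    """Mechanism: default-deny, so conflicts and gaps never grant access."""
    return request in report["allow"]

# Constructed policies: a department lets contractors write grades,
# while the campus-wide policy forbids any write by contractors.
DEPT = [(ALLOW, "staff", "*", "grades"),
        (ALLOW, "contractor", "write", "grades")]
CAMPUS = [(DENY, "contractor", "write", "*"),
          (ALLOW, "*", "read", "handbook")]

REPORT = compose(DEPT, CAMPUS, ["staff", "contractor"],
                 ["read", "write"], ["grades", "handbook"])
```

A mechanism that resolved the conflict the other way (allow wins) would enforce the department policy while violating the campus one, which is the kind of vulnerability the composition slide warns about.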
GOALS OF SECURITY
• Prevention
  • Prevent attackers from violating security policy
• Detection
  • Detect attackers’ violation of security policy
• Recovery
  • Stop attack, assess and repair damage
  • Continue to function correctly even if attack succeeds