CS 591 Fundamentals of Computer and Network Security C. Edward Chow .

Uploaded on:
CS 591 Fundamentals of Computer and Network Security C. Edward Chow. http://cs.uccs.edu/~cs591/. Class Background Poll. Introduction to computer security? Access control, Web security, sandboxing, virus? Cryptography?
Slide 1

CS 591 Fundamentals of Computer and Network Security C. Edward Chow http://cs.uccs.edu/~cs591/C. Edward Chow

Slide 2

Class Background Poll Introduction to PC security? Get to control, Web security, sandboxing, infection? Cryptography? Open key and symmetric encryption, advanced marks, cryptographic hash, irregular number generators? PC systems? Arrange design, application and transport layer conventions? Design of Router? Firewall? Programming in C? Camouflage? I386 get together? OS establishment encounter? Linux, Fedora Core, WinXP, Win2003, Virtual machines: UML, VPC System Admin Experience? Organize Admin Experience? Utilize Ethereal? Nessus/Tenable? MetaSploit? Rootkit? C. Edward Chow

Slide 3

Useful Book Textbook: "Security in Computing," by Charles P. Pfleeger, Shari Lawrence Pfleeger, 2003. William Stallings. "Arrange Security Essentials: Applications and Standards." Ross Anderson. "Security Engineering". Kaufman, Perlman, Speciner. "Arrange Security: Private Communication in a Public World". C. Edward Chow

Slide 4

Lab Exercises Buffer Overflow. Given target.c code, compose exploit.c that acquires a shell with root benefit. Perform Scanning utilizing Nessus/Tenable NeWT Security Scanner Break-into Win/Fedora machines utilizing MetaSploit Framework Configure/Use Snort IDS, Linux Firewall Configure and Secure the border of a Network Climax Capstone Project: Capture the Flag, Cyber Defense/Attack work out! (Require your information) C. Edward Chow

Slide 5

Lab Resources Virtual machines running fixed/unpatched FC4, FC1, WinXP, Win2000/SQL2000, Win2003 on EAS149/139 PCs. 3 Real Testbeds: Each with 5 organized PCs, 2 5 port Ethernet Switches. 3 PCs effectively arranged with Fedora Core 4. 1 PCs arranged with XP (Snort IDS) 1 PCs designed with Win 2003 (essential NeWT Securiy Scanner C. Edward Chow

Slide 6

Goals Develop comprehension of fundamental issues hidden PC security and the strategies accessible to manage them. Look at the dangers of security in figuring Consider accessible countermeasures or controls Stimulate contemplated revealed vulnerabilities Identify zones where more work is required C. Edward Chow

Slide 7

Principle of Easiest Penetration A gatecrasher must be relied upon to utilize any accessible method for entrance. The infiltration may not really be by the most clear means, nor is it essentially the one against which the most strong resistance been introduce. It suggests the PC security expert must Consider every single conceivable mean of entrance. Entrance examination must done over and again Especially when framework and its security change C. Edward Chow

Slide 8

Vulnerability and Threat Vulnerability: A shortcoming in the security framework, e.g., in methodology, plan, or execution, that may be abused to bring about misfortune or mischief. Risk to a PC framework: an arrangement of conditions that can possibly bring about misfortune or mischief. defenselessness Threat C. Edward Chow

Slide 9

Control Vulnerability Control: an activity, gadget, strategy, or system that evacuates or lessens a helplessness. A string is obstructed by control of helplessness . We will talk about assortment of controls and how much they improve a framework\'s security. Web Security Glossary: rfc2828 by Bob Shirey of GTE/BBN May 2003 National Informaiton Assurance (IA) Glossary by CNSS, amended May 2003. C. Edward Chow

Slide 10

Types of System Security Threats Interception : some unapproved party has accessed a benefit. Intrusion : a circumstance where a benefit of the framework gets to be lost, inaccessible, unusable. Change : an unapproved treating with a benefit. Manufacture : unapproved formation of fake protests on a registering framework. C. Edward Chow

Slide 11

MOM: Method, Opportunity, Motive Method: the ability, information, devices and different things with which to have the capacity to pull off the assault. Opportunity: the time and access to fulfill assault Motive: motivation to need to play out this assault against this framework. Preclude any from claiming those three things and the assault won\'t happen. In any case it is difficult to cut these off! Proficiencies/particular/source code accessible on Internet Access to PC frameworks accessible, through buy of same kind of frameworks, Internet get to Motives: indicate ability of aggressors; simple assaults; arbitrary; money related; vindicate Why Universities are Prime Targets? C. Edward Chow

Slide 12

Three Basic Security Service and Desirable Security Properties Three Basic Security Service: Confidentiality: the disguise of data or assets; just got to by approved gatherings. Respectability: the dependability of information and assets; just changed by approved gatherings in approved ways. Accessibility: the capacity to utilize the data or assets sought at suitable time (QoS, convenient, reasonable portion of asset, blame tolerant) Other Desirable Security Properties Authenticity Non-revocation Freshness Access control Privacy of gathered data Accountability More over the top rundown from NIST C. Edward Chow

Slide 13

Attack on Confidentiality from Prof. Vitaly Shmatikov\'s decent viewgraph Confidentiality is covering of data guarantee that PC related resources are gotten to just by approved gatherings. Once in a while called mystery or security . Listening in, parcel sniffing, illicit replicating system C. Edward Chow

Slide 14

Attack on Integrity is anticipation of unapproved changes resources can be adjusted just by approved gatherings or just in approved ways. Adjustment incorporate written work, changing, evolving status, erasing, and making. Man-in-the center assault Intercept messages, alter, discharge again arrange C. Edward Chow

Slide 15

Attack on Authenticity is ID and certification of starting point of data Unauthorized presumption of another\'s personality arrange C. Edward Chow

Slide 16

Attack on Availability is capacity to utilize data or assets fancied. Resources are available to approved gatherings at proper times. - Denial of Service Attack Overwhelm or crash servers, disturb framework arrange C. Edward Chow

Slide 17

DDoS: Distributed Denial of Service Attack Research by Moore et al of University of California at San Diego, 2001. 12,805 DoS in 3-week time span Most of them are Home, little to medium estimated associations DDoS Victims: Yahoo/Amazon 2000 CERT 5/2001 DNS Root Servers 10/2002 (4up 7 cripple 80Mbps) Akamai DDNS 5/2004 DDoS Tools: Stacheldraht Trinoo Tribal Flood Network (TFN) C. Edward Chow

Slide 18

Relationship among Confidentiality, Integrity, and Availability Independent Overlap Mutual Exclusive Computer security\'s past achievement has concentrated on privacy and honesty. "Full Implementation of accessibility is security\'s next incredible test" C. Edward Chow

Slide 19

Vulnerability of Computer Systems C. Edward Chow

Slide 20

Software Modification Logic bomb : program adjusted to come up short when certain conditions are met or when a specific date/time is come to. Trojan steed : a program that unmistakably does a certain something while secretly doing another. Infection : a particular kind of Trojan steed that can be utilized to spread its "contamination" starting with one PC then onto the next. Trapdoor : a program that has a mystery section point. Data spills in a program: code that makes data open to unapproved individuals or projects. C. Edward Chow

Slide 21

Data Security Principle of Adequate Protection Computer things must be ensured just until they lose their esteem. They should be secured to a degree predictable with their esteem. Arrival of information identified with the condition of national economy Personal information/charge card data C. Edward Chow

Slide 22

Computer Criminals Amateurs PC hoodlums Crackers Career Criminals The security group recognizes Hacker: somebody who non-malignantly programs, oversees, utilizes figuring frameworks, and Cracker: somebody who endeavors access to registering frameworks for malevolent purposes. C. Edward Chow

Slide 23

Method of Defense Risk : The likelihood for damage to happen. Approaches to manage dangers: Prevent Deter Deflect Detect Recover C. Edward Chow

Slide 24

Software Controls Internal program controls: parts of the program that authorize security confinement, for example, get to restriction in a database administration program. Working framework and system framework control: impediment authorized by the OS or system to shield every client from every single other client. Autonomous control programs: secret word checkers, IDS, infection scanners Development controls: keep programming flaws from getting to be exploitable helplessness C. Edward Chow

Slide 25

Effectiveness of Controls Awareness of Problem Likelihood of Use Principle of Effectiveness : Control must be utilized and utilized appropriately to be powerful. Proficient, simple to utilize, and suitable. Covering Control (Layered Defense): physical security, confine program get to, document locking. Intermittent Review: OMB 2001 2/3 government organizations got a F review (Defense, Justice, Treasure). State Department D+; NSF B+. C. Edward Chow

Slide 26

Codes of Best Security Practices Information Security Forum Internet Security Alliance C. Edward Chow

Slide 27

Sarbanes-Oxley Act of 2002 The Sarbanes-Oxley Act of 2002 (frequently abbreviated to SOX ) is enactment sanctioned in light of the prominent Enron and WorldCom budgetary embarrassments to shield shareholders and the overall population from bookkeeping mistakes and false practices in the undertaking. The Sarbanes-Oxley Act expresses that all business records, including electronic records and electronic messages, must be put something aside for "not under five years." The outcomes for resistance are fines, detainment, or both. http://searchcio.techtarget.com/sDefinition/0,,sid19_gci920030,00.html C. Edward Chow

View more...