Introduction
Dr. Neminath Hubballi
IIT Indore © Neminath Hubballi
Outline
• Administrative stuff
  • Instructor and TA
  • Text book and reading material
  • Course content
  • Evaluation criteria
• Fundamentals of security
  • Define security
  • Learn why we should care about security
  • CIA principles of security
  • AAA principles of security
Administrative Stuff
• Instructor
  • Neminath Hubballi
  • Area of expertise: Network Security, System Security
  • Room No. PS06 C
• Readings
  • Text books:
    • Introduction to Computer Security - Goodrich and Tamassia
    • Computer Security - William Stallings
    • Security and Usability: Designing Secure Systems that People Can Use - Lorrie Faith Cranor and Simson Garfinkel
  • Additional reading material will be given
  • You are expected to go through additional material; the web has an enormous amount of material on security
• Two lectures + one tutorial per week
• Office hours: Friday 3-4 PM
• Teaching Assistant
  • XXXXXX - a graduate student in the School of Computer Science
  • Tutorials will be handled by him
Prerequisites
• Computer Networks
• Operating Systems
• C Programming
• Working proficiency with Linux systems
• Knowing Perl/Shell scripting will be an advantage
Course Content
• Recap of Networking Concepts
  • Transport Layer
  • IP Layer
  • Link Layer
• Usability Aspects of Security
• Network and System Attacks
  • Information Gathering
  • Buffer Overflow Attacks
  • Format String Attacks
  • SQL Injection Attacks
  • Spoofing Attacks
  • Phishing Attacks
  • DoS Attacks
  • Virus, Worms, Trojan Horse
  • Session Hijacking
  • Snooping and Sniffing
  • OS and Unix System Security
  • Botnets
  • Spamming
• Defense Mechanisms
  • Antivirus
  • Authentication
  • Proxy Servers
  • IDS
  • Firewall
  • Email Security
  • Cryptography
  • PGP
  • Digital Signatures
  • Kerberos
  • IPSec
  • Web Security
Evaluation Criteria
• Assignments - 10%
• Two surprise quizzes - 10%
• Mid semester exam - 20%
• End semester exam - 30%
• Seminar and project - 25%
  • Seminar in a group of 2
  • Topics to be chosen in consultation with the instructor
  • I will float a few potential topics
  • But you are free to choose one on your own, with the restriction that it must be relevant and informative to everyone in the class
  • Presentation of 30 minutes each - post mid semester exam
  • A neatly written report (not a copy-paste from somewhere) in .pdf format created with LaTeX, along with the source
  • Demo of your project
• Attendance and class participation - 5%
What is Computer Security?
• Deals with the art of protecting computer resources
• What are the resources?
  • Memory
  • Computing power
  • Data
• Protection against
  • Human errors
  • Malicious guys outside
  • Dishonest people inside
When to Say a System is Secure
• The goal of computing is to do something useful
• We write computer programs to do useful computation
• All programs take some input and usually generate some output
• A system/program is said to be secure if
  • For an expected input supplied with good intent, it generates the desired output
  • For an unexpected input supplied with malicious intent, it does not fail
Why Should We Care about Security?
• We use the internet for many things
  • Online banking
  • Online shopping
  • Booking tickets ...
• We store many things in computers
  • Photos
  • Files
• A computer may become too slow in responding
• Reputation and credibility
  • Media glare
• You may be contributing to computer crime without your knowledge
  • Ex. open wireless networks
• Legal aspects
Vulnerability and Attack
• Vulnerability: a weakness in a system which allows a malicious user to gain access
• Attack: a successful strategy to exploit a vulnerability in order to gain illegal access
  • Active
  • Passive
• Attacker: someone who crafts an attack
  • Insider attack
  • Outside attack
Types of Attackers
• Attacker - someone who can find an exploitable bug in a computer system
• Cracker - an attacker who exploits a system illegally
• Script kiddies - use publicly available tools
• White hat hackers - people who discover vulnerabilities but do not exploit them
  • Help to fix them
• Black hat hackers - bad people who want to exploit systems after discovery
• Cyber terrorists - often have a religious and fundamentalist mindset
• Cyber army - state sponsored attackers
  • Work for the nation's strategic security
Who Are Vulnerable to Attacks?
• Financial institutions
• Defense organizations
• Government agencies
• Pharmaceutical companies
• IT companies
• Intellectual property management companies
• Academic institutions
• Everyone connected to the internet
CIA Principles of Security
• Information security is defined by the acronym CIA
• Confidentiality: avoiding unauthorized disclosure of information
• Integrity: an assurance that information is not altered midway through transmission
• Availability: an assurance of information access and modification in a reasonable timeframe
Confidentiality
• Provide access to legitimate users
• Block access to illegitimate users
• Confidentiality can be achieved through
  • Encryption: transform data into a meaningless form for transmission and storage; show it correctly only to intended users
  • Access control: control who can claim access
    • Authentication: determining the identity of the person claiming access
      • Something the person has
      • Something the person knows
      • Something he/she is
    • Authorization: determining whether the person is allowed to access something
  • Physical security: establishing physical barriers
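Two of the three authentication factors on this slide can be combined in a single login check. The Python below is an added example and is not code from the lecture: it keeps a salted PBKDF2 hash of the password (something you know) and verifies a time-based one-time code (something you have) computed as in RFC 6238 with HMAC-SHA1. The user record layout, the round count and the one-step clock-drift window are assumptions made for the example.

```python
import hashlib
import hmac
import os
import struct

# Assumed parameters for this example (not from the lecture): PBKDF2 round
# count and the 30-second TOTP time step of RFC 6238.
PBKDF2_ROUNDS = 100_000
TOTP_STEP = 30


def register(password: str, totp_seed: bytes) -> dict:
    """Create a user record: the password itself is never stored, only a random
    salt and the PBKDF2 hash ("something you know"); the TOTP seed is the secret
    shared with the user's authenticator device ("something you have")."""
    salt = os.urandom(16)
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "pw_hash": pw_hash, "totp_seed": totp_seed}


def totp(seed: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 time-based one-time password: HMAC-SHA1 over the time counter,
    dynamically truncated to a 31-bit integer and reduced to `digits` digits."""
    counter = struct.pack(">Q", max(0, unix_time // TOTP_STEP))
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_password(record: dict, password: str) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], PBKDF2_ROUNDS)
    # Constant-time comparison so the response time does not leak how many bytes matched.
    return hmac.compare_digest(candidate, record["pw_hash"])


def verify_totp(record: dict, code: str, unix_time: int) -> bool:
    # Accept the current step and one step either side to tolerate clock drift.
    for drift in (-1, 0, 1):
        expected = totp(record["totp_seed"], unix_time + TOTP_STEP * drift)
        if hmac.compare_digest(expected, code):
            return True
    return False


def authenticate(record: dict, password: str, code: str, unix_time: int) -> bool:
    """Both factors must pass. Both are always evaluated, so a failed login
    takes the same time whichever factor was wrong."""
    pw_ok = verify_password(record, password)
    otp_ok = verify_totp(record, code, unix_time)
    return pw_ok and otp_ok


if __name__ == "__main__":
    # Constructed demo: the RFC 6238 test seed and a sample login at t = 59.
    user = register("correct horse battery staple", b"12345678901234567890")
    good_code = totp(user["totp_seed"], 59)
    print("valid login:", authenticate(user, "correct horse battery staple", good_code, 59))
    print("wrong code: ", authenticate(user, "correct horse battery staple", "000000", 59))
```

The seed used in the demo is the published RFC 6238 test seed, so the codes it produces can be checked against the RFC's own table; a real deployment would generate a random per-user seed and show it to the user only once at enrolment.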
Integrity
• Integrity compromise
  • System induced: hardware flips a bit
  • Malicious: someone rewrites the data
• Techniques that protect confidentiality also help protect integrity
• In addition
  • Backup: periodically archive data
  • Checksum: compute something out of the data
  • Error correction code: can correct errors up to a limit
  • Metadata: also needs to be protected
    • Owner
    • Size of file
    • Last read and write timings
    • Location of data
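The two kinds of integrity compromise on this slide call for different checks, and the following Python illustrates the difference. It is an added example, not material from the lecture: an unkeyed checksum detects a hardware bit flip but is recomputed trivially by whoever rewrites the data, whereas a keyed tag (HMAC) is not; a Hamming(7,4) code then shows an error correction code that repairs one flipped bit and mis-corrects two, which is the "up to a limit" on the slide. The sample record and key are constructed for the example.

```python
import hashlib
import hmac

# Constructed sample record and key for this example (not from the lecture).
RECORD = b"account=1234;balance=100"
MAC_KEY = b"example-key-kept-out-of-storage"


def checksum(data: bytes) -> bytes:
    """Unkeyed checksum: catches accidental corruption such as a flipped bit,
    but anyone who can rewrite the data can recompute it as well."""
    return hashlib.sha256(data).digest()


def mac(key: bytes, data: bytes) -> bytes:
    """Keyed tag (HMAC): only a holder of the key can produce a matching value."""
    return hmac.new(key, data, hashlib.sha256).digest()


def store(data: bytes, key: bytes = b"") -> dict:
    """Write the data plus its integrity tag; keyed if a key is given."""
    tag = mac(key, data) if key else checksum(data)
    return {"data": data, "tag": tag}


def verify(entry: dict, key: bytes = b"") -> bool:
    expected = mac(key, entry["data"]) if key else checksum(entry["data"])
    return hmac.compare_digest(expected, entry["tag"])


def flip_bit(entry: dict, bit_index: int) -> dict:
    """System-induced compromise: hardware flips one bit; the stored tag is untouched."""
    buf = bytearray(entry["data"])
    buf[bit_index // 8] ^= 1 << (bit_index % 8)
    return {"data": bytes(buf), "tag": entry["tag"]}


def malicious_rewrite(entry: dict) -> dict:
    """Malicious compromise: someone with write access changes the record and
    recomputes the unkeyed checksum to match. Without the key they cannot
    produce a valid MAC, so a keyed verifier still detects the change."""
    new_data = entry["data"].replace(b"balance=100", b"balance=999")
    return {"data": new_data, "tag": checksum(new_data)}


# Hamming(7,4): corrects a single flipped bit per 7-bit codeword; two flips in
# the same codeword are silently mis-corrected, which is the code's limit.
def hamming74_encode(nibble: int) -> int:
    d = [(nibble >> i) & 1 for i in range(4)]
    p1 = d[0] ^ d[1] ^ d[3]          # parity over codeword positions 1,3,5,7
    p2 = d[0] ^ d[2] ^ d[3]          # parity over positions 2,3,6,7
    p3 = d[1] ^ d[2] ^ d[3]          # parity over positions 4,5,6,7
    bits = [p1, p2, d[0], p3, d[1], d[2], d[3]]   # codeword positions 1..7
    return sum(b << i for i, b in enumerate(bits))


def hamming74_decode(code: int) -> tuple:
    """Return (data nibble, syndrome). The syndrome is the 1-based position of
    the bit that was corrected, or 0 if no error was detected."""
    bits = [(code >> i) & 1 for i in range(7)]
    s1 = bits[0] ^ bits[2] ^ bits[4] ^ bits[6]
    s2 = bits[1] ^ bits[2] ^ bits[5] ^ bits[6]
    s3 = bits[3] ^ bits[4] ^ bits[5] ^ bits[6]
    syndrome = s1 | (s2 << 1) | (s3 << 2)
    if syndrome:
        bits[syndrome - 1] ^= 1
    nibble = bits[2] | (bits[4] << 1) | (bits[5] << 2) | (bits[6] << 3)
    return nibble, syndrome
```

The practical lesson is the one the slide's two bullets imply: a checksum stored next to the data only covers the system-induced case, and defending against the malicious case needs either a secret the attacker lacks (the MAC key) or a copy the attacker cannot reach (the backup bullet).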
Availability
• Timely delivery of information is important
  • Banking transactions
  • Stock quotes
• Can be achieved with
  • Physical protection:
    • guards
    • fire management systems
    • locks
  • Redundancy in computing:
    • RAID
    • Fault tolerant systems
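The RAID bullet is about keeping data available when a disk fails, and the simplest form of that redundancy is an XOR parity block. The Python below is an added example, not part of the lecture: it builds a stripe of data blocks plus one parity block (the single-parity idea behind RAID 5, simplified to a fixed parity position), checks the stripe, and rebuilds any one lost block from the survivors while refusing a two-block loss, which single parity cannot recover. The block contents are constructed for the example.

```python
from functools import reduce

# Constructed stripe of three equal-sized data blocks for this example (not
# from the lecture); real disks likewise work in fixed-size blocks.
DATA_BLOCKS = [b"alpha---", b"bravo---", b"charlie-"]


def xor_blocks(blocks: list) -> bytes:
    """Byte-wise XOR of any number of equal-sized blocks."""
    return reduce(lambda a, b: bytes(x ^ y for x, y in zip(a, b)), blocks)


def make_stripe(blocks: list) -> list:
    """Append an XOR parity block: the stripe then survives the loss of any one block."""
    size = len(blocks[0])
    if any(len(b) != size for b in blocks):
        raise ValueError("all blocks in a stripe must have the same size")
    return list(blocks) + [xor_blocks(blocks)]


def verify_stripe(stripe: list) -> bool:
    """Parity check: the XOR of every block in a consistent stripe is all zeros."""
    return xor_blocks(stripe) == bytes(len(stripe[0]))


def rebuild(stripe: list) -> list:
    """Reconstruct a lost block (marked None) as the XOR of the survivors.
    Single parity tolerates exactly one loss; two losses cannot be rebuilt."""
    lost = [i for i, blk in enumerate(stripe) if blk is None]
    if len(lost) > 1:
        raise ValueError("single parity cannot rebuild more than one lost block")
    if not lost:
        return list(stripe)
    survivors = [blk for blk in stripe if blk is not None]
    rebuilt = list(stripe)
    rebuilt[lost[0]] = xor_blocks(survivors)
    return rebuilt


if __name__ == "__main__":
    stripe = make_stripe(DATA_BLOCKS)
    degraded = list(stripe)
    degraded[1] = None            # simulate losing the second disk
    print("rebuilt block:", rebuild(degraded)[1])
```

The same XOR relation that rebuilds a lost block is what `verify_stripe` uses as a consistency check, which is why a stripe that fails the check must be treated as suspect rather than rebuilt blindly.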
AAA Principles of Security
• AAA stands for Assurance, Authenticity and Anonymity
• Assurance asks for a guarantee
• Authenticity asks you to tell "who are you"
• Anonymity asks not to reveal identity
Assurance
• Refers to the issue of trust relationships in computer systems
• How to quantify trust
  • Binary
  • Fractional
• Trust involves
  • Policy - the behavioral expectation of an individual
  • Permissions - state what can be accessed and what not
  • Protections - mechanisms in place to implement policies and permissions
• Online purchase
  • You give your credit card to the merchant
  • It is expected that the merchant adheres to the stated policy on how they use your data
Authenticity
• Deals with knowing whether the users and system are entitled to what they do
  • Mainly from a legal angle
• A mechanism to verify the authenticity of an entity digitally
  • For example, an online portal says: order here by credit card payment and we will ship the item
  • How do we know whether it actually does, or
  • if someone is faking a message?
• Nonrepudiation - authentic statements
  • Digital signatures
Anonymity
• Deals with protecting personal identities in online transactions
  • Our credit card numbers, PAN numbers, health records, etc.
• Preserving privacy of users
  • Aggregation - sum up data from many users so that the aggregated data does not reveal anything about an individual
  • Mixing - such that no transaction can be traced to any individual
  • Proxies - trusted agents taking part in transactions on behalf of users
  • Pseudonyms - fictional identities which fill in for real identities
The Value of Your Network
• Lost data
  • Financial loss
• Confidential data
  • Danger of going into the wrong hands
• Downtime
  • Calling a customer care line which says "my server is down"
  • It looks cheap
• Staff time
  • Time invested in repairing and fixing the issue
• Hijacked computer
  • Reputation damage
  • Financial loss
Security Principles
• Economy of mechanism
  • The simpler a security mechanism is, the easier it is to understand
• Fail-safe defaults
  • The default configuration should be conservative
• Complete mediation
  • A security authority should check every action of a user
• Open design
  • The security design should be made public
• Separation of privilege
  • Multiple conditions should be required to get access
Security Principles
• Least privileges
  • Every program must have the bare minimum privileges it needs to run
• Least common mechanism
  • Sharing among users should be kept to a minimum
• Psychological acceptability
  • User interfaces should be intuitive
• Work factor
  • Tradeoff between the cost of breaking in and the value of the secret
• Compromise recording
  • Sometimes it is more desirable to record the details of an attack than to design a comprehensive security mechanism
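Several of the principles on these two slides (fail-safe defaults, complete mediation, separation of privilege, least privilege and compromise recording) show up together in a small reference monitor. The Python below is an added example, not code from the lecture: an access is allowed only if the policy lists it (default deny), every access to a resource passes through the monitor (complete mediation), a sensitive action needs a second independently authorised principal (separation of privilege), each principal is listed only for the actions its job needs (least privilege), and every decision is logged (compromise recording). The principals, resources and policy table are constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed policy for this example (not from the lecture): which principal
# may perform which action on which resource. Anything not listed is denied,
# and each principal is given only what its job needs (least privilege).
POLICY = {
    ("backup-job", "read", "/data/db"),
    ("backup-job", "write", "/backup"),
    ("web-app", "read", "/data/db"),
    ("operator", "delete", "/data/db"),
    ("auditor", "delete", "/data/db"),
}
# Separation of privilege: these actions also require a second, different
# principal who is independently permitted to perform them.
TWO_PERSON_ACTIONS = {"delete"}


@dataclass
class ReferenceMonitor:
    audit_log: list = field(default_factory=list)

    def check(self, principal: str, action: str, resource: str, approver: str = None) -> bool:
        # Fail-safe default: no matching policy entry means deny.
        allowed = (principal, action, resource) in POLICY
        if allowed and action in TWO_PERSON_ACTIONS:
            allowed = (approver is not None and approver != principal
                       and (approver, action, resource) in POLICY)
        # Compromise recording: every decision, denials included, is logged.
        self.audit_log.append((principal, action, resource, approver,
                               "ALLOW" if allowed else "DENY"))
        return allowed

    def denials(self) -> list:
        """The denied attempts are what an investigator reads first."""
        return [entry for entry in self.audit_log if entry[-1] == "DENY"]


def access(monitor: ReferenceMonitor, principal: str, action: str,
           resource: str, approver: str = None) -> str:
    """Complete mediation: the only path to a resource goes through the monitor
    on every call; there is no cached 'already checked' shortcut."""
    if not monitor.check(principal, action, resource, approver):
        raise PermissionError(f"{principal} may not {action} {resource}")
    return f"{action} on {resource} performed for {principal}"


if __name__ == "__main__":
    monitor = ReferenceMonitor()
    print(access(monitor, "web-app", "read", "/data/db"))
    try:
        access(monitor, "operator", "delete", "/data/db")      # no second approver
    except PermissionError as err:
        print("denied:", err)
    print(access(monitor, "operator", "delete", "/data/db", approver="auditor"))
    print("denied attempts logged:", len(monitor.denials()))
```

Economy of mechanism is served by keeping the whole decision in one short `check` method: a reviewer can read the entire policy enforcement in a few lines, which is what makes the open-design principle workable in practice.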
Vulnerability Disclosure Trends
[figure not reproduced in the transcript] Courtesy: Vulnerability Threats and Trends Report, NSS Labs, Stefan Frei
Vulnerability Criticality
[figure not reproduced in the transcript] Courtesy: Vulnerability Threats and Trends Report, NSS Labs, Stefan Frei
Complexity to Execute an Attack
[figure not reproduced in the transcript] Courtesy: Vulnerability Threats and Trends Report, NSS Labs, Stefan Frei
Top 10 Vendors by Vulnerabilities
[figure not reproduced in the transcript] Courtesy: Vulnerability Threats and Trends Report, NSS Labs, Stefan Frei