Download Security - UMD Department of Computer Science

Survey
yes no Was this document useful for you?
   Thank you for your participation!

* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project

page
1
page
2
page
3
page
4
page
5
page
6
page
7
page
8
page
9
page
10
page
11
page
12
page
13
page
14
page
15
page
16
page
17
page
18
page
19
page
20
page
21
page
22
page
23
page
24
page
25
page
26
page
27
page
28
Document related concepts
no text concepts found
Transcript 
CMSC 414
Computer and Network Security
Jonathan Katz
Introduction and overview
 What is computer/network security?
 Course philosophy and goals
 High-level overview of topics
 Course organization and information
“Security”
 Most of computer science is concerned with
achieving desired behavior
 In some sense, security is concerned with
preventing undesired behavior
– Different way of thinking!
– An enemy/opponent/hacker/adversary may be
actively and maliciously trying to circumvent
any protective measures you put in place
Broader impacts of security
 Explosive growth of interest in security
– Most often following notable security failures…
 Impact on/interest from all (?) areas of CS
– Theory (especially cryptography)
– Databases
– Operating systems
– AI/learning theory
– Networking
– Computer architecture/hardware
– Programming languages/compilers
– HCI
Philosophy
 We are not going to be able to cover
everything
 Main goals
– Exposure to different aspects of security; meant
mainly to “pique” your interest
– The “mindset” of security: a new way of
thinking…
– Become familiar with basic crypto, acronyms
(RSA, SSL, PGP, etc.), and “buzzwords”
Student participation (I hope!)
 Papers listed on course webpage
– Read these before class and come prepared to
discuss
 Monitor the media
– Email me relevant/interesting stories
 Class participation counts!
High-level overview
 Introduction…
– What do we mean by security?
– Is security achievable…?
 Cryptography
– Cryptography is not the (whole) solution…
– …but is is an important part of the solution
– Along the way, we will see why cryptography
can’t solve all security problems
High-level overview II
 System security
– General principles
– Security policies
– Access control; confidentiality/integrity
– OS security
– “Trusted computing”
High-level overview III
 Network security
– Identity
– Authentication and key exchange protocols
– Anonymity and pseudonymity
– Some real-world protocols
High-level overview IV
 Application-level security
– Web-based security
– Buffer overflows; secure programming and
sandboxing
– Viruses, worms, and malicious code
Course Organization
Staff
 Me
 TAs
 Contact information, office hours, listed on
course webpage
Course webpage
http://www.cs.umd.edu/~jkatz/comp_sec
 Contains course organization, updated syllabus,
various links, etc.
– Also links to papers!
– Slides posted for convenience, but no substitute for
attending lecture
 Homeworks distributed from the course webpage
 Check often for announcements
Textbooks
 I will primarily use two texts:
– “Security in Computing” by Pfleeger and
Pfleeger
– “Network Security…” by Kaufman, Perlman,
and Speciner
 Neither is officially required, but both will
make it easier to follow the course
 Both are on reserve in the library
Other readings
 Will be linked from the course webpage
 Material from these readings is fair game
for the exams, even if not covered in class
(unless stated otherwise)
 Please suggest other readings or relevant
news articles!
Course requirements
 Homeworks and project
– About 4-5 HWs throughout the semester
– Programming portion will be done with a
partner
– Will require implementation using JCE
– TAs will help with using JCE and Java…
– Details about project to come…
Computer accounts
 Each student will receive a computer
account for homeworks and the project
 Accounts will be assigned in the next class
Security is Harder than it
*And
*
Seems
it already seems quite hard!
Some terminology
 Confidentiality
 Integrity
 Availability
 Often, these are conflicting goals…
“We are all Security Customers”
 Security is always a trade-off
 The goal should never be “to make the
system as secure as possible”…
 …but instead, “to make the system as
secure as possible within certain
constraints” (cost, usability, convenience)
Cost-benefit analysis
 Important to evaluate what level of security
is necessary/appropriate
– Cost of mounting a particular attack vs. value
of attack to an adversary
– Cost of damages from an attack vs. cost of
defending against the attack
– Likelihood of a particular attack
“More” security not always better
 “No point in putting a higher post in the
ground when the enemy can go around it”
 Need to identify the weakest link
 Security of a system is only as good as the
security at its weakest point…
 Security is not a “magic bullet”
 Security is a process, not a product
Human factors
 E.g., passwords…
 Outsider vs. insider attacks
 Software misconfiguration
 Not applying security patches
 Social engineering
 Physical security
Importance of precise specification
 Security policy
– Statement of what is and is not allowed
 Security mechanism
– Method for enforcing a security policy
 One is meaningless without the other…
Prevention not the only concern
 Detection and response
– How do you know when you are being
attacked?
– How quickly can you stop the attack?
– Can you prevent the attack from recurring?
 Recovery
– Can be much more important than prevention
 Legal issues?
“Managed security monitoring”
 Is the state of network security this bad?
 Network monitoring; risk management
– Attacks are going to occur; impossible to have
complete protection
 Security as a process, not a product…
“Trusting trust”
 Whom do you trust?
 Does one really need to be this paranoid??
– Probably not
– Sometimes, yes
 Shows that security is complex…and
essentially impossible
 Comes back to risk/benefit trade-off
Nevertheless…
 In this course, we will focus on security in
isolation
 But important to keep in the back of your
mind the previous discussion…
– …and if you decide to enter the security field,
learn more about it!
Related documents
Security - Computer Science Department
Security - Computer Science Department
Evidence of Common Ancestry
Evidence of Common Ancestry
ICS 143 - Introduction to Operating Systems
ICS 143 - Introduction to Operating Systems
The Internet I 1/2 - SEE-ICT
The Internet I 1/2 - SEE-ICT
Reliable Sources Worksheet
Reliable Sources Worksheet
Communication Plan
Communication Plan
The Organelle Trail
The Organelle Trail
Chapter 1
Chapter 1
commission on higher education
commission on higher education
CS 153: Design of Operating Systems (Spring 2011)
CS 153: Design of Operating Systems (Spring 2011)
Cryptography and Inverse Linear Function Powerpoint
Cryptography and Inverse Linear Function Powerpoint
MIX NETWORKS
MIX NETWORKS
lec01
lec01
CS 153 Design of Operating Systems
CS 153 Design of Operating Systems
11jce
11jce
(Public-Key) Cryptography
(Public-Key) Cryptography
Symmetric-Key Cryptography - Sensorweb Research Laboratory
Symmetric-Key Cryptography - Sensorweb Research Laboratory
8. managing data resources
8. managing data resources
Still Image Compression
Still Image Compression
General
General