IS 2150 / TEL 2810 Introduction to Security - PowerPoint PPT Presentation

About This Presentation

Title:

IS 2150 / TEL 2810 Introduction to Security

Description:

Instructor: James B. D. Joshi. 706A, IS Building. Phone: 412-624-9982 ... Tuesdays: 3.00 6.00 p.m. By appointments. GSA: Saubhagya R. Joshi ... – PowerPoint PPT presentation

Number of Views:79

Avg rating:3.0/5.0

Slides: 44

Provided by: PrashantKr93

Learn more at: http://www.sis.pitt.edu

Category:

more less

Transcript and Presenter's Notes

Title: IS 2150 / TEL 2810 Introduction to Security

1
IS 2150 / TEL 2810Introduction to Security

Lecture 1
August 31, 2006

2
Contact

Instructor James B. D. Joshi
706A, IS Building
Phone 412-624-9982
E-mail jjoshi_at_mail.sis.pitt.edu
Web http//www.sis.pitt.edu/jjoshi/
Office Hours
Tuesdays 3.00 6.00 p.m.
By appointments
GSA Saubhagya R. Joshi
Email srjoshi_at_mail.sis.pitt.edu
Office hours Wednesday 200-400PM
Place GIS Lab, 4th Floor

3
IS 2150 / TEL 2810

The objective of the course is to cover the
fundamental issues of information system security
and assurance.
Develop broad understanding of diverse issues
Certified by NSA
About 85 is based on the CNSS requirements
Core course for SAIS track
Course webpage http//www.sis.pitt.edu/jjoshi/co
urses/2007_1/IS2150SYL071.html

4
Course Outline

Intrusion Detection and Response (23, 25, ..)
Attack Classification and Vulnerability Analysis
Detection, Containment and Response/Recovery
Legal, Ethical, Social Issues
Evaluation, Certification Standards
Miscellaneous Issues (22, ..)
Malicious code, Mobile code
Digital Rights Management, Forensics
Watermarking,
E/M-commerce security, Multidomain Security
Identity/Trust Management

Security Basics (1-8)
General overview and definitions
Security models and policy issues
Basic Cryptography and Network security (9-12,
26)
Crypto systems, digital signature,
authentication, PKI
IPSec, VPN, Firewalls
Systems Design Issues and Information assurance
(13-21, 24)
Design principles
Security Mechanisms
Auditing Systems
Risk analysis
System verification

5
Course Material

Textbook
Introduction to Computer Security, Matt Bishop,
Errata URL http//nob.cs.ucdavis.edu/bishop/
Computer Security Art and Science, Matt Bishop
is fine too
Other Recommended
Security in Computing, Charles P. Pfleeger,
Prentice Hall
Inside Java 2 Platform Security, 2nd Edition, L.
Gong, G. Ellision, M. Dageforde
Security Engineering A Guide to Building
Dependable Distributed Systems, Ross Anderson,
Wiley, John Sons, Incorporated, 2001
Supplemental readings will be provided

6
Prerequisites

Assumes the following background
Programming skill
Some assignments in Java
Working knowledge of
Operating systems, algorithms and data
structures, database systems, and networks
Basic Mathematics
Set, logic, induction techniques, data
structure/algorithms
Not sure? SEE ME

7
Grading

Lab Homework/Quiz/Paper review 40
Exams 40 includes
Midterm 20
Final 20
Paper/Project 20
List of suggested topics will be posted
Encouraged to think of a project/topic of your
interest
Some other
Seminar and participation

8
Course Policies

Your work MUST be your own
Zero tolerance for cheating/plagiarism
You get an F for the course if you cheat in
anything however small NO DISCUSSION
Discussing the problem is encouraged
Homework
Penalty for late assignments (15 each day)
Ensure clarity in your answers no credit will
be given for vague answers
Sample solutions will be provided
Check webpage for everything!
You are responsible for checking the webpage for
updates

Overview of
Security Assured Information Systems
Track

10
LERSAIS

Laboratory of Education and Research in Security
Assured Information Systems
Established in 2003
National Center of Academic Excellence in
Information Assurance Education Program
A US National Security Agency program initiated
in 1998 through a presidential directive to
SECURE the Cyberspace
Partnered by Department of Homeland Security
since 2003
There are 70 such centers now
Designation requires meeting a set of criteria
Basic IA curriculum
Strong research activity
LERSAIS is Pitts representative center
Website http//www.sis.pitt.edu/lersais/

11
IA Education _at_Pitt

Pitts IA curriculum has been certified for
Committee on National Security Systems IA
Standards
CNSS 4011 Information Security Professionals
CNSS 4012 Designated Approving Authority
CNSS 4013 System Administrator in Information
Systems Security
CNSS 4014 Information Systems Security Officer
CNSS 4015 System Certifiers
Pitt is one among 12 Institutions in the US and
only one in the State of Pennsylvania to have all
certifications
Website http//www.sis.pitt.edu/sais/

12
IA Education _at_Pitt Grants

NSF Scholarship for Service Grant
First award (286,710)
For the development of the curriculum
Second award (1,055,553)
For establishing a scholarship program
Department of Defense Information Assurance
Scholarship (DoD IASP)
Support for 4 National Defense University
Students to pursue IA degree at Pitt
CISCO Critical Infrastructure Assurance Group
Equipment grant winner of Year Spring-2005
Equipments worth 130,000

13
IA Education _at_Pitt Tracks/Courses
Master of Science in Information Sciences Master of Science in Telecommunications and Networking Certificate of Advanced Studies (CNSS Certifications)
Courses Introduction to Security Developing Secure Systems Cryptography Security in E-commerce Network Security Security Management Capstone course Information System and Network Infrastructure Protection Information Ethics Legal Issues in Information Handling
14
NSF IA Scholarship _at_ Pitt

New scholarship starting this Fall
Support include
Stipend of 12,000/year
Tuition and fees
Students should be
In the track (MSIS/MST)
Within last 2 years of completing the PhD studies
Support for up to 2 years
Work in Gov for the equal amount of time
Summer internship is required
Citizenship is required
Need to obtain clearance for work in Gov

Website will be created shortly for now check
out http//www.sfs.opm.gov/
15
NSF IA Scholarship _at_ Pitt

Less chance for the following
If you have less than one year of study
If you want to work fulltime and study under
scholarship
Scholarship students will have to
Involve in some activities of LERSAIS
University activities of importance
Mentor future scholarship students

16
MSIS Security Assured Information Systems Track
Foundations (6 credits)
Cognitive Systems (6 credits)
Systems and Technology (9 credits SAIS Track 9
ST) (18 credits)
Electives (3 Credits SAIS Track 3 Credits ST)
IS-2000 Intro to Info Sc IS-2170 Cryptography

IS-2300 Human Information Processing IS-2470
Interactive System Design OR IS-2350 Human
Factors In Systems
IS-2550 Client-Sever IS2710 DBMS IS-2511
Adv. Anal. Des. OR IS-2540 Soft Engg.
IS2150 Intro to ComSec TEL-2821 Net Sec TEL
2830/IS-2190 Capstone Course in Security
IS-2570 Dev sec Systems IS-2771 Sec in
E-Comm IS2810/TEL-2813 Sec Mgmt LIS-2194 Info
Ethics LIS-2184 Legal issues in Handling
Info One ST Electives (may include another of
the SAIS course elective)
17
MST Security Assured Information Systems Track
Core Required (9 credits)
Human Comm Mgmt/Policy (6 credits)
Protocols and Design (6 credits)
SAIS Track Core (12 credits)
SAIS Track Electives (3 credits)
TEL-2210 Electronic Comm II TEL-2120
Network Performance TEL-2310 Computer Networks

IS-2300 Human Information Processing TEL-2510
US Telecom Policy OR TEL-2511 Intl. Telecom
Policy OR LIS-2194 Information Ethics
TEL-2110 Network Design TEL-2121 Network
Mgt. TEL-2320 LANs TEL-2321 WANs TEL-2720 Cellu
lar Radio and PCS TEL-2721 Mobile Data
Networks
IS2150/TEL-2810 Intro To Security IS2170/TEL-282
0 Cryptography TEL-2821 Network Security IS219
0/TEL-2830 Capstone Course in Security
TEL-2825 Infrs. Protection IS-2771 Security in
E-Commerce IS-2810/TEL-2813 Security Management
TEL-2829 Adv. Cryptography OR Other Electives
18
Education _at_PittCertificate of Advanced Studies
Basic IA Studies Advanced IA Studies Advanced IA Studies
Pre-requisite MSIS, MST or MS in related areas Pre-requisite MSIS, MST or MS in related areas Pre-requisite MSIS, MST or MS in related areas
15 credits of coursework Three SAIS Core courses (9) Systems Technology course (3) Capstone (3) 15 credits of coursework Three SAIS Core courses (9) Systems Technology course (3) Capstone (3) 24 credits of coursework Three SAIS Core courses (9) Security management (3) One IA Elective (3) 2 Systems-Tech electives (6) Capstone (3)
Certificates CNSS 4011, 4012, and 4013 Certificates CNSS 4011, 4012, and 4013 Certificates CNSS 4011, 4012, 4013, 4014A, and 4015
19
Expected Pre-requisite Structure
IS-2150 TEL-2810 Intro to Security
TEL-2000 TEL-2120
IS-2510 IS-2511 IS-2550 IS-2710
IS-2160 TEL-2820 Cryptography
TEL-2821 Network Security
TEL-2825 Infrs. Protection
IS-2570 Dev. Secure Systems
IS-2820/TEL-2813 Security Management
IS-2771 E-commerce Security
TEL-2830/IS2190 Capstone
Check SIS web pages for new course numbers
TEL-2829 Adv. Cryptography
IS-2939 TEL-2938 Advanced Topics
20
The Department of Information Science and
Telecommunications Laboratory of Education and
Research on Security Assured Information Systems
(LERSAIS), a National Center of Academic
Excellence in Information Assurance Education
(2004-2007), hereby certifies that Mr. John
Smith has successfully completed the
requirements for the DISTs IA certification in
Fall 2004
The DISTs IA certification requires a student to
demonstrate competence in the following three IA
courses TELCOM 2810 Introduction to Computer
Security TELCOM 2820 Cryptography TELCOM 2821
Network Security These three courses have been
certified by the National Security Agency (NSA)
as meeting the following IA education standards
set by the Committee on National Systems Security
(CNSS) NSTISSI No. 4011, Information Systems
Security Professionals NSTISSI No. 4012,
Designated Approving Authority NSTISSI No.
4013, System Administrators in Information
Systems Security
SAMPLE
Ronald Larsen (Dean, School of Information
Sciences)
21
Introduction to Security

Overview of Computer Security

22
Information Systems Security

Deals with
Security of (end) systems
Examples Operating system, files in a host,
records, databases, accounting information, logs,
etc.
Security of information in transit over a network
Examples e-commerce transactions, online
banking, confidential e-mails, file transfers,
record transfers, authorization messages, etc.
Using encryption on the internet is the
equivalent of arranging an armored car to deliver
credit card information from someone living in a
cardboard box to someone living on a park bench
Gene Spafford

23
Basic Components of Security
CIA

Confidentiality
Keeping data and resources secret or hidden
Integrity
Ensuring authorized modifications
Includes correctness and trustworthiness
May refer to
Data integrity
Origin integrity
Availability
Ensuring authorized access to data and resources
when desired

Trust Management (Emerging Challenge)
24
CIA-based Model
NSTISSC 4011 Security Model (CNSS 4011)
25
Basic Components of Security

Additional from NIST (National Institute of
Standards and Technology
Accountability
Ensuring that an entitys action is traceable
uniquely to that entity
Security assurance
Assurance that all four objectives are met
Other
Non-repudiation
false denial of an act

26
Interdependencies
confidentiality
integrity
Integrity
confidentiality
availability
accountability
Integrity
confidentiality
Integrity
confidentiality
27
Security - Years back

Physical security
Information was primarily on paper
Lock and key
Safe transmission
Administrative security
Control access to materials
Personnel screening
Auditing

28
Information security today

Emergence of the Internet and distributed systems
Increasing system complexity
Open environment with previously unknown entities
interacting
Digital information needs to be kept secure
Competitive advantage
Protection of assets
Liability and responsibility

29
Information security today

Financial losses
The FBI estimates that an insider attack results
in an average loss of 2.8 million
There are reports that the annual financial loss
due to information security breaches is between 5
and 45 billion dollars
National defense
Protection of critical infrastructures
Power Grid Air transportation SCADA
Interlinked government agencies
Bad Grade for most of the agencies (GAO Reports)
DHS gets a failing grade (2005) !!

30
Terminology
Security Architecture
Requirements Policies
Requirements Policies
Security Features or Services
Resources Assets Information
Attackers/Intruders/ Malfeasors
Security Models/ Mechanisms
31
Attack Vs Threat

A threat is a potential violation of security
The violation need not actually occur
The fact that the violation might occur makes it
a threat
It is important to guard against threats and be
prepared for the actual violation
The actual violation of security is called an
attack

32
Common security attacks

Interruption, delay, denial of receipt or denial
of service
System assets or information become unavailable
or are rendered unavailable
Interception or snooping
Unauthorized party gains access to information by
browsing through files or reading communications
Modification or alteration
Unauthorized party changes information in transit
or information stored for subsequent access
Fabrication, masquerade, or spoofing
Spurious information is inserted into the system
or network by making it appear as if it is from a
legitimate entity
Repudiation of origin
False denial that an entity did (send/create)
something

33
Classes of Threats (Shirley)

Disclosure unauthorized access to information
Snooping
Deception acceptance of false data
Modification, masquerading/spoofing, repudiation
of origin, denial of receipt
Disruption interruption/prevention of correct
operation
Modification
Usurpation unauthorized control of a system
component
Modification, masquerading/spoofing, delay,
denial of service

34
Policies and Mechanisms

A security policy states what is, and is not,
allowed
This defines security for the site/system/etc.
Policy definition Informal? Formal?
Mechanisms enforce policies
Composition of policies
If policies conflict, discrepancies may create
security vulnerabilities

35
Goals of Security

Prevention
To prevent someone from violating a security
policy
Detection
To detect activities in violation of a security
policy
Verify the efficacy of the prevention mechanism
Recovery
Stop policy violations (attacks)
Assess and repair damage
Ensure availability in presence of an ongoing
attack
Fix vulnerabilities for preventing future attack
Retaliation against the attacker

36
Assumptions and Trust

Policies and mechanisms have implicit assumptions
Assumptions regarding policies
Unambiguously partition system states into
secure and nonsecure states
Correctly capture security requirements
Mechanisms
Assumed to enforce policy i.e., ensure that the
system does not enter nonsecure state
Support mechanisms work correctly

37
Types of Mechanisms

Let P be the set of all the reachable states
Let Q be a set of secure states identified by a
policy Q ? P
Let the set of states that an enforcement
mechanism restricts a system to be R
The enforcement mechanism is
Secure if R ? Q
Precise if R Q
Broad if there are some states in R that are not
in Q

38
Types of Mechanisms
broad
precise
secure
set R
set Q (secure states)
39
Information Assurance

Information Assurance Advisory Council (IAAC)
Operations undertaken to protect and defend
information and information systems by ensuring
their availability, integrity, authentication,
confidentiality and non-repudiation
National Institute of Standards Technology
Assurance is the basis for confidence that the
security measures, both technical and
operational, work as intended to protect the
system and the information it processes

40
Assurance

Assurance is to indicate how much to trust a
system and is achieved by ensuring that
The required functionality is present and
correctly implemented
There is sufficient protection against
unintentional errors
There is sufficient resistance to intentional
penetration or by-pass
Basis for determining this aspect of trust
Specification
Requirements analysis
Statement of desired functionality
Design
Translate specification into components that
satisfy the specification
Implementation
Programs/systems that satisfy a design