Computer Systems and Security

1
Computer Systems and Security

• --- New era of secure communications ---
• Lecture 1

2
Schedule

• 1. Computer Systems and Security
• 2. Introduction to Information and Network
  Security
• 3. Introduction to Cryptography
• 4. Cryptosystems, Hash Functions and Digital
  Signatures
• 5. Introduction to Firewalls
• 6. Security at the IP Layer
• 7. Security at the Transport Layer SSL and TLS
• 8. Electronic Mail, Web Security and Malicious
  code
• 9. Information and Network Security
  Authentication
• 10. Introduction to Wireless Security
• 11. Security of Large Computer Systems
• 12. Informal Test

3
Computer Security and Industries
Government and private intelligence communities
Internal threats (dishonest employees, software
failures etc.)
Business partners(customers, competitors,suppli
ers, etc.)
Hackers, investigator,reporters etc.
4
Vulnerabilities

• The three broad computing system resources are
• hardware
• interruption (denial of service), interception
  (theft)
• software
• interruption (deletion), interception,
  modification
• data
• interruption (loss), interception, modification
  and fabrication

5
Security facts believe it or not!

• Bank robbery through computers
• Industrial espionage on corporate information
• Loss of individual privacy (files, emails, chats,
  video conferencing, ...)
• Information vandalism (destroy backup, delete
  files, vandalise web pages, )
• Computer viruses
• (more can be found in comp.risks and other
  websites)

6
Computer Security e.g

• Attacks can be INTERNAL and EXTERNAL.
• INTERNAL
• altering data
• stealing source code
• damaging computer systems
• revealing confidential information
• intentionally writing bad code for later use
• etc.
• EXTERNAL
• Send malicious programs
• Scanning your network for vulnerabilities and
  attack it
• Sending viruses (for Windows and Unix)- annoying,
  destructive
• Etc.

7
Is Computer Threat Real?

• 1997 survey of 61 large companies that had
  firewalls (site had gt 1000 pcs Internet
  servers)
• 44 reported probes by outsiders
• 23 IP spoofing (used to break in hosts on the
  Internet)
• 10 email bombs
• 8 denial of service attacks
• 8 sendmail probes
• 89 reported that the firewall responded
  adequately

Internet sources
8
Computer Threat

• Computer Security Institute/FBI Survey
• 35 annual increases in data sabotage incidents
  from 1997 to 1999
• 25 annual increases in financial fraud
  penetrated on-line
• Abuse of network access increased over 20
  resulting losses of 8 billions
• Security breaches caused US15 billions losses in
  2000

Internet sources
9
Other Surveys

• Poll of 1,400 companies with gt 100 employees
• About 90 are confident with their firms network
  security
• But 50 failed to report break-ins
• 58 increased in spending on security
• 1997-2001,fortune firms lost US45 billions
  high-tech firms most vulnerable

Internet sources
10
Why Study Network Security?

• IT professionals will either design, build,
  manage software, manage a network of computers or
  teams of IT professionals
• Need to know possible security threads and
  solutions
• Security Experts are very well paid
• Computer Security is becoming one of the most
  important things that governments and industries
  need to spend money for
• Management staff need to know possible computer
  security threads to their companies
• Ordinary users are interested in knowing how to
  protect their computers and their works

11
Security Forms
Borrowed from Stalling 2001
12
Reactions to Security Threads

• Find methods for defence by active research in
  security privacy(numerous conferences each
  year)
• Enforce new laws
• Provide education and training
• Set up collaborations between governments,
  industries academia
• Employ computer security specialists

13
How Secure Should It Be?

• How should you spend the money on securing your
  system?
• University computer systems - ?
• Free Servers - ?
• Bank computer systems - ?
• Computer systems of department of defence - ?

14
Risk Analysis

• Before carrying out security policy, we need to
  evaluate the cost of implementing security
  measures as opposed to losing the data and
  information.
• Should you maximise security and minimise
  services?
• How can you provide maximum services with minimum
  risk?
• Which security path should you take?
• Hire experts?
• Purchase the best software?
• Wait-and-see?

15
Security and Cost Analysis
cost
100
security
16
Principles of Security

• Principle of easiest penetration
• an intruder will use any means of penetration
• Principles of timeliness
• items only need to be protected until they lose
  their value
• Principles of effectiveness
• controls must work, and they should be
  efficient, easy to use, and appropriate.

17
Attacks
18
Attacks Passive Types

• Passive (interception) eavesdropping on,
  monitoring of, transmissions.
• The goal is to obtain information that is being
  transmitted.
• Types here are release of message contents and
  traffic analysis.

19
Attacks Active Types

• Involve modification of the data stream or
  creation of a false stream.
• It can be subdivided into
• masquerade,
• replay,
• modification of messages, and
• denial of service.

20
Security Attacks - Taxonomy

• Interruption attack on availability
• Interception attack on confidentiality
• Modification attack on integrity
• Fabrication attack on authenticity

Properties that are compromised
21
Interruption

• Causes denial of services.
• Information resources (hardware, software and
  data) are deliberately made unavailable, lost or
  unusable, usually through malicious destruction.
• E.g cutting a communication line, disabling a
  file management system (e.g unmount a NFS file
  system), etc.

22
Interception

• Also known as un-authorised access.
• Difficult to trace as no traces of intrusion
  might be left.
• e.g illegal eavesdropping or wiretapping or
  sniffing, illegal copying.

23
Modification

• Also known as tampering a resource.
• Resources can be data, programs, hardware
  devices, etc.
• E.g intercept a message, change and send it
• E.g intercept a mobile application, change and
  send it

24
Fabrication

• also known as counterfeiting (of objects such as
  data, programs, devices, etc).
• Allows to by pass the authenticity checks.
• e.g insertion of spurious messages in a
  network, adding a record to a file, counterfeit
  bank notes, fake cheques,
• impersonation/masquerading
• E.g To pretend some authorised entity to gain
  access to data, services etc.

25
Security Attacks - Taxonomy
26
Decide what/where to control

• What should be the focus of the controls?
• For example should protection mechanisms focus
  on data or operations on that data or on the
  users who use the data?
• Since there are layers of technology, where
  controls should apply?
• Applications, services, operating systems,
  kernel, hardware.

27
Study Effectiveness of Controls

• Merely having controls does no good unless they
  are used properly. The factors that affect the
  effectiveness are
• Awareness of protection
• Likelihood of users
• Overlapping controls
• Periodic review

28
Methods of Defence

• Physical controls
• Lock, guards, backup of data and software, thick
  walls,
• Hardware firmware controls
• Apply security devices, smart cards, firmware
  passwords
• Software controls
• Set up firewalls, install software to enforce
  authentication, etc...

29
Methods of Defence (e.g)

• Prevention
• Using cryptographic techniques to encrypt
  information
• Using software tools to find possible security
  problems and fix them before any attack occurs
  (e.g, Scanning programs STAN, ISS)
• Using secure communications or firewalls to
  prevent certain attacks
• Etc.
• Detection
• Use hardware software tools and security
  expertise to detect both attempts to violate and
  successful security violations
• Recovery
• Using Backup recovery, software (COPS, Tiger,
  etc) to automatically check the systems and
  recover

30
Methods of Defence (cont)

• Regularly check your systems for security holes
• Study new software carefully before install or
  update your systems
• Carry out and review company security polices and
  procedures
• Educating users