Introduction
Vandals
– Commercial and political reasons
– Mostly, nut cases and irresponsible kids (“script kiddies”)
Joy riders
– Technically skilled
– Psychologically challenged
– Again, mostly kids
Insiders!
EDUCATION!!
Security and People
People, not technology, are often the weakest link
– Create awareness and educate people that security matters
– Create business processes that enhance security
• accurate provisioning, password mgmt, stronger authentication,
segregation of duty
1/2002, hacker penetrates financial software maker Online Resources; then uses
this to hack into a NY bank and steal account data; then extorts the bank
2007 - Theft of laptops and PDAs is top security concern for CIOs
2008 – Identity theft is top concern for individuals (1 in 6 Americans last year!)
2009 – Data Leakage is a key concern for security and compliance officers
70% of all cases are “internal work” – profit, revenge, and ignorance
Nightmare Scenario #2:
Our communication can be exposed
In 16th century, Mary Queen of Scots loses her head when her coded
messages are deciphered
In WWII, many German U-boats were destroyed once the British were
able to decipher their Enigma messages
Massive defacing
– 2001- hacker group defaces 679 sites in 1 minute
– 2003 - Blackhat defacing competition: winner must deface 6000 sites asap
Main Textbook
– “Network Security Essentials: Applications and Standards” /
William Stallings (old edition OK)
Highly recommended
– Applied Cryptography / Bruce Schneier
Credits: 3
Open to CS MSc, and BSc (2nd and 3rd year) students
[Figure: Example exchange between Alice and Bob through a Trusted Server; the arrow labels did not survive extraction beyond fragments that appear to read PubK(Bob) and Comm(Alice)]
Authorization
– A principal must be authorized before gaining access to specific data or
other computing resources.
• E.g., file-system permissions, firewall rules, an application's own authorization model
• Enforced at various levels of granularity (host, file, record, field)
ITU/IETF X.800: Security Threats,
Attacks, Services, and Mechanisms
Security Threat: a potential violation of security, i.e., a possible attack on
systems or on the information they protect
Examples of attacks:
– Intrusion
– Eavesdropping
– Impersonation
– Viruses / Worms
– Denial of service
– Man-in-the-middle
– Reflection attack
– Replay attack
– Password cracking
– Data/code modification
– Fraudulent attribution
– Repudiation
X.800 Security Services
Authentication
– Identify peers, Source authentication for data
Access Control
– Who can access what
Data Confidentiality
– Connection, Connectionless, Selective-field, Traffic-flow (hiding who talks to whom, and how much)
Data Integrity
– With or without recovery
Non-repudiation
– Origin, Destination, Both
Availability
– A service on its own, or a property of other services
Security Mechanisms
Specific use of certain algorithms, protocols, and procedures
to provide one or more security services
Examples
– Authentication – use a password, fingerprint, magnetic card (ideally more than one factor)
– Access Control – specify access rights based on the user id,
role/group to specific transactions and/or specific content
– Data Confidentiality – encrypt information using a specific algorithm
– Data Integrity – detect (and, where the service allows, recover from) unauthorized change to content
– Non-Repudiation – use a digital signature so the originator cannot later deny the message
– Availability – increase resiliency, filter malicious traffic
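The following is an added example, not part of the lecture slides, that puts the mechanisms above behind four of the X.800 services (confidentiality, integrity, data-origin authentication, non-repudiation) plus the role-based authorization from the earlier Authorization slide. It uses only Go's standard library. The roles, actions and the sample message are constructed for the demonstration; the key is generated on the spot. The security-relevant contrast it shows is the one the slides only name: an HMAC authenticates origin between two parties that share a key, but cannot give non-repudiation, because either party could have produced the tag; a signature can.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// newGCM builds an AES-GCM AEAD for a 16-, 24- or 32-byte key.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt gives data confidentiality (AES-GCM) and, via the GCM tag,
// data integrity "without recovery": tampering is detected, not repaired.
// Output layout: nonce || ciphertext || tag.
func Encrypt(key, plaintext []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// Decrypt returns an error (and no plaintext) if even one bit was changed.
func Decrypt(key, msg []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(msg) < aead.NonceSize() {
		return nil, errors.New("message too short")
	}
	return aead.Open(nil, msg[:aead.NonceSize()], msg[aead.NonceSize():], nil)
}

// Tag / VerifyTag: data-origin authentication with a shared key (HMAC-SHA256).
// hmac.Equal compares in constant time, so verification does not leak the tag.
func Tag(key, data []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(data)
	return m.Sum(nil)
}

func VerifyTag(key, data, tag []byte) bool {
	return hmac.Equal(Tag(key, data), tag)
}

// NewSigner / Sign / Verify: non-repudiation of origin with Ed25519.
// Only the private-key holder can sign; anyone with the public key can check.
func NewSigner() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

func Sign(priv ed25519.PrivateKey, msg []byte) []byte {
	return ed25519.Sign(priv, msg)
}

func Verify(pub ed25519.PublicKey, msg, sig []byte) bool {
	return ed25519.Verify(pub, msg, sig)
}

// Authorized: role-based access control. Roles and actions are hypothetical;
// an unknown role or action falls through to false (default deny).
var rolePerms = map[string]map[string]bool{
	"teller":  {"read_balance": true},
	"manager": {"read_balance": true, "approve_transfer": true},
}

func Authorized(role, action string) bool {
	return rolePerms[role][action]
}

func main() {
	key := make([]byte, 32) // demo key; in practice it comes from a KDF or key store
	rand.Read(key)
	msg := []byte("transfer 100 to account 42") // constructed sample message

	ct, _ := Encrypt(key, msg)
	pt, err := Decrypt(key, ct)
	fmt.Printf("decrypt ok: %v, text=%q\n", err == nil, pt)
	ct[len(ct)-1] ^= 1 // flip one bit of the tag
	_, err = Decrypt(key, ct)
	fmt.Printf("tampered message rejected: %v\n", err != nil)

	tag := Tag(key, msg)
	fmt.Printf("hmac verifies: %v\n", VerifyTag(key, msg, tag))

	pub, priv, _ := NewSigner()
	sig := Sign(priv, msg)
	fmt.Printf("signature verifies: %v, after edit: %v\n",
		Verify(pub, msg, sig), Verify(pub, []byte("transfer 999 to account 42"), sig))

	fmt.Printf("teller may approve_transfer: %v\n", Authorized("teller", "approve_transfer"))
}
```

Note that the same 32-byte key is reused for AES-GCM and HMAC here only to keep the example short; in a real design each purpose gets its own key, and availability (the remaining X.800 service) is not something a single program can demonstrate, since it lives in redundancy and traffic filtering around the system.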