Scribd
Upload
29 views

Introduction To Computer Security Slide Set 1: CS498IA Spring 2007 Nikita Borisov

This document outlines the topics to be covered in an introduction to computer security course. It includes an administrative section about the instructor, grades, and related courses. The content section previews key computer security concepts like threats, policies, mechanisms, trust, assurance, and both technical and human aspects. Sample topics are access control, risk analysis, cryptography, and security design principles.

Uploaded by

kashokcse16
Copyright
© © All Rights Reserved
Available Formats
Download as PPT, PDF, TXT or read online on Scribd
29 views

Introduction To Computer Security Slide Set 1: CS498IA Spring 2007 Nikita Borisov

This document outlines the topics to be covered in an introduction to computer security course. It includes an administrative section about the instructor, grades, and related courses. The content section previews key computer security concepts like threats, policies, mechanisms, trust, assurance, and both technical and human aspects. Sample topics are access control, risk analysis, cryptography, and security design principles.

Uploaded by

kashokcse16
Copyright
© © All Rights Reserved
Available Formats
Download as PPT, PDF, TXT or read online on Scribd
You are on page 1/ 30

Introduction to Computer

Security
Slide Set 1
CS498IA
Spring 2007
Nikita Borisov

Based on slides provided by Matt Bishop for use with


Computer Security: Art and Science
Outline
• Administrative Issues
• Class Overview
• Information Assurance Overview
– Components of computer security
– Threats
– Policies and mechanisms
– The role of trust
– Assurance
– Operational Issues
– Human Issues
Reading
• For this lecture:
– First Chapter of Computer Security: Art and
Science
• For next lecture:
– Read Chapter 2 of Computer Security: Art and
Science
Administrivia
• Instructor
– Nikita Borisov
• Communications
– Class web page http://www.cs.uiuc.edu/class/sp07/cs498ia
– Newsgroup class.cs498ia
• Office Hours:
– TBA
• Grades
– 2 midterms
– 1 final
– approx. bi-weekly homeworks
– extra project for graduate students taking IA4
Grading Scheme
IA3 IA4

Midterms 20% each 15% each

Final 40% 30%

Homeworks 20% 15%

Project N/A 25%


Security Classes at UIUC
• Security course roadmap
– http://iti.uiuc.edu/roadmaps/security-roadmap.html
• Two course security introduction sequence
– Cover “Computer Security: Art and Science” by Matt Bishop
– Introduction to Computer Security (CS461)
• Covers NSA 4011 security professional requirements
• A broad overview of security.
– Computer Security (CS463)
• Covers more advanced topics
• Covers introductory topics in greater depth
Security Classes at UIUC
• Applied Computer Security Lab - CS460
– Taught in spring
– With CS461 covers NSA 4013 system administrator requirements
– Project oriented course. Hands on experience to reinforce how basic
security concepts are implemented today.
• Advanced Computer Security - CS598cag
– Prepares students for research in computer security
– Seminar style course
• Cryptography
– Math 595/ECE 559
• Reading Group
– Listed as CS591rhc
– Student lead group. Reads and discusses current security research papers.
Write on Card
1. Your name & netid
2. Your year (if undergrad) or advisor (if
grad)
3. 400- & 500- level courses you’ve taken
4. Why you’re interested in computer
security
Why I Like Security
• You get to be paranoid

• You get to look at systems in a broad


context
Brief History of Computer
Security

“With the explosive growth of the


Internet, there has been a rise in
importance of computer security”
Time Lag
• Internet is 35 years old
– Was designed without security provisions

• “Explosive growth” started in mid-’90s


– Security not a priority until much later

• Explosive growth of desktops started in


’80s
– Also no emphasis on security
A less brief history
• Interest in computer security very old
– But largely confined to the military

• Other communities did not care


– Internet - it’s only a research network, who
would attack it?

– Desktops - who needs military security, I just


want to run my spreadsheet!
Important Events
• Morris worm - 1988
– Brought down a large fraction of the Internet
– Academic interest in network security
• E-commerce - mid ‘90s
– Industrial interest in network security protocols
• Resurgence of worms - early ‘00s
– Made computer security a household term
Class Topics
• Introduction and motivation
• Security Policies: Access Control Matrix, Confidentiality and integrity
policies
• Trusted Operating Systems
• Risk Analysis
• Legislation and security
• Applied Cryptography: basic crypto, key management, cipher
techniques, authentication
• Network security mechanisms
• Legal and ethical issues in security
• Security design principles, assurance techniques, Auditing
• System evaluation
• Code vulnerabilities and malicious programs
• Physical security
• EMSEC
• Hardware-enforced security
Basic Components
• Confidentiality
– Keeping data and resources hidden
• Integrity
– Data integrity (integrity)
– Origin integrity (authentication)
• Availability
– Enabling access to data and resources
Classes of Threats
• Disclosure
– Snooping
• Deception
– Modification, spoofing, repudiation of origin, denial of
receipt
• Disruption
– Modification
• Usurpation
– Modification, spoofing, delay, denial of service
Types of Attackers
• Unskilled hacker (“script-kiddie”)
• Skilled hacker
• Organized crime
• Nation-states
Policies and Mechanisms
• Policy says what is, and is not, allowed
– This defines “security” for the site/system/etc.
• Mechanisms enforce policies
• Composition of policies
– If policies conflict, discrepancies may create
security vulnerabilities
Goals of Security
• Prevention
– Prevent attackers from violating security policy
• Detection
– Detect attackers’ violation of security policy
• Recovery
– Stop attack, assess and repair damage
– Continue to function correctly even if attack
succeeds
Trust and Assumptions
• Underlie all aspects of security
• Policies
– Unambiguously partition system states
– Correctly capture security requirements
• Mechanisms
– Assumed to enforce policy
– Support mechanisms work correctly
Login Program
check_password(user, pass) {
if (user = “ken” and password = “xyzzy”) {
A return OK
}
...
}
Compiler Program
compile(source) {
if (match(source, “check_password”)) {
B insert(source, A)
}
...
}
Compiler Program
compile(source) {
if (match(source, “check_password”)) {
B insert(source, A)
}
if (match(source, “compile”)) {
insert(source, B);
}
...
}
Compiler Program
compile(source) {
if (match(source, “check_password”)) {
insert(source, A)
}
B if (match(source, “compile”)) {
insert(source, B);
}
...
}
Types of Mechanisms

secure precise broad

set of reachable states set of secure states


Assurance
• Specification
– Requirements analysis
– Statement of desired functionality
• Design
– How system will meet specification
• Implementation
– Programs/systems that carry out design
Operational Issues
• Cost-Benefit Analysis
– Is it cheaper to prevent or recover?
• Risk Analysis
– Should we protect something?
– How much should we protect this thing?
• Laws and Customs
– Are desired security measures illegal?
– Will people do them?
Human Issues
• Organizational Problems
– Power and responsibility
– Financial benefits
• People problems
– Outsiders and insiders
– Social engineering
Tying Together
Information
Threats
Policy
Specification

Design

Implementation

Operation
Key Points
• Policy defines security, and mechanisms
enforce security
– Confidentiality
– Integrity
– Availability
• Trust and knowing assumptions
• Importance of assurance
• The human factor

You might also like