CS 477 Computer Security - PowerPoint PPT Presentation

Slides: 28
Provided by: wazu

Transcript and Presenter's Notes

1
CS 477 Computer Security
Prof. W. A. Zuniga-Galindo
E-mail: wzuniga_at_mail.barry.edu
Phone: (305) 899-3616
Office: Garner 210
Home page: http://Euclid.barry.edu/zuniga
2
References
  • Textbook
  • William Stallings, Network Security Essentials,
    Second Edition, Prentice Hall, 2002
  • Charles P. Pfleeger and Shari Lawrence Pfleeger,
    Security in Computing, Third Edition, 2003

3
Structure of Course
  • Core
  • Introduction (Basic Ideas and Vocabulary)
  • Symmetric Encryption
  • Introduction to Number Theory
  • Public-Key Encryption
  • PGP

4
Structure of Course
  • Student Presentations
  • Security In Networks 
  • Authentication Applications
  • IP Security
  • Web Security
  • Administering Security
  • Intruders and Viruses
  • Legal and Ethical Issues in Computer Security

5
Introduction
  • Computer Security is a generic name for the
    collection of tools designed to protect data and
    to thwart (frustrate) hackers.
  • A collection of interconnected networks is called
    an internet.
  • This course is dedicated to Network Security (or
    internet Security), which consists of measures to
    deter, prevent, detect, and correct security
    violations that involve the transmission of
    information.

6
Examples of Security Violations
  • User A transmits a file to user B. The file
    contains sensitive information (e.g. payroll
    records) that is to be protected from
    disclosure. User C, who is not authorized to read
    the file, is able to monitor the transmission and
    captures a copy of the file during its
    transmission.

7
Examples of Security Violations
  • A network management application, D, transmits a
    message to a computer, E, under its management.
    The message instructs computer E to update an
    authorization file to include the identities of a
    number of new users who are to be given access to
    that computer. User F intercepts the message,
    alters its contents to add or delete entries, and
    then forwards the message to E, which accepts the
    message as coming from the manager D and updates
    its authorization file accordingly.

8
Examples of Security Violations
  • An employee is fired without warning. The
    personnel manager sends a message to a server
    system to invalidate the employee's account. When
    the invalidation is accomplished, the server is
    to post a notice to the employee's file as
    confirmation of the action. The employee is able
    to intercept the message and delay it long enough
    to make a final access to the server to retrieve
    sensitive information. The message is then
    forwarded, the action is taken, and the
    confirmation posted. The employee's action may go
    unnoticed for some considerable time.

9
Examples of Security Violations
  • A message is sent from a customer to a
    stockbroker with instructions for various
    transactions. Subsequently, the investments lose
    value and the customer denies sending the
    message.

10
Attacks, Services, and Mechanisms
  • Security Attack: Any action that compromises
    the security of information owned by an
    organization.
  • Security Mechanism: A mechanism that is designed
    to detect, prevent, or recover from a security
    attack.
  • Security Service: A service that enhances the
    security of data processing systems and
    information transfers of an organization. A
    security service makes use of one or more
    security mechanisms.
11
Security Attacks
  • Attacks on the security of a computer system or
    network are best characterized by viewing the
    function of the computer system as providing
    information.
  • In general, there is a flow of information from a
    source, such as a file, to a destination, such
    as a hard disk.

12
Security Attacks
  • Interruption: An asset of the system is
    destroyed or becomes unavailable or
    unusable. This is an attack on availability.
  • Examples: The destruction of a piece of hardware,
    such as a hard disk, the cutting of a
    communication line, or the disabling of the file
    management system.

13
Security Attacks
  • Interception: An unauthorized user (party) gains
    access to an asset. This is an attack on
    confidentiality. The unauthorized user may be a
    person, computer or program.
  • Examples: Wiretapping to capture data in a
    network, and the unauthorized copying of files or
    programs.

14
Security Attacks
  • Modification: An unauthorized user (party) not
    only gains access to but tampers with an asset.
    This is an attack on integrity.
  • Examples: Changing data in a data file, altering
    a program so that it performs differently, and
    modifying the content of messages being
    transmitted on a network.

15
Security Attacks
  • Fabrication: An unauthorized user (party)
    inserts counterfeit objects into the system.
    This is an attack on authenticity.
  • Examples: Insertion of spurious messages in a
    network or the addition of records to a file.

16
Security Attacks
  • A useful categorization of the above-mentioned
    attacks is in terms of passive and active
    attacks.
  • Passive Attacks
  • Passive attacks are in the nature of
    eavesdropping on, or monitoring of,
    transmissions. The goal of the opponent is to
    obtain information that is being transmitted.
    There are two types of passive attacks: (1)
    release of message contents and (2) traffic
    analysis.
  • Example (traffic analysis): Creating a customer
    profile of a user by using information about the
    sites that he or she visits.

17
18
Security Attacks
  • Active Attacks
  • These attacks involve some modification of the
    data stream or the creation of a false stream.
  • Categories: masquerade, replay, modification of
    messages, denial of service.
  • A masquerade takes place when one entity pretends
    to be a different entity.
  • Replay involves the passive capture of a data
    unit and its subsequent retransmission to produce
    an unauthorized effect.

19
Security Attacks
  • Modification of messages simply means that some
    portion of a legitimate message is altered, or
    that messages are delayed or reordered, to
    produce an unauthorized effect.
  • The denial of service prevents or inhibits the
    normal use or management of communications
    facilities.
  • Exercise: Classify the security attacks
    presented on page 3 of the textbook.

20
Security Services
  • Confidentiality (privacy): Confidentiality is
    the protection of transmitted data from passive
    attacks.
  • Authentication: The authentication service is
    concerned with assuring the identity of the
    sender (who created or sent the data).
  • Integrity: The integrity service is the protection
    of data from unauthorized modifications during
    the transmission.
  • Non-repudiation: This service prevents either
    sender or receiver from denying a transmitted
    message.
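
The modification, replay and delay attacks from the earlier slides (the manager D to computer E message, and the delayed account invalidation) can be caught by a receiver-side mechanism that supports the authentication and integrity services. The following Python code is an added example, not part of the original slides; it assumes D and E share a secret key and have roughly synchronized clocks, and the names `seal`, `Receiver` and `MAX_AGE_SECONDS` are hypothetical.

```python
import hashlib
import hmac
import json

MAX_AGE_SECONDS = 30  # assumed freshness window; older messages count as delayed


def seal(key: bytes, seq: int, sent_at: float, body: dict) -> dict:
    """Manager D: bind a sequence number and send time to the body with an HMAC tag."""
    payload = json.dumps({"seq": seq, "sent_at": sent_at, "body": body},
                         sort_keys=True).encode()
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return {"payload": payload, "tag": tag}


class Receiver:
    """Computer E: accept a message only if it is authentic, new and fresh."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_seq = 0  # highest sequence number accepted so far

    def check(self, msg: dict, now: float) -> str:
        expected = hmac.new(self.key, msg["payload"], hashlib.sha256).hexdigest()
        # Constant-time comparison. A mismatch means the payload was altered in
        # transit or was produced by a party that does not hold the key.
        if not hmac.compare_digest(expected, msg["tag"]):
            return "rejected: modified or fabricated"
        fields = json.loads(msg["payload"])
        if fields["seq"] <= self.last_seq:
            return "rejected: replay"
        if now - fields["sent_at"] > MAX_AGE_SECONDS:
            return "rejected: delayed"
        self.last_seq = fields["seq"]
        return "accepted"


def demo() -> list:
    key = b"constructed-demo-key"  # constructed sample key, not a real secret
    e = Receiver(key)
    m1 = seal(key, 1, 1000.0, {"add_users": ["alice"]})      # constructed messages
    m2 = seal(key, 2, 1010.0, {"disable_account": "bob"})
    altered = dict(m1, payload=m1["payload"].replace(b"alice", b"intruder"))
    return [
        e.check(altered, now=1001.0),  # user list changed in transit
        e.check(m1, now=1001.0),       # untouched original
        e.check(m1, now=1002.0),       # captured copy sent a second time
        e.check(m2, now=1100.0),       # held back 90 s before being forwarded
    ]
```

A shared-key HMAC provides authentication and integrity but not non-repudiation, because either key holder could have produced the tag.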

21
Security Services
  • Access control: In the context of network
    security, access control is the ability to limit
    and control the access to host systems and
    applications via communications links. To achieve
    this control, each entity trying to gain access
    must first be identified, so that access rights
    can be tailored to the individual.
  • Availability: This service is concerned with
    assuring the permanence of a service or data
    for authorized users.
  • - Denial of Service Attacks
  • - Virus that deletes files

22
(No Transcript)
23
  • Exercise: What class of security mechanism can be
    used to deter, prevent, and detect the security
    attacks presented on page 3 of the textbook?

24
Viruses, Worms, and Trojan Horses
  • Virus - code that copies itself into other
    programs.
  • Worm - a program that replicates itself
    across the network (usually riding on email
    messages or attached documents, e.g., macro
    viruses).
  • Trojan Horse - instructions in an
    otherwise good program that cause bad things to
    happen (sending your data or password to an
    attacker over the net).
  • Logic Bomb - malicious code that activates on
    an event (e.g., date).
  • Trap Door (or Back Door) - undocumented
    entry point written into code for debugging that
    can allow unwanted users.
25
Virus Protection
  • Have a well-known virus protection program,
    configured to scan disks and downloads
    automatically for known viruses.
  • Do not execute programs (or "macros") from
    unknown sources (e.g., PS files, HyperCard files,
    MS Office documents, Java, ...), if you can help
    it.
  • Avoid the most common operating systems and email
    programs, if possible.
26
27