CSE 825: Computer and Network Security - PowerPoint PPT Presentation

Transcript and Presenter's Notes

1
CSE 825: Computer and Network Security
Alex X. Liu
alexliu_at_cse.msu.edu
http://www.cse.msu.edu/alexliu
2132 Engineering Building
Department of Computer Science and Engineering
Michigan State University
2
General Course Information
  • Instructor: Alex X. Liu
  • Office: 2132 Engineering Building
  • Office hours: Mon, Fri, 4-5PM
  • Open door policy: feel free to drop by any time
  • Course homepage: http://www.cse.msu.edu/alexliu/courses/825Spring2007/
  • Email list: Cse825-spring07_at_lists.cse.msu.edu

3
General Course Information
  • Prerequisites
  • Computer Networks
  • Operating Systems
  • Programming Languages
  • No textbook, but papers
  • Warning: You are not allowed to break into
    machines that are not your own.
  • Grading
  • Projects: 60% (proposal 5%, report 45%,
    presentation 5%, poster 5%)
  • Final exam: 20%
  • Homework: 15%
  • Participation: 5%

4
Projects
  • Individual project or team project
  • Topics
  • How?
  • 1. Choose a topic that you find exciting.
  • 2. Read papers. The goal is to UNDERSTAND the
    topic.
  • 3. Think of a problem that is important and that
    has not been addressed (enough). DO NOT propose a
    small fix to a previous idea. Think big!
  • 4. Think of your own idea to solve the problem.
    Be bold! Be creative!
  • 5. Develop your idea.
  • 6. Validate your idea.
  • 7. Write down your idea.
  • Goal: a conference paper.

5
Project Deliverables
  • Project proposal, due February 9
  • Project report and source code, due April 22
  • Presentation
  • Poster
  • You need to begin to think about your project
    topic, team, etc.

6
Homework
  • Writing paper reviews using your own words
  • What's the problem that the authors are trying to
    solve?
  • Why are previous solutions not good enough?
  • What's the solution that the authors are
    proposing?
  • Is this solution perfect? If not, what are the
    weaknesses of this solution?
  • How will you solve the problem after reading this
    paper? (Be bold in answering this question.)

7
Topics
  • Cryptography Basics
  • Basic Security Protocols
  • Authentication
  • Passwords
  • Cookies
  • Certificates, PKI
  • SSL

8
Topics
  • Phishing Attacks
  • Web Security
  • Firewalls
  • IPSec, VPN
  • Intrusion Detection Systems
  • DoS Attacks
  • Anti-SPAM

9
Topics
  • Operating System Security
  • Database Security
  • Software Security
  • Buffer Overflow Attacks
  • Virus, Worms
  • Privacy Preserving Data Mining
  • Language-based Security

10
Topics
  • Virtual Machine Security
  • Cell phone security
  • Electronic Voting Systems
  • Wireless Security
  • Sensor Network Security
  • RFID Security
  • Tunnel Detection

11
Why study security?
  • People attack systems and do damage
  • Why do they do it?
  • Financial motivation
  • Religious/political motivation
  • Industrial espionage
  • Bored teenagers
  • Angry employees
  • How do they do it?
  • Physical access, network attacks
  • Exploit vulnerabilities in applications and
    security mechanisms
  • Whom do they attack?
  • Banks
  • Government agencies
  • E-commerce web sites
  • Hollywood
  • Universities (playground)

12
How big is the problem?
CERT: Vulnerabilities reported
http://www.cert.org/stats/
13
Attacks and Losses
  • In the first half of 2005, 237 million network
    attacks were launched
  • IBM Global Business Security Index Report
  • In 2005, U.S. businesses lost 67.2 billion
    dollars due to attacks
  • 2006 Computer Crime and Security Survey by FBI
    and CSI

14
Why does this happen?
  • Lots of buggy software...
  • Some contributing factors
  • Few courses in computer security
  • Programming text books do not emphasize security
  • Few security audits
  • C is an unsafe language
  • Programmers are lazy
  • Legacy software (some solutions, e.g.
    Sandboxing)
  • Security mechanisms are difficult to use
  • Security is expensive and takes time
  • Insider threat
  • Easy to hide code in large software packages
  • Difficult to discover hidden malicious code
  • Strict development rules and physical security
    help

15
Human Subjects
  • Social Engineering
  • Some attacks do not use computers; they use
    humans instead.
  • Catch me if you can
  • Call system administrator
  • Dive in the dumpster
  • Online version
  • send trojan in email
  • picture or movie with malicious code

16
Example Security Incident 1
  • Rob Harris case - slot machines
  • An insider: he worked for the Gaming Control Board in
    the Electronic Services Division in Las Vegas.
  • Malicious code in testing unit
  • when testers checked slot machines
  • downloaded malicious code to slot machine
  • was never detected
  • special sequence of coins activated winning
    mode
  • Caught when greed sparked investigation
  • $100,000 jackpot

17
Example Security Incident 2
  • The Slammer worm penetrated a private computer
    network at Ohio's Davis-Besse nuclear power plant
    in January 2003 and disabled a safety monitoring
    system for nearly five hours
  • The Slammer worm entered the Davis-Besse plant
    through an unsecured network of an unnamed
    contractor, then squirmed through a T1 line
    bridging that network and Davis-Besse's corporate
    network. The T1 line was one of multiple
    ingresses into Davis-Besse's business network
    that completely bypassed the plant's firewall,
    which was programmed to block the port Slammer
    used to spread.
  • Luckily the plant was not operating at that time.

18
Example Security Incident 3
  • Breeders' Cup race
  • Upgrade of software to phone betting system
  • Insider, Christopher Harn, rigged software
  • Allowed him and accomplices to call in
  • change the bets that were placed
  • undetectable
  • Caught when he got greedy
  • Won $3 million