Computing Security
Paul Wagner
Department of Computer Science
Messages
Security as a multi-faceted sub-discipline of computer science
• System security
Client security
Server security
• Application security
• Network security
• Database security
• Social engineering
• Others…
There are many interesting issues in each of these areas
Overview
Not just viruses and worms
• Understanding security issues
• Applying other areas of computer science (networking, operating systems)
• Understanding and applying overall security principles
• Using tools
• Developing a security frame of mind
System Security
Probably single most important area
Multitude of sub-issues and tools
• Information gathering
Packet sniffing (e.g. ethereal)
Port scanning (e.g. nmap)
• Vulnerability assessment (e.g. nessus)
• Intrusion detection (e.g. snort)
Applicability to client and server systems
System Security – Client-Side
Viruses, worms, trojan horses
Spyware
Spam
Patching
Human awareness
System Security – Server-Side
Client issues plus more
Servers are points for possibly harmful access
• Program interaction
• Parameters passed in
• Data passed in
Often running multiple applications
• Web server, file server, mail server, …
Application Security
Secure transmission of information
• Protocols (e.g. SSL)
How to securely send information?
How to establish a channel for doing so?
• Cryptography
Private key systems
• DES (Data Encryption Standard) – older
• AES (Advanced Encryption Standard) - current
Public key systems
• RSA (Rivest, Shamir, Adleman)
• Application security issues
C/C++ - buffer overflow on stack
Java – “sandbox” issues
Network Security
Need
• Understanding of network protocols
7-layer OSI network stack
Issues
• Network Topology
• Firewalls
• Secure Communication on Network
Virtual Private Network (VPN)
• Other Network Security Approaches
E.g. Network Address Translation (NAT)
Database Security
Issues
• Security of data
• Security of transmission of data
Problems
• SQL Injection
• Vulnerabilities in DBMS systems code
Primarily buffer overflows
• Data passed insecurely
E.g. from web pages
Web Security
Many Issues
• Parameter Passing Issues
• Cross-Site Scripting
Expose information
Introduce vulnerabilities
• Web Server Configuration
Operating System Security
General Issues
• How can an OS be made more secure?
• How can an OS protect applications?
Examples
• Windows
Heavy usage means more attempts
• Linux
Attacks starting (e.g. Luppi worm, PHP, XML-RPC)
• Mac
Relatively rare
Social Engineering
Technological security isn’t enough
Best technology isn’t helpful if you can convince someone to turn it off, mis-configure it, tell you how it works…
Many incidents throughout the years
Best example: Kevin Mitnick
• “The Art of Deception”, 2002
Ethical, Privacy, Legal Issues
Not just technology
• Certain Sony CDs install root-kit on computer
• Using a port-scanner against unknown systems from campus can get your system disconnected from network
• Violation of security guidelines can lead to court action (Oregon vs. Schwartz)
Important to study computer security in an ethical, legal way that doesn’t interfere with anyone’s privacy
Other Areas
Honeypots and Honeynets
Artificial Intelligence and Security
Physical Security
Computer Forensics
Employment Opportunities
Systems administrator
Network administrator
Security engineer
Security architect
Security officer (CSO)
Courses at UW-Eau Claire
CS 255 – “Distributed OO Programming in Java”
• Java Security (SSL, basic crypto)
CS 370 – Computer Security
• System security
• Area security (e.g. database, web, operating systems)
• Theory and tools
• Cyberwar exercise – defense and investigation
CS 491 (special topic – Cryptography and Network Security)
• Cryptography, including use in applications
• Network applications (e.g. email)
MIS 365 (proposed) – Security Policy Management