Transcript CS 5950/6030: Network Security - Computer Science

CS 5950/6030 Network Security
Class 1 (W, 8/31/05)
Leszek Lilien
Department of Computer Science
Western Michigan University
[Using some slides prepared by:
Prof. Aaron Striegel, University of Notre Dame
Prof. Barbara Endicott-Popovsky and Prof. Deborah Frincke, University of Washington]
Class 1 Outline
 1.1. Course Overview
– Syllabus - Course Introduction
 1.2. Survey of Students’ Background and
Experience
 1.3. Introduction to Security
– Examples – Security in Practice
– Discussion – What does security mean?
2
1.1. Course Overview (1)
CS 5950/6030: Network Security - Fall 2005
Department of Computer Science
Western Michigan University
Description: Survey of topics in the area of computer and network security with
a thorough basis in the fundamentals of computer/network security.
Class:
CEAS C0141, M W F 3:00 PM – 3:50 PM
Instructor:
Dr. Leszek (Leshek) Lilien, CEAS B-249, phone: 276-3116
Email: [email protected] – please use for urgent matters only
Notes:
1) Only mail coming from a WMU account (ending with “wmich.edu” will be read).
2) Files submitted as attachments will not be read unless they are scanned with upto-date anti-viral software, and the message including them contains the following
statement:
I have scanned the enclosed file(s) with <name of software, its version>, which
was last updated on <date>>.
Office Hours: MW 4:30 PM -5:30 PM F 1:30 PM – 2:30 PM
Web Pages:
http://www.cs.wmich.edu/~llilien/cs5950-6030/index.html
3
Course Overview (2)
Required Text:
Pfleeger and Pfleeger, Security in Computing. Third Edition, Prentice
Hall PTR, 2003, ISBN 0-13-035548-8.
Course Overview:
This course is a survey of topics in the realm of computer and network security. It
introduces topics in computer security ranging from cryptographic techniques to trust to
multilevel security to security ethics. Students will learn fundamental concepts of security
that can be applied to many traditional aspects of computer programming and computer
systems design. The course will culminate in a project where the students will have an
opportunity to more fully investigate a topic related to the course.
Course Objectives:
 The course is designed to provide knowledge in the following areas:
 Security terminology
 Cryptographic techniques: terminology, basic techniques
 Encryption systems: RSA, DES, public/private key
 Program security: viruses, other malicious code, controls against program threats
 Trusted computer systems: OS characteristics, certification levels, access control
 Network security: threats and controls, authentication mechanisms, Kerberos,
intrusion detection
 Database security: security requirements, inference, multilevel security
 Legal, ethical, privacy issue discussions
4
Course Overview (3)
Performance Objectives:
 At the end of the course, all students should be able to:
 Describe and correctly use fundamental terminology in the area of computer/network
security
 Describe fundamental concepts of cryptography and assess the strengths and weaknesses
of common cryptographic protocols
 Identify weaknesses in program design and be able to categorize basic forms of attack
against programs
 Understand the basic concepts of security with regards to operating systems and access
control
 Assess the areas of trust in both operating systems and protocols
 Describe database attacks and how to design against such attacks
 Describe basic methods for network security
 Intelligently discuss the legal, ethical, and privacy issues in computer security
5
Course Overview (4)
Grading:
 Grading components:
–
–
–
–




Quizzes
10%
Midterm Exam 25%
Final Exam
30%
Group Project (incl. final project presentation)
35%
Fixed standard grading scale (A: 90, BA: 85, B: 80, CB: 75, C: 70, DC: 65, D: 60)
– I may curve a “bad” exam to improve the letter grades.
Inquiries about graded quizzes/exams must be made within one week after they are handed
back. In case of a grading disagreement, written arguments for your claims are required.
In my book, there is the “AA” grade—known to the outside world as the “A+” grade  —
for extraordinary performance (best in class, etc.). Each student who receives it can get
a written statement from me upon request (in case the student needs a strong evidence for
a recommendation letter). Of course, WMU transcript will show an “A” only.
I might offer an extra credit for an optional coursework—such as presenting in class
a software security tool or a research paper.
6
Course Overview (5)
Course Policies:
1. Lecture

Lecture notes may or may not be on-line so taking notes during class is highly
encouraged. Especially, you should write down anything that is written down using the
board or the document projector. You are encouraged to slow me down if you need
more time to take notes.

Attendance at lectures is required. If you must miss a lecture, please contact the
instructor in advance.

Lectures will be driven by student interaction, in addition to the standard lecture
material.
2. Quizzes

2-4 quizzes are planned.

Quizzes will be announced no later than at the preceding lecture.

Quiz solutions will be posted, most probably online.
7
Course Overview (6)
3. Exams

There will be two exams for the class.

The midterm exam will be announced at least a week in advance (it should be expected
around October 15). The midterm exam will be held during normal class time.

The final exam will be held during the finals week, as scheduled (Th, Dec. 8, 2:45 PM
– 4:45 PM).
4. Project(s)

Small projects:
–
1-2 small projects will be individual and self-guided (using guidelines
provided by me). They will not be graded but lessons learned may be checked
by my quiz questions.

The final project:
–
The final project will be done in teams consisting normally of 3-4 students.
–
I will propose a set of topics for the final project to help students in final
project selection. The groups are free to propose their own topics for the final
project but must obtain my buy-in before starting their work.
–
The results obtained in the final project will be presented by the students in
class at the end of the semester.
8
Course Overview (7)

Project presentation requirements:
–
For all projects, both technical contents and quality of (written and/or oral)
presentation will be evaluated for the total project credit.
–
No handwritten project reports will be accepted. All text and figures must be
prepared using a word processor (and a drawing program, if necessary).
–
The project reports must be submitted both as hard copies and in an electronic
format.
•
Required electronic format: PDF.
•
The message including project files must include information on antiviral software used (cf. above).
–
Late project reports will lose 33% per day beyond the due date.
Other Notes:

The topics for the course will be quite flexible. If there is a technology related to
security that you would like to know more about, please let me know. I will try to
accommodate your wishes, depending on the availability of time.

This class will be a class where many of the topics build upon one another. Therefore,
please ask questions in class if you do not understand the material.
9
Course Overview(8)



Since email and telephone limit interaction, please see me during my office hours in
case of any course difficulties. (In justified cases, a special appointment can be made.)
No questions will be answered on the date of a quiz/exam.
A make-up quiz/exam can be given only when the student presents a valid reason with
documented evidence for missing the test/exam. Without such a reason, the student will
loose all quiz/exam points.
Academic Honesty Statement (WMU Policy)
You are responsible for making yourself aware of and understanding the policies and
procedures in the Undergraduate Catalog (pp. 274-276) or the Graduate Catalog (pp.
25-27) that pertain to Academic Honesty. These policies include cheating, fabrication,
falsification and forgery, multiple submission, plagiarism, complicity and computer
misuse. If there is reason to believe you have been involved in academic dishonesty,
you will be referred to the Office of Student Conduct. You will be given the
opportunity to review the charge(s). If you believe you are not responsible, you will
have the opportunity for a hearing. You should consult with me if you are uncertain
about an issue of academic honesty prior to the submission of an assignment or test.
10
1.2. Survey of Students’ Background and Experience (1)
Background Survey
CS 5950/6030 Network Security - Fall 2005
Please print all your answers.
First name: __________________________ Last name: _____________________________
Email
_____________________________________________________________________
Undergrad./Year ________
OR:Grad./Year or Status (e.g., Ph.D. student) ________________
Major
_____________________________________________________________________
PART 1. Background and Experience
1-1)Please rate your knowledge in the following areas (0 = None, 5 = Excellent).
UNIX/Linux/Solaris/etc. Experience (use, administration, etc.)
0
1
2
3
Network Protocols (TCP, UDP, IP, etc.)
0
1
2
3
Cryptography (basic ciphers, DES, RSA, PGP, etc.)
0
1
2
3
Computer Security (access control, security fundamentals, etc.)
0
1
2
3
4
5
4
5
4
5
4
5
11
Survey of Students’ Background and Experience (2)
1-2)
Please list (by number and name) all classes in operating systems, networks,
databases, and security taken at WMU:
OS: ________________________________________________________________
Networks: ___________________________________________________________
Databases: __________________________________________________________
Security: ___________________________________________________________
1-3)
Please list (by name) classes in operating systems, networks, databases, and
security taken at institutions other than WMU (name the institutions):
OS: ________________________________________________________________
Networks: ___________________________________________________________
Databases: __________________________________________________________
Security: ___________________________________________________________
1-4)
Please list up to 3 programming languages, which you know, and rate your skill
level in each (1-5).
Language 1: ______________________________ Rating: _______________
Language 2: ______________________________ Rating: _______________
Language 3: ______________________________ Rating: _______________
12
Survey of Students’ Background and Experience (3)
1-5)
Please list any other notable/important background or experience in OS, networks,
databases, and security (incl. work, internships, projects, etc.).
___________________________________________________________________
___________________________________________________________________
___________________________________________________________________
1-6) Operating system you feel most comfortable with (circle one or more):
Windows
Linux
Solaris
Other: ___________
PART 2. Motivation and Expectations
2-1)
Why did you sign up for this course?
___________________________________________________________________
___________________________________________________________________
2-2)
Would you prefer a more theoretical (principles, ideas, formal models) course or a
more practical course?
___________________________________________________________________
Why?
___________________________________________________________________
13
Survey of Students’ Background and Experience (4)
2-3)
If there were 2-3 topics related to security that you would like to know
more about, what would those be (in your preference order)?
Topic 1: ____________________________________________________________
Topic 2: ____________________________________________________________
Topic 3: ____________________________________________________________
PART 3. Any Other Comments
___________________________________________________________________
___________________________________________________________________
___________________________________________________________________
___________________________________________________________________
Thank you!
14
1.3. Introduction to Security (1)
1.3.1. Examples – Security in Practice
From CSI/FBI Report 2002
 90% detected computer security breaches within the last year
 80% acknowledged financial losses
 44% were willing and/or able to quantify their financial losses.
These 223 respondents reported $455M in financial losses.
 The most serious financial losses occurred through theft of proprietary information and financial
fraud:
26 respondents: $170M
25 respondents: $115M
For the fifth year in a row, more respondents (74%) cited their Internet connection as a frequent
point of attack than cited their internal systems as a frequent point of attack (33%).
34% reported the intrusions to law enforcement. (In 1996, only 16% acknowledged reporting
intrusions to law enforcement.)
[Barbara Edicott-Popovsky and Deborah Frincke, CSSE592/492, U. Washington]
15
More from CSI/FBI 2002

40% detected external penetration

40% detected denial of service attacks.

78% detected employee abuse of Internet access privileges

85% percent detected computer viruses.

38% suffered unauthorized access or misuse on their Web sites
within the last twelve months. 21% didn’t know.
[includes insider attacks]

12% reported theft of transaction information.

6% percent reported financial fraud (only 3% in 2000).
[cf. Barbara Edicott-Popovsky and Deborah Frincke, CSSE592/492, U. Washington]
16
Critical Infrastructure Areas
… telecommunications, electrical power systems, gas and
oil, banking and finance, transportation, water supply
systems, government services and emergency services.
[Barbara Edicott-Popovsky and Deborah Frincke, CSSE592/492, U. Washington]
17
Threat Spectrum
[cf. Barbara Edicott-Popovsky and Deborah Frincke, CSSE592/492, U. Washington]
18
Cyberterrorism
 The Internet Black Tigers conducted a successful
"denial of service" attack on servers of Sri Lankan
government embassies
 Italian sympathizers of the Mexican Zapatista
rebels attacked web pages of Mexican financial
institutions.
 Rise of “Hack-tivism”
Freeh, Testimony before Senate, 2000.
[cf. Barbara Edicott-Popovsky and Deborah Frincke, CSSE592/492, U. Washington]
19
Threats to Personal Privacy
 Buying and selling confidential information from
Social Security files.
 Browsing IRS files.
 Buying and selling bank account name lists.
 A Princeton University student stole ~1800 credit
card numbers, customer names, and user
passwords from an e-commerce site.
House Ways and Means Committee, 102nd Congress, 1992.
10., Washington Post, S. Barr, 2 Aug. 1993
(4) Freeh, Testimoney 2000
[Barbara Edicott-Popovsky and Deborah Frincke, CSSE592/492, U. Washington]
20
Identity Theft
 “The theft of computer hard drives from
TriWest Healthcare Alliance
could turn into one of the largest identity
thefts on record if the
information is misused, the Federal Trade
Commission said.”
[Barbara Edicott-Popovsky and Deborah Frincke, CSSE592/492, U. Washington]
21
1.3.2. What is „Security?”
You Will Never Own a Perfectly Secure
System.
You Will Never Own a Perfectly Secure
System.
You Will Never Own a Perfectly Secure
System.
[Barbara Edicott-Popovsky and Deborah Frincke, CSSE592/492, U. Washington]
22
Well … Maybe If You Do This:
(even then there are standards)
[Barbara Edicott-Popovsky and Deborah Frincke, CSSE592/492, U. Washington]
“Secure” Computer System

To decide whether a computer system is “secure”, you must first decide what
“secure” means to you, then identify the threats you care about.
Cyberterrorism
Denial
of
Service
Modified
Databases
Virus
Espionage
Identity
Theft
Equipment
Theft
Stolen
Customer
Data
[cf. Barbara Edicott-Popovsky and Deborah Frincke, CSSE592/492, U. Washington]
1.3.3. Pillars of Security:
Confidentiality, Integrity, Availability (CIA)
Confidentiality: Who is authorized?
Integrity: Is the data „good?”
Availability: Can access data whenever need it?
Integrity
Confidentiality
S
Availability
S = Secure
[cf. Barbara Edicott-Popovsky and Deborah Frincke, CSSE592/492, U. Washington]
25
Balancing CIA
Payroll
Data
Biographical
Data
Confidentiality
Health
Data
Integrity
Sensitive
Data
Availability
Need to balance CIA
Ex: Disconnect computer from
Internet to increase
confidentiality (availability
suffers, integrity suffers due to
lost updates)
Ex: Have extensive data checks
by different people/systems to
increase integrity (confidentiality
suffers as more people see data,
availability suffers due to locks
on data under verification)
Packet
Switch
Bridge
File
Server
Gateway
Other
Networks
[cf. Barbara Edicott-Popovsky and Deborah Frincke, CSSE592/492, U. Washington]
26
Continued – Class 2
27