Computer Science and Engineering 1 Csilla Farkas Associate Professor Center for Information Assurance Engineering Dept. of Computer Science and Engineering University of South Carolina [email protected] http://www.cse.sc.edu/~farkas

Upload: nathaniel-holland

Post on 27-Dec-2015


Page 1

Csilla Farkas

Associate Professor

Center for Information Assurance Engineering

Dept. of Computer Science and Engineering

University of South Carolina

[email protected]

http://www.cse.sc.edu/~farkas

Page 2

Attack Sophistication vs. Intruder Technical Knowledge

[Figure: intruder knowledge and attack sophistication, on a low-to-high scale, plotted over the years 1980 to 2000. Labelled tools and attacks: password guessing, self-replicating code, password cracking, exploiting known vulnerabilities, disabling audits, back doors, hijacking sessions, sweepers, sniffers, packet spoofing, GUI, automated probes/scans, denial of service, www attacks, "stealth" / advanced scanning techniques, burglaries, network mgmt. diagnostics, distributed attack tools, cross site scripting, staged attack.]

Copyright: CERT, 2000

Page 3

CSI Survey 2008

Types of incidents

CSI/FBI Computer Crime and Security Survey, Computer Security Institute

Page 4

CSI Survey 2008

CSI/FBI Computer Crime and Security Survey, Computer Security Institute

Page 5

CSI Survey 2008

CSI/FBI Computer Crime and Security Survey, Computer Security Institute

Page 6

CSI Survey 2008

CSI/FBI Computer Crime and Security Survey, Computer Security Institute

Page 7

Systems must be protected against attacks!

What can a business do about it?

What can IT professionals do about it?

Page 8

Graduate Certificate Program in Information Assurance and Security (IA&S)

Page 9

Security Needs

Security Objectives

• Confidentiality: prevent/detect/deter improper disclosure of information

• Integrity: prevent/detect/deter improper modification of information

• Availability: prevent/detect/deter improper denial of access to services

Page 10

Types of Threats

• Errors of users

• Natural/man-made/machine disasters

• Dishonest insider

• Disgruntled insider

• Outsiders

Page 11

Sample Research Directions

• Semantic Web security

– Data and meta-data security

– Secure information sharing

– Web application security

• Critical Infrastructure Protection

– Economic and social aspects of cyber attacks

– SCADA systems security

• Other Research

– Policy Compliance

– Online Privacy

– Open source intelligence

– Secure VANET communication

[Figure labels: Organizational Data, Confidential, Ontology, Secure Data Integration and Inferences, Public User, Web Data, Public, Access Control Models, Offense, Defense]

Page 12

Secure Semantic Web

• Web Data and Metadata Security

– Semantic-Aware XML access control

– RDF security policy

– Stream data security

• Web Services (WS) Security

– Service-level security across heterogeneous domains

– Identity and trust management

– Execution correctness, WS transactions

Page 13

Damage Assessment and Social Vulnerability

• Damage Estimation and Social Vulnerability

– Damage of the target may not reflect the real amount of damage

– Services may rely on the attacked service, causing a cascading and escalating damage

– Identify characteristics to evaluate vulnerability of different social strata for cyber attack consequences

• Support decision makers to

– Evaluate risk and consequences of cyber attacks

– Support methods to prevent, deter, and mitigate consequences of attacks

Page 14

IA Jobs

• Job market

– Civil (Join Information Systems Security Association, ISSA, https://www.issa.org/ )

– Government (Internship available at USC-UTS, and SC Dept. of Probation, Parole, and Pardon Services)

– Military (Internship available at SPAWAR, Charleston)

• Education and training requirements (B.S. degree, certification, hands-on experiments)

• Salary

• FUN

Page 15

IA&S Certificate Program

Admission Requirements

• Baccalaureate degree in computer science, computer engineering, or a related field

• Work experience as information security professional

• Admission requirements for graduate study at the Department of Computer Science and Engineering http://www.cse.sc.edu/GRADUATE/AdmissionsPage.html

Page 16

IA&S Certificate Program

Graduation requirements

18 hours of graduate study with B average

– 9 hours core courses

– 9 hours of elective courses

Page 17

Core Courses

• CSCE 522 – Information Systems Security Principles – offered every Fall semester

• CSCE 715 – Network Security – offered every Fall semester

• CSCE 727 – Information Warfare – offered every 3rd semester

Page 18

Elective Courses

• CSCE 517 – Computer Crime and Forensics

• CSCE 557 – Introduction to Cryptography

• CSCE 548 – Secure Software Construction

• CSCE 716 – Design for Reliability

• CSCE 717 – Comp. Systems Performance

• CSCE 790 – Topic Course

• CSCE 813 – Internet Security

• CSCE 814 – Distributed Systems Security

• CSCE 824 – Secure Databases

• CSCE 853 – Formal Models of Information Security

Page 19

New undergraduate courses:

CSCE 201: Introduction to Information Security

Page 20

Thank you!