Introduction
Dr. Neminath Hubballi, IIT Indore © Neminath Hubballi

Posted on 26-Dec-2015 (upload: charleen-lambert)

TRANSCRIPT

Page 1: Introduction

Dr. Neminath Hubballi
IIT Indore © Neminath Hubballi

Page 2: Outline

- Administrative stuff
  - Instructor and TA
  - Text book and reading material
  - Course content
  - Evaluation criteria
- Fundamentals of security
  - Define security
  - Learn why we should care about security
  - CIA principles of security
  - AAA principles of security

Page 3: Administrative Stuff

Instructor
- Neminath Hubballi
- Area of expertise: Network Security, System Security
- Room No: PS06 C

Readings
- Text books:
  - Introduction to Computer Security, Goodrich and Tamassia
  - Computer Security, William Stallings
  - Security and Usability: Designing Secure Systems that People Can Use, Lorrie Faith Cranor and Simson Garfinkel
- Additional reading material will be given
- You are expected to go through additional material; the web has an enormous amount of material on security

Schedule
- Two lectures + one tutorial per week
- Office hours: Friday 3-4 PM

Teaching Assistant
- XXXXXX, a graduate student in the School of Computer Science
- Tutorials will be handled by him

Page 4: Prerequisites

- Computer Networks
- Operating Systems
- C Programming
- Working proficiency with a Linux system
- Knowing Perl/Shell scripting will be an advantage

Page 5: Course Content

Network and System Attacks
- Information gathering
- Buffer overflow attacks
- Format string attacks
- SQL injection attacks
- Spoofing attacks
- Phishing attacks
- DoS attacks
- Virus, worms, Trojan horse
- Session hijacking
- Snooping and sniffing
- OS and Unix system security
- Botnets
- Spamming

Defense Mechanisms
- Antivirus
- Authentication
- Proxy servers
- IDS
- Firewall
- Email security
- Cryptography
- PGP
- Digital signatures
- Kerberos
- IPSec
- Web security

Recap of Networking Concepts
- Transport layer
- IP layer
- Link layer

Usability Aspects of Security

Page 6: Evaluation Criteria

- Assignments: 10 %
- Two surprise quizzes: 10 %
- Mid semester exam: 20 %
- End semester exam: 30 %
- Seminar and project: 25 %
  - Seminar in a group of 2
  - Topics to be chosen in consultation with the instructor
    - I will float a few potential topics
    - But you are free to choose one on your own, with the restriction that it must be relevant and informative to everyone in the class
  - Presentation of 30 minutes each, after the mid semester exam
  - A neatly written report (not a copy-paste from somewhere) in .pdf format, created with LaTeX, along with the source
  - Demo of your project
- Attendance and class participation: 5 %

Page 7: What is Computer Security?

- Deals with the art of protecting computer resources
- What are the resources?
  - Memory
  - Computing power
  - Data
- Protection against
  - Human errors
  - Malicious guys outside
  - Dishonest people inside

Page 8: When to Say a System is Secure

- The goal of computing is to do something useful
- We write computer programs to do useful computation
- All programs take some input and usually generate some output
- A system/program is said to be secure if:
  - For an expected input supplied with good intent, it generates the desired output
  - For an unexpected input supplied with malicious intent, it does not fail

Page 9: Why We Should Care about Security?

- We use the internet for many things
  - Online banking
  - Online shopping
  - Booking tickets …
- We store many things in computers
  - Photos
  - Files
- Computer may become too slow in responding
- Reputation and credibility
  - Media glare
- You may be contributing to computer crime without your knowledge
  - Ex. open wireless networks
- Legal aspects

Page 10: Vulnerability and Attack

- Vulnerability: a weakness in a system which allows a malicious user to gain access
- Attack: a successful strategy to exploit a vulnerability in order to gain illegal access
  - Active
  - Passive
- Attacker: someone who crafts an attack
  - Insider attack
  - Outside attack

Page 11: Types of Attackers

- Attacker: someone who can find an exploitable bug in a computer system
- Cracker: an attacker who exploits a system illegally
- Script kiddies: use tools that are publicly available
- White hat hacker: people who discover vulnerabilities but do not exploit them
  - Help to fix them
- Black hat hacker: bad people who want to exploit systems after discovery
- Cyber terrorists: often have a religious and fundamentalist mindset
- Cyber army: state-sponsored attackers
  - Work for a nation's strategic security

Page 12: Who Are Vulnerable to Attacks?

- Financial institutions
- Defense organizations
- Government agencies
- Pharmaceutical companies
- IT companies
- Intellectual property management companies
- Academic institutions
- Everyone connected to the internet

Page 13: CIA Principles of Security

- Information security is defined by the acronym CIA
- Confidentiality: avoiding unauthorized disclosure of information
- Integrity: an assurance that information is not altered in transit
- Availability: an assurance of information access and modification within a reasonable timeframe

Page 14: Confidentiality

- Provide access to legitimate users
- Block access to illegitimate users
- Confidentiality can be achieved through
  - Encryption: transform data into a meaningless form for transmission and storage; show it correctly only to the intended users
  - Access control: control who can claim access
    - Authentication: determining the identity of the person claiming access
      - Something the person has
      - Something the person knows
      - Something he/she is
    - Authorization: determining whether the person is allowed to access something
  - Physical security: establishing physical barriers

Page 15: Integrity

- Integrity compromise
  - System induced: hardware flips a bit
  - Malicious: someone rewrites the data
- Techniques that protect confidentiality also help protect integrity
- In addition
  - Backup: periodically archive data
  - Checksum: compute something out of the data
  - Error correction code: can correct errors up to a limit
- Metadata also needs to be protected
  - Owner
  - Size of file
  - Last read and write timings
  - Location of data
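The distinction between the two kinds of integrity compromise on this slide matters for choosing the check. The following is an added example (not code from the lecture) that covers a file's data together with the metadata fields listed above: an unkeyed CRC-32 checksum catches a system-induced bit flip, but someone who rewrites the data can simply recompute it, so a keyed MAC (HMAC-SHA256 here) is needed to catch the malicious case. The record, the key and the two simulated compromises are constructed for illustration.

```python
# Added example (not from the lecture slides): integrity checks over data plus
# its metadata. A plain checksum catches a system-induced bit flip, but an
# attacker who rewrites the data can recompute it; a keyed MAC over data and
# metadata catches the rewrite as well. Record and key values are constructed.
import hashlib
import hmac
import json
import zlib

# Constructed sample record: file contents plus the metadata the slide lists.
RECORD = {
    "owner": "alice",
    "size": 11,
    "last_write": "2015-12-26T10:00:00Z",
    "location": "/srv/data/report.txt",
    "data": "hello world",
}
# Constructed secret; in practice it lives in a key store, never beside the data.
MAC_KEY = b"example-integrity-key-do-not-use"


def canonical(record: dict) -> bytes:
    """Serialize data and metadata in a fixed order so both sides hash the same bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def checksum(record: dict) -> int:
    """Unkeyed CRC-32: detects accidental corruption, not deliberate edits."""
    return zlib.crc32(canonical(record)) & 0xFFFFFFFF


def mac(record: dict, key: bytes = MAC_KEY) -> str:
    """Keyed HMAC-SHA256 over data and metadata: needs the key to recompute."""
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()


def verify_mac(record: dict, tag: str, key: bytes = MAC_KEY) -> bool:
    """Constant-time comparison so the check itself does not leak the tag."""
    return hmac.compare_digest(mac(record, key), tag)


def flip_bit(record: dict) -> dict:
    """Simulate a system-induced fault: one bit flips in the stored data."""
    corrupted = dict(record)
    raw = bytearray(record["data"].encode())
    raw[0] ^= 0x01                      # 'h' becomes 'i'
    corrupted["data"] = raw.decode(errors="replace")
    return corrupted


def malicious_rewrite(record: dict) -> tuple:
    """Simulate an insider who rewrites the data, keeps the old timestamp and
    refreshes the stored checksum (possible because the checksum has no key)."""
    forged = dict(record)
    forged["data"] = "hello w0rld"      # same length, so 'size' still matches
    forged["last_write"] = record["last_write"]
    return forged, checksum(forged)


def run() -> dict:
    """Return which check caught which kind of integrity compromise."""
    stored_crc = checksum(RECORD)
    stored_tag = mac(RECORD)

    flipped = flip_bit(RECORD)
    forged, forged_crc = malicious_rewrite(RECORD)   # attacker overwrote the CRC

    return {
        # system-induced flip: both checks notice
        "crc_catches_bitflip": checksum(flipped) != stored_crc,
        "mac_catches_bitflip": not verify_mac(flipped, stored_tag),
        # malicious rewrite with recomputed checksum: only the keyed MAC notices,
        # because the attacker could not produce a new tag without MAC_KEY
        "crc_catches_rewrite": checksum(forged) != forged_crc,
        "mac_catches_rewrite": not verify_mac(forged, stored_tag),
    }


if __name__ == "__main__":
    for check, caught in run().items():
        print(f"{check}: {caught}")
```

Including the metadata fields in the bytes that are checksummed or MACed is what makes a backdated timestamp or a changed owner detectable; a check over the file contents alone would miss both.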

Page 16: Availability

- Timely delivery of information is important
  - Banking transactions
  - Stock quotes
- Can be achieved with
  - Physical protection: guards, fire management systems, locks
  - Redundancy in computing: RAID, fault tolerant systems

Page 17: AAA Principles of Security

- AAA stands for Assurance, Authenticity and Anonymity
- Assurance asks for a guarantee
- Authenticity asks you to tell "who are you"
- Anonymity asks not to reveal identity

Page 18: Assurance

- Refers to the issue of trust relationships in computer systems
- How to quantify trust
  - Binary
  - Fractional
- Trust involves
  - Policy: the behavioral expectation of an individual
  - Permissions: state what can be accessed and what not
  - Protections: mechanisms in place to implement policies and permissions
- Online purchase
  - You give your credit card to the merchant
  - It is expected that the merchant adheres to the stated policy on how they use your data

Page 19: Authenticity

- Deals with knowing whether the users and the system are entitled to what they do
  - Mainly from a legal angle
- A mechanism to verify the authenticity of an entity digitally
  - For example, an online portal says "order here by credit card payment and we will ship the item"
  - How do we know whether it actually does, or if someone is faking a message?
- Nonrepudiation: authentic statements
  - Digital signatures

Page 20: Anonymity

- Deals with protecting personal identities in online transactions
  - Our credit card numbers, PAN numbers, health records, etc.
- Preserving the privacy of users
  - Aggregation: sum up data from many users so that the aggregated data does not reveal anything about an individual
  - Mixing: such that no transaction can be traced to any individual
  - Proxies: trusted agents taking part in transactions on behalf of users
  - Pseudonyms: fictional identities which fill in for real identities

Page 21: The Value of Your Network

- Lost data
  - Financial loss
- Confidential data
  - Danger of going into the wrong hands
- Downtime
  - Calling a customer care which says "my server is down"
  - It looks cheap
- Staff time
  - Time invested in repairing and fixing the issue
- Hijacked computer
  - Reputation damage
  - Financial loss

Page 22: Security Principles

- Economy of mechanism: the simpler a security mechanism is, the easier it is to understand
- Fail-safe defaults: the default configuration should be conservative
- Complete mediation: a security authority should check every action of a user
- Open design: the security design should be made public
- Separation of privilege: multiple conditions should be required to get access

Page 23: Security Principles (continued)

- Least privilege: every program must have the bare minimum privileges needed to run
- Least common mechanism: sharing among users should be kept to a minimum
- Psychological acceptability: user interfaces should be intuitive
- Work factor: trade-off between the cost of breaking a secret and the value of the secret
- Compromise recording: sometimes it is more desirable to record the details of an attack than to design a comprehensive security mechanism
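Several of the principles on these two slides (fail-safe defaults, complete mediation, separation of privilege, least privilege, compromise recording and economy of mechanism) can be seen together in a small reference monitor. The following is an added example written for this transcript, not code from the lecture: the users, roles, resources and the policy table are constructed for illustration.

```python
# Added example (not from the lecture slides): a small reference monitor that
# puts several of the listed security principles into code. Users, roles and
# the policy table are constructed for illustration.
from dataclasses import dataclass, field
from typing import Optional

# Economy of mechanism: the whole policy is one small table of
# (role, resource, action) triples; anything not listed is denied.
POLICY = {
    ("analyst", "reports", "read"),
    ("admin", "reports", "read"),
    ("admin", "reports", "delete"),
    ("admin", "users", "read"),
}

# Separation of privilege: these actions need a second, independent condition
# (approval by a different user) on top of the role check.
TWO_PERSON_ACTIONS = {("reports", "delete")}


@dataclass
class Request:
    user: str
    roles: frozenset
    resource: str
    action: str
    approver: Optional[str] = None   # second party for two-person actions


@dataclass
class Monitor:
    audit_log: list = field(default_factory=list)   # compromise recording

    def _record(self, req: Request, decision: str, reason: str) -> None:
        self.audit_log.append(
            f"user={req.user} action={req.action} resource={req.resource} "
            f"decision={decision} reason={reason}"
        )

    def authorize(self, req: Request) -> bool:
        """Complete mediation: every access goes through here; nothing is cached."""
        # Fail-safe default: start from deny and only allow on an explicit match.
        allowed = any((role, req.resource, req.action) in POLICY for role in req.roles)
        if not allowed:
            self._record(req, "deny", "no matching policy entry")
            return False
        if (req.resource, req.action) in TWO_PERSON_ACTIONS:
            if req.approver is None or req.approver == req.user:
                self._record(req, "deny", "second-party approval missing")
                return False
        self._record(req, "allow", "policy match")
        return True


def least_privilege_roles(needed: set, available: frozenset) -> frozenset:
    """Least privilege: hand a program only the narrowest roles its tasks need.

    `needed` holds the (resource, action) pairs the program will perform; for
    each one the role granting it with the fewest total permissions is chosen.
    """
    def breadth(role: str) -> int:
        return sum(1 for r, _, _ in POLICY if r == role)

    chosen = set()
    for resource, action in needed:
        candidates = [r for r in available if (r, resource, action) in POLICY]
        if not candidates:
            raise PermissionError(f"no available role grants {action} on {resource}")
        chosen.add(min(candidates, key=breadth))
    return frozenset(chosen)


if __name__ == "__main__":
    monitor = Monitor()
    monitor.authorize(Request("bob", frozenset({"analyst"}), "reports", "read"))
    monitor.authorize(Request("bob", frozenset({"analyst"}), "reports", "delete"))
    monitor.authorize(Request("root", frozenset({"admin"}), "reports", "delete", approver="carol"))
    print("\n".join(monitor.audit_log))
    print(least_privilege_roles({("reports", "read")}, frozenset({"analyst", "admin"})))
```

The audit log records denials as well as allows, so an attempt to delete reports without a second approver leaves a trace even though it was blocked; that is the compromise-recording principle working alongside, not instead of, the access check.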

Page 24: Vulnerability Disclosure Trends

Courtesy: Vulnerability Threats and Trends Report, NSS Labs, Stefan Frei

Page 25: Vulnerability Criticality

Courtesy: Vulnerability Threats and Trends Report, NSS Labs, Stefan Frei

Page 26: Complexity to Execute an Attack

Courtesy: Vulnerability Threats and Trends Report, NSS Labs, Stefan Frei

Page 27: Top 10 Vendors by Vulnerabilities

Courtesy: Vulnerability Threats and Trends Report, NSS Labs, Stefan Frei