1. Introduction to Information and System Security, first lecture. Hugh Anderson, National University of Singapore, School of Computing, June 2012.
2. Isolation...
3. Outline
   1. Administrivia: coordinates, officialdom, assessment; what you’ll be learning; why should you learn?
   2. Setting the stage...: in the news earlier this year...; context for security studies.
   3. Case studies: airports, banks, the military, hospitals, homes; term definitions.
4. Hugh’s coordinates. Room COM2 #03-24. Telephone 6516-4262. E-mail hugh@comp.nus.edu.sg. Open-door policy (I have one!). Please call me Hugh, and visit me in my room if you have any questions...
5. Official SOC description. From the official course description... “This module serves as an introductory module on information and computer system security. It illustrates the fundamentals of how systems fail due to malicious activities and how they can be protected. The module also places emphasis on the practices of secure programming and implementation. Topics covered include classical/historical ciphers, introduction to modern ciphers and cryptosystems, ethical, legal and organisational aspects, classic examples of direct attacks on computer systems such as input validation vulnerability, examples of other forms of attack such as social engineering/phishing attacks, and the practice of secure programming.”
6. Assessment. Homework 15%; group project 20%; tests: MCQ (closed book, on the 9th July) 15%; final exam (open book) 50%; total marks 100%.
7. Timetable: lectures, tutorials and project... Weeks beginning 18 and 25 June and 2, 9, 16 and 23 July, with lectures, tutorials and project work. EXAM (Fri, 27th, a.m.). Project will be a group one (up to 4 members in each group), with a presentation in the last week.
8. Tutorials. Tutorials/demos/discussions start next week... Give a written answer to the homework as you enter the tutorial room for assessment (A, B, C or F). There will be four assessed homework/assignments.
9. Resources. No textbook, but you may find the following texts useful: Ross Anderson’s “Security Engineering” book: http://www.cl.cam.ac.uk/~rja14/musicfiles/manuscripts/SEv1.pdf; “Computer Security”, Matt Bishop; directed readings, all available on the Internet. IVLE at http://ivle.nus.edu.sg/
10. General area of the course topics. In short... History and background. Classical and modern cryptography. Security of systems. Building safer systems: secure programming techniques for programs, web sites...
11. What you should learn... What you are expected to know...
   - To be able to put security systems in context. For example: history, understanding of the “big picture”.
   - To describe “security related” things using some technical terms. For example: keysize, PK, man-in-the-middle.
   - To understand the roles of the components of security systems, understanding the underlying reasons for their properties. For example: certifying authorities.
   - To acquire some practical skills that would help in programming more secure computer systems.
12. Why should you learn... ...and why should you care?
   - Reason #1: Pick up these skills and pass the final exam :)
   - Reason #2: It is fun in a kind of “You did what?” way.
   - Reason #3: Knowing the issues, and underlying mechanisms, helps you ... build better systems in future; ... explain to the person on the helpdesk why their system is flawed, and what needs to be done to fix it; ... avoid being the victim of (computer) fraud; ... realistically assess threats to you, your organization, your country; ... fly with the eagles.
13. My expectation... Please, please, please.... Attend classes and tutorials. Ask if you don’t know. Read references and handouts... Get interested in the subject. Don’t do anything you know is plain wrong...
14. DBS/POSB attacks: big news last week...
15. And a few days later... Tracked down...
16. DBS/POSB attacks: how was it done? Through the use of card skimmers on two machines in Bugis. Card skimming involves trying to collect your card details from the magnetic strip:
17. DBS/POSB attacks: card skimmers. The magnetic strip is read as it passes through the capture “shell”. The electronics include a magnetic strip reader head, a small amount of electronics, a battery, a microcomputer and storage (an SD card).
18. DBS/POSB attacks: getting the PIN? Either a small (pinhole) camera looking down on the keypad, with SD card memory, or an overlay over the keyboard, with a small microcomputer and memory.
19. Installing a skimmer...
20. More things to worry about:
21. NUS attacks: news in January...
22. NUS attacks: what was done? Firstly, it was not NUS, but a departmental web server at NUS that was hacked. The hackers got irritated by a message on the web site, and made it a mission to hack it. They reported that the web site had minimal security. The attack was a SQL injection attack, which allowed them to download usercode/password hash entries stored in the SQL database attached to the web server. The passwords were not NUSNET ones, but ones specifically for the application on the departmental server.
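The two mechanisms behind this slide, SQL injection and password hashing, as an added example that is not part of the lecture and not code from the departmental server it describes: an in-memory sqlite3 user table holding salted PBKDF2 hashes for two constructed accounts, the user lookup written by string concatenation beside the parameterized version, and a verifier that never needs the plaintext password. The account names, passwords, table layout and function names are all assumptions made for the example.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed sample accounts for a hypothetical departmental web application;
# the names and passwords are placeholders, not data from any real system.
SAMPLE_ACCOUNTS = [("alice", "correct horse"), ("bob", "hunter2")]


def hash_password(password: str, salt: bytes) -> str:
    """Salted PBKDF2-HMAC-SHA256 (100k iterations), hex encoded.

    Only this value is stored, so a dump of the table yields hashes that
    still have to be cracked offline, not passwords that can be used directly.
    """
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000).hex()


def make_db() -> sqlite3.Connection:
    """Build an in-memory database with one row per constructed account."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (usercode TEXT PRIMARY KEY, salt BLOB, pwhash TEXT)"
    )
    for usercode, password in SAMPLE_ACCOUNTS:
        salt = os.urandom(16)  # fresh random salt per account
        conn.execute(
            "INSERT INTO users VALUES (?, ?, ?)",
            (usercode, salt, hash_password(password, salt)),
        )
    conn.commit()
    return conn


def fetch_vulnerable(conn: sqlite3.Connection, usercode: str) -> list:
    """The defect: untrusted input is pasted into the SQL text.

    A quote character in `usercode` closes the string literal and the rest of
    the input is parsed as SQL, so a WHERE clause meant to match one user can
    end up matching every row, which is how a whole hash table gets dumped.
    """
    sql = "SELECT usercode, pwhash FROM users WHERE usercode = '" + usercode + "'"
    return conn.execute(sql).fetchall()


def fetch_safe(conn: sqlite3.Connection, usercode: str) -> list:
    """The fix: a bound parameter is always data, never SQL syntax."""
    sql = "SELECT usercode, pwhash FROM users WHERE usercode = ?"
    return conn.execute(sql, (usercode,)).fetchall()


def verify_password(conn: sqlite3.Connection, usercode: str, password: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    row = conn.execute(
        "SELECT salt, pwhash FROM users WHERE usercode = ?", (usercode,)
    ).fetchone()
    if row is None:
        return False
    salt, stored = row
    return hmac.compare_digest(hash_password(password, salt), stored)


if __name__ == "__main__":
    db = make_db()
    # A quote-terminating input, used only to show the two lookups diverge.
    probe = "' OR '1'='1"
    print("vulnerable lookup:", len(fetch_vulnerable(db, probe)), "rows")  # every user
    print("safe lookup:      ", len(fetch_safe(db, probe)), "rows")        # no such user
    print("alice login ok:   ", verify_password(db, "alice", "correct horse"))
```

The point of running both lookups on the same input is that the fix is not input filtering but keeping data and query text apart; the parameterized query returns nothing for the probe because sqlite looks for a user literally named `' OR '1'='1`. The salted, iterated hash is the second line of defense the slide hints at: what the concatenated query leaks is still not a password.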
23. Key points/jargon. Summary: card skimmers; SQL injection; keystroke logging using cameras, or keypad overlays; passwords versus password hashes.
24. Hard to find the boundaries of “Security”. It is not “one thing”... Security is complex: security can involve elements such as computers, people, locks, communication links and so on. The goals of security might involve authentication, integrity, accountability, and so on. A security system may involve an arbitrary combination of these elements and goals. Security is everyone’s poor relation: not perceived as a benefit until something goes wrong; requires regular monitoring; too often an after-thought; regarded as an impediment to using the system.
25. Framework to hang our understanding on... Ross Anderson’s book suggests this framework: differentiate between security policies and mechanisms.
   - policy: what is allowed/disallowed. What you are supposed to do.
   - mechanism: ways of enforcing a policy. Ciphers, controls...
   - assurance: how much reliance you place on each mechanism.
   - incentives: motives of the people guarding and maintaining the system, and of the attackers.
26. A quick quiz... Which of these two vehicles has a door lock? Value SING$ 20,000 versus value SING$ 350,000,000. Answer?
27. Airport security: 2001 attacks and afterwards. Consider the 9/11 attacks... There was actually not any failure of the security systems in place at the time: knives with blades less than 3 inches were OK in 2001. A failure of policy, not mechanism. Since 9/11? Still poor policy choices: passenger screening is aggressive and costly (approx. $15 billion), whereas strongly reinforced cockpit doors could remove most risk (est. $100 million). Ground staff are seldom screened; planes do not have locks. Why such poor policy choices? Incentives for policy makers favour visible controls over effective ones. Assurance? System screening picks up less than half the weapons.
28. Bank security. Policy in banks: “The bank never loses!” Mechanism: banks maintain a kind of distributed bookkeeping system: customer accounts, and (daily) transactions. Internal: the main threats to banks are internal, their own staff. The main defenses are double-entry bookkeeping (first described in the 15th century), controls on large transactions, and staff being required to take vacations. External: buildings are built to look imposing, but that is just a facade, “security theatre” (a thief with a gun wins). ATMs (as we have seen) are susceptible to attacks. Bank websites use a mix of techniques: 2-factor authentication, HTTPS. Phishing attempts to bypass this by attacking clients. Cryptography for communication.
29. Military security. In all sorts of areas... Electronic warfare and defense: jamming of radar, so the opponent cannot see your planes; jamming trigger systems for IEDs. Military communications: not just encryption, but also hiding the source (the location of a transmitter can be attacked, so the military use LPI, low probability of intercept, radio links). Military logistics: who can mobilize 10,000 people and 30,000 meals in a day? Management systems for the military have different requirements from commercial systems; the basic rule is that restricted information cannot flow to an unrestricted area. Weapons control (e.g. nuclear weapons) needs much higher levels of assurance than (say) commercial areas.
30. Hospital security. Policies mostly to ensure patient safety and privacy. Consider patient record systems: a mechanism might be that “Nurses can see the patient record for patients cared for in their own department over the last 90 days”. However, this might be tricky to implement given that nurses can move departments; the patient record system would become dependent on the hospital personnel system. Record anonymizing for research can be tricky. Consider the next slide on database attacks. A requirement for accuracy of web based data (reference texts, drug side effects).
31. During the SARS outbreak... Releasing (unexpected) information from databases.
   Day’s average temperature of SOC staff by nationality:
     Singaporean 36.8, PRC 36.9, Poland 37.1, German 36.5, Australian 38.2, NZ 38.1, ...
   Numbers of SOC staff by nationality:
     Singaporean 23, PRC 14, Poland 3, German 5, Australian 2, NZ 1, ...
   By inference you can deduce that Hugh’s temperature was too high!
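The inference on this slide, worked as an added example that is not part of the lecture: a constructed set of per-person readings grouped the way the slide’s table is (the individual values are invented), the per-group statistics as the slide published them, the two deductions that make small groups unsafe, and a release function that suppresses any group below a minimum size. It goes one step beyond the slide’s singleton case by also covering groups of two, where a member who knows their own reading can compute the other’s. The record set, the threshold and the function names are assumptions.

```python
from collections import defaultdict
from statistics import mean

# Constructed readings for illustration: the nationality groups are modelled
# on the slide's table, but every individual value here is invented.
RECORDS = [
    ("Singaporean", 36.7), ("Singaporean", 36.9), ("Singaporean", 36.8),
    ("Singaporean", 36.6), ("Singaporean", 37.0),
    ("Poland", 37.0), ("Poland", 37.2), ("Poland", 37.1),
    ("Australian", 38.4), ("Australian", 38.0),
    ("NZ", 38.1),
]


def group_stats(records):
    """Per-group (count, rounded mean), i.e. both tables the slide released."""
    groups = defaultdict(list)
    for nationality, temp in records:
        groups[nationality].append(temp)
    return {nat: (len(v), round(mean(v), 2)) for nat, v in groups.items()}


def exposed_individuals(stats):
    """Groups of size one: the published average IS the single member's value."""
    return {nat: avg for nat, (n, avg) in stats.items() if n == 1}


def infer_other_from_pair(avg, n, known_own_value):
    """With n == 2, a member who knows their own reading recovers the other's.

    The same arithmetic works for any n when n-1 members pool their values,
    which is why a threshold of 2 is not enough either.
    """
    if n != 2:
        raise ValueError("this inference needs a group of exactly two")
    return avg * n - known_own_value


def safe_release(records, min_group=3):
    """Publish a group's statistic only when it has at least min_group members.

    Small groups are dropped rather than published with their count, since the
    count itself tells a reader how few people the average describes.
    """
    return {nat: s for nat, s in group_stats(records).items() if s[0] >= min_group}


if __name__ == "__main__":
    stats = group_stats(RECORDS)
    print("published:", stats)
    print("readings given away by groups of one:", exposed_individuals(stats))
    # One Australian who knows their own reading learns the other's:
    n, avg = stats["Australian"]
    print("other Australian's reading:", round(infer_other_from_pair(avg, n, 38.4), 1))
    print("released with min_group=3:", safe_release(RECORDS))
```

One caveat a practitioner would add: suppression only works if nothing else lets the reader rebuild the dropped rows. If an overall average and total headcount are published alongside the per-group table, the suppressed groups can be recovered by subtraction, so the totals have to be withheld or computed over the released groups only.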
32. Home security. Really? Consider... Web-based banking, over your home wifi. Your car key/immobilizer. Your (GSM) phone (much harder to clone now than it was five years ago). No unexpected charges. Your TV set-top box, electronic gas/electricity meter and so on. In some condos, burglar alarm, lock and security systems.
33. Key points/jargon. Summary: policy, mechanism, assurance and incentives; controls, visible and effective controls, security theatre; 2-factor authentication, HTTPS, phishing; database attacks.
34. What is a system? It can vary...
   1. Product or component: such as a smartcard, a PC, or a communication protocol.
   2. Collection: some products/components, and an OS, network, making up an organization’s infrastructure.
   3. Application: the above and some set of applications.
   4. Composite: the above and IT staff, and perhaps users, management, clients, customers...
   A system can thus refer to small things or big things. This indeterminacy about even basic words leads to confusion, and errors. Salespeople might concentrate their efforts on (say) the first two areas, whereas a business may think of its system in terms of the fourth area.
35. Services/Goals, Attacks and Threats. Basic terms:
   - Vulnerability/Threats: if there is a weakness (vulnerability), then a potentially harmful situation (threat) may occur.
   - Services/Goals: ensuring adequate service in a computer system. CIA! Good guys need ’em.
   - Attacks/Controls: an attack = threat + vulnerability. A control is a way of reducing the effect of a vulnerability. MOM! Bad guys need ’em.
36. The CIA triad... FIPS specify three objectives/goals:
   - confidentiality: concealing information; resources may only be accessed by authorized parties;
   - integrity: trustworthiness of data; resources may only be modified by authorized parties in authorized ways;
   - availability: preventing DoS (denial of service); resources are accessible in a timely manner.
37. The CIAAA gang-of-five... Many observers identify more... Authenticity: logins, password checks. Accountability: non-repudiation of a prior commitment.
38. Services/Goals, real world analogues: CIA (computer versions much faster). Security problems in society recur in computers. Confidentiality = locks/encoding/secrecy/privacy. Integrity = handshakes/signature. Availability = union go-slows... But... the goals can conflict (consider ease of confidentiality versus lack of availability). The goals may not be met (consider password length versus human memory).
39. Attacks: MOM! Three aspects of attacks: Method: tools, knowledge; Opportunity: time, access; Motive: what advantage is there? An important basic principle for attacks, the weakest link: an attacker only needs one small flaw in a system.
40. Types of threats:
   - disclosure: unauthorized access (snooping/interception);
   - deception: accept false data (man-in-the-middle/modification);
   - disruption: prevent correct operation (denial-of-service/interruption);
   - usurpation: unauthorized control (spoofing/fabrication).
41. Types of attacks: Snooping/Interception (diagram: Alice, Bob, Ted).
42. Types of attacks: Man-in-the-middle/Modification (diagram: Alice, Bob, Ted).
43. Types of attacks: Denial of Service/Interruption (diagram: Alice, Bob, Ted).
44. Types of attacks: Spoofing/Fabrication (diagram: Alice, Bob, Ted).
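The four Alice/Bob/Ted diagrams, as an added example that is not part of the lecture: a toy model of one message from Alice to Bob protected by a keyed integrity tag (HMAC, the computer version of the slide’s “handshakes/signature”), with Ted playing each of the four roles in turn. It shows which threat classes that one mechanism counters (modification and fabrication are rejected at Bob’s end) and which it does not (snooping still reads the message, interruption still loses it), which is the policy-versus-mechanism point of the earlier slides. The key, the message and the function names are constructed for the example.

```python
import hashlib
import hmac

# Constructed shared secret: Alice and Bob hold it, Ted does not.
SHARED_KEY = b"constructed-demo-key-not-for-real-use"


def tag(key: bytes, message: bytes) -> bytes:
    """HMAC-SHA256 integrity tag over the message bytes."""
    return hmac.new(key, message, hashlib.sha256).digest()


def alice_send(message: bytes, key: bytes = SHARED_KEY):
    """Alice transmits the message together with its tag (a 'packet')."""
    return message, tag(key, message)


def bob_receive(packet, key: bytes = SHARED_KEY):
    """Bob accepts the message only if the tag verifies under the shared key.

    Returns the message on success, None when the packet is missing or its
    tag does not match (deception or usurpation detected and rejected).
    """
    if packet is None:
        return None  # interruption: nothing arrived; Bob can only time out
    message, received_tag = packet
    if not hmac.compare_digest(tag(key, message), received_tag):
        return None
    return message


def ted_intercept(packet):
    """Disclosure (snooping): Ted copies the bytes in transit.

    The tag provides integrity, not confidentiality, so this succeeds;
    countering it needs a different mechanism (encryption)."""
    message, _ = packet
    return message


def ted_modify(packet, new_message: bytes):
    """Deception (man-in-the-middle): Ted changes the text but cannot
    recompute the tag without the key, so he reuses the old one."""
    _, old_tag = packet
    return new_message, old_tag


def ted_fabricate(new_message: bytes):
    """Usurpation (spoofing): Ted makes up a packet, tagging it under a key
    of his own since he does not hold the shared one."""
    return new_message, tag(b"ted-guess", new_message)


def ted_interrupt(packet):
    """Disruption (denial of service): Ted drops the packet entirely."""
    return None


if __name__ == "__main__":
    pkt = alice_send(b"pay bob 10")
    print("normal delivery:", bob_receive(pkt))
    print("snooping sees:  ", ted_intercept(pkt))
    print("modified ->     ", bob_receive(ted_modify(pkt, b"pay ted 10")))
    print("fabricated ->   ", bob_receive(ted_fabricate(b"pay ted 99")))
    print("interrupted ->  ", bob_receive(ted_interrupt(pkt)))
```

Two of the four outcomes are `None` at Bob’s side, and a practitioner would log those as detections rather than silently dropping them; the other two (a readable copy for Ted, a lost message for Bob) are exactly the gaps the CIA slide’s other two goals, confidentiality and availability, exist to name.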
45. Types of attacks: and persuasion, human factors and social engineering:
