SlideShare a Scribd company logo

Computer Security.ppt

Download as PPT, PDF
S
SharudinBoriak1

This document provides an overview of the CMSC 414 Computer and Network Security course. It discusses the importance of security and how it differs from other areas of computer science by focusing on preventing undesired behavior rather than achieving desired behavior. The course will take an interdisciplinary approach to security, drawing from many areas of computer science. It will aim to provide students with a basic understanding of common security topics and concepts rather than making them experts. Upcoming topics will include cryptography, system security, programming language security, network security, and more. The goal is for students to develop a "security mindset" and appreciation of security issues rather than comprehensive expertise.

Technology
1 of 41
CMSC 414 Computer and Network Security Jonathan Katz
Introduction and overview  What is computer/network security? Why is it important?  Course philosophy and goals  Course organization and information  High-level overview of topics  A broad perspective on “computer security”
“Security”  Most of computer science is concerned with achieving desired behavior  Security is concerned with preventing undesired behavior – Different way of thinking! – An enemy/opponent/hacker/adversary who is actively and maliciously trying to circumvent any protective measures you put in place
One illustration of the difference  Software testing determines whether a given program implements a desired functionality – Test I/O characteristics – Q/A  How do you test whether a program does not allow for undesired functionality? – Penetration testing helps, but only up to a point
Security is interdisciplinary  Draws on all areas of CS – Theory (especially cryptography) – Networking – Operating systems – Databases – AI/learning theory – Computer architecture/hardware – Programming languages/compilers – HCI, psychology
Fortunately, we are winning the security battle  Strong cryptography  Firewalls, intrusion detection, virus scanners  Buffer overflow detection/prevention  User education
Really??! Security incidents (reported)
Philosophy of this course  We are not going to be able to cover everything – We are not going to be able to even mention everything  Main goals – A sampling of many different aspects of security – The security “mindset” – Become familiar with basic acronyms (RSA, SSL, PGP, etc.), and “buzzwords” (phishing, …) – Become an educated security consumer – Try to keep it interesting with real-world examples and “hacking” projects You will not be a security expert after this class (after this class, you should realize why it would be dangerous to think you are) You should have a better appreciation of security issues after this class
Course Organization
Administrative  Me  TA  Contact information, office hours, listed on course webpage
Course webpage http://www.cs.umd.edu/~jkatz/security/f09  Syllabus – Subject to change… – Slides will be posted for convenience, but they are not a substitute for attending lecture – Assigned readings  Homeworks distributed from the course webpage  Check frequently for announcements
Course blog http://cmsc414.wordpress.com  I will post after each lecture – Students can post questions/comments about the lecture – Today: post a “hello” message, and answer the question: “What do you hope to get from the course?”  I will post for each homework – Students can post questions  I will post links to interesting news articles, papers, etc.
Textbook  Recommended text: – “Network Security…” by Kaufman, Perlman, and Speciner (most recent edition) – Will only be used for a portion of the course  Several other good texts out there – Ask me if you are interested  Will supplement with other readings (distributed on class webpage)
Class participation and readings  Research papers and news articles will be posted on the course webpage – Read these before class and come prepared to discuss  Material from these readings is fair game for the exams, even if not covered in class  Several readings already assigned
Course requirements  Homeworks – About 4-5 throughout the semester – Programming portion will be done with a partner  Each student will receive a computer account – You should have already been assigned a GRACE account
Syllabus (tentative)
Syllabus I  Introduction… – Is security achievable…? – A broad perspective on security  Cryptography – The basics (take CMSC 456 or read my book for more) • If you took 456 with me, you can skip – Cryptography is not the whole solution… – …but it is an important part of the solution – Along the way, we will see why cryptography can’t solve all security problems
Syllabus II  System security – General principles – Security policies – Access control – OS security – “Trusted computing”  Programming language security – Buffer overflows, input validation errors – Viruses/worms
Syllabus III  Network security – Identity, PKI – Authentication and key exchange protocols – Password and biometric authentication – Anonymity and pseudonymity – Privacy – Some real-world protocols (IPSec/SSL) – Attacks on network infrastructure (routing, DNS, DDos) – Wireless security
Syllabus IV  Miscellaneous – Database security – Web security – Other topics (spam, …)
A High-Level Introduction to Computer Security
A naïve view  Computer security is about CIA: – Confidentiality, integrity, and availability  These are important, but security is about much more…
A naïve view password
In reality…  Where does security end? password forgot password?
One good attack  Use public records to figure out someone’s password – Or, e.g., their SSN, so can answer security question…  The problem is not (necessarily) that SSNs are public  The problem is that we “overload” SSNs, and use them for more than they were intended  Note: “the system” here is not just the computer, nor is it just the network…
A naïve view  Achieve “absolute” security
In reality…  Absolute security is easy to achieve! – How…?  Absolute security is impossible to achieve! – Why…?  Good security is about risk management
Security as a trade-off  The goal is not (usually) “to make the system as secure as possible”…  …but instead, “to make the system as secure as possible within certain constraints” (cost, usability, convenience)  Must understand the existing constraints – E.g., passwords…
Cost-benefit analysis  Important to evaluate what level of security is necessary/appropriate – Cost of mounting a particular attack vs. value of attack to an adversary – Cost of damages from an attack vs. cost of defending against the attack – Likelihood of a particular attack  Sometimes the best security is to make sure you are not the easiest target for an attacker…
“More” security not always better  “No point in putting a higher post in the ground when the enemy can go around it”  Need to identify the weakest link – Security of a system is only as good as the security at its weakest point…  Security is not a “magic bullet”  Security is a process, not a product
Computer security is not just about security  Detection, response, audit – How do you know when you are being attacked? – How quickly can you stop the attack? – Can you identify the attacker(s)? – Can you prevent the attack from recurring?  Recovery – Can be much more important than prevention  Economics, insurance, risk management…  Offensive techniques  Security is a process, not a product…
Computer security is not just about computers  What is “the system”?  Physical security  Social engineering – Bribes for passwords – Phishing  “External” means of getting information – Legal records – Trash cans  Security is a process, not a product…(!)
Security mindset  Learn to think with a “security mindset” in general – What is “the system”? – How could this system be attacked? • What is the weakest point of attack? – How could this system be defended? • What threats am I trying to address? • How effective will a given countermeasure be? • What is the trade-off between security, cost, and usability?
An example: airline security  Ask: what is the cost (economic and otherwise) of current airline security?  Ask: do existing rules (e.g., banning liquids) make sense?  Ask: are the tradeoffs worth it? – (Why do we not apply the same rules to train travel?) – (Would spending money elsewhere be more effective?)  Ask: how would you get on a plane if you were on the no-fly list? – (I will not give you the answer – you can find it online) – This is a thought experiment only!
Summary  “The system” is not just a computer or a network  Prevention is not the only goal – Cost-benefit analysis – Detection, response, recovery  Nevertheless…in this course, we will focus on computer security, and primarily on prevention – If you want to be a security expert, you need to keep the rest in mind
Why is computer security so hard?  Computer networks are “systems of systems” – Your system may be secure, but then the surrounding environment changes  Too many things dependent on a small number of systems  Society is unwilling to trade off features for security  Ease of attacks – Cheap – Distributed, automated – Anonymous – Insider threats  Security not built in from the beginning  Humans in the loop…  Computers ubiquitous…
Computers are everywhere…  …and can always be attacked  Electronic banking, social networks, e-voting  iPods, iPhones, PDAs, RFID transponders  Automobiles  Appliances, TVs  (Implantable) medical devices  Cameras, picture frames(!) – See http://www.securityfocus.com/news/11499
“Trusting trust” (or: how hard is security?)
“Trusting trust”  Consider a compiler that embeds a trapdoor into anything it compiles  How to catch? – Read source code? (What if replaced?) – Re-compile compiler?  What if the compiler embeds the trojan code whenever it compiles a compiler? – (That’s nasty…)
“Trusting trust”  Whom do you trust?  Does one really need to be this paranoid?? – Probably not – Sometimes, yes  Shows that security is complex…and essentially impossible  Comes back to risk/benefit trade-off
Next time: begin cryptography

Recommended

LIS3353 SP12 Week 9
LIS3353 SP12 Week 9LIS3353 SP12 Week 9
LIS3353 SP12 Week 9
Amanda Case
 
Information security power point slides.ppt
Information security power point slides.pptInformation security power point slides.ppt
Information security power point slides.ppt
MuhammadAbdullah311866
 
15_526_topic01.ppt
15_526_topic01.ppt15_526_topic01.ppt
15_526_topic01.ppt
Faiz Fanani
 
Psychological Security: Introducing the PsySec Field
Psychological Security: Introducing the PsySec FieldPsychological Security: Introducing the PsySec Field
Psychological Security: Introducing the PsySec Field
Zach(ary) Eikenberry
 
Isys20261 lecture 11
Isys20261 lecture 11Isys20261 lecture 11
Isys20261 lecture 11
Wiliam Ferraciolli
 
1.Security Overview And Patching
1.Security Overview And Patching1.Security Overview And Patching
1.Security Overview And Patching
phanleson
 
Usable Security: When Security Meets Usability
Usable Security: When Security Meets UsabilityUsable Security: When Security Meets Usability
Usable Security: When Security Meets Usability
Shujun Li
 
Intro infosec version 2
Intro infosec version 2Intro infosec version 2
Intro infosec version 2
Highervista
 

Recommended

LIS3353 SP12 Week 9
LIS3353 SP12 Week 9LIS3353 SP12 Week 9
LIS3353 SP12 Week 9
Amanda Case
 
Information security power point slides.ppt
Information security power point slides.pptInformation security power point slides.ppt
Information security power point slides.ppt
MuhammadAbdullah311866
 
15_526_topic01.ppt
15_526_topic01.ppt15_526_topic01.ppt
15_526_topic01.ppt
Faiz Fanani
 
Psychological Security: Introducing the PsySec Field
Psychological Security: Introducing the PsySec FieldPsychological Security: Introducing the PsySec Field
Psychological Security: Introducing the PsySec Field
Zach(ary) Eikenberry
 
Isys20261 lecture 11
Isys20261 lecture 11Isys20261 lecture 11
Isys20261 lecture 11
Wiliam Ferraciolli
 
1.Security Overview And Patching
1.Security Overview And Patching1.Security Overview And Patching
1.Security Overview And Patching
phanleson
 
Usable Security: When Security Meets Usability
Usable Security: When Security Meets UsabilityUsable Security: When Security Meets Usability
Usable Security: When Security Meets Usability
Shujun Li
 
Intro infosec version 2
Intro infosec version 2Intro infosec version 2
Intro infosec version 2
Highervista
 
Network Security
Network Security Network Security
Network Security
Vipul Mosaic
 
Intro
IntroIntro
Intro
JustineJohn3
 
App sec - code insecurity basics
App sec - code insecurity basicsApp sec - code insecurity basics
App sec - code insecurity basics
Christopher Hamm
 
Commonwealth of Learning cybersecurity training for teachers | 2022
Commonwealth of Learning cybersecurity training for teachers | 2022Commonwealth of Learning cybersecurity training for teachers | 2022
Commonwealth of Learning cybersecurity training for teachers | 2022
KharimMchatta
 
Basic security concepts_chapter_1_6perpage
Basic security concepts_chapter_1_6perpageBasic security concepts_chapter_1_6perpage
Basic security concepts_chapter_1_6perpage
nakomuri
 
1_Introduction.pdf
1_Introduction.pdf1_Introduction.pdf
1_Introduction.pdf
ssuserfb92ae
 
Cyber Security Awareness Program.pptx
Cyber Security Awareness Program.pptxCyber Security Awareness Program.pptx
Cyber Security Awareness Program.pptx
Dinesh582831
 
Health Information Security and Privacy (June 19, 2017)
Health Information Security and Privacy (June 19, 2017)Health Information Security and Privacy (June 19, 2017)
Health Information Security and Privacy (June 19, 2017)
Nawanan Theera-Ampornpunt
 
An Introduction To IT Security And Privacy In Libraries
An Introduction To IT Security And Privacy In Libraries An Introduction To IT Security And Privacy In Libraries
An Introduction To IT Security And Privacy In Libraries
Blake Carver
 
Managing Next Generation Threats to Cyber Security
Managing Next Generation Threats to Cyber SecurityManaging Next Generation Threats to Cyber Security
Managing Next Generation Threats to Cyber Security
Priyanka Aash
 
Information Security
Information SecurityInformation Security
Information Security
vadapav123
 
Intro to cybersecurity concepts 20210813
Intro to cybersecurity concepts 20210813Intro to cybersecurity concepts 20210813
Intro to cybersecurity concepts 20210813
Kinetic Potential
 
The Rising Tide Lifts All Boats: The Advancement of Science in Cybersecurity
The Rising Tide Lifts All Boats: The Advancement of Science in Cybersecurity The Rising Tide Lifts All Boats: The Advancement of Science in Cybersecurity
The Rising Tide Lifts All Boats: The Advancement of Science in Cybersecurity
laurieannwilliams
 
Cobit 2
Cobit 2Cobit 2
Cobit 2
Securelogy
 
Main Menu
Main MenuMain Menu
Main Menu
Securelogy
 
IMA Meeting 03222012
IMA Meeting 03222012IMA Meeting 03222012
IMA Meeting 03222012
jerryjustice
 
SoftwareSecurity.ppt
SoftwareSecurity.pptSoftwareSecurity.ppt
SoftwareSecurity.ppt
ssuserfb92ae
 
Defending Enterprise IT - beating assymetricality
Defending Enterprise IT - beating assymetricalityDefending Enterprise IT - beating assymetricality
Defending Enterprise IT - beating assymetricality
Claus Cramon Houmann
 
Security Analytics for Data Discovery - Closing the SIEM Gap
Security Analytics for Data Discovery - Closing the SIEM GapSecurity Analytics for Data Discovery - Closing the SIEM Gap
Security Analytics for Data Discovery - Closing the SIEM Gap
Eric Johansen, CISSP
 
02-overview.pptx
02-overview.pptx02-overview.pptx
02-overview.pptx
EmanAzam
 
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
Product School
 
Exploring UiPath Orchestrator API: updates and limits in 2024 🚀
Exploring UiPath Orchestrator API: updates and limits in 2024 🚀Exploring UiPath Orchestrator API: updates and limits in 2024 🚀
Exploring UiPath Orchestrator API: updates and limits in 2024 🚀
DianaGray10
 

More Related Content

Similar to Computer Security.ppt

Basic security concepts_chapter_1_6perpage
Basic security concepts_chapter_1_6perpageBasic security concepts_chapter_1_6perpage
Basic security concepts_chapter_1_6perpage
nakomuri
 
Managing Next Generation Threats to Cyber Security
Managing Next Generation Threats to Cyber SecurityManaging Next Generation Threats to Cyber Security
Managing Next Generation Threats to Cyber Security
Priyanka Aash
 
The Rising Tide Lifts All Boats: The Advancement of Science in Cybersecurity
The Rising Tide Lifts All Boats: The Advancement of Science in Cybersecurity The Rising Tide Lifts All Boats: The Advancement of Science in Cybersecurity
The Rising Tide Lifts All Boats: The Advancement of Science in Cybersecurity
laurieannwilliams
 
IMA Meeting 03222012
IMA Meeting 03222012IMA Meeting 03222012
IMA Meeting 03222012
jerryjustice
 

Similar to Computer Security.ppt (20)

Network Security
Network Security Network Security
Network Security
 
Intro
IntroIntro
Intro
 
App sec - code insecurity basics
App sec - code insecurity basicsApp sec - code insecurity basics
App sec - code insecurity basics
 
Commonwealth of Learning cybersecurity training for teachers | 2022
Commonwealth of Learning cybersecurity training for teachers | 2022Commonwealth of Learning cybersecurity training for teachers | 2022
Commonwealth of Learning cybersecurity training for teachers | 2022
 
Basic security concepts_chapter_1_6perpage
Basic security concepts_chapter_1_6perpageBasic security concepts_chapter_1_6perpage
Basic security concepts_chapter_1_6perpage
 
1_Introduction.pdf
1_Introduction.pdf1_Introduction.pdf
1_Introduction.pdf
 
Cyber Security Awareness Program.pptx
Cyber Security Awareness Program.pptxCyber Security Awareness Program.pptx
Cyber Security Awareness Program.pptx
 
Health Information Security and Privacy (June 19, 2017)
Health Information Security and Privacy (June 19, 2017)Health Information Security and Privacy (June 19, 2017)
Health Information Security and Privacy (June 19, 2017)
 
An Introduction To IT Security And Privacy In Libraries
An Introduction To IT Security And Privacy In Libraries An Introduction To IT Security And Privacy In Libraries
An Introduction To IT Security And Privacy In Libraries
 
Managing Next Generation Threats to Cyber Security
Managing Next Generation Threats to Cyber SecurityManaging Next Generation Threats to Cyber Security
Managing Next Generation Threats to Cyber Security
 
Information Security
Information SecurityInformation Security
Information Security
 
Intro to cybersecurity concepts 20210813
Intro to cybersecurity concepts 20210813Intro to cybersecurity concepts 20210813
Intro to cybersecurity concepts 20210813
 
The Rising Tide Lifts All Boats: The Advancement of Science in Cybersecurity
The Rising Tide Lifts All Boats: The Advancement of Science in Cybersecurity The Rising Tide Lifts All Boats: The Advancement of Science in Cybersecurity
The Rising Tide Lifts All Boats: The Advancement of Science in Cybersecurity
 
Cobit 2
Cobit 2Cobit 2
Cobit 2
 
Main Menu
Main MenuMain Menu
Main Menu
 
IMA Meeting 03222012
IMA Meeting 03222012IMA Meeting 03222012
IMA Meeting 03222012
 
SoftwareSecurity.ppt
SoftwareSecurity.pptSoftwareSecurity.ppt
SoftwareSecurity.ppt
 
Defending Enterprise IT - beating assymetricality
Defending Enterprise IT - beating assymetricalityDefending Enterprise IT - beating assymetricality
Defending Enterprise IT - beating assymetricality
 
Security Analytics for Data Discovery - Closing the SIEM Gap
Security Analytics for Data Discovery - Closing the SIEM GapSecurity Analytics for Data Discovery - Closing the SIEM Gap
Security Analytics for Data Discovery - Closing the SIEM Gap
 
02-overview.pptx
02-overview.pptx02-overview.pptx
02-overview.pptx
 

Recently uploaded

In-Depth Performance Testing Guide for IT Professionals
In-Depth Performance Testing Guide for IT ProfessionalsIn-Depth Performance Testing Guide for IT Professionals
In-Depth Performance Testing Guide for IT Professionals
Expeed Software
 
PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)
Ralf Eggert
 
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
UiPathCommunity
 
Search and Society: Reimagining Information Access for Radical Futures
Search and Society: Reimagining Information Access for Radical FuturesSearch and Society: Reimagining Information Access for Radical Futures
Search and Society: Reimagining Information Access for Radical Futures
Bhaskar Mitra
 

Recently uploaded (20)

De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
 
Exploring UiPath Orchestrator API: updates and limits in 2024 🚀
Exploring UiPath Orchestrator API: updates and limits in 2024 🚀Exploring UiPath Orchestrator API: updates and limits in 2024 🚀
Exploring UiPath Orchestrator API: updates and limits in 2024 🚀
 
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
 
Assuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyesAssuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyes
 
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
 
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
 
In-Depth Performance Testing Guide for IT Professionals
In-Depth Performance Testing Guide for IT ProfessionalsIn-Depth Performance Testing Guide for IT Professionals
In-Depth Performance Testing Guide for IT Professionals
 
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
 
UiPath Test Automation using UiPath Test Suite series, part 1
UiPath Test Automation using UiPath Test Suite series, part 1UiPath Test Automation using UiPath Test Suite series, part 1
UiPath Test Automation using UiPath Test Suite series, part 1
 
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptxIOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
 
Accelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish CachingAccelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish Caching
 
Quantum Computing: Current Landscape and the Future Role of APIs
Quantum Computing: Current Landscape and the Future Role of APIsQuantum Computing: Current Landscape and the Future Role of APIs
Quantum Computing: Current Landscape and the Future Role of APIs
 
PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)
 
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
 
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
 
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdfFIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdf
 
Search and Society: Reimagining Information Access for Radical Futures
Search and Society: Reimagining Information Access for Radical FuturesSearch and Society: Reimagining Information Access for Radical Futures
Search and Society: Reimagining Information Access for Radical Futures
 
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
 
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMsTo Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
 
Speed Wins: From Kafka to APIs in Minutes
Speed Wins: From Kafka to APIs in MinutesSpeed Wins: From Kafka to APIs in Minutes
Speed Wins: From Kafka to APIs in Minutes
 

Computer Security.ppt

  • 1. CMSC 414 Computer and Network Security Jonathan Katz
  • 2. Introduction and overview  What is computer/network security? Why is it important?  Course philosophy and goals  Course organization and information  High-level overview of topics  A broad perspective on “computer security”
  • 3. “Security”  Most of computer science is concerned with achieving desired behavior  Security is concerned with preventing undesired behavior – Different way of thinking! – An enemy/opponent/hacker/adversary who is actively and maliciously trying to circumvent any protective measures you put in place
  • 4. One illustration of the difference  Software testing determines whether a given program implements a desired functionality – Test I/O characteristics – Q/A  How do you test whether a program does not allow for undesired functionality? – Penetration testing helps, but only up to a point
  • 5. Security is interdisciplinary  Draws on all areas of CS – Theory (especially cryptography) – Networking – Operating systems – Databases – AI/learning theory – Computer architecture/hardware – Programming languages/compilers – HCI, psychology
  • 6. Fortunately, we are winning the security battle  Strong cryptography  Firewalls, intrusion detection, virus scanners  Buffer overflow detection/prevention  User education
  • 8. Philosophy of this course  We are not going to be able to cover everything – We are not going to be able to even mention everything  Main goals – A sampling of many different aspects of security – The security “mindset” – Become familiar with basic acronyms (RSA, SSL, PGP, etc.), and “buzzwords” (phishing, …) – Become an educated security consumer – Try to keep it interesting with real-world examples and “hacking” projects You will not be a security expert after this class (after this class, you should realize why it would be dangerous to think you are) You should have a better appreciation of security issues after this class
  • 10. Administrative  Me  TA  Contact information, office hours, listed on course webpage
  • 11. Course webpage http://www.cs.umd.edu/~jkatz/security/f09  Syllabus – Subject to change… – Slides will be posted for convenience, but they are not a substitute for attending lecture – Assigned readings  Homeworks distributed from the course webpage  Check frequently for announcements
  • 12. Course blog http://cmsc414.wordpress.com  I will post after each lecture – Students can post questions/comments about the lecture – Today: post a “hello” message, and answer the question: “What do you hope to get from the course?”  I will post for each homework – Students can post questions  I will post links to interesting news articles, papers, etc.
  • 13. Textbook  Recommended text: – “Network Security…” by Kaufman, Perlman, and Speciner (most recent edition) – Will only be used for a portion of the course  Several other good texts out there – Ask me if you are interested  Will supplement with other readings (distributed on class webpage)
  • 14. Class participation and readings  Research papers and news articles will be posted on the course webpage – Read these before class and come prepared to discuss  Material from these readings is fair game for the exams, even if not covered in class  Several readings already assigned
  • 15. Course requirements  Homeworks – About 4-5 throughout the semester – Programming portion will be done with a partner  Each student will receive a computer account – You should have already been assigned a GRACE account
  • 17. Syllabus I  Introduction… – Is security achievable…? – A broad perspective on security  Cryptography – The basics (take CMSC 456 or read my book for more) • If you took 456 with me, you can skip – Cryptography is not the whole solution… – …but it is an important part of the solution – Along the way, we will see why cryptography can’t solve all security problems
  • 18. Syllabus II  System security – General principles – Security policies – Access control – OS security – “Trusted computing”  Programming language security – Buffer overflows, input validation errors – Viruses/worms
  • 19. Syllabus III  Network security – Identity, PKI – Authentication and key exchange protocols – Password and biometric authentication – Anonymity and pseudonymity – Privacy – Some real-world protocols (IPSec/SSL) – Attacks on network infrastructure (routing, DNS, DDos) – Wireless security
  • 20. Syllabus IV  Miscellaneous – Database security – Web security – Other topics (spam, …)
  • 21. A High-Level Introduction to Computer Security
  • 22. A naïve view  Computer security is about CIA: – Confidentiality, integrity, and availability  These are important, but security is about much more…
  • 24. In reality…  Where does security end? password forgot password?
  • 25. One good attack  Use public records to figure out someone’s password – Or, e.g., their SSN, so can answer security question…  The problem is not (necessarily) that SSNs are public  The problem is that we “overload” SSNs, and use them for more than they were intended  Note: “the system” here is not just the computer, nor is it just the network…
  • 26. A naïve view  Achieve “absolute” security
  • 27. In reality…  Absolute security is easy to achieve! – How…?  Absolute security is impossible to achieve! – Why…?  Good security is about risk management
  • 28. Security as a trade-off  The goal is not (usually) “to make the system as secure as possible”…  …but instead, “to make the system as secure as possible within certain constraints” (cost, usability, convenience)  Must understand the existing constraints – E.g., passwords…
  • 29. Cost-benefit analysis  Important to evaluate what level of security is necessary/appropriate – Cost of mounting a particular attack vs. value of attack to an adversary – Cost of damages from an attack vs. cost of defending against the attack – Likelihood of a particular attack  Sometimes the best security is to make sure you are not the easiest target for an attacker…
  • 30. “More” security not always better  “No point in putting a higher post in the ground when the enemy can go around it”  Need to identify the weakest link – Security of a system is only as good as the security at its weakest point…  Security is not a “magic bullet”  Security is a process, not a product
  • 31. Computer security is not just about security  Detection, response, audit – How do you know when you are being attacked? – How quickly can you stop the attack? – Can you identify the attacker(s)? – Can you prevent the attack from recurring?  Recovery – Can be much more important than prevention  Economics, insurance, risk management…  Offensive techniques  Security is a process, not a product…
  • 32. Computer security is not just about computers  What is “the system”?  Physical security  Social engineering – Bribes for passwords – Phishing  “External” means of getting information – Legal records – Trash cans  Security is a process, not a product…(!)
  • 33. Security mindset  Learn to think with a “security mindset” in general – What is “the system”? – How could this system be attacked? • What is the weakest point of attack? – How could this system be defended? • What threats am I trying to address? • How effective will a given countermeasure be? • What is the trade-off between security, cost, and usability?
  • 34. An example: airline security  Ask: what is the cost (economic and otherwise) of current airline security?  Ask: do existing rules (e.g., banning liquids) make sense?  Ask: are the tradeoffs worth it? – (Why do we not apply the same rules to train travel?) – (Would spending money elsewhere be more effective?)  Ask: how would you get on a plane if you were on the no-fly list? – (I will not give you the answer – you can find it online) – This is a thought experiment only!
  • 35. Summary  “The system” is not just a computer or a network  Prevention is not the only goal – Cost-benefit analysis – Detection, response, recovery  Nevertheless…in this course, we will focus on computer security, and primarily on prevention – If you want to be a security expert, you need to keep the rest in mind
  • 36. Why is computer security so hard?  Computer networks are “systems of systems” – Your system may be secure, but then the surrounding environment changes  Too many things dependent on a small number of systems  Society is unwilling to trade off features for security  Ease of attacks – Cheap – Distributed, automated – Anonymous – Insider threats  Security not built in from the beginning  Humans in the loop…  Computers ubiquitous…
  • 37. Computers are everywhere…  …and can always be attacked  Electronic banking, social networks, e-voting  iPods, iPhones, PDAs, RFID transponders  Automobiles  Appliances, TVs  (Implantable) medical devices  Cameras, picture frames(!) – See http://www.securityfocus.com/news/11499
  • 38. “Trusting trust” (or: how hard is security?)
  • 39. “Trusting trust”  Consider a compiler that embeds a trapdoor into anything it compiles  How to catch? – Read source code? (What if replaced?) – Re-compile compiler?  What if the compiler embeds the trojan code whenever it compiles a compiler? – (That’s nasty…)
  • 40. “Trusting trust”  Whom do you trust?  Does one really need to be this paranoid?? – Probably not – Sometimes, yes  Shows that security is complex…and essentially impossible  Comes back to risk/benefit trade-off