CS363

adolfo

  1. Week 1 - Wednesday CS363

  2. Last time • What did we talk about last time? • Course overview • Terminology • Threats • Vulnerabilities • Attacks • Controls • CIA

  3. Questions?

  4. Security Tidbit: Patch Tuesday! • Yesterday was Patch Tuesday • Microsoft, Oracle, and Adobe put out their patches on the second Tuesday of the month • Oracle (Java's owner) only puts them out quarterly • Are these patches available for Java 6? • No! • Unless you have an expensive support license from Oracle • And this lab has Java 6!

  5. Security tidbit continued • Welcome to Exploit Wednesday! • Because the patches on Patch Tuesday are often to fix security holes, today is one of the most dangerous days for computer security • All the hackers now know exactly what vulnerabilities can be attacked • 36 of the fixes will be for Java 7 SE products • 34 of these cover remote exploits without authentication • Follow the story: • http://www.zdnet.com/oracle-to-patch-java-other-products-tuesday-7000025023/

  6. Computer Criminals

  7. Amateurs • Most computer criminals are amateurs • They commit crimes of opportunity • Time-stealing is common • Disgruntled or recently fired employees can use their knowledge of a system to attack it

  8. Crackers • You are all hackers by now • A malicious hacker is called a cracker • A large segment of crackers are high school or college students • They often attempt to gain access to other people’s computer systems for the fun or challenge of it

  9. Career Criminals • Most professional crackers are trained computer scientists who have turned to crime • In the early days of hacking and viruses, destroying hardware, software, or data was the goal • Professional crackers now look to make money by stealing valuable data • There are connections to organized crime • Many attacks come from Russia, Asia, and Brazil

  10. Terrorists • Modern terrorists are often computer savvy • Three common forms of terrorist computer usage are: • Targets of attack: Denial-of-service and defacement of websites • Propaganda vehicles: Websites and e-mail lists used to disseminate information • Methods of attack: Using computers to coordinate or initiate other forms of terrorism

  11. Methods of Defense

  12. Methods • There are five common ways of dealing with attacks, many of which can be used together

  13. Controls • Many different controls can be used to achieve the five methods of defense

  14. Encryption • Encryption is the scrambling of data • Often a key or some other secret information is used to do the scrambling • Without knowledge of the secret, the data becomes useless • Modern encryption is one of the most powerful tools for preserving computer security • Most modern attacks do not depend on breaking encryption but on circumventing it

  15. Encryption • The process of encryption takes plaintext as an input and produces ciphertext as an output • Plaintext (or cleartext) is not necessarily human readable, but its contents are not protected in any way • Using cryptography, we can build protocols to support confidentiality and integrity (and even availability indirectly) • As useful as it is, encryption is not a panacea

  16. Software controls • Software controls include: • Internal program controls • Parts of a program that enforce security • Example: password checking to access parts of a database • OS and network controls • Tools to protect users from each other • Example: user files that cannot be accessed by other users • Independent control programs • Application programs that protect against specific vulnerabilities • Example: virus scanners • Development controls • Quality control for creating software so that vulnerabilities are not introduced

  17. Hardware controls • There are many different kinds of hardware controls that can be used for many different situations: • Smart cards used for encryption on satellite or cable television set-top boxes • Locks and cables preventing theft • Fingerprint or other biometric readers • Firewalls • Many others

  18. Policies and procedures • Human beings ultimately get involved • It is important to have policies and procedures to guide their actions, such as: • Change passwords regularly • Don’t give people your password • Don’t allow coworkers access to data they should not have • Laws are important policies with consequences, but they react slowly to the rapid changes in technology

  19. Physical controls • Physical controls can be inexpensive and effective • Locks on doors • Security guards • Backup copies of data • Planning for natural disasters and fires • Simple controls are often the best • Attackers will always look for a weak point in your defenses

  20. Effectiveness of controls • Many issues impact the effectiveness of controls • Awareness of problem: Users must be convinced that it is worth using the controls • Likelihood of use: The controls must be easy enough to use that the task performed is not seriously affected • Overlapping controls: Overlapping controls or a layered defense can help, but sometimes the controls negatively impact each other • Periodic review: Conditions change, and controls must be reviewed periodically and updated when needed

  21. Cryptography

  22. Cryptography • "Secret writing" • The art of encoding a message so that its meaning is hidden • Cryptanalysis is breaking those codes

  23. Encryption and decryption • Encryption is the process of taking a message and encoding it • Decryption is the process of decoding the code back into a message • A plaintext is a message before encryption • A ciphertext is the message in encrypted form • A key is an extra piece of information used in the encryption process

  24. Notation • A plaintext is M (sometimes P) • A ciphertext is C • The encryption function E(x) takes M and converts it into C • E(M) = C • The decryption function D(x) takes C and converts it into M • D(C) = M • We sometimes specify encryption and decryption functions E_k(x) and D_k(x) specific to a key k

  25. Attacks • Cryptography is supposed to prevent people from reading certain messages • Thus, we measure a cryptosystem based on its resistance to an adversary or attacker • Kinds of attacks: • Ciphertext only: Attacker only has access to an encrypted message, with a goal of decrypting it • Known plaintext: Attacker has access to a plaintext and its matching ciphertext, with a goal of discovering the key • Chosen plaintext: Attacker may ask to encrypt any plaintext, with a goal of discovering the key • Others, less common
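
The notation from slide 24 and two of the attack models from slide 25, worked through in an added example that is not part of the original slides. It assumes a shift cipher over A-Z (the slides name shift ciphers only as an upcoming topic); the function names and the sample message are constructed for illustration.

```python
# Toy shift cipher over A-Z, used only to make the slide notation concrete.
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
N = len(ALPHABET)


def E(k, m):
    """E_k(M) = C: shift each letter forward by k mod 26; other characters pass through."""
    return "".join(
        ALPHABET[(ALPHABET.index(ch) + k) % N] if ch in ALPHABET else ch
        for ch in m
    )


def D(k, c):
    """D_k(C) = M: undo the shift by adding the additive inverse of k."""
    return E(-k % N, c)


def known_plaintext_key(m, c):
    """Known plaintext: one matching letter pair reveals k = (c - m) mod 26."""
    for pm, pc in zip(m, c):
        if pm in ALPHABET and pc in ALPHABET:
            k = (ALPHABET.index(pc) - ALPHABET.index(pm)) % N
            # Confirm the candidate key explains the whole pair, not just one letter.
            return k if E(k, m) == c else None
    return None


def ciphertext_only_search(c, vocabulary):
    """Ciphertext only: try all 26 keys, keep decryptions containing a known word."""
    hits = []
    for k in range(N):
        candidate = D(k, c)
        if any(word in vocabulary for word in candidate.split()):
            hits.append((k, candidate))
    return hits


if __name__ == "__main__":
    M = "PATCH TUESDAY"  # constructed sample message
    C = E(7, M)
    print(C, "->", D(7, C))
    print("known-plaintext key:", known_plaintext_key(M, C))
    print("ciphertext-only hits:", ciphertext_only_search(C, {"PATCH", "TUESDAY"}))
```

With only 26 possible keys, exhaustive search succeeds immediately, which is why a shift cipher offers no real protection.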

  26. Cryptanalysis • There are two kinds of security for encryption schemes • Unconditionally secure • No matter how much time or energy an attacker has, it is impossible to determine the plaintext • Computationally secure • The cost of breaking the cipher exceeds the value of the encrypted information • The time required to break the cipher exceeds the useful lifetime of the information • We focus on computationally secure, because there is only one practical system that is unconditionally secure • "I want them to remain secret for as long as men are capable of evil" -Avi from Cryptonomicon

  27. Modular Arithmetic Overview

  28. Review of Modular Arithmetic • Modulo operator takes the remainder • Two numbers are said to be congruent modulo n if they have the same remainder when divided by n • For example, 39 ≡ 3 (mod 12) • Addition, subtraction, and multiplication: • [(a mod n) + (b mod n)] mod n = (a + b) mod n • [(a mod n) – (b mod n)] mod n = (a – b) mod n • [(a mod n) × (b mod n)] mod n = (a × b) mod n

  29. Divided and Conquered • We can’t actually divide • Instead, we have to find the multiplicative inverse • The multiplicative inverse of x exists if and only if x is relatively prime to n • 13 ∙ 5 ≡ 65 ≡ 1 (mod 16) • So, 13 and 5 are multiplicative inverses mod 16 • But, 0, 2, 4, 6, 8, 10, and 12 do not have multiplicative inverses mod 16
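
The rule from slides 28 and 29, computed rather than looked up, in an added example that is not part of the original slides. It uses the extended Euclidean algorithm, which the slides do not name, to find inverses; the function names are chosen for illustration.

```python
def egcd(a, b):
    """Extended Euclid: return (g, s, t) with g = gcd(a, b) = s*a + t*b."""
    old_r, r = a, b
    old_s, s = 1, 0
    old_t, t = 0, 1
    while r != 0:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_s, s = s, old_s - q * s
        old_t, t = t, old_t - q * t
    return old_r, old_s, old_t


def mod_inverse(x, n):
    """Return y with (x * y) % n == 1, or None when x is not relatively prime to n."""
    g, s, _ = egcd(x % n, n)
    if g != 1:
        return None  # gcd(x, n) > 1, so no multiplicative inverse exists
    return s % n


def inverse_table(n):
    """Map every residue 0..n-1 to its inverse mod n (None where there is none)."""
    return {x: mod_inverse(x, n) for x in range(n)}


def mod_divide(a, b, n):
    """'Divide' a by b mod n by multiplying a with the inverse of b."""
    inv = mod_inverse(b, n)
    if inv is None:
        raise ValueError(f"{b} has no multiplicative inverse mod {n}")
    return (a * inv) % n


if __name__ == "__main__":
    print(39 % 12)               # congruence from slide 28
    print(mod_inverse(13, 16))   # the pair from slide 29
    for x, inv in inverse_table(16).items():
        print(x, inv)            # every even residue maps to None
    print(mod_divide(3, 5, 16))  # the y that solves 5 * y = 3 (mod 16)
```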

  30. Sign up for Presentations

  31. Upcoming

  32. Next time… • Cryptography basics • Stream and block ciphers • Shift ciphers

  33. Reminders • Read Sections 2.1 and 2.2
