240 likes | 335 Views
QMCS 490 - Class Today. Information Security life cycle Introductions Security perimeters Assignment. The life cycle. Identify your practical goals What “real” things do you want to accomplish? What threats interfere with them? Implement security measures What weaknesses exist?
E N D
QMCS 490 - Class Today • Information Security life cycle • Introductions • Security perimeters • Assignment R. Smith - University of St Thomas - Minnesota
The life cycle • Identify your practical goals • What “real” things do you want to accomplish? • What threats interfere with them? • Implement security measures • What weaknesses exist? • What security measures might work? • What are the trade-offs against goals? • Measure success • Monitor for attacks or other failures • Recover from problems • Reassess goals and trade-offs R. Smith - University of St Thomas - Minnesota
So what will the class look at? • How to assess security in general • Analyzing risk trade-offs • Specific security issues and techniques • Workstations • LANs • Distributed networks • Internet access • E-commerce • If time, DRM and ‘extreme security’ R. Smith - University of St Thomas - Minnesota
Who are you, who am I • Ask your neighbor: • Name, major • Why are you taking this class? • Do you “0wn” a computer? • I.e. can you log in as admin? • Give a personal, security related fact. • Experience, skill, incident, etc. R. Smith - University of St Thomas - Minnesota
Why this course exists • Start of an Information Security major • Will be US govt certified • Four principal ‘special’ courses • Intro course = this one • Operating Systems • Networking • Infosec Analysis = capstone course • Analysis course • More labs and tools • More (very dry) government policy stuff • Info Warfare exercise at the end R. Smith - University of St Thomas - Minnesota
The Syllabus: nuts and bolts • Grade = assignments + tests • Also a ‘participation’ grade • Attend class, hand in work = good test grade • Good grade <= assignments, attend class • Typical homework • Analyze a security problem, draw a diagram • I am planning a couple of labs • We have limited lab space (5 machines) • May do 30 minute shots at the labs • I typically have people do research projects • An outline, a paper, and a presentation. • Not sure this time R. Smith - University of St Thomas - Minnesota
The Syllabus • Concepts we’ll cover • “Practical” security planning and assessment • Risk trade offs - the concept • Role of security policies • Environments - in order of breadth • Personal desktop/laptop • Shared computer • Local network • Internet access from LAN • Distributed LANs • E-commerce R. Smith - University of St Thomas - Minnesota
Two security assessment techniques • Perimeter analysis • Look at the boundary protecting an asset • Look at access points in the boundary • Who might want the asset? • What attacks will break the boundary? • What attacks will break the access points? • Is the inside benign itself? Can it be hacked? • Flow analysis (data flow, execution flow) • Look at where data might flow • Assess mechanisms to restrict the flow • Assess attacks that can divert the flow • Look at “flow of execution” and possible diversion R. Smith - University of St Thomas - Minnesota
Part of this semester’s agenda • I’m writing a book on elementary security • We’ll look at chapters in this class • I thought I’d have one ready for today • It’s not finished yet. • Internet Cryptography • An “old” book, but … • It talks about security, perimeters, and information flow • Provides the basics and concepts for networking & crypto R. Smith - University of St Thomas - Minnesota
Personal Computer Security • Share a dorm room? • Share an apartment? • Share a home? • “My” computer - a security objective • “I’ll kill you if you touch it” • a policy statement? R. Smith - University of St Thomas - Minnesota
Extreme Workstation Security Does this achieve our goals? R. Smith - University of St Thomas - Minnesota
Threat Vulnerability Defense,Safeguard, or “Countermeasure” Asset Threats & Vulnerabilities An attempt to steal or harm the asset is an attack R. Smith - University of St Thomas - Minnesota
A real world example • There is a company • Thieves walk into their buildings every day • The front door is unlocked all day long • Valuable company property is just lying around • The thieves pick it up and carry it away • Most thieves, but not all, get away? • WHAT IS THIS STUPID COMPANY? • Why don’t they lock the door, at least? R. Smith - University of St Thomas - Minnesota
Security analysis: your PC • Threats? • Who, why? • Vulnerabilities? • What bad can happen? • What allows the badness to happen? • Can we just lock it up? • Put it in a room • Put a lock on the door. • Don’t share the key • Does this work? R. Smith - University of St Thomas - Minnesota
Physically securing an area • What is a secure perimeter? • Contiguous - no breaks • A barrier - actually blocks some attacks • Minimal number of openings • Access restrictions on the openings • Example: my house • Wooden frame building - keeps out wild dogs • Glass windows with storms - ditto • Locked doors - ditto • Metal fence - ditto • Gates in the fence - ditto R. Smith - University of St Thomas - Minnesota
Security Analysis • What are the threats? • Wild dogs • Burglars • People collecting for nasty charities • What are the defenses? • Are there effective attacks on them? • Effective = threats might use them R. Smith - University of St Thomas - Minnesota
Is this a complete list of threats? • Of course not. • Study history, the news, experience, introspection • Generate a ‘better’ list • A notion of “threats” • Threat = anyone with strongly different goals • Example: Burger King vs McDonald’s • Both “sort of” have the same goal: sell burgers • In fact, BK wants to sell BK burgers, while Mac wants to sell Mac burgers • BK people are not trusted in McDonald’s places R. Smith - University of St Thomas - Minnesota
Potential vs Real Threats • Potential Threat = strongly different goals • Not a member of the family, company, community • Member of competing entity • But not necessarily motivated to do you harm • Real Threat = history of attacks • “Good” neighborhood = neighbors not a threat • “Bad” neighborhood = neighbors have caused trouble in the past R. Smith - University of St Thomas - Minnesota
Now, the Defenses • Physical world • Physical barriers, slows them down a lot • Locks - slow them down, restricts access • Alarms - calls for help • Warnings - shows you care • Computer world • Examples? R. Smith - University of St Thomas - Minnesota
What defenses are “effective”? • Concept of “work factor” • How hard does the attacker have to work to overcome the defense? • May be computed in hours • May be computed in likelihood over time • Example: average of 3 days, $.25M to crack DES • Effective = • Work Factor > threat’s motivation or skill • My Home Example • Wild dogs motivated but not resourceful • Charity people resourceful but not motivated • Burglars may be both, but hopefully not too much so • Or, deterred by the alarm, and the large dog R. Smith - University of St Thomas - Minnesota
How does this relate to computers? • Defenses are always a trade off • The same reasoning applies to both • All security begins with physical security R. Smith - University of St Thomas - Minnesota
Evolution of Attacks and Defenses Attacks Defenses ?? One-Time Passwords Network Sniffing Password Tokens Password Sharing Memory Protection Keystroke Sniffing Guess Detection Guessing Password Hashing Steal the Password File Passwords Masquerade Remote Terminals Example: Passwords on Computers R. Smith - University of St Thomas - Minnesota
The homework assignment • Two parts • A: describe your computer sharing “policy” • B: describe physical protection of your computer R. Smith - University of St Thomas - Minnesota
Creative Commons License This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit http://creativecommons.org/licenses/by-sa/3.0/us/ or send a letter to Creative Commons, 171 Second Street, Suite 300, San Francisco, California, 94105, USA. R. Smith - University of St Thomas - Minnesota