320 likes | 473 Views
CmpSci 515 (591s). Introduction to Computer and Network Security Jake Cunningham jake@nic.umass.edu Brian Neil Levine brian@cs.umass.edu Chris Misra crispy@nic.umass.edu Tuesday/Thursday 11:15-12:30pm LGRC room A339. Overview of Today’s Lecture. Course mechanics Course overview
E N D
CmpSci 515 (591s) Introduction to Computer and Network Security Jake Cunningham jake@nic.umass.edu Brian Neil Levine brian@cs.umass.edu Chris Misra crispy@nic.umass.edu Tuesday/Thursday 11:15-12:30pm LGRC room A339
Overview of Today’s Lecture • Course mechanics • Course overview • Course policies and legalities • The ethics of computer security
Course Mechanics • Prerequisites: CS 377 and CS 453 • Familiarity with • Operating system concepts • Unix • Understanding of TCP/IP protocols • Grading • 60% labs and homeworks • 20% midterm exam • 20% final exam • Class participation can change your grade for better or worse.
Brian’s Office Hours • Mondays and Tuesdays 2:30-3:30pm • Room 346 in the Computer Science Bldg. • Email is the best way to reach me. • My office number is 577-0238.
Class Objectives An introduction to concepts in • Computer Security and Network Security To understand vulnerabilities, threats, and counter measures present in computer and network systems. • Practical experience with the systems and tools involved.
Class Objectives • We want to train you to be a computer and network security experts. • This class is the basis for a security community at UMass. • This class is discussion oriented (3 instructors!) and a forum for all current security topics. • Please post related articles you may find to the mailing list.
The Security Lab • Our course has a special room in the LGRC-Tower for our exclusive use. • Equipment is thanks to • a 3-year NSF Combined Research-Curriculum Development (CRCD) grant (18 PCs) • a CAIDA equipment grant for Internet Education Labs (cisco 7100 Routers) • Help from OIT!
Texts • White Hat Security by Avi Rubin • Avi is giving a talk Thursday at 4pm room 150. Attend! • You probably want to keep handy whatever text you used for your network class. • There are plenty of resources online (e.g., Kurose & Ross).
Computer Security Ethics Fundamental security definitions Review of Unix administration and tools. Basic cryptography Buffer overflows Securing unix systems Vulnerability taxonomy Sniffing/Snorting (monitoring) Incident Handling ARP Attacks and Session Hijack Firewalling More Crypto Kerberos PKI/SSL/VPN etc Wireless DNS Rootkits/Virus/Worms DOS/DDOS (Jake) Nimda Intrusion Detection Systems More Snorting Course Topics
Assignments • There will be a number of practical lab exercises on security. • One class presentation. • Assignments are due on the date specified at the beginning of class. • No late homeworks will be accepted. • If you need extra time, ask. • If you have special needs, tell me now!
Bugtraq Presentation • Each student must make a 5-10 minute presentation once during the semester. • For the presentation, you will read the bugtraq mailing list for the prior week. http://www.securityfocus.com/ • At the end of the week, you will present the most important item from the list.
Academic Honesty • All work must be your own. • Cheaters are harmful to honest students in the class and other living things. • You can discuss readings, and explain concepts to each other, but you can’t just give away answers, or write-up assignments together, etc. • Complete lab exercises on your own. • Lab assistance is ok when the assignment is a given, obvious task. Credit your helper. • Cheating equals failure.
Honor Code • Assignments for this class include tasks normally prohibited by the acceptable use policy at UMass, and tasks prohibited by law on outside systems. • Accordingly, enrolling in this class requires your participation in an honor code. • Please read and sign the handout. • In order to have the most open educational environment possible, we trust you • with our most dear and precious resources; • to protect us from evil; • not to need a second chance.
Why are you taking this course? • As part of the class, we will teach you how exploits work so that you may learn how to defend against them. • Think about the objective of this class hard. • We are teaching you to become knowledgeable security experts. • There is no love or respect for hackers in this community. • Be respected.
Aspire • People who are respected most are those • who are knowledgeable enough to understand all of a system’s strengths and weaknesses; • that understand systems well enough to set up secure environments; • who can write new tools for securing existing systems • who can design new services that are secure and robust. • As we’ll see, it takes no expertise to execute an attack; but securing a system takes real knowledge.
The Security Lab Hub Server Hub Hub
The Security Lab • Those PCs are the only machines you can use to complete lab exercises in this class. • In the labs, we will execute attacks on common vulnerabilities and then setup counter measures. • Running these exploits elsewhere on campus or anywhere violates our honor code. • Downloading these tools elsewhere violates our honor code. (Counter measures are obviously ok. Analysis tools probably are a fine line sometimes.) • If you want to try out a tool or exploit, we’ll install it in the lab.
Accounts in the Lab • All machines are shared, there is no way to save files other than to a floppy. • All labs are designed to take about three hours and can usually be saved on a floppy. • Some labs are destructive and require a re-install of the OS. (Accidents are ok too!) • Never expect your work to remain on your machine when you return. • Having a root account is a privileged role: don’t steal other’s work. • Just because administrators can read your mail doesn’t make it ethical to do so.
The Setup • To run exercises, we will provide you with a disk imageof a complete operating system. • Normally, you will launch an attack from your partition, and attack the partition of another computer. • Or something similar. • For example...
For example Bogus DNS entry • In a DNS cache poisoning lab, you will place bogus DNS entries into the cache of another machine. • You will then setup a defense on the Victim. • When you are done, re-install the victim’s OS clean from the server for another student to try. Victim Your machine
More rules • Don’t break into the server or violate any of its systems. • Exploits are only to be run against the lab machines. • You aren’t to allow anyone outside the class into the security lab. • You aren’t to assist anyone outside the class with violating the acceptable use agreement.
How did we secure the server? • The server is the only computer that can connect to the outside world. • The server is normally connected to the lab and firewalled. None of you have accounts on the server. • One ethernet card connects either to the lab or the campus. The campus cable runs to a locked closet and the cable must be attached to the campus network by hand. • When we do this, we could run the computer from a “live” CD-rom. The file system will be mounted read-only.
Is this important? • Why study computer security? • Perhaps the threat of bugs or unintended error a greater concern? • Does the security of a system or service pose a limitation that should concern us? • Is there possible harm or risks to be aware of when dealing computers? • Is there a danger in teaching exploits?
Security Threats are Rising in Number • The number of computer security vulnerabilities reported to CERT each year is growing too.
Security Threats are Rising in Number • The number of computer security incidents reported to CERT each year is growing incredibly. • http://www.cert.org/stats/cert_stats.html
Why study computer security? • (1) Computer security is fundamental to individual privacy. • Many of us keep personal data on our accounts: emails, bookmarks, coursework. • Many of us use the network to send personal data or retrieve personal data. • Many remote computers keep personal data for us: financial data and accounts, medical history. • We want to protect these resources.
Why study computer security? • (2) Our society is increasingly reliant on the proper operation of computer systems and integrity of their data. • Financial and commercial operations, medical operations, meteorological, government, social welfare, and so on. (not to mention the Internet itself.) • The protection of these systems is as vital as our dependence on the services they provide. • An understanding to their limitations is vital. • Exploited systems have resulted in people’s deaths. (Unavailable forecasts have caused a ship at sea to be lost.)
Ethics • So far, we’ve been talking mostly about the legalities of the course; limits on what you can do. • Let’s talk about the ethics of our subject and our of profession; limits on what we should do. • The study of ethics provides us with a framework for judgments we must make within our profession. • As a computer scientists, the study and teaching of computer security is an ethical responsibility.
What are our responsibilities? • The ACM code of ethics instructs us to • “1.1 ...design systems that will be used in socially responsibly ways, will meet social needs, and will avoid harmful effects to health and welfare. • “2.5 Give comprehensive and thorough evaluations of computer systems and their impacts, including analysis of possible risks. • “2.7 Improve public understanding of computing and its consequences... Including the impacts of computer systems and their limitations.”
What are our responsibilities • And as users, the ACM code of ethics instructs us to: • 1.2 Avoid harm to others. • 1.3 Be honest and trustworthy. • 1.7 Respect the privacy of others. • 1.8 Honor confidentiality. • 2.3 Know and respect existing laws pertaining to professional work. • 2.8 Access computing and communication resources only when authorized to do so.
IEEE Code of Ethics • Similarly, the IEEE instructs us • to accept responsibility in making engineering decisions consistent with the safety, health and welfare of the public, and to disclose promptly factors that might endanger the public or the environment; • to improve the understanding of technology, its appropriate application, and potential consequences;
Consider your actions • Our actions as citizens are governed by legalities. • The study of ethics provides us with a framework for judgments we must make within our profession. • Our code of ethics is what holds us together as a profession; it’s what we profess. • Our actions as computer professionals must uphold our common ethics.