CS 5950/6030 Network Security
Class 1 (W, 8/31/05)
Leszek Lilien
Department of Computer Science
Western Michigan University
[Using some slides prepared by: Prof. Aaron Striegel, University of Notre Dame; Prof. Barbara Endicott-Popovsky and Prof. Deborah Frincke, University of Washington]
Class 1 Outline
• 1.1. Course Overview
  • Syllabus - Course Introduction
• 1.2. Survey of Students’ Background and Experience
• 1.3. Introduction to Security
  • Examples – Security in Practice
  • Discussion – What does security mean?
1.1. Course Overview (1)
CS 5950/6030: Network Security - Fall 2005
Department of Computer Science, Western Michigan University
Description: Survey of topics in the area of computer and network security with a thorough basis in the fundamentals of computer/network security.
Class: CEAS C0141, M W F 3:00 PM – 3:50 PM
Instructor: Dr. Leszek (Leshek) Lilien, CEAS B-249, phone: 276-3116
Email: llilien@wmich.edu – please use for urgent matters only
Notes:
1) Only mail coming from a WMU account (ending with “wmich.edu”) will be read.
2) Files submitted as attachments will not be read unless they are scanned with up-to-date anti-viral software, and the message including them contains the following statement: I have scanned the enclosed file(s) with <name of software, its version>, which was last updated on <date>.
Office Hours: MW 4:30 PM – 5:30 PM, F 1:30 PM – 2:30 PM
Web Pages: http://www.cs.wmich.edu/~llilien/cs5950-6030/index.html
Course Overview (2)
Required Text: Pfleeger and Pfleeger, Security in Computing. Third Edition, Prentice Hall PTR, 2003, ISBN 0-13-035548-8.
Course Overview: This course is a survey of topics in the realm of computer and network security. It introduces topics in computer security ranging from cryptographic techniques to trust to multilevel security to security ethics. Students will learn fundamental concepts of security that can be applied to many traditional aspects of computer programming and computer systems design. The course will culminate in a project where the students will have an opportunity to more fully investigate a topic related to the course.
Course Objectives:
• The course is designed to provide knowledge in the following areas:
  • Security terminology
  • Cryptographic techniques: terminology, basic techniques
  • Encryption systems: RSA, DES, public/private key
  • Program security: viruses, other malicious code, controls against program threats
  • Trusted computer systems: OS characteristics, certification levels, access control
  • Network security: threats and controls, authentication mechanisms, Kerberos, intrusion detection
  • Database security: security requirements, inference, multilevel security
  • Legal, ethical, privacy issue discussions
Course Overview (3)
Performance Objectives:
• At the end of the course, all students should be able to:
  • Describe and correctly use fundamental terminology in the area of computer/network security
  • Describe fundamental concepts of cryptography and assess the strengths and weaknesses of common cryptographic protocols
  • Identify weaknesses in program design and be able to categorize basic forms of attack against programs
  • Understand the basic concepts of security with regards to operating systems and access control
  • Assess the areas of trust in both operating systems and protocols
  • Describe database attacks and how to design against such attacks
  • Describe basic methods for network security
  • Intelligently discuss the legal, ethical, and privacy issues in computer security
Course Overview (4)
Grading:
• Grading components:
  • Quizzes 10%
  • Midterm Exam 25%
  • Final Exam 30%
  • Group Project (incl. final project presentation) 35%
• Fixed standard grading scale (A: 90, BA: 85, B: 80, CB: 75, C: 70, DC: 65, D: 60)
• I may curve a “bad” exam to improve the letter grades.
• Inquiries about graded quizzes/exams must be made within one week after they are handed back. In case of a grading disagreement, written arguments for your claims are required.
• In my book, there is the “AA” grade, known to the outside world as the “A+” grade, for extraordinary performance (best in class, etc.). Each student who receives it can get a written statement from me upon request (in case the student needs strong evidence for a recommendation letter). Of course, the WMU transcript will show an “A” only.
• I might offer extra credit for optional coursework, such as presenting in class a software security tool or a research paper.
Course Overview (5)
Course Policies:
1. Lecture
• Lecture notes may or may not be on-line so taking notes during class is highly encouraged. Especially, you should write down anything that is written down using the board or the document projector. You are encouraged to slow me down if you need more time to take notes.
• Attendance at lectures is required. If you must miss a lecture, please contact the instructor in advance.
• Lectures will be driven by student interaction, in addition to the standard lecture material.
2. Quizzes
• 2-4 quizzes are planned.
• Quizzes will be announced no later than at the preceding lecture.
• Quiz solutions will be posted, most probably online.
Course Overview (6)
3. Exams
• There will be two exams for the class.
• The midterm exam will be announced at least a week in advance (it should be expected around October 15). The midterm exam will be held during normal class time.
• The final exam will be held during the finals week, as scheduled (Th, Dec. 8, 2:45 PM – 4:45 PM).
4. Project(s)
• Small projects:
  • 1-2 small projects will be individual and self-guided (using guidelines provided by me). They will not be graded but lessons learned may be checked by my quiz questions.
• The final project:
  • The final project will be done in teams consisting normally of 3-4 students.
  • I will propose a set of topics for the final project to help students in final project selection. The groups are free to propose their own topics for the final project but must obtain my buy-in before starting their work.
  • The results obtained in the final project will be presented by the students in class at the end of the semester.
Course Overview (7)
• Project presentation requirements:
  • For all projects, both technical contents and quality of (written and/or oral) presentation will be evaluated for the total project credit.
  • No handwritten project reports will be accepted. All text and figures must be prepared using a word processor (and a drawing program, if necessary).
  • The project reports must be submitted both as hard copies and in an electronic format.
  • Required electronic format: PDF.
  • The message including project files must include information on anti-viral software used (cf. above).
  • Late project reports will lose 33% per day beyond the due date.
Other Notes:
• The topics for the course will be quite flexible. If there is a technology related to security that you would like to know more about, please let me know. I will try to accommodate your wishes, depending on the availability of time.
• This class will be a class where many of the topics build upon one another. Therefore, please ask questions in class if you do not understand the material.
Course Overview (8)
• Since email and telephone limit interaction, please see me during my office hours in case of any course difficulties. (In justified cases, a special appointment can be made.)
• No questions will be answered on the date of a quiz/exam.
• A make-up quiz/exam can be given only when the student presents a valid reason with documented evidence for missing the test/exam. Without such a reason, the student will lose all quiz/exam points.
Academic Honesty Statement (WMU Policy)
You are responsible for making yourself aware of and understanding the policies and procedures in the Undergraduate Catalog (pp. 274-276) or the Graduate Catalog (pp. 25-27) that pertain to Academic Honesty. These policies include cheating, fabrication, falsification and forgery, multiple submission, plagiarism, complicity and computer misuse. If there is reason to believe you have been involved in academic dishonesty, you will be referred to the Office of Student Conduct. You will be given the opportunity to review the charge(s). If you believe you are not responsible, you will have the opportunity for a hearing. You should consult with me if you are uncertain about an issue of academic honesty prior to the submission of an assignment or test.
1.2. Survey of Students’ Background and Experience (1)
Background Survey
CS 5950/6030 Network Security - Fall 2005
Please print all your answers.
First name: __________________________ Last name: _____________________________
Email _____________________________________________________________________
Undergrad./Year ________ OR: Grad./Year or Status (e.g., Ph.D. student) ________________
Major _____________________________________________________________________
PART 1. Background and Experience
1-1) Please rate your knowledge in the following areas (0 = None, 5 = Excellent).
UNIX/Linux/Solaris/etc. Experience (use, administration, etc.): 0 1 2 3 4 5
Network Protocols (TCP, UDP, IP, etc.): 0 1 2 3 4 5
Cryptography (basic ciphers, DES, RSA, PGP, etc.): 0 1 2 3 4 5
Computer Security (access control, security fundamentals, etc.): 0 1 2 3 4 5
Survey of Students’ Background and Experience (2)
1-2) Please list (by number and name) all classes in operating systems, networks, databases, and security taken at WMU:
OS: ________________________________________________________________
Networks: ___________________________________________________________
Databases: __________________________________________________________
Security: ___________________________________________________________
1-3) Please list (by name) classes in operating systems, networks, databases, and security taken at institutions other than WMU (name the institutions):
OS: ________________________________________________________________
Networks: ___________________________________________________________
Databases: __________________________________________________________
Security: ___________________________________________________________
1-4) Please list up to 3 programming languages, which you know, and rate your skill level in each (1-5).
Language 1: ______________________________ Rating: _______________
Language 2: ______________________________ Rating: _______________
Language 3: ______________________________ Rating: _______________
Survey of Students’ Background and Experience (3)
1-5) Please list any other notable/important background or experience in OS, networks, databases, and security (incl. work, internships, projects, etc.).
___________________________________________________________________
___________________________________________________________________
___________________________________________________________________
1-6) Operating system you feel most comfortable with (circle one or more):
Windows Linux Solaris Other: ___________
PART 2. Motivation and Expectations
2-1) Why did you sign up for this course?
___________________________________________________________________
___________________________________________________________________
2-2) Would you prefer a more theoretical (principles, ideas, formal models) course or a more practical course?
___________________________________________________________________
Why? ___________________________________________________________________
Survey of Students’ Background and Experience (4)
2-3) If there were 2-3 topics related to security that you would like to know more about, what would those be (in your preference order)?
Topic 1: ____________________________________________________________
Topic 2: ____________________________________________________________
Topic 3: ____________________________________________________________
PART 3. Any Other Comments
___________________________________________________________________
___________________________________________________________________
___________________________________________________________________
___________________________________________________________________
Thank you!
1.3. Introduction to Security (1)
1.3.1. Examples – Security in Practice
• From CSI/FBI Report 2002
  • 90% detected computer security breaches within the last year
  • 80% acknowledged financial losses
  • 44% were willing and/or able to quantify their financial losses. These 223 respondents reported $455M in financial losses.
  • The most serious financial losses occurred through theft of proprietary information and financial fraud:
    26 respondents: $170M
    25 respondents: $115M
  • For the fifth year in a row, more respondents (74%) cited their Internet connection as a frequent point of attack than cited their internal systems as a frequent point of attack (33%).
  • 34% reported the intrusions to law enforcement. (In 1996, only 16% acknowledged reporting intrusions to law enforcement.)
[Barbara Endicott-Popovsky and Deborah Frincke, CSSE592/492, U. Washington]
More from CSI/FBI 2002
• 40% detected external penetration.
• 40% detected denial of service attacks.
• 78% detected employee abuse of Internet access privileges.
• 85% detected computer viruses.
• 38% suffered unauthorized access or misuse on their Web sites within the last twelve months. 21% didn’t know. [includes insider attacks]
• 12% reported theft of transaction information.
• 6% reported financial fraud (only 3% in 2000).
[cf. Barbara Endicott-Popovsky and Deborah Frincke, CSSE592/492, U. Washington]
Critical Infrastructure Areas
… telecommunications, electrical power systems, gas and oil, banking and finance, transportation, water supply systems, government services and emergency services.
[Barbara Endicott-Popovsky and Deborah Frincke, CSSE592/492, U. Washington]
Threat Spectrum
[cf. Barbara Endicott-Popovsky and Deborah Frincke, CSSE592/492, U. Washington]
Cyberterrorism
• The Internet Black Tigers conducted a successful "denial of service" attack on servers of Sri Lankan government embassies.
• Italian sympathizers of the Mexican Zapatista rebels attacked web pages of Mexican financial institutions.
• Rise of “Hack-tivism”
Freeh, Testimony before Senate, 2000.
[cf. Barbara Endicott-Popovsky and Deborah Frincke, CSSE592/492, U. Washington]
Threats to Personal Privacy
• Buying and selling confidential information from Social Security files.
• Browsing IRS files.
• Buying and selling bank account name lists.
• A Princeton University student stole ~1800 credit card numbers, customer names, and user passwords from an e-commerce site.
House Ways and Means Committee, 102nd Congress, 1992.10., Washington Post, S. Barr, 2 Aug. 1993 (4) Freeh, Testimony 2000
[Barbara Endicott-Popovsky and Deborah Frincke, CSSE592/492, U. Washington]
Identity Theft
• “The theft of computer hard drives from TriWest Healthcare Alliance could turn into one of the largest identity thefts on record if the information is misused, the Federal Trade Commission said.”
[Barbara Endicott-Popovsky and Deborah Frincke, CSSE592/492, U. Washington]
1.3.2. What is “Security”?
You Will Never Own a Perfectly Secure System.
You Will Never Own a Perfectly Secure System.
You Will Never Own a Perfectly Secure System.
[Barbara Endicott-Popovsky and Deborah Frincke, CSSE592/492, U. Washington]
Well … Maybe If You Do This: (even then there are standards)
[Barbara Endicott-Popovsky and Deborah Frincke, CSSE592/492, U. Washington]
“Secure” Computer System
[Figure labels: Cyberterrorism, Denial of Service, Modified Databases, Virus, Espionage, Identity Theft, Equipment Theft, Stolen Customer Data]
• To decide whether a computer system is “secure”, you must first decide what “secure” means to you, then identify the threats you care about.
[cf. Barbara Endicott-Popovsky and Deborah Frincke, CSSE592/492, U. Washington]
1.3.3. Pillars of Security: Confidentiality, Integrity, Availability (CIA)
[Figure labels: Integrity, Confidentiality, Availability; S = Secure]
• Confidentiality: Who is authorized?
• Integrity: Is the data “good”?
• Availability: Can you access the data whenever you need it?
[cf. Barbara Endicott-Popovsky and Deborah Frincke, CSSE592/492, U. Washington]
Balancing CIA
[Figure labels: Health Data, Payroll Data, Biographical Data, Sensitive Data, Packet Switch, Bridge, File Server, Gateway, Other Networks; Integrity, Confidentiality, Availability]
• Need to balance CIA
• Ex: Disconnect computer from Internet to increase confidentiality (availability suffers, integrity suffers due to lost updates)
• Ex: Have extensive data checks by different people/systems to increase integrity (confidentiality suffers as more people see data, availability suffers due to locks on data under verification)
[cf. Barbara Endicott-Popovsky and Deborah Frincke, CSSE592/492, U. Washington]