1 / 21

CSCE 201 Introduction to Information Security Fall 2010

CSCE 201 Introduction to Information Security Fall 2010. Reading list: Easttom: Chapter 1 and 3 Other useful sites (recommended only)

mark-lynch
Download Presentation

CSCE 201 Introduction to Information Security Fall 2010

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. CSCE 201Introduction to Information Security Fall 2010

  2. Reading list: • Easttom: Chapter 1 and 3 • Other useful sites (recommended only) • Information Technology Security Evaluation Criteria (ITSEC ), Commission of the European Communities, 1991, http://www.iwar.org.uk/comsec/resources/standards/itsec.htm • University Technology Services, Information Security, http://uts.sc.edu/index.shtml

  3. Homework 1DUE Sept. 8, 2010 Exercise 1: Do Project 1.3 in your textbook, using resource Microsoft Security guide on 4 steps to protect your computer, (http://www.microsoft.com/security/pypc.aspx ) and an additional resource of your choosing Exercise 2: Consider the three security objectives: confidentiality, integrity, and availability. Explain how these objectives are met by your personal computer. Be specific, e.g., availability of the system and data files is supported by regular system backups every week and by copying all data files to separate CDs daily.

  4. Methods of Defense • Prevent: block attack • Deter: make the attack harder • Deflect: make other targets more attractive • Detect: identify misuse • Tolerate: function under attack • Recover: restore to correct state • Documentation and reporting

  5. Information Security Planning • Organization Analysis • Risk management • Mitigation approaches and their costs • Security policy and procedures • Implementation and testing • Security training and awareness

  6. Risk Management

  7. Threats RISK Vulnerabilities Consequences Risk Assessment

  8. System Security Engineering (Traditional View) Specify System Architecture Identify and Install Safeguards Identify Threats, Vulnerabilities, Attacks Prioritize Vulnerabilities Estimate Risk Risk is acceptably low

  9. Human Actions • Domains: • Play: hackers vs. owners • Crime: perpetrators vs. victims • Individual rights: individuals vs. individuals/organizations/government • National security: national level activities

  10. Play • Playing pranks • Actors: hackers/crackers/phreakers • Motivation: challenge, knowledge, thrill • Culture: social/educational • “global networks” • publications • forums • Law

  11. Crime • Intellectual Property Crimes • IT targets: research and development, manufacturing and marketing plan, customer list, etc. • Attacker: insiders, formal insiders • 1996: Economic Espionage Act (U.S. Congress) • Fraud • Telemarketing scam, identity theft, bank fraud, telecommunication fraud, computer fraud and abuse • Fighting crime

  12. Individual Rights • Privacy • Secondary use of information • Free speech • Harmful/disturbing speech • Theft and distribution of intellectual property • Censorship

  13. National Security • Foreign Intelligence • Peace time: protecting national interests • Open channels, human spies, electronic surveillance, electronic hacking (?) • War time: support military operations • U.S. Intelligence Priorities: • Intelligence supporting military needs during operation • Intelligence about hostile countries • Intelligence about specific transnational threats • Central Intelligence Agency (CIA) • Primary targets in U.S.A.: high technology and defense-related industry

  14. Terrorism • Traditional: • Intelligence collection • Psyops and perception management • New forms: • Exploitation of computer technologies • Internet propaganda • Cyber attacks (electronic mail flooding, DOS, etc.) • Protection of national infrastructure

  15. Design Principles of Computer Security Layer of the computer system Application Software User (subject) Resource (object) Hardware Focus of the security policy

  16. Focus of Control • 1st Design Decision: in a give application, should the protection mechanism in a computer system focus on: data, operations or users?

  17. Man-Machine Scale • 2nd Design Decision: In which layer of the computer system should a security mechanism be placed? Applications Services Operating system OS kernel Hardware

  18. Complexity vs. Assurance • 3rd Design Decision: Do you prefer simplicity and higher assurance to a feature-rich security environment?

  19. Centralized vs. Decentralized Controls • 4th Design Decision: Should the tasks of defining and enforcing security be given to a central entity or should they be left to individual components in a system?

  20. The Layer Below • 5th Design Decision: How can you prevent an attacker getting access to a layer below the protection mechanism?

  21. Next Class • Making Decisions about Security • Chapter 3 in your textbook

More Related