210 likes | 322 Views
CSCE 201 Introduction to Information Security Fall 2010. Reading list: Easttom: Chapter 1 and 3 Other useful sites (recommended only)
E N D
Reading list: • Easttom: Chapter 1 and 3 • Other useful sites (recommended only) • Information Technology Security Evaluation Criteria (ITSEC ), Commission of the European Communities, 1991, http://www.iwar.org.uk/comsec/resources/standards/itsec.htm • University Technology Services, Information Security, http://uts.sc.edu/index.shtml
Homework 1DUE Sept. 8, 2010 Exercise 1: Do Project 1.3 in your textbook, using resource Microsoft Security guide on 4 steps to protect your computer, (http://www.microsoft.com/security/pypc.aspx ) and an additional resource of your choosing Exercise 2: Consider the three security objectives: confidentiality, integrity, and availability. Explain how these objectives are met by your personal computer. Be specific, e.g., availability of the system and data files is supported by regular system backups every week and by copying all data files to separate CDs daily.
Methods of Defense • Prevent: block attack • Deter: make the attack harder • Deflect: make other targets more attractive • Detect: identify misuse • Tolerate: function under attack • Recover: restore to correct state • Documentation and reporting
Information Security Planning • Organization Analysis • Risk management • Mitigation approaches and their costs • Security policy and procedures • Implementation and testing • Security training and awareness
Threats RISK Vulnerabilities Consequences Risk Assessment
System Security Engineering (Traditional View) Specify System Architecture Identify and Install Safeguards Identify Threats, Vulnerabilities, Attacks Prioritize Vulnerabilities Estimate Risk Risk is acceptably low
Human Actions • Domains: • Play: hackers vs. owners • Crime: perpetrators vs. victims • Individual rights: individuals vs. individuals/organizations/government • National security: national level activities
Play • Playing pranks • Actors: hackers/crackers/phreakers • Motivation: challenge, knowledge, thrill • Culture: social/educational • “global networks” • publications • forums • Law
Crime • Intellectual Property Crimes • IT targets: research and development, manufacturing and marketing plan, customer list, etc. • Attacker: insiders, formal insiders • 1996: Economic Espionage Act (U.S. Congress) • Fraud • Telemarketing scam, identity theft, bank fraud, telecommunication fraud, computer fraud and abuse • Fighting crime
Individual Rights • Privacy • Secondary use of information • Free speech • Harmful/disturbing speech • Theft and distribution of intellectual property • Censorship
National Security • Foreign Intelligence • Peace time: protecting national interests • Open channels, human spies, electronic surveillance, electronic hacking (?) • War time: support military operations • U.S. Intelligence Priorities: • Intelligence supporting military needs during operation • Intelligence about hostile countries • Intelligence about specific transnational threats • Central Intelligence Agency (CIA) • Primary targets in U.S.A.: high technology and defense-related industry
Terrorism • Traditional: • Intelligence collection • Psyops and perception management • New forms: • Exploitation of computer technologies • Internet propaganda • Cyber attacks (electronic mail flooding, DOS, etc.) • Protection of national infrastructure
Design Principles of Computer Security Layer of the computer system Application Software User (subject) Resource (object) Hardware Focus of the security policy
Focus of Control • 1st Design Decision: in a give application, should the protection mechanism in a computer system focus on: data, operations or users?
Man-Machine Scale • 2nd Design Decision: In which layer of the computer system should a security mechanism be placed? Applications Services Operating system OS kernel Hardware
Complexity vs. Assurance • 3rd Design Decision: Do you prefer simplicity and higher assurance to a feature-rich security environment?
Centralized vs. Decentralized Controls • 4th Design Decision: Should the tasks of defining and enforcing security be given to a central entity or should they be left to individual components in a system?
The Layer Below • 5th Design Decision: How can you prevent an attacker getting access to a layer below the protection mechanism?
Next Class • Making Decisions about Security • Chapter 3 in your textbook