Ionian University, Department of Informatics, Academic Year 2010-2011, Semester: 8th. Information Systems Security. Unit A: Introductory Concepts. Εμμανουήλ Μάγκος. http://di.ionio.gr/~emagos/security/lectures.html


Syllabus: a few words about the course; the concept of Security.


Syllabus: http://e-class.ionio.gr/courses/DCS169/

Security (Oxford Dictionary): freedom from danger or anxiety.

Security vs. Safety.

Forester and Morrison (1994) defined a computer crime as: a criminal act in which a computer is used as the principal tool.

Computer crime (e-crime) [FM94]

C. Keywords recoverable from the slide: botnets, trojans; hacking (read / write access); denial of service (DOS); spoofing / masquerading; identity theft; spam; phishing.

Spoofing / Masquerading

Phishing

Phishing and social engineering

Sources cited on the slides: Cisco 2010 Annual Security Report (money mule, Stuxnet, Facebook clickjacking); Quarterly Report, Panda Labs, April-June 2010 (tabnapping).

D. http://www.ptatechnologies.com/PTA3.htm

Assets (2009 source cited on the slide): Physical Assets; Data Assets; Software Assets.

Impact

Threat and impact. Attacker models on the slide: Eve (eavesdrop): packet sniffing, traffic analysis; password cracking / breaking a crypto key. Mallory: masquerading, spoofing, man-in-the-middle (MIM), replay, denial of service (DOS), modification.

Four threat classes: Interception, Interruption, Modification, Fabrication.

Speaker notes (repeated on slides 28-32): Interception (confidentiality). Interruption (e.g. DOS attacks). Modification (e.g. of records). Fabrication (e.g. spoofing, Man in the Middle attacks).

Interception: packet sniffing, traffic analysis, shoulder surfing.


Interruption


Modification


Fabrication: Phishing, Spoofing, Man-in-the-Middle attacks


3. Interception attacks; Modification & Fabrication attacks; Interruption attacks.

4. Attackers. Outsiders: Hackers / Crackers / Vandals / Hacktivists; Social Engineers. Insiders.

Outsider methods listed on the slide: footprinting (IP addresses, e-mail, ...), scanning & enumerating, hacking; malicious software: viruses, worms, Trojan horses, spyware/adware. Social engineers.

5. Buffer overflow attacks (e.g. hackers).

Slide 35: attacker types (hackers, crackers, vandals, ...).

Vulnerabilities. Figure: http://csrc.nist.gov/publications/nistpubs/800-12/800-12-html/images/figure5.jpg

Risk Analysis: Risk = Threat x Vulnerability x Impact (Asset value)

Risk Management

Security Economics (Infosec goal)

Security Controls: prevention, detection, response.

Controls listed: back-up, computer forensics, malware removal, hot sites; access control, replication, firewalls, antivirus; intrusion detection systems (IDS), penetration testing.

Speaker notes (slide 52): prevention controls include firewalls, antivirus and vulnerability scanners, but are not 100%; detection controls include alarm systems, Intrusion Detection Systems and monitoring / audit systems; recovery and survivability rely on back-up, redundancy and fault-tolerant systems (RAID, hot swapping, UPS).

Control matrix (from http://www.cs.uwf.edu/~rdavid/CEN4540/sec3.ppt): smartcards; ACLs, MAC, RBAC; passwords, CAPTCHAs; antivirus, anti-spam, anti-spyware; firewalls (packet filters, application gateways); IDS/IPS.

Technical controls (e.g. passwords, firewalls, smartcards) vs. non-technical controls (cyber-ethics). Slide 54: Logical Access Control.

Speaker notes (largely lost in extraction): Internet exposure, phishing, contingency plan; Firewall?

1. Authentication: passwords, PINs, challenge-response; smartcards, tokens; biometrics; human / machine (CAPTCHAs).

Figure: Passwords-PINs, Smartcards, Biometrics and CAPTCHAs compared on Accuracy and Affordability (source: http://www.csse.monash.edu.au/courseware/cse2500/ppt/Authentication.ppt).

2. Hot topics: ACLs, MLS and information flow; Sandboxing & Virtualization; Application Security; Memory security; File system Security (e.g. Bitlocker, Windows Vista); Database Security; OS Kernel Security; Trusted Computing; Hardware Security; Tempest and Side Channel Attacks; Assurance and Evaluation.

3. Hot topics: Bots, Botnets; Rootkits; Spam, Phishing & Fraud; Intrusion Detection.

Figure (antivirus architecture): Application; Antivirus filter driver; Antivirus service; File system driver; signature database; kernel mode / user mode.

4. Web. Hot topics: Web browser security; Web app & web server security; Web privacy.

Web browser security

Web app & web server security: buffer overflow attack (figure: shell); SQL injection attack.

6. Hot topics: TCP/IP Security; Penetration testing; Authenticated Key establishment and applications; Network intrusion Detection; Security in Wireless networks.

TCP/IP Security attacks: SYN Flooding; DDOS attack.

Penetration Testing

Authenticated Key establishment and applications (Alice and Bob)

Network Intrusion Detection

Security in Wireless Networks: VANETs; Security in RFID systems.

7. Hot topics: Security Domains; E-commerce transactions; E-voting / e-auctions; Distributed Databases Security; Distributed File Systems Security; WS Security; Security and Privacy in Pervasive Computing Environments; Security and Privacy in Location-based Services (LBS); Security in banking/health sector.

Security Domains: Kerberos.

Untraceable e-Cash. Online: ecash; Offline: CAFE. Figure labels: Issuer, Buyer, Merchant, Acquirer; "anonymously sign"; "Check Issuer's signature"; untraceable.

Secure and Private e-Elections. Figure (voting at booth): Voting office; Registration; Identification by poll list; Voting Sheet; # slip; Secret voting; Tallying / Counting; Observer/Administrator; Voters. Question raised: registration over the Internet?

Secure and Private e-Auctions. Figure labels: Bidders, Auctioneer, BBS (public communication channel); phases: Bidding, Opening. Prime security issue: 1. Secrecy of bid value; 2. Anonymity of bidder.

Distributed Databases Security: Privacy-Preserving Data Mining (PPDM). Figure labels: Client1, Client2, Client3, Client4 with data1, data2, data3, data4; miner.

Security and Privacy in Pervasive Computing Environments (PCEs)

Security and Privacy in Location-based Services (LBS)

Security & Privacy in e-Health environments

8. Hot topics: User anonymity & Privacy; Freedom-of-Speech & Censorship; Security and Usability; Security Psychology; Security Economics; Cyber-ethics.

User anonymity and Privacy

Freedom-of-Speech & Censorship

Security and Usability

Security and Psychology (Bruce Schneier: DIMACS Workshop on Information Security Economics, 2007)

Security Economics

9. Standards and Guidelines.

Recovery sites (2009 source cited on the slide): Hot site, Warm Site, Cold Site, compared on restore time and cost.

Related fields: Hardware; Human Computer Interaction (HCI).

Closing notes (slide 119, largely lost in extraction): hardware tamper-resistance; information theory, linear algebra, number theory; non-technical controls and cyber ethics; reference to the 1980s.


Risk perception (Security and Psychology slide; table from Bruce Schneier):

People exaggerate risks that are:           | People downplay risks that are:
Spectacular                                 | Pedestrian
Rare                                        | Common
Personified                                 | Anonymous
Beyond their control, or externally imposed | More under their control, or taken willingly
Talked about                                | Not discussed
Intentional or man-made                     | Natural
Immediate                                   | Long-term
Rapidly occurring                           | Evolving slowly over time
Affecting them personally                   | Affecting others
New and unfamiliar                          | Familiar
Uncertain                                   |
Directed against their children             |
Morally offensive                           |
                                            | Associated with some ancillary benefit
Not like their current situation            | Not like their current situation