Ionian University, Department of Informatics, Academic Year 2010-2011, Semester H (8th). Information Systems Security. Unit A: Introductory Concepts. http://di.ionio.gr/~emagos/security/lectures.html. Emmanouil Magkos. Syllabus. A few words about the course. The concept of Security. PowerPoint PPT presentation.
Syllabus: http://e-class.ionio.gr/courses/DCS169/
Security (Oxford Dictionary): freedom from danger or anxiety.
Security vs. Safety
Forester and Morrison (1994) defined a computer crime as: a criminal act in which a computer is used as the principal tool. [FM94]
Computer crime (e-crime)
C. Botnets, trojans; hacking; unauthorised read / write; denial of service (DoS); spoofing / masquerading; identity theft; spam; phishing.
Spoofing / Masquerading
Phishing
Phishing and social engineering
Cisco 2010 Annual Security Report (pp. 10, 21): mule, Stuxnet, Facebook clickjacking.
Quarterly Report, Panda Labs, April-June 2010: tabnapping.
Video time (Cisco 2010 Annual Security Report).
D. http://www.ptatechnologies.com/PTA3.htm
Assets (2009): Physical Assets; Data Assets; Software Assets.
Impact
Threat (impact). 1. Eve (eavesdrop): packet sniffing, traffic analysis; password cracking / breaking a crypto key; Mallory: masquerading, spoofing, man-in-the-middle (MIM), replay; denial of service (DoS); modification.
Attack classes:
- Interception
- Interruption
- Modification
- Fabrication
Notes [*]:
- Interception: affects confidentiality.
- Interruption: e.g. DoS attacks.
- Modification: e.g. of records.
- Fabrication: spoofing, man-in-the-middle attacks.
Interception: packet sniffing, traffic analysis, shoulder surfing
Interruption
Modification
Fabrication: phishing, spoofing, man-in-the-middle attacks
3. Interception attacks; Modification & Fabrication attacks; Interruption attacks.
4. Outsiders: hackers / crackers / vandals / hacktivists. Outsiders: social engineers. Insiders.
Outsiders (hackers / crackers / vandals / hacktivists): footprinting (IP addresses, e-mail, ...), scanning & enumerating, hacking; malware: viruses, worms, Trojan horses, spyware/adware. Social engineers.
5. CPU; buffer overflow attacks (e.g. by hackers).
(hackers, crackers, vandals, ...)
Vulnerabilities
Figure: http://csrc.nist.gov/publications/nistpubs/800-12/800-12-html/images/figure5.jpg
Risk Analysis: Risk = Threat x Vulnerability x Impact (Asset value)
Risk Analysis & Risk Management
Security Economics (Infosec goal):
>
Security Controls: prevention, detection, response.
- Back-up, computer forensics, malware removal, hot sites
- Access control, replication, firewalls, antivirus
- IDS, penetration testing
D. Prevention, detection, recovery:
Prevention: firewalls, antivirus, vulnerability scanners (never 100%). Detection: alarm systems, Intrusion Detection Systems (monitoring, audit systems). Recovery / survivability: back-up, redundancy (fault-tolerant systems), RAID, hot swapping, UPS.
Mechanisms: smartcards; ACLs, MAC, RBAC; passwords, CAPTCHAs; antivirus, anti-spam, anti-spyware; firewalls (packet filters, application gateways); IDS/IPS. Source: http://www.cs.uwf.edu/~rdavid/CEN4540/sec3.ppt
Technical controls: e.g. passwords, firewalls, smartcards. Non-technical controls: cyber-ethics.
Logical Access Control
Internet; phishing; contingency plan.
E. Firewall?
1. Passwords, PINs, challenge-response; smartcards, tokens; biometrics; CAPTCHAs.
Passwords/PINs, smartcards, biometrics (figure: accuracy vs. affordability; source: http://www.csse.monash.edu.au/courseware/cse2500/ppt/Authentication.ppt), CAPTCHAs.
2. Hot topics: ACLs, MLS and information flow; Sandboxing & Virtualization; Application Security; Memory security; File system security; Database security; OS kernel security; Trusted Computing; Hardware security; Tempest and side channel attacks; Assurance and evaluation.
ACLs, MLS and information flow
Sandboxing
Application Security
Memory
File system security: BitLocker (Windows Vista)
Database Security
OS Kernel Security
Tempest attacks
Assurance and Evaluation
3. Hot topics: Bots, botnets; Rootkits; Spam, phishing & fraud; Intrusion detection.
Botnets
Rootkits
Spam
Intrusion Detection (figure: application, antivirus filter driver, antivirus service, file system driver, signature database; kernel mode / user mode)
4. Web. Hot topics: Web browser security; Web app & web server security; Web privacy.
Web browser security
Web app & web server security (1): buffer overflow attack (figure: shell)
Web app & web server security (2): buffer overflow attack (figure: shell); SQL injection attack
6. Hot topics: TCP/IP security; Penetration testing; Authenticated key establishment and applications; Network intrusion detection; Security in wireless networks.
TCP/IP Security attacks (1)
TCP/IP Security attacks (2): SYN flooding, DDoS attack
Penetration Testing
Authenticated Key establishment and applications: Alice and Bob
Network Intrusion Detection
Security in Wireless Networks (1), (2): VANETs, (3)
Security in RFID systems
7. Hot topics: Security domains; E-commerce transactions; E-voting / e-auctions; Distributed databases security; Distributed file systems security; WS security; Security and privacy in pervasive computing environments; Security and privacy in location-based services (LBS); Security in banking/health sector.
Security Domains
Kerberos. Untraceable e-Cash: online (ecash), offline (CAFE). Figure: Issuer, Buyer, Merchant, Acquirer; anonymously sign; check Issuer's signature.
Secure and Private e-Elections. Figure: voting at booth, counting, tallying, voting office, poll list, voters, identification by poll list, voting sheet, slip, secret voting, observer/administrator. Registration over the Internet?
Secure and Private e-Auctions. Figure: bidders, auctioneer, BBS public communication channel, bidding, opening. Prime security issues: 1. secrecy of bid value; 2. anonymity of bidder.
Distributed Databases Security: Privacy-Preserving Data Mining (PPDM). Figure: Client1 to Client4 with data1 to data4 and a miner.
Security and Privacy in Pervasive Computing Environments (PCEs)
Security and Privacy in Location-based Services (LBS)
Security & Privacy in e-Health environments
8. Hot topics: User anonymity & privacy; Freedom of speech & censorship; Security and usability; Security psychology; Security economics; Cyber-ethics.
User anonymity and Privacy (1), (2), (3)
Freedom-of-Speech & Censorship
Security and Usability
Security and Psychology (Bruce Schneier: DIMACS Workshop on Information Security Economics, 2007)
Security Economics
9. Hot topics: Standards; Guidelines (2009). Hot site / warm site / cold site: restore time vs. cost.
Hardware; Human Computer Interaction (HCI).
Hackers, crackers; Internet; hardware tamper-resistance; information theory, linear algebra, number theory; non-technical aspects, cyber ethics; 1980.
People exaggerate risks that are:           | People downplay risks that are:
Spectacular                                 | Pedestrian
Rare                                        | Common
Personified                                 | Anonymous
Beyond their control, or externally imposed | More under their control, or taken willingly
Talked about                                | Not discussed
Intentional or man-made                     | Natural
Immediate                                   | Long-term
Rapidly occurring                           | Evolving slowly over time
Affecting them personally                   | Affecting others
New and unfamiliar                          | Familiar
Uncertain                                   |
Directed against their children             |
Morally offensive                           |
                                            | Associated with some ancillary benefit
Not like their current situation            |