Information Security and Cryptography
資訊安全與密碼學 (Information Security and Cryptography)
Lecture 1, February 25, 2015
洪國寶 (Gwoboa Horng)

Source: 國立中興大學 (National Chung Hsing University), ailab.cs.nchu.edu.tw/course/InfoSecurityAndCrypto/isc01.pdf · 2015-02-25


Outline

• Course information
• Motivations
• Information Security Basics
• Threats to Security
• Considering Security Tradeoffs
• Outline of the course

Course information (1/6)

• Instructor: Professor Gwoboa Horng
  – Office hour:
  – TA:
• Basic assumption
  – Little is assumed of the students except a general background in computing.
  – I will cover the main aspects in enough detail for the students to understand the gist.
• Course web page:
  – http://140.120.14.97/course.htm
  – e-campus

Course information (2/6)

• Textbook: none (There is no required textbook for this course.)
• Reference: Information Security Illuminated, Solomon and Chapple, Jones and Bartlett Publishers, Inc., 2005.
  http://books.google.com.tw/books?id=EJRBdwUN8z4C&pg=PR1&dq=Information+Security+Illuminated
• Web resources
  – 國家資通安全會報技術服務中心 (Technical Service Center of the National Information and Communication Security Taskforce, ICST) http://www.icst.org.tw/
  – http://windowsecurity.com/
  – http://www.esecurityplanet.com/

Course information (3/6)

• Reference books (參考書籍)
  – 近代密碼學及其應用 (Modern Cryptography and Its Applications), 賴溪松、韓亮、張真誠, 松崗 旗標出版社
  – 資訊與網路安全概論 (Introduction to Information and Network Security), 黃明祥、林詠章 著, 美商麥格羅‧希爾 資訊科學系叢書 (McGraw-Hill, Information Science series)
  – 資訊安全－網際網路安全與數位鑑識科學 (Information Security: Internet Security and Digital Forensic Science), 王旭正、高大宇 and ICCL (資訊密碼暨資料建構實驗室, Information Cryptography and Data Construction Laboratory), 博碩文化出版社 (DrMaster Press), 2007.

Course information (4/6)

• The objective of this course is to introduce to the students the most current and critical information security practices. On completion of this course students should be able to:
  – Demonstrate an understanding of the importance of cryptography with applications to information security.
  – Describe the features of security mechanisms which are generally used to implement security policies.
  – Display a breadth of knowledge of the security vulnerabilities affecting information systems.

Course information (5/6)

• This class is
  – Not a lab or programming course
    • But we may have programming assignments/projects.
  – Not a math course, either
    • But a strong math background will help.

Course information (6/6)

• Grading (tentative)
  – Homework 25% (You may collaborate when solving the homework; however, when writing up the solutions you must do so on your own.)
  – Midterm exam 30%
  – Final exam (and/or report) 30%
  – Class participation 15%

Motivations

• Computers are everywhere; they impact almost every aspect of modern life to one degree or another.
• The act of placing information in computerized systems is an act of trust. We trust that the information is secure.
• Some real examples of security incidents

Some real examples (1/14) – (14/14)

• Fourteen slides of news screenshots of security incidents (images not reproduced in the text extraction). Slide (2/14) is dated 2015/1/9 and slide (10/14) is dated 2014/12/18.

Some real examples (Recapitulation)

• Security incidents
  – Hacker intrusion
  – Spam/hoax (data integrity)
  – Program security
  – Virus
  – Password compromise (access control)
  – Denial of service
• More examples
  – http://www.esecurityplanet.com/news

Crime/loss breakdown

• Human errors: 55%
• Dishonest employees: 10%
• Outsider attacks: 2%
• Viruses: 4%
• Physical security problems: 20%
• Disgruntled employees: 9%

Source: Computer Security Institute

Information Security Basics

• What is computer / information security?
  – The answer depends upon the perspective of the person you're asking
  – A network administrator has a different perspective than an end user or a security professional
  – "A computer is secure if you can depend on it and its software to behave as you expect" [Garfinkel, Spafford]

Information Security Reality

• Professor Gene Spafford:
  "The only system which is truly secure is one which is switched off and unplugged, locked in a titanium lined safe, buried in a concrete bunker, and is surrounded by nerve gas and very highly paid armed guards. Even then, I wouldn't stake my life on it."

Information Security Basics (continued)

• CIA Triad (security professionals)
  – Goals for implementing security practices
  – Confidentiality, Integrity, and Availability
• DAD Triad (malicious individuals)
  – Goals for defeating the security of an organization
  – Disclosure, Alteration, and Denial

CIA Triad

CIA Triad (continued)

• Confidentiality
  – Confidential information should not be accessible to unauthorized users
• Integrity
  – Data may only be modified through an authorized mechanism
• Availability
  – Authorized users should be able to access data for legitimate purposes as necessary

Confidentiality – Related Concepts

• Privacy
  – Personal data is protected
• Secrecy
  – Sensitive organizational data is protected

Integrity – Related Concepts

• Accuracy
  – Are the data accurate?
• Consistency
  – Do the data correspond to the information they represent?
  – Are the data contradictory?

Availability – Related Concepts

• Reliability
  – What is the mean time between failures? How often (on average) does the system fail?
  – What is the percentage of uptime?
• Resilience
  – How resistant is the system to failure of individual components?
  – What is the mean time to recovery? How quickly (on average) can the system be restarted in the event of failure?
• Performance
  – How does the system cope with excessive load?
  – Particularly relevant for denial of service attacks
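The three reliability questions above (mean time between failures, mean time to recovery, percentage of uptime) are easiest to understand when computed from a concrete outage log. The following is an added example, not code from the lecture: it takes a constructed list of outage intervals within an observation window, merges overlapping records so that one incident reported twice is counted once, and derives the three metrics plus the downtime budget implied by an availability target. The conventions MTBF = operating time / number of failures and MTTR = downtime / number of failures are the usual ones and are an assumption of this example, as are the sample dates and the target values.

```python
"""Availability metrics (MTBF, MTTR, uptime %) from an outage log.

Added example for the Reliability and Resilience questions on the slide;
not part of the lecture. All dates, outages and targets are constructed.
"""
from datetime import datetime, timedelta

# Constructed sample data: a 30-day observation window with three outages.
WINDOW_START = datetime(2015, 1, 1)
WINDOW_END = datetime(2015, 1, 31)          # 720 hours after WINDOW_START
SAMPLE_OUTAGES = [
    (datetime(2015, 1, 4, 2, 0), datetime(2015, 1, 4, 3, 0)),       # 1.0 h
    (datetime(2015, 1, 15, 12, 0), datetime(2015, 1, 15, 12, 30)),  # 0.5 h
    (datetime(2015, 1, 27, 22, 0), datetime(2015, 1, 28, 1, 30)),   # 3.5 h
]


def _hours(delta):
    return delta.total_seconds() / 3600.0


def _normalise(outages, start, end):
    """Clip outages to the window and merge overlapping or abutting intervals.

    Two monitors reporting the same incident must count as one failure,
    otherwise MTBF and MTTR are both skewed.
    """
    clipped = sorted((max(s, start), min(e, end)) for s, e in outages)
    merged = []
    for s, e in clipped:
        if e <= s:                                  # entirely outside the window
            continue
        if merged and s <= merged[-1][1]:
            merged[-1] = (merged[-1][0], max(merged[-1][1], e))
        else:
            merged.append((s, e))
    return merged


def availability_metrics(outages, start, end):
    """Return failures, downtime_h, uptime_pct, mtbf_h and mttr_h for the window."""
    incidents = _normalise(outages, start, end)
    window = end - start
    downtime = sum((e - s for s, e in incidents), timedelta())
    uptime = window - downtime
    n = len(incidents)
    return {
        "failures": n,
        "downtime_h": _hours(downtime),
        "uptime_pct": 100.0 * uptime.total_seconds() / window.total_seconds(),
        # Mean operating time between successive failures (assumed convention).
        "mtbf_h": _hours(uptime) / n if n else float("inf"),
        # Mean time from failure to restored service (assumed convention).
        "mttr_h": _hours(downtime) / n if n else 0.0,
    }


def allowed_downtime_hours(target_pct, start, end):
    """Downtime budget implied by an uptime target over the window."""
    return (100.0 - target_pct) / 100.0 * _hours(end - start)


def meets_target(metrics, target_pct):
    """True when measured uptime reaches the target percentage."""
    return metrics["uptime_pct"] >= target_pct


if __name__ == "__main__":
    m = availability_metrics(SAMPLE_OUTAGES, WINDOW_START, WINDOW_END)
    for key, value in m.items():
        print(f"{key:>11}: {value:.3f}" if isinstance(value, float) else f"{key:>11}: {value}")
    for target in (99.0, 99.9):
        budget = allowed_downtime_hours(target, WINDOW_START, WINDOW_END)
        verdict = "met" if meets_target(m, target) else "missed"
        print(f"target {target}% (downtime budget {budget:.2f} h): {verdict}")
```

With the constructed data the system was down 5 of 720 hours (99.31% uptime, MTTR 1.67 h, MTBF 238.3 h), which meets a 99% target but misses 99.9%, whose budget for the month is only 0.72 h. The performance question on the slide (behaviour under excessive load) is not captured by these figures; a system can be highly reliable in normal operation and still fail under a denial-of-service load.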

DAD Triad

DAD Triad (continued)

• Disclosure
  – Unauthorized individuals gain access to confidential information
• Alteration
  – Data is modified through some unauthorized mechanism
• Denial
  – Authorized users cannot gain access to a system for legitimate purposes
• DAD activities may be malicious or accidental

Introducing Networks

• In the early days, computer security focused on protecting individual systems
• The advent of Local Area Networks (LANs) and the Internet makes the job much more difficult
• Security considerations include:
  – Protecting the TCP/IP protocols
  – Firewalls
  – Intrusion detection systems

Threats to Security

• Threats to security fall into three main categories:
  – hackers,
  – malicious code objects, and
  – organizational insiders.

Threats to Security (continued)

• Hacker
  – Anyone who attempts to penetrate the security of an information system, regardless of intent
  – There are a number of different reasons that people do this, and not all hackers are truly malicious.
    • Corporate spies searching for trade secrets
    • Investors seeking "inside information"
    • Teenagers seeking thrills

Threats to Security (continued)

• Malicious code object
  – Virus, worm, Trojan horse
  – A computer program that carries out malicious actions when run on a system

Threats to Security (continued)

• Malicious insider
  – Someone from within the organization who attempts to go beyond the rights and permissions that they legitimately hold
  – Security professionals and system administrators are particularly dangerous
  – Never give one person too much unconstrained power

Classify Security Attacks as

• Passive attacks – eavesdropping on, or monitoring of, transmissions to:
  – obtain message contents, or
  – monitor traffic flows
• Active attacks – modification of the data stream to:
  – masquerade as some other entity
  – replay previous messages
  – modify messages in transit
  – deny service
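The Integrity item of the CIA Triad ("data may only be modified through an authorized mechanism") and the replay and modify-in-transit items under Active attacks are two sides of one mechanism: a keyed message authentication code plus a freshness value lets the receiver detect both. The following is an added example, not code from the lecture: the sender appends an HMAC-SHA256 tag over (sequence number || payload) under a pre-shared key; the receiver recomputes the tag, so a message altered in transit or forged without the key is rejected, and requires the sequence number to increase, so a genuine message presented a second time is rejected as a replay. Both sides run in-process; the key, wire format and sample messages are constructed for this example.

```python
"""Detecting alteration, masquerade and replay with an HMAC and a sequence number.

Added example for the Integrity and Active-attack slides; not part of the
lecture. Key, wire format and messages are constructed for illustration.
"""
import hashlib
import hmac
import struct

SEQ_LEN = 8      # big-endian 64-bit sequence number
TAG_LEN = 32     # HMAC-SHA256 output length
DEMO_KEY = b"constructed demo key - a real deployment uses a random secret"


def make_message(key: bytes, seq: int, payload: bytes) -> bytes:
    """Sender side: header || payload || HMAC(key, header || payload)."""
    header = struct.pack(">Q", seq)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


class Receiver:
    """Accepts a message only if its tag verifies and its sequence number is new."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_seq = -1          # highest sequence number accepted so far
        self.accepted = []          # payloads handed to the application

    def receive(self, wire: bytes) -> str:
        if len(wire) < SEQ_LEN + TAG_LEN:
            return "rejected: malformed"
        header, payload, tag = wire[:SEQ_LEN], wire[SEQ_LEN:-TAG_LEN], wire[-TAG_LEN:]
        expected = hmac.new(self.key, header + payload, hashlib.sha256).digest()
        # Constant-time comparison; a plain == would leak timing information.
        if not hmac.compare_digest(tag, expected):
            return "rejected: bad tag"          # altered in transit, or not from a key holder
        seq = struct.unpack(">Q", header)[0]
        if seq <= self.last_seq:
            return "rejected: replay"           # already accepted (or delivered out of order)
        self.last_seq = seq
        self.accepted.append(payload)
        return "accepted"


def demo():
    """Run sender and receiver in-process and return the receiver's verdicts in order."""
    rx = Receiver(DEMO_KEY)
    m1 = make_message(DEMO_KEY, 1, b"pay 100 to alice")
    m2 = make_message(DEMO_KEY, 2, b"pay 5 to bob")
    verdicts = [rx.receive(m1), rx.receive(m2)]

    # Modification in transit: change one payload byte of m2 ("5" -> "7").
    altered = bytearray(m2)
    altered[SEQ_LEN + len(b"pay ")] = ord("7")
    verdicts.append(rx.receive(bytes(altered)))

    # Replay: the genuine, previously accepted m1 is presented again.
    verdicts.append(rx.receive(m1))

    # Masquerade: a well-formed message built without the shared key.
    forged = make_message(b"wrong key", 3, b"pay 1000 to mallory")
    verdicts.append(rx.receive(forged))
    return verdicts


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

Two caveats follow from the slide's own distinction. The tag does nothing against the passive attacks listed above: an eavesdropper still reads every payload, since authentication is not confidentiality, and only encryption addresses that. And a strictly increasing sequence number rejects legitimate messages that arrive out of order; protocols that must tolerate reordering, such as IPsec (listed in Part III of the course outline), keep a sliding window of recently seen numbers instead.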

Passive Attack: release of message contents

Passive Attack: traffic analysis

Active Attack: replay

Active Attack: denial of service

Breakdown by type of attack

• Break-in: 49%
• Denial of service: 8%
• Mailbombs: 8%
• Spoofing: 6%
• Violation of AUP: 9%
• Unauthorized use: 11%
• Other: 9%

Source: ARNES SI-CERT

Examples of security attacks

• Social engineering

Examples of security attacks

• Impersonation

Considering Security Tradeoffs (1/2)

• Security can be looked at as a tradeoff between (the cost of) risks and benefits
  – The cost of implementing the security mechanism versus the amount of damage it may prevent
• Tradeoff considerations are security, user convenience, business goals, and expenses

Considering Security Tradeoffs (2/2)

• An important tradeoff involves user convenience
  – Between difficulty of use and willingness of users
  – If users won't use a system because of cumbersome security mechanisms, there is no benefit to having security
  – If users go out of their way to circumvent security, the system may be even more vulnerable

Information Security Policy

• The cornerstone of a security effort is to
  – Implement proper policies
  – Educate users about those policies
• Information security policies should be
  – Flexible enough not to require frequent rewrites
  – Comprehensive enough to ensure coverage of situations
  – Available to all members of the organization
  – Readable and understandable

Outline of the course (1/3)

• PART I: Information security (choose some of the following topics)
  – Introducing information security
  – Access Control Methodologies
  – General Security Principles and Practices
  – User authentication
  – Handling Security Incidents
  – Securing TCP/IP
  – Operating System Security
  – Firewall Security
  – Network and Server Attacks and Penetration
  – Security Audit Principles and Practices
  – Intrusion Detection Systems and Practices
  – System Security Scanning and Discovery

Outline of the course (2/3)

• PART II: Cryptography (choose some of the following topics)
  – Introduction to cryptography
  – Symmetric encryption
  – Public key encryption
  – Hash functions
  – Key agreement protocols
  – Digital signature schemes

Outline of the course (3/3)

• PART III: Applications (choose some of the following topics)
  – Web security
  – IPsec
  – RFID
  – Bitcoin
  – Cloud

Questions?