
Lecture 01 - f24.pptx


Transcript


CS 3067 – Information and Cybersecurity
Lecture 1: Introduction to Computer Security

What is the big deal about Information security?
"The only secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards - and even then, I have my doubts." — Gene Spafford, professor of computer science at Purdue University

Computer Security
Measures and controls that ensure confidentiality, integrity, and availability of information system assets including hardware, software, firmware, and information being processed, stored, and communicated. (NIST 2013)

The CIA Triad: Confidentiality
Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information. A loss of confidentiality is the unauthorized disclosure of information. Protecting sensitive information (e.g., encryption in online banking).

The CIA Triad: Integrity
Guarding against improper information modification or destruction, including ensuring information non-repudiation and authenticity. A loss of integrity is the unauthorized modification or destruction of information. Ensuring the data has not been altered (e.g., digital signatures in file verification).

The CIA Triad: Availability
Ensuring timely and reliable access to and use of information. A loss of availability is the disruption of access to or use of information or an information system. Ensuring system functionality and accessibility (e.g., load balancing and backups).

Expanding Beyond the CIA Triad
Authentication: Verifying the identity of a user (e.g., biometrics, two-factor authentication).
Non-repudiation: Ensuring that a party cannot deny the authenticity of their actions (e.g., digital signatures in contracts).
Authorization: Defining what an authenticated user is allowed to do (e.g., access control policies).
Terminology: Attacks, Mechanisms and Services
Security attacks: An assault on system security to evade security objectives and violate the security policy of the system.
Security mechanisms: A mechanism that is designed to prevent, detect, or recover from attacks.
Security services: Which of the security functions we need: identification, authorization, secrecy, ...
Security objectives are specified by a security policy.

Terminology (Cont'): Vulnerability, Threat, and Attack
Vulnerability: A weakness in a system that might be exploited to cause harm.
Threat: A potential danger that might exploit a vulnerability. A threat can be accidental (natural disasters, human error, ...) or malicious (attackers, insider fraud, ...).
Attack: A deliberate attempt to evade security services and violate the security policy. Attacks exploit vulnerabilities.

Security Threats: Normal Flow
(Diagram: information flows from the information source to the information destination.)

Security Threats (Cont'): Interruption
(Diagram: information source, bad guy, information destination.)
The asset becomes lost, unavailable or unusable. Attack on Availability. Examples: destruction of hardware, cutting a communication line, disabling the file management system, etc.

Security Threats (Cont'): Interception
(Diagram: information source, bad guy, information destination.)
An unauthorized party gains access to the information. Attack on Confidentiality. Examples: wiretapping, unauthorized copying of files.

Security Threats (Cont'): Modification
(Diagram: information source, bad guy, information destination.)
An unauthorized party tampers with the asset. Attack on Integrity. Examples: changing values in a database, altering programs, modifying the content of a message.

Security Threats (Cont'): Fabrication
(Diagram: information source, bad guy, information destination.)
An unauthorized party inserts a counterfeit object into the system. Attack on Authenticity. Examples: insertion of offending messages, addition of records to a file, etc.
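As an added illustration (not part of the lecture slides), the following Python shows how an information destination can detect the Modification and Fabrication threats above, and the Replay attack from the classification that follows, by checking a keyed message authentication code and a sequence number. The shared key, the wire format and the sample messages are constructed for this example.

```python
import hmac
import hashlib

# Shared secret between source and destination (constructed for this demo;
# a real deployment would provision it out of band, never hard-code it).
KEY = b"demo-shared-key-not-for-production"


def protect(seq: int, payload: bytes, key: bytes = KEY) -> bytes:
    """Source side: prefix a sequence number and an HMAC-SHA256 tag.
    Constructed wire format: seq (4 bytes) | tag (32 bytes) | payload."""
    header = seq.to_bytes(4, "big")
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + tag + payload


def verify(msg: bytes, last_seq: int, key: bytes = KEY):
    """Destination side. Returns (status, seq, payload).
    A bad tag means the message was modified in transit or fabricated
    without the key; a stale sequence number means a replay."""
    if len(msg) < 36:
        return ("malformed", None, None)
    header, tag, payload = msg[:4], msg[4:36], msg[36:]
    expected = hmac.new(key, header + payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time compare
        return ("modified_or_fabricated", None, None)
    seq = int.from_bytes(header, "big")
    if seq <= last_seq:
        return ("replay", seq, payload)
    return ("ok", seq, payload)


def demo() -> dict:
    """Run the normal flow and the three threats; return what the receiver saw."""
    results = {}
    genuine = protect(1, b"transfer 100 to alice")
    status, last_seq, _ = verify(genuine, 0)       # normal flow, accepted
    results["normal"] = status
    # Modification: the payload is altered in transit, tag no longer matches.
    tampered = genuine[:36] + genuine[36:].replace(b"100", b"900")
    results["modification"] = verify(tampered, last_seq)[0]
    # Fabrication: a counterfeit message built without the real key.
    forged = protect(2, b"transfer 999 to mallory", key=b"wrong-key")
    results["fabrication"] = verify(forged, last_seq)[0]
    # Replay: the captured genuine message is retransmitted later.
    results["replay"] = verify(genuine, last_seq)[0]
    return results
```

Note that the tag alone cannot tell a modified message from a fabricated one; only the sequence number distinguishes a replay, and Interruption (availability) needs a separate mechanism such as timeouts.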
Security Attacks Classification
A means of classifying security attacks, used both in X.800 and RFC 4949, is in terms of passive attacks and active attacks. A passive attack attempts to learn or make use of information from the system but does not affect system resources. An active attack attempts to alter system resources or affect their operation.

Security Attacks Classification (Passive Attacks)
Two types of passive attacks are the release of message contents and traffic analysis. Both are forms of Interception (an attack on Confidentiality).
(Diagrams: Release of Message Content; Traffic Analysis.)

Security Attacks Classification (Active Attacks)
Involve some modification of the data stream or the creation of a false stream. Difficult to prevent because of the wide variety of potential physical, software, and network vulnerabilities. The goal is to detect attacks and to recover from any disruption or delays caused by them.

Security Attacks Classification (Active Attacks)
Masquerade: Takes place when one entity pretends to be a different entity. Usually includes one of the other forms of active attack.
Replay: Involves the passive capture of a data unit and its subsequent retransmission to produce an unauthorized effect.
Modification of messages: Some portion of a legitimate message is altered, or messages are delayed or reordered to produce an unauthorized effect.
Denial of service: Prevents or inhibits the normal use or management of communications facilities.

Security in Daily Life: Recent Cybersecurity Incidents for Discussion

Security in Daily Life: SolarWinds Hack (2020)
A software update to the SolarWinds Orion platform was compromised, allowing attackers (likely a nation-state) to infiltrate several government agencies and private corporations.
Discussion Questions: What vulnerabilities were exploited in the supply chain? How could this have been prevented with better access controls and system monitoring?
Security in Daily Life: Colonial Pipeline Ransomware Attack (2021)
A ransomware attack shut down a major fuel pipeline in the U.S., causing widespread disruption.
Discussion Questions: How do attacks on critical infrastructure impact public safety and the economy? What are the best prevention strategies for ransomware attacks in such environments?

Security in Daily Life: T-Mobile Data Breach (2021)
Hackers gained access to the personal information of over 40 million customers due to weak security measures.
Discussion Questions: What were the key security flaws that led to this breach? How could data encryption and multi-factor authentication have mitigated the risks?

Security in Daily Life: Log4j Vulnerability (2021)
A critical zero-day vulnerability in the popular logging library Log4j allowed attackers to execute arbitrary code on affected systems.
Discussion Questions: How did this vulnerability highlight the risks in widely used open-source software? What measures could organizations take to quickly mitigate such widespread vulnerabilities?

Next Lecture
Lab/Activity: Analyzing Security Measures in Everyday Systems
