sec-01-intro.pdf
Introduction
Lecture "Einführung in die IT-Sicherheit"
Prof. Dr. Martin Johns, Institute of Application Security

Page 2: Our institute (research group)
  Head: Prof. Dr. Martin Johns
  Team: 8 PhD students and (many) student assistants
  Website: http://www.tu-bs.de/ias

Page 3: Overview
  Topic of the unit: Introduction and Organisation
  Parts of the unit:
    Part #1: Organisation of the course
    Part #2: Computer security today
    Part #3: Security goals and threats
    Part #4: Security mechanisms

Page 4: Lecture and Exercises
  Title: "Einführung in die IT-Sicherheit"
  Lecture + Exercises (5 ECTS; 2+2 SWS)
  Modules INF-ISS-007 and INF-ISS-009
  Bachelor and Master students welcome
  Passing the class:
    Studienleistung (coursework credit): weekly exercise sheets
    Prüfungsleistung (examination credit): exam at the end of the semester

Page 5: The Lecture
  "Crash course in IT Security"
  Goal: touch the majority of practically relevant security topics
  Topics:
    Security mechanisms (today)
    Cryptography
    Security protocols
    Authentication & access control
    Network security
    Web security
    Low-level security
    Malware & intrusion detection

Page 6: About the Exercises
  Weekly sheets with practical and theoretical tasks
  You need to solve 50% of the exercises (Studienleistung)
  Best preparation for the written exam
  Exercises will include programming tasks in Python
    Practical experimenting with security concepts
    Implementation of attacks and defenses
  No fear! Tutorial in the lecture

  Code shown on the slide:

    # Python is simple!
    a = "world"
    b = 10

    # A function
    def hello():
        print("welcome friends")

    # An if statement
    if b == 10:
        hello()

    # A loop
    for i in range(b):
        print("hello %d" % i)

Page 7: Exam of the Course
  Exam at the end of the semester
  Day and time: to be announced
  Format: Klausur (written exam)
  Passing the exam:
    You need at least 50% of the points to pass
    There will be no second written exam this semester

Part #2: Computer security today
Lecture "Einführung in die IT-Sicherheit", Prof. Dr. Martin Johns

Page 9: Why Computer Security?
  Computer systems are ubiquitous in our daily life
    Computers store and process our data and information
    Computers access and control our resources
    Only few situations where computers are not involved
  Valuable data, private data, dangerous data

Page 10: Insecurity of Computers
  Continuous discovery of security vulnerabilities
    Implementing secure software and hardware is very hard
    Often ignorance and unawareness of developers
  Some examples of recent vulnerabilities:
    PrintNightmare: remote code execution on Windows
    Dirty COW: local privilege escalation on Linux
    Meltdown and Spectre: hardware flaws in many processors

Page 11: Security Breaches
  Numerous security breaches at popular Internet services
    Millions of identities exposed to attackers per year
    Leaked data often includes names, addresses, passwords ...
  Headlines shown on the slide:
    Wall Street Journal, 2021: "T-Mobile Hacker Who Stole Data on 50 Million Customers: 'Their Security Is Awful'"
    Forbes, 2020: "235 million Instagram, TikTok and YouTube user profiles exposed in massive data leak"
    "Wattpad data breach leading to the leak of 270 million user records"

Page 12: Cybercrime
  Criminal economy (Sophos 2021 Threat Report)
    Wide range of attacks targeting users and companies
    Often in combination with malicious software (malware)
  Example: recent ransomware campaigns (source: Coveware)
    Average ransom payouts, quarterly:
      Q4 2019    $84,116.00
      Q1 2020    $111,605.17
      Q2 2020    $178,254.19
      Q3 2020    $233,817.30
    Fig. 2: The average ransom demand has risen 21% in the past quarter and has nearly tripled over the past year.
    Quoted article text: "That's where companies like Coveware come in. The company represents ransomware targets, as a high-stakes negotiator with their attackers. Coveware's CTO Alex Holdtman confirmed our suspicion, that ransomware heavyweights are the primary driving factor in the demand for sky-high ransoms. In just the past quarter, the average ransom payout has risen by 21%, but Coveware believes the averages can be skewed by just one or two very large ransom attacks. The average ransom payout in the just completed quarter is now the equivalent of $233,817.30, payable in cryptocurrency. A year ago, the average payout was $84,116."

Page 13: Skilled Attackers
  Pegasus malware
  Targeted attacks
    ... against industry
    ... against governments
    ... against NPOs
  Example: Stuxnet worm
    Malware detected in 2010
    Disruption of ICS systems
    Sabotage against Iran
  (The Guardian, 2020)

Page 14: Security is different!
  Security is different from other disciplines
    Established concepts are put into question
    Intersection with many areas of computer science
    Often, it's a game of good and evil players
  Practice and theory of security are often fun
    Monitoring, detection and analysis of real attacks
    Reasoning about limits of attacks and defenses

Part #3: Security goals and threats
Lecture "Einführung in die IT-Sicherheit", Prof. Dr. Martin Johns

Page 16: The "Big Picture"
  Security goals: Confidentiality, Integrity, Availability
  Security threats: Disclosure, Deception, Disruption, Usurpation
  Security mechanisms: Prevention, Detection, Analysis

Page 17: Security Goals
  Security goals (memory hook: "CIA")
    Confidentiality of information and resources
    Integrity of information and resources
    Availability of information and resources
  Basic definitions
    Threat = potential violation of a protective goal
    Security = protection from intentional threats
    Safety = protection from accidental threats

Page 18: Confidentiality
  Confidentiality: protection of resources from unauthorized disclosure
  Security measures: encryption of data, resource hiding
  Examples of attacks:
    An attacker eavesdrops on a telephone conversation
    An attacker reads the emails on your computer

Page 19: Integrity
  Integrity: protection of resources from unauthorized manipulation
  Security measures: authorization, checksums, digital fingerprints
  Examples of attacks:
    An attacker changes the receipt of a bank transaction
    An attacker tampers with files on your computer

Page 20: Availability
  Availability: protection of resources from unauthorized disruption
  Security measures: restriction, redundancy, diversity
  Examples of attacks:
    An attacker crashes the web server of a company
    An attacker formats the hard disk of your computer

Page 21: Threats & Attacks
  Basic classes of threats
    Disclosure = unauthorized access to information
    Deception = acceptance of false data (e.g. masquerading)
    Disruption = interruption or prevention of correct operation
    Usurpation = unauthorized control of resources
  Attack = attempt to violate a security goal (intentional threat)
  Often combinations of different threat classes

Part #4: Security mechanisms
Lecture "Einführung in die IT-Sicherheit", Prof. Dr. Martin Johns

Page 23: Security Mechanisms
  Security policies and mechanisms
    Policy = statement of what is and what is not allowed
    Mechanism = method or tool enforcing a security policy
  Strategies for security mechanisms
    Prevention of attacks, e.g. encryption
    Detection of attacks, e.g. virus scanner
    Analysis of attacks, e.g. forensics
  Security is a cyclic and never-ending process: prevention, detection, analysis

Page 24: Strategy: Prevention
  Prevention of attacks prior to violation of security goals
  Example: authentication and encryption
    Restriction of access to information/resources
  Limitations: inapplicable in many settings, e.g. open services

Page 25: Strategy: Detection
  Detection of attacks during violation of security goals
  Example: anti-virus scanners
    Detection of malicious code on computers
  Limitations: ineffective against unknown and "invisible" attacks

Page 26: Strategy: Analysis
  Analysis of attacks after violation of security goals
  Example: computer forensics
    Investigation and analysis of security incidents
  Limitations: severe damage might have already occurred

Page 27: Further Concepts
  Authenticity = truthfulness of information and resources
  Accountability = linking of actions and users
    Realization of non-repudiation in computer systems
  Privacy = security and control of personal information
    May be viewed as an aspect of integrity
    Property of individuals and not of data
  ... and many more

Page 28: The "Big Picture" (again...)
  Security goals: Confidentiality, Integrity, Availability
  Security threats: Disclosure, Deception, Disruption, Usurpation
  Security mechanisms: Prevention, Detection, Analysis

Page 29: Summary

Page 30: Summary
  Security is a central issue of computer science
    Omnipresence of threats and attacks
    Increasing importance due to cybercrime
  Key concepts of security
    Basic security goals: confidentiality, integrity, availability
    Various types of threats and attacks
    Security mechanisms for prevention, detection, analysis
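The Integrity slide (Page 19) names checksums and digital fingerprints as security measures, and Page 17 separates safety (accidental threats) from security (intentional threats). The following Python example, added here and not taken from the lecture, makes that distinction concrete on a constructed bank-transaction record: an unkeyed CRC-32 catches a corrupted field but is simply recomputed by an attacker who changes the recipient, while a keyed fingerprint (HMAC-SHA256) rejects the forgery because the attacker does not hold KEY. The record layout, account names and KEY are all assumptions made for the demo.

```python
import hashlib
import hmac
import json
import zlib

KEY = b"constructed-demo-key"  # assumed shared secret between sender and bank (constructed)


def canonical(record: dict) -> bytes:
    """Deterministic encoding, so equal records always give equal bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def checksum(record: dict) -> int:
    """Unkeyed checksum (CRC-32): guards against accidental corruption (safety)."""
    return zlib.crc32(canonical(record))


def fingerprint(record: dict, key: bytes = KEY) -> str:
    """Keyed digital fingerprint (HMAC-SHA256): guards against intentional tampering (security)."""
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()


def accept_by_checksum(record: dict, crc: int) -> bool:
    return checksum(record) == crc


def accept_by_fingerprint(record: dict, tag: str, key: bytes = KEY) -> bool:
    return hmac.compare_digest(fingerprint(record, key), tag)


def demo() -> dict:
    # Constructed sample transaction; the attack is the slide's "change the recipient" case.
    tx = {"from": "ALICE-ACCOUNT", "to": "BOB-ACCOUNT", "amount": 100.0}
    crc, tag = checksum(tx), fingerprint(tx)
    forged = dict(tx, to="ATTACKER-ACCOUNT")   # intentional manipulation
    flipped = dict(tx, amount=100.1)           # stands in for a bit flip in transit
    return {
        # Accidental change: both mechanisms notice the mismatch with the stored values.
        "crc_catches_corruption": not accept_by_checksum(flipped, crc),
        "hmac_catches_corruption": not accept_by_fingerprint(flipped, tag),
        # Intentional change: the attacker simply recomputes the unkeyed checksum ...
        "crc_accepts_forgery": accept_by_checksum(forged, checksum(forged)),
        # ... but cannot produce a valid keyed fingerprint without KEY.
        "hmac_accepts_forgery": accept_by_fingerprint(forged, fingerprint(forged, b"wrong-key")),
        "hmac_accepts_original": accept_by_fingerprint(tx, tag),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```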