Lesson 01 - Network Security Overview

This document provides an introduction and overview of the course "Computer and Network Security". It discusses what security is, why it is important, and how it differs from other areas of computer science in focusing on preventing undesired behavior from adversaries. The document outlines that security is interdisciplinary and draws on many areas of computer science. It also notes that absolute security is impossible, and that security involves managing risks and tradeoffs between security, cost, and usability. The course aims to provide students with a sampling of security aspects and a "security mindset" rather than making them experts. The syllabus gives an overview of the various security topics that will be covered over the course.

Computer and Network Security

6/26/2019
Introduction and Overview

● What is computer/network security?
● Why is it important?
● Course philosophy and goals
● Course organization and information
● High-level overview of topics
● A broad perspective on “computer security”
“Security”
● Most of computer science is concerned with achieving desired behavior
● Security is concerned with preventing undesired behavior
○ Different way of thinking!
○ An enemy/opponent/hacker/adversary who is actively and maliciously trying to circumvent any protective measures you put in place


One illustration of the difference

● Software testing determines whether a given program implements a desired functionality
○ Test I/O characteristics
○ Q/A
● How do you test whether a program does not allow for undesired functionality?
○ Penetration testing helps, but only up to a point
Security is interdisciplinary
● Draws on all areas of CS
○ Theory (especially cryptography)
○ Networking
○ Operating systems
○ Databases
○ AI/learning theory
○ Computer architecture/hardware
○ Programming languages/compilers
○ HCI, psychology
We are winning the security battle
● Strong cryptography
● Firewalls, intrusion detection, virus scanners
● Buffer overflow detection/prevention
● User education
Really??!

Security incidents (reported)
Philosophy of this course
● We are not going to be able to cover everything
○ We are not going to be able to even mention everything
You will not be a security expert after this class (after this class, you should realize why it would be dangerous to think you are)
● Main goals
○ A sampling of many different aspects of security
○ The security “mindset”
○ Become familiar with basic acronyms (RSA, SSL, PGP, etc.), and “buzzwords” (phishing, …)
○ Become an educated security consumer
○ Try to keep it interesting with real-world examples and “hacking” projects
You should have a better appreciation of security issues after this class
Textbook
● Recommended text:
○ “Network Security…” by Kaufman, Perlman, and Speciner (most recent edition)
Class participation and readings

● Research papers and news articles will be posted on the Google Classroom
○ Read these before class and come prepared to discuss
● Material from these readings is fair game for the exams, even if not covered in class
● Several readings already assigned


Syllabus (tentative)
Syllabus

● Introduction…
○ Is security achievable…?
○ A broad perspective on security
● Cryptography
○ The basics
○ Cryptography is not the whole solution…
○ …but it is an important part of the solution
○ Along the way, we will see why cryptography can’t solve all security problems
Syllabus

● System security
○ General principles
○ Security policies
○ Access control
○ OS security
○ “Trusted computing”
● Programming language security
○ Buffer overflows, input validation errors
○ Viruses/worms
Syllabus

● Network security
○ Identity, PKI
○ Authentication and key exchange protocols
○ Password and biometric authentication
○ Anonymity and pseudonymity
○ Privacy
○ Some real-world protocols (IPSec/SSL)
○ Attacks on network infrastructure (routing, DNS, DDoS)
○ Wireless security
Syllabus

● Miscellaneous
○ Database security
○ Web security
○ Other topics (spam, …)
A High-Level Introduction to Computer Security
A naïve view

● Computer security is about CIA:
○ Confidentiality, integrity, and availability
● These are important, but security is about much more…
A naïve view

password
In reality…

● Where does security end?

password

forgot password?
One good attack
● Use public records to figure out someone’s password
○ Or, e.g., their SSN, so they can answer a security question…
● The problem is not (necessarily) that SSNs are public
● The problem is that we “overload” SSNs, and use them for more than they were intended
● Note: “the system” here is not just the computer, nor is it just the network…
A naïve view

● Achieve “absolute” security


In reality…

● Absolute security is easy to achieve!
○ How…?
● Absolute security is impossible to achieve!
○ Why…?
● Good security is about risk management


Security as a trade-off

● The goal is not (usually) “to make the system as secure as possible”…
● …but instead, “to make the system as secure as possible within certain constraints” (cost, usability, convenience)
● Must understand the existing constraints
○ E.g., passwords…
Cost-benefit analysis
● Important to evaluate what level of security is necessary/appropriate
○ Cost of mounting a particular attack vs. value of attack to an adversary
○ Cost of damages from an attack vs. cost of defending against the attack
○ Likelihood of a particular attack
● Sometimes the best security is to make sure you are not the easiest target for an attacker…
“More” security not always better

● “No point in putting a higher post in the ground when the enemy can go around it”
● Need to identify the weakest link
○ Security of a system is only as good as the security at its weakest point…
● Security is not a “magic bullet”
● Security is a process, not a product
Computer Security is not just about Security
● Detection, response, audit
○ How do you know when you are being attacked?
○ How quickly can you stop the attack?
○ Can you identify the attacker(s)?
○ Can you prevent the attack from recurring?
● Recovery
○ Can be much more important than prevention
● Economics, insurance, risk management…
● Offensive techniques
● Security is a process, not a product…
Computer Security is not just about Computers
● What is “the system”?
● Physical security
● Social engineering
○ Bribes for passwords
○ Phishing
● “External” means of getting information
○ Legal records
○ Trash cans
● Security is a process, not a product…(!)
Security mindset

● Learn to think with a “security mindset” in general
○ What is “the system”?
○ How could this system be attacked?
■ What is the weakest point of attack?
○ How could this system be defended?
■ What threats am I trying to address?
■ How effective will a given countermeasure be?
■ What is the trade-off between security, cost, and usability?
ACTIVITY: Airline Security

● Ask: what is the cost (economic and otherwise) of current airline security?
● Ask: do existing rules (e.g., banning liquids) make sense?
● Ask: are the tradeoffs worth it?
○ (Why do we not apply the same rules to train travel?)
○ (Would spending money elsewhere be more effective?)
● Ask: how would you get on a plane if you were on the no-fly list?
Summary
● “The system” is not just a computer or a network
● Prevention is not the only goal
○ Cost-benefit analysis
○ Detection, response, recovery
● Nevertheless…in this course, we will focus on computer security, and primarily on prevention
○ If you want to be a security expert, you need to keep the rest in mind
Why is computer security so hard?
● Computer networks are “systems of systems”
○ Your system may be secure, but then the surrounding environment changes
● Too many things dependent on a small number of systems
● Society is unwilling to trade off features for security
● Ease of attacks
○ Cheap
○ Distributed, automated
○ Anonymous
○ Insider threats
● Security not built in from the beginning
● Humans in the loop…
● Computers ubiquitous…
Computers are everywhere…
● …and can always be attacked
● Electronic banking, social networks, e-voting
● iPods, iPhones, PDAs, RFID transponders
● Automobiles
● Appliances, TVs
● (Implantable) medical devices
● Cameras, picture frames(!)
○ See http://www.securityfocus.com/news/11499
“Trusting trust” (or: how hard is security?)
“Trusting trust”
● Consider a compiler that embeds a trapdoor into anything it compiles
● How to catch?
○ Read source code? (What if replaced?)
○ Re-compile compiler?
● What if the compiler embeds the trojan code whenever it compiles a compiler?
○ (That’s nasty…)
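Added example (not part of the original slides): a toy Python model of the compiler trojan described above, showing why reading the source and re-compiling the compiler both miss it. The string "binaries", the marker names, and the existence of an independent trusted build to compare against are constructed assumptions.

```python
# Toy model, constructed for illustration: sources and binaries are plain
# strings, and a compiler binary is modelled as a Python function.

CLEAN_COMPILER_SRC = "compiler: translate(src)"    # audited, trojan-free source
LOGIN_SRC = "login: check_password(user)"          # audited, trojan-free source
TRAPDOOR = " +accept_secret_password"              # marker for the trapdoor
SELF_REPLICATE = " +reinsert_trojan"               # marker for the compiler trojan

def honest_compile(src):
    """What the audited compiler source says to do: translate, nothing else."""
    return "BIN[" + src + "]"

def trojaned_compile(src):
    """Behaviour of a subverted compiler binary; no source file describes it."""
    out = honest_compile(src)
    if src.startswith("login:"):
        out += TRAPDOOR          # trapdoor added to the program being compiled
    if src.startswith("compiler:"):
        out += SELF_REPLICATE    # trojan copied into the freshly built compiler
    return out

def run_compiler_binary(binary):
    """Return the compile function that a given compiler binary implements."""
    return trojaned_compile if SELF_REPLICATE in binary else honest_compile

def audit_source(src):
    """Source review: True if the source text contains no trojan marker."""
    return TRAPDOOR not in src and SELF_REPLICATE not in src

def rebuild_and_check(installed_compile):
    """Re-compile the compiler from clean source, then build login with it."""
    new_compiler_bin = installed_compile(CLEAN_COMPILER_SRC)
    login_bin = run_compiler_binary(new_compiler_bin)(LOGIN_SRC)
    # Assumption: honest_compile stands in for an independent, trusted
    # compiler whose build of the same source serves as a reference.
    reference_bin = honest_compile(CLEAN_COMPILER_SRC)
    return {
        "sources_look_clean": audit_source(CLEAN_COMPILER_SRC)
                              and audit_source(LOGIN_SRC),
        "login_has_trapdoor": TRAPDOOR in login_bin,
        "rebuilt_compiler_matches_reference": new_compiler_bin == reference_bin,
    }

if __name__ == "__main__":
    print("trojaned install:", rebuild_and_check(trojaned_compile))
    print("honest install:  ", rebuild_and_check(honest_compile))
```

With the trojaned install, the source audit passes and the rebuild still yields a trapdoored login; only the comparison against a build that did not pass through the suspect binary exposes the difference.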
“Trusting trust”
● Whom do you trust?
● Does one really need to be this paranoid??
○ Probably not
○ Sometimes, yes
● Shows that security is complex…and essentially impossible
● Comes back to risk/benefit trade-off
Next Meeting: Cryptography
