Reuters
September 2015
Identity Force
February 2016
The New York Times
October 2014
CNN
February 2016
The New York Times
August 2016
Citizen Lab (UofT)
Dark Reading
August 2016
Techcrunch
August 2016
Why do we have security issues?
• Bugs
buffer overflows, cross-site scripting attacks …
• Insecure configuration
improper authorization, incomplete mediation …
• Not secure by design
most of the network protocols running the internet
Why should security matter to you?
• Because you are going to build computer systems, networks and software
Welcome to CSCD27
Legacy
• CSCD27 Computer and Network Security
Alan Rosselet
University of Toronto Scarborough
• 15-349 Introduction to Computer and Network Security
Iliano Cervesato, Khaled Harras and Thierry Sans
Carnegie Mellon University Qatar
Course Objectives
CSCD27 is an undergraduate course that provides a theoretical and technical overview of the field of computer security
Learning goals
1. Acquire a good understanding of basic concepts such as:
• software vulnerabilities analysis and defense
• networking security
• applied cryptography
2. Acquire a methodology to design and analyze the
security of critical systems
3. Acquire a good practice to stay up-to-date with the field
Course work, evaluation and grading
Tracks       | Theory       | Practice
Tutorials    | Discussion   | Labs
Graded work  | 1 Final Exam | 3 Assignments
Grade weight | 40%          | 60%
1. Applied Cryptography
• Classical crypto systems
• Modern crypto systems: symmetric vs asymmetric
• Hash functions and digital signatures
• Cryptographic protocols for authentication and encryption
2. Network Security
Vulnerabilities and defense for the network stack
Layer       | Protocol     | Secure
Application | DNS          | DNSSEC
Transport   | TCP          | TLS (a.k.a. SSL)
Internet    | IP           | IPsec
Link        | ARP, 802.11  | …
3. Computer Security
• Operating Systems
• Programs
• Malicious code
• Email and Web
Ethical Hacking
• You will be exposed to attack methods
• You should uphold a high standard of professional and personal ethics
• Your knowledge of attack methods does not imply permission to exploit them
… even if it seems “harmless fun”
• UofT policies are strictly enforced
• Canadian Criminal Code is strictly enforced
How to succeed in this course
• Come to lectures, tutorials … blah blah blah
• Do the work … blah blah blah
• Be curious, be stubborn and get your hands dirty
Basic Security Jargon
Correctness (Safety) vs Security
• Safety: satisfy specifications
“for reasonable inputs, get reasonable outputs”
• Security: resist attacks
“for unreasonable inputs, get reasonable outputs”
The attacker is an active entity
Security Theater
• Threats: possibility of damage
• Vulnerabilities: weakness in the system
• Attacks: exploitation of vulnerabilities to realize a threat
• Countermeasures (Controls): limits possibility or consequence of damage
[Diagram linking the four concepts; arrow labels: enables, exploits, mitigates, disables, mitigates, removes, reduces, realizes]
C I A - Security Properties
• Confidentiality: information is disclosed to legitimate users
• Integrity: information is modified by legitimate users
• Availability: information is accessible to legitimate users
Sub Properties
Confidentiality, Integrity, Availability
• Secrecy
• Privacy
• Pseudonymity
• Anonymity
• Authenticity
• Non-repudiation
• Accountability
• and many others ...
In some cases, properties can be conflicting
• “Do not record the identity of the user that performed an action” (Anonymity)
• “Knowing that someone has done an action” (Accountability)
• “Someone cannot deny having done an action” (Non-repudiation)
Dealing with security
✓ Security is often a compromise
✓ Security is engineered
Risk Analysis & Policy, Mechanisms and Assurance
Question                   | System         | Security
What is it supposed to do? | Specification  | Risk Analysis & Security Policy
How does it do it?         | Implementation | Mechanisms
Does it really do it?      | Validation     | Assurance
Risk Analysis & Security Policy
Goal: Inferring what can go wrong with the system
Outcome: Set of security goals
Principles:
• You never prevent a threat, you lower the risk
• Performing an attack is more or less difficult
(the assets to protect versus the attacker’s efforts)
Mechanisms
Goal: Define a strategy to realize the security goals
Outcome: Set of security mechanisms
Principle: Deploying security mechanisms has a cost
(cost of recovering versus cost of deployment)
Assurance
Goal: Make sure that the security mechanisms realize the security goals
Outcome: Methodology
Principle: This is the holy grail!