CMSC 414 Computer (and Network) Security


20 Nov 2013 (3 years and 10 months ago)



Jonathan Katz


Introduction and overview


What is computer/network security?


Course philosophy and goals


High-level overview of topics


Course organization and information

“Security”


Most of computer science is concerned with
achieving desired behavior


In some sense, security is concerned with
preventing undesired behavior


Different way of thinking!


An enemy/opponent/hacker/adversary may be
actively and maliciously trying to circumvent
any protective measures you put in place

Computer vs. network security


One view:


Computer security: focuses on security aspects
of systems in isolation


Network security: focuses on security of data
as it is transmitted between networked systems


Not always a clear-cut dividing line…

Some examples…


Computer security


Viruses


Secure data storage


OS Security


Network security


Authentication protocols


Encryption of transmitted data


Firewalls

Broader impacts of security


Explosive growth of interest in security


Most often following notable security failures…


Impact on/interest from all (?) areas of CS


Theory (especially cryptography)


Databases


Operating systems


AI/learning theory


Networking


Computer architecture/hardware


Programming languages/compilers


HCI

Philosophy


We are not going to be able to cover everything


Main goals


Exposure to different aspects of security; meant mainly
to “pique” your interest


The “mindset” of security: a new way of
thinking…about more than computer networks


Become familiar with basic crypto, acronyms (RSA,
SSL, PGP, etc.), and “buzzwords”


Security is a process, not a product

Student participation (I hope!)


If something interests you, let me know


Depending on time, may be able to cover in
more detail


Can always suggest further references


Monitor the media


Email me relevant/interesting stories


Class participation counts!

High-level overview


Introduction…


Including various classes of attacks


Cryptography


Cryptography is not the (whole) solution…


…but it is an important part of the solution


Along the way, we will see why cryptography
can’t solve all security problems

High-level overview II


Security policies and analysis


Attack trees


Access control


Confidentiality/integrity


Key management


Principles for secure design/implementation

High-level overview III


Network security


Identity


Authentication


Some real-world protocols


Wireless security

High-level overview IV


Miscellaneous (as time permits)



Firewalls


Intrusion detection


Buffer overflows; secure programming
languages


Viruses and malicious logic


Etc…

Course Organization

Staff


Me


TAs (Introduce)


Contact information, office hours, listed on
course webpage

Course webpage

http://www.cs.umd.edu/~jkatz/comp_sec


Contains information about course
organization, updated syllabus, various
links, etc.


No paper handouts; all handouts will be
distributed from the course webpage


Check often for announcements

Textbooks


I will primarily use two texts:


“Computer Security” by Bishop


“Network Security…” by Kaufman, Perlman,
and Speciner


Neither is officially required, but both will
make it easier to follow the course


Exams may rely on material in these books,
even if not covered in class

Other readings


Will be linked from the course webpage


Material from these readings is fair game
for the exams, even if not covered in class
(unless stated otherwise)


Please suggest other readings or relevant
news articles!

Course requirements


Homeworks


About 5-6 throughout the semester


Collaboration with one other student allowed;
answers must be written independently


If you consult references, you must reference


Project


In three parts throughout the semester


Will require implementation using JCE


TAs will help with using JCE and Java…


Computer accounts


Each student will receive a computer
account for homeworks and the project


We are still looking into this…

Grading


See course webpage


Note: class participation counts!


Suggest readings and references related to
course and/or project


Speak up in class!

Security: an Introduction

Two papers linked from webpage


“Reflections on trusting trust”


“Managed security monitoring”


Both leave a fairly negative impression of
security…


…at the very least, they show that security
is not easy, and cannot just be applied as a
“magic bullet”

“Trusting trust”


(summarize article)


Does one really need to be this paranoid??


Probably not


Sometimes, yes


Shows that security is complex…and
probably impossible (in theory?)

“Managed security monitoring”


(Summarize article)


Is the state of network security really this bad?
(Arguably, yes)


Although network monitoring and risk
management are important, security is too


Security is not an end unto itself


If you really want to be secure, disconnect yourself
from the Internet

An Overview of Computer Security

Basic components


Confidentiality


Integrity


Availability

Confidentiality


Encryption


Access control

Integrity


Trustworthiness of data or resources


Prevention vs. detection


Blocking unauthorized attempts to change
data, or attempts to change data in
unauthorized ways


The second is much harder…


Correctness vs. trustworthiness of data

Availability


Denial of service attacks


Denying access can lead to more serious
attacks


I.e., if credit card verification is down

Threats (or “attacks”)


Snooping, eavesdropping


Modification, alteration


Masquerading, spoofing


False repudiation/denial of receipt


Network delay, denial of service

Policy vs. mechanism


Security policy


Statement of what is and is not allowed


Security mechanism


Method for enforcing a security policy


One is meaningless without the other…


Problems when combining security policies
of multiple organizations