CNT5410 - Computer and Network Security Review/Wrapup Professor Kevin Butler Fall 2015 Florida Institute for Cyber Security (FICS)
Review • What did we talk about this semester? • Cryptography ‣ secret vs public-key ‣ key exchange (Diffie-Hellman) ‣ symmetric ciphers and modes of operation ‣ hashing, MAC, HMAC ‣ encryption and digital signatures ‣ constructions based on crypto primitives (e.g., hash chains) Florida Institute for Cyber Security (FICS) 2
Review • Authentication ‣ credentials and types thereof (passwords, biometrics, tokens) ‣ Kerberos ‣ PKI • Network security ‣ TCP sequence number attacks ‣ ARP spoofing ‣ DNS security ‣ Securing legacy protocols ‣ IPsec Florida Institute for Cyber Security (FICS) 3
Review • Intrusion detection ‣ Insider threat ‣ rootkit ‣ network and host intrustion detection system ‣ behavior and signature based IDS ‣ anomaly detection ‣ Bayesian rate fallacy • Firewalls ‣ blacklisting vs whitelisting ‣ firewall policy Florida Institute for Cyber Security (FICS) 4
Review • Malware and bonnets ‣ Ransomware ‣ C&C architectures ‣ Fraud ‣ Bot cycles (scan-infect-download-communicate) ‣ Prevention mechanisms ‣ Bayesian fallacy ‣ ROC curves Florida Institute for Cyber Security (FICS) 5
Review • Web security ‣ legacy and new web models ‣ cookie design ‣ content injection ‣ IFRAME compromise ‣ cross-site scripting ‣ browser security architectures ‣ SSL Florida Institute for Cyber Security (FICS) 6
Review • Cloud computing ‣ Types of cloud service architectures ‣ Threat and trust models ‣ Multi-Tenancy ‣ Cloud side channels Florida Institute for Cyber Security (FICS) 7
Review • Anonymous networks and censorship resistance ‣ TOR ‣ Hidden services ‣ Mix vs DC-nets ‣ Limitations ‣ Anonymous publishing ‣ Private browsing Florida Institute for Cyber Security (FICS) 8
• Mobile Networks and Devices ‣ Rigidity in cellular networks ‣ SMS attacks ‣ Android communication mechanisms ‣ Secure application design and deployment ‣ End-to-end principle Florida Institute for Cyber Security (FICS) 9
Wrapup • So, what does it all mean? Florida Institute for Cyber Security (FICS) 10
The state of security • … issues are in public consciousness ‣ Press coverage is increasing … ‣ Losses mounting … (billions and billions) ‣ Affect increasing …… (ATMs, commerce, infrastructure) ‣ Public is at risk .... • What are we doing? “… sound and fury signifying nothing …” (well, it’s not quite that bad) Florida Institute for Cyber Security (FICS) 11
The problems … • What is the root cause? ‣ Security is not a key goal ... ... and it never has been... ... so, we need to figure out how to change the way we do engineering (and science) ... ... to make computers secure. • Far too much misunderstanding about basic security and the use of technology (security theatre) Florida Institute for Cyber Security (FICS) 12
The current solutions … • Make better software ‣ “we mean it” - B. Gates (2002) ‣ “no really …” - B. Gates (2003) ‣ “Linux/OS X/Sun OS etc. is bad too …” - B. Gates (2005) ‣ “Vista will fix everything” - B. Gates (2006) ‣ “Vista fixes everything” - B. Gates (2007) ‣ “Sorry about Vista ....” - B. Gates (2007.5) ‣ “Windows 7.0 will fix everything” - B. Gates (2008) • CERT/SANS-based problem/event tracking ‣ Experts tracking vulnerabilities ‣ Patch system completely broken • Destructive research ‣ Back-pressure on product developers ‣ Arms-race with bad guys • Problem: reactive, rather than proactive Florida Institute for Cyber Security (FICS) 13
The real solutions … • Fix the economic incentive equation … ‣ Eventually, MS/Sun/Apple/*** will be in enough pain that they change the way they make software • Education ‣ Things will get better when people understand when how to use technology • Fix engineering practices ‣ Design for security • Apply technology ‣ What we have been talking about ‣ Policy: how do we as technologists balance security and privacy? Florida Institute for Cyber Security (FICS) 14
Your new skills arsenal • “A little knowledge is a dangerous thing” • More and more, real lives at stake through subverting computers • “With great power comes great responsibility” Florida Institute for Cyber Security (FICS) 15
The bottom line • The Web/Internet and new technologies have limited ability to address security and privacy concerns … • … computer science is making the world less safe !! • … it is incumbent on us as scientists to meet these challenges. ‣ Evangelize importance of security … ‣ Provide sound technologies … ‣ Define better practices … ‣ Choose your questions wisely… Florida Institute for Cyber Security (FICS) 16
Additional Courses • Systems Security (grad. certificate) • Cryptography • Hardware security • Embedded systems security • Mobile computing security • Research opportunities Florida Institute for Cyber Security (FICS) 17
Thank You butler@ufl.edu Florida Institute for Cyber Security (FICS) 18
Recommend
More recommend
