introduction to security
play

Introduction to Security Kira Chan K. Chan: CSE435: Software - PDF document

Feb 24, 2024 •489 likes •950 views

11/26/19 Introduction to Security Kira Chan K. Chan: CSE435: Software Engineering Software expectation In a regular messaging application, what do you expect? Let's assume you want to use it to meet your friend for Friday night dinner.

  1. 11/26/19 Introduction to Security Kira Chan K. Chan: CSE435: Software Engineering Software expectation • In a regular messaging application, what do you expect? • Let's assume you want to use it to meet your friend for Friday night dinner. • Messages are delivered • Delivers within a time limit threshold • No one else is reading your messages • Message is not altered • Application does not “lag” • Etc K. Chan: CSE435: Software Engineering K. Chan: CSE435: Software Engineering 1

  2. 11/26/19 Terminology • “A computer is secure if you can depend on it and its software to behave as you expect (intent).” ​ • ‘ Trust describes our level of confidence that a computer system will behave as expected.’ (intended)​ [Garfinkel & Spafford, Kasten] ​ K. Chan: CSE435: Software Engineering Why should we consider security? • Can you build a messaging application that satisfies requirements • Who are the requirements made for? • Stakeholders? • Users? • Does every user conform to the expectations you have set? • Resources and information contain monetary or other values • Security breaches could be damaging to your reputation • When is security usually taken into consideration? • Security is often an after thought • Added onto a system, it may not fully address the underlying issue • Lots of new “Band-Aids” to patch an issue, causes inefficiency K. Chan: CSE435: Software Engineering K. Chan: CSE435: Software Engineering 2

  3. 11/26/19 Potential impact • Wannacry • Encrypts user data and demand ransom to decrypt it • https://www.symantec.com/blogs/threat-intelligence/wannacry-ransomware-attack • Say I encrypted your laptop, your final exam is tomorrow • Ransom is every asset you have • Do you pay it? • Safety? • What if critical systems are compromised? K. Chan: CSE435: Software Engineering De Definition (NIST) • Computer security is the protection afforded to an automated information system in order to attain the applicable objective of preserving the integrity, availability and confidentiality of the system’s resources • https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-14.pdf K. Chan: CSE435: Software Engineering K. Chan: CSE435: Software Engineering 3

  4. 11/26/19 Confidentiality, Integrity and Availability • Confidentiality : information are not disclosed to unauthorized parties • Integrity : assure that information and program are only changed in an authorized manner • A message is actually from where it claims to have come from • Mailman delivers you a mail from your best friend overseas, how do you know if this message have not been modified? • Availability : assures that the systems work promptly, and services are not denied to authorized users when they request them K. Chan: CSE435: Software Engineering Castle analogy Img source: McCallum K. Chan: CSE435: Software Engineering K. Chan: CSE435: Software Engineering 4

  5. 11/26/19 Security challenges. • Defending a system is hard since we must secure all weak points • Attacker only needs to find one exploit • Users do not like complicated systems • Benefit of security is not considered until a breach occurs • IT tech person, why do we even hire this guy? • Impediment to the user K. Chan: CSE435: Software Engineering Terminology • Security Policy : a set of rules and practices that specify or regulate how a system provides security services to protect sensitive and critical system resources • Vulnerability : a flaw or weakness in a system that can be exploited • Threat : a potential violation of security; a possible danger that might exploit a vulnerability • Attack : an assault on the system that derives from a threat. • Threats carried out K. Chan: CSE435: Software Engineering K. Chan: CSE435: Software Engineering 5

  6. 11/26/19 Threats • Hardware: physical devices – easy target • “Involuntary computer-slaughter” • Accidental acts not intended to do harm • E.g. Spilling a drink on computer • “Voluntary computer slaughter” – machinicide: • Purposely break a machine • Software: equipment worthless without software • Deletion • Modification • Theft Slide provided from Dr. Cheng K. Chan: CSE435: Software Engineering Why are we talking about this? • Time is money • Organizations want a product that makes money, so time spent not making money producing software is wasted time. • Monetory consequences are often not considered until a breach. • Example: CSE3xx programs. • Did you consider security when you developed your programs? K. Chan: CSE435: Software Engineering K. Chan: CSE435: Software Engineering 6

  7. 11/26/19 Patches K. Chan: CSE435: Software Engineering Patches • Changes made to fix, improve or update your system • What are patches used for? • Bug-fixes • Improvements • New features • Why can we not just patch security issues away? K. Chan: CSE435: Software Engineering K. Chan: CSE435: Software Engineering 7

  8. 11/26/19 When to use patches for security • Security should be defined in your original design • Patches should only be given as emergency solution • User ignores patches a lot of time • Patches may not fix the fundamental issues K. Chan: CSE435: Software Engineering How do we provide security to a system? • Easiest way: no access. • Challenge is to prevent unauthorized access to system, while causing the least amount of impediment to legitimate users. User Security for experience system K. Chan: CSE435: Software Engineering K. Chan: CSE435: Software Engineering 8

  9. 11/26/19 How to design your system? • Design of security should be as small and simple as needed • Easy to test/verify its strength, fewer flaws • Open Design : security mechanism should not be a secret! • Why? • Experts can review and point to flaws • Reverse engineering can expose your software • You will not know if your software have been compromised K. Chan: CSE435: Software Engineering How to design your system (cont.) • Psychological acceptability : the security mechanisms should not interfere with the work of the user • Consider our messaging app • Asks for user password every 30 seconds • Less extreme of an example: require restart every 12 hours • User will disarm if not! • Layering : Multiple layers of security. Failure at one point will not leave your system compromised • Example: messaging application • Encrypt stored messages • Ensure other applications on same device cannot access those files • Least astonishment : no surprises! • Functions should conform to user expectation K. Chan: CSE435: Software Engineering K. Chan: CSE435: Software Engineering 9

  10. 11/26/19 Remainder of presentation • I will focus on what you can do as a developer to help secure your system • What to do and what not to do K. Chan: CSE435: Software Engineering Risk Assessment • Three questions to answer: • What am I trying to protect? • What do I need to protect against? • How much time, effort, and money am I willing to spend to obtain these protection? • Three key steps: • Identify assets • Identify threats • Calculate risks • Risk: expected loss from the probability that a threat that will exploit a vulnerability in the system Slide provided from Dr. Cheng K. Chan: CSE435: Software Engineering K. Chan: CSE435: Software Engineering 10

  11. 11/26/19 Identify Asset • What are you trying to protect against? Recall CIA • Data? • Message confidentiality? • System resources? • Availability? • Categories of vulnerabilities: • Corruption (loss of integrity) • Leaky (loss of confidentiality) • Unavailable or slow access (loss of availability) K. Chan: CSE435: Software Engineering Identify Threats • What is the threat? • Hackers? • Political opponents • Rival companies • Activist • What is the intent/objective of the threat? K. Chan: CSE435: Software Engineering K. Chan: CSE435: Software Engineering 11

  12. 11/26/19 3 classes of intruder skill level • Apprentice : minimal technical skills • Use existing technologies • Most intruders belong in this category • Easy to defend • Why? • Journeymen : modifies and extends attack toolkits • Master : high-level technical skills • Capable of discovering new attacks • Understands underlying protocol used • Writes their own attacks and toolkits • Hardest to defend against K. Chan: CSE435: Software Engineering Calculating risk • How likely is a particular threat? • What is the chance that X will happen, and what is the consequence of it? • If an event happens on regular basis, you can estimate based on previous experiences. K. Chan: CSE435: Software Engineering K. Chan: CSE435: Software Engineering 12

  13. 11/26/19 Different kind of attacks you may consider as a developer K. Chan: CSE435: Software Engineering Denial of Service (DoS) • Attack on availability of a system • Deny legitimate user the ability to use a system or its resources • Distributed Denial of Service attack (DDoS) K. Chan: CSE435: Software Engineering K. Chan: CSE435: Software Engineering 13

Recommend

A (re)introduction to Spring Security Agenda Before Spring Security: Acegi security

A (re)introduction to Spring Security Agenda Before Spring Security: Acegi security

A (re)introduction to Spring Security Agenda Before Spring Security: Acegi security Introducing Spring Security View layer security Whats coming in Spring Security 3 E-mail: craig@habuma.com Blog: http://www.springloaded.info

452 views • 19 slides
INTRODUCTION cf. Schneider, Chapter 1 INTRODUCTION THEY ARE OUT TO GET YOU INTRODUCTION WHAT

INTRODUCTION cf. Schneider, Chapter 1 INTRODUCTION THEY ARE OUT TO GET YOU INTRODUCTION WHAT

ADVANCED COMPUTER SECURITY INTRODUCTION cf. Schneider, Chapter 1 INTRODUCTION THEY ARE OUT TO GET YOU INTRODUCTION WHAT IS SECURITY? A systems security policies describe What the system is supposed to do Store and provide access

479 views • 16 slides
Introduction to the Introduction to the Work of the Security Council Work of the Security

Introduction to the Introduction to the Work of the Security Council Work of the Security

Introduction to the Introduction to the Work of the Security Council Work of the Security Council Security Council Practices and Charter Research Branch Security Council Affairs Division Department of Political Affairs United Nations August

490 views • 28 slides
Introduction to Security Comm. Security Strategy Summary ITS335: IT Security Sirindhorn

Introduction to Security Comm. Security Strategy Summary ITS335: IT Security Sirindhorn

ITS335 Intro. to Security Concepts Threats, Attacks, Assets Introduction to Security Comm. Security Strategy Summary ITS335: IT Security Sirindhorn International Institute of Technology Thammasat University Prepared by Steven Gordon on 2

965 views • 34 slides
Introduction to the Introduction to the Work of the Security Council Work of the Security

Introduction to the Introduction to the Work of the Security Council Work of the Security

Introduction to the Introduction to the Work of the Security Council Work of the Security Council Security Council Affairs Division Department of Political Affairs United Nations August 2013 Outline What is the Security Council?

189 views • 16 slides
Chapter7. Security 7.1 Introduction 7.2 Overview of security techniques 7.3 Cryptographic

Chapter7. Security 7.1 Introduction 7.2 Overview of security techniques 7.3 Cryptographic

Chapter7. Security 7.1 Introduction 7.2 Overview of security techniques 7.3 Cryptographic algorithms 7.4 Digital signatures 7.5 Cryptography pragmatics 7.1. Introduction Why need security mechanisms in DS? Share of resources

364 views • 24 slides
Confidentiality and disclosure Mohamed Sayed Saidngar@yahoo.com Introduction - Introduction to

Confidentiality and disclosure Mohamed Sayed Saidngar@yahoo.com Introduction - Introduction to

Confidentiality and disclosure Mohamed Sayed Saidngar@yahoo.com Introduction - Introduction to data security. - Security requirements. - Types of security threats. - Security risks. - Technologies and security solutions. Introduction

411 views • 37 slides
Introduction to Network Security Chapter 10 Web Security Dr. Doug Jacobson - Introduction to 1

Introduction to Network Security Chapter 10 Web Security Dr. Doug Jacobson - Introduction to 1

Introduction to Network Security Chapter 10 Web Security Dr. Doug Jacobson - Introduction to 1 Network Security - 2009 Topics WWW HTTP: Hyper Text Transfer Protocol HTTP Security HTML Protocol HTML Security

1.09k views • 74 slides
Advanced Systems Security: Introduction to OS Security Trent Jaeger Systems and Internet

Advanced Systems Security: Introduction to OS Security Trent Jaeger Systems and Internet

Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA Advanced Systems Security: Introduction to OS Security Trent

770 views • 28 slides
Security Overview Security Goals The Attack Space Security Mechanisms

Security Overview Security Goals The Attack Space Security Mechanisms

CSCE Intro to Computer Systems Security Security Overview Security Goals The Attack Space Security Mechanisms Introduction to Cryptography Authentication Authorization Confidentiality Case Studies Security

472 views • 20 slides
Introduction to Computer Security Rev. Sept 2015 What is Computer Security? 2 Computer

Introduction to Computer Security Rev. Sept 2015 What is Computer Security? 2 Computer

Introduction to Computer Security Rev. Sept 2015 What is Computer Security? 2 Computer Security is the protection of computing systems and the data that they store or access 3 Why is Computer Security Important? Computer Security allows

690 views • 19 slides
Introduction to Computer Security Why do we need computer security? What are our goals and

Introduction to Computer Security Why do we need computer security? What are our goals and

Introduction to Computer Security Why do we need computer security? What are our goals and what threatens them? Lecture 1 Page 1 CS 236 Online Why Is Security Necessary? Because people arent always nice Because a lot of

415 views • 25 slides
Preparing for the Unthinkable Cyber Security Chicago 2018 Agenda Introduction Security

Preparing for the Unthinkable Cyber Security Chicago 2018 Agenda Introduction Security

Preparing for the Unthinkable Cyber Security Chicago 2018 Agenda Introduction Security Landscape Meraki Security Demo Security Landscape The Growing Importance of Security MALWARE HAS RISEN BY MORE THAN 10X IN THE LAST YEAR 70% M ALW AR E

604 views • 35 slides
Com puter Security Last tim e Introduction Threat analysis Threats Introduction

Com puter Security Last tim e Introduction Threat analysis Threats Introduction

Com puter Security Last tim e Introduction Threat analysis Threats Introduction to access control Policy matrix Specification Design Implementation Operation and Maintenance Security in the Course Lectures

784 views • 40 slides
Software Defjned Networking Security Outline Introduction What is SDN? SDN attack

Software Defjned Networking Security Outline Introduction What is SDN? SDN attack

Software Defjned Networking Security Outline Introduction What is SDN? SDN attack surface Recent vulnerabilities Security response Defensive technologies Next steps Introduction Security nerd, recovering

790 views • 39 slides
Introduction to Security Attacks Services Mechanisms CSS441: Security and Cryptography

Introduction to Security Attacks Services Mechanisms CSS441: Security and Cryptography

CSS441 Introduction Concepts Architecture Introduction to Security Attacks Services Mechanisms CSS441: Security and Cryptography Sirindhorn International Institute of Technology Thammasat University Prepared by Steven Gordon on 20

678 views • 23 slides
INTRODUCTION COMPUTER & NETWORK SECURITY CMSC 414 JAN 25 2018 TODAY What is

INTRODUCTION COMPUTER & NETWORK SECURITY CMSC 414 JAN 25 2018 TODAY What is

INTRODUCTION COMPUTER & NETWORK SECURITY CMSC 414 JAN 25 2018 TODAY What is security? Why is it so hard to achieve? Administrative The security mindset Analyzing a systems security 1. Summarize the system 2.

801 views • 43 slides
1 Multilevel Security Different security levels for resources Important systems A

1 Multilevel Security Different security levels for resources Important systems A

Last time Threats Introduction Threat analysis Policy Introduction to access Specification control matrix Design Implementation Operation and Maintenance 7/10 - 05 Distributed systems - Jonny Pettersson, UmU 1 Security in the

444 views • 13 slides
DIGITAL PLANETS SECURITY SOLUTION INTRODUCTION OUR OFFERED SERVICES Vulnerability Security

DIGITAL PLANETS SECURITY SOLUTION INTRODUCTION OUR OFFERED SERVICES Vulnerability Security

DIGITAL PLANETS SECURITY SOLUTION INTRODUCTION OUR OFFERED SERVICES Vulnerability Security Information Assessment Brand Operation Consultancy & Security Protection Penetration Awareness Centre Testing External Networks

474 views • 44 slides
Outline The web from a security perspective CSci 5271 Introduction to Computer Security SQL

Outline The web from a security perspective CSci 5271 Introduction to Computer Security SQL

Outline The web from a security perspective CSci 5271 Introduction to Computer Security SQL injection Web security, part 1 Announcements intermission Stephen McCamant University of Minnesota, Computer Science & Engineering Web

522 views • 5 slides
Security Overview Security Goals The Attack Space Security Mechanisms

Security Overview Security Goals The Attack Space Security Mechanisms

CPSC 410/611 Operating Systems Security Security Overview Security Goals The Attack Space Security Mechanisms Introduction to Cryptography Authentication Authorization Confidentiality Case Studies

419 views • 19 slides
Introduction to Network Security Security Chapter 7 Transport Layer Protocols Dr. Doug

Introduction to Network Security Security Chapter 7 Transport Layer Protocols Dr. Doug

Introduction to Network Security Security Chapter 7 Transport Layer Protocols Dr. Doug Jacobson - Introduction to 1 Network Security - 2009 Topics TCP Layer Responsible for reliable end-to-end transfer of application data.

632 views • 32 slides
Outline Usability and security CSci 5271 Introduction to Computer Security Announcements

Outline Usability and security CSci 5271 Introduction to Computer Security Announcements

Outline Usability and security CSci 5271 Introduction to Computer Security Announcements intermission Day 24: Usability and security Stephen McCamant Usable security example areas University of Minnesota, Computer Science & Engineering

219 views • 5 slides
Outline Usability and security CSci 5271 Introduction to Computer Security Announcements

Outline Usability and security CSci 5271 Introduction to Computer Security Announcements

Outline Usability and security CSci 5271 Introduction to Computer Security Announcements intermission Day 25: Usability and security Stephen McCamant Usable security example areas University of Minnesota, Computer Science & Engineering

419 views • 4 slides

More recommend