17.2.2016 Course material 2 � Counter Hack Reloaded:A Step by Step Guide to Computer Attacks and Effective Defenses, Edward Secure Programming Skoudis, Tom Liston, Prentice Hall � Hacking Exposed 7: Network Security Secrets & Solutions, Stuart McClure, Joel Scambray, George Kurtz, McGraw Hill Osborne Media Introduction � Secure Coding: Principles and Practices, Mark G. Graff, Kenneth R. Van Wyk, O'Reilly Media 1 � Software Security: Building Security, Ahmet Burak Can Gary McGraw, Addison Wesley Hacettepe University Course material Contents 3 4 � Writing Secure Code: Practical Strategies and Proven Techniques for Building Secure Applications in a � Introduction to program security, fundementals of secure Networked World, Michael programming Howard, David LeBlanc, 2nd ed. � Attacks based on shell environment flaws Edition, Microsoft Press � Integer overflow attacks � Foundations of Security: What Every � Buffer overflow attacks Programmer Needs To Know, Neil � Input validation attacks, Format string attacks Daswani, Christoph Kern, and Anita � Links and race conditions, Temporary storage and Kesavan randomness problems � Security in Computing, Charles P. � Canonicalization and Directory traversal problems Pfleeger, 3th Edition � Web environment and web applications � And Internet resources.. � Web application and session security, XSS, CSRF attacks, � Security tests and static code analysis tools Grading Policy Which Security Concept? 5 6 � Midterm 45% � Final Exam 50% � Attendance 5% ���������������� ����������������� ����������������� �������������������� 1
17.2.2016 Security Goals Why Computer Security? 7 8 Computers are under attacks and suffer damages Privacy (secrecy, confidentiality) � � only the intended recipient can see the communication � Who are the attackers? � Authenticity (integrity) � bored teenagers, criminals, organized crime � the communication is generated by the alleged sender organizations, rogue states, industrial espionage, � Authorization angry employees, … � limit the resources that a user can access � Why they do it? � Availability � make the services available 99.999…% of time � enjoyment, fame, profit, … Non repudiation � � computer systems are where the moneys are � no party can refuse the validity of its actions Auditing � � Take a log of everything done in the system How big is the security problem? Computer Security Issues 9 10 CERT Vulnerabilities reported � Computer worms � E.g., Morris worm (1988), Melissa worm (1999) � Computer viruses � Distributed denial of service attacks � Computer break ins � Email spams � E.g., Nigerian scam, stock recommendations � Identity theft � Botnets � Serious security flaws in many important systems � electronic voting machines � Spyware CERT Vulnerabities in 2012 Why does this happen? 11 12 � Lots of buggy software & wrong configurations... � Awareness is the main issue � Some contributing factors � Few courses in computer security � Programming text books do not emphasize security � Few security audits � Unsafe program languages � Programmers are lazy � Consumers do not care about security � Security may make things harder to use � Security is difficult, expensive and takes time https://www.us cert.gov/sites/default/files/US CERT_2012_Trends In_Retrospect.pdf 2
17.2.2016 What is This Course About? Terminologies 13 14 � Learn how to prevent attacks and/or limit their � Vulnerabilities (weaknesses) : A flaw in software, consequences. hardware, or a protocol that can be leveraged to violate security policies � No silver bullet; man made complex systems will have errors; errors may be exploited � Threats (potential scenario of attack) � Large number of ways to attack � Attack � Large collection of specific methods for specific purposes � Exploit (n) Code that takes advantage of a vulnerability � Learn to think about security when doing things � Exploit (v) To use an exploit to compromise a system through a vulnerability � Learn to understand and apply security principles � Controls (security measures) Security Principles Layers of Computer Systems 15 16 � Principle of weakest link � Computer systems has multiple layers � Principle of adequate protection � Hardware � Goal is not to maximize security, but to maximize utility while limiting risk to an acceptable level within � Operating systems reasonable cost � System software, e.g., databases � Principle of effectiveness � Applications � Controls must be used − and used properly − to be effective. they must be efficient, easy to use, and � Computer systems are connected through networks appropriate � Computer systems are used by humans � Psychological acceptability � Principle of defense in depth � Security by obscurity doesn’t work Why old software can Ethical use of security information 17 18 become insecure? � Security objectives or policies have changed � We discuss vulnerabilities and attacks � Laws have changed � Most vulnerabilities have been fixed � Business model changed � Some attacks may still cause harm � Company processes changed Environment has changed � Do ����� try these at home � � Configuration is out of date � Purpose of this class � Operating system has changed � Learn to prevent malicious attacks � Risks are different � Use knowledge for good purposes � Protections have changed (e.g., firewall rules) � Employees, units responsibilities have changed � Learn about cyber crimes: Vulnerabilities have been found � � https://tr.wikipedia.org/wiki/BiliLim_suçları � Exploits, worms, viruses exploit them � http://www.atamer.av.tr/bilisim suclari/ � Input has changed � e.g., old application made to work online (with a wrapper) � Protocol changed 3
17.2.2016 Law enforcement 19 � David Smith � Melissa virus: 20 months in prison � Ehud Tenenbaum (“The Analyzer”) � Broke into US DoD computers � sentenced to 18 months in prison, served 8 months � Dmitry Sklyarov � Broke Adobe ebooks � Arrested by the FBI, prosecuted under DMCA, stayed in jail for 20 days � Onur Kıpçak � http://www.hurriyet.com.tr/bilgisayar korsanina 135 yil hapis cezasi daha 40038386 4
Recommend
More recommend
