
The Security Theme: an introduction School of Computer Science The - PowerPoint PPT Presentation



  1. Advanced Computer Science Security Theme
     The Security Theme: an introduction
     School of Computer Science, The University of Manchester

  2. Outline
     • Why do we need a Security Theme?
     • Core Modules
       – Cryptography
       – Cyber security
     • Some Research Activities

     • Ratio of hackers to security professionals ~ 1000:1*
     • Computer Security
     • Military Intelligence
     • The laws of thermodynamics**
     • But you can manage the risks . . .
     • …disrupt and counter the kill chain…
     • . . . taking heed of the Security Theme!

     *SANS (SysAdmin, Audit, Network, Security) Institute
     **You can’t win . . . you can’t even break even

  3. The challenge…

  4. ‘Hacking’-as-a-service
     • Consulting services such as botnet setup ($350-$400)
     • Infection/spreading services (~$100 per 1K installs)
     • Botnets & Rentals [Distributed Denial of Service (DDoS) $535 for 5 hours a day for one week], e-mail spam ($40 / 20K e-mails) and Web spam ($2/30 posts)
     • Blackhat Search Engine Optimization (SEO) ($80 for 20K spammed backlinks)
     • Inter-Carrier Money Exchange and Mule services (25% commission)
     • Recruited CAPTCHA Breaking ($1/1000 CAPTCHAs)
     • Crimeware Upgrade Modules: using Zeus Modules as an example, these range anywhere from $500 to $10K

     Source: Fortinet 2013 Cybercrime Report

  5. So we need a fifth column…
     …to protect the systems of today and build tomorrow’s systems safely

  6. Cyber Security: topics
     • Risk assessment
     • Requirement and policy specifications
     • Solutions and countermeasures
       – Intrusion detection/prevention
       – Secure software
       – Authentication and authorisation
       – Virtual Private Networks
       – Firewalls
       – Digital certification and Public Key Infrastructures
       – Real-life exemplar security systems (cloud computing security, web security, email security, wireless network security, electronic payment systems, etc)
     • Audits and reviews
     • System security planning
     • Penetration testing
     • Digital forensics

  7. How
     • Lectures
     • Guest lectures
       – CY40R; Digital forensics
       – McAfee; Malware and intruders: vulnerabilities and countermeasures
       – NCC Group;
     • Employment potential

     • Cryptography
       – Examination (60%)
       – Coursework (40%)
     • Cyber security
       – Coursework (2x25%)
         • Groupwork
         • Case studies
         • Report
         • Review/inspect
         • Templates
           – Penetration Testing Report
           – Risk treatment plan
       – Examination (50%)

  8. Cyber security (COMP61421)
     [Diagram. Labels: Business Continuity; Security Incidents and Events; Information Assets; Realised Risk; Dependencies; Business Impact Assessment (Value…C-I-A); Risk Assessment (Risk Register); Risk Treatments (Controls); Controls; People, Process, Technology; Human Factors: Attitude, Behaviour]

  9. IT Governance (COMP60721)
     [Diagram extending the previous slide. Additional labels: Objectives; Conformance; Performance; Leadership; Direct, Monitor, Evaluate; Ethical framework; IT Governance; Use, Abuse, Failure; Development; Operations; Risk Appetite; Project Management; Programme Management; Portfolio Management; Security Architecture]

  10. Help… new and constant
      Bad
      • 20000 new pieces of malware per hour (McAfee)
      • 15 friends invited on Facebook…21,000 accepted
      • £60,000 for losing an unencrypted laptop
      • Fined £100,000 for faxing details of a child sex abuse case to a member of the public
      • Fined £2.75m for losing a laptop with records of 46,000 people

      Good
      • You become the Fifth Column
        1. Cryptography
        2. Cyber security


  12. Summary: the two laws of security
      1. Never reveal everything you know.

      And now Dr Zhang on some more projects …

  13. Some research Projects/Activities
      • Designs of systems or solutions for security and privacy in distributed systems
      • Cloud and Ubiquitous Computing, and electronic commerce…
      • …covering issues such as risk-based authentication, authorisation, intrusion detections, and trust management.

      • FAME-Permis
      • Traceable Identity Privacy
      • FIDES
      • Context-aware Security Provision
      • Wireless Network Security
      • Adaptive Security Solutions

  14. The FAME-Permis Project
      • A middleware extension to Shibboleth to support
        – Inter-organisational resource sharing
        – Single sign-on
        – User identity privacy
        – Fine-grained access control

  15. LoA linked AC (FAME-permis)
      [Diagram. Components: Browser; The Internet; Shib Target - Resource Gateway (SHIRE, SHAR); Where Are You From? (WAYF); User’s Home Site with Web Server, Shib-HS (protected by F-LS), FAME Login Server (F-LS), ASI-API and AuthServices x, y, z, …; Host Authentication Module (HAM) with TI-API; PKCS#11 tokens, Java Cards, ...]
      [Numbered flow: 1. User request; 2. Re-direct to WAYF for Handle; 3. Re-direct to HS; 4. Authenticate yourself with AuthService x; 5. Authentication dialogue; 6. Authentication is successful; 7. Handle; 8. Handle]

  16. FIDES
      • Aim to secure e-Commerce transactions, e.g.
        – e-Payment vs e-Goods (e-Purchase).
        – e-Goods/e-mail vs Signed receipt (Certified delivery).
        – Signed contract vs Signed contract (Contract signing).
        – e-Goods vs e-Goods (Barter).
      • Can be used to develop new secure business applications, such as e-procurement.

  17. Context-aware Security Provision
      • Use your context data to determine the level of security protection
        – Your location
          • This room, or
          • Airport lounge
        – Your device
          • Wireless PDA, or
          • More capable desktop
        – Your past access history/profile
          • Have you been a good guy, or
          • You have tried to breach some rules

  18. Context-aware Access Control
      [Diagram. Labels as extracted: Resource, Access, Policy, Requester, Decision, Policy, PDP, PEP, Policy Store, Context, Context Service, Context Source, Acquisition, Sensors]

  19. Context-aware Adaptive Routing in MANETs
      Context-aware multiple route adaptation can increase reliability with low costs.
      [Diagram: nodes A, B, C, M, P, X and the Internet]

  20. Other project opportunities may include…
      • Whitelisting software
      • A method to articulate requirements for security (MARS)
      • Measuring security maturity to understand the costs and benefits of countermeasures
      • Balancing technical security controls with human factors
      • An application to test websites for compliance and award a commensurate trust mark

      • Protect-Operate-Self-preserve: designing a universal secure architecture
      • Rules of engagement: Legitimate use of the Dark Internet and Deep Web
      • Security economics modeller
      • Security dashboard
      • Information and cyber security threat analyser
      • IT Strategy design tool

  21. Module Leader/Lecturers
      • Dr Ning Zhang, ning.zhang@manchester.ac.uk
      • Dr Daniel Dresner Minst.ISP, daniel.dresner@manchester.ac.uk
      • Dr Richard Banach, banach@manchester.ac.uk

