Computer and Communications Security COMP4631 Cunsheng Ding - - PowerPoint PPT Presentation

computer and communications security comp4631
SMART_READER_LITE
LIVE PREVIEW

Computer and Communications Security COMP4631 Cunsheng Ding - - PowerPoint PPT Presentation

Nov 19, 2023 561 likes •1.01k views

Computer and Communications Security COMP4631 Cunsheng Ding cding@cs.ust.hk https://home.cse.ust.hk/faculty/cding/hkust_only/ C. Ding - COMP4631 - L01 1 Outline of this Lecture Brief introduction to COMP4631 Physical security: an

slide-1
SLIDE 1
  • C. Ding - COMP4631 - L01

1

Computer and Communications Security COMP4631

Cunsheng Ding

cding@cs.ust.hk https://home.cse.ust.hk/faculty/cding/hkust_only/

slide-2
SLIDE 2
  • C. Ding - COMP4631 - L01

2

Outline of this Lecture

  • Brief introduction to COMP4631
  • Physical security: an important step

towards understanding computer security

slide-3
SLIDE 3
  • C. Ding - COMP4631 - L01

3

Course Introduction

slide-4
SLIDE 4
  • C. Ding - COMP4631 - L01

4

Course Structure

Core theory encryption authentication digital signature Practice Windows NT security Unix security Distributed system security Network security Web security

slide-5
SLIDE 5
  • C. Ding - COMP4631 - L01

5

Course Structure & Grading

Lecture Tutorial x 3 assignments, 1 exam

Grading:

slide-6
SLIDE 6
  • C. Ding - COMP4631 - L01

6

Main Topics

  • Computer security: an introduction
  • Conventional cryptosystems
  • Public-key cryptosystems
  • Key management
  • Hash functions, authentication
  • Digital signature, identification
  • Access control
  • Unix security
  • Windows NT security
  • Distributed system security
  • Network security
slide-7
SLIDE 7
  • C. Ding - COMP4631 - L01

7

Main Topics ctd.

  • IP security
  • Email security
  • WWW security
  • Firewalls
  • Virtual private networks
slide-8
SLIDE 8
  • C. Ding - COMP4631 - L01

8

Reference Books

  • Behrouz A. Forouz, Cryptography and

Network Security, McGraw Hill, 2008.

  • D. Gollmann, Computer Security, John Wiley

& Sons, 1999.

  • W. Stallings and L. Brown, Computer

Security: Principles and Practice, Pearson Education, 2008.

slide-9
SLIDE 9
  • C. Ding - COMP4631 - L01

9

On completion of this course you will be able to:

1. evaluate potential vulnerabilities and attacks

  • n computer and communication systems;
  • 2. learn the basic security tools;
  • 3. select and apply basic tools to build security

systems; and

  • 4. get familiar with real-world security systems.

Learning Outcomes

slide-10
SLIDE 10
  • C. Ding - COMP4631 - L01

10

Warning !

Prerequisites: Operating systems, Computer communication networks, Discrete mathematics

slide-11
SLIDE 11
  • C. Ding - COMP4631 - L01

11

Important Information

Take this course only if you have time to visit lectures, to work out assignments independently, and most importantly to have good math capability and a background in

  • perating systems and computer networks.
slide-12
SLIDE 12
  • C. Ding - COMP4631 - L01

12

Questions?

slide-13
SLIDE 13
  • C. Ding - COMP4631 - L01

13

Physical Security:

The first step towards understanding computer security

slide-14
SLIDE 14

Definition of Physical Security

  • Physical security refers to the protection
  • f building sites and equipment (and all

information and software contained therein) from theft, vandalism, natural disaster, manmade catastrophes, and accidental damage (e.g., from electrical surges, extreme temperatures, and spilled coffee).

  • C. Ding - COMP4631 - L01

14

slide-15
SLIDE 15
  • C. Ding - COMP4631 - L01

15

Definition in Wikipedia

  • Physical security describes measures

that prevent or deter attackers from accessing a facility, resource, or information stored on physical media.

  • It can be as simple as a locked door
  • r as elaborate as multiple layers of

“armed guardposts”.

slide-16
SLIDE 16

Armed Guard Post

Security System

  • Security model

– No wood, no walls, only three guards. – Can be placed anywhere

  • Security policies

– The duties of each guard – Centralized or decentralized – How often should they move?

  • How to implement the

policies?

Armed Guardpost

  • C. Ding - COMP4631 - L01

16

slide-17
SLIDE 17
  • C. Ding - COMP4631 - L01

17

Physical Security: Example

  • Your house
  • A cash room in a bank
slide-18
SLIDE 18
  • C. Ding - COMP4631 - L01

18

Elements of Physical Security

The field of security engineering has identified three elements to physical security:

  • Obstacles, to frustrate trivial attackers and delay

serious ones. (Prevention)

  • Alarms, security lighting, security guard patrols or

closed-circuit television cameras, to make it likely that attacks will be noticed. (Detection)

  • Security response, to repel, catch or frustrate

attackers when an attack is detected. (Response) In a well designed system, these features must complement each other.

slide-19
SLIDE 19
  • C. Ding - COMP4631 - L01

19

Design of Physical Security

There are three layers of physical security:

  • Environmental design
  • Mechanical and electronic access control
  • Intrusion detection
slide-20
SLIDE 20
  • C. Ding - COMP4631 - L01

20

Environmental Design

  • The initial layer of

security for a campus, building, office, or physical space.

  • It is used to deter

threats.

  • Examples: warning,

fences, metal barriers, vehicle height-restrictors, site lighting.

slide-21
SLIDE 21
  • C. Ding - COMP4631 - L01

21

Mechanical & Electronic Access Control

  • The second layer of physical

security

  • Examples:

– Doors with locks – Doors with security guards

  • Access control policy is
  • implemented. Only

authorized people are allowed.

slide-22
SLIDE 22
  • C. Ding - COMP4631 - L01

22

Intrusion Detection

  • The third layer is

intrusion detection systems or alarms.

  • Intrusion detection

monitors for attacks.

  • It is less a

preventative measure and more of a response measure.

slide-23
SLIDE 23
  • C. Ding - COMP4631 - L01

23

Violating Physical Access Control

  • Masquerading: A person disguised as an

authorized user. This can be done using a forged ID or pretending to be a repair man.

  • Piggy-backing: A person who enters the

security perimeter by following an authorized user.

slide-24
SLIDE 24
  • C. Ding - COMP4631 - L01

24

Violating Physical Access Control

  • Lock-picking: Any lock can be picked. Or

better, go through dropped ceilings or removing the hinges from door.

  • http://www.wikihow.com/Pick-a-Lock-

Using-a-Paperclip

  • The Complete Guide to Lock Picking
  • https://repo.zenk-

security.com/Lockpicking/The%20Complete%20Guide%2 0To%20Lockpicking%20- %20Eddie%20the%20Wire%20-%20Loompanics.pdf

slide-25
SLIDE 25

Violating Physical Access Control

  • Visual/auditory

access:

  • Example: Russians

spied on Americans by installing a telephone near a code-room. They got the secret key by hearing electric balls on typewriters.

  • C. Ding - COMP4631 - L01

25

slide-26
SLIDE 26
  • C. Ding - COMP4631 - L01

26

A Case Study of Physical Security

slide-27
SLIDE 27
  • C. Ding - COMP4631 - L01

27

A Real-World Example

  • Problem: Suppose you are the President of

a country called The New Empire. You have

  • rdered the killing of many innocent people

in the world, and have thus many enemies. You would build a house as both your working office and residential place, which provides you as much security as possible.

  • Given a fixed amount of money for doing

this, how would you build a secure house?

slide-28
SLIDE 28
  • C. Ding - COMP4631 - L01

28

Some Design Requirements

  • The house should have at least one

entrance door which is controlled by a (physical or electronic) lock or guard.

  • It should have at least one window for

getting sunlight.

  • It should accommodate you (the President)

and your spouse.

  • It should provide a “certain level” of

security.

slide-29
SLIDE 29
  • C. Ding - COMP4631 - L01

29

Possible Attacks

  • Biological attacks from the air (you have to

breath).

  • Missile attacks from the air.
  • Break-in from the entrance door (there must be

at least one door).

  • Tunnel attacks.
  • Fire break.
  • Attacks from your spouse and security guards.
  • Can you find out all possible attacks?
slide-30
SLIDE 30
  • C. Ding - COMP4631 - L01

30

Security Model

  • Chinese Wall Model

(other models too, e.g. the guard post model)

  • Human-machine

approach (security guards + locks)

  • Security policy:

access control

a b c d

slide-31
SLIDE 31
  • C. Ding - COMP4631 - L01

31

The First Design Decision:

what is the focus of security controls?

  • Access control on

the doors, assuming that

– all the walls are tall enough; – all the walls are very strong; – all doors are very strong. a b c d

slide-32
SLIDE 32
  • C. Ding - COMP4631 - L01

32

The Second Design Decision:

where to place security controls?

  • The doors:

– The man approach: guards only – The machine approach: locks only – man-machine approach: a combination

  • Which approach is

better?

a b c d

slide-33
SLIDE 33
  • C. Ding - COMP4631 - L01

33

The Second Design Decision:

where to place security controls?

  • The man approach

– It is possible for one single person to use her/his beauty or detrimental gas to settle all the guards. – If one lock, this may not be possible. – Possible to bribe all.

a b c d

slide-34
SLIDE 34
  • C. Ding - COMP4631 - L01

34

The Second Design Decision:

where to place security controls?

  • The machine

approach

– What happens if you have a heart attack? – In case of fire and you cannot find the key to door D, what will happen? a b c d

slide-35
SLIDE 35
  • C. Ding - COMP4631 - L01

35

The Second Design Decision:

where to place security controls?

  • Conclusion:

– Man-machine approach is better!

  • Questions:

– How many locks and how many guards? – Which doors are controlled by locks and guards? – Male or female? a b c d

slide-36
SLIDE 36
  • C. Ding - COMP4631 - L01

36

The Third Design Decision:

simplicity and assurance (1)

  • Access control policy:

– For each door define who has access right. – The access control on door D is crutial (why).

  • Guard at A is not

allowed to access other

  • doors. Guard at D is not

allowed to cross A without the permission of the President.

a b c d

slide-37
SLIDE 37
  • C. Ding - COMP4631 - L01

37

The Third Design Decision:

Simplicity and assurance (2)

  • Complicated access

control policy makes it less efficient.

  • Simple policy does

not give enough security assurance.

  • Solution:

compromise

a b c d

slide-38
SLIDE 38
  • C. Ding - COMP4631 - L01

38

The Fourth Design Decision:

centralized or distributed?

  • How to coordinate

the access controls

  • f all doors?
  • In case of doubt,

which guard makes the final decision?

a b c d

slide-39
SLIDE 39
  • C. Ding - COMP4631 - L01

39

Security Evaluation

  • Remark: Once you have finished designing

your house, you have to evaluate whether your system meets all the security requirements.

  • Question: Is it easy to prove or disprove

that a security requirement is met?

slide-40
SLIDE 40
  • C. Ding - COMP4631 - L01

40

Absolute Secure System?

  • Question A: Is there any absolute secure

system in the world?

  • Question B: Could you enumerate all

possible attacks on the system?

  • Concluding remark: It is extremely hard to

design a secure system!

slide-41
SLIDE 41
  • C. Ding - COMP4631 - L01

41

Physical Security

  • Physical security helps

– not only understand computer security; – but also strengthen computer security.

  • Physical security is combined with

information security in many real-world applications.

slide-42
SLIDE 42
  • C. Ding - COMP4631 - L01

42

  • Physical security is a vital part of any security

plan and is fundamental to all security efforts.

  • Without it, information security, software

security, user access security and network security are considered more difficult, if not possible, to initiate.

Importance of Physical Security

slide-43
SLIDE 43
  • C. Ding - COMP4631 - L01

43

More on Physical Security

  • http://www.cpni.gov.uk/advice/Physical-

security/

  • http://physicalsecurity.com/
  • https://nces.ed.gov/pubs98/safetech/chapter5.as

p