introduction to computer security
play

Introduction to Computer Security Session 0 Introduction and Threat - PowerPoint PPT Presentation

Nov 29, 2022 •282 likes •642 views

CSCI-UA.9480 Introduction to Computer Security Session 0 Introduction and Threat Modeling Prof. Nadim Kobeissi 0a Introduction Welcome! 2 CSCI-UA.9480: Introduction to Computer Security Nadim Kobeissi Welcome to your new course! Open

  1. CSCI-UA.9480 Introduction to Computer Security Session 0 Introduction and Threat Modeling Prof. Nadim Kobeissi

  2. 0a Introduction Welcome! 2 CSCI-UA.9480: Introduction to Computer Security – Nadim Kobeissi

  3. Welcome to your new course! Open discussions. Important notes. We can adopt a seminar style and focus Don’t miss sessions. This is an intensive ● ● more on practical work. course: demanding assignments, packed Feel free to ask questions any time. sessions, strict grading. ● You can do the readings before or after Pioneers from all over the world will come ● ● class. give you invited talks. Assignments are due on the day of, before ● class. 3 CSCI-UA.9480: Introduction to Computer Security – Nadim Kobeissi

  4. About me. Originally studied philosophy, got into ● applied cryptography as a passion. First project: Cryptocat (while in undergrad.) ● Moved to Paris in 2015 to pursue Ph.D. in ● computer security and applied cryptography. I specialize in designing and formally verifying cryptographic protocols. Peer-reviewed publications, etc. ● Personal website: https://nadim.computer ● 4 CSCI-UA.9480: Introduction to Computer Security – Nadim Kobeissi

  5. Goals of this course. Understand the basic principles of: Acquire important knowledge in: ● ● Computer security. Applied cryptography. ○ ○ Cryptographic constructions underlying Designing and breaking secure systems. ○ ○ modern computer security. Operating system security. ○ Learn practical skills: ● Network security. ○ Web security. Design secure systems. ○ ○ Security economics. Write secure code. ○ ○ Exploit insecure code. ○ 5 CSCI-UA.9480: Introduction to Computer Security – Nadim Kobeissi

  6. Course layout. Parts: Graded items: ● ● 1. Cryptography Class participation (10%) ○ ○ 2. Network Security Three problem sets (20%) ○ ○ 3. Software Security Two practical assignments (20%) ○ ○ 4. Web Security Midterm exam (25%) ○ ○ 5. Security and Society Final exam (25%) ○ ○ Keep the course website bookmarked: ● https://computersecurity.paris 6 CSCI-UA.9480: Introduction to Computer Security – Nadim Kobeissi

  7. Course guidelines. Bring a laptop to every class but only open it Absences must be justified with a ● ● when asked. doctor’s note or similar. No smartphones during class. “Leaving class to go to the bathroom or ● ● No eating in class. yawning in class is considered rude in ● Academic integrity: there’s no need to France.” No problem in my class: please ● cheat. My job is to help you learn and yawn and go to the bathroom all the time. succeed. Check your syllabus for the whole list of ● guidelines. 7 CSCI-UA.9480: Introduction to Computer Security – Nadim Kobeissi

  8. 0b Typifying Attacks 8 CSCI-UA.9480: Introduction to Computer Security – Nadim Kobeissi

  9. “Cybersecurity, computer security or IT security is the protection of computer systems from theft of or damage to their hardware, software or electronic data, as well as from disruption or misdirection of the services they provide.” – Wikipedia. 9 CSCI-UA.9480: Introduction to Computer Security – Nadim Kobeissi

  10. “Security engineering is about building systems to remain dependable in the face of malice, error, or mischance. As a discipline, it focuses on the tools, processes and methods needed to design, implement and test complete systems, and to adapt existing systems as their environment evolves.” – Ross Anderson. 10 CSCI-UA.9480: Introduction to Computer Security – Nadim Kobeissi

  11. “Applied cryptography is the science and practice of designing and implementing real-world systems that derive their practical security guarantees primarily from mathematically ‘hard’ foundations, and only miscellaneously from access control.” – Me? I hope this is accurate. 11 CSCI-UA.9480: Introduction to Computer Security – Nadim Kobeissi

  12. Today’s reality. There’s a lot of buggy software out there… …and bugs don’t sell for cheap. 12 CSCI-UA.9480: Introduction to Computer Security – Nadim Kobeissi

  13. Today’s reality. There’s a lot of buggy software out there… …and bugs don’t sell for cheap. 13 CSCI-UA.9480: Introduction to Computer Security – Nadim Kobeissi

  14. Can you think of any types of attacks? On these platforms? Or on these? 14 CSCI-UA.9480: Introduction to Computer Security – Nadim Kobeissi

  15. Example: WannaCry Ransomware 15 CSCI-UA.9480: Introduction to Computer Security – Nadim Kobeissi

  16. 0c Threat Modeling The bird’s eye view. 16 CSCI-UA.9480: Introduction to Computer Security – Nadim Kobeissi

  17. Kerckhoff’s principle. Originated in cryptography… …but can be generalized to security systems. The security of a cipher should rely only on Assume the attacker knows the system. ● ● the secrecy of the key and not on the However, the attacker doesn’t have: ● secrecy of the cipher. Access control. ○ This came about in 1883, back when ● military encryption machines could be Authentication. ○ stolen by the enemy, leading to decryption. Ability to modify the system, etc. ○ 17 CSCI-UA.9480: Introduction to Computer Security – Nadim Kobeissi

  18. Threat model for a bank. Threats to consider for a bank. Inside threat : Main threat to bank ● bookkeeping is petty theft by bankers (1% get fired each year for this.) Outside threat : ATM machines. How to ● handle authentication? Prevent tampering? Secure communications? 18 CSCI-UA.9480: Introduction to Computer Security – Nadim Kobeissi

  19. Threat model for a bank. Some more threats to consider. Online banking : Users could be susceptible ● to trickery (phishing) or could have their account hijacked by exploiting bugs in the bank’s web applications or in their browser (XSS.) High-value messaging systems : Internal ● communications, regularizing balances between branches, etc. 19 CSCI-UA.9480: Introduction to Computer Security – Nadim Kobeissi

  20. Threat model for a bank. Let’s talk about “security theater.” What is the value of having giant stone walls ● or solid marble tables? Whole books have been written about ● “security theater” (Bruce Schneier most notably). 20 CSCI-UA.9480: Introduction to Computer Security – Nadim Kobeissi

  21. Did you know? ATMs were the first large-scale commercial deployment of cryptography and helped establish a number of standards. 21 CSCI-UA.9480: Introduction to Computer Security – Nadim Kobeissi

  22. Threat model for a military base. Threats to consider for a military base. Prevent enemies from jamming your radars ● while jamming theirs. Denial of service prevention takes a higher ● priority. 22 CSCI-UA.9480: Introduction to Computer Security – Nadim Kobeissi

  23. Test your knowledge! What is the better way to protect nuclear weapons from unauthorized access? ☐ A : Store them in a secret location. B : Require multiple authentication methods spread across multiple people. ☐ C : Dismantle the weapons, thereby removing the need to protect them. ☐ 23 CSCI-UA.9480: Introduction to Computer Security – Nadim Kobeissi

  24. Test your knowledge! What is the better way to protect nuclear weapons from unauthorized access? ☐ A : Store them in a secret location. 🗺 B : Require multiple authentication methods spread across multiple people. C : Dismantle the weapons, thereby removing the need to protect them. ☐ 24 CSCI-UA.9480: Introduction to Computer Security – Nadim Kobeissi

  25. Threat model for a military base. Why not A? Kerckhoff’s principle. ● Single point of compromise. ● Why not C? The security engineer rarely decides the ● requirements. 25 CSCI-UA.9480: Introduction to Computer Security – Nadim Kobeissi

  26. Threat model for a home. Let’s try to come up with one. What are the risks? ● Who are the adversaries? ● What are the systems? ● What are the points of failure? ● What are the failure scenarios and their ● impact? Now that you have your threat model, you can reason about the systems you must design and implement. 26 CSCI-UA.9480: Introduction to Computer Security – Nadim Kobeissi

  27. Defining 0d Security Systems An overview to get you started. 27 CSCI-UA.9480: Introduction to Computer Security – Nadim Kobeissi

  28. “Systems?” Now that you have your threat model, you can reason about the systems you must design and implement. But what are systems? ● Cryptographic protocols: TLS. ● Operating system: Linux. ● Application: WhatsApp. ● Embedded hardware: iPod. ● 28 CSCI-UA.9480: Introduction to Computer Security – Nadim Kobeissi

  29. “Alice and Bob?” In protocols , we reason about: Principals: Alice, Bob. ● Security goals: confidentiality, authenticity, ● forward secrecy… Use cases and constraints. ● Attacker model. ● Threat model. ● 29 CSCI-UA.9480: Introduction to Computer Security – Nadim Kobeissi

  30. “Application Security.” In applications and many user-facing systems , we reason about: User compromise: device compromise, ● impersonation, phishing… Server compromise: leaks, database ● hacks… Usability and security. ● 30 CSCI-UA.9480: Introduction to Computer Security – Nadim Kobeissi

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Introduction to Computer Security Rev. Sept 2015 What is Computer Security? 2 Computer

Introduction to Computer Security Rev. Sept 2015 What is Computer Security? 2 Computer

Introduction to Computer Security Rev. Sept 2015 What is Computer Security? 2 Computer Security is the protection of computing systems and the data that they store or access 3 Why is Computer Security Important? Computer Security allows

690 views • 19 slides
Introduction to Computer Security Why do we need computer security? What are our goals and

Introduction to Computer Security Why do we need computer security? What are our goals and

Introduction to Computer Security Why do we need computer security? What are our goals and what threatens them? Lecture 1 Page 1 CS 236 Online Why Is Security Necessary? Because people arent always nice Because a lot of

415 views • 25 slides
Introduction Attacks Security Goals Fall 2010 CS 334 Computer Security 1 What is Computer

Introduction Attacks Security Goals Fall 2010 CS 334 Computer Security 1 What is Computer

Introduction Attacks Security Goals Fall 2010 CS 334 Computer Security 1 What is Computer Security? Generally concerned with protection of computer related assets Risk analysis and management! Manage could mean prevention of

537 views • 26 slides
Outline The web from a security perspective CSci 5271 Introduction to Computer Security SQL

Outline The web from a security perspective CSci 5271 Introduction to Computer Security SQL

Outline The web from a security perspective CSci 5271 Introduction to Computer Security SQL injection Web security, part 1 Announcements intermission Stephen McCamant University of Minnesota, Computer Science & Engineering Web

522 views • 5 slides
Outline Usability and security CSci 5271 Introduction to Computer Security Announcements

Outline Usability and security CSci 5271 Introduction to Computer Security Announcements

Outline Usability and security CSci 5271 Introduction to Computer Security Announcements intermission Day 24: Usability and security Stephen McCamant Usable security example areas University of Minnesota, Computer Science & Engineering

219 views • 5 slides
Outline Usability and security CSci 5271 Introduction to Computer Security Announcements

Outline Usability and security CSci 5271 Introduction to Computer Security Announcements

Outline Usability and security CSci 5271 Introduction to Computer Security Announcements intermission Day 25: Usability and security Stephen McCamant Usable security example areas University of Minnesota, Computer Science & Engineering

419 views • 4 slides
Foundations of Network and Foundations of Network and Computer Security Computer Security J ohn

Foundations of Network and Foundations of Network and Computer Security Computer Security J ohn

Foundations of Network and Foundations of Network and Computer Security Computer Security J ohn Black J CSCI 6268/TLEN 5831, Fall 2004 Introduction UC Davis PhD in 2000 Cryptography Interested in broader security as well

492 views • 12 slides
CSCI 8260 Spring 2016 Computer and Networks Security INTRODUCTION 1 Research in Computer

CSCI 8260 Spring 2016 Computer and Networks Security INTRODUCTION 1 Research in Computer

CSCI 8260 Spring 2016 Computer and Networks Security INTRODUCTION 1 Research in Computer Security Studies in what ways security mechanisms may fail Can we gain access to a computer system without authorizaDon? Can we compromise

986 views • 84 slides
Outline CSci 5271 Big-Picture Introduction Introduction to Computer Security Day 1:

Outline CSci 5271 Big-Picture Introduction Introduction to Computer Security Day 1:

Outline CSci 5271 Big-Picture Introduction Introduction to Computer Security Day 1: Introduction and Logistics Course Logistics Stephen McCamant University of Minnesota, Computer Science & Engineering What is computer security? Two

362 views • 7 slides
Outline Brief introduction to networking CSci 5271 Introduction to Computer Security

Outline Brief introduction to networking CSci 5271 Introduction to Computer Security

Outline Brief introduction to networking CSci 5271 Introduction to Computer Security Announcements intermission Day 13: Network, etc., security overview Some classic network attacks Stephen McCamant University of Minnesota, Computer Science

504 views • 5 slides
Introduction to Computer Security Formal Security Models Pavel Laskov Wilhelm Schickard

Introduction to Computer Security Formal Security Models Pavel Laskov Wilhelm Schickard

Introduction to Computer Security Formal Security Models Pavel Laskov Wilhelm Schickard Institute for Computer Science Security instruments learned so far Symmetric and asymmetric cryptography confidentiality, integrity, non-repudiation

319 views • 29 slides
Outline Security risk and management Some terminology CSci 5271 Introduction to Computer

Outline Security risk and management Some terminology CSci 5271 Introduction to Computer

Outline Security risk and management Some terminology CSci 5271 Introduction to Computer Security Logistics intermission Day 2: Intro to Software and OS Security Example security failures Stephen McCamant University of Minnesota, Computer

608 views • 8 slides
Outline Security risk and management Some terminology CSci 5271 Introduction to Computer

Outline Security risk and management Some terminology CSci 5271 Introduction to Computer

Outline Security risk and management Some terminology CSci 5271 Introduction to Computer Security Logistics intermission Day 2: Intro to Software and OS Security Example security failures Stephen McCamant University of Minnesota, Computer

395 views • 7 slides
INTRODUCTION COMPUTER & NETWORK SECURITY CMSC 414 JAN 25 2018 TODAY What is

INTRODUCTION COMPUTER & NETWORK SECURITY CMSC 414 JAN 25 2018 TODAY What is

INTRODUCTION COMPUTER & NETWORK SECURITY CMSC 414 JAN 25 2018 TODAY What is security? Why is it so hard to achieve? Administrative The security mindset Analyzing a systems security 1. Summarize the system 2.

801 views • 43 slides
INTRODUCTION cf. Schneider, Chapter 1 INTRODUCTION THEY ARE OUT TO GET YOU INTRODUCTION WHAT

INTRODUCTION cf. Schneider, Chapter 1 INTRODUCTION THEY ARE OUT TO GET YOU INTRODUCTION WHAT

ADVANCED COMPUTER SECURITY INTRODUCTION cf. Schneider, Chapter 1 INTRODUCTION THEY ARE OUT TO GET YOU INTRODUCTION WHAT IS SECURITY? A systems security policies describe What the system is supposed to do Store and provide access

479 views • 16 slides
Introduction to Computing Principles

Introduction to Computing Principles

Introduction to Computing Principles Computer Safe Computer Security Attacks Practices What is Computer Security? Computer Security, also known as cybersecurity or IT

974 views • 63 slides
OpenID OpenID and SAML and SAML Fiona Culloch, EDINA Fiona Culloch, EDINA EuroCAMP, Stockholm,

OpenID OpenID and SAML and SAML Fiona Culloch, EDINA Fiona Culloch, EDINA EuroCAMP, Stockholm,

Shib Shibbolet oleth Develo Developmen ent a t and Su d Supp pport Services t Services OpenID OpenID and SAML and SAML Fiona Culloch, EDINA Fiona Culloch, EDINA EuroCAMP, Stockholm, 7 May 2008 EuroCAMP, Stockholm, 7 May 2008 Shib

666 views • 20 slides
Chapter 1: Introduction to Computer Science and Media Computation Story What is computer

Chapter 1: Introduction to Computer Science and Media Computation Story What is computer

Chapter 1: Introduction to Computer Science and Media Computation Story What is computer science about? What computers really understand, and where Programming Languages fit in Media Computation: Why digitize media? How can it

410 views • 27 slides
LFG Syntactic Theory Winter Semester 2009/2010 Antske Fokkens Department of Computational

LFG Syntactic Theory Winter Semester 2009/2010 Antske Fokkens Department of Computational

Introduction F-structures LFG Syntactic Theory Winter Semester 2009/2010 Antske Fokkens Department of Computational Linguistics Saarland University 17 November 2009 Antske Fokkens Syntax Lexical Functional Grammar 1 / 33 Introduction

718 views • 34 slides
IPv6?? Yawn amiright? Actually, IPv6 adoption is now very robust. E.g.: Google Clients

IPv6?? Yawn amiright? Actually, IPv6 adoption is now very robust. E.g.: Google Clients

Dont Forget to Lock the Back Door! A Characterization of IPv6 Network Security Policy Jakub (Jake) Czyz, University of Michigan & QuadMetrics, Inc. Matthew Luckie, University of Waikato Mark Allman, International Computer Science

552 views • 17 slides
more on expectation 1 2 properties of expectation properties of expectation Linearity, II

more on expectation 1 2 properties of expectation properties of expectation Linearity, II

properties of expectation Linearity of expectation, I For any constants a, b : E[ aX + b ] = a E[ X ] + b more on expectation 1 2 properties of expectation properties of expectation Linearity, II Note: Linearity is special! Let X

322 views • 5 slides
Informatics 1 Computation and Logic CNF DNF and quantifiers Michael Fourman 1 Boolean Algebra

Informatics 1 Computation and Logic CNF DNF and quantifiers Michael Fourman 1 Boolean Algebra

Informatics 1 Computation and Logic CNF DNF and quantifiers Michael Fourman 1 Boolean Algebra x ( y z ) = ( x y ) z x ( y z ) = ( x y ) z associative x ( y z ) = ( x y ) ( x z ) x ( y

344 views • 17 slides
Key safety messages: The following slides are a subset of the talk provided on 17 May

Key safety messages: The following slides are a subset of the talk provided on 17 May

30/05/2017 17 May 2017 Rural Dividend Event Sue Senger, PhD, RPBio, PAg Windwalker Consulting Services St't'imc Government Services Key safety messages: The following slides are a subset of the talk provided on 17 May 2017 1

439 views • 8 slides
SIZING UP RESPONSIVE IMAGES TALK MAKE A PLAN BEFORE YOU DRUPAL MARCH 5, 2016 MARC DRUMMOND

SIZING UP RESPONSIVE IMAGES TALK MAKE A PLAN BEFORE YOU DRUPAL MARCH 5, 2016 MARC DRUMMOND

SIZING UP RESPONSIVE IMAGES TALK MAKE A PLAN BEFORE YOU DRUPAL MARCH 5, 2016 MARC DRUMMOND DATE SPEAKER Photo credit: Dave Emerson, Trouble, Flickr Creative Commons Marc Drummond Front-end Developer, Lullabot @MarcDrummond

1.61k views • 115 slides

More recommend