introduction to security
play

Introduction to Security Kira Chan K. Chan: CSE435: Software - PDF document

Feb 24, 2024 •489 likes •950 views

11/26/19 Introduction to Security Kira Chan K. Chan: CSE435: Software Engineering Software expectation In a regular messaging application, what do you expect? Let's assume you want to use it to meet your friend for Friday night dinner.

  1. 11/26/19 Introduction to Security Kira Chan K. Chan: CSE435: Software Engineering Software expectation • In a regular messaging application, what do you expect? • Let's assume you want to use it to meet your friend for Friday night dinner. • Messages are delivered • Delivers within a time limit threshold • No one else is reading your messages • Message is not altered • Application does not “lag” • Etc K. Chan: CSE435: Software Engineering K. Chan: CSE435: Software Engineering 1

  2. 11/26/19 Terminology • “A computer is secure if you can depend on it and its software to behave as you expect (intent).” ​ • ‘ Trust describes our level of confidence that a computer system will behave as expected.’ (intended)​ [Garfinkel & Spafford, Kasten] ​ K. Chan: CSE435: Software Engineering Why should we consider security? • Can you build a messaging application that satisfies requirements • Who are the requirements made for? • Stakeholders? • Users? • Does every user conform to the expectations you have set? • Resources and information contain monetary or other values • Security breaches could be damaging to your reputation • When is security usually taken into consideration? • Security is often an after thought • Added onto a system, it may not fully address the underlying issue • Lots of new “Band-Aids” to patch an issue, causes inefficiency K. Chan: CSE435: Software Engineering K. Chan: CSE435: Software Engineering 2

  3. 11/26/19 Potential impact • Wannacry • Encrypts user data and demand ransom to decrypt it • https://www.symantec.com/blogs/threat-intelligence/wannacry-ransomware-attack • Say I encrypted your laptop, your final exam is tomorrow • Ransom is every asset you have • Do you pay it? • Safety? • What if critical systems are compromised? K. Chan: CSE435: Software Engineering De Definition (NIST) • Computer security is the protection afforded to an automated information system in order to attain the applicable objective of preserving the integrity, availability and confidentiality of the system’s resources • https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-14.pdf K. Chan: CSE435: Software Engineering K. Chan: CSE435: Software Engineering 3

  4. 11/26/19 Confidentiality, Integrity and Availability • Confidentiality : information are not disclosed to unauthorized parties • Integrity : assure that information and program are only changed in an authorized manner • A message is actually from where it claims to have come from • Mailman delivers you a mail from your best friend overseas, how do you know if this message have not been modified? • Availability : assures that the systems work promptly, and services are not denied to authorized users when they request them K. Chan: CSE435: Software Engineering Castle analogy Img source: McCallum K. Chan: CSE435: Software Engineering K. Chan: CSE435: Software Engineering 4

  5. 11/26/19 Security challenges. • Defending a system is hard since we must secure all weak points • Attacker only needs to find one exploit • Users do not like complicated systems • Benefit of security is not considered until a breach occurs • IT tech person, why do we even hire this guy? • Impediment to the user K. Chan: CSE435: Software Engineering Terminology • Security Policy : a set of rules and practices that specify or regulate how a system provides security services to protect sensitive and critical system resources • Vulnerability : a flaw or weakness in a system that can be exploited • Threat : a potential violation of security; a possible danger that might exploit a vulnerability • Attack : an assault on the system that derives from a threat. • Threats carried out K. Chan: CSE435: Software Engineering K. Chan: CSE435: Software Engineering 5

  6. 11/26/19 Threats • Hardware: physical devices – easy target • “Involuntary computer-slaughter” • Accidental acts not intended to do harm • E.g. Spilling a drink on computer • “Voluntary computer slaughter” – machinicide: • Purposely break a machine • Software: equipment worthless without software • Deletion • Modification • Theft Slide provided from Dr. Cheng K. Chan: CSE435: Software Engineering Why are we talking about this? • Time is money • Organizations want a product that makes money, so time spent not making money producing software is wasted time. • Monetory consequences are often not considered until a breach. • Example: CSE3xx programs. • Did you consider security when you developed your programs? K. Chan: CSE435: Software Engineering K. Chan: CSE435: Software Engineering 6

  7. 11/26/19 Patches K. Chan: CSE435: Software Engineering Patches • Changes made to fix, improve or update your system • What are patches used for? • Bug-fixes • Improvements • New features • Why can we not just patch security issues away? K. Chan: CSE435: Software Engineering K. Chan: CSE435: Software Engineering 7

  8. 11/26/19 When to use patches for security • Security should be defined in your original design • Patches should only be given as emergency solution • User ignores patches a lot of time • Patches may not fix the fundamental issues K. Chan: CSE435: Software Engineering How do we provide security to a system? • Easiest way: no access. • Challenge is to prevent unauthorized access to system, while causing the least amount of impediment to legitimate users. User Security for experience system K. Chan: CSE435: Software Engineering K. Chan: CSE435: Software Engineering 8

  9. 11/26/19 How to design your system? • Design of security should be as small and simple as needed • Easy to test/verify its strength, fewer flaws • Open Design : security mechanism should not be a secret! • Why? • Experts can review and point to flaws • Reverse engineering can expose your software • You will not know if your software have been compromised K. Chan: CSE435: Software Engineering How to design your system (cont.) • Psychological acceptability : the security mechanisms should not interfere with the work of the user • Consider our messaging app • Asks for user password every 30 seconds • Less extreme of an example: require restart every 12 hours • User will disarm if not! • Layering : Multiple layers of security. Failure at one point will not leave your system compromised • Example: messaging application • Encrypt stored messages • Ensure other applications on same device cannot access those files • Least astonishment : no surprises! • Functions should conform to user expectation K. Chan: CSE435: Software Engineering K. Chan: CSE435: Software Engineering 9

  10. 11/26/19 Remainder of presentation • I will focus on what you can do as a developer to help secure your system • What to do and what not to do K. Chan: CSE435: Software Engineering Risk Assessment • Three questions to answer: • What am I trying to protect? • What do I need to protect against? • How much time, effort, and money am I willing to spend to obtain these protection? • Three key steps: • Identify assets • Identify threats • Calculate risks • Risk: expected loss from the probability that a threat that will exploit a vulnerability in the system Slide provided from Dr. Cheng K. Chan: CSE435: Software Engineering K. Chan: CSE435: Software Engineering 10

  11. 11/26/19 Identify Asset • What are you trying to protect against? Recall CIA • Data? • Message confidentiality? • System resources? • Availability? • Categories of vulnerabilities: • Corruption (loss of integrity) • Leaky (loss of confidentiality) • Unavailable or slow access (loss of availability) K. Chan: CSE435: Software Engineering Identify Threats • What is the threat? • Hackers? • Political opponents • Rival companies • Activist • What is the intent/objective of the threat? K. Chan: CSE435: Software Engineering K. Chan: CSE435: Software Engineering 11

  12. 11/26/19 3 classes of intruder skill level • Apprentice : minimal technical skills • Use existing technologies • Most intruders belong in this category • Easy to defend • Why? • Journeymen : modifies and extends attack toolkits • Master : high-level technical skills • Capable of discovering new attacks • Understands underlying protocol used • Writes their own attacks and toolkits • Hardest to defend against K. Chan: CSE435: Software Engineering Calculating risk • How likely is a particular threat? • What is the chance that X will happen, and what is the consequence of it? • If an event happens on regular basis, you can estimate based on previous experiences. K. Chan: CSE435: Software Engineering K. Chan: CSE435: Software Engineering 12

  13. 11/26/19 Different kind of attacks you may consider as a developer K. Chan: CSE435: Software Engineering Denial of Service (DoS) • Attack on availability of a system • Deny legitimate user the ability to use a system or its resources • Distributed Denial of Service attack (DDoS) K. Chan: CSE435: Software Engineering K. Chan: CSE435: Software Engineering 13

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

A (re)introduction to Spring Security Agenda Before Spring Security: Acegi security

A (re)introduction to Spring Security Agenda Before Spring Security: Acegi security

A (re)introduction to Spring Security Agenda Before Spring Security: Acegi security Introducing Spring Security View layer security Whats coming in Spring Security 3 E-mail: craig@habuma.com Blog: http://www.springloaded.info

452 views • 19 slides
INTRODUCTION cf. Schneider, Chapter 1 INTRODUCTION THEY ARE OUT TO GET YOU INTRODUCTION WHAT

INTRODUCTION cf. Schneider, Chapter 1 INTRODUCTION THEY ARE OUT TO GET YOU INTRODUCTION WHAT

ADVANCED COMPUTER SECURITY INTRODUCTION cf. Schneider, Chapter 1 INTRODUCTION THEY ARE OUT TO GET YOU INTRODUCTION WHAT IS SECURITY? A systems security policies describe What the system is supposed to do Store and provide access

479 views • 16 slides
Introduction to the Introduction to the Work of the Security Council Work of the Security

Introduction to the Introduction to the Work of the Security Council Work of the Security

Introduction to the Introduction to the Work of the Security Council Work of the Security Council Security Council Practices and Charter Research Branch Security Council Affairs Division Department of Political Affairs United Nations August

490 views • 28 slides
Introduction to Security Comm. Security Strategy Summary ITS335: IT Security Sirindhorn

Introduction to Security Comm. Security Strategy Summary ITS335: IT Security Sirindhorn

ITS335 Intro. to Security Concepts Threats, Attacks, Assets Introduction to Security Comm. Security Strategy Summary ITS335: IT Security Sirindhorn International Institute of Technology Thammasat University Prepared by Steven Gordon on 2

965 views • 34 slides
Introduction to the Introduction to the Work of the Security Council Work of the Security

Introduction to the Introduction to the Work of the Security Council Work of the Security

Introduction to the Introduction to the Work of the Security Council Work of the Security Council Security Council Affairs Division Department of Political Affairs United Nations August 2013 Outline What is the Security Council?

189 views • 16 slides
Chapter7. Security 7.1 Introduction 7.2 Overview of security techniques 7.3 Cryptographic

Chapter7. Security 7.1 Introduction 7.2 Overview of security techniques 7.3 Cryptographic

Chapter7. Security 7.1 Introduction 7.2 Overview of security techniques 7.3 Cryptographic algorithms 7.4 Digital signatures 7.5 Cryptography pragmatics 7.1. Introduction Why need security mechanisms in DS? Share of resources

364 views • 24 slides
Confidentiality and disclosure Mohamed Sayed Saidngar@yahoo.com Introduction - Introduction to

Confidentiality and disclosure Mohamed Sayed Saidngar@yahoo.com Introduction - Introduction to

Confidentiality and disclosure Mohamed Sayed Saidngar@yahoo.com Introduction - Introduction to data security. - Security requirements. - Types of security threats. - Security risks. - Technologies and security solutions. Introduction

411 views • 37 slides
Introduction to Network Security Chapter 10 Web Security Dr. Doug Jacobson - Introduction to 1

Introduction to Network Security Chapter 10 Web Security Dr. Doug Jacobson - Introduction to 1

Introduction to Network Security Chapter 10 Web Security Dr. Doug Jacobson - Introduction to 1 Network Security - 2009 Topics WWW HTTP: Hyper Text Transfer Protocol HTTP Security HTML Protocol HTML Security

1.09k views • 74 slides
Advanced Systems Security: Introduction to OS Security Trent Jaeger Systems and Internet

Advanced Systems Security: Introduction to OS Security Trent Jaeger Systems and Internet

Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA Advanced Systems Security: Introduction to OS Security Trent

770 views • 28 slides
Security Overview Security Goals The Attack Space Security Mechanisms

Security Overview Security Goals The Attack Space Security Mechanisms

CSCE Intro to Computer Systems Security Security Overview Security Goals The Attack Space Security Mechanisms Introduction to Cryptography Authentication Authorization Confidentiality Case Studies Security

472 views • 20 slides
Introduction to Computer Security Rev. Sept 2015 What is Computer Security? 2 Computer

Introduction to Computer Security Rev. Sept 2015 What is Computer Security? 2 Computer

Introduction to Computer Security Rev. Sept 2015 What is Computer Security? 2 Computer Security is the protection of computing systems and the data that they store or access 3 Why is Computer Security Important? Computer Security allows

690 views • 19 slides
Introduction to Computer Security Why do we need computer security? What are our goals and

Introduction to Computer Security Why do we need computer security? What are our goals and

Introduction to Computer Security Why do we need computer security? What are our goals and what threatens them? Lecture 1 Page 1 CS 236 Online Why Is Security Necessary? Because people arent always nice Because a lot of

415 views • 25 slides
Preparing for the Unthinkable Cyber Security Chicago 2018 Agenda Introduction Security

Preparing for the Unthinkable Cyber Security Chicago 2018 Agenda Introduction Security

Preparing for the Unthinkable Cyber Security Chicago 2018 Agenda Introduction Security Landscape Meraki Security Demo Security Landscape The Growing Importance of Security MALWARE HAS RISEN BY MORE THAN 10X IN THE LAST YEAR 70% M ALW AR E

604 views • 35 slides
Com puter Security Last tim e Introduction Threat analysis Threats Introduction

Com puter Security Last tim e Introduction Threat analysis Threats Introduction

Com puter Security Last tim e Introduction Threat analysis Threats Introduction to access control Policy matrix Specification Design Implementation Operation and Maintenance Security in the Course Lectures

784 views • 40 slides
Software Defjned Networking Security Outline Introduction What is SDN? SDN attack

Software Defjned Networking Security Outline Introduction What is SDN? SDN attack

Software Defjned Networking Security Outline Introduction What is SDN? SDN attack surface Recent vulnerabilities Security response Defensive technologies Next steps Introduction Security nerd, recovering

790 views • 39 slides
Introduction to Security Attacks Services Mechanisms CSS441: Security and Cryptography

Introduction to Security Attacks Services Mechanisms CSS441: Security and Cryptography

CSS441 Introduction Concepts Architecture Introduction to Security Attacks Services Mechanisms CSS441: Security and Cryptography Sirindhorn International Institute of Technology Thammasat University Prepared by Steven Gordon on 20

678 views • 23 slides
RIGIDITY OF GROUP ACTIONS II. Orbit Equivalence in Ergodic Theory Alex Furman (University of

RIGIDITY OF GROUP ACTIONS II. Orbit Equivalence in Ergodic Theory Alex Furman (University of

RIGIDITY OF GROUP ACTIONS II. Orbit Equivalence in Ergodic Theory Alex Furman (University of Illinois at Chicago) March 1, 2007 Ergodic Theory of II 1 Group Actions II 1 Systems: discrete countable group ( X , B , ) std

890 views • 70 slides
PowerFactory Users Conference and Future Networks Technical Seminar DIgSILENT Pacific &

PowerFactory Users Conference and Future Networks Technical Seminar DIgSILENT Pacific &

PowerFactory Users Conference and Future Networks Technical Seminar DIgSILENT Pacific & The University of Sydney 5-6 September 2013, Sydney Harbour Marriott Hotel 1 Future Networks ( or SmartGrid) Some Issues in Deployment of

606 views • 22 slides
When does variation lead to change? A dynamical systems model of a stress shift in English Morgan

When does variation lead to change? A dynamical systems model of a stress shift in English Morgan

When does variation lead to change? A dynamical systems model of a stress shift in English Morgan Sonderegger 1 (Department of Computer Science, University of Chicago) Workshop on Language and Cognition 1/18/08 1 This work is in collaboration

594 views • 38 slides
Technical-Economic impact of UWB personal area networks on a UMTS cell: Market-driven dynamic

Technical-Economic impact of UWB personal area networks on a UMTS cell: Market-driven dynamic

Preamble Case study: 3G Supplementary material Technical-Economic impact of UWB personal area networks on a UMTS cell: Market-driven dynamic spectrum allocation revisited Virgilio RODRIGUEZ and Friedrich JONDRAL Institut fr

269 views • 25 slides
Marge-bot: better Giting with python Europython 2018 Alexander Schmolck Mika Bostrom

Marge-bot: better Giting with python Europython 2018 Alexander Schmolck Mika Bostrom

Marge-bot: better Giting with python Europython 2018 Alexander Schmolck Mika Bostrom What's wrong about this picture? What's wrong with this picture? What's wrong about this picture? Outline The typical CI setup or going from green

1.19k views • 77 slides
COORDINATING DISTRIBUTED SYSTEM CONFIGURATION CHANGES WITH HUMMING CONSENSUS Scott Lystig

COORDINATING DISTRIBUTED SYSTEM CONFIGURATION CHANGES WITH HUMMING CONSENSUS Scott Lystig

COORDINATING DISTRIBUTED SYSTEM CONFIGURATION CHANGES WITH HUMMING CONSENSUS Scott Lystig Fritchie, Basho Japan PaPOC 2016, London 2016-04-18 Machi village or town Motivation Building a distributed, fault-tolerant blob/file

905 views • 41 slides
Project Planning/Management Dr. Crawford 1/24/2018 School of Mines Overview Project

Project Planning/Management Dr. Crawford 1/24/2018 School of Mines Overview Project

Project Planning/Management Dr. Crawford 1/24/2018 School of Mines Overview Project Planning Effective Meetings School of Mines Project lifecycle School of Mines Project Planning 1. Define the Project Goals and Scope 2. Breakdown

269 views • 16 slides
Professional Issues Professions and Professionals Law and Government (Bott, Chapter 1) Read

Professional Issues Professions and Professionals Law and Government (Bott, Chapter 1) Read

Professional Issues Professions and Professionals Law and Government (Bott, Chapter 1) Read Chapter 1 and understand what is meant by: Jurisdiction Civil Law Criminal Law Burden of Proof S tandard of Proof S

358 views • 21 slides

More recommend