security
play

Security Jerry den Hartog Room: MF 6.063 - PowerPoint PPT Presentation

Jan 12, 2024 •195 likes •720 views

(An Introduction to Computer) Security Jerry den Hartog Room: MF 6.063 http://www.win.tue.nl/~jhartog/CourseSecurity/ What is Security? Lets start with some free association Course rse O Overvi rview Goal Challenge IT Infrastructures

  1. (An Introduction to Computer) Security Jerry den Hartog Room: MF 6.063 http://www.win.tue.nl/~jhartog/CourseSecurity/

  2. What is Security? Lets start with some free association

  3. Course rse O Overvi rview Goal Challenge IT Infrastructures & Security Goals Approach Course Privacy Schedule Confidentiality EHR Network Integrity Availability

  4. Course rse O Overvi rview Goal Challenge Threats & Countermeasures Approach Course Schedule EPD Network

  5. Course rse O Overvi rview Goal See www.win.tue.nl/~jhartog/CourseSecurity Challenge Approach Topic Wednesday Topic Friday Lab session Schedule Introduction Cryptography basics Web of Trust Cryptography Network security basics HTTP basics, Sniffing and tampering Malware, web services Hashes, Certificates, SQL injection and XSS security etc. Access Control (AC) Digital Rights AC and session Management information stealing Authentication Authentication Authentication Flaws, (Passwords, (Hardware tokens) Password cracking Biometrics) Security Protocols Exercises: Security Session stealing & Protocol and side phishing channel attack Privacy and Anonymity Exercises & Exam --- Preparation

  6. Se Security : : Wh What Wh When Wh Why & y & How Content Security What-When-Why-How What Why When How  What & When  How  Dependability ~ Security  Security approaches, models & tools  Security Attributes  Security trade-offs  Security Policies  Security architectures & engineering  Why  attacks & attackers  Analysing a scenario  common security issues  Security requirements  Measuring security  Conclusions

  7. Se Secu curity: WWW&H WWW&H Content What Why When What How The Why of Security How

  8. Se Secu curity: WWW&H WWW&H Content What To get Security... Why When How  prevent “disallowed” usage ? “The only truly secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards” E. Spafford  ... and enable “allowed” usage ?  Difference “Dependability” and “Security” ?  Other options than prevention

  9. Se Secu curity: WWW&H WWW&H Content Dependability vs. Security What Why When Dependability Problem ? How program x  only works half of the time  crashes the computer  may cause the computer to explode  no longer works with the firewall installed  can stop the firewall from working  posts all your emails on a public website  tracks all your online activities  changes the data used by program y Security Problem ?

  10. The `What’ of security - Security Attributes Confidentiality Dependability Integrity Availability Privacy vs. Authenticity Non-repudiation Security (2) Accountability Basic Concepts and Taxonomy of Dependable and Secure Computing IEEE TRANSACTIONS ON DEPENDABLE AND SECURE COMPUTING

  11. The `What’ of security - Security Attributes C-I-A Privacy Online Privacy Authenticity Non-repudiation Accountability Peter Steiner 1993 Nik Scott 2008

  12. The `What’ of security - Security Attributes C-I-A Privacy Privacy Alice Authenticity Non-repudiation Accountability  EU directives (e.g. 95/46/EC) to protect privacy.  College Bescherming Persoonsgegevens (CBP)  What is privacy? • Users “ must be able to determine for themselves when, how, to what extent and for what purpose information about them is communicated to others ” (Definition PRIME, European project on privacy & ID management.)  Try to protect: Privacy Enhancing Technologies (PETs)

  13. The `What’ of security - Security Attributes C-I-A EU Data Protection Directive Privacy Authenticity Non-repudiation Personal data usage requirements: Accountability  Notice of data being collected  Purpose for data use  Consent for disclosure  Informed who is collecting their data  Kept secure  Right to access & correct data  Accountability of data collectors

  14. The `What’ of security - Security Attributes C-I-A Other Security Attributes Privacy Authenticity Non-repudiation  Authenticity Accountability  users or data are genuine  Prescription is real and issued by a genuine Md.  Non-repudiation  Cannot be denied (action/agreement/...)  Dr. cannot claim not issuing prescription To achieve (means): (Digital) signatures  Accountability  Ability to hold users accountable for their actions  Dr. can be identified, found and is liable for wrong prescriptions

  15. The `When’ of security - Security policies Security Policies & Models  Policy: Specifies “allowed” / “disallowed”  Context; applies to ..., approved/imposed by ...  Usage; required enforcement, dealing with breaches  Different notions of `security policy’:  from general intention statement “Data shall only be available to those with a `need-to-know’”  to formal, detailed specification “drwxr-xr-x”, access control list, XACML policy, etc.  Security Model  (Formal) Framework to express and interpret policies. E.g. relations on Users - Objects - Permissions - Groups.

  16. The `When’ of security - Security policies Security Policies & Models  Policy: Specifies “allowed” / “disallowed”  Context;  applies to ...,  approved/imposed by ...  Etc.  Usage;  required enforcement  dealing with breaches  Different notions of `security policy’  Security Model

  17. The `When’ of security - Security policies Security Policies & Models  Policy: Specifies “allowed” / “disallowed”  Different notions of `security policy’:  from general intention statement “Data shall only be available to those with a `need-to-know’”  to formal, detailed specification “drwxr-xr-x”, access control list, XACML policy, etc.  Security Model

  18. The `When’ of security - Security policies Security Policies & Models  Policy: Specifies “allowed” / “disallowed”  Different notions of `security policy’:  Security Model  (Formal) Framework to express and interpret policies. E.g. relations on Users - Objects - Permissions - Groups

  19. Summerizing the What & When  Security attributes – what to achieve  Security Policies – When to achieve them  Security Model – Setting to interpret policies

  20. What The Why of Security How

  21. A day’s worth of security news (2012)  Android-malware verstopt zich via steganografie  Microsoft: hang op als we bellen  Google mailt gebruikers over nieuw privacybeleid  OpenDNS laat Mac-gebruiker onzichtbaar internetten  "Google Chrome ruimt andermans rotzooi op”  Cybercriminelen vluchten naar Sovjet-Unie  FBI zet 15.000 euro op hoofd internetoplichter  Microsoft en Google samen tegen phishing  Leerlingen opgepakt wegens hacken schoolcijfers  DigiD offline wegens hash collision-lek  Rootkit infecteert pc via Windows Media Player  Android-malware besmet miljoenen gebruikers Source: Security.nl

  22. A day’s worth of security news (28-1-13)  58.000 toezichtcamera's open voor hackers  CBP: overheid weet veel te veel van ons  'WhatsApp schendt privacy gebruikers'  Autorun-worm houdt huis in Pakistan  200MB groot virus verrast onderzoekers  Pornosites veroorzaken piek in politievirussen  5 beveiligingstips voor WordPress-gebruikers  Afmeldlink e-mail blijft grootste bron van ergernis  Pentagon vervijfvoudigt aantal cybersoldaten  'Brussel moet privacy burgers beter beschermen'  Veel gemeenten lek door verouderde software  'Apple laat verwijderde iPhone sms'jes staan'  Oracle gaat veiligheid Java verbeteren Source: Security.nl

  23. Attackers & Attacks  (WHAT) Break Security goals (Attributes)  (WHY) Reach Attacker goals  (WHO) IBM Attacker classification  I: Clever outsiders  II: Knowledgeable insiders  III: Funded Organisations  (WHO’) CPA - CCA - etc.  Formalization attack context  Attacker goals and capabilities

  24. Some common security issues  Security as an after thought  Needs to be addressed from the start  Forgetting security depends on the whole system  Focusing where the risk isn't (...more below)  Single point of failure  Breach of a security feature causes complete breakdown of system  Security by obscurity  Obscurity may help but it is dangerous to have the security design depend on it (Kerckhoff’s principle)

  25. Some common security issues (2)  Lack of Security policies  Lack of Preventative management  Keep systems up to date (e.g. patching)  Practice failure situations  Lack of Use of security features  E.g. Windows XP included firewall but not active (pre SP2)  Only need to check single checkbox  Relying on users for security AliceBob  expertise, awareness, priorities

  26. Weakest Link – Different aspects of security  ``A chain is as strong as its weakest link’’  Security needs to be addressed in its whole; Looking at a single aspect is like looking at a single link.  system design (security not addressed)  quality of software (bugs in code)  strength of encryption (bad algorithm, bad `randomness’, length/chose of key)  system usage (bad passwords, not using security features)

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

What is network security? Friends and enemies: Alice, Bob, Trudy What is network security?

What is network security? Friends and enemies: Alice, Bob, Trudy What is network security?

Network security Network security Foundations: what is security? cryptography Network Security Network Security authentication message integrity key distribution and certification Security in practice: Srinidhi Varadarajan

332 views • 6 slides
Security Security as term, Possible Security violations Authentication Criteria for

Security Security as term, Possible Security violations Authentication Criteria for

BS1 WS19/20 topic-based slides Security Security as term, Possible Security violations Authentication Criteria for Trust in Computer Systems Three hearts of Windows Security DACLs A Look at Security System is secure if

988 views • 20 slides
CPSC410/611: Security Security Security Attacks Security Threats Crypto

CPSC410/611: Security Security Security Attacks Security Threats Crypto

CPSC 410 / 611 : Operating Systems CPSC410/611: Security Security Security Attacks Security Threats Crypto Authentication Examples SSL Security Threats Breach of confidentiality unauthorized access to

458 views • 18 slides
Biometrics and Security Biometrics and Security Biometrics and Security Biometrics and Security

Biometrics and Security Biometrics and Security Biometrics and Security Biometrics and Security

Biometrics and Security Biometrics and Security Biometrics and Security Biometrics and Security WS 06/07 Seminar Prof. Dr.-Ing. Jana Dittmann & Dr.-Ing. Claus Vielhauer with support from Tobias Scheidat

419 views • 16 slides
1 X.800 Security Services X.800 Security Services X.800 Security Services Data integrity

1 X.800 Security Services X.800 Security Services X.800 Security Services Data integrity

Course Overview Course Requirements EECS 498-7/8 Cryptography and Network Security: www.citi.umich.edu/u/honey/security Principles and Practice (Third Edition) Computer Security Monday & Friday, 9:00 10:30 William Stallings

670 views • 19 slides
A (re)introduction to Spring Security Agenda Before Spring Security: Acegi security

A (re)introduction to Spring Security Agenda Before Spring Security: Acegi security

A (re)introduction to Spring Security Agenda Before Spring Security: Acegi security Introducing Spring Security View layer security Whats coming in Spring Security 3 E-mail: craig@habuma.com Blog: http://www.springloaded.info

452 views • 19 slides
Network Security Network Security Srinidhi Varadarajan Network security Network security

Network Security Network Security Srinidhi Varadarajan Network security Network security

Network Security Network Security Srinidhi Varadarajan Network security Network security Foundations: what is security? cryptography authentication message integrity key distribution and certification Security in practice:

634 views • 36 slides
Security Overview Security Goals The Attack Space Security Mechanisms

Security Overview Security Goals The Attack Space Security Mechanisms

CSCE Intro to Computer Systems Security Security Overview Security Goals The Attack Space Security Mechanisms Introduction to Cryptography Authentication Authorization Confidentiality Case Studies Security

472 views • 20 slides
SECURITY TESTING Towards a safer web world AGENDA 1. 3 WS OF SECURITY TESTING 2. SECURITY

SECURITY TESTING Towards a safer web world AGENDA 1. 3 WS OF SECURITY TESTING 2. SECURITY

SECURITY TESTING Towards a safer web world AGENDA 1. 3 WS OF SECURITY TESTING 2. SECURITY TESTING CONCEPTS 3. SECURITY TESTING TYPES 4. TOP 10 SECURITY RISKS Few Security Breaches Date: 2013-14 September 2016, while in negotiations to

404 views • 18 slides
Security Security with Distributed Systems Why Security? The need for security mechanisms in

Security Security with Distributed Systems Why Security? The need for security mechanisms in

Security Security with Distributed Systems Why Security? The need for security mechanisms in distributed systems arises from the desire to share resources Resources must be protected against unauthorized access, as enemies (attackers)

1.16k views • 67 slides
Security Overview Security Goals The Attack Space Security Mechanisms

Security Overview Security Goals The Attack Space Security Mechanisms

CPSC 410/611 Operating Systems Security Security Overview Security Goals The Attack Space Security Mechanisms Introduction to Cryptography Authentication Authorization Confidentiality Case Studies

419 views • 19 slides
International and Global Security 1 Peer Discussion What is security? 2 International

International and Global Security 1 Peer Discussion What is security? 2 International

International and Global Security 1 Peer Discussion What is security? 2 International Security What is security? Freedom from threats to core values? Contestation over referent object: Individual? State? System? How is security achieved?

715 views • 11 slides
Security 101 Definition of Information Security Information security is the protection of

Security 101 Definition of Information Security Information security is the protection of

Computing Services Information Security Office Security 101 Definition of Information Security Information security is the protection of information and systems from unauthorized access, disclosure, modification, destruction or disruption. The

469 views • 22 slides
Security Update Security Plans Our Security plans are For Official Use Only, Safety

Security Update Security Plans Our Security plans are For Official Use Only, Safety

Security Update Security Plans Our Security plans are For Official Use Only, Safety Sensitive Information Not for public or media release F.S. 119.071. Required by law, rule and regulation: Homeland Security Directive 5 and 8.

393 views • 11 slides
Com puter Security Part One Security as a subject Security is an old problem in the

Com puter Security Part One Security as a subject Security is an old problem in the

Com puter Security Part One Security as a subject Security is an old problem in the computing world, and are parallel to even older problems outside computing Required level of security is always related to what you protect

237 views • 23 slides
Introduction to Security Comm. Security Strategy Summary ITS335: IT Security Sirindhorn

Introduction to Security Comm. Security Strategy Summary ITS335: IT Security Sirindhorn

ITS335 Intro. to Security Concepts Threats, Attacks, Assets Introduction to Security Comm. Security Strategy Summary ITS335: IT Security Sirindhorn International Institute of Technology Thammasat University Prepared by Steven Gordon on 2

965 views • 34 slides
Trusted Components Reuse, Contracts and Patterns Prof. Dr. Bertrand Meyer Dr. Karine Arnout

Trusted Components Reuse, Contracts and Patterns Prof. Dr. Bertrand Meyer Dr. Karine Arnout

1 Last update: 19 October 2004 Trusted Components Reuse, Contracts and Patterns Prof. Dr. Bertrand Meyer Dr. Karine Arnout Trusted Components: Reuse, Contracts and Patterns - Lecture 17 Chair of Softw are Engineering 2 Lecture 17:

430 views • 39 slides
PRO-CO W: Proto col Compli ance on the W eb Bala chander Krishnamur thy Mar tin

PRO-CO W: Proto col Compli ance on the W eb Bala chander Krishnamur thy Mar tin

PRO-CO W: Proto col Compli ance on the W eb Bala chander Krishnamur thy Mar tin Arlitt bala@resea rch.att.com a rlitt@hpl.hp.com A T&T Labs - Resea rch HP Labs Bala chander Krishnamur thy 1 State of the W eb

535 views • 15 slides
Reliably Determining the Outcome Reliably Determining the Outcome of Computer Network Attacks of

Reliably Determining the Outcome Reliably Determining the Outcome of Computer Network Attacks of

Reliably Determining the Outcome Reliably Determining the Outcome of Computer Network Attacks of Computer Network Attacks th Annual FIRST Conference 18 th Annual FIRST Conference 18 Capt David Chaboya Dr Richard Raines, Dr Rusty Baldwin, Dr

447 views • 34 slides
.NET Passport Security Framework CPSC 328 Spring 2009 UDDI Review Publish/Find

.NET Passport Security Framework CPSC 328 Spring 2009 UDDI Review Publish/Find

.NET Passport Security Framework CPSC 328 Spring 2009 UDDI Review Publish/Find functionality Yellow Pages businessService White Pages businessEntity Green Pages bindingTemplate tModel

671 views • 9 slides
Introducing Asp.Net La risposta Microsoft alle esigenze del server side (leggi JSP)

Introducing Asp.Net La risposta Microsoft alle esigenze del server side (leggi JSP)

Cos? Introducing Asp.Net La risposta Microsoft alle esigenze del server side (leggi JSP) Levoluzione (rivoluzione) di ASP Ing. Gabriele Zannoni La tecnologia per la scrittura di pagine gabriele.zannoni@unibo.it dinamiche

344 views • 7 slides
How and why this doctorate school edition is conceived ISAPP and The Pierre Auger Observatory

How and why this doctorate school edition is conceived ISAPP and The Pierre Auger Observatory

ISAPP School 2019 at the Pierre Auger Observatory WELCOME TO Cosmic Ray Vision from the r Southern Sky Malargue, March 1-9 2019 Lorenzo Perrone for the Organizing committee How and why this doctorate school edition is conceived ISAPP and

569 views • 22 slides
Data Types by Erol Seke For the course Introduction to Programming OSMANGAZI UNIVERSITY

Data Types by Erol Seke For the course Introduction to Programming OSMANGAZI UNIVERSITY

Data Types by Erol Seke For the course Introduction to Programming OSMANGAZI UNIVERSITY MATLAB to C 1. Syntax is a little bit different. 2. You need to write a complete program to run. we could write scripts (a sequence of commands) in

1.63k views • 20 slides
Tom Lehman Mid-Atlantic Crossroads University of Maryland Perspective/Reference

Tom Lehman Mid-Atlantic Crossroads University of Maryland Perspective/Reference

Global Lambda Integrated Facility (GLIF) Technical Working Group Meeting #19 Honolulu, Hawaii January 16, 2013 Tom Lehman Mid-Atlantic Crossroads University of Maryland Perspective/Reference Points/Assumptions SDN is an abstract,

297 views • 10 slides

More recommend