The Security Theme: an introduction (PowerPoint presentation)


SLIDE 1

Advanced Computer Science Security Theme

The Security Theme: an introduction

School of Computer Science The University of Manchester


SLIDE 2

Outline

  • Why do we need a Security Theme?
  • Core Modules
    – Cryptography
    – Cyber security
  • Some Research Activities
  • Ratio of hackers to security professionals ~ 1000:1*
  • Computer Security
  • Military Intelligence
  • The laws of thermodynamics**
  • But you can manage the risks . . .
  • …disrupt and counter the kill chain…
  • . . . taking heed of the Security Theme!

*SANS (SysAdmin, Audit, Network, Security) Institute
**You can’t win . . . you can’t even break even

SLIDE 3

The challenge…

SLIDE 4

‘Hacking’-as-a-service

  • Consulting services such as botnet setup ($350-$400)
  • Infection/spreading services (~$100 per 1K installs)
  • Botnets & Rentals [Distributed Denial of Service (DDoS) $535 for 5 hours a day for one week], e-mail spam ($40 / 20K e-mails) and Web spam ($2/30 posts)
  • Blackhat Search Engine Optimization (SEO) ($80 for 20K spammed backlinks)
  • Inter-Carrier Money Exchange and Mule services (25% commission)
  • Recruited CAPTCHA Breaking ($1/1000 CAPTCHAs)
  • Crimeware Upgrade Modules: using Zeus modules as an example, prices range anywhere from $500 to $10K

Source: Fortinet 2013 Cybercrime Report

SLIDE 5

So we need a fifth column…

…to protect the systems of today and build tomorrow’s systems safely


SLIDE 6

Cyber Security: topics

  • Risk assessment
  • Requirement and policy specifications
  • Solutions and countermeasures
    – Intrusion detection/prevention
    – Secure software
    – Authentication and authorisation
    – Virtual Private Networks
    – Firewalls
    – Digital certification and Public Key Infrastructures
    – Real-life exemplar security systems (cloud computing security, web security, email security, wireless network security, electronic payment systems, etc.)
  • Audits and reviews
  • System security planning
  • Penetration testing
  • Digital forensics

SLIDE 7

How

  • Lectures
  • Guest lectures
    – CY40R; Digital forensics
    – McAfee; Malware and intruders: vulnerabilities and countermeasures
    – NCC Group; Penetration Testing
  • Cryptography
    – Examination (60%)
    – Coursework (40%)
  • Cyber security
    – Coursework (2x25%)
      • Groupwork
      • Case studies
      • Report
      • Review/inspect
      • Templates
        – Report
        – Risk treatment plan
    – Examination (50%)
  • Employment potential

SLIDE 8

Cyber security (COMP61421)

[Diagram: Information Assets, with their Dependencies, carry a Business Impact (Value, in terms of C-I-A); a Risk Assessment, recorded in a Risk Register and shaped by Risk Attitude, selects Risk Treatments (Controls) across People (Human Factors, Behaviour), Technology and Process; Realised Risk feeds Security Incidents and Events and Business Continuity.]

SLIDE 9

IT Governance (COMP60721)

[Diagram: the slide 8 risk model (Information Assets, Business Impact, Risk Assessment and Risk Register, Risk Treatments and Controls, Realised Risk, Security Incidents and Events, Business Continuity) placed inside an IT governance frame: Objectives, Risk Appetite and an Ethical framework; Leadership that Directs, Evaluates and Monitors for Conformance and Performance; Portfolio, Programme and Project Management; Security Architecture; Development and Operations; and the Use, Abuse and Failure of systems.]

SLIDE 10

Help…new and constant

Bad

  • 20000 new pieces of malware per hour (McAfee)
  • 15 friends invited on Facebook…21,000 accepted
  • £60,000 for losing an unencrypted laptop
  • Fined £100,000 for faxing details of a child sex abuse case to a member of the public
  • Fined £2.75m for losing a laptop with records of 46,000 people

Good

  • You become the Fifth Column
    1. Cryptography
    2. Cyber security

SLIDE 11

SLIDE 12

Summary: the two laws of security

1. Never reveal everything you know.

And now Dr Zhang on some more projects…

SLIDE 13

Some research Projects/Activities

  • Designs of systems or solutions for security and privacy in distributed systems
  • Cloud and Ubiquitous Computing, and electronic commerce…
  • …covering issues such as risk-based authentication, authorisation, intrusion detection, and trust management.
  • FAME-Permis
  • Traceable Identity Privacy
  • FIDES
  • Context-aware Security Provision
  • Wireless Network Security
  • Adaptive Security Solutions

SLIDE 14

The FAME-Permis Project

  • A middleware extension to Shibboleth to support
    – Inter-organisational resource sharing
    – Single sign-on
    – User identity privacy
    – Fine-grained access control

SLIDE 15

LoA linked AC (FAME-permis)

[Diagram: the user’s Browser (with PKCS#11 tokens, Java Cards, ...) talks over the Internet to the Shib Target (SHIRE, SHAR, Resource Gateway), to the WAYF (Where Are You From?) service and to the User’s Home Site Web Server, whose Shib-HS is protected by the FAME Login Server (F-LS). The F-LS contains a Host Authentication Module (HAM) with an ASI-API to the AuthServices x, y, z, … and a TI-API to the user’s tokens.]

Message flow:

  1. User request
  2. Re-direct to WAYF
  3. Re-direct to HS for Handle
  4. Authenticate yourself with AuthService x
  5. Authentication dialogue
  6. Authentication is successful
  7. Handle
  8. Handle (to the Shib Target - Resource Gateway)

SLIDE 16

FIDES

  • Aim to secure e-Commerce transactions, e.g.
    – e-Payment vs e-Goods (e-Purchase).
    – e-Goods/e-mail vs Signed receipt (Certified delivery).
    – Signed contract vs Signed contract (Contract signing).
    – e-Goods vs e-Goods (Barter).
  • Can be used to develop new secure business applications, such as e-procurement.

SLIDE 17

Context-aware Security Provision

  • Use your context data to determine the level of security protection
    – Your location
      • This room, or
      • Airport lounge
    – Your device
      • Wireless PDA, or
      • More capable desktop
    – Your past access history/profile
      • Have you been a good guy, or
      • You have tried to breach some rules

SLIDE 18

Context-aware Access Control

[Diagram: an Access Requester sends a request to the Policy Enforcement Point (PEP) guarding the Resource; the PEP asks the Policy Decision Point (PDP), which evaluates Policy from the Policy Store against context supplied by a Context Service (Context Acquisition from Sensors and other Context Sources) and returns the Policy Decision to the PEP.]
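The PEP/PDP architecture on this slide, the context-driven protection level of slide 17 and the LoA-linked access control of slide 15, as one added example that is not code from FAME-Permis or from the course: a small policy decision point in Python that raises the required level of assurance (LoA) when the requester’s context is less trusted (untrusted location, constrained device, past rule breaches) and, when it denies, names the weakest authentication service that would satisfy the policy so the PEP can send the user to step up. The policy schema, the LoA numbering (password 1, one-time code 2, PKCS#11 token 3), the location and device sets, the +1 weights and the sample resources are assumptions made for this example.

```python
# Added example: context-aware, LoA-linked access control with a PEP/PDP pair.
# Not code from FAME-Permis or the course; the policy schema, the LoA numbering
# (1 = password, 2 = one-time code, 3 = hardware token) and the +1 context
# weights below are assumptions made for this illustration.
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

# Assumed LoA reached through each authentication service (slide 15's
# "AuthService x, y, z"); higher means stronger assurance.
AUTH_SERVICE_LOA = {"password": 1, "otp": 2, "pkcs11_token": 3}
MAX_LOA = max(AUTH_SERVICE_LOA.values())

@dataclass(frozen=True)
class Context:
    """Context data acquired about the requester (slide 17)."""
    location: str         # e.g. "this_room" or "airport_lounge"
    device: str           # e.g. "desktop" or "wireless_pda"
    past_violations: int  # earlier attempts to breach some rules

@dataclass(frozen=True)
class Request:
    subject: str
    resource: str
    action: str
    auth_service: str     # how the subject authenticated this session

@dataclass(frozen=True)
class Decision:
    permit: bool
    required_loa: int
    achieved_loa: int
    reason: str
    step_up_to: Optional[str] = None  # weakest service that would satisfy the policy

class PolicyStore:
    """Per-resource rule: permitted actions and the LoA required in a trusted context."""
    def __init__(self) -> None:
        self._rules: dict[str, tuple[frozenset[str], int]] = {}
    def add(self, resource: str, actions: set[str], base_loa: int) -> None:
        self._rules[resource] = (frozenset(actions), base_loa)
    def lookup(self, resource: str) -> Optional[tuple[frozenset[str], int]]:
        return self._rules.get(resource)

class ContextService:
    """Turns acquired context into an uplift of the required LoA (weights assumed)."""
    UNTRUSTED_LOCATIONS = frozenset({"airport_lounge", "public_wifi"})
    CONSTRAINED_DEVICES = frozenset({"wireless_pda", "phone"})
    def required_uplift(self, ctx: Context) -> int:
        uplift = 0
        if ctx.location in self.UNTRUSTED_LOCATIONS:
            uplift += 1
        if ctx.device in self.CONSTRAINED_DEVICES:
            uplift += 1
        if ctx.past_violations > 0:
            uplift += 1
        return uplift

class PDP:
    """Policy Decision Point: policy + context -> Decision. Unknown resource/action: deny."""
    def __init__(self, store: PolicyStore, context_service: ContextService) -> None:
        self.store, self.context_service = store, context_service
    def decide(self, req: Request, ctx: Context) -> Decision:
        achieved = AUTH_SERVICE_LOA.get(req.auth_service, 0)  # unknown service counts as LoA 0
        rule = self.store.lookup(req.resource)
        if rule is None:
            return Decision(False, MAX_LOA, achieved, "no policy for resource")
        actions, base_loa = rule
        if req.action not in actions:
            return Decision(False, base_loa, achieved, "action not permitted")
        required = min(base_loa + self.context_service.required_uplift(ctx), MAX_LOA)
        if achieved >= required:
            return Decision(True, required, achieved, "LoA sufficient")
        # Name the weakest service that would do, so the PEP can ask for a step-up.
        step_up = min((s for s, loa in AUTH_SERVICE_LOA.items() if loa >= required),
                      key=AUTH_SERVICE_LOA.__getitem__, default=None)
        return Decision(False, required, achieved,
                        f"LoA {achieved} below required {required}", step_up)

class PEP:
    """Policy Enforcement Point guarding one resource handler."""
    def __init__(self, pdp: PDP, handler) -> None:
        self.pdp, self.handler = pdp, handler
    def access(self, req: Request, ctx: Context) -> tuple[Decision, Optional[str]]:
        decision = self.pdp.decide(req, ctx)
        if not decision.permit:
            return decision, None  # caller can redirect to decision.step_up_to
        return decision, self.handler(req)

def build_demo() -> PEP:
    """Constructed sample policy: a low-value and a higher-value resource."""
    store = PolicyStore()
    store.add("timetable", {"read"}, base_loa=1)
    store.add("grades_db", {"read", "write"}, base_loa=2)
    return PEP(PDP(store, ContextService()),
               lambda req: f"{req.action} on {req.resource} for {req.subject}")

if __name__ == "__main__":
    pep = build_demo()
    lounge = Context("airport_lounge", "wireless_pda", 0)
    print(pep.access(Request("alice", "grades_db", "read", "otp"), lounge))
    print(pep.access(Request("alice", "grades_db", "read", "pkcs11_token"), lounge))
```

Reading grades_db with a one-time code is enough from a desktop in a known room (required LoA 2) but not from a PDA in an airport lounge (uplift +2, capped at LoA 3), so the PDP denies and points at pkcs11_token as the step-up; the same policy refuses outright on an unknown resource or an action the rule does not list, which is the default-deny behaviour a PDP should have.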

SLIDE 19

Context-aware Adaptive Routing in MANETs

Context-aware multiple route adaptation can increase reliability with low costs.

[Diagram: nodes A, B, C, M, P and X with multiple routes towards the Internet.]

SLIDE 20

Other project opportunities may include…

  • Whitelisting software
  • A method to articulate requirements for security (MARS)
  • Measuring security maturity to understand the costs and benefits of countermeasures
  • Security dashboard
  • Information and cyber security threat analyser
  • IT Strategy design tool
  • Protect - Operate - Self-preserve: designing a universal secure architecture
  • Rules of engagement: legitimate use of the Dark Internet and Deep Web
  • Security economics modeller
  • Balancing technical security controls with human factors
  • An application to test websites for compliance and award a commensurate trust mark

SLIDE 21

Module Leader/Lecturers

  • Dr Ning Zhang, ning.zhang@manchester.ac.uk
  • Dr Daniel Dresner M.Inst.ISP, daniel.dresner@manchester.ac.uk
  • Dr Richard Banach, banach@manchester.ac.uk

SLIDE 22