CIS 5373 Systems Security


CIS 5373 Systems Security Topic 1: Introduction to Systems Security Endadul Hoque 1

Why should you care?
Security impacts our day-to-day life.
Become a security-aware user: make safe decisions.
Become a security-aware developer: design and build secure systems.
Become a security researcher: identify security flaws and propose mitigations.
*Based on https://lifeasageek.github.io/class/cs52700-fall16/slides/intro.pdf 2

What is Security?
Definition: Security is the application and enforcement of policies through mechanisms over data and resources.
Policies specify what we want to enforce (e.g., only Alice should read file F). Common goals: confidentiality, integrity, availability.
Mechanisms specify how we enforce the policy (i.e., an implementation of a policy, such as encryption).
The goal has nothing to say about the mechanism.
*Based on https://lifeasageek.github.io/class/cs52700-fall16/slides/intro.pdf 3

Systems Security
Security applied to computer systems: hardware, software, network, and computing power.
Protection against theft, damage, misuse, and disruption of the services they provide. [Source: Wikipedia] 4

Our Focus
Several layers of systems security: software security, operating systems security, network security, web/Internet security. 5

Why is systems security hard? Things can go wrong on multiple fronts.
1. Problems with policy. Examples: reset a password by answering security questions; reset a password by providing the last 4 digits of a credit card number. 6

Why is systems security hard? Things can go wrong on multiple fronts.
2. Problems with assumptions. Examples: human factors (the weakest link, e.g., in phishing attacks); assuming hardware is trustworthy; underestimating attackers' computational power. 7

Why is systems security hard? Things can go wrong on multiple fronts.
3. Problems with mechanisms: bugs/vulnerabilities in implementations. Examples: impersonation attacks (Apple's goto fail); information leakage (OpenSSL's Heartbleed bug); unauthorized access (unlimited password guessing allowed for one iCloud API). 8

Bugs
Definition: A software bug is an error, flaw, failure, defect or fault in a computer program or system that causes it to produce an incorrect or unexpected result, or to behave in unintended ways. [Wikipedia]
According to [1]: Faults --(activate)--> Errors --(propagate)--> Failures.
[1] Avizienis et al., Basic Concepts and Taxonomy of Dependable and Secure Computing, IEEE TDSC, 1(1), 2014 (https://www.nasa.gov/pdf/636745main_day_3-algirdas_avizienis.pdf) 9

Faults, Errors & Failures
Faults: physical defects or flaws occurring in some components (hardware or software). E.g., a buffer overflow.
Errors: inaccuracy introduced into the system's state by some fault. E.g., memory corruption.
Failures: not delivering the correct/expected service. E.g., a system crash. 10

Faults, Errors & Failures 11

Faults, Errors & Failures
A fault is active when it causes an error; otherwise it is dormant.
Many errors do not reach the system's external interface; as a result, no failure is observed. 12

Vulnerabilities
Definition: A vulnerability is a weakness which allows an attacker to violate the system's security policies. [Wikipedia]
A vulnerability is exploitable if an exploit (e.g., malicious inputs) exists; whether it matters depends on the goal(s) of the attacker(s).
Some vulnerabilities are not related to software: human factors can result in, e.g., phishing attacks.
Security bugs: bugs in security-enforcing software (e.g., OS kernel, SSL/TLS) lead to vulnerabilities and leave a system open to attacks. 13

Cyber crime hit the big time in 2016, with high-profile victims and bigger than ever financial rewards.
Symantec discovered more than 430 million new unique pieces of malware in 2015, up 36 percent from the year before.
Trend Micro predicts a 25% growth in the number of new ransomware families in 2017.
IoT devices will play a bigger role in DDoS attacks.
The average payout for a ransomware attack is $722, which could reach up to $70K if an enterprise network is hit. 14

Real-world Security Incidents 15

Apple's goto fail 16 http://zd.net/1mlouxz
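The goto fail bug is a mechanism failure of the third kind listed above: the policy (verify the server's signature) was right, but a duplicated `goto fail;` line made the comparison unreachable, so any signature was accepted. The following is an added, constructed illustration of that control-flow defect, not Apple's code: `handshake_t`, `hash_step`, and `compare_sig` are stand-ins for the real hash-update and signature-comparison steps, and the "signatures" are plain strings.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a signed-key-exchange check (not Apple's code).
 * A return value of 0 means "verified"; anything else is an error code. */
typedef struct {
    const char *expected;   /* signature the server must present (constructed) */
    const char *presented;  /* signature the peer actually sent (constructed) */
} handshake_t;

/* Stand-in for a hash-update step: fails only if there is nothing to hash. */
static int hash_step(const handshake_t *h)
{
    return (h->expected != NULL && h->presented != NULL) ? 0 : -1;
}

/* Stand-in for the final signature comparison. */
static int compare_sig(const handshake_t *h)
{
    return strcmp(h->expected, h->presented) == 0 ? 0 : -2;
}

/* Vulnerable shape: the second 'goto fail' is not guarded by any 'if', so it
 * is always taken. The signature comparison below it never runs, and err is
 * still 0 from the successful hash step, so 'fail:' returns 0 = verified. */
int verify_with_duplicate_goto(const handshake_t *h)
{
    int err = 0;
    if ((err = hash_step(h)) != 0)
        goto fail;
        goto fail;              /* duplicated line: unconditional jump */
    if ((err = compare_sig(h)) != 0)   /* unreachable */
        goto fail;
fail:
    return err;
}

/* Fixed shape: every 'goto fail' is guarded, so the comparison is reached. */
int verify_fixed(const handshake_t *h)
{
    int err = 0;
    if ((err = hash_step(h)) != 0)
        goto fail;
    if ((err = compare_sig(h)) != 0)
        goto fail;
fail:
    return err;
}

int main(void)
{
    handshake_t forged = { "sig-of-real-server", "anything-at-all" };  /* constructed */
    printf("duplicate goto: forged signature accepted? %s\n",
           verify_with_duplicate_goto(&forged) == 0 ? "yes" : "no");
    printf("fixed:          forged signature accepted? %s\n",
           verify_fixed(&forged) == 0 ? "yes" : "no");
    return 0;
}
```

The defensive lesson is that braces around every `if` body and a compiler warning for unreachable code (`-Wunreachable-code` in clang, though gcc does not reliably emit it) would each have flagged this; a unit test that feeds a forged signature, like the one in `main`, catches it regardless of compiler.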

Heartbleed
TLS heartbeat extension: a keep-alive feature. One end of the connection sends a payload of arbitrary data to the other end; the other end sends back an exact copy of that data to prove everything's OK.
Bug in OpenSSL: a buffer over-read due to a missing bounds check. It reveals in-memory authentication credentials, a threat to confidentiality.
https://xkcd.com/1354/ 17
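To make the "missing bounds check" concrete, and to show the fault/error/failure chain from the Bugs slides (the fault is the unchecked length, the error is a read past the record, the failure is a reply carrying someone else's data), here is an added, constructed miniature of a heartbeat responder, not OpenSSL's code. It assumes a fixed simulated memory arena (`arena`) in which the incoming record is followed by a constructed secret string, the way other connections' data can sit next to an incoming record on a real heap; the record layout (1-byte type, 2-byte big-endian payload length, payload, at least 16 bytes of padding) follows RFC 6520. The vulnerable and fixed handlers differ only in the length check, which mirrors the check the OpenSSL fix added.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ARENA_SIZE 64
#define HB_HEADER  3     /* 1-byte type + 2-byte payload length */
#define HB_PADDING 16    /* minimum padding required by RFC 6520 */

/* Simulated process memory: the heartbeat record starts at arena[0] and a
 * constructed secret is placed immediately after it by build_record(). */
static unsigned char arena[ARENA_SIZE];
static const char SECRET[] = "session-cookie=XYZ";   /* constructed */

/* Lay out a heartbeat request in the arena. 'claimed_len' is what the record
 * header says the payload length is; 'payload' is what is really there.
 * Returns the true record length. To keep this simulation within defined
 * behaviour, callers must keep HB_HEADER + claimed_len <= ARENA_SIZE. */
size_t build_record(const char *payload, uint16_t claimed_len)
{
    size_t plen = strlen(payload);
    size_t record_len = HB_HEADER + plen + HB_PADDING;
    memset(arena, 0, sizeof arena);
    arena[0] = 1;                                   /* heartbeat_request */
    arena[1] = (unsigned char)(claimed_len >> 8);
    arena[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(arena + HB_HEADER, payload, plen);
    memcpy(arena + record_len, SECRET, sizeof SECRET); /* neighbour in memory */
    return record_len;
}

/* Vulnerable handler: trusts the peer's claimed length and never compares it
 * with the length of the record actually received. Returns bytes "sent". */
size_t hb_respond_vulnerable(const unsigned char *rec, size_t rec_len,
                             unsigned char *out)
{
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    (void)rec_len;                       /* never consulted: that is the bug */
    memcpy(out, rec + HB_HEADER, payload);   /* reads past the record */
    return payload;
}

/* Fixed handler: the claimed payload plus header and padding must fit inside
 * the record that was received; otherwise the record is silently dropped. */
size_t hb_respond_fixed(const unsigned char *rec, size_t rec_len,
                        unsigned char *out)
{
    if (rec_len < HB_HEADER + HB_PADDING)
        return 0;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if (HB_HEADER + (size_t)payload + HB_PADDING > rec_len)
        return 0;                        /* bounds check: discard */
    memcpy(out, rec + HB_HEADER, payload);
    return payload;
}

/* Detection helper for the demonstration: does the reply contain the secret? */
int leaks_secret(const unsigned char *out, size_t n)
{
    size_t slen = sizeof SECRET - 1;
    for (size_t i = 0; i + slen <= n; i++)
        if (memcmp(out + i, SECRET, slen) == 0)
            return 1;
    return 0;
}

int main(void)
{
    unsigned char out[ARENA_SIZE];
    /* An honest request: 5-byte payload, header claims 5. */
    size_t len = build_record("hello", 5);
    printf("honest  -> fixed replies %zu bytes\n", hb_respond_fixed(arena, len, out));
    /* A malformed request: 5-byte payload, header claims 40. */
    len = build_record("hello", 40);
    size_t n = hb_respond_vulnerable(arena, len, out);
    printf("malformed -> vulnerable replies %zu bytes, secret leaked: %d\n",
           n, leaks_secret(out, n));
    printf("malformed -> fixed replies %zu bytes\n", hb_respond_fixed(arena, len, out));
    return 0;
}
```

Note that nothing here corrupts memory or crashes: an over-read is a pure confidentiality failure, which is why Heartbleed left no trace in server logs and why bounds checks on every length field taken from the network, not just writes, are the mitigation.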

Coming Up Software vulnerabilities 18