DOC PREVIEW
USC CSCI 530 - 02_intro-6up

This preview shows page 1 out of 2 pages.

Save
View full document
View full document
Premium Document
Do you want full access? Go Premium and unlock all 2 pages.
Access to all documents
Download any document
Ad free experience
Premium Document
Do you want full access? Go Premium and unlock all 2 pages.
Access to all documents
Download any document
Ad free experience

Unformatted text preview:

CSCI 530, Spring 2010 Copyright © William C. Cheng T1CS530Introduction toSecurity SystemsBill Chenghttp://merlot.usc.edu/cs530-s10 CSCI 530, Spring 2010 Copyright © William C. Cheng T2What Is Securitysystemhardware & softwareWhat are you trying to secure?networkdatacan be difficultHow to evaluatewhat are the costs?administration/management(cont...)Security vs. Risk Managementbalance costs to protect with costs of compromisebalance costs to compromise with benefit to attackeran example of Risk Management: banksSecurity vs. Risk Management (cont...)difficult to defend against losses from robbery, creditcard fraud, identify theft CSCI 530, Spring 2010 Copyright © William C. Cheng T3What Is Security (Cont...)solution: charge fees, understand costs, buy insuranceprevent successful attacks vs. mitigate the consequencesIt’s not all technical CSCI 530, Spring 2010 Copyright © William C. Cheng T4What Do We Want From Securityenforced by hardwareProtectiondepends on trusted kerneldetermining identity of principalAuthenticationIntegrity(cont...)a principal can be a process or a uservirtual memory systemuser/kernel modes, rings 0-3, etc.no stepping around, no I/O accessescan use an access matrix to specify what subjectscan access what objectsauthenticity of documentIntegritythat it hasn’t changesthat inappropriate information is not disclosedConfidentiality CSCI 530, Spring 2010 Copyright © William C. Cheng T5What Do We Want From Security (Cont...)that the system continues to operateAvailabilitythat the system and data is reachable and readableprivacyEnforcement of policiesaccountability and auditpayment CSCI 530, Spring 2010 Copyright © William C. Cheng T6What Makes Up SecurityAuthenticationBasic services:AuthorizationAccounting (e.g., quota)AuditAssurance (e.g., software engineering, virus checkers)PaymentProtectionPolicyPrivacy (policy about individual)Confidentiality (about data)rules about who can do what, at what costgenerally hard to define for an organizationCSCI 530, Spring 2010 Copyright © William C. Cheng T7Security Weaknesses & Why We Are Not Securebuffer overrunholes in the spec?Buggy codeunspecified patternsProtocols design failuresit is usually a good idea to use well understood onesWeak crypto(cont...)"Social engineering"never use strcpy(), use strncpy() and memcpy()always check return code of library functions andsystem callsIncorrect policy specification CSCI 530, Spring 2010 Copyright © William C. Cheng T8Security Weaknesses (Cont...)unfortunately, this is usually against what vendors wantStolen keys or identitiesDenial of servicesystems should be shipped in secure mode (notopen mode)Misconfigurationweak key managementsingle sign-on feature (put password on local disk)hard to defend againstfailure in people?"Social engineering"plenty of bad people out there (and inside) CSCI 530, Spring 2010 Copyright © William C. Cheng T9Security Mechanismsscrambling of data for confidentiality and integrityEncryptione.g., Kerberos, X.509Key managemente.g., Kerberos, X.509AuthenticationACL (access control list)AuthorizationAccountingFirewallsChecksumsinterconnecting private nets over the InternetVPNsIntrusion detection and responseDevelopment toolsVirus scannersauditpush back authorization & firewall CSCI 530, Spring 2010 Copyright © William C. Cheng T10Security Mechanisms (Cont...)Policy managersTrusted hardware CSCI 530, Spring 2010 Copyright © William C. Cheng T11Today’s Security DeploymentMost of the deployment of security services today handlesthe easy stuff, implementing security at a single point inthe network, or at a single layer in the protocol stack:firewalls, VPN’sIPSecSSLUnfortunately, security isn’t that easy. It must be betterintegrated with the applicationat the level at which it must ultimately be specified,security policies pertain to application level objects,and identify application level entities


View Full Document

USC CSCI 530 - 02_intro-6up

Download 02_intro-6up
Our administrator received your request to download this document. We will send you the file to your email shortly.
Loading Unlocking...
Login

Join to view 02_intro-6up and access 3M+ class-specific study document.

or
We will never post anything without your permission.
Don't have an account?
Sign Up

Join to view 02_intro-6up 2 2 and access 3M+ class-specific study document.

or

By creating an account you agree to our Privacy Policy and Terms Of Use

Already a member?