I I 3YSTEMS AND NTERNET NFRASTRUCTURE 3ECURITY ETWORK AND 3ECURITY 2ESEARCH ENTER EPARTMENT OF OMPUTER 3CIENCE AND NGINEERING 0ENNSYLVANIA 3TATE 5NIVERSITY 5NIVERSITY 0ARK 0 CMPSC443 Introduction to Computer and Network Security Module Wrapup Professor Patrick McDaniel Spring 2009 CMPSC443 Introduction to Computer and Network Security Page 1 Wrap up So what does it all mean CMPSC443 Introduction to Computer and Network Security Page 2 Security is about incentives Systems are secure when it is in the best interest of those who develop provide administer those systems and not before Question why is identity theft such a major problem Answer because the people who provide the services banks trading houses credit card companies etc are not the ones who get affected the most by it Service providers don t perform because it would cost too much money in delayed lost transactions CMPSC443 Introduction to Computer and Network Security Page 3 Computing systems Microsoft builds poorly secured systems because oddly customers demand it The customer a demands software be backward compatible with old insecure systems b demands usability over security c doesn t follow instructions consistently e g patching d wants to do insecure things Note Apple HP Sun Linux Intel are no different CMPSC443 Introduction to Computer and Network Security Page 4 What people want People enterprises governments basically everyone want to be secure without changing behavior See Vista debacle for a case study on this Of course being secure on a computer is like being secure in real life you need to make informed decisions about what you do and how you do it This often means you can not do things the easy way but a more secure way Accept that you cannot do some things I cannot connect into my home network from outside no matter how convenient that would be You have to have be involved in your security CMPSC443 Introduction to Computer and Network Security Page 5 OK fine but none of this lets the companies off the hook Most commercial and noncommercial systems have terrible or completely absent security features Most security solutions being provided are broken or at least don t deliver the security advertised Reality even if companies had the will to invest enough to secure their products they wouldn t where to begin CMPSC443 Introduction to Computer and Network Security Page 6 The state of security issues are in public consciousness Press coverage is increasing Losses mounting billions and billions Affect increasing ATMs commerce Public is at risk What are we doing sound and fury signifying nothing W Shakespeare well its not quite that bad CMPSC443 Introduction to Computer and Network Security Page 7 The problems What is the root cause Security is not a key goal and it never has been so we need to figure out how to change the way we do engineering and science to make computers secure Far too much misunderstanding about basic security and the use of technology This is also true of physical security think TSA CMPSC443 Introduction to Computer and Network Security Page 8 The current solutions Make better software we mean it B Gates 2002 no really B Gates 2003 Linux OS X Sun OS etc is bad too B Gates 2005 Vista will fix everything B Gates 2006 Vista fixes everything B Gates 2007 Sorry about Vista B Gates 2007 5 Windows 7 0 will fix everything B Gates 2008 Windows 7 0 fixes everything S Ballmer 2009 CMPSC443 Introduction to Computer and Network Security Page 9 The current slns cont CERT SANS based problem event tracking Experts tracking vulnerabilities Patch system completely broken Destructive research Back pressure on product developers Arms race with bad guys Problem reactive rather than proactive CMPSC443 Introduction to Computer and Network Security Page 10 The real solutions Fix the economic equation Eventually MS Sun Apple will be in enough pain that they change the way they make software Education Things will get better when people understand when how to use technology accept that they must change behaviors Fix engineering practices Design for security Apply technology What we have been talking about CMPSC443 Introduction to Computer and Network Security Page 11 The bottom line The Web Internet and new technologies have limited ability to address security and privacy concerns computer science is making the world less safe it is incumbent in us as scientists to meet these challenges Evangelize importance of security Provide sound technologies Define better practices CMPSC443 Introduction to Computer and Network Security Page 12 Thank You mcdaniel cse psu edu CMPSC443 Introduction to Computer and Network Security Page 13 Final Exam Thursday May 7th 10 10AM 12 00PM 258 Willard Close book closed note 14 short answers 3pts each 4 long answer 7pts each 3 problem questions 10pts each Same length hardness of mid term You have almost 2 hours so you should have plenty of time CMPSC443 Introduction to Computer and Network Security Page 14 Sample Questions Short answer question Why are active attacks easier to detect than passive attacks Long answer question Explain what resource imbalances are and why managing them is so important to protecting a network Problem question Acme archival storage systems is a company that promises to securely store customer data They provide a online system that the customer submits documents for storage which Acme encrypts using AES and a key specific to each request Acme only accepts requests from 8am to 5pm Monday through Friday and they are open on all holidays not falling on a weekend For the purposes of this exercise you can assume that Acme has been in operation for exactly 700 days A customer document di is encrypted as E di kr where the key kr is computed the kr h ti and ti is the timestamp with millisecond granularity of the request submission What is the entropy of the key CMPSC443 Introduction to Computer and Network Security Page 15 Hints for final read the slides know terminology know that network security inclusive of the entire second half is focus know the principles and laws I introduced in class crypto is important any time I put equations or made you do work in out of class that is an opportunity for me to test make sure you have read everything I assigned it supports the material in class and fills in gaps I don t have time to fill CMPSC443 Introduction to Computer and Network Security Page 16