CS 5950/6030 Network Security
Class 1 (W, 8/31/05)
Leszek Lilien
Department of Computer Science
Western Michigan University
[Using some slides prepared by: Prof. Aaron Striegel, University of Notre Dame; Prof. Barbara Endicott-Popovsky and Prof. Deborah Frincke, University of Washington]

Class 1 Outline
1.1. Course Overview
   – Syllabus - Course Introduction
1.2. Survey of Students' Background and Experience
1.3. Introduction to Security
   – Examples – Security in Practice
   – Discussion – What does security mean?

1.1. Course Overview (1)
CS 5950/6030: Network Security - Fall 2005
Department of Computer Science, Western Michigan University
Description: Survey of topics in the area of computer and network security with a thorough basis in the fundamentals of computer/network security.
Class: CEAS C0141, M W F 3:00 PM – 3:50 PM
Instructor: Dr. Leszek (Leshek) Lilien, CEAS B-249, phone: 276-3116
Email: llilien@wmich.edu – please use for urgent matters only
Notes:
1) Only mail coming from a WMU account (ending with "wmich.edu") will be read.
2) Files submitted as attachments will not be read unless they are scanned with up-to-date anti-viral software, and the message including them contains the following statement: I have scanned the enclosed file(s) with <name of software, its version>, which was last updated on <date>.
Office Hours: MW 4:30 PM – 5:30 PM, F 1:30 PM – 2:30 PM
Web Pages: http://www.cs.wmich.edu/~llilien/cs5950-6030/index.html

Course Overview (2)
Required Text: Pfleeger and Pfleeger, Security in Computing, Third Edition, Prentice Hall PTR, 2003, ISBN 0-13-035548-8.
Course Overview: This course is a survey of topics in the realm of computer and network security. It introduces topics in computer security ranging from cryptographic techniques to trust to multilevel security to security ethics. Students will learn fundamental concepts of security that can be applied to many traditional aspects of computer programming and computer systems design. The course will culminate in a project where the students will have an opportunity to more fully investigate a topic related to the course.
Course Objectives:
• The course is designed to provide knowledge in the following areas:
   • Security terminology
   • Cryptographic techniques: terminology, basic techniques
   • Encryption systems: RSA, DES, public/private key
   • Program security: viruses, other malicious code, controls against program threats
   • Trusted computer systems: OS characteristics, authentication mechanisms, certification levels, access control
   • Network security: threats and controls, Kerberos, intrusion detection
   • Database security: security requirements, inference, multilevel security
   • Legal, ethical, privacy issue discussions

Course Overview (3)
Performance Objectives:
• At the end of the course, all students should be able to:
   • Describe and correctly use fundamental terminology in the area of computer/network security
   • Describe fundamental concepts of cryptography and assess the strengths and weaknesses of common cryptographic protocols
   • Identify weaknesses in program design and be able to categorize basic forms of attack against programs
   • Understand the basic concepts of security with regard to operating systems and access control
   • Assess the areas of trust in both operating systems and protocols
   • Describe database attacks and how to design against such attacks
   • Describe basic methods for network security
   • Intelligently discuss the legal, ethical, and privacy issues in computer security

Course Overview (4)
Grading:
• Grading components:
   – Quizzes 10%
   – Midterm Exam 25%
   – Final Exam 30%
   – Group Project (incl. final project presentation) 35%
• Fixed standard grading scale (A: 90, BA: 85, B: 80, CB: 75, C: 70, DC: 65, D: 60)
   – I may curve a "bad" exam to improve the letter grades.
• I might offer extra credit for optional coursework, such as presenting in class a software security tool or a research paper.
• In my book, there is the "AA" grade (known to the outside world as the "A+" grade) for extraordinary performance (best in class, etc.). Each student who receives it can get a written statement from me upon request (in case the student needs strong evidence for a recommendation letter). Of course, the WMU transcript will show an "A" only.
• Inquiries about graded quizzes/exams must be made within one week after they are handed back.
• In case of a grading disagreement, written arguments for your claims are required.

Course Overview (5)
Course Policies:
1. Lecture
• Lecture notes may or may not be on-line so taking notes during class is highly encouraged. Especially, you should write down anything that is written down using the board or the document projector. You are encouraged to slow me down if you need more time to take notes.
• Lectures will be driven by student interaction, in addition to the standard lecture material.
• Attendance at lectures is required. If you must miss a lecture, please contact the instructor in advance.
2. Quizzes
• 2-4 quizzes are planned.
• Quizzes will be announced no later than at the preceding lecture.
• Quiz solutions will be posted, most probably online.

Course Overview (6)
3. Exams
• There will be two exams for the class.
• The midterm exam will be announced at least a week in advance (it should be expected around October 15). The midterm exam will be held during normal class time.
• The final exam will be held during the finals week, as scheduled (Th, Dec. 8, 2:45 PM – 4:45 PM).
4. Project(s)
• Small projects:
   – 1-2 small projects will be individual and self-guided (using guidelines provided by me). They will not be graded but lessons learned may be checked by my quiz questions.
• The final project:
   – The final project will be done in teams consisting normally of 3-4 students.
   – I will propose a set of topics for the final project to help students in final project selection. The groups are free to propose their own topics for the final project but must obtain my buy-in before starting their work.
   – The results obtained in the final project will be presented by the students in class at the end of the semester.

Course Overview (7)
• Project presentation requirements:
   – For all projects, both technical contents and quality of (written and/or oral) presentation will be evaluated for the total project credit.
   – No handwritten project reports will be accepted. All text and figures must be prepared using a word processor (and a drawing program, if necessary).
   – The project reports must be submitted both as hard copies and in an electronic format.
      • Required electronic format: PDF.
      • The message including project files must include information on antiviral software used (cf. above).
   – Late project reports will lose 33% per day beyond the due date.
Other Notes:
• The topics for the course will be quite flexible. If there is a technology related to security that you would like to know more about, please let me know. I will try to accommodate your wishes, depending on the availability of time.
• This class will be a class where many of the topics build upon one another. Therefore, please ask questions in class if you do not understand the material.

Course Overview (8)
• Since email and telephone limit interaction, please see me during my office hours in case of any course difficulties. (In justified cases, a special appointment can be made.)
• No questions will be answered on the date of a quiz/exam.
• A make-up quiz/exam can be given only when the student presents a valid reason with documented evidence for missing the test/exam. Without such a reason, the student will lose all quiz/exam points.
Academic Honesty Statement (WMU Policy)
You are responsible for making yourself aware of and understanding the policies and procedures in the Undergraduate Catalog (pp. 274-276) or the Graduate Catalog (pp. 25-27) that pertain to Academic Honesty. These policies include cheating, fabrication, falsification and forgery, multiple submission, plagiarism, complicity and computer misuse. If there is reason to believe you have been involved in academic dishonesty, you will be referred to the Office of Student Conduct. You will be given the opportunity to review the charge(s). If you believe you are not responsible, you will have the opportunity for a hearing. You should consult with me if you are uncertain about an issue of academic honesty prior to the submission of an assignment or test.

1.2. Survey of Students' Background and Experience (1)
Background Survey
CS 5950/6030 Network Security - Fall 2005
Please print all your answers.
First name: __________________________ Last name: _____________________________
Email _____________________________________________________________________
Undergrad./Year ________ OR: Grad./Year or Status (e.g., Ph.D. student) ________________
Major _____________________________________________________________________
PART 1. Background and Experience
1-1) Please rate your knowledge in the following areas (0 = None, 5 = Excellent).
UNIX/Linux/Solaris/etc. Experience (use, administration, etc.)   0 1 2 3 4 5
Network Protocols (TCP, UDP, IP, etc.)   0 1 2 3 4 5
Cryptography (basic ciphers, DES, RSA, PGP, etc.)   0 1 2 3 4 5
Computer Security (access control, security fundamentals, etc.)   0 1 2 3 4 5

Survey of Students' Background and Experience (2)
1-2) Please list (by number and name) all classes in operating systems, networks, databases, and security taken at WMU:
OS: ________________________________________________________________
Networks: ___________________________________________________________
Databases: __________________________________________________________
Security: ___________________________________________________________
1-3) Please list (by name) classes in operating systems, networks, databases, and security taken at institutions other than WMU (name the institutions):
OS: ________________________________________________________________
Networks: ___________________________________________________________
Databases: __________________________________________________________
Security: ___________________________________________________________
1-4) Please list up to 3 programming languages, which you know, and rate your skill level in each (1-5).
Language 1: ______________________________ Rating: _______________
Language 2: ______________________________ Rating: _______________
Language 3: ______________________________ Rating: _______________

Survey of Students' Background and Experience (3)
1-5) Please list any other notable/important background or experience in OS, networks, databases, and security (incl. work, internships, projects, etc.).
___________________________________________________________________
___________________________________________________________________
___________________________________________________________________
1-6) Operating system you feel most comfortable with (circle one or more): Windows   Linux   Solaris   Other: ___________
PART 2. Motivation and Expectations
2-1) Why did you sign up for this course?
___________________________________________________________________
___________________________________________________________________
2-2) Would you prefer a more theoretical (principles, ideas, formal models) course or a more practical course?
___________________________________________________________________
Why?
___________________________________________________________________

Survey of Students' Background and Experience (4)
2-3) If there were 2-3 topics related to security that you would like to know more about, what would those be (in your preference order)?
Topic 1: ____________________________________________________________
Topic 2: ____________________________________________________________
Topic 3: ____________________________________________________________
PART 3. Any Other Comments
___________________________________________________________________
___________________________________________________________________
___________________________________________________________________
___________________________________________________________________
Thank you!

1.3. Introduction to Security (1)
1.3.1. Examples – Security in Practice
From CSI/FBI Report 2002
• 90% detected computer security breaches within the last year
• 80% acknowledged financial losses
• 44% were willing and/or able to quantify their financial losses. These 223 respondents reported $455M in financial losses.
• The most serious financial losses occurred through theft of proprietary information and financial fraud:
   26 respondents: $170M
   25 respondents: $115M
• For the fifth year in a row, more respondents (74%) cited their Internet connection as a frequent point of attack than cited their internal systems as a frequent point of attack (33%).
• 34% reported the intrusions to law enforcement. (In 1996, only 16% acknowledged reporting intrusions to law enforcement.)
[Barbara Endicott-Popovsky and Deborah Frincke, CSSE592/492, U. Washington]

More from CSI/FBI 2002
• 40% detected external penetration
• 40% detected denial of service attacks.
• 78% detected employee abuse of Internet access privileges
• 85% detected computer viruses.
• 38% suffered unauthorized access or misuse on their Web sites within the last twelve months. 21% didn't know. [includes insider attacks]
• 12% reported theft of transaction information.
• 6% reported financial fraud (only 3% in 2000).
[cf. Barbara Endicott-Popovsky and Deborah Frincke, CSSE592/492, U. Washington]

Critical Infrastructure Areas
… telecommunications, electrical power systems, gas and oil, banking and finance, transportation, water supply systems, government services and emergency services.
[Barbara Endicott-Popovsky and Deborah Frincke, CSSE592/492, U. Washington]

Threat Spectrum
[cf. Barbara Endicott-Popovsky and Deborah Frincke, CSSE592/492, U. Washington]

Cyberterrorism
• The Internet Black Tigers conducted a successful "denial of service" attack on servers of Sri Lankan government embassies
• Italian sympathizers of the Mexican Zapatista rebels attacked web pages of Mexican financial institutions.
• Rise of "Hack-tivism"
Freeh, Testimony before Senate, 2000.
[cf. Barbara Endicott-Popovsky and Deborah Frincke, CSSE592/492, U. Washington]

Threats to Personal Privacy
• Buying and selling confidential information from Social Security files.
• Browsing IRS files.
• Buying and selling bank account name lists.
• A Princeton University student stole ~1800 credit card numbers, customer names, and user passwords from an e-commerce site.
House Ways and Means Committee, 102nd Congress, 1992. Barr, S., Washington Post, 10, 2 Aug. 1993 (4) Freeh, Testimony 2000
[Barbara Endicott-Popovsky and Deborah Frincke, CSSE592/492, U. Washington]

Identity Theft
• "The theft of computer hard drives from TriWest Healthcare Alliance could turn into one of the largest identity thefts on record if the information is misused, the Federal Trade Commission said."
[Barbara Endicott-Popovsky and Deborah Frincke, CSSE592/492, U. Washington]

1.3.2. What is "Security?"
You Will Never Own a Perfectly Secure System.
You Will Never Own a Perfectly Secure System.
You Will Never Own a Perfectly Secure System.
[Barbara Endicott-Popovsky and Deborah Frincke, CSSE592/492, U. Washington]

Well … Maybe If You Do This: (even then there are standards)
[Barbara Endicott-Popovsky and Deborah Frincke, CSSE592/492, U. Washington]

"Secure" Computer System
• To decide whether a computer system is "secure", you must first decide what "secure" means to you, then identify the threats you care about.
Denial of Service, Cyberterrorism, Modified Databases, Virus, Espionage, Identity Theft, Equipment Theft, Stolen Customer Data
[cf. Barbara Endicott-Popovsky and Deborah Frincke, CSSE592/492, U. Washington]

1.3.3. Pillars of Security: Confidentiality, Integrity, Availability (CIA)
Confidentiality: Who is authorized?
Integrity: Is the data "good?"
Availability: Can access data whenever need it?
[Figure: Confidentiality, Integrity, Availability; S = Secure]
[cf. Barbara Endicott-Popovsky and Deborah Frincke, CSSE592/492, U. Washington]

Balancing CIA
Need to balance CIA
Ex: Disconnect computer from Internet to increase confidentiality (availability suffers, integrity suffers due to lost updates)
Ex: Have extensive data checks by different people/systems to increase integrity (confidentiality suffers as more people see data, availability suffers due to locks on data under verification)
[Figure labels: Biographical Data, Payroll Data, Health Data, Sensitive Data; Confidentiality, Integrity, Availability; Packet Switch, Bridge, File Server, Gateway, Other Networks]
[cf. Barbara Endicott-Popovsky and Deborah Frincke, CSSE592/492, U. Washington]

Continued – Class 2
