The Security Theme
The Security Theme: an introduction
School of Computer Science
The University of Manchester
Outline
• Why do we need a Security Theme?
• Core Modules
– Cryptography
– Computer and Network Security
• Some Research Activities
• Computer Security
• Military Intelligence
• The laws of thermodynamics*
• But you can manage the risks . . .
• . . . taking heed of the Security Theme!
* You can’t win . . . you can’t even break even
How can this work?
Steam comes of age . . .
The computer comes of age . . .
‘Hacking’-as-a-service
• Consulting services such as botnet setup ($350-$400)
• Infection/spreading services (~$100 per 1K installs)
• Botnets & Rentals [Distributed Denial of Service (DDoS): $535 for 5 hours a day for one week], e-mail spam ($40 / 20K e-mails) and Web spam ($2 / 30 posts)
• Blackhat Search Engine Optimization (SEO) ($80 for 20K spammed backlinks)
• Inter-Carrier Money Exchange and Mule services (25% commission)
• Recruited CAPTCHA Breaking ($1 / 1000 CAPTCHAs)
• Crimeware Upgrade Modules: using Zeus modules as an example, these range anywhere from $500 to $10K
Source: Fortinet 2013 Cybercrime Report
Threats/Risks: a few examples
• Employee of a small telecoms provider inadvertently infected a laptop with malicious software - total loss of its data.
• Large pharmaceutical company took nearly a month to discover an attacker had accessed its internal network; the configuration was poorly designed and out of date. Correction: >100 staff-days.
• Large technology company suffered when one of its customers carried out an unauthorised destructive penetration test, which took down its systems and led to customer complaints.
• Employee in a large government body sent sensitive e-mails from a work e-mail account to a personal account - only discovered by accident.
• Disgruntled employee of a large utility company stole sensitive information (accessed as part of his job) and began selling it.
• A hard disk at a government body failed. The replacement disk installed by a third party had a virus on it…
Source: ISBS 2013 BIS/PWC
Ratio of hackers to security professionals: ~1000:1*
* SANS (SysAdmin, Audit, Network, Security) Institute
So we need a fifth column…
…to protect the systems of today and build tomorrow’s systems safely
Syllabus at a glance
Access Control
Anti-virus software
Business Continuity Management
Communications and Operations Management
Compliance
Cryptography
Cryptographic solutions
Cyber security
Digital forensics
Firewalls
Human Resources Security
Information Asset Management
Information Security Incident Management
Systems Acquisition, Development and Maintenance
Intrusion detection/prevention
Organizing Information Security
Penetration testing
Physical and Environmental Security
Public Key Infrastructures
Risk Assessment and Treatment
Security Breaches
Security Policy
Security quality assurance
Standards
System Lifecycles
System security planning
Trust
Virtual Private Networks
Vulnerability scanners
Cryptography: topics
• Conventional cryptosystems
• Public-key cryptosystems
• Cryptographic hash functions and message authentication codes
• Key management and establishment protocols
• Digital signatures
• Security services provided with conventional and/or public-key cryptosystems
Computer and Network Security: topics
• Risk assessment
• Requirement and policy specifications
• Solutions and countermeasures
– Intrusion detection/prevention
– Secure software
– Authentication and authorisation
– Virtual Private Networks
– Firewalls
– Digital certification and Public Key Infrastructures
– Real-life exemplar security systems (web security, email security, wireless network security, electronic payment systems, etc.)
• Audits and reviews
• System security planning
• Vulnerability scanners
• Penetration testing
• Digital forensics
How
• Lectures
• Guest lectures
– CY4OR: Digital forensics
– McAfee: Malware and intruders: vulnerabilities and countermeasures
– NCC Group: Penetration Testing
– Websense: Dealing with contemporary threats
• Cryptography
– Examination (50%)
– Coursework (50%)
• Computer and Network Security
– Coursework (2x25%)
• Groupwork
• Case studies
• Report
• Review/inspect
• Templates
– Report
– Risk treatment plan
– Examination (50%)
• Employment potential
• Goal: This Security Theme is aimed at introducing the technologies, standards, policies, procedures and practices that can be used to secure information, cyber, computer systems and networks.
• We examine
– The state-of-the-art
– Future directions
• You get
– Problem solving skills
– Theoretical and conceptual understanding
– Insight into cutting edge research issues
Computer and network security: COMP61421
[Diagram elements: Information Assets; Dependencies; Business Impact (Value…C-I-A); Risk Assessment (Risk Register); Risk Attitude; People: Human Factors, Behaviour; Technology; Process; Controls; Risk Treatments (Controls); Realised Risk; Security Incidents and Events; Business Continuity]
IT Governance: COMP60721
[Diagram elements: Objectives; IT Governance; Risk Appetite; Conformance; Performance; Evaluate, Direct, Monitor; Ethical framework; Portfolio Management; Leadership; Security Architecture; Programme Management; Project Management; Development; Operations; Use; Abuse; Failure; together with the COMP61421 risk-management elements (Information Assets, Dependencies, Business Impact, Risk Assessment, Risk Attitude, Risk Treatments (Controls), Realised Risk, Security Incidents and Events, Business Continuity)]
Help…new and constant
Bad
• 20000 new pieces of malware per hour (McAfee)
• 15 friends invited on Facebook…21,000 accepted
• £60,000 for losing an unencrypted laptop
• Fined £100,000 for faxing details of a child sex abuse case to a member of the public
• Fined £2.75m for losing a laptop with records of 46,000 people
Good
• You become the Fifth Column
1. Cryptography
2. Computer and Network Security
Summary: the two laws of security
1. Never reveal everything you know.
And now Dr Zhang on some projects…
Some research Projects/Activities
• Designs of systems or solutions for security and privacy in distributed systems
• Cloud and Ubiquitous Computing, and electronic commerce…
• …covering issues such as risk-based authentication, authorisation, intrusion detection, and trust management.
• FAME-Permis
• Traceable Identity Privacy
• FIDES
• Context-aware Security Provision
• Wireless Network Security
• Adaptive Security Solutions
The FAME-Permis Project
• A middleware extension to Shibboleth to support
– Inter-organisational resource sharing
– Single sign-on
– User identity privacy
– Fine-grained access control
LoA linked AC (FAME-Permis)
[Diagram elements: Browser; Host Authentication Module (HAM) with PKCS#11 tokens, JavaCards, ...; TI-API; User’s Home Site Web Server with Shib-HS (protected by F-LS), FAME Login Server (F-LS), AuthServices x, y, z, …, AS, I-AP and I; WAYF (Where Are You From?); Shib Target - Resource Gateway with SHIRE and SHAR; The Internet]
Message flow shown in the diagram:
1. User request
2. Re-direct to WAYF for Handle
3. Re-direct to HS
4. Authenticate yourself with AuthService x
5. Authentication dialogue
6. Authentication is successful
7. Handle
8. Handle
FIDES
• Aim to secure e-Commerce transactions, e.g.
– e-Payment vs e-Goods (e-Purchase).
– e-Goods/e-mail vs Signed receipt (Certified delivery).
– Signed contract vs Signed contract (Contract signing).
– e-Goods vs e-Goods (Barter).
• Can be used to develop new secure business applications, such as e-procurement.
Context-aware Security Provision
• Use your context data to determine the level of security protection
– Your location
• This room, or
• Airport lounge
– Your device
• Wireless PDA, or
• More capable desktop
– Your past access history/profile
• Have you been a good guy, or
• Have you tried to breach some rules
Context-aware Access Control
[Diagram elements: Context Acquisition; Sensors; Context Source; Context Service; Access Requester; Policy Store; Policy; Policy Decision; PDP; PEP; Resource]
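Worked example, added here and not taken from the slides or from the FAME-Permis project: a toy Policy Decision Point (PDP) and Policy Enforcement Point (PEP) in Python. It raises the level of assurance (LoA) a resource requires according to the requester's location, device and past access history, as the Context-aware Security Provision slide describes, and then compares that with the LoA the authentication service certified for the session, the idea behind LoA-linked access control. The LoA numbers, the step-up rules, the policy store and the request contexts are all constructed for this example.

```python
from dataclasses import dataclass
from typing import Dict, Tuple

# Levels of assurance an authentication service can certify.
# Assumed for this example; they are not the FAME-Permis definitions.
LOA_PASSWORD = 1
LOA_ONE_TIME_CODE = 2
LOA_HARDWARE_TOKEN = 3   # e.g. a PKCS#11 token or JavaCard


@dataclass(frozen=True)
class Context:
    """What the context service hands the PDP (acquired from sensors/sources)."""
    location: str        # "campus" | "home" | "public_hotspot"
    device: str          # "managed_desktop" | "laptop" | "pda"
    violations: int      # past rule breaches in the requester's access history
    loa_achieved: int    # LoA certified for this session by the AuthService


@dataclass(frozen=True)
class Policy:
    resource: str
    base_loa: int        # LoA required in the most trusted context


# Constructed policy store: one entry per protected resource.
POLICY_STORE: Dict[str, Policy] = {
    "lecture-notes": Policy("lecture-notes", LOA_PASSWORD),
    "exam-marks": Policy("exam-marks", LOA_ONE_TIME_CODE),
}


def required_loa(policy: Policy, ctx: Context) -> int:
    """Raise the resource's base LoA once for each risk-increasing context factor."""
    loa = policy.base_loa
    if ctx.location == "public_hotspot":   # untrusted network, e.g. an airport lounge
        loa += 1
    if ctx.device == "pda":                # less capable, more easily lost device
        loa += 1
    if ctx.violations > 0:                 # requester has breached rules before
        loa += 1
    return min(loa, LOA_HARDWARE_TOKEN)    # strongest level this example knows


def pdp_decide(resource: str, ctx: Context) -> Tuple[str, int]:
    """Policy Decision Point: returns (decision, required LoA).

    decision is "permit", "step_up" (re-authenticate at a stronger LoA) or "deny".
    """
    policy = POLICY_STORE.get(resource)
    if policy is None:
        return ("deny", LOA_HARDWARE_TOKEN)    # unknown resource: default deny
    need = required_loa(policy, ctx)
    if ctx.violations >= 3:
        return ("deny", need)                  # repeat offender: no step-up offered
    if ctx.loa_achieved >= need:
        return ("permit", need)
    return ("step_up", need)


def pep_enforce(resource: str, ctx: Context) -> str:
    """Policy Enforcement Point: acts on the PDP's answer, never reads the policy itself."""
    decision, need = pdp_decide(resource, ctx)
    if decision == "permit":
        return f"200 serve {resource}"
    if decision == "step_up":
        return f"401 authenticate with AuthService at LoA {need}"
    return f"403 access to {resource} denied"


if __name__ == "__main__":
    # Constructed requests: same user, same resource, three different contexts.
    in_room = Context("campus", "managed_desktop", 0, LOA_ONE_TIME_CODE)
    lounge_pda = Context("public_hotspot", "pda", 0, LOA_ONE_TIME_CODE)
    bad_history = Context("campus", "laptop", 3, LOA_HARDWARE_TOKEN)
    for ctx in (in_room, lounge_pda, bad_history):
        print(ctx.location, ctx.device, ctx.violations, "->", pep_enforce("exam-marks", ctx))
```

The split mirrors the diagram: the PEP sits in front of the resource and only relays the PDP's verdict, while the PDP combines the policy store entry with acquired context. A "step_up" answer is what would drive the re-direction to a stronger AuthService in the FAME-Permis flow.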
Context-aware Adaptive Routing in MANETs
Context-aware multiple route adaptation can increase reliability with low costs.
[Diagram: mobile nodes A, B, C, P, M and X, with a route to the Internet]
Other project opportunities may include…
• Whitelisting software
• A method to articulate requirements for security (MARS)
• Measuring security maturity to understand the costs and benefits of countermeasures
• Security dashboard
• Information and cyber security threat analyser
• IT Strategy design tool
• Protect - Operate - Self-preserve: designing a universal secure architecture
• Rules of engagement: Legitimate use of the Dark Internet and Deep Web
• Security economics modeller
• Balancing technical security controls with human factors
• An application to test websites for compliance and award a commensurate trust mark
Module Leader/Lecturers
• Dr Ning Zhang
• Dr Daniel Dresner Minst.ISP
• Dr Richard [email protected]
http://news.bbc.co.uk/1/hi/technology/20090104.stm
Manchester protects knowledge
Page last updated at 09:33 GMT, Friday, 2 March 2012
‘Do as we say and as we do’ brings reputation and revenue to Manchester
Information security comes naturally to staff and students at the University of Manchester whether it’s the papers confirming their ground-breaking research in material science or protecting patient identities to allow data to be used in life-saving informatics research for public health. Students take their responsibilities especially seriously in the School of Computer Science where sensible postgraduates focus on this vital theme.
‘Talking to the business development manager gives me confidence that security issues are so embedded in the university they can only make good of my endowment,’ said Shere Khan, CEO of Dubai’s Cloud Holdings. ‘I really can’t wait to give them senior positions in my company,’ he affirmed. The university’s MSc projects in security are also moving ever faster through the end user landscape making IT more secure. Each student it teaches becomes another brick in the human firewall bringing information and cyber security within reach internationally.
Product solution
Thank you. Questions... and comments?