Course Slides for CS_6035_01_Security Mindset (1)
leoyang0406
14 views
34 slides
Mar 11, 2025
Slide 1 of 34
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
About This Presentation
Course Slides for graduate class intro to internet security
Slide Content
CS 6035 Intro to Information Security
Changlai Du
Assistant Professor, Computer Science, GTSI
Jan. 08, 2024
Course Introduction and Security Mindset
Changlai Du
Assistant Professor, Computer Science, GTSI
Jan. 08, 2024
Course Introduction and Security Mindset
Course Introduction
2
2
Instructor
3
nDr. Changlai Du
nAssistant Professor at GTSI
nJoined GTSI August, 2023
nPhD in CS at VT
n8 years of industry experience
nResearch area: cybersecurity
nMonthly stipend RA and GRA positions
(tuition waived) available
nSpecial problems
nLiterature Review of AGI Safety (3 spots)
nSecurity in Memristor Computing Systems (1)
nEmail me your CV if interested
nEmail: [email protected]
nOffice: Room 409
nOffice#: +86-755-36881009 (ext. 382)
nWebsite:
https://faculty.gtsi.edu.cn/node/3561
nResearch site: https://changlai.github.io/
nHow about you?
3
nDr. Changlai Du
nAssistant Professor at GTSI
nJoined GTSI August, 2023
nPhD in CS at VT
n8 years of industry experience
nResearch area: cybersecurity
nMonthly stipend RA and GRA positions
(tuition waived) available
nSpecial problems
nLiterature Review of AGI Safety (3 spots)
nSecurity in Memristor Computing Systems (1)
nEmail me your CV if interested
nEmail: [email protected]
nOffice: Room 409
nOffice#: +86-755-36881009 (ext. 382)
nWebsite:
https://faculty.gtsi.edu.cn/node/3561
nResearch site: https://changlai.github.io/
nHow about you?
Course Information
nLectures
nFully in-person
nMonday and Wednesday 10:25am-11:40am
nRoom 403
nOffice Hours: Room 409, Mon and Wed, 1-3pm
nTextbook
nOptional
nComputer Security: Principle and Practice, 4th Edition, by William Stallings and Lawrie Brown
nClassroom tools
nCanvas to deliver course materials
nEd discussion to post anouncements and questions
nEmail for private questions
4
nLectures
nFully in-person
nMonday and Wednesday 10:25am-11:40am
nRoom 403
nOffice Hours: Room 409, Mon and Wed, 1-3pm
nTextbook
nOptional
nComputer Security: Principle and Practice, 4th Edition, by William Stallings and Lawrie Brown
nClassroom tools
nCanvas to deliver course materials
nEd discussion to post anouncements and questions
nEmail for private questions
4
Course Contents
nCS 6035 teaches the basic concepts and principles of information security, and the
fundamental approaches to secure computers and networks.
nSystem Security
nSecurity Mindset, Software Security, OS Security, Authentication, Access Control, Isolation and
Sandboxing, Malware
nCryptography
nSymmetric Crypto, Hashing, Integrity, DH and Key Exchange, RSA and Attacks on Protocols
nWeb and Networking
nIntrusion Detection, TLS, Web / Mobile / Database security, Privacy and Anonymity
nSecurity in Context
nSecurity Management, Law and Ethics, Side-channel Analysis, Physical Security
5
nCS 6035 teaches the basic concepts and principles of information security, and the
fundamental approaches to secure computers and networks.
nSystem Security
nSecurity Mindset, Software Security, OS Security, Authentication, Access Control, Isolation and
Sandboxing, Malware
nCryptography
nSymmetric Crypto, Hashing, Integrity, DH and Key Exchange, RSA and Attacks on Protocols
nWeb and Networking
nIntrusion Detection, TLS, Web / Mobile / Database security, Privacy and Anonymity
nSecurity in Context
nSecurity Management, Law and Ethics, Side-channel Analysis, Physical Security
5
Grading
nQuizzes: 10%
n10 true/false and multiple-choice quizzes; each is worth 1%
nOne quiz per week, released on a Friday and due in ten days (Mondays)
nProjects: 52%
n4 projects, 13% each
nSoftware security; Malware analysis; Cryptography; Web security
nExams: 30%
nTwo in-class exams, each worth 15%
nTrue/false and multiple-choice questions
nClosed-everything lasting for 60 minutes
nClass Presence and Active Participation: 8%
nPresence 4%, participation 4%
6
nQuizzes: 10%
n10 true/false and multiple-choice quizzes; each is worth 1%
nOne quiz per week, released on a Friday and due in ten days (Mondays)
nProjects: 52%
n4 projects, 13% each
nSoftware security; Malware analysis; Cryptography; Web security
nExams: 30%
nTwo in-class exams, each worth 15%
nTrue/false and multiple-choice questions
nClosed-everything lasting for 60 minutes
nClass Presence and Active Participation: 8%
nPresence 4%, participation 4%
6
nYour final grade will be assigned as a letter grade according to the following scale:
nFinal grade based on curve
nA: at least 0.5 standard deviation higher than the class average
nC: more than one standard deviation below class average
nF: more than two standard deviations below the class average
nIf normal distribution
nA > 70%
n70% > B > 14%
n14% > C
Grading Scale
7
nFinal grade based on curve
nA: at least 0.5 standard deviation higher than the class average
nC: more than one standard deviation below class average
nF: more than two standard deviations below the class average
nIf normal distribution
nA > 70%
n70% > B > 14%
n14% > C
Grading Scale
7
Instructor Expectations
nEager to learnand to share ideas with others
nActive participation in class and discussion forums expected
nEd Discussions is used for online discussions
nI will not answer questions about projects at the last minute (get started early)
nGet to know me via office hours
8
nEager to learnand to share ideas with others
nActive participation in class and discussion forums expected
nEd Discussions is used for online discussions
nI will not answer questions about projects at the last minute (get started early)
nGet to know me via office hours
8
Security Mindset
9
9
Understanding the Differences
nInformation Security (CS-6035)
nSystem Security (CS-6238)
nNetwork Security (CS-6262)
nComputer Security
nCyber Security
10Image: http://www.securitymanagers.net/information-security-vs-cybersecurity/
nInformation Security (CS-6035)
nSystem Security (CS-6238)
nNetwork Security (CS-6262)
nComputer Security
nCyber Security
10Image: http://www.securitymanagers.net/information-security-vs-cybersecurity/
Why Cyber Security?
11
11
Terminology 1/2
nAdversary (threat agent)
nIndividual, group, organization, or government that conducts or has the intent to conduct
detrimental activities.
nAttack
nAny kind of malicious activity that attempts to collect, disrupt, deny, degrade, or destroy
information system resources or the information itself.
nCountermeasure
nA device or techniques that has as its objective the impairment of the operational
effectiveness of undesirable or adversarial activity, or the prevention of espionage, sabotage,
theft, or unauthorized access to or use of sensitive information or information systems.
nRisk
nA measure of the extent to which an entity is threatened by a potential circumstance or event,
and typically a function of 1) the adverse impacts that would arise if the circumstance or event
occurs; and 2) the likelihood of occurrence.
12
nAdversary (threat agent)
nIndividual, group, organization, or government that conducts or has the intent to conduct
detrimental activities.
nAttack
nAny kind of malicious activity that attempts to collect, disrupt, deny, degrade, or destroy
information system resources or the information itself.
nCountermeasure
nA device or techniques that has as its objective the impairment of the operational
effectiveness of undesirable or adversarial activity, or the prevention of espionage, sabotage,
theft, or unauthorized access to or use of sensitive information or information systems.
nRisk
nA measure of the extent to which an entity is threatened by a potential circumstance or event,
and typically a function of 1) the adverse impacts that would arise if the circumstance or event
occurs; and 2) the likelihood of occurrence.
12
Terminology 2/2
nSecurity Policy
nA set of criteria for the provision of security services. It defines and constrains the activities of
a data processing facility in order to maintain a condition of security for systems and data.
nSystem Resource (Asset)
nA major application, general support system, high impact program, physical plant, mission
critical system, personnel, equipment, or a logically related group of systems.
nThreat
nAny circumstance or event with the potential to adversely impact organizational operations (including
mission, functions, image, or reputation), organizational assets, individuals, other organizations, or the
Nation through an information system via unauthorized access, destruction, disclosure, modification of
information, and/or denial of service.
nVulnerability
nWeakness in an information system, system security procedures, internal controls, or
implementation that could be exploited or triggered by a threat source.
13
nSecurity Policy
nA set of criteria for the provision of security services. It defines and constrains the activities of
a data processing facility in order to maintain a condition of security for systems and data.
nSystem Resource (Asset)
nA major application, general support system, high impact program, physical plant, mission
critical system, personnel, equipment, or a logically related group of systems.
nThreat
nAny circumstance or event with the potential to adversely impact organizational operations (including
mission, functions, image, or reputation), organizational assets, individuals, other organizations, or the
Nation through an information system via unauthorized access, destruction, disclosure, modification of
information, and/or denial of service.
nVulnerability
nWeakness in an information system, system security procedures, internal controls, or
implementation that could be exploited or triggered by a threat source.
13
Security Concepts and Relationships
14Image: Computer Security: Principle and Practice, 4th Edition, P30
14Image: Computer Security: Principle and Practice, 4th Edition, P30
Vulnerabilities and Attacks 1/2
15
15
Vulnerabilities and Attacks 2/2
16
16
Black Market Prices Quiz
nWhat is your hacked/stolen dataworth on the Black Market (as of March 2015)?
nEnter dollar amountsin the boxes next to the data.
3 digit security code on your credit card
Credit card information
PayPal/Ebayaccount
Health information
17
nWhat is your hacked/stolen dataworth on the Black Market (as of March 2015)?
nEnter dollar amountsin the boxes next to the data.
3 digit security code on your credit card
Credit card information
PayPal/Ebayaccount
Health information
17
Mindset Quiz
nWhat is the estimated value of world-wide losses due to cybercrimein 2021?
Less than $10 Billion (US)
Close to $500 Billion (US)
Trillions of US Dollars
18
nWhat is the estimated value of world-wide losses due to cybercrimein 2021?
Less than $10 Billion (US)
Close to $500 Billion (US)
Trillions of US Dollars
18
Thoughts
nWhy is the problem so difficult?
nWhat can be done about it?
nWhy is the problem so difficult?
nWhat can be done about it?
How to Address Cyber Security? 1/3
nThe three security objectives for information
nConfidentiality: Preserving authorized restrictions on information access and disclosure,
including means for protecting personal privacy and proprietary information. A loss of
confidentiality is the unauthorized disclosure of information.
nIntegrity: Guarding against improper information modification or destruction, including
ensuring information nonrepudiation and authenticity. A loss of integrity is the unauthorized
modification or destruction of information.
nAvailability: Ensuring timely and reliable access to and use of information. A loss of
availability is the disruption of access to or use of information or an information system.
20NIST standard FIPS 199
nThe three security objectives for information
nConfidentiality: Preserving authorized restrictions on information access and disclosure,
including means for protecting personal privacy and proprietary information. A loss of
confidentiality is the unauthorized disclosure of information.
nIntegrity: Guarding against improper information modification or destruction, including
ensuring information nonrepudiation and authenticity. A loss of integrity is the unauthorized
modification or destruction of information.
nAvailability: Ensuring timely and reliable access to and use of information. A loss of
availability is the disruption of access to or use of information or an information system.
20NIST standard FIPS 199
How to Address Cyber Security? 2/3
nMake threats go away (crime should not pay)
nPrevention
nDetection
nResponse
nRecovery and remediation
nPolicy (what) vs. mechanism (how)
21
nMake threats go away (crime should not pay)
nPrevention
nDetection
nResponse
nRecovery and remediation
nPolicy (what) vs. mechanism (how)
21
How to Address Cyber Security? 3/3
nReduce vulnerabilities
nFollow basic design principles for secure systems
nComplexity is the enemy (economy of mechanism)
nFail-safe defaults
nComplete mediation
nOpen Design
nLeast Privilege
nPsychological acceptability
n…
22
nReduce vulnerabilities
nFollow basic design principles for secure systems
nComplexity is the enemy (economy of mechanism)
nFail-safe defaults
nComplete mediation
nOpen Design
nLeast Privilege
nPsychological acceptability
n…
22
Security Mindset
nLearn to think with a “security mindset” in general
nWhat is “the system”?
nHow could this system be attacked?
nWhat is the weakest point of attack?
nHow could this system be defended?
nWhat threats am I trying to address?
nHow effective will a given countermeasure be?
nWhat is the trade-off between security, cost, and usability?
nLearn to think with a “security mindset” in general
nWhat is “the system”?
nHow could this system be attacked?
nWhat is the weakest point of attack?
nHow could this system be defended?
nWhat threats am I trying to address?
nHow effective will a given countermeasure be?
nWhat is the trade-off between security, cost, and usability?
Summary
nDifferences between securities
nSecurity concepts and relationships
nSecurity objectives
nHow to address cyber security
24
nDifferences between securities
nSecurity concepts and relationships
nSecurity objectives
nHow to address cyber security
24
“Security”
nMost of computer science is concerned with achieving desired behavior
nSecurity is concerned with preventing undesiredbehavior
nDifferent way of thinking!
nAn enemy/opponent/hacker/adversary who is activelyand maliciouslytrying to circumvent any
protective measures you put in place
nMost of computer science is concerned with achieving desired behavior
nSecurity is concerned with preventing undesiredbehavior
nDifferent way of thinking!
nAn enemy/opponent/hacker/adversary who is activelyand maliciouslytrying to circumvent any
protective measures you put in place
Why is Computer Security so Hard?
nComputer networks are “systems of systems”
nYour system may be secure, then the environment changes
nToo many things dependent on a small number of systems
nSociety is unwilling to trade off features for security
nEase of attacks
nCheap
nDistributed, automated
nAnonymous
nInsider threats
nSecurity not built in from the beginning
nHumans in the loop…
nComputers ubiquitous…
nComputer networks are “systems of systems”
nYour system may be secure, then the environment changes
nToo many things dependent on a small number of systems
nSociety is unwilling to trade off features for security
nEase of attacks
nCheap
nDistributed, automated
nAnonymous
nInsider threats
nSecurity not built in from the beginning
nHumans in the loop…
nComputers ubiquitous…
Computers are Everywhere…
n…and can always be attacked
nElectronic banking, social networks, e-voting
niPods, iPhones, PDAs, RFID transponders
nAutomobiles
nAppliances, TVs
n(Implantable) medical devices
nCameras, picture frames
n…and can always be attacked
nElectronic banking, social networks, e-voting
niPods, iPhones, PDAs, RFID transponders
nAutomobiles
nAppliances, TVs
n(Implantable) medical devices
nCameras, picture frames
A Naïve View
password
password
In Reality…
nWhere does security end?
password
forgot password?
nWhere does security end?
password
forgot password?
Security is Interdisciplinary
nDraws on allareas of CS
nTheory (especially cryptography)
nNetworking
nProgramming languages/compilers
nOperating systems
nDatabases
nAI/learning theory
nComputer architecture / hardware
nHCI, psychology
nDraws on allareas of CS
nTheory (especially cryptography)
nNetworking
nProgramming languages/compilers
nOperating systems
nDatabases
nAI/learning theory
nComputer architecture / hardware
nHCI, psychology
Security Mindset
nLearn to think with a “security mindset” in general
nWhat is “the system”?
nHow could this system be attacked?
nWhat is the weakest point of attack?
nHow could this system be defended?
nWhat threats am I trying to address?
nHow effective will a given countermeasure be?
nWhat is the trade-off between security, cost, and usability?
nLearn to think with a “security mindset” in general
nWhat is “the system”?
nHow could this system be attacked?
nWhat is the weakest point of attack?
nHow could this system be defended?
nWhat threats am I trying to address?
nHow effective will a given countermeasure be?
nWhat is the trade-off between security, cost, and usability?
Security as a Trade-off
nThe goal is not (usually) “to make the system as secure as possible”…
n…but instead, “to make the system as secure as possible within certain constraints”
(cost, usability, convenience)
nMilitary vs. personal networks
nMust understand the existing constraints
nE.g., passwords…
nThe goal is not (usually) “to make the system as secure as possible”…
n…but instead, “to make the system as secure as possible within certain constraints”
(cost, usability, convenience)
nMilitary vs. personal networks
nMust understand the existing constraints
nE.g., passwords…
Cost-benefit analysis
nImportant to evaluate what level of security is necessary/appropriate
nCost of mounting a particular attack vs. value of attack to an adversary
nCost of damages from an attack vs. cost of defending against the attack
nLikelihood of a particular attack
nSometimes the best security is to make sure you are not the easiest target for an
attacker…
nImportant to evaluate what level of security is necessary/appropriate
nCost of mounting a particular attack vs. value of attack to an adversary
nCost of damages from an attack vs. cost of defending against the attack
nLikelihood of a particular attack
nSometimes the best security is to make sure you are not the easiest target for an
attacker…
“More” security not always better
n“No point in putting a higher post in the ground when the enemy can go around it”
nNeed to identify the weakest link
nSecurity of a system is only as good as the security at its weakest point…
nSecurity is not a “magic bullet”
nSecurity is a process, not a product
n“No point in putting a higher post in the ground when the enemy can go around it”
nNeed to identify the weakest link
nSecurity of a system is only as good as the security at its weakest point…
nSecurity is not a “magic bullet”
nSecurity is a process, not a product
Tags
Categories
EducationDownload
Download Slideshow Get the original presentation fileQuick Actions
Statistics
- Views 14
- Slides 34
- Age 266 days
Related Slideshows
11
TLE-9-Prepare-Salad-and-Dressing.pptxkkk
MaAngelicaCanceran
32 views
12
LESSON 1 ABOUT MEDIA AND INFORMATION.pptx
JojitGueta
24 views
60
GRADE-8-AQUACULTURE-WEEKQ1.pdfdfawgwyrsewru
MaAngelicaCanceran
40 views
26
Feelings PP Game FOR CHILDREN IN ELEMENTARY SCHOOL.pptx
KaistaGlow
39 views
![Jeopardy_Figures_of_Speech_Template.pptx [Autosaved].pptx](https://slidepub.com/thumb/5828/284015828.jpg)
54
Jeopardy_Figures_of_Speech_Template.pptx [Autosaved].pptx
acecamero20
23 views
7
Jeopardy_Figures_of_Speech.pptxvdsvdsvsdvsd
acecamero20
24 views