Computer and Information Security
Lecture 1
Simen Hagen
Introduction
Course Description
This course builds on:
Operating Systems
Network and System Administration 1
Lectures and all class assignments will be in English.
10 ECTS
No final exam
The lectures
Lectures
Time: Wednesday, 08:30 - 10:15
Location: P35-PI257
Problem Classes (Øvingstimer)
Time: Tuesday, 12:30 - 14:15
Location: P35-PI257
Curriculum
Required Reading
This book is the curriculum:
Computer Security, Dieter Gollmann
All references, if not otherwise specified, will be to this book.
Curriculum
Required Reading, option 1
This book is the curriculum:
Introduction to Computer Security, Matt Bishop
This book covers the curriculum and is a good book, but it is a bit more detailed.
Curriculum
Required Reading, option 2
Computer Security: Art and Science, Matt Bishop
This book can be used instead of the other Bishop book.
It has even more information than the Bishop book on the previous slide.
Curriculum
Required Reading, option 3
Network Security Essentials: Applications and Standards, William Stallings
Have not been able to review it properly. Seems to have potential. Can be used in place of the others.
Curriculum
Optional Reading
Other books worth reading:
Secrets and Lies, Bruce Schneier
The Code Book, Simon Singh
The Art of Intrusion, Kevin Mitnick
My expectations
Course: 10 ECTS
Work week: 40 hours
Your work load: 13 hours 20 minutes every week
Handing in Work
When writing an answer, do not copy. This means that you may not copy from:
The Internet
Co-students
Work previously handed in by former students
Any other source, including, but not limited to:
Books
Magazines
Papers
Handing in Work
Legal ways to copy
You may “copy” others' work if you are:
Quoting (or citing)
Paraphrasing
Rephrasing
But only do this on short sections.
Definition (Quote): “Repeat or copy out, typically with an indication that one is not the original author or speaker.”
Definition (Paraphrase): “Express the meaning of the writer using different words.”
Definition (Rephrasing): “Express in an alternative way, especially with the purpose of changing the detail or perspective of the original idea.”
Handing in Work
Do it, and do it well
Discuss with fellow students. Research your questions. Do the work by yourself.
Do not just copy from others.
Computers and Security
Security is security, whether it is on a computer or not. The principles are general.
We want to protect our assets. So what is valuable to us?
Money
Information
Freedom of speech
...
Risk and Certainty
There is always an element of risk.
What level of risk can we accept?
We want to protect our property or interest: restrict or grant access.
Risk and Certainty
Criteria for measuring computer security:
Confidentiality/Privacy: The ability to keep things private/confidential.
Trust: Can we trust this data?
Authenticity: Are we talking with whom we think we are talking?
Integrity: Is the system compromised/altered?
Non-repudiation: It should not be possible to deny having done an action.
Threats to the system
Physical Threats
The environment that the computer is a part of can be dangerous.
Weather: rain, lightning
Natural disasters: flood, earthquake, hurricane
Power failures
Threats to the system
Human Threats
Humans can be dangerous to computer systems.
Stealing
Trickery
Bribery
Hacking
Spying
Sabotage
Accident
etc.
Threats to the system
Software threats
Computers can be a threat to other computers. Malicious software is a huge problem.
Virus
Trojan Horses
Logic Bombs
Threats to the system
What are the risks?
As mentioned, there are many threats to the system. So what do we stand to lose?
We might lose:
the control of the system
the ability to use the system
privacy (e.g. private or sensitive information)
data (deleted files)
face/reputation
money
Goals of security
Prevention
Detection
Recovery
Security Mantra
Security Mantra #1
Every problem in security boils down to a question of trust.
Who or what do we trust?
So what do we trust?
Predictability
We trust things that are predictable. We believe we are secure if we trust.
Security Mantra
Security Mantra #2
Security is a property of systems.
Security should be designed or built into the system from the start.
Where do we need security?
User Interface
Functionality
Algorithms/Methods
System calls
Hardware
Communication
What can we do to be secure?
Failure
All systems fail. We have to make sure that they fail predictably.
Main theme
What can we do to ensure predictability?
What can we do to be secure?
Create protocols
Limit functionality
Standardise:
Behaviour
Interface
Communication
Policy
Definition (From Merriam-Webster Online)
a: a definite course or method of action selected from among alternatives and in light of given conditions to guide and determine present and future decisions
b: a high-level overall plan embracing the general goals and acceptable procedures especially of a governmental body
Definition (From Wikipedia)
A policy is a plan of action for tackling issues.
Security policy
Definition (Policy)
A security policy is a statement of what is, and what is not, allowed.
Policy
There are several challenges with making policies:
We have to state what we value.
We do not always agree on what is valuable.
Security is often inconvenient.
Management is necessary (assignment and control of privileges).
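As an added illustration (not from the lecture) of a policy being "a statement of what is, and what is not, allowed", the small evaluator below encodes a constructed policy as allow/deny rules, enforces it (prevention), records every decision (detection), and fails predictably by denying any request the policy says nothing about. The subjects, actions and file name are made-up sample values.

```python
from dataclasses import dataclass

# Constructed policy: each rule is (subject, action, object).
# Anything not listed here is NOT allowed, so the system's failure
# mode for an unforeseen request is predictable: deny.
ALLOW_RULES = {
    ("alice", "read", "grades.csv"),
    ("alice", "write", "grades.csv"),
    ("bob", "read", "grades.csv"),
}

# Explicit denials override allows. This is how a privilege is
# revoked (management of privileges) without editing every allow rule.
DENY_RULES = {
    ("bob", "read", "grades.csv"),
}


@dataclass
class Decision:
    allowed: bool
    reason: str


def evaluate(subject: str, action: str, obj: str) -> Decision:
    """Apply the policy to one request: deny > allow > default deny."""
    request = (subject, action, obj)
    if request in DENY_RULES:
        return Decision(False, "explicitly denied")
    if request in ALLOW_RULES:
        return Decision(True, "explicitly allowed")
    return Decision(False, "no matching rule: default deny")


def check_and_log(subject: str, action: str, obj: str, audit: list) -> bool:
    """Prevention: enforce the decision. Detection: append every decision
    to the audit trail so a denied attempt leaves a trace."""
    decision = evaluate(subject, action, obj)
    verdict = "ALLOW" if decision.allowed else "DENY"
    audit.append(f"{verdict} {subject} {action} {obj} ({decision.reason})")
    return decision.allowed


if __name__ == "__main__":
    trail: list = []
    check_and_log("alice", "write", "grades.csv", trail)
    check_and_log("bob", "read", "grades.csv", trail)
    check_and_log("carol", "read", "grades.csv", trail)  # unknown subject
    print("\n".join(trail))
```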
Final thoughts
Do you trust the information in this course?
Do you trust the identity and authenticity of the source?
Can you verify that I am who I say I am?
Do I have a hidden agenda?
How much proof is enough?