
Overview of Computer Security Evolution
This content provides a detailed timeline of computer security evolution from the 1970s to the 2000s, covering significant milestones such as the development of encryption algorithms, key distribution systems, emergence of malware, and the integration of security into various computing domains. It showcases the evolution of security research, methodologies, and the increasing importance of security in modern computing landscapes, with connections to diverse disciplines like law, sociology, and psychology.
Presentation Transcript
Computer security overview
Tuomas Aura
CSE-C3400 Information security
Aalto University, autumn 2014

Outline
- Timeline of computer security
- What is security anyway?

70s
- Multi-user operating systems → need for protection
- Access control models: multi-level security, Bell-LaPadula 1976, Biba 1977
- DES encryption algorithm 1976 → cryptanalysis, need for key distribution
- Public-key cryptosystems: Diffie-Hellman 1976, RSA 1978
- Key distribution: certificates 1978
- Key exchange protocols: Needham-Schroeder 1978

80s
- Anonymity, Chaum's mixes 1981, anonymous payment 1982
- Orange Book 1985: mandatory access control
- Commercial security models from accounting and auditing rules: Clark-Wilson 1987
- X.509 PKI 1988
- IBM PC → software copy protection → floppy disk virus 1987
- Internet → Morris worm 1988

90s
- More methodological approach to security research:
  - Information flow security
  - Secure operating systems: SEVMS until 1996
  - Formal analysis of key exchange protocols
- Wider availability of cryptography
- GSM cellular network 1991
- Open-source cryptography: PGP 1991
- Password sniffers → SSH 1995
- Commercial Internet → SSL and VeriSign CA 1995
- RSA patent expired in 2000
- Windows 95 → insecure PCs connected to Internet
- Spam: Canter and Siegel 1994
- PKI criticism → trust management research
- Research on intrusion detection
- Macro virus: Melissa 1999
- DRM

2000s
- Malware
- Fast-spreading Internet worms: Code Red 2001 → secure programming, safe languages, security analysis and testing tools
- Botnets, spyware, malware analysis
- Computer crime: phishing
- Total information awareness 2002-
- Mobile device operating systems, app permissions
- Enterprise identity management
- Research on security in mobility, ad hoc networks, sensor networks
- Security has become an integral part of most areas of computing and computer science
- Connections to law, sociology, psychology, management, usability, design
- Social networks, privacy concerns

2010s
- Cyber defense and attack
- Stuxnet 2010, malware business, government sponsors
- Snowden 2013, PRISM (2007-)
- Advanced persistent threat
- Flaws still found in key security technologies: Heartbleed 2014, fake SSL certificates
- Critical infrastructure protection, smart grid security
- Mobile app security, cloud computing
- Mobile payments
- Bitcoin, ransomware
- Research on Internet of Things, vehicular communication
- What else?

What is security
- When talking about security, we are concerned about bad events caused with malicious intent
- Security vs. reliability
- Terminology:
  - Threat = bad event that might happen
  - Attack = someone intentionally causes the bad thing to happen
  - Vulnerability = weakness in an information system that enables an attack
  - Exploit = implementation of an attack
  - Risk = probability of an attack × damage in dollars
- Security is a non-functional property of a system

Security Goals
- CIA = confidentiality, integrity, availability
  - Confidentiality: protection of secrets
  - Integrity: only authorized modification of data and system configuration
  - Availability: no denial of service, business continuity
- Examples: secret agent names, web server
- The CIA model is a good starting point but not all:
  - Access control: no unauthorized use of resources
  - Privacy: control of personal data and space
  - What else?

Security is a continuous process
- Continuous race between attackers and defenders
- Attackers are creative
- No security mechanisms will stop all attacks; attackers just move to new methods and targets
- Some types of attacks can be eliminated but others will take their place
- Compare with crime statistics: Do locks or prisons reduce crime in the long term?
- Security mechanisms will fail and new threats will arise
  - Monitoring and auditing for new attacks
  - Contingency planning: how to recover from a breach

Cost vs. benefit
- Rational attackers compare the cost of an attack with the gains from it
- Attackers look for the weakest link; thus, little is gained by strengthening the already strong bits
- Rational defenders compare the risk of an attack with the cost of implementing defenses
- Lampson: Perfect security is the enemy of good security
- But human behavior is not always rational:
  - Attackers follow each other and flock all to the same path
  - Defenders buy a peace of mind; avoid personal liability by doing what everyone else does
  - Many things are explained better by group behavior than rational choice

Who is the attacker?
- We partition the world into good and bad entities
  - Honest parties vs. attackers, red vs. blue
  - Good ones follow specification, bad ones do not
  - Different partitions lead to different perspectives on the security of the same system
- Typical attackers:
  - Curious or dishonest individuals, for personal gain
  - Friends and family
  - Hackers, crackers, script kiddies, for challenge and reputation
  - Companies, for business intelligence and marketing
  - Organized criminals, for money
  - Governments and security agencies: NSA, SVR, GCHQ, DGSE, etc.
  - Military SIGINT: strategic and tactical intelligence, cyber defense
- Insiders are often the greatest threat
  - Employee, administrator, service provider, customer, family member
- Often, not all types of attackers matter
  - Who would you not want to read your diary or email?

Reading material
- Dieter Gollmann: Computer Security, 2nd ed. chapters 1-2; 3rd ed. chapters 1 and 3
- Matt Bishop: Introduction to computer security, chapter 1 (http://nob.cs.ucdavis.edu/book/book-intro/intro01.pdf)
- Edward Amoroso: Fundamentals of Computer Security Technology, chapter 1
- Ross Anderson: Security Engineering, 2nd ed., chapter 1 (1st ed. http://www.cl.cam.ac.uk/~rja14/Papers/SE-01.pdf)

Exercises
- What security threats and goals are there in the postal (paper mail) system?
  - What different entities are there in the postal system? Do they have the same or different security concerns?
  - Who could be the attacker? Does the answer change if you think from a different entity's viewpoint? Who are insiders?
  - Can you think of attacks where it is necessary for two or more malicious parties to collude?
- What is the role of laws and punishment in computer security?
- Can the development of information security technology be unethical, or is engineering value neutral? Give examples.
- When is it (or when could it be) ok for you to attack against IT systems? Give examples.
- How do the viewpoints of security practitioners (e.g. system admin or company security officer) differ from academic researchers?
- How have the Snowden leaks in 2013 changed the overall picture of information security?