While you are waiting for the session to start, familiarise yourself with the OWASP website: https://owasp.org/
What is OWASP about?
Find any events that you can attend virtually.
Introduction to Module
By
Dr. Imran Ullah Khan
Informatics, University of Sussex
Structure of the Module
Lectures:
Tuesday: 16:00-17:00, Zoom
Friday: 09-10am, Zoom
Labs:
Monday: 3-5pm, Zoom and Google sheet By Aamir
Tuesday: 9-11am, Zoom and Google sheet by Zickey
Wednesday: 11-1pm, Zoom and Google sheet by Zickey
Friday: 3-5pm, Zoom and Google sheet By Aamir
Any knowledge gained in this module must NOT be applied to unauthorised targets.
Lectures and Labs
Stay on mute.
You don't need to turn on the camera.
In Lab session
The lab assistant will be available on Zoom and in the Google sheet.
You can ask any question either on Zoom or in the Google sheet; the Google sheet provides the option to be anonymous.
Assessment:
50% coursework: released in week 9; you will have three weeks to complete it, i.e. until the end of week 11.
50% final exam: computer-based exam (Jan 2020).
Both of these components will be discussed in detail in Week 7 when we will have covered a large part of the module.
Learning aims of the module
Systematically discuss key dimensions of computer security (e.g. secrecy, authentication, integrity, anonymity), and their relationship to the main threats and attack techniques relevant to computer security.
Systematically describe the main building blocks of cryptography (e.g. public and private key encryption, cryptographic hashing), and their relationship with the key dimensions of computer security from LO1.
Deploy up-to-date tools and techniques for finding vulnerabilities in computer systems. Draft security policies and implement policy enforcement processes and mechanisms.
Design secure computer systems by using established computer security principles.
This module is NOT about
Ethical hacking
Web penetration
Network security
However, it does cover these things to some extent.
Once you have the basic knowledge and the concepts are clear to you, you can build on what you have gained in this module.
Computer security is a huge topic; we can't cover everything.
Rough Schedule
Weeks 1 to 11, in order: theory, concepts and types of malware; cryptography; software security, including web security; incident response; security laws; review.
Module Covers
Principles and basic concepts of security
Cryptography including hashing
Vulnerabilities of applications: XSS, SQLi, Buffer overflows etc
Incident response: policies and frameworks
Laws related to cyber crimes: GDPR, Fraud acts etc
May cover digital forensics
Security is a wide topic; we cannot cover everything.
Lab set up to cover software security
Two options: AWS or VirtualBox.

AWS – Amazon Web Services
AWS Educate account vs other account options
Kali Linux
Targets:
a) Vulnerable web application – DVWA
b) Windows OS running a vulnerable application
Advantages:
1) AWS is booming
2) AWS provides support; though it is limited and only related to EC2 instances, it is still very useful
Disadvantages:
1) Slow speed
2) Not much support in online forums/chats
3) Practice or testing without clear guidelines is hard

VirtualBox
Kali Linux
Targets:
a) Web application – DVWA
b) Windows OS running a vulnerable application
Advantages:
1) Fast
2) Lots of online support, videos on YouTube
3) Will suit the independent learner
Disadvantages:
1) I will not cover it directly in my lab notes as there is lots of support available. I will provide some useful references.
Job prospect of security experts
Information security experts, cyber security specialists, pen testing experts, security advisers etc.
Market worth: UK market largest in Europe, $5.5 billion.
General Data Protection Regulation (GDPR) will drive future spending on cyber security as companies seek to comply with the regulation.
Courses you might be interested in
Free Open University course: Introduction to Cyber Security
https://www.futurelearn.com/courses/introduction-to-cyber-security
8 weeks, 3 hours per week
Next intake: check its date online
£62 for unlimited access to resources and a certificate of achievement
APMG exam
Cyber security challenge
https://www.cybersecuritychallenge.org.uk/
Companies bounty programs/Challenges
https://www.microsoft.com/en-us/msrc/bounty
https://developer.apple.com/security-bounty/
There are hundreds of bounty programs; check for other SMEs too.
The NIST Internal/Interagency Report NISTIR 7298 (Glossary of Key Information Security Terms, May 2013) defines the term computer security as follows:
"Measures and controls that ensure confidentiality, integrity, and availability of information system assets including hardware, software, firmware, and information being processed, stored, and communicated."
This definition introduces three key objectives that are at the heart of computer security:
• Confidentiality: This term covers two related concepts:
— Data confidentiality: Assures that private or confidential information is not made available or disclosed to unauthorized individuals.
— Privacy: Assures that individuals control or influence what information related to them may be collected and stored and by whom and to whom that information may be disclosed.
• Integrity: This term covers two related concepts:
— Data integrity: Assures that information and programs are changed only in a specified and authorized manner.
— System integrity: Assures that a system performs its intended function in an unimpaired manner, free from deliberate or inadvertent unauthorized manipulation of the system.
• Availability: Assures that systems work promptly and service is not denied to authorized users.
Beyond the CIA triad, two further objectives are commonly mentioned:
• Authenticity: The property of being genuine and being able to be verified and trusted; confidence in the validity of a transmission, a message, or message originator. This means verifying that users are who they say they are and that each input arriving at the system came from a trusted source.
• Accountability: The security goal that generates the requirement for actions of an entity to be traced uniquely to that entity. This supports nonrepudiation, deterrence, fault isolation, intrusion detection and prevention, and after-action recovery and legal action. Because truly secure systems are not yet an achievable goal, we must be able to trace a security breach to a responsible party. Systems must keep records of their activities to permit later forensic analysis to trace security breaches or to aid in transaction disputes.
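To make the integrity, authenticity and accountability objectives above concrete, here is an added Python example; it is not part of the slides or of the NIST/FIPS texts they quote. It implements a small tamper-evident audit log: each record names the acting entity, is chained to the previous record by a SHA-256 digest, and carries an HMAC, so an unauthorized modification, a forged record or a deleted record is detected on verification and every surviving action can be traced to its actor. The key, the actor names and the actions are constructed placeholders.

```python
"""Tamper-evident audit log illustrating the integrity, authenticity and
accountability objectives (added example, not course material)."""
import hashlib
import hmac
import json

# Constructed placeholder key; a real deployment would load it from a secret store.
LOG_KEY = b"example-audit-log-key-not-for-production"

GENESIS = "0" * 64  # digest used as the predecessor of the first record


def _entry_digest(prev_hash: str, actor: str, action: str) -> str:
    """Chain each record to its predecessor so deletions and reordering are visible."""
    payload = json.dumps({"prev": prev_hash, "actor": actor, "action": action},
                         sort_keys=True).encode()
    return hashlib.sha256(payload).hexdigest()


def _entry_tag(digest: str, key: bytes = LOG_KEY) -> str:
    """MAC over the chained digest: only a key holder can produce a valid record."""
    return hmac.new(key, digest.encode(), hashlib.sha256).hexdigest()


def append_entry(log: list, actor: str, action: str, key: bytes = LOG_KEY) -> dict:
    """Record an action attributed to a named entity (accountability)."""
    prev_hash = log[-1]["digest"] if log else GENESIS
    digest = _entry_digest(prev_hash, actor, action)
    entry = {"actor": actor, "action": action, "prev": prev_hash,
             "digest": digest, "tag": _entry_tag(digest, key)}
    log.append(entry)
    return entry


def verify_log(log: list, key: bytes = LOG_KEY):
    """Return (ok, index_of_first_bad_entry).

    ok is True only when every record chains to its predecessor, recomputes to
    its stored digest (integrity) and carries a MAC made with our key
    (authenticity)."""
    prev_hash = GENESIS
    for i, entry in enumerate(log):
        if entry["prev"] != prev_hash:
            return False, i  # chain broken: a record was removed or reordered
        digest = _entry_digest(prev_hash, entry["actor"], entry["action"])
        if digest != entry["digest"]:
            return False, i  # stored fields were modified after the fact
        if not hmac.compare_digest(entry["tag"], _entry_tag(digest, key)):
            return False, i  # record was not produced by a key holder
        prev_hash = digest
    return True, None


def actions_by(log: list, actor: str) -> list:
    """Trace recorded actions back to one entity (the accountability requirement)."""
    return [e["action"] for e in log if e["actor"] == actor]


def demo() -> list:
    """Build a constructed log, show the three failure modes, return alice's actions."""
    log = []
    append_entry(log, "alice", "read customer_record_17")
    append_entry(log, "bob", "update payroll_table")
    append_entry(log, "alice", "export report.csv")
    assert verify_log(log) == (True, None)

    # Unauthorized modification of a stored record (loss of integrity).
    tampered = [dict(e) for e in log]
    tampered[1]["actor"] = "alice"  # attempt to pin bob's action on alice
    assert verify_log(tampered) == (False, 1)

    # A record produced without the key (loss of authenticity).
    forged = [dict(e) for e in log]
    append_entry(forged, "mallory", "delete audit_log", key=b"wrong-key")
    assert verify_log(forged) == (False, 3)

    # Removing a record breaks the chain at the record that followed it.
    truncated = log[:1] + log[2:]
    assert verify_log(truncated) == (False, 1)

    return actions_by(log, "alice")


if __name__ == "__main__":
    print(demo())
```

The MAC gives authenticity only among holders of the shared key; nonrepudiation in the strict sense (a record the actor alone could have produced) would need per-actor asymmetric signatures instead.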
Key Security Concepts
FIPS 199 provides a useful characterization of these three objectives in terms of requirements and the definition of a loss of security in each category:
• Confidentiality: Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information. A loss of confidentiality is the unauthorized disclosure of information.
• Integrity: Guarding against improper information modification or destruction, including ensuring information non-repudiation and authenticity. A loss of integrity is the unauthorized modification or destruction of information.
• Availability: Ensuring timely and reliable access to and use of information. A loss of availability is the disruption of access to or use of information or an information system.
Confidentiality: Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information
Integrity: Guarding against improper information modification or destruction, including ensuring information nonrepudiation and authenticity
Availability: Ensuring timely and reliable access to and use of information
Figure 1.1 Essential Network and Computer Security Requirements
[Figure 1.1 diagram: "Data and services" at the centre, surrounded by the five requirements Confidentiality, Integrity, Availability, Authenticity and Accountability]