CMPUT 299 Security in a Networked World
Description
Revised: November 22nd, 2007
As the saying goes: "a chain is as strong as its weakest link" and nothing could better describe the situation with the security of todays network-centric computing infrastructure and the vast number of applications and services relying on it. In our case, the "chain" is an assemblage of protocols, physical communication links, devices (hosts, routers, mobile phones, etc.), executable code (servers, client-side scripts, etc.), and (not to forget) human users. All elements of the chain need to be trustworthy. Yet, each and every one of them is a source of potential vulnerabilities. Examples include malfunctioning code (intentionally, i.e. malware, or accidentally, i.e., buggy software), unprotected communication channels (e.g., wireless channels), etc.
The security problem is multi-faceted and we will encounter cases where the weakest link happens to be the user. Note that it is virtually impossible for a casual user to explicitly check the trustworthiness of each and every element in the networked-system chain. Users end up trusting systems, without necessarily knowing them. An objective is to have automated security mechanisms that are transparent to the user. We will discuss how such mechanisms are implemented. However, convenience of the users is not always a good guide, since users, instead of being vigilant, become sloppy, tired, and careless. A secure system must balance the level of user discomfort it might introduce with the value of the information assets it protects. In todays world, the value of information assets can translate to billions of dollars, and can be even linked with critical systems, yet a single weak password at a key system might be enough to bring it down.
Intrusions to networked information systems are becoming increasingly sophisticated (while less refined exploitations are still in abundance) and understanding how they are possible and what are the usual remedies should be a key component of any Computing Science curriculum. The purpose of the course is to take you on the grand tour of the "chain" and to point out the problems and weaknesses frequently encountered. You will learn about the tools that help identify, and fix, security problems. As an alternative to the "arms race" of fixing what is found "broken" we will also discuss what principles we should adhere to in the first place to build secure systems. We will frequently present solutions that rely on cryptography but we will also point out that cryptography alone is not the solution. It is a tool that needs to be applied the right way. In fact, when applied the wrong way, it provides a false sense of security that is more damaging because it discourages vigilance. A perfect example from the recent past of cryptography applied the wrong way is the WEP encryption scheme that is still being used by many wireless local area networks.
© 2007, Ioanis Nikolaidis
