a brief introduction to information security
play

A brief introduction to information security Part II Tyler Moore - PDF document

Sep 03, 2022 •227 likes •369 views

Notes A brief introduction to information security Part II Tyler Moore Computer Science & Engineering Department, SMU, Dallas, TX August 28 & 30, 2012 Engineered defenses to achieve protection goals Security threats Countering

  1. Notes A brief introduction to information security Part II Tyler Moore Computer Science & Engineering Department, SMU, Dallas, TX August 28 & 30, 2012 Engineered defenses to achieve protection goals Security threats Countering security threats Notes Outline Engineered defenses to achieve protection goals 1 Threat models Access control for system security Cryptography for communication security Security threats 2 System vulnerabilities: violating engineering assumptions Cryptanalysis: violating physical or mathematical assumptions Violating assumptions about attacker behavior Violating assumptions about defender behavior Countering security threats 3 Ex post countermeasures Ex ante countermeasures 2 / 57 Engineered defenses to achieve protection goals Security threats Countering security threats Notes Let’s recap last time Safety vs. security Information security protection goals Confidentiality : information is accessible only to authorized 1 parties Integrity : modification of information can be detected 2 Availability : authorized parties can access information (and 3 use resources) when and where it is needed Identification vs. authentication vs. authorization Computer systems and networks 3 / 57 Engineered defenses to achieve protection goals Security threats Countering security threats Notes Information security overview Protection Goals Confidentiality Integrity Availability Satisfy goals 2. Security threats 3. Countering security threats 1. Engineer defenses 4 / 57

  2. Engineered defenses to achieve protection goals Threat models Security threats Access control for system security Countering security threats Cryptography for communication security Notes Engineered defenses to achieve protection goals Protection Goals Confidentiality Integrity Availability Satisfy goals 2. Security threats 3. Countering security threats 1. Engineer defenses 6 / 57 Engineered defenses to achieve protection goals Threat models Security threats Access control for system security Countering security threats Cryptography for communication security Notes Threat models All security is relative, but relative to what? ⇒ Threat models codify assumed adversary behavior Threat models articulate assumed adversary behavior Goal : disrupting defender’s protection goals, make money, 1 wreak havoc Knowledge : does the attacker know how the defense works? 2 Capabilities : Computational power available, time available to 3 target defenders, local vs. global eavesdropping, active vs. passive Question: could a threat model be fully specified by assuming a certain level of financial resources available to the adversary? 7 / 57 Engineered defenses to achieve protection goals Threat models Security threats Access control for system security Countering security threats Cryptography for communication security Notes Access control Recall claim from last class: authorization decision is the fundamental challenge of security engineering Access control is how computer systems enforce authorization decisions ⇒ definition: ensuring that authorized user can access and modify only those resources to which he is entitled 8 / 57 Engineered defenses to achieve protection goals Threat models Security threats Access control for system security Countering security threats Cryptography for communication security Notes The rise of the superuser Operating systems (OSes) separate processes that run the OS from processes run by users OS processes have many powers – reading all communications, installing software, etc. These powers can readily be abused by a malicious software designer Solution: create a superuser that can have OS-level capabilities, constrain what regular users can do 9 / 57

  3. Engineered defenses to achieve protection goals Threat models Security threats Access control for system security Countering security threats Cryptography for communication security Notes Operating System Security prevent side channels P i process i and covert channels R j resource j P 2 P 1 P 3 enforce authorization decisions KERNEL for inter-process communication and resource access R 3 R 1 R 2 Same principle on higher layers: virtualization , sandboxes , . . . 10 / 57 Engineered defenses to achieve protection goals Threat models Security threats Access control for system security Countering security threats Cryptography for communication security Notes Sharing resources: mandatory vs. discretionary access control Mandatory access control (MAC) Sysadmin decides what processes should read and write to others in accordance with a security policy Example security policy: two levels (hi and low) no read up: low cannot read hi no write down: hi cannot write to low Under MAC, OS enforces consistent policy to all files and processes in a “top-down” fashion + Consistent policies easier to enforce when baked into the OS - Inflexible policies encourage workarounds to get work done 11 / 57 Engineered defenses to achieve protection goals Threat models Security threats Access control for system security Countering security threats Cryptography for communication security Notes Discretionary access control (DAC) DAC a “bottom-up” approach to access control File owners set access control policies (e.g., which users can read, write or execute given files) OS then enforces the permissions set by the owner + Offers great flexibility in how files and processes can be accessed - Enforcing consistent policies harder - Makes user-account takeovers potentially more harmful 12 / 57 Engineered defenses to achieve protection goals Threat models Security threats Access control for system security Countering security threats Cryptography for communication security Notes Principle of least privilege Principle of least privilege : any file or process should be assigned the minimum level of permissions needed in order to complete required task + Limits the damage a process can cause others - Conflicts with desire to make systems easy-to-use and adaptable Question: what incentive conflict does a programmer face when requesting privileges? 13 / 57

  4. Notes Engineered defenses to achieve protection goals Threat models Security threats Access control for system security Countering security threats Cryptography for communication security Notes Cryptography Protecting information on a computer system is necessary but not sufficient to meet protection goals Must also protect communications between systems Cryptography (crypto for short) can be used to ensure confidentiality and integrity of communications 15 / 57 Engineered defenses to achieve protection goals Threat models Security threats Access control for system security Countering security threats Cryptography for communication security Notes Recall the broker example from last time Exchange Broker � BUY,200,GOOG,$600.25 � 16 / 57 Engineered defenses to achieve protection goals Threat models Security threats Access control for system security Countering security threats Cryptography for communication security Notes Crypto traditionally refers to Alice and Bob Alice Bob I love your music hate Mallory Eve 17 / 57

  5. Engineered defenses to achieve protection goals Threat models Security threats Access control for system security Countering security threats Cryptography for communication security Notes Crypto B.C. Julius Caesar enciphered messages by shifting letters by three Those receiving the message knew to shift back Plaintext: THISISIMPORTANT Caesar Secret key: DDDDDDDDDDDDDDD Ciphertext: WKLVLVLPSRUWDQW 18 / 57 Engineered defenses to achieve protection goals Threat models Security threats Access control for system security Countering security threats Cryptography for communication security Notes Vigen` ere cipher Shift each letter by a different amount, repeating after n letters Plaintext: THISISIMPORTANT Vigen` ere Secret key: DABDABDABDABDAB Ciphertext: WHJVITLMQRRUDNU 19 / 57 Engineered defenses to achieve protection goals Threat models Security threats Access control for system security Countering security threats Cryptography for communication security Notes One-time pad Shift each letter by a different amount, never repeating Plaintext: THISISIMPORTANT One-time pad Secret key: DABHJIZXEBTULQP Ciphertext: WHJZRAHJTPKNLDI Question: what is the key length? 20 / 57 Engineered defenses to achieve protection goals Threat models Security threats Access control for system security Countering security threats Cryptography for communication security Notes Symmetric cryptography Key distribution center k AB k AB Alice Bob { I love your music } k AB 21 / 57

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Introduction to information security Lecture #1 Security in Organizations 2011 Eric Verheul 1

Introduction to information security Lecture #1 Security in Organizations 2011 Eric Verheul 1

Introduction to information security Lecture #1 Security in Organizations 2011 Eric Verheul 1 Outline The lectures I will give Information Security events in the media What is Information Security? Recap Study for next

749 views • 45 slides
Security 101 Definition of Information Security Information security is the protection of

Security 101 Definition of Information Security Information security is the protection of

Computing Services Information Security Office Security 101 Definition of Information Security Information security is the protection of information and systems from unauthorized access, disclosure, modification, destruction or disruption. The

469 views • 22 slides
System Security I: Introduction TDDD17 Information Security, Second Course Ulf Kargn

System Security I: Introduction TDDD17 Information Security, Second Course Ulf Kargn

System Security I: Introduction TDDD17 Information Security, Second Course Ulf Kargn Department of Computer and Information Science Linkping University System Security 2 Security in computer systems Hardware (System)

838 views • 56 slides
Introduction to Information Security CODATA School Hannah Short (CERN), Sebastian Lopienski

Introduction to Information Security CODATA School Hannah Short (CERN), Sebastian Lopienski

Introduction to Information Security CODATA School Hannah Short (CERN), Sebastian Lopienski (CERN) August 12, 2018 Introduction to Information Security 2 Lecturers These slides have been compiled by members of the CERN Computer Security Team

948 views • 66 slides
Information Technology Security Presentation to Joint Legislative Committee on Information

Information Technology Security Presentation to Joint Legislative Committee on Information

Information Technology Security Presentation to Joint Legislative Committee on Information Technology Oversight Chip Moore State Chief Information Security Officer Office of Information Technology Services December 13, 2012 Introduction

353 views • 12 slides
HOW TO WRITE AN INFORMATION SECURITY POLICY INTRODUCTION This section is intended to help you

HOW TO WRITE AN INFORMATION SECURITY POLICY INTRODUCTION This section is intended to help you

HOW TO WRITE AN INFORMATION SECURITY POLICY INTRODUCTION This section is intended to help you produce an information security policy. Some of the information contained here is of a particularly detailed and complex nature and may not, therefore,

469 views • 8 slides
Introduction to the course Information Security Daniel Bosk Department of Information Systems

Introduction to the course Information Security Daniel Bosk Department of Information Systems

Scope and aims Course structure and content overview Course content Assessment Introduction to the course Information Security Daniel Bosk Department of Information Systems and Technology Mid Sweden University, Sundsvall School of

801 views • 29 slides
Introduction to Security Prof. Tom Austin San Jos State University Why should we learn about

Introduction to Security Prof. Tom Austin San Jos State University Why should we learn about

CS 166: Information Security Introduction to Security Prof. Tom Austin San Jos State University Why should we learn about information security? Computer Security in the News Computer Crime for Fun & Profit Attackers have gone from

942 views • 48 slides
So You Want to Be an Information Security Officer? Presented by: Art Bakke Information Security

So You Want to Be an Information Security Officer? Presented by: Art Bakke Information Security

So You Want to Be an Information Security Officer? Presented by: Art Bakke Information Security Officer Background Personal Starion Bank Arts Goals Highlight the typical responsibilities of an Information Security Officer from

778 views • 22 slides
17Nov19 Information Security Essentials Recognizing Threats in Your Daily Routine This

17Nov19 Information Security Essentials Recognizing Threats in Your Daily Routine This

17Nov19 Information Security Essentials Recognizing Threats in Your Daily Routine This module will teach you what is information security, how to identify and avoid potential security risks in the workplace and beyond. 1 Introduction

406 views • 7 slides
DIGITAL PLANETS SECURITY SOLUTION INTRODUCTION OUR OFFERED SERVICES Vulnerability Security

DIGITAL PLANETS SECURITY SOLUTION INTRODUCTION OUR OFFERED SERVICES Vulnerability Security

DIGITAL PLANETS SECURITY SOLUTION INTRODUCTION OUR OFFERED SERVICES Vulnerability Security Information Assessment Brand Operation Consultancy & Security Protection Penetration Awareness Centre Testing External Networks

474 views • 44 slides
INFORMATION SECURITY AWARENESS Information Security Education & Awareness Team C-DAC

INFORMATION SECURITY AWARENESS Information Security Education & Awareness Team C-DAC

Leading a Secured Digital Life. INFORMATION SECURITY AWARENESS Information Security Education & Awareness Team C-DAC Hyderabad keeping yourself and your family safe in a tech driven world Ministry of Electronics & Information

510 views • 11 slides
11/15/2012 Storage of Classified Information DoD Information Security Program 1 Information

11/15/2012 Storage of Classified Information DoD Information Security Program 1 Information

11/15/2012 Storage of Classified Information DoD Information Security Program 1 Information Security Webinar Storage of Classified Information Host: Treva Alexander, SAPPC Information Security Course Manager, DSS - CDSE Gained experience in

329 views • 14 slides
Information System Security Chapter 1:Introduction Dr. Loai Tawalbeh Faculty of Information

Information System Security Chapter 1:Introduction Dr. Loai Tawalbeh Faculty of Information

Information System Security Chapter 1:Introduction Dr. Loai Tawalbeh Faculty of Information system and Technology, The Arab Academy for Banking and Financial Sciences. Jordan Dr. Loai Tawalbeh summer 2006 Chapter 1 Introduction

253 views • 10 slides
Introduction to Web Application Security Professor Larry Heimann Web Application Security

Introduction to Web Application Security Professor Larry Heimann Web Application Security

Introduction to Web Application Security Professor Larry Heimann Web Application Security Information Systems Course Business Course site: http://67327.cmuis.net Schedule Reading Assignments in-class labs -- laptops w/ 272

981 views • 10 slides
Introduction to Web Application Security Professor Larry Heimann Web Application Security

Introduction to Web Application Security Professor Larry Heimann Web Application Security

Introduction to Web Application Security Professor Larry Heimann Web Application Security Information Systems Course Business Course site: https://67327.cmuis.net Schedule Reading Assignments in-class labs -- laptops w/ 272

1.31k views • 11 slides
27/05/2014 1 27/05/2014 2 27/05/2014 3 27/05/2014 4 27/05/2014 Pr Progr ogram Descr

27/05/2014 1 27/05/2014 2 27/05/2014 3 27/05/2014 4 27/05/2014 Pr Progr ogram Descr

27/05/2014 1 27/05/2014 2 27/05/2014 3 27/05/2014 4 27/05/2014 Pr Progr ogram Descr cript iption on Calculator Cal Performs basic mathematical functions such as addition, subtraction, multiplication, division. Also includes

854 views • 17 slides
ELEN E6884/COMS 86884 Speech Recognition Lecture 7 Michael Picheny, Ellen Eide, Stanley F. Chen

ELEN E6884/COMS 86884 Speech Recognition Lecture 7 Michael Picheny, Ellen Eide, Stanley F. Chen

ELEN E6884/COMS 86884 Speech Recognition Lecture 7 Michael Picheny, Ellen Eide, Stanley F. Chen IBM T.J. Watson Research Center Yorktown Heights, NY, USA { picheny,eeide,stanchen } @us.ibm.com 20 October 2005 ELEN E6884: Speech

1.75k views • 106 slides
Windows 7 at CERN Juraj Sucik Micha Budzowski IT/OIS CERN IT Department CH-1211 Geneva 23 4

Windows 7 at CERN Juraj Sucik Micha Budzowski IT/OIS CERN IT Department CH-1211 Geneva 23 4

Operating Systems OIS & Information Services Working with Windows 7 at CERN Juraj Sucik Micha Budzowski IT/OIS CERN IT Department CH-1211 Geneva 23 4 April, 2011 Switzerland www.cern.ch/i t OIS Motivation Windows 7 The

962 views • 27 slides
The Canvas learning management system and L A T EXML The L A T EX workflow is still the best

The Canvas learning management system and L A T EXML The L A T EX workflow is still the best

1/33 The Canvas learning management system and L A T EXML The L A T EX workflow is still the best Will Robertson July 20, 2018 2/33 Introduction What is a learning management system? Specifications for the project The authoring interface

560 views • 34 slides
Authenticated Key Exchange from Ring Learning with Errors Jiang Zhang Zhenfeng Zhang Jintai

Authenticated Key Exchange from Ring Learning with Errors Jiang Zhang Zhenfeng Zhang Jintai

Learning with Errors Classic Key Exchange Lattice-based Key Exchange Authenticated Key Exchange from Ring Learning with Errors Jiang Zhang Zhenfeng Zhang Jintai Ding Michael Snook zgr Dagdelen DIMACS Workshop on the Mathematics of

339 views • 33 slides
Network Structure Grant Schoenebeck, Aaron Snook, Fang-Yi Yu Sybil Attack An attack to

Network Structure Grant Schoenebeck, Aaron Snook, Fang-Yi Yu Sybil Attack An attack to

Sybil Detection Using Latent Network Structure Grant Schoenebeck, Aaron Snook, Fang-Yi Yu Sybil Attack An attack to compromise a recommendation systems by forging identities. Recommendation System How is that restaurant? Bad Good Good

880 views • 29 slides
AKE via 2-key KEM Haiyang Xue, Xianhui Lu, Bao Li, Bei Liang Jingnan He Outline Authenticated

AKE via 2-key KEM Haiyang Xue, Xianhui Lu, Bao Li, Bei Liang Jingnan He Outline Authenticated

Understanding and Constructing AKE via 2-key KEM Haiyang Xue, Xianhui Lu, Bao Li, Bei Liang Jingnan He Outline Authenticated key exchange Motivations & our contributions AKE 2-key KEM AKE in a post quantum world

821 views • 36 slides
Outsource, Cosource, or Insource The Primer Patricia Boepple SVP Global Client Solutions

Outsource, Cosource, or Insource The Primer Patricia Boepple SVP Global Client Solutions

Outsource, Cosource, or Insource The Primer Patricia Boepple SVP Global Client Solutions Global Shares Christopher Dohrmann Executive Director Business Development USA Accurate Equity Marianne Snook, CEP Chief Executive Officer August

535 views • 31 slides

More recommend