computer security
play

Computer Security David Wagner, C79, 4/4/2013 Thursday, April 4, 13 - PowerPoint PPT Presentation

May 03, 2023 •171 likes •962 views

Computer Security David Wagner, C79, 4/4/2013 Thursday, April 4, 13 themes so far: - measuring risk - cognitive biases - probability reduction (e.g., vaccines) - harm reduction (e.g., treatment) Thursday, April 4, 13 themes so far: -

  1. Computer Security David Wagner, C79, 4/4/2013 Thursday, April 4, 13

  2. themes so far: - measuring risk - cognitive biases - probability reduction (e.g., vaccines) - harm reduction (e.g., treatment) Thursday, April 4, 13

  3. themes so far: - measuring risk - cognitive biases - probability reduction (e.g., vaccines) - harm reduction (e.g., treatment) today: dealing with uncertain risks Thursday, April 4, 13

  4. computer security is immature Thursday, April 4, 13

  5. Thursday, April 4, 13

  6. traditional view: computer security is risk management Thursday, April 4, 13

  7. Thursday, April 4, 13

  8. Thursday, April 4, 13

  9. Thursday, April 4, 13

  10. Thursday, April 4, 13

  11. Thursday, April 4, 13

  12. Thursday, April 4, 13

  13. traditional view: computer security is risk management Thursday, April 4, 13

  14. risk = E[loss] = P(breach) × cost(breach) Thursday, April 4, 13

  15. risk = E[loss] = P(breach) × cost(breach) often not known Thursday, April 4, 13

  16. risk = E[loss] = P(breach) × cost(breach) often not known does the system have a vulnerability? Thursday, April 4, 13

  17. risk = E[loss] = P(breach) × cost(breach) often not known does the system have a vulnerability? will attackers exploit it? Thursday, April 4, 13

  18. 1 million lines of code Thursday, April 4, 13

  19. 1 million lines of code × 1 bug / thousand lines of code Thursday, April 4, 13

  20. 1 million lines of code × 1 bug / thousand lines of code = 1000 bugs Thursday, April 4, 13

  21. 1 million lines of code × 1 bug / thousand lines of code = 1000 bugs attacker only needs to find 1 bug; defender must find all of them Thursday, April 4, 13

  22. 1 million lines of code × 1 bug / thousand lines of code = 1000 bugs attacker only needs to find 1 bug; defender must find all of them don’t know whether system is vulnerable Thursday, April 4, 13

  23. attackers choose how and whether to attack Thursday, April 4, 13

  24. attackers choose how and whether to attack attacks change rapidly Thursday, April 4, 13

  25. attackers choose how and whether to attack attacks change rapidly no good data about prob. of breach Thursday, April 4, 13

  26. risk = E[loss] = P(breach) × cost(breach) often not known Thursday, April 4, 13

  27. implications Thursday, April 4, 13

  28. security market is sometimes dysfunctional Thursday, April 4, 13

  29. market for lemons Thursday, April 4, 13

  30. thinking about risks, when there are multiple players Thursday, April 4, 13

  31. Thursday, April 4, 13

  32. US banks spent less on security but fraud rates higher in UK Thursday, April 4, 13

  33. UK: US: US banks spent less on security but fraud rates higher in UK Thursday, April 4, 13

  34. UK: liability for fraud on customer US: US banks spent less on security but fraud rates higher in UK Thursday, April 4, 13

  35. UK: liability for fraud on customer US: liability for fraud on bank US banks spent less on security but fraud rates higher in UK Thursday, April 4, 13

  36. UK: liability for fraud on customer US: liability for fraud on bank huh? US banks spent less on security but fraud rates higher in UK Thursday, April 4, 13

  37. UK: US: Thursday, April 4, 13

  38. UK: fraud? you must have been careless. tough luck, sucks to be you US: Thursday, April 4, 13

  39. UK: fraud? you must have been careless. tough luck, sucks to be you US: fraud? no problem, we’ll reimburse you Thursday, April 4, 13

  40. UK: fraud? you must have been careless. tough luck, sucks to be you US: fraud? no problem, we’ll reimburse you good for customers, but also good for banks Thursday, April 4, 13

  41. moral hazard UK banks got lazy and careless, leading to an epidemic of fraud Thursday, April 4, 13

  42. lesson: align incentives Thursday, April 4, 13

  43. rule of thumb: place liability on whoever is in the best position to do something about it Thursday, April 4, 13

  44. externalities Thursday, April 4, 13

  45. spam Thursday, April 4, 13

  46. spam ~ 90% of all email is spam Thursday, April 4, 13

  47. spam ~ 90% of all email is spam costs US $20 billion per year, in lost productivity Thursday, April 4, 13

  48. costs recipient: costs sender: Thursday, April 4, 13

  49. costs recipient: 10 ¢ per spam costs sender: < 0.001 ¢ per spam Thursday, April 4, 13

  50. Viagra spams → 1 sale 10 million $3.5 million in revenue per year, for one botnet Thursday, April 4, 13

  51. why is this possible? Thursday, April 4, 13

  52. why is this possible? bots Thursday, April 4, 13

  53. cost of spam not born by those enabling it (an externality) Thursday, April 4, 13

  54. solution? Thursday, April 4, 13

  55. • regulation: prohibit the harmful activity • taxation: tax the harmful activity, so market price reflects the true cost to society • liability: make those causing harm liable for end effects • mitigation: develop solutions so others are harmed less Thursday, April 4, 13

  56. Thursday, April 4, 13

  57. let’s count the externalities: Thursday, April 4, 13

  58. let’s count the externalities: 1. attackers used bots to send lots of traffic Thursday, April 4, 13

  59. let’s count the externalities: 1. attackers used bots to send lots of traffic 2. attackers exploited open DNS relays to boost amount of traffic Thursday, April 4, 13

  60. let’s count the externalities: 1. attackers used bots to send lots of traffic 2. attackers exploited open DNS relays to boost amount of traffic 3. ISPs don’t block outgoing traffic with obviously spoofed source address Thursday, April 4, 13

  61. externalities make risks harder to manage Thursday, April 4, 13

  62. cyberwar cyberespionage cybercrime Thursday, April 4, 13

  63. Thursday, April 4, 13

  64. Thursday, April 4, 13

  65. Thursday, April 4, 13

  66. Thursday, April 4, 13

  67. Thursday, April 4, 13

  68. Thursday, April 4, 13

  69. Thursday, April 4, 13

  70. Thursday, April 4, 13

  71. Thursday, April 4, 13

  72. Thursday, April 4, 13

  73. Thursday, April 4, 13

  74. Thursday, April 4, 13

  75. Thursday, April 4, 13

  76. cyberwar cyberespionage cybercrime Thursday, April 4, 13

  77. cyberwar cyberespionage cybercrime exercise: name some externalities Thursday, April 4, 13

  78. general strategies for dealing with risk: • prevention: reduce probability of bad thing • mitigation: reduce cost of bad thing • risk transfer: shift cost to someone else (insurance, taxation, liability, ...) Thursday, April 4, 13

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Introduction to Computer Security Rev. Sept 2015 What is Computer Security? 2 Computer

Introduction to Computer Security Rev. Sept 2015 What is Computer Security? 2 Computer

Introduction to Computer Security Rev. Sept 2015 What is Computer Security? 2 Computer Security is the protection of computing systems and the data that they store or access 3 Why is Computer Security Important? Computer Security allows

690 views • 19 slides
Quick Intro to Computer Security What is computer security? Securing communication

Quick Intro to Computer Security What is computer security? Securing communication

Carnegie Mellon Quick Intro to Computer Security What is computer security? Securing communication Cryptographic tools Access control User authentication Computer security and usability Thanks to Mike Reiter for the

412 views • 38 slides
Introduction to Computer Security Why do we need computer security? What are our goals and

Introduction to Computer Security Why do we need computer security? What are our goals and

Introduction to Computer Security Why do we need computer security? What are our goals and what threatens them? Lecture 1 Page 1 CS 236 Online Why Is Security Necessary? Because people arent always nice Because a lot of

415 views • 25 slides
Foundations of Network and Foundations of Network and Computer Security Computer Security J ohn

Foundations of Network and Foundations of Network and Computer Security Computer Security J ohn

Foundations of Network and Foundations of Network and Computer Security Computer Security J ohn Black J CSCI 6268/TLEN 5831, Fall 2004 Introduction UC Davis PhD in 2000 Cryptography Interested in broader security as well

492 views • 12 slides
Introduction Attacks Security Goals Fall 2010 CS 334 Computer Security 1 What is Computer

Introduction Attacks Security Goals Fall 2010 CS 334 Computer Security 1 What is Computer

Introduction Attacks Security Goals Fall 2010 CS 334 Computer Security 1 What is Computer Security? Generally concerned with protection of computer related assets Risk analysis and management! Manage could mean prevention of

537 views • 26 slides
Computer Security Foundations What is Security? Attacker Assets Threat Counter- measure

Computer Security Foundations What is Security? Attacker Assets Threat Counter- measure

IN3210 Network Security Computer Security Foundations What is Security? Attacker Assets Threat Counter- measure Computer Security Security of computers and networks Protection of digital assets Axioms of Computer Security:

240 views • 23 slides
Basic Ciphers Computer Security: Ensure security of data kept on the computer Ahmet Burak

Basic Ciphers Computer Security: Ensure security of data kept on the computer Ahmet Burak

8.10.2019 Information Security Basic Ciphers Computer Security: Ensure security of data kept on the computer Ahmet Burak Can Network Security: Hacettepe University Ensure security of communication over insecure medium

267 views • 10 slides
Foundations of Network and Foundations of Network and Computer Security Computer Security J ohn

Foundations of Network and Foundations of Network and Computer Security Computer Security J ohn

Foundations of Network and Foundations of Network and Computer Security Computer Security J ohn Black J Lecture #2 Aug 25 th 2005 CSCI 6268/TLEN 5831, Fall 2005 Economist Survey Please read it Main points Security is a MUCH

600 views • 27 slides
CS 480/ 557 Computer Security I ntroduction to I nf ormation 1. Physical Security 2.Human

CS 480/ 557 Computer Security I ntroduction to I nf ormation 1. Physical Security 2.Human

Overview CS 480/ 557 Computer Security I ntroduction to I nf ormation 1. Physical Security 2.Human Security 3.Program Security Security Computer security threats Unintentional: - Coding faults - Operational faults -

238 views • 8 slides
CSE 543 - Computer Security Lecture 11 - OS Security October 2, 2007 URL:

CSE 543 - Computer Security Lecture 11 - OS Security October 2, 2007 URL:

CSE 543 - Computer Security Lecture 11 - OS Security October 2, 2007 URL: http://www.cse.psu.edu/~tjaeger/cse543-f07/ CSE543 Computer (and Network) Security - Fall 2007 - Professor Jaeger 1 OS Security An secure OS should provide the

873 views • 28 slides
Computer Security http://security.di.unimi.it/sicurezza1819/ Chapter 3: 1 Chapter 3:

Computer Security http://security.di.unimi.it/sicurezza1819/ Chapter 3: 1 Chapter 3:

Computer Security http://security.di.unimi.it/sicurezza1819/ Chapter 3: 1 Chapter 3: Foundations of Computer Security Chapter 3: 2 Agenda Security strategies Prevention detection reaction Security objectives

839 views • 38 slides
Computer Security 3e Security.di.unimi.it/sicurezza1314 Chapter 3: 1 Chapter 3: Foundations of

Computer Security 3e Security.di.unimi.it/sicurezza1314 Chapter 3: 1 Chapter 3: Foundations of

Computer Security 3e Security.di.unimi.it/sicurezza1314 Chapter 3: 1 Chapter 3: Foundations of Computer Security Chapter 3: 2 Agenda Security strategies Prevention detection reaction Security objectives Confidentiality

1.08k views • 42 slides
Computer Security 3e Security.di.unimi.it/sicurezza1516 Chapter 3: 1 Chapter 3: Foundations of

Computer Security 3e Security.di.unimi.it/sicurezza1516 Chapter 3: 1 Chapter 3: Foundations of

Computer Security 3e Security.di.unimi.it/sicurezza1516 Chapter 3: 1 Chapter 3: Foundations of Computer Security Chapter 3: 2 Agenda Security strategies Prevention detection reaction Security objectives Confidentiality

553 views • 39 slides
CSE 543 - Computer Security Lecture 12 - MAC Security October 4, 2007 URL:

CSE 543 - Computer Security Lecture 12 - MAC Security October 4, 2007 URL:

CSE 543 - Computer Security Lecture 12 - MAC Security October 4, 2007 URL: http://www.cse.psu.edu/~tjaeger/cse543-f07/ CSE543 Computer (and Network) Security - Fall 2007 - Professor Jaeger 1 Mandatory Access Control Is about administration

462 views • 19 slides
Foundations of Network and Foundations of Network and Computer Security Computer Security J ohn

Foundations of Network and Foundations of Network and Computer Security Computer Security J ohn

Foundations of Network and Foundations of Network and Computer Security Computer Security J ohn Black J Lecture #13 Oct 11 th 2005 CSCI 6268/TLEN 5831, Fall 2005 Announcements Quiz #2 later today Allocate last 30 mins No Class

488 views • 30 slides
Foundations of Network and Foundations of Network and Computer Security Computer Security J ohn

Foundations of Network and Foundations of Network and Computer Security Computer Security J ohn

Foundations of Network and Foundations of Network and Computer Security Computer Security J ohn Black J Lecture #25 Dec 1 st 2005 CSCI 6268/TLEN 5831, Fall 2005 Announcements Remainder of the semester: Quiz #3 is Today 40 mins

414 views • 20 slides
Penetra'on Tes'ng Considered Harmful (haroon@thinkst.com) Who i am..

Penetra'on Tes'ng Considered Harmful (haroon@thinkst.com) Who i am..

Penetra'on Tes'ng Considered Harmful (haroon@thinkst.com) Who i am.. (&amp; Why this talk?) haroon@thinkst.com Some Tools Some Papers Some Books So ? Some

1.38k views • 137 slides
O nline Reput at ion Syst ems Roger D ingledine T he Free Haven Project 1 B ased on linkability

O nline Reput at ion Syst ems Roger D ingledine T he Free Haven Project 1 B ased on linkability

O nline Reput at ion Syst ems Roger D ingledine T he Free Haven Project 1 B ased on linkability Reput at ion can help solve market for lemons Useful even in pseudonymous/ dynamic environment s B ut somet imes dangerous if people can

270 views • 7 slides
EARLY STAGE SALES AND BUSINESS DEVELOPMENT Marcy Campbell Senior VP, Worldwide Sales and

EARLY STAGE SALES AND BUSINESS DEVELOPMENT Marcy Campbell Senior VP, Worldwide Sales and

EARLY STAGE SALES AND BUSINESS DEVELOPMENT Marcy Campbell Senior VP, Worldwide Sales and Business Development Starting Point Starting Point When we got started at Qubole We had a great pipeline of over 100 prospects most of whom were

273 views • 13 slides
SM&amp;CR post-implementation forum The event will commence shortly at 13:30. Challenges and best

SM&amp;CR post-implementation forum The event will commence shortly at 13:30. Challenges and best

SM&amp;CR post-implementation forum Thank you for joining. SM&amp;CR post-implementation forum The event will commence shortly at 13:30. Challenges and best practices 17 SEPTEMBER 2020 | 13:30 - 16:30 BST Legal partner Sponsor Control l

413 views • 40 slides
Information Economics The Signaling Theory Ling-Chieh Kung Department of Information Management

Information Economics The Signaling Theory Ling-Chieh Kung Department of Information Management

Introduction Bayesian updating The first example Information Economics The Signaling Theory Ling-Chieh Kung Department of Information Management National Taiwan University The Signaling Theory 1 / 26 Ling-Chieh Kung (NTU IM) Introduction

297 views • 26 slides
Markov Chains DS GA 1002 Probability and Statistics for Data Science

Markov Chains DS GA 1002 Probability and Statistics for Data Science

Markov Chains DS GA 1002 Probability and Statistics for Data Science http://www.cims.nyu.edu/~cfgranda/pages/DSGA1002_fall17 Carlos Fernandez-Granda Definition Recurrence Periodicity Convergence Markov-chain Monte Carlo Markov property The

1.33k views • 112 slides
Markov Chains and MCMC CompSci 590.04 Instructor:

Markov Chains and MCMC CompSci 590.04 Instructor:

Markov Chains and MCMC CompSci 590.04 Instructor: AshwinMachanavajjhala Lecture 4 : 590.04 Fall 15 1 Announcement First assignment has been posted

477 views • 31 slides
Markov Chain Monte Carlo Ryan Martin UIC www.math.uic.edu/~rgmartin 1 Based on Chapters 89 in

Markov Chain Monte Carlo Ryan Martin UIC www.math.uic.edu/~rgmartin 1 Based on Chapters 89 in

Stat 451 Lecture Notes 07 12 Markov Chain Monte Carlo Ryan Martin UIC www.math.uic.edu/~rgmartin 1 Based on Chapters 89 in Givens &amp; Hoeting, Chapters 2527 in Lange 2 Updated: April 4, 2016 1 / 42 Outline 1 Introduction 2 Crash

645 views • 42 slides

More recommend