Section 1: Threat Modeling TA Introduction Keanu Vestil, he/him - - PowerPoint PPT Presentation

section 1 threat modeling ta introduction
SMART_READER_LITE
LIVE PREVIEW

Section 1: Threat Modeling TA Introduction Keanu Vestil, he/him - - PowerPoint PPT Presentation

Mar 04, 2023 445 likes •694 views

CSE 484 / CSE M 584 Section 1: Threat Modeling TA Introduction Keanu Vestil, he/him (keanu@cs.washington.edu) Eric Zeng, he/him (ericzeng@cs.washington.edu) Office Hours TBD - stay tuned! Icebreaker In breakout rooms, share your answers to

slide-1
SLIDE 1

CSE 484 / CSE M 584

Section 1: Threat Modeling

slide-2
SLIDE 2

TA Introduction

Keanu Vestil, he/him (keanu@cs.washington.edu) Eric Zeng, he/him (ericzeng@cs.washington.edu) Office Hours TBD - stay tuned!

slide-3
SLIDE 3

Icebreaker

In breakout rooms, share your answers to the following questions:

  • What is your name?
  • Why are you taking this class?
  • Have you had any experiences with computer security and

privacy in your personal life?

slide-4
SLIDE 4

Administrativa

What’s assigned?

  • Ethics form - Due October 7
  • In-class activities (canvas “quizzes” during breakouts)
  • 3 Homeworks (HW1 due October 9)
  • 3 Labs
  • Final project
  • 584 students: research papers (1st due next Oct 8th)
slide-5
SLIDE 5

Student Resource List

(See course website, under sections)

slide-6
SLIDE 6

What is threat modelling?

  • An approach for analyzing the security of a computer system
  • Examine the potential vulnerabilities and risks of the system,

and how attackers might approach it ○ What are we protecting? ○ What does an attacker have to gain? ○ How would an attacker try to exploit the system?

slide-7
SLIDE 7

Threat Model

➔ Assets

What are we trying to protect? How valuable are those assets?

➔ Adversaries

Who might try to attack, and why?

➔ Vulnerabilities

How might the system be weak?

➔ Threats

What actions might an adversary take to exploit vulnerabilities?

➔ Risk

How important are assets? How likely is an exploit?

➔ Possible Defenses

slide-8
SLIDE 8

What does it mean to be “secure”?

The traditional goals of security are:

  • Confidentiality
  • Integrity
  • Authentication
  • Availability
slide-9
SLIDE 9

Confidentiality

Confidentiality is the concealment of information

network

Eavesdropping, packet sniffing, illegal copying

slide-10
SLIDE 10

Integrity

Integrity is the prevention of unauthorized changes

network

Intercept messages, tamper, and release again

slide-11
SLIDE 11

Authenticity

Authenticity is knowing who you’re talking to

network

Unauthorized assumption of

  • ther’s identity
slide-12
SLIDE 12

Availability

Availability is the ability to use information or resources

network

Overwhelm or crash servers, disrupt infrastructure

slide-13
SLIDE 13

Threat Modeling Examples: Social Media Services

Tip

Be aware what information you are giving away Be aware how they are being used

slide-14
SLIDE 14

What are we trying to protect?

Assets

  • User Data

○ Personal Info (Date of birth, SSN, phone #) ○ User generated content (messages, photos, posts) ○ Ad targeting information How valuable are those assets?

  • Potentially very personal
  • Cannot be measured by money
slide-15
SLIDE 15

Who might try to attack, and why?

Tip

Some adversaries might not be obvious. Users misuse can also cause unintentional problems.

Adversaries

  • Foreign governments
  • Other companies
  • Hackers
  • Employees
  • Other users
slide-16
SLIDE 16
  • Code vulnerabilities
  • Weak passwords
  • Social engineering
  • Insider threats (employees)
  • Physical threats

Vulnerabilities & Threats

How might the system be weak? How might an adversary exploit vulnerabilities?

slide-17
SLIDE 17

How important are assets?

Risks

How likely is a successful attack?

  • How many resources would the adversary need to

execute an attack?

  • Can deter, but attackers have asymmetric advantage
  • Legal and ethical aspects

○ Legal ramifications ○ Company reputation ○ Personal information of customers

slide-18
SLIDE 18

Asymmetric Advantage

An attacker only needs to win in one place.

slide-19
SLIDE 19
  • Write code using secure tools and practices
  • Store only the information you need to store
  • Limit employee access to user data
  • Enforce strong password rules for users

Defense-in-depth

slide-20
SLIDE 20

Section Activity:

Adversarial thinking about design assumptions https://canvas.uw.edu/courses/1396608/quizzes/1320385

slide-21
SLIDE 21

Some examples of systems….

Self-driving cars Echo Dot Grocery store self checkout

Quotes for illustration purposes only

https://canvas.uw.edu/courses/1396608/quizzes/1320385

slide-22
SLIDE 22

Section Student Survey

Please fill out this quick survey on Canvas to help us help you learn!

  • Name
  • Preferred Pronouns
  • What helps you participate in

class?

  • Is there anything I should know

to help you learn?

https://canvas.uw.edu/courses /1396608/quizzes/1320551

slide-23
SLIDE 23

Reminders!

  • Find people to work with! [Up to 3 people per

group]

  • Fill out the ethics form [Due next Wednesday

11:59 pm]

  • Check discussion board regularly!