usable security finish physical security spring 2016
play

Usable Security [finish] & Physical Security Spring 2016 - PowerPoint PPT Presentation

May 28, 2023 •267 likes •395 views

CSE 484 / CSE M 584: Computer Security and Privacy Usable Security [finish] & Physical Security Spring 2016 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno, John

  1. CSE 484 / CSE M 584: Computer Security and Privacy Usable Security [finish] & Physical Security Spring 2016 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno, John Manferdelli, John Mitchell, Vitaly Shmatikov, Bennet Yee, and many others for sample slides and materials ...

  2. Question • Q. What are the root causes of usability issues in computer security? 5/26/16 CSE 484 / CSE M 584 - Spring 2016 2

  3. Why is Usable Security Hard? 1. Lack of intuition – See a safe, understand threats. Not true for computers. 2. Who’s in charge? – Doctors keep your medical records safe, you manage your passwords. 3. Hard to gauge risks – “It would never happen to me!” 4. No accountability – Asset-holder is not the only one you can lose assets. 5. Awkward, annoying, or difficult 6. Social issues 5/26/16 CSE 484 / CSE M 584 - Spring 2016 3

  4. Question • Q. What approaches can we take to mitigate usability issues in computer security? 5/26/16 CSE 484 / CSE M 584 - Spring 2016 4

  5. Response #1: Education and Training • Education: – Teaching technical concepts, risks • Training – Change behavior through: • Drill • Monitoring • Feedback • Reinforcement • Punishment • May be part of the solution – but not the solution 5/26/16 CSE 484 / CSE M 584 - Spring 2016 5

  6. Response #2: Security Should Be Invisible • Security should happen – Naturally – By Default – Without user input or understanding • Recognize and stop bad actions • Starting to see some invisibility – SSL/TLS – VPNs – Automatic Security Updates – User-driven access control 5/26/16 CSE 484 / CSE M 584 - Spring 2016 6

  7. Response #2: Security Should Be Invisible • “Easy” at extremes, or for simple examples – Don’t give everyone access to everything • But hard to generalize • Leads to things not working for reasons user doesn’t understand • Users will then try to get the system to work, possibly further reducing security – E.g., “dangerous successes” for password managers 5/26/16 CSE 484 / CSE M 584 - Spring 2016 7

  8. Response #3: “3 Word UI”: “Are You Sure?” • Security should be invisible – Except when the user tries something dangerous – In which case a warning is given • But how do users evaluate the warning? Two realistic cases: – Always heed warning. But see problems / commonality with Response #2 (“security should be invisible”) – Always ignore the warning. If so, then how can it be effective? 5/26/16 CSE 484 / CSE M 584 - Spring 2016 8

  9. Response #4: Focus on Users, Use Metaphors • Clear, understandable metaphors: – Physical analogs; e.g., red-green lights • User-centered design: Start with user model • Unified security model across applications – User doesn’t need to learn many models, one for each application • Meaningful, intuitive user input – Don’t assume things on user’s behalf – Figure out how to ask so that user can answer intelligently 5/26/16 CSE 484 / CSE M 584 - Spring 2016 9

  10. Response #5: Least Resistance • “Match the most comfortable way to do tasks with the least granting of authority” – Ka-Ping Yee, Security and Usability • Should be “easy” to comply with security policy • “Users value and want security and privacy, but they regard them only as secondary to completing the primary tasks” – Karat et al, Security and Usability 5/26/16 CSE 484 / CSE M 584 - Spring 2016 10

  11. Now: Physical Security • Relate physical security to computer security – Locks, safes, etc • Why? – More similar than you might think! – Lots to learn: • Computer security issues are often abstract; hard to relate to • But physical security issues are often easier to understand – Hypothesis: • Thinking about the “physical world” in new (security) ways will help you further develop the “security mindset” • You can then apply this mindset to computer systems, … 5/26/16 CSE 484 / CSE M 584 - Spring 2016 11

  12. Lockpicking • The following slides will not be online. • But if you’re interested in the subject, we recommend: – Blaze, “Cryptology and Physical Security: Rights Amplification in Master-Keyed Mechanical Locks” – Blaze, “Safecracking for the Computer Scientist” – Tool, “Guide to Lock Picking” – Tobias, “Opening Locks by Bumping in Five Seconds or Less” • Careful: possessing lock picks is legal in Washington State, but not everywhere! 5/26/16 CSE 484 / CSE M 584 - Spring 2016 12

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Admin Monday is a holiday! Project checkpoint #2 due Wed, 5/31, 11:59pm Lab 3 due Fri

Admin Monday is a holiday! Project checkpoint #2 due Wed, 5/31, 11:59pm Lab 3 due Fri

CSE 484 / CSE M 584: Computer Security and Privacy Mobile Platform Security [finish], Usable Security [start] Spring 2017 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno, Ada

764 views • 48 slides
Software$Security$ (finish) $ & $ Cryptography $(brief$intro) $ Spring'2016' '

Software$Security$ (finish) $ & $ Cryptography $(brief$intro) $ Spring'2016' '

CSE$484$/$CSE$M$584:$$Computer$Security$and$Privacy$ $ Software$Security$ (finish) $ & $ Cryptography $(brief$intro) $ Spring'2016' ' Franziska'(Franzi)'Roesner'' franzi@cs.washington.edu'

419 views • 29 slides
A (re)introduction to Spring Security Agenda Before Spring Security: Acegi security

A (re)introduction to Spring Security Agenda Before Spring Security: Acegi security

A (re)introduction to Spring Security Agenda Before Spring Security: Acegi security Introducing Spring Security View layer security Whats coming in Spring Security 3 E-mail: craig@habuma.com Blog: http://www.springloaded.info

452 views • 19 slides
Usable Security Spring 2015 Franziska (Franzi) Roesner

Usable Security Spring 2015 Franziska (Franzi) Roesner

CSE 484 / CSE M 584: Computer Security and Privacy Usable Security Spring 2015 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan

1.11k views • 55 slides
Admin Today: finish web privacy, start mobile security Friday: Lab #2 due (8pm)

Admin Today: finish web privacy, start mobile security Friday: Lab #2 due (8pm)

CSE 484 / CSE M 584: Computer Security and Privacy Web Privacy [finish] Mobile Platform Security [start] Spring 2017 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno, Ada Lerner,

535 views • 29 slides
Usable security for control systems Jun Ho Huh Honeywell ACS Labs, research scientist

Usable security for control systems Jun Ho Huh Honeywell ACS Labs, research scientist

Usable security for control systems Jun Ho Huh Honeywell ACS Labs, research scientist junho.huh@honeywell.com Honeywell.com What is usable security? Building security solutions that are intuitive and easy to use Many security

350 views • 9 slides
Social Engineering and Physical Security Spring 2015

Social Engineering and Physical Security Spring 2015

CSE 484 / CSE M 584: Computer Security and Privacy Social Engineering and Physical Security Spring 2015 Franziska (Franzi) Roesner

425 views • 13 slides
Introduction to Human Computer Interaction Course on NPTEL, Spring 2018 Week 7 Usable Security

Introduction to Human Computer Interaction Course on NPTEL, Spring 2018 Week 7 Usable Security

Introduction to Human Computer Interaction Course on NPTEL, Spring 2018 Week 7 Usable Security Ponnurangam Kumaraguru (PK) Associate Professor ACM Distinguished & TEDx Speaker Linkedin/in/ponguru/ 1 fb/ponnurangam.kumaraguru,

949 views • 60 slides
Web Security: Web Application Security Spring 2016 Franziska (Franzi) Roesner

Web Security: Web Application Security Spring 2016 Franziska (Franzi) Roesner

CSE 484 / CSE M 584: Computer Security and Privacy Web Security: Web Application Security Spring 2016 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno, John Manferdelli, John

874 views • 34 slides
Mobile Platform Security (finish) Fall 2016 Ada (Adam) Lerner lerner@cs.washington.edu Thanks

Mobile Platform Security (finish) Fall 2016 Ada (Adam) Lerner lerner@cs.washington.edu Thanks

CSE 484 / CSE M 584: Computer Security and Privacy Mobile Platform Security (finish) Fall 2016 Ada (Adam) Lerner lerner@cs.washington.edu Thanks to Franzi Roesner, Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno, John Manferdelli, John

807 views • 78 slides
Web Security: Basic Web Security Model Spring 2016 Franziska (Franzi) Roesner

Web Security: Basic Web Security Model Spring 2016 Franziska (Franzi) Roesner

CSE 484 / CSE M 584: Computer Security and Privacy Web Security: Basic Web Security Model Spring 2016 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno, John Manferdelli, John

498 views • 31 slides
Tools for Security Physical security Access control Encryption Authentication

Tools for Security Physical security Access control Encryption Authentication

Tools for Security Physical security Access control Encryption Authentication Encapsulation Intrusion detection Common sense Lecture 2 Page 1 CS 236 Online Physical Security Lock up your computer Actually,

465 views • 35 slides
Election Security and Integrity What is election security? What is election integrity? Election

Election Security and Integrity What is election security? What is election integrity? Election

Election Security and Integrity What is election security? What is election integrity? Election Security = Physical Security + Cybersecurity Physical Security Security plans Secure storage of voting machines and electronic pollbooks

341 views • 13 slides
CS 480/ 557 Computer Security I ntroduction to I nf ormation 1. Physical Security 2.Human

CS 480/ 557 Computer Security I ntroduction to I nf ormation 1. Physical Security 2.Human

Overview CS 480/ 557 Computer Security I ntroduction to I nf ormation 1. Physical Security 2.Human Security 3.Program Security Security Computer security threats Unintentional: - Coding faults - Operational faults -

238 views • 8 slides
Digital Security of Physical Objects Slava Voloshynovskiy Stochas:c Informa:on Processing Group

Digital Security of Physical Objects Slava Voloshynovskiy Stochas:c Informa:on Processing Group

1 Digital Security of Physical Objects Slava Voloshynovskiy Stochas:c Informa:on Processing Group University of Geneva Switzerland SCURIT DE LINFORMATION, 2016 2 Outline Physical object security Why not tradi:onal security? Proposed

789 views • 21 slides
Mobile Device and Platform Security John Mitchell Two lectures on mobile security Introduction:

Mobile Device and Platform Security John Mitchell Two lectures on mobile security Introduction:

Spring 2018 CS 155 Mobile Device and Platform Security John Mitchell Two lectures on mobile security Introduction: platforms and trends Threat categories n Physical, platform malware, malicious apps Defense against physical theft Thurs

1.28k views • 64 slides
Stanford CS193p Developing Applications for iOS Fall 2013-14 Stanford CS193p Fall 2013 Today

Stanford CS193p Developing Applications for iOS Fall 2013-14 Stanford CS193p Fall 2013 Today

Stanford CS193p Developing Applications for iOS Fall 2013-14 Stanford CS193p Fall 2013 Today More Objective-C Creating objects nil The very important type id (and the concept of dynamic binding) Introspection Demo (improving match:

807 views • 53 slides
CMSC 430 Introduction to Compilers Programming Language Design and Implementation Introduction

CMSC 430 Introduction to Compilers Programming Language Design and Implementation Introduction

CMSC 430 Introduction to Compilers Programming Language Design and Implementation Introduction Fall 2018 Why take this course? Programming languages matter In theory, almost all languages are equivalent (Turing complete) In

493 views • 9 slides
Making C Less Dangerous in the Linux Kernel Kees Cook | @keescook LINUX.CONF.AU 21-25 January

Making C Less Dangerous in the Linux Kernel Kees Cook | @keescook LINUX.CONF.AU 21-25 January

Making C Less Dangerous in the Linux Kernel Kees Cook | @keescook LINUX.CONF.AU 21-25 January The Linux of Things | #LCA2019 | @linuxconfau 2019 Christchurch, NZ Making C Less Dangerous in the Linux Kernel Linux Conf AU January 25,

505 views • 29 slides
VAPD A Visionary System for Uncertainty Aware Decision Making in Crime Analysis Florian

VAPD A Visionary System for Uncertainty Aware Decision Making in Crime Analysis Florian

VAPD A Visionary System for Uncertainty Aware Decision Making in Crime Analysis Florian Stoffel, Dominik Sacha, Geoffrey Ellis, Daniel A. Keim 2 CCA Comparative Case Analysis CCA aims to find patterns in incidents or crime events that

430 views • 21 slides
Wont Somebody Think of the Children? Examining COPPA Compliance at Scale Irwin Reyes,

Wont Somebody Think of the Children? Examining COPPA Compliance at Scale Irwin Reyes,

Wont Somebody Think of the Children? Examining COPPA Compliance at Scale Irwin Reyes, Primal Wijesekera, Joel Reardon, Amit Elazari Bar On, Abbas Razaghpanah, Narseo Vallina-Rodriguez, Serge Egelman 2 dynamic analysis platform to

1.3k views • 35 slides
W H I T E W A T E R S L I D E Assembly & Installation Instructions I M P O R T A

W H I T E W A T E R S L I D E Assembly & Installation Instructions I M P O R T A

W H I T E W A T E R S L I D E Assembly & Installation Instructions I M P O R T A N T ! THESE INSTRUCTIONS MUST REMAIN WITH THE SLIDE OWNER! Visit inter-fab.com/safety to view important slide safety messages with your kids!

469 views • 20 slides
Information and crisis Megan Finn Prepared for History of Information 12 April 2011 1 Finn -

Information and crisis Megan Finn Prepared for History of Information 12 April 2011 1 Finn -

Information and crisis Megan Finn Prepared for History of Information 12 April 2011 1 Finn - HofI - UC Berkeley - 12 Apr 2011 Today Understanding Infrastructure and the post office You: on Twitter in Egypt

428 views • 24 slides
The Greatest Letter Ever Written! Rom 7:7-12 What then shall we say? That the law is sin? By no

The Greatest Letter Ever Written! Rom 7:7-12 What then shall we say? That the law is sin? By no

The Greatest Letter Ever Written! Rom 7:7-12 What then shall we say? That the law is sin? By no means! Yet if it had not been for the law, I would not have known sin. I would not have known what it is to covet if the law had not said,

495 views • 11 slides

More recommend