Information security: some illustrated principles
Why security?
Secrets
“don't tell anyone, OK!”
Control
“_Who_ knows all of that?”
Information wants to be free
Problems?
www.facebook.net: phishing
OMG pink poniezzz: trojan horses
Botnets
crack!
sniffers
spam
Concepts
Data confidentiality
Entity authentication (identification)
Data authentication (integrity + who sent it)
Non-repudiation (of origin vs of receipt)
Denial of service
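The distinction between data confidentiality and data authentication is easy to state and easy to get wrong in code, so here is an added example (not part of the deck) that shows both. It uses a constructed toy stream cipher (SHA-256 in counter mode, for illustration only) and constructed demo keys: encryption alone hides the message but lets anyone in the path flip plaintext bits without knowing the key, while an HMAC tag over the ciphertext (encrypt-then-MAC) detects the change and binds the message to the holder of the MAC key.

```python
import hashlib
import hmac

# Constructed demo keys; real code derives fresh random keys (e.g. os.urandom).
ENC_KEY = b"demo-encryption-key-0001"
MAC_KEY = b"demo-mac-key-0001"
TAG_LEN = 32  # SHA-256 output length


def keystream(key: bytes, length: int) -> bytes:
    """Toy keystream: SHA-256 over key||counter. Constructed for illustration,
    not a real cipher; the point is that XOR stream ciphers are malleable."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Confidentiality only: XOR the plaintext with the keystream."""
    return bytes(p ^ k for p, k in zip(plaintext, keystream(key, len(plaintext))))


def decrypt(key: bytes, ciphertext: bytes) -> bytes:
    return encrypt(key, ciphertext)  # XOR is its own inverse


def flip_on_the_wire(data: bytes, position: int, mask: int) -> bytes:
    """Models an in-path modification made without any key: the flipped bits
    land on the corresponding plaintext byte after decryption."""
    buf = bytearray(data)
    buf[position] ^= mask
    return bytes(buf)


def seal(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    """Confidentiality + data authentication (encrypt-then-MAC): the tag
    covers the ciphertext and can only be produced by a holder of mac_key."""
    ct = encrypt(enc_key, plaintext)
    tag = hmac.new(mac_key, ct, hashlib.sha256).digest()
    return ct + tag


def open_sealed(enc_key: bytes, mac_key: bytes, blob: bytes):
    """Returns the plaintext, or None when the tag does not verify."""
    if len(blob) < TAG_LEN:
        return None
    ct, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    return decrypt(enc_key, ct)


if __name__ == "__main__":
    msg = b"PAY 100 EUR TO BOB"
    ct = encrypt(ENC_KEY, msg)
    # Flipping bit 3 of byte 4 turns the '1' (0x31) into a '9' (0x39).
    print(decrypt(ENC_KEY, flip_on_the_wire(ct, 4, 0x08)))  # b'PAY 900 EUR TO BOB'
    blob = seal(ENC_KEY, MAC_KEY, msg)
    print(open_sealed(ENC_KEY, MAC_KEY, blob))  # b'PAY 100 EUR TO BOB'
    print(open_sealed(ENC_KEY, MAC_KEY, flip_on_the_wire(blob, 4, 0x08)))  # None
```

Note the limits of what the tag proves: because both sides share `MAC_KEY`, the receiver can verify that the sender knew the key but cannot prove that to a third party, so an HMAC gives data authentication but not non-repudiation; that needs a signature under a key only the sender holds.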
Terminology & definitions
• Cryptographers and computer security people talk a different language (e.g. ‘authentication’ vs ‘authorisation’)
• Integrity (Data authentication? Entity authentication?)
• Availability (Denial of Service? Non-repudiation?)
• Confidentiality
• Trust
Trust (vertrouwen)
➡ Dieter Gollmann: “Trust is not the concept that unifies security, it is an absolute mess.”
➡ “If it is trusted, it can hurt you.”
➡ Based on:
   ➡ reputation
   ➡ control and punishment
   ➡ policy enforcement
   ➡ ... or blind
Trust

Nieuws.be 27/11/’08 18:13:

“A320 crashes in the Mediterranean Sea.”
Trust

Luchtvaartnieuws.nl on 5/10/’07:

“US Airways orders 92 Airbuses.”
Nieuws.be: A320   Luchtvaartnieuws.nl: A350
Trust

Nieuws.be 27/11/’08 20:25:

“A320 crashes in the Mediterranean Sea.”
Trust

• In practice:
 • cryptographic keys (e.g. for encryption)
 • access rights
 • digital signatures
 • “trusted computing”
Information Security Principles

• Be clear about definitions
Don’ts
Don’ts
• Security and complexity do not mix:
  • operating system
  • network architecture
  • applications
  • mobile code
  • services: XML, SOAP, VoIP (through the firewall!)
  • always-on connections (botnets!)
Don’ts
• Security through obscurity:
  • mobile phone systems: GSM in the US
  • DVD copyright protection (DVD Jon!)
  • Sony rootkit
  • Diebold voting machines
  • Microsoft
  • Cisco router OS
  • physical locks
  • blacking out text in PDF (hack: “read out loud”)
Don’ts
• Risk avoidance:
  • accept the risk
  • reduce risk with technology
  • reduce risk with procedures
  • reduce risk with insurance
  • reduce risk with disclaimers
  • transfer the risk (e.g. from data to key)
Don’ts
• Security is not forever:
  • Cryptography:
    • 1958 vs now: peanuts
    • now vs 2058: ?
  • Advances in:
    • reverse engineering
    • side channel attacks
Don’ts

• Security and complexity don’t mix
• Security through obscurity does not work
• 100% security doesn’t exist
• Security is not forever
Do’s
Assumptions

• Clearly state the assumptions behind the system.
• Code re-use can be dangerous: design assumptions might no longer be valid!
Assumptions

• GSM:
  • encryption only up to the base station
  • no need to authenticate the network (in Soviet mobile nation, network authenticates YOU!)
Assumptions

• e-ID:
  • the PIN code is kept secret by the user
Assumptions
• RFID:
  • an opponent cannot eavesdrop from more than 1 meter away
Do’s

• Clearly state the assumptions behind the system.
• Need for an integrated approach
Integrated approach
Do’s

• Clearly state the assumptions behind the system.
• Need for an integrated approach
• Find the right mix of technology and law
“Gentlemen don’t go in through the exit”
Digital Rights Management
Digital Millennium Copyright Act
Spam
Legislation

• Electronic signatures
• Data retention
• Eavesdropping
• Computer crime
Do’s

• Clearly state the assumptions behind the system.
• Need for an integrated approach
• Find the right mix of technology and law
• Need for secure implementations
Secure implementations

• “Nothing is more practical than a good theory”
• “Theory is important, at least in theory”
Secure implementations
• Consider:
  • Secure software/hardware (orlly?)
  • Side channel attacks
  • Buffer overflows
  • API errors
  • Random number generators
• Model vs reality
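Of the implementation pitfalls listed, the random number generator is the one where the model ("a 128-bit token") and reality ("a token an observer can reproduce") diverge most quietly. The following is an added example, not code from the deck: it contrasts a session-token generator built on Python's statistical PRNG seeded from the clock with one built on the OS CSPRNG, and includes a self-check that a practitioner can put in a test suite. The function names and the constructed seed value are assumptions for the demo.

```python
import math
import random
import secrets
import time


def weak_session_tokens(seed: int, count: int) -> list:
    """Tokens from the Mersenne Twister seeded with a caller-chosen value.
    random.Random is a statistical PRNG: equal seeds give equal tokens, so the
    token is only as unpredictable as the seed."""
    rng = random.Random(seed)
    return [rng.getrandbits(128).to_bytes(16, "big").hex() for _ in range(count)]


def weak_token_as_commonly_written() -> str:
    """The pattern as it usually appears in code: seed from the clock.
    The 128-bit output hides the fact that the seed is a second-resolution
    timestamp."""
    return weak_session_tokens(int(time.time()), 1)[0]


def strong_session_tokens(count: int) -> list:
    """Tokens from the OS CSPRNG via secrets: there is no seed to know."""
    return [secrets.token_hex(16) for _ in range(count)]


def effective_seed_bits(window_seconds: int) -> float:
    """Security of a clock-seeded token is bounded by how many distinct seeds
    the clock could have produced in the window, not by the token length."""
    return math.log2(window_seconds)


def tokens_are_reproducible(make_tokens, *args) -> bool:
    """Self-check for a test suite: a generator that returns the same tokens
    when called twice with the same inputs is not producing secrets."""
    return make_tokens(*args) == make_tokens(*args)


if __name__ == "__main__":
    # Constructed seed standing in for int(time.time()) at some moment.
    print(tokens_are_reproducible(weak_session_tokens, 1700000000, 3))  # True
    print(tokens_are_reproducible(strong_session_tokens, 3))            # False
    print(round(effective_seed_bits(3600), 1))  # 11.8 bits for a one-hour window
```

The `effective_seed_bits` figure is the practical lesson: a token whose seed came from a one-hour window has roughly 12 bits of unpredictability regardless of how long the hex string is, which is the "model vs reality" gap the slide warns about.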
Model vs Reality
Challenges
Challenges

• Always room at the bottom:
  • RFID
  • Sensor networks
  • Smartphones
Challenges

• Always room at the bottom
• Human factors:
  • usability (“This certificate is invalid.” - “OK”)
  • social engineering
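The user who clicks “OK” on an invalid-certificate dialog has a direct counterpart in client code that switches certificate verification off "to make it work". As an added example (not from the deck), the block below builds both a client TLS context with verification disabled and a correctly configured one using Python's standard `ssl` module, and an audit function that reports the weak settings; the function names are assumptions for this demo.

```python
import ssl


def click_ok_context() -> ssl.SSLContext:
    """The code-level equivalent of clicking "OK" on an invalid certificate:
    verification is switched off, so any certificate (or none) is accepted."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False   # must be cleared before verify_mode can change
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def secure_client_context() -> ssl.SSLContext:
    """Verification left on (the default of create_default_context) and the
    protocol floor pinned explicitly."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_tls_context(ctx: ssl.SSLContext) -> list:
    """Returns the weaknesses found; an empty list means the context checks the
    peer the way a browser does when the user does not click OK."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode != CERT_REQUIRED: peer certificate is not validated")
    if not ctx.check_hostname:
        findings.append("check_hostname off: a valid certificate for any other name is accepted")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum_version below TLS 1.2")
    return findings


if __name__ == "__main__":
    for finding in audit_tls_context(click_ok_context()):
        print("weak:", finding)
    print("secure context findings:", audit_tls_context(secure_client_context()))  # []
```

Running `audit_tls_context` over every context a code base constructs (for example in a unit test) catches the "OK" click before it ships, which is cheaper than training users not to press it.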
Challenges

• Always room at the bottom
• Human factors
• It’s the economy, stupid!
Challenges
• It’s the economy, stupid!
  • “No gain, no pain”
  • Examples:
    • Software (no liability)
    • Credit cards in France
Questions to you
1. Did you _really_ implement secure software?
2. Do you trust your news service(s)?
3. Do you use Facebook’s privacy features?
4. Do you respect someone else’s privacy on Facebook?
5. Do you care?
Questions?
Disclaimer
Credits

• Introduction to security and course overview, prof. dr. ir. Bart Preneel, Intensive Program on Information and Communication Security, July 2006
• Google Images (most of the images)
• Sigridschrijft.be / Sony (Terminator 4 poster)
More Related Content

Similar to Information Security, some illustrated principles

Introduction To Computer Security
Introduction To Computer SecurityIntroduction To Computer Security
Introduction To Computer SecurityVibrant Event
 
Ethical Hacking - Introduction to Computer Security
Ethical Hacking - Introduction to Computer Security Ethical Hacking - Introduction to Computer Security
Ethical Hacking - Introduction to Computer Security Vibrant Event
 
sharing the data using audio and image Steganography-
sharing the data using audio and image Steganography- sharing the data using audio and image Steganography-
sharing the data using audio and image Steganography- Nikhil Praharshi
 
IoT Attack Surfaces -- DEFCON 2015
IoT Attack Surfaces -- DEFCON 2015IoT Attack Surfaces -- DEFCON 2015
IoT Attack Surfaces -- DEFCON 2015Daniel Miessler
 
Pre-Quiz Symantec Endpoint Encryption
Pre-Quiz Symantec Endpoint EncryptionPre-Quiz Symantec Endpoint Encryption
Pre-Quiz Symantec Endpoint EncryptionMatt Dawdy
 
Why isn't infosec working? Did you turn it off and back on again?
Why isn't infosec working? Did you turn it off and back on again?Why isn't infosec working? Did you turn it off and back on again?
Why isn't infosec working? Did you turn it off and back on again?Rob Fuller
 
Os Nightingale
Os NightingaleOs Nightingale
Os Nightingaleoscon2007
 
Beyond The Padlock: New Ideas in Browser Security UI
Beyond The Padlock: New Ideas in Browser Security UIBeyond The Padlock: New Ideas in Browser Security UI
Beyond The Padlock: New Ideas in Browser Security UImozilla.presentations
 
7 Things People Do To Endanger Their Networks
7 Things People Do To Endanger Their Networks7 Things People Do To Endanger Their Networks
7 Things People Do To Endanger Their Networksjaymemcree
 
Opsec for security researchers
Opsec for security researchersOpsec for security researchers
Opsec for security researchersvicenteDiaz_KL
 
Trustleap - Mathematically-Proven Unbreakable Security
Trustleap - Mathematically-Proven Unbreakable SecurityTrustleap - Mathematically-Proven Unbreakable Security
Trustleap - Mathematically-Proven Unbreakable SecurityTWD Industries AG
 
Disagree with "I Agree"
Disagree with "I Agree"Disagree with "I Agree"
Disagree with "I Agree"Pronovix
 
APIdays Paris 2018 - Disagree with “I Agree”. Enforcing Better GDPR Complianc...
APIdays Paris 2018 - Disagree with “I Agree”. Enforcing Better GDPR Complianc...APIdays Paris 2018 - Disagree with “I Agree”. Enforcing Better GDPR Complianc...
APIdays Paris 2018 - Disagree with “I Agree”. Enforcing Better GDPR Complianc...apidays
 
Needlesand haystacks i360-dublin
Needlesand haystacks i360-dublinNeedlesand haystacks i360-dublin
Needlesand haystacks i360-dublinDerek King
 
Care and Feeding of Healthy Computers
Care and Feeding of Healthy ComputersCare and Feeding of Healthy Computers
Care and Feeding of Healthy ComputersLorens Tech Solutions
 
Perimeter Defense in a World Without Walls
Perimeter Defense in a World Without WallsPerimeter Defense in a World Without Walls
Perimeter Defense in a World Without WallsDan Houser
 

Similar to Information Security, some illustrated principles (20)

Introduction To Computer Security
Introduction To Computer SecurityIntroduction To Computer Security
Introduction To Computer Security
 
Ethical Hacking - Introduction to Computer Security
Ethical Hacking - Introduction to Computer Security Ethical Hacking - Introduction to Computer Security
Ethical Hacking - Introduction to Computer Security
 
Ethical Hacking - Introduction to Computer Security
Ethical Hacking - Introduction to Computer SecurityEthical Hacking - Introduction to Computer Security
Ethical Hacking - Introduction to Computer Security
 
sharing the data using audio and image Steganography-
sharing the data using audio and image Steganography- sharing the data using audio and image Steganography-
sharing the data using audio and image Steganography-
 
IoT Attack Surfaces -- DEFCON 2015
IoT Attack Surfaces -- DEFCON 2015IoT Attack Surfaces -- DEFCON 2015
IoT Attack Surfaces -- DEFCON 2015
 
Pre-Quiz Symantec Endpoint Encryption
Pre-Quiz Symantec Endpoint EncryptionPre-Quiz Symantec Endpoint Encryption
Pre-Quiz Symantec Endpoint Encryption
 
Why isn't infosec working? Did you turn it off and back on again?
Why isn't infosec working? Did you turn it off and back on again?Why isn't infosec working? Did you turn it off and back on again?
Why isn't infosec working? Did you turn it off and back on again?
 
Os Nightingale
Os NightingaleOs Nightingale
Os Nightingale
 
Beyond The Padlock: New Ideas in Browser Security UI
Beyond The Padlock: New Ideas in Browser Security UIBeyond The Padlock: New Ideas in Browser Security UI
Beyond The Padlock: New Ideas in Browser Security UI
 
Juice Jacking 101
Juice Jacking 101Juice Jacking 101
Juice Jacking 101
 
7 Things People Do To Endanger Their Networks
7 Things People Do To Endanger Their Networks7 Things People Do To Endanger Their Networks
7 Things People Do To Endanger Their Networks
 
Opsec for security researchers
Opsec for security researchersOpsec for security researchers
Opsec for security researchers
 
Trustleap - Mathematically-Proven Unbreakable Security
Trustleap - Mathematically-Proven Unbreakable SecurityTrustleap - Mathematically-Proven Unbreakable Security
Trustleap - Mathematically-Proven Unbreakable Security
 
Cyber Security in a Fully Mobile World
Cyber Security in a Fully Mobile WorldCyber Security in a Fully Mobile World
Cyber Security in a Fully Mobile World
 
Disagree with "I Agree"
Disagree with "I Agree"Disagree with "I Agree"
Disagree with "I Agree"
 
APIdays Paris 2018 - Disagree with “I Agree”. Enforcing Better GDPR Complianc...
APIdays Paris 2018 - Disagree with “I Agree”. Enforcing Better GDPR Complianc...APIdays Paris 2018 - Disagree with “I Agree”. Enforcing Better GDPR Complianc...
APIdays Paris 2018 - Disagree with “I Agree”. Enforcing Better GDPR Complianc...
 
Computer & Data Security
Computer & Data SecurityComputer & Data Security
Computer & Data Security
 
Needlesand haystacks i360-dublin
Needlesand haystacks i360-dublinNeedlesand haystacks i360-dublin
Needlesand haystacks i360-dublin
 
Care and Feeding of Healthy Computers
Care and Feeding of Healthy ComputersCare and Feeding of Healthy Computers
Care and Feeding of Healthy Computers
 
Perimeter Defense in a World Without Walls
Perimeter Defense in a World Without WallsPerimeter Defense in a World Without Walls
Perimeter Defense in a World Without Walls
 

Recently uploaded

INTRODUCTION TO CATHOLIC CHRISTOLOGY.pptx
INTRODUCTION TO CATHOLIC CHRISTOLOGY.pptxINTRODUCTION TO CATHOLIC CHRISTOLOGY.pptx
INTRODUCTION TO CATHOLIC CHRISTOLOGY.pptxHumphrey A Beña
 
Active Learning Strategies (in short ALS).pdf
Active Learning Strategies (in short ALS).pdfActive Learning Strategies (in short ALS).pdf
Active Learning Strategies (in short ALS).pdfPatidar M
 
Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17
Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17
Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17Celine George
 
Choosing the Right CBSE School A Comprehensive Guide for Parents
Choosing the Right CBSE School A Comprehensive Guide for ParentsChoosing the Right CBSE School A Comprehensive Guide for Parents
Choosing the Right CBSE School A Comprehensive Guide for Parentsnavabharathschool99
 
TEACHER REFLECTION FORM (NEW SET........).docx
TEACHER REFLECTION FORM (NEW SET........).docxTEACHER REFLECTION FORM (NEW SET........).docx
TEACHER REFLECTION FORM (NEW SET........).docxruthvilladarez
 
ClimART Action | eTwinning Project
ClimART Action    |    eTwinning ProjectClimART Action    |    eTwinning Project
ClimART Action | eTwinning Projectjordimapav
 
ICS2208 Lecture6 Notes for SL spaces.pdf
ICS2208 Lecture6 Notes for SL spaces.pdfICS2208 Lecture6 Notes for SL spaces.pdf
ICS2208 Lecture6 Notes for SL spaces.pdfVanessa Camilleri
 
THEORIES OF ORGANIZATION-PUBLIC ADMINISTRATION
THEORIES OF ORGANIZATION-PUBLIC ADMINISTRATIONTHEORIES OF ORGANIZATION-PUBLIC ADMINISTRATION
THEORIES OF ORGANIZATION-PUBLIC ADMINISTRATIONHumphrey A Beña
 
ROLES IN A STAGE PRODUCTION in arts.pptx
ROLES IN A STAGE PRODUCTION in arts.pptxROLES IN A STAGE PRODUCTION in arts.pptx
ROLES IN A STAGE PRODUCTION in arts.pptxVanesaIglesias10
 
MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptx
MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptxMULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptx
MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptxAnupkumar Sharma
 
GRADE 4 - SUMMATIVE TEST QUARTER 4 ALL SUBJECTS
GRADE 4 - SUMMATIVE TEST QUARTER 4 ALL SUBJECTSGRADE 4 - SUMMATIVE TEST QUARTER 4 ALL SUBJECTS
GRADE 4 - SUMMATIVE TEST QUARTER 4 ALL SUBJECTSJoshuaGantuangco2
 
Millenials and Fillennials (Ethical Challenge and Responses).pptx
Millenials and Fillennials (Ethical Challenge and Responses).pptxMillenials and Fillennials (Ethical Challenge and Responses).pptx
Millenials and Fillennials (Ethical Challenge and Responses).pptxJanEmmanBrigoli
 
Grade 9 Quarter 4 Dll Grade 9 Quarter 4 DLL.pdf
Grade 9 Quarter 4 Dll Grade 9 Quarter 4 DLL.pdfGrade 9 Quarter 4 Dll Grade 9 Quarter 4 DLL.pdf
Grade 9 Quarter 4 Dll Grade 9 Quarter 4 DLL.pdfJemuel Francisco
 
4.16.24 Poverty and Precarity--Desmond.pptx
4.16.24 Poverty and Precarity--Desmond.pptx4.16.24 Poverty and Precarity--Desmond.pptx
4.16.24 Poverty and Precarity--Desmond.pptxmary850239
 
Measures of Position DECILES for ungrouped data
Measures of Position DECILES for ungrouped dataMeasures of Position DECILES for ungrouped data
Measures of Position DECILES for ungrouped dataBabyAnnMotar
 
Presentation Activity 2. Unit 3 transv.pptx
Presentation Activity 2. Unit 3 transv.pptxPresentation Activity 2. Unit 3 transv.pptx
Presentation Activity 2. Unit 3 transv.pptxRosabel UA
 
Inclusivity Essentials_ Creating Accessible Websites for Nonprofits .pdf
Inclusivity Essentials_ Creating Accessible Websites for Nonprofits .pdfInclusivity Essentials_ Creating Accessible Websites for Nonprofits .pdf
Inclusivity Essentials_ Creating Accessible Websites for Nonprofits .pdfTechSoup
 

Recently uploaded (20)

INTRODUCTION TO CATHOLIC CHRISTOLOGY.pptx
INTRODUCTION TO CATHOLIC CHRISTOLOGY.pptxINTRODUCTION TO CATHOLIC CHRISTOLOGY.pptx
INTRODUCTION TO CATHOLIC CHRISTOLOGY.pptx
 
Active Learning Strategies (in short ALS).pdf
Active Learning Strategies (in short ALS).pdfActive Learning Strategies (in short ALS).pdf
Active Learning Strategies (in short ALS).pdf
 
Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17
Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17
Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17
 
Choosing the Right CBSE School A Comprehensive Guide for Parents
Choosing the Right CBSE School A Comprehensive Guide for ParentsChoosing the Right CBSE School A Comprehensive Guide for Parents
Choosing the Right CBSE School A Comprehensive Guide for Parents
 
TEACHER REFLECTION FORM (NEW SET........).docx
TEACHER REFLECTION FORM (NEW SET........).docxTEACHER REFLECTION FORM (NEW SET........).docx
TEACHER REFLECTION FORM (NEW SET........).docx
 
ClimART Action | eTwinning Project
ClimART Action    |    eTwinning ProjectClimART Action    |    eTwinning Project
ClimART Action | eTwinning Project
 
ICS2208 Lecture6 Notes for SL spaces.pdf
ICS2208 Lecture6 Notes for SL spaces.pdfICS2208 Lecture6 Notes for SL spaces.pdf
ICS2208 Lecture6 Notes for SL spaces.pdf
 
THEORIES OF ORGANIZATION-PUBLIC ADMINISTRATION
THEORIES OF ORGANIZATION-PUBLIC ADMINISTRATIONTHEORIES OF ORGANIZATION-PUBLIC ADMINISTRATION
THEORIES OF ORGANIZATION-PUBLIC ADMINISTRATION
 
ROLES IN A STAGE PRODUCTION in arts.pptx
ROLES IN A STAGE PRODUCTION in arts.pptxROLES IN A STAGE PRODUCTION in arts.pptx
ROLES IN A STAGE PRODUCTION in arts.pptx
 
YOUVE_GOT_EMAIL_PRELIMS_EL_DORADO_2024.pptx
YOUVE_GOT_EMAIL_PRELIMS_EL_DORADO_2024.pptxYOUVE_GOT_EMAIL_PRELIMS_EL_DORADO_2024.pptx
YOUVE_GOT_EMAIL_PRELIMS_EL_DORADO_2024.pptx
 
MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptx
MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptxMULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptx
MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptx
 
GRADE 4 - SUMMATIVE TEST QUARTER 4 ALL SUBJECTS
GRADE 4 - SUMMATIVE TEST QUARTER 4 ALL SUBJECTSGRADE 4 - SUMMATIVE TEST QUARTER 4 ALL SUBJECTS
GRADE 4 - SUMMATIVE TEST QUARTER 4 ALL SUBJECTS
 
Millenials and Fillennials (Ethical Challenge and Responses).pptx
Millenials and Fillennials (Ethical Challenge and Responses).pptxMillenials and Fillennials (Ethical Challenge and Responses).pptx
Millenials and Fillennials (Ethical Challenge and Responses).pptx
 
Grade 9 Quarter 4 Dll Grade 9 Quarter 4 DLL.pdf
Grade 9 Quarter 4 Dll Grade 9 Quarter 4 DLL.pdfGrade 9 Quarter 4 Dll Grade 9 Quarter 4 DLL.pdf
Grade 9 Quarter 4 Dll Grade 9 Quarter 4 DLL.pdf
 
4.16.24 Poverty and Precarity--Desmond.pptx
4.16.24 Poverty and Precarity--Desmond.pptx4.16.24 Poverty and Precarity--Desmond.pptx
4.16.24 Poverty and Precarity--Desmond.pptx
 
Measures of Position DECILES for ungrouped data
Measures of Position DECILES for ungrouped dataMeasures of Position DECILES for ungrouped data
Measures of Position DECILES for ungrouped data
 
Presentation Activity 2. Unit 3 transv.pptx
Presentation Activity 2. Unit 3 transv.pptxPresentation Activity 2. Unit 3 transv.pptx
Presentation Activity 2. Unit 3 transv.pptx
 
YOUVE GOT EMAIL_FINALS_EL_DORADO_2024.pptx
YOUVE GOT EMAIL_FINALS_EL_DORADO_2024.pptxYOUVE GOT EMAIL_FINALS_EL_DORADO_2024.pptx
YOUVE GOT EMAIL_FINALS_EL_DORADO_2024.pptx
 
Paradigm shift in nursing research by RS MEHTA
Paradigm shift in nursing research by RS MEHTAParadigm shift in nursing research by RS MEHTA
Paradigm shift in nursing research by RS MEHTA
 
Inclusivity Essentials_ Creating Accessible Websites for Nonprofits .pdf
Inclusivity Essentials_ Creating Accessible Websites for Nonprofits .pdfInclusivity Essentials_ Creating Accessible Websites for Nonprofits .pdf
Inclusivity Essentials_ Creating Accessible Websites for Nonprofits .pdf
 

Information Security, some illustrated principles

  • 1. Information security some illustrated principles
  • 7. www.facebook.net phishing
  • 8. OMG pink poniezzz trojan horses
  • 9.
  • 10.
  • 14. spam
  • 17. Entity Authentication (Identification)
  • 21. Terminology & definitions • Cryptographers and computer security people talk a different language (e.g. ‘authentication’ vs ‘authorisation’) • Integrity(Data authentication? Entity authentication?) • Availability (Denial of Service? Non-repudiation?) • Confidentiality • Trust
  • 22. Terminology & definitions • Cryptographers and computer security people talk a different language (e.g. ‘authentication’ vs ‘authorisation’) • Integrity(Data authentication? Entity authentication?) • Availability (Denial of Service? Non-repudiation?) • Confidentiality • Trust
  • 23. Terminology & definitions • Cryptographers and computer security people talk a different language (e.g. ‘authentication’ vs ‘authorisation’) • Integrity(Data authentication? Entity authentication?) • Availability (Denial of Service? Non-repudiation?) • Confidentiality • Trust
  • 24. Terminology & definitions • Cryptographers and computer security people talk a different language (e.g. ‘authentication’ vs ‘authorisation’) • Integrity(Data authentication? Entity authentication?) • Availability (Denial of Service? Non-repudiation?) • Confidentiality • Trust
  • 25. Terminology & definitions • Cryptographers and computer security people talk a different language (e.g. ‘authentication’ vs ‘authorisation’) • Integrity(Data authentication? Entity authentication?) • Availability (Denial of Service? Non-repudiation?) • Confidentiality • Trust
  • 26. Vertrouwen (trust) ➡ Dieter Gollman: “Trust is not the ➡ Based on concept that ➡ reputation unifies security, it ➡ control and is an absolute punishment mess.” ➡ policy enforcement ➡ “If it is trusted, it ➡ ... or blind can hurt you.”
  • 27. Vertrouwen (trust) ➡ Dieter Gollman: “Trust is not the ➡ Based on concept that ➡ reputation unifies security, it ➡ control and is an absolute punishment mess.” ➡ policy enforcement ➡ “If it is trusted, it ➡ ... or blind can hurt you.”
  • 28. Vertrouwen (trust) ➡ Dieter Gollman: “Trust is not the ➡ Based on concept that ➡ reputation unifies security, it ➡ control and is an absolute punishment mess.” ➡ policy enforcement ➡ “If it is trusted, it ➡ ... or blind can hurt you.”
  • 29. Vertrouwen Nieuws.be 27/11/’08 18u13: “A320 crasht in de Middellandse Zee.”
  • 30. Vertrouwen Luchtvaartnieuws.nl op 5/10/’07: “US Airways bestelt 92 Airbussen.”
  • 31. Nieuws.be: A320 Luchtvaartnieuws.nl: A350
  • 32. Vertrouwen Nieuws.be 27/11/’08 20u25: “A320 crasht in de Middellandse Zee.”
  • 33. Vertrouwen • In de praktijk: • cryptografische sleutel (bvb. encryptie) • toegangsrechten • digitale handtekeningen • “trusted computing”
  • 34. Vertrouwen • In de praktijk: • cryptografische sleutel (bvb. encryptie) • toegangsrechten • digitale handtekeningen • “trusted computing”
  • 35. Vertrouwen • In de praktijk: • cryptografische sleutel (bvb. encryptie) • toegangsrechten • digitale handtekeningen • “trusted computing”
  • 36. Vertrouwen • In de praktijk: • cryptografische sleutel (bvb. encryptie) • toegangsrechten • digitale handtekeningen • “trusted computing”
  • 37. Information Security Principles • Be clear about definitions
  • 39. Don’ts • Security and complexity do not mix
  • 40. Don’ts • Security and complexity do not mix: • operating system • network architecture • applications • mobile code • services: XML, SOAP, VoIP (through the firewall!) • always on connections (botnets!)
  • 41. Don’ts • Security and complexity do not mix: • operating system • network architecture • applications • mobile code • services: XML, SOAP, VoIP (through the firewall!) • always on connections (botnets!)
  • 42. Don’ts • Security and complexity do not mix: • operating system • network architecture • applications • mobile code • services: XML, SOAP, VoIP (through the firewall!) • always on connections (botnets!)
  • 43. Don’ts • Security and complexity do not mix: • operating system • network architecture • applications • mobile code • services: XML, SOAP, VoIP (through the firewall!) • always on connections (botnets!)
  • 44. Don’ts • Security and complexity do not mix: • operating system • network architecture • applications • mobile code • services: XML, SOAP, VoIP (through the firewall!) • always on connections (botnets!)
  • 45. Don’ts • Security and complexity do not mix: • operating system • network architecture • applications • mobile code • services: XML, SOAP, VoIP (through the firewall!) • always on connections (botnets!)
  • 46. Don’ts • Security through obscurity: • mobile phone systems: GSM in US • DVD copyright protection (DVD Jon!) • Sony rootkit • Diebold voting machines • Microsoft • Cisco router OS • physical locks • blacking out text in PDF (hack: “read out loud”)
  • 54. Don’ts • Risk avoidance: • accept the risk • reduce risk with technology • reduce risk with procedures • reduce risk with insurance • reduce risk with disclaimers • transfer the risk (e.g.: from data to key)
  • 60. Don’ts • Security is not forever: • Cryptography: • 1958 vs now : peanuts • now vs 2058 : ? • Advances in: • reverse engineering • side channel attacks
  • 62. Don’ts • Security and complexity don’t mix • Security through obscurity does not work • 100% security doesn’t exist • Security is not forever
  • 64. Assumptions • Clearly state the assumptions behind the system. • Code re-use can be dangerous: design assumptions might no longer be valid!
  • 65. Assumptions • GSM: • encryption until the base station • no need to authenticate the network (in Soviet mobile nation, network authenticates YOU!)
  • 66. Assumptions • e-ID: • PIN code is kept secret by the user
  • 67. Assumptions • RFID: • opponent cannot eavesdrop > 1 meter
  • 68. Do’s • Clearly state the assumptions behind the system. • Need for integrated approach
  • 70. Do’s • Clearly state the assumptions behind the system. • Need for integrated approach • Find the right mix of technology and law
  • 71. “Gentlemen don’t go in through the exit”
  • 74. Spam
  • 75. Legislation • Electronic Signatures • Data retention • Eavesdropping • Computer Crime
  • 79. Do’s • Clearly state the assumptions behind the system. • Need for integrated approach • Find the right mix of technology and law • Need for secure implementations
  • 80. Secure implementations • “Nothing is more practical than a good theory” • “Theory is important, at least in theory”
  • 81. Secure implementations • Consider: • Secure software/hardware (orlly?) • Side channel attacks • Buffer overflows • API errors • Random number generators • Model vs reality
  • 84. Challenges • Always room at the bottom: • RFID • Sensor networks • Smartphones
  • 85. Challenges • Always room at the bottom • Human Factors: • usability (“This certificate is invalid.” - “OK”) • social engineering
  • 86. Challenges • Always room at the bottom • Human Factors • It’s the economy, stupid!
  • 87. Challenges • It’s the economy, stupid! • “No gain, no pain” • Examples: • Software (no liability) • Credit cards in France
  • 89. 1. Did you _really_ implement secure software?
  • 90. 2. Do you trust your news service(s)?
  • 91. 3. Do you use Facebook’s privacy features?
  • 92. 4. Do you respect someone else’s privacy on Facebook?
  • 93. 5. Do you care?
  • 96. Credits • Introduction to security and course overview, prof. dr. ir. Bart Preneel, Intensive Program on Information and Communication Security, July 2006 • Google Images (most of the images) • Sigridschrijft.be / Sony (Terminator 4 poster)