SlideShare a Scribd company logo

Information Security, some illustrated principles

B
boskabout

Some principles of information security are mentioned and illustrated with some recent events in the Belgian Blogosphere and Facebook.

Education
1 of 96
Information security some illustrated principles
Waarom security?
Geheimen “aan niemand doorvertellen he!”
Controle “_Wie_ weet dat allemaal?”
Information wants to be free
Problemen?
www.facebook.net phishing
OMG pink poniezzz trojan horses
Botnets
crack!
sniffers
spam
Concepten
Data confidentiality
Entity Authentication (Identification)
Data authentication (integrity + who sent it)
Non-repudiation (origin vs receipt)
Denial of Service
Terminology & definitions • Cryptographers and computer security people talk a different language (e.g. ‘authentication’ vs ‘authorisation’) • Integrity(Data authentication? Entity authentication?) • Availability (Denial of Service? Non-repudiation?) • Confidentiality • Trust
Terminology & definitions • Cryptographers and computer security people talk a different language (e.g. ‘authentication’ vs ‘authorisation’) • Integrity(Data authentication? Entity authentication?) • Availability (Denial of Service? Non-repudiation?) • Confidentiality • Trust
Terminology & definitions • Cryptographers and computer security people talk a different language (e.g. ‘authentication’ vs ‘authorisation’) • Integrity(Data authentication? Entity authentication?) • Availability (Denial of Service? Non-repudiation?) • Confidentiality • Trust
Terminology & definitions • Cryptographers and computer security people talk a different language (e.g. ‘authentication’ vs ‘authorisation’) • Integrity(Data authentication? Entity authentication?) • Availability (Denial of Service? Non-repudiation?) • Confidentiality • Trust
Terminology & definitions • Cryptographers and computer security people talk a different language (e.g. ‘authentication’ vs ‘authorisation’) • Integrity(Data authentication? Entity authentication?) • Availability (Denial of Service? Non-repudiation?) • Confidentiality • Trust
Vertrouwen (trust) ➡ Dieter Gollman: “Trust is not the ➡ Based on concept that ➡ reputation unifies security, it ➡ control and is an absolute punishment mess.” ➡ policy enforcement ➡ “If it is trusted, it ➡ ... or blind can hurt you.”
Vertrouwen (trust) ➡ Dieter Gollman: “Trust is not the ➡ Based on concept that ➡ reputation unifies security, it ➡ control and is an absolute punishment mess.” ➡ policy enforcement ➡ “If it is trusted, it ➡ ... or blind can hurt you.”
Vertrouwen (trust) ➡ Dieter Gollman: “Trust is not the ➡ Based on concept that ➡ reputation unifies security, it ➡ control and is an absolute punishment mess.” ➡ policy enforcement ➡ “If it is trusted, it ➡ ... or blind can hurt you.”
Vertrouwen Nieuws.be 27/11/’08 18u13: “A320 crasht in de Middellandse Zee.”
Vertrouwen Luchtvaartnieuws.nl op 5/10/’07: “US Airways bestelt 92 Airbussen.”
Nieuws.be: A320 Luchtvaartnieuws.nl: A350
Vertrouwen Nieuws.be 27/11/’08 20u25: “A320 crasht in de Middellandse Zee.”
Vertrouwen • In de praktijk: • cryptografische sleutel (bvb. encryptie) • toegangsrechten • digitale handtekeningen • “trusted computing”
Vertrouwen • In de praktijk: • cryptografische sleutel (bvb. encryptie) • toegangsrechten • digitale handtekeningen • “trusted computing”
Vertrouwen • In de praktijk: • cryptografische sleutel (bvb. encryptie) • toegangsrechten • digitale handtekeningen • “trusted computing”
Vertrouwen • In de praktijk: • cryptografische sleutel (bvb. encryptie) • toegangsrechten • digitale handtekeningen • “trusted computing”
Information Security Principles • Be clear about definitions
Don’ts
Don’ts • Security and complexity do not mix
Don’ts • Security and complexity do not mix: • operating system • network architecture • applications • mobile code • services: XML, SOAP, VoIP (through the firewall!) • always on connections (botnets!)
Don’ts • Security and complexity do not mix: • operating system • network architecture • applications • mobile code • services: XML, SOAP, VoIP (through the firewall!) • always on connections (botnets!)
Don’ts • Security and complexity do not mix: • operating system • network architecture • applications • mobile code • services: XML, SOAP, VoIP (through the firewall!) • always on connections (botnets!)
Don’ts • Security and complexity do not mix: • operating system • network architecture • applications • mobile code • services: XML, SOAP, VoIP (through the firewall!) • always on connections (botnets!)
Don’ts • Security and complexity do not mix: • operating system • network architecture • applications • mobile code • services: XML, SOAP, VoIP (through the firewall!) • always on connections (botnets!)
Don’ts • Security and complexity do not mix: • operating system • network architecture • applications • mobile code • services: XML, SOAP, VoIP (through the firewall!) • always on connections (botnets!)
Don’ts • Security through obscurity: • mobile phone systems: GSM in US • DVD copyright protection (DVD Jon!) • Sony rootkit • Diebold voting machines • Microsoft • Cisco router OS • physical locks • blacking out text in PDF (hack: “read out loud”)
Don’ts • Security through obscurity: • mobile phone systems: GSM in US • DVD copyright protection (DVD Jon!) • Sony rootkit • Diebold voting machines • Microsoft • Cisco router OS • physical locks • blacking out text in PDF (hack: “read out loud”)
Don’ts • Security through obscurity: • mobile phone systems: GSM in US • DVD copyright protection (DVD Jon!) • Sony rootkit • Diebold voting machines • Microsoft • Cisco router OS • physical locks • blacking out text in PDF (hack: “read out loud”)
Don’ts • Security through obscurity: • mobile phone systems: GSM in US • DVD copyright protection (DVD Jon!) • Sony rootkit • Diebold voting machines • Microsoft • Cisco router OS • physical locks • blacking out text in PDF (hack: “read out loud”)
Don’ts • Security through obscurity: • mobile phone systems: GSM in US • DVD copyright protection (DVD Jon!) • Sony rootkit • Diebold voting machines • Microsoft • Cisco router OS • physical locks • blacking out text in PDF (hack: “read out loud”)
Don’ts • Security through obscurity: • mobile phone systems: GSM in US • DVD copyright protection (DVD Jon!) • Sony rootkit • Diebold voting machines • Microsoft • Cisco router OS • physical locks • blacking out text in PDF (hack: “read out loud”)
Don’ts • Security through obscurity: • mobile phone systems: GSM in US • DVD copyright protection (DVD Jon!) • Sony rootkit • Diebold voting machines • Microsoft • Cisco router OS • physical locks • blacking out text in PDF (hack: “read out loud”)
Don’ts • Security through obscurity: • mobile phone systems: GSM in US • DVD copyright protection (DVD Jon!) • Sony rootkit • Diebold voting machines • Microsoft • Cisco router OS • physical locks • blacking out text in PDF (hack: “read out loud”)
Don’ts • Risk avoidance: • accept the risk • reduce risk with technology • reduce risk with procedures • reduce risk with insurance • reduce risk with disclaimers • transfer the risk (e.g.: from data to key)
Don’ts • Risk avoidance: • accept the risk • reduce risk with technology • reduce risk with procedures • reduce risk with insurance • reduce risk with disclaimers • transfer the risk (e.g.: from data to key)
Don’ts • Risk avoidance: • accept the risk • reduce risk with technology • reduce risk with procedures • reduce risk with insurance • reduce risk with disclaimers • transfer the risk (e.g.: from data to key)
Don’ts • Risk avoidance: • accept the risk • reduce risk with technology • reduce risk with procedures • reduce risk with insurance • reduce risk with disclaimers • transfer the risk (e.g.: from data to key)
Don’ts • Risk avoidance: • accept the risk • reduce risk with technology • reduce risk with procedures • reduce risk with insurance • reduce risk with disclaimers • transfer the risk (e.g.: from data to key)
Don’ts • Risk avoidance: • accept the risk • reduce risk with technology • reduce risk with procedures • reduce risk with insurance • reduce risk with disclaimers • transfer the risk (e.g.: from data to key)
Don’ts • Security is not forever: • Cryptography: • 1958 vs now : peanuts • now vs 2058 : ? • Advances in: • reverse engineering • side channel attacks
Don’ts • Security is not forever: • Cryptography: • 1958 vs now : peanuts • now vs 2058 : ? • Advances in: • reverse engineering • side channel attacks
Don’ts • Security and complexity don’t mix • Security through obscurity does not work • 100% security doesn’t exist • Security is not forever
Do’s
Assumptions • Clearly state the assumptions behind the system. • Code re-use can be dangerous: design assumptions might no longer be valid!
Assumptions • GSM: • encryption until the base station • no need to authenticate the network (in Soviet mobile nation, network authenticates YOU!)
Assumptions • e-ID: • PIN code is kept secret by the user
Assumptions • RFID: • opponent cannot eavesdrop > 1 meter
Do’s • Clearly state the assumptions behind the system. • Need for integrated approach
Integrated approach
Do’s • Clearly state the assumptions behind the system. • Need for integrated approach • Find the right mix of technology and law
“Gentlemen don’t go in through the exit”
Digital Rights Management
Digital Millenium Copyright Act
Spam
Legislation • Electronic Signatures • Data retention • Eavesdropping • Computer Crime
Legislation • Electronic Signatures • Data retention • Eavesdropping • Computer Crime
Legislation • Electronic Signatures • Data retention • Eavesdropping • Computer Crime
Legislation • Electronic Signatures • Data retention • Eavesdropping • Computer Crime
Do’s • Clearly state the assumptions behind the system. • Need for integrated approach • Find the right mix of technology and law • Need for secure implementations
Secure implementations • “Nothing is more practical than a good theory” • “Theory is important, at least in theory”
Secure implementations • Consider: • Secure software/hardware (orlly?) • Side channel attacks • Buffer overflows • API errors • Random number generators • Model vs reality
Model vs Reality
Challenges
Challenges • Always room at the bottom: • RFID • Sensor networks • Smartphones
Challenges • Always room at the bottom • Human Factors: • usability (“This certificate is invalid.” - “OK”) • social engineering
Challenges • Always room at the bottom • Human Factors • It’s the economy, stupid!
Challenges • It’s the economy, stupid! • “No gain, no pain” • Examples: • Software (no liability) • Credit cards in France
Questions to you
1. Did you _really_ implement secure software?
2. Do you trust your news service(s)?
3. Do you use Facebook’s privacy features?
4. Do you respect someone else’s privacy on Facebook?
5. Do you care?
Questions?
Disclaimer
Credits • Introduction to security and course overview, prof. dr. ir. Bart Preneel, Intensive Program on Information and Communication Security, July 2006 • Google Images (most of the images) • Sigridschrijft.be / Sony (Terminator 4 poster)

Recommended

Identity theft ppt
Identity theft pptIdentity theft ppt
Identity theft ppt
Cut 2 Shreds
 
Indentify Theft Slide Show
Indentify Theft Slide ShowIndentify Theft Slide Show
Indentify Theft Slide Show
robinlgray
 
Spam Filtering
Spam FilteringSpam Filtering
Spam Filtering
Umar Alharaky
 
Security threats
Security threatsSecurity threats
Security threats
Qamar Farooq
 
Computer Hacking - An Introduction
Computer Hacking - An IntroductionComputer Hacking - An Introduction
Computer Hacking - An Introduction
Jayaseelan Vejayon
 
Denial of Service Attacks
Denial of Service AttacksDenial of Service Attacks
Denial of Service Attacks
Pascal Flöschel
 
50 Shades of RED: Stories from the “Playroom” from CONFidence 2014
50 Shades of RED: Stories from the “Playroom” from CONFidence 201450 Shades of RED: Stories from the “Playroom” from CONFidence 2014
50 Shades of RED: Stories from the “Playroom” from CONFidence 2014
Chris Nickerson
 
Castle Presentation 08-12-04
Castle Presentation 08-12-04Castle Presentation 08-12-04
Castle Presentation 08-12-04
Howard Hellman
 

Recommended

Identity theft ppt
Identity theft pptIdentity theft ppt
Identity theft ppt
Cut 2 Shreds
 
Indentify Theft Slide Show
Indentify Theft Slide ShowIndentify Theft Slide Show
Indentify Theft Slide Show
robinlgray
 
Spam Filtering
Spam FilteringSpam Filtering
Spam Filtering
Umar Alharaky
 
Security threats
Security threatsSecurity threats
Security threats
Qamar Farooq
 
Computer Hacking - An Introduction
Computer Hacking - An IntroductionComputer Hacking - An Introduction
Computer Hacking - An Introduction
Jayaseelan Vejayon
 
Denial of Service Attacks
Denial of Service AttacksDenial of Service Attacks
Denial of Service Attacks
Pascal Flöschel
 
50 Shades of RED: Stories from the “Playroom” from CONFidence 2014
50 Shades of RED: Stories from the “Playroom” from CONFidence 201450 Shades of RED: Stories from the “Playroom” from CONFidence 2014
50 Shades of RED: Stories from the “Playroom” from CONFidence 2014
Chris Nickerson
 
Castle Presentation 08-12-04
Castle Presentation 08-12-04Castle Presentation 08-12-04
Castle Presentation 08-12-04
Howard Hellman
 
Introduction To Computer Security
Introduction To Computer SecurityIntroduction To Computer Security
Introduction To Computer Security
Vibrant Event
 
Ethical Hacking - Introduction to Computer Security
Ethical Hacking - Introduction to Computer Security Ethical Hacking - Introduction to Computer Security
Ethical Hacking - Introduction to Computer Security
Vibrant Event
 
Ethical Hacking - Introduction to Computer Security
Ethical Hacking - Introduction to Computer SecurityEthical Hacking - Introduction to Computer Security
Ethical Hacking - Introduction to Computer Security
Vibrant Technologies & Computers
 
sharing the data using audio and image Steganography-
sharing the data using audio and image Steganography- sharing the data using audio and image Steganography-
sharing the data using audio and image Steganography-
Nikhil Praharshi
 
IoT Attack Surfaces -- DEFCON 2015
IoT Attack Surfaces -- DEFCON 2015IoT Attack Surfaces -- DEFCON 2015
IoT Attack Surfaces -- DEFCON 2015
Daniel Miessler
 
Pre-Quiz Symantec Endpoint Encryption
Pre-Quiz Symantec Endpoint EncryptionPre-Quiz Symantec Endpoint Encryption
Pre-Quiz Symantec Endpoint Encryption
Matt Dawdy
 
Why isn't infosec working? Did you turn it off and back on again?
Why isn't infosec working? Did you turn it off and back on again?Why isn't infosec working? Did you turn it off and back on again?
Why isn't infosec working? Did you turn it off and back on again?
Rob Fuller
 
Os Nightingale
Os NightingaleOs Nightingale
Os Nightingale
oscon2007
 
Beyond The Padlock: New Ideas in Browser Security UI
Beyond The Padlock: New Ideas in Browser Security UIBeyond The Padlock: New Ideas in Browser Security UI
Beyond The Padlock: New Ideas in Browser Security UI
mozilla.presentations
 
Juice Jacking 101
Juice Jacking 101Juice Jacking 101
Juice Jacking 101
Robert Rowley
 
7 Things People Do To Endanger Their Networks
7 Things People Do To Endanger Their Networks7 Things People Do To Endanger Their Networks
7 Things People Do To Endanger Their Networks
jaymemcree
 
Opsec for security researchers
Opsec for security researchersOpsec for security researchers
Opsec for security researchers
vicenteDiaz_KL
 
Trustleap - Mathematically-Proven Unbreakable Security
Trustleap - Mathematically-Proven Unbreakable SecurityTrustleap - Mathematically-Proven Unbreakable Security
Trustleap - Mathematically-Proven Unbreakable Security
TWD Industries AG
 
Cyber Security in a Fully Mobile World
Cyber Security in a Fully Mobile WorldCyber Security in a Fully Mobile World
Cyber Security in a Fully Mobile World
University of Hertfordshire
 
Disagree with "I Agree"
Disagree with "I Agree"Disagree with "I Agree"
Disagree with "I Agree"
Pronovix
 
APIdays Paris 2018 - Disagree with “I Agree”. Enforcing Better GDPR Complianc...
APIdays Paris 2018 - Disagree with “I Agree”. Enforcing Better GDPR Complianc...APIdays Paris 2018 - Disagree with “I Agree”. Enforcing Better GDPR Complianc...
APIdays Paris 2018 - Disagree with “I Agree”. Enforcing Better GDPR Complianc...
apidays
 
Computer & Data Security
Computer & Data SecurityComputer & Data Security
Computer & Data Security
Frederik Questier
 
Needlesand haystacks i360-dublin
Needlesand haystacks i360-dublinNeedlesand haystacks i360-dublin
Needlesand haystacks i360-dublin
Derek King
 
Care and Feeding of Healthy Computers
Care and Feeding of Healthy ComputersCare and Feeding of Healthy Computers
Care and Feeding of Healthy Computers
Lorens Tech Solutions
 
Perimeter Defense in a World Without Walls
Perimeter Defense in a World Without WallsPerimeter Defense in a World Without Walls
Perimeter Defense in a World Without Walls
Dan Houser
 
Python Notes for mca i year students osmania university.docx
Python Notes for mca i year students osmania university.docxPython Notes for mca i year students osmania university.docx
Python Notes for mca i year students osmania university.docx
Ramakrishna Reddy Bijjam
 
Accessible Digital Futures project (20/03/2024)
Accessible Digital Futures project (20/03/2024)Accessible Digital Futures project (20/03/2024)
Accessible Digital Futures project (20/03/2024)
Jisc
 

More Related Content

Similar to Information Security, some illustrated principles

Os Nightingale
Os NightingaleOs Nightingale
Os Nightingale
oscon2007
 
Cyber Security in a Fully Mobile World
Cyber Security in a Fully Mobile WorldCyber Security in a Fully Mobile World
Cyber Security in a Fully Mobile World
University of Hertfordshire
 

Similar to Information Security, some illustrated principles (20)

Introduction To Computer Security
Introduction To Computer SecurityIntroduction To Computer Security
Introduction To Computer Security
 
Ethical Hacking - Introduction to Computer Security
Ethical Hacking - Introduction to Computer Security Ethical Hacking - Introduction to Computer Security
Ethical Hacking - Introduction to Computer Security
 
Ethical Hacking - Introduction to Computer Security
Ethical Hacking - Introduction to Computer SecurityEthical Hacking - Introduction to Computer Security
Ethical Hacking - Introduction to Computer Security
 
sharing the data using audio and image Steganography-
sharing the data using audio and image Steganography- sharing the data using audio and image Steganography-
sharing the data using audio and image Steganography-
 
IoT Attack Surfaces -- DEFCON 2015
IoT Attack Surfaces -- DEFCON 2015IoT Attack Surfaces -- DEFCON 2015
IoT Attack Surfaces -- DEFCON 2015
 
Pre-Quiz Symantec Endpoint Encryption
Pre-Quiz Symantec Endpoint EncryptionPre-Quiz Symantec Endpoint Encryption
Pre-Quiz Symantec Endpoint Encryption
 
Why isn't infosec working? Did you turn it off and back on again?
Why isn't infosec working? Did you turn it off and back on again?Why isn't infosec working? Did you turn it off and back on again?
Why isn't infosec working? Did you turn it off and back on again?
 
Os Nightingale
Os NightingaleOs Nightingale
Os Nightingale
 
Beyond The Padlock: New Ideas in Browser Security UI
Beyond The Padlock: New Ideas in Browser Security UIBeyond The Padlock: New Ideas in Browser Security UI
Beyond The Padlock: New Ideas in Browser Security UI
 
Juice Jacking 101
Juice Jacking 101Juice Jacking 101
Juice Jacking 101
 
7 Things People Do To Endanger Their Networks
7 Things People Do To Endanger Their Networks7 Things People Do To Endanger Their Networks
7 Things People Do To Endanger Their Networks
 
Opsec for security researchers
Opsec for security researchersOpsec for security researchers
Opsec for security researchers
 
Trustleap - Mathematically-Proven Unbreakable Security
Trustleap - Mathematically-Proven Unbreakable SecurityTrustleap - Mathematically-Proven Unbreakable Security
Trustleap - Mathematically-Proven Unbreakable Security
 
Cyber Security in a Fully Mobile World
Cyber Security in a Fully Mobile WorldCyber Security in a Fully Mobile World
Cyber Security in a Fully Mobile World
 
Disagree with "I Agree"
Disagree with "I Agree"Disagree with "I Agree"
Disagree with "I Agree"
 
APIdays Paris 2018 - Disagree with “I Agree”. Enforcing Better GDPR Complianc...
APIdays Paris 2018 - Disagree with “I Agree”. Enforcing Better GDPR Complianc...APIdays Paris 2018 - Disagree with “I Agree”. Enforcing Better GDPR Complianc...
APIdays Paris 2018 - Disagree with “I Agree”. Enforcing Better GDPR Complianc...
 
Computer & Data Security
Computer & Data SecurityComputer & Data Security
Computer & Data Security
 
Needlesand haystacks i360-dublin
Needlesand haystacks i360-dublinNeedlesand haystacks i360-dublin
Needlesand haystacks i360-dublin
 
Care and Feeding of Healthy Computers
Care and Feeding of Healthy ComputersCare and Feeding of Healthy Computers
Care and Feeding of Healthy Computers
 
Perimeter Defense in a World Without Walls
Perimeter Defense in a World Without WallsPerimeter Defense in a World Without Walls
Perimeter Defense in a World Without Walls
 

Recently uploaded

Vishram Singh - Textbook of Anatomy Upper Limb and Thorax.. Volume 1 (1).pdf
Vishram Singh - Textbook of Anatomy Upper Limb and Thorax.. Volume 1 (1).pdfVishram Singh - Textbook of Anatomy Upper Limb and Thorax.. Volume 1 (1).pdf
Vishram Singh - Textbook of Anatomy Upper Limb and Thorax.. Volume 1 (1).pdf
ssuserdda66b
 
1029 - Danh muc Sach Giao Khoa 10 . pdf
1029 - Danh muc Sach Giao Khoa 10 . pdf1029 - Danh muc Sach Giao Khoa 10 . pdf
1029 - Danh muc Sach Giao Khoa 10 . pdf
QucHHunhnh
 
1029-Danh muc Sach Giao Khoa khoi 6.pdf
1029-Danh muc Sach Giao Khoa khoi 6.pdf1029-Danh muc Sach Giao Khoa khoi 6.pdf
1029-Danh muc Sach Giao Khoa khoi 6.pdf
QucHHunhnh
 
Activity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdfActivity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdf
ciinovamais
 

Recently uploaded (20)

Python Notes for mca i year students osmania university.docx
Python Notes for mca i year students osmania university.docxPython Notes for mca i year students osmania university.docx
Python Notes for mca i year students osmania university.docx
 
Accessible Digital Futures project (20/03/2024)
Accessible Digital Futures project (20/03/2024)Accessible Digital Futures project (20/03/2024)
Accessible Digital Futures project (20/03/2024)
 
Vishram Singh - Textbook of Anatomy Upper Limb and Thorax.. Volume 1 (1).pdf
Vishram Singh - Textbook of Anatomy Upper Limb and Thorax.. Volume 1 (1).pdfVishram Singh - Textbook of Anatomy Upper Limb and Thorax.. Volume 1 (1).pdf
Vishram Singh - Textbook of Anatomy Upper Limb and Thorax.. Volume 1 (1).pdf
 
Holdier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdfHoldier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdf
 
Food safety_Challenges food safety laboratories_.pdf
Food safety_Challenges food safety laboratories_.pdfFood safety_Challenges food safety laboratories_.pdf
Food safety_Challenges food safety laboratories_.pdf
 
Micro-Scholarship, What it is, How can it help me.pdf
Micro-Scholarship, What it is, How can it help me.pdfMicro-Scholarship, What it is, How can it help me.pdf
Micro-Scholarship, What it is, How can it help me.pdf
 
Unit-IV- Pharma. Marketing Channels.pptx
Unit-IV- Pharma. Marketing Channels.pptxUnit-IV- Pharma. Marketing Channels.pptx
Unit-IV- Pharma. Marketing Channels.pptx
 
1029 - Danh muc Sach Giao Khoa 10 . pdf
1029 - Danh muc Sach Giao Khoa 10 . pdf1029 - Danh muc Sach Giao Khoa 10 . pdf
1029 - Danh muc Sach Giao Khoa 10 . pdf
 
Sociology 101 Demonstration of Learning Exhibit
Sociology 101 Demonstration of Learning ExhibitSociology 101 Demonstration of Learning Exhibit
Sociology 101 Demonstration of Learning Exhibit
 
Key note speaker Neum_Admir Softic_ENG.pdf
Key note speaker Neum_Admir Softic_ENG.pdfKey note speaker Neum_Admir Softic_ENG.pdf
Key note speaker Neum_Admir Softic_ENG.pdf
 
Spatium Project Simulation student brief
Spatium Project Simulation student briefSpatium Project Simulation student brief
Spatium Project Simulation student brief
 
Dyslexia AI Workshop for Slideshare.pptx
Dyslexia AI Workshop for Slideshare.pptxDyslexia AI Workshop for Slideshare.pptx
Dyslexia AI Workshop for Slideshare.pptx
 
Single or Multiple melodic lines structure
Single or Multiple melodic lines structureSingle or Multiple melodic lines structure
Single or Multiple melodic lines structure
 
Graduate Outcomes Presentation Slides - English
Graduate Outcomes Presentation Slides - EnglishGraduate Outcomes Presentation Slides - English
Graduate Outcomes Presentation Slides - English
 
Unit-IV; Professional Sales Representative (PSR).pptx
Unit-IV; Professional Sales Representative (PSR).pptxUnit-IV; Professional Sales Representative (PSR).pptx
Unit-IV; Professional Sales Representative (PSR).pptx
 
ComPTIA Overview | Comptia Security+ Book SY0-701
ComPTIA Overview | Comptia Security+ Book SY0-701ComPTIA Overview | Comptia Security+ Book SY0-701
ComPTIA Overview | Comptia Security+ Book SY0-701
 
1029-Danh muc Sach Giao Khoa khoi 6.pdf
1029-Danh muc Sach Giao Khoa khoi 6.pdf1029-Danh muc Sach Giao Khoa khoi 6.pdf
1029-Danh muc Sach Giao Khoa khoi 6.pdf
 
Activity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdfActivity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdf
 
How to Manage Global Discount in Odoo 17 POS
How to Manage Global Discount in Odoo 17 POSHow to Manage Global Discount in Odoo 17 POS
How to Manage Global Discount in Odoo 17 POS
 
Basic Civil Engineering first year Notes- Chapter 4 Building.pptx
Basic Civil Engineering first year Notes- Chapter 4 Building.pptxBasic Civil Engineering first year Notes- Chapter 4 Building.pptx
Basic Civil Engineering first year Notes- Chapter 4 Building.pptx
 

Information Security, some illustrated principles

  • 1. Information security some illustrated principles
  • 7. www.facebook.net phishing
  • 8. OMG pink poniezzz trojan horses
  • 9.
  • 10.
  • 14. spam
  • 17. Entity Authentication (Identification)
  • 21. Terminology & definitions • Cryptographers and computer security people talk a different language (e.g. ‘authentication’ vs ‘authorisation’) • Integrity(Data authentication? Entity authentication?) • Availability (Denial of Service? Non-repudiation?) • Confidentiality • Trust
  • 22. Terminology & definitions • Cryptographers and computer security people talk a different language (e.g. ‘authentication’ vs ‘authorisation’) • Integrity(Data authentication? Entity authentication?) • Availability (Denial of Service? Non-repudiation?) • Confidentiality • Trust
  • 23. Terminology & definitions • Cryptographers and computer security people talk a different language (e.g. ‘authentication’ vs ‘authorisation’) • Integrity(Data authentication? Entity authentication?) • Availability (Denial of Service? Non-repudiation?) • Confidentiality • Trust
  • 24. Terminology & definitions • Cryptographers and computer security people talk a different language (e.g. ‘authentication’ vs ‘authorisation’) • Integrity(Data authentication? Entity authentication?) • Availability (Denial of Service? Non-repudiation?) • Confidentiality • Trust
  • 25. Terminology & definitions • Cryptographers and computer security people talk a different language (e.g. ‘authentication’ vs ‘authorisation’) • Integrity(Data authentication? Entity authentication?) • Availability (Denial of Service? Non-repudiation?) • Confidentiality • Trust
  • 26. Vertrouwen (trust) ➡ Dieter Gollman: “Trust is not the ➡ Based on concept that ➡ reputation unifies security, it ➡ control and is an absolute punishment mess.” ➡ policy enforcement ➡ “If it is trusted, it ➡ ... or blind can hurt you.”
  • 27. Vertrouwen (trust) ➡ Dieter Gollman: “Trust is not the ➡ Based on concept that ➡ reputation unifies security, it ➡ control and is an absolute punishment mess.” ➡ policy enforcement ➡ “If it is trusted, it ➡ ... or blind can hurt you.”
  • 28. Vertrouwen (trust) ➡ Dieter Gollman: “Trust is not the ➡ Based on concept that ➡ reputation unifies security, it ➡ control and is an absolute punishment mess.” ➡ policy enforcement ➡ “If it is trusted, it ➡ ... or blind can hurt you.”
  • 29. Vertrouwen Nieuws.be 27/11/’08 18u13: “A320 crasht in de Middellandse Zee.”
  • 30. Vertrouwen Luchtvaartnieuws.nl op 5/10/’07: “US Airways bestelt 92 Airbussen.”
  • 31. Nieuws.be: A320 Luchtvaartnieuws.nl: A350
  • 32. Vertrouwen Nieuws.be 27/11/’08 20u25: “A320 crasht in de Middellandse Zee.”
  • 33. Vertrouwen • In de praktijk: • cryptografische sleutel (bvb. encryptie) • toegangsrechten • digitale handtekeningen • “trusted computing”
  • 34. Vertrouwen • In de praktijk: • cryptografische sleutel (bvb. encryptie) • toegangsrechten • digitale handtekeningen • “trusted computing”
  • 35. Vertrouwen • In de praktijk: • cryptografische sleutel (bvb. encryptie) • toegangsrechten • digitale handtekeningen • “trusted computing”
  • 36. Vertrouwen • In de praktijk: • cryptografische sleutel (bvb. encryptie) • toegangsrechten • digitale handtekeningen • “trusted computing”
  • 37. Information Security Principles • Be clear about definitions
  • 39. Don’ts • Security and complexity do not mix
  • 40. Don’ts • Security and complexity do not mix: • operating system • network architecture • applications • mobile code • services: XML, SOAP, VoIP (through the firewall!) • always on connections (botnets!)
  • 41. Don’ts • Security and complexity do not mix: • operating system • network architecture • applications • mobile code • services: XML, SOAP, VoIP (through the firewall!) • always on connections (botnets!)
  • 42. Don’ts • Security and complexity do not mix: • operating system • network architecture • applications • mobile code • services: XML, SOAP, VoIP (through the firewall!) • always on connections (botnets!)
  • 43. Don’ts • Security and complexity do not mix: • operating system • network architecture • applications • mobile code • services: XML, SOAP, VoIP (through the firewall!) • always on connections (botnets!)
  • 44. Don’ts • Security and complexity do not mix: • operating system • network architecture • applications • mobile code • services: XML, SOAP, VoIP (through the firewall!) • always on connections (botnets!)
  • 45. Don’ts • Security and complexity do not mix: • operating system • network architecture • applications • mobile code • services: XML, SOAP, VoIP (through the firewall!) • always on connections (botnets!)
  • 46. Don’ts • Security through obscurity: • mobile phone systems: GSM in US • DVD copyright protection (DVD Jon!) • Sony rootkit • Diebold voting machines • Microsoft • Cisco router OS • physical locks • blacking out text in PDF (hack: “read out loud”)
  • 47. Don’ts • Security through obscurity: • mobile phone systems: GSM in US • DVD copyright protection (DVD Jon!) • Sony rootkit • Diebold voting machines • Microsoft • Cisco router OS • physical locks • blacking out text in PDF (hack: “read out loud”)
  • 48. Don’ts • Security through obscurity: • mobile phone systems: GSM in US • DVD copyright protection (DVD Jon!) • Sony rootkit • Diebold voting machines • Microsoft • Cisco router OS • physical locks • blacking out text in PDF (hack: “read out loud”)
  • 49. Don’ts • Security through obscurity: • mobile phone systems: GSM in US • DVD copyright protection (DVD Jon!) • Sony rootkit • Diebold voting machines • Microsoft • Cisco router OS • physical locks • blacking out text in PDF (hack: “read out loud”)
  • 50. Don’ts • Security through obscurity: • mobile phone systems: GSM in US • DVD copyright protection (DVD Jon!) • Sony rootkit • Diebold voting machines • Microsoft • Cisco router OS • physical locks • blacking out text in PDF (hack: “read out loud”)
  • 51. Don’ts • Security through obscurity: • mobile phone systems: GSM in US • DVD copyright protection (DVD Jon!) • Sony rootkit • Diebold voting machines • Microsoft • Cisco router OS • physical locks • blacking out text in PDF (hack: “read out loud”)
  • 52. Don’ts • Security through obscurity: • mobile phone systems: GSM in US • DVD copyright protection (DVD Jon!) • Sony rootkit • Diebold voting machines • Microsoft • Cisco router OS • physical locks • blacking out text in PDF (hack: “read out loud”)
  • 53. Don’ts • Security through obscurity: • mobile phone systems: GSM in US • DVD copyright protection (DVD Jon!) • Sony rootkit • Diebold voting machines • Microsoft • Cisco router OS • physical locks • blacking out text in PDF (hack: “read out loud”)
  • 54. Don’ts • Risk avoidance: • accept the risk • reduce risk with technology • reduce risk with procedures • reduce risk with insurance • reduce risk with disclaimers • transfer the risk (e.g.: from data to key)
  • 55. Don’ts • Risk avoidance: • accept the risk • reduce risk with technology • reduce risk with procedures • reduce risk with insurance • reduce risk with disclaimers • transfer the risk (e.g.: from data to key)
  • 56. Don’ts • Risk avoidance: • accept the risk • reduce risk with technology • reduce risk with procedures • reduce risk with insurance • reduce risk with disclaimers • transfer the risk (e.g.: from data to key)
  • 57. Don’ts • Risk avoidance: • accept the risk • reduce risk with technology • reduce risk with procedures • reduce risk with insurance • reduce risk with disclaimers • transfer the risk (e.g.: from data to key)
  • 58. Don’ts • Risk avoidance: • accept the risk • reduce risk with technology • reduce risk with procedures • reduce risk with insurance • reduce risk with disclaimers • transfer the risk (e.g.: from data to key)
  • 59. Don’ts • Risk avoidance: • accept the risk • reduce risk with technology • reduce risk with procedures • reduce risk with insurance • reduce risk with disclaimers • transfer the risk (e.g.: from data to key)
  • 60. Don’ts • Security is not forever: • Cryptography: • 1958 vs now : peanuts • now vs 2058 : ? • Advances in: • reverse engineering • side channel attacks
  • 61. Don’ts • Security is not forever: • Cryptography: • 1958 vs now : peanuts • now vs 2058 : ? • Advances in: • reverse engineering • side channel attacks
  • 62. Don’ts • Security and complexity don’t mix • Security through obscurity does not work • 100% security doesn’t exist • Security is not forever
  • 64. Assumptions • Clearly state the assumptions behind the system. • Code re-use can be dangerous: design assumptions might no longer be valid!
  • 65. Assumptions • GSM: • encryption until the base station • no need to authenticate the network (in Soviet mobile nation, network authenticates YOU!)
  • 66. Assumptions • e-ID: • PIN code is kept secret by the user
  • 67. Assumptions • RFID: • opponent cannot eavesdrop > 1 meter
  • 68. Do’s • Clearly state the assumptions behind the system. • Need for integrated approach
  • 70. Do’s • Clearly state the assumptions behind the system. • Need for integrated approach • Find the right mix of technology and law
  • 71. “Gentlemen don’t go in through the exit”
  • 74. Spam
  • 75. Legislation • Electronic Signatures • Data retention • Eavesdropping • Computer Crime
  • 76. Legislation • Electronic Signatures • Data retention • Eavesdropping • Computer Crime
  • 77. Legislation • Electronic Signatures • Data retention • Eavesdropping • Computer Crime
  • 78. Legislation • Electronic Signatures • Data retention • Eavesdropping • Computer Crime
  • 79. Do’s • Clearly state the assumptions behind the system. • Need for integrated approach • Find the right mix of technology and law • Need for secure implementations
  • 80. Secure implementations • “Nothing is more practical than a good theory” • “Theory is important, at least in theory”
  • 81. Secure implementations • Consider: • Secure software/hardware (orlly?) • Side channel attacks • Buffer overflows • API errors • Random number generators • Model vs reality
  • 84. Challenges • Always room at the bottom: • RFID • Sensor networks • Smartphones
  • 85. Challenges • Always room at the bottom • Human Factors: • usability (“This certificate is invalid.” - “OK”) • social engineering
  • 86. Challenges • Always room at the bottom • Human Factors • It’s the economy, stupid!
  • 87. Challenges • It’s the economy, stupid! • “No gain, no pain” • Examples: • Software (no liability) • Credit cards in France
  • 89. 1. Did you _really_ implement secure software?
  • 90. 2. Do you trust your news service(s)?
  • 91. 3. Do you use Facebook’s privacy features?
  • 92. 4. Do you respect someone else’s privacy on Facebook?
  • 93. 5. Do you care?
  • 96. Credits • Introduction to security and course overview, prof. dr. ir. Bart Preneel, Intensive Program on Information and Communication Security, July 2006 • Google Images (most of the images) • Sigridschrijft.be / Sony (Terminator 4 poster)