Administrivia
          Setting the stage...
                Case studies




Introduction to Information and System
                Security
              First lecture

                  Hugh Anderson

            National University of Singapore
                 School of Computing


                       June, 2012



        Hugh Anderson        Introduction to Information and System Security First lecture
                                                                                       1
Isolation...


Outline

  1   Administrivia
        Coordinates, officialdom, assessment
        What you’ll be learning
        Why should you learn?

  2   Setting the stage...
        In the news earlier this year...
        Context for security studies

  3   Case studies
        Airports, banks, the military, hospitals, homes
        Term definitions




Hugh’s coordinates



             Room                  COM2 #03-24
             Telephone             6516-4262
             E-mail                hugh@comp.nus.edu.sg

  Open-door policy (I have one!)
  Please call me Hugh, and visit me in my room if you have any
  questions...






Official SOC description



  From the official course description...
  This module serves as an introductory module on information and computer
  system security. It illustrates the fundamentals of how systems fail due to
  malicious activities and how they can be protected. The module also places
  emphasis on the practices of secure programming and implementation.
  Topics covered include classical/historical ciphers, introduction to modern
  ciphers and cryptosystems, ethical, legal and organisational aspects, classic
  examples of direct attacks on computer systems such as input validation
  vulnerability, examples of other forms of attack such as social
  engineering/phishing attacks, and the practice of secure programming.






Assessment



  Assessment                                                                       Grade
  Homework                                                                           15%
  Group project                                                                      20%
  Tests               MCQ (Closed book - on the 9th July)                            15%
  Final Exam          Open Book                                                      50%
  Total marks                                                                       100%




Timetable

  Lectures, tutorials and project...


                   June            July
                    18      25      2      9       16        23
       Lectures

       Tutorials
       Project

                                                                EXAM
                                                        (Fri, 27th, a.m.)




      Project will be a group one (up to 4 members in each group), with a
      presentation in the last week.


Tutorials




  Tutorials/demos/discussions start next week...
      Give a written answer to the homework as you enter the tutorial room
      for assessment (A,B,C or F)
      There will be four assessed homework/assignments.






Resources



 Resources
    No textbook, but you may find the following texts useful:
         Ross Anderson’s “Security Engineering” book:
         http://www.cl.cam.ac.uk/~rja14/musicfiles/manuscripts/SEv1.pdf
         Computer Security, Matt Bishop
    Directed readings - all available on the Internet.
    IVLE at http://ivle.nus.edu.sg/






General area of the course topics




  In short...
      History and background
      Classical and modern cryptography
      Security of systems
      Building safer systems - secure programming techniques for programs,
      web sites...




What you should learn...



  What you are expected to know...
      To be able to put security systems in context.
           For example: history, understanding of the “big picture”.
      To describe “security related” things using some technical terms.
           For example: keysize, PK, man-in-the-middle.
      To understand the roles of the components of security systems,
      understanding the underlying reasons for their properties.
           For example: certifying authorities.
      To acquire some practical skills that would help in programming more
      secure computer systems.
Why should you learn...



  ...and why should you care?
      Reason #1: Pick up these skills and pass the final exam :)
      Reason #2: It is fun in a kind of “You did what?” way.
      Reason #3: Knowing the issues, and underlying mechanisms, helps you
           ... build better systems in future.
           ... explain to the person on the helpdesk why their system is
           flawed, and what needs to be done to fix it.
           ... avoid being the victim of (computer) fraud.
           ... realistically assess threats to you, your organization, your
           country.
           ... fly with the eagles.


My expectation...



  Please, please, please....
      Attend classes and tutorials
      Ask if you don’t know
      Read references and handouts...
      Get interested in the subject
      Don't do anything you know is plain wrong...




DBS/POSB attacks

 Big news last week...


And a few days later...
  Tracked down...




DBS/POSB attacks

 How was it done?
    Through the use of card skimmers on two machines in Bugis.
    Card skimming involves trying to collect your card details from the
    magnetic strip:
DBS/POSB attacks


 Card skimmers




    Magnetic strip read as it passes through the capture “shell”.
    The electronics includes a magnetic strip reader head, a small amount
    of electronics, a battery, a microcomputer and storage (an SD card).
DBS/POSB attacks

 Getting the PIN?




     Either
          a small (pinhole) camera looking down on the keypad, with an SD
          card memory, or
          an overlay over the keyboard, with a small microcomputer and
          memory.
Installing a skimmer...
More things to worry about:
NUS attacks


  News in January...


NUS attacks


  What was done?
     Firstly - it was not NUS, but a departmental web server at NUS that was
     hacked.
     The hackers got irritated by a message on the web site, and made it a
     mission to hack it.
     They reported that the web site had minimal security.
     The attack was a SQL injection attack, which allowed them to download
     usercode/password hash entries stored in the SQL database attached
     to the web server.
     The passwords were not NUSNET ones, but ones specifically for the
     application on the departmental server.
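As an added illustration of the attack named above (example code written for this page, not code from the lecture or from the departmental server), here is a lookup that builds its SQL by string concatenation beside the parameterized form. A crafted usercode makes the first version return every row, hashes included, while the second treats the same input as a plain value and returns nothing. The user table, usercodes and passwords are constructed for the demo; the stored values are salted PBKDF2 hashes, which is why what leaks is a hash rather than a password.

```python
"""Added example (not from the lecture): a string-built SQL query beside its
parameterized form, run against an in-memory SQLite user table that stores
salted password hashes (as the departmental server in the slide did)."""
import hashlib
import hmac
import os
import sqlite3

ITERATIONS = 100_000  # PBKDF2 work factor chosen for the demo


def make_db() -> sqlite3.Connection:
    """Constructed sample table: the usercodes and passwords are invented."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (usercode TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    for usercode, password in [("alice", "correct horse"), ("bob", "battery staple")]:
        salt = os.urandom(16)
        pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
        conn.execute("INSERT INTO users VALUES (?, ?, ?)", (usercode, salt, pw_hash))
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, usercode: str) -> list:
    """Concatenates the input into the SQL text, so the input can change the query."""
    sql = "SELECT usercode, pw_hash FROM users WHERE usercode = '" + usercode + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, usercode: str) -> list:
    """Binds the input as a parameter: it is compared as a value, never parsed as SQL."""
    sql = "SELECT usercode, pw_hash FROM users WHERE usercode = ?"
    return conn.execute(sql, (usercode,)).fetchall()


def verify_password(conn: sqlite3.Connection, usercode: str, password: str) -> bool:
    """Recomputes the salted hash for the claimed user and compares in constant time."""
    row = conn.execute("SELECT salt, pw_hash FROM users WHERE usercode = ?", (usercode,)).fetchone()
    if row is None:
        return False
    salt, stored = row
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, stored)


# The textbook tautology input: it closes the quote and adds an always-true clause.
INJECTED_USERCODE = "x' OR '1'='1"


def demo() -> dict:
    """Runs both lookups on the same input and reports how many rows each returns."""
    conn = make_db()
    leaked = lookup_vulnerable(conn, INJECTED_USERCODE)
    return {
        "vulnerable_rows": len(leaked),                          # 2: the whole table
        "safe_rows": len(lookup_safe(conn, INJECTED_USERCODE)),  # 0: no such usercode
        # what the vulnerable query leaks is a 32-byte hash, not the password
        "leaked_is_hash": all(h != b"correct horse" and len(h) == 32 for _, h in leaked),
        "login_ok": verify_password(conn, "alice", "correct horse"),
        "login_bad": verify_password(conn, "alice", "wrong"),
    }


if __name__ == "__main__":
    print(demo())
```

The fix is the one-line change from concatenation to a bound parameter; the salted, iterated hash is the second line of defence the slide's "passwords versus password hashes" point refers to, since a leaked hash still has to be cracked rather than simply reused.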






Key points/jargon




  Summary:
     Card skimmers
     SQL injection
     Keystroke logging using cameras, or keypad overlays
     Passwords versus password hashes






Hard to find the boundaries of “Security”

  It is not "one thing"...
      Security is complex:
           Security can involve elements such as computers, people, locks,
           communication links and so on.
           The goals of security might involve authentication, integrity,
           accountability, and so on.
           A security system may involve an arbitrary combination of these
           elements and goals.
      Security is everyone’s poor relation...
           not perceived as a benefit until something goes wrong
           requires regular monitoring
           too often an after-thought
           regarded as impediment to using system



Framework to hang our understanding on...

  Ross Anderson’s book suggests this framework:




  Differentiate between security policies and mechanisms
  policy: what is allowed/disallowed. What you are supposed to do.
  mechanism: ways of enforcing a policy. Ciphers, controls...
  assurance: how much reliance you place on each mechanism.
  incentives: motives of the people guarding and maintaining the system, and
  the attackers.
A quick quiz...

  Which of these two vehicles has a door lock?




        Value SING$ 20,000      Value SING$ 350,000,000



      Answer?


Airport security - 2001 attacks and afterwards

  Consider the 9/11 attacks...
      There was actually not any failure of the security systems in place at the
      time:
           Knives with blades less than 3 inches were OK in 2001.
           A failure of policy, not mechanism.
      Since 9/11? Still poor policy choices:
           passenger screening is aggressive and costly, (approx $15 billion),
           whereas strongly reinforced cockpit doors could remove most risk
           (est $100 million).
           Ground staff are seldom screened, planes do not have locks.
      Why such poor policy choices?
           Incentives for policy makers favour visible controls over effective
           ones.
      Assurance? System screening picks up less than half the weapons.



Bank security
  Policy in banks: "The bank never loses!"
      Mechanism: banks maintain a kind of distributed bookkeeping system.
            Customer accounts, and (daily) transactions.
      Internal:
            Main threats to banks are internal - their own staff.
            Main defenses are double-entry bookkeeping (first described in
            the 15th century), controls on large transactions, and staff
            being required to take vacations.
      External:
            Buildings built to look imposing, but just a facade - “security
            theatre” - (a thief with a gun wins). ATMs (as we have seen) are
            susceptible to attacks.
            Bank websites use a mix of techniques - 2-factor authentication,
            HTTPS. Phishing attempts to bypass this by attacking clients.
            Cryptography for communication.



Military security


  In all sorts of areas...
      Electronic warfare and defense - jamming of radar, so opponent cannot
      see your planes; jamming trigger systems for IEDs.
      Military communications - not just encryption, but also hiding the source
      (the location of a transmitter can be attacked, so the military use LPI -
      low probability of intercept - radio links).
      Military logistics - who can mobilize 10,000 people and 30,000 meals in
      a day? Management systems for the military have different
      requirements from commercial systems - basic rule is that restricted
      information cannot flow to an unrestricted area.
      Weapons control (eg nuclear weapons) need much higher levels of
      assurance than (say) commercial areas.






Hospital security


  Policies mostly to ensure patient safety and privacy
      Consider patient record systems:
           A mechanism might be that “Nurses can see the patient record for
           patients cared for in their own department over the last 90 days”.
           However, this might be tricky to implement given that nurses can
           move departments - the patient record system would become
           dependent on the hospital personnel system.
           Record anonymizing for research can be tricky. Consider the next
           slide on database attacks.
      A requirement for accuracy of web based data (reference texts, drug
      side effects).
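The nurse rule above is a good place to see why the dependency on the personnel system matters, so here is an access check for it as an added example (written for this page, not code from the lecture or any hospital system). It keeps the nurse's postings and the patient contacts as two separate records, and exposes the ambiguity in the rule's wording: "own department" can mean the department the nurse is in today or the one she was in on the day of care, and a nurse who has just moved gets a different answer under each reading. Nurse, patient, department and date values are constructed.

```python
"""Added example (not from the lecture): an access check for the slide's rule
"nurses can see records of patients cared for in their own department over the
last 90 days", written so the dependency on the personnel system is explicit.
Names, departments and dates are constructed for the demo."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class Assignment:
    """A nurse's posting, as the hospital personnel system would record it."""
    nurse: str
    department: str
    start: date
    end: Optional[date]  # None means the posting is still current


@dataclass(frozen=True)
class CareEpisode:
    """A patient contact, as the patient record system would record it."""
    patient: str
    department: str
    on: date


def department_of(nurse: str, when: date, assignments) -> Optional[str]:
    """The nurse's department on a given day: this lookup is the personnel-system dependency."""
    for a in assignments:
        if a.nurse == nurse and a.start <= when and (a.end is None or when <= a.end):
            return a.department
    return None


def nurse_can_view(nurse, patient, today, assignments, episodes,
                   window_days=90, own_department="now"):
    """True if some episode for the patient inside the window was in the nurse's department.

    own_department="now"  : the nurse's department today (strict reading)
    own_department="then" : the nurse's department on the day of care (lenient reading)
    The slide's sentence does not say which; the choice changes the answer below.
    """
    cutoff = today - timedelta(days=window_days)
    for ep in episodes:
        if ep.patient != patient or not (cutoff <= ep.on <= today):
            continue
        when = today if own_department == "now" else ep.on
        if department_of(nurse, when, assignments) == ep.department:
            return True
    return False


# Constructed data: nurse N1 moved from Cardiology to Oncology on 11 June 2012.
ASSIGNMENTS = [
    Assignment("N1", "Cardiology", date(2012, 1, 1), date(2012, 6, 10)),
    Assignment("N1", "Oncology", date(2012, 6, 11), None),
]
EPISODES = [
    CareEpisode("P1", "Cardiology", date(2012, 6, 1)),   # before the move
    CareEpisode("P2", "Oncology", date(2012, 6, 15)),    # after the move
    CareEpisode("P3", "Oncology", date(2012, 2, 1)),     # outside the 90-day window
]
TODAY = date(2012, 6, 20)


def decisions(reading="now") -> dict:
    """Access decisions for N1 on each patient under one reading of the rule."""
    return {p: nurse_can_view("N1", p, TODAY, ASSIGNMENTS, EPISODES, own_department=reading)
            for p in ("P1", "P2", "P3")}


if __name__ == "__main__":
    print("now :", decisions("now"))    # P1 False, P2 True, P3 False
    print("then:", decisions("then"))   # P1 True,  P2 True, P3 False
```

Whichever reading the hospital picks, the check cannot be evaluated from the patient record alone: a stale copy of the postings table, or a personnel system that overwrites history instead of closing a posting with an end date, silently changes who can read what.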




During the SARS outbreak...
  Releasing (unexpected) information from databases
      Day’s average temperature of SOC staff by nationality:

      Singaporean   PRC    Poland   German   Australian   NZ      ....

         36.8       36.9    37.1     36.5      38.2       38.1    ....




      Numbers of SOC staff by nationality...

      Singaporean    PRC   Poland   German   Australian   NZ     ....

           23         14      3        5          2        1     ....




  By inference you can deduce that Hugh’s temperature was too
  high!
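The punchline works because one group has a single member, so its "average" is that person's reading. As an added example (written for this page, not from the lecture), the code below takes the six nationality columns the slide shows, finds the groups too small to publish, suppresses them, and then shows the attacker's side: if the overall mean is also published, a single suppressed cell can be recovered by subtraction, so the suppression has to cover at least two cells. The trailing "...." columns of the slide are left out, and the threshold k is a parameter chosen here.

```python
"""Added example (not from the lecture): the inference on the SARS slide and
the counter-measure. The table is constructed from the six nationality columns
the slide shows; the trailing "...." columns are omitted."""

# (average temperature in degrees C, number of staff) per nationality
TABLE = {
    "Singaporean": (36.8, 23), "PRC": (36.9, 14), "Poland": (37.1, 3),
    "German": (36.5, 5), "Australian": (38.2, 2), "NZ": (38.1, 1),
}


def overall(table):
    """Overall mean temperature and head count, as a second statistic might be published."""
    total = sum(avg * n for avg, n in table.values())
    count = sum(n for _, n in table.values())
    return total / count, count


def small_groups(table, k=3):
    """Groups with fewer than k members. An average over one person is that person's
    value, and over two, each member can work out the other's."""
    return sorted(name for name, (_, n) in table.items() if n < k)


def release(table, k=3):
    """Suppress the average of every group below the threshold; counts stay visible."""
    return {name: (None if n < k else avg, n) for name, (avg, n) in table.items()}


def recover_suppressed(released, mean, count):
    """Attacker's view: with the overall mean published, a single suppressed cell is
    recoverable by subtraction (complementary disclosure). Two or more are not."""
    missing = [name for name, (avg, _) in released.items() if avg is None]
    if len(missing) != 1:
        return None
    known = sum(avg * n for avg, n in released.values() if avg is not None)
    name = missing[0]
    n = released[name][1]
    return name, round((mean * count - known) / n, 1)


def demo() -> dict:
    """Suppression with k=2 hides only NZ and is undone by the overall mean;
    k=3 hides two cells and leaves one equation with two unknowns."""
    mean, count = overall(TABLE)
    one_cell = release(TABLE, k=2)   # hides only NZ (1 member)
    two_cells = release(TABLE, k=3)  # hides NZ and Australian
    return {
        "small_k3": small_groups(TABLE, 3),
        "recovered_from_k2": recover_suppressed(one_cell, mean, count),   # ("NZ", 38.1)
        "recovered_from_k3": recover_suppressed(two_cells, mean, count),  # None
    }


if __name__ == "__main__":
    print(demo())
```

The same subtraction works against any published marginal (a departmental mean, a total), which is why statistical disclosure control treats every released aggregate as part of one system rather than checking each table on its own.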


Home security



  Really? Consider...
      Web-based banking, over your home wifi.
      Your car key/immobilizer.
      Your (GSM) phone (much harder to clone now than it was five years
      ago). No unexpected charges.
      Your TV set-top box, electronic gas/electricity meter and so on.
      In some Condos, burglar alarm, lock and security systems.






Key points/jargon




  Summary:
     Policy, mechanism, assurance and incentives
     Controls, visible and effective controls, security theatre
     2-factor authentication, HTTPS, Phishing
     Database attacks






What is a system?

  It can vary...
    1   Product or component: such as a smartcard, a PC, or a
        communication protocol.
    2   Collection: some products/components, and an OS, network, making
        up an organization’s infrastructure.
    3   Application: the above and some set of applications.
    4   Composite: the above and IT staff, and perhaps users, management,
        clients, customers...
  A system can thus refer to small things or big things. This indeterminacy
  about even basic words leads to confusion, and errors.
  Salespeople might concentrate their efforts on (say) the first two areas,
  whereas a business may think of its system in terms of the fourth area.





Services/Goals, Attacks and Threats



  Basic terms:
     Vulnerability/Threats: If there is a weakness (vulnerability), then a
     potentially harmful situation (threat) may occur.
     Services/Goals: ensuring adequate service in a computer system
          CIA! Good guys need ’em.
     Attacks/Controls: An attack=threat+vulnerability. A control is a way of
     reducing the effect of a vulnerability.
          MOM! Bad guys need ’em.




The CIA triad...

  FIPS specify three objectives/goals:




      confidentiality: concealing information - resources may only be
      accessed by authorized parties;
      integrity: trustworthiness of data - resources may only be modified by
      authorized parties in authorized ways;
      availability: preventing DOS/denial-of-service - resources are
      accessible in a timely manner.
The CIAAA gang-of-five...


  Many observers identify more...




      Authenticity: logins, password checks
      Accountability: non-repudiation of a prior commitment


Services/Goals, Real world analogues: CIA

                       (Computer versions much faster)


  Security problems in society reoccur in computers
      Confidentiality = locks/encoding/secrecy/privacy.
      Integrity = handshakes/signature
      Availability = Union go-slows...


  But...
      The goals can conflict... (Consider ease of confidentiality versus lack of
      availability)
      The goals may not be met... (Consider password length versus human
      memory)




Attacks: MOM!



  Three aspects of attacks:
       Method: tools, knowledge;
       Opportunity: time, access;
       Motive: what advantage is there?

  An important basic principle for attacks:
       The weakest link: An attacker only needs one small flaw in a system.






Types of threats




  Threats
     disclosure: unauthorized access (snooping/interception);
     deception: accept false data (man-in-the-middle/modification);
     disruption: prevent correct operation (denial-of-service/interruption);
     usurpation: unauthorized control (spoofing/fabrication).
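To tie the four threat types to the CIA goals, here is a toy Alice/Bob channel as an added example (written for this page, not from the lecture). Ted sits on the link and plays each attack in turn; Bob checks what arrives with a message authentication code (HMAC over a shared key). The point it makes is which attacks a MAC catches: modification and fabrication are rejected (integrity, authenticity), while snooping goes through undetected (confidentiality needs encryption) and interruption simply leaves Bob with nothing (availability). The shared key and the message are constructed for the demo.

```python
"""Added example (not from the lecture): a toy Alice/Bob channel on which Ted
plays each of the four attack types, with Bob checking an HMAC tag. Shows which
attacks a MAC detects and which it cannot. Key and message are constructed."""
import hashlib
import hmac

SHARED_KEY = b"constructed-demo-key"  # assumption: Alice and Bob already share this
MESSAGE = b"Pay Bob 100"


def alice_send(msg: bytes) -> bytes:
    """Alice appends a hex HMAC tag so Bob can check integrity and origin."""
    tag = hmac.new(SHARED_KEY, msg, hashlib.sha256).hexdigest().encode()
    return msg + b"|" + tag


def bob_receive(frame):
    """Bob recomputes the tag; a mismatch means modification or fabrication."""
    if frame is None:
        return ("interrupted", None)  # nothing arrived: denial of service
    msg, sep, tag = frame.rpartition(b"|")
    if not sep:
        return ("rejected", None)
    expected = hmac.new(SHARED_KEY, msg, hashlib.sha256).hexdigest().encode()
    if hmac.compare_digest(tag, expected):
        return ("accepted", msg)
    return ("rejected", None)


def ted(attack: str, frame: bytes):
    """Ted on the link. Returns (what Bob receives, what Ted learned)."""
    if attack == "snooping":        # disclosure: reads and forwards unchanged
        return frame, frame.rpartition(b"|")[0]
    if attack == "modification":    # deception: changes the payee, cannot fix the tag (no key)
        msg, _, tag = frame.rpartition(b"|")
        return msg.replace(b"Bob", b"Ted") + b"|" + tag, msg
    if attack == "interruption":    # disruption: drops the frame
        return None, None
    if attack == "fabrication":     # usurpation: invents a frame with a guessed tag
        return b"Pay Ted 100|" + b"00" * 32, None
    return frame, None              # no attack


def run(attack: str):
    """One exchange under the named attack: (Bob's verdict, what Ted learned)."""
    frame = alice_send(MESSAGE)
    delivered, learned = ted(attack, frame)
    return bob_receive(delivered), learned


if __name__ == "__main__":
    for attack in ("none", "snooping", "modification", "interruption", "fabrication"):
        print(f"{attack:13s} -> {run(attack)}")
```

The MAC alone covers the middle two rows of the threat list; pairing it with encryption addresses snooping, and nothing on the message itself addresses interruption, which is handled by redundancy and rate limiting at a different layer.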






Types of attacks

  Snooping/Interception



         (diagram: Alice, Bob, Ted)






Types of attacks

  Man-in-the-middle/Modification


         (diagram: Alice, Bob, Ted)






Types of attacks

  Denial of Service/Interruption



          (diagram: Alice, Bob, Ted)






Types of attacks

  Spoofing/Fabrication



         (diagram: Alice, Bob, Ted)






Types of attacks

  And persuasion
     human factors and social engineering:





Study on Cyber Security:Establishing a Sustainable Cyber Security Framework f...
 
Managing Next Generation Threats to Cyber Security
Managing Next Generation Threats to Cyber SecurityManaging Next Generation Threats to Cyber Security
Managing Next Generation Threats to Cyber Security
 
CyberSecurity - Linda Sharp
CyberSecurity - Linda SharpCyberSecurity - Linda Sharp
CyberSecurity - Linda Sharp
 
Cybersecurity career options & Getting started
Cybersecurity career options & Getting started  Cybersecurity career options & Getting started
Cybersecurity career options & Getting started
 
Visual reasoning
Visual reasoningVisual reasoning
Visual reasoning
 
CLASS 2018 - Palestra de Denis Prado (Security Intelligence Sales Leader Lati...
CLASS 2018 - Palestra de Denis Prado (Security Intelligence Sales Leader Lati...CLASS 2018 - Palestra de Denis Prado (Security Intelligence Sales Leader Lati...
CLASS 2018 - Palestra de Denis Prado (Security Intelligence Sales Leader Lati...
 
Enterprise incident response 2017
Enterprise incident response   2017Enterprise incident response   2017
Enterprise incident response 2017
 
Topic 8 expert system
Topic 8 expert systemTopic 8 expert system
Topic 8 expert system
 
Preparing for a New Career in Cyber - Pulsedive
Preparing for a New Career in Cyber - PulsedivePreparing for a New Career in Cyber - Pulsedive
Preparing for a New Career in Cyber - Pulsedive
 
Slide Deck – Class Session 1 – FRSecure CISSP Mentor Program
Slide Deck – Class Session 1 – FRSecure CISSP Mentor ProgramSlide Deck – Class Session 1 – FRSecure CISSP Mentor Program
Slide Deck – Class Session 1 – FRSecure CISSP Mentor Program
 
Statistical Machine Learning from Data - Introduction to ...
Statistical Machine Learning from Data - Introduction to ...Statistical Machine Learning from Data - Introduction to ...
Statistical Machine Learning from Data - Introduction to ...
 

Recently uploaded

BÀI TẬP BỔ TRỢ TIẾNG ANH 8 - I-LEARN SMART WORLD - CẢ NĂM - CÓ FILE NGHE (BẢN...
BÀI TẬP BỔ TRỢ TIẾNG ANH 8 - I-LEARN SMART WORLD - CẢ NĂM - CÓ FILE NGHE (BẢN...BÀI TẬP BỔ TRỢ TIẾNG ANH 8 - I-LEARN SMART WORLD - CẢ NĂM - CÓ FILE NGHE (BẢN...
BÀI TẬP BỔ TRỢ TIẾNG ANH 8 - I-LEARN SMART WORLD - CẢ NĂM - CÓ FILE NGHE (BẢN...Nguyen Thanh Tu Collection
 
Beauty Amidst the Bytes_ Unearthing Unexpected Advantages of the Digital Wast...
Beauty Amidst the Bytes_ Unearthing Unexpected Advantages of the Digital Wast...Beauty Amidst the Bytes_ Unearthing Unexpected Advantages of the Digital Wast...
Beauty Amidst the Bytes_ Unearthing Unexpected Advantages of the Digital Wast...DhatriParmar
 
Team Lead Succeed – Helping you and your team achieve high-performance teamwo...
Team Lead Succeed – Helping you and your team achieve high-performance teamwo...Team Lead Succeed – Helping you and your team achieve high-performance teamwo...
Team Lead Succeed – Helping you and your team achieve high-performance teamwo...Association for Project Management
 
Mythology Quiz-4th April 2024, Quiz Club NITW
Mythology Quiz-4th April 2024, Quiz Club NITWMythology Quiz-4th April 2024, Quiz Club NITW
Mythology Quiz-4th April 2024, Quiz Club NITWQuiz Club NITW
 
The Emergence of Legislative Behavior in the Colombian Congress
The Emergence of Legislative Behavior in the Colombian CongressThe Emergence of Legislative Behavior in the Colombian Congress
The Emergence of Legislative Behavior in the Colombian CongressMaria Paula Aroca
 
Employablity presentation and Future Career Plan.pptx
Employablity presentation and Future Career Plan.pptxEmployablity presentation and Future Career Plan.pptx
Employablity presentation and Future Career Plan.pptxryandux83rd
 
An Overview of the Calendar App in Odoo 17 ERP
An Overview of the Calendar App in Odoo 17 ERPAn Overview of the Calendar App in Odoo 17 ERP
An Overview of the Calendar App in Odoo 17 ERPCeline George
 
Shark introduction Morphology and its behaviour characteristics
Shark introduction Morphology and its behaviour characteristicsShark introduction Morphology and its behaviour characteristics
Shark introduction Morphology and its behaviour characteristicsArubSultan
 
ICS 2208 Lecture Slide Notes for Topic 6
ICS 2208 Lecture Slide Notes for Topic 6ICS 2208 Lecture Slide Notes for Topic 6
ICS 2208 Lecture Slide Notes for Topic 6Vanessa Camilleri
 
CHUYÊN ĐỀ ÔN THEO CÂU CHO HỌC SINH LỚP 12 ĐỂ ĐẠT ĐIỂM 5+ THI TỐT NGHIỆP THPT ...
CHUYÊN ĐỀ ÔN THEO CÂU CHO HỌC SINH LỚP 12 ĐỂ ĐẠT ĐIỂM 5+ THI TỐT NGHIỆP THPT ...CHUYÊN ĐỀ ÔN THEO CÂU CHO HỌC SINH LỚP 12 ĐỂ ĐẠT ĐIỂM 5+ THI TỐT NGHIỆP THPT ...
CHUYÊN ĐỀ ÔN THEO CÂU CHO HỌC SINH LỚP 12 ĐỂ ĐẠT ĐIỂM 5+ THI TỐT NGHIỆP THPT ...Nguyen Thanh Tu Collection
 
Q-Factor General Quiz-7th April 2024, Quiz Club NITW
Q-Factor General Quiz-7th April 2024, Quiz Club NITWQ-Factor General Quiz-7th April 2024, Quiz Club NITW
Q-Factor General Quiz-7th April 2024, Quiz Club NITWQuiz Club NITW
 
BÀI TẬP BỔ TRỢ TIẾNG ANH 11 THEO ĐƠN VỊ BÀI HỌC - CẢ NĂM - CÓ FILE NGHE (GLOB...
BÀI TẬP BỔ TRỢ TIẾNG ANH 11 THEO ĐƠN VỊ BÀI HỌC - CẢ NĂM - CÓ FILE NGHE (GLOB...BÀI TẬP BỔ TRỢ TIẾNG ANH 11 THEO ĐƠN VỊ BÀI HỌC - CẢ NĂM - CÓ FILE NGHE (GLOB...
BÀI TẬP BỔ TRỢ TIẾNG ANH 11 THEO ĐƠN VỊ BÀI HỌC - CẢ NĂM - CÓ FILE NGHE (GLOB...Nguyen Thanh Tu Collection
 
DBMSArchitecture_QueryProcessingandOptimization.pdf
DBMSArchitecture_QueryProcessingandOptimization.pdfDBMSArchitecture_QueryProcessingandOptimization.pdf
DBMSArchitecture_QueryProcessingandOptimization.pdfChristalin Nelson
 
The role of Geography in climate education: science and active citizenship
The role of Geography in climate education: science and active citizenshipThe role of Geography in climate education: science and active citizenship
The role of Geography in climate education: science and active citizenshipKarl Donert
 
Tree View Decoration Attribute in the Odoo 17
Tree View Decoration Attribute in the Odoo 17Tree View Decoration Attribute in the Odoo 17
Tree View Decoration Attribute in the Odoo 17Celine George
 
How to Manage Buy 3 Get 1 Free in Odoo 17
How to Manage Buy 3 Get 1 Free in Odoo 17How to Manage Buy 3 Get 1 Free in Odoo 17
How to Manage Buy 3 Get 1 Free in Odoo 17Celine George
 
Unraveling Hypertext_ Analyzing Postmodern Elements in Literature.pptx
Unraveling Hypertext_ Analyzing  Postmodern Elements in  Literature.pptxUnraveling Hypertext_ Analyzing  Postmodern Elements in  Literature.pptx
Unraveling Hypertext_ Analyzing Postmodern Elements in Literature.pptxDhatriParmar
 
Congestive Cardiac Failure..presentation
Congestive Cardiac Failure..presentationCongestive Cardiac Failure..presentation
Congestive Cardiac Failure..presentationdeepaannamalai16
 
4.9.24 School Desegregation in Boston.pptx
4.9.24 School Desegregation in Boston.pptx4.9.24 School Desegregation in Boston.pptx
4.9.24 School Desegregation in Boston.pptxmary850239
 

Recently uploaded (20)

BÀI TẬP BỔ TRỢ TIẾNG ANH 8 - I-LEARN SMART WORLD - CẢ NĂM - CÓ FILE NGHE (BẢN...
BÀI TẬP BỔ TRỢ TIẾNG ANH 8 - I-LEARN SMART WORLD - CẢ NĂM - CÓ FILE NGHE (BẢN...BÀI TẬP BỔ TRỢ TIẾNG ANH 8 - I-LEARN SMART WORLD - CẢ NĂM - CÓ FILE NGHE (BẢN...
BÀI TẬP BỔ TRỢ TIẾNG ANH 8 - I-LEARN SMART WORLD - CẢ NĂM - CÓ FILE NGHE (BẢN...
 
Beauty Amidst the Bytes_ Unearthing Unexpected Advantages of the Digital Wast...
Beauty Amidst the Bytes_ Unearthing Unexpected Advantages of the Digital Wast...Beauty Amidst the Bytes_ Unearthing Unexpected Advantages of the Digital Wast...
Beauty Amidst the Bytes_ Unearthing Unexpected Advantages of the Digital Wast...
 
Team Lead Succeed – Helping you and your team achieve high-performance teamwo...
Team Lead Succeed – Helping you and your team achieve high-performance teamwo...Team Lead Succeed – Helping you and your team achieve high-performance teamwo...
Team Lead Succeed – Helping you and your team achieve high-performance teamwo...
 
Mythology Quiz-4th April 2024, Quiz Club NITW
Mythology Quiz-4th April 2024, Quiz Club NITWMythology Quiz-4th April 2024, Quiz Club NITW
Mythology Quiz-4th April 2024, Quiz Club NITW
 
The Emergence of Legislative Behavior in the Colombian Congress
The Emergence of Legislative Behavior in the Colombian CongressThe Emergence of Legislative Behavior in the Colombian Congress
The Emergence of Legislative Behavior in the Colombian Congress
 
Mattingly "AI & Prompt Design" - Introduction to Machine Learning"
Mattingly "AI & Prompt Design" - Introduction to Machine Learning"Mattingly "AI & Prompt Design" - Introduction to Machine Learning"
Mattingly "AI & Prompt Design" - Introduction to Machine Learning"
 
Employablity presentation and Future Career Plan.pptx
Employablity presentation and Future Career Plan.pptxEmployablity presentation and Future Career Plan.pptx
Employablity presentation and Future Career Plan.pptx
 
An Overview of the Calendar App in Odoo 17 ERP
An Overview of the Calendar App in Odoo 17 ERPAn Overview of the Calendar App in Odoo 17 ERP
An Overview of the Calendar App in Odoo 17 ERP
 
Shark introduction Morphology and its behaviour characteristics
Shark introduction Morphology and its behaviour characteristicsShark introduction Morphology and its behaviour characteristics
Shark introduction Morphology and its behaviour characteristics
 
ICS 2208 Lecture Slide Notes for Topic 6
ICS 2208 Lecture Slide Notes for Topic 6ICS 2208 Lecture Slide Notes for Topic 6
ICS 2208 Lecture Slide Notes for Topic 6
 
CHUYÊN ĐỀ ÔN THEO CÂU CHO HỌC SINH LỚP 12 ĐỂ ĐẠT ĐIỂM 5+ THI TỐT NGHIỆP THPT ...
CHUYÊN ĐỀ ÔN THEO CÂU CHO HỌC SINH LỚP 12 ĐỂ ĐẠT ĐIỂM 5+ THI TỐT NGHIỆP THPT ...CHUYÊN ĐỀ ÔN THEO CÂU CHO HỌC SINH LỚP 12 ĐỂ ĐẠT ĐIỂM 5+ THI TỐT NGHIỆP THPT ...
CHUYÊN ĐỀ ÔN THEO CÂU CHO HỌC SINH LỚP 12 ĐỂ ĐẠT ĐIỂM 5+ THI TỐT NGHIỆP THPT ...
 
Q-Factor General Quiz-7th April 2024, Quiz Club NITW
Q-Factor General Quiz-7th April 2024, Quiz Club NITWQ-Factor General Quiz-7th April 2024, Quiz Club NITW
Q-Factor General Quiz-7th April 2024, Quiz Club NITW
 
BÀI TẬP BỔ TRỢ TIẾNG ANH 11 THEO ĐƠN VỊ BÀI HỌC - CẢ NĂM - CÓ FILE NGHE (GLOB...
BÀI TẬP BỔ TRỢ TIẾNG ANH 11 THEO ĐƠN VỊ BÀI HỌC - CẢ NĂM - CÓ FILE NGHE (GLOB...BÀI TẬP BỔ TRỢ TIẾNG ANH 11 THEO ĐƠN VỊ BÀI HỌC - CẢ NĂM - CÓ FILE NGHE (GLOB...
BÀI TẬP BỔ TRỢ TIẾNG ANH 11 THEO ĐƠN VỊ BÀI HỌC - CẢ NĂM - CÓ FILE NGHE (GLOB...
 
DBMSArchitecture_QueryProcessingandOptimization.pdf
DBMSArchitecture_QueryProcessingandOptimization.pdfDBMSArchitecture_QueryProcessingandOptimization.pdf
DBMSArchitecture_QueryProcessingandOptimization.pdf
 
The role of Geography in climate education: science and active citizenship
The role of Geography in climate education: science and active citizenshipThe role of Geography in climate education: science and active citizenship
The role of Geography in climate education: science and active citizenship
 
Tree View Decoration Attribute in the Odoo 17
Tree View Decoration Attribute in the Odoo 17Tree View Decoration Attribute in the Odoo 17
Tree View Decoration Attribute in the Odoo 17
 
How to Manage Buy 3 Get 1 Free in Odoo 17
How to Manage Buy 3 Get 1 Free in Odoo 17How to Manage Buy 3 Get 1 Free in Odoo 17
How to Manage Buy 3 Get 1 Free in Odoo 17
 
Unraveling Hypertext_ Analyzing Postmodern Elements in Literature.pptx
Unraveling Hypertext_ Analyzing  Postmodern Elements in  Literature.pptxUnraveling Hypertext_ Analyzing  Postmodern Elements in  Literature.pptx
Unraveling Hypertext_ Analyzing Postmodern Elements in Literature.pptx
 
Congestive Cardiac Failure..presentation
Congestive Cardiac Failure..presentationCongestive Cardiac Failure..presentation
Congestive Cardiac Failure..presentation
 
4.9.24 School Desegregation in Boston.pptx
4.9.24 School Desegregation in Boston.pptx4.9.24 School Desegregation in Boston.pptx
4.9.24 School Desegregation in Boston.pptx
 

Introduction to Information and System Security Overview

  • 1. Administrivia Setting the stage... Case studies Introduction to Information and System Security First lecture Hugh Anderson National University of Singapore School of Computing June, 2012 Hugh Anderson Introduction to Information and System Security First lecture 1
  • 3. Outline. 1 Administrivia: Coordinates, officialdom, assessment; What you’ll be learning; Why should you learn? 2 Setting the stage...: In the news earlier this year...; Context for security studies. 3 Case studies: Airports, banks, the military, hospitals, homes; Term definitions.
  • 4. Hugh’s coordinates. Room: COM2 #03-24. Telephone: 6516-4262. E-mail: hugh@comp.nus.edu.sg. Open-door policy (I have one!) Please call me Hugh, and visit me in my room if you have any questions...
  • 5. Official SOC description. From the official course description... This module serves as an introductory module on information and computer system security. It illustrates the fundamentals of how systems fail due to malicious activities and how they can be protected. The module also places emphasis on the practices of secure programming and implementation. Topics covered include classical/historical ciphers, introduction to modern ciphers and cryptosystems, ethical, legal and organisational aspects, classic examples of direct attacks on computer systems such as input validation vulnerability, examples of other forms of attack such as social engineering/phishing attacks, and the practice of secure programming.
  • 6. Assessment. Homework 15%; Group project 20%; Tests: MCQ (closed book, on the 9th July) 15%; Final exam (open book) 50%; Total marks 100%.
  • 7. Timetable: lectures, tutorials and project... Weeks of June 18 and 25 and July 2, 9, 16 and 23: lectures, tutorials, project. EXAM (Fri, 27th, a.m.). The project will be a group one (up to 4 members in each group), with a presentation in the last week.
  • 8. Tutorials. Tutorials/demos/discussions start next week... Give a written answer to the homework as you enter the tutorial room for assessment (A, B, C or F). There will be four assessed homework/assignments.
  • 9. Resources. No textbook, but you may find the following texts useful: Ross Anderson’s “Security Engineering” book: http://www.cl.cam.ac.uk/~rja14/musicfiles/manuscripts/SEv1.pdf; Computer Security, Matt Bishop; Directed readings, all available on the Internet; IVLE at http://ivle.nus.edu.sg/
  • 10. General area of the course topics. In short: History and background; Classical and modern cryptography; Security of systems; Building safer systems: secure programming techniques for programs, web sites...
  • 11. What you should learn... What you are expected to know... To be able to put security systems in context (for example: history, understanding of the “big picture”). To describe “security related” things using some technical terms (for example: keysize, PK, man-in-the-middle). To understand the roles of the components of security systems, understanding the underlying reasons for their properties (for example: certifying authorities). To acquire some practical skills that would help in programming more secure computer systems.
  • 12. Why should you learn... and why should you care? Reason #1: Pick up these skills and pass the final exam :) Reason #2: It is fun in a kind of “You did what?” way. Reason #3: Knowing the issues, and underlying mechanisms, helps you ... build better systems in future; ... explain to the person on the helpdesk why their system is flawed, and what needs to be done to fix it; ... avoid being the victim of (computer) fraud; ... realistically assess threats to you, your organization, your country; ... fly with the eagles.
  • 13. My expectation... Please, please, please.... Attend classes and tutorials. Ask if you don’t know. Read references and handouts... Get interested in the subject. Don’t do anything you know is plain wrong...
  • 14. DBS/POSB attacks: Big news last week...
  • 15. And a few days later... Tracked down...
  • 16. DBS/POSB attacks: How was it done? Through the use of card skimmers on two machines in Bugis. Card skimming involves trying to collect your card details from the magnetic strip.
  • 17. DBS/POSB attacks: Card skimmers. The magnetic strip is read as it passes through the capture “shell”. The electronics includes a magnetic strip reader head, a small amount of electronics, a battery, a microcomputer and storage (an SD card).
  • 18. DBS/POSB attacks: Getting the PIN? Either a small (pinhole) camera looking down on the keypad, with an SD card memory, or an overlay over the keyboard, with a small microcomputer and memory.
  • 20. More things to worry about:
  • 21. NUS attacks: News in January...
  • 22. NUS attacks: What was done? Firstly, it was not NUS, but a departmental web server at NUS that was hacked. The hackers got irritated by a message on the web site, and made it a mission to hack it. They reported that the web site had minimal security. The attack was a SQL injection attack, which allowed them to download usercode/password-hash entries stored in the SQL database attached to the web server. The passwords were not NUSNET ones, but ones specifically for the application on the departmental server.
  • 23. Key points/jargon. Summary: Card skimmers; SQL injection; Keystroke logging using cameras, or keypad overlays; Passwords versus password hashes.
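The two ideas on slides 22 and 23, a query that splices user input into SQL text versus one that passes it as a parameter, and a user table that stores salted password hashes rather than passwords, as an added example. This is not code from the lecture or from the departmental server that was attacked; the table layout, user names and passwords are constructed for the demo, and the PBKDF2 iteration count is an assumption.

```python
"""Added example: a sqlite3-backed login store contrasting a string-built
query with a parameterised one, and storing salted PBKDF2 hashes so that a
leaked table does not hand over passwords.  All names and data are constructed."""
import hashlib
import hmac
import os
import sqlite3
from typing import List, Optional, Tuple

PBKDF2_ITERATIONS = 200_000  # assumption: a reasonable work factor for a demo


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest).  A fresh random salt is drawn when none is given,
    so two users with the same password still get different stored hashes."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def make_db() -> sqlite3.Connection:
    """Constructed sample table: only salt and hash are stored, never the password."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (usercode TEXT PRIMARY KEY, salt BLOB, pwhash BLOB)")
    for usercode, pw in [("alice", "correct horse"), ("bob", "hunter2")]:
        salt, digest = hash_password(pw)
        conn.execute("INSERT INTO users VALUES (?, ?, ?)", (usercode, salt, digest))
    conn.commit()
    return conn


def lookup_unsafe(conn: sqlite3.Connection, usercode: str) -> List[str]:
    """The flaw the NUS slide describes: the input is spliced into the SQL text,
    so a quote in the input changes the query's structure instead of being data."""
    sql = f"SELECT usercode FROM users WHERE usercode = '{usercode}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn: sqlite3.Connection, usercode: str) -> List[str]:
    """Parameterised query: the driver binds the input as a value, so it can only
    ever match a usercode literally, quotes and all."""
    sql = "SELECT usercode FROM users WHERE usercode = ?"
    return [row[0] for row in conn.execute(sql, (usercode,))]


def verify_login(conn: sqlite3.Connection, usercode: str, password: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time.
    Nothing here needs the plaintext password to be stored anywhere."""
    row = conn.execute(
        "SELECT salt, pwhash FROM users WHERE usercode = ?", (usercode,)
    ).fetchone()
    if row is None:
        return False
    salt, stored = row
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(stored, candidate)


if __name__ == "__main__":
    db = make_db()
    print("safe lookup of a quoted input:", lookup_safe(db, "' OR '1'='1"))
    print("unsafe lookup of the same input:", lookup_unsafe(db, "' OR '1'='1"))
    print("alice logs in:", verify_login(db, "alice", "correct horse"))
```

The point of the safe/unsafe pair is structural: `lookup_safe` never builds SQL from user input, so there is no quoting rule to get wrong. The hash store is the second half of slide 23: what the attackers downloaded were hashes, and with a per-user salt and a slow KDF those are far less useful than the passwords themselves.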
  • 24. Hard to find the boundaries of “Security”. It is not "one thing"... Security is complex: Security can involve elements such as computers, people, locks, communication links and so on. The goals of security might involve authentication, integrity, accountability, and so on. A security system may involve an arbitrary combination of these elements and goals. Security is everyone’s poor relation: not perceived as a benefit until something goes wrong; requires regular monitoring; too often an after-thought; regarded as an impediment to using the system.
  • 25. Framework to hang our understanding on... Ross Anderson’s book suggests this framework: differentiate between security policies and mechanisms. policy: what is allowed/disallowed. What you are supposed to do. mechanism: ways of enforcing a policy. Ciphers, controls... assurance: how much reliance you place on each mechanism. incentives: motives of the people guarding and maintaining the system, and the attackers.
  • 26. A quick quiz... Which of these two vehicles has a door lock? Value SING$ 20,000. Value SING$ 350,000,000. Answer?
  • 27. Airport security: 2001 attacks and afterwards. Consider the 911 attacks... There was actually not any failure of the security systems in place at the time: knives with blades less than 3 inches were OK in 2001. A failure of policy, not mechanism. Since 911? Still poor policy choices: passenger screening is aggressive and costly (approx $15 billion), whereas strongly reinforced cockpit doors could remove most risk (est $100 million). Ground staff are seldom screened; planes do not have locks. Why such poor policy choices? Incentives for policy makers favour visible controls over effective ones. Assurance? System screening picks up less than half the weapons.
  • 28. Bank security. Policy in banks: "The bank never loses!" Mechanism: banks maintain a kind of distributed bookkeeping system: customer accounts, and (daily) transactions. Internal: the main threats to banks are internal, their own staff. Main defenses are double-entry bookkeeping (first described in the 15th century), controls on large transactions, and staff required to take vacations. External: buildings built to look imposing, but just a facade, “security theatre” (a thief with a gun wins). ATMs (as we have seen) are susceptible to attacks. Bank websites use a mix of techniques: 2-factor authentication, HTTPS. Phishing attempts to bypass this by attacking clients. Cryptography for communication.
  • 29. Military security. In all sorts of areas... Electronic warfare and defense: jamming of radar, so the opponent cannot see your planes; jamming trigger systems for IEDs. Military communications: not just encryption, but also hiding the source (the location of a transmitter can be attacked, so the military use LPI, low probability of intercept, radio links). Military logistics: who can mobilize 10,000 people and 30,000 meals in a day? Management systems for the military have different requirements from commercial systems; the basic rule is that restricted information cannot flow to an unrestricted area. Weapons control (e.g. nuclear weapons) needs much higher levels of assurance than (say) commercial areas.
  • 30. Hospital security. Policies are mostly there to ensure patient safety and privacy. Consider patient record systems: a mechanism might be that “Nurses can see the patient record for patients cared for in their own department over the last 90 days”. However, this might be tricky to implement given that nurses can move departments; the patient record system would become dependent on the hospital personnel system. Record anonymizing for research can be tricky; consider the next slide on database attacks. A requirement for accuracy of web based data (reference texts, drug side effects).
  • 31. During the SARS outbreak... Releasing (unexpected) information from databases. Day’s average temperature of SOC staff by nationality: Singaporean 36.8, PRC 36.9, Poland 37.1, German 36.5, Australian 38.2, NZ 38.1, .... Numbers of SOC staff by nationality: Singaporean 23, PRC 14, Poland 3, German 5, Australian 2, NZ 1, .... By inference you can deduce that Hugh’s temperature was too high!
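The inference on slide 31 works because one nationality group has a single member, so the published group average is that person's reading. The usual control is to release a group statistic only when the group is at least some minimum size. The following is an added example, not part of the lecture: the group sizes and averages follow the slide's two tables, but the individual readings behind them are constructed (every member of a group is given the group's average), and the minimum group size of 5 is an assumption.

```python
"""Added example: suppress per-group averages for small groups so that a table
of aggregates does not reveal an individual's reading.  Data is constructed to
match the slide's group counts and averages; readings are not real."""
from collections import defaultdict
from statistics import mean
from typing import Dict, List, Optional, Tuple

# Constructed records: (nationality, temperature in degrees C).  Counts are those
# on the slide; every member of a group is given that group's slide average.
STAFF: List[Tuple[str, float]] = (
    [("Singaporean", 36.8)] * 23
    + [("PRC", 36.9)] * 14
    + [("Poland", 37.1)] * 3
    + [("German", 36.5)] * 5
    + [("Australian", 38.2)] * 2
    + [("NZ", 38.1)] * 1
)

MIN_GROUP = 5  # assumption: smallest group whose average may be published


def group_stats(records: List[Tuple[str, float]]) -> Dict[str, Tuple[int, float]]:
    """Per-group (count, average), i.e. exactly what the two slide tables show."""
    groups: Dict[str, List[float]] = defaultdict(list)
    for nationality, temp in records:
        groups[nationality].append(temp)
    return {n: (len(t), round(mean(t), 1)) for n, t in groups.items()}


def leaked_individuals(records: List[Tuple[str, float]]) -> List[str]:
    """Groups of size 1: the published average *is* one person's reading."""
    return sorted(n for n, (count, _) in group_stats(records).items() if count == 1)


def release(records: List[Tuple[str, float]],
            min_group: int = MIN_GROUP) -> Dict[str, Tuple[int, Optional[float]]]:
    """Publish (count, average) per group, but replace the average with None for
    any group smaller than min_group, so no small group's members can be
    pinned down from the table."""
    released: Dict[str, Tuple[int, Optional[float]]] = {}
    for nationality, (count, avg) in group_stats(records).items():
        released[nationality] = (count, avg) if count >= min_group else (count, None)
    return released


def single_group_suppressed(released: Dict[str, Tuple[int, Optional[float]]]) -> bool:
    """Residual risk check: if exactly one group is suppressed and an overall
    average is published alongside the table, the suppressed group's total can
    be recovered by subtraction.  True means the release still needs work."""
    return sum(1 for _, avg in released.values() if avg is None) == 1


if __name__ == "__main__":
    print("groups of one:", leaked_individuals(STAFF))
    for nationality, (count, avg) in release(STAFF).items():
        print(f"{nationality:12s} n={count:2d} avg={'suppressed' if avg is None else avg}")
    print("overall mean would leak a suppressed group:", single_group_suppressed(release(STAFF)))
```

With the slide's counts and a minimum of 5, the Polish, Australian and NZ averages are withheld; lowering the threshold to 2 leaves only NZ suppressed, and then an overall staff average must not be published with the table, since subtracting the released groups recovers the single suppressed reading. Cell-size suppression is a floor, not a complete defence: repeated queries over shifting subsets are the next thing a database-privacy design has to handle.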
  • 32. Home security. Really? Consider... Web-based banking, over your home wifi. Your car key/immobilizer. Your (GSM) phone (much harder to clone now than it was five years ago): no unexpected charges. Your TV set-top box, electronic gas/electricity meter and so on. In some condos, burglar alarm, lock and security systems.
  • 33. Key points/jargon. Summary: Policy, mechanism, assurance and incentives; Controls, visible and effective controls, security theatre; 2-factor authentication, HTTPS, phishing; Database attacks.
  • 34. What is a system? It can vary... 1 Product or component: such as a smartcard, a PC, or a communication protocol. 2 Collection: some products/components, and an OS, network, making up an organization’s infrastructure. 3 Application: the above and some set of applications. 4 Composite: the above and IT staff, and perhaps users, management, clients, customers... A system can thus refer to small things or big things. This indeterminacy about even basic words leads to confusion, and errors. Salespeople might concentrate their efforts on (say) the first two areas, whereas a business may think of its system in terms of the fourth area.
  • 35. Services/Goals, Attacks and Threats. Basic terms: Vulnerability/Threats: if there is a weakness (vulnerability), then a potentially harmful situation (threat) may occur. Services/Goals: ensuring adequate service in a computer system. CIA! Good guys need ’em. Attacks/Controls: an attack = threat + vulnerability. A control is a way of reducing the effect of a vulnerability. MOM! Bad guys need ’em.
  • 36. The CIA triad... FIPS specify three objectives/goals: confidentiality: concealing information; resources may only be accessed by authorized parties. integrity: trustworthiness of data; resources may only be modified by authorized parties in authorized ways. availability: preventing DOS/denial-of-service; resources are accessible in a timely manner.
  • 37. The CIAAA gang-of-five... Many observers identify more... Authenticity: logins, password checks. Accountability: non-repudiation of a prior commitment.
  • 38. Services/Goals, real world analogues: CIA (computer versions much faster). Security problems in society reoccur in computers. Confidentiality = locks/encoding/secrecy/privacy. Integrity = handshakes/signature. Availability = union go-slows... But... the goals can conflict (consider ease of confidentiality versus lack of availability). The goals may not be met (consider password length versus human memory).
  • 39. Attacks: MOM! Three aspects of attacks: Method: tools, knowledge; Opportunity: time, access; Motive: what advantage is there? An important basic principle for attacks, the weakest link: an attacker only needs one small flaw in a system.
  • 40. Types of threats. disclosure: unauthorized access (snooping/interception); deception: accept false data (man-in-the-middle/modification); disruption: prevent correct operation (denial-of-service/interruption); usurpation: unauthorized control (spoofing/fabrication).
  • 41. Types of attacks: Snooping/Interception (diagram: Alice, Bob, Ted).
  • 42. Types of attacks: Man-in-the-middle/Modification (diagram: Alice, Bob, Ted).
  • 43. Types of attacks: Denial of Service/Interruption (diagram: Alice, Bob, Ted).
  • 44. Types of attacks: Spoofing/Fabrication (diagram: Alice, Bob, Ted).
  • 45. Types of attacks: And persuasion: human factors and social engineering.