CS5038: The Electronic Society Security 2: Concepts of Security
Feb 12, 2016
CS5038: The Electronic Society
Security 2: Concepts of Security
Outline
• Types of security: physical, information, hybrid• Concepts of information security– Declarative– Operational
• Applicability of concepts to physical and hybrid security.
• Security Economics: What’s it worth?• Policy, compliance, and trust
Physical Security
• Primarily about access control– Ensuring that people are kept within specified
zones of buildings, countries, etc.; for example, library access, immigration, clubs
• Also about integrity– Ensuring that necessary properties of specified
zones are maintained; for example, no sharp objects in the aircraft cabin, no landside liquids airside
Information Security
• Concerned with • Classically conceived as being about the
following three declarative components:– Confidentiality: about secrecy, who’s allowed– Integrity: about soundness, accuracy– Availability: about accessibility (to those allowed)
Hybrid Security
• Two hybrid attacks: – Server room/fire alarm– Engine management system firmware
Declarative and Operational Concepts
• Declarative concepts express what we want to achieve:– Confidentiality – Integrity– Availability– Investment
• Operational concepts are the mechanisms used to achieve these things:– Access control– Authentication– Education/training– Policies, regulation
Investments in (Information) Security
• Organizations have limited resources (people’s time, money, etc.) to invest in security
• Priorities expressed in terms of the declarative confidentiality, integrity, and availability
• Invest in policies, processes, and technologies − i.e., operational entities − to address these priorities
Example Types of Organizations, 1: Government Security Agency
• Top priority is usually confidentiality– State secrets to protect– Gathered intelligence to protect
• High concern for integrity– Important to base actions on uncorrupted information– Note about truth; for truth, go to the Philosophy
Department in the Old Brewery• Limited concern for availability– Often would be prepared to disconnect to protect I and
A, but not always
Example Types of Organizations, 2: Online Retailer
• Very high concern for availability– Loss of website or back-end for an hour costs a lot of money– Loss for a week might mean the business fails
• Some concern for confidentiality– Credibility may depend on never having has a credit card
compromised– Compare Amazon and eBay
• Limited concern for integrity– An online retailer might, for example, indicate how many copies of
a book are in stock– The actual number doesn’t need to be accurate, just need to give a
reliable indication of whether any given order can be fulfilled
Example Types of Organizations, 3: Academic Medical Research Organization
• Very high concern for integrity– Critical that experiments and conclusions based on
accurate data• Some concern for availability– Some experiments will be time-critical
• Limited concern for confidentiality– Data all anonymized anyway– May be part of mission to make it widely available
Exercise
• Think about some more organizations and what their security priorities might be
• For example– Banks– Schools, Colleges, and Universities– Environmental charities– Oil & Gas companies
• To what extent is the level of financial constraint significant?
Applicability of Concepts
• In fact, information security concepts are applicable to physical security.
• Consider airport security/customs/immigration:– Boarding card check is access control
(confidentiality, in effect)– Security scanners are about integrity
• Think about other examples
Utility and Economics
• How to value security and decide what investments to make?
• Management accountancy model: return-on-investment? Good book: Larry Gordon and Marty Loeb, Managing Cyber-security Resources
• Macro-economic model: restore system to nominal state? (These models are called impulse-response models.)
Utility Functions
• Idea: express, mathematically, how much the manager cares about deviations from targets for C, I, A, and investment, K
• Use weights − corresponding to the relative importance above − to capture the managers’ preferences:
U(C, I, A, K, t) = w1 f1(C – C*) + w2 f2(I – I*) + w3 f3(A – A*) + w4 f4(K – K*) C = … , I = … , A = … , K = … , all functions of time, t, and of ‘control varaibles’.
• Can explore these equations analytically or experimentally.
Shock and Restore
Notes on the Graphs• See Proc. Financial Cryptography and Data Security 2009, LNCS 5628: 148-162, Springer,
2009 for details (available from my website, only for the seriously intrigued)• Key points:
– Just look at the upper graphs (the lower ones are a technicality)– See how when a shock to confidentiality (i.e., a security breach) hits the system, the
characteristics of the system respond– All governed by carefully formulated utility functions of the kind described
• Targets for all of C, I, and A are 0. When the shock hits, C (blue) is way below target. This causes spend (red) to go way above target, and system availability to go way below target; that is, the system’s operations have to be curtailed and money spent to fix the problem; with these actions taken, all of C, I, and A begin to return to nominal.
• Notice the difference between the left and right graphs: the left is for the configuration/preferences of a deep-state organization like a government security agency, whereas the right is for something like an online retailer.
• The graphs show that the agency is much more willing to sacrifice availability than the retailer.
Policy, Compliance, and Trust
• These things are all inter-related• If an organization has a security policy, how
should it be implemented? – Forced compliance?– Employees/students/ … trusted to comply?– What about penalties?
• As before, different solutions are appropriate for different environments.
Example
• Policy: unencrypted laptops may not be taken out of the building
• Enforced compliance: search and inspect on exit:– Intrusive, causes resentment– Slow and expensive– Encourages avoidance strategies
• Trusted compliance: – Trust employees to comply, but impose very heavy
penalty (e.g., fire, prosecute) if found not in compliance
USB Sticks Study
• Research study part of a project, called ‘Trust Economics’, partly funded by the UK’s Technology Strategy Board. Involved HP Labs, UCL, Aberdeen, Bath, and Newcastle Universities, and Merrill Lynch
• City of London investment bank• Policy & implementation for USB stick security• Why is this important?
• The bank’s staff all work in several different locations:– The office, inside the firewall– At clients’ offices– At home– In transit
• These locations all have different security characteristics: different threats, different levels of protection, different consequences
The Problem
• USB sticks are used for good, practical reasons: convenient way to move information around the different locations, to work on it, share it, use it for client presentations
• But USB sticks expose information to lots of risks: at home, in transit, at the client; for example:– Corruption/theft of data– Loss of stick– Accidental archiving
What’s the Solution?• Encryption? It’s the obvious policy solution• How to implement?
– Technological enforcement?– Policy enforcement?
• What are the barriers?• The major problem, identified by extensive empirical study (structured interviews,
etc.) is a social one: – Bankers don’t like being embarrassed in front of clients, , losing face and maybe losing
business and they get embarrassed when they forget their passwords• Policies and implementations must take account of these things if they are to be
effective• In this case, we were able to conclude that enforced encryption would be the best
option only if the bank’s staff included ‘traitors’ actively trying to leak information• Generally, education and training, backed up with sanctions, works best
Summary
• Types of security: physical, information, hybrid• Concepts of information security– Declarative– Operational
• Applicability of concepts to physical and hybrid security.
• Security Economics: What’s it worth?• Policy, compliance, and trust