Information Security Sunday 10:00 – 13:00
Nov 18, 2014
Information Security
Sunday 10:00 – 13:00
Instructor:Dr. Ibrahim Ali [email protected]
Textbook: Information
Security Principles And Practices
Second Edition,
By: Mark Stamp
Publisher: J. Wiley & sons
Pub Date: 2011
Information Security
Course Outline
This module consists of four major partsoCryptography (5 weeks)oAccess control (2 weeks)oProtocols (3 weeks)oSoftware (3 weeks)
Assessment
Final exam 50%
Midterm exam 25%
Course work 25%
oAssay, Project, Seminar,
etc.
Introduction
Alice and Bob are the good guys
Trudy is the bad “guy”
Trudy is our generic “intruder”
Alice’s Online BankAlice opens “Alice’s Online
Bank” (AOB)What are Alice’s security
concerns?If Bob is a customer of AOB,
what are his security concerns?
How are Alice’s and Bob’s concerns similar? How are they different?
How does Trudy view the situation?
CIA
CIA are the three fundamental goals of information security.
CIA == Confidentiality, Integrity, and Availability
ConfidentialityAOB must prevent Trudy from
learning Bob’s account balance
Confidentiality: prevent unauthorized reading of information oCryptography used for
confidentiality
IntegrityTrudy must not be able to
change Bob’s account balanceBob must not be able to
improperly change his own account balance
Integrity: detect unauthorized writing of informationoCryptography used for integrity
AvailabilityAOB’s information must be
available whenever it’s needed
Alice must be able to make transactiono If not, she’ll take her business
elsewhereAvailability: Data is available
in a timely manner when needed
Availability is a “new” security concernoDenial of service (DoS) attacks
Beyond CIA: CryptoHow does Bob’s computer
know that “Bob” is really Bob and not Trudy?
Bob’s password must be verifiedoThis requires some clever
cryptography
What are security concerns of pwds?
Are there alternatives to passwords?
Beyond CIA: Protocols
When Bob logs into AOB, how does AOB know that “Bob” is really Bob?
As before, Bob’s password is verified
Unlike the previous case, network security issues arise
How do we secure network transactions?oProtocols are critically
importantoCrypto plays critical role in
protocols
Beyond CIA: Access Control
Once Bob is authenticated by AOB, then AOB must restrict actions of BoboBob can’t view Charlie’s account
info
oBob can’t install new software, etc.
Enforcing these restrictions: authorization
Access control includes both authentication and authorization
Beyond CIA: SoftwareCryptography, protocols, and
access control are implemented in softwareoSoftware is foundation on which
security restsWhat are security issues of
software?oReal world software is complex
and buggyoSoftware flaws lead to security
flawsoHow does Trudy attack software?oHow to reduce flaws in software
development?oAnd what about malware?
The People ProblemPeople often break security
oBoth intentionally and unintentionally
oHere, we consider the unintentional
For example, suppose you want to buy something onlineoTo make it concrete, suppose you
want to buy Information Security: Principles and Practice, 2nd edition from amazon.com
The People ProblemTo buy from amazon.com
oYour Web browser uses SSL protocol
oSSL relies on cryptographyoAccess control issues ariseoAll security mechanisms are in
softwareSuppose all of this security
stuff works perfectlyoThen you would be safe, right?
The People ProblemWhat could go wrong?Trudy tries man-in-the-middle
attackoSSL is secure, so attack doesn’t
“work”oBut, Web browser issues a
warningoWhat do you, the user, do?
If user ignores warning, attack works!oNone of the security
mechanisms failed oBut user unintentionally broke
security
Cryptography“Secret codes”This topic covers
oClassic cryptographyoSymmetric ciphersoPublic key cryptographyoHash functions++
Access ControlAuthentication
oPasswordsoBiometricsoOther methods of authentication
AuthorizationoAccess Control Lists/CapabilitiesoFirewalls, intrusion detection
(IDS)oMultilevel security (MLS),
security modeling, covert channel, inference control
Protocols“Simple” authentication
protocolsoFocus on basics of security
protocolsoLots of applied cryptography in
protocolsReal-world security protocols
oSSH, SSL, IPSec, KerberosoWireless: WEP, GSM
SoftwareSecurity-critical flaws in
softwareoBuffer overflowoRace conditions, etc.
MalwareoExamples of viruses and wormsoPrevention and detectionoFuture of malware?
SoftwareSoftware reverse engineering
(SRE)oHow hackers “dissect” software
Digital rights management (DRM)oShows difficulty of security in
softwareoAlso raises OS security issues
Software and testingoOpen source, closed source,
other topics
SoftwareOperating systems
oBasic OS security issueso“Trusted OS” requirementsoNGSCB: Microsoft’s trusted OS
for the PCSoftware is a BIG security
topicoLots of material to coveroLots of security problems to
consideroBut not nearly enough time
available…
Think Like TrudyIn the past, no respectable
sources talked about “hacking” in detailoAfter all, such info might help
Trudy
Recently, this has changedoLots of books on network
hacking, evil software, how to hack software, etc.
oClasses teach virus writing, SRE, etc.
Think Like TrudyGood guys must think like bad
guys!A police detective…
o…must study and understand criminals
In information securityoWe want to understand Trudy’s
methodsoMight think about Trudy’s
motivesoWe’ll often pretend to be Trudy
Think Like TrudyIs all of this security
information a good idea?
Bruce Schneier (referring to Security Engineering, by Ross Anderson):o“It’s about time somebody
wrote a book to teach the good guys what the bad guys already know.”
Think Like TrudyWe must try to think like TrudyWe must study Trudy’s
methodsWe can admire Trudy’s
clevernessOften, we can’t help but laugh
at Alice’s and/or Bob’s stupidity
But, we cannot act like TrudyoExcept in this class…
In This Course…Think like the bad guyAlways look for weaknesses
oFind the weak link before Trudy does
It’s OK to break the rulesoWhat rules?
Think like TrudyBut don’t do anything illegal!