Lecture 1

Nov 18, 2014

Lecture One - Information Security CS709 - Dr. Ibrahim Almarhag
Transcript
Page 1: Lecture 1

Information Security

Sunday 10:00 – 13:00

Page 2: Lecture 1

Instructor: Dr. Ibrahim Ali [email protected]

Textbook: Information Security: Principles and Practice, Second Edition, by Mark Stamp. Publisher: J. Wiley & Sons. Pub Date: 2011.

Page 3: Lecture 1

Course Outline

This module consists of four major parts:
- Cryptography (5 weeks)
- Access control (2 weeks)
- Protocols (3 weeks)
- Software (3 weeks)

Page 4: Lecture 1

Assessment

Final exam 50%
Midterm exam 25%
Course work 25%
- Essay, project, seminar, etc.

Page 5: Lecture 1

Introduction

Alice and Bob are the good guys

Trudy is the bad “guy”

Trudy is our generic “intruder”

Page 6: Lecture 1

Alice’s Online Bank

Alice opens “Alice’s Online Bank” (AOB)
What are Alice’s security concerns?
If Bob is a customer of AOB, what are his security concerns?
How are Alice’s and Bob’s concerns similar? How are they different?
How does Trudy view the situation?

Page 7: Lecture 1

CIA

CIA are the three fundamental goals of information security.

CIA == Confidentiality, Integrity, and Availability

Page 8: Lecture 1

Confidentiality

AOB must prevent Trudy from learning Bob’s account balance
Confidentiality: prevent unauthorized reading of information
- Cryptography used for confidentiality

Page 9: Lecture 1

Integrity

Trudy must not be able to change Bob’s account balance
Bob must not be able to improperly change his own account balance
Integrity: detect unauthorized writing of information
- Cryptography used for integrity
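As an added illustration of the integrity goal (this is example code written for this transcript, not material from the slides or from Stamp's textbook): AOB stores each account record together with a keyed hash (HMAC-SHA256) computed under a key only the bank holds. Anyone who edits the record without the key, whether Trudy or Bob himself, produces a record whose tag no longer matches, so the unauthorized write is detected at the next check. The key and the record values are constructed demo values.

```python
import hashlib
import hmac
import json

# Constructed demo key (hypothetical). A real deployment loads it from a key
# store and never hard-codes it in source.
AOB_INTEGRITY_KEY = b"aob-demo-integrity-key-not-for-production"


def canonical(record: dict) -> bytes:
    """Serialise a record deterministically: key order and spacing are fixed,
    so the same content always hashes to the same bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def protect(record: dict, key: bytes = AOB_INTEGRITY_KEY) -> dict:
    """Attach an HMAC-SHA256 tag over the record's canonical form."""
    tag = hmac.new(key, canonical(record), hashlib.sha256).hexdigest()
    return {"record": record, "tag": tag}


def verify(envelope: dict, key: bytes = AOB_INTEGRITY_KEY) -> bool:
    """Recompute the tag and compare in constant time; True only on a match."""
    expected = hmac.new(key, canonical(envelope["record"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, envelope["tag"])


def tamper_detected(envelope: dict, field: str, new_value) -> bool:
    """Simulate an edit of one field made without the key and report whether
    AOB's verification catches it. The stored envelope is left untouched."""
    forged = {"record": dict(envelope["record"]), "tag": envelope["tag"]}
    forged["record"][field] = new_value
    return not verify(forged)


if __name__ == "__main__":
    bob = protect({"account": "bob", "balance": 100})
    print("stored record verifies:", verify(bob))
    print("balance edit detected:", tamper_detected(bob, "balance", 1000000))
```

Note what the MAC does and does not give you: it detects modification, which is exactly the slide's definition of integrity, but it does not hide the balance (that is confidentiality, a separate mechanism) and it is only as strong as the secrecy of the key.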

Page 10: Lecture 1

Availability

AOB’s information must be available whenever it’s needed
Alice must be able to make transactions
- If not, she’ll take her business elsewhere
Availability: data is available in a timely manner when needed
Availability is a “new” security concern
- Denial of service (DoS) attacks

Page 11: Lecture 1

Beyond CIA: Crypto

How does Bob’s computer know that “Bob” is really Bob and not Trudy?
Bob’s password must be verified
- This requires some clever cryptography
What are the security concerns of passwords?
Are there alternatives to passwords?

Page 12: Lecture 1

Beyond CIA: Protocols

When Bob logs into AOB, how does AOB know that “Bob” is really Bob?
As before, Bob’s password is verified
Unlike the previous case, network security issues arise
How do we secure network transactions?
- Protocols are critically important
- Crypto plays a critical role in protocols

Page 13: Lecture 1

Beyond CIA: Access Control

Once Bob is authenticated by AOB, AOB must restrict Bob’s actions
- Bob can’t view Charlie’s account info
- Bob can’t install new software, etc.
Enforcing these restrictions: authorization
Access control includes both authentication and authorization
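The two halves of access control named on this slide, shown as one decision path (an added example for this transcript, not code from the course or the textbook): authentication answers "is this really Bob?" by checking a salted, iterated password hash, and authorization answers "may Bob do this?" by consulting an access control list that is default-deny. The users, passwords and ACL entries are constructed demo data.

```python
import hashlib
import hmac
import os

# PBKDF2 iteration count for the demo user store (hypothetical setting).
_ITERATIONS = 100_000


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)


def make_user(password: str) -> dict:
    """Store a per-user random salt and the derived hash, never the password."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash_password(password, salt)}


# Constructed user database with demo passwords.
USERS = {
    "bob": make_user("correct horse battery staple"),
    "charlie": make_user("charlie-demo-password"),
}

# Constructed ACL: (principal, action, object). Anything not listed is denied,
# so Bob cannot read Charlie's account and nobody may install software.
ACL = {
    ("bob", "read", "account:bob"),
    ("bob", "transfer", "account:bob"),
    ("charlie", "read", "account:charlie"),
}


def authenticate(username: str, password: str) -> bool:
    """Authentication: verify the presented password against the stored hash."""
    user = USERS.get(username)
    if user is None:
        # Do a dummy derivation so an unknown user costs the same time as a
        # wrong password; this keeps user enumeration by timing harder.
        _hash_password(password, b"\x00" * 16)
        return False
    return hmac.compare_digest(_hash_password(password, user["salt"]), user["hash"])


def authorize(username: str, action: str, obj: str) -> bool:
    """Authorization: is this authenticated principal allowed this action? Default deny."""
    return (username, action, obj) in ACL


def request(username: str, password: str, action: str, obj: str) -> str:
    """AOB's full access-control decision: authenticate first, then authorize."""
    if not authenticate(username, password):
        return "denied: authentication failed"
    if not authorize(username, action, obj):
        return "denied: not authorized"
    return "allowed"


if __name__ == "__main__":
    pw = "correct horse battery staple"
    print(request("bob", pw, "read", "account:bob"))       # allowed
    print(request("bob", pw, "read", "account:charlie"))   # denied: not authorized
    print(request("bob", "wrong password", "read", "account:bob"))
```

The order matters: authorization is only meaningful for an identity that has already been established, and the ACL lookup is written so that a missing entry denies rather than permits.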

Page 14: Lecture 1

Beyond CIA: Software

Cryptography, protocols, and access control are implemented in software
- Software is the foundation on which security rests
What are the security issues of software?
- Real-world software is complex and buggy
- Software flaws lead to security flaws
- How does Trudy attack software?
- How to reduce flaws in software development?
- And what about malware?

Page 15: Lecture 1

The People Problem

People often break security
- Both intentionally and unintentionally
- Here, we consider the unintentional
For example, suppose you want to buy something online
- To make it concrete, suppose you want to buy Information Security: Principles and Practice, 2nd edition from amazon.com

Page 16: Lecture 1

The People Problem

To buy from amazon.com
- Your Web browser uses the SSL protocol
- SSL relies on cryptography
- Access control issues arise
- All security mechanisms are in software
Suppose all of this security stuff works perfectly
- Then you would be safe, right?

Page 17: Lecture 1

The People Problem

What could go wrong?
Trudy tries a man-in-the-middle attack
- SSL is secure, so the attack doesn’t “work”
- But the Web browser issues a warning
- What do you, the user, do?
If the user ignores the warning, the attack works!
- None of the security mechanisms failed
- But the user unintentionally broke security
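The same "ignored warning" appears in software, not just in a browser dialog, and it is worth seeing what it looks like so it can be caught in code review (this is an added example for this transcript, not code from the course or the textbook). Python's `ssl` module is used because its defaults match what the slide calls a working SSL protocol: the server's certificate chain and hostname are verified. The second context is the code equivalent of clicking through the warning; the small audit function is a hypothetical helper that reports which protections a context has switched off.

```python
import ssl


def browser_like_context() -> ssl.SSLContext:
    """Secure configuration: the server certificate must chain to a trusted CA
    and must match the hostname we asked for. Trudy's MITM certificate fails
    both checks, so the connection is refused, which is the 'warning'."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = True                 # already the default; explicit for contrast
    ctx.verify_mode = ssl.CERT_REQUIRED       # already the default
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def warning_ignored_context() -> ssl.SSLContext:
    """The configuration that corresponds to the user ignoring the warning:
    any certificate is accepted, so the cryptography still runs but proves
    nothing about who is on the other end. Shown only as the anti-pattern."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False                # must be cleared before verify_mode can change
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Hypothetical review helper: list each protection the context disables.
    An empty list means the context still verifies the peer."""
    findings = []
    if not ctx.check_hostname:
        findings.append("hostname verification disabled")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate not verified")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("allows TLS versions below 1.2")
    return findings


if __name__ == "__main__":
    print("secure context findings:", audit_context(browser_like_context()))
    print("warning-ignored findings:", audit_context(warning_ignored_context()))
```

The point the slide makes carries over exactly: nothing in the TLS implementation fails in the second context, the encryption is still negotiated, but the decision to accept an unverified peer is what lets a man-in-the-middle succeed.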

Page 18: Lecture 1

Cryptography

“Secret codes”
This topic covers
- Classic cryptography
- Symmetric ciphers
- Public key cryptography
- Hash functions, and more

Page 19: Lecture 1

Access Control

Authentication
- Passwords
- Biometrics
- Other methods of authentication
Authorization
- Access control lists / capabilities
- Firewalls, intrusion detection systems (IDS)
- Multilevel security (MLS), security modeling, covert channels, inference control

Page 20: Lecture 1

Protocols

“Simple” authentication protocols
- Focus on the basics of security protocols
- Lots of applied cryptography in protocols
Real-world security protocols
- SSH, SSL, IPSec, Kerberos
- Wireless: WEP, GSM

Page 21: Lecture 1

Software

Security-critical flaws in software
- Buffer overflow
- Race conditions, etc.
Malware
- Examples of viruses and worms
- Prevention and detection
- Future of malware?

Page 22: Lecture 1

Software

Software reverse engineering (SRE)
- How hackers “dissect” software
Digital rights management (DRM)
- Shows the difficulty of security in software
- Also raises OS security issues
Software and testing
- Open source, closed source, other topics

Page 23: Lecture 1

Software

Operating systems
- Basic OS security issues
- “Trusted OS” requirements
- NGSCB: Microsoft’s trusted OS for the PC
Software is a BIG security topic
- Lots of material to cover
- Lots of security problems to consider
- But not nearly enough time available…

Page 24: Lecture 1

Think Like Trudy

In the past, no respectable sources talked about “hacking” in detail
- After all, such info might help Trudy
Recently, this has changed
- Lots of books on network hacking, evil software, how to hack software, etc.
- Classes teach virus writing, SRE, etc.

Page 25: Lecture 1

Think Like Trudy

Good guys must think like bad guys!
A police detective…
- …must study and understand criminals
In information security
- We want to understand Trudy’s methods
- Might think about Trudy’s motives
- We’ll often pretend to be Trudy

Page 26: Lecture 1

Think Like Trudy

Is all of this security information a good idea?
Bruce Schneier (referring to Security Engineering, by Ross Anderson):
- “It’s about time somebody wrote a book to teach the good guys what the bad guys already know.”

Page 27: Lecture 1

Think Like Trudy

We must try to think like Trudy
We must study Trudy’s methods
We can admire Trudy’s cleverness
Often, we can’t help but laugh at Alice’s and/or Bob’s stupidity
But, we cannot act like Trudy
- Except in this class…

Page 28: Lecture 1

In This Course…

Think like the bad guy
Always look for weaknesses
- Find the weak link before Trudy does
It’s OK to break the rules
- What rules?
Think like Trudy
But don’t do anything illegal!