Notes A brief introduction to information security Part I Tyler Moore Computer Science & Engineering Department, SMU, Dallas, TX August 23, 2012 Some definitions Computer systems and networks Notes Outline Some definitions 1 What is security? What is digital information? What is information security? Computer systems and networks 2 Computer architecture Network architecture 2 / 41 What is security? Some definitions What is digital information? Computer systems and networks What is information security? Notes Safety vs. Security Safety Security Protects against Protects against intentional accidents malice Defends against nature Defends against intelligent beings Can be modeled using probability theory with Must model the strategy of historical data adversaries 4 / 41 What is security? Some definitions What is digital information? Computer systems and networks What is information security? Notes Safety vs. Security Safety Security Question: If you were in charge of a building’s security, how would preparations differ for a tornado versus a terrorist attack? Hint: When preparing for a tornado, should you consider whether neighboring buildings have been protected? 5 / 41
What is security? Some definitions What is digital information? Computer systems and networks What is information security? Notes What is digital information? Definition Digital information: information encoded in discrete numbers “Hi!” → 0x486921 6 / 41 What is security? Some definitions What is digital information? Computer systems and networks What is information security? Notes What are the implications of digital representation of information? 1 Costless to create perfect copies 2 Information can be transmitted anywhere immediately 3 Information can be remembered indefinitely ⇒ Easy to keep detailed record of transactions 4 Digitally encoded information lacks provenance ⇒ Modifications can’t be identified by just looking at the data 7 / 41 What is security? Some definitions What is digital information? Computer systems and networks What is information security? Notes What is information security? Information security is the endeavor to achieve protection goals specific to information. What are those goals? 1 Confidentiality : information is accessible only to authorized parties 2 Integrity : modification of information can be detected 3 Availability : authorized parties can access information (and use resources) when and where it is needed 8 / 41 What is security? Some definitions What is digital information? Computer systems and networks What is information security? Notes Confidentiality Exchange Broker � BUY,200,GOOG,$600.25 � Eve 9 / 41
� What is security? Some definitions What is digital information? Computer systems and networks What is information security? Notes Confidentiality caveats Confidentiality does not cover prior knowledge Breaches of confidentiality cannot be undone Breaches of confidentiality can be difficult to detect Question: what characteristics of digital information make protecting confidentiality difficult? 10 / 41 What is security? Some definitions What is digital information? Computer systems and networks What is information security? Notes Integrity Exchange Broker � BUY,200,GOOG,$600.25 � $550.25 Mallory 11 / 41 What is security? Some definitions What is digital information? Computer systems and networks What is information security? Notes Integrity caveats Protecting integrity = ⇒ correcting modifications Integrity simply ensures that information hasn’t been altered Integrity makes no claim of absolute correctness Question: what characteristics of digital information make protecting integrity difficult? 12 / 41 What is security? Some definitions What is digital information? Computer systems and networks What is information security? Notes Availability Exchange Broker � BUY,200,GOOG,$600.25 � � BUY,200,GOOG,$600.25 � Mallory 13 / 41
What is security? Some definitions What is digital information? Computer systems and networks What is information security? Notes Availability caveats Integrity is widely seen to be “harder” to guarantee than confidentiality or integrity Why? guarantees must often be made for more than the information Guarantees of the functionality of other parties may be required 14 / 41 What is security? Some definitions What is digital information? Computer systems and networks What is information security? Notes Who are these authorized parties the definitions speak of? Who is an authorized party? How are they authorized? By whom? Parties : human beings controlling computer system, or programs acting on their behalf Authorization : decision a principal must take on whether a party is allowed to undertake a task Authorization decision is the fundamental challenge of security engineering 15 / 41 What is security? Some definitions What is digital information? Computer systems and networks What is information security? Notes Identification vs. Authentication vs. Authorization Identification, authentication and authorization answer different questions Identification: Who are you? Authentication: Is it really you? Authorization: Knowing who you are, are you allowed to do something? Common mistake: conflating these concepts Deploying an authentication system does not solve the authorization problem 16 / 41 What is security? Some definitions What is digital information? Computer systems and networks What is information security? Notes How computers identify people In order to authorize a user to access computer resources, systems must figure out who they’re interacting with Computer systems store (ID, attribute) pairs Upon encountering a user, the system prompts for the ID and attribute. IDs should be unique If the attribute is only known to the user (e.g., a password), it can be used to authenticate the user to the system 17 / 41
What is security? Some definitions What is digital information? Computer systems and networks What is information security? Notes Case study: authentication and authorization at ATMs ATM Bank Authentication steps 1. Insert card 2. Request matching PIN 3. Enter PIN Authorization steps 4. How much to withdraw? 5. Request $100 6. Balance ≥ $100? 7. Approve withdrawal 8. Dispense $100 18 / 41 What is security? Some definitions What is digital information? Computer systems and networks What is information security? Notes Authentication failure: ATM fails to authenticate user ATM Bank Authentication steps 1. Insert card 2. Request matching PIN Guess PIN 3. Enter PIN Authorization steps Mallory 4. How much to withdraw? 5. Request $100 6. Balance ≥ $100? 7. Approve withdrawal 8. Dispense $100 19 / 41 What is security? Some definitions What is digital information? Computer systems and networks What is information security? Notes Card skimmers: ATM incorrectly authenticates user Source: http://krebsonsecurity.com/all-about-skimmers/ 20 / 41 What is security? Some definitions What is digital information? Computer systems and networks What is information security? Notes Authentication failure: User fails to authenticate ATM ATM ATM Bank Authentication steps Fake ATM 1. Insert card 2. Request matching PIN 3. Enter PIN Authorization steps Mallory 4. How much to withdraw? 5. Request $100 6. Balance ≥ $100? 7. Approve withdrawal 8. Dispense $100 21 / 41
What is security? Some definitions What is digital information? Computer systems and networks What is information security? Notes Fake ATMs: User fails to authenticate ATM Source: http://www.wired.com/threatlevel/2009/08/malicious-atm-catches-hackers/ 22 / 41 What is security? Some definitions What is digital information? Computer systems and networks What is information security? Notes Question: how does authentication fail on phishing websites? 23 / 41 Some definitions Computer architecture Computer systems and networks Network architecture Notes Four fundamental ideas of computer architecture 1 Code is data 2 Layers of abstraction 3 Moore’s law 4 Halting problem 25 / 41 Some definitions Computer architecture Computer systems and networks Network architecture Notes The von Neumann computer architecture The pervasive von Neumann computer architecture does not distinguish between instructions for computer programs and data Consequently, Code is Data ⇒ Enables great flexibility in reprogramming computers ⇒ Programs can be costlessly reproduced, not just data There are unfortunate security implications John von Neumann 26 / 41
Recommend
More recommend