usable security finish physical security spring 2016
play

Usable Security [finish] & Physical Security Spring 2016 - PowerPoint PPT Presentation

May 28, 2023 •267 likes •395 views

CSE 484 / CSE M 584: Computer Security and Privacy Usable Security [finish] & Physical Security Spring 2016 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno, John

  1. CSE 484 / CSE M 584: Computer Security and Privacy Usable Security [finish] & Physical Security Spring 2016 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno, John Manferdelli, John Mitchell, Vitaly Shmatikov, Bennet Yee, and many others for sample slides and materials ...

  2. Question • Q. What are the root causes of usability issues in computer security? 5/26/16 CSE 484 / CSE M 584 - Spring 2016 2

  3. Why is Usable Security Hard? 1. Lack of intuition – See a safe, understand threats. Not true for computers. 2. Who’s in charge? – Doctors keep your medical records safe, you manage your passwords. 3. Hard to gauge risks – “It would never happen to me!” 4. No accountability – Asset-holder is not the only one you can lose assets. 5. Awkward, annoying, or difficult 6. Social issues 5/26/16 CSE 484 / CSE M 584 - Spring 2016 3

  4. Question • Q. What approaches can we take to mitigate usability issues in computer security? 5/26/16 CSE 484 / CSE M 584 - Spring 2016 4

  5. Response #1: Education and Training • Education: – Teaching technical concepts, risks • Training – Change behavior through: • Drill • Monitoring • Feedback • Reinforcement • Punishment • May be part of the solution – but not the solution 5/26/16 CSE 484 / CSE M 584 - Spring 2016 5

  6. Response #2: Security Should Be Invisible • Security should happen – Naturally – By Default – Without user input or understanding • Recognize and stop bad actions • Starting to see some invisibility – SSL/TLS – VPNs – Automatic Security Updates – User-driven access control 5/26/16 CSE 484 / CSE M 584 - Spring 2016 6

  7. Response #2: Security Should Be Invisible • “Easy” at extremes, or for simple examples – Don’t give everyone access to everything • But hard to generalize • Leads to things not working for reasons user doesn’t understand • Users will then try to get the system to work, possibly further reducing security – E.g., “dangerous successes” for password managers 5/26/16 CSE 484 / CSE M 584 - Spring 2016 7

  8. Response #3: “3 Word UI”: “Are You Sure?” • Security should be invisible – Except when the user tries something dangerous – In which case a warning is given • But how do users evaluate the warning? Two realistic cases: – Always heed warning. But see problems / commonality with Response #2 (“security should be invisible”) – Always ignore the warning. If so, then how can it be effective? 5/26/16 CSE 484 / CSE M 584 - Spring 2016 8

  9. Response #4: Focus on Users, Use Metaphors • Clear, understandable metaphors: – Physical analogs; e.g., red-green lights • User-centered design: Start with user model • Unified security model across applications – User doesn’t need to learn many models, one for each application • Meaningful, intuitive user input – Don’t assume things on user’s behalf – Figure out how to ask so that user can answer intelligently 5/26/16 CSE 484 / CSE M 584 - Spring 2016 9

  10. Response #5: Least Resistance • “Match the most comfortable way to do tasks with the least granting of authority” – Ka-Ping Yee, Security and Usability • Should be “easy” to comply with security policy • “Users value and want security and privacy, but they regard them only as secondary to completing the primary tasks” – Karat et al, Security and Usability 5/26/16 CSE 484 / CSE M 584 - Spring 2016 10

  11. Now: Physical Security • Relate physical security to computer security – Locks, safes, etc • Why? – More similar than you might think! – Lots to learn: • Computer security issues are often abstract; hard to relate to • But physical security issues are often easier to understand – Hypothesis: • Thinking about the “physical world” in new (security) ways will help you further develop the “security mindset” • You can then apply this mindset to computer systems, … 5/26/16 CSE 484 / CSE M 584 - Spring 2016 11

  12. Lockpicking • The following slides will not be online. • But if you’re interested in the subject, we recommend: – Blaze, “Cryptology and Physical Security: Rights Amplification in Master-Keyed Mechanical Locks” – Blaze, “Safecracking for the Computer Scientist” – Tool, “Guide to Lock Picking” – Tobias, “Opening Locks by Bumping in Five Seconds or Less” • Careful: possessing lock picks is legal in Washington State, but not everywhere! 5/26/16 CSE 484 / CSE M 584 - Spring 2016 12

Recommend

Admin Monday is a holiday! Project checkpoint #2 due Wed, 5/31, 11:59pm Lab 3 due Fri

Admin Monday is a holiday! Project checkpoint #2 due Wed, 5/31, 11:59pm Lab 3 due Fri

CSE 484 / CSE M 584: Computer Security and Privacy Mobile Platform Security [finish], Usable Security [start] Spring 2017 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno, Ada

764 views • 48 slides
Software$Security$ (finish) $ & $ Cryptography $(brief$intro) $ Spring'2016' '

Software$Security$ (finish) $ & $ Cryptography $(brief$intro) $ Spring'2016' '

CSE$484$/$CSE$M$584:$$Computer$Security$and$Privacy$ $ Software$Security$ (finish) $ & $ Cryptography $(brief$intro) $ Spring'2016' ' Franziska'(Franzi)'Roesner'' franzi@cs.washington.edu'

419 views • 29 slides
A (re)introduction to Spring Security Agenda Before Spring Security: Acegi security

A (re)introduction to Spring Security Agenda Before Spring Security: Acegi security

A (re)introduction to Spring Security Agenda Before Spring Security: Acegi security Introducing Spring Security View layer security Whats coming in Spring Security 3 E-mail: craig@habuma.com Blog: http://www.springloaded.info

452 views • 19 slides
Usable Security Spring 2015 Franziska (Franzi) Roesner

Usable Security Spring 2015 Franziska (Franzi) Roesner

CSE 484 / CSE M 584: Computer Security and Privacy Usable Security Spring 2015 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan

1.11k views • 55 slides
Admin Today: finish web privacy, start mobile security Friday: Lab #2 due (8pm)

Admin Today: finish web privacy, start mobile security Friday: Lab #2 due (8pm)

CSE 484 / CSE M 584: Computer Security and Privacy Web Privacy [finish] Mobile Platform Security [start] Spring 2017 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno, Ada Lerner,

535 views • 29 slides
Usable security for control systems Jun Ho Huh Honeywell ACS Labs, research scientist

Usable security for control systems Jun Ho Huh Honeywell ACS Labs, research scientist

Usable security for control systems Jun Ho Huh Honeywell ACS Labs, research scientist junho.huh@honeywell.com Honeywell.com What is usable security? Building security solutions that are intuitive and easy to use Many security

350 views • 9 slides
Social Engineering and Physical Security Spring 2015

Social Engineering and Physical Security Spring 2015

CSE 484 / CSE M 584: Computer Security and Privacy Social Engineering and Physical Security Spring 2015 Franziska (Franzi) Roesner

425 views • 13 slides
Introduction to Human Computer Interaction Course on NPTEL, Spring 2018 Week 7 Usable Security

Introduction to Human Computer Interaction Course on NPTEL, Spring 2018 Week 7 Usable Security

Introduction to Human Computer Interaction Course on NPTEL, Spring 2018 Week 7 Usable Security Ponnurangam Kumaraguru (PK) Associate Professor ACM Distinguished & TEDx Speaker Linkedin/in/ponguru/ 1 fb/ponnurangam.kumaraguru,

949 views • 60 slides
Web Security: Web Application Security Spring 2016 Franziska (Franzi) Roesner

Web Security: Web Application Security Spring 2016 Franziska (Franzi) Roesner

CSE 484 / CSE M 584: Computer Security and Privacy Web Security: Web Application Security Spring 2016 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno, John Manferdelli, John

874 views • 34 slides
Mobile Platform Security (finish) Fall 2016 Ada (Adam) Lerner lerner@cs.washington.edu Thanks

Mobile Platform Security (finish) Fall 2016 Ada (Adam) Lerner lerner@cs.washington.edu Thanks

CSE 484 / CSE M 584: Computer Security and Privacy Mobile Platform Security (finish) Fall 2016 Ada (Adam) Lerner lerner@cs.washington.edu Thanks to Franzi Roesner, Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno, John Manferdelli, John

807 views • 78 slides
Web Security: Basic Web Security Model Spring 2016 Franziska (Franzi) Roesner

Web Security: Basic Web Security Model Spring 2016 Franziska (Franzi) Roesner

CSE 484 / CSE M 584: Computer Security and Privacy Web Security: Basic Web Security Model Spring 2016 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno, John Manferdelli, John

498 views • 31 slides
Tools for Security Physical security Access control Encryption Authentication

Tools for Security Physical security Access control Encryption Authentication

Tools for Security Physical security Access control Encryption Authentication Encapsulation Intrusion detection Common sense Lecture 2 Page 1 CS 236 Online Physical Security Lock up your computer Actually,

465 views • 35 slides
Election Security and Integrity What is election security? What is election integrity? Election

Election Security and Integrity What is election security? What is election integrity? Election

Election Security and Integrity What is election security? What is election integrity? Election Security = Physical Security + Cybersecurity Physical Security Security plans Secure storage of voting machines and electronic pollbooks

341 views • 13 slides
CS 480/ 557 Computer Security I ntroduction to I nf ormation 1. Physical Security 2.Human

CS 480/ 557 Computer Security I ntroduction to I nf ormation 1. Physical Security 2.Human

Overview CS 480/ 557 Computer Security I ntroduction to I nf ormation 1. Physical Security 2.Human Security 3.Program Security Security Computer security threats Unintentional: - Coding faults - Operational faults -

238 views • 8 slides
Digital Security of Physical Objects Slava Voloshynovskiy Stochas:c Informa:on Processing Group

Digital Security of Physical Objects Slava Voloshynovskiy Stochas:c Informa:on Processing Group

1 Digital Security of Physical Objects Slava Voloshynovskiy Stochas:c Informa:on Processing Group University of Geneva Switzerland SCURIT DE LINFORMATION, 2016 2 Outline Physical object security Why not tradi:onal security? Proposed

789 views • 21 slides
Mobile Device and Platform Security John Mitchell Two lectures on mobile security Introduction:

Mobile Device and Platform Security John Mitchell Two lectures on mobile security Introduction:

Spring 2018 CS 155 Mobile Device and Platform Security John Mitchell Two lectures on mobile security Introduction: platforms and trends Threat categories n Physical, platform malware, malicious apps Defense against physical theft Thurs

1.28k views • 64 slides
Introduction to Computer Security Session 1.5 Usable Security and Secure Messaging Prof. Nadim

Introduction to Computer Security Session 1.5 Usable Security and Secure Messaging Prof. Nadim

CSCI-UA.9480 Introduction to Computer Security Session 1.5 Usable Security and Secure Messaging Prof. Nadim Kobeissi 1.5a Usable Security: Then and Now 2 CSCI-UA.9480: Introduction to Computer Security Nadim Kobeissi Humans are

1.24k views • 67 slides
DNSCurve: Usable security for DNS D. J. Bernstein Research Professor Center for RITES: Research

DNSCurve: Usable security for DNS D. J. Bernstein Research Professor Center for RITES: Research

DNSCurve: Usable security for DNS D. J. Bernstein Research Professor Center for RITES: Research and Instruction in Technologies for Electronic Security Department of Computer Science University of Illinois at Chicago The Domain Name

598 views • 48 slides
The End of Software Security (and some Cryptography) Spring 2016 Ada (Adam) Lerner

The End of Software Security (and some Cryptography) Spring 2016 Ada (Adam) Lerner

CSE 484 / CSE M 584: Computer Security and Privacy The End of Software Security (and some Cryptography) Spring 2016 Ada (Adam) Lerner lerner@cs.washington.edu Thanks to Franzi Roesner, Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno, John

870 views • 76 slides
Usable Security Fall 2017 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan

Usable Security Fall 2017 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan

CSE 484 / CSE M 584: Computer Security and Privacy Usable Security Fall 2017 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno, Ada Lerner, John Manferdelli, John Mitchell,

715 views • 34 slides
Web Security Cyber Security Lab Spring '10 04/15/10 Cyber Security Lab 1 Outline Web

Web Security Cyber Security Lab Spring '10 04/15/10 Cyber Security Lab 1 Outline Web

Web Security Cyber Security Lab Spring '10 04/15/10 Cyber Security Lab 1 Outline Web application weaknesses XSS AJAX weaknesses SQL Injection Attacks (Slides from Lars Olson)

588 views • 41 slides
What Does the Brain Tell Us about Usable Security? Anthony Vance Brigham Young University Given

What Does the Brain Tell Us about Usable Security? Anthony Vance Brigham Young University Given

What Does the Brain Tell Us about Usable Security? Anthony Vance Brigham Young University Given a choice between dancing pigs and security, users will pick dancing pigs every time. Felton and McGraw (1999) clicky lusers BYU LAB

1.12k views • 84 slides
Usable Security of Named Data Networking Yingdi Yu 1 Traditional communication model of

Usable Security of Named Data Networking Yingdi Yu 1 Traditional communication model of

Usable Security of Named Data Networking Yingdi Yu 1 Traditional communication model of Internet Speaking to a host end-to-end channel Communication security container-based authenticity: X.509, Certificate

678 views • 57 slides
CS 598 - Computer Security in the Physical World: Project Submission #1 & Pacemakers and

CS 598 - Computer Security in the Physical World: Project Submission #1 & Pacemakers and

CS 598 - Computer Security in the Physical World: Project Submission #1 & Pacemakers and Implantable Cardiac Defibrillators Professor Adam Bates Fall 2016 Security & Privacy Research at Illinois (SPRAI) Oct 4th Deliverable

792 views • 20 slides

More recommend