Computer Security week 16

Computer Security
Set of slides 1
Dr Alexei Vernitski
Information security
• In this module, we concentrate on information
security
• We speak less about physical security
• We do not speak about bugs in computer
software
Example from the news
• Bitcoin exchange Bitstamp halted after
security breach
http://www.ft.com/cms/s/0/668a1b0a-957d-11e4-b3a6-00144feabdc0.html#axzz3O33mRKjx
Example from a web site
• Your password is stored securely using RSA
Encryption with a 1024-bit key, which is the
standard used for secure online bank account
access.
• We use industry-standard 128 bit secure
socket layer SSL encryption to protect data
transmissions between your browser and our
servers, such as your personal information.
http://www.billmonitor.com/security.html
Questions
• Your password is stored
securely using RSA
Encryption with a 1024-bit
key, which is the standard
used for secure online bank
account access.
• We use industry-standard
128 bit secure socket layer
SSL encryption to protect
data transmissions between
your browser and our
servers, such as your
personal information.
• What is more secure: 1024
bits or 128 bits?
• Is either of these two
encodings secure?
• Or are they both secure? In
this case, why use both?
• What is RSA?
• Which security goals are
achieved by these
measures?
Security goals
• Confidentiality
• Integrity
• Availability
• Some others, such as non-repudiation
(read more in the textbooks)
Example: electronic voting system
• http://www.youtube.com/watch?v=QdpGd74DrBM
For discussion
• Confidentiality
• Integrity
• Availability
• Some others, such as
non-repudiation
• Consider an electronic
voting system
• How can these goals be
achieved or not
achieved?
Questions
• Your password is stored
securely using RSA
Encryption with a 1024-bit
key, which is the standard
used for secure online bank
account access.
• We use industry-standard
128 bit secure socket layer
SSL encryption to protect
data transmissions between
your browser and our
servers, such as your
personal information.
• What is more secure: 1024
bits or 128 bits?
• Is either of these two
encodings secure?
• Or are they both secure? In
this case, why use both?
• What is RSA?
• Which security goals are
achieved by these
measures?
Example from a web site
• We have industry standard and proprietary
network monitoring tools constantly running
in our system in order to prevent security
breaches and protect the security of your
data.
• In addition, our secure page employs industry
standard encryption.
http://www.facebook.com/help/212183815469410/
Questions
• We have industry
standard and proprietary
network monitoring tools
constantly running in our
system in order to
prevent security breaches
and protect the security
of your data.
• In addition, our secure
page employs industry
standard encryption.
• Which security goals are
important for Facebook?
• Which security goals are
achieved by the described
measures?
Example from a news item
• Sony has admitted that the personal data of
PSN users, which may have been illegally
accessed in a recent attack on the system, was
not encrypted.
• Thankfully, credit card information was stored
separately to the personal data and was
encrypted.
http://www.bit-tech.net/news/gaming/2011/04/28/sony-admits-personal-data-was-not-encrypted/1
Questions
• Sony has admitted that
the personal data of PSN
users, which may have
been illegally accessed in
a recent attack on the
system, was not
encrypted.
• Thankfully, credit card
information was stored
separately to the personal
data and was encrypted.
• Which security goals were
not achieved by Sony?
• Would encryption help to
achieve these goals?
From recent research
• Firms using encryption software are more
careless about controlling internal access to
encrypted data and their employees are more
careless about computer equipment
containing encrypted data.
http://policybythenumbers.blogspot.co.uk/2011/12/protecting-personal-data-through.html
For discussion
• Firms using encryption
software are more
careless about
controlling internal
access to encrypted
data and their
employees are more
careless about
computer equipment
containing encrypted
data.
• Do you agree with these
research findings?
• Does this mean that
encryption should not
be used?
Example from a web site
• iCloud is built with industry-standard security
practices and employs strict policies to protect
your data.
http://support.apple.com/kb/HT4865
• Apple takes precautions — including
administrative, technical and physical measures
— to safeguard your personal information against
loss, theft and misuse, as well as against
unauthorised access, disclosure, alteration and
destruction.
http://www.apple.com/uk/privacy/
Attack analysis
• Threat
• Vulnerability
• Attack
• Control
(read more in the textbooks)
Attack analysis
• It is important to remember that in this
context, words such as ‘threat’ and ‘control’
are used with special meanings
• A threat describes what can be stolen or
damaged
• A control describes how a vulnerability can be
stopped or repaired
An informal example
For discussion
• Sony has admitted that
the personal data of
PSN users, which may
have been illegally
accessed in a recent
attack on the system,
was not encrypted.
• Analyse this news item
using the terms
– Threat
– Vulnerability
– Attack
– Control
Example from a news item
• MI6 and the CIA have been warned that intelligence
may have been compromised by an agent in
Switzerland who downloaded vast quantities of data
onto portable hard drives and carried it out of a secure
building.
http://www.telegraph.co.uk/news/9722715/MI6-secrets-threatened-as-Swiss-spy-steals-a-mountain-ofdata.html
• The sources say that he downloaded "terabytes" of
classified material from the Swiss intelligence service's
servers onto portable hard drives. He then left the
government building with a backpack containing the
hard drives.
http://www.zdnet.com/swiss-spy-agency-warns-cia-mi6-over-massive-secret-data-theft-7000008282/
For discussion
• MI6 and the CIA have been
warned that intelligence may
have been compromised by an
agent in Switzerland who
downloaded vast quantities of
data onto portable hard drives
and carried it out of a secure
building.
• The sources say that he
downloaded "terabytes" of
classified material from the Swiss
intelligence service's servers onto
portable hard drives. He then left
the government building with a
backpack containing the hard
drives.
• Analyse this news item
using the terms
– Threat
– Vulnerability
– Attack
– Control
Defence against attack: types of control
You may use the following verbs to describe the
action of controls:
• Preempt
• Prevent
• Deter
• Detect
• Deflect
• Recover
(read more in the textbooks)
For discussion
• Student Rachel Hyndman, 20, from Glasgow,
believes she was the victim of webcam hacking.
She spotted the camera on her laptop had
switched itself on while she was watching a DVD
in the bath. She says: "I was sitting in the bath,
trying to relax, and suddenly someone potentially
has access to me in this incredibly private
moment and it's horrifying. To have it happen to
you without your consent is horribly violating."
http://www.bbc.co.uk/news/uk-22967622
For discussion
• She spotted the camera
on her laptop had
switched itself on while
she was watching a DVD
in the bath. She says: "I
was sitting in the bath,
trying to relax, and
suddenly someone
potentially has access to
me in this incredibly
private moment and it's
horrifying.
• Discuss which types of
control could have been
used to defend against
the attack
– Preemption
– Prevention
– Deterrence
– Detection
– Deflection
– Recovery
For discussion
• Sony has admitted that
the personal data of
PSN users, which may
have been illegally
accessed in a recent
attack on the system,
was not encrypted.
• Discuss which types of
control could have been
used to defend against
the attack
– Preemption
– Prevention
– Deterrence
– Detection
– Deflection
– Recovery
Example: online shop
• http://www.amazon.co.uk/
• http://www.johnlewis.com/
• http://store.apple.com/uk
For discussion: online shop
• Confidentiality
• Integrity
• Availability
• (also non-repudiation)
• Threat
• Vulnerability
• Attack
• Control
– Preemption
– Prevention
– Deterrence
– Detection
– Deflection
– Recovery
Security policy
Example: an excerpt from Amazon security policy
• We work to protect the security of your information during transmission
by using Secure Sockets Layer (SSL) software, which encrypts information
you input.
• We reveal only the last four digits of your credit card numbers when
confirming an order. Of course, we transmit the entire credit card number
to the appropriate credit card company during order processing.
• We maintain physical, electronic and procedural safeguards in connection
with the collection, storage and disclosure of personally identifiable
customer information. Our security procedures mean that we may
occasionally request proof of identity before we disclose personal
information to you.
• It is important for you to protect against unauthorised access to your
password and to your computer. Be sure to sign off when you finish using
a shared computer.
Try doing this in your own time
• Find the security policy of the University of
Essex.
• Read it, paying attention to security goals,
attack analysis and controls.
Sample exam questions
• List three main types of security goals
• Apple’s security policy says that Apple takes
measures ‘against unauthorised access,
disclosure, alteration and destruction’. Explain
precisely which security goals would be
compromised by each of the following:
unauthorised access, disclosure, alteration
and destruction.
Sample exam questions
• Read the news item:
– A former Sun newspaper reporter Ben Ashford has
been charged with an offence of unauthorised
access to computer material. The charge alleges
that he "caused a computer to perform a function
with intent to secure unauthorised access to a
program or data held in a computer, knowing that
such access was unauthorised".
• Explain precisely which security goals could be
compromised by Ben Ashford’s alleged actions
Sample exam questions
• Explain in your own words what the terms threat and
vulnerability mean
• Read the news item:
Social networking website LinkedIn has said some of its
members' passwords have been "compromised" after
reports that more than six million passwords had been
leaked onto the internet.
• Comment on this news item using all the necessary
terms for attack analysis
Sample exam questions
• Read the news item:
– Sony has admitted that the personal data of PSN
users, which may have been illegally accessed in a
recent attack on the system, was not encrypted.
– Thankfully, credit card information was stored
separately to the personal data and was
encrypted.
• Comment on this news item using your
knowledge of the types of controls
Sample exam questions
• Read the news item:
– MI6 and the CIA have been warned that intelligence may
have been compromised by an agent in Switzerland who
downloaded vast quantities of data onto portable hard
drives and carried it out of a secure building.
– The sources say that he downloaded "terabytes" of
classified material from the Swiss intelligence service's
servers onto portable hard drives. He then left the
government building with a backpack containing the hard
drives.
• Comment on this news item, using the correct terms
related to security goals, attack analysis and control
types.
Sample exam questions
• The web site of a company claims:
– We have industry standard and proprietary network
monitoring tools constantly running in our system in
order to prevent security breaches and protect the
security of your data.
– In addition, our secure page employs industry
standard encryption.
• Improve this fragment of the company’s security
policy, using the correct terms related to security
goals, attack analysis and control types.
Sample exam questions
• The web site of a company claims:
– Your password is stored securely using RSA
Encryption with a 1024-bit key
– We use industry-standard 128 bit secure socket
layer SSL encryption
• Defend this security policy, explaining why a
1024-bit encryption is used in one case, and a
128-bit encryption in the other.
Sample exam questions
• Consider the following news item:
– “Iran has been forced to disconnect key oil facilities after
suffering a malware attack. The computer virus is
believed to have hit the internal computer systems at
Iran's oil ministry and its national oil company. An Iranian
oil ministry spokesperson was quoted as saying that data
about users of the sites had been stolen as a result of the
attack. Core data about Iran's oil industry remained safe
because it was on computer systems that remain
separate from the net, they added.”
• Comment on this news item, using the correct terms
related to security goals, attack analysis and control
types.
Sample exam questions
• Read the news item:
– A student of Liverpool John Moores university set up
a bogus website which he used in a phishing scam to
get lecturers’ and other students’ log in details.
He then sent emails from academics’ accounts to
their colleagues asking them to forward on exam
papers.
• Comment on this news item, using the correct
terms related to security goals, attack analysis
and control types.