Where we are and where were going

1
04/03

• Where we are and where were going
• Summarize Bishop Chapter 1
• Discuss Schneier
• Discuss Bishop Chapter 2

2
Topics and Readings

• Currently what is security?
• Next security models and policies (3 sessions
  including today)
• Chapters 2, 4, 5, 6, 7, and e-reserve chapter on
  government standards
• Afterward (14 sessions available)
• Cryptography (4 sessions)
• Secure coding (2 sessions)
• Malicious code (4 sessions)
• Network security (2 sessions)
• Wireless security (1 session)
• Detection and Forensics (1 to 2 sessions)

3
Bishop, Chapter 1

• Properties of any information system
• will deliver accurately (integrity)
• according to expectations (availability)
• only as appropriate (confidentiality)
• Since there is value in information, attacking
  any of these three properties might have positive
  value to the attacker
• inaccurate information might be exploited to the
  attackers value
• attacking availability decreases the value of the
  information system, and might as a result
  increase the value of a competitive system
  (zero-sum game)
• attacking confidentiality has value because
  information has value
• (and of course theres just the sheer fun of
  causing trouble and becoming famous)

4
Security and Policies

• Security is a relative thing
• what constitutes confidentiality, integrity,
  availability
• what resources are likely to be attacked
• A security policy (in theory) consists of binary
  statements about what constitutes
  confidentiality, integrity, and (to a lesser
  extent) availability
• security violation if non-privileged user sees
  the system log
• security violation if any program except the web
  server writes into the system log
• Security (in theory) is defined inductively
  system is secure if it starts in a secure state,
  and no operation can move it into a non-secure
  state (according to a policy)

5
Security Mechanisms

• Security mechanisms are built in support of
  policies
• file protection mechanisms in the OS
• correctness proofs / tests for software
• encryption policies
• secure rooms
• The statement that a mechanism enforces a policy
  is subjective and difficult to prove
• Mechanisms are costly, invasive, and imperfect,
  so its more accurate to talk about the expected
  cost and expected benefit of a policy
• economic and non-economic costs of implementation
• likelihood that certain violations will happen
  anyway
• costs of recovering from those violations
• Detection and Recovery are equal partners in
  building a secure system

6
Trust and Assurance

• Trust is exactly related to the uncertain nature
  of security characterizations
• its how the user reacts to the argument in
  support of the security mechanism (this mechanism
  is good enough that you should use the system)
• Assurance is exactly justifying the mechanism to
  the user
• Example credit cards on e-commerce sites
• cryptography will prevent an external snooper
  from getting your card number
• our internal controls will prevent an employee
  from getting your card number
• but if they do, we wont charge you for the goods

7
Final Words

• Security is in the eye of the stakeholders (the
  business, the customers)
• Security is not an all-or-nothing thing
• Security is holistic
• Apart from confidentiality (maybe), the issues
  are not unique to the security area
• integrity correctness
• assurance testing and model validation

8
For Next Time

• Bishop Chapter 4
• Bishop Chapter 5, skip 5.2.3, 5.2.4, 5.4
• On deck
• Bishop chapter 6
• Bishop chapter 7 (skip 7.1.2)
• Inside the Orange Book on e-reserve https//ere
  serves.tacoma.washington.edu/