QMCS 490 Class Today - PowerPoint PPT Presentation

Description:

Can it be hacked? Flow analysis (data flow, execution flow) Look at where data might flow ... One-Time Passwords. Example: Passwords on Computers. March 2005. 23 ... – PowerPoint PPT presentation

Provided by: ricks6
1
QMCS 490 - Class Today
  • Information Security life cycle
  • Introductions
  • Security perimeters
  • Assignment

2
The life cycle
  • Identify your practical goals
  • What real things do you want to accomplish?
  • What threats interfere with them?
  • Implement security measures
  • What weaknesses exist?
  • What security measures might work?
  • What are the trade-offs against goals?
  • Measure success
  • Monitor for attacks or other failures
  • Recover from problems
  • Reassess goals and trade-offs

3
So what will the class look at?
  • How to assess security in general
  • Analyzing risk trade-offs
  • Specific security issues and techniques
  • Workstations
  • LANs
  • Distributed networks
  • Internet access
  • E-commerce
  • If time, DRM and extreme security

4
Who are you, who am I
  • Ask your neighbor
  • Name, major
  • Why are you taking this class?
  • Do you 0wn a computer?
  • I.e. can you log in as admin?
  • Give a personal, security-related fact.
  • Experience, skill, incident, etc.

5
Why this course exists
  • Start of an Information Security major
  • Will be US govt certified
  • Four principal special courses
  • Intro course - this one
  • Operating Systems
  • Networking
  • Infosec Analysis - capstone course
  • Analysis course
  • More labs and tools
  • More (very dry) government policy stuff
  • Info Warfare exercise at the end

6
The Syllabus - nuts and bolts
  • Grade = assignments + tests
  • Also a participation grade
  • Attend class, hand in work = good test grade
  • Good grade <= assignments, attend class
  • Typical homework
  • Analyze a security problem, draw a diagram
  • I am planning a couple of labs
  • We have limited lab space (5 machines)
  • May do 30 minute shots at the labs
  • I typically have people do research projects
  • An outline, a paper, and a presentation.
  • Not sure this time

7
The Syllabus
  • Concepts we'll cover
  • Practical security planning and assessment
  • Risk trade offs - the concept
  • Role of security policies
  • Environments - in order of breadth
  • Personal desktop/laptop
  • Shared computer
  • Local network
  • Internet access from LAN
  • Distributed LANs
  • E-commerce

8
Two security assessment techniques
  • Perimeter analysis
  • Look at the boundary protecting an asset
  • Look at access points in the boundary
  • Who might want the asset?
  • What attacks will break the boundary?
  • What attacks will break the access points?
  • Is the inside benign itself? Can it be hacked?
  • Flow analysis (data flow, execution flow)
  • Look at where data might flow
  • Assess mechanisms to restrict the flow
  • Assess attacks that can divert the flow
  • Look at flow of execution and possible diversion

9
Part of this semester's agenda
  • I'm writing a book on elementary security
  • We'll look at chapters in this class
  • I thought I'd have one ready for today
  • It's not finished yet.
  • Internet Cryptography
  • An old book, but
  • It talks about security, perimeters, and
    information flow
  • Provides the basics and concepts for networking
    crypto

10
Personal Computer Security
  • Share a dorm room?
  • Share an apartment?
  • Share a home?
  • My computer - a security objective
  • I'll kill you if you touch it
  • a policy statement?

11
Extreme Workstation Security
  • Does this achieve our goals?

12
Threats & Vulnerabilities
An attempt to steal or harm the asset is an attack

13
A real world example
  • There is a company
  • Thieves walk into their buildings every day
  • The front door is unlocked all day long
  • Valuable company property is just lying around
  • The thieves pick it up and carry it away
  • Most thieves, but not all, get away?
  • WHAT IS THIS STUPID COMPANY?
  • Why don't they lock the door, at least?

14
Security analysis: your PC
  • Threats?
  • Who, why?
  • Vulnerabilities?
  • What bad can happen?
  • What allows the badness to happen?
  • Can we just lock it up?
  • Put it in a room
  • Put a lock on the door.
  • Don't share the key
  • Does this work?

15
Physically securing an area
  • What is a secure perimeter?
  • Contiguous - no breaks
  • A barrier - actually blocks some attacks
  • Minimal number of openings
  • Access restrictions on the openings
  • Example: my house
  • Wooden frame building - keeps out wild dogs
  • Glass windows with storms - ditto
  • Locked doors - ditto
  • Metal fence - ditto
  • Gates in the fence - ditto

16
Security Analysis
  • What are the threats?
  • Wild dogs
  • Burglars
  • People collecting for nasty charities
  • What are the defenses?
  • Are there effective attacks on them?
  • Effective threats might use them

17
Is this a complete list of threats?
  • Of course not.
  • Study history, the news, experience,
    introspection
  • Generate a better list
  • A notion of threats
  • Threat: anyone with strongly different goals
  • Example: Burger King vs McDonalds
  • Both sort of have the same goal: sell burgers
  • In fact, BK wants to sell BK burgers, while Mac
    wants to sell Mac burgers
  • BK people are not trusted in McDonalds places

18
Potential vs Real Threats
  • Potential Threat: strongly different goals
  • Not a member of the family, company, community
  • Member of competing entity
  • But not necessarily motivated to do you harm
  • Real Threat: history of attacks
  • Good neighborhood: neighbors not a threat
  • Bad neighborhood: neighbors have caused
    trouble in the past

19
Now, the Defenses
  • Physical world
  • Physical barriers - slow them down a lot
  • Locks - slow them down, restrict access
  • Alarms - call for help
  • Warnings - show you care
  • Computer world
  • Examples?

20
What defenses are effective?
  • Concept of work factor
  • How hard does the attacker have to work to
    overcome the defense?
  • May be computed in hours
  • May be computed in likelihood over time
  • Example: average of 3 days, .25M to crack DES
  • Effective
  • Work Factor > threat's motivation or skill
  • My Home Example
  • Wild dogs: motivated but not resourceful
  • Charity people: resourceful but not motivated
  • Burglars may be both, but hopefully not too much
    so
  • Or, deterred by the alarm, and the large dog
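
An added worked example of the work-factor slide (not part of the original deck): it turns the slide's DES figure into a trial rate, then expresses work factor both in hours and as likelihood over time for other key sizes. The constant-rate exhaustive search model, the comparison key sizes and the 30-day attacker budget are assumptions made for illustration.

```python
# Added example: work factor "computed in hours" and "in likelihood over time".
# Assumption: exhaustive key search at a constant trial rate; on average the
# key turns up after half of the key space has been tried.

SECONDS_PER_DAY = 86_400


def implied_rate(key_bits, average_days):
    """Trials per second implied by an average time-to-crack."""
    return 2 ** (key_bits - 1) / (average_days * SECONDS_PER_DAY)


def average_hours(key_bits, rate):
    """Work factor in hours: expected search time at `rate` trials/s."""
    return 2 ** (key_bits - 1) / rate / 3600


def success_probability(key_bits, rate, hours):
    """Work factor as likelihood: chance the key is found within `hours`."""
    return min(1.0, rate * hours * 3600 / 2 ** key_bits)


def is_effective(work_factor_hours, attacker_budget_hours):
    """The slide's test: work factor exceeds what the threat will invest."""
    return work_factor_hours > attacker_budget_hours


# The slide's figure: DES (56-bit key) cracked in 3 days on average.
DES_RATE = implied_rate(56, 3)


def report(budget_hours=24 * 30):
    """Same rig, constructed 30-day attacker budget, several key sizes."""
    rows = []
    for bits in (40, 56, 64, 128):  # comparison sizes are assumptions
        hours = average_hours(bits, DES_RATE)
        chance = success_probability(bits, DES_RATE, budget_hours)
        rows.append((bits, hours, chance, is_effective(hours, budget_hours)))
    return rows


if __name__ == "__main__":
    for bits, hours, chance, ok in report():
        print(f"{bits:>3}-bit  avg {hours:.3g} h  "
              f"P(found in 30 days)={chance:.3g}  effective={ok}")
```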

21
How does this relate to computers?
  • Defenses are always a trade off
  • The same reasoning applies to both
  • All security begins with physical security

22
Evolution of Attacks and Defenses
  • Example: Passwords on Computers
  • [Diagram with two columns, Attacks and Defenses. Labels as extracted: ??, One-Time Passwords, Password Tokens, Network Sniffing, Memory Protection, Password Sharing, Guess Detection, Keystroke Sniffing, Password Hashing, Guessing, Passwords, Steal the Password File, Remote Terminals, Masquerade]

23
The homework assignment
  • Two parts
  • A: describe your computer sharing policy
  • B: describe physical protection of your computer

24
Creative Commons License
  • This work is licensed under the Creative Commons
    Attribution-Share Alike 3.0 United States
    License. To view a copy of this license, visit
    http://creativecommons.org/licenses/by-sa/3.0/us/
    or send a letter to Creative Commons, 171 Second
    Street, Suite 300, San Francisco, California,
    94105, USA.