Chapter 1: Introduction to Information Security

The document introduces the course IS492 Information Security, focusing on key concepts such as confidentiality, integrity, and availability (CIA), as well as cryptography, access control, protocols, and software security. It emphasizes the importance of understanding both the good and bad perspectives in security, using characters like Alice, Bob, and Trudy to illustrate security concerns and potential vulnerabilities. The course aims to equip students with the knowledge to think like attackers in order to identify and mitigate security risks.

Kingdom of Saudi Arabia
Ministry of Higher Education
Al-Imam Muhammad Ibn Saud Islamic University
College of Computer and Information Sciences

Chapter 1: Introduction
IS492 Information Security

The Cast of Characters

• Alice and Bob are the good guys
• Trudy is the bad “guy”
• Trudy is our generic “intruder”
Alice’s Online Bank

• Alice opens Alice’s Online Bank (AOB)
• What are Alice’s security concerns?
• If Bob is a customer of AOB, what are his security concerns?
• How are Alice’s and Bob’s concerns similar? How are they different?
• How does Trudy view the situation?
CIA == Confidentiality, Integrity, and Availability

• AOB must prevent Trudy from learning Bob’s account balance
• Confidentiality: prevent unauthorized reading of information
  • Cryptography used for confidentiality
• Trudy must not be able to change Bob’s account balance
• Bob must not be able to improperly change his own account balance
• Integrity: detect unauthorized writing of information
  • Cryptography used for integrity
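The integrity goal above says “detect unauthorized writing”, not “prevent it”: a record can always be overwritten on disk, but a keyed tag lets AOB notice the change. The following is an added illustration, not code from the slides or from the textbook, using the Python standard library’s HMAC-SHA256. The key value, the account record and the field names are all constructed for the example.

```python
import hmac
import hashlib
import json

# Constructed example key. A real bank keeps this in its key store; it is the
# one thing Bob must not have, otherwise he could re-tag his own balance.
AOB_INTEGRITY_KEY = b"aob-demo-integrity-key-not-for-production"


def canonical(record: dict) -> bytes:
    """Serialize a record deterministically so the same content always tags identically."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def _tag(body: dict, key: bytes) -> str:
    return hmac.new(key, canonical(body), hashlib.sha256).hexdigest()


def protect(record: dict, key: bytes = AOB_INTEGRITY_KEY) -> dict:
    """Return a copy of the record with an HMAC tag over every field except the tag itself."""
    body = {k: v for k, v in record.items() if k != "tag"}
    return {**body, "tag": _tag(body, key)}


def verify(record: dict, key: bytes = AOB_INTEGRITY_KEY) -> bool:
    """True only if the stored tag matches the current contents."""
    body = {k: v for k, v in record.items() if k != "tag"}
    # compare_digest runs in constant time, so the comparison itself leaks nothing.
    return hmac.compare_digest(_tag(body, key), str(record.get("tag", "")))


def tamper_detected(record: dict, field: str, new_value) -> bool:
    """Simulate an unauthorized write to one field and report whether verify() catches it."""
    modified = dict(record)
    modified[field] = new_value
    return not verify(modified)


if __name__ == "__main__":
    # Constructed sample record for Bob's account.
    bob = protect({"account": "bob", "balance": 100})
    print("untouched record verifies:", verify(bob))
    print("Trudy raises the balance, detected:", tamper_detected(bob, "balance", 1_000_000))
    print("Bob raises his own balance, detected:", tamper_detected(bob, "balance", 999))
```

Two points the slide leaves implicit: the tag gives integrity only, the balance is still readable by anyone who sees the record, so confidentiality needs a separate mechanism (encryption); and the tag catches Bob’s own edits only because Bob does not hold the key, which is why the key belongs to AOB, not to the account holder.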
• AOB’s information must be available whenever it’s needed
• Alice must be able to make transactions
  • If not, she’ll take her business elsewhere
• Availability: Data is available in a timely manner when needed
• Availability is a “new” security concern
  • Denial of service (DoS) attacks
Beyond CIA: Crypto

• How does Bob’s computer know that “Bob” is really Bob and not Trudy?
• Bob’s password must be verified
• What are the security concerns of passwords?
• Are there alternatives to passwords?
• As before, Bob’s password is verified
• Unlike the previous case, network security issues arise
• How do we secure network transactions?
  • Protocols are critically important
  • Crypto plays a critical role in protocols
Beyond CIA: Access Control

• Once Bob is authenticated by AOB, then AOB must restrict Bob’s actions
  • Bob can’t view Charlie’s account info
  • Bob can’t install new software, etc.
• Enforcing these restrictions: authorization
• Access control includes both authentication and authorization
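The two halves of access control named above can be seen in one small model of AOB. This is an added example, not code from the slides or the textbook: authentication is a salted PBKDF2-HMAC-SHA256 password check (one answer to the password concerns raised on the previous slide), and authorization is an access control list keyed by (user, resource). The `AOB` class, its users, resources and passwords are all constructed for the example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

ITERATIONS = 600_000  # PBKDF2 work factor; constructed choice for the example


@dataclass
class Credential:
    salt: bytes
    digest: bytes


def enroll(password: str) -> Credential:
    """Store a salted, slow hash instead of the password itself."""
    salt = os.urandom(16)
    return Credential(salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS))


def authenticate(cred: Credential, password: str) -> bool:
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), cred.salt, ITERATIONS)
    return hmac.compare_digest(digest, cred.digest)


# Used for unknown usernames so a failed login costs the same time either way.
_DUMMY = enroll("dummy-credential-for-timing")


class AOB:
    """Constructed model of Alice's Online Bank: who you are, then what you may do."""

    def __init__(self) -> None:
        self.credentials: dict[str, Credential] = {}
        self.acl: dict[tuple[str, str], set[str]] = {}   # (user, resource) -> actions
        self.sessions: set[str] = set()

    def add_user(self, user: str, password: str) -> None:
        self.credentials[user] = enroll(password)

    def grant(self, user: str, resource: str, *actions: str) -> None:
        self.acl.setdefault((user, resource), set()).update(actions)

    def login(self, user: str, password: str) -> bool:
        """Authentication: is this really Bob?"""
        cred = self.credentials.get(user, _DUMMY)
        ok = authenticate(cred, password) and user in self.credentials
        if ok:
            self.sessions.add(user)
        return ok

    def authorize(self, user: str, resource: str, action: str) -> bool:
        """Authorization: may the authenticated Bob do this? Default deny."""
        if user not in self.sessions:
            return False
        return action in self.acl.get((user, resource), set())


def demo() -> dict[str, bool]:
    bank = AOB()
    bank.add_user("bob", "correct horse battery staple")      # constructed password
    bank.add_user("charlie", "a-different-constructed-password")
    bank.grant("bob", "account:bob", "view", "transfer")
    bank.grant("charlie", "account:charlie", "view", "transfer")
    return {
        "trudy_guesses_bob_password": bank.login("bob", "password123"),
        "bob_logs_in": bank.login("bob", "correct horse battery staple"),
        "bob_views_own_account": bank.authorize("bob", "account:bob", "view"),
        "bob_views_charlie_account": bank.authorize("bob", "account:charlie", "view"),
        "bob_installs_software": bank.authorize("bob", "server", "install_software"),
        "charlie_unauthenticated_view": bank.authorize("charlie", "account:charlie", "view"),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The ACL defaults to deny, so Bob gets nothing he was not explicitly granted, and authorization is refused outright for anyone who has not first authenticated; that ordering is exactly what the slide means by access control including both.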
• Cryptography, protocols, and access control are implemented in software
  • Software is the foundation on which security rests
• What are the security issues of software?
  • Real-world software is complex and buggy
  • Software flaws lead to security flaws
  • How does Trudy attack software?
  • How to reduce flaws in software development?
  • And what about malware?
The People Problem

• People often break security
  • Both intentionally and unintentionally
  • Here, we consider the unintentional
• For example, suppose you want to buy something online
  • To make it concrete, suppose you want to buy Information Security: Principles and Practice, 2nd edition from amazon.com
The People Problem

• To buy from amazon.com…
  • Your Web browser uses the SSL protocol
  • SSL relies on cryptography
  • Access control issues arise
  • All security mechanisms are in software
• Suppose all of this security stuff works perfectly
  • Then you would be safe, right?
The People Problem

• What could go wrong?
• Trudy tries a man-in-the-middle attack
  • SSL is secure, so the attack doesn’t “work”
  • But the Web browser issues a warning
  • What do you, the user, do?
• If the user ignores the warning, the attack works!
  • None of the security mechanisms failed
  • But the user unintentionally broke security
Your Course

• The course consists of four major parts
  • Cryptography
  • Access control
  • Protocols
  • Software
• Note: Our focus is on technical issues
Cryptography

• “Secret codes”
• The course covers
  • Classic cryptography
  • Symmetric ciphers
  • Public key cryptography
Access Control

• Authentication
  1. Passwords
  2. Biometrics
  3. Other methods of authentication
• Authorization
  1. Access Control Lists/Capabilities
  2. Firewalls, intrusion detection (IDS)
Protocols

• “Simple” authentication protocols
  • Focus on basics of security protocols
  • Lots of applied cryptography in protocols
• Real-world security protocols
  • SSH, SSL, IPSec, Kerberos
  • Wireless: WEP, GSM
Software

• Security-critical flaws in software
  • Buffer overflow
  • Race conditions, etc.
• Malware
  • Examples of viruses and worms
  • Prevention and detection
  • Future of malware?
Software

• Software reverse engineering (SRE)
  • How hackers “dissect” software
• Digital rights management (DRM)
  • Shows the difficulty of security in software
  • Also raises OS security issues
• Software and testing
  • Open source, closed source, other topics
Software

• Operating systems
  • Basic OS security issues
  • “Trusted OS” requirements
  • NGSCB: Microsoft’s trusted OS for the PC
• Software is a BIG security topic
  • Lots of material to cover
  • Lots of security problems to consider
  • But not nearly enough time available…
Think Like Trudy

• In the past, no respectable sources talked about “hacking” in detail
  • After all, such info might help Trudy
• Recently, this has changed
  • Lots of books on network hacking, evil software, how to hack software, etc.
  • Classes teach virus writing, SRE, etc.
Think Like Trudy

• Good guys must think like bad guys!
• A police detective…
  • …must study and understand criminals
• In information security
  • We want to understand Trudy’s methods
  • Might think about Trudy’s motives
  • We’ll often pretend to be Trudy
Think Like Trudy

• We must try to think like Trudy
• We must study Trudy’s methods
• We can admire Trudy’s cleverness
• Often, we can’t help but laugh at Alice’s and/or Bob’s stupidity
• But, we cannot act like Trudy
  • Except in this class…
Think Like Trudy

• Is all of this security information a good idea?
• Bruce Schneier (referring to Security Engineering, by Ross Anderson):
  • “It’s about time somebody wrote a book to teach the good guys what the bad guys already know.”
In This Course…

• Think like the bad guy
  • Always look for weaknesses
  • Find the weak link before Trudy does
• It’s OK to break the rules
  • What rules?
• Think like Trudy
  • But don’t do anything illegal!