# 55 Security

###### tags: `dartmouth`

1. **Fundamentals** (Ch. 1)
    - Confidentiality, Integrity, and Availability
        - **Confidentiality**: the ability of a system to ensure that an asset is *viewed* only by authorized parties
        - **Integrity**: the ability of a system to ensure that an asset is *modified* only by authorized parties
        - **Availability**: the ability of a system to ensure that an asset *can be used* by any authorized parties
    - Identification and Authentication
        - **Identification**: the act of asserting who a person is
        - **Authentication**: the act of proving that asserted identity: that the person is who she says she is
2. **Authorization and Access Control** (Ch. 2.0-2.2)
    - Saltzer’s and Schroeder’s principles of secure design
        - **Economy of mechanism**: Keep the design as simple and small as possible
        - **Fail-safe defaults**: Base access decisions on permission rather than exclusion
        - **Complete mediation**: Every access to every object must be checked for authority
        - **Open design**: The design should not be secret
        - **Separation of privilege**: Where feasible, a protection mechanism that requires two keys to unlock it is more robust and flexible than one that allows access to the presenter of only a single key
        - **Least privilege**: Every program and every user of the system should operate using the least set of privileges necessary to complete the job
        - **Least common mechanism**: Minimize the amount of mechanism common to more than one user and depended on by all users
        - **Psychological acceptability**: It is essential that the human interface be designed for ease of use, so that users routinely and automatically apply the protection mechanisms correctly
        - **Work factor**: Compare the cost of circumventing the mechanism with the resources of a potential attacker
        - **Compromise recording**: It is sometimes suggested that mechanisms that reliably record that a compromise of information has occurred can be used in place of more elaborate mechanisms that completely prevent loss
    - Access control
        - **Access control**: limiting who can access what in what ways
        - **Effective policy implementation**:
            - Check every access
            - Enforce least privilege
            - Verify acceptable usage
3. **Ciphers and cryptographic hashes** (Ch. 2.3 and appendix)
    - Symmetric and asymmetric ciphers and their uses
        - Symmetric ciphers: DES, Triple-DES, AES
        - Asymmetric cipher: RSA
    - Cryptographic hash functions
        - Easy to compute HASH(x)
        - Hard to find x given HASH(x)
        - Infeasible to find two distinct messages x and y such that HASH(x) = HASH(y)
        - A small change in the input x results in a large change in the output HASH(x)
    - Digital signatures
    - Certificates and public key infrastructure
        - PKI hierarchy
        - Cross certification
        - Bridge CA
4. **Malware** (Ch. 5)
    - Viruses and worms in general
        - **Virus**: code with malicious purpose, intended to spread
        - **Worm**: program that spreads copies of itself through a network
        - **Trojan horse**: program with a benign apparent effect but a second, hidden, malicious effect
5. **Networks** (Ch. 6, but not wireless)
    - Network threats
        - **Interception**, or unauthorized viewing
        - **Modification**, or unauthorized change
        - **Fabrication**, or unauthorized creation
        - **Interruption**, or preventing authorized access
    - Denial of service and distributed denial of service protections (**DoS/DDoS**)
        - DoS attacks usually try to flood a victim with excessive demand.
        - DDoS attacks change the balance between adversary and victim by marshalling many forces on the attack side.
        - Bots and botnets
    - SSL (Secure Sockets Layer) and VPN
        - **SSL**: encrypted communication between a browser and the remote web host (its websites)
        - **VPN**: encrypted links within a network; simulates the security of a dedicated, protected communication line on a shared network.
    - Firewalls
        - **Firewall**: a computer traffic cop that permits or blocks data flow between two parts of a network architecture. It is the only link between the parts.
        - Firewalls enforce predetermined rules governing what traffic can flow.
        - ![](https://i.imgur.com/f0cj7pu.png)
    - Intrusion detection and prevention systems (IDS) (Ch. 6.8)
        - **IDS**: a device, typically another separate computer, that monitors activity to identify malicious or suspicious events.
        - **Intrusion prevention systems**: extend IDS technology with a built-in protective response.
6. **Cloud** (Ch. 8)
    - What is a cloud service?
        - On-demand self-service
        - Broad network access
        - Resource pooling
        - Rapid elasticity
        - Measured service
    - Risks to consider when choosing cloud services
        - Identify assets
        - Determine vulnerabilities
        - Estimate likelihood of exploitation
        - Compute expected loss
        - Survey and select new controls
        - Project savings
    - Security tools for cloud environments (Ch. 8.3)
        - Data Protection in the Cloud
        - Cloud Storage
        - Data Loss Prevention (DLP)
        - Cloud Application Security
        - Logging and Incident Response
7. **Security management** (Ch. 10)
    - Security and incident response
        - **Incident response plan**: tells whom to contact in the event of an incident, which may be just an unconfirmed, unusual situation
            - defines what constitutes an *incident*
            - identifies who is responsible for *taking charge* of the situation
            - describes the plan of *action*
        - Advance planning
        - Responding: incident response teams
            - “*Is this really an incident?*” is the most important question.
        - After the incident is resolved:
            - *Is any security control action to be taken?*
            - *Did the incident response plan work?*
    - Business continuity planning (Ch. 10.2)
        - **Business continuity planning**: guides response to a crisis that threatens a business’s existence.
            - focuses on business needs
            - Assess the business impact of a crisis.
            - Develop a strategy to control the impact.
            - Develop and implement a plan for the strategy: who is in charge? what is to be done? who does it?
    - Handling natural and human-caused disasters
8. **Privacy** (Ch. 9)
    - Privacy: what is it?
        - **Privacy**: the right to control who knows certain things about you.
            - sensitive data (object)
            - affected parties (subject)
            - controlled disclosure (access right)
        - **Privacy** as an aspect of **security** ![](https://i.imgur.com/cj7t11H.png)
    - **Authentication** effects on privacy (Ch. 9.3)
        - Authentication is confirming an asserted identity. Inferring an identity from authentication data is far harder and less certain.
        - ![](https://i.imgur.com/7xFYhl8.png)
    - Privacy and the Internet (Ch. 9.5)
    - Privacy-enhancing technology (e.g., zero knowledge)
9. **Legal and ethics** (Ch. 11.0-11.6)
    - Value of information
        - Information has value unrelated to whatever medium contains it
        - Information can be replicated
        - Information has a minimal marginal cost
        - The value of information is often time dependent
        - Information is often transferred intangibly
    - Legal and ethical issues/challenges
        - Computer crime is a multinational activity.
        - Computer attacks affecting many people tend to be complex, involving people and facilities in several countries, thus complicating prosecution.
        - Even with the definitions included in the statutes, the courts must interpret what a computer is.
10. **IoT** (Ch. 13.1)
    - **IoT**: a world of interconnected smart devices not ordinarily thought of as computers.
    - Security and privacy issues of the IoT
11. **Voting** (Ch. 13.3)
    - Goals of elections
    - Constraints on elections
    - Pros and cons of election/ballot technology options
12. **Cyberwar** (Ch. 13.4)
    - What is cyberwar?
    - Attribution
    - Asymmetry
    - Defense and deterrence
13. **AI risks** (notes and slides)
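The following toy reference monitor is an added worked example for section 2 (it is not code from the course notes or the textbook). It puts several of the Saltzer and Schroeder principles and the three policy rules (check every access, enforce least privilege, verify acceptable usage) into working code. The subject names (`backup-job`, `hr-admin-1`, `intern`), the object `payroll.db` and the `Right` enum are all constructed for illustration.

```python
"""Added example, not from the course notes or the textbook: a toy reference
monitor that applies fail-safe defaults, complete mediation, least privilege,
separation of privilege and compromise recording. All subject, object and
right names below are constructed."""
from enum import Enum


class Right(Enum):
    READ = "read"
    WRITE = "write"


class ReferenceMonitor:
    """Every access decision goes through check() (complete mediation). A subject
    with no entry for an object is denied (fail-safe default), and every decision,
    allowed or denied, is appended to an audit log (compromise recording)."""

    def __init__(self) -> None:
        # object -> subject -> rights held: one access control list per object
        self._acl: dict[str, dict[str, set[Right]]] = {}
        self.audit_log: list[tuple[str, str, str, str]] = []

    def grant(self, subject: str, obj: str, *rights: Right) -> None:
        self._acl.setdefault(obj, {}).setdefault(subject, set()).update(rights)

    def revoke(self, subject: str, obj: str, *rights: Right) -> None:
        # A missing entry yields a throwaway empty set, so revoking is always safe.
        self._acl.get(obj, {}).get(subject, set()).difference_update(rights)

    def check(self, subject: str, obj: str, right: Right) -> bool:
        # Unknown object or unknown subject falls through to the empty set: deny.
        allowed = right in self._acl.get(obj, {}).get(subject, set())
        self.audit_log.append(("ALLOW" if allowed else "DENY", subject, right.value, obj))
        return allowed

    def check_two_keys(self, first: str, second: str, obj: str, right: Right) -> bool:
        """Separation of privilege: a sensitive action needs two distinct subjects
        who each hold the right, so one compromised account is not enough."""
        if first == second:
            self.audit_log.append(("DENY", first, right.value, obj))
            return False
        ok_first = self.check(first, obj, right)    # both checks are logged,
        ok_second = self.check(second, obj, right)  # even when the first fails
        return ok_first and ok_second

    def denials(self) -> list[tuple[str, str, str, str]]:
        """The audit entries an analyst would review for signs of misuse."""
        return [entry for entry in self.audit_log if entry[0] == "DENY"]


def run_scenario() -> tuple[dict[str, bool], ReferenceMonitor]:
    """Constructed scenario: a backup job holds only READ on the payroll file
    (least privilege), so its WRITE attempt is refused; a subject with no entry
    is refused by default; a sensitive WRITE is modelled as needing two admins."""
    rm = ReferenceMonitor()
    rm.grant("backup-job", "payroll.db", Right.READ)
    rm.grant("hr-admin-1", "payroll.db", Right.READ, Right.WRITE)
    rm.grant("hr-admin-2", "payroll.db", Right.READ, Right.WRITE)
    results = {
        "backup_reads": rm.check("backup-job", "payroll.db", Right.READ),
        "backup_writes": rm.check("backup-job", "payroll.db", Right.WRITE),
        "unknown_reads": rm.check("intern", "payroll.db", Right.READ),
        "single_admin_alone": rm.check_two_keys("hr-admin-1", "hr-admin-1", "payroll.db", Right.WRITE),
        "two_admins": rm.check_two_keys("hr-admin-1", "hr-admin-2", "payroll.db", Right.WRITE),
    }
    rm.revoke("hr-admin-2", "payroll.db", Right.WRITE)
    results["two_admins_after_revoke"] = rm.check_two_keys(
        "hr-admin-1", "hr-admin-2", "payroll.db", Right.WRITE
    )
    return results, rm


if __name__ == "__main__":
    decisions, monitor = run_scenario()
    for name, outcome in decisions.items():
        print(f"{name:<24} {'allowed' if outcome else 'denied'}")
    print("denied requests logged:", len(monitor.denials()))
```

The design choice worth noticing is that `check()` never has a code path that grants on a missing entry: the lookup chain ends in an empty set, so anything the policy forgot to mention is denied rather than allowed, and the audit log records the refusal for later review.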
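The next block is an added worked example for the four hash-function properties in section 3; it is not code from the course notes or the textbook. It uses SHA-256 from the Python standard library to show the easy direction (computing HASH(x)), the avalanche effect (a one-byte change flips about half of the output bits), a digest-based integrity check, and why finding a preimage is infeasible: the brute-force cost of matching only the first few bits of a digest grows as 2 to the number of bits. The messages (`pay 100 to alice`, `pay 900 to alice`) and the helper names are constructed.

```python
"""Added example, not from the course notes or the textbook: exercising the
properties of a cryptographic hash function with SHA-256. Sample messages are
constructed for illustration."""
import hashlib
import hmac


def hash_hex(x: bytes) -> str:
    """Easy to compute HASH(x): a single call, linear in the input length."""
    return hashlib.sha256(x).hexdigest()


def differing_bits(a: bytes, b: bytes) -> int:
    """Number of bit positions in which two equal-length byte strings differ."""
    if len(a) != len(b):
        raise ValueError("inputs must have equal length")
    return sum(bin(p ^ q).count("1") for p, q in zip(a, b))


def avalanche_ratio(x: bytes, y: bytes) -> float:
    """Fraction of the 256 output bits that change between HASH(x) and HASH(y).
    For a good hash this sits near 0.5 even when x and y differ in one byte."""
    hx = hashlib.sha256(x).digest()
    hy = hashlib.sha256(y).digest()
    return differing_bits(hx, hy) / (8 * len(hx))


def verify_integrity(message: bytes, published_digest: str) -> bool:
    """Integrity check: recompute HASH(message) and compare it with the digest
    published alongside the message. compare_digest runs in constant time."""
    return hmac.compare_digest(hash_hex(message), published_digest)


def truncated_preimage_search(target: bytes, bits: int, limit: int = 1 << 22) -> tuple[int, int]:
    """Brute-force an input whose digest matches only the first `bits` bits of
    HASH(target), trying the decimal strings "0", "1", "2", ... in order.
    Returns (candidate, tries). Expected tries grow as 2**bits: 16 bits takes
    a fraction of a second, 256 bits is out of reach, which is what
    "hard to find x given HASH(x)" means in practice."""
    shift = 256 - bits
    want = int.from_bytes(hashlib.sha256(target).digest(), "big") >> shift
    for i in range(limit):
        got = int.from_bytes(hashlib.sha256(str(i).encode()).digest(), "big") >> shift
        if got == want:
            return i, i + 1
    raise RuntimeError(f"no match within {limit} tries")


if __name__ == "__main__":
    doc = b"pay 100 to alice"       # constructed message
    tampered = b"pay 900 to alice"  # one byte changed
    published = hash_hex(doc)
    print("digest of original:", published)
    print("avalanche ratio:   ", round(avalanche_ratio(doc, tampered), 3))
    print("tampered verifies: ", verify_integrity(tampered, published))
    print("16-bit preimage:   ", truncated_preimage_search(doc, 16))
```

Running the block shows the avalanche ratio near 0.5 and the integrity check rejecting the altered message; the truncated search is only a work-factor illustration, since the candidate it returns matches a 16-bit prefix, not the full 256-bit digest.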