Introduction to Security

It’s important.

Unit Goals

To develop a sense of what the big questions are in security and to gain a little vocabulary surrounding the goals, issues, and techniques for “doing security.”

The Big Ideas

Networks are shared resources and need to be convenient to use. Convenience is often at odds with security.

Questions:

Security is about asset protection. Assets can be:

Asset protection involves:

Exercise: (Philosophical) Is money tangible or intangible?
Exercise: What other kinds of assets should be protected?

What Can Attackers Do?

Here is a very incomplete list, but it gets you started:

Exercise: Find out the difference between a virus and a worm.

How these things are done (packet sniffing, physical line tapping, connection hijacking, router compromising, packet flooding, etc.) will be covered later.

Exercise: If you’re impatient, look up “SYN flooding.” Why is that effective as a denial-of-service attack?

Don’t forget about non-technical dimensions

Phishing is a problem too. Humans can fall for lots of stuff.

Dimensions

To make systems secure we have many things to consider. We need:

| Dimension | What it is | Techniques |
|---|---|---|
| Confidentiality | Preventing data from being disclosed (leaked) to the wrong people, either accidentally or by malicious eavesdroppers | Encryption (both at rest and in transit) |
| Integrity | Preventing data from being accidentally or maliciously modified or corrupted (or if there is tampering, to know that it happened) | Message Authentication Codes (MACs), CRCs, Checksums, Secure programming practices |
| Authentication | Ensuring users (both senders and receivers) are who they say they are | Passwords, Passphrases, Tokens, Keys, Cryptographic digital signatures, Certificates |
| Authorization | Restricting what users are allowed to do | Roles, Permissions |
| Accountability | Tracing actions back to the person that performed them | Logs |
| Availability | Services must always be accessible and up as much as possible. | Monitoring, Fault tolerance, Restore/restart, Scaling (scale-out so attackers cannot block all paths), Upstream filtering |

Exercise: Describe a scenario in which Authentication and Integrity are required but Confidentiality is not.
Exercise: How is “non-deniability” related? Is it even possible?
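
The Integrity row lists both MACs and CRCs/checksums, but they do not cover the same cases. The following added example (not part of the original notes) compares the two against accidental corruption and against deliberate modification; the key and messages are constructed sample values.

```python
import hashlib
import hmac
import zlib

# Constructed sample data. The key is a placeholder known only to sender and receiver.
SHARED_KEY = b"constructed-demo-key-not-for-real-use"
ORIGINAL = b"PAY alice 100 USD"
TAMPERED = b"PAY mallory 9000 USD"


def crc_tag(message: bytes) -> bytes:
    """Unkeyed checksum: anyone who holds the message can compute it."""
    return zlib.crc32(message).to_bytes(4, "big")


def mac_tag(message: bytes, key: bytes = SHARED_KEY) -> bytes:
    """Keyed tag (HMAC-SHA256): computing it requires the secret key."""
    return hmac.new(key, message, hashlib.sha256).digest()


def crc_verify(message: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(crc_tag(message), tag)


def mac_verify(message: bytes, tag: bytes, key: bytes = SHARED_KEY) -> bool:
    # compare_digest is constant-time, so it does not leak how many bytes matched.
    return hmac.compare_digest(mac_tag(message, key), tag)


def flip_bit(message: bytes, index: int = 0) -> bytes:
    """Simulate accidental corruption in transit: one flipped bit."""
    corrupted = bytearray(message)
    corrupted[index] ^= 0x01
    return bytes(corrupted)


def run_demo() -> dict:
    noisy = flip_bit(ORIGINAL)
    # Someone altering the message can recompute a CRC, but without the key
    # can only guess at a MAC (here: a tag made with the wrong key).
    forged_mac = mac_tag(TAMPERED, key=b"guessed-key")
    return {
        "crc_detects_noise": not crc_verify(noisy, crc_tag(ORIGINAL)),
        "mac_detects_noise": not mac_verify(noisy, mac_tag(ORIGINAL)),
        "crc_detects_tamper": not crc_verify(TAMPERED, crc_tag(TAMPERED)),
        "mac_detects_tamper": not mac_verify(TAMPERED, forged_mac),
    }


if __name__ == "__main__":
    for check, detected in run_demo().items():
        print(f"{check}: {detected}")
```

Both tags catch the flipped bit, but only the MAC catches the rewritten message, because the CRC travels with the data and can be recomputed by whoever changes it.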

Security is System-Wide

There is no one security module in a system. You have to think about security everywhere: in your day-to-day programming, at the application level, the transport level, the network level, etc.

Hardware Level

At this level you will find:

Operating System Level

The O.S. can provide:

Network Level

Here you will see things like:

Application Level

Applications can implement password schemes (disallowing weak passwords, expiring passwords (controversial), supporting security questions (controversial), implementing email links to secure password reset).

Programmers should be aware of as many known categories of vulnerabilities as possible and know how to avoid them. There are zillions of known vulnerabilities; some are related to C programming (pointers, etc.) and some are specific to webapps, such as those in the OWASP Top Ten. (But don’t just focus on the top 10; focus on all of them.)

We’ll cover secure software development later.

The Human Level

Be wary about phishing and other personal scams. People can pretend to be someone else (misrepresentation) and just ask you for credentials or even money. These may incidentally use a network but can also happen over other communication channels, including face-to-face.

Learning and Studying Security

We’ll be looking at:

Some Nice Resources

Don’t miss:

Summary

We’ve covered:

  • Key ideas and vocabulary
  • Characteristics of secure systems
  • Security dimensions
  • How security is applied at many levels system-wide
  • Topics in the study of security