Lecture Basic Concepts
Mario Čagalj
University of Split
Introduction
Incentives at Odds with Cybersecurity
An incentive is anything that moves or motivates you to do something
Intrinsic incentives come from within a person
Extrinsic incentives come through material reward or punishment
Intrinsic incentives
Edward Snowden
A company fires a system administrator
People have a tendency to show off and prove their point
Extrinsic incentives
Your personal data and habits have an economic value, even
if you do not value it that much [Dark Web Price Index 2022]
Professional Paranoia
Paranoia vs professional paranoia
Hope for the best, but expect the worst and enjoy life
Overview of Information Security
Based on:
An Introduction to Information Security, NIST
Computer Security: Principles and Practice, Stallings and Brown
Information Security
The protection of information and information systems
from unauthorized access, use, disclosure, disruption,
modification, or destruction in order to ensure
confidentiality, integrity, and availability.
[An Introduction to Information Security]
NIST (National Institute of Standards and Technology)
Key Information Security Concepts
Information security rests on CIA
Confidentiality (Croatian: povjerljivost)
Integrity (Croatian: cjelovitost)
Availability (Croatian: dostupnost)
Confidentiality
Refers to hiding of proprietary information or
resources, including protection of personal privacy
Only authorized people or systems can access protected data
Confidentiality
An interesting spike here [Tor Metrics]
Confidentiality
Access control mechanisms support confidentiality
Access control through encryption (cryptography)
Access control by means of passwords and permissions
Think and answer:
Name an important difference between the two mechanisms
Which one would you suggest as a security consultant?
Integrity
Refers to the trustworthiness (Croatian: vjerodostojnost) of data or resources
Protection against information modification and
ensuring information non-repudiation and authenticity
Data Integrity – the property that data (in storage, during
processing, and in transit) has not been altered in an
unauthorized manner
System Integrity – the quality that a system has when it
performs its intended function in an unimpaired manner, free
from unauthorized manipulation of the system
Integrity
Integrity protection mechanisms fall into two classes
Prevention mechanisms - block any unauthorized attempts to
change the data or to change the data in unauthorized ways
(e.g., authentication and access control)
Detection mechanisms - do not try to prevent violations of
integrity; they simply report that the data’s integrity is no
longer trustworthy (e.g., cryptographic hash functions,
message authentication codes, digital signatures)
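An added example (not from the slides) contrasting the two detection mechanisms named above: an unkeyed hash reports accidental corruption, while an HMAC, computed with a key the modifier does not hold, also reports deliberate modification. Only Python standard-library functions are used; the transfer order, the key and the tampering step are constructed for illustration.

```python
"""Integrity detection: unkeyed hash vs. keyed MAC (constructed example)."""
import hashlib
import hmac
import secrets

# Constructed sample: a transfer order stored or sent together with a tag.
ORDER = b"transfer 100 EUR to account 1234"

def sha256_tag(data: bytes) -> str:
    """Unkeyed hash: detects corruption, but anyone can recompute it."""
    return hashlib.sha256(data).hexdigest()

def hmac_tag(key: bytes, data: bytes) -> str:
    """Keyed MAC: only holders of `key` can produce a valid tag."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()

def verify_hash(data: bytes, tag: str) -> bool:
    return hmac.compare_digest(sha256_tag(data), tag)

def verify_hmac(key: bytes, data: bytes, tag: str) -> bool:
    # constant-time comparison so the check does not leak the tag byte by byte
    return hmac.compare_digest(hmac_tag(key, data), tag)

def tamper(data: bytes) -> bytes:
    """Simulated unauthorized modification of the stored order."""
    return data.replace(b"100 EUR", b"900 EUR")

def demo() -> dict:
    key = secrets.token_bytes(32)        # shared only by the legitimate parties
    h, m = sha256_tag(ORDER), hmac_tag(key, ORDER)
    bad = tamper(ORDER)
    return {
        # a changed message no longer matches the stored tags...
        "hash_detects_change": not verify_hash(bad, h),
        "hmac_detects_change": not verify_hmac(key, bad, m),
        # ...but the modifier can simply recompute an unkeyed hash,
        "hash_forgeable": verify_hash(bad, sha256_tag(bad)),
        # whereas a tag made without the right key is rejected
        "hmac_forgeable": verify_hmac(key, bad, hmac_tag(b"wrong key", bad)),
    }

if __name__ == "__main__":
    print(demo())
```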
Confidentiality vs Integrity
Availability
Ensuring timely and reliable access to and use of
information and systems
An unavailable system is at least as bad as no system at all
The aspect of availability that is relevant to security is that
someone may deliberately arrange to deny access to data or
to a service by making it unavailable
Denial-of-Service (DoS) attacks - attempts to block availability
Example: SYN Flooding DoS
[Figure: two message sequence diagrams between a client and a server, time running downwards.
Left panel, TCP 3-way handshake: the client sends SeqC=3000, SYN=1; the server stores connection data and replies AckS=3001, ACK=1, then waits until timeout for the final ACK; the TCP connection is established.
Right panel, SYN flooding: the client sends SYN=1, SYN=2, SYN=3, SYN=4, ...; for each one the server stores data, replies (SYN=2, ACK=2; SYN=3, ACK=3; ...) and waits until timeout for an ACK that never arrives.]
Backlog queue fills up with half-open connections.
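An added example (not from the slides) that models the backlog queue in the diagram: a server holding each half-open connection for `timeout` seconds needs about syn_rate × timeout entries, so SYNs that never complete the handshake exhaust a fixed backlog, whereas a server using SYN cookies keeps no per-connection state. The queue size, timeout and rate are constructed, and the `syn_cookies` flag is a deliberate simplification of that mechanism.

```python
"""Discrete-time model of a TCP backlog under incomplete handshakes."""
from collections import deque

def backlog_needed(syn_rate: float, timeout: float) -> float:
    """Entries held in steady state (Little's law): arrival rate x hold time."""
    return syn_rate * timeout

def simulate_backlog(backlog: int, timeout: int, syn_per_tick: int,
                     ticks: int, syn_cookies: bool = False) -> dict:
    """Simulate `ticks` seconds of SYNs whose senders never send the final ACK."""
    half_open = deque()   # expiry tick of each stored half-open connection
    stats = {"accepted": 0, "dropped": 0, "peak_half_open": 0,
             "first_drop_tick": None}
    for now in range(ticks):
        while half_open and half_open[0] <= now:   # oldest entries time out
            half_open.popleft()
        for _ in range(syn_per_tick):
            if syn_cookies:
                # state is encoded in the SYN-ACK sequence number; nothing stored
                stats["accepted"] += 1
            elif len(half_open) < backlog:
                half_open.append(now + timeout)
                stats["accepted"] += 1
            else:
                # queue full: this SYN, and any legitimate one, is dropped
                stats["dropped"] += 1
                if stats["first_drop_tick"] is None:
                    stats["first_drop_tick"] = now
        stats["peak_half_open"] = max(stats["peak_half_open"], len(half_open))
    return stats

if __name__ == "__main__":
    # constructed sizes: 128-entry backlog, 60 s timeout, 10 SYN/s for 2 minutes
    print("entries needed :", backlog_needed(10, 60))            # 600 > 128
    print("plain backlog  :", simulate_backlog(128, 60, 10, 120))
    print("SYN cookies    :", simulate_backlog(128, 60, 10, 120, syn_cookies=True))
```

With these numbers the 128 slots are gone after 12 seconds and stay full until the first entries expire at 60 seconds, so the queue cycles between full and briefly draining for as long as the stream continues.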
Security Terminology [RFC 4949]
System resource: hardware, software, data, communication facilities and
networks (assets to be protected)
Security policy: rules stating what is allowed and what is not allowed
Relations Among Security Terms
[Figure: relations among security terms, after Stallings and Brown. Owners value assets and wish to minimize risk; to reduce risk they impose countermeasures, which may possess vulnerabilities. An adversary may be aware of vulnerabilities, which lead to risk; the adversary gives rise to threats that increase risk to the assets, which the adversary wishes to abuse and/or may damage.]
Vulnerabilities and Attacks
System resource (asset) vulnerabilities
May be corrupted (loss of integrity)
Become leaky (loss of confidentiality)
Become unavailable (loss of availability)
Vulnerabilities and Attacks
Man-in-the-middle (MitM)
Example: ARP Spoofing Threat
Address Resolution Protocol (ARP) maps IP to MAC addresses
Example: ARP Spoofing Threat
Another machine sends an unsolicited ARP reply
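An added example (not from the slides) of how a defender would detect the pattern above: a monitor that learns the IP-to-MAC binding from the first reply for each IP and alerts when a later reply, especially one answering no request, rebinds that IP. The log lines, addresses and the log format are constructed for illustration.

```python
"""Minimal unsolicited-ARP-reply detector over a constructed log."""
import re

# Constructed sample log (format assumed for this example, not a real tool's):
#   "<t> request who-has <ip>"  or  "<t> reply <ip> is-at <mac>"
ARP_LOG = """\
1 request who-has 10.0.0.1
2 reply 10.0.0.1 is-at aa:aa:aa:aa:aa:01
3 request who-has 10.0.0.7
4 reply 10.0.0.7 is-at aa:aa:aa:aa:aa:07
5 reply 10.0.0.1 is-at bb:bb:bb:bb:bb:99
6 reply 10.0.0.1 is-at bb:bb:bb:bb:bb:99
"""

REQUEST = re.compile(r"^(\d+) request who-has (\S+)$")
REPLY = re.compile(r"^(\d+) reply (\S+) is-at (\S+)$")

def detect_arp_spoofing(log: str) -> list:
    """Return (time, ip, old_mac, new_mac, unsolicited) for each suspicious reply.

    Caveat: the first binding seen is trusted, so a poisoned *first* reply is
    not caught; production monitors seed the table from DHCP snooping or
    static entries instead of trusting whatever arrives first.
    """
    bindings = {}        # ip -> mac learned from the first reply
    pending = set()      # ips with an outstanding request
    alerts = []
    for line in log.splitlines():
        if m := REQUEST.match(line):
            pending.add(m.group(2))
            continue
        m = REPLY.match(line)
        if not m:
            continue
        t, ip, mac = m.groups()
        unsolicited = ip not in pending   # a reply nobody asked for
        pending.discard(ip)
        known = bindings.setdefault(ip, mac)
        if known != mac:
            alerts.append((int(t), ip, known, mac, unsolicited))
    return alerts

if __name__ == "__main__":
    for t, ip, old, new, unsol in detect_arp_spoofing(ARP_LOG):
        print(f"ALERT t={t}: {ip} rebound {old} -> {new} (unsolicited={unsol})")
```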
Example: Man-in-the-Browser (MitB)
MitB is a proxy trojan horse that infects a web browser
and has the ability to modify pages, modify transaction
content or insert additional transactions
Neither TLS nor two-factor (2F) or three-factor (3F) authentication helps here; to counter a MitB attack one has to use explicit transaction verification
Demo time
Scope of Computer Security
[Figure: two computer systems connected over a network, each with a guard in front of it. The numbered points of protection:
1. Access to the computer facility must be controlled (user authentication)
2. Access to the data must be controlled (protection)
3. Sensitive files must be secured (file security)
4. Data must be securely transmitted through networks (network security)]
Computer Assets and Some Threats
Some Trends at Odds with Computer Security
[Figure: trends over time, each plotted on a scale from low to high: the number of connected devices, the sophistication of attacker tools, and the knowledge required of intruders.]