|
1
|
- Bill Figg, Ph.D.
- Assistant Professor
- BIS
|
|
2
|
- Security Engineering is about building systems to remain dependable in
the face of:
|
|
3
|
- Security Engineering requires cross-disciplinary expertise.
- Cryptography
- Hardware Tamper Resistance
- Applied Psychology
- Organizational Audit Methods
- Legal Restraints
|
|
4
|
- Failure May Endanger Human Life
- Serious Damage to Major Economic Infrastructure
- Endanger Personal Privacy
- Undermine Business Sectors
|
|
5
|
- Making Sure Certain Things Don't Happen
- Reality Is More Complex
- System Requirements Differ From One System to Another
- Protect The Whole System
- Many Systems Fail Because Designers Protect The Wrong Things or The
Right Things in The Wrong Way
|
|
6
|
- A Number of Principals
- People
- Companies
- Computers and Communication Devices
- Security Protocols
- Designed Under Certain Assumptions About the Threat
|
|
7
|
- May Be Simple
- Swiping a Badge in a Card Reader to Enter a Building
- May Be Complex
- The World Network of Cash Machines Has Multiple Protocols Governing How
Cash Machines Interact With Customers
|
|
8
|
- Often Innocuous Design Features Open Serious Flaws
- Banks Encrypted the Customer's PIN Using a Key Known Only to the Central
Computers and Cash Machines. This Allowed Verification Locally Saving
Communication Costs.
- A Programmer Discovered He Could Substitute His Wife's Account
Information On His Card.
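
A constructed model of the flaw on this slide beside a corrected design that ties the PIN check to the account number. This is an added example, not the banks' actual scheme: HMAC stands in for the banks' encryption, and the key, account numbers, PIN and function names are all made up.

```python
import hashlib
import hmac

# Constructed key standing in for the key shared by the central computer
# and the cash machines (assumption; HMAC replaces the banks' cipher here).
KEY = b"constructed-demo-key"


def _check_value(data: str) -> str:
    return hmac.new(KEY, data.encode(), hashlib.sha256).hexdigest()


def issue_unbound(account: str, pin: str) -> dict:
    # Flawed design: the stored check value depends on the PIN alone.
    return {"account": account, "pin_check": _check_value(pin)}


def verify_unbound(card: dict, entered_pin: str) -> bool:
    return hmac.compare_digest(card["pin_check"], _check_value(entered_pin))


def issue_bound(account: str, pin: str) -> dict:
    # Corrected design: the check value covers account number and PIN together.
    return {"account": account, "pin_check": _check_value(f"{account}|{pin}")}


def verify_bound(card: dict, entered_pin: str) -> bool:
    expected = _check_value(f"{card['account']}|{entered_pin}")
    return hmac.compare_digest(card["pin_check"], expected)


def with_account(card: dict, account: str) -> dict:
    # Models the altered card from the slide: only the account field changes.
    return {**card, "account": account}


def demo() -> dict:
    own, other, pin = "1111000011110000", "2222000022220000", "4821"  # constructed
    return {
        "unbound_accepts_altered": verify_unbound(with_account(issue_unbound(own, pin), other), pin),
        "bound_accepts_altered": verify_bound(with_account(issue_bound(own, pin), other), pin),
        "bound_accepts_genuine": verify_bound(issue_bound(own, pin), pin),
    }


if __name__ == "__main__":
    print(demo())
```

Local verification still works in the corrected design; the cash machine only needs the same key and the account number read from the card.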
|
|
9
|
- Most Problems Occur Through Human Error
- Most Notably Password Security
- Failure to Maintain Security System Controls
- Improper Use of Equipment
|
|
10
|
- The Major Threat To Individual Security
- Simple Passwords and Careless Handling of Personal Records.
- Results in More Than ½ Million Cases Each Year
|
|
11
|
- Three Ways to Authenticate
- Retain Physical Control of the Device
- Presenting Something the Person Knows-Password
- Use a Biometric
- Something you have; Something you know or Something you are
|
|
12
|
- The Center of Computer Security
- Its Function is to Control Which Principals (persons, processes,
machines) Have Access to Which Resources in the System
|
|
13
|
- As We Work Up From the Hardware, Through the Operating System,
Middleware to the Application Layer Controls Become Progressively More
Complex and Less Reliable
|
|
14
|
- Operating Systems Typically Authenticate Principals Using Some Mechanism
Such as Passwords or Kerberos, Then Mediate Their Access to Other System
Resources
|
|
15
|
- Cryptography is Where Security Engineering Meets Mathematics.
- Security People Don't Always Understand the Available Crypto Tools
- Crypto People Don't Always Understand Real World Computer Problems
|
|
16
|
- Roman Historian Suetonius Tells That Julius Caesar Enciphered His
Dispatches by Writing D for A, E for B and so on.
- Blaise de Vigenère Improved on This Concept by Creating a Cipher for
King Charles IX. This Works by Adding a Key to Plain Text A=0, B=1…Z=25
and Addition is Carried Out Modulo 26 (we subtract as many multiples of
26 as needed to bring us back to range 0-25)
|
|
17
|
- De Vigenère's Application Was the First Recorded Use of Mathematical
Formulas to Encrypt Messages
- C=P+K mod 26
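
The formula C = P + K mod 26 carried through in code, with Caesar's D-for-A substitution as the one-letter-key case. This is an added example, not part of the original slides; the function names are illustrative.

```python
import string

ALPHABET = string.ascii_uppercase  # A=0, B=1, ..., Z=25


def _shift(text: str, key: str, sign: int) -> str:
    """Apply C = P + sign*K mod 26 per letter; other characters pass through."""
    if not (key and key.isascii() and key.isalpha()):
        raise ValueError("key must be a non-empty string of ASCII letters")
    shifts = [ALPHABET.index(k) for k in key.upper()]
    out = []
    i = 0  # position in the key; advances only when a letter is processed
    for ch in text:
        if ch.isascii() and ch.isalpha():
            p = ALPHABET.index(ch.upper())
            # Python's % always returns 0..25, so the same line also decrypts
            c = (p + sign * shifts[i % len(shifts)]) % 26
            out.append(ALPHABET[c] if ch.isupper() else ALPHABET[c].lower())
            i += 1
        else:
            out.append(ch)
    return "".join(out)


def encrypt(plaintext: str, key: str) -> str:
    return _shift(plaintext, key, +1)


def decrypt(ciphertext: str, key: str) -> str:
    return _shift(ciphertext, key, -1)


if __name__ == "__main__":
    msg = "ATTACK AT DAWN"  # constructed sample message
    print(encrypt(msg, "D"))      # Caesar: every letter shifted by K=3
    print(encrypt(msg, "LEMON"))  # Vigenère: the shift cycles through the key
    print(decrypt(encrypt(msg, "LEMON"), "LEMON"))
```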
|
|
18
|
- Public Key Encryption is a Special Kind of Block Cipher in Which the
Elf (random oracle) Will Perform the Encryption Corresponding to a
Particular Key for Anyone Who Requests It.
- The Elf Will Only Perform Decryption for a Key's Owner. This is an
Application of an Encryption Algorithm
|
|
19
|
|
|
20
|
- The Expansion of Business into Remote Locations Has Created the Need for
Concurrent Exchange of Information.
- Distributed Systems Have Taken Many Network Forms
- Communication Should Follow the ACID Formula-Atomic, Consistent,
Isolated and Durable
|
|
21
|
|
|
22
|
- The US Military is the Best Example
- Databases can Hold Information of Different Levels of
Classification-(Confidential, Secret, Top Secret…)
- Databases Can Control Access to Information Based on a Principal's Level
of Access
|
|
23
|
- Often the Most Important Goal is not to Prevent Information Flowing Down
a Hierarchy but to Prevent it From Flowing Across Departmental or
Company Lines.
- This Comes into Play When Privacy Issues are at Stake.
- The Brewer-Nash Model Focuses on Vertical Boundary Controls
|
|
24
|
- Privacy Issues Have Come Into Question Because of the Need for
Organization Security.
- Roger Needham Said: "Privacy is a transient notion. It started when
people stopped believing that God could see everything and stopped when
governments realized there was a vacancy to be filled."
|
|
25
|
- Biometrics Identify People by Measuring Some Aspect of Individual
Anatomy or Physiology.
- Hand Geometry
- Fingerprint
- Voice
- Iris
|
|
26
|
- Can Also be Used to Identify Other Behavioral Characteristics
- Some Deeply Ingrained Skill - Handwriting
- Individual Characteristics - Face Recognition
- Or Combinations - Voice
|
|
27
|
- Smart Cards Are the Most Common Secure Processors
- It Is a Self-Contained Microcontroller With a Microprocessor, Memory and
a Serial Interface
- Bought in Bulk Can Cost a Dollar Each
- Uses in Bank Cards, Telephones, Hotels etc.
|
|
28
|
- Emsec Refers to Preventing a System Being Attacked Using Radiated
Electromagnetic Signals
- The Vulnerability of Computers and Other Electronic Equipment is the
Emission of Stray RF (radio frequencies). These Can be Picked Up by an
Opponent and Used to Reconstruct Data
|
|
29
|
- Electronic Warfare has Been a Separate Subject From Computer Security.
This is Changing
- They Share Common Technologies
- Military Technology and Research Has Commercial Applications
- Electronic Warfare is Our Main Teacher When it Comes to Denial of
Service Attacks
|
|
30
|
- Jamming Enemy Communications or Radar and Disrupting Equipment Using
High-Power Microwaves
|
|
31
|
- Ranges From Designing Systems Resistant to Jamming, Through Hardening
Equipment to Resist High-Power Microwave Attacks to the Location and
Destruction of Jammers through Anti-Radiation Detectors
|
|
32
|
- Supplying the Necessary Intelligence and Threat Recognition to Allow
Effective Attack and Protection
- Allows Recognition of Intentional and Unintentional Electromagnetic
Energy
|
|
33
|
- Phone Phreaking
- Attacks on Metering
- Attacks on Signaling
- Attacks on Switching and Configuration
- Insecure End Systems
- Feature Interaction
|
|
34
|
- The Purpose of Business is Profit and Profit is the Reward for Risk but
Unnecessary Risk Arises From:
- Complacency Cycle-Poor Internal Controls
- Solving the Wrong Problem
- Incompetent or Inexperienced Security Managers
- Moral Hazards
|
|
35
|
- Security Engineering Concerns More Than Securing Computers With Passwords.
- Security Requirements Have to be Tweaked to Manage the Requirements
Evolution
- Fix a Bug
- Improve our systems
- Deal with an evolving environment
- Managing changes within the organization
|