Chapters 1 & 2

About the course

Syllabus

Assignments

Chapter 1

Introduction

Computer Security: protection afforded to an automated information system in order to attain the applicable objectives of preserving the integrity, availability and confidentiality of information system resources (includes hardware, software, firmware, information/data, and telecommunications).

FROM NIST COMPUTER SECURITY HANDBOOK

The CIA Triad

Triad

Confidentiality

Triad

Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information. A loss of confidentiality is the unauthorized disclosure of information.

Integrity

Triad

Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity. A loss of integrity is the unauthorized modification or destruction of information.

Availability

Triad

Ensuring timely and reliable access to and use of information. A loss of availability is the disruption of access to or use of information or an information system.

The CIA Triad

Triad

More Terminology (1)

Adversary (threat agent)

An entity that attacks, or is a threat to a system.

Attack

An assault on system security that derives from an intelligent threat; that is, an intelligent act that is a deliberate attempt (especially in the sense of a method or technique) to evade security services and violate the security policy of a system.

Countermeasure

An action, device, procedure, or technique that reduces a threat, a vulnerability, or an attack by eliminating or preventing it, by minimizing the harm it can cause, or by discovering and reporting it so that corrective action can be taken.

Risk

An expectation of loss expressed as the probability that a particular threat will exploit a particular vulnerability with a particular harmful result.

More Terminology (2)

Security Policy

A set of rules and practices that specify or regulate how a system or organization provides security services to protect sensitive and critical system resources.

System Resource (Asset)

Data contained in an information system; or a service provided by a system; or a system capability, such as processing or bandwidth; or an item of system equipment (i.e., a system component, firmware, software, or documentation); or a facility that houses system operations and equipment.

 Threat

A potential for violation of security, which exists when there is a circumstance, capability, action, or event that could breach security and cause harm. That is, a threat is a possible danger that might exploit a vulnerability.

Vulnerability

A flaw or weakness in a system’s design, implementation, or operation and management that could be exploited to violate the system’s security policy.

Types of Attacks

Threat Consequences

unauthorized disclosure

exposure, interception, inference, intrusion

deception

masquerade, falsification, repudiation

disruption

incapacitation, corruption, obstruction

usurpation

misappropriation, misuse

Levels of Impact

levels of impact

Countermeasures

Policy, Mechanism, Service

Fundamentals of Security Design

fundamentals of security design

Challenges

Challenges Continued

Strategy

Chapter 1 Summary

Chapter 2

Identification

How do we know who a user really is?

Is there some way to verify?

Who are you?

How can I, who is obviously Chris Sexton, know who you are?

Who are you?

Identity

We need ways to verify a user’s identity.

What do you suggest?

Education Discount Examples
  • Email verification
  • ID card scans
  • SSO login verification

How can these methods be defeated?

Authentication

The set of methods we use to establish that a claim of identity is true.

This is different than authorization. Authentication only verifies an identity. It says nothing about what a user is allowed to do.

Three Factor Authentication

In order to verify a user, we will require a multi-factor verification of their identity including:

Something you know

Passwords!

Weak Passwords and Habits

Password managers

Let’s shop for tools to make passwords better.

Wirecutter: The Best Password Managers (Currently slightly out of date)

Something you have

Do you have 2FA enabled on all services yet?

Do you have a YubiKey?

2FA key management

Do you use Google Authenticator?

Stop that.

  • Authy
  • 1Password
  • LastPass (Premium)

Something you are

Many methods of "Something you are" do not translate well to general services, but may be applicable to sensitive resources.

Summary

Up next

Next time, we will discuss biometrics for authentication and discuss authorization and access control.