Capabilities degrees of access the security mindset


- Capabilities?
- Degrees of access?

The Security Mindset
- Thinking like an attacker
  - Understand techniques for circumventing security.
  - Look for ways security can break, not reasons why it won’t.
- Thinking like a defender
  - Know what you’re defending, and against whom.
  - Weigh benefits vs. costs: no system is ever completely secure.
  - “Rational paranoia!”
Why Study Attacks?
- Identify vulnerabilities to fix and determine a (new) defense.
- Create incentives for vendors to be careful in the future.
- Learn about new classes of threats.
- Help designers build stronger systems.
- Help users more accurately evaluate risk.
[Diagram: Attacks / Defenses]
“Insecurity”? Hierarchy
- Level-2 Problem, “Weakness”: factors that predispose systems to vulnerability.
- Level-1 Problem, “Vulnerability”: specific errors that could be exploited in an assault.
- Level-0 Problem, “Assault”: an actual malicious attempt to cause harm.
- “Attack”: the assault recipe; vulnerabilities are the ingredients.
Thinking Like an Attacker
- Look for the weakest links – they are the easiest to attack.
- Identify the assumptions that security depends on. Are they false?
- Think outside the box: you are not constrained by the system designer’s worldview.
Always practice thinking like an attacker: for every system you interact with, think about what it means for it to be secure, and imagine how it could be exploited by an attacker.
Exercises
- Breaking into the Beyster building?
Exercises
- What are some security systems that you interact with in everyday life?
Thinking as a Defender
- Security policy
  - What are we trying to protect?
  - What properties are we trying to enforce?
- Threat model
  - Who are the attackers? Capabilities? Motivations?
  - What kind of attack are we trying to prevent?
- Risk assessment
  - What are the weaknesses of the system?
  - What will successful attacks cost us?
  - How likely are they?
- Countermeasures
  - Costs vs. benefits?
  - Technical vs. nontechnical?
- (More on each of these in the upcoming slides…)
The challenge is to think rationally and rigorously about risk. Rational paranoia.
Security Policies
- What assets are we trying to protect?
- What properties are we trying to enforce?
  - Confidentiality
  - Integrity
  - Availability
  - Privacy
  - Authenticity
Threat Models
- Who are our adversaries?
  - Motives?
  - Capabilities?
- What kinds of attacks do we need to prevent? (Think like the attacker!)
- Limits: which kinds of attacks should we ignore?
Assessing Risk (remember: rational paranoia)
- What would security breaches cost us?