Академический Документы
Профессиональный Документы
Культура Документы
Principles of Cybersecurity
1: Principles of Cybersecurity 1
What is Cybersecurity?
1: Principles of Cybersecurity 2
What is Cybersecurity?
1: Principles of Cybersecurity 3
What is Cybersecurity?
Protection of assets, systems, secrets
Security
Privacy
1: Principles of Cybersecurity 4
COMP3632
Date: Tuesday & Thursday
1: Principles of Cybersecurity 5
Grading
1: Principles of Cybersecurity 6
Online Self-Assessment
1: Principles of Cybersecurity 7
Assignments
Each Assignment has a:
- Written Component
- Programming Component
There is a grace period (no penalty) of exactly 48
hours after the Assignment due date.
If you need an extension of more than 48 hours,
you must tell me with a valid reason before the
Assignment due date.
For Assignment 1, there is an early milestone
due date.
1: Principles of Cybersecurity 8
Contact
E-mail: taow@cse.ust.hk
Please preface your e-mail title with COMP3632.
Any questions are welcome!
1: Principles of Cybersecurity 9
Principles of CIA
Confidentiality
Secret information remains secret
Integrity
Information remains correct
Availability
Information remains accessible
1: Principles of Cybersecurity 10
Principles of CIA
<Login>
Attacker
Alice (Eavesdropper) Bob
Which principle is violated?
(Confidentiality, Integrity, Availability)
1: Principles of Cybersecurity 11
Principles of CIA
<Fake login>
<Login>
Wrong login.
Attacker
Alice (Man in the middle) Bob
Which principle is violated?
(Confidentiality, Integrity, Availability)
1: Principles of Cybersecurity 12
Principles of CIA
Distributed Denial of Service (DDoS)
contain to control
Vulnerabilities Attackers
exploited by
1: Principles of Cybersecurity 15
Hardware
Systems
Software
Data
Assets
Values
(Trust, goodwill, continuity)
1: Principles of Cybersecurity 16
Where do vulnerabilities come from?
Vulnerabilities
Design Implementation
Theoretical limitations Coding error
1: Principles of Cybersecurity 17
Vulnerability by design
1: Principles of Cybersecurity 18
Spiderman Rule
With great power
comes great responsibility!
1: Principles of Cybersecurity 19
Privacy
Is privacy the same as confidentiality?
Attacker
Alice (Eavesdropper) Bob
1: Principles of Cybersecurity 20
Privacy
Is privacy the same as confidentiality?
Attacker
Alice (Eavesdropper) Bob
1: Principles of Cybersecurity 21
Privacy
Information Identity
1: Principles of Cybersecurity 22
Components of Analysis
have
Systems Assets
Defenses
contain to control
Vulnerabilities Attackers
exploited by
1: Principles of Cybersecurity 23
Defensive Strategy
Risk Management:
A risk is something that could damage,
destroy, or disclose data
% of assets exposed
to the risk
1: Principles of Cybersecurity 25
Principles of Secure Design
Security by Design:
1: Principles of Cybersecurity 26
Principles of Secure Design
Is the Internet secure by design?
The goal [of ARPANET] was to exploit new computer technologies to meet the
needs of military command and control against nuclear threats, achieve
survivable control of US nuclear forces...
1: Principles of Cybersecurity 27
Saltzer and Schroeders
Principles of Secure Design
1) Open Design
1: Principles of Cybersecurity 28
Saltzer and Schroeders
Principles of Secure Design
1) Open Design
Opposite of Security through Obscurity:
1: Principles of Cybersecurity 29
Saltzer and Schroeders
Principles of Secure Design
1) Open Design
Examples of Security through Obscurity:
1: Principles of Cybersecurity 30
Saltzer and Schroeders
Principles of Secure Design
1) Open Design
1: Principles of Cybersecurity 31
Saltzer and Schroeders
Principles of Secure Design
1) Open Design
1: Principles of Cybersecurity 33
Saltzer and Schroeders
Principles of Secure Design
2) Economy of Mechanism
KISS Principle: Keep it simple/stupid
1: Principles of Cybersecurity 34
Saltzer and Schroeders
Principles of Secure Design
2) Economy of Mechanism
1: Principles of Cybersecurity 35
Saltzer and Schroeders
Principles of Secure Design
3) Least Common Mechanism
1: Principles of Cybersecurity 36
Saltzer and Schroeders
Principles of Secure Design
3) Least Common Mechanism
Shared Restricted
1: Principles of Cybersecurity 37
Saltzer and Schroeders
Principles of Secure Design
4) Least Privilege
1: Principles of Cybersecurity 38
Saltzer and Schroeders
Principles of Secure Design
4) Least Privilege
1: Principles of Cybersecurity 39
Saltzer and Schroeders
Principles of Secure Design
5) Separation of Privileges
1: Principles of Cybersecurity 40
Saltzer and Schroeders
Principles of Secure Design
5) Separation of Privileges
1: Principles of Cybersecurity 41
Saltzer and Schroeders
Principles of Secure Design
6) Complete mediation
1: Principles of Cybersecurity 42
Saltzer and Schroeders
Principles of Secure Design
6) Complete mediation
Login to system
View grades
.../grades/student/tao_wang/grades.xps
1: Principles of Cybersecurity 44
Saltzer and Schroeders
Principles of Secure Design
7) Fail-safe defaults
POODLE
(Padding Oracle on Downgraded Legacy Encryption)
1: Principles of Cybersecurity 45
Saltzer and Schroeders
Principles of Secure Design
8) Psychological Acceptability
1: Principles of Cybersecurity 46
Saltzer and Schroeders
Principles of Secure Design
1: Principles of Cybersecurity 47
Saltzer and Schroeders
Principles of Secure Design
Psychology Reality
HTTPS HTTPS
1: Principles of Cybersecurity 48
Which Principles are Used/Violated?
Tom Cruises partner needs to enter
a secure facility, which has three
combination locks and biometric
analysis (fingerprint, gait analysis)
To put his profile on the system so he
can bypass the biometric tests, Tom
Cruise dives into a water control
system, tears out the old profile drive,
and inserts a new profile drive
Once inside, his partner steals
information about 2.4 billion pounds
in various bank accounts of the PM
1: Principles of Cybersecurity 49
Which Principles are Used/Violated?
I am scared, so I install the
recommended anti-virus. A window
pops up asking for admin privileges,
I grant it.
The anti-virus code is not available,
so I dont know what its really doing;
I can only trust it
The anti-virus is actually a virus, and
it exploits a buffer overflow in glibc
glibc is used by all programs written
in C; many programs can trigger the
virus
1: Principles of Cybersecurity 50
Summary
What is cybersecurity?
for privacy
analysis
1: Principles of Cybersecurity 51
Summary
Saltzer-Schroeder Principles of Secure Design:
1) Open Design
2) Economy of Mechanism
3) Least Common Mechanism
4) Least Privilege
5) Separation of Privileges
6) Complete mediation
7) Fail-safe defaults
8) Psychological acceptability
1: Principles of Cybersecurity 52