Information security: some illustrated principles
Why security?
Secrets
“don’t tell anyone, okay!”
Control
“_Who_ knows all of that?”
Information wants to be free
Problems?
www.facebook.net (phishing)
OMG pink poniezzz (trojan horses)
Botnets
crack!
sniffers
spam
Concepts
Data confidentiality
Entity authentication (identification)
Data authentication (integrity + who sent it)
Non-repudiation (of origin vs of receipt)
Denial of service
Terminology & definitions
• Cryptographers and computer security people talk a different language (e.g. ‘authentication’ vs ‘authorisation’)
• Integrity (data authentication? entity authentication?)
• Availability (denial of service? non-repudiation?)
• Confidentiality
• Trust
Trust (vertrouwen)
➡ Dieter Gollmann: “Trust is not the concept that unifies security, it is an absolute mess.”
➡ “If it is trusted, it can hurt you.”
➡ Based on
   ➡ reputation
   ➡ control and punishment
   ➡ policy enforcement
   ➡ ... or blind
Trust

Nieuws.be 27/11/’08 18:13:

“A320 crashes into the Mediterranean Sea.”
Trust

Luchtvaartnieuws.nl on 5/10/’07:

“US Airways orders 92 Airbuses.”
Nieuws.be: A320   Luchtvaartnieuws.nl: A350
Trust

Nieuws.be 27/11/’08 20:25:

“A320 crashes into the Mediterranean Sea.”
Trust

• In practice:
 • cryptographic keys (e.g. for encryption)
 • access rights
 • digital signatures
 • “trusted computing”
Information Security Principles

• Be clear about definitions
Don’ts
Don’ts
• Security and complexity do not mix:
  •   operating system
  •   network architecture
  •   applications
  •   mobile code
  •   services: XML, SOAP, VoIP (through the firewall!)
  •   always on connections (botnets!)
Don’ts
• Security through obscurity:
  •   mobile phone systems: GSM in US
  •   DVD copyright protection (DVD Jon!)
  •   Sony rootkit
  •   Diebold voting machines
  •   Microsoft
  •   Cisco router OS
  •   physical locks
  •   blacking out text in PDF (hack: “read out loud”)
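The last item above is the classic failure: drawing a black box over text changes what is rendered, not what the file contains, so a screen reader (or any text extractor) still finds it. The check below is an added example, not code from the slides: it scans a PDF's content streams for string literals passed to the `Tj` text operator, inflating `/FlateDecode` streams on the way, so that a "redacted" document can be verified before it leaves the organisation. The two content streams and the `make_pdf` wrapper are constructed fixtures for the demo; real documents have more objects, more text operators (`TJ`, `'`, `"`) and more encodings than this scanner handles, so treat it as the shape of the check rather than a complete tool.

```python
import re
import zlib

# Constructed page content streams (not from any real document).
# COVERED: a black box (`re f`) was drawn over the text, but the text operator is still present.
COVERED = b"BT /F1 12 Tf 72 700 Td (Account 1234-5678) Tj ET\n0 g 70 695 150 16 re f\n"
# REMOVED: the sensitive string was replaced before the box was drawn.
REMOVED = b"BT /F1 12 Tf 72 700 Td (Account [REDACTED]) Tj ET\n0 g 70 695 150 16 re f\n"


def make_pdf(content: bytes, compress: bool) -> bytes:
    """Wrap one content stream in just enough PDF syntax for the scanner below (demo fixture)."""
    if compress:
        body = zlib.compress(content)
        header = b"<< /Length %d /Filter /FlateDecode >>" % len(body)
    else:
        body = content
        header = b"<< /Length %d >>" % len(body)
    return b"%PDF-1.4\n4 0 obj\n" + header + b"\nstream\n" + body + b"\nendstream\nendobj\n%%EOF\n"


# A stream object: its dictionary, then the raw bytes between `stream` and `endstream`.
STREAM_RE = re.compile(rb"(<<.*?>>)\s*stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
# A literal string shown with the Tj operator; no nested parentheses or escapes in this demo.
TEXT_RE = re.compile(rb"\(([^()\\]*)\)\s*Tj")


def visible_text_strings(pdf: bytes) -> list:
    """Return every string literal drawn with Tj, decompressing FlateDecode streams first."""
    found = []
    for dictionary, data in STREAM_RE.findall(pdf):
        if b"/FlateDecode" in dictionary:
            data = zlib.decompress(data)
        found.extend(TEXT_RE.findall(data))
    return found


def redaction_leaks(pdf: bytes, secret: bytes) -> bool:
    """True if the supposedly redacted secret is still present in the text layer."""
    return any(secret in s for s in visible_text_strings(pdf))


if __name__ == "__main__":
    for name, content in (("covered", COVERED), ("removed", REMOVED)):
        pdf = make_pdf(content, compress=True)
        print(name, "leaks" if redaction_leaks(pdf, b"1234-5678") else "clean")
```

Running the module reports `covered leaks` and `removed clean`: the box hides nothing from a parser, and the only redaction that holds is the one that deletes the text from the content stream.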
Don’ts
•   Risk avoidance:

    •   accept the risk
    •   reduce risk with technology
    •   reduce risk with procedures
    •   reduce risk with insurance
    •   reduce risk with disclaimers
    •   transfer the risk (e.g.: from data to key)
Don’ts
• Security is not forever:
  • Cryptography:
    • 1958 vs now : peanuts
    • now vs 2058 : ?
  •   Advances in:
      • reverse engineering
      • side channel attacks
Don’ts

•   Security and complexity don’t mix
•   Security through obscurity does not work
•   100% security doesn’t exist
•   Security is not forever
Do’s
Assumptions


•   Clearly state the assumptions behind the system.

•   Code re-use can be dangerous: design assumptions might no longer be valid!
Assumptions

•   GSM:

     •   encryption only until the base station

     •   no need to authenticate the network (in Soviet mobile nation, network authenticates YOU!)
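The GSM item is an assumption with a visible consequence: if only the subscriber is authenticated, the phone has no way to refuse a base station that does not know its key. The code below is an added example, not from the slides or from any GSM specification: it models a one-way challenge-response (the shape of GSM's subscriber authentication) next to a mutual variant where the network must also prove knowledge of the shared key. The key, the HMAC-SHA256 stand-in for the SIM algorithm, the `Network`/`Subscriber` classes and the `"subscriber"`/`"network"` domain labels are all constructed for the demo.

```python
import hashlib
import hmac
import os

# Constructed demo key shared by the subscriber and the genuine network.
# Hypothetical value: not a real SIM key, and HMAC-SHA256 stands in for the
# operator's authentication algorithm only to show the protocol shape.
SHARED_KEY = b"constructed-demo-subscriber-key"


def mac(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


class Network:
    """key=None models a network (e.g. a rogue base station) that does not know the key."""

    def __init__(self, key):
        self.key = key
        self.rand = None

    def challenge(self) -> bytes:
        self.rand = os.urandom(16)
        return self.rand

    def accepts(self, sres: bytes) -> bool:
        if self.key is None:
            return True  # a network without the key cannot check anything, so it just says "welcome"
        return hmac.compare_digest(sres, mac(self.key, b"subscriber" + self.rand))

    def prove(self) -> bytes:
        """Proof that the network knows the key, bound to this challenge."""
        if self.key is None:
            return os.urandom(32)  # cannot compute the real proof; random bytes will not verify
        return mac(self.key, b"network" + self.rand)


class Subscriber:
    def __init__(self, key: bytes):
        self.key = key

    def respond(self, rand: bytes) -> bytes:
        return mac(self.key, b"subscriber" + rand)

    def check_network(self, rand: bytes, proof: bytes) -> bool:
        return hmac.compare_digest(proof, mac(self.key, b"network" + rand))


def one_way_attach(network: Network, sub: Subscriber) -> bool:
    """Only the subscriber is authenticated. Returns whether the phone ends up attached."""
    rand = network.challenge()
    return network.accepts(sub.respond(rand))


def mutual_attach(network: Network, sub: Subscriber) -> bool:
    """Both sides prove knowledge of the key; the phone refuses a network that cannot."""
    rand = network.challenge()
    if not network.accepts(sub.respond(rand)):
        return False
    return sub.check_network(rand, network.prove())


if __name__ == "__main__":
    phone, genuine, rogue = Subscriber(SHARED_KEY), Network(SHARED_KEY), Network(None)
    print("one-way, genuine network:", one_way_attach(genuine, phone))
    print("one-way, network without key:", one_way_attach(rogue, phone))
    print("mutual, genuine network:", mutual_attach(genuine, phone))
    print("mutual, network without key:", mutual_attach(rogue, phone))
```

Under the one-way protocol the phone attaches to the keyless network just as readily as to the genuine one, which is exactly the assumption the slide points at; the mutual version closes that gap with one extra message. The domain labels matter: without them a network could replay the subscriber's own response as its "proof".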
Assumptions

•   e-ID:

      •     PIN code is kept secret by the user
Assumptions
•   RFID:

      •   opponent cannot eavesdrop from more than 1 meter away
Do’s


•   Clearly state the assumptions behind the system.

•   Need for integrated approach
Integrated approach
Do’s


•   Clearly state the assumptions behind the system.

•   Need for integrated approach

•   Find the right mix of technology and law
“Gentlemen don’t go in through the exit”
Digital Rights Management
Digital Millennium Copyright Act
Spam
Legislation

• Electronic Signatures • Data retention
• Eavesdropping         • Computer Crime
Do’s

•   Clearly state the assumptions behind the system.

•   Need for integrated approach

•   Find the right mix of technology and law

•   Need for secure implementations
Secure implementations

 • “Nothing is more practical than a good theory”
 • “Theory is important, at least in theory”
Secure implementations
 • Consider:
  • Secure software/hardware (orlly?)
  • Side channel attacks
  • Buffer overflows
  • API errors
  • Random number generators
 • Model vs reality
Model vs Reality
Challenges
Challenges

•   Always room at the bottom:

    •   RFID

    •   Sensor networks

    •   Smartphones
Challenges

•   Always room at the bottom

•   Human Factors:

    •   usability (“This certificate is invalid.” - “OK”)

    •   social engineering
Challenges


•   Always room at the bottom

•   Human Factors

•   It’s the economy, stupid!
Challenges
•   It’s the economy, stupid!

    •   “No gain, no pain”

    •   Examples:

        •   Software (no liability)

        •   Credit cards in France
Questions to you
1. Did you _really_ implement secure software?
2. Do you trust your news service(s)?
3. Do you use Facebook’s privacy features?
4. Do you respect someone else’s privacy on Facebook?
5. Do you care?
Questions?
Disclaimer
Credits

•   Introduction to security and course overview,
    prof. dr. ir. Bart Preneel,
    Intensive Program on Information and Communication Security, July 2006


•   Google Images (most of the images)

•   Sigridschrijft.be / Sony (Terminator 4 poster)

Mais conteúdo relacionado

Semelhante a Information Security, some illustrated principles

Introduction To Computer Security
Introduction To Computer SecurityIntroduction To Computer Security
Introduction To Computer SecurityVibrant Event
 
Ethical Hacking - Introduction to Computer Security
Ethical Hacking - Introduction to Computer Security Ethical Hacking - Introduction to Computer Security
Ethical Hacking - Introduction to Computer Security Vibrant Event
 
sharing the data using audio and image Steganography-
sharing the data using audio and image Steganography- sharing the data using audio and image Steganography-
sharing the data using audio and image Steganography- Nikhil Praharshi
 
IoT Attack Surfaces -- DEFCON 2015
IoT Attack Surfaces -- DEFCON 2015IoT Attack Surfaces -- DEFCON 2015
IoT Attack Surfaces -- DEFCON 2015Daniel Miessler
 
Pre-Quiz Symantec Endpoint Encryption
Pre-Quiz Symantec Endpoint EncryptionPre-Quiz Symantec Endpoint Encryption
Pre-Quiz Symantec Endpoint EncryptionMatt Dawdy
 
Why isn't infosec working? Did you turn it off and back on again?
Why isn't infosec working? Did you turn it off and back on again?Why isn't infosec working? Did you turn it off and back on again?
Why isn't infosec working? Did you turn it off and back on again?Rob Fuller
 
Os Nightingale
Os NightingaleOs Nightingale
Os Nightingaleoscon2007
 
Beyond The Padlock: New Ideas in Browser Security UI
Beyond The Padlock: New Ideas in Browser Security UIBeyond The Padlock: New Ideas in Browser Security UI
Beyond The Padlock: New Ideas in Browser Security UImozilla.presentations
 
7 Things People Do To Endanger Their Networks
7 Things People Do To Endanger Their Networks7 Things People Do To Endanger Their Networks
7 Things People Do To Endanger Their Networksjaymemcree
 
Opsec for security researchers
Opsec for security researchersOpsec for security researchers
Opsec for security researchersvicenteDiaz_KL
 
Trustleap - Mathematically-Proven Unbreakable Security
Trustleap - Mathematically-Proven Unbreakable SecurityTrustleap - Mathematically-Proven Unbreakable Security
Trustleap - Mathematically-Proven Unbreakable SecurityTWD Industries AG
 
Disagree with "I Agree"
Disagree with "I Agree"Disagree with "I Agree"
Disagree with "I Agree"Pronovix
 
APIdays Paris 2018 - Disagree with “I Agree”. Enforcing Better GDPR Complianc...
APIdays Paris 2018 - Disagree with “I Agree”. Enforcing Better GDPR Complianc...APIdays Paris 2018 - Disagree with “I Agree”. Enforcing Better GDPR Complianc...
APIdays Paris 2018 - Disagree with “I Agree”. Enforcing Better GDPR Complianc...apidays
 
Needlesand haystacks i360-dublin
Needlesand haystacks i360-dublinNeedlesand haystacks i360-dublin
Needlesand haystacks i360-dublinDerek King
 
Care and Feeding of Healthy Computers
Care and Feeding of Healthy ComputersCare and Feeding of Healthy Computers
Care and Feeding of Healthy ComputersLorens Tech Solutions
 
Perimeter Defense in a World Without Walls
Perimeter Defense in a World Without WallsPerimeter Defense in a World Without Walls
Perimeter Defense in a World Without WallsDan Houser
 

Semelhante a Information Security, some illustrated principles (20)

Introduction To Computer Security
Introduction To Computer SecurityIntroduction To Computer Security
Introduction To Computer Security
 
Ethical Hacking - Introduction to Computer Security
Ethical Hacking - Introduction to Computer Security Ethical Hacking - Introduction to Computer Security
Ethical Hacking - Introduction to Computer Security
 
Ethical Hacking - Introduction to Computer Security
Ethical Hacking - Introduction to Computer SecurityEthical Hacking - Introduction to Computer Security
Ethical Hacking - Introduction to Computer Security
 
sharing the data using audio and image Steganography-
sharing the data using audio and image Steganography- sharing the data using audio and image Steganography-
sharing the data using audio and image Steganography-
 
IoT Attack Surfaces -- DEFCON 2015
IoT Attack Surfaces -- DEFCON 2015IoT Attack Surfaces -- DEFCON 2015
IoT Attack Surfaces -- DEFCON 2015
 
Pre-Quiz Symantec Endpoint Encryption
Pre-Quiz Symantec Endpoint EncryptionPre-Quiz Symantec Endpoint Encryption
Pre-Quiz Symantec Endpoint Encryption
 
Why isn't infosec working? Did you turn it off and back on again?
Why isn't infosec working? Did you turn it off and back on again?Why isn't infosec working? Did you turn it off and back on again?
Why isn't infosec working? Did you turn it off and back on again?
 
Os Nightingale
Os NightingaleOs Nightingale
Os Nightingale
 
Beyond The Padlock: New Ideas in Browser Security UI
Beyond The Padlock: New Ideas in Browser Security UIBeyond The Padlock: New Ideas in Browser Security UI
Beyond The Padlock: New Ideas in Browser Security UI
 
Juice Jacking 101
Juice Jacking 101Juice Jacking 101
Juice Jacking 101
 
7 Things People Do To Endanger Their Networks
7 Things People Do To Endanger Their Networks7 Things People Do To Endanger Their Networks
7 Things People Do To Endanger Their Networks
 
Opsec for security researchers
Opsec for security researchersOpsec for security researchers
Opsec for security researchers
 
Trustleap - Mathematically-Proven Unbreakable Security
Trustleap - Mathematically-Proven Unbreakable SecurityTrustleap - Mathematically-Proven Unbreakable Security
Trustleap - Mathematically-Proven Unbreakable Security
 
Cyber Security in a Fully Mobile World
Cyber Security in a Fully Mobile WorldCyber Security in a Fully Mobile World
Cyber Security in a Fully Mobile World
 
Disagree with "I Agree"
Disagree with "I Agree"Disagree with "I Agree"
Disagree with "I Agree"
 
APIdays Paris 2018 - Disagree with “I Agree”. Enforcing Better GDPR Complianc...
APIdays Paris 2018 - Disagree with “I Agree”. Enforcing Better GDPR Complianc...APIdays Paris 2018 - Disagree with “I Agree”. Enforcing Better GDPR Complianc...
APIdays Paris 2018 - Disagree with “I Agree”. Enforcing Better GDPR Complianc...
 
Computer & Data Security
Computer & Data SecurityComputer & Data Security
Computer & Data Security
 
Needlesand haystacks i360-dublin
Needlesand haystacks i360-dublinNeedlesand haystacks i360-dublin
Needlesand haystacks i360-dublin
 
Care and Feeding of Healthy Computers
Care and Feeding of Healthy ComputersCare and Feeding of Healthy Computers
Care and Feeding of Healthy Computers
 
Perimeter Defense in a World Without Walls
Perimeter Defense in a World Without WallsPerimeter Defense in a World Without Walls
Perimeter Defense in a World Without Walls
 

Último

Advanced Views - Calendar View in Odoo 17
Advanced Views - Calendar View in Odoo 17Advanced Views - Calendar View in Odoo 17
Advanced Views - Calendar View in Odoo 17Celine George
 
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...EduSkills OECD
 
Activity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdfActivity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdfciinovamais
 
Sports & Fitness Value Added Course FY..
Sports & Fitness Value Added Course FY..Sports & Fitness Value Added Course FY..
Sports & Fitness Value Added Course FY..Disha Kariya
 
A Critique of the Proposed National Education Policy Reform
A Critique of the Proposed National Education Policy ReformA Critique of the Proposed National Education Policy Reform
A Critique of the Proposed National Education Policy ReformChameera Dedduwage
 
Measures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and ModeMeasures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and ModeThiyagu K
 
Measures of Dispersion and Variability: Range, QD, AD and SD
Measures of Dispersion and Variability: Range, QD, AD and SDMeasures of Dispersion and Variability: Range, QD, AD and SD
Measures of Dispersion and Variability: Range, QD, AD and SDThiyagu K
 
BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...
BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...
BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...Sapna Thakur
 
JAPAN: ORGANISATION OF PMDA, PHARMACEUTICAL LAWS & REGULATIONS, TYPES OF REGI...
JAPAN: ORGANISATION OF PMDA, PHARMACEUTICAL LAWS & REGULATIONS, TYPES OF REGI...JAPAN: ORGANISATION OF PMDA, PHARMACEUTICAL LAWS & REGULATIONS, TYPES OF REGI...
JAPAN: ORGANISATION OF PMDA, PHARMACEUTICAL LAWS & REGULATIONS, TYPES OF REGI...anjaliyadav012327
 
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptxPOINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptxSayali Powar
 
Sanyam Choudhary Chemistry practical.pdf
Sanyam Choudhary Chemistry practical.pdfSanyam Choudhary Chemistry practical.pdf
Sanyam Choudhary Chemistry practical.pdfsanyamsingh5019
 
Organic Name Reactions for the students and aspirants of Chemistry12th.pptx
Organic Name Reactions  for the students and aspirants of Chemistry12th.pptxOrganic Name Reactions  for the students and aspirants of Chemistry12th.pptx
Organic Name Reactions for the students and aspirants of Chemistry12th.pptxVS Mahajan Coaching Centre
 
microwave assisted reaction. General introduction
microwave assisted reaction. General introductionmicrowave assisted reaction. General introduction
microwave assisted reaction. General introductionMaksud Ahmed
 
Nutritional Needs Presentation - HLTH 104
Nutritional Needs Presentation - HLTH 104Nutritional Needs Presentation - HLTH 104
Nutritional Needs Presentation - HLTH 104misteraugie
 
Student login on Anyboli platform.helpin
Student login on Anyboli platform.helpinStudent login on Anyboli platform.helpin
Student login on Anyboli platform.helpinRaunakKeshri1
 
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...Krashi Coaching
 
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptxSOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptxiammrhaywood
 
Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)eniolaolutunde
 
Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111Sapana Sha
 

Último (20)

Advanced Views - Calendar View in Odoo 17
Advanced Views - Calendar View in Odoo 17Advanced Views - Calendar View in Odoo 17
Advanced Views - Calendar View in Odoo 17
 
Mattingly "AI & Prompt Design: Structured Data, Assistants, & RAG"
Mattingly "AI & Prompt Design: Structured Data, Assistants, & RAG"Mattingly "AI & Prompt Design: Structured Data, Assistants, & RAG"
Mattingly "AI & Prompt Design: Structured Data, Assistants, & RAG"
 
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
 
Activity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdfActivity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdf
 
Sports & Fitness Value Added Course FY..
Sports & Fitness Value Added Course FY..Sports & Fitness Value Added Course FY..
Sports & Fitness Value Added Course FY..
 
A Critique of the Proposed National Education Policy Reform
A Critique of the Proposed National Education Policy ReformA Critique of the Proposed National Education Policy Reform
A Critique of the Proposed National Education Policy Reform
 
Measures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and ModeMeasures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and Mode
 
Measures of Dispersion and Variability: Range, QD, AD and SD
Measures of Dispersion and Variability: Range, QD, AD and SDMeasures of Dispersion and Variability: Range, QD, AD and SD
Measures of Dispersion and Variability: Range, QD, AD and SD
 
BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...
BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...
BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...
 
JAPAN: ORGANISATION OF PMDA, PHARMACEUTICAL LAWS & REGULATIONS, TYPES OF REGI...
JAPAN: ORGANISATION OF PMDA, PHARMACEUTICAL LAWS & REGULATIONS, TYPES OF REGI...JAPAN: ORGANISATION OF PMDA, PHARMACEUTICAL LAWS & REGULATIONS, TYPES OF REGI...
JAPAN: ORGANISATION OF PMDA, PHARMACEUTICAL LAWS & REGULATIONS, TYPES OF REGI...
 
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptxPOINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
 
Sanyam Choudhary Chemistry practical.pdf
Sanyam Choudhary Chemistry practical.pdfSanyam Choudhary Chemistry practical.pdf
Sanyam Choudhary Chemistry practical.pdf
 
Organic Name Reactions for the students and aspirants of Chemistry12th.pptx
Organic Name Reactions  for the students and aspirants of Chemistry12th.pptxOrganic Name Reactions  for the students and aspirants of Chemistry12th.pptx
Organic Name Reactions for the students and aspirants of Chemistry12th.pptx
 
microwave assisted reaction. General introduction
microwave assisted reaction. General introductionmicrowave assisted reaction. General introduction
microwave assisted reaction. General introduction
 
Nutritional Needs Presentation - HLTH 104
Nutritional Needs Presentation - HLTH 104Nutritional Needs Presentation - HLTH 104
Nutritional Needs Presentation - HLTH 104
 
Student login on Anyboli platform.helpin
Student login on Anyboli platform.helpinStudent login on Anyboli platform.helpin
Student login on Anyboli platform.helpin
 
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
 
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptxSOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
 
Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)
 
Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111
 

Information Security, some illustrated principles

  • 1. Information security some illustrated principles
  • 7. www.facebook.net phishing
  • 8. OMG pink poniezzz trojan horses
  • 9.
  • 10.
  • 14. spam
  • 17. Entity Authentication (Identification)
  • 21. Terminology & definitions • Cryptographers and computer security people talk a different language (e.g. ‘authentication’ vs ‘authorisation’) • Integrity(Data authentication? Entity authentication?) • Availability (Denial of Service? Non-repudiation?) • Confidentiality • Trust
  • 22. Terminology & definitions • Cryptographers and computer security people talk a different language (e.g. ‘authentication’ vs ‘authorisation’) • Integrity(Data authentication? Entity authentication?) • Availability (Denial of Service? Non-repudiation?) • Confidentiality • Trust
  • 23. Terminology & definitions • Cryptographers and computer security people talk a different language (e.g. ‘authentication’ vs ‘authorisation’) • Integrity(Data authentication? Entity authentication?) • Availability (Denial of Service? Non-repudiation?) • Confidentiality • Trust
  • 24. Terminology & definitions • Cryptographers and computer security people talk a different language (e.g. ‘authentication’ vs ‘authorisation’) • Integrity(Data authentication? Entity authentication?) • Availability (Denial of Service? Non-repudiation?) • Confidentiality • Trust
  • 25. Terminology & definitions • Cryptographers and computer security people talk a different language (e.g. ‘authentication’ vs ‘authorisation’) • Integrity(Data authentication? Entity authentication?) • Availability (Denial of Service? Non-repudiation?) • Confidentiality • Trust
  • 26. Vertrouwen (trust) ➡ Dieter Gollman: “Trust is not the ➡ Based on concept that ➡ reputation unifies security, it ➡ control and is an absolute punishment mess.” ➡ policy enforcement ➡ “If it is trusted, it ➡ ... or blind can hurt you.”
  • 27. Vertrouwen (trust) ➡ Dieter Gollman: “Trust is not the ➡ Based on concept that ➡ reputation unifies security, it ➡ control and is an absolute punishment mess.” ➡ policy enforcement ➡ “If it is trusted, it ➡ ... or blind can hurt you.”
  • 28. Vertrouwen (trust) ➡ Dieter Gollman: “Trust is not the ➡ Based on concept that ➡ reputation unifies security, it ➡ control and is an absolute punishment mess.” ➡ policy enforcement ➡ “If it is trusted, it ➡ ... or blind can hurt you.”
  • 29. Vertrouwen Nieuws.be 27/11/’08 18u13: “A320 crasht in de Middellandse Zee.”
  • 30. Vertrouwen Luchtvaartnieuws.nl op 5/10/’07: “US Airways bestelt 92 Airbussen.”
  • 31. Nieuws.be: A320 Luchtvaartnieuws.nl: A350
  • 32. Vertrouwen Nieuws.be 27/11/’08 20u25: “A320 crasht in de Middellandse Zee.”
  • 33. Vertrouwen • In de praktijk: • cryptografische sleutel (bvb. encryptie) • toegangsrechten • digitale handtekeningen • “trusted computing”
  • 34. Vertrouwen • In de praktijk: • cryptografische sleutel (bvb. encryptie) • toegangsrechten • digitale handtekeningen • “trusted computing”
  • 35. Vertrouwen • In de praktijk: • cryptografische sleutel (bvb. encryptie) • toegangsrechten • digitale handtekeningen • “trusted computing”
  • 36. Vertrouwen • In de praktijk: • cryptografische sleutel (bvb. encryptie) • toegangsrechten • digitale handtekeningen • “trusted computing”
  • 37. Information Security Principles • Be clear about definitions
  • 39. Don’ts • Security and complexity do not mix
  • 40. Don’ts • Security and complexity do not mix: • operating system • network architecture • applications • mobile code • services: XML, SOAP, VoIP (through the firewall!) • always on connections (botnets!)
  • 46. Don’ts • Security through obscurity: • mobile phone systems: GSM in US • DVD copyright protection (DVD Jon!) • Sony rootkit • Diebold voting machines • Microsoft • Cisco router OS • physical locks • blacking out text in PDF (hack: “read out loud”)
  • 54. Don’ts • Risk avoidance: • accept the risk • reduce risk with technology • reduce risk with procedures • reduce risk with insurance • reduce risk with disclaimers • transfer the risk (e.g.: from data to key)
  • 60. Don’ts • Security is not forever: • Cryptography: • 1958 vs now: peanuts • now vs 2058: ? • Advances in: • reverse engineering • side channel attacks
  • 62. Don’ts • Security and complexity don’t mix • Security through obscurity does not work • 100% security doesn’t exist • Security is not forever
  • 64. Assumptions • Clearly state the assumptions behind the system. • Code re-use can be dangerous: design assumptions might no longer be valid!
  • 65. Assumptions • GSM: • encryption only up to the base station • no need to authenticate the network (in Soviet mobile nation, network authenticates YOU!)
  • 66. Assumptions • e-ID: • PIN code is kept secret by the user
  • 67. Assumptions • RFID: • opponent cannot eavesdrop from more than 1 meter away
  • 68. Do’s • Clearly state the assumptions behind the system. • Need for integrated approach
  • 70. Do’s • Clearly state the assumptions behind the system. • Need for integrated approach • Find the right mix of technology and law
  • 71. “Gentlemen don’t go in through the exit”
  • 74. Spam
  • 75. Legislation • Electronic Signatures • Data retention • Eavesdropping • Computer Crime
  • 79. Do’s • Clearly state the assumptions behind the system. • Need for integrated approach • Find the right mix of technology and law • Need for secure implementations
  • 80. Secure implementations • “Nothing is more practical than a good theory” • “Theory is important, at least in theory”
  • 81. Secure implementations • Consider: • Secure software/hardware (orlly?) • Side channel attacks • Buffer overflows • API errors • Random number generators • Model vs reality
  • 84. Challenges • Always room at the bottom: • RFID • Sensor networks • Smartphones
  • 85. Challenges • Always room at the bottom • Human Factors: • usability (“This certificate is invalid.” - “OK”) • social engineering
  • 86. Challenges • Always room at the bottom • Human Factors • It’s the economy, stupid!
  • 87. Challenges • It’s the economy, stupid! • “No gain, no pain” • Examples: • Software (no liability) • Credit cards in France
  • 89. 1. Did you _really_ implement secure software?
  • 90. 2. Do you trust your news service(s)?
  • 91. 3. Do you use Facebook’s privacy features?
  • 92. 4. Do you respect someone else’s privacy on Facebook?
  • 93. 5. Do you care?
  • 96. Credits • Introduction to security and course overview, prof. dr. ir. Bart Preneel, Intensive Program on Information and Communication Security, July 2006 • Google Images (most of the images) • Sigridschrijft.be / Sony (Terminator 4 poster)