-
spending to secure military, intelligence, and other agency computer networks is forecasted to rise 44% to 10.7 billion in 2013 from 7.4 billion this year
US Government
-
spending will grow 7% to 8% annually, significantly faster than IT, which has increased about 4% a year in the past 5 years
Security System
-
General Chilton said this is as much a domain as air, land, or sea
cyberspace
-
William Gibson came up with the term
Cyberspace
-
Hardware, Software, Storage Media, Data, Networks, People - What we are protecting
Computing System
-
Any available means, not necessarily obvious ways, not necessarily where defended, not necessarily how we expect
Principle of Easiest Penetration
-
Set of circumstances that can lead to loss or harm - rabid guard dog - hacker
Threat
-
Weakness in the security system - weak spot in a fence
Vulnerability
-
countered by controls
vulnerabilities
-
blocked by control of a vulnerability
threat
-
exploiting a vulnerability
Attack
-
Interception, Interruption, Modification(changes), Fabrication(counterfeits)
Threats
-
Interruption(DOS attack), Interception(Theft), Modification, Fabrication, Destruction - Laptops are a good example
Hardware Vulnerabilities
-
Fractional Rounding, Deletion, Modification, Theft
Software Vulnerabilities
-
A type of software vulnerability - includes logic bombs, viruses, trojan horses, back doors, keyloggers
modification
-
Interception, Destruction, CIA
Data Vulnerabilities
-
Protection equal to value - only until value is lost
Principle of Adequate Protection
-
Networks, Access(theft of service, malicious access, taking availability needed by legit users), People (social engineering)
Vulnerabilities in Other Exposed Assets
-
3 things needed to attack - can be applied to hackers and burglars (3rd only for hackers)
Method, Opportunity, Motive -- MOM
-
CIA =??
Confidentiality, Integrity, Availability aka security goals
-
secrecy, privacy - who should access what?
Confidentiality
-
Precise, Accurate, Unmodified, Modified only by authorized ways/people/processes, consistent, meaningful and usable
Integrity
-
Data and services, can get what we need - when we need it- in timely fashion, fault tolerance, concurrency issues
Availability
-
another goal of security goals - can prove that you are you
Authenticity
-
another goal of security goals - you cannot deny that it was you who sent or received a transaction
non repudiation
-
Essential for e-commerce
Confidentiality, Integrity, Availability, Authenticity, Non-Repudiation
-
Any crime involving a computer or aided by the use of a computer
computer crime
-
disgruntled employees, hackers(crackers/ Script Kiddies), Professionals, Terrorists
Amateurs - computer criminals
-
the possibility for harm to occur - likelihood, want to prevent, deter, deflect, detect, recover
Risk
-
Never one single ____ or type of ____
control
-
Mix Vendors so you have
Defense in depth
-
Jim is an example of
Clear text
-
L7x is an example of
Cyphertext
-
Internal program controls (DBMS access limitations), O/S and Network Controls (different users, different rights), Independent Control Programs (virus scanners, password checkers), Development Controls (quality control to minimize software faults)
Software Controls
-
Hardware encryption devices, Identification of user identities, firewalls, intrusion detection systems, storage media control
Hardware Controls
-
What is the difference between Policies and Procedures
- Policy is broad statement
- Procedures are specific actions taken
-
locks, cables, secure rooms
Physical controls
-
Controls that are not used are not controls - efficient, easy to use, appropriate
Principle of Effectiveness
-
security is as strong as the weakest control
Principle of Weakest Link
-
S-
T-
R-
O-
- Sender
- Transmission Medium
- Recipient
- Outsider(Interceptor)
-
O prevents the message from reaching R
Block
-
O reads the message(confidentiality lost)
Intercept
-
O changes the message (integrity lost)
Modify
-
O makes a message that looks like it came from S (integrity lost)
Fabricate
-
encoding a message so its meaning is not obvious - turning plaintext into cyphertext
Encryption
-
Encryption is also known as
encoding or enciphering
-
transforming an encrypted message to plain text - also known as decoding or deciphering
decryption
-
encrypts and decrypts
cryptosystem
-
Encryption and Decryption keys are the same
Symmetric Encryption
-
Encryption and Decryption keys are different
Asymmetric encryption
-
"security through obscurity" = doom
this isn't really cryptology, just hiding things
Lemon Juice is Keyless
Keyless Cipher
-
From the Greek kryptos meaning hidden and graphos meaning written
cryptography
-
studies encryption and encrypted messages
cryptanalyst
-
works for a legitimate sender
cryptographer
-
research into and study of encryption and decryption - includes both cryptography and cryptanalysis
cryptology
-
1. break a single message
2. Find patterns to develop a decryption algorithm
3. Infer meaning without breaking encryption
4. deduce the key
5. find the weaknesses in the implementation or environment or use of encryption
6. find general weaknesses in the algorithm without necessarily intercepting messages
cryptanalysis
-
goal is to read the message - not necessarily know the algorithm - faster computers change things
breakable encryption
-
substituting one character/symbol for each character of the message - monoalphabetic cipher, simple substitution, a shift cipher is a form of this
substitution cipher
-
is a shift or substitution cipher - adding ay to the end of words and shifting the first letter
pig latin
-
the ciphertext for a given plaintext letter p is obtained by adding a shift of 3, giving us the ciphertext letter c (a=d, etc.)
Caesar Cipher
-
Caesar Cipher weaknesses?
retains spacing between words and reveals double letters
-
characteristics of pairs of adjacent letters in a cipher
digram
-
characteristics of 3 adjacent letters in a cipher
Trigrams
-
combining two or more ciphers
product cipher
-
discovered in 1500s, attributed to Vigenere in the 1900s - decipher with a prearranged chart called a Vigenere tableau - relies on a key - creates a different shift for each letter of the alphabet
Vigenere Tableau
-
instead of a random string, we agree on a book or poem to use at some page, paragraph - Beale cipher is a form of this
book cipher
-
a precursor to the one time pad - developed by Gilbert Vernam of AT&T in 1917 for use with teletypewriters - used a paper tape key of random numbers - both the receiver and the sender have the same paper tape key = shared secret
vernam cipher
-
the remainder after a division process
modulus
-
perfect encryption - we each get a duplicate pad of random large, non repeating keys - works just like vernam cipher except a duplicate pad of sheets filled with random numbers is owned by both the sender and receiver
one time pads
-
logistics of sharing pads, danger of sharing pads, synchronizing what page on the pad to use, securely destroying used sheets/pads - not necessarily random
problems with one time pads
-
have been around a long time - only viable using a one time pad or some other shared secret
substitution ciphers
-
rearranging the symbols (letters) of a message into blocks - also known as columnar transpositions
transpositions (permutations)
-
generally speaking transpositions increase _____ because things are more jumbled up, spaces and word/letter patterns disappear
security
-
downsides of _____ - one mistake corrupts the rest of the message, requires a lot of space that grows with the size of the message - need n=entire message to decode
transpositions (permutations)
-
According to ____ ___ a good cipher =
amount of secrecy needed should determine the amount of labor appropriate for the encryption and decryption
set of keys and the enciphering algorithm should be free from complexity
implementation of the process should be as simple as possible
errors in ciphering should not propagate and cause corruption of further information in the message
the size of the enciphered text should be no larger than the text of the original message
Claude Shannon
-
founded information theory, digital computer theory and digital circuit theory
Shannon
-
based on sound mathematics, analyzed by competent experts, withstood the "test of time"
trustworthy encryption systems
-
O should not be able to predict what will happen to the ciphertext by changing one character in the plaintext
confusion
-
the cipher should spread the info from the plaintext over the entire cyphertext
diffusion
-
convert one symbol of plaintext immediately into one symbol of ciphertext - Pros: fast, few errors - Cons: low diffusion, can be corrupted if one character of the key is missing or wrong, insertion and modification (if break code, can swap letters around)
stream ciphers
-
encrypts group of plaintext symbols as one block - Pro: high diffusion, free from insertion - Con: slow, error propagation
block ciphers
-
probabilities, distributions, characteristics of the ciphertext, context
ciphertext only analysis
-
we have ciphertext and plaintext from a message - we try and break E (encryption algorithm)
known plaintext analysis