What are the four key aspects to assessing a threat for a given system?
- Think like an attacker.
- Learn to program defensively.
- Learn to reason about threats and risks.
- Learn the costs and benefits of defending/not defending against certain threats
What is Computer Security?
The study of how systems work in the presence of adversaries,
Who are Adversaries?
Some entity that is actively trying to get the system to misbehave/do something it isn’t supposed to do.
In OUR context, adversaries are other people or algorithms, and they adapt much more quickly than nature does.
Example: we build a building with shocks to prevent earthquakes (earthquakes are the adversaries, the thing we are trying to protect is our infrastructure).
What is the Security Mindset?
It means to think like both an attacker and a defender.
When thinking as an attacker:
- Understand techniques for circumventing a defense.
- Look for ways security can break, not the reasons why it won’t.
When thinking like a defender:
- Know what you’re defending and against whom.
- Weigh the benefits vs costs: no system is ever completely secure.
- Decide what you care most about defending.
- Narrow down list of assets to protect and people to protect from and then do cost/benefit analysis.
What is Rational Paranoia?
It is being a little paranoid about security provided that you’ve done a good cost/benefit analysis.
When thinking like an attacker, what do you need to do?
- Look for the weakest links (maybe old libraries being used?).
- Identify assumptions that security depends on.
- Do not think like the designer of the system. Think outside the box.
- Think like someone who will cheat the system.
When thinking like an defender, what do you need to do?
- Create a security policy - what are you trying to defend and what does security mean?
- Build a thread model - who is the adversary, what do they want, what can they do, how much money/time will they put into breaking the system?
- Assess Risk - What is the worst case scenario if the attacker succeeds?
- Countermeasures - how can we prevent some of these attacks? Is it worth it to prevent them?
What does a Security Policy entail?
It outlines what assets you are trying to defend and what we mean by “secure”. There are four elements we want to protect:
- Authenticity: we want to ensure that a message was generated by the right person.
- Integrity: we want to ensure that no one has tampered with the messages/data we have.
- Confidentiality: we want to ensure that only certain parties who are authorized see the data.
- Availability: we want to ensure that people who are supposed to have access to data can actually get access.
What are Threat Models?
Threat models outline:
- Who the adversary is.
- What their capabilities are.
- What kind of attacks we want to prevent.
- What attacks we should ignore (cost/benefit analysis).
Examples:
Capabilities: Adversaries have different capabilities. For example, if a classmate is an adversary, it’s not a huge issue because they have far fewer resources to attack you. A government might have super computers though, so that is a more dangerous/powerful adversary.
Kinds of Attacks: We can’t make an exhaustive list of attacks we know could happen, but we do need a list of narrowed down attacks that are important that we can protect against. We need to prevent attacks that are focused against our security policy. Anything outside of that is less important.
Cost/Benefit Analysis: There are some attacks we know can happen but we don’t worry about. For example, Facebook doesn’t worry about spies who come into the company to collect information. Protecting against this is too difficult, it’s not worth doing.
How do we assess risk of different attacks?
There are direct and indirect costs.
A direct cost might be an attack that results in an attacker crashing our service.
An indirect cost might be an attacker leaking social security numbers which leads to a class action law suit against us.
The equation for risk is: probability of attack * probability of success * what you have to lose.
To minimize risk, you an do things like use technical and non-technical defenses (audits, policies, etc.), or you can minimize incentives for attackers to attack.
Insider attacks are a big issue to worry about as well.
