to cyber security
Week Introduction
FIT2093 INTRODUCTION TO CYBERSECURITY
www.monash.edu.au
Intro to Cyber Security
● What is Cyber Security?
○ the Security Problem: Alice & Bob ++
● Security Goals: C,I,A + A
● Types of attacks on Security Goals
● Approaches for how to achieve Security Goals
● Security principles
● Brief Overview of this unit
Cyber Security: What?
● Multiple parties
○ different ownership/values/sides
○ yet humans have to interact
○ protect individual interests/rights
○ some parties malicious → misbehave
● Misbehaviour negatively affects
○ individual interests/assets/things you feel are important
# Cyber Security: What? #
● Multiple parties
○ different ownership/sides
○ I/me/mine/my
“my phone, I lend to you, but still my phone”
“my money I give you, need proof I did it”
“only do it if I’m there”
# Assets? #
● Q: what things are important to individuals?
○ …
Q: What type of asset is most valuable to you? One which you don’t want compromised
Activity (5 mins)
1) Click the latest link in the Zoom chat
2) Add your question response to the Ed forum
# Assets #
Assets that may need protection:
● Data/Information
● Hardware
■ Computer: process data
■ Network: transfer data
■ Infrastructure: store/transfer/process data
■ Sensors (IoT): sense data
● Software: process data
● Communication facilities & networks: transfer data
i.e. what you own (data) or things that act on them
# How are Assets Attacked? #
● Q: What bad thing (attack) could happen to what you value the most (asset)? i.e. what attacks could apply to assets?
Q: How could your asset be attacked?
Activity (5 mins)
1) Click the latest link in the Zoom chat
2) Add your question response to the Ed forum
Recap: Keywords so far
● The Problem:
○ Multiple parties
■ individual → assets
■ malicious → misbehave/attacks
● The Solution:
○ Cybersecurity
Cyber Security: What?
● systems designed to protect assets against attacks
● i.e. how to design systems that work even in the presence of malicious (adversarial) entities
● systems?
○ technologies, processes, practices
● assets?
○ data, networks, computers, programs
# Example Scenario #
● Monash’s 2-factor AUTH system
Q: Example point of attack on Monash’s 2-factor Auth system?
Would it be enough to break the system?
Activity (5 mins)
1) Click the latest link in the Zoom chat
2) Add your question response to the Ed forum
Recap: Keywords so far
● The Problem:
○ Multiple parties
■ individual → assets
■ malicious → misbehave/attacks → at different points
● The Solution:
○ Cybersecurity
Principle #1
● The Problem:
○ attacks → at different points
● The Solution:
○ Cybersecurity
○ Weakest Link Principle
■ By default, “system is only as secure as the weakest link”
● defender: how many points to defend?
● attacker: how many points to attack?
● Q: example of weakest link?
● Motivation for multi-factor security mechanisms!
Security Goals
Attacks on …
● Attacks aimed at some aspect of your assets:
○ Note: security aims to prevent these
● Secrecy / Confidentiality (C)
● Integrity (I)
● Authentication (A)
● Availability (A)
Q: How can you break confidentiality? Give an example.
Activity (5 mins)
1) Click the latest link in the Zoom chat
2) Add your question response to the Ed forum
# Attacks on CONFidentiality #
Q: How can you break integrity? Give an example.
Activity (5 mins)
1) Click the latest link in the Zoom chat
2) Add your question response to the Ed forum
# Attacks on INTegrity #
Q: How can you break authentication of the source? Give an example.
Activity (5 mins)
1) Click the latest link in the Zoom chat
2) Add your question response to the Ed forum
# Attacks on AUTHentication #
Q: How can you break availability? Give an example.
Activity (5 mins)
1) Click the latest link in the Zoom chat
2) Add your question response to the Ed forum
# Attacks on AVaiLability #
Recap: Keywords so far
● The Problem:
○ Multiple parties
■ individual → assets
■ malicious → attacks at different points → on different aspects: C, I, A, …
● Note: attacker’s goal: break C, I, A, …
● The Solution:
○ Cybersecurity
■ Weakest link principle
■ aim to prevent attacks on different aspects
● Note: security’s goal: prevent attacker’s goals, want C, I, A, …
Recap: Keywords so far
● The Problem:
○ Multiple parties
■ individual → assets
■ malicious → attacks at different points → break C, I, A, …
● The Solution:
○ Cybersecurity
■ Weakest link principle
■ Security goal: C, I, A, …
… some Terms …
○ circumstances that have the potential to cause loss or harm
● Vulnerability
○ a weakness in a computer system that might be exploited to cause loss (of information) or harm (the contents)
○ an action that exploits a vulnerability
○ any action that compromises the security of system/information owned by organisation/individual
● Control (a.k.a. countermeasure)
○ A technique or procedure to remove or reduce a vulnerability.
# Example Threats #
● info disclosure
○ vs … what security goal?
● deception
○ vs …
● alteration
○ vs …
Vulnerability Types
● Design level vulnerabilities
○ Flaw in logic of how system/protocols work
■ either hardware, software, human protocol flaw
■ e.g. 1. (software protocol flaw): store private info in clear form on a publicly accessible company website
■ e.g. 2. (human protocol flaw): lack of training policy for all employees to verify credentials of caller before giving out private company information … e.g. banks
○ May be due to lack of or incorrect use of security controls/mechanisms
○ Should be found & fixed at design stage by a security design review
Vulnerability Types
● Implementation level vulnerabilities
○ Flaw in details of how design is realised
■ either hardware, software, human implementation flaw
■ e.g. 1. (software implementation flaw): bug in code of a security mechanism that allows attacker to reveal private info
■ e.g. 2. (human policy implementation flaw): employees don’t follow company security policy correctly, and reveal info to a caller without checking the latter’s credentials
○ Should be found in implementation security testing/review stage
# Example Attacks: How #
○ Exposure (leakage of secrets)
○ Interception/Eavesdropping (on communication)
○ Inference, Observation (of behavior, patterns)
○ Intrusion (access to secrets)
# Example Attacks: How #
○ Exposure (leakage of secrets)
○ Interception/Eavesdropping (on communication)
○ Inference, Observation (of behavior, patterns)
○ hard to trace/detect
○ best to prevent
○ Intrusion (access to secrets)
Example Attack on CONF
Vulnerability: incorrect use of password protection cryptographic mechanism (We’ll revisit this in user authentication lecture)
# Example Attacks: How #
○ Fabrication (inject/insert/generate fakes/counterfeits as valid)
○ Modification (change/tamper, man-in-the-middle)
Example Attack on INT: WannaCry Ransomware
Vulnerability: Operating System bug
# Example Attacks: How #
○ Impersonation/Masquerade (pretend to be another)
○ Repudiation (deny being there/involved)
Example Attack on AUTH
Vulnerability: command injection vulnerability in Java log4j logging library (We’ll revisit this kind of vulnerability in software/web app security lecture)
# Example Attacks: How #
○ Interruption/Disruption a.k.a. denial of service (DoS)
■ e.g. unavailable/unusable/inaccessible/super slow
Example Attack on AVL
Vulnerability: insufficient DoS mitigation mechanisms
Recap: Keywords so far
● The Problem:
○ Multiple parties
■ individual → assets, vs
■ malicious → attacks:
● at different points → break C, I, A, …
● how? by … interception, fabrication, …
● The Solution:
○ Cybersecurity
■ Weakest link principle
■ Security goal: C, I, A, …
General Attack Types
○ e.g. eavesdrop, observe, infer, leak, sniff, traffic analysis, wiretap, …
○ hard to detect, best to prevent
○ e.g. replay, modify, delete, masquerade, …
○ hard to prevent, next best is to detect
Security Goals & How
General Security Approaches
● prevent: let it not happen (pre-emptive)
● detect: know if it happens
● recover: get back the security (post incident)
[Figure labels: prevent, detect, recover]
Q: How to achieve CONFidentiality? Give an example.
Activity (5 mins)
1) Click the latest link in the Zoom chat
2) Add your question response to the Ed forum
3) Add your “hearts” to your favourite responses
Confidentiality (C): How?
● Gist of the Goal: secret data remains CONFidential
○ gist: hard to detect attacks on CONF, try to prevent
○ not all can access
○ only some can access: be selective
● Q: how to enforce this?
○ access control: check who, & grant access
○ encryption: lock, only some have key
Q: How to achieve INTegrity? Give an example.
Activity (5 mins)
1) Click the latest link in the Zoom chat
2) Add your question response to the Ed forum
3) Add your “hearts” to your favourite responses
Integrity (I): How?
● Prevent modifications?
○ For physically protected system: yes, use access control
○ E.g. remote login to physically protected server
○ For physically exposed communication & systems: no!
○ e.g. Internet communications, cloud storage
○ don’t own the channel/system, no control, can’t prevent
● Detect modifications
○ next best option
○ use something like checksum, check if data unchanged
○ Q: if data changed, can’t we change the checksum?
○ Q: how to enforce? make it selective
■ only good guys can compute correct checksum
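Added example (not part of the original slides): the two questions above, worked through in Python. It assumes SHA-256 as the plain checksum and HMAC-SHA256 as the "selective" checksum that only key holders can compute; the slide names neither, and the message, key and function names are constructed for illustration.

```python
import hashlib
import hmac
import secrets


def checksum(data: bytes) -> bytes:
    """Unkeyed checksum: anyone who can read the data can compute it."""
    return hashlib.sha256(data).digest()


def keyed_checksum(key: bytes, data: bytes) -> bytes:
    """Keyed checksum (HMAC-SHA256): computing it requires the shared key."""
    return hmac.new(key, data, hashlib.sha256).digest()


def tamper(data: bytes) -> tuple[bytes, bytes]:
    """Constructed party on the channel: changes the data and recomputes
    the only tag it can produce without the key, the unkeyed checksum."""
    changed = data.replace(b"100", b"900")
    return changed, checksum(changed)


def receiver_accepts_unkeyed(data: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(checksum(data), tag)


def receiver_accepts_keyed(key: bytes, data: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(keyed_checksum(key, data), tag)


def run_demo() -> dict[str, bool]:
    key = secrets.token_bytes(32)       # known to sender and receiver only
    message = b"transfer 100 to Bob"    # constructed sample message
    good_tag = keyed_checksum(key, message)
    changed, recomputed = tamper(message)
    return {
        # Data and checksum both replaced in transit: the change is not detected.
        "unkeyed_detects_change": not receiver_accepts_unkeyed(changed, recomputed),
        # Same change against the keyed checksum, with either tag the channel can supply.
        "keyed_detects_recomputed_tag": not receiver_accepts_keyed(key, changed, recomputed),
        "keyed_detects_stale_tag": not receiver_accepts_keyed(key, changed, good_tag),
        "keyed_accepts_honest": receiver_accepts_keyed(key, message, good_tag),
    }


if __name__ == "__main__":
    print(run_demo())
```

The keyed variant detects modification only while the key stays with the intended parties, so how the key is shared and stored is part of the same integrity guarantee.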
Q: How to achieve AUTHenticity? Give an example.
Activity (5 mins)
1) Click the latest link in the Zoom chat
2) Add your question response to the Ed forum
3) Add your “hearts” to your favourite responses
Authentication (A): How?
● check who/identity
● Q: how to check?
○ unique feature that s/he
■ knows: e.g. password
■ has: e.g. passport
■ is: e.g. biometrics
Principle #2
● The Problem:
○ dilemma: security vs cost/performance
● The Solution:
○ Timeliness Principle
■ only need to protect until asset loses value
○ Effectiveness Principle
■ correct, efficient, easy to use, appropriate
■ won’t cost more than asset’s value
Recap: Keywords so far
● The Problem:
○ Multiple parties
■ individual → assets, vs
■ malicious → attacks:
● at different points → break C, I, A, …
● how? by … interception, …
● The Solution:
○ Cybersecurity
■ Principles: Weakest link, timeliness, effectiveness
■ Security goals: C, I, A, … + How?
Topics covered in this Unit
Topics Plan
Part I: Basic Techniques for Cybersecurity
● Wk 2: Cryptography: Symmetric Key: mechanisms for CONF security
● Wk 3: Cryptography: Public Key I: mechanisms for CONF security
● Wk 4: Cryptography: Public Key II
● Wk 5: Cryptography techniques for Information INTegrity & AUTH
● Wk 6: Security Protocols
● Wk 7: Software & System Security I: vulnerabilities & defences (+ in-sem test)
… mid-sem break …
● Wk 8: Software & System Security II: entity AUTH & access control (+ Assignment 1 due)
Topics Plan
Part II: Applications & Emerging Topics
● Wk 9: Web Application Security
● Wk 10: Database Security, Privacy & Blockchain
● Wk 11: Machine learning/AI in cybersecurity (+ Assignment 2 due)
● Wk 12: Invited Industry lecture/Emerging topics in Cybersecurity
Further Reading
• Chapter 1 of the textbook: “Computer Security: Principles and Practice” by & , , 2015