Information Security CS 526 Lecture 1

1
Information Security CS 526Lecture 1

• Overview of the Course

2
See the Course Homepage

• http//www.cs.purdue.edu/homes/ninghui/courses/526
  _Fall08/index.html

3
Why Information Security?

• Information systems (and stored information) are
  under attacks and suffer damages
• Who are the attackers?
• bored teenagers, criminals, organized crime
  organizations, rogue states, industrial
  espionage, malicious insiders,
• Why they do it?
• fun,
• fame,
• profit,
• information is money

4
Information Security Issues

• Computer break-ins
• Computer worms
• Distributed denial of service attacks
• Email spams
• Identity theft
• Spyware
• Botnets
• Serious security flaws in many important systems
• electronic voting machines

5
A likely spam email

• From Femi Madariola (maddey2001_at_yahoo.com)
• To imolloy_at_cs.purdue.edu ninghui_at_cs.purdue.edu
  jiangtao.li_at_intel.com
• Subject RE Dynamic Virtual Credit Card Numbers
• Dear Sir/Ma,
• I'm mailing you as regards a project i read which
  was co-authored by you with the aforementioned
  title. I will like to commend you on the project
  which was well written, well doctored piece of
  work and very enlightening.
• I'm writing this mail on behalf of BottomNaira
  enterprises for two reasons and they are
• 1.) we want to know if the project you wrote
  about is implementable as a business solution,
• 2.) we also want to know if you would be willing
  to provide us with the algorithm for the software
  or help us in the implementation of the software.

6
A likely spam email (cond)

• BottomNaira Enterprises is a small business
  company based in Nigeria run by young
  entrepreneurs, that helps Nigerians pay for
  purchases made abroad using e-commerce. This is a
  niche we were able to explore in Nigeria due to
  the poor credit ratings of most 95 of Nigerians.
  Our website is undergoing some repairs at the
  moment but you can google bottomnaira, to be sure
  this is not a scam mail. We have outdated system
  that we use currently which is costing the
  company much more money, time and team effort.
  That is why we've been looking around for a more
  improved model and refined model like the one
  proposed in your project.
• We would really appreciate it if you can get back
  to us as soon as possible with a reply to this
  mail.
• Thank you for your anticipated co-operation.
• Femi Madariola
• for BottomNaira enterprises.

7
Security is Secondary

• What protection/security mechanisms one has in
  the physical world?
• Why the need for security arises?
• Security is secondary to the interactions that
  make security necessary.

8
Security is not Absolute

• Is your car secure?
• What does secure mean?
• What security mechanisms improve your cars
  security?
• Security is relative
• to the kinds of loss one consider
• security objectives/properties need to be stated
• to the threats/adversaries under consideration.
• security is always under certain assumptions

9
Information Security is Interesting

• The most interesting/challenging threats to
  security are posed by human adversaries
• security is harder than reliability
• Information security is a self-sustained field
• Security is about risk/cost tradeoff
• thought often the tradeoff analysis is not
  explicit
• Security is not all technological
• humans are often the weakest link

10
Information Security is Challenging

• In which ways information security is more
  difficult than physical security?
• adversaries can come from anywhere
• computers enable large-scale automation
• adversaries can be difficult to identify
• adversaries can be difficult to punish
• potential payoff can be much higher
• In which ways information security is easier than
  physical security?

11
Information Security Goals

• Confidentiality (secrecy, privacy)
• only those who are authorized to know can know
• Integrity (authenticity)
• only modified by authorized parties and in
  authorized ways
• Availability
• those authorized to access can get access

12
Tools for Information Security

• Cryptography
• Access control
• Processes and tools for developing more secure
  software
• Monitoring and analysis
• Recovery and response

13
Security Principles

• Principle of adequate protection
• Goal is not to maximize security, but to maximize
  utility while limiting risk to an acceptable
  level within reasonable cost
• Principle of effectiveness
• Controls must be used?and used properly?to be
  effective. they must be efficient, easy to use,
  and appropriate
• Psychological acceptability
• Principle of weakest link
• Principle of defense in depth
• Security by obscurity doesnt work

14
Ethical use of security information

• We discuss vulnerabilities and attacks
• Most vulnerabilities have been fixed
• Some attacks may still cause harm
• Do not try these at home
• Purpose of this class
• Understand information security threats
• Learn to prevent malicious attacks and/or limit
  their consequences
• Learn to think about security when doing things

15
Readings for This Lecture

• Information Security
• on wikipedia
• http//en.wikipedia.org/wiki/Information_security

16
Coming Attractions

• Symmetric Cryptography