
1 The Big Picture: Practical, Economic, Legal Considerations
CS 470 Introduction to Applied Cryptography
Instructor: Ali Aydin Selcuk
(Slide footer: CS470, A. Selcuk, The Big Picture)

2 Prudent Practices for Info. Sec.
Compartmentalize
– Not everyone should have access to everything
– e.g., root vs. user accounts, kernel vs. user mode
– "least privilege" principle: each subject gets only the rights its task requires, so a compromised part exposes as little as possible
– need-to-know basis
Secure the weakest link
– Attackers go around strong controls rather than through them; a 10,000-bit symmetric key buys nothing when the key is protected by a guessable password or a buggy implementation
Use choke points
– Constrain access to the system (gateways, firewalls, etc.) so that there are few paths to watch and control

3 Prudent Practices (cont'd)
Provide "defense in depth": no single control should be the only thing between the attacker and the asset
– E.g., in bank security: door lock, alarm, safe
– E.g., firewall, IDS, an internal firewall
Don't release unnecessary information
– E.g., version of the OS or of the program running (banners, HTTP headers, default error pages); it lets an attacker pick exploits without probing
Embrace simplicity: complexity hides bugs and defeats review
Educate & convince users
Question your assumptions constantly
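A check for the "don't release unnecessary information" point, written as an added example (it is not from the lecture slides): it parses a raw HTTP response and flags headers and body fragments that disclose product names and versions. Both sample responses below are constructed for illustration; the header list and the version pattern are illustrative assumptions, not a complete catalogue.

```python
"""Audit an HTTP response for unnecessary version disclosure.

Added example, not code from the CS470 slides. Looks for the software
name/version strings that the slide says a system should not hand out.
"""
import re

# Headers that commonly carry product/version strings.
# Assumption: illustrative list, not exhaustive.
LEAKY_HEADERS = ("server", "x-powered-by", "x-aspnet-version",
                 "x-aspnetmvc-version", "x-generator")

# "name/1.2.3" style tokens, e.g. "Apache/2.4.41" or "PHP/7.4.3".
# May also match URL paths such as "com/1.2.3"; treat body hits as leads.
VERSION_RE = re.compile(r"\b[A-Za-z][\w.+-]*/\d+(?:\.\d+)+")

# Constructed sample: a default Apache 404 page with PHP enabled.
LEAKY = ("HTTP/1.1 404 Not Found\r\n"
         "Server: Apache/2.4.41 (Ubuntu)\r\n"
         "X-Powered-By: PHP/7.4.3\r\n"
         "Content-Type: text/html\r\n"
         "\r\n"
         "<html><body><h1>Not Found</h1>\r\n"
         "<address>Apache/2.4.41 (Ubuntu) Server at www.example.com Port 80</address>\r\n"
         "</body></html>")

# Constructed sample: same page after banner and signature are suppressed.
HARDENED = ("HTTP/1.1 404 Not Found\r\n"
            "Server: Apache\r\n"
            "Content-Type: text/html\r\n"
            "\r\n"
            "<html><body><h1>Not Found</h1></body></html>")


def parse_response(raw: str):
    """Split a raw HTTP/1.x response into (status_line, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def find_version_leaks(raw: str):
    """Return a list of (location, value) findings for version disclosures."""
    _, headers, body = parse_response(raw)
    findings = []
    for name in LEAKY_HEADERS:
        value = headers.get(name)
        if value is None:
            continue
        # A bare product name ("Server: Apache") is tolerated; a version is
        # not, and any of the other headers reveals the stack by its presence.
        if name != "server" or VERSION_RE.search(value):
            findings.append((name, value))
    # Default error pages often end with "<address>Apache/2.4.41 ... Server at".
    for m in VERSION_RE.finditer(body):
        findings.append(("body", m.group(0)))
    return findings


if __name__ == "__main__":
    for label, sample in (("leaky", LEAKY), ("hardened", HARDENED)):
        print(label, find_version_leaks(sample))
```

On real servers the leak is closed with configuration rather than code: `ServerTokens Prod` and `ServerSignature Off` for Apache httpd, `server_tokens off;` for nginx, and `expose_php = Off` in php.ini remove the strings the check above flags.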

4 80/20 Rule of InfoSec
Pareto principle: the top 20% of the population owns 80% of the land.
80/20 Rule of InfoSec (according to Symantec): a few basic measures remove most of the risk.
1. Remove unneeded services
– remove components, programs, and services from your system until only the minimum "business needed" remain
– every service removed is one fewer thing to patch and one fewer way in
2. Keep patch levels current (helped by item 1)
– use automation whenever possible
– give priority to public-facing and internal servers
3. Enforce strong passwords
– long, mixed-character passwords
– periodic changes
Note: later guidance (NIST SP 800-63B) advises against forced periodic changes unless compromise is suspected; it favors length and screening against known-breached passwords.
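An audit for item 1, written as an added example (not code from the slides or from Symantec): it parses the output format of `ss -lntup` on Linux, compares every listening socket against an allowlist of "business needed" services, and reports what should be removed, what is running under an unexpected process, and what is bound more widely than policy permits. The `ss` output and the allowlist below are constructed for a hypothetical web host, not captured from a real system.

```python
"""Audit listening sockets against an allowlist of needed services.

Added example, not from the CS470 slides. Parses `ss -lntup` style output
and flags every listener that is not on the "business needed" allowlist.
"""
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample of `ss -lntup` output (not captured from a real host).
SAMPLE_SS = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:22        0.0.0.0:*         users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      511    0.0.0.0:80        0.0.0.0:*         users:(("nginx",pid=1020,fd=6))
tcp   LISTEN 0      128    0.0.0.0:3306      0.0.0.0:*         users:(("mysqld",pid=1100,fd=21))
tcp   LISTEN 0      128    0.0.0.0:23        0.0.0.0:*         users:(("inetd",pid=600,fd=5))
tcp   LISTEN 0      128    [::]:22           [::]:*            users:(("sshd",pid=812,fd=4))
udp   UNCONN 0      0      0.0.0.0:111       0.0.0.0:*         users:(("rpcbind",pid=400,fd=6))
"""

# Allowlist: (proto, port) -> (expected process, allowed scope).
# Assumption: illustrative policy for a hypothetical web host.
ALLOWED = {
    ("tcp", 22): ("sshd", "any"),
    ("tcp", 80): ("nginx", "any"),
    ("tcp", 3306): ("mysqld", "local"),   # the DB may only listen on loopback
}

LOOPBACK = {"127.0.0.1", "[::1]", "::1"}
PROC_RE = re.compile(r'\("([^"]+)"')


@dataclass(frozen=True)
class Listener:
    proto: str
    addr: str
    port: int
    process: str


def parse_ss(text: str) -> list[Listener]:
    """Parse `ss -lntup` style lines (header row first) into Listener records."""
    listeners = []
    for line in text.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) < 5:
            continue
        proto, local = fields[0], fields[4]
        addr, _, port = local.rpartition(":")   # also splits "[::]:22" correctly
        m = PROC_RE.search(line)
        process = m.group(1) if m else "?"      # "?" when ss lacked permission
        listeners.append(Listener(proto, addr, int(port), process))
    return listeners


def audit(listeners: list[Listener], allowed=ALLOWED) -> list[str]:
    """Return one finding per listener that violates the allowlist."""
    findings = []
    for l in listeners:
        rule = allowed.get((l.proto, l.port))
        exposed = l.addr not in LOOPBACK
        where = f"{l.proto}/{l.port} ({l.process} on {l.addr})"
        if rule is None:
            sev = "HIGH" if exposed else "MEDIUM"
            findings.append(f"{sev}: unneeded service {where}; remove or disable it")
        elif l.process != rule[0]:
            findings.append(f"HIGH: unexpected process {where}; policy expects {rule[0]}")
        elif rule[1] == "local" and exposed:
            findings.append(f"MEDIUM: {where} must bind to loopback only")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_ss(SAMPLE_SS)):
        print(finding)
```

Run against the sample, the script reports telnet via inetd and rpcbind as unneeded exposed services and the database as bound to all interfaces against policy; sshd and nginx pass. Feeding it live data is `ss -lntup | python3 audit.py` with `SAMPLE_SS` replaced by `sys.stdin.read()`.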

5 Economic Drawbacks
Ordinary users don't care much about security (they care more about fancy features)
First-mover advantage
– Ship the product now; get it right by v3 (e.g., Microsoft IE)
Asymmetric information
– There is no easy way to tell a good security product from a bad one,
– which pulls prices & quality down: buyers won't pay for quality they cannot verify

6 Economic Drawbacks (of lesser significance)
Differentiated pricing
– Low-cost alternatives are kept poorer in quality (on purpose) to protect the premium product
– any security-product applications?
Network effects
– The number of users determines the value of a product
– E.g., telephone, fax, the Internet, eBay, etc.
– Security: not-so-tight security helps attract developers & users (any practical cases?)

7 Legal Drawbacks
Who is liable (in addition to the attacker)?
– the manufacturer of the faulty software?
– the ISP from which the attack originated?
– the victim's system administrator?
– the network operators?
Each of these parties could help reduce the potential of an attack, but without liability they have little incentive to do so.

8 Other Drawbacks
Lack of information sharing
– Market forces discourage revealing past incidents (to protect consumer confidence)
– e.g., Citibank, 1995 ("Don't publicize")
– Result: no reliable information or estimates (attempted solution: CERTs, the Center for Internet Security)
Position of the interior
– The attacker has the initiative of when & where to hit; the defender has to cover every point
Potential solution (partial):
– UL model (Underwriters Laboratories style certification), pushed by the insurance industry (may solve the problem of product evaluation)
– Limitation: software security is hard to evaluate

9 Detection, Response, Risk Management
Prevention alone is not sufficient; detection & response mechanisms are also needed. (E.g., no door lock alone prevents burglaries; locks are paired with alarms and a police response.)
Risk management
– Risks will always be with us; the point is to know how to manage them.
Every security system must answer:
– Defense against what kind of adversary, with what resources?
– What is the potential loss?
– Only with both answers can the cost of a control be weighed against the loss it averts.

