CS 470 Introduction to Applied Cryptography

The Big Picture: Practical, Economic, Legal Considerations

Instructor: Ali Aydin Selcuk




Prudent Practices for Info.Sec.

• Compartmentalize
  – Not everyone should have access to everything
  – e.g. root vs. user accounts, kernel vs. user mode
  – “least privilege” principle
  – need-to-know basis

• Secure the weakest link (a 10,000-bit symmetric key doesn’t make sense)

• Use choke points
  – Constrain access to the system (gateways, firewalls, etc.)
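The compartmentalization bullet combines two ideas: a role may only perform the actions it needs (least privilege), and even a permitted action is denied unless the subject has been granted the compartment the resource belongs to (need-to-know). The following deny-by-default check is an added example written for these notes; it is not code from the course. The roles, compartments and users in it are constructed for illustration.

```python
"""Added example: deny-by-default access check combining least privilege
(per-role action allowlist) with need-to-know (per-user compartment grants).
Roles, resources and users below are constructed, not from any real system."""
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple

# Least privilege: each role is given only the actions it needs.
# Anything not listed here is denied; unknown roles get nothing.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "analyst": {"read"},
    "operator": {"read", "restart"},
    "admin": {"read", "restart", "configure"},
}


@dataclass(frozen=True)
class Resource:
    name: str
    compartment: str  # the compartment (project, system) the resource lives in


@dataclass
class User:
    name: str
    role: str
    # Need-to-know: compartments explicitly granted to this user. Empty by default,
    # so even an "admin" sees nothing until someone grants a compartment.
    compartments: Set[str] = field(default_factory=set)


def decide(user: User, action: str, resource: Resource) -> Tuple[bool, str]:
    """Return (allowed, reason). Both checks must pass; the first failing
    check explains the denial so the decision can be logged and audited."""
    permitted = ROLE_PERMISSIONS.get(user.role, set())
    if action not in permitted:
        return False, "role '%s' may not '%s'" % (user.role, action)
    if resource.compartment not in user.compartments:
        return False, "no need-to-know for compartment '%s'" % resource.compartment
    return True, "allowed"


def is_allowed(user: User, action: str, resource: Resource) -> bool:
    return decide(user, action, resource)[0]


if __name__ == "__main__":
    payroll_db = Resource("payroll-db", "payroll")
    hr_files = Resource("hr-files", "hr")
    alice = User("alice", "analyst", {"payroll"})
    for action, res in (("read", payroll_db), ("read", hr_files), ("restart", payroll_db)):
        print(alice.name, action, res.name, "->", decide(alice, action, res))
```

The point the slide makes is the conjunction: holding a powerful role is not enough on its own, and being cleared for a compartment does not widen the set of actions a role may take. Keeping the two checks separate also makes the denial reason precise, which is what an audit log needs.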


Prudent Practices (cont’d)

• Provide “defense in depth”
  – E.g., in bank security: door lock – alarm – safe
  – E.g., firewall – IDS – an internal firewall

• Don’t release unnecessary information
  – E.g., version of the OS, of the program running, etc.

• Embrace simplicity

• Educate & convince users

• Question your assumptions constantly
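One concrete place where software releases unnecessary information is the response headers of a web server, which often advertise the exact server and language runtime version. The check below is an added example for these notes, not course code: it parses a raw HTTP response head and flags headers that carry a version string. Both sample responses are constructed, and the list of headers it inspects is an assumption chosen for illustration.

```python
"""Added example: flag HTTP response headers that disclose software versions.
The sample responses are constructed; the header list is an illustrative choice."""
import re
from typing import Dict, List, Tuple

# Headers that commonly carry product/version information.
DISCLOSING_HEADERS = {"server", "x-powered-by", "x-aspnet-version", "x-generator"}

# A dotted version number such as 2.4.41 or 7.4 anywhere in the header value.
VERSION_RE = re.compile(r"\d+\.\d+(\.\d+)?")

# Constructed sample: a server that reveals OS, web server and PHP versions.
LEAKY_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.41 (Ubuntu)\r\n"
    "X-Powered-By: PHP/7.4.3\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html>...</html>"
)

# Constructed sample: same server with version details suppressed.
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html>...</html>"
)


def parse_headers(raw: str) -> Dict[str, str]:
    """Return the header fields of a raw HTTP response head, names lowercased.
    Parsing stops at the blank line that separates headers from the body."""
    headers: Dict[str, str] = {}
    for line in raw.split("\r\n")[1:]:  # skip the status line
        if line == "":
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def find_disclosures(raw: str) -> List[Tuple[str, str]]:
    """List (header, value) pairs that name a product together with a version."""
    return [
        (name, value)
        for name, value in parse_headers(raw).items()
        if name in DISCLOSING_HEADERS and VERSION_RE.search(value)
    ]


if __name__ == "__main__":
    for label, sample in (("leaky", LEAKY_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, find_disclosures(sample))
```

A bare product name such as "Apache" is deliberately not flagged: the slide's concern is the version, which is what lets an outsider match a deployment against known weaknesses, and hiding the product name entirely is often impractical. The check is a review aid, not a substitute for fixing the server configuration that emits the header.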


80/20 Rule of InfoSec

Pareto principle: the top 20% owns 80% of the land.

80/20 Rule of InfoSec (according to Symantec):

• Remove unneeded services
  – Remove components, programs, services from your system until the minimum "business needed" remain.

• Keep patch levels current (helped by item 1)
  – Use automation whenever possible
  – Priority to public and internal servers

• Enforce strong passwords
  – Long, mixed-character passwords
  – Periodic changes
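The third item of the 80/20 rule is the one most directly enforceable in code. The checker below is an added example for these notes, not course or Symantec code: it turns "long, mixed-character, periodically changed" into three explicit rules and reports every rule a password fails, so the user is told all problems at once. The thresholds (12 characters, 3 of 4 character classes, 90 days) are assumptions; the slide only says "long" and "periodic".

```python
"""Added example: password policy check for length, character mix and age.
MIN_LENGTH, REQUIRED_CLASSES and MAX_AGE_DAYS are illustrative thresholds."""
import string
from datetime import date
from typing import List

MIN_LENGTH = 12        # assumed threshold for "long"
REQUIRED_CLASSES = 3   # assumed: at least 3 of lowercase/uppercase/digit/symbol
MAX_AGE_DAYS = 90      # assumed interval for "periodic changes"


def character_classes(password: str) -> int:
    """Count how many of the four character classes the password uses."""
    checks = (
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    )
    return sum(1 for present in checks if present)


def policy_violations(password: str, last_changed_iso: str, today_iso: str) -> List[str]:
    """Return a list of human-readable violations; an empty list means compliant.
    Dates are ISO strings (YYYY-MM-DD) so the check needs no clock of its own."""
    violations: List[str] = []
    if len(password) < MIN_LENGTH:
        violations.append("too short (%d < %d)" % (len(password), MIN_LENGTH))
    classes = character_classes(password)
    if classes < REQUIRED_CLASSES:
        violations.append(
            "needs at least %d of 4 character classes (has %d)" % (REQUIRED_CLASSES, classes)
        )
    age = (date.fromisoformat(today_iso) - date.fromisoformat(last_changed_iso)).days
    if age > MAX_AGE_DAYS:
        violations.append("expired: last changed %d days ago (limit %d)" % (age, MAX_AGE_DAYS))
    return violations


def is_compliant(password: str, last_changed_iso: str, today_iso: str) -> bool:
    return not policy_violations(password, last_changed_iso, today_iso)


if __name__ == "__main__":
    # Constructed inputs for a quick demonstration.
    for pw, changed in (("Tr0ub4dor&3xyz", "2016-01-02"), ("password", "2016-01-02")):
        print(repr(pw), policy_violations(pw, changed, "2016-01-12"))
```

Reporting all violations together, rather than stopping at the first, is a small usability choice that matters for the "educate & convince users" point on the previous slide: a user who is told only "too short" and then, on the next attempt, "needs more character classes" learns to resent the policy rather than follow it.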


Economic Drawbacks

• Ordinary users don’t care much about security (they care more about fancy features)

• First mover advantage
  – Ship the product now; get it right by v3. (e.g., Microsoft IE)

• Asymmetric information
  – There is no easy way to tell a good security product from a bad one
  – which pulls prices & quality down


Economic Drawbacks (of lesser significance)

• Differentiated pricing
  – To keep low-cost alternatives poorer in quality (on purpose)
  – any security-product applications?

• Network effects
  – The number of users determines the value of the product
  – E.g., telephone, fax, the Internet, eBay, etc.
  – Security: not-so-tight security helps attract developers & users (any practical cases?)


Legal Drawbacks

• Who is liable (in addition to the attacker)?
  – the faulty software manufacturer?
  – the attack origin ISP?
  – the victim’s system administrator?
  – the network operators?

• Involved parties can help to reduce the potential of an attack, but don’t have much incentive to do so.


Other Drawbacks

• Lack of information sharing
  – Market forces discourage revealing past incidents (for consumer confidence)
  – e.g., Citibank, 1995 (“Don’t publicize”)
  – Result: No reliable information or estimates (Sol’n attempt: CERTs, “Center for Internet Security”)

• Position of the interior
  – Attacker has the initiative of when & where to hit

• Potential Solution (partial):
  – UL model, pushed by the insurance industry (may solve the problem of product evaluation)
  – Limitation: Hard to evaluate software security


Detection, Response, Risk Management

• Prevention alone is not sufficient. Detection & response mechanisms are also needed. (E.g., no door lock alone can prevent burglaries)

• Risk management
  – Risks will always be with us; it’s important to know how to manage them.

• Every security system must answer:
  – Defense against what kind of adversary, with what resources?
  – What is the potential loss?