LM9 – Security & Privacy

Introduction – (Lecture Capture located at bottom of page)

First, security, privacy, and ethics go hand in hand and are a necessary basis for trust and therefore online transactions (e.g. e-commerce and social media). As continually repeated in class, security is the first thing we think about when designing, developing, or evaluating any resource, and this requires that we understand the technology from its foundation throughout the stack.

It has been said that security is 75% policy and 25% application.  As a user – I can choose to never connect my computer to the Internet or any network.  This would be a policy and intuitively we can see this policy would provide security assurance of my computer.

Now in review, from LM7 – Networking: Security is a critical component of networking since users must have confidence in communication services. A network must (1) ensure confidence by restricting message access to intended and authorized recipients, processes, and devices and, (2) provide communications integrity by ensuring that information is available and that it has not been accidentally or intentionally altered during transmission (i.e. Information Assurance).

What are some other policies I might create and enforce as an administrator or simply apply as a user? As an administrator – I could require that every computer in my domain has antivirus software installed and that virus definitions are updated upon booting any system. Increasingly I could require all hard drives to be encrypted (Mac FileVault 2, Windows BitLocker, etc.) and these are sound policies. On a personal and even humorous level, I will not open emails from many people because who knows where they’ve been on their computers/Internet – :).

Information Assurance (from DoD)

Information Assurance (IA) is defined by Department of Defense Instruction (DoDI) 8500.01E as “measures that protect and defend information and information systems by ensuring their availability, integrity, authentication, confidentiality, and non-repudiation.” As a basis, let’s understand these and their related concepts.

Availability

Availability ensures the ability of end users to access the information. This is ensured by rigorously maintaining and ensuring the proper operation of networks (also sufficient bandwidth), hardware, and software (i.e. security and functional updates). Please recall the definition of a Network Architecture: a conceptual blueprint that provides the necessary basis to define, build, and maintain a physical and logical network and must provide and account for: (1) fault tolerance, (2) Quality of Service (QoS), (3) security, and (4) scalability.

Integrity

Integrity means that messages or data have not been corrupted or tampered with. This involves maintaining the consistency, accuracy, and trustworthiness of data over its entire life cycle. As a result, this is an issue for Internet communications, Web pages, and personal and corporate data alike.
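
The difference between accidental corruption and intentional tampering shows up clearly in code. The following Python sketch is an added example, not part of the original lecture notes; the message, key, and function names are constructed for illustration. An unkeyed SHA-256 checksum catches accidental corruption, but anyone able to alter the message can also replace the checksum, whereas an HMAC tag cannot be recomputed without the shared key.

```python
import hashlib
import hmac

# Constructed sample data for illustration only.
SHARED_KEY = b"constructed-demo-key-not-for-real-use"
MESSAGE = b"transfer 100 to account 12345"


def checksum(message: bytes) -> str:
    """Unkeyed digest: detects accidental corruption only."""
    return hashlib.sha256(message).hexdigest()


def make_tag(key: bytes, message: bytes) -> str:
    """Keyed HMAC-SHA256 tag: producing it requires the shared key."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify_checksum(message: bytes, digest: str) -> bool:
    return hmac.compare_digest(checksum(message), digest)


def verify_tag(key: bytes, message: bytes, tag: str) -> bool:
    # compare_digest avoids leaking how many leading characters matched.
    return hmac.compare_digest(make_tag(key, message), tag)


def demo() -> dict:
    """Run three transmission scenarios and report what each check concludes."""
    digest, tag = checksum(MESSAGE), make_tag(SHARED_KEY, MESSAGE)

    # 1. Accidental corruption: one bit flips; digest and tag arrive unchanged.
    corrupted = bytes([MESSAGE[0] ^ 0x01]) + MESSAGE[1:]

    # 2. Intentional alteration: the message is changed and the unkeyed digest
    #    is recomputed to match. Without SHARED_KEY the tag cannot be redone,
    #    so the original tag is still the one attached.
    altered = MESSAGE.replace(b"12345", b"99999")
    replaced_digest = checksum(altered)

    return {
        "intact_checksum_ok": verify_checksum(MESSAGE, digest),
        "intact_tag_ok": verify_tag(SHARED_KEY, MESSAGE, tag),
        "corrupted_checksum_ok": verify_checksum(corrupted, digest),
        "corrupted_tag_ok": verify_tag(SHARED_KEY, corrupted, tag),
        "altered_checksum_ok": verify_checksum(altered, replaced_digest),
        "altered_tag_ok": verify_tag(SHARED_KEY, altered, tag),
    }
```

Calling demo() shows the altered message passing the checksum test while failing the HMAC test, which is why integrity against intentional alteration needs a key (or a digital signature) and not just a hash.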

Confidentiality

Network confidentiality means network traffic sniffed at the packet level cannot be read and this is accomplished through encryption. Confidentiality may be thought of as secrecy. Note: Data or Information Confidentiality is related to authorization in that it limits access to certain types of information.

Non-repudiation

Non-repudiation goes beyond authentication as it establishes a verifiable link to an agent’s identity. Consider that a simple username and password can be input by someone other than the individual. Digital certificates and signatures issued by a certificate authority are used to establish and verify an agent’s identity and are necessary for legal documents and court evidence.

Access Control

Identification

Identification is the claiming of identity and you do this when you supply a username and password. There are three levels of identification listed in decreasing order of security.

Something I am – e.g. Biometrics

Something I have (Possessed Object) – key or passcard

Something I know (Possessed Knowledge) – username/password

On this note, all CIS students must change their default passwords and please see this page’s Security & Privacy Tips submenu item for a nice password trick.  Students who need WIReD assistance or username/password information need to contact the Registrar’s Office.

Two-Factor – using 2 of the above identification classes

Authentication

Authentication is the system’s process of verifying the identity of an individual, usually based on a username and password; in other words, the identification presented above must be verified. From the system’s standpoint, the system checks the username and password provided by the user against its password files.

Authorization

Authorization is the process of giving individuals access to system objects based on their identity. Note again that authentication introduced above is distinct from authorization. Authentication merely ensures that the individual is who he or she claims to be, but says nothing about the access rights of the individual.
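
The two steps can be kept separate in code. The following Python sketch is an added example, not part of the original lecture notes; the usernames, passwords, object name, access-control list, and iteration count are all constructed assumptions. The "password file" stores a per-user salt and a PBKDF2 hash rather than the password itself, and authorization is a separate lookup that runs only after authentication succeeds.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # PBKDF2 work factor; an assumed value for this sketch


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_record(password: str) -> tuple[bytes, bytes]:
    """Return (salt, hash) as it would be stored in the password file."""
    salt = os.urandom(16)
    return salt, hash_password(password, salt)


# Constructed "password file" and access-control list for illustration.
PASSWORD_FILE = {
    "alice": make_record("correct horse battery staple"),
    "bob": make_record("tr0ub4dor&3"),
}
ACL = {
    "grades.db": {"alice": {"read", "write"}, "bob": {"read"}},
}
# Dummy record so unknown usernames cost the same work as known ones.
_DUMMY = make_record("dummy")


def authenticate(username: str, password: str) -> bool:
    """Authentication: is the user who they claim to be?"""
    salt, stored = PASSWORD_FILE.get(username, _DUMMY)
    candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored) and username in PASSWORD_FILE


def authorize(username: str, obj: str, action: str) -> bool:
    """Authorization: may this (already authenticated) user do this?"""
    return action in ACL.get(obj, {}).get(username, set())


def request(username: str, password: str, obj: str, action: str) -> str:
    if not authenticate(username, password):
        return "authentication failed"
    if not authorize(username, obj, action):
        return "not authorized"
    return "access granted"
```

Here bob authenticates successfully with his own password yet is still refused a write to grades.db, because his identity is verified but his access rights do not include that action.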

Responsibility

Moral, legal, or mental accountability.  Note that you may delegate authority but not responsibility.

Chapter 9 Textbook Material Lecture Video

Note: there is a lot of great content in the sub-menu and the 2 other LM9  Lecture Recordings are the Digital Forensics Intro located in the LM5 sub-menu and the WiFi & Security Tips located in this LM9 sub-menu.