© 2022/2023
Cyber Security:
An introduction
Jason R.C. Nurse
School of Computing
j.r.c.nurse@kent.ac.uk
@jasonnurse
@drjasonnurse
welcome to CO558 & CO634!
Modules’ focus areas:
• Cyber/Computer Security topics by Jason R.C. Nurse
• Cryptography topics by Carlos Perez Delgado
Jason R.C. Nurse | @jasonnurse
welcome to cyber security!
Our goals
• have an understanding of the threats faced by computer
operating systems, applications and networks and the various
countermeasures that can be used
• be able to make informed choices of the appropriate security
measures to put into place for a given network and/or operating
system
Report: Travelex paid hackers $2.3 million worth of Bitcoin after
ransomware attack https://grahamcluley.com/travelex-paid-ransom/
Ukraine cyber-attack: Russia to blame for hack, says Kyiv
https://www.bbc.co.uk/news/world-europe-59992531
Newcastle University, neighbouring Northumbria hit by ransomware attacks.
https://www.theregister.com/2020/09/08/newcastle_northumbria_universities_cyber_attack/
Exams cancelled after Northumbria University cyber attack https://www.itpro.co.uk/security/cyberattacks/356965/northumbria-university-shutdown-after-cyber-attack
Northumbria Uni Campus Closed After Serious Cyber-Attack https://www.infosecuritymagazine.com/news/northumbria-uni-campus-closed/
https://www.ncsc.gov.uk/collection/10-steps
which of these is the ‘best’ password?
A. $tarwars
B. kent.SU2018
C. Frank2000
D. bij$223jOIUnKhe
E. p4$$w0rd
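An added worked example (not from the slides) that makes the ‘best password’ question concrete: it estimates raw entropy from length and alphabet size, then applies a crude penalty for the patterns a cracker’s rule set already tries (dictionary words, leet substitutions, years). The word list and the 20-bit-per-pattern deduction are constructed assumptions for illustration only; a real checker would use a breached-password corpus or a tool such as zxcvbn.

```python
import math
import re

# Constructed, deliberately tiny word list for this example; a real checker
# would consult a large corpus of breached passwords.
COMMON_WORDS = {"password", "starwars", "kent", "frank", "letmein", "qwerty"}

# "Leet" substitutions that cracking rule sets already undo.
LEET = str.maketrans({"$": "s", "4": "a", "0": "o", "@": "a",
                      "1": "i", "!": "i", "3": "e"})


def charset_size(pw: str) -> int:
    """Size of the smallest standard alphabet containing every character used."""
    size = 0
    if re.search(r"[a-z]", pw):
        size += 26
    if re.search(r"[A-Z]", pw):
        size += 26
    if re.search(r"[0-9]", pw):
        size += 10
    if re.search(r"[^a-zA-Z0-9]", pw):
        size += 33  # printable ASCII punctuation
    return size


def naive_entropy_bits(pw: str) -> float:
    """Bits of entropy if every character were chosen uniformly from the alphabet."""
    return len(pw) * math.log2(charset_size(pw)) if pw else 0.0


def pattern_reasons(pw: str) -> list:
    """Human-readable reasons the password is guessable despite its raw entropy."""
    reasons = []
    letters_only = re.sub(r"[^a-z]", "", pw.translate(LEET).lower())
    for word in sorted(COMMON_WORDS):
        if word in letters_only:
            reasons.append(f"contains dictionary word '{word}'")
    if re.search(r"(19|20)\d\d", pw):
        reasons.append("contains a year")
    return reasons


def effective_bits(pw: str) -> float:
    """Naive entropy minus a crude 20-bit deduction per recognised pattern.

    The deduction is an assumption of this example; real tools model the
    attacker's guess count directly."""
    return max(naive_entropy_bits(pw) - 20 * len(pattern_reasons(pw)), 0.0)


def best_password(candidates) -> str:
    return max(candidates, key=effective_bits)


CANDIDATES = ["$tarwars", "kent.SU2018", "Frank2000", "bij$223jOIUnKhe", "p4$$w0rd"]

if __name__ == "__main__":
    for pw in CANDIDATES:
        print(f"{pw:18} {naive_entropy_bits(pw):5.1f} raw bits "
              f"-> {effective_bits(pw):5.1f} effective; {pattern_reasons(pw)}")
    print("best:", best_password(CANDIDATES))
```

Note that four of the five candidates lose most of their raw entropy to a recognised pattern: leet spelling of a dictionary word, a name plus a year, an institution name plus a year. Only the random string keeps its full 15 × log2(95) ≈ 98 bits.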
useful books
More in module specification & reading list
Security Engineering: https://www.cl.cam.ac.uk/~rja14/book.html
useful online resources
• Katie Moussouris
• @jasonnurse
lecture outline
• Lecture 1: Introduction to Cyber Security (part 1)
• Lecture 2: Introduction to Cyber Security (part 2)
• Lecture 3: Security Risk Management
• Lecture 4: Cybercrimes and Adversarial Behaviours (part 1)
• Lecture 5: Cybercrimes and Adversarial Behaviours (part 2)
• Lecture 6: Authentication, Authorisation and Access control
• Lecture 7: Symmetric and Asymmetric Authentication
• Lecture 8: Security Controls
• Lecture 9: Legal, ethical and professional aspects
• Lecture 10: Usable Security
my module assessment
• CO558
§ 25% of module mark
§ Understanding security concepts and their application
§ Quiz class/take home
a gentle warning/disclaimer…
• Interactivity
§ Lectures are not one way, I’ll expect you (all) to talk to me*.
• Humour
§ I use humour, irony and satire in lectures!
§ Laughter is not required, but I’d appreciate it… XD
• Ethics
§ I do not agree with cybercriminals, pity their victims, and support (and cooperate)
with law enforcement, and so should you!
§ If I say anything apparently contradicting these basic principles, check the Humour
point above.
• Extra study
§ You are expected to do your own reading on the topics we cover in the lectures, e.g.,
following up on references, links, etc. and using reading lists.
* Any problems with this, please come to me directly and let me know.
introduction outline
• What is security?
• Security properties
• Security services
• Security attacks
what is (computer) security?
In your words, what is security?
What does computer security mean to you?
what is (plain, old) security?
“The state of being free from danger or threat.”
[Oxford Dictionary]
“Security refers to all the measures that are taken to
protect a place, or to ensure that only people with
permission enter it or leave it.”
[Collins Dictionary]
what is computer security (1): properties
“The protection afforded to an automated information system in order to attain the applicable objectives of preserving the integrity, availability, and confidentiality of information system resources (includes hardware, software, firmware, information/data and telecommunications.)”
[NIST Computer Security Handbook, 1995]
the CIA Triad
A common definition of a secure system is one that achieves:
Confidentiality
Only authorized parties can access, or even know about the existence of, a
particular asset
Integrity
Only authorized parties can modify, create, and delete assets
Availability
Ensure denial of service does not happen
Not only: also redundancy, load balancing, etc.
confidentiality
… is preventing unauthorized disclosure of information. Includes
secrecy, privacy
Everyone has something to hide/protect
Data confidentiality
Communication confidentiality
Encryption and dummy traffic are part of the solution
integrity
… is preventing unauthorized modification of data and systems
Information accuracy
E.g. you should be able to check the message received has not been
modified during transmission
Hash functions are useful here
Authentication and encryption are part of the solution
Also includes originality and timeliness: satisfy yourself that the message
indeed comes from the real author, i.e. it has not been intercepted and altered
during transmission, or sent by someone else
availability
… is preventing downtime of systems or inability to access data/information
Sometimes system availability is critical – think about aviation, or
healthcare
There are an increasing number of denial-of-service attacks. Most
certainly one of the most popular cyber-attacks today. Botnets using
DoS have taken down BBC, Reddit, Amazon, PayPal…
Firewalls (IP filtering), load-balancing systems are part of the solution
some other factors
Authentication is the process of confirming the truth or correctness of the
claimed artefact or identity
Authorisation is the process of granting permission to someone/something to do
some action (e.g., access files)
Non-repudiation is the ability for parties to prove that a message has been
sent by a specific person, and received by a specific person. Therefore
neither party can claim they did not send/receive the message.
What’s an example of a scenario where Non-repudiation is important?
what is computer security (2)
Freedom from undesirable events in a system
accidental or malicious
A measure of how well a system resists misuse
Insider (e.g., disgruntled employee) or outsider (e.g., hacker)
For a given model of the adversary & only that
Firewalls ‘great’ for protecting against hackers, but useless against a threat
on the inside
Some password systems rely on the fact that attackers have bounded
computational power.
computer security, information security,
ICT security, cyber security
Is there a difference?
If there is, what is it?
computer security, information security, ICT
security, cyber security
Von Solms, R. and Van Niekerk, J., 2013. From information security to cyber security. computers & security, 38, pp.97-102.
cyber security in more detail
Cyber security is the collection of tools, policies, security concepts, security
safeguards, guidelines, risk management approaches, actions, training, best
practices, assurance and technologies that can be used to protect the cyber
environment and organization and user’s assets.
Organisation and user’s assets include connected computing devices,
personnel, infrastructure, applications, services, telecommunications systems,
and the totality of transmitted and/or stored information in the cyber
environment.
Cyber security strives to ensure the attainment and maintenance of the
security properties of the organization and user’s assets against relevant
security risks in the cyber environment.
activity – 1
• Security stories from last few years
• Split lecture hall into 4 sections, each section has a different story
• Read and discuss your security story; find more info online !!
Be prepared to feedback on:
• Summarise story: what happened?
• Identify the key security property (confidentiality, integrity, availability)
• Was it accidental/malicious, internal/external?
activity – 1
• Equifax Breach (https://www.theregister.com/2018/05/08/equifax_breach_may_2018/)
• NHS & WannaCry (https://www.nao.org.uk/report/investigation-wannacry-cyber-attack-and-the-nhs/)
• Colonial Pipeline attack (https://krebsonsecurity.com/tag/colonial-pipeline-ransomware-attack/)
• Irish Health Service cyber-attack (https://www.bbc.co.uk/news/world-europe-57184977)
The End of Part 1!
Thanks for coming!
next time…
Cyber Security:
An introduction – part 2
© 2022/2023
Cyber Security:
An introduction – part 2
Jason R.C. Nurse
School of Computing
j.r.c.nurse@kent.ac.uk
@jasonnurse
@drjasonnurse
outline
• What is security?
• Security properties
• Security services
• Security attacks
but first…
What are the 3 main security properties?
How is computer security different to cyber security?
activity – 1
• Equifax Breach (https://www.theregister.com/2018/05/08/equifax_breach_may_2018/)
• NHS & WannaCry (https://www.nao.org.uk/report/investigation-wannacry-cyber-attack-and-the-nhs/)
• Colonial Pipeline attack (https://krebsonsecurity.com/tag/colonial-pipeline-ransomware-attack/)
• Irish Health Service cyber-attack (https://www.bbc.co.uk/news/world-europe-57184977)
Be prepared to feedback on:
• Summarise story: what happened?
• Identify the key security property (confidentiality, integrity, availability)
• was it accidental/malicious, internal/external?
why is security hard to get right?
Properties simple, mechanisms complex!
• Attacks “outside the box”
§ Things never thought of or planned for before
• Arms race
§ Between designers and attackers
• Resistance against overheads
• Weakest links
§ Attackers focus on them
§ The “human factor”, social engineering
• Development as an “add-on”
§ Security included last, long after functionality
a bit of “fun”
• Attacks outside the box, weakest link & human factor
http://xkcd.com/538/
a reality with security
“Information security is, in the terms of the cliche, a journey, not a
destination”
Alan Calder and Steve Watkins
“Security is not a problem that you ever fully solve”
Mark Zuckerberg
“If you think technology can solve your security problems, then you don’t
understand the problems and you don’t understand the technology”
Bruce Schneier
vulnerabilities, threats, attacks, controls (an intro)
• Vulnerability
§ Weakness in the system, could originate from design, implementation, context, …
• Threat
§ Circumstances or events that could potentially lead to harm or loss
• Attack
§ Attempt to exploit a vulnerability
• Control
§ Used to remove or limit the vulnerability
§ Action (disconnect), device (firewall), or a procedure (disaster recovery plan)
We revisit these terms later in the module…
activity – 2
From your security story, can you tell me:
§ what was the weakness of the system? (vulnerability)
§ what occurred that led to the harm/loss? (threat)
§ how was the weakness exploited? (attack)
§ were any control measures in play? (control)
security attacks, and their types
Interruption
Interception/eavesdropping
Modification
Fabrication
security attacks, and their types
Interception/Eavesdropping
An unauthorised party gains access to an asset
Access to confidential information
Copying copyrighted material (software, music)
Hardware stolen (e.g. smart cards, laptop, phone)
Interruption
An asset is destroyed or becomes unavailable
Hardware device, Software or data
Network attacks (e.g. denial of service)
Operating system (security loopholes, CPU bomb, etc.)
security attacks, and their types
Modification
An unauthorised party modifies an asset
Changing values in a data file or a database (e.g. bank account)
Altering a program (e.g. viruses)
Changing message content (e.g. email…)
Fabrication
An unauthorized party inserts counterfeit objects into the system
Messages inserted into network (bogus email for ‘phishing’
websites)
Add records to a database (e.g. fictional employees on a payroll)
attacker types
Amateurs – Script Kiddies
Not necessarily specialists
Crackers
Use the knowledge of an underground community
Hacktivists
Hacking for a cause
Terrorists
Can you think of any others?
computer and network incident taxonomy
“A Common Language for Computer Security Incidents”; John D. Howard & Thomas A. Longstaff; Sandia National Laboratories
activity - 3
From your security story, can you tell me:
§ what kind of attack was put in place (interception,
interruption, modification, fabrication)
§ who was the attacker (amateurs, cracker, hacktivist, terrorist)
security services
1. Confidentiality, traffic confidentiality
2. Integrity: data integrity, originality, timeliness
3. Authentication, authorization, access control
4. Availability
5. Nonrepudiation
why do we need security?
E.g., you buy an item from Amazon using a credit card
What are the possible attacks on this transaction?
An adversary could eavesdrop on the transaction
§ A protocol that prevents this by using encryption technique provides
“confidentiality”
§ Concealing the quantity or destination of communication is called “traffic
confidentiality”
why do we need security?
Even encrypted, an adversary could modify the message: bitflipping attack
§ A protocol that detects such message tampering provides “data
integrity”
The attacker could send extra copies of your message: replay
attack
§ A protocol that detects replays is said to provide
uniqueness/freshness
why do we need security?
Even with originality guaranteed, an adversary could intercept
your message and retransmit it with a delay
§ A protocol that detects such delaying provides “timeliness”
Data integrity, originality, and timeliness constitute different
aspects of “integrity”
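An added example (not from the slides) that exercises the attacks from the last three slides on one message. A toy stream cipher built from HMAC-SHA256 in counter mode (an assumption of this example, standing in for a real cipher; in practice use an AEAD such as AES-GCM or ChaCha20-Poly1305) shows a bit-flipping change of the amount that encryption alone cannot detect. An HMAC tag over the whole packet then gives data integrity, a per-message nonce gives originality/freshness against replay, and a timestamp window gives timeliness against delayed retransmission. Keys, the sample order and the clock values are constructed.

```python
import hashlib
import hmac
import os

NONCE_LEN, TS_LEN, TAG_LEN = 12, 8, 32


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream: HMAC-SHA256 in counter mode (stand-in for a real cipher)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def xor_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt (XOR with the keystream is its own inverse)."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))


def bit_flip(ciphertext: bytes, offset: int, old: bytes, new: bytes) -> bytes:
    """Attacker step: with no key, XOR old^new into the ciphertext so the
    plaintext at `offset` decrypts to `new` instead of `old`."""
    ct = bytearray(ciphertext)
    for i, (o, n) in enumerate(zip(old, new)):
        ct[offset + i] ^= o ^ n
    return bytes(ct)


def seal(enc_key: bytes, mac_key: bytes, plaintext: bytes, now: int) -> bytes:
    """Sender: nonce || timestamp || ciphertext || HMAC over all of it."""
    nonce = os.urandom(NONCE_LEN)
    body = nonce + now.to_bytes(TS_LEN, "big") + xor_crypt(enc_key, nonce, plaintext)
    return body + hmac.new(mac_key, body, hashlib.sha256).digest()


class Receiver:
    """Checks integrity (tag), originality (fresh nonce) and timeliness (age)."""

    def __init__(self, enc_key: bytes, mac_key: bytes, max_age_s: int = 30):
        self.enc_key, self.mac_key, self.max_age_s = enc_key, mac_key, max_age_s
        self.seen_nonces = set()  # in practice a bounded window or sequence numbers

    def accept(self, packet: bytes, now: int):
        if len(packet) < NONCE_LEN + TS_LEN + TAG_LEN:
            return False, "rejected: truncated"
        body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
        expected = hmac.new(self.mac_key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):  # constant-time comparison
            return False, "rejected: tag mismatch (modification)"
        nonce = body[:NONCE_LEN]
        ts = int.from_bytes(body[NONCE_LEN:NONCE_LEN + TS_LEN], "big")
        if nonce in self.seen_nonces:
            return False, "rejected: nonce already seen (replay)"
        if abs(now - ts) > self.max_age_s:
            return False, "rejected: stale timestamp (delay)"
        self.seen_nonces.add(nonce)
        return True, xor_crypt(self.enc_key, nonce, body[NONCE_LEN + TS_LEN:]).decode()


def demo() -> dict:
    """Runs the honest case and the three attacks against one receiver."""
    enc_key, mac_key = os.urandom(32), os.urandom(32)
    rx = Receiver(enc_key, mac_key, max_age_s=30)
    t0 = 1_700_000_000                  # constructed "now" (Unix seconds)
    msg = b"PAY 100 GBP TO ALICE"       # constructed sample order
    pkt = seal(enc_key, mac_key, msg, t0)
    results = {"honest": rx.accept(pkt, t0 + 1)}

    # 1. Modification: flip ciphertext bits so the amount decrypts to 999.
    nonce, ct = pkt[:NONCE_LEN], pkt[NONCE_LEN + TS_LEN:-TAG_LEN]
    flipped_ct = bit_flip(ct, msg.index(b"100"), b"100", b"999")
    results["flipped_without_mac"] = xor_crypt(enc_key, nonce, flipped_ct).decode()
    tampered = pkt[:NONCE_LEN + TS_LEN] + flipped_ct + pkt[-TAG_LEN:]
    results["flipped"] = rx.accept(tampered, t0 + 1)

    # 2. Replay: the genuine packet sent a second time.
    results["replay"] = rx.accept(pkt, t0 + 2)

    # 3. Delay: a genuine packet intercepted and retransmitted ten minutes later.
    results["delayed"] = rx.accept(seal(enc_key, mac_key, msg, t0), t0 + 600)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:20} {outcome}")
```

The `flipped_without_mac` result is the point of the bit-flipping slide: the attacker never learns the key, yet the decrypted order now reads 999 GBP. Only the tag check turns that into a rejection, and the tag is computed over the nonce and timestamp as well as the ciphertext so that the replay and delay checks cannot be bypassed by editing those fields.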
why do we need security?
You could be directed to a fake web site
§ “Phishing” attack
§ “DNS cache poisoning” attack
§ A protocol that ensures that you are talking to whom you
think you are talking provides “authentication”
§ Authentication is important for both sides of the
communication (mutual auth.)
why do we need security?
Amazon can be attacked as well
A legitimate user could be authenticated and then remove files
from their server
§ A protocol that controls the access rights of users before granting
them access is said to provide “authorisation/access control”
An attacker could flood Amazon with a big number of requests;
customers will not be served: Denial of Service (DoS) attack
§ A protocol that ensures a degree of access provides “availability”
§ Distributed Denial-of-Service(DDoS) - is common
why do we need security?
Amazon or the customer could unilaterally deny that an order
was placed: Repudiation
§A protocol that can disprove bogus claims or denials provides
“Nonrepudiation”
why do we need *better* security?
Here’s an example of how hackers hack you using carefully
crafted social engineering attacks
https://www.youtube.com/watch?v=lc7scxvKQOo
The End!
Thanks for coming!
next time…
Security Risk
Management:
The context for applying
appropriate security…
© 2022/2023
Security Risk Management:
The context for applying appropriate security…
Jason R.C. Nurse
School of Computing
j.r.c.nurse@kent.ac.uk
@jasonnurse
@drjasonnurse
but first…
• What did we cover in the last lecture?
• What types of security attacks are these?
• Adding files to data server
• Using a network sniffer to gather passwords
• What are the security services?
outline
• What is security risk?
• What is security risk management?
• What are its main processes?
• What are some of the challenges
facing risk management today?
risk
How would you define risk generally?
What are some of the key elements that constitute risk?
security risk defined
Here are three definitions of security risk:
1. mathematical probability of occurrence of a threatening event
2. the qualitative evaluation of the combination of threat, vulnerability and
impact for a given state of a system
3. A measure of the extent to which an entity is threatened by a potential
circumstance or event, and typically a function of: (i) the adverse impacts
that would arise if the circumstance or event occurs; and (ii) the
likelihood of occurrence
Definition 3 is preferred... It’s from NIST SP800-30 R1*.
*Guide for Conducting Risk Assessments https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-30r1.pdf
security risk as a function
http://www.digitalthreat.net/wp-content/uploads/2009/06/risk-definition.jpg
http://dathq.com/portals/3/final%20risk.png
http://newschoolsecurity.com/wp-content/uploads/2010/09/landscapes.png
new definitions
You already know:
• Vulnerability, Threat, Attack, Control (see Lecture 1)
What you might not know:
• asset: something of value to the organisation
• impact/harm: negative consequences for an asset, e.g.
• undesired exposure of stored information
• unavailability of a service
• attack probability: the likelihood that an attack will take place
outline
• What is security risk?
• What is security risk management?
• What are its main processes?
• What are some of the challenges
facing risk management today?
security risk management
• two dictionary definitions of “manage”
1. to succeed in being able to do something
2. to exercise control over something
• meaning 2 is stronger than meaning 1
• “risk management” could just mean solving security problems in an
ad-hoc fashion
• but it’s much, much more…
• it should also be controllable and rigorous
security risk management
“Security risk management is a comprehensive process
that requires organizations to frame risk (i.e., establish
the context for risk-based decisions); assess risk; respond
to risk once determined; and monitor risk on an ongoing
basis …”
NIST Special Publication 800-39 Managing Information
Security Risk Organization, Mission, and Information System View
security risk management lifecycle
Identify
Analyse
Monitor
Treat
From Information Security Management Principles, Andy Taylor (ed)
identify security risks
http://dathq.com/portals/3/final%20risk.png
First start thinking about what are the assets that are important to you, what
are the threats they may face, and what are the vulnerabilities that may be
exploited.
identify key assets
an asset is broadly defined as something valuable:
• money
• physical possessions
• information
• a facility, e.g. machinery or computer
• people
• intangibles, such as reputation
which one do you think is the most valuable to an organisation?
which one is most valuable to you?
identify security risks
For the critical assets:
• identify vulnerabilities in the assets
• define threats/attacks and relate to vulnerabilities
• define threat x vulnerability pairs to characterise the
risk. These will feed into the next risk management
stage
security risk statements
• A security risk statement is a method of presenting related
information in the expression of a security risk
The Security Risk Assessment Handbook, Douglas Landoll
analysing security risks
For each risk identified:
• determine its probability of occurrence (which is
informed by the threat/attack)
• define the impact/harm/loss to the related asset(s)
• combine probability and impact/harm/loss to determine
the risk rating
analysing security risks
• What is the level of each risk, in terms of impact/harm/loss and probability?
Impact | Probability | Risk level
? | ? | ?
? | ? | ?
impact valuation – factors
• full impact valuation can be difficult to carry out
• factors contributing to impact include:
1. loss of confidentiality
• legal implications, e.g. General Data Protection Regulation
• personal implications
• loss of competitiveness, e.g. commercial formula
2. loss of integrity / unavailability
• costs of lost work
• recovery costs
3. indirect harm: impact on intangibles
• brand, reputation
attack probability – factors
• probability of attack is estimated based on:
• Organisational experience
• Published reports, e.g. CERT, NIST, ENISA
• Likely to be a high frequency of attacks if systems
visible from the Internet, e.g., Web servers
• Estimated cost of attack
• Expensive attacks are less likely (e.g. brute-force attacks on encryption
keys)
• Attractiveness of target
• High publicity value
• High criminal value
• Vulnerability exposure
• How accessible are their systems
• How likely is it that there are weaknesses in those systems
analysing security risks
What’s the likelihood of a hacker attacking, and the
impact if they compromise the following companies?
(1-2 mins)
qualitative versus quantitative
• qualitative risk analysis
• highly subjective
• hard to baseline
• Imprecise
• But… easy to communicate
https://www.gov.uk/terrorism-national-emergency/terrorism-threat-levels
qualitative versus quantitative
• quantitative risk analysis
• difficult to be confident about some values
• very challenging to quantify value of loss when so much is
intangible (e.g. loss to reputation)
• precise monetary values can give false precision
Single Loss Expectancy (SLE) is the expected monetary loss every time a
security risk occurs.
Worked figures from the slide:
• asset value £100,000 × 25% of its value lost per incident = SLE £25,000
(requires excellent knowledge of the asset and attacks, & a way of mapping
asset value to loss)
• SLE £25,000 × 3 occurrences per year (based on historic events) = £75,000
annualised loss …per risk…!
security risk evaluation & treatment
• the process by which the risks output from the assessment are balanced
and prioritised, and the response identified:
• Avoid: no longer engaging in the activity
• Mitigate: attempt to limit the probability and/or impact
• Transfer: moving the responsibility to a 3rd party e.g., the new trend
towards cyber insurance
• Accept: live with it
• as this is a cost / benefit decision some knowledge of potential
mitigations is required
• guiding principle is that controls should be commensurate with the risks
they protect against
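An added example (not from the slides or the cited books) that carries the analysis and treatment steps through in code: a qualitative probability × impact matrix, the quantitative Single Loss Expectancy and annualised loss from the slide’s £100,000 / 25% / 3 figures, a risk register ordered by annualised loss, and the cost/benefit test that decides between ‘mitigate’ and ‘accept or transfer’ so that controls stay commensurate with the risk. The other register rows and both controls are constructed figures.

```python
from dataclasses import dataclass

# Qualitative: 3x3 matrix, probability x impact -> rating.
LEVEL = {"low": 1, "medium": 2, "high": 3}


def qualitative_rating(probability: str, impact: str) -> str:
    score = LEVEL[probability] * LEVEL[impact]  # 1..9
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


@dataclass
class Risk:
    name: str
    asset_value: float      # value of the asset at risk, in pounds
    exposure_factor: float  # fraction of that value lost per incident (0..1)
    aro: float              # annualised rate of occurrence, from historic events

    @property
    def sle(self) -> float:
        """Single Loss Expectancy: loss every time the risk materialises."""
        return self.asset_value * self.exposure_factor

    @property
    def ale(self) -> float:
        """Annualised Loss Expectancy: SLE x expected incidents per year."""
        return self.sle * self.aro


@dataclass
class Control:
    name: str
    annual_cost: float
    exposure_factor_after: float  # exposure once the control is in place
    aro_after: float              # rate of occurrence once the control is in place


def residual_ale(risk: Risk, control: Control) -> float:
    return risk.asset_value * control.exposure_factor_after * control.aro_after


def treatment(risk: Risk, control: Control) -> str:
    """Cost/benefit: mitigate only if the control saves more per year than it costs."""
    saving = risk.ale - residual_ale(risk, control)
    if saving > control.annual_cost:
        return "mitigate"
    return "accept or transfer (control costs more than it saves)"


def prioritise(risks) -> list:
    """Risk register ordered by annualised loss, highest first."""
    return sorted(risks, key=lambda r: r.ale, reverse=True)


# Constructed register; the first row mirrors the slide's £100,000 / 25% / 3.
REGISTER = [
    Risk("ransomware on file server", 100_000, 0.25, 3),
    Risk("laptop theft", 2_000, 1.0, 2),
    Risk("web server defacement", 50_000, 0.10, 0.5),
]
# Constructed controls for the first risk.
OFFLINE_BACKUPS = Control("offline backups + tested restore", 10_000, 0.05, 1)
HOT_SITE_FAILOVER = Control("hot-site failover", 90_000, 0.01, 1)

if __name__ == "__main__":
    for r in prioritise(REGISTER):
        print(f"{r.name:28} SLE £{r.sle:>9,.0f}  ALE £{r.ale:>9,.0f}")
    top = REGISTER[0]
    for c in (OFFLINE_BACKUPS, HOT_SITE_FAILOVER):
        print(f"{c.name:32} -> {treatment(top, c)}")
    print("qualitative:", qualitative_rating("high", "medium"))
```

For the slide’s figures the annualised loss is £75,000; the backup control reduces it to £5,000 for £10,000 a year, so it is worth buying, whereas the failover option saves £74,000 but costs £90,000 and fails the commensurate-controls test. The same arithmetic says nothing about the intangible losses the slides warn about, which is why the qualitative rating is kept alongside it.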
security controls
• security controls as described before (Lecture 1) are used to
mitigate/reduce attacks or threats, and their impact
• types of control:
• preventive
• detective
• reactive
• corrective - actively reduces impact
• recovery - restores the asset after impact
• detection + reaction + timeliness ->>> prevention
What are some examples of these?
monitoring and audit
• continuous monitoring of security risk aspects:
• log and audit network activity and security appliance alerts to
maintain situational awareness
http://www.businessweek.com/articles/2014-03-13/target-missed-alarms-in-epic-hack-of-credit-card-data
monitoring and audit
• continuous monitoring of security risk aspects:
• monitor trends in threat
• monitor attack surface and vulnerability posture
“Of course, all of this could have been avoided if security patches
had been applied to protect the Windows 7 systems common
throughout the NHS. Once again, there had been warnings sent out
by NHS Digital, but many trusts failed to act upon them - though in
that they were no different from many organisations around the
world that were also hit.”
outline
• What is security risk?
• What is security risk management?
• What are its main processes?
• What are some of the challenges
facing risk management today?
risk management challenges
• the following are quite difficult problems:
• valuation of assets
• how to accurately value data, software & intangibles?
• likelihood of impact/harm
• how relevant is past data to future probabilities?
• the nature of future attacks is unpredictable
• resulting assessment of risk
• if data used to define risk and risk levels is uncertain, how certain can we
be about the resulting risk level ?
• how does risk assessment relate in new forms of technology e.g., Internet
of Things, or Artificial Intelligence?
• risk treatment contains subjectivity
• which risks to treat, which to accept? What are best controls?
summary
• What is security risk?
• What is security risk management?
• What are its main processes?
• What are some of the challenges facing risk
management today?
Thanks for coming!
next time…
Cybercrimes and adversarial behaviours:
Cyber-attacks, attackers, and techniques
© 2022/2023
Cybercrimes and adversarial behaviours:
Cyber-attacks, attackers, and techniques
Jason R.C. Nurse
School of Computing
j.r.c.nurse@kent.ac.uk
@jasonnurse
@drjasonnurse
but first…
• What did we cover in the last lecture?
• What is a security risk, and what are its main factors?
• Qualitative risk analysis is easier than quantitative
risk analysis: true or false?
outline
• Cybercrime – types and context
• Adversaries and attackers
• Attacks and techniques
cybercrime – what is it?
What do you think it is?
(Work in pairs to find a one-sentence definition)
cybercrime – what is it?
• … any crime that involves a computer and a network
• ... any crime that can be conducted using a computer or
network
• … any crime (traditional or new) that can be conducted or
enabled through, or using, digital technologies.
cybercrime – types
One way to think about characterising cybercrime:
• Crime in the technology: covers content in computers, e.g., pornographic material related to minors
• Crime against the technology: covers the integrity of computers and networks, e.g., DDoS attacks
• Crime using the technology: crimes committed using networked computers, e.g., phishing campaigns
Wall, D.S.: Policing cybercrimes: Situating the public police in networks of security within cyber-space.
Police Practice and Research 8(2), 183–205 (2007)
cybercrime – types
Another way to think about characterising cybercrime:
• Computer-dependent crimes: can only be committed using computers and networks (e.g., hacking, malware, ransomware, DDoS)
• Computer-enabled crimes: traditional crimes that are enhanced in scale and reach using computers (e.g., online fraud, data theft, phishing)
Home Office. (2013) Cyber crime: A review of the evidence, Research Report 75
cybercrime – context
2016… “You are now 20 times more likely to be robbed while at your
computer by a criminal based overseas than held up in the street,
new figures have revealed.”
Now…
If it were measured as a country, then cybercrime … would be the world’s
third-largest economy after the U.S. and China.
Cybersecurity Ventures expects global cybercrime costs to grow by 15
percent per year over the next five years, reaching $10.5 trillion USD annually
by 2025, up from $3 trillion USD in 2015. This represents the greatest transfer
of economic wealth in history, risks the incentives for innovation and
investment, is exponentially larger than the damage inflicted from natural
disasters in a year, and will be more profitable than the global trade
of all major illegal drugs combined.
outline
• Cybercrime – types and context
• Adversaries and attackers
• Attacks and techniques
adversaries and attackers (extends lecture 2)
Can you list examples of each type?
Amateurs – Script Kiddies
Not the ‘traditional criminals’
Crackers
Use the knowledge of an underground community
Cybercriminals
Cyber-enabled and cyber-dependent criminals
Hacktivists
Hacking for a political/ideological cause
Cyber-terrorists
Conduct terror/extreme attacks to cause harm/destruction
Nation State actors
Typically regarded as the most powerful group
(Insider threats
Insiders who conduct attacks against their own organisation
May be within the cybercriminal group)
adversaries and attackers
MageCart Syndicate
DarkSide
Lazarus Group
Shadow Brokers
Can you list a significant attack conducted by each of these groups?
outline
• Cybercrime – types and context
• Adversaries and attackers
• Attacks and techniques
attacks and techniques
• Social engineering
• Online harassment
• Identity-related crimes & online fraud
• Hacking
• Denial of service and information
Which do you think is the most common?
social engineering
Phishing emails are responsible for about 91 percent of cyber attacks.
https://cofense.com/enterprise-phishing-susceptibility-report/
0day = zero day = vulnerability/exploit known to someone,
but unknown to those who should be protecting against it.
Social Engineering involves applying
deceitful methods to coerce individuals
into behaving certain ways or performing
some task…
https://www.youtube.com/watch?v=NiCyaFcs9qI
“Currently I happen to be travelling home on a ticket that is half the price of a
valid ticket for this journey, even though the ticket inspector has ‘checked my
ticket’.
A relatively well-known technique, particularly amongst magicians, is to distract
you at a key moment in order to misdirect your attention. In this case the key
moment is the specific point when the inspector views the (invalid) ticket. Using
the knowledge that we shall be exploring in Section 2, I understand that the
inspector will see what he expects to see, and if I asked a question at precisely
the right time, he is very likely to subconsciously carry on with the inspection,
whilst consciously thinking about my question. In this case, the question was
simply to ask what time we were due to reach our final destination. I also
offered a subtle command to his subconscious, when finding the ticket in my
shirt pocket, and offering it to him accompanied by the instruction ‘this is the
right ticket’.”
Mann, I., 2008. Hacking the Human: Social Engineering
Techniques and Security Countermeasures
Scammers Are Using QR
Codes to Plunder Parking
Meter Payments
The scam has hit several major
Texas cities already.
https://gizmodo.com/scammers-are-using-qr-codes-to-plunderparking-meter-pa-1848347940
https://twitter.com/SATXPolice/status/1473025923951775755
online harassment
“Roughly four-in-ten Americans have personally experienced online harassment, and 62% consider it a major problem. Many want technology firms to do more, but they are divided on how to balance free speech and safety issues online.”
https://www.pewinternet.org/2017/07/11/online-harassment-2017/
Online harassment can broadly be
regarded as the targeting of individuals
with unwanted / unsolicited terms or
actions.
What are the main types of online harassment?
(Work in groups of three to define a set of main types)
Anyone know what this stands for, or its origin?
Sextortion & revenge porn
Origin of troll face: The Trollface was originally drawn by Carlos Ramirez, an Oakland-based artist known by his DeviantART handle Whynne, as part of a MS Paint webcomic about the pointless nature of trolling on 4chan's /v/ (video games) board.
https://ryersonjournalism.ca/tag/online-harassment/
Trolling is the action of posting inflammatory messages
deliberately with the intention of being disruptive, starting
arguments, and upsetting individuals.
Four groups of trolls:
1. Haters – Like to inflame situations for no real benefit to others
2. Lolcows – Like to provoke others so the attention is on them
3. Bzzzters – Like to chat regardless of accuracy or usefulness of contributions
4. Eyeballs – Like to watch what others do for the ‘opportune’ moment to
post a provocative message
Bishop, J. (2014). Dealing with Internet Trolling in Political Online Communities: Towards the This
Is Why We Can't Have Nice Things Scale. International Journal of E-Politics (IJEP), 5(4), 1-20.
Cyberbullying is ‘‘an aggressive, intentional act carried out by a
group or individual, using electronic forms of contact, repeatedly
and over time against a victim who cannot easily defend him or
herself.”
Main components to this definition:
1. aggressive,
2. intentional,
3. repetitive, and
4. with a power imbalance.
Smith, P. K., Mahdavi, J., Carvalho, M., Fisher, S., Russell, S., & Tippett, N.
(2008). Cyberbullying: Its nature and impact in secondary school pupils.
Journal of Child Psychology and Psychiatry, 49, 376–385.
Sextortion is the gathering of sexual images or video and its use to
blackmail individuals for further sexual footage or other favours.
Hi, victim. I write yоu becаusе I put а mаlware оn the wеb раge with porn
whiсh yоu hаve visitеd. My virus grаbbed all your рersonal infо аnd turnеd on
yоur сamеrа which сaрtured the рroсеss оf your onаnism. Just aftеr that the
soft savеd yоur соntaсt list.I will dеlеte thе сompromising video and infо if you
pаy me 999 USD in bitcoin. This is address fоr рaymеnt : xx give yоu 30 hоurs
aftеr you ореn my mеssаge for making the trаnsactiоn. As sоon аs yоu reаd
the mеssаgе I'll see it right awаy. This address is соnneсtеd tо yоu, my systеm
will dеlete еverything automаtically aftеr trаnsfer соnfirmаtiоn. If yоu nееd 48
h just reрly оn this letter with +.Yоu сan visit thе pоlicе stаtion but nobоdy cаn
hеlp yоu. Dоnt fоrget аbоut thе shame and tо ignore, Yоur life can be ruined.
Sextortion (cyber-enabled blackmail)
https://www.gov.uk/government/consultations/online-harms-white-paper
identity-related crimes & online fraud
“Online fraud is now the most common crime in the country with almost one in ten people falling victim, the latest figures have revealed.” (2017)
“Over £63m was lost nationally by victims of investment fraud” (2021)
https://www.telegraph.co.uk/news/2017/01/19/fraud-cyber-crime-now-countrys-common-offences/
https://www.bbc.co.uk/news/uk-47016671
https://www.actionfraud.police.uk/news/new-figures-reveal-victims-lost-over-63m-to-investment-fraud-scams-on-social-media
Identity-related crimes & online fraud mainly
seek to use information about people to con
them for the criminal’s financial gain.
What are the main types of online fraud?
(Work in groups of three to define a set of main types)
Identity fraud
Account takeover
Bank card and cheque fraud
Health scams
Fraud recovery fraud
Charity donation fraud
Romance scams
Internet auction fraud
Government agency scams
Holiday fraud
Business opportunity fraud
West African or 419 scam
Event scams
https://www.actionfraud.police.uk/news/action-fraud-report-reveals-7-millionlost-to-holiday-fraud
https://www.which.co.uk/news/2019/03/thousands-targeted-by-tv-license-refund-scam/
A fraudster posing as the Hollywood actor ‘bombarded’ a vulnerable British fan
with WhatsApp messages begging her to transfer money. The ‘starstruck’ woman
admitted she was fooled into believing the messages were coming from Statham
himself because the con artist was reaching out via a Facebook fanpage
dedicated to The Transporter star.
After grooming the woman, the con artist requested that she transfer money via
Western Union to cover wages for Jason’s latest film, which had been ‘delayed’.
https://metro.co.uk/2019/04/30/fraudster-posing-jason-statham-scams-100kvulnerable-woman-online-fan-page-9352173/
summary
• Cybercrime – types and context
• Adversaries and attackers
• Attacks and techniques (partially)
Thanks for coming!
next time…
Cybercrimes and
adversarial behaviours:
Cyber-attacks, attackers, and techniques
(part 2)
Cybercrimes and adversarial behaviours:
Cyber-attacks, attackers, and techniques – part 2
© 2022/2023
Jason R.C. Nurse
School of Computing
j.r.c.nurse@kent.ac.uk
@jasonnurse
@drjasonnurse
but first…
• What’s the difference between the following?
• Computer-dependent crimes
• Computer-enabled crimes
• How does social engineering work? What are some examples
of common social engineering attacks?
outline
• Cybercrime – types and context
• Adversaries and attackers
• Attacks and techniques
hacking
“I am convinced that there are only two types of companies: those that have been hacked and those that will be. And even they are converging into one category: companies that have been hacked and will be hacked again.”
Robert Mueller, Former Director of the FBI
How would you define hacking? When I say the word ‘hacking’, what activities come to mind?
(Work in groups of two to define a set of main types)
“The Most Accurate Hacking Scene Ever” ;-)
https://www.youtube.com/watch?v=K7Hn1rPQouU
Hacking refers to activities that result in the compromise
of computing systems and/or digital information.
Malicious software (or malware) describes applications that compromise
the confidentiality, integrity or availability of systems and information.
The most popular types (outside of ransomware) are:
Viruses are … programs that replicate when executed and spread to other files and
systems. They are known for attaching themselves to other programs.
Worms are … similar to viruses but they are standalone and do not need to be
attached to a file. The prime purpose of worms is to self-replicate especially to
other computers on the network (e.g., a home, university, or public network).
Trojan horses … are programs that appear legitimate but have another core purpose,
which commonly is acting as a back door into computers or systems.
Spyware are… programs that secretly collect information about users, which could
span from gathering specific information (e.g., passwords, banking information,
search habits
What aspects of CIA relate to each?
Password hacking & account takeover…
What are the ways that an attacker could find out a company or user’s password?
• Guessing
• Informed guessing
https://www.ncsc.gov.uk/news/most-hacked-passwords-revealed-as-ukcyber-survey-exposes-gaps-in-online-security
Password hacking & account takeover…
What are the ways that an attacker could find out a company or user’s password?
• Eavesdropping (e.g., on public Wi-Fi)
• Password hacking tools (e.g., Cain and Abel)
Password hacking & account takeover…
Kali Password Attacks | Explained https://www.youtube.com/watch?v=fPHkO6T_g8A
(in lecture: 00:48-05:07)
Password hacking & account takeover…
What are the ways that an attacker could find out a company or user’s password?
Cross site scripting (XSS) is a way that attackers manipulate a webpage to
serve malicious content to users that visit that page in the future
https://medium.com/@vishwaraj101/next-xss-gonna-cost-you-some-cpu-65e3b3cb998d
https://www.wired.com/story/british-airways-hack-details/
Example in a controlled environment:
https://www.google.co.uk/about/appsecurity/learning/xss/
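Added example (not from the slides): a minimal comment page in Python showing the stored-XSS defect the slide describes, a page that serves content to later visitors, next to its hardened form. The vulnerable renderer concatenates untrusted text into the HTML; the safe renderer escapes it at output time with the standard library's html.escape. The page name, class and sample comment are constructed for this illustration.

```python
import html


class CommentPage:
    """A minimal page that stores visitor comments and renders them for later visitors."""

    def __init__(self):
        self.comments = []

    def post(self, comment):
        # Stored as-is; the rendering step decides whether it is safe to show.
        self.comments.append(comment)

    def render_vulnerable(self):
        # 'Before' form: untrusted text is concatenated straight into the HTML,
        # so a comment containing markup becomes live markup for every future visitor.
        items = "".join(f"<li>{c}</li>" for c in self.comments)
        return f"<html><body><ul>{items}</ul></body></html>"

    def render_safe(self):
        # Hardened form: HTML-escape at the point of output (HTML body context).
        # Attribute, URL and JavaScript contexts each need their own escaping rules.
        items = "".join(f"<li>{html.escape(c, quote=True)}</li>" for c in self.comments)
        return f"<html><body><ul>{items}</ul></body></html>"


def has_live_script_tag(page):
    # Crude indicator used only for this demonstration: an unescaped <script>
    # element in the rendered output is something the browser would execute.
    return "<script" in page.lower()


# Constructed sample comment containing markup; not taken from the slides.
SAMPLE_COMMENT = 'nice lecture <script>alert("stored XSS")</script>'


def demo():
    """Render the same stored comments both ways and report what each page contains."""
    page = CommentPage()
    page.post("great slides!")
    page.post(SAMPLE_COMMENT)
    vulnerable, safe = page.render_vulnerable(), page.render_safe()
    return {
        "vulnerable": vulnerable,
        "safe": safe,
        "vulnerable_has_script": has_live_script_tag(vulnerable),  # True
        "safe_has_script": has_live_script_tag(safe),              # False
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The check is deliberately crude; the point is the contrast between the two renderers, and that escaping must match the context the text is inserted into.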
denial of service / information
https://www.sophos.com/en-us/medialibrary/pdfs/other/aptinfographic.pdf?cmp=70130000001xIObAAM
A denial of service attack is one where cybercriminals
block individuals from accessing legitimate websites and
services.
This is normally achieved by bombarding the websites/services with an enormous
number of fabricated requests (e.g., page visits), which causes legitimate
requests to be dropped or the organisation’s websites/services to crash under
the load.
Pogrebna, G. & Skilton, M. (2019) Navigating New Cyber Risks: How Businesses Can Plan,
Build and Manage Safe Spaces in the Digital Age. Springer.
the power of DoS attacks
The sites were down for around three-and-a-half hours. During
that time, all of the BBC’s websites — as well as online
services like the iPlayer and its news sites — were inaccessible.
2 August 2021
the power of DoS attacks
the power of DoS/DDoS attacks
ransomware
… type of malware that uses encryption to hold a victim's
information/systems at ransom; only allowing them to be decrypted if
some request is fulfilled (e.g., most typically, paying a ransom demand)
Significance of ransomware…
• Ransomware is the most prominent malware threat.
• Experts estimate that a ransomware attack will occur every 11 seconds in 2021.
• The average ransom fee requested has increased from $5,000 in 2018 to around
$200,000 in 2020.
• The most common tactics hackers use to carry out ransomware attacks are email
phishing campaigns, RDP vulnerabilities, and software vulnerabilities.
• On average, only 65% of the encrypted data was restored after the ransom was paid
• In 2021, the largest ransomware payout was made by an insurance company at $40
million, setting a world record.
https://secure2.sophos.com/en-us/medialibrary/pdfs/whitepaper/sophos-state-of-ransomware-2021-wp.pdf
https://www.varonis.com/blog/ransomware-statistics-2021/
ransomware
REvil
ransomware: anatomy
DEMO: The Anatomy of Ransomware https://www.youtube.com/watch?v=aykf0P5Qtb8
(lecture: 03:22-08:06)
live cybercrimes & cyberattacks map
https://threatmap.checkpoint.com/ThreatPortal/livemap.html
https://cybermap.kaspersky.com/
https://www.fireeye.com/cyber-map/threat-map.html
other places worth checking out…
https://www.reddit.com/r/netsec/
https://www.reddit.com/r/hacking/
https://sectools.org/
All links are shared here for your reference and for educational purposes only. Please be mindful that
some tools are used for crime and therefore, various authorities may be taking note of their use.
summary
• Cybercrime – types and context
• Adversaries and attackers
• Attacks and techniques
Thanks for coming!
next time…
Authentication,
Authorisation &
Access control:
Key security services
further reading
The following slides will be helpful at understanding
the topics discussed. You are strongly advised to read
them, and conduct your own independent research.
Cyber Kill Chain
• Characterising 7 stages of a cyber-attack in a “kill chain” (i.e., series of attack steps)
https://www.lockheedmartin.com/enus/capabilities/cyber/cyber-kill-chain.html
• What Is the Cyber Kill Chain and How It Can Protect Against Attacks
https://www.computer.org/publications/tech-news/trends/what-is-the-cyber-kill-chainand-how-it-can-protect-against-attacks
Authentication,
Authorisation &
Access control:
© 2022/2023
Key security services
Jason R.C. Nurse
School of Computing
j.r.c.nurse@kent.ac.uk
@jasonnurse
@drjasonnurse
but first…
• What did we cover in the last lecture?
• Explain how a DDoS works.
• Why is ransomware such a significant issue today?
outline
• What is authentication
• Authentication factors
• Password security
• Multi-factor authentication
• Authorisation and Access control
What is authentication about?
What does it aim to achieve?
Do we need authentication in security?
authentication
… verifying the identity of a user, process, or device,
often as a prerequisite to allowing access to resources in
an information system. (NIST SP800-30)
types of authentication
• Something I Know
• Something I Possess
• Something I Am
• A combination of these three (Multi-factor authentication)
something I know
● Could be:
  ● Passwords/Passphrases
  ● Some Shared Secret
  ● Obscure Information
● Relatively weak, but commonplace
  ● How many companies use mother’s maiden name?
  ● Problems with offline attacks
    ● rainbow tables
    ● solutions like PBKDF2 & bcrypt
what’s the best password (all things considered)?
A. $tarwars
B. kent.SU2018
C. Frank2000
D. bij$223jOIUnKhe
E. p4$$w0rd
It depends…
• D is hardest to break but also
hardest to remember, so people
might write it down
• C is easy to remember (name, birth
year) but easy to break.
• A & E may strike a reasonable
security usability balance, but l33t
speak is well known now
• B might be the best, all things
considered…
password entropy
● Password entropy is about minimising the odds of an individual guess being right
● Defending against brute force and dictionary attacks
  ● stronger passwords have greater entropy
● Two ways to go about increasing it
  ● Increase the size of the character set
  ● Increase the length of the password
password entropy
● Think on the number of “valid” passwords in a given scheme
● [A-Z]+ = 26^n = 4.7n bits:
  ● log2(26^n) = n * log2(26) = n * log(26)/log(2) = n * 1.41 / 0.3
● Throw in numbers and punctuation ≈ 45^n = 5.5n bits
● …or just make n bigger
● Usage of random password generators
  ● Though they also have their own problems
● Around ~128 bits is considered (-NSA) secure enough today
a small exercise
Here are three password schemes. I would like you to
calculate the number of possible combinations for a
brute force attack.
Feel free to use phones/calculators in this instance.
a small exercise
● Scheme 1: 4 alphabetical characters, non-case sensitive
● Scheme 2: 6 alphanumerical characters, case sensitive
● Scheme 3: 8 alphanumerical characters, case sensitive, including punctuation. Assume 10 punctuation {.,:,',:,%, etc.} characters
a small exercise
● Scheme 1: 4 alphabetical characters, non-case sensitive
  ● 26^4 = 456,976 → 18.801 bits
● Scheme 2: 6 alphanumerical characters, case sensitive
  ● (26+26+10)^6 = 56,800,235,584 → 35.72 bits
● Scheme 3: 8 alphanumerical characters, case sensitive, including punctuation. Assume 10 punctuation {.,:,',:,%, etc.} characters
  ● (26+26+10+10)^8 = 722,204,136,308,736 → 49.35 bits
strong passwords
http://xkcd.com/936/
password generation
• We assumed passwords generated from random
characters, i.e. where all combinations are equally likely
• If some passwords are more common than others then
entropy is lower
• e.g., the entropy for a word picked from the Oxford dictionary
is 17 bits of entropy, given that there are only 200k words in it,
even if the longest is
Pneumonoultramicroscopicsilicovolcanoconiosis (45 characters
= 210 bits of entropy)
dictionary attacks
• Attackers may use a "dictionary"
  • wordlist of tens of thousands of common words/passwords
  • e.g., password, 123456, 12345678, qwerty, abc123, 1111111, iloveyou, etc...
• Dictionaries could also be used to prevent users from choosing common passwords
• Passwords/passphrases should be generated
  • randomly (best way)
  • or from something that is very personal, e.g., remember a long phrase or poem, and use the first letter of each word to give a random-looking but easy to remember string (and hope it is not too common)
online password attacks
• This would all be fine for online attacks:
  • If request+reply = 1kB, on a 1Gbps connection that is 125k req/sec, or on a 20Mbps connection 2.5k req/sec
• Can make it more difficult:
  • Lock accounts after a few failed login attempts
  • Ask the user logging in to perform a task unsuitable for bots, e.g., CAPTCHAs (Completely Automated Public Turing test to tell Computers and Humans Apart)
  • ... so it would take ages for passwords with decent entropy
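Added worked example (not from the slides) covering the three-scheme exercise and the online-attack arithmetic above: it computes the combination count and entropy bits for each scheme, the worst-case time to exhaust the space at the slide's 125k and 2.5k requests per second, and how an account-lockout policy changes that rate. The lockout policy (5 failures, 15-minute lock) and the function names are constructed assumptions for this illustration.

```python
import math

# Guess rates from the slide's online-attack arithmetic:
# 1 kB request+reply on a 1 Gbps link ~ 125k req/s; on 20 Mbps ~ 2.5k req/s.
REQ_PER_SEC_1GBPS = 125_000
REQ_PER_SEC_20MBPS = 2_500

# The three schemes from the exercise: (character set size, length).
SCHEMES = {
    "scheme1": (26, 4),                 # 4 letters, not case sensitive
    "scheme2": (26 + 26 + 10, 6),       # 6 alphanumerics, case sensitive
    "scheme3": (26 + 26 + 10 + 10, 8),  # 8 chars incl. 10 punctuation symbols
}


def combinations(charset_size, length):
    """Number of distinct passwords a brute-force attacker must consider."""
    return charset_size ** length


def entropy_bits(charset_size, length):
    """log2 of the number of combinations, i.e. n * log2(charset size)."""
    return length * math.log2(charset_size)


def seconds_to_exhaust(charset_size, length, guesses_per_sec):
    """Worst-case time to try every password at a given guess rate."""
    return combinations(charset_size, length) / guesses_per_sec


def lockout_guess_rate(max_failures, lockout_seconds):
    """Guesses per second an attacker gets against one account when the account
    locks for lockout_seconds after max_failures wrong attempts (constructed policy model)."""
    return max_failures / lockout_seconds


def dictionary_entropy_bits(word_count):
    """Entropy of a password chosen uniformly from a word list, whatever the word length."""
    return math.log2(word_count)


def exercise_table():
    """Combinations and bits per scheme, plus brute-force time at the slide's rates."""
    rows = {}
    for name, (k, n) in SCHEMES.items():
        rows[name] = {
            "combinations": combinations(k, n),
            "bits": round(entropy_bits(k, n), 2),
            "hours_at_1gbps": seconds_to_exhaust(k, n, REQ_PER_SEC_1GBPS) / 3600,
            "hours_at_20mbps": seconds_to_exhaust(k, n, REQ_PER_SEC_20MBPS) / 3600,
            # Constructed policy: 5 failures lock the account for 15 minutes.
            "years_with_lockout": seconds_to_exhaust(k, n, lockout_guess_rate(5, 15 * 60))
            / (365 * 24 * 3600),
        }
    return rows


if __name__ == "__main__":
    for name, row in exercise_table().items():
        print(name, row)
    print("200k-word dictionary:", round(dictionary_entropy_bits(200_000), 1), "bits")
```

Running it shows why scheme 1 is hopeless online (under four seconds at 125k req/s) and how lockout turns even that into years per account, while the dictionary figure shows that a word chosen from a 200k-word list carries only about 17-18 bits regardless of its length.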
offline attacks
• Users often reuse passwords across different service accounts
• Passwords should not be stored in clear text or encrypted with keys
• Passwords should be hashed
What is password hashing?
What is a difference between hashing and traditional encryption?
“Hashing is the practice of using an algorithm to map data of any size to a fixed
length. This is called a hash value (or sometimes hash code or hash sums or even a
hash digest if you’re feeling fancy). Whereas encryption is a two-way function,
hashing is a one-way function. While it’s technically possible to reverse-hash
something, the computing power required makes it unfeasible. Hashing is one-way.”
https://www.thesslstore.com/blog/difference-encryption-hashing-salting/
offline attacks
• If password hashes are stolen
  • they cannot be used directly to log in to the same/other systems
  • but attackers can try to recover the password from the hash:
    • by hashing billions of passwords per second; if a hash matches, they have found the password
• Crackers can join together and build huge tables of passwords and hashes (rainbow tables) so that given a hash they can find out the original passwords (example of time/memory tradeoff)
  • e.g., https://crackstation... https://www.hashkiller...
• Defences:
  • Passwords should be hashed using a "slow" hashing algorithm like bcrypt/scrypt to slow down offline attacks
  • Salt should be used when hashing to defeat rainbow table attacks
  • Do not implement your own password hashing, use a library for password hashing (e.g. crypt or password_hash in PHP)
other attacks on passwords
• Trick you into giving away your password (e.g., phishing)
• Exploit password recovery mechanisms (e.g., having access to personal information about you)
• Timing attacks: in some cases, how long it takes to give an answer can give away the password
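Added example (not from the slides) tying together the offline-attack defences and the timing-attack point above: a salted, slow password hash next to the fast unsalted hash it replaces, a constructed stand-in for a precomputed (rainbow) table, and a constant-time comparison on verification. The slides recommend bcrypt/scrypt; PBKDF2-HMAC-SHA256 is used here only because it ships with Python's standard library, and the iteration count, record format and function names are choices made for this illustration.

```python
import base64
import hashlib
import hmac
import os

# Work factor for PBKDF2-HMAC-SHA256; a constructed value for this example.
PBKDF2_ITERATIONS = 600_000
ALGO = "pbkdf2_sha256"


def _b64(raw):
    return base64.b64encode(raw).decode("ascii")


def hash_password(password, iterations=PBKDF2_ITERATIONS, salt=None):
    """Return a self-describing record: algorithm$iterations$salt$digest."""
    salt = salt if salt is not None else os.urandom(16)  # fresh random salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGO}${iterations}${_b64(salt)}${_b64(digest)}"


def verify_password(password, record):
    """Recompute with the stored salt/iterations and compare in constant time."""
    algo, iterations, salt_b64, digest_b64 = record.split("$")
    if algo != ALGO:
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    # compare_digest avoids the timing side channel of a short-circuiting == on bytes
    return hmac.compare_digest(candidate, expected)


def fast_unsalted_hash(password):
    """What NOT to store: one fast, unsalted hash is the same for every user."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


# Constructed stand-in for a precomputed table over the slide's common passwords.
COMMON_PASSWORDS = ["password", "123456", "12345678", "qwerty", "abc123", "1111111", "iloveyou"]
PRECOMPUTED = {fast_unsalted_hash(p): p for p in COMMON_PASSWORDS}


def lookup_in_table(stored_value):
    """Recover a password from a leaked hash if it was stored unsalted and is in the table."""
    return PRECOMPUTED.get(stored_value)


def demo(iterations=PBKDF2_ITERATIONS):
    """Two users chose the same weak password; compare what a leak of each store gives away."""
    leaked_unsalted = fast_unsalted_hash("qwerty")
    user1 = hash_password("qwerty", iterations)
    user2 = hash_password("qwerty", iterations)
    return {
        "table_recovers_unsalted": lookup_in_table(leaked_unsalted),     # 'qwerty'
        "table_recovers_salted": lookup_in_table(user1.split("$")[-1]),  # None
        "same_password_same_record": user1 == user2,                     # False
        "correct_verifies": verify_password("qwerty", user1),            # True
        "wrong_rejected": verify_password("qwertz", user1),              # False
    }


if __name__ == "__main__":
    print(demo())
```

The per-user salt is what makes a precomputed table useless (the same password yields different records), the iteration count is what makes the billions-per-second guessing rate unaffordable, and compare_digest is what keeps the verification time independent of how many leading bytes of the guess were right.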
something I possess
● Could be a purpose-made dongle or key fob
  ● A proximity key fob
  ● A Smart Card / RFID
● Could be more general purpose
  ● Mobile
  ● Passport
● Items can be stolen, but can be used to strengthen other authentication methods
  ● Something I have, and something I know
  ● Two Factor Authentication
What are some other examples?
mobile phone example
● Example of Two Factor Authentication (Gmail, etc.)
  ● User logs in with a username and password
  ● Server sends a text message with a one-time code to the user’s registered mobile phone
  ● User enters code from SMS
  ● Everyone lives happily ever after – OK, not quite, but (a bit) better security
● Thus, the server has proof that the user knows something that only they’re supposed to know, and that the user has something that only they’re supposed to have
● The server is sufficiently convinced that the user really is who they say they are
mobile phone example
SMS and voice calls are not encrypted. Instead, they're transmitted in clear text, making them easier to intercept.
SMS codes are vulnerable to phishing. A tool called Modlishka uses actual content from the site it's mimicking to get you
to enter your info and dumps you out on that site at the end so you don't even realize you were there.
Phone company employees can be fooled. Attackers can trick an employee into transferring a phone number to the
attacker's SIM card, meaning the security codes get sent to them instead of you.
Outages. Authentication apps and security keys work offline. SMS needs the phone service to be available to work and
sometimes the phone system can go down when the internet does not.
SMS isn't likely to get more secure. As multi-factor authentication becomes more common, more attackers will target it.
Attackers usually target the weakest link in security and with MFA, SMS is the weakest link.
https://www.techrepublic.com/article/top-5-reasons-not-to-use-sms-for-multi-factor-authentication/
SIM swap/port attack
https://medium.com/coinmonks/the-mostexpensive-lesson-of-my-life-details-of-sim-porthack-35de11517124
https://www.researchgate.net/figure/SIMswapping-fraud-scheme-15_fig1_337291807
mobile phone example
Google Authenticator, Microsoft Authenticator, etc.
something I am
● Biometrics – measurements of the characteristics of our human bodies
  ● Fingerprints, DNA, Iris or Retina Scans
● In theory, the “most secure” sort of authentication
Examples: TouchID, FaceID, Windows Hello
something I am
● Can you think of any way around these? Maybe reference your latest spy/crime movie!
  ● Fingerprints can be copied in gelatin/latex
  ● Or there’s the more direct approach (though forceful!), also for retinas
  ● You can acquire a sample of someone’s DNA easily…
● Important to note that systems do not typically do a complete match
  ● They match markers/key points against a saved template
  ● Significant false negative and false positive rates
  ● Not consistent across different legislations
outline
• What is authentication
• Authentication factors
• Password security
• Multi-factor authentication
• Authorisation and Access control
authorisation and access control
• After authentication, the system knows “who” it is engaging with (or
who is requesting to access/use some service or data)
• Authorisation determines whether that entity (person, device, etc.)
should be allowed access or not
• Access control is the process of allowing or blocking the requests for
access/use
authorisation and access control
Access Control List (ACL)
Access Control = Authentication + Authorisation
A reference monitor performs two tasks.
• It authenticates any evidence supplied by the subject with an access request. Traditionally, the user identity the subject was speaking for was authenticated.
• It evaluates the request with respect to the given policy.
https://cybok.org/media/downloads/AAA_issue_1.0_q3qspzo.pdf
types of access control approaches
• Discretionary (DAC) (authorisation-based) policies control access based on the
identity of the requestor and on access rules stating what requestors are (or are
not) allowed to do.
• Mandatory (MAC) policies control access based on mandated regulations
determined by a central authority.
• Role-based (RBAC) policies control access depending on the roles that users have
within the system and on rules stating what accesses are allowed to users in given
roles.
• Attribute-based (ABAC) policies control access depending on the attributes of
entities (subject and object), operations, and the environment relevant to a request.
Samarati P., de Vimercati S.C. (2001) Access Control: Policies, Models, and Mechanisms. In: Focardi R., Gorrieri R. (eds)
Foundations of Security Analysis and Design. FOSAD 2000. Lecture Notes in Computer Science, vol 2171. Springer.
Hu, V. C., Kuhn, D. R., Ferraiolo, D. F., & Voas, J. (2015). Attribute-based access control. Computer, 48(2), 85-88.
access list examples
Access matrix (subjects as rows, objects as columns):
                   CO558-634examnotes.docx   BobAssignment.pdf   BobNotes.docx
Jason              Own, Read, Write          Read                -
Alice (lecturer)   Read, Write               -                   -
Bob (student)      -                         Own, Read, Write    Own, Read, Write
ACLs by file:
CO558-634examnotes.docx
• Jason: Own, Read, Write
• Alice: Read, Write
BobAssignment.pdf
• Bob: Own, Read, Write
• Jason: Read
BobNotes.pdf
• Bob: Own, Read, Write
Samarati P., de Vimercati S.C. (2001) Access Control: Policies, Models, and Mechanisms. In: Focardi R., Gorrieri R. (eds)
Foundations of Security Analysis and Design. FOSAD 2000. Lecture Notes in Computer Science, vol 2171. Springer.
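Added example (not from the slides) for the reference-monitor description and the access matrix/ACL slide above: the matrix is held as data, derived into per-object ACLs (the column view) and per-subject capabilities (the row view), and a small reference monitor performs the two tasks the slide lists, authenticating the subject's evidence and then evaluating the request against the ACL. The subjects, objects and rights are the slide's; the secrets, digest storage and class/function names are constructed for this illustration.

```python
import hashlib
import hmac

# The access matrix from the slide, as subject -> object -> set of rights.
ACCESS_MATRIX = {
    "Jason": {"CO558-634examnotes.docx": {"Own", "Read", "Write"}, "BobAssignment.pdf": {"Read"}},
    "Alice": {"CO558-634examnotes.docx": {"Read", "Write"}},
    "Bob": {"BobAssignment.pdf": {"Own", "Read", "Write"}, "BobNotes.docx": {"Own", "Read", "Write"}},
}


def acls_by_object(matrix):
    """Column view of the matrix: one ACL per object, listing subjects and their rights."""
    acls = {}
    for subject, objects in matrix.items():
        for obj, rights in objects.items():
            acls.setdefault(obj, {})[subject] = set(rights)
    return acls


def capabilities_by_subject(matrix):
    """Row view: what each subject may do, stored with the subject rather than the object."""
    return {s: {o: set(r) for o, r in objs.items()} for s, objs in matrix.items()}


class ReferenceMonitor:
    """Performs the two tasks from the slide: authenticate the evidence, then evaluate the policy."""

    def __init__(self, acls, credential_digests):
        self.acls = acls
        self.credential_digests = credential_digests  # subject -> sha256 of its secret

    def authenticate(self, subject, secret):
        expected = self.credential_digests.get(subject)
        if expected is None:
            return False
        return hmac.compare_digest(hashlib.sha256(secret.encode()).digest(), expected)

    def authorise(self, subject, obj, right):
        return right in self.acls.get(obj, {}).get(subject, set())

    def request(self, subject, secret, obj, right):
        # Access Control = Authentication + Authorisation: both must pass, and a
        # request for an object with no ACL entry for the subject is denied by default.
        return self.authenticate(subject, secret) and self.authorise(subject, obj, right)


# Constructed secrets for the demo (a real system would store slow, salted hashes).
CREDENTIALS = {s: hashlib.sha256(f"{s}-secret".encode()).digest() for s in ACCESS_MATRIX}
MONITOR = ReferenceMonitor(acls_by_object(ACCESS_MATRIX), CREDENTIALS)

if __name__ == "__main__":
    print(acls_by_object(ACCESS_MATRIX))
    print(MONITOR.request("Jason", "Jason-secret", "BobAssignment.pdf", "Read"))   # True
    print(MONITOR.request("Jason", "Jason-secret", "BobAssignment.pdf", "Write"))  # False
```

Keeping the policy as an ACL per object is what the Linux example that follows does at filesystem level; the capability view is the same information indexed the other way round.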
a linux-based example
Can anyone tell me what this is, and interpret it?
a linux-based example
ACLs allow one to apply a more specific set of permissions to a file or directory
without (necessarily) changing the base ownership and permissions (e.g., previous
slide). Essentially, they let a system "tack on" access for other users or groups.
~test$ getfacl /test
# file: test
# owner: user
# group: user
user::rwx
group::rwx
other::---
~test$ setfacl -d -m students:rw- /test
~test$ getfacl /test
# file: test
# owner: user
# group: user
user::rwx
group::rwx
other::---
default:user::rwx
default:user:students:rw-
default:group::rwx
default:mask::rwx
default:other::---
The setfacl call sets the default access control list for the /test directory; the "default:" entries are inherited by new files and subdirectories created inside it.
More here: https://www.redhat.com/sysadmin/linux-access-controllists (read it!)
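Added example (not from the slides): a small Python parser for getfacl output that applies the ACL mask rule, which the slide's listing shows but does not explain. The mask entry caps the effective permissions of named users, named groups and the owning group; the owner and "other" entries are not affected by it. The sample text is constructed to mirror the slide's second getfacl run, and the second sample, with a tightened default mask, is constructed to show the mask doing its job. Function and field names are choices made for this illustration.

```python
from collections import namedtuple

Entry = namedtuple("Entry", "default tag qualifier perms")


def parse_getfacl(text):
    """Turn getfacl(1) output into Entry records; '#' header lines are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        default = line.startswith("default:")
        if default:
            line = line[len("default:"):]
        tag, qualifier, perms = line.split(":")
        entries.append(Entry(default, tag, qualifier, perms))
    return entries


def _and_perms(a, b):
    """Bitwise AND of two rwx strings, e.g. 'rw-' & 'r--' -> 'r--'."""
    return "".join(x if x == y and x != "-" else "-" for x, y in zip(a, b))


def effective_permissions(entries, default=False):
    """Map 'tag:qualifier' -> effective perms for the access ACL (default=False)
    or the default ACL (default=True), applying the mask where ACL(5) says it applies."""
    chosen = [e for e in entries if e.default == default]
    mask = next((e.perms for e in chosen if e.tag == "mask"), None)
    result = {}
    for e in chosen:
        key = f"{e.tag}:{e.qualifier}"
        # Masked: any named user/group entry, and the owning group entry.
        masked = mask is not None and (e.qualifier != "" or e.tag == "group")
        result[key] = _and_perms(e.perms, mask) if masked else e.perms
    return result


# Constructed sample modelled on the slide's second getfacl run.
SAMPLE_AFTER_SETFACL = """\
# file: test
# owner: user
# group: user
user::rwx
group::rwx
other::---
default:user::rwx
default:user:students:rw-
default:group::rwx
default:mask::rwx
default:other::---
"""

# Constructed variant where an administrator later tightened the default mask.
SAMPLE_TIGHT_MASK = SAMPLE_AFTER_SETFACL.replace("default:mask::rwx", "default:mask::r--")

if __name__ == "__main__":
    print(effective_permissions(parse_getfacl(SAMPLE_AFTER_SETFACL), default=True))
    print(effective_permissions(parse_getfacl(SAMPLE_TIGHT_MASK), default=True))
```

A practical consequence: a chmod on the group bits of a file that carries an ACL rewrites the mask, which can silently cut named-user access; getfacl shows this as "#effective:" comments, and the parser above computes the same result.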
summary
• What is authentication
• Authentication factors
• Password security
• Multi-factor authentication
• Authorisation and Access control
Thanks for coming!
next time…
Symmetric &
Asymmetric
Authentication:
A closer look
Symmetric &
Asymmetric Authentication:
A closer look
Jason R.C. Nurse
School of Computing
j.r.c.nurse@kent.ac.uk
jasonnurse.github.io
@jasonnurse
@drjasonnurse
© 2022/2023
but first…
• What did we cover in the last lecture?
• What are the main types of authentication?
• A hint: Passwords are like underwear…
• What happened in cyber security this last week?
outline
• Symmetric authentication protocol
• Key distribution
• Needham Schroeder
• Asymmetric authentication
authentication
… verifying the identity of a user, process, or device, often as a
prerequisite to allowing access to resources in an information
system. (NIST SP800-30)
Symmetric authentication… what is it about?
… the core theme is using the same cryptographic keys on both sides for the authentication process
authentication using symmetric crypto
● We call this Challenge/Response
  ● note the key (shared secret here) is never sent
  ● still need to watch out for Replay Attacks
Alice and Bob share a secret key K.
1. Alice → Bob: A (Hi, I am Alice)
2. Bob generates rb. Bob → Alice: rb (Prove you are Alice)
3. Alice computes {rb}K. Alice → Bob: {rb}K (Here is your proof)
4. Bob computes {{rb}K}K (i.e., decrypts the proof with K) and checks if it is the same as rb. Bob → Alice: Ok or Fail
The challenge needs to be generated by the authenticator (Bob).
Would this work?
1. Alice generates ra and computes {ra}K. Alice → Bob: A, ra, {ra}K (Hi, proof that I am Alice)
2. Bob computes {{ra}K}K and checks if it is the same as ra. Bob → Alice: Ok or Fail
• No! Any attacker who can see the conversation can then always impersonate Alice (Replay Attack)
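Added example (not from the slides) running both exchanges above: the version where Bob generates the challenge, and the "would this work?" version where Alice picks her own nonce, each followed by an eavesdropper replaying the captured proof. The slide writes the proof as {rb}K, encryption under the shared key; this example substitutes an HMAC keyed with K as the proof function, which keeps the property the slide cares about (the key itself is never sent) without needing a cipher. Class and function names are constructed for this illustration.

```python
import hashlib
import hmac
import os


def prove(key, challenge):
    """Proof of knowing K: an HMAC over the challenge (stand-in for {challenge}K)."""
    return hmac.new(key, challenge, hashlib.sha256).digest()


class Bob:
    """Authenticator: issues a fresh random challenge and checks the returned proof."""

    def __init__(self, key):
        self.key = key
        self.pending = {}  # claimed identity -> outstanding challenge

    def challenge(self, claimed_id):
        rb = os.urandom(16)  # fresh per run, so an old proof never matches
        self.pending[claimed_id] = rb
        return rb

    def check(self, claimed_id, proof):
        rb = self.pending.pop(claimed_id, None)  # one use only
        if rb is None:
            return False
        return hmac.compare_digest(proof, prove(self.key, rb))


class Alice:
    def __init__(self, key):
        self.key = key

    def respond(self, rb):
        return prove(self.key, rb)


def run_bob_chooses_challenge(key=None):
    """Slide version: Bob generates rb. Returns (genuine accepted, replay accepted)."""
    key = key or os.urandom(32)
    alice, bob = Alice(key), Bob(key)
    rb = bob.challenge("Alice")
    proof = alice.respond(rb)
    genuine = bob.check("Alice", proof)
    # Eve recorded (rb, proof) and later claims to be Alice with the captured proof.
    bob.challenge("Alice")  # Bob issues a new rb for this new session
    replay = bob.check("Alice", proof)
    return genuine, replay


def run_alice_chooses_challenge(key=None):
    """'Would this work?' version: Alice picks ra herself and sends A, ra, {ra}K."""
    key = key or os.urandom(32)
    alice = Alice(key)
    ra = os.urandom(16)
    message = ("Alice", ra, alice.respond(ra))

    def bob_accepts(msg):
        # Bob only checks that the proof matches the nonce he was handed.
        _, nonce, proof = msg
        return hmac.compare_digest(proof, prove(key, nonce))

    genuine = bob_accepts(message)
    replay = bob_accepts(message)  # Eve resends the same message unchanged
    return genuine, replay


if __name__ == "__main__":
    print("Bob chooses the challenge:  ", run_bob_chooses_challenge())    # (True, False)
    print("Alice chooses the challenge:", run_alice_chooses_challenge())  # (True, True)
```

The difference is entirely in who picks the nonce: when Bob does, a captured proof is bound to a value Bob will never ask for again; when Alice does, the whole message is reusable.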
distributed systems & password auth.
• Imagine you want to be able to authenticate to lots of different services, all using passwords. Here are your options:
 • could use the same password everywhere
 • could use different passwords for each
 • could use a password manager
 • could trust a third party (e.g., login with Google, Apple, Microsoft, etc.)
scalability of symmetric authentication
• If N people want to authenticate to each other with shared secrets, you need N*(N-1)/2 secrets
 • Scales very poorly (square of N)
 • Lots of key generation and distribution problems
• Key distribution protocols
 • A server generates keys and distributes them in a secure way (Needham – Schroeder and Kerberos)
• Key agreement protocols
 • Parties agree on a shared key, each contributing some key material to the shared key (Diffie-Hellman)
key distribution
• Even if the secret is stored securely, how is it transmitted
between parties?
• We need to worry about eavesdropping
• People listening to our secret
• Replay attacks
exercise: 5 mins
Thus far we have assumed that there is a shared key
between the two parties that want to communicate.
But, how do they attain this shared key?
Task: Try to design a protocol*, or think of key
elements of a protocol, that would allow the secure
distribution/sharing of keys.
*system of rules or procedures
Needham Schroeder Protocol
Alice holds K_AS; the Server holds K_AS and K_BS; Bob holds K_BS
1. Alice → Server: A, B
2. Server → Alice: {K_AB, {K_AB}K_BS}K_AS
3. Alice → Bob: A, {K_AB}K_BS
4. Bob → Alice: {N_B}K_AB
5. Alice → Bob: {f(N_B)}K_AB
• Needs a trusted intermediary
• Every user shares a master key with the server S
 • thus we only have n (master) keys for n users
• Alice-Server key: K_AS, Bob-Server key: K_BS
Non-secure Needham – Schroeder (v1)
• Alice asks the server for a key to talk to Bob
• Server generates a session key K_AB, encrypted with Alice's master key (K_AS)
• Gives Alice the same key K_AB encrypted with Bob's master key K_BS (a "ticket")
• Alice forwards Bob's ticket (encrypted session key) to him
• Bob decrypts the session key using K_BS, obtaining K_AB
• Bob sends a challenge (random nonce N_B) encrypted with the session key K_AB to verify Alice's identity
• Alice decrypts the nonce, does a simple operation on it, and sends it back, encrypted again with the session key
Needham Schroeder Protocol
Attack on non-secure Needham – Schroeder (v1)
Honest run: A, B / {K_AB, {K_AB}K_BS}K_AS / A, {K_AB}K_BS / {N_B}K_AB / {f(N_B)}K_AB
Charlie runs the protocol in his own name, then forwards his ticket as if he were Alice:
1. Charlie → Server: C, B
2. Server → Charlie: {K_CB, {K_CB}K_BS}K_CS
3. Charlie → Bob: A, {K_CB}K_BS (claiming to be Alice)
4. Bob → "Alice" (really Charlie): {N_B}K_CB
5. Charlie → Bob: {f(N_B)}K_CB
• Charlie can easily impersonate Alice with Bob
• To prevent that we need to have Alice's identity (A) be part of the ticket, so that Bob knows the session key is
Needham Schroeder Protocol
Non-secure Needham – Schroeder (v2)
Honest run:
1. Alice → Server: A, B
2. Server → Alice: {K_AB, {A, K_AB}K_BS}K_AS
3. Alice → Bob: {A, K_AB}K_BS
4. Bob → Alice: {N_B}K_AB
5. Alice → Bob: {f(N_B)}K_AB
Attack on non-secure Needham – Schroeder (v2)
Charlie sits between Alice and the server and swaps Bob's name for his own:
1. Alice → Server (intercepted by Charlie): A, B
2. Charlie → Server: A, C
3. Server → Charlie → Alice: {K_AC, {A, K_AC}K_CS}K_AS
4. Alice → "Bob" (really Charlie): {A, K_AC}K_CS
5. Charlie → Alice: {N_B}K_AC
6. Alice → Charlie: {f(N_B)}K_AC
• Man in the middle attack (MITM): Charlie can impersonate Bob (note, the message never reaches Bob)
• To prevent that we need to have Bob's identity (B) be part of the server response to Alice
Needham Schroeder Protocol
Non-secure Needham – Schroeder (v3)
Honest run:
1. Alice → Server: A, B
2. Server → Alice: {K_AB, B, {A, K_AB}K_BS}K_AS
3. Alice → Bob: {A, K_AB}K_BS
4. Bob → Alice: {N_B}K_AB
5. Alice → Bob: {f(N_B)}K_AB
Attack on non-secure Needham – Schroeder (v3)
Charlie has recorded an earlier server reply and plays it back to Alice (*):
1. Alice → Server: A, B
2. Charlie → Alice (*): {K_AB, B, {A, K_AB}K_BS}K_AS (the old reply, not a fresh one)
3. Alice → Bob: {A, K_AB}K_BS
4. Bob → Alice: {N_B}K_AB
5. Alice → Bob: {f(N_B)}K_AB
• Almost safe, but Charlie can replay to Alice a previous session key, to:
 • cause key wearing of one session key, ultimately leading to its compromise
 • attempt to replay the old conversation with Bob (assuming Alice would interpret the communication again as valid)
• Alternatively, if K_BS becomes compromised, Charlie can replay a response that used that key and fully impersonate Bob even if Bob changed K_BS
• To prevent all these we need to make sure that the reply is fresh, adding a nonce N_A to the first message which is echoed back in the server reply
Needham Schroeder Protocol
Needham – Schroeder protocol
1. Alice → Server: A, B, N_A
2. Server → Alice: {K_AB, B, N_A, {A, K_AB}K_BS}K_AS
3. Alice → Bob: {A, K_AB}K_BS
4. Bob → Alice: {N_B}K_AB
5. Alice → Bob: {f(N_B)}K_AB
But… there are always other attacks…
Attack on Needham – Schroeder based on a compromised K_AB
Charlie, holding an old session key K_AB and the ticket that carried it, replays steps 3-5 to Bob:
3. Charlie → Bob: {A, K_AB}K_BS
4. Bob → "Alice" (really Charlie): {N_B}K_AB
5. Charlie → Bob: {f(N_B)}K_AB
• This is the complete protocol published by Needham and Schroeder
• Adding a nonce N_A to the first message, which is echoed back in the server reply, ensures the reply is fresh
• Denning and Sacco: if a session key K_AB is compromised, Charlie can impersonate Alice with Bob
• To prevent that Bob needs to be sure that the ticket is fresh; to do so he provides a nonce to Alice before she contacts the server
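The published Needham–Schroeder exchange above, as an added Python example that is not part of the slides. A toy encrypt-then-MAC construction stands in for the {…}K notation, the principal names and master keys are constructed, and f(N_B) is taken to be N_B + 1; the point is where the three fixes from the v1–v3 slides live as explicit checks: Bob reads the principal's name from inside the ticket, Alice checks that the reply names B, and Alice checks that her N_A came back.

```python
import hashlib
import hmac
import json
import secrets

# Toy authenticated encryption standing in for the slides' { ... }K notation:
# an HMAC-SHA256 keystream XOR plus an HMAC tag (encrypt-then-MAC). It is an
# assumption of this example, chosen to avoid third-party dependencies; real
# code would use an AEAD such as AES-GCM with separate encryption and MAC keys.

def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    out = bytearray()
    for i in range((len(data) + 31) // 32):
        ks = hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(x ^ y for x, y in zip(data[i * 32:(i + 1) * 32], ks))
    return bytes(out)

def seal(key: bytes, fields: dict) -> bytes:
    """{ fields }key: encrypt the JSON-encoded fields and append an integrity tag."""
    nonce = secrets.token_bytes(16)
    body = _xor_stream(key, nonce, json.dumps(fields, sort_keys=True).encode())
    return nonce + body + hmac.new(key, nonce + body, hashlib.sha256).digest()

def open_(key: bytes, blob: bytes) -> dict:
    """Inverse of seal(); raises ValueError on a wrong key or a tampered message."""
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + body, hashlib.sha256).digest(), tag):
        raise ValueError("integrity check failed")
    return json.loads(_xor_stream(key, nonce, body))

def f(nonce_hex: str) -> str:
    """The 'simple operation' Alice applies to N_B; here N_B + 1 (an assumption)."""
    return format(int(nonce_hex, 16) + 1, "x")

class Server:
    """S: holds every principal's master key (K_AS, K_BS, ...) and mints K_AB."""
    def __init__(self, master_keys: dict):
        self.master = master_keys

    def reply(self, a: str, b: str, n_a: str) -> bytes:
        k_ab = secrets.token_hex(32)
        ticket = seal(self.master[b], {"principal": a, "key": k_ab})       # {A, K_AB}K_BS
        return seal(self.master[a], {"key": k_ab, "peer": b, "nonce": n_a,
                                     "ticket": ticket.hex()})               # {K_AB, B, N_A, ticket}K_AS

class Initiator:
    """Alice: asks S for a key to talk to a named peer and vets the answer."""
    def __init__(self, name: str, master_key: bytes):
        self.name, self.k = name, master_key

    def request(self, peer: str) -> tuple:
        self.peer, self.n_a = peer, secrets.token_hex(16)
        return self.name, peer, self.n_a                                     # A, B, N_A

    def process_reply(self, blob: bytes) -> bytes:
        msg = open_(self.k, blob)
        if msg["peer"] != self.peer:    # v2 fix: the reply names B, so a swapped peer is caught
            raise ValueError("server reply names the wrong peer")
        if msg["nonce"] != self.n_a:    # v3 fix: N_A is echoed back, so a replayed reply is caught
            raise ValueError("server reply is not fresh")
        self.session_key = bytes.fromhex(msg["key"])
        return bytes.fromhex(msg["ticket"])                                  # forwarded to Bob as-is

    def answer(self, challenge: bytes) -> bytes:
        n_b = open_(self.session_key, challenge)["nonce"]
        return seal(self.session_key, {"nonce": f(n_b)})                     # {f(N_B)}K_AB

class Responder:
    """Bob: takes K_AB from the ticket and challenges whoever presented it."""
    def __init__(self, master_key: bytes):
        self.k = master_key

    def receive_ticket(self, ticket: bytes) -> tuple:
        t = open_(self.k, ticket)
        self.principal = t["principal"]  # v1 fix: the name is sealed inside the ticket, not claimed beside it
        self.session_key = bytes.fromhex(t["key"])
        self.n_b = secrets.token_hex(16)
        return self.principal, seal(self.session_key, {"nonce": self.n_b})   # {N_B}K_AB

    def check(self, response: bytes) -> bool:
        try:
            return open_(self.session_key, response)["nonce"] == f(self.n_b)
        except ValueError:
            return False

def run_protocol(server: Server, alice: Initiator, bob: Responder, peer: str = "B") -> tuple:
    """One honest run; returns (the principal Bob bound the session to, Bob's verdict)."""
    a, b, n_a = alice.request(peer)
    ticket = alice.process_reply(server.reply(a, b, n_a))
    principal, challenge = bob.receive_ticket(ticket)
    return principal, bob.check(alice.answer(challenge))
```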
Needham – Schroeder with Handshake
Needham – Schroeder protocol with Alice-Bob handshake
1. Alice → Bob: A
2. Bob → Alice: {A, N_B'}K_BS
3. Alice → Server: A, B, N_A, {A, N_B'}K_BS
4. Server → Alice: {K_AB, B, N_A, {A, K_AB, N_B'}K_BS}K_AS
5. Alice → Bob: {A, K_AB, N_B'}K_BS
6. Bob → Alice: {N_B}K_AB
7. Alice → Bob: {f(N_B)}K_AB
problems with symmetric authentication
• Lots of secrets!
 • We have to store them securely
 • We have to share them in the first place
 • Eavesdropping these initial communications, or hacking the secure storage, blows the whole thing
• Needham-Schroeder & Kerberos improve scalability, but would you want to manage the key server for the whole Uni? Google?
 • key server becomes a primary target
• We could use a key agreement protocol (see further reading at end)
• We could use Asymmetric Authentication
outline
• Symmetric authentication protocol
• Key distribution
• Needham Schroeder
• Asymmetric authentication
asymmetric authentication
• Asymmetric Authentication builds on Asymmetric Encryption
• Asymmetric Encryption = Different keys
• Generate keys in pairs, one key is kept (privately) by one party, the other can be disclosed to all
 • We call them private and public keys
uses of asymmetric encryption
Can use the keys either way round:
• Encrypt with the public key, and only the person with the private key can read the message
• Encrypt with the private key, and anyone with the public key can decrypt it, but they can be sure that it was the private key holder that wrote it
We are particularly interested in the 2nd usage…
uses of asymmetric encryption
• Everyone can have a public/private key pair
• Bob needs to know Alice’s public key in order to authenticate her
• If Alice uses her private key to encrypt something, we refer to this as signing
uses of asymmetric encryption
• Below shows the signing process and how it all fits together:
 1. Challenge sent to request proof of Alice’s identity
 2. Encrypt/sign with private key (of Alice)
 3. Verify identity of Alice based on public key
why bother with symmetric?
Okay then, if this is so much better, why bother with the
stuff on symmetric encryption / authentication from
previous classes?
Any ideas?
why bother with symmetric?
• Okay then, if this is so much better, why bother with the stuff on symmetric encryption / authentication from previous classes?
• Asymmetric encryption is much, much slower
 • Estimates of 1000 times slower for some implementations!
 • Remember, we need to care about the security and usability balance…
• Can we do anything about that?
 • Yes! – sign a hash (summary) of the message
hashing
• A hashing function takes any arbitrary message, and gives us a fixed length string of random-looking letters and numbers
• Turns up everywhere in computing
 • Hash tables
 • Password storage (discussed before…)
• A good hashing function makes it difficult to find another input message that gives the same hash
 • We call duplicate hashes a collision
• Like a digital fingerprint of the message
signing and using a Hash
• Alice writes her message
• Alice makes a hash of the message
• Alice encrypts the hash with her private key
• Alice includes the encrypted hash with the message
 • So, the message is sent in plaintext
 • Not a problem in this particular scenario. Remember, the attacker would have the public key anyway… It’s public!
• Bob decrypts the hash using Alice’s public key, and re-hashes the message to check that it matches
 • If the message has been tampered with, it won’t match!
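The hash-then-sign flow just described, as an added Python example that is not part of the slides. It uses textbook RSA with a seeded key generator so the run is reproducible; the message, the 512-bit key size and the absence of padding are illustration-only assumptions (real signatures use a padded scheme such as RSA-PSS, or an elliptic-curve scheme, from a vetted library).

```python
import hashlib
import random

# Textbook ("schoolbook") RSA with a seeded RNG so the demo is reproducible.
# Constructed for illustration only: no padding and small keys.


def _is_probable_prime(n: int, rng: random.Random, rounds: int = 32) -> bool:
    """Miller-Rabin probabilistic primality test."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int, rng: random.Random) -> int:
    while True:
        candidate = rng.getrandbits(bits) | (1 << (bits - 1)) | 1   # right size, odd
        if _is_probable_prime(candidate, rng):
            return candidate


def generate_keypair(bits: int = 512, seed: int = 2023) -> tuple:
    """Return ((n, e), (n, d)): the public key Bob holds and Alice's private key."""
    rng = random.Random(seed)
    e = 65537
    while True:
        p, q = _random_prime(bits // 2, rng), _random_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:      # e is prime, so this guarantees gcd(e, phi) == 1
            break
    return (p * q, e), (p * q, pow(e, -1, phi))


def digest_int(message: bytes) -> int:
    """The hash (the message's 'fingerprint') as an integer. SHA-256 is 256 bits,
    so it sits comfortably below a 512-bit modulus."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(private_key: tuple, message: bytes) -> int:
    """Alice: hash the message, then 'encrypt' the hash with her private exponent d."""
    n, d = private_key
    return pow(digest_int(message), d, n)


def verify(public_key: tuple, message: bytes, signature: int) -> bool:
    """Bob: 'decrypt' the signature with Alice's public exponent e and compare it
    with his own hash of the plaintext message. Any tampering breaks the match."""
    n, e = public_key
    return pow(signature, e, n) == digest_int(message)
```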
keeping your private key private
“Customers of HTTPS certificate reseller Trustico are reeling after being told
their website security certs – as many as 23,000 – will be rendered useless
within the next 24 hours.
This is allegedly due to a security blunder in which the private keys for said
certificates ended up in an email sent by Trustico. Those keys are supposed
to be secret, and only held by the cert owners, and certainly not to be
disclosed in messages. In the wrong hands, they can be used by malicious
websites to masquerade as legit operations.”
https://www.theregister.co.uk/2018/03/01/trustico_digicert_symantec_spat/
distributing public keys
• To do asymmetric authentication, users need to know other users’ public keys
• How do they find them out?
 • If Eve replaces Alice’s public key initially, nobody will believe Alice’s messages are real, and Eve could still impersonate her
• We use a trusted third party and certificates
• What are examples of trusted third parties in the ‘real world’?
distributing public keys
• The trusted third party has a public key known to everyone
• Generates a certificate saying that a key belongs to a person, encrypted with its private key, naturally
 • Certificate can’t be altered
• Trusted third party is a Certificate Authority
distributing public keys
• You could always hand over a public key yourself… That’d be pretty secure!
• Get a public key from someone you already trust (a trusted introducer)
• Get a certified key from a public repository
trust models
• Monopoly Model
 • Just one trusted entity
• Oligarchy
 • Many root CAs, like we have in browsers
• Anarchy (Web of Trust)
 • PGP – e.g., everyone can sign everyone else’s certificates – a friend can sign another friend’s certificate to ‘validate’ that friend’s identity.
What are the pros and cons to these 3 approaches? (2-3 mins)
certificate chains
• There’s no “one ring to rule them all” trusted Certificate Authority
• If you look at which SSL “root” certificates are trusted by your browser, you’ll see about 50.
https://www.globalsign.com/images/apple-root-certificates.png
certificate chains
• A certificate authority can sign a certificate for someone else, saying they do a good job at checking other people, so they too can issue certificates.
 • Verisign, Thawte, Comodo, DigiCert
• We talk about chains of certificates, which means that a certificate saying K is Alice’s public key is signed by C, and their certificate is signed by D, all the way up to a root CA
certificate chains
https://www.youtube.com/watch?v=msBrdFiSvW4
issues with messing with certificates
“The critical threat is present on Lenovo PCs that have adware from a company called
Superfish installed. As unsavory as many people find software that injects ads into Web
pages, there's something much more nefarious about the Superfish package. It installs a
self-signed root HTTPS certificate that can intercept encrypted traffic for every website
a user visits. When a user visits an HTTPS site, the site certificate is signed and
controlled by Superfish and falsely represents itself as the official website certificate.”
https://arstechnica.com/information-technology/2015/02/lenovo-pcs-ship-with-man-in-the-middle-adware-that-breaks-https-connections/
issues with messing with certificates
https://www.thesslstore.com/blog/lenovo-settles-ftc-superfish-security-incident/
certificate formats
• Two main certificate formats in use today:
 • X.509
  • Widely accepted, industry standard format
  • Used by MS, Verisign, etc.
  • Signed by a single certification authority
 • PGP
  • Allows multiple owners for a key
  • Allows multiple certifiers for a key
  • Supports self-certification, and anyone can certify anyone else’s key
summary
• Symmetric authentication protocol
• Key distribution
• Needham Schroeder
• Asymmetric authentication
Thanks for coming!
next time…
Security controls: Preventing, detecting and recovering from attacks
further reading
The following slides will be helpful in understanding the topics discussed. You are strongly advised to read them, and conduct your own independent research.
do not invent your security protocol
• A friendly warning
 • do not invent, modify or try to implement security protocols by yourself: things can go wrong rather quickly, e.g., mutual authentication challenge response
[slightly different notation:
• K(M) for encrypting M with K
• K_A,B to highlight that the key is shared between A and B]
... or things will go wrong
• It seems a very long exchange… let's try to piggyback some
message
• Since A is going to authenticate B, let's challenge B in the
first round
... very quickly
Original session:
 • I’m (claiming to be) Alice, prove to me you’re Bob
 • I’m Bob, prove to me you’re Alice
New session:
 • I’m (claiming to be) Alice, prove to me you’re Bob
 • I’m Bob, prove to me you’re Alice
Original session:
 • Here’s my (ill-gotten) proof that I’m Alice
• Reflection attack
 • An attacker can request the response to the challenge! (fix: use even for request, odd for response)
• Key wearing
 • An active attacker can solicit use of the key (causing “key wearing”)
Kerberos v5
Kerberos - Network Authentication Protocol https://www.youtube.com/watch?v=WXgKiiFqJbI
Kerberos Authentication https://www.fortinet.com/resources/cyberglossary/kerberos-authentication
Adds a Ticket Granting Server (for scalability), and Timestamps
Diffie-Hellman protocol
● Key agreement protocol...
● Everyone agrees 2 initial (public) numbers
 ● p which is prime (and normally big)
 ● q which is an integer – a generator of Z_p
● Alice and Bob pick (private) random numbers, Alice picks a and Bob picks b
● Now, Alice and Bob compute a public key from their private numbers (a* & b*)
 ● Alice does: a* = q^a mod p
 ● Bob does: b* = q^b mod p
Diffie-Hellman protocol
● Alice and Bob can now compute the same session key (x)
● Nobody else can do it, because they don’t know a or b, just the public keys
 ● Alice uses: x = (b*)^a mod p
 ● Bob uses: x = (a*)^b mod p
● See Public Key Cryptography: Diffie-Hellman Key Exchange (short version) https://www.youtube.com/watch?v=3QnD2c4Xovk
● A problem is Man-In-The-Middle attacks
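The exchange above in Python, as an added example that is not part of the slides, with the range check a peer should apply to a received public value and a derivation of a fixed-length key from x. The parameters p and q and the transcript binding are constructed assumptions; authenticating a* and b* (the missing piece against the man in the middle the slide mentions) is left out here.

```python
import hashlib
import hmac
import secrets

# Constructed demonstration parameters (an assumption of this example).
# p is the Mersenne prime 2^127 - 1, far too small for real use; deployments
# use standardised groups (e.g. RFC 3526) or elliptic-curve DH. The generator
# is called q here to match the slides' notation.
P = 2**127 - 1
Q = 3


def private_value(p: int = P) -> int:
    """Alice picks a (Bob picks b): a secret random exponent in [2, p-2]."""
    return secrets.randbelow(p - 3) + 2


def public_value(priv: int, p: int = P, q: int = Q) -> int:
    """a* = q^a mod p (Alice) or b* = q^b mod p (Bob); safe to publish."""
    return pow(q, priv, p)


def validate_public(pub: int, p: int = P) -> None:
    """Reject degenerate values (0, 1, p-1, out of range) that would force a
    predictable x. A peer should apply this to every received public value,
    though it does not by itself stop a man in the middle who relays his own."""
    if not 2 <= pub <= p - 2:
        raise ValueError("public value out of range")


def shared_secret(priv: int, peer_pub: int, p: int = P) -> int:
    """x = (b*)^a mod p on Alice's side and x = (a*)^b mod p on Bob's."""
    validate_public(peer_pub, p)
    return pow(peer_pub, priv, p)


def session_key(x: int, transcript: bytes) -> bytes:
    """Turn x into a fixed-length key (HKDF-style extract: HMAC keyed with the
    transcript of both public values, so the two sides only agree if they saw
    the same exchange)."""
    return hmac.new(transcript, x.to_bytes(16, "big"), hashlib.sha256).digest()


def exchange() -> tuple:
    """Run one exchange locally and return the key each side derives."""
    a, b = private_value(), private_value()
    a_pub, b_pub = public_value(a), public_value(b)          # sent in the clear
    transcript = a_pub.to_bytes(16, "big") + b_pub.to_bytes(16, "big")
    k_alice = session_key(shared_secret(a, b_pub), transcript)
    k_bob = session_key(shared_secret(b, a_pub), transcript)
    return k_alice, k_bob
```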
© 2022/2023
Security controls: Preventing, detecting and recovering from attacks
Jason R.C. Nurse
School of Computing
j.r.c.nurse@kent.ac.uk
jasonnurse.github.io
@jasonnurse
@drjasonnurse
but first…
• What did we cover in the last lecture?
• What’s the purpose of the Needham Schroeder
Protocol?
• Explain how certificate chains work?
outline
• Types of security controls
• Cyber Essentials (UK)
• NCSC 10 Steps to Cyber Security (UK)
• CIS Cyber Security Controls (US)
• NIST Cyber Security Framework (US)
what are security controls?
• Security controls are used to mitigate/reduce attacks or threats,
and their impact
• Types of control:
• preventive
• detective
• reactive
• corrective - actively reduces impact
• recovery - restores the asset after impact
types of security controls
• Preventative – controls intended to stop an unauthorised or
undesired incident from occurring.
• E.g., firewalls, intrusion prevention systems, employee vetting
• Detective – controls intended to detect that an unauthorised or
undesired incident has occurred.
• E.g., intrusion detection systems, system audit logs, CCTV
• Reactive – controls intended to support a response to an
unauthorised or undesired incident that has occurred.
• E.g., recovery systems
levels of security controls
• Physical – controls related to physical presence/access.
• E.g., locks, CCTV
• Technical/logical – controls related to software/hardware.
• E.g., antivirus software, application whitelisting
• Administrative – controls related to policies, procedures,
guidelines.
• E.g., acceptable usage policy (AUP), organisational security policy
types/levels of security controls
Types of security control  | Levels of security control
                           | Physical | Technical | Administrative
Preventative               | ??       | ??        | ??
Detective                  | ??       | ??        | ??
Reactive                   | ??       | ??        | ??
What are some examples of controls for each of the areas?
types/levels of security controls
Types of security control  | Physical                        | Technical                                       | Administrative
Preventative               | Locks, gates                    | Firewalls, IPS, antivirus, system access rights | Employee vetting, security awareness training
Detective                  | CCTV, security cameras          | IDS, audit logs, honeypots                      | Employee reporting of suspicious behaviour/incident
Reactive                   | Restoration, detain perpetrator | Reduce/change system access                     | Execute incident response plan
outline
• Types of security controls
• Cyber Essentials (UK)
• NCSC 10 Steps to Cyber Security (UK)
• CIS Cyber Security Controls (US)
• NIST Cyber Security Framework (US)
Cyber Essentials (2016-2021)
• Cyber Essentials (CE) is a Government backed scheme to help organisations, whatever their size, protect themselves against a whole range of the most common cyber attacks.
• CE recognises that most cyber-attacks have a common basis, and exploit certain key vulnerabilities
• Proposes 5 security controls as the “essentials”
https://www.ncsc.gov.uk/cyberessentials/overview
Cyber Essentials
1. Use a firewall to secure your internet connection
You should protect your Internet connection with a firewall. This
effectively creates a ‘buffer zone’ between your IT network and other,
external networks.
In the simplest case, this means between your computer (or computers)
and ‘the internet’. Within this buffer zone, incoming traffic can be
analysed to find out whether or not it should be allowed onto your
network.
There will be network firewalls and device firewalls.
https://www.ncsc.gov.uk/cyberessentials/advice
Cyber Essentials
2. Choose the most secure settings for your devices and software
Manufacturers often set the default configurations of new software and
devices to be as open and multi-functional as possible. They come with
‘everything on’ to make them easily connectable and usable.
Unfortunately, these settings can also provide cyber attackers with
opportunities to gain unauthorised access to your data, often with ease.
Organisations should always:
• Check the settings, Use passwords, Use extra security
https://www.ncsc.gov.uk/cyberessentials/advice
Cyber Essentials
3. Control who has access to your data and services
To minimise the potential damage that could be done if an account is
misused or stolen, staff accounts should have just enough access to
software, settings, online services and device connectivity functions for
them to perform their role. Extra permissions should only be given to
those who need them.
Organisations should pay close attention to:
• Administrative accounts, Access to software
https://www.ncsc.gov.uk/cyberessentials/advice
Cyber Essentials
4. Protect yourself from viruses and other malware
Malware is short for ‘malicious software’. Defending against malware:
• Anti-malware measures are often included for free within popular operating systems. For example, Windows has Defender. These should be used on all computers and laptops.
• An allowed list can also be used to prevent users installing and running applications that may contain malware. The process involves an administrator creating a list of applications allowed on a device.
• Sandboxing. Where possible, use versions of the applications that support sandboxing. For instance, most modern web browsers implement some form of sandbox protection. A sandboxed application is run in an isolated environment with very restricted access to the rest of your device and network.
https://www.ncsc.gov.uk/cyberessentials/advice
Cyber Essentials
5. Keep your devices and software up to date
No matter which phones, tablets, laptops or computers your
organisation is using, it’s important that the manufacturer still supports
the device with regular security updates and that you install those
updates as soon as they are released. This is true for both Operating
Systems and installed apps or software. Happily, doing so is quick, easy,
and free.
Also known as ‘Patching’: Manufacturers and developers release regular
updates which not only add new features, but also fix any security
vulnerabilities that have been discovered.
https://www.ncsc.gov.uk/cyberessentials/advice
Cyber Essentials
• Two levels of certification
• Cyber Essentials – Organisations assess themselves against five basic
security controls and a qualified assessor verifies the information
provided.
• Cyber Essentials Plus – A qualified assessor examines the same five
controls, testing that they work through a technical audit.
• Cyber Essentials readiness toolkit
• https://getreadyforcyberessentials.iasme.co.uk/questions/
What do you think are some of the pros/cons to Cyber Essentials?
https://www.ncsc.gov.uk/cyberessentials/overview
https://www.ncsc.gov.uk/information/cyber-essentials-faqs
outline
• Types of security controls
• Cyber Essentials (UK)
• NCSC 10 Steps to Cyber Security (UK)
• CIS Cyber Security Controls (US)
• NIST Cyber Security Framework (US)
NCSC 10 Steps to Cyber Security
This guidance is aimed at medium to large organisations that have someone dedicated to managing the organisation's cyber security.
https://www.ncsc.gov.uk/collection/10-steps
NCSC 10 Steps to Cyber Security
Risk management: Take a risk-based approach to securing your data and systems.
Engagement and training: Collaboratively build security that works for people in
your organisation.
Asset management: Know what data and systems you have and what business
need they support.
Architecture and configuration: Design, build, maintain and manage systems
securely.
Vulnerability management: Keep your systems protected throughout their
lifecycle.
https://www.ncsc.gov.uk/collection/10-steps
NCSC 10 Steps to Cyber Security
Identity and access management: Control who and what can access your systems
and data.
Data security: Protect data where it is vulnerable.
Logging and monitoring: Design your systems to be able to detect and
investigate incidents.
Incident management: Plan your response to cyber incidents in advance
Supply chain security: Collaborate with your suppliers and partners
https://www.ncsc.gov.uk/collection/10-steps
Cyber Essentials & NCSC 10 Steps
to Cyber Security
Where do these standards overlap? How do they differ?
If you were the head of security at the following organisations,
which of these standards would you aim to implement, and why?
outline
• Types of security controls
• Cyber Essentials (UK)
• NCSC 10 Steps to Cyber Security (UK)
• CIS Cyber Security Controls (US)
• NIST Cyber Security Framework (US)
CIS Cyber Security Controls
The CIS Controls are a prioritized set of Safeguards to mitigate the most prevalent
cyber-attacks against systems and networks. They are mapped to and referenced
by multiple legal, regulatory, and policy frameworks.
CIS Controls v8 has been enhanced to keep up with modern systems and
software. Movement to cloud-based computing, virtualization, mobility,
outsourcing, Work-from-Home, and changing attacker tactics prompted the
update and supports an enterprise's security as they move to both fully cloud and
hybrid environments.
https://www.cisecurity.org/controls/cis-controls-list/
CIS Cyber Security Controls
CIS Controls™ https://www.youtube.com/watch?v=CX4UE9zT69Y
Implementation Groups (IGs) are the recommended guidance to prioritise implementation
of the CIS Controls. In an effort to assist enterprises of every size, IGs are divided into three
groups.
Each IG identifies a set of Safeguards that they need to implement. There is a total of 153
Safeguards in CIS Controls v8.
Every enterprise should start with IG1. IG1 is defined as “basic cyber hygiene,” the
foundational set of cyber defence Safeguards that every enterprise should apply to guard
against the most common attacks.
IG2 builds upon IG1, and IG3 is comprised of all the Controls and Safeguards.
https://www.cisecurity.org/controls/implementation-groups/
outline
• Types of security controls
• Cyber Essentials (UK)
• NCSC 10 Steps to Cyber Security (UK)
• CIS Cyber Security Controls (US)
• NIST Cyber Security Framework (US)
NIST Cyber Security Framework
The Framework is guidance, based on existing standards, guidelines, and
practices for organizations to better manage and reduce cybersecurity risk.
In addition to helping organizations manage and reduce risks, it was
designed to foster risk and cybersecurity management communications
amongst both internal and external organizational stakeholders.
https://www.nist.gov/cyberframework/framework
summary
• Types of security controls
• Cyber Essentials (UK)
• NCSC 10 Steps to Cyber Security (UK)
• CIS Cyber Security Controls (US)
• NIST Cyber Security Framework (US)
Thanks for coming!
next time…
Legal, professional and ethical aspects in cyber
further reading
The following slides will be helpful in understanding the topics discussed. You are strongly advised to read them, and conduct your own independent research.
security control sets
• Cyber Essentials
 • https://www.ncsc.gov.uk/cyberessentials/overview
 • https://getreadyforcyberessentials.iasme.co.uk/
• 10 Steps to Cybersecurity
 • https://www.ncsc.gov.uk/collection/10-steps
• CIS CSC
 • https://www.cisecurity.org/controls/cis-controls-list/
• NIST CSF
 • https://www.nist.gov/cyberframework/framework
 • https://www.nist.gov/cyberframework/online-learning
© 2022/2023
Usable Security: The what, the why, and the how…
Jason R.C. Nurse
School of Computing
j.r.c.nurse@kent.ac.uk
jasonnurse.github.io
@jasonnurse
@drjasonnurse
but first…
• What did we cover in the last lecture?
• What are the main types of security control?
• Can you name some examples?
• How many years can you be imprisoned for unauthorised access to computer material?
outline
• What is Usable Security?
• Why is it important?
• How to do Usable Security:
• Guidelines
• Evaluation techniques
• But, it’s actually not this simple…
what is it?
• … A field concerned with making the security features of systems
easy to understand and use. (Nurse et al.)
• … Focuses on the design, evaluation, and implementation of
interactive secure systems. (Kainda et al.)
• … The study of interaction between humans and computers, or
human–computer interaction, specifically as it pertains to
information security. (Wikipedia)
https://en.wikipedia.org/wiki/Human%E2%80%93computer_interaction_%28security%29
Kainda, R., et al. (2010, February). Security and usability: Analysis and evaluation. In Availability, Reliability,
and Security, 2010. ARES'10 International Conference on (pp. 275-282). IEEE.
Nurse, J.R.C. et al. (2011, September). Guidelines for usable cybersecurity: Past and present. In Cyberspace
Safety and Security (CSS), 2011 Third International Workshop on (pp. 21-26). IEEE.
what are security features?
Do you remember them? Can you describe them?
what are usability features?
• Usability is a central concept to HCI, which considers how easy a
system is to use.
• 5 main components:
• Learnability: How easy is it for users to accomplish basic tasks the first time
they encounter the design?
• Efficiency: Once users have learned the design, how quickly can they
perform tasks?
• Memorability: When users return to the design after a period of not using
it, how easily can they re-establish proficiency?
• Errors: How many errors do users make, how severe are these errors, and
how easily can they recover?
• Satisfaction: How pleasant is it to use the design?
http://www.nngroup.com/articles/usability-101-introduction-to-usability/
why is usable security important?
https://pressupinc.com/blog/2014/04/write-passwords-never-reuse/
why is usable security important?
https://wiki.sei.cmu.edu/confluence/display/seccode/Top+10+Secure+Coding+Practices
why is usable security important?
“We conclude that PGP 5.0 is not usable enough to provide effective security for most computer users, despite its attractive graphical user interface, supporting our hypothesis that user interface design for effective security remains an open problem.”
the challenge of usable security
Can you think of any technology examples that do well in all
three, or at least Security & Usability? (2-3 mins)
summarising the main problems
• Security interfaces tend to be too confusing and clumsy
• Security is usually a secondary goal (and therefore users are unmotivated)
• Strain on users to remember several security settings, configurations and
passwords
• Task workload and increasing complexity of security systems and interfaces
• Abundance of technical terminology
• Forcing uninformed security decisions on users
Nurse, J.R.C. et al. (2011). Guidelines for usable cybersecurity: Past and present. In Cyberspace
Safety and Security (CSS), 2011 Third International Workshop on (pp. 21-26). IEEE.
outline
• What is Usable Security?
• Why is it important?
• How to do Usable Security:
• Guidelines
• Evaluation techniques
• But, it’s actually not this simple…
guidelines, or tips & tricks!
• Reduce mental load associated with cybersecurity system activities
• Make security state visible, and security functionality visible and accessible
• Give informative and useful feedback on security operations
• Design such that security does not reduce performance
• Give guidance on what tasks users need to perform and, where necessary,
provide recommendations and support
• Reduce the use of technical and security-specific terms and jargon
• Provide help, advice and documentation
Nurse, J.R.C. et al. (2011). Guidelines for usable cybersecurity: Past and present. In Cyberspace
Safety and Security (CSS), 2011 Third International Workshop on (pp. 21-26). IEEE.
example 1: passwords
Security says…
§ it is at least 8 characters in length,
§ contains at least three of the following four character groups: an uppercase letter (A-Z), a lowercase letter (a-z), a number (0-9), a non-alphanumeric character (e.g. !, $, #, %),
§ has not been used in your previous 24 passwords, and
§ does not contain your username or full name.
But Usable Security says…
Which of the guidelines above does this policy violate?
https://upload.wikimedia.org/wikipedia/commons/f/f1/Mediawiki_1.25_sign_in_form.png
example 1: passwords
Three random words or #thinkrandom (NCSC)
A good way to create a strong and memorable password is to use three
random words. Numbers and symbols can still be used if needed, for
example 3redhousemonkeys27!
Be creative and use words memorable to you, so that people can’t guess
your password. Your social media accounts can give away vital clues about
yourself, so don’t use words such as your child’s name or favourite sports
team, which are easy for people to guess.
Cyber criminals are very smart and know many of the simple substitutions
we use, such as ‘Pa55word!’, which uses symbols to replace letters.
https://www.ncsc.gov.uk/blog-post/three-random-words-or-thinkrandom-0
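The two slides above set a complexity policy against the NCSC’s three-random-words advice. The Python below is an added example, not code from the slides or from the NCSC: it encodes the quoted policy as a checker and adds a small normaliser for the ‘Pa55word!’ style of substitution. The stored-history digests, the common-word list and the sample username, full name and candidate passwords are all constructed for illustration.

```python
"""Added example: the password policy quoted on the slide, as a checker,
alongside a normaliser for the letter-for-symbol substitutions the NCSC
warns about. Constructed sample data throughout; not the slides' own code."""
import hashlib
import re

HISTORY_LIMIT = 24


def _digest(password: str) -> str:
    # SHA-256 only keeps the example self-contained. A real history check should
    # use the same slow, salted hash (bcrypt, scrypt, Argon2) as the live credential.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


PREVIOUS_PASSWORDS = ["Summer2021!", "Summer2022!"]          # constructed history
HISTORY = [_digest(p) for p in PREVIOUS_PASSWORDS][-HISTORY_LIMIT:]

CHARACTER_GROUPS = {
    "uppercase": re.compile(r"[A-Z]"),
    "lowercase": re.compile(r"[a-z]"),
    "digit": re.compile(r"[0-9]"),
    "symbol": re.compile(r"[^A-Za-z0-9]"),
}


def policy_failures(password: str, username: str, full_name: str,
                    history=HISTORY) -> list:
    """Return the rules of the quoted policy the candidate breaks (empty = accepted)."""
    failures = []
    if len(password) < 8:
        failures.append("shorter than 8 characters")
    groups_hit = [name for name, rx in CHARACTER_GROUPS.items() if rx.search(password)]
    if len(groups_hit) < 3:
        failures.append("fewer than three of the four character groups")
    if _digest(password) in history:
        failures.append("matches one of the previous %d passwords" % HISTORY_LIMIT)
    lowered = password.lower()
    blocked_terms = [username] + full_name.split()
    if any(term and term.lower() in lowered for term in blocked_terms):
        failures.append("contains the username or (part of) the full name")
    return failures


# Constructed stand-in for the base-word list a cracker would try first.
COMMON_WORDS = {"password", "qwerty", "letmein", "welcome", "monkey"}

_SUBSTITUTIONS = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                                "5": "s", "7": "t", "@": "a", "$": "s"})


def normalise_substitutions(password: str) -> str:
    """Undo the usual digit/symbol-for-letter swaps and drop what is left over,
    so 'Pa55word!' collapses back to 'password'."""
    swapped = password.translate(_SUBSTITUTIONS).lower()
    return "".join(c for c in swapped if c.isalpha())


def is_known_substitution(password: str) -> bool:
    return normalise_substitutions(password) in COMMON_WORDS


def assess(password: str, username: str = "jsmith",
           full_name: str = "Jane Smith") -> dict:
    """Policy verdict plus the attacker's view, for one candidate password."""
    return {
        "policy_failures": policy_failures(password, username, full_name),
        "known_substitution": is_known_substitution(password),
    }


if __name__ == "__main__":
    for candidate in ["Pa55word!", "redhousemonkeys", "3redhousemonkeys27!",
                      "Summer2022!", "JaneSmith99!"]:
        print("%-22s %s" % (candidate, assess(candidate)))
```

Run stand-alone it shows the tension the slides describe: ‘Pa55word!’ satisfies every rule of the policy yet normalises to a dictionary word, while ‘redhousemonkeys’ (three random words, 15 characters) is rejected for hitting only one character group, and the NCSC’s ‘3redhousemonkeys27!’ passes both checks.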
example 2: passwords
example 3: pins
https://www.techlicious.com/blog/pattern-lock-for-android-easy-to-guess/
https://www.computerworld.com/article/3041302/
security/4-new-ways-to-bypass-passcode-lockscreen-on-iphones-ipads-running-ios-9.html
https://www.flickr.com/photos/intelfreepress/17199034187
example 4: biometrics
Windows Hello
http://www.techradar.com/how-to/software/how-to-use-windows-hello-1301455
example 4: biometrics
Making Windows 10 More Personal With Windows Hello
https://www.youtube.com/watch?v=1AsoSnOmhvU
outline
• What is Usable Security?
• Why is it important?
• How to do Usable Security:
• Guidelines
• Evaluation techniques
• But, it’s actually not this simple…
evaluation technique: expert evaluation
• Usability experts inspect usability aspects of a system using their
knowledge and a range of usability rules and heuristics
• Examples:
• cognitive walkthrough – walk through every task and assess it
• heuristic evaluations – compare with set of guidelines
• Benefits: Use of experts, allows focus on high-priority usability
principles
• Drawbacks: Unlikely to discover unforeseen usability problems
Nurse, J.R.C. et al. (2011). Guidelines for usable cybersecurity: Past and present. In Cyberspace
Safety and Security (CSS), 2011 Third International Workshop on (pp. 21-26). IEEE.
evaluation technique: user-based evaluation
• A representative sample of users is recruited to take part in
experiments that test a cybersecurity system’s usability
• Examples:
• laboratory-based user testing, questionnaires, interviews, observing
users (one-way mirrors) and recording and assessing system use
• Benefits: Interaction with target group, supply rich sources of
data
• Drawbacks: Time consuming, expensive, need to find willing
participants
outline
• What is Usable Security?
• Why is it important?
• How to do Usable Security:
• Guidelines
• Evaluation techniques
• But, it’s actually not this simple…
graphical passwords – weaknesses
(via a study)
Study aim: Investigate the ability to predict graphical passwords i.e.,
where users would click.
Approach:
• Conducted online study with 150 participants
• Asked participants to select one of three images
• Asked them to create a password (using PassPoints, i.e., selecting 5 points in
sequence) using their image.
• Assessed where participants clicked for their passwords and whether this could
be predicted from the individual’s characteristics or any other factors, e.g.,
image saliency.
Devlin, M., Nurse, J.R.C., Hodges, D., Goldsmith, M., & Creese, S. (2015, August). Predicting graphical passwords. In International
Conference on Human Aspects of Information Security, Privacy, and Trust (pp. 23-35). Springer, Cham.
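The study above asks whether click points can be predicted. As an added illustration (not the study’s code or data), the Python below builds a constructed set of 150 five-point click passwords in which most clicks fall near a few salient spots, then measures what a hotspot-guessing attacker gains: the share of passwords recovered by trying only combinations of the k most popular grid cells per position, set against the full key space. The image size, grid, hotspot locations and the 80% hotspot rate are all assumptions.

```python
"""Added example: how predictable a set of click-point (PassPoints-style)
passwords is, measured on a coarse grid over the image. The click data is a
constructed sample, not the study's; grid and hotspot parameters are assumptions."""
import math
import random
from collections import Counter

IMAGE_W, IMAGE_H = 640, 480   # assumed image size
GRID_CELLS = 10               # 10x10 tolerance grid; a click is keyed by its cell
POINTS_PER_PASSWORD = 5       # as in the study: five points in sequence


def cell_of(x: int, y: int) -> tuple:
    """Map a pixel coordinate to its grid cell."""
    return (x * GRID_CELLS // IMAGE_W, y * GRID_CELLS // IMAGE_H)


def constructed_passwords(n_users: int = 150, hotspot_rate: float = 0.8,
                          seed: int = 1) -> list:
    """Constructed sample: each user picks five points; with probability
    hotspot_rate a point lands near one of five salient features (hotspots),
    otherwise anywhere on the image."""
    rng = random.Random(seed)
    hotspots = [(96, 72), (352, 264), (544, 120), (224, 408), (480, 360)]  # assumed
    passwords = []
    for _ in range(n_users):
        points = []
        for hx, hy in hotspots:
            if rng.random() < hotspot_rate:
                x, y = hx + rng.randint(-15, 15), hy + rng.randint(-15, 15)
            else:
                x, y = rng.randrange(IMAGE_W), rng.randrange(IMAGE_H)
            points.append(cell_of(x, y))
        passwords.append(points)
    return passwords


def cell_frequencies(passwords: list) -> list:
    """Counter of chosen cells at each of the five positions in the sequence."""
    per_position = [Counter() for _ in range(POINTS_PER_PASSWORD)]
    for points in passwords:
        for i, cell in enumerate(points):
            per_position[i][cell] += 1
    return per_position


def coverage_of_top_k(passwords: list, k: int) -> float:
    """Fraction of passwords recovered by a dictionary made of every combination
    of the k most popular cells per position (a hotspot guessing attack)."""
    top = [set(cell for cell, _ in freq.most_common(k))
           for freq in cell_frequencies(passwords)]
    hits = sum(all(cell in top[i] for i, cell in enumerate(points))
               for points in passwords)
    return hits / len(passwords)


def guess_space_bits(k: int) -> tuple:
    """log2 size of the top-k dictionary versus the full grid-based key space."""
    return (POINTS_PER_PASSWORD * math.log2(k),
            POINTS_PER_PASSWORD * math.log2(GRID_CELLS * GRID_CELLS))


if __name__ == "__main__":
    pws = constructed_passwords()
    for k in (1, 3, 10):
        dict_bits, full_bits = guess_space_bits(k)
        print("top-%-2d cells/position: %5.1f-bit dictionary (full space %4.1f bits) "
              "recovers %4.0f%% of passwords"
              % (k, dict_bits, full_bits, 100 * coverage_of_top_k(pws, k)))
```

With these parameters a single guess (one cell per position, a 0-bit dictionary) recovers in expectation about 0.8^5, roughly a third, of the constructed passwords against a nominal 33-bit key space. The figures are only as good as the synthetic data, but the method, counting cells per position and measuring top-k coverage, is how hotspot predictability is quantified against real click data.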
graphical passwords – weaknesses
Pick an image,
and choose 3 points
that you would click.
(1 min)
graphical passwords – weaknesses
biometrics – weaknesses
https://www.flickr.com/photos/intelfreepress/17199034187
biometrics – weaknesses
How to fake a fingerprint and break into a phone https://www.youtube.com/watch?v=tj2Ty7WkGqk
usable security
“User-centred design means understanding what your users need, how they think, and how they behave - and incorporating that understanding into every aspect of your process” (Jesse James Garrett)
Usable security applies all of the same principles, with a focus on security.
summary
• What is Usable Security?
• Why is it important?
• How to do Usable Security:
• Guidelines
• Evaluation techniques
• But, it’s actually not this simple…
Thanks for coming!
Legal, professional and ethical aspects: Responsibility in Cyber
Sarah Turner, PhD Student and Research Associate
Institute of Cyber Security for Society
Overview of today’s talk
• Law
• Ethics
• How this might affect you
slt41@kent.ac.uk
thepublicturner
Unless otherwise credited, pictures from unsplash.com or iconfinder.com
The law
What type of things do you think of
when you think about how cyber
security and the law interact?
The law
What types of things related to
cyber security do you think could –
technically – be considered
criminal offences under English
law?
The law
Computer Misuse Act 1990
• Unauthorised access to computer material
• Unauthorised access with intent to commit or facilitate commission of further offences
• Unauthorised modification of computer material
The law
Computer Misuse Act 1990
“…the CMA suffered a premature birth,
which left it weak and vulnerable when
the internet, as we know it, arrived…”
Macewan (2008)
Macewan, N.F. (2008). ‘The Computer Misuse Act 1990: lessons from its past and predictions for its future’. Criminal Law Review, 12, pp. 955-967.
Image from Geekwire.com
The law
Computer Misuse Act 1990
• Unauthorised access to computer material
• Unauthorised access with intent to commit or facilitate commission of further offences
• Unauthorised acts with intent to impair, or with recklessness as to impairing, operation of
computer
• Unauthorised acts causing, or creating risk of, serious damage
• Making, supplying, obtaining articles for use in the offences above
The law
Computer Misuse Act 1990
1) Unauthorised access to computer material
What does this mean?
Knowingly accessing a computer – or parts of a computer system – that you are not allowed to.
What’s the punishment?
Up to 2 years imprisonment.
The law
Computer Misuse Act 1990
2) Unauthorised access with intent to commit or facilitate commission of further offences
What does this mean?
You commit the section 1 offence (accessing a computer you’re not allowed to access) in order to (try to)
carry out another offence – e.g. theft, or blackmail using data on the computer.
What’s the punishment?
Up to 5 years imprisonment.
The law
Computer Misuse Act 1990
3) Unauthorised acts with intent to impair, or with recklessness as to impairing, operation of
computer
What does this mean?
Doing something, without authorisation, that you intend to impair a computer’s operation or hinder access to the programs or data on it, or being reckless as to whether it will
(the DDoS clause). The impairment doesn’t have to be permanent.
What’s the punishment?
Up to 10 years imprisonment.
The law
Computer Misuse Act 1990
3ZA) Unauthorised acts causing, or creating risk of, serious damage
What does this mean?
Computer misuse where the aim is to cause damage to – for example – critical national infrastructure,
and the maximum penalty from the prior section (3) isn’t enough.
What’s the punishment?
Up to 14 years imprisonment (life imprisonment where the act causes, or creates a significant risk of, serious damage to human welfare or to national security).
The law
Computer Misuse Act 1990
3A) Making, supplying, obtaining articles for use in the offences above
What does this mean?
Makes an offence of creating, selling, buying and using tools that can be used maliciously –
although it has to be proved that the individual was using/intending to use them maliciously.
What’s the punishment?
Up to 2 years imprisonment.
The law
In discussion with Jim Browning,
a scam baiter:
First presenter: “So why is it
illegal? I don't see why this
should be illegal?”
https://www.bbc.co.uk/programmes/p0b259nv
The law
Jim Browning: “...if I access somebody's
computer without their permission I'm
breaking a law - how far this goes because
don't forget the only way that I can access their
computers is if they tried to scam me and in fact
they have effectively illegally accessed my
computer to begin with - ...it's probably not
a defense against this...
I run that risk and I certainly wouldn't encourage
other people to do exactly what I do but I think
it's a balanced risk because I do enough to find
out who these guys are to expose their
techniques to help people.
Although that's not really a big defense I
think it's the only way that anyone can
actually at the moment get back at these
scammers.”
The law
Second interviewer: "... I guess there's a piece
of me that wonders could you be doing what
you're doing or something similar in a legal
way? Is there a structure that's part of a police
force, for example, that is looking at catching
these kinds of scammers?”
Jim Browning: “Yeah I've actually asked the
police exactly that question - why don't you
do what I have been doing? - I think it's
because of the laws here. Everybody is a little
bit nervous about [the fact that] as soon as you
access somebody's computer without their
permission then you can get yourself in
trouble and I guess the police can't be seen to
be doing that either. For me what should be
changing is the law around that.”
The law
The difficulty of dual use
• Tor "used to access the dark web"
• Virtual Machines "hide operating systems –
like Kali Linux"
• Kali Linux "often used for hacking"
• Wifi Pineapple "used to capture sensitive
data"
• Discord "often used to share hacking tips"
• Metasploit "makes hacking simple"
https://twitter.com/G_IW/status/1227700420178567170
The law
Computer Misuse Act 1990
Will we see change?
https://www.cyberupcampaign.com/news/new-research-legitimate-cyber-security-activities-in-the-21st-century
The law
It’s not just CMA 1990…
• Interception of communications in
the course of transmission – s3(1)
of the Investigatory Powers Act
2016
• Data Protection Act 2018, ss 170-173
• Disclosing personal data
without consent
• Procuring personal data
without consent
• Selling personal data without
consent
The law
Not all cyber crimes are just about computers
https://www.gov.uk/government/publications/national-cyber-strategy-2022/national-cyber-security-strategy-2022
The law
Cyber enabled crime
• Economic
• Fraud
• IP theft (piracy, counterfeiting, forgery)
• Illegal items being sold online
• Malicious and offensive comms
• Offences that specifically target individuals
• Revenge porn
• Cyber stalking, harassment
• Coercion, control
• Child sexual offences
• Extreme pornography, obscene publications, prohibited images
https://www.gov.uk/government/publications/national-cyber-strategy-2022/national-cyber-security-strategy-2022
The law
• 24 CMA offences
• Voyeurism
• Possessing indecent
images of children
• Making indecent images
of children
• Possessing extreme
pornographic images
• 26 months in
prison...various other
restraining orders etc
The law
• Remembering a friend’s login details to use their computer without their knowledge, reading their messages.
• Using a tool to knock a friend offline, to stop them winning the online game you are playing together.
• Using a friend’s unlocked tablet to access their gaming account and buy credits with the attached credit card.
• Hacking into a police network, resulting in delays to answering emergency calls – even though you didn’t intend this.
• Downloading a tool to bypass login credentials – although you haven’t used it yet...
https://www.nationalcrimeagency.gov.uk/who-we-are/publications/523-cyber-choices-hacking-it-legal-computer-misuse-act-1990/file
The law
What was the most commonly noted route into cyber crime in the National Crime Agency’s “Pathways into Cyber Crime” Intelligence Assessment [1]?
[1] https://www.nationalcrimeagency.gov.uk/who-we-are/publications/6-pathways-into-cyber-crime-1/file
The law
Pathways into Cyber Crime (2017, based on research
between 2013-2017)
Primary gateway: online gaming forums (cheat websites,
modding forums)
Sense of community – wanting to learn and impress their
peers (and themselves): not necessarily a financial
motive at all
“Cyber crime is not solitary and anti-social…forum
interaction and building of reputation scores drives
young cyber criminals”
The law
https://www.wired.com/story/confessions-marcus-hutchins-hacker-who-saved-the-internet/
Today’s Talk
• Law
• Ethics
• How this might affect you
Ethics
Tech and ethics is one of the most prevalent –
and tiring – problems of our time…
https://twitter.com/pinkhairedcyn/status/1489062927785205760
https://www.bbc.com/worklife/article/20230127-how-worker-surveillance-is-backfiring-on-employers
https://www.technologyreview.com/2023/01/26/1067317/podcast-roomba-irobot-robot-vacuums-artificial-intelligence-training-dataprivacy-consent-agreement-misled/
Ethics washing
Image from https://twitter.com/alistairkyte/status/1199044721001271297 / HBO “Silicon Valley” (2019)
Can corporations really ethics wash?
https://www.theverge.com/2021/4/13/22370158/google-ai-ethics-timnit-gebru-margaretmitchell-firing-reputation
https://www.businessinsider.com/twitter-trust-and-safety-council-member-dissolving-it-wasdangerous-2022-12?r=US&IR=T
So…what?
So, this is all well and good, but –
what does this mean for you?
So…what?
https://www.wired.co.uk/article/internet-of-things-smart-home-domestic-abuse
https://nypost.com/2019/12/12/creep-hacks-familys-ring-camera-tells-tennessee-girl-hes-santa-claus/
https://themarkup.org/privacy/2021/12/06/the-popular-family-safety-app-life360-is-selling-precise-location-data-on-its-tens-of-millions-of-user
https://www.theguardian.com/technology/2022/jan/20/apple-airtags-stalking-complaints-technology
So…what?
https://techmonitor.ai/technology/cybersecurity/rise-and-rise-of-bug-bounty-hunting
So…what?
Product Security and Telecommunications
Infrastructure Act 2022
Requires:
Manufacturers to receive and act on vulnerability
disclosures (section 10)
Authorised Representatives, Importers, Distributors
to limit sales or take other action in the case of knowing
about a manufacturer's failure to comply (e.g. with
updating on the back of vulnerability disclosures)
(sections 13, 16-20, 23-25)
Walking a tightrope…
https://youtu.be/gj4Ie_ausZ4
Walking a tightrope…
https://www.theregister.com/2021/02/12/footfallcam_twitter_kerfuffle/
https://arstechnica.com/tech-policy/2022/02/missouri-governors-wild-claims-about-journalist-debunked-in-police-report/
So…what?
https://www.sans.org/blog/ethical-phishing-the-slippery-slope-with-employee-deception/
So…what?
https://www.nytimes.com/2021/05/13/world/europe/phishing-test-covid-bonus.html
So…what?
https://twitter.com/ZetaZetan/status/1616628998314000384
What do you think about…
A researcher, intending to test the strength of an open-source
community’s reviewing protocol, commits changes that fix some issues
– but introduce other serious bugs – just to see if they get caught during
the review process. They do not get approval from anyone in the
community (or the university’s ethics committee) to do this.
• Is this ethical?
• Who does this hurt?
What do you think about…
• Is this ethical?
  • Is this white hat hacking?
  • What about the Hawthorne effect?
  • They pulled their commits before they made it too far... and no damage to the system
• Who does this hurt?
  • They wasted the time of the people checking their commits, who assumed they were acting in good faith
  • "Nobody hired this group..."
  • Is it human experimentation?
https://www.theverge.com/2021/4/30/22410164/linux-kernel-university-of-minnesotabanned-open-source
What do you think about…
A student realises that some incorrectly flagged settings on Moodle
mean that they can access the sample answers for all their upcoming
assessments. They tell their closest 50 friends. They do not flag it to
the course convenor.
• Is this ethical?
• Who does this hurt?
Thank you.