All right, how many of you are Wednesday people that I haven't seen before? Oh, pretty good. How many of you are Monday people that didn't go to Monday's class? Pretty good. All right, cool. There's plenty of space, like I said, Wednesday people. Well, I guess just incredibly briefly, briefly. Hey, there we go. The syllabus is here; all the information is on the syllabus. I already covered this on Monday, so I'm not going to cover this again for you. If you did not watch the video yet, you may be confused about that, but watch the video. We do not use Canvas in this course. I already covered all of this, and then there is this handy-dandy... what? Yeah, there we go, the recorded lecture. So all the lectures are recorded and posted online. So go watch this video of Monday's class to get what you missed if you did not watch that already, and that will be the cadence going forward. Cool.

And now we're going to learn. So we didn't get super far on Monday. Monday was just talking about the syllabus and the course structure, and then we went over security. So I guess I will rewind very briefly, even though I said I wouldn't, but that's okay. So you're here taking a security course. What is security? Confidentiality. What does confidentiality mean? Yeah, keeping things secret or safe, keeping information safe. All right, let's, uh, we can skip to here because we already covered this. Great. Okay, so I want some examples. What are things that you want to be confidential? Passwords. Why? Yeah, for instance, if you had my MyASU password, what could you do with that information? You'd give yourself an A. You wouldn't give anyone else an A? Wow, better hope he never gets the password. What else could you do?
Yeah, you can impersonate me. You could send an email saying that the class is canceled, that the rest of the semester is cancelled. Although that could get you noticed: I may see the email saying class is cancelled, think that's kind of cool, and then not show up. Yeah, okay. What are the things that you think should be kept confidential? Yeah. Your search history. Not you in particular, but anybody's search history, right? That is the thing that maybe you don't want people to know or to see about what you're searching. Yeah. Your credit card number. Why the credit card number? Yeah, because they can take your money, although I guess it's technically the bank's money until you've paid the credit card company. So why is this thing not following me? Yo, sorry, I'm talking to the robot. Okay, great, credit card numbers. What else? Yeah. Social Security number. Why is the Social Security number important? Loans, yes. People can take out loans in your name. Is that something that you want? Do you want to be liable for a loan that somebody else takes out in your name? No. Awesome. Cool. So confidentiality: keeping things secret. CIA, does that help you remember these?

Integrity. What are some things that you would like the integrity of to be preserved? Transactions. Transactions, so that you can see what you purchased, so that something magical doesn't appear there that you did or did not purchase. The search history and the purchases: very important to people's privacy, random students that I don't know. What else? Yeah. Yeah, so places where you store passwords. So what would happen if somebody could go in and modify that stuff? Yeah, so depending on how it's done, right? So if they hacked into Google, maybe rather than leaking my password, they could just change it to something new. Then that would be bad for me. That's great.
Yeah, personal information. Like your personal information, like what? Like your name? Right, because they could also go in and change that, or they could use that to their advantage too. Yeah, what movie? I think it was Sneakers. Has anybody seen the movie Sneakers? It's like an older hacking-style movie. Is that the one where they go in and basically delete the guy, like cancel all his credit cards, delete his bank account, make it so that he doesn't exist, basically? And so, yeah, that could be a major pain. So that could be integrity. That's also an attack on availability, though, right? So that would also be the fact of not being able to access something. Why is not being able to access something important? Or why is that something that is important, thinking about it from a defensive, from a security perspective? Yeah, that's a great point.

So there's actually a class of malware, I was just talking to somebody before class, called ransomware. So it gets on your computer somehow. You download it; you think you're getting a game and now you're not, and then all of a sudden it encrypts every single file on your computer. So all your documents, all your pictures, everything is encrypted, and then a pop-up appears. It says, hey, I have all your documents. If you'd like these back, please pay me half a bitcoin, a quarter of a bitcoin, I don't know what the going rate is for these things, but pay me some bitcoins and then we'll unlock your thing. Right. So that's literally taking away your resources, your access to things, right? Usually for a person like you they wouldn't mess with confidentiality. They don't actually care about reading that data or altering it. What they care about is restricting your access to it. For companies, they actually ransom them and say, hey, we're going to leak this data to the public unless you pay. It's not just about getting access to the company. Oftentimes companies do have backups, so they can hopefully recover from these instances. Cool.
So these are the things. So going forward, when we talk about different aspects of security here, I want you to be thinking in these terms, the CIA terms: confidentiality, integrity, availability. Right, so when we talk about different types of threats to a system: which one does this fall under? Cool. We're going to go right into threats. Okay, so specifically... I need to go check something real quick. Cool. Okay, there we go. I want to make sure I was going in the right place.

Okay, so with threats, the way to think about a threat is thinking about what things could happen. Right. So part of what we think about when securing a system, right, is we want to think about what are the attacks and threats that could happen there. So let's talk about, I don't know, a random thing: your phone. What are some threats that you could face, security threats, with your phone? So I'm looking for a threat and which one of the CIA that falls under. The gas station card readers. Why are those a threat? Because they can steal your credit card. So the broad term for this is credit card skimming. So they have little devices that they can put over the credit card reader, so when you put your credit card in and pull it out, the gas pump reads your credit card and also the skimmer reads your credit card. Which of the three, CIA, is that an attack against? Integrity? Are they changing the numbers of your credit card? Yeah, it's kind of weird, because they're going to use that to make charges, but normally that'd be like a confidentiality thing, right? You want your credit card number to be secret and it's getting leaked through this. Yeah, that's great. What else? Yeah, yeah, so, uh, can you talk more about that? I don't actually remember the specific instance. Is this a recent thing? Or... yeah, that actually probably has deeper implications, but I think, yeah, you're right, at the time there was a bug in iPhones, right?
Yeah, so that when you got sent a text message and it had certain characters, that would trigger a bug which would cause your phone to crash. And then if you have, I guess, a really annoying friend who kept sending you that message over and over again, or not a friend. What part of the CIA is that an attack against, or a threat against? Availability, yeah, because you can't use it. And depending on what that bug actually allows you to do, it could allow an attacker integrity or confidentiality breaks, depending on whether that allows control over your phone, using stuff we'll talk about later. Kind of depends on the specifics there. What else with the phone? Yeah. Peer-to-peer sharing? What about it? Yeah, so I think there's several threats there. So actually that could be a nice integrity threat. So if you have AirDrop enabled by default, which you definitely should not, it means anybody can AirDrop and try to send you files. And if you're not careful about what you accept or don't accept, that could be somebody putting documents, maybe planting documents, on your phone that later they will use to blackmail you or do something like that, even though those were never your documents in the first place.

Um, what about, uh, I don't know, do you have anything? If somebody were to steal the PIN of your phone, would that be useful? What kind of a threat? Yeah, what do they have against that kind of threat, like a defense there? Is it biometrics? Biometrics, yeah. So they have some facial recognition stuff; some of them have fingerprint readers. Yeah, so two-factor. Do you guys have that enabled for MyASU? Good, good, good. We'll talk about why that's so good later.
You don't have to agree now. But yeah, so two-factor authentication. So then even if they have your PIN or your passcode or something... This actually does protect me. If our friend over there wanted to, and actually stole my MyASU password, they couldn't actually access the website without the second factor of me clicking okay on that Duo prompt. So they need to steal my phone and steal my password, right? So that increases the difficulty there. Cool.

Okay, so when we think about threats, these are just ways to think about threats. Really, they all come down to the CIA triad. Oh, great. Sorry, I'm aware: integrity, NFC, integrity. Uh, cool. Sorry, I didn't see that. I gotta get better about reading this chat. This Twitch thing is so fun. I wonder, can I watch myself on this video? Figure out how to access the comments of the video that I just made disappear. The answer is yes. Oh, there we go, hit the right button. Okay, assuming it does nothing... why does nobody like the web? Okay, that's required for MyASU. Thank you.

Okay, so threats. So these are some categories, and really we're gonna go through a threat modeling exercise where we talk about threats to a system. Um, but you can kind of group that into categories. So you can think about disclosure threats. So that would be like your PIN number, right, accidental disclosure. How can somebody get the PIN to your phone? You can tell them. What else? They could watch you do it. I think you said, yeah, what else? Yeah. Yeah, there's stuff like, they've done some research that, you know, your phone has a gyroscope, right? Like, that reports the orientation. They can track... oftentimes they can guess your PIN or something by the shake that it makes as you're typing that in. Yeah, key logger, key logger. So they can install software on there that is keeping track of it. Like if you use this machine right here, that could have a key logger. That could literally be a software thing.
It could be a hardware thing: a physical device where the keyboard comes out and then plugs into the system here. Yeah, screen recording. They could record my screen while I do it. You could be, yeah... Oh, sorry. Yeah, so it could be your friends. That's called shoulder surfing, when they're looking over your shoulder while you're typing in your PIN code. They could be filming you nearby or later. You could just be typing in your thing. These are all disclosure-style things where you can accidentally disclose that information.

Um, deception would be threats that are trying to deceive somebody. So that would be if somebody else came into the room and pretended to be me, like one of you. I guess that'd actually be kind of funny, but, um, like if you did that, you're deceiving either some system... This would be like impersonating somebody online. Yep. Does every single deception threat fall under social engineering, or some of them not quite? Uh, not quite. I would say social engineering usually has a human component, and these could be technical measures too. You could trick a system into thinking that you're a trusted system. We'll talk about IP address spoofing: if there's a trust relationship between two IPs and I pretend to be that trusted IP, I'm deceiving the system. Uh, yeah, uh, disruptions is what we kind of don't get... Yeah, trying a bunch of passwords. That wouldn't necessarily fit into these threats, but that's a thing to consider. Yeah, so we'll talk about that a little bit more, but that's like social engineering, right? You're trying to trick a human into doing something on your behalf. Uh, people are very, very good at this. Uh, disruption.
So this would be, uh, kind of like denial of service. Other types of attacks that we talked about fall under here. Uh, and, uh, you could also get more privileges than you have access to. But anyways, so these are common threats that appear multiple times in different contexts. So it's very important to remember these, because when we talk about threat modeling a system, we want to be able to think through these types of threats.

So, for instance, snooping or wiretapping. Where does the term wiretapping come from? Anyone? No? Yeah, so there's literally a physical wire going from your house to all the neighbors' houses, and then there'd be a central wire. So they'd get on a telephone pole, figure out which wire was the house they wanted to listen to, and they would, yeah, physically tap into there to listen to a phone call. So it comes from the phone-call tapping days. There's all kinds of crazy... wiretapping as a term is very broad, and it's basically like snooping in or listening in on a conversation that you do not originally have access to.

Um, modifications or alterations: very common threats, where you're trying to manipulate data or modify data. The term for this is like a man-in-the-middle attack, which we'll talk about in terms of network security. Basically you can think of an adversary between your connections, altering and changing things. It'd be like if I told the TA to tell the class something and they changed what I was going to say along the way. Or I asked one of you to do that, which seems more likely than, I guess, one of the TAs altering the message.

We talked about this: masquerading or spoofing. So pretending to be something else or pretending to be from somewhere else. Um, this is like a similar name there. Now, this isn't always a problem.
And this is actually something we're going to get to in a bit, but context is always incredibly important to security. Uh, does anybody know what the term delegation means in, like, I don't know, a businessy context? Or, like, if you get an email from me, does that mean it comes from me? Yeah. Why? Yeah, so has anyone ever gotten an email from Michael Crow? Do you think he sent that email to you personally, like he wrote it, sat there, was like, I'm gonna send it, hit the send button? But it comes from his email address, right? So that's... it's not somebody masquerading or spoofing as Michael Crow, but email systems actually have built-in delegation capabilities. So you can say this person in the organization can email on my behalf. That's how that stuff is done technically. But again, who can send emails as whom is not just precise terminology; it depends a lot on context.

So, repudiation. This is a term that is super interesting. Um, basically, I think of it as deniability also in here. So for instance, uh, if you were... I'm just gonna say trading stocks, but I guess we can say something more fun, like trading bitcoins, and you went to buy, like, 100 bitcoins from Coinbase, let's say, and then they dropped in price, and then you call Coinbase and you're like, what the heck, I never made that order. I'm not the one who made that. That must have been somebody else. That's not my responsibility, right? So you're able to repudiate the fact that you actually did this action. Is that good for Coinbase? No, because you'd just do that whenever it went down; if it went up you'd be like, yeah, those were my bitcoins, that's great. Yeah. Is this like when someone says, like, my account was hacked?
Yeah, so that's a great thing. This is, I think, a thing that you've probably seen, when they claim that their account was hacked in order to give themselves deniability that they did something. So the flip side of this: we'll look later at some crypto things where you can actually guarantee that you said something, or that the somebody that's holding some digital key is the person that said something. Yeah, you can also claim that your kid did it. Yeah, that's very good. That's, uh, these are all good. How do you all know this so well? Is that because you see people using it, or you use it yourselves? I guess we'll never know.

Uh, another way: denial of receipt. So, like the Coinbase order, right? So let's say now, flipping it around, you are honest, Coinbase is not. You go to Coinbase and say I want a hundred bitcoins. They make that order secretly for that price. They wait 30 seconds; if the price goes up, they tell you, sorry, we never got your order, and they turn around and sell those on the market, and that way they recoup that price increase. Right, because you don't have a way to prove that they got it. So this is kind of a similar thing. Uh, a threat would be saying, like, hey, I never received that. So there's crypto and other things that you can use to actually prove that somebody did receive something.

Uh, and a classic one. So we talked about this a little bit. We definitely talked about denial of service. Denial of service as a category, like taking something down by throwing a bunch of data at it. But there's actually more basic things like delay. Actually, I guess this also comes up in the stock thing, like delaying an action, and that can cause problems. Cool.

Okay. So, why we're here is kind of the thing about, uh... so I guess why are we talking about all these attacks? Am I going to turn you all into little attack machines? Hopefully, kind of, but why?
You can be ethical hackers, but why does the ethical hat work for us? Yeah. It's before, yeah, so they can find problems before their release. I like to think of it in, uh, if you're a sports person, I think sports terms really help: you need to know offense in order to do defense, right? If you're trying to defend something and you don't know what an attacker is capable of, you won't even conceive of possible threats that an attacker could do. Right. So this is why it's really important to learn both sides of that. To be an effective defender, you must know about threats. Yeah, thanks. So somebody just wrote that in the chat. That was great.

And so there's a couple main ways that we think about defending against threats, and we'll go into more details here, but, uh, it turns out there's two main things that we use. And we'll actually, I guess, talk about it a little bit in the context of what we already talked about, like two-factor authentication. So one is security policies. This is basically how should a system be used, right? Somebody has to decide some of those things. Has anyone read the ASU acceptable computer use policy? It's not a test, you can say no. But some of you did. Yeah, it talks about what things you can do on the computer, right? That way... does it prevent... So I think it's like, I don't know, do you actually remember what it says? Yeah, it's like no copyright infringement, no, like, Bitcoin or BitTorrent client. I bet there may be cryptocurrency mining stuff on there. Does that document itself stop you from doing any of those things on ASU computers? Why not? What was it? It's just a document, and none of you read it either. So how can I possibly stop you from doing something, right? Yeah, so that is a document. It's a piece of paper that specifies what should be done. That way, if you violate it, ASU has a recourse against you and can say, guess what, you can now, I don't know...
...not use the computers, or whatever that thing says you can't do. Now, a similar thing: passwords, or sorry, we talked about ASU passwords and two-factor authentication. So what's the policy there? Is there a policy? You're required to have it. You're required to have it. That is the policy, right? So the policy is: to have a MyASU account, you have to have two-factor. That is a policy. Does that do anything by itself? No, it doesn't do anything. It's just a policy. It's just a piece of paper, just like an acceptable use policy. But, and this is why you need a security mechanism, right? The policy doesn't say you have to implement Duo and it has to be like this and you have to give students a way to sign up, right? The mechanism is how that is enforced.

Another analogy I like to use would be your house. So does anybody lock their door when they leave their house? Yeah, why? Yeah, so I think I see where you're going. So the policy would be, above my door, don't enter my house, but the mechanism is it's locked, so since you tried, you failed. I would put it slightly differently, but yes, it's like you have an implicit policy that says, hey, when you leave the house you should lock it. And maybe my parents were crazy about that, so they were always yelling at me anytime you left the house and didn't lock it. Right, that was the house policy: when you leave the house, you lock the door. That is the policy. The mechanism is actually locking the door, right? The lock enforces that policy that unauthorized people can't come in. Yeah. That's interesting. I would say it's not just to stop... good. Yeah, the policy specifies what should be done and the mechanism makes sure that it is that way. So, yeah, policy?
That's a good point, because policy can be... uh, I'm trying to think of what I can say. I have a great example, but it involves something that I don't know if I want to record, but yeah, the policy also constrains, like, yeah, employees, what they should do. Like, you can have a company policy that says, hey, we can't transfer any money outside of the account unless it's approved by the head of finance and one other person. So that'd be like a two-person thing. Um, that is great and would probably prevent the threat of somebody impersonating the CEO and calling the treasurer and saying, like, I need this money done now, transfer this, which actually happens all the time. That would prevent that, but a mechanism that requires two people to click in the system would probably prevent it further. Yeah, so that's an interesting way of phrasing it. Yeah, somebody online locks their doors so that the cats don't get out. That's a great thing. Yeah, that's like, uh... cool.

Okay, so now we're gonna go through this as a group until, let's say, 2:45. I'll remember that. So, okay, so like 15-ish minutes. This is like a fun example, an exercise. We're going to defend the house. We want to defend the house. So the key things we need to first think about: we're gonna go through and discuss as a group threats, policies, and mechanisms. Which should we do first before we get started? Yeah. Policies. Yeah, so we may want to do policies first and then... or sorry, threats first, so that we can understand what's out there. And then do we create a policy and a mechanism for every threat? Yeah. What was that? Ideally. Do you live in an ideal world? Is this where you want to be? So, for instance, that is a threat, right, to the what of the CIA of our house? Availability, depending on who's in... integrity and availability of the house, right? And so should we defend against missiles?
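The two-person transfer rule from the lecture, as an added example that is not part of the original transcript: the policy is written down as data and stops nothing by itself; the authorize_transfer function is the mechanism that enforces it, so a single caller claiming to be the CEO cannot move money. The staff names, roles and account identifiers are made up for the example.

```python
"""Policy vs. mechanism: a two-person approval rule for outbound transfers.

The *policy* (the document) says: no money leaves the account unless the
head of finance and one other person approve.  The *mechanism* below is the
code that refuses to release a transfer unless the recorded approvals
satisfy that rule.  Everything here (names, roles, accounts) is constructed
for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass(frozen=True)
class Policy:
    """The written rule, expressed as data.  On its own it enforces nothing."""
    required_role: str = "head_of_finance"      # one approver must hold this role
    min_approvers: int = 2                       # distinct people who must approve
    internal_accounts: frozenset = frozenset({"ops-main", "payroll"})  # in scope: anything else


@dataclass
class TransferRequest:
    requester: str                               # who asked (an impostor can claim anything)
    destination: str                             # account the money would go to
    amount: int
    approvals: list = field(default_factory=list)  # authenticated user names that clicked "approve"


# Constructed staff directory: the authoritative record of who holds which role.
DIRECTORY = {
    "alice": "head_of_finance",
    "bob": "treasurer",
    "carol": "ceo",
    "dave": "engineer",
}


def authorize_transfer(req: TransferRequest, policy: Policy = Policy()) -> tuple[bool, str]:
    """The mechanism: return (allowed, reason) for a transfer request.

    Enforces the policy object rather than trusting what the requester says
    about who approved.  A phone call or email asserting "the CEO said so"
    never reaches this function as an approval; only recorded clicks do.
    """
    # Transfers that stay inside the organization are outside the rule's scope.
    if req.destination in policy.internal_accounts:
        return True, "internal transfer, two-person rule does not apply"

    # Only approvals from people the directory knows count; duplicates collapse
    # because a set is used, so one person clicking twice is still one person.
    valid = {user for user in req.approvals if user in DIRECTORY}

    # Nobody approves their own request.
    valid.discard(req.requester)

    if len(valid) < policy.min_approvers:
        return False, f"need {policy.min_approvers} distinct approvers, have {len(valid)}"
    if not any(DIRECTORY[user] == policy.required_role for user in valid):
        return False, f"no approval from {policy.required_role}"
    return True, "approved by " + ", ".join(sorted(valid))


def demo() -> dict[str, tuple[bool, str]]:
    """Run the scenarios from the lecture against the mechanism."""
    ceo_impersonation = TransferRequest("carol", "vendor-xyz", 50_000, ["bob"])
    one_person_twice = TransferRequest("carol", "vendor-xyz", 50_000, ["alice", "alice"])
    self_approval = TransferRequest("alice", "vendor-xyz", 50_000, ["alice", "bob"])
    two_person_ok = TransferRequest("carol", "vendor-xyz", 50_000, ["alice", "bob"])
    return {
        "ceo_impersonation": authorize_transfer(ceo_impersonation),
        "one_person_twice": authorize_transfer(one_person_twice),
        "self_approval": authorize_transfer(self_approval),
        "two_person_ok": authorize_transfer(two_person_ok),
    }


if __name__ == "__main__":
    for name, (allowed, reason) in demo().items():
        print(f"{name:18} -> {'ALLOW' if allowed else 'DENY '}  ({reason})")
```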
Ideally. Yeah. So, yeah, so there's a step zero that we didn't even talk about, right? So I was tricking you about which of the three, threats, policies, or mechanisms, to do first, because what house are we talking about? Does it matter? Right, is it the White House? Is it your house? Is it my house? Is it Bill Gates' house? Right, all of those may have different budgets, like we talked about, that may impact the policies and mechanisms we put in place. It could also impact, maybe not the threat specifically, but part of what we also will consider, especially when talking about what policies or mechanisms we put in place, is how likely do we think those threats are, right? So the threat is like... is... could somebody be worried? Well, all right. Anyways, okay, so let's say it's a... so what kind of house do you want to defend? A house on top of a hill by itself, like a normal house. Yeah. So I would say a blueprint would be helpful, but why? Why does it... so it's scalable, that you can defend many houses? So maybe we could apply... that's interesting. So we're going to apply threats to different houses. Yeah. We can maybe see where the weak points are, like windows. Are there any windows in this house? Will that impact your threats? Yeah. Yeah, so what kind of mechanisms we implement may be dictated by the physical space that we're in. Okay.

So, fun part. What are some threats that we should now... the way I like to approach this is, when thinking through the threats, we can think through all kinds of threats. The point is to think about all types of things that attackers could do, and then later we talk about the policies and mechanisms. So what are some threats to this house on a hill? Ballistic missile, great. What else? Yeah. Burglary, right, somebody breaking into the house and doing what? Stealing our things in there. Yeah. Wait, but what's the threat, right? So the threat is vehicles outside. Why?
Ah, okay, so the vehicles outside, we may be interested in that. So maybe we could have a garage that we could park the cars in. Yeah. Squatters. Maybe it's a house we're not in all the time. We may be interested in other people coming in and not stealing our stuff but just living in our space. Yeah, so that's still under burglary, right? Is there anything separate there? Maybe. Yeah. Mudslides. We may be interested in mudslides, the threat of a mudslide, particularly if we're on the top of a giant hill. Yeah, red shirt, or checkered shirt, sorry. Arson. We may be worried about the building being on fire, or somebody deliberately setting it. Vandalism: people, uh, spray-painting our house or doing anything to our house. Yeah. What was that? Oh, that sounds very threatening, but is there a specific threat in there? Okay, so yeah, uh, let's phrase that slightly differently: a previously authorized user of the house is then unauthorized, and we definitely don't want them in the house for a variety of reasons, right? Uh, yeah. Weather damage. Yeah, so like damage to the house: hurricanes, uh, lightning, uh, like, I don't know, all kinds of stuff. Yeah, back here. Yeah, so like break-ins, so that falls under burglary, but we can think of different egress ways that we should consider. This actually goes back to the other good point about somebody dressing up as a contractor or something to get access to the house. It's still under the threat of burglary, or stealing, or unauthorized access maybe even, but the different avenues we may need to think through, especially if we have a policy that says, hey, only, uh, I don't know, only somebody I give the key to can access the house, but if that's also a contractor, that would be in there. Yeah. Was that stalking? Stalking, yeah, stalkers in our house. Maybe we need a mechanism for that. Maybe super wide.
We're on top of the hill, but our gate is like the entire place around the hill, and then we have security cameras everywhere so that only we can approach it. Yeah. Yeah. A cat being a threat? I think the cat people would probably disagree with you, but yeah, like, or the dog. It didn't get the dog people as well. Yeah, that could be a threat of like... yeah, I don't know. I think you can use your imagination. Yeah. Say a lot of... yeah, yeah, yeah, okay, so... Man, you sound like an actual homeowner. Like, house stuff. Uh, yeah, like stuff failing, like the electricity, and talk about fire. Maybe the electricity is old, that was put in in the 50s. Uh, so you want to think about that? Yeah. Vandalism, great. In the very back. Ah, yeah, somebody can get access onto your network. We didn't even talk about any security stuff, right, or cyber stuff. We were talking about, like, home access and everything. Yeah. Bugs and pests. Yeah, anybody have that? That's freaking terrible. Termites can cause physical damage, like all kinds of stuff. Cool. Yeah. Yeah, smart appliances in the home. Uh, have you heard those stories of people hacking into baby monitors and then talking to babies while they're sleeping? That's really freaking weird.

Nobody said my favorite one yet. I think you guys are not creative enough. I don't want to challenge you on that; I think you're very creative. What about, are you worried about aliens coming and either Independence Day style blowing the house away or abducting you? Maybe the first person, maybe it's an opportunity, not a problem. But why not? Why didn't you say that one? Why'd you say all the other ones? Yeah. Yeah. Yeah, because that's the thing to think about with all of these threats, right? As we move through the threat modeling process, you want to brainstorm a lot of different threats, and then you want to think about how likely those threats are. Should we spend a ton of money defending against aliens? How are you going to do that exactly?
Well, what if they're invading your house specifically? That's... it's bad luck. It's very bad luck. But that's a... I guess that's an interesting, like, collective defense argument. Yeah, maybe, I don't know, we talk about money, but, like, I guess tinfoil is not super expensive. Maybe that's why people wear tinfoil hats. It's cheap. That's what you say publicly, but yeah, but maybe there's some elements that only your house has, and like, in the whole universe... Yeah, oh, have a decoy house. That's great, on the Twitch. And then somebody said, how many decoys can we afford? Great questions, right?

So let's focus on one threat right now for a second, and let's talk about the threat of burglary, right? So somebody wants to come into our house who's not authorized. They want to steal our stuff, take our stuff and take it out of the house. So what are some policies we can put in place? So, hey, I guess the first question: should we be concerned about burglary? Why? Why not? Because it's expensive. All this stuff costs money. You know how much locks cost; you can get locks, you can get a security system. Like, if this is going to cost you a thousand dollars a month and you have fifty dollars in your home, is that smart? Probably not, right? These are all trade-offs of how much to invest. We talked about a decoy house, but who has money for a decoy house? So anyway, so thinking about... so we have burglary, right? So what are some policies we can put in place? Yeah, okay, security by obscurity, in what sense, in the burglary context? Say it again. Oh, a lock. Uh, I wouldn't necessarily say that's obscurity. While you can break it, it does make it slightly more difficult, right, depending on the lock. But, uh, yeah, that's interesting, but that's also more of a mechanism. So what's on the policy side? Yeah. That'd be great. So, yeah, so, uh, a policy could be: anything that's worth over, I don't know, a thousand dollars...
...we're going to put in a safe deposit box in a bank. So we just don't have expensive things in the house. So this does two things, right? It can reduce the chance that you get robbed, if people know about you and know about your stuff, and it can reduce the impact. This is kind of what we're talking about: if you assume people can break things, then you can also reduce the impact of that. Yeah, we can buy a sign. Do we need to buy the dog too? No, we could just buy the sign. Yeah, that's actually... this is a true thing. A lot of people that have the security system signs in their windows and stuff, oftentimes they've stopped the service, or that was a previous owner and they just kept the sign. Because, again, it's going towards this notion, this idea that, hey, we don't have to have perfect security, but if we can have better security than our neighbors, and if somebody's looking for a place to rob and it doesn't matter to them who to rob, then they'll just rob the other person. Right? That maybe doesn't apply if we're known as a drug dealer who has millions of dollars in cash in our house, right? Because, like we said about the valuable things, there's other pieces of information that maybe they can figure out, that we have things there. So maybe all that other stuff is worth it. Other policies? Yeah. Louder. A physical safe. Yeah, we could have a safe and put our stuff in it. Is that enough to guarantee... like, what's the policy? I guess it would be: let's have a safe and let's put our valuable things in it. Yeah, yeah. Yeah, so that's also the trade-offs, right? What are we putting in this safe? How much money is this safe?
You have to get some safes that are built into the ground, the cement, or, what's it called, the foundation of the house. All that kind of stuff you have to think about, like, is it even worth it to do all this? If they can just steal the safe and break it open at their leisure, then who cares?

Yeah, that's great. So a policy could be, hey, pretend like in Home Alone (I didn't see the movie). They pretend that there's people in the house so the robbers don't come. It's a similar type of thing: they have actual automated things that will turn the lights on and off, or paying a trusted party to house-sit and be there. Yeah. We didn't even talk about super basic things like making sure the house is locked when we leave, right, or making sure there's no windows open. That's another thing.

What if it's a small hill? A security system could be a policy: hey, we should purchase security services. Although you'd have to think about whether you trust it; I wasn't even thinking about that. That's one thing, right? We should also think about how far we are from law enforcement. If this alarm goes off for the security system, but we're on a hill that's super secluded and it's going to take 20 minutes for somebody to get there anyway, guess what? They break in, and in 15 minutes they're out with all your stuff. So we have to think about whether that policy and mitigation are effective for our risk and our threat.

Yeah, escape plan. For what? Ah, yeah, I guess that's really good. I was thinking more of burglary in the sense of we're not there, instead of a home invasion, but yeah, that would be a policy: what do we do? And a mechanism could be a safe room, right? We have a safe room in the house that we go into, or whatever. Tell no one about the house could be a policy. How do you make sure nobody follows you home? Look over your shoulder. How good are you at that?
Great. Yeah, we can actually buy an insurance policy, right? So with insurance, literally the idea is I pay some company a certain amount of money per month, and on the off chance that a very low-probability event happens, they reimburse me for some of that. So we could say, hey, all the stuff in our house is worth like a hundred thousand dollars, so we get an insurance policy for a hundred thousand dollars. Maybe somebody breaks in and steals it all; maybe we pay some deductible, but we're covered on that.

And then, does anybody pay car insurance? That was the joke. Yes, thank you. Yes, you should be doing that if you're driving a car, just checking. What are some of the things that increase the cost of your insurance? Your age, because you're more likely to get into a crash; that increases the risk of something happening, which then increases the cost. If you have a lock on your car, if you have an alarm on your car, I think that impacts it, right? So literally insurance companies' whole job is figuring out this ratio: how likely this is to happen versus not happen.

Are we defending the house, the physical structure itself, or are we just defending the stuff inside? Yes, exactly, that's great. Like, someone said put it in the phone. Yeah, so that's again part of that step zero: what are we defending and what are our goals? If it's your house, you would essentially know what you care about. But if somebody brought you in and hired you to do threat modeling and to do this exercise for a system, you would have to figure that out. Cool. Okay. We can do this. Yeah.

Yeah, so it's like deterrence: it's not just that you want to have the security, but you want to show potential robbers that you have it, to deter them from doing it, unless they like a challenge. So, okay, we talked about that.
I think while we were discussing policies we talked about some good mechanisms. These are things like the security system itself, the locks. Let's say, very quickly, for our burglary example: will we just say, well, I got locks, and I'm good? Some of you are shaking your head. Why? Burglary threat fixed. Yeah, they could break the windows, right? They could break the locks; we talked about that earlier. They could pick the locks themselves. The mechanisms can be bypassed, and this is why, when we're thinking about how to defend against a threat, we don't just think, well, I do this one thing and then I go home. We may have multiple layers of security. It's known as defense in depth: I'm going to have several policies and mechanisms to try to combat this threat. This could be: I'm going to have locks on the doors for burglary; I'm going to have a security system that hooks up to the windows and can tell if they're shattered or whatever; I'm not going to keep any valuables in my house over $10,000. It could be, and we didn't talk about this, but maybe I'm going to put the money under the bed or something. Have you heard about this, decoy money, where you leave $100 in cash in a drawer that somebody's likely to find, and the actual cash that you have you put somewhere else, like under the slats of the bed or something? Don't check there in my house; I just made that up. But the idea is, hey, they find it, they get some money, great, they go away, they don't bother looking super in depth. These are all different mechanisms that we could use there. Cool. Okay, super fun.

Cool. So we talked about this a little bit with our policies. What we're trying to do here with a policy is to prevent bad things from happening, right?
This of course assumes that people follow the policies, or that the mechanisms are actually implemented properly. We may want to detect when things happen. So think about the example we just talked about with the house: you have locks, you have a security system. Which one prevents things and which one detects things? Yeah, so the locks prevent and the cameras detect. So why the heck do we want cameras if we have these locks? It seems better to prevent than to detect, right? Yeah, so one reason would be: are they able to bypass any of our mechanisms? Because if we have no detection, we'll never know. Yeah, and if our job is defending houses, maybe it'd be super useful to observe people breaking into houses and see how they work, so we can learn from that to design a new, safer, better house. Yeah, this is great.

Recovery is another thing to think about, right? That actually goes back to what we talked about with insurance policies; part of that is recovery. If something bad happens to us, we want to be able to recover from that. So there can be other reasons, but these are a good approach to be thinking about when you're trying to implement a policy in a system: what are we trying to do here? And I hope it was clear. The other way to think about this is as a loop. You try to implement policies and mechanisms to prevent things; then, since you know those might fail, you should definitely have ways to detect things; and then if you detect something, you investigate it, recover, and then try to implement new policies and mechanisms so that it doesn't happen again. So this is a cycle that you could go through to try to secure a system.

So, cool, how did we define policies? How is the ASU computer use policy defined? It's not a trick question. Yeah, with words. With words.
Yes, it seems like a silly question and a silly answer to give to a question, but it's true: with words. Is that the only way we can define policies? That's natural language. What's great about natural language? Everybody understands it; most people should kind of maybe understand what you're saying. Has it ever happened where I said something and a student misheard me in class? Yeah, so if you said "always lock the door when you leave" and they heard "never lock the door when you leave," or "always unlock the door when you leave," maybe the worst case. Yeah. You can act on words; yeah, that's great. Any other? So we talked a little bit about one of the cons of spoken or natural language. Yeah, it may not be documented, or it may be, even worse, so verbose that it's hard to read or understand. How many of you have read the privacy policies or the end user license agreements that you have agreed to whenever you've literally used any website in existence? Yeah, how many of those have you read? Have you read every single one of every website that you've ever used or been to? You've done four? They all suck. Yeah, they're long, they're boring, they're all kind of different, and at the end of the day, who cares, you're going to use the thing anyway, right? So this is part of it: even the policy of you using this thing is in natural language, but it's embedded in something that is so opaque, it's hard to understand. Yeah, it could be subjective. So I may say you should do this. Does that mean you have to do it? Does that mean sometimes you should do it? Right? Yeah, that's interesting; that's like a difference between written and verbal descriptions and those kinds of things, right?
Yeah, and then, I mean, that is the purpose of all of these things, just so they can say they did it. Kind of like the acceptable computer use policy, in the sense that if you violate it, they can go do something about it. You can't claim "I didn't know it," because it was part of the thing that you're supposed to review, so if you don't review it, it's on you. Yeah, "your data" in a contract: by using this app you're giving the company use of your data, and you think, of course that makes sense, I'm using the app, the company should take all the data that I'm using in this app. But if it's not precise, maybe "your data" means all the data on your phone, so they can upload all your photos and everything, even though you didn't necessarily realize that's what it was applying to. That's a great point. Yeah, so, problems.

On the far end, we can use math to define things. Anyone taken a math class? So I think the answer should be yes, right? I was supposed to try to do a math equation or something, but, I don't know, when you prove something in math, like in geometry, is there any ambiguity about what you're proving or what you mean? Assuming you understand all the symbols and what they mean, right? Fundamentally, the purpose of describing things as math is so that we can describe something precisely to somebody else: exactly what we mean. There's actually stuff in policies that is very analogous, where you can write security policies in math or something relating to it, and this would get implemented in a mechanism. You can write things saying, okay, this type of person with this type of role cannot do something unless somebody else who has this other role approves it. You could write that out as a formula, as math. What are some drawbacks to that? Not everyone will know the math. Yeah, or wants to know the math. What else?
Maybe too constraining. I'd say the expressiveness, right? What is this formalism that you're using? Can you express everything you want? For instance, one aspect that comes up a lot in access control stuff is hospitals. So you have a hospital, you have an access control system of who can go into what room and whatever, which is great; this is what you want. There's actually all kinds of laws about HIPAA and health information. But if there's an emergency, and this outside doctor who's a surgeon needs access to this operating room, but your policy didn't specify that in the case of an emergency an outside person can get access, then they can't get access, because your formalism can't even express that concept. In formalisms and mathematics, it's hard to express the concept of an emergency, right? There's something bad that's happening, so we need to do something about it. So this is again the expressivity problem: does it actually capture what you want, or does it not? But it definitely has benefits. Another benefit we didn't talk about is that you can then prove things about the system, and you can say, aha, my policy does in fact achieve my goal, or stop this threat, because I can prove it.

Kind of a mix in between the two: there's policy languages. There's XACML, the access control XML, I don't know what it stands for, but it's basically a language where you can define policies in XML that can be interpreted by programs. That's also something we didn't talk about that's super nice for a formal proof: you could then load that into a program that can operate on it and understand it. Whereas if I try to tell my program, hey, my buddy needs access to my house tomorrow, can you please give them access, it would say, sorry, ChatGPT stuff can't do that yet. So, too bad.

Okay. So how do we know that our security policy is correct? Do we want it to be correct?
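To make the two points above concrete (a rule of the form "this role cannot do X unless someone with another role approves it", and the hospital emergency that a formalism with no notion of emergency simply denies), here is an added example, not from the lecture and not any real policy language, of a tiny machine-checkable policy. The hospital, the roles, the resources and the people are constructed for illustration; the `break_glass` flag stands in for whether the formalism can express "emergency" at all.

```python
"""Added example: a small role-based policy with a two-person rule and an
optional "break-glass" emergency exception. Everything here is constructed
for illustration (hospital, roles, resource names); it is not XACML."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Request:
    subject: str
    roles: frozenset                          # roles the subject holds
    action: str
    resource: str
    approver_roles: frozenset = frozenset()   # roles of whoever co-signed, if anyone
    emergency: bool = False                   # declared emergency (ignored unless modelled)


@dataclass(frozen=True)
class Rule:
    action: str
    resource: str
    allowed_roles: frozenset
    requires_approval_by: frozenset = frozenset()   # empty: no second person needed


@dataclass
class Policy:
    rules: list
    break_glass: bool = False      # can this formalism express "emergency"?
    audit: list = field(default_factory=list)

    def decide(self, req: Request) -> bool:
        """Default deny: a request is allowed only if some rule matches it."""
        for rule in self.rules:
            if (rule.action, rule.resource) != (req.action, req.resource):
                continue
            if not (req.roles & rule.allowed_roles):
                continue
            # Two-person rule: the clerk alone is not enough, a manager must co-sign.
            if rule.requires_approval_by and not (req.approver_roles & rule.requires_approval_by):
                continue
            return True
        # Expressivity gap: without a break-glass rule the outside surgeon is
        # denied here, exactly as the lecture describes. With it, the exception
        # is allowed but recorded, so it can be detected and reviewed afterwards.
        if self.break_glass and req.emergency and "clinician" in req.roles:
            self.audit.append(f"BREAK-GLASS {req.subject} {req.action} {req.resource}")
            return True
        return False


# Constructed hospital policy: who may enter operating room OR-3, and a money
# transfer that a finance clerk may only do with a finance manager's approval.
HOSPITAL_RULES = [
    Rule("enter", "OR-3", allowed_roles=frozenset({"staff_surgeon", "or_nurse"})),
    Rule("transfer_funds", "hospital_account",
         allowed_roles=frozenset({"finance_clerk"}),
         requires_approval_by=frozenset({"finance_manager"})),
]


def run_scenarios(break_glass: bool) -> dict:
    """Evaluate the lecture's cases against a policy with or without break-glass."""
    policy = Policy(rules=HOSPITAL_RULES, break_glass=break_glass)
    outside_surgeon = Request("dr_visiting", frozenset({"clinician"}),
                              "enter", "OR-3", emergency=True)
    clerk_alone = Request("pat", frozenset({"finance_clerk"}),
                          "transfer_funds", "hospital_account")
    clerk_approved = Request("pat", frozenset({"finance_clerk"}),
                             "transfer_funds", "hospital_account",
                             approver_roles=frozenset({"finance_manager"}))
    return {
        "outside_surgeon_emergency": policy.decide(outside_surgeon),
        "clerk_alone": policy.decide(clerk_alone),
        "clerk_with_manager": policy.decide(clerk_approved),
        "audit_entries": len(policy.audit),
    }


if __name__ == "__main__":
    print("no break-glass:", run_scenarios(False))
    print("with break-glass:", run_scenarios(True))
```

Two things to notice. The policy is default-deny, so the outside surgeon is refused by the first policy not because anyone decided to refuse them but because the formalism had no way to say otherwise; and the second policy buys expressiveness at the price of a prevent-only model, so the exception has to be paired with detection (the audit entry) and a review afterwards.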
Yeah, because otherwise what are we doing in the first place, right? If it doesn't actually counter the threat that we care about, then why are we talking about it? So should we just say, yep, we said it, so it's correct? No. Why not? So we just assume it's not correct. Maybe try and break it. Yeah, how, or why? Yeah, finding loopholes. Say it again? Loopholes, finding loopholes. Yeah, thank you, that's great. So, finding loopholes in the policy: thinking through, going back to our threats. Okay, these are the threats we thought about, these are what this policy should defend against; running through them in our heads or as a group: does this policy actually mitigate this threat and stop this threat? We can think about whether there are other threats that we didn't consider that this doesn't cover. We may want to check our assumptions. What did we assume about this policy? We talked a lot about burglars. We talked about having a great security system, locks. But we didn't talk about the threat of somebody tunneling into our hill and breaking through the floor into our house. Are those policies and those mechanisms enough for that threat? Probably not, and we may not want to consider that, but we may want to know the assumption. So we're assuming, and even stating this is important, that for the threat of burglary, somebody breaks in through the doors or the windows of our house. Cool. We also usually assume... well, we can even assume the policy is correct, or, stated differently, that the policy is implemented correctly. We may want to have other policies that check to make sure that things are happening. So for instance, bigger policies: people lock the door after they leave; you have smart locks.
You can actually check that the thing is locked afterwards. You can do spot checks and check at certain times whether the door is locked or unlocked. We may also assume that the mechanism correctly implements the policy. This is kind of what we talked about with the locks: locks can be, well, not easily, but people can bypass locks, depending on the quality of your locks. A good example that I like here: the lab where I did my PhD, at UC Santa Barbara, was contacted by the Secretary of State of California to analyze e-voting machines. So they were doing a red team analysis and were brought in to try to break into them, and one of the professors there, Dick Kemmerer, was brought into the room. They show him this beautiful cabinet: hey, you see that lock right there? That's a diamond-encrusted something-something lock, it's top of the line, you can't possibly ever open that lock. And he's like, cool, cool, show me the other stuff. As soon as the people leave, you just turn this thing around and look, and there's just screws in the back. He takes a screwdriver, unscrews it, and boop, this huge super fancy thing is just taken off, and now he has access to the computer underneath. So this is again: you can have this policy of, hey, we need to have the best locks, but what about the hinges on your door? What about other ways that people could come in that don't require those things? So thinking about those things is really important.

Trust: is trust important? Right, we talked about this even with the locks. I think I briefly mentioned this on Monday, but you have a key to your lock. So how do you give your friend access to your house while you're not there? You give them a key or a copy of your key, and then what? You're trusting them that... what? That they don't take your stuff. What else are you trusting them with? Yeah, what power do they have?
Yeah, and not just them: anyone with that key. That they don't make a copy of the key and go back later, because they were only authorized for that one period of time. So you're trusting that they don't let anyone else in and that they don't make any further copies of that key. There's actually a lot of trust involved in a key. Yeah. Oh, sorry. Yeah, you're trusting that they give it back, right? So it's important to think about, when looking at security policies and security mechanisms, what things are we trusting? Who are we trusting here, and is that what we want? This is actually the one... and smart locks can be kind of annoying. Some of you may have a smart lock in your home or apartment or something. Do you like it? Don't like it? Yeah, there's definitely benefits: if you're ever locked out, it can be nice to just punch in a thing. Some of them have a feature where you can generate a unique code for a specific person, and you can activate that only during certain times, so they can have access. It's like you give them a copy of your key. On the flip side, if the internet goes out or the power goes out, then the stupid thing doesn't work. That's the most annoying thing, and it does not happen with a key. Anyway, the important thing is, when you're discussing and thinking about the policies: for this policy to be correct, who is trusted in this scenario? Cool. All right. So we talked about mechanisms.
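As an added example (not from the lecture, and not any real lock vendor's code), here is a sketch of the per-person, time-limited code feature just described, written to show what it changes about trust compared with handing out a key copy: the code is bound to one guest and one window, stops working when the window ends, and can be revoked, so a copy made during the visit is useless afterwards. The guest names, times and codes are constructed, and the lock is assumed to have a trustworthy clock; the power or network outage the lecture mentions is modelled as the lock refusing to open while offline.

```python
"""Added example: time-limited guest codes for a smart lock. Constructed for
illustration; names, times and codes are made up."""
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta


class SmartLock:
    def __init__(self):
        self._secret = secrets.token_bytes(32)   # stays inside the lock
        self._grants = {}    # keyed hash of code -> (guest, valid_from, valid_to)
        self.log = []        # detection side: every attempt is recorded
        self.online = True   # False models the power/network failure

    def _keyed_hash(self, code: str) -> str:
        # Store only a keyed hash, so reading the lock's memory does not yield codes.
        return hmac.new(self._secret, code.encode(), hashlib.sha256).hexdigest()

    def issue_code(self, guest: str, valid_from: datetime, valid_to: datetime) -> str:
        """Mint a random 6-digit code that works only for this guest in this window."""
        code = f"{secrets.randbelow(10**6):06d}"
        self._grants[self._keyed_hash(code)] = (guest, valid_from, valid_to)
        return code

    def revoke(self, guest: str) -> None:
        """Withdraw every code issued to the guest, unlike a physical key copy."""
        self._grants = {h: g for h, g in self._grants.items() if g[0] != guest}

    def try_open(self, code: str, now: datetime) -> bool:
        if not self.online:
            self.log.append((now, "offline", "denied"))
            return False
        grant = self._grants.get(self._keyed_hash(code))
        if grant is None:
            self.log.append((now, "unknown-code", "denied"))
            return False
        guest, valid_from, valid_to = grant
        if not (valid_from <= now <= valid_to):
            self.log.append((now, guest, "denied-outside-window"))
            return False
        self.log.append((now, guest, "opened"))
        return True


def simulate() -> dict:
    """Walk through the cases the lecture raises about trusting a key holder."""
    lock = SmartLock()
    start = datetime(2024, 3, 1, 9, 0)             # constructed date
    code = lock.issue_code("friend", start, start + timedelta(hours=8))
    wrong = "000000" if code != "000000" else "999999"
    results = {
        "during_window": lock.try_open(code, start + timedelta(hours=2)),
        "wrong_code": lock.try_open(wrong, start + timedelta(hours=2)),
        # A copy of the code kept by the friend is worthless the next day.
        "copied_code_next_day": lock.try_open(code, start + timedelta(days=1)),
    }
    contractor_code = lock.issue_code("contractor", start, start + timedelta(days=7))
    lock.revoke("contractor")
    results["revoked_code"] = lock.try_open(contractor_code, start + timedelta(days=2))
    lock.online = False
    results["offline_valid_code"] = lock.try_open(code, start + timedelta(hours=3))
    results["log_entries"] = len(lock.log)
    return results


if __name__ == "__main__":
    for case, outcome in simulate().items():
        print(f"{case}: {outcome}")
```

The trust question the lecture asks does not disappear here; it moves. With a metal key you trust the friend not to copy it and to return it. With the guest code you trust the lock's clock, its enforcement logic, and whoever administers it, and you accept that when it loses power it fails closed and keeps you out too.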
You can broadly... I mainly think of them as technical mechanisms. You can have maybe specific procedures that people go through, but this is what we talked about there. We want our mechanisms to be secure. Like we talked about, we'd love for our security mechanisms to be perfect. We'd love locks that people are not able to pick. We'd love, I guess, windows that can't be broken. But all these advancements cost money and change how we think about those things. We also want them to be precise. So, for instance, if I had a policy that nobody should be allowed in my house, I guess we could put a wall around our house and wall it off from anybody else, and then when we wanted in we'd break down that wall or something. Yeah. Or a dome; we could dome the hill, maybe. But that mechanism, while it may work, and it actually does achieve our goal, is not very precise: it's not limiting the scope of the protection to just the thing that we want.

Cool, okay, this is all leading to the A of the old name of this course: assurance. What is assurance? I took this class. Yeah, very close; I'd say you're getting close. I think the thing to learn from this course is you can't really guarantee anything, right? So even if you hire me to secure your place, I can't guarantee that I can make it safe, or when you're developing software, or you're getting an iPhone or whatever. The question is: how confident are you that it is secure? So you're always trying to increase your assurance in the security of the system. By doing this threat modeling exercise, going through all the threats, understanding policies and mechanisms for this house, we may have some level of assurance that the system that we're building is actually correct. So it's kind of like, how do you trust that some system is secure? Now, a question for you is: how much should we trust it?
And what factors would change your thinking on how much to trust something? So what's your assurance in your phone, the security of your phone? High, medium, low, and why? Low, why? Yeah, maybe four digits; it's six now by default, but it could be four digits. Not a lot of four-digit numbers, right? Those could be easily tried, but again, there's also stuff in there like, if you put in the thing wrong too many times, it locks you out, so you can't just keep trying over and over. I guess the funny thing there is the new-ish thing; I haven't heard about it in a while, I think it was four months ago. The play that criminals would do is they'd steal your phone while you had it unlocked and were using it. Like, you'd be at a bar using your phone, somebody would steal your phone, run away with it, and then go in and change your iCloud password, because you can do that while the phone is unlocked. Oh no, you do need the PIN, so they would shoulder surf you to steal the PIN, that's right. They'd watch you unlock it, then steal the unlocked phone, then go in and change your iCloud password, and with that they can reset everything, and then they have a nice phone that they can sell for lots of money.

So, can we quantify trust? How do we quantify it? What do I mean by quantify? Just a fancy word that means turn into a number. So, how? Yeah, so that would definitely increase my ability to trust a system. So I'd say, well, if you have two houses, one only has locks, and the other one has locks and a security system and external cameras that people are watching, I may trust the second system more. But how much more do I trust it? Is it 20 percent? 10 percent? 50 percent? Yeah, you could come up with metrics. Who's coming up with those metrics? How do you grade those metrics? If I was doing it, I'd say my house is super secure, right, because I made that, I'm selling house security services. Yeah. Safety-wise, and there's... cool, that's interesting.
So, using the analogy of car testing, although I think the interesting thing there is that it's an industry thing and not actually done by the government, the crash test ratings, but I actually don't remember; anyway, it doesn't matter. But yes, they're able to give safety ratings to cars by putting them through things and rating them on certain aspects. Yeah, I can't remember exactly how that works. I thought they did it so the government wouldn't step in and start regulating it. Cool. Yeah, I'd say it's a super interesting model. The problem is always going to be: what do you test versus the other stuff? I think, if I remember correctly, current concerns are that people make the cars bigger, which helps on the crash tests, but then if you have a small car you get screwed in a crash. Right, exactly, and other things would be like this house problem: all these situations could be unique and different, right? A house on a hill versus a house in a suburban neighborhood versus Bill Gates's house on a lake. So coming up with a standardized testing mechanism could be difficult. Yeah, you could use statistics: the rate of burglaries with it versus without it. What if the system you're testing is a burglar detection system? Would you expect more burglaries with it or without it? Yeah, but what if they're still successful, but you don't know about the unsuccessful ones because you haven't discovered them? Yeah, the burglary context is bad for this, but this is actually a big problem with security, in cybersecurity: people will sell great systems, or companies will invest money in security, actually implement detection systems, and then go, oh my god,
we're under attack. It was almost better when we didn't know about this. So yeah, anyway, the point is this is very difficult to do, and if it's something that you end up doing, this is actually a huge market. Yeah, louder. All right. We still got five minutes; we're gonna go until the end. Is there an industry standard for the security of software? There are certain NIST things that are like best practices. There are for sure engineering standards for when you want to get your software onto an airplane, but those have different implications than the security parts. So the short answer is no, I think. Correct, you know, there's definitely not, and those cars crash. Okay.

So, very briefly, one thing to think about when thinking about assurance, now shifting a little bit to a software system: if we want to trust the software system, we need to be thinking about security at all levels of the software development life cycle. If you only come in at the very end, it's often terrible; there can be massive problems. So you want to start at the beginning phase with the specification: what is this system actually supposed to do? How do we define that? We can define it formally, we can define it with English. You can find flaws even at the specification level. Design: how is the system designed? Does the design satisfy the specification? This is a flow process of looking at the design and seeing if it's satisfied. Again, the more work you do in understanding threats, policies, and mechanisms at this stage, the better, and the higher your assurance that the final thing will be secure. Implementation: of course, as we know, you have to build software and write code that does stuff. One of the key questions: does this implementation satisfy the design, and does the design satisfy the specification? Again, how to prove this is difficult.
There is research on actually formally proving all these things. And finally, there's a key thing: even if you build the most secure system in the world, a beautiful perfect specification, perfect design, perfect implementation... have any of you written code that's perfect? No. I've seen code like yours, not yours yet, but I've seen code like yours. It's not perfect. My code is not perfect. Nobody's code is perfect. You're all humans; you will make mistakes. Even if your code was absolutely perfect, it still needs to be deployed and run on a system, and that can cause vulnerabilities. I've seen it, and I've done it myself.

Cool. Okay. We talked about this cost-benefit analysis, right? Is the security mechanism worth the cost? It all depends on what you're securing and what things you consider. Okay, we still got a minute. Okay, we did this risk analysis, right? We looked at threats and said, okay, what's the likelihood that a bad thing happens? In a company, is every laptop equally valuable? No. The CEO's laptop may be way more valuable than any other laptop because they have access to more things; they can transfer money out of the account. Risk can change over time. Companies' earnings reports are super private and super sensitive right before they're released to everyone on earth and the entire public. So you can think of risk as not remaining constant. Laws: we've actually talked about laws already, but they can restrict what policies and mechanisms you can use, and this actually comes up a lot. And a question I want you to think about when it comes to customs, right? Customs are not laws that restrict things. Would you want a company, your company that you work for, to put a microchip under your finger, so that you can easily check out at the company store and stuff? No? Sounds kind of cool. Think about that. It's like, just go to your dorm room, like, you're in. No? Okay.
Think about whether you want this, and talk to your friends about it.