All right folks, let's get started. All right, so somebody, whoa, sorry. Okay, so somebody catch us up, remind us, what are the principles of security? Yes. One, give me one. Confidentiality. Okay, what does confidentiality mean? It means actually protecting something that you want to keep right there. There you go, yes. So I like to think, when you think about these components, you want to think about them more at a high level, right? Rather than the mechanisms of how you enforce confidentiality, exactly, the way to think about it is only people who are authorized to get access to data get access to that data. Yes. Integrity. Integrity, so what's integrity? Somebody else? Yeah. Trustworthiness of data or the origin of data? Good, so trustworthiness, origin of data, so trying to think through and understand: is this data what it's supposed to be? Did anybody modify this data? Did anybody change this data? Let's say the person who's creating this data and communicating it to me, did anybody else modify it along the way? Awesome, and what's the third part that we talked about? Availability. Availability, so what's that? Yeah, on the spot. Is it accessible, is the information available at any time, and is it available by accessing it or is it not? Right, so thinking about how we access information, not just information but systems as well, right? So a system, if it's insanely secure but nobody can use it, then it's basically useless, right? And it doesn't accomplish the organization's needs. Cool. Any other comments? Oh, now I see the access control and encryption part here. Yes. So these are concepts that we're going to talk about later that fit into confidentiality. Yeah. And how we can enforce confidentiality. But then, by themselves, if you mess up your access control policy and say that everyone can access anything, then you're still probably violating confidentiality. Any other comments on this? Cool. Okay, so we ended, was that Thursday?
It seems like a long time ago. So we started talking about threats. What do we mean? Like, what is a threat in this context? Yeah. Like, perhaps like a virus? Why is a virus a threat? Who can define a virus? What's a virus? Something that probably, like, attacks your system in a way that you don't want it to. Okay. So then why is a virus a threat? It violates vulnerability. Ooh, good answer. Very broad in a good way. So, okay, so a virus, has anyone ever had a virus on their computer before? That they know of? Yeah, I'll include myself in that. So a virus you can think of as essentially an unwanted piece of code that is running on your computer. So it's something, usually its intent is malicious. The intent could be to, let's say, send out spam emails from your machine. It could be to try to launch a denial of service attack against a website. It could be sitting there on your computer, watching everything you're logging into and stealing your usernames and passwords to all the websites that you use and then sending that to the attacker. It can be a number of different things. And so usually there's a number of ways they get on your computer. It can be as easy as you download an EXE because you're at some shady website and you have a crack for a game. And then you run that executable and it maybe cracks the game but also, unbeknownst to you, installs and leaves this virus that's running there. Or it could be, I mean, the most complicated example is you're running an outdated web browser. You visit a web page, and the JavaScript code on that web page exploits an unknown vulnerability in your web browser or in your Flash plugin, which then allows it to escape the JavaScript sandbox and allows it to drop a file on your computer, execute it, and start running as you. So there are all these different kinds of ways. And so the threat there is, you can think of this like code with malicious intent, in some way of thinking about it.
There's this code that has malicious intent that's on your system that is doing something that a bad person wants it to do, which you probably do not, which could violate your confidentiality. So did we talk about ransomware? Kind of, I think we touched on it a little bit. So what's ransomware? Yeah, in the back. Yeah, so typically, the whole underground economy, what it used to be is these kinds of viruses. So what would happen is they actually started to specialize into separate subgroups, so you had people who were really good at getting executable code on your machine and running as you. But they were like, hey, we don't want to figure out what to do with this machine. So we'll sell this as a service. We'll create a website where people can go pay us money to upload their malware and we'll run it on the thousands of machines or hundreds of thousands of machines that we have and charge that person money. So those people are the ones who send out spam and do all those kinds of things. Eventually, somebody I guess realized, and I guess you could kind of time it with the rise of cryptocurrencies like Bitcoin, of having a pseudo-anonymous way of paying and transferring money that's not refundable. So the idea was, well, now let's just attack the user directly, because as we know they probably have sensitive information on their computers. Would you all agree with that? Yeah, we talked about some kinds of things. Documents, think about your homework assignment that you're working on, let's say a week before the deadline. I know, we thought that was funny. You all started super early on all of your assignments. I've seen it. I did it too. I'm not judging, just the reality. Think about a business. Do you think organizations, on their desktop machines, have important files on their systems? So I think we should. Did I ask how many people worked at a company? I don't think I did.
Sorry, I covered a class for another professor yesterday and so my mind is all jumbled. So people who've worked at a company, what kind of important files are on people's computers? Internal software. Internal software, so kind of like custom software that's only for that company, that they use to run their business. Classified information. Classified information if it's a military organization, yeah. Customer information. Customer information, so information about your customers. What else? Source code. Source code, the source code, yeah. Ooh, vulnerabilities on their servers. That would be a very organized organization if they actually have that information. But that's good stuff, yeah. AWS credentials. So yeah, think about all that data, and you think about the department here at ASU, right? There's files of all of you guys, all of your grades, who you are, all this kind of stuff. So essentially what the ransomware authors realized is, rather than do this kind of indirect monetization where somebody else pays you to execute some malware on somebody's machine, which maybe sends out spam, which is how they get paid, why not just basically say, I have execution on your machine, give me money, and basically hold people hostage. This is where the ransomware comes in. And so what they started doing is they started encrypting all of the, let's say, important files on your hard drive. So let me encrypt images, documents, everything, with a key that only a remote server knows. So as soon as it's done doing this, it pops up a message that says, hey, today's your lucky day. You owe us however many Bitcoin, three Bitcoin. We've encrypted, we're basically holding ransom, all of your files. If you want access to them, you need to pay the ransom. Otherwise, all your data is going to be lost. So how many of these people do you think have backups of their data? How many of you have backups of your data? Good. With what? Dropbox? Google Drive? Thumb drive? Yeah. Good.
You should go home and do that if you don't have it already. Because, yeah, this could, I mean, happen kind of despite your security hygiene. And so actually, there's a couple funny things here. A, the documentation that these people have to write, the ransomware authors, on how to go buy Bitcoin and send it to somebody is some of the best documentation on how to actually acquire Bitcoin, which is really funny. But when you think about it, that's what the criminals, the criminals aren't going to get paid if people don't know how to pay them, right? So really good tutorials on how to do this. Other funny things are, people, I mean, so there's a couple funny things where people have found that sometimes the encryption is really bad, so they're able to make tools that can undo it. But fundamentally, once something's executing on your computer with your permissions, right, it can do anything to the computer that you can do, including deleting files. And if the cryptography is done correctly, then there's really nothing you can do to recover it except for use your backup or pay the money. So this has actually hit a number of real-world companies, I think. I know police departments have been hit, I believe there's a hospital that was hit at some point, and eventually they usually pay the ransom because to the company it's like, I don't know, a couple thousand dollars to get their files back is worth it in that instance, because otherwise they can't do anything. Yes? So like a general question, so like outside of ransomware, like what is the objective for people to create viruses? So usually it's control of your machine. So in general, they want, so if I'm going to take down, let's say, I don't know, I wouldn't target Amazon, but let's say a mid-tier, I don't know, a local website or a local company that's making money that relies on their website.
If I wanted to extort them for money and say, hey, give me a thousand dollars or else your site goes down, if I just have my machine, I can't generate enough traffic to take them down. What I need to do is use at least a thousand machines, if not more, and have them all create essentially what's called a botnet. I control these machines, I say, okay, take down that system, send a bunch of data to it, and then I send them an email saying, hey, it looks like your site's down, that's terrible. I run an anti-DDoS thing, if you pay me a couple thousand dollars. And so that's one way they gain money. The other main way is through credentials and credit cards, so by stealing usernames, passwords, credit cards, social security numbers, date of birth, address, this can all be sold on the underground economy, where people will then go and make real-looking credit cards with your credit card number on it with somebody else's name so they can actually go use it to buy things. That's all kinds of crazy stuff. So this is, and that's a good question, so how does that relate to threats? Right, so it's compromising the three aspects that we just talked about, and when you're thinking about threats, and you're thinking about threats to a specific system, you can create more realistic threats if you understand what essentially the attacker's mindset is, right, about what is their goal? Are they trying to make money? Are they politically motivated? Are they trying to steal state secrets? Like, what are they actually trying to do at the end of the day? And so that can help you think of threats. So what are some other threats that we should be considering or thinking about in general? Insider? Insider threat? What's an insider threat? You don't trust people on the inside? No. No? Why not? It varies from person to person, but someone can be an idiot and get into an organization and not like what they see in there and try to release some of that.
Yeah, so an insider threat is basically, you can think of as any threat that can occur based on somebody who's inside the company, inside the organization. It's not something that you would normally typically think about, because we're mainly focused, I mean, when we think about threats, we think about external threats, right, like who's going to come attack us? But insiders can do just as much. So there's a story, I think it was in the early to mid-2000s in Australia, where there was a sysadmin who was working at a sewage processing plant, and this person was fired, which is what happens, right, and then this person was upset that they were fired, which also happens. But they decided to get revenge on the company. They realized all their credentials still worked to access all the systems. So they logged in and, I believe, sent some commands to release the sewage gates or something, so that a bunch of sewage flowed into the ocean, and it actually caused like a huge ecological problem. There was like sewage all over the beaches where nice hotels and tourists were; it actually caused a lot of damage. So I believe that person was found and prosecuted and spent some time in jail for doing that. So that's a really good example to think about. Like, okay, you fire somebody, well, how long do they have access to those systems for, right? Their digital credentials, do they still have them? How do you know that they didn't install any backdoors on any of those systems, right? If they changed the root password on one of the systems, now it doesn't matter if you remove their credentials, they can still maybe log in. So these are important threats to consider. What else? Human factor, what do you mean by that?
Right, so considering the human, which a little bit goes into insider threats. There have been instances of people, I don't know, well, yeah, so this is a classic pen testing trick of scattering USB drives in the parking lot, putting a label on them that says, you know, Q4 salaries or bonuses or something, right, and so that's an incentive for people to plug them in. They take them, plug them into their computer, and depending on the operating system, it used to be that Windows would automatically autorun whatever USB drive you plugged in, and so then you'd be running code on their systems, and that's how you get in. So, yeah, the human factor is incredibly important. What other ways do humans play a role in threats? Phishing? Phishing, so what's phishing? Sending a malicious email with, typically, a web link. It can vary from place to place, but if it's spear phishing, it might be something specific to that company, like an IT email script saying, hey, we need you to go to this site real quick and follow these steps here to do something on your system. Right, so has anybody ever gotten an email that says, you know, something like that, or, okay, there was a problem with your account, your payment didn't go through, click here to fix it, or even things like paying your credit card, I don't say credit card, they're pretty good about that, but let's say paying your power bill or your rent or something, they send you an email to say, hey, go do this. How do you know it's actually them and not somebody spoofing their email? How do you know that that site that you go to is actually your bank's site or your power company's site, and it's not somebody who created an identical-looking site that's going to take that username and password you send in and steal it? Yeah. You can usually, like, check the URL. So you can check the URL; do you trust the URL? A lot of times I guess there's like some things that can throw something like suspicious. Yeah, what else?
I mean, I hate to say it, but a lot of them are just, like, terrible spellers. So that's actually a phenomenon, I can't remember the exact term, I think somebody called it basically the Nigerian scam theory in some sense. For some of these scams, they're deliberately so, like, if it costs the scammer time to try to scam you, then it's in their benefit to actually weed out as many smart people who aren't going to fall for this scam, maybe it's not smart, but to weed out as many people who aren't going to fall for this scam. So they sometimes deliberately do that so that the only people who reach them are people who didn't see any of those red flags, so they're going to be on the hook and are going to fall for whatever they do, which is kind of funny. But then you've got to worry about the other way: are you worried about somebody blindly sending an email to everyone in this class to try to scam all of you, or targeting one person to say, I'm going to scam you, so I'm going to craft it exactly to get your interest and to get you to click on things. Yeah. Yes, this is a good practice that companies do, is they'll try to phish their own employees so that that way they can try to educate them about the dangers of these kinds of things. Because it's very easy to click on a link, end up on a page, type in your username and password for whatever that page looks like, and then now all of a sudden you're giving your credentials, your username and password, to somebody else. Yeah. Yeah, I think I'd check on the padlock, the green padlock next to the address. I can buy a green padlock for any domain that I own. Which goes, it's a similar thing. Maybe if it's HTTPS. Yes, I could also buy it. It's not secured. Correct. But I can, again, if I control, so if I buy a domain name, let's say I'll pick on Google, like if I buy G-O-0-O-G-L-E dot com, I can get an SSL certificate so it'll show a green lock.
I can run HTTPS, and you have no way of knowing, and that's with ASCII characters, but now you can actually use all kinds of UTF-8 characters. There are a lot of characters in a lot of languages that look identical but are technically different characters, so you won't be able to tell. So a story that I'll tell that actually came up at DEF CON, I'll tell it at a high level. So essentially one of the teams found out that in one of the challenges, they were able to basically redirect somebody. So somebody would access the challenge in their name, and they were able to redirect a browser to go somewhere else. So what they did is they registered a fake domain. So our domain was, I think, O-O-overflow dot I-O. They did O-O-overflow, but one of the L's was a capital I instead of an L. And so they registered that domain name, they bought an SSL certificate, and they set up a fake team interface. So they took the HTML, the team interface that we were giving them, created a new team interface, and then created a new challenge in there that had a binary that, if you downloaded and ran it, was basically a trojan backdoor that let the original team have access to your system. Yeah, we were like, what are you guys doing? And apparently people fell for this. I won't name any names of any of the guilty or the innocent or the victims. And it was funny, we realized after the fact, we had teams coming up to us going, when are you guys going to release the next challenge? We're like, what are you talking about? We haven't even said we're going to do anything. We'll do it whenever we're ready, go away. We didn't realize they had seen this page, thought they'd found some bug, and had a fake challenge there. So anyway, that goes to show you that even kind of the top hacking people can fall for these kinds of things, because it's very easy to get tricked. Yes? Did you finish that team, or was it like, for things like that, it's almost anything goes?
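The lookalike-domain trick described above (a capital I standing in for a lowercase l, a digit 0 for an o, and, once Unicode is allowed, characters from other scripts that render identically) is something a defender can check for mechanically. The following is an added example, not code from the lecture or from the CTF organizers: a small Python check that reduces a hostname to a visual "skeleton", compares it against a list of domains you trust, flags lookalikes, and reports the punycode form of any non-ASCII name (the form the DNS actually resolves). The confusable table and the trusted list are constructed for the demo; a real deployment would load the full Unicode confusables data. Such a check would typically run over links in inbound mail or over newly registered domains that resemble your own.

```python
import unicodedata

# Constructed for this example: a few characters that render like ASCII
# letters. Production code would load the full Unicode confusables table.
CONFUSABLES = {
    "0": "o",        # digit zero vs letter o
    "1": "l",        # digit one vs letter l
    "I": "l",        # capital I vs lowercase l (the trick from the lecture)
    "|": "l",        # vertical bar vs letter l
    "\u0430": "a",   # Cyrillic small a
    "\u0435": "e",   # Cyrillic small ie
    "\u043e": "o",   # Cyrillic small o
    "\u0440": "p",   # Cyrillic small er
    "\u0441": "c",   # Cyrillic small es
    "\u0455": "s",   # Cyrillic small dze
    "\u0456": "i",   # Cyrillic small Byelorussian-Ukrainian i
    "\u0131": "i",   # Latin dotless i
}

# Constructed trusted list; oooverflow.io is the CTF domain the lecture spells out.
TRUSTED = {"oooverflow.io", "google.com", "paypal.com"}


def skeleton(hostname: str) -> str:
    """Map a hostname to what it *looks like*: apply compatibility
    normalization (NFKC), substitute confusables, then lowercase.
    Confusables are substituted before lowercasing so that a capital I
    is treated as the l it resembles rather than as an i."""
    out = []
    for ch in unicodedata.normalize("NFKC", hostname.strip().rstrip(".")):
        out.append(CONFUSABLES.get(ch, ch).lower())
    return "".join(out)


def classify(hostname: str, trusted=TRUSTED) -> dict:
    """Return a verdict for a hostname: 'trusted' (exact match),
    'lookalike' (visually matches a trusted domain but is not one),
    or 'unrelated'. For non-ASCII names the punycode form is included,
    which is what should be shown to a user instead of the glyphs."""
    host = hostname.strip().rstrip(".").lower()
    result = {"host": host, "verdict": "unrelated",
              "lookalike_of": None, "punycode": None}
    if not host.isascii():
        try:
            result["punycode"] = host.encode("idna").decode("ascii")
        except UnicodeError:
            result["punycode"] = "<not encodable>"
    if host in trusted:
        result["verdict"] = "trusted"
        return result
    sk = skeleton(hostname)
    for t in trusted:
        if sk == skeleton(t):
            result["verdict"] = "lookalike"
            result["lookalike_of"] = t
            break
    return result


if __name__ == "__main__":
    for name in ["oooverflow.io", "oooverfIow.io", "g0ogle.com",
                 "\u0440\u0430ypal.com", "example.org"]:
        print(classify(name))
```

The skeleton comparison is deliberately one-directional: it only tells you that a name resembles something you already trust, so the trusted list has to contain every domain whose impersonation you care about (your own, your bank's, your CTF's).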
The rules are basically, like, no denial of service, because that's lame and not fun for anyone. No, like, physical things, right? Like, that's super lame. But beyond that, and no, like, I think we've structured the game in the past. I've heard that some teams, so like, you only broke one service, but it's one that nobody else broke, you would sell your exploit to other teams for exploits for the other services. So you'd be like, I'll give you this one that nobody has, but you give me, like, these other three. So that's really discouraged, because that's lame. It should be, like, your own team's skills. But yeah, no, when we heard that we were like, that's super off, and they told us, of course, after the game was over, right? So yeah, it was very cool. So yeah, phishing, huge threat. What other threats? Big downloads yourself? Say it again? Demo's downloads? So yeah, so that's kind of in the, maybe like a Trojan horse or some kind of executable that you're just downloading that you have no idea what it does. What else? You guys, you need to start thinking evil. You're evil. This is the part of the course where you continually have to put on your defender hat and then your attacker hat, so you can think like an attacker to think about all the threats, because if you haven't thought about a threat, if you never thought about phishing attacks in a CTF, you're going to fall victim to it, right? Because you have nothing in place to defend against that. Yes, in the back. On the Wi-Fi? Oh yeah, okay. So you can, yeah, so Wi-Fi, right? You can have an open Wi-Fi that has no password, or a secured Wi-Fi. If you've never looked at it, you don't have a lot of time in this course.
But if it's an open Wi-Fi, anyone can see any packet that you're sending from your machine to that router, which means all I need to do is put my network card in promiscuous mode, which listens to all the packets that are getting sent, and I see everything that's getting sent. And even more than that, if you're making a request to a website, I can spoof the reply, I guess restricted to the fact that it's not HTTPS, I can inject something in there to do stuff. So this was actually a huge problem. There was a tool released, I can't remember when it was, called Firesheep, where it would listen to the wireless network, and if it saw anybody's Facebook, because Facebook was transmitting the cookies over HTTP, all you needed to do was steal that cookie and then you could become that user. So this was an automated tool to look at all the people's Facebook, and then just one click and you could be on Facebook as this user, and then you'd be on Facebook as them. And Facebook fixed that very quickly, so they changed their website because of this tool, which was super interesting. So yeah, if you think about it, if you're running a company with an open Wi-Fi, then you can see all these things, and this could be a huge threat that you're not considering. There's a lot of people who can actually manage to get into a thing, which I pretend to write, like either credentials. I'm talking about physical security. Nobody mentioned the problems I can come up with physical security. Would you trust me to be alone in a room with one of your laptops or desktops? Yes. Why? Because you work for ASU. Because I work for ASU. Why should you not? Replace me with anybody else. You could take that hard drive. Because I can take out the hard drive, and if your hard drive is not encrypted, I can look at all the data on your hard drive. If your hard drive is encrypted but it's a weak password, I may be able to brute force that password and get access to your data. What else can I do?
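The Firesheep problem above comes down to a session cookie travelling where anyone on the network can read it, and the fix the site made was to stop that. As an added example, not code from the lecture, here is a small Python audit that parses a captured HTTP response's Set-Cookie headers and reports each way a session cookie would be exposed on an open Wi-Fi network: set over plain HTTP at all, missing the Secure attribute (so the browser will also send it back over http://), or missing HttpOnly. The two captured responses are constructed for the demo; the first is the kind of response the tool exploited and the second is the hardened form.

```python
# Constructed sample responses (not real captures).
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: sessionid=3f9a1c; Path=/\r\n"
    "\r\n"
    "<html>...</html>"
)

HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: sessionid=3f9a1c; Path=/; Secure; HttpOnly; SameSite=Lax\r\n"
    "Strict-Transport-Security: max-age=31536000\r\n"
    "\r\n"
    "<html>...</html>"
)


def parse_headers(raw: str):
    """Split a raw HTTP response into (status line, [(name, value), ...]).
    Header names are lowercased; repeated headers (several Set-Cookie
    lines) are all kept, since each one is a separate cookie."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def parse_set_cookie(value: str):
    """Return (cookie name, cookie value, {attribute: value or True}).
    Attribute names are lowercased; flag attributes such as Secure map to True."""
    parts = [p.strip() for p in value.split(";")]
    name, _, val = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, v = part.partition("=")
        attrs[key.strip().lower()] = v.strip() if v else True
    return name.strip(), val.strip(), attrs


def audit_cookies(raw_response: str, scheme: str, session_names=("sessionid",)):
    """List (cookie, problem) pairs for session cookies that a passive
    listener on the network could capture. `scheme` is the scheme the
    response was observed on ('http' or 'https')."""
    findings = []
    _status, headers = parse_headers(raw_response)
    for name, value in headers:
        if name != "set-cookie":
            continue
        cname, _cval, attrs = parse_set_cookie(value)
        if cname not in session_names:
            continue
        if scheme == "http":
            findings.append((cname, "set over plaintext HTTP: readable by anyone on the network"))
        if "secure" not in attrs:
            findings.append((cname, "missing Secure: browser will also send it over http://"))
        if "httponly" not in attrs:
            findings.append((cname, "missing HttpOnly: readable by any script on the page"))
    return findings


if __name__ == "__main__":
    for label, raw, scheme in [("weak", WEAK_RESPONSE, "http"),
                               ("hardened", HARDENED_RESPONSE, "https")]:
        print(label, audit_cookies(raw, scheme) or "no findings")
```

The Secure attribute is the one that actually closes the Firesheep hole: without it, a site that serves its login page over HTTPS but any other page over HTTP still leaks the cookie the moment the browser fetches one plaintext resource.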
Has nobody ever broken into a computer? Like, you have an old computer, you don't know the root password, what do you do? Change the root password. Because you have access to the hard drive, you can just change the file, you can go in and put a new hash, boot it up, and now you're into that computer. I could even, I guess I should say I can't, but people can. We all are under this delusion that hardware is very sane, but actually they've shown that, if you think about your memory chips, after the power goes out they actually have a bit of a life to them, and you can extend that life by making the memory cold. So they've actually done this study where they would, I think it was before they turned off the hard drive, I can't remember exactly how it was done, but they would, you know, the cans of like computer spray, you turn it upside down and it gets super cold, so you do that, basically make the memory very cold, turn off the computer, stick it out, plug it in a new computer, and then you can read all the memory that was on that computer, which oftentimes includes the encryption key for the hard drive if your hard drive was encrypted. So all kinds of crazy stuff can happen with physical access, which is why, if you want to talk about, well, I have a very secure, you know, system, process, company, whatever it is, if somebody can waltz into your data center where all your computers are, it's essentially game over, because they can do almost anything. What other threats? Not necessarily related to, like, home computers, but I know, like, credit card skimmers are everywhere. Yeah, so more personal security, and when we talk about stealing credit cards, so what's a credit card skimmer? Yeah. Yeah, so you think about when you put your credit card through, the magnetic stripe on there that the credit card reader is reading, so what you do is put another device in front of it that reads the credit card as well, stores it, and then will send it wirelessly back to the criminals, so that they can then create fake
credit cards and use them to purchase things on your account. Yeah. Can you access the chip cards now with Bluetooth? I don't know. The chip cards are supposed to be better, but they can still be used in a lot of places, because there's a lot of places that don't have the chip readers, so you could still use the card there. You could also use the card online once you have the number. False flag stuff, so it's like, maybe one or two credit card skimmers, but the bank has to go out and, like, check all their ATMs, and of course the bank can waste a ton of money on a threat that wasn't all that large in the first place. Interesting. So yeah, threats about, let's say, or okay, so I didn't talk, or what you might want to do is, if you're trying to break into the bank, do something like that, essentially distract the security team with a minor issue while you launch your big attack to actually break into the bank or something, right? So yeah, that's an interesting point. Cool. So when we think about threats, when we're thinking about them, we need to think, you know, you can think very broadly, and you need to be considering not just the things we talked about but also other kinds of things. What about threats against deep learning? So you want to elaborate on that? Like computer vision. Yeah, so what about, you think about voice, voice attacks, right? So yeah, Alexa, Siri, all those kinds of things, which I'll actually tell another story about DEF CON. This was for the qualification event. It's one of the other people who I won't name, is that me taking 466, some of you, so Jan Trichestas really, who's teaching that class, created a challenge for DEF CON quals, which we had in May, and it was called ATOMTUNE. So the idea was he took all of my YouTube videos, trained basically a voice recognition system on that, and the challenge was, say this phrase in Adam's voice, and you had like 30 seconds to do it, and if you did, then you got the flag,
otherwise you didn't. So what happened is, all of these people, all of these teams everywhere, were watching my videos and downloading videos and getting snippets of my voice in order to fake this, like, fake voice authentication as me. It was very weird. I am very glad that nobody called me. I was kind of worried that somebody would find my phone number and, like, get me to say whatever phrase it was. But yeah, it goes to show that AI, machine learning, all these kinds of things are also other systems and threats that we need to consider and think about when we're considering threats, right? So if you're basing everything on this voice recognition system, well, you'd better understand how good kind of these deep fakes are, where they can not only, where they can capture your voice and create kind of a similar-sounding voice, which may pass authentication. There was also that Burger King commercial that kept on linking to the Wikipedia page; people would go and change that so it would say other stuff. Oh, interesting, I hadn't heard about that, that's funny. They have the commercial that says, Alexa, what's in the burger, how is it in English? Yeah. Yeah, so yeah, this gets kind of crazy when you think about threats. But there's been people doing, I think they called it dolphin attacks, where the idea is you can embed in, like, a sound clip the "hey Alexa, do this thing," whatever, but in a way that's not audible to a human, but it triggers the Alexa to do something. So when you're listening to that, you would never know that it's doing that, but Alexa is actually listening to that and responding to that command, which is pretty cool. So yeah, I don't trust any of this stuff, except it's super handy and useful, so what do you do? Okay, so these are actually kind of all the things we've talked about when you think about threats: disclosure, accidentally leaking information, deception threats, or something. And these are kind of just high-level categories to get you to think about the things that we've talked about.
The specific categories themselves aren't super important, but the idea here is thinking about threats in these ways. Awesome. So okay, cool, so let's see which ones we've talked about and which ones I have here. So what's snooping or wiretapping? Or even, so, you know, how do packets get from us to Europe? Underwater. Yeah, there's undersea cables that are linked between all the continents. I believe there's been, at least let's say stories, because I don't know if this is 100% true, but there's been stories of submarines being close to those cables with taps on them so that people could see what data was being sent across them. Does everyone remember the, yeah, key logging, in the same category? I would say it's kind of tricky. I think it's more of a semantic distinction; in the end it's the same end result. I'd say key logging requires somebody to execute something on your machine, but maybe, so like if you think about this keyboard here, if you put a device at the end of this keyboard that listened to everything that was there and transmitted those keys somewhere else, I'd say that probably fits more under snooping. If it's just a key logger that's running on my machine, that's kind of a malware kind of thing, because it had to execute on my machine first to then do that. What was I saying? Oh, snooping, wiretapping. Oh yeah, another interesting story about this is the NSA Edward Snowden leaks. So one of the things that was mentioned in those leaks was that the NSA, so when you think about a big company like Google, Google's very good about encrypting everything that goes from you to Google. They use SSL, they make sure that everything's encrypted. But Google runs these huge data centers, so Google was not encrypting the information, like, in between servers or in between data centers. And so your data would go into Google and then it would get processed in a bunch of places. It turns out, from the Edward Snowden leaks, that the NSA was tapping all of that internal communication that was
going on, so they were getting all that data. I think, and not just to pick on Google, I think it was also Microsoft and maybe another, I don't remember if it was also Amazon. So then, so you think about, they never thought about that threat when they were thinking about threats to their organization and their customer data. Should we worry about inter-server communications? The answer was no, until it was demonstrated to them that that's not the case and you should be worried about that threat. And so they ended up encrypting all of their internal communications too, now. So that was kind of interesting. Modification, altering data. So you think about, if I'm going to make, let's say, like a stock order to my stock broker or whatever, and I say buy, you know, 100 shares of this, but somebody modifies that to say sell 100 shares of this, or turns it into buy 100 million shares of this, you know, that could have serious consequences. And so those are also threats we didn't think about. So some of the terms we use to think about this are man in the middle, so the idea being, if you're in the middle of a communication between two parties, can you modify or change the values of the messages? So essentially thinking again about integrity: can you violate the integrity of the messages so that each party doesn't know what they're talking about? Masquerading or spoofing. So this is kind of an interesting thing: how do you know that I'm actually the person who's supposed to be teaching this course? Because I stood up here on Thursday, and who would do that for an hour and 15 minutes and then again on Tuesday? We know that it's you because you have a picture on your website. So okay, picture on my website, that's my, I mean, maybe I made that to be a fake website. Well, there's a nice one, it's an ASU website. Maybe the ASU website, how do you know? They verified my ID, because you have to verify it. What do you think, did they? Yeah, so that's kind of an interesting thing to think about, right? So yeah, I've seen your
YouTube channel nobody no one other than a professor you know post all those videos hey you never know people are crazy it's a long call and eventually this is going to take out for me could you also think of like like what might your motive be if you're like someone else like why would you exactly motive like what am I here to gain for somebody else right like I don't know that would be silly yeah you think about upside too so think about and that's thinking about the context right it's like I'm not if I started to say oh and by the way if you want to aim this course send me a couple bitcoins this address then I should start triggering alarm bells because that's like a high value thing and so maybe somebody is probably not something a professor would do so maybe this is not who this person says they are or maybe they're super shady and should be fired all those things are possible truths and think you know this comes up a lot in it's easy to think about in the physical world because it's hard to verify identity but this also comes up what we talked about in the fishing example right because here you're visiting a website and it's a website pretending to be another website right so it's trying to masquerade or spoof as that other website so except in the case so anyone what's tricky here is that this actually this masquerading or spoofing thing is actually built into a lot of systems so do you think Michael Crow answers every email that he gets? 
personally he sits down he's a machine just cranks out emails I don't even want to imagine how long that would take to go through his emails so most email systems allow some form of delegation where you can say okay this person my executive admin they are able to respond to emails as me or this is also you know I have some people at ASU I work with a lot and so they can actually see my calendar and change events and do stuff because I don't want them to bug me about it so they can just go do it so this is actually an interesting thing because on the surface masquerading or pretending to be somebody else seems like a clear security violation but there are legitimate business cases and in those cases it's called delegation right you want somebody else to act as you so what do you want in order to make that be not a clear a clear security threat so are we going to verify the delegate? yes you want to verify the delegate just as you're verified I was going to say something along the same lines be able to verify who is masquerading someone else log the activity yeah you want to log all of the delegates so you can go back and see and audit that and say okay did they do anything weird that they shouldn't be doing and that way you can trust them to do things and you can also verify at some point that they did things correctly and that way that gives you somebody sending me an email as a high ranking person they can say oh that was a disgruntled admin we can see that from the logs it wasn't actually them we didn't really talk about this what's repudiation I think the one has received it could be received or sent right so anybody can send an email or something that they regret no you're all perfect you tweet everything that you want to tweet and nothing more right yeah so repudiation is the ability or you think about I make a stock purchase with my stock broker and I say I want to buy a thousand of these and then the stock crashes and I go oh but I never sent that that 
wasn't me that must have been somebody else so buy and so the the bank has to put things in place to say do not share your password with anyone and make sure it's a strong password so nobody can guess so when you log into the website we know it's actually you because anything we do on your behalf you are responsible for right so this is and there's cool crypto things that you can do to ensure this where you can verify that I actually said something you can think of this even in a classroom setting if I say the exam is going to be on this date at this time and I later say oh actually that didn't happen you would all be rightfully upset about that right you showed up for the exam date and if I could so you want a way to prove that I actually said that at that point in time a similar type of thing I guess on the reverse is kind of a denial of receipt so to say like oh I never got this that would be another threat that we need to worry about and even delay so when could delay be a threat you're kind of mad at someone and you decide to tackle pharmacy and delay the pharmacy from sending out like every time you saw it wow I got dark yes that's a good threat that's a good attacker hat I like it so logistically things not arriving on time when they should which could be life threatening in that case what else yeah yeah so the whole concept of basically like high frequency trading is that they make trades on the order of like micro seconds like they pay a lot of money to be I believe in the same like server racks as the stock exchange so they can process and respond to things very quickly I believe there's a whole complicated thing of setting up like I believe it's like I want to say microwaves or something to like decrease the delay that information takes to go from a stock exchange to other places so if you're able to delay other people on that then that could be a huge financial win for you because that information is important the attacker needs time to fake the voice 
The attacker needs time to fake my voice, or fake a voice in general, so maybe they want more time to launch their attacks or something. Yeah, that's a good one actually. So, cool thing I mentioned... I haven't mentioned here, I don't think. Did I talk to you guys about the email thing in the bank? There's a service that exists in the, like, underground community. So everyone's familiar with spam. Do you all think spam filters are pretty good at blocking out spam? More or less, if you use Gmail you're going to get very little spam. So there's a service that exists which will send random emails to an email address of your choosing. So you pay for it, and they will just keep sending emails with completely random content. So do they mark those as spam based on the content? Let's say it's gibberish or random in general; it's not going to match any previously seen spam, and if it doesn't mention Viagra or whatever the spam terms are nowadays, it's not going to get flagged, right? So it's going to go through. So why does this service exist? To annoy someone? Yes, that's actually probably useful. What about more than annoying, could it actually be used for...? To bury other emails. To bury other emails, yeah. So you think about, let's say you're planning on breaking into a bank. You can rest assured that they have a lot of detection systems that are going to send emails to the security team whenever they notice things happening, or when there's a transaction over a large amount, things like that. So what you do beforehand, right before you're about to launch your attack, is you sign the security team's emails up with this service, so their inbox gets flooded with all of this garbage that is hard to delete, and it's just coming through, and that way they don't see the alerts because they're dealing with this thing. So you can think of that in terms of a delay threat, where, okay, yes, you have this awesome monitoring system that alerts you through email, but how can you guarantee that you'll see that email right when it comes in and it's not being delayed by something else? Cool.
And also denial of service, which we talked about with availability, right? So how easy is it... the main thing to think about is how many resources would it take somebody in order to block all legitimate users from accessing this system? Is it ten dollars? Probably not a lot of money. Is it a hundred dollars? A thousand dollars? If it's going to take a million dollars, then you may be okay with that, right? Thinking, like, this system is not important enough for us to justify a multi-million-dollar attack; if we go down, that's fine, but the other side has to burn a million dollars on taking us down. Yeah? What's the line between denial of service and, like, a really long delay? It is very fine. So it depends on what you're talking about. So denial of service has kind of morphed into its own thing when we talk about, like, a DoS attack or a distributed denial of service attack, so it has a little bit more concrete meaning, where you're trying to overload a system, but delay is kind of more subtle in thinking about that. But you can achieve a delay effect with a denial of service, so yeah. Can you explain delay again? So delay would be some kind of threat where, I mean, let's take it not into a pharmacy example, but, you know, you're running a business and you're making some widget foo and you depend on inputs bar and baz. And so somebody maybe doesn't even hack you, but hacks into your contractors to delay that shipment of your bars or bazes or whatever your inputs are, and so they don't arrive on time, which means you can't deliver your widgets on time, which means you're in breach of contract, you owe people money, it's a huge big problem, just because somebody added an artificial delay into the process. Cool.
So how do we defend against threats? Throw our hands in the air, there's too many of them, we can't possibly do anything, let's just give up. And the ostrich approach, you can bury your head in the sand, do nothing. Yeah? Yes, okay, so that'll be a policy, right? So you could create some kind of things, if you're worried, let's say, about people masquerading as other users on your system, you could create a password policy that says all passwords must be like this, or passwords can't be like this, they can't be easy to guess, all these kinds of things. Hardware. Hardware, yeah, so you may invest in hardware to combat specific threats. So if you're worried about denial of service, buy more machines, you buy a server to run in front, you can pay a company like Cloudflare or Akamai to help you deal with the denial of service attack. Maybe securing your devices, so like if it's a server you might defend, like, have, like, guards or something? Yeah, so actually a lot of data centers will have kind of things where it's like two-factor authentication: you need to show your ID card to a person, there's like a thumbprint reader, maybe even a retina scanner inside the thing. They'll have, I think it's called a man trap, which is like a big cage that comes down on somebody if they're not authorized to be there and try to break into the server. The server rack itself could be locked, so you are the only people who have the keys to get in there, right? So yeah, you can do those kinds of things. What else? Maybe have, like, some fake soft targets to redirect all the attacks? Yeah, so this is kind of the idea of the honeypot approach. So you can create some fake systems and say, watch anything that happens to these systems, right? Because they're fake, nobody's actually using them, so I know if there's any traffic to them it's probably malicious traffic or something bad is happening. The trick about redirecting them to that is you need to be able to identify an attack in the first place, and if you can identify an attack in the first place you should just stop it in most cases. Yeah? So I'd say educate, maybe, your user base. Yeah, so try to identify what threats come from humans or come from users and spend money and effort on educating them,
right, which is what happens. Do you all have to take, like, the ASU information security training? Only just us? Oh, cool, awesome, you should be taking that too. Yeah, man, you think about ASU, ASU is a crazy problem. It's actually all your fault. No, but I was talking to somebody and they mentioned, when you think about a company, what do you think the average turnover rate of employees is per year? Like, turnover rate means how many employees leave per year and how many new employees come in. Yeah, I would say 10, maybe less, even 5%. You think about a whole big company. What do you think the turnover rate is for ASU, including students? Yeah, including students, like not just employees, because they're all on the same network, we're all on the ASU network. It's like 25%, because basically a quarter of you all graduate as seniors and then a new quarter of students come in. And so the ASU network, basically not just the network, but you have to deal with people who you haven't really trained to be on your network. They're coming in, they're bringing all kinds of devices. It's like defending a university network... I'm happy that there's people who do that. Back to this. Yep, please. Like, a general way, it's kind of like predicting attacks before they happen, right? So one of the... exactly, so not just predicting attacks but predicting what an attacker is likely to do. So you can do this in a number of ways, right? You can actually simulate an attacker, you can go hire a company to break into your systems. This is usually called a penetration test. It could even be a physical penetration test. So I'll try to bring in some people this semester to give guest lectures on some of this stuff who actually do this for a living. But I remember listening to some stories where the goal is to get up to the third floor, like, you know, the 20th floor of some building, some super secure building, and the company hires you to do that. And so they have all these tricks about how to get in without a badge and all this stuff, and you know, just like a normal computer security pen test, it's like, I don't know, 90% of the time you're able to get in. It's crazy. Yeah? Protocols. Protocols? Well-defined means of communication. Okay, so between maybe people in the company or the organization. Yeah, so I kind of put those under policies too. So these are like, you have policies, and policies can be any number of things. Like, one really good policy to have would be how does money transfer out of your company, who is authorized to spend money from the corporate checkbook. There's actually a large case of, basically, I think they call it whale phishing, where, instead of... so normal phishing is just you're sending out emails to collect credentials on whatever service; spear phishing is you're targeting a specific person; whale phishing is you're targeting, like, the CEO, or you're targeting usually the CFO, and trying to convince them to send money from the corporate account to you. So one case that I've heard happen, I think it was a pen testing team, so this was like a good scenario: they called the CEO in the middle of the night on their home phone to see what the CEO sounded like yelling, and then one of the people on the team practiced that voice, and then when they knew the CEO was on travel, called the CFO yelling about, I need, you know, we've got to transfer this money to this account, I'm closing the deal with so and so and we need, you know, $50,000 into this account, you got to make it happen, it's got to happen now, otherwise we're going to lose the deal. And then they start to do that process, right? So that goes to protocols, and not having procedures in place of how, you know, like a two-step, a two-phase commit in some sense, of who is authorized to do that. What happens when a CEO asks you for something crazy like that? Do you double check with them? Check with them, and maybe the CFO, to make sure this is something, you know, those kinds of things, right? And having those procedures and policies in place is super important, because then that protects, you know, the employees, from being like, I can't do this, it's not part of the policy, right? It's not part of the proper protocol. Yeah? Audit everything. Yeah, so this is a good one. So this is when thinking about what happens after something happens, right? So it's very easy to spend all of your time thinking about building a beautiful castle with beautiful walls and hiring guards and thinking about how to protect things, but the reality is something is always going to happen, right? So a key component is thinking about, if something happens, how can I figure out what happened, and then that way I can put new procedures in place. That's great. Okay, cool.
So essentially the way I think about these, and the way to think about threats and having to defend against them, it really boils down to two things, and pretty much everything we've said fits. So one is policies. So we talked about policies: how should people be operating, or how should systems be operating? As an organization, what are you kind of requiring people to do? The second one is security mechanisms. So what mechanisms have you put in place to try to ensure certain things? What's the difference here between these two? Policies are more people oriented and mechanisms are more technology oriented, and there's a very tight coupling here between them. It's not just like this black and white, this is a policy and this is a mechanism. Let's think about a lock on a door. Is that a policy or a mechanism? It's a mechanism. It's a lock, there's a key associated with it that can open up that door. So what's the policy? Do we have a lock that's unlocked all the time? Is that an effective security mechanism? No, clearly not, because whatever your overall security goal is, that's not actually doing anything. If your goal is to keep out people who should not be in, then it's not doing anything. So what kind of policy would you need there? Rules for who holds the key. Who has a copy of the key, can the key be copied, how the key passes from person to person. What else would you need? When it's locked. When to lock the door. So you think about a store: if the door is locked while the store is open, that would be an availability problem, because nobody can get in, and actually, maybe worse, nobody can get out, that could be another... a fire hazard. Escort procedures. Escort procedures in what sense? If I don't hold the key but I need access to that room anyway, can someone that holds the key bring me in there with them? Right, so exactly, and that's a great question. An example that's often lost is, does the person holding the key basically own that room and everything that happens in it, and so they can just bring whoever they want in? They can make copies of that key? What's the policy on who they bring into that room or to that store? How often locks need to be changed. How often to change locks, what happens after an employee who owned that key is let go, do we create new locks, do we rekey everything? That way we know they don't have access, right? So these are all, and you can see we've touched on a lot of things that are mixes of mechanisms and policies. So we have this key and this lock mechanism, but how to actually use that effectively to accomplish our security goals is really the realm of the policy, right? About when is it supposed to be locked, whose responsibility is it to lock it when they leave, are they responsible, I mean, responsible for doing that, right? So you have a policy that says the last employee to leave the store must lock the store, and in the morning at 8am you must unlock the door. And then you have to worry about what happens if somebody... maintenance crews need to go in, or the cleaning crew, what happens if the store gets cleaned at night? All these kinds of things actually need to be thought about. Cool.
Okay, so now, with the remaining time, this is fun, we're going to talk about a house. So everyone knows what a house is, you've seen one, you understand a house in general. Okay, so if we think of a house as something we want to defend, what are the threats to this house? Thieves. Burglars. What is that, when you break that down? Intruder. What's an intruder? Say it again? Trespassers. You guys are just naming synonyms. These are all good synonyms, I'm not saying they're wrong. Yes, so somebody who is unauthorized to be in your house, who wants to get into your house for the purposes of stealing something. But do we really care what their purpose is? Not really, kind of, it kind of depends there. Yeah, in the back. Natural disasters. What kind of natural disasters are you worried about? Hurricane. Hurricanes in the middle of the desert? Dust storms, there you go. Or trees falling on your house in a dust storm or wind-heavy event. What was that? An EMP? That is a threat. So this is part of thinking about defending a system, you need to consider all kinds of threats. Yeah? Walking up and hucking a bomb at your house. Okay, you could throw them from, like, 200 to 300 feet away, you could just be lobbing bombs at a house, right? So if you think of it higher, you're worried about destruction to the property from an unauthorized person, because if you're defending your house in such a way that nobody can destroy it, then you can't remodel your house, because you'll stop whatever construction crew is coming in to do stuff. What did you say? Maybe just a fire in general. A fire, yeah, destruction. Scorpions. That was a good, terrible one. Yeah, I had this happen, I think it's the first time I taught 340, where a student had a scorpion on their backpack and was stung by a scorpion, so we had to spray the whole room. So if you see a scorpion, kill it, that should be a normal rule, because apparently other students saw it and didn't say anything. Look out, look out for your fellow students. Okay, okay, that's good. So basically, like, you'd be worried about termites or something getting into the wood of the house? Yeah. I just had a question, it's like, so we're listing off all these threats and stuff, so how do we determine which threat is, like, worth defending? Exactly, how do you know? Cost-benefit analysis, like a statistics thing? Well, oh, you know, we never have hurricanes here, so why defend against hurricanes, right? Okay, so we said we never have hurricanes here, why defend against hurricanes? How do we know where the house is? We're building in Arizona. Did I say we're building in Arizona? Yeah, you did say desert. I said we're in the desert, why would you think about a hurricane? Maybe, let me check the tape later. What else didn't we say about the house? How much we're going to spend on the house. How big is it? How big is it. How many entry points? Already existing, like water, electrical things. What does the house, like, physically look like? What's it for? What's it for. Is it for one of you, is it for me, is it for somebody with a net worth like a billion dollars, like Bill Gates? Do you think we'd have to consider different threats for every one of those different scenarios? Right, Bill Gates is going to have to be thinking about a lot of different threats; he may be much more worried about intruders than we'll be worried about, or the people-hucking-bombs threat, he may be worried about that and we may be less worried about that, right? So I deliberately specified the house to get us to then think about threats, but then go back around. So okay, so then what kind of house do we want to build? So let's say it's for a normal-ish person, does that make sense? Normal person, I don't know. How many stories do you want? Two and a basement. Do they do basements in Arizona? Some do? Interesting, okay, cool, basement. What are we making it out of? I don't know, let's say wood, but that may impact our... let's say we already have a house, let's say we're not building it, so we have a house made out of, like, normal house stuff, I don't know, I'm not that familiar with all that stuff.
And so, okay, so then when we think about the threats, so what threats... cost-benefit analysis, and it's not something that you can really kind of hang a... I don't know, there's been a lot of attempts to try to quantify it. If you can quantify it reliably you'll be a very rich person, because this is something that is very difficult to do, quantifying the cost-benefit analysis of threats to a system. So when we think about that, so normal house, so what kind of threat? So like, are we worried about aliens coming? And some of you, maybe, and that would be very bad, right? So if you're sucked up into an alien spaceship from your house, that may be something you want your house to prevent, right? So the negative is really bad, but if you think about the possibility of that thing happening, it's probably astonishingly low, until some weird news comes out at some point. So we can basically kind of ignore that threat and say, as part of considering threats we can think about it, but then we kind of set that aside and say, okay, we're not going to actually do that. So a big part about, you know, I guess preventing threats is determining how much of your functionality you lose when you prevent threats. So like, if you booby trap all your windows and doors, then how are you going to get in?
Yes. It's also, depending on the state, illegal. I don't know, I'm not a lawyer, but in some places it's like, if you booby trap stuff, you're liable for what happens to somebody when they... And then you think about threats, we think about... well, one of the things we didn't talk about is, what about the person living in the house has a medical emergency, right? They would want the ambulance to come in and help them, and if their place is booby trapped, they're not going to get the help they need. So that's definitely something to think about. So what other threats are you thinking about? The neighborhood you're living in? The neighborhood we live in, say it louder? Yeah, so it just may change your threat posture about what you're worried about, right? And do you need... I don't know, if you really value your privacy you may want huge fences that are super thick or whatever, or you may be fine with no fences, I mean there's some neighborhoods or areas where that happens. What else for kinds of threats? We'll start thinking about how realistic, and should we be thinking about defending against that. Getting swatted. Getting swatted, so what's getting swatted? Someone calls the SWAT team. Yeah, so this is an unfortunate thing that happens, where somebody will spoof a call to a police station, say I'm being held hostage, I'm at so-and-so address, and then they send a SWAT team over there, and it's your address, and nobody's held hostage. I think somebody actually died from that happening a while back. So yeah, I mean, that's a hard one to defend from just a house level, but it's possible. Little kids are going to ring your doorbell. Ooh, doorbell ditchers. So if you're worried about neighborhood kids ringing your doorbell because you're apparently an old man or something, people getting on your lawn and you want the kids to get off your lawn. What else, what other threats? Maybe you have a pool. A pool?
Yeah, you may have a pool. So you may... I don't know if this is a problem in Arizona, but my parents were just saying that they're renovating their backyard and they had a bunch of deer tracks leading, like, to the pool area and then out, but they're super worried because there's a cover on the pool and they're worried that a deer is going to fall in the pool and end up, like, dying in the pool. So now they're worried about what mechanisms they're going to put into place so that deer don't go into that area. So you think about things like that. What else? You want to make sure that when it's built they didn't skimp on materials. Okay, so yeah, you want to think about threats, and that's more kind of the availability, the structure of the house, making sure the house is sound in some sense. There's little you can do unless you know what to do or you have somebody else audit it, right? So the reality there is depending on your budget, right, and that's another thing to think about. We talked about the realism of a threat. So we talked about, I mean, think about, should I be worried, so if we're building a house for a normal person, should they be worried about people tunneling into the ground and tunneling up into their basement? No, probably not. Should Bill Gates or somebody like that be worried about that? Maybe, I mean it depends on what you have in the house, right? But, you know, it happens to banks, so if you're worth a lot of money you maybe want to consider that. Yeah, in the back, I can't hear you. Ooh, yeah, this happens a lot now: stealing stuff off the front porch. You get a lot of Amazon deliveries and people steal packages off your front porch, yeah. So then, okay, so then this is a good discussion. Let's talk briefly about what kind of policies we will put in place to defend against these threats, and mechanisms, let's go with both. So take a threat, say what you want to defend against, why you think it's a legitimate threat, and talk about how you'd try to defend against it. Yeah.
Okay, yeah, so you can put bars on your windows, right? So that would be a mechanism that you can install into your house to prevent burglaries through windows. What else? Yeah. Spread of fire: you can keep an extinguisher and make sure you always have your cell phone so you can call. There you go. So making sure you have a fire extinguisher would be a mechanism, right? The policy would be replacing that fire extinguisher every year or however long it needs to be. Along with that, what you didn't say is making sure you have fire alarms in every room of the house. Smoke detectors, there you go, the smoke detectors in every room, and then you need a policy about how often you check the smoke detectors, making sure that they're still working, that they have batteries, right? Because if they die, then your mechanism is ineffective. What was the last thing you said? I just said make sure you have a phone. Phone, right, so that would be policy, right? So you may actually want to have a landline, because if there's a fire, maybe... well, your cell phone would probably work, but if an EMP goes off and you're worried about that, your landline is still going to work, most likely. A policy for keeping people from stealing your packages might be having them get a signature, or putting it in, like, a PO box. So one thing would be requiring all packages to have a signature; that again has the trade-off where now that's super annoying if you're not home. Or a specific area where they can leave it, or maybe another way would be you have, like, a fenced-off area where the UPS or whatever drivers know the code to get in to drop the package off but other people don't, so that can cut down on that. So yeah. Lock the door when you go in, whether you're home or not; either you lock it all the time, or you don't lock it every time you close it. Yeah, so definitely, okay, so good, so the policy would be: always lock the door when you get home. Do you all do this? Okay, see, I thought... okay, yeah. So I grew up, both of my parents were with the Sacramento Sheriff's Department, so we, like, always locked our door, just like a natural thing, you go home, lock the door. And then I started living with people in college and I realized that was not a standard thing. Adam, why do you keep locking these doors, like, we're here. I don't want anyone else to come in. Like, I don't know, you go in, you close the door, I don't lock the door, what's the big problem? So yeah, the mechanism might be a security system, right? You may install a security system. That also has downsides in terms of usability, where you may come home, or you may invite somebody over to your house, maybe not give them the code, all kinds of things, you know. So you have to think about this, because all these things we talked about all cost money, right? So if your house is, let's say, I don't know, $300,000, if you're going to spend a million dollars to secure it, that might not be the best way to invest your money, right? Yeah, yeah, here. Guard dog. Yeah, so you may get a guard dog, mechanism, right, that can, depending on the dog, hopefully it's actually a guard dog and doesn't just lick whoever comes to the house. Yeah. Insurance. Yes, so a lot of the natural disasters, you say, well, it's really difficult for me to prevent a tree falling on my house, I'm going to pay a company who will reimburse me if something like that happens, and so that way if that happens you're not out the entire value of the house. You are paying to kind of mitigate some of that. Yeah? Would that be policy? Good question. I think it would be a mechanism, I would say, but the policy would be, I have to have insurance, like homeowners insurance, right? That's what I think your policy would be: you have to have insurance, and the mechanism would be actually having it. And the policy would be, I need to pay my insurance premiums on time, right? Because if you don't have that, then that mechanism you have doesn't actually work. Cool. All right, this is a great discussion, I appreciate that, and see you on