ICS: The Security Mindset

## Security Fails
- You can find them [many places online](https://www.google.com/search?q=security+fails); Here is [one](https://www.boredpanda.com/funny-security-fails/?utm_source=google&utm_medium=organic&utm_campaign=organic)
  - You may want to open that in a private tab!

## What is Security?
>  Security is freedom from, or resilience against, potential harm (or other unwanted coercive change) from external forces.

from [Wikipedia](https://en.wikipedia.org/wiki/Security)

## What are "external forces"?
- In our context, usually malware written by individuals
    - But not always!  Stealing a computer to obtain the information on it is a non-software based approach...
- To fight them, we have to understand them...

## No security is 100% fool-proof
- Consider the 128 bit MD5 hash
  - One can brute force it!
  - There are $2^{128}=3.4*10^{38}$ possible hashes
  - So the chance of somebody guessing it is $100-\frac{1}{2^{128}}$ = 99.999999....% (a total of 42 9's)
- That seems secure until you use a fast computer to brute force it in an hour or so...
  - (there are mathematical weaknesses in MD5 that allow one to crack it in a minute or less)

## Consider (only) 1024 bit RSA
- There are approximately $1.88*10^{302}$ possible primes to brute force
  - And there are only an estimated [$10^{80}$ particles in the known universe](https://en.wikipedia.org/wiki/Elementary_particle#Common_elementary_particles)
- Let's assume that each particle could compute one prime each millisecond
  - That would take you $5.95*10^{211}$ years
  - And the universe is only about $13.75*10^{9}$ years old...
- Now 2048 bit is recommended, and 4096 is available
- [Source](https://crypto.stackexchange.com/questions/3043/how-much-computing-resource-is-required-to-brute-force-rsa)

Example: "Unbreakable" RSA

"Security" from xkcd # 538

If you know the enemy and know yourself,
you need not fear the result of a hundred battles.

If you know yourself but not the enemy,
for every victory gained you will also suffer a defeat.

If you know neither the enemy nor yourself,
you will succumb in every battle.

– Sun Tzu, Art of War, chapter 3
(Lionel Giles' translation)

## Thinking Like a Defender
- There are four parts that we'll go over
  - Security policy
  - Threat model
  - Risk assessment
  - Countermeasures

## Security policy
- What are we trying to protect?
- What properties are we trying to enforce?
  - Confidentiality
  - Integrity
  - Availability
  - Privacy
  - Authenticity

## Threat model 
- Who are the attackers? 
  - Motives?
  - Capabilities?
  - Access?

## Risk assessment
- What would security breaches cost us?
  - Direct costs: money, property, safety, ...
  - Indirect costs: reputation, future business, well being, ...
- How likely are these costs?
  - Probability of attacks?
  - Probability of success?

## Countermeasures
- Technical countermeasures
  - What most of this course is about!
- Non-technical countermeasures
  - Law, policy (government, institutional), procedures, training, auditing, incentives, etc.

## Security Costs
- No security mechanism is free
  - Direct costs: design, implementation, enforcement, false positives
  - Indirect costs: lost productivity, added complexity
- Challenge is rationally weigh costs vs. risk
  - Human psychology makes reasoning about high cost/low probability events hard

## Case Study: Designing a software grading system
- Thinking like an attacker:
  - What are the weakest links?
  - Security assumptions?
  - Thinking outside the box?

## Case Study: Designing a software grading system
- Thinking like a defender:
  - Security policy: what are we trying to protect?  What properties are we trying to enforce?
  - Threat model: who are the attackers?  What are their motives, capabilities, and access?
  - Risk assessment: what would a breach cost us, both in direct and indirect costs?  How likely are these costs?
  - Countermeasures: both technical and non-technical

## A pin tumbler lock
![](images/security-mindset/Pin_tumbler_no_key.svg)

## A pin tumbler lock
![](images/security-mindset/Pin_tumbler_no_key.svg)
- The purple & red rods are the metal *pins*
 - Purple are the *driver pins*, red are the *key pins*
- The 'breaks' between them must all align with the top of the *plug* (yellow in the diagram) to allow it to rotate in the cylinder
 - This opens the lock

## With a wrong key
![](images/security-mindset/Pin_tumbler_bad_key.svg)
The pins are not aligned so the plug can't rotate

## With the right key
![](images/security-mindset/Pin_tumbler_with_key.svg)
Note that the 'breaks' between the pins are lined up

## Unlocked lock
![](images/security-mindset/Pin_tumbler_unlocked.svg)

## How to pick a lock
- First, get a set of lock picks ($15 for a decent pair on Amazon)
  - Disclaimer: it is ILLEGAL to own a set of lockpicks in Virginia unless you are a certified locksmith
- And maybe some [practice locks](https://www.amazon.com/s/ref=nb_sb_noss_1?url=search-alias%3Daps&field-keywords=transparent+lock) which run as low as $9 on Amazon

## How to pick a lock
<iframe width="720" height="540" src="http://www.youtube.com/embed/Mz5IOFK38nU?rel=0" frameborder="0" allowfullscreen></iframe>
<a href='http://www.youtube.com/embed/Mz5IOFK38nU?rel=0'>direct link</a>

## Pop Quiz
Now that you know how easy it is to pick a cylinder lock, how many people feel *less* comfortable using cylinder locks?

## Locks are no longer secure!
- What are we ever going to do?
- Keep in mind that no security is full-proof
  - Not even RSA
- Many lock companies provide higher quality locks for a higher price
  - They are much harder to pick, but not impossible

## How to break into this house?
![](https://upload.wikimedia.org/wikipedia/commons/thumb/d/d0/California_Bungalow.jpg/1280px-California_Bungalow.jpg)

## Locks and security
- A lock doesn't have to be full proof
  - But it does have to be difficult enough that one will try another avenue
    - Means of entry, another house, etc.
- Security is determined by the *weakest link*
  - Such as the window in the picture on the last slide

## Should the "weaknesses" of security be published?
- Some think no; consider the case of Professor Matt Blaze at UPenn
  - His research is security and cryptography
- He published an article that discussed safe cracking
  - [Safecracking for the computer scientist](https://www.mattblaze.org/papers/safelocks.pdf)
  - A frank discussion of the quality of safes and their weaknesses
- Some in the locksmith community [tried to silence him](https://groups.google.com/forum/#!topic/alt.locksmithing/WAVbLjCSMQM%5B1-25%5D); it didn't get very far...

## Introduction
- All the information herein is taken from the [Heaphy report](https://www.policefoundation.org/wp-content/uploads/2017/12/Charlottesville-Critical-Incident-Review-2017.pdf) or [Wikipedia's article](https://en.wikipedia.org/wiki/Unite_the_Right_rally)
  - The Heaphy report was commissioned by the Charlottesville City Council after the rally
  - Immediately after it was released, both the Chief of Police for Charlottesville and the Superintendent of the Virginia State Police (VSP) resigned
- Note that the *police officers* and the *VSP troopers* that were present did their jobs they were directed to do -- it was the leadership that screwed up

## Report results
> The report found that the Charlottesville Police Department had failed to adequately prepare for its events, had a flawed plan of response, and was not properly trained. The report also criticized actions by the Charlottesville City Council, attorneys from the city and state, the University of Virginia and the Virginia State Police.

from [Wikipedia's article on the rally](https://en.wikipedia.org/wiki/Unite_the_Right_rally#Heaphy_report)

### Police watched violence happen
From one (of many) [sources](https://www.propublica.org/article/police-stood-by-as-mayhem-mounted-in-charlottesville): "State police and National Guardsmen watched passively for hours as self-proclaimed Nazis engaged in street battles with counter-protesters. ProPublica reporter A.C. Thompson was on the scene and reports that the authorities turned the streets of the city over to groups of militiamen armed with assault rifles."
 
The image on the next slide shows this happening...

## Other problems
- Police did not have riot gear on (or ready) when people started showing up
- The protesters (the white supremacists) were entrusted to enter the park where they were told to do so (they didn't)
- An apparent lack of understanding how to plan for, control, and manage rioting demonstrators by the police leadership
- The list goes on and on...

## Countermeasures
- Some where "non-technical"
  - Lawsuits against the many armed militia groups resulted in legally binding agreements not to attend any more rallies in Charlottesville
  - Lawsuits against the organizers, many of which are still ongoing as of 2019
  - The proof that violence can happen at these allowed Charlottesville to legally deny a permit for an anniversary rally

## Countermeasure Results
- The [Unite the Right anniversary rally](https://en.wikipedia.org/wiki/Unite_the_Right_2) in 2018 in Washington, DC had 20-30 supporters and "thousands" of counter-demonstrators
  - It was described as a "pathetic failure" and "embarrassing"

## Apply the Security Mindset
- From Sun Tzu: understand your enemy (think like the attackers)
  - They did not comprehend the violence that the neo-Nazis were intending to participate in
    - Weapons were not banned!
  - The thought was that neo-Nazis would follow the rules about where to enter the park
  - They thought a simple sawhorse barrier would prevent traffic on 4th St SE
  - They did not understand the riots that were going to take place

## Apply the Security Mindset
- From Sun Tzu: understand yourself
  - They did not have adequate equipment (riot gear)
  - They did not understand their ability to move people in and out of the protest areas
    - And how to keep the groups separated
  - They did not understand (or admit) to their lack of knowledge to handle these events
    - Federal agencies could have been called in to help