PD4CS

• Confidentiality: Ensure that only authorized people get access to information. For example, there are many laws about who is authorized to access a person’s medical records. This information is often stored digitally and must be secured so as to make it infeasible for any unauthorized user to gain access to it.
• Integrity: Make sure that information is accurate. The world, especially the digital world, generates  data and information. Companies gather and analyze large amounts of data in order to make decisions.  Companies work on a network where many users have access to the same files. With many users involved, it is important that the system administrator make sure the information accessed is accurate and has not been changed incorrectly, whether unwittingly or maliciously.
• Availability: It is not enough to keep malicious or unauthorized users away from information. Sometimes, a substantial amount of damage can be done just by keeping authorized users from the information. An example of this is known as a Denial of Service (DOS) attack. A DOS attack bombards a website with so many requests that the site crashes, denying service and information to legitimate users. This can be not only inconvenient to users, but also extremely expensive to organizations and corporations.
• Non-repudiation: As the world becomes increasingly more digital, things that were once done with paper and pen are now often being done electronically. For example, many contracts are now signed digitally. The idea behind non-repudiation is to make sure that if Alice signs an electronic contract with Bob, she can’t come back later and deny signing it.

See https://en.wikipedia.org/wiki/Information_security for more information.

Much of everyday life is done online. We shop, bank, socialize, communicate, and research online. We have personal and valuable information stored digitally–social security numbers, credit card numbers, bank account numbers, medical information, etc. Massive amounts of personally identifying information are stored digitally and accessed through networks, including wireless networks. There are more and more devices connecting to such networks and data is increasingly stored in clouds, meaning that it is stored using a network of Internet-hosted servers rather than a personal computer or local server.

If a malicious attacker gains access to that information, he or she could assume someone’s identity, steal money, ruin credit, hack in to personal devices, etc.  The “Internet of Things” describes a world in which all kinds of things are connected to the Internet–such as cars, refrigerators, etc. This results in a large number of devices and therefore lots of information being connected to the Internet. The ease in storing massive quantities of data means that more organizations and businesses are doing so. The market for illegally acquired information has increased motivation for dangerous agents to acquire various information assets. Cybercrime is becoming increasingly more lucrative. Hence, the need for ensuring information security will only increase.

With more and more devices being connected, information is not only more easily accessible, but it is also more vulnerable. A vulnerability in one small part of the network can result in a vulnerability for the entire network. Ask your students if they or someone they know have experienced a situation in which valuable information was accessed illegally. What information was stolen? How was it done? What security measures could have been taken to prevent it? What were the repercussions? It might also be a good place to look at some major security breaches that affected a lot of people connected to a single corporation. Some fairly recent examples include Target, Anthem, and Sony.

Everyone from individual users to system administrators in major corporations to government officials to security agencies have to take responsibility for securing information. Think about the things you do online every day. How many passwords do you have to maintain? How do you keep track of your passwords? Are they strong passwords?

Discuss with your students some everyday situations and what a malicious attacker might do to gain access to valuable information. How would you go about getting someone’s password? How would you go about getting their credit card information? How would you shut down someone’s website? An important skill in security is to learn to think like an attacker. The bad guys are always thinking of new ways to do new things they consider lucrative. It is important for the good guys to try to anticipate the next move.

Individual users should be aware of possible security vulnerabilities and use good security practices and good judgment with their personal data, as well as any data they have access to because of their jobs. Companies need to be responsible in how they store customer data, but remember that a system is only as strong as its weakest link. Take a bank account, for example. The bank may set up a secure website that uses good security practices, storing personal information in encrypted form, and making it difficult for an attacker to gain access to a customer’s information. But what if a user chooses a password that is not only easy to remember but also easy to guess? Or what if a user is not aware of phishing scams?

There are security agencies who help companies and government agencies develop good security protocols, but it is important for every user of digital resources to be aware of the kinds of attacks that are possible and to take measures to protect their own and others’ information.

A simple answer is: everywhere–that is, everywhere where information and data are stored in digital form. Most of us interact with digital information every day usually through the Internet. We browse websites, we socialize through social networks, we do our banking online, etc. The first place security is needed is in our everyday behavior. How do you choose and store your passwords? What precautions do you take to ensure that links you click on are legitimate and software you download is what it says it is? Do you check the security of applications before you download?

Software can present many security issues. Developers must be aware of possible security vulnerabilities and test their code thoroughly to ensure it is safe. Users must also be aware of security issues related to software and use good judgement when using software. For every benefit a user gains in having open access to a networked resource, they sacrifice some security because potential adversaries may also gain access to those resources. With wireless networks, clouds, and so many devices connecting to information, it is more and more crucial that people be aware of security issues. One major type of software is the computer’s operating system. The operating system is a complex program that is the focus of many attacks. A major key to these attacks is in getting access to the super user or administrator account. This provides the enemy with many options for continuing the pursuit of the system’s various information assets.

From a coding standpoint, it is important to discuss with programmers the ways in which they can test their code for both correctness and potential exploitable weaknesses. Weaknesses change over time, but there are several common attacks that a programmer should be aware of.

1. The first strategy related to Python programming comes from dealing with the raw_input() or input() functions. All input is read into a buffer, and so it can be easily overflowed by a malicious user. There can also be ways that unexpected input can be used to disrupt a program.
2. Another strategy used is to submit an unexpected file to a program that is looking for file input using open(), urlopen() or other related code. This should be addressed via a rigorous approach to input validation. This can include the idea of logging information about interactions with a program using whitelists and blacklists.
3. Sometimes, code segments are dynamically generated (for example, a database request using SQL). This can provide an opportunity for a malicious user to disrupt the intended code and insert their own dangerous segments. This kind of attack is known as SQL Injection and is discussed in further detail in the Web and Network Security post.

Ultimately, it can be an interesting and valuable exercise for students to attempt to break each other’s code in a way that gives them an advantage. Introducing the idea of buffer overflow and input/output piping can be an effective way to inspire students to look more seriously at their code from a security standpoint.