Complete and in-depth notes on ECM2426 Network and Computer Security module, fully covers content on multiple topics such as Symmetric/Asymmetric encryption, NSPK protocol, Dolev Yao Intruder, Threat Modelling, OFMC language, Open Signatures, Cryptography and the Diffie-Hellman key exchange.
Information is beautiful - a website which documents details of past data breaches.
“A hack not only costs a company money, but also its reputation and the trust of its customers. It can take years and millions of dollars to repair the damage that a single computer hack inflicts.”
Data breaches
LinkedIn, May 2016
164 million email addresses and passwords.
Data on sale was from an attack in 2012 (first time offered for sale: May 2016).
Compromised data:
Email addresses and passwords.
TalkTalk, October 2015
Nearly 157,000 customer records were leaked.
Nearly 16,000 of these records included bank details.
More than 150,000 customers lost (home services market share fell by 4.4% in terms of new customers).
Costs for TalkTalk: around 60 million.
This is an interesting example because it is one of the few for which the financial loss can be quantified.
Ashley Madison, July 2015
More than 30 million email addresses and much more worrisome information:
Dates of birth.
Email addresses.
Ethnicities, Genders.
Sexual preferences.
Home addresses, phone numbers.
Payment histories.
Passwords, usernames, security questions and answers.
Website activity.
Similar Leak: Mate1 in February 2016.
Other examples (estimated cost):
TJX Company, Inc. (2007): $250 million
Sony (2011): $170 million
TalkTalk (2015): ca. $75 million
Heartland Payment Systems (2009): $41 million
Note:
Publicly known incidents are usually “Business-to-Customer (B2C)”.
Business-to-Business (B2B) incidents are often not publicly known.
Lecture 2 - Introduction
The 3 Fundamental Concepts of Security: CIA
1. Confidentiality:
Protecting information from disclosure to unauthorised parties.
2. Integrity:
Protecting information from being modified by unauthorised parties.
3. Availability:
Ensuring that information is available (accessible) to authorised parties.
Identity and AAA (Authentication, Authorisation, and Access Control)
To decide whether a subject (e.g. a human person) is a member of an authorised party that may access an object, i.e. execute an operation such as read, write or execute on a resource (a physical object, a function call, data/information), we need to solve:
Identification:
Associating an identity with a subject.
Authentication:
Verifying the validity of something (usually the identity claimed by a system entity).
For example, this could be entering the correct password along with the identifier (typically, this is a
username).
Authorisation:
Granting (or denying) the right or permission of a system entity to access an object.
Access Control:
Controlling access of system entities (acting on behalf of subjects) to objects, based on an access control policy (“security policy”).
Mechanisms for Identity Authentication
The most widely used mechanisms for authentication are:
- Something you know: e.g. a password or PIN.
- Something that you have: e.g. a smart card or a one-time password generator.
- Something that you are: e.g. biometric characteristics such as a facial scan/photograph.
- Context, e.g. your current location: being physically close to an object, being in a secure building.
Multi-factor authentication:
Use more than one authentication mechanism together.
Why does a good multi-factor authentication system require mechanisms from different categories (e.g. something you know and something you have)?
Passwords
Are widely used.
Hard to remember.
Good passwords are: long and random.
Good systems:
Allow for passwords of arbitrary length.
Store passwords hashed and salted.
It is not so clear whether forcing users to:
change passwords frequently;
use a certain structure (e.g. upper and lower case characters, special characters)
… really helps. What could be problems?
Since 2019, Microsoft recommends not forcing users to change passwords regularly.
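An added example (not from the notes) of what “store passwords hashed and salted” and “allow passwords of arbitrary length” look like in code: a per-password random salt, an iterated key derivation function (PBKDF2-HMAC-SHA256 from the Python standard library), and a constant-time comparison on login. The record format `algorithm$iterations$salt$digest`, the function names and the sample users are assumptions made for this example.

```python
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 600_000  # PBKDF2 work factor (OWASP's figure for HMAC-SHA256); raise over time
SALT_BYTES = 16       # 128-bit random salt, generated per stored password


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$digest_hex.

    `salt` is normally drawn from os.urandom; it is a parameter only for deterministic tests.
    PBKDF2-HMAC accepts input of any length, so long passwords are not silently truncated
    (unlike e.g. bcrypt, which only uses the first 72 bytes).
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and iteration count; compare in constant time."""
    try:
        algorithm, iterations, salt_hex, digest_hex = record.split("$")
        rounds = int(iterations)
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
    except ValueError:  # malformed record: wrong field count, bad integer or bad hex
        return False
    if algorithm != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    # compare_digest does not stop at the first differing byte, so timing leaks nothing.
    return hmac.compare_digest(candidate, expected)


def demo() -> dict:
    """Constructed sample logins showing the properties the notes ask for; every value is True."""
    pw = "correct horse battery staple"
    alice, bob = hash_password(pw), hash_password(pw)  # two users, same password
    long_pw = "x" * 10_000
    rec_long = hash_password(long_pw)
    return {
        "same_password_different_records": alice != bob,  # per-user salt defeats shared tables
        "login_ok": verify_password(pw, alice),
        "wrong_password_rejected": not verify_password(pw.capitalize(), alice),
        "long_password_accepted": verify_password(long_pw, rec_long),
        "long_password_not_truncated": not verify_password(long_pw[:72], rec_long),
    }
```

Salting is what makes `alice` and `bob` differ even though they chose the same password, so a leaked database cannot be attacked with one precomputed table for all users.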
Is this a good 2-Factor Authentication?
The password can be changed by the user.
The PIN was sent in a letter.
Example of something that you have: Hardware tokens
Examples of something that you have:
Chip cards.
One-time password generators.
Your UniCard.
Today, we see a shift towards soft-tokens, e.g., a one-time password app on your mobile.
Is your UniCard a good hardware token? No. It is easy to clone its magnetic stripe, which grants access to university facilities.
Example of something that you are: Biometric
Biometric:
Uses characteristics of your body, e.g. a fingerprint or a retina scan, to authenticate the identity.
Many unsolved problems:
Is a fingerprint a secret protected by the first amendment, i.e. the protection of free speech (ongoing debate in the US; passwords are protected in the US)?