Evaluation Frameworks

General methodology: compare alternatives side by side in a simple chart.

Chart legend: empty circle = does not achieve the criterion; half circle = achieves it with caveats; full circle = achieves it.

Define every criterion, and define what each symbol means for each criterion.

Phrase each criterion in such a way that a full circle is the desirable (best) outcome.
Alternatives compared:
- Passwords
- Biometrics
- Hardware token (e.g. RSA)
- Google 2FA (e.g. SMS one-time password)
- Password managers
- Client certificates
- Single sign-on (Facebook Connect)
- Graphical passwords (e.g. Android)
Evaluation Criteria: Security, Usability, Deployability

Usability
- U1 Physically Effortless: the user never has to type or draw anything.
- U2 Nothing to Memorize (Memorywise-Effortless): the user never has to remember a secret; X passwords for X websites does not achieve this.
- U3 Nothing to Carry.

Security
- S1 Resilient to Throttled Guessing; S2 Resilient to Unthrottled Guessing (112 bits noted in the scan as the guessing-space reference).
- S3 Resilient to Observation: typing or drawing something can be observed; nothing entered achieves this.
- S4 Resilient to Physical Theft: achieved only if stealing something is insufficient to log in (stealing it being sufficient fails the criterion).

Deployability
- D1 Negligible Cost: having to buy new equipment per user is a cost; working within existing infrastructure is negligible cost.
Chart: comparison of the alternatives above against the criteria (hand-drawn circle chart, not legible in the scan; the first row is Passwords).
Notes (on password usability)
- Human-chosen passwords: weak.
- System-chosen passwords: strong.
- Handwritten examples of weak human-chosen passwords (only fragments legible in the scan: "LOVE", "07777", "1234", "ABAB", date patterns such as mmDD and DDMM).
Recap
- STRIDE: evaluating a single solution.
- Evaluation frameworks: evaluating a set of solutions.
- Attack trees: evaluating a single threat against a solution.

Attack Tree / Threat Tree
- Structured brainstorming about attacking a system; include all potential threats, not just attacks that work.
- Objective: think about alternatives and think broadly about security. Can use STRIDE to seed the tree.
- Requires expertise: the structure is easy, the execution is hard.