Good morning!
• The lecture will start at 10:45 (let's wait for everyone).
• If you have any questions, please ask in the chat.
• Note that the lecture will be recorded.
• Please write your name and student ID here: https://forms.gle/27SzdTnbd83meTKC8
Information Security and Ethics
Information Literacy I – EN(IL1) Course
Information Security
Information Security: Tokyo Tech Guidelines
Link to these Guidelines: useful information, but mostly in Japanese
Wikipedia page
Information Security
• Key concepts
• Security controls
• Risk management
• Typical objectives
• Attack methods
Key concepts: what is the CIA triad?
• Confidentiality: information is disclosed only to authorised parties
• Integrity: information is not altered or destroyed without authorisation
• Availability: information and services are accessible when they are needed
• Non-repudiation (often added to the three): a party cannot later deny having sent a message or performed an action
Security controls
• Administrative: policies, procedures, standards, guidelines; laws, regulations
• Logical: authentication, firewalls, intrusion detection, encryption (principle: least privilege)
• Physical: doors, locks, alarms, cameras, security guards (principle: separation of duties)
Risk management
Security in depth (also called defense in depth), applied at design time:
1. strengthen system A
2. "what if?": strengthen B assuming A is violated
3. repeat at each level, so that no single control is the only thing standing between the attacker and the asset
Typical dark motives
• Destruction: attacks on devices/infrastructures, harassment, …
• Information / money theft: identity theft, espionage, account compromise, ransomware
• Stealing processing power: spambot farms
Attack methods (generic)
• Eavesdropping
• Masquerading
• Replay attack
• Man-in-the-middle
• Session hijacking
(The slides illustrate these with diagrams: first normal communication between two parties, then the same exchange with an attacker, Charles, performing eavesdropping, masquerading, a replay attack, a man-in-the-middle attack and session hijacking.)
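The following is an added example, not code from the lecture: a toy request protocol between a client (Alice) and a server, with Charles on the wire, used to show three of the attack methods above and the checks that stop two of them. Everything in it is constructed for the example: the shared key, the attacker's key, the message format (JSON body plus an HMAC-SHA256 tag) and the fixed clock value. Eavesdropping succeeds because the body is sent in the clear; masquerading fails because Charles cannot compute a valid tag without the key; a replay succeeds against a server that only checks the tag and fails against one that also demands a fresh nonce and a recent timestamp.

```python
import hashlib
import hmac
import json
import secrets

# Pre-shared key between Alice and the server, and a key Charles made up.
# Both are constructed for this example.
SHARED_KEY = b"constructed-shared-secret-for-this-example"
ATTACKER_KEY = b"charles-does-not-know-the-real-key"


def make_message(key, sender, action, now, nonce=None):
    """Build an authenticated request: a JSON body plus an HMAC-SHA256 tag over it.
    The body is not encrypted, so anyone on the wire can read it."""
    body = {
        "from": sender,
        "action": action,
        "nonce": nonce if nonce is not None else secrets.token_hex(8),
        "ts": int(now),
    }
    payload = json.dumps(body, sort_keys=True).encode()
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return payload, tag


def valid_tag(key, payload, tag):
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)  # constant-time comparison


class NaiveServer:
    """Checks only the MAC. This stops masquerading by someone without the key,
    but the same captured (payload, tag) pair is accepted again: a replay."""

    def __init__(self, key):
        self.key = key
        self.executed = []

    def handle(self, payload, tag, now):
        if not valid_tag(self.key, payload, tag):
            return "rejected: bad tag"
        self.executed.append(json.loads(payload)["action"])
        return "accepted"


class HardenedServer(NaiveServer):
    """Also requires a timestamp within `window` seconds of the server clock and a
    nonce never seen before. The window bounds how long seen nonces must be kept."""

    def __init__(self, key, window=30):
        super().__init__(key)
        self.window = window
        self.seen_nonces = set()

    def handle(self, payload, tag, now):
        if not valid_tag(self.key, payload, tag):
            return "rejected: bad tag"
        body = json.loads(payload)
        if abs(now - body["ts"]) > self.window:
            return "rejected: stale timestamp"
        if body["nonce"] in self.seen_nonces:
            return "rejected: replayed nonce"
        self.seen_nonces.add(body["nonce"])
        self.executed.append(body["action"])
        return "accepted"


def run_scenario(now=1_700_000_000):
    """Alice sends one request; Charles sits on the wire. Returns what happened
    at each server so the outcomes can be checked. `now` is a fixed clock value."""
    naive, hardened = NaiveServer(SHARED_KEY), HardenedServer(SHARED_KEY)
    results = {}

    # Normal communication: Alice -> server.
    payload, tag = make_message(SHARED_KEY, "alice", "transfer 100 to bob", now)
    results["naive_first"] = naive.handle(payload, tag, now)
    results["hardened_first"] = hardened.handle(payload, tag, now)

    # Eavesdropping: Charles captures the bytes and reads them (nothing is encrypted).
    results["eavesdropped_action"] = json.loads(payload)["action"]

    # Masquerading: Charles forges a request "from alice" but has the wrong key.
    forged, forged_tag = make_message(ATTACKER_KEY, "alice", "transfer 100 to charles", now)
    results["naive_forged"] = naive.handle(forged, forged_tag, now)
    results["hardened_forged"] = hardened.handle(forged, forged_tag, now)

    # Replay attack: Charles re-sends the captured pair, unchanged, 5 seconds later.
    results["naive_replay"] = naive.handle(payload, tag, now + 5)
    results["hardened_replay"] = hardened.handle(payload, tag, now + 5)

    # Late replay against a fresh server (nonce cache empty): the timestamp window catches it.
    late = HardenedServer(SHARED_KEY)
    results["hardened_late_replay"] = late.handle(payload, tag, now + 3600)

    results["naive_executed"] = list(naive.executed)
    results["hardened_executed"] = list(hardened.executed)
    return results


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key:24} {value}")
```

The naive server ends up executing the transfer twice; the hardened one executes it once. Note that neither server stops eavesdropping: a MAC gives integrity and authentication, not confidentiality, which is why the countermeasure list later in the lecture names encryption and authentication separately.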
Attack vectors
• Human: "social engineering", phishing, dumpster diving (searching discarded documents and media)
• Hardware: backdoor, physical attack
• Software / Network: next slide…
Program threats
• Trapdoor (backdoor)
• Trojan horse
• Logic bomb
• Virus / worm
• Denial of service (DoS)
• Spyware / monitoring
• Covert channels
Some countermeasures
• Firewall
• Phishing monitoring
• Anti-virus software
• Backup
• Cryptographic protection: encryption, authentication, certification
• Privacy mode, adblock
• Tor
• …
Information Ethics
Copyright for Digital Technologies
• Software copyright
• Software license
• Reverse engineering
Program shown on the slides (Scala: a leader-election protocol over an arbitrary topology, written against a ReactiveProtocol framework whose definitions of SEND, DELIVER, Token, AnnounceLeader, Candidate and Elected are not reproduced on the slides):

    class ArbitraryTopologyElection (p: ProcessConfig) extends ReactiveProtocol(p,…) {
      private def isRoot = parent == me
      private var parent = me
      private var maxID = me
      private var color : StateColor = Red
      private var children = neighbors.toList
      private var announced = false

      // Pass the token to the next unvisited child; when none are left, return it
      // to the parent, or announce the leader if this process is the root.
      private def visitNextChild() {
        children match {
          case next :: tail   => SEND (Token(me, next, maxID)) ; children = tail   // Rule 1
          case Nil if ! isRoot => SEND (Token(me, parent, maxID))                   // Rule 2
          case Nil if isRoot   => SEND (AnnounceLeader(me, neighbors+me, me))       // End
        }
      }

      def onSend = {
        case Candidate if color == Red   => visitNextChild()
        case Candidate if color == Black => /* IGNORE */
      }

      listenTo(classOf[Token])
      listenTo(classOf[AnnounceLeader])
      def onReceive = {
        case Token(_,_,pid,_) if pid < maxID  => /* DROP */
        case Token(_,_,pid,_) if pid == maxID => visitNextChild()
        case Token(from,_,pid,_) =>
          // A larger ID wins: adopt it, join that wave, and forward to all other neighbours.
          color = Black ; maxID = pid ; parent = from
          children = (neighbors - from).toList
          visitNextChild()
        case AnnounceLeader(_,_,_,_) if announced => /* DROP */
        case AnnounceLeader(from,_,leader,_) =>
          announced = true
          SEND (AnnounceLeader(me, neighbors-from, leader))
          DELIVER (Elected(Some(leader)))
      }
    }
Copyright on Programs
• copyright on the program
• copyright on assets (images, sounds, characters, …)
Copyright on Programs: "look-and-feel"
• pull-down menu vs. pop-up menu
• trash can vs. recycle bin
• logo vs. start menu
Software license
• Free software / Open source: "free as in beer" or "free as in freedom"
  Variants: BSD, MIT license, Apache; GPL, LGPL; Creative Commons
• Freeware: free to use, restrictions may apply
• Shareware: limited version + pay to unlock, paid content
• Commercial license: personal license, site license, floating license
GDPR?
General Data Protection Regulation: "new" regulation in the European Union (adopted in 2016, enforced since May 2018)
Wikipedia link:
"Business processes that handle personal data must be built with data protection […] and use the highest-possible privacy settings […], so that the data is not available publicly without explicit consent, and cannot be used to identify a subject without additional information stored separately. No personal data may be processed unless it is done under a lawful basis specified by the regulation, or if the data controller or processor has received explicit, opt-in consent from the data's owner."
Consequences:
• New terms of contract for many websites
• Some websites are not available anymore
Summary of key points
Information security
• concepts: confidentiality, integrity, availability, non-repudiation
• controls: administrative, physical, logical
• attack vectors, program threats
Information ethics
• copyright
• software license
3rd Test – Security and Ethics
Your answers should be submitted via the Google Form:https://forms.gle/zdve3VyDKAAbJQZE7 (link also on the website).
To be completed by June 22, 23:59 (strict deadline).
You can submit your answers multiple times; the last submission before the deadline will be considered final.
This test is mandatory – it is a part of your course evaluation.
Next quarter? Information Literacy II
• Data processing (gnuplot or python/matplotlib)
• Writing scientific documents (LaTeX)
• How to make nice presentations
Less talking, more doing!
First lecture on June 22 at 10:45
Japanese Website: https://titechcomp.github.io/y20-il2j/
Course Evaluationhttps://www.ks-fdcenter.net/fmane_titech/Ans?ms=t&id=titech&cd=iL3ptEVD