Cybersecurity: Crash Course Computer Science #31

00:03

Hi, I’m Carrie Anne, and welcome to CrashCourse Computer Science!

00:05

Over the last three episodes, we’ve talked about how computers have become interconnected,

00:10

allowing us to communicate near-instantly across the globe.

00:12

But, not everyone who uses these networks is going to play by the rules, or have our

00:17

best interests at heart.

00:18

Just as how we have physical security like locks, fences and police officers to minimize

00:22

crime in the real world, we need cybersecurity to minimize crime and harm in the virtual

00:27

world.

00:27

Computers don’t have ethics.

00:29

Give them a formally specified problem and they’ll happily pump out an answer at lightning

00:33

speed.

00:34

Running code that takes down a hospital’s computer systems until a ransom is paid is

00:36

no different to a computer than code that keeps a patient's heart beating.

00:40

Like the Force, computers can be pulled to the light side or the dark side.

00:44

Cybersecurity is like the Jedi Order, trying to bring peace and justice to the cyber-verse.

00:48

INTRO

00:57

The scope of cybersecurity evolves as fast as the capabilities of computing, but we can

01:02

think of it as a set of techniques to protect the secrecy, integrity and availability of

01:06

computer systems and data against threats.

01:09

Let’s unpack those three goals:

01:11

Secrecy, or confidentiality, means that only authorized people should be able to access

01:15

or read specific computer systems and data.

01:18

Data breaches, where hackers reveal people’s credit card information, is an attack on secrecy.

01:22

Integrity means that only authorized people should have the ability to use or modify systems

01:27

and data.

01:28

Hackers who learn your password and send e-mails masquerading as you, is an integrity attack.

01:32

And availability means that authorized people should always have access to their systems

01:36

and data.

01:37

Think of Denial of Service Attacks, where hackers overload a website with fake requests

01:42

to make it slow or unreachable for others.

01:44

That’s attacking the service’s availability.

01:46

To achieve these three general goals, security experts start with a specification of who

01:50

your “enemy” is, at an abstract level, called a threat model.

01:54

This profiles attackers: their capabilities, goals, and probable means of attack – what’s

01:58

called, awesomely enough, an attack vector.

02:01

Threat models let you prepare against specific threats, rather than being overwhelmed by

02:04

all the ways hackers could get to your systems and data.

02:07

And there are many, many ways.

02:08

Let’s say you want to “secure” physical access to your laptop.

02:12

Your threat model is a nosy roommate.

02:14

To preserve the secrecy, integrity and availability of your laptop, you could keep it hidden in

02:18

your dirty laundry hamper.

02:20

But, if your threat model is a mischievous younger sibling who knows your hiding spots,

02:24

then you’ll need to do more: maybe lock it in a safe.

02:27

In other words, how a system is secured depends heavily on who it’s being secured against.

02:31

Of course, threat models are typically a bit more formally defined than just “nosy roommate”.

02:36

Often you’ll see threat models specified in terms of technical capabilities.

02:40

For example, “someone who has physical access to your laptop along with unlimited time”.

02:44

With a given threat model, security architects need to come up with a solution that keeps

02:48

a system secure – as long as certain assumptions are met, like no one reveals their password

02:52

to the attacker.

02:53

There are many methods for protecting computer systems, networks and data.

02:56

A lot of security boils down to two questions: who are you, and what should you have access to?

03:02

Clearly, access should be given to the right people, but refused to the wrong people.

03:06

Like, bank employees should be able to open ATMs to restock them, but not me… because

03:10

I’d take it all... all of it!

03:12

That ceramic cat collection doesn’t buy itself!

03:14

So, to differentiate between right and wrong people, we use authentication - the process

03:18

by which a computer understands who it’s interacting with.

03:22

Generally, there are three types, each with their own pros and cons:

03:25

What you know.

03:26

What you have.

03:26

And what you are.

03:27

What you know authentication is based on knowledge of a secret that should be known only by the

03:31

real user and the computer, for example, a username and password.

03:35

This is the most widely used today because it’s the easiest to implement.

03:38

But, it can be compromised if hackers guess or otherwise come to know your secret.

03:42

Some passwords are easy for humans to figure out, like 12356 or q-w-e-r-t-y.

03:48

But, there are also ones that are easy for computers.

03:51

Consider the PIN: 2580.

03:53

This seems pretty difficult to guess – and it is – for a human.

03:56

But there are only ten thousand possible combinations of 4-digit PINs.

04:00

A computer can try entering 0000, then try 0001, and then 0002, all the way up to 9999...

04:08

in a fraction of a second.

04:10

This is called a brute force attack, because it just tries everything.

04:14

There’s nothing clever to the algorithm.

04:16

Some computer systems lock you out, or have you wait a little, after say three wrong attempts.

04:20

That’s a common and reasonable strategy, and it does make it harder for less sophisticated

04:25

attackers.

04:25

But think about what happens if hackers have already taken over tens of thousands of computers,

04:29

forming a botnet.

04:30

Using all these computers, the same pin – 2580 – can be tried on many tens of thousands

04:35

of bank accounts simultaneously.

04:37

Even with just a single attempt per account, they’ll very likely get into one or more

04:41

that just happen to use that PIN.

04:43

In fact, we’ve probably guessed the pin of someone watching this video!

04:46

Increasing the length of PINs and passwords can help, but even 8 digit PINs are pretty

04:50

easily cracked.

04:51

This is why so many websites now require you to use a mix of upper and lowercase letters,

04:55

special symbols, and so on – it explodes the number of possible password combinations.

05:00

An 8-digit numerical PIN only has a hundred million combinations – computers eat that

05:04

for breakfast!

05:05

But an 8-character password with all those funky things mixed in has more than 600 trillion

05:10

combinations.

05:11

Of course, these passwords are hard for us mere humans to remember, so a better approach

05:15

is for websites to let us pick something more memorable, like three words joined together:

05:19

“green brothers rock” or “pizza tasty yum”.

05:22

English has around 100,000 words in use, so putting three together would give you roughly

05:27

1 quadrillion possible passwords. Good luck trying to guess that!

05:31

I should also note here that using non-dictionary words is even better against more sophisticated

05:35

kinds of attacks, but we don’t have time to get into that here.

05:38

Computerphile has a great video on choosing a password - link in the dooblydoo.

05:42

What you have authentication, on the other hand, is based on possession of a secret token

05:45

that only the real user has.

05:47

An example is a physical key and lock.

05:49

You can only unlock the door if you have the key.

05:52

This escapes this problem of being “guessable”.

05:54

And they typically require physical presence, so it’s much harder for remote attackers

05:58

to gain access.

05:59

Someone in another country can’t gain access to your front door in Florida without getting

06:02

to Florida first.

06:03

But, what you have authentication can be compromised if an attacker is physically close.

06:08

Keys can be copied, smartphones stolen, and locks picked.

06:11

Finally, what you are authentication is based on... you!

06:14

You authenticate by presenting yourself to the computer.

06:17

Biometric authenticators, like fingerprint readers and iris scanners are classic examples.

06:22

These can be very secure, but the best technologies are still quite expensive.

06:26

Furthermore, data from sensors varies over time.

06:29

What you know and what you have authentication have the nice property of being deterministic

06:33

– either correct or incorrect.

06:35

If you know the secret, or have the key, you’re granted access 100% of the time.

06:40

If you don’t, you get access zero percent of the time.

06:42

Biometric authentication, however, is probabilistic.There’s some chance the system won’t recognize you…

06:48

maybe you’re wearing a hat or the lighting is bad.

06:50

Worse, there’s some chance the system will recognize the wrong person as you – like

06:54

your evil twin!

06:55

Of course, in production systems, these chances are low, but not zero.

06:59

Another issue with biometric authentication is it can’t be reset.

07:02

You only have so many fingers, so what happens if an attacker compromises your fingerprint data?

07:07

This could be a big problem for life.

07:09

And, recently, researchers showed it’s possible to forge your iris just by capturing a photo

07:13

of you, so that’s not promising either.

07:15

Basically, all forms of authentication have strengths and weaknesses, and all can be compromised

07:20

in one way or another.

07:21

So, security experts suggest using two or more forms of authentication for important

07:26

accounts.

07:27

This is known as two-factor or multi-factor authentication.

07:29

An attacker may be able to guess your password or steal your phone: but it’s much harder

07:33

to do both.

07:34

After authentication comes Access Control.

07:36

Once a system knows who you are, it needs to know what you should be able to access,

07:40

and for that there’s a specification of who should be able to see, modify and use what.

07:45

This is done through Permissions or Access Control Lists (ACL), which describe what access

07:49

each user has for every file, folder and program on a computer.

07:52

“Read” permission allows a user to see the contents of a file, “write” permission

07:57

allows a user to modify the contents, and “execute” permission allows a user to

08:00

run a file, like a program.

08:02

For organizations with users at different levels of access privilege – like a spy

08:05

agency – it’s especially important for Access Control Lists to be configured correctly

08:10

to ensure secrecy, integrity and availability.

08:13

Let’s say we have three levels of access: public, secret and top secret.

08:17

The first general rule of thumb is that people shouldn’t be able to “read up”.

08:20

If a user is only cleared to read secret files, they shouldn’t be able to read top secret

08:24

files, but should be able to access secret and public ones.

08:28

The second general rule of thumb is that people shouldn’t be able to “write down”.

08:31

If a member has top secret clearance, then they should be able to write or modify top

08:35

secret files, but not secret or public files.

08:38

It may seem weird that even with the highest clearance, you can’t modify less secret files.

08:42

But, it guarantees that there’s no accidental leakage of top secret information into secret

08:47

or public files.

08:48

This “no read up, no write down” approach is called the Bell-LaPadula model.

08:52

It was formulated for the U.S. Department of Defense’s Multi-Level Security policy.

08:57

There are many other models for access control – like the Chinese Wall model and Biba model.

09:01

Which model is best depends on your use-case.

09:03

Authentication and access control help a computer determine who you are and what you should

09:08

access, but depend on being able to trust the hardware and software that run the authentication

09:12

and access control programs.

09:14

That’s a big dependence.

09:15

If an attacker installs malicious software – called malware – compromising the host

09:20

computer’s operating system, how can we be sure security programs don’t have a backdoor

09:24

that let attackers in?

09:25

The short answer is… we can’t.

09:27

We still have no way to guarantee the security of a program or computing system.

09:31

That’s because even while security software might be “secure” in theory, implementation

09:35

bugs can still result in vulnerabilities.

09:37

But, we do have techniques to reduce the likelihood of bugs, quickly find and patch bugs when

09:42

they do occur, and mitigate damage when a program is compromised.

09:46

Most security errors come from implementation error.

09:49

To reduce implementation error, reduce implementation.

09:52

One of the holy grails of system level security is a “security kernel” or a “trusted

09:57

computing base”: a minimal set of operating system software that’s close to provably secure.

10:02

A challenge in constructing these security kernels is deciding what should go into it.

10:06

Remember, the less code, the better!

10:08

Even after minimizing code bloat, it would be great to “guarantee” that code as written

10:12

is secure.

10:13

Formally verifying the security of code is an active area of research.

10:17

The best we have right now is a process called Independent Verification and Validation.

10:22

This works by having code audited by a crowd of security-minded developers.

10:26

This is why security code is almost always open-sourced.

10:28

It’s often difficult for people who wrote the original code to find bugs, but external

10:32

developers, with fresh eyes and different expertise, can spot problems.

10:36

There are also conferences where like-minded hackers and security experts can mingle and

10:40

share ideas, the biggest of which is DEF CON, held annually in Las Vegas.

10:44

Finally, even after reducing code and auditing it, clever attackers are bound to find tricks

10:48

that let them in.

10:49

With this in mind, good developers should take the approach that, not if, but when their

10:53

programs are compromised, the damage should be limited and contained, and not let it compromise

10:57

other things running on the computer.

11:00

This principle is called isolation.

11:01

To achieve isolation, we can “sandbox” applications.

11:04

This is like placing an angry kid in a sandbox; when the kid goes ballistic, they only destroy

11:09

the sandcastle in their own box, but other kids in the playground continue having fun.

11:14

Operating Systems attempt to sandbox applications by giving each their own block of memory that

11:19

others programs can’t touch.

11:20

It’s also possible for a single computer to run multiple Virtual Machines, essentially

11:24

simulated computers, that each live in their own sandbox.

11:27

If a program goes awry, worst case is that it crashes or compromises only the virtual

11:31

machine on which it’s running.

11:33

All other Virtual Machines running on the computer are isolated and unaffected.

11:37

Ok, that’s a broad overview of some key computer security topics.

11:41

And I didn’t even get to network security, like firewalls.

11:43

Next episode, we’ll discuss some specific example methods hackers use to get into computer

11:46

systems.

11:47

After that, we’ll touch on encryption.

11:49

Until then, make your passwords stronger, turn on 2-factor authentication, and NEVER

11:53

click links in unsolicited emails!

11:56

I’ll see you next week.