Cybersecurity: Crash Course Computer Science #31
Summary
TLDR本视频是CrashCourse计算机科学系列的一部分,由Carrie Anne主讲。视频讨论了计算机互联互通带来的安全问题,并强调了网络安全的重要性。网络安全的目标是保护计算机系统和数据的保密性、完整性和可用性。视频介绍了威胁模型的概念,以及如何通过认证和访问控制来保护系统。讲解了三种主要的认证方法:知识认证、拥有认证和生物认证,以及它们的优缺点。此外,还介绍了访问控制列表(ACL)和Bell-LaPadula模型等概念。最后,视频强调了代码审计、隔离和沙箱技术在提高系统安全性方面的作用,并鼓励观众加强密码安全,开启双因素认证,并避免点击未经请求的电子邮件中的链接。
Takeaways
- 🌐 网络安全是保护计算机系统和数据免受威胁的一系列技术,目标是保密性、完整性和可用性。
- 🔒 保密性指只有授权的人才能访问特定计算机系统和数据,例如防止数据泄露。
- 🛠️ 完整性意味着只有授权的人才能使用或修改系统和数据,如防止黑客冒充他人发送电子邮件。
- 🚫 可用性指授权的人应始终能够访问他们的系统和数据,如防止拒绝服务攻击(DoS)。
- 🎯 威胁模型是安全专家制定的,用于描述攻击者的能力、目标和可能的攻击手段。
- 🔑 认证是确定用户身份的过程,分为三种类型:知识认证(如密码)、拥有认证(如密钥)、生物认证(如指纹)。
- 🔐 使用强密码和多因素认证可以提高安全性,防止密码被猜测或窃取。
- 📋 访问控制通过权限或访问控制列表(ACL)来指定用户对文件、文件夹和程序的访问权限。
- 🏛 Bell-LaPadula模型是一种“不读上,不写下”的访问控制方法,用于保护不同级别的信息。
- 🛡️ 安全内核或可信计算基础是操作系统中一小组接近可证明安全的软件。
- 👀 独立验证和验证是一种通过安全意识开发者群体审计代码的过程,开源代码更易接受这种审计。
- 🏗️ 隔离原则意味着即使程序被攻击者入侵,损害也应被限制和控制,不会影响计算机上其他程序的运行。
Q & A
什么是网络安全的主要目的?
-网络安全的主要目的是保护计算机系统和数据的保密性、完整性和可用性,以抵御威胁。
如何定义保密性在网络安全中的含义?
-在网络安全中,保密性或称为信息保密,意味着只有授权的人才能访问或读取特定的计算机系统和数据。
完整性攻击的一个例子是什么?
-完整性攻击的一个例子是黑客获取你的密码并发送伪装成你的电子邮件。
什么是拒绝服务攻击(DoS Attack)?
-拒绝服务攻击是一种攻击手段,黑客通过发送大量虚假请求来超载网站,使其变慢或对其他人无法访问,从而攻击服务的可用性。
威胁模型在网络安全中扮演什么角色?
-威胁模型是一种抽象层面上的“敌人”规范,它描述攻击者的能力、目标和可能的攻击手段,帮助安全专家准备对抗特定威胁。
什么是“你知道的”认证方式?
-“你知道的”认证方式基于只有真实用户和计算机知道的秘密知识,例如用户名和密码。
暴力破解攻击是如何工作的?
-暴力破解攻击是通过尝试所有可能的组合来猜测密码或PIN码,这是一种不涉及任何巧妙算法的直接尝试方法。
为什么许多网站现在要求用户使用混合大小写字母、特殊符号等的密码组合?
-使用混合大小写字母、特殊符号等的密码组合可以大大增加可能的密码组合数量,从而提高密码的安全性,使其更难被破解。
什么是“你有的”认证方式?
-“你有的”认证方式基于持有一个只有真实用户拥有的秘密令牌,例如物理钥匙和锁。
生物识别认证有哪些优点和缺点?
-生物识别认证(如指纹和虹膜扫描)可以非常安全,但成本较高,且数据随时间变化具有概率性,可能无法每次都准确识别或错误识别他人。此外,一旦生物识别数据被攻击者获取,将很难重置。
什么是双因素或多因素认证?
-双因素或多因素认证是一种安全措施,要求用户提供两种或以上的认证方式,比如密码和手机验证码,以增加安全性。
访问控制列表(ACL)是如何工作的?
-访问控制列表(ACL)通过指定每个用户对计算机上每个文件、文件夹和程序的访问权限来工作,包括读取、写入和执行权限。
什么是Bell-LaPadula模型?
-Bell-LaPadula模型是一种访问控制模型,它遵循“不读上,不写下”的原则,即用户不能读取高于其权限级别的文件,也不能向低于其权限级别的文件写入数据。
如何减少安全漏洞的可能性?
-减少安全漏洞的可能性可以通过减少实现错误、减少代码量、进行独立验证和确认、开源代码以供安全开发者审计、以及采取隔离原则如沙箱技术来实现。
Outlines
😀 网络安全简介
Carrie Anne在CrashCourse计算机科学课程中介绍了网络安全的重要性。她指出,就像现实世界中需要物理安全措施一样,虚拟世界中也需要网络安全来减少犯罪和伤害。计算机本身没有道德观念,它们会根据给定的问题快速输出答案,无论是好是坏。网络安全的目标是保护计算机系统和数据的保密性、完整性和可用性。为了实现这些目标,安全专家首先需要建立一个威胁模型,了解攻击者的能力、目标和可能的攻击手段。此外,还介绍了保护计算机系统和数据的多种方法,包括认证和访问控制,以及如何通过权限或访问控制列表(ACL)来管理用户对文件、文件夹和程序的访问权限。
🔐 认证与访问控制
本段深入探讨了认证的三种类型:知识认证(如用户名和密码)、拥有认证(如物理钥匙和锁)和生物认证(如指纹和虹膜扫描)。每种认证方式都有其优缺点,例如知识认证易受猜测攻击,拥有认证可能在物理接近时受到威胁,而生物认证则存在误识和不可重置的问题。为了提高安全性,专家建议使用双重或多重认证。接下来,讨论了访问控制,包括权限和访问控制列表(ACL),它们定义了用户对计算机上每个文件、文件夹和程序的访问权限。此外,还介绍了Bell-LaPadula模型,这是一种用于确保保密性、完整性和可用性的访问控制策略。
🛡️ 安全性实现与隔离
在这段视频中,讨论了如何减少实现错误,提高代码安全性。提出了“安全内核”或“可信计算基础”的概念,即操作系统软件的最小集合,接近于可证明的安全性。为了减少代码膨胀,建议减少实现的代码量。此外,还介绍了独立验证和验证过程,通过安全意识开发者群体对代码进行审计,这也是为什么安全代码几乎总是开源的原因。即使在减少代码和审计之后,攻击者仍可能找到入侵的方法。因此,开发者应该采取隔离原则,即使程序被攻破,损害也应被限制和控制。介绍了沙箱技术和虚拟机,它们可以隔离应用程序,即使一个程序出现问题,也不会影响到计算机上的其他程序或虚拟机。
Mindmap
Keywords
💡网络安全
💡保密性
💡完整性
💡可用性
💡威胁模型
💡认证
💡访问控制
💡Bell-LaPadula模型
💡多因素认证
💡沙箱
💡独立验证和确认
Highlights
网络安全的作用是保护计算机系统和数据免受威胁,其重要性与现实世界中的物理安全相当。
计算机本身没有道德观念,它们会根据给定的指令快速执行任务,不论是好是坏。
网络安全的目标是保护信息的保密性、完整性和可用性。
保密性(或称为机密性)意味着只有授权的人才能访问特定的计算机系统和数据。
完整性确保只有授权的人才能使用或修改系统和数据。
可用性指授权的人应始终能够访问他们的系统和数据。
安全专家通过构建威胁模型来准备对抗特定威胁。
威胁模型定义了攻击者的能力和可能的攻击手段,即攻击向量。
物理安全可以通过隐藏、锁定或其他方式来保护,取决于威胁模型。
认证是确定计算机与之交互对象身份的过程,通常有三种类型:知识、拥有和生物特征。
密码认证是最广泛使用的方法,但易受到猜测或泄露的风险。
使用更长、更复杂的密码可以增加安全性,但难以记忆。
拥有认证依赖于持有唯一的秘密令牌,如物理钥匙或智能卡。
生物特征认证基于个人特征,如指纹或虹膜扫描,虽然安全但存在误识风险。
为了提高安全性,建议使用双因素或多因素认证。
访问控制通过权限或访问控制列表(ACL)来规定用户对文件、文件夹和程序的访问权限。
Bell-LaPadula模型是一种确保信息保密性的访问控制策略,遵循“不读上,不写下”的原则。
安全内核或可信计算基础是操作系统中一小组接近可证明安全的软件。
独立验证和验证是一种通过安全意识开发者群体审计代码的过程。
隔离原则意味着即使程序被攻破,损害也应被限制和控制,不影响计算机上其他程序的运行。
Transcripts
Hi, I’m Carrie Anne, and welcome to CrashCourse Computer Science!
Over the last three episodes, we’ve talked about how computers have become interconnected,
allowing us to communicate near-instantly across the globe.
But, not everyone who uses these networks is going to play by the rules, or have our
best interests at heart.
Just as how we have physical security like locks, fences and police officers to minimize
crime in the real world, we need cybersecurity to minimize crime and harm in the virtual
world.
Computers don’t have ethics.
Give them a formally specified problem and they’ll happily pump out an answer at lightning
speed.
Running code that takes down a hospital’s computer systems until a ransom is paid is
no different to a computer than code that keeps a patient's heart beating.
Like the Force, computers can be pulled to the light side or the dark side.
Cybersecurity is like the Jedi Order, trying to bring peace and justice to the cyber-verse.
INTRO
The scope of cybersecurity evolves as fast as the capabilities of computing, but we can
think of it as a set of techniques to protect the secrecy, integrity and availability of
computer systems and data against threats.
Let’s unpack those three goals:
Secrecy, or confidentiality, means that only authorized people should be able to access
or read specific computer systems and data.
Data breaches, where hackers reveal people’s credit card information, is an attack on secrecy.
Integrity means that only authorized people should have the ability to use or modify systems
and data.
Hackers who learn your password and send e-mails masquerading as you, is an integrity attack.
And availability means that authorized people should always have access to their systems
and data.
Think of Denial of Service Attacks, where hackers overload a website with fake requests
to make it slow or unreachable for others.
That’s attacking the service’s availability.
To achieve these three general goals, security experts start with a specification of who
your “enemy” is, at an abstract level, called a threat model.
This profiles attackers: their capabilities, goals, and probable means of attack – what’s
called, awesomely enough, an attack vector.
Threat models let you prepare against specific threats, rather than being overwhelmed by
all the ways hackers could get to your systems and data.
And there are many, many ways.
Let’s say you want to “secure” physical access to your laptop.
Your threat model is a nosy roommate.
To preserve the secrecy, integrity and availability of your laptop, you could keep it hidden in
your dirty laundry hamper.
But, if your threat model is a mischievous younger sibling who knows your hiding spots,
then you’ll need to do more: maybe lock it in a safe.
In other words, how a system is secured depends heavily on who it’s being secured against.
Of course, threat models are typically a bit more formally defined than just “nosy roommate”.
Often you’ll see threat models specified in terms of technical capabilities.
For example, “someone who has physical access to your laptop along with unlimited time”.
With a given threat model, security architects need to come up with a solution that keeps
a system secure – as long as certain assumptions are met, like no one reveals their password
to the attacker.
There are many methods for protecting computer systems, networks and data.
A lot of security boils down to two questions: who are you, and what should you have access to?
Clearly, access should be given to the right people, but refused to the wrong people.
Like, bank employees should be able to open ATMs to restock them, but not me… because
I’d take it all... all of it!
That ceramic cat collection doesn’t buy itself!
So, to differentiate between right and wrong people, we use authentication - the process
by which a computer understands who it’s interacting with.
Generally, there are three types, each with their own pros and cons:
What you know.
What you have.
And what you are.
What you know authentication is based on knowledge of a secret that should be known only by the
real user and the computer, for example, a username and password.
This is the most widely used today because it’s the easiest to implement.
But, it can be compromised if hackers guess or otherwise come to know your secret.
Some passwords are easy for humans to figure out, like 12356 or q-w-e-r-t-y.
But, there are also ones that are easy for computers.
Consider the PIN: 2580.
This seems pretty difficult to guess – and it is – for a human.
But there are only ten thousand possible combinations of 4-digit PINs.
A computer can try entering 0000, then try 0001, and then 0002, all the way up to 9999...
in a fraction of a second.
This is called a brute force attack, because it just tries everything.
There’s nothing clever to the algorithm.
Some computer systems lock you out, or have you wait a little, after say three wrong attempts.
That’s a common and reasonable strategy, and it does make it harder for less sophisticated
attackers.
But think about what happens if hackers have already taken over tens of thousands of computers,
forming a botnet.
Using all these computers, the same pin – 2580 – can be tried on many tens of thousands
of bank accounts simultaneously.
Even with just a single attempt per account, they’ll very likely get into one or more
that just happen to use that PIN.
In fact, we’ve probably guessed the pin of someone watching this video!
Increasing the length of PINs and passwords can help, but even 8 digit PINs are pretty
easily cracked.
This is why so many websites now require you to use a mix of upper and lowercase letters,
special symbols, and so on – it explodes the number of possible password combinations.
An 8-digit numerical PIN only has a hundred million combinations – computers eat that
for breakfast!
But an 8-character password with all those funky things mixed in has more than 600 trillion
combinations.
Of course, these passwords are hard for us mere humans to remember, so a better approach
is for websites to let us pick something more memorable, like three words joined together:
“green brothers rock” or “pizza tasty yum”.
English has around 100,000 words in use, so putting three together would give you roughly
1 quadrillion possible passwords. Good luck trying to guess that!
I should also note here that using non-dictionary words is even better against more sophisticated
kinds of attacks, but we don’t have time to get into that here.
Computerphile has a great video on choosing a password - link in the dooblydoo.
What you have authentication, on the other hand, is based on possession of a secret token
that only the real user has.
An example is a physical key and lock.
You can only unlock the door if you have the key.
This escapes this problem of being “guessable”.
And they typically require physical presence, so it’s much harder for remote attackers
to gain access.
Someone in another country can’t gain access to your front door in Florida without getting
to Florida first.
But, what you have authentication can be compromised if an attacker is physically close.
Keys can be copied, smartphones stolen, and locks picked.
Finally, what you are authentication is based on... you!
You authenticate by presenting yourself to the computer.
Biometric authenticators, like fingerprint readers and iris scanners are classic examples.
These can be very secure, but the best technologies are still quite expensive.
Furthermore, data from sensors varies over time.
What you know and what you have authentication have the nice property of being deterministic
– either correct or incorrect.
If you know the secret, or have the key, you’re granted access 100% of the time.
If you don’t, you get access zero percent of the time.
Biometric authentication, however, is probabilistic.There’s some chance the system won’t recognize you…
maybe you’re wearing a hat or the lighting is bad.
Worse, there’s some chance the system will recognize the wrong person as you – like
your evil twin!
Of course, in production systems, these chances are low, but not zero.
Another issue with biometric authentication is it can’t be reset.
You only have so many fingers, so what happens if an attacker compromises your fingerprint data?
This could be a big problem for life.
And, recently, researchers showed it’s possible to forge your iris just by capturing a photo
of you, so that’s not promising either.
Basically, all forms of authentication have strengths and weaknesses, and all can be compromised
in one way or another.
So, security experts suggest using two or more forms of authentication for important
accounts.
This is known as two-factor or multi-factor authentication.
An attacker may be able to guess your password or steal your phone: but it’s much harder
to do both.
After authentication comes Access Control.
Once a system knows who you are, it needs to know what you should be able to access,
and for that there’s a specification of who should be able to see, modify and use what.
This is done through Permissions or Access Control Lists (ACL), which describe what access
each user has for every file, folder and program on a computer.
“Read” permission allows a user to see the contents of a file, “write” permission
allows a user to modify the contents, and “execute” permission allows a user to
run a file, like a program.
For organizations with users at different levels of access privilege – like a spy
agency – it’s especially important for Access Control Lists to be configured correctly
to ensure secrecy, integrity and availability.
Let’s say we have three levels of access: public, secret and top secret.
The first general rule of thumb is that people shouldn’t be able to “read up”.
If a user is only cleared to read secret files, they shouldn’t be able to read top secret
files, but should be able to access secret and public ones.
The second general rule of thumb is that people shouldn’t be able to “write down”.
If a member has top secret clearance, then they should be able to write or modify top
secret files, but not secret or public files.
It may seem weird that even with the highest clearance, you can’t modify less secret files.
But, it guarantees that there’s no accidental leakage of top secret information into secret
or public files.
This “no read up, no write down” approach is called the Bell-LaPadula model.
It was formulated for the U.S. Department of Defense’s Multi-Level Security policy.
There are many other models for access control – like the Chinese Wall model and Biba model.
Which model is best depends on your use-case.
Authentication and access control help a computer determine who you are and what you should
access, but depend on being able to trust the hardware and software that run the authentication
and access control programs.
That’s a big dependence.
If an attacker installs malicious software – called malware – compromising the host
computer’s operating system, how can we be sure security programs don’t have a backdoor
that let attackers in?
The short answer is… we can’t.
We still have no way to guarantee the security of a program or computing system.
That’s because even while security software might be “secure” in theory, implementation
bugs can still result in vulnerabilities.
But, we do have techniques to reduce the likelihood of bugs, quickly find and patch bugs when
they do occur, and mitigate damage when a program is compromised.
Most security errors come from implementation error.
To reduce implementation error, reduce implementation.
One of the holy grails of system level security is a “security kernel” or a “trusted
computing base”: a minimal set of operating system software that’s close to provably secure.
A challenge in constructing these security kernels is deciding what should go into it.
Remember, the less code, the better!
Even after minimizing code bloat, it would be great to “guarantee” that code as written
is secure.
Formally verifying the security of code is an active area of research.
The best we have right now is a process called Independent Verification and Validation.
This works by having code audited by a crowd of security-minded developers.
This is why security code is almost always open-sourced.
It’s often difficult for people who wrote the original code to find bugs, but external
developers, with fresh eyes and different expertise, can spot problems.
There are also conferences where like-minded hackers and security experts can mingle and
share ideas, the biggest of which is DEF CON, held annually in Las Vegas.
Finally, even after reducing code and auditing it, clever attackers are bound to find tricks
that let them in.
With this in mind, good developers should take the approach that, not if, but when their
programs are compromised, the damage should be limited and contained, and not let it compromise
other things running on the computer.
This principle is called isolation.
To achieve isolation, we can “sandbox” applications.
This is like placing an angry kid in a sandbox; when the kid goes ballistic, they only destroy
the sandcastle in their own box, but other kids in the playground continue having fun.
Operating Systems attempt to sandbox applications by giving each their own block of memory that
others programs can’t touch.
It’s also possible for a single computer to run multiple Virtual Machines, essentially
simulated computers, that each live in their own sandbox.
If a program goes awry, worst case is that it crashes or compromises only the virtual
machine on which it’s running.
All other Virtual Machines running on the computer are isolated and unaffected.
Ok, that’s a broad overview of some key computer security topics.
And I didn’t even get to network security, like firewalls.
Next episode, we’ll discuss some specific example methods hackers use to get into computer
systems.
After that, we’ll touch on encryption.
Until then, make your passwords stronger, turn on 2-factor authentication, and NEVER
click links in unsolicited emails!
I’ll see you next week.
浏览更多相关视频
Psychology of Computing: Crash Course Computer Science #38
AWS re:Inforce 2024 - Explorations of cryptography research (SEC204-INT)
Seguridad en la Cadena de Suministro
The Internet: Crash Course Computer Science #29
How to write more flexible game code
无敌的Xray - Reality协议!无须域名和证书的Reality协议+Vision流控,是否能够摆平一切顾虑!Reality指向网站寻找,Reality客户端推荐(关联节点搭建/科学上网)
5.0 / 5 (0 votes)