Data Security Principles

Security Goals

Are the principles like the CIA (Central Intelligence Agency)?

The CIA acronym stands for Confidentiality, Integrity, and Availability.

Confidentiality - Restricted access to authorized persons.
Integrity - Restricted changes to authorized persons.
Availability - Available when needed.

Rumor has it that a sales team from IBM in the 1960s trying to persuade the DoD to buy their computers, scrambled to find a “catchy” phrase that will highlight the need for secrecy. They picked the CIA as a synonym for secrecy and worked backwards to match confidentiality, integrity, and availability [credit to prof. Eugene Spafford for this story]

Who can access your bank account?

You are the only person with access to your bank account besides your bank. This represents the idea of confidentiality.

Who can authorize transfers on your bank account?

Only you are able to authorize transactions and transfers within you bank account this represents the idea of integrity.

Are there times when you cannot access your bank account?

You can always access your bank account with connection to the internet given you have the right software and device to use said banking software with you. This represents the idea of availability.

Active Learning Activity: Guess the Password

These are hashes of two commonly used passwords:

4813494D137E1631BBA301D5ACAB6E7BB7AA74CE1185D456565EF51D737677B2
5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8

To crack these passwords I am using a website called CrackStation.

https://crackstation.net/

Was this easy or hard to figure out?

This was very easy to crack this because it is a commonly known hash. Hashes of unique phrases would be harder to crack then common ones.

Active Learning Activity: Examine hashes

Visit the following website for this activity.

https://md5calc.com/hash

String	Hash
thequickbrownfox	bd484b82d7875e115c7273e9c6102ca4946b7c55fe905012be9152b87fe09568
theQuickbrownfox	4e49ede85e4ef4dbddd0ed8601583b81ff21124975377e77c222c684fd91c4d3
thequickbrownfoX	15a741a20b8c1b27aac3fa0fad397efe8ca65161a2634463831064d96d529746

String

Hash

thequickbrownfox

bd484b82d7875e115c7273e9c6102ca4946b7c55fe905012be9152b87fe09568

theQuickbrownfox

4e49ede85e4ef4dbddd0ed8601583b81ff21124975377e77c222c684fd91c4d3

thequickbrownfoX

15a741a20b8c1b27aac3fa0fad397efe8ca65161a2634463831064d96d529746

Is there a pattern in the hashes?

There are no noticeable patterns in hashes.

Does a small change make a big difference in the hash?

A small change can make a huge difference in the hash. This is because the hash encoding is based on the file and each bit changes the entire hash output. This is referred to the avalanche effect.

Active Learning Activity: Generate a hash on your own

The term I choose to encode was flabbergasted.

09d02e13a7febc8cb444bc5b2ffbd2b20cd4686463955c25ff955569cee896e5

My neighbor was unable to crack the password. However crackstation was able to crack my hash as flabbergasted is a common English term.

Active Learning Activity: Has your password leaked?

My password for github has not been leaked before.

Can two passwords have the same hash? Yes - it is called hash collision Passwords with the same hash - compromise of integrity Hash collision attacks: find a password that will result in the same hash from a reported breach and try to use that password to login

Can you guess a password from just looking at a hash? No. Hashes are designed to prevent guessing. Hashing algorithms are a one-way process. Adversaries may check a hash in a pre-computed list, also known as a rainbow table.

Does hashing provide confidentiality, integrity, or availability?

Hashing provides integrity. This is because, if the file is changed then the hash is completely changed therefore it provides integrity.

Information States

Scenario 1

Accessing personal documents on Google Drive using a personal laptop at a local coffee shop over their free wireless hotspot.

This first scenario would be a compromise of confidentiality because attackers can access your private data over an unsecure network. Since you are accessing this data on the cloud it would be considered data in use.

Scenario 2

Accessing report cards on the school website using a mobile phone during a summer vacation in Europe.

This to me doesn't seem like a breach of confidentiality, integrity, or accessibility unless the person is accessing their grades on an unsecure device or network. If report card grades are stored in the cloud then the data would be in use.

Pick a breach and talk about it.

I choose the ancestry data breach from 2015. An attacker was able to gain access to a service known as RootsWeb and was able to extract emails and passwords linked to accounts on the platform. This would be an example of a confidentiality breach as the data of user accounts were leaked. Since the accounts themselves weren't deleted then integrity was maintained however, it could of easily not been. Furthermore Ancestry should have encoded the usernames and passwords into a hash to minimize the damage an attacker can do with all the credentials.

Is it possible to completely delete our data in cyberspace from every state?

Can we remove our data from Instagram forever?

No it is not possible to completely delete our data in cyberspace. As soon as you share or give your data to a company that data is duplicated and stored somewhere within that companies database. Your data can also be given to 3rd parties if you agree to it in the terms and conditions. Log files also exist that typically are not deleted and can be considered a fingerprint of your digital activity.

Notes Activity Continued here...

SEC 110_Assignment_3 1

PreviousWeek 7 NextSEC 110_Assignment_3 1

Last updated 1 year ago