
Security From 30,000 Feet


Presentation Transcript


  1. Security From 30,000 Feet
     CPIS 210, John Beckett

  2. Who Is This?
     • Security is always about proxies
       • What you say (username)
       • What you know (password)
       • What you have (key device of some sort)
       • How you “look” (biometrics)
       • How you behave (time/date/amount restrictions)
     • We can never really, really know “who you are”

  3. How Much Technology? Case: Avoiding the Reef
     Modern Navigation
     • We know exactly where we are and where the reef is
     • GPS is very precise
     • Therefore we know how far we are away from the reef!
       • If all of our technology is working correctly
       • If the reef hasn’t moved in a typhoon
     Traditional Navigation
     • We sense the effects of the reef
     • Not as precise as GPS
     • Our measurement method gets more accurate as we are closer to danger
     The traditional method could in this case produce as much success as a lot of technology

  4. The “Foolproof” Myth
     • Theory: Put all your eggs in one basket, and take very good care of that basket
     • Luke 12:20: “Thou fool, tonight thy soul will be required of thee.”
     • “Send your grain across the seas, and in time, profits will flow back to you. But divide your investments among many places, for you do not know what risks might lie ahead.” Ecclesiastes 11:1-2 (NLT)

  5. The Consequence Gradient
     • False negative: person can’t get in when they should
       • Lost business
       • The “good guys” can’t get in to protect
     • False positive: person can get in when they should not
       • Fraud
       • Damage
       • Information disclosure

  6. The Cost of Single Methods
     • As you increase the reliability of one method of authentication, its cost ($ & time) goes up sharply
     • Consider simple biometrics versus DNA
       • Questions about false positives in DNA evidence
     • Deut 19:15: One witness is not enough to convict

  7. Two Evidences
     • If you have two sources of the same evidence, you should pre-compile the decision if they differ:
       • Strike an average
         • What’s the average of “bad guy” and “good guy”?
       • Re-evaluate the whole situation to determine which is wrong
         • And wait…
       • Give one of them priority
         • In which case, why bother with the other one?
       • Give one priority, but evaluate later
         • Are you going to track the results of those decisions?

  8. How Multiple Evidences Help (if the question is single-sided)
     For example:
     • 70% likelihood that we allow a legitimate person
     • If that fails, we test again using a 60% method
       • Combination is 88%
     • If that fails, we test again using a 50% method
       • Combination is 94%

  9. Combining Excludes Errors… if false positives can be ignored

  10. Downsides of Cascading Tests
     • If we are really measuring the same thing it doesn’t help – but it costs us anyhow
     • If the purpose is to test for permission, we have multiplied our false-positive rate
       • So it must be very small or cascading is inappropriate
     • If the damaging consequences of false positives and negatives are equal or nearly so:
       • We should consider doing all tests each time and adding the results (voting method)
       • Good for quantitative results, but not binary?
     • If the damaging consequences are unequal:
       • Cascade tests (i.e., use further tests to avoid error)
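The arithmetic behind slides 8 and 10, as an added example that is not part of the presentation: cascading tests (run the next test only when the previous one rejects) admits a user if any test admits them, which raises the chance of admitting a legitimate person from 70% to 88% and then 94%, but compounds the chance of admitting an impostor in exactly the same way. The voting method runs every test and admits only on a quorum. The per-test impostor-admission rates are constructed figures, not from the slides, and the tests are assumed independent.

```python
from itertools import product
from math import prod

# Constructed example. "true_accept" follows the slide's 70% / 60% / 50% figures
# (probability a legitimate person is admitted by that test alone);
# "false_positive" is an assumed probability that an impostor is admitted
# (slide 5's sense of "false positive": person can get in when they should not).
TESTS = [
    {"name": "test A", "true_accept": 0.70, "false_positive": 0.02},
    {"name": "test B", "true_accept": 0.60, "false_positive": 0.03},
    {"name": "test C", "true_accept": 0.50, "false_positive": 0.05},
]


def cascade(rates):
    """Cascading tests (slide 8): a person is admitted if ANY test admits them,
    so P(admit) = 1 - prod(1 - p_i). Works for legitimate users and impostors alike."""
    return 1 - prod(1 - p for p in rates)


def voting(rates, needed):
    """Voting method (slide 10): run all tests, admit if at least `needed` of them
    admit. Enumerates every accept/reject outcome of the independent tests."""
    total = 0.0
    for outcome in product((True, False), repeat=len(rates)):
        if sum(outcome) >= needed:
            total += prod(p if admitted else 1 - p for p, admitted in zip(rates, outcome))
    return total


def compare(tests, needed=2):
    """Side-by-side admission probabilities for the two combination strategies."""
    legit = [t["true_accept"] for t in tests]
    impostor = [t["false_positive"] for t in tests]
    return {
        "cascade": {"legit_admitted": cascade(legit), "impostor_admitted": cascade(impostor)},
        "voting": {"legit_admitted": voting(legit, needed), "impostor_admitted": voting(impostor, needed)},
    }


if __name__ == "__main__":
    for strategy, rates in compare(TESTS).items():
        print(f"{strategy:8s} legit admitted {rates['legit_admitted']:.3f}  "
              f"impostor admitted {rates['impostor_admitted']:.5f}")
```

With these figures the cascade admits 94% of legitimate users but lets an impostor through about 9.7% of the time, roughly five times the worst single test, which is slide 10's warning; 2-of-3 voting admits only 65% of legitimate users but holds impostor admission near 0.3%.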
