Hi, I’m Carrie Anne, and welcome to CrashCourse Computer Science! Over the last three episodes, we’ve talked about how computers have become interconnected, allowing us to communicate near-instantly across the globe. But, not everyone who uses these networks is going to play by the rules, or have our best interests at heart. Just as we have physical security like locks, fences and police officers to minimize crime in the real world, we need cybersecurity to minimize crime and harm in the virtual world.

Computers don’t have ethics. Give them a formally specified problem and they’ll happily pump out an answer at lightning speed. Running code that takes down a hospital’s computer systems until a ransom is paid is no different to a computer than code that keeps a patient’s heart beating. Like the Force, computers can be pulled to the light side or the dark side. Cybersecurity is like the Jedi Order, trying to bring peace and justice to the cyber-verse.

The scope of cybersecurity evolves as fast as the capabilities of computing, but we can think of it as a set of techniques to protect the secrecy, integrity and availability of computer systems and data against threats. Let’s unpack those three goals. Secrecy, or confidentiality, means that only authorized people should be able to access or read specific computer systems and data. Data breaches, where hackers reveal people’s credit card information, are an attack on secrecy. Integrity means that only authorized people should have the ability to use or modify systems and data. Hackers who learn your password and send e-mails masquerading as you are carrying out an integrity attack. And availability means that authorized people should always have access to their systems and data. Think of Denial of Service attacks, where hackers overload a website with fake requests to make it slow or unreachable for others. That’s attacking the service’s availability.

To achieve these three general goals, security experts start with a specification of who your “enemy” is, at an abstract level, called a threat model. This profiles attackers: their capabilities, goals, and probable means of attack – what’s called, awesomely enough, an attack vector. Threat models let you prepare against specific threats, rather than being overwhelmed by all the ways hackers could get to your systems and data. And there are many, many ways. Let’s say you want to “secure” physical access to your laptop. Your threat model is a nosy roommate. To preserve the secrecy, integrity and availability of your laptop, you could keep it hidden in your dirty laundry hamper. But, if your threat model is a mischievous younger sibling who knows your hiding spots, then you’ll need to do more: maybe lock it in a safe. In other words, how a system is secured depends heavily on who it’s being secured against. Of course, threat models are typically a bit more formally defined than just “nosy roommate”. Often you’ll see threat models specified in terms of technical capabilities. For example, “someone who has physical access to your laptop along with unlimited time”. With a given threat model, security architects need to come up with a solution that keeps a system secure – as long as certain assumptions are met, like no one reveals their password to the attacker.

There are many methods for protecting computer systems, networks and data. A lot of security boils down to two questions: who are you, and what should you have access to? Clearly, access should be given to the right people, but refused to the wrong people. Like, bank employees should be able to open ATMs to restock them, but not me… because I’d take it all… all of it! That ceramic cat collection doesn’t buy itself!

So, to differentiate between right and wrong people, we use authentication – the process by which a computer understands who it’s interacting with. Generally, there are three types, each with their own pros and cons: what you know, what you have, and what you are.

What you know authentication is based on knowledge of a secret that should be known only by the real user and the computer, for example, a username and password. This is the most widely used today because it’s the easiest to implement. But, it can be compromised if hackers guess or otherwise come to know your secret. Some passwords are easy for humans to figure out, like 12356 or q-w-e-r-t-y. But, there are also ones that are easy for computers. Consider the PIN: 2580. This seems pretty difficult to guess – and it is – for a human. But there are only ten thousand possible combinations of 4-digit PINs. A computer can try entering 0000, then 0001, and then 0002, all the way up to 9999… in a fraction of a second. This is called a brute force attack, because it just tries everything. There’s nothing clever to the algorithm.

Some computer systems lock you out, or have you wait a little, after say three wrong attempts. That’s a common and reasonable strategy, and it does make it harder for less sophisticated attackers. But think about what happens if hackers have already taken over tens of thousands of computers, forming a botnet. Using all these computers, the same PIN – 2580 – can be tried on many tens of thousands of bank accounts simultaneously. Even with just a single attempt per account, they’ll very likely get into one or more that just happen to use that PIN. In fact, we’ve probably guessed the PIN of someone watching this video!

Increasing the length of PINs and passwords can help, but even 8-digit PINs are pretty easily cracked. This is why so many websites now require you to use a mix of upper and lowercase letters, special symbols, and so on – it explodes the number of possible password combinations. An 8-digit numerical PIN only has a hundred million combinations – computers eat that for breakfast! But an 8-character password with all those funky things mixed in has more than 600 trillion combinations. Of course, these passwords are hard for us mere humans to remember, so a better approach is for websites to let us pick something more memorable, like three words joined together: “green brothers rock” or “pizza tasty yum”. English has around 100,000 words in use, so putting three together would give you roughly 1 quadrillion possible passwords. Good luck trying to guess that! I should also note here that using non-dictionary words is even better against more sophisticated kinds of attacks, but we don’t have time to get into that here. Computerphile has a great video on choosing a password – link in the dooblydoo.
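To make the arithmetic in this section concrete, and to show what a per-account lockout does and does not catch, here is a small Python example written for this page (it is not code from Crash Course or from the video). The keyspace figures use the transcript's own numbers; the 95-symbol printable ASCII alphabet, the constructed log lines with their account names and addresses, and the detection thresholds are assumptions of the example.

```python
import math
import re
from collections import Counter
from typing import NamedTuple

# Alphabet sizes behind the figures in the transcript. The 95-symbol printable
# ASCII alphabet is an assumption of this example; 100,000 is the transcript's
# own estimate of English words in use.
DIGITS = 10
PRINTABLE_ASCII = 95
ENGLISH_WORDS = 100_000


def keyspace(alphabet_size, length):
    """Number of distinct secrets of `length` symbols over an alphabet."""
    return alphabet_size ** length


def entropy_bits(space):
    """Guessing difficulty in bits if the secret is chosen uniformly at random."""
    return math.log2(space)


def expected_hits(accounts, attempts_per_account, space):
    """Expected number of accounts opened by a spray that stays under a per-account
    lockout: each account sees only a few guesses, but the guesses are spread over
    many accounts. Assumes uniformly chosen PINs; real PIN choices cluster on a
    few favourites, which only makes the defender's picture worse."""
    return accounts * attempts_per_account / space


class AuthEvent(NamedTuple):
    ts: str
    result: str    # "OK" or "FAIL"
    account: str
    src: str


# Constructed sample authentication log for this example (not real data).
# One source hammers a single account; four sources each make one attempt
# against a different account, which is what the transcript's botnet looks like.
SAMPLE_LOG = """\
2018-01-29T16:11:01 FAIL account=alice src=10.0.0.7
2018-01-29T16:11:02 FAIL account=alice src=10.0.0.7
2018-01-29T16:11:03 FAIL account=alice src=10.0.0.7
2018-01-29T16:11:04 FAIL account=alice src=10.0.0.7
2018-01-29T16:12:00 FAIL account=bob src=203.0.113.5
2018-01-29T16:12:00 FAIL account=carol src=198.51.100.9
2018-01-29T16:12:01 FAIL account=dave src=192.0.2.44
2018-01-29T16:12:01 FAIL account=erin src=203.0.113.77
2018-01-29T16:12:02 OK account=frank src=192.0.2.10
"""

LINE_RE = re.compile(r"^(\S+) (OK|FAIL) account=(\S+) src=(\S+)$")


def parse_log(text):
    """Turn the log text into AuthEvent records, skipping lines that do not match."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(AuthEvent(*m.groups()))
    return events


def locked_accounts(events, lockout_threshold=3):
    """Accounts a per-account lockout would freeze ("after say three wrong attempts")."""
    failures = Counter(e.account for e in events if e.result == "FAIL")
    return {acct for acct, n in failures.items() if n >= lockout_threshold}


def spray_suspected(events, lockout_threshold=3, min_accounts=4, max_mean_attempts=1.5):
    """True when many distinct accounts each see a few failures: activity that a
    per-account lockout never trips, so it has to be detected across accounts."""
    failures = Counter(e.account for e in events if e.result == "FAIL")
    under_threshold = [n for n in failures.values() if n < lockout_threshold]
    if len(under_threshold) < min_accounts:
        return False
    return sum(under_threshold) / len(under_threshold) <= max_mean_attempts


if __name__ == "__main__":
    for label, space in [("4-digit PIN", keyspace(DIGITS, 4)),
                         ("8-digit PIN", keyspace(DIGITS, 8)),
                         ("8 printable ASCII characters", keyspace(PRINTABLE_ASCII, 8)),
                         ("three of 100,000 words", keyspace(ENGLISH_WORDS, 3))]:
        print(f"{label:30} {space:>22,d}  ({entropy_bits(space):5.1f} bits)")
    print("one guess each on 50,000 accounts with 4-digit PINs, expected hits:",
          expected_hits(50_000, 1, keyspace(DIGITS, 4)))
    events = parse_log(SAMPLE_LOG)
    print("locked by per-account rule:", locked_accounts(events))
    print("cross-account spray suspected:", spray_suspected(events))
```

The point of the two detectors is the one the transcript makes: the lockout rule sees only alice, because the other four accounts each fail once and never reach the threshold, while the cross-account view flags exactly that pattern. In a real deployment the spray check would run over a time window and compare against the normal background rate of single failures rather than a fixed count.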
hand, is based on possession of a secret token that only the real user has. An example is a physical key and lock. You can only unlock the door if you have the
key. This escapes this problem of being “guessable”. And they typically require physical presence,
so it’s much harder for remote attackers to gain access. Someone in another country can’t gain access
to your front door in Florida without getting to Florida first. But, what you have authentication can be compromised
if an attacker is physically close. Keys can be copied, smartphones stolen, and
locks picked. Finally, what you are authentication is based
on… you! You authenticate by presenting yourself to
the computer. Biometric authenticators, like fingerprint
readers and iris scanners are classic examples. These can be very secure, but the best technologies
are still quite expensive. Furthermore, data from sensors varies over
time. What you know and what you have authentication
have the nice property of being deterministic – either correct or incorrect. If you know the secret, or have the key, you’re
granted access 100% of the time. If you don’t, you get access zero percent
of the time. Biometric authentication, however, is probabilistic.There’s some chance the system won’t recognize you… maybe you’re wearing a hat or the lighting
is bad. Worse, there’s some chance the system will
recognize the wrong person as you – like your evil twin! Of course, in production systems, these chances
are low, but not zero. Another issue with biometric authentication
is it can’t be reset. You only have so many fingers, so what happens if an attacker compromises your fingerprint data? This could be a big problem for life. And, recently, researchers showed it’s possible
to forge your iris just by capturing a photo of you, so that’s not promising either. Basically, all forms of authentication have
strengths and weaknesses, and all can be compromised in one way or another. So, security experts suggest using two or
more forms of authentication for important accounts. This is known as two-factor or multi-factor
authentication. An attacker may be able to guess your password
or steal your phone: but it’s much harder to do both. After authentication comes Access Control. Once a system knows who you are, it needs
to know what you should be able to access, and for that there’s a specification of
who should be able to see, modify and use what. This is done through Permissions or Access
Control Lists (ACL), which describe what access each user has for every file, folder and program
on a computer. “Read” permission allows a user to see
the contents of a file, “write” permission allows a user to modify the contents, and
“execute” permission allows a user to run a file, like a program. For organizations with users at different
levels of access privilege – like a spy agency – it’s especially important for
Access Control Lists to be configured correctly to ensure secrecy, integrity and availability. Let’s say we have three levels of access:
public, secret and top secret. The first general rule of thumb is that people
shouldn’t be able to “read up”. If a user is only cleared to read secret files,
they shouldn’t be able to read top secret files, but should be able to access secret
and public ones. The second general rule of thumb is that people
shouldn’t be able to “write down”. If a member has top secret clearance, then
they should be able to write or modify top secret files, but not secret or public files. It may seem weird that even with the highest clearance, you can’t modify less secret files. But, it guarantees that there’s no accidental
leakage of top secret information into secret or public files. This “no read up, no write down” approach
is called the Bell-LaPadula model. It was formulated for the U.S. Department
of Defense’s Multi-Level Security policy. There are many other models for access control
– like the Chinese Wall model and Biba model. Which model is best depends on your use-case. Authentication and access control help a computer
determine who you are and what you should access, but depend on being able to trust
the hardware and software that run the authentication and access control programs. That’s a big dependence. If an attacker installs malicious software
– called malware – compromising the host computer’s operating system, how can we
be sure security programs don’t have a backdoor that let attackers in? The short answer is… we can’t. We still have no way to guarantee the security
of a program or computing system. That’s because even while security software
might be “secure” in theory, implementation bugs can still result in vulnerabilities. But, we do have techniques to reduce the likelihood
of bugs, quickly find and patch bugs when they do occur, and mitigate damage when a
program is compromised. Most security errors come from implementation
error. To reduce implementation error, reduce implementation. One of the holy grails of system level security
is a “security kernel” or a “trusted computing base”: a minimal set of operating system software that’s close to provably secure. A challenge in constructing these security
kernels is deciding what should go into it. Remember, the less code, the better! Even after minimizing code bloat, it would
be great to “guarantee” that code as written is secure. Formally verifying the security of code is
an active area of research. The best we have right now is a process called
Independent Verification and Validation. This works by having code audited by a crowd
of security-minded developers. This is why security code is almost always
open-sourced. It’s often difficult for people who wrote
the original code to find bugs, but external developers, with fresh eyes and different
expertise, can spot problems. There are also conferences where like-minded
hackers and security experts can mingle and share ideas, the biggest of which is DEF CON,
held annually in Las Vegas. Finally, even after reducing code and auditing
it, clever attackers are bound to find tricks that let them in. With this in mind, good developers should
take the approach that, not if, but when their programs are compromised, the damage should
be limited and contained, and not let it compromise other things running on the computer. This principle is called isolation. To achieve isolation, we can “sandbox”
applications. This is like placing an angry kid in a sandbox;
when the kid goes ballistic, they only destroy the sandcastle in their own box, but other
kids in the playground continue having fun. Operating Systems attempt to sandbox applications
by giving each their own block of memory that others programs can’t touch. It’s also possible for a single computer
to run multiple Virtual Machines, essentially simulated computers, that each live in their
own sandbox. If a program goes awry, worst case is that
it crashes or compromises only the virtual machine on which it’s running. All other Virtual Machines running on the
computer are isolated and unaffected. Ok, that’s a broad overview of some key
computer security topics. And I didn’t even get to network security,
like firewalls. Next episode, we’ll discuss some specific
example methods hackers use to get into computer systems. After that, we’ll touch on encryption. Until then, make your passwords stronger,
turn on 2-factor authentication, and NEVER click links in unsolicited emails! I’ll see you next week.
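The access control rules from the episode, written out as an added Python example (this is not code from the video or from Crash Course): the Bell-LaPadula “no read up, no write down” checks, a discretionary ACL of the read/write/execute kind the transcript describes, and a reference monitor that requires both to agree before an operation goes ahead. The Biba rules, which the transcript names but does not describe, are included as the mirror image for integrity. The subject names, document names and ACL entries are constructed for the example.

```python
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    """The transcript's three levels, ordered so that < and >= compare them."""
    PUBLIC = 0
    SECRET = 1
    TOP_SECRET = 2


@dataclass(frozen=True)
class Subject:
    name: str
    clearance: Level


@dataclass(frozen=True)
class Document:
    name: str
    classification: Level


def blp_permits(subject, doc, op):
    """Bell-LaPadula: no read up (simple security property) and no write down
    (the *-property). As usually stated, the model does let a lower-cleared
    subject write into a higher document; the ACL below is what limits that."""
    if op == "read":
        return subject.clearance >= doc.classification
    if op == "write":
        return subject.clearance <= doc.classification
    raise ValueError(f"unknown operation {op!r}")


def biba_permits(subject, doc, op):
    """Biba's integrity rules are the mirror image: no read down, no write up.
    Which of the two fits depends on whether secrecy or integrity is at stake."""
    if op == "read":
        return subject.clearance <= doc.classification
    if op == "write":
        return subject.clearance >= doc.classification
    raise ValueError(f"unknown operation {op!r}")


# Discretionary permissions of the read/write/execute kind the transcript
# describes. Entries, names and documents are constructed for this example.
ACL = {
    "press-release.txt": {"analyst": {"read"}, "director": {"read", "write"}},
    "field-report.txt": {"analyst": {"read", "write"}, "director": {"read", "write"}},
    "source-list.txt": {"director": {"read", "write"}},
}


def authorize(subject, doc, op, acl=ACL, mandatory=blp_permits):
    """Reference monitor: the mandatory model and the ACL must both allow `op`.
    Returns (allowed, reason) so that denials can be logged with their cause."""
    if not mandatory(subject, doc, op):
        return False, (f"{mandatory.__name__} forbids {op} of "
                       f"{doc.classification.name} by {subject.clearance.name}")
    if op not in acl.get(doc.name, {}).get(subject.name, set()):
        return False, f"ACL grants {subject.name} no {op} on {doc.name}"
    return True, "allowed"


def no_downgrade_path(subjects, docs, mandatory=blp_permits):
    """The guarantee the transcript motivates: no subject may read one document
    and write a less classified one, so nothing can trickle downward."""
    for s in subjects:
        for src in docs:
            for dst in docs:
                if (mandatory(s, src, "read") and mandatory(s, dst, "write")
                        and dst.classification < src.classification):
                    return False
    return True


ANALYST = Subject("analyst", Level.SECRET)
DIRECTOR = Subject("director", Level.TOP_SECRET)
PRESS = Document("press-release.txt", Level.PUBLIC)
REPORT = Document("field-report.txt", Level.SECRET)
SOURCES = Document("source-list.txt", Level.TOP_SECRET)

if __name__ == "__main__":
    for subj, doc, op in [(ANALYST, SOURCES, "read"), (DIRECTOR, PRESS, "write"),
                          (DIRECTOR, SOURCES, "write"), (ANALYST, PRESS, "read"),
                          (ANALYST, SOURCES, "write")]:
        print(f"{subj.name:8} {op:5} {doc.name:18} ->", authorize(subj, doc, op))
    everyone, everything = [ANALYST, DIRECTOR], [PRESS, REPORT, SOURCES]
    print("no downward flow under Bell-LaPadula:", no_downgrade_path(everyone, everything))
    print("same check under Biba (integrity, not secrecy):",
          no_downgrade_path(everyone, everything, mandatory=biba_permits))
```

Running the `no_downgrade_path` check under both models is the quickest way to see why “which model is best depends on your use-case”: Bell-LaPadula closes every read-high, write-low path, while Biba deliberately leaves those open and closes the opposite ones, because it is guarding against low-integrity data contaminating high-integrity data rather than against leaks.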

Cybersecurity: Crash Course Computer Science #31

100 thoughts on “Cybersecurity: Crash Course Computer Science #31”

  • January 29, 2018 at 4:11 pm
    For someone who is completely new to the field of I.T./cybersecurity, is it a bad idea to start off with a Cyber Security Proficiency 1 class?

  • January 30, 2018 at 4:59 am
    When did cyber security become computer science?

  • February 7, 2018 at 7:29 pm
    You'd think biometric security should use parts of your body that are typically hidden under clothing or don't usually touch things.

  • February 11, 2018 at 8:55 pm
    If there were no black hat hackers, they would lose jobs.

  • February 23, 2018 at 11:39 am
    This is gonna help a lot… Thanks a lot

  • February 24, 2018 at 12:31 pm
    Friggin' A, DEF CON

  • March 6, 2018 at 9:02 pm
    While this video is very educational, I found the cyber security videos posted by Chris Moschovitis, author of Cyber Security Program Development for Business, to be completely informative, valuable, and comprehensive.

  • March 11, 2018 at 9:14 pm
    Hi, I appreciate you. I needed the information you gave, as an SEO and digital marketing specialist. I did not come across a channel or person who described terms like Internet, TCP/IP as simply as you. Thanks again…

  • March 12, 2018 at 6:28 am
    Who saw the Creeper and the Ghost virus book? Like if you did.

  • March 15, 2018 at 6:06 am
    And I am.

  • March 23, 2018 at 3:57 pm
    Learned a lot, thanks.

  • April 10, 2018 at 7:49 am
    Am I a security professional now?

  • April 11, 2018 at 2:51 am
    Stop telling everyone my PIN!

  • April 16, 2018 at 10:10 am
    I just enjoy this course… hahaha

  • April 17, 2018 at 2:28 pm
    It would have been nice to mention seL4, where the authors have formally verified correctness of the kernel.

  • April 18, 2018 at 2:55 am
    I JUST LEARNED HOW THIS CYBERSECURITY WORKS

  • April 21, 2018 at 11:41 am
    Confidentiality – data that only authorised people can read
    Integrity – data that only authorised people can modify
    Availability – data which authorised people should have access to

  • May 3, 2018 at 6:56 am
    Wow! Please make more videos like this. I'm coming from a background of minimal computer knowledge, and this video made it really understandable. Great video.

  • May 3, 2018 at 1:01 pm
    A girl talking about computers and having 7.5 million subscribers is not so common to see.

  • May 19, 2018 at 6:59 pm
    Confidentiality. Integrity. Availability…. What about N? Non-repudiation?

  • May 29, 2018 at 9:43 am
    Dictionary attacks?

  • May 31, 2018 at 3:36 pm
    Boooooooring

  • June 2, 2018 at 9:16 pm
    Using your password to send emails is not an integrity attack.

  • June 8, 2018 at 8:18 pm
    So so wrong, turned it off after 1 minute 33 seconds.

  • June 19, 2018 at 5:13 am
    She guessed my PIN.

  • June 19, 2018 at 3:51 pm
    Thanks for mentioning compartmentalization and Qubes.

  • July 9, 2018 at 5:49 pm
    BIBA!! I appreciated that

  • July 13, 2018 at 9:00 pm
    Biometrics are not good authentication. Not only can fingerprints, retina patterns, etc. be duplicated, but computers only read 1's and 0's and the biometric readers are fairly simple in their conversion. It would be fairly simple to duplicate their output once the make and model of the reader is known… which is easily figured out if you can get the MAC address of the reader…

  • July 14, 2018 at 7:22 am
    What if, just saying, you had a laundry basket, and inside your laundry basket you have a safe, and inside that safe you have another safe, and, I don't know, inside that you have another safe, each one with a different process when access is granted. You have a box; permission is only granted when manually pressing the button, generating a random code that has to be entered. Once obtained, permission granted, you're in. But it's empty, you left it in the second drawer in the kitchen ;) Sorry for wasting your time. Rock on.
  • July 23, 2018 at 1:44 pm
    Need to change my 4-digit PINs :/

  • July 26, 2018 at 9:04 pm
    Only came for malware

  • July 27, 2018 at 1:19 am
    Awesome video!

  • July 31, 2018 at 1:20 pm
    This is a great video; it's more difficult to do these animated vids than to just have a talking head spitting a script. Nice job, guys.

  • August 9, 2018 at 11:45 am
    Biometric identification… now if someone steals your phone, he has to cut off your finger too :00

  • August 9, 2018 at 6:53 pm
    Enrolling in school for this next year.

  • August 10, 2018 at 4:14 pm
    You speak too fast.

  • August 15, 2018 at 5:44 pm
    I love you haha

  • August 18, 2018 at 2:45 pm
    NOTHING IS TOTALLY SAFE!! GOOD VIDEO!! 😀😊

  • August 18, 2018 at 3:53 pm
    Is that a mothafuqin' BEN 10 REFERENCE??

  • August 30, 2018 at 9:33 am
    Good vid

  • August 30, 2018 at 9:35 am
    Good vid bro

  • August 30, 2018 at 9:45 am
    Bad vid

  • September 3, 2018 at 12:06 pm
    Used this in school for a lesson. Very helpful. I'd like to give you some insight. Did you know that Bush did 9/11 and Ted Cruz is the Zodiac Killer? It's true, Yahoo it.

  • September 3, 2018 at 10:30 pm
    Problemistic? You mean problematic haha!

  • September 10, 2018 at 9:26 am
    4:08 You have to remember, it doesn't just have to generate those numbers, it also has to enter them in. For example, even Python, a really freaking slow language, can count from 0 to 10000 in 0.0009965896606445312 seconds, pretty freaking fast! But if you want Python to print each individual number, it will take about 4.403296709060669 seconds. Although entering the numbers might not take as long as printing each one, it would still take at least a second.

  • September 15, 2018 at 2:57 am
    Link in the doobeedoo 😀

  • September 25, 2018 at 9:10 pm
    DOBLE DO

  • October 19, 2018 at 5:27 am
    Secrecy = Confidentiality, the CIA triad.

  • October 22, 2018 at 2:37 pm
    Hi, I'm working as a network security engineer and am interested in a cyber security certification/course… which program should I follow?
    Please suggest the best and easiest one.

  • October 27, 2018 at 6:01 am
    What about DNA-based authentication?

  • November 19, 2018 at 5:26 pm
    I receive so many calls indicating "I'm with your computer security and your computer has been compromised, I am looking at your computer security systems and we need to fix it right away". I call BS and almost always the line goes dead. Can even the companies that are legitimate see into your computer without your knowledge?

  • November 27, 2018 at 3:21 am
    Oh no, the hackers took all of my information! Quick, you can help me! All I need is your mum's credit card number, the magic code on the back and the expiration date. Please, you'll be my hero!!!

  • November 28, 2018 at 4:53 pm
    1, 2, 3, 4, 5? That's amazing! I've got the same combination on my luggage!

  • December 1, 2018 at 3:35 pm
    I am the biggest fan of you. Can you make more videos on cyber security, cryptography etc.?

  • December 24, 2018 at 6:25 pm
    Great information, thanks. May you live long.

  • January 4, 2019 at 4:51 pm
    She's a Trekkie, likes Star Wars, and cats. I think I'm in love.

  • January 11, 2019 at 9:20 am
    Searches infosec crash course to cram for exam, sees 7hr Google one or this one – real head-scratcher.

  • January 13, 2019 at 8:31 pm
    It was my PIN.

  • January 14, 2019 at 6:43 pm
    I love your video, thank you.

  • January 16, 2019 at 4:40 am
    Speaking to me like I'm an idiot.

  • January 30, 2019 at 9:20 am
    You either die a hero or live long enough to see yourself become a villain.

  • February 12, 2019 at 5:05 am
    I love this video and I love that lady teaching it; everything about this is good.

  • February 26, 2019 at 12:22 pm
    Brilliant and easy to understand! Thank you! Even the jokes are funny. XD

  • March 13, 2019 at 5:05 pm
    I work in security and I approve this message. Excellent video!
  • March 13, 2019 at 6:40 pm
    Democrats don't want security!

  • March 16, 2019 at 10:17 pm
    Lol, I just mentioned brute force hacking in an earlier video where you were describing brute coding XD

  • March 19, 2019 at 12:55 am
    That's why you use rainbow tables and not brute forcing.

  • March 19, 2019 at 12:57 am
    I have a 9-digit ASCII rainbow table. Special characters don't matter to me… 🤓

  • March 30, 2019 at 11:19 pm
    Carrie Anne keeps it real. No access to ATMs or she'll take all of it xD

  • April 10, 2019 at 10:54 pm
    20176117

  • April 12, 2019 at 9:26 am
    What is the website she is using at 2:04?

  • April 13, 2019 at 11:17 am
    Thank you.

  • April 16, 2019 at 10:36 am
    light side?

  • April 30, 2019 at 8:11 pm
    Just love going back from time to time to watch some of this amazing course's episodes!

  • May 4, 2019 at 6:27 am
    The hot how to Alta or study my other upset upset

  • May 6, 2019 at 11:01 pm
    I can't believe they guessed my PIN.

  • May 27, 2019 at 10:47 am
    Maybe using Chinese symbols for the password would be a nice improvement. There are thousands of them, they are shorter than western words and you can't misspell them. Say something like 'GoatHeart老王Apricot'

  • June 15, 2019 at 6:18 pm
    1:50 “that shows who your enemy is.” Shows a little girl on her computer.

    A formidable foe.

  • July 10, 2019 at 6:22 am
    9:52 – If you're interested in security kernels, look up seL4. It's a microkernel with formal proofs of implementation correctness and certain security features.

  • July 11, 2019 at 7:09 pm
    Except the Jedi were evil. They let Darth Vader rise.

  • July 13, 2019 at 1:29 pm
    Thank you

  • July 17, 2019 at 1:13 pm
    This was really well done. Thanks!

  • August 6, 2019 at 2:58 am
    You're killing me with the "I'd take it ALL" ATM comment. I'm sitting here dying!

  • August 21, 2019 at 4:06 am
    She speaks too fast, and then she's British.

  • August 21, 2019 at 4:25 pm
    Thanks. Very useful.

  • August 24, 2019 at 2:06 pm
    Ah damn, now I have to change my PIN code.

  • August 25, 2019 at 1:47 am
    And like the Jedi and the Republic, cyber security are the bad guys.

  • August 26, 2019 at 5:44 pm
    Interesting

  • September 6, 2019 at 5:11 pm
    “What happens if a hacker compromises your fingerprint data.” Who else thought she was gonna say “what happens if a hacker cuts your finger off.”

  • September 8, 2019 at 1:38 am
    A 1 GHz processor needing 10 clock cycles per try needs 1/10000 s to brute force ALL 4-digit PINs!

  • September 12, 2019 at 10:06 am
    Kid John went BAZOOKA… Kid Hank is cool.

  • September 18, 2019 at 2:17 pm
    5:09 she looks hella cute

  • October 8, 2019 at 4:00 pm
    Damn, now I have to change my PIN…

  • October 13, 2019 at 1:24 am
    Talking too fast…

  • October 17, 2019 at 3:38 pm
    I am watching this because it supports Korean subtitles.

  • October 31, 2019 at 1:16 pm
    You just lifted a riddle for me: Jedi are the protectors of peace and justice, the warriors of light. What's the only condition in which you'll ever experience peace and justice? Yup, you got it. Warriors of death, that's what they are. That's why Anakin was too old; he had already had his taste of life when he was introduced to the order.

  • November 4, 2019 at 8:36 am
    Good topic explanation

  • November 4, 2019 at 2:32 pm
    I LOVE CARRIE ANNE; HER REFERENCES ARE SO COOL, FROM GAMING TO PETS TO MOVIES, EVERYTHING!!!