
Review Slides, Security +



Presentation Transcript


  1. Review Slides, Security +
     Ted Demopoulos, ted@demop.com

  2. Risk Management
     • Security is all about Risk Management
     • Risk = Vulnerability x Threat
     • Vulnerability – a weakness in a system. All complex systems have vulnerabilities
     • Threat – an event that can cause an undesirable outcome. Threat implies potential harm

  3. SLE/ALE
     • SLE: Single Loss Expectancy – loss from a single event (how bad can it be?)
     • ALE: Annual Loss Expectancy – loss from a threat over an entire year (can it happen multiple times?)

  4. Quantitative vs. Qualitative
     • Risk assessment can be Quantitative or Qualitative
     • Quantitative – a quantity or number, e.g. if a Katrina-strength hurricane hits again, the expected loss is 22 billion dollars
     • Qualitative – e.g. if a Katrina-strength hurricane hits again, it will be extremely bad

  5. Crypto Algorithms

  6. PGP versus PKI
     • PKI – Central authority in charge of trust. You MUST trust the central authority
     • PGP – Closer to anarchy. NO central authority. Web of Trust – you trust your friends and many of your friends' friends

  7. Access Control
     • Discretionary Access Control (DAC)
        • Users control
     • Mandatory Access Control (MAC)
        • Not controlled by users, requires matching clearance and classification levels (e.g. top secret, secret, classified, etc.)
     • Role Based Access Control (RBAC)
        • Based on group memberships

  8. TCP/IP 3 way Handshake
     • SYN
     • SYN, ACK
     • ACK

  9. Some Common Ports (1)
     • TCP 20, 21 – FTP (file transfer protocol)
     • TCP 22 – SSH (secure shell)
     • TCP 23 – telnet
     • TCP 25 – SMTP (simple mail transfer protocol)
     • TCP and UDP 53 – DNS (domain name system)

  10. Some Common Ports (2)
     • TCP 80 – HTTP (hyper text transfer protocol)
     • TCP 110 – POP3 (post office protocol)
     • TCP 143 – IMAP (internet message access protocol)
     • TCP 443 – SSL, HTTPS (secure sockets layer, HTTP over SSL)

  11. Open Source Tools (not on test)
     • Sniffers: TCPdump, Ethereal (now called Wireshark)
     • 802.11: NetStumbler, Kismet
     • Password Assessment: John the Ripper, Cain and Abel
     • Vulnerability Assessment: Nessus
     • Intrusion Detection: Snort
