Ethics and the Law
Computer Ethics • A branch of philosophy that deals with computing-related moral dilemmas and defines ethical principles for computer professionals • Plagiarism • Software Piracy • Proper Email and Internet use • Unauthorized Computer Access • Computer Crimes
Computer Crime • Definition: the act of using a computer to commit an illegal act • Authorized and unauthorized computer access • Examples • Stealing time on company computers • Breaking into government Web sites • Stealing credit card information
Computer Crime • Federal and State Laws • Stealing or compromising data • Gaining unauthorized computer access • Violating data belonging to banks • Intercepting communications • Threatening to damage computer systems • Disseminating viruses
Computer Crime • Hacking and Cracking • Hacker – one who gains unauthorized computer access, but without doing damage • Cracker – one who breaks into computer systems for the purpose of doing damage
Computer Crime • Who commits computer crime?
Computer Crime • Types of computer crime • Data diddling: modifying data • Salami slicing: skimming small amounts of money • Phreaking: making free long distance calls • Cloning: cellular phone fraud using scanners • Carding: stealing credit card numbers online • Piggybacking: stealing credit card numbers by spying • Social engineering: tricking employees to gain access • Dumpster diving: finding private info in garbage cans • Spoofing: stealing passwords through a false login page
Computer Crime • Software piracy • North America – 25% • Western Europe – 34% • Asia / Pacific – 51% • Mid East / Africa – 55% • Latin America – 58% • Eastern Europe – 63%
Laws related to Information Security • Privacy Act of 1974 • Makes a blanket statement that no records at an agency can be disclosed without that individual’s written consent. • Electronic Communications Privacy Act of 1988 • Prohibits unauthorized monitoring of electronic communications by individuals, businesses and the government.
Laws related to Information Security (II) • Computer Matching and Privacy Protection Act of 1988 • Amends the Privacy Act of 1974 by adding new regulations that deal with computer matching. • Computer matching is the process of linking records together by a common element like a social security number.
Laws related to Information Security (III) • Computer Fraud and Abuse Act of 1986 • Passed in 1986 to combat hacking. It primarily applies to four activities: • Knowingly accessing without authorization (or in excess of authorization) any computer system and in doing so obtaining restricted or classified government information. • Knowingly accessing without authorization to obtain financial information. • Intentionally and without authorization accessing any computer of a department or agency of the US. • Knowingly, and with intent to defraud, trafficking in any password or similar information without authorization.
How the Laws affect you • Knowing the previous laws affects you quite profoundly. • If you were to break into a government computer and release a virus, you are responsible for all of the damage and downtime in addition to the actual breaking in to the computer. This could mean large penalties and jail time even for a simple offense.
Computer Crimes – The people who commit them • Amateurs (Script Kiddies) • Temptation is there if access is available. • You wouldn't ask a stranger to hold your wallet while you went around the corner to move your car. • Disgruntled employees • Oh Yeah! I'll show you! • Crackers and Hackers • Often the challenge or curiosity • West German group (Cliff Stoll) • Desert Shield / Desert Storm
Computer Crimes – The people who commit them (II) • Corporate Raiders • Trade Secrets • Inside Information • Financial predictions • Terrorists • No major incidents have occurred yet! • This is a potential nightmare waiting to happen. • Potential Economic disaster.
Categories of Computer misuse • Human Error • Hard to control • Abuse of Authority • White collar crime • Direct Probing • Rattling doorknobs • Probing With Malicious Software • Trojan horses • Direct Penetration • Exploiting system bugs • Subversion of Mechanism • Trap doors
Outline for Today’s Class • Basic Definitions • What is Security Risk Management • Generic Security Risk Management Methodology • Security Risk Analysis
What is Security? • Security is a process, not a product. Security products will not save you – Bruce Schneier • Process is composed of technology, people, and tools. This is important because processes involve time and interaction between entities and many of the hard problems in security stem from this inherent interaction.
What is RISK MANAGEMENT? • The process concerned with identification, measurement, control and minimization of security risks in information systems to a level commensurate with the value of the assets protected. (Definition from National Information Systems Security (INFOSEC) Glossary, NSTISSI No. 4009, Aug. 1997)
RISK • The likelihood that a particular threat, using a specific attack, will exploit a particular vulnerability of a system that results in an undesirable consequence. (Definition from National Information Systems Security (INFOSEC) Glossary, NSTISSI No. 4009, Aug. 1997)
THREAT • Any circumstance or event with the potential to cause harm to an information system in the form of destruction, disclosure, adverse modification of data, and/or the denial of service. (Definition from National Information Systems Security (INFOSEC) Glossary, NSTISSI No. 4009, Aug. 1997)
Definition of Likelihood • LIKELIHOOD of the threat occurring is the estimation of the probability that a threat will succeed in achieving an undesirable event.
Considerations in Assessing the Likelihood of Threat • Presence of threats • Tenacity of threats • Strengths of threats • Effectiveness of safeguards
Two Schools of Thought on Likelihood Calculation • Assume • Don’t Assume
ATTACK • An attempt to gain unauthorized access to an information system’s services, resources, or information, or the attempt to compromise an information system’s integrity, availability, or confidentiality, as applicable. (Definition from National Information Systems Security (INFOSEC) Glossary, NSTISSI No. 4009, Aug. 1997)
VULNERABILITY • Weakness in an information system, cryptographic system, or other components (e.g., system security procedures, hardware design, internal controls) that could be exploited by a threat. (Definition from National Information Systems Security (INFOSEC) Glossary, NSTISSI No. 4009, Aug. 1997)
RM/RA • Risk Management • Risk Assessment • Risk Mitigation
RISK ASSESSMENT • A process of analyzing THREATS to and VULNERABILITIES of an information system and the POTENTIAL IMPACT the loss of information or capabilities of a system would have. The resulting analysis is used as a basis for identifying appropriate and cost-effective counter-measures. (Definition from National Information Systems Security (INFOSEC) Glossary, NSTISSI No. 4009, Aug. 1997)
Benefits of Risk Assessment • Increased awareness • Assets, vulnerabilities, and controls • Improved basis for decisions • Justification of expenditures
Risk Assessment Process • Identify assets • Determine vulnerabilities • Estimate likelihood of exploitation • Compute expected loss
What is a risk (generic) • A definable event • Probability of occurrence • Consequence (impact) of occurrence • A risk is not a problem … a problem is a risk whose time has come
What is a security risk • Threat – is any potential danger to information, or systems (e.g. fire) • Vulnerability – is a software, hardware, or procedural weakness that may provide an attacker the open door to enter a system. (e.g. lack of water) • Risk – loss potential (probability) that a threat will exploit a vulnerability.
The CIA Triad (Security Objectives) • Confidentiality • Integrity • Availability
CIA Model • Confidentiality- The protection of information assets from unauthorized access, leakage or copying. (losing trade secrets, unauthorized access, etc.) • Integrity- The protection of information from unauthorized modification. (accuracy of data, sensitivity to fraud, etc.) • Availability- Ensuring that information assets are available to authorized users when they need and expect them.
Controls to protect Assets (company data and assets) • Technical Controls – Logical access controls, encryption, security devices, identification and authentication • Administrative Controls – Policies, standards, guidelines, screening personnel, security awareness training • Physical Controls – Facility protection, security guards, locks, monitoring, environmental controls, intrusion detection
Relationship among different security components • Threat Agent – gives rise to a Threat • Threat – exploits a Vulnerability • Vulnerability – leads to Risk • Risk – can damage an Asset • Asset – damage to it causes an Exposure • Exposure – can be counter measured by a Safeguard • Safeguard – directly affects the Threat Agent
Security Risk Management • Risk Management is the process of identifying, assessing, and reducing risk(s) to an acceptable level and implementing the right mechanisms to maintain that level of risk (e.g., acceptable risk). • Risk management reduces risks by defining and controlling threats and vulnerabilities.
Generic Security Risk Management Methodology • Project Start • Identify – Identify baseline or new risks • Analyze – Classify risks, Evaluate risks, Prioritize risks • Plan – Assign responsibility, Determine response strategy, Determine action plan • Tracking & Control – Track risks, Control risks • Communication – Communicate risks inside and outside the project team
Primary Risk Calculation Methodologies • Quantitative • Qualitative
Risk Analysis • Risk Analysis is a method of identifying and assessing the possible damage that could be caused, in order to justify security safeguards. • Two types of risk analysis: • Quantitative – attempts to assign real numbers to the costs of safeguards and the amount of damage that can take place • Qualitative – an analysis that judges an organization’s risk to threats based on judgment, intuition, and experience, versus assigning real numbers to these possible risks and their potential loss
Steps of Quantitative Risk Analysis • Assign value to information and assets (tangible and intangible) • Estimate potential loss per risk • Perform a threat analysis • Derive the overall loss potential per risk • Choose safeguards / countermeasures for each risk • Determine Risk Response (e.g. mitigation, avoidance, acceptance)
Formula for Risk
Quantitative Risk Analysis • Exposure Factor (EF) = Percentage of asset loss caused by the identified threat; ranges from 0 to 100% • Single Loss Expectancy (SLE) = Asset Value x Exposure Factor; $1,000,000 asset @ 10% exposure factor = $100,000 • Annualized Rate of Occurrence (ARO) = Estimated frequency with which a threat will occur within a year, characterized on an annual basis. A threat occurring once in 10 years has an ARO of 0.1; a threat occurring 50 times in a year has an ARO of 50 • Annualized Loss Expectancy (ALE) = Single Loss Expectancy x Annualized Rate of Occurrence • Safeguard cost/benefit analysis = (ALE before implementing safeguard) – (ALE after implementing safeguard) – (annual cost of safeguard) = value of safeguard to the company
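The SLE, ARO and ALE arithmetic above, together with the safeguard cost/benefit formula, as an added worked example in Python that is not part of the original slides. It reproduces the slide's $1,000,000 asset at 10% exposure and once-in-ten-years frequency, ranks a small risk register by ALE (the "compute expected loss" and "prioritize risks" steps), and then values two candidate safeguards, one that pays for itself and one that does not. The register entries, safeguard costs and reduced EF/ARO values are constructed sample numbers, not figures from the page.

```python
from dataclasses import dataclass, replace
from typing import List


@dataclass(frozen=True)
class Risk:
    """One threat/asset pair from a constructed risk register (sample data, not from the slides)."""
    name: str
    asset_value: float      # AV: value of the asset in dollars
    exposure_factor: float  # EF: fraction of AV lost per event, 0.0 .. 1.0
    aro: float              # ARO: expected number of events per year

    def __post_init__(self) -> None:
        # Catch the usual data-entry slips: EF entered as 10 instead of 0.10, negative AV or ARO.
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError(f"{self.name}: EF must be a fraction between 0 and 1")
        if self.asset_value < 0 or self.aro < 0:
            raise ValueError(f"{self.name}: AV and ARO must be non-negative")


def single_loss_expectancy(risk: Risk) -> float:
    """SLE = Asset Value x Exposure Factor (loss from one occurrence)."""
    return risk.asset_value * risk.exposure_factor


def annualized_loss_expectancy(risk: Risk) -> float:
    """ALE = SLE x ARO (expected loss per year)."""
    return single_loss_expectancy(risk) * risk.aro


def prioritize(risks: List[Risk]) -> List[Risk]:
    """Rank the register by ALE, highest expected annual loss first."""
    return sorted(risks, key=annualized_loss_expectancy, reverse=True)


def safeguard_value(before: Risk, after: Risk, annual_cost: float) -> float:
    """Value of a safeguard = (ALE before) - (ALE after) - (annual cost of safeguard).

    A negative result means the safeguard costs more per year than the loss it prevents,
    so on these numbers it is not cost-justified (other responses, e.g. acceptance, apply).
    """
    return annualized_loss_expectancy(before) - annualized_loss_expectancy(after) - annual_cost


# Constructed sample register. The first entry reproduces the slide's figures:
# $1,000,000 asset, EF 10%, one event in ten years (ARO 0.1) -> SLE $100,000, ALE $10,000.
SAMPLE_RISKS = [
    Risk("Data centre fire", 1_000_000, 0.10, 0.1),
    Risk("Ransomware on file server", 400_000, 0.50, 0.5),
    Risk("Laptop theft", 5_000, 1.00, 4.0),
]


def evaluate_register(risks: List[Risk]) -> List[dict]:
    """Per-risk SLE and ALE in priority order, i.e. the rows of a quantitative risk report."""
    return [
        {"risk": r.name,
         "sle": single_loss_expectancy(r),
         "ale": annualized_loss_expectancy(r)}
        for r in prioritize(risks)
    ]


def main() -> None:
    for row in evaluate_register(SAMPLE_RISKS):
        print(f"{row['risk']:<28} SLE ${row['sle']:>12,.0f}  ALE ${row['ale']:>12,.0f}")

    # Candidate safeguard 1 (assumed): offline backups cut the ransomware EF from 50% to 10%
    # for $30,000/year. ALE drops from $100,000 to $20,000, so the safeguard is worth $50,000/year.
    ransomware = SAMPLE_RISKS[1]
    with_backups = replace(ransomware, exposure_factor=0.10)
    print("offline backups value:", safeguard_value(ransomware, with_backups, 30_000))

    # Candidate safeguard 2 (assumed): a $25,000/year anti-theft programme cuts laptop thefts
    # from 4 to 1 per year. ALE drops from $20,000 to $5,000, so the value is -$10,000/year.
    laptops = SAMPLE_RISKS[2]
    fewer_thefts = replace(laptops, aro=1.0)
    print("anti-theft programme value:", safeguard_value(laptops, fewer_thefts, 25_000))


if __name__ == "__main__":
    main()
```

The validation in `Risk.__post_init__` is there because the slide's percentages are easy to mis-enter: an exposure factor of 10 instead of 0.10 silently inflates every downstream SLE and ALE by a hundredfold, which is exactly the false precision the Cons column warns about.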
Quantitative Risk Summary • Pros • Uses probability concepts – the likelihood that a risk will occur or will not occur • The value of information is expressed in monetary terms with supporting rationale • Risk assessment results are derived and expressed in management speak • Cons • Purely quantitative risk analysis is not possible, because quantitative measures must be applied to qualitative elements • Can be less ambiguous, but using numbers can give an appearance of specificity that does not really exist • A huge amount of data must be gathered and managed