
Distance Education Team 1

Distance Education Team 1. Adrian Sia Xavier Appé Anoop Georges Salvador Gonzales Augustine Ani Zijian Cao Joe Ondercin. SNA Step 3. November 14, 2001. Overview. Project Progress Essential Services & Assets Client Security Concerns


Presentation Transcript


  1. Distance Education Team 1
     Adrian Sia Xavier Appé Anoop Georges Salvador Gonzales Augustine Ani Zijian Cao Joe Ondercin
     SNA Step 3
     November 14, 2001

  2. Overview
     • Project Progress
     • Essential Services & Assets
     • Client Security Concerns
     • Relevant Attacker Profile, Level of Attack, and Probability of Attack
     • Attack Scenarios
     • Compromisable Components
     • Next Step

  3. Project Progress
     • One meeting every two weeks at 1PM on Saturday
     • 09/15/01 1st project meeting – step 1 discussion (completed)
     • 09/20/01 client interview with Mel Rosso (completed)
     • 09/22/01 2nd project meeting – step 1 presentation dry run (completed)
     • 09/25/01 client interview with Michael Carriger (completed)
     • 09/26/01 Step 1 presentation (completed)
     • 10/13/01 3rd project meeting – step 2 discussion (completed)
     • 10/27/01 4th project meeting – step 2 presentation dry run (completed)
     • 10/31/01 Step 2 presentation (completed)
     • 11/10/01 5th project meeting – step 3 presentation dry run (completed)
     • 11/14/01 Step 3 presentation
     • 11/24/01 6th project meeting – step 4 and final report discussion
     • 12/1/01 7th project meeting – step 4 presentation dry run
     • 12/5/01 Step 4 presentation
     • 12/12/01 Project report submittal
     • Note: additional client interview(s) may be conducted when deemed necessary.

  4. Essential Services & Assets
     • Essential Services
       • Course Web Site Access
       • Email
       • Chat
     [Network diagram; labels: Oracle Admin App, CMU Network, Admin Server, Internet, E-Mail Server, Hub, Essential Assets, Apache Web Server, Admin Staff, MySql, Instructor, IMeet Chat Server, Product Server, Tech Staff, CS Network]

  5. Potential Attackers
     • Recreational Hackers
       • Script Kiddies
       • Vandals
     • DE Students
     • Disgruntled Employee
       • Current
       • Former
     • Intellectual Property Spy
     • Transit Seeker

  6. Attacker Attributes
     • Resources
     • Time
     • Tools
     • Risk
     • Access
     • Objectives

  7. Attacker Profile
     • Recreational Hackers
       • Varied skills, knowledge levels, support
       • No particular time constraints
       • Distributed tool, toolkit, script
       • Not averse, may not understand risk
       • External/Internet access
       • Status, thrills and challenges
     • Level: Target-of-Opportunity
     • Probability: High

  8. Attacker Profile
     • DE Students
       • Varied skills, knowledge of process
       • Immediate needs
       • Distributed tool, toolkit, script
       • Risk averse
       • Internal access via Internet
       • Spy on other students’ homework, modify records and browse unregistered courses
     • Level: Target-of-Opportunity
     • Probability: Low/Medium

  9. Attacker Profile
     • Disgruntled Employee
       • Knowledge of process, depends on personal skills
       • Very patient; waits for an opportunity
       • Physical attack, toolkit, self-created program
       • Risk averse
       • Internal/external, LAN, dialup, or Internet
       • Personal gain, get even, embarrass organization
     • Level: Intermediate
     • Probability: High

  10. Attacker Profile
     • Intellectual Property Spy
       • Medium to expert skills, knowledge and experience
       • Current desire to access the information
       • Customized tool, tap
       • Very risk averse
       • External, Internet
       • Measurable gains
     • Level: Sophisticated
     • Probability: Low

  11. Attacker Profile
     • Transit Seekers
       • Medium to expert skills, knowledge and experience
       • Patience depends on mission
       • User commands, customized tool, autonomous tool, social engineering
       • Risk averse
       • External, Internet
       • Gain access to other CMU networks
     • Level: Intermediate/Sophisticated
     • Probability: Low

  12. Client Security Concerns
     • Web page access to student info
     • Grades online through blackboard
     • Work submission online
     • Student assignments
     • Billing information

  13. Attack Scenarios

  14. IUS1 – Denial of Service
     • Component Based Attack
     • Possible Attackers
       • Recreational Hacker
       • Disgruntled employee
     • Instigating Network Traffic and Connection Request
       • Distributed denial of service
       • SYN flood
       • Ping of death
     • Compromise the Availability of the System

  15. Tracing IUS1
     [Network diagram; labels: Oracle Admin App, CMU Network, Admin Server, Internet, E-Mail Server, Hub, Essential Assets, Apache Web Server, Hacker, Admin Staff, MySql, Instructor, IMeet Chat Server, Product Server, Tech Staff, CS Network]

  16. IUS2 – Unauthorized Access
     • User Access Based Attack
     • Possible Attackers
       • DE student
       • Disgruntled employee
     • Using Incomplete or Improperly Assigned Access Rights to View or Modify Information
       • Privilege escalation
       • Password sniffing
       • Brute force
     • Compromise the Privacy and/or Integrity of Information

  17. Tracing IUS2
     [Network diagram; labels: Oracle Admin App, CMU Network, Admin Server, Internet, E-Mail Server, Hub, Disgruntled Emp, Essential Assets, Apache Web Server, Student, Admin Staff, MySql, Instructor, IMeet Chat Server, Product Server, Tech Staff, CS Network]

  18. IUS3 – Data Corruption
     • User Access/Application Content Based Attack
     • Possible Attackers
       • Disgruntled employee
       • Recreational Hacker
     • Logic Bombs and Data Corruption
       • Privilege escalation
       • Attachment to email
       • Virus or scripting
     • Compromise Data Integrity and Availability

  19. Tracing IUS3
     [Network diagram; labels: Oracle Admin App, CMU Network, Admin Server, Internet, E-Mail Server, Hacker, Hub, Essential Assets, Apache Web Server, Former Staff, Admin Staff, MySql, Instructor, IMeet Chat Server, Product Server, Tech Staff, CS Network]

  20. IUS4 – Backdoor/Trojan Attack
     • User Access/Application Content Based Attack
     • Possible Attackers
       • Disgruntled employee
       • Recreational hacker
       • Intellectual property spy
       • Transit seeker
     • Possible Upload of Malicious Code
       • Attachment to email
       • Virus or scripting
       • Salami
       • Buffer overflow
     • Compromise Privacy, Integrity and Availability

  21. Tracing IUS4
     [Network diagram; labels: Oracle Admin App, CMU Network, Admin Server, Internet, E-Mail Server, Hacker, Hub, Essential Assets, Apache Web Server, Former Staff, Admin Staff, MySql, Instructor, IP Spy/Transit, IMeet Chat Server, Product Server, Tech Staff, CS Network]

  22. Next Step
     • Identify Softspots
     • Brief Existing Strategies for 3 R’s
     • Present Survivability Map
     • Recommendations

  23. Questions?
