230 likes | 363 Views
Security Brief and Terms II. Session 15 YSU Weapons of Mass Destruction. Risk – Attacker’s View. Risk Aversion A measure of what an attacker is willing to lose. What was the risk aversion (low or high)? Timothy McVeigh John Hinkley Scott Peterson Martha Stewart Robert Blake
E N D
Security Brief and Terms II Session 15 YSU Weapons of Mass Destruction
Risk – Attacker’s View • Risk Aversion • A measure of what an attacker is willing to lose. • What was the risk aversion (low or high)? • Timothy McVeigh • John Hinkley • Scott Peterson • Martha Stewart • Robert Blake • 9-11 Hijackers
Risks to The System? • Important to know your attacker and their level of risk aversion • Know the tools available. . . • Public Health Department • Irrational disgruntled client • Disgruntled • Religious fundamentalist bioterrorist aiming to eliminate public health system
Types of Attackers • Opportunistic – Rather risk averse • Speeders • Kids in a candy store • Lady with lottery ticket • Professional – Less risk averse/calculated • Brinks job
Types of Attackers • Emotional • Attacks are statement attacks • Often make no sense to others • 1993 World Trade Center • Embassy bombings • Susan Smith • Richard Reid
Groups of Concern - Emotional • Religious • Hezbollah, IRA, Al Qaida, • Political • FLNC, Red Brigade • Issue • Earth First, ACT UP,
Homicide Bombers • What is Israel’s response to homicide bombers?
“I’m Sorry Attacks” • I have pulled this one at LAX when I realized that my favorite multipurpose tool was still attached to my belt. • I also pulled this at LAX years before trying to bring home fruit on the plane. • Plausible deniability • Weapons to Nicaragua.
Changing the Rules • New form of hijacking – White House Memo • Hijacking – Northwest U.S. • MIT Students – Las Vegas • NORAD – Cobalt Devices • 9-11 Attackers
Security System Issues • In General – Complexity = Vulnerability • In General – Standardization = Vulnerable • Home alarms • Computer firewalls • Combination locks • Car alarms • Airport security • Class Breaks
Security Structure - School • Camera in Parking Lot • Sign on Door • Buzzer and Camera • I.D. and Verification • Accompanying Party
Security Structure • Single-Layer Defense Technique • Store manager with deposit • Sequential – No Link • Mote, Wall, Hot Oil • Sequential – Linked • Motion detector, phone line, monitoring system, dispatch
Security In-Depth • Assures that if one system fails a second can pick up the slack. (how many?) • Bank • House • Airport • Courtroom • Mall
Weakest Link Consideration • Harry Potter • 3-headed dog • Snare plant • Locked door – flying keys • Chess game • Troll • Logic patterns • Magic mirror • All Difficult
Brittle Layers Fail Badly • Concrete Bunker • Computer Systems • Door on HVAC • Nuclear Plant
Dynamic Systems Can Adapt • Static security works great for copycats • When there is only one way to attack • Before submarines • Dynamic • Human immune system • 1 type of potato • Human observation is flexible • Flight 93 before and after phone calls
Flexibility of People • December 14, 1999 • Ahmed Resam • Diana Dean said he was hinky • This flexible system worked but. . • It was a form of profiling (not for Arabs)
Secrets • Security relying on secrets is brittle • Codes for nuclear missile vs. • Secret door
What About Profiling? • Everyone does it daily. • Not always malicious. • The way you dress, tone of voice, the way you “carry yourself”, the car you drive, the language you use, your occupation and certainly your race and ethnicity.
Does Profiling Work Well? • Depends on three factors • The accuracy of the intuition • All Italians love pasta. • All Arabs are Muslims. • How effective it is when it is institutionalized • If you are on 224 on a Saturday night, you might be up to something – DUI. • How commonplace the characteristics are • Men wearing earrings for example 50’s vs. 00’s
Profiling • Often fails – real attackers are few and far between. • True attackers may dye their hair, trim beard etc. • If all attackers are of a single race or ethnicity, it may make sense • El Al Airlines heavily profile Arab men. • But what about Richard Reid?
Three Last Terms • Identification – Who are you? • “Please insert ATM card” • Ticket and photo I.D. • Authentication – Prove it. • “Type in your code” • Answer question or biometric scanners • Authorization – You are allowed to do this. • Withdraw, deposit, get balance, pay loan • Enter the terminal
Summing Up Security • There is much more to learn • Monitor, detect, notify and respond • In general • Flexible systems • Resilient in the face of attack • With security in depth