1 / 29

Basic Security Concepts

Basic Security Concepts. Threats and Attacks Computer Criminals Defense Techniques Security Planning. An Example. School district employee uses disk with student names and SSNs in a student computer lab Student later removes information from the lab Anderson District 5 – T. L. Hanna HS

nishan
Download Presentation

Basic Security Concepts

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Basic Security Concepts Threats and Attacks Computer Criminals Defense Techniques Security Planning

  2. An Example • School district employee uses disk with student names and SSNs in a student computer lab • Student later removes information from the lab • Anderson District 5 – T. L. Hanna HS • The State, August 26, 2004 CSCE 522 - Eastman - Fall 2006

  3. Security Terminology • Threat: potential occurrence that can have an undesired effect on the system • Vulnerability: characteristics of the system that makes it possible for a threat to potentially occur • Attack: action of malicious intruder that exploits vulnerabilities of the system • Risk: measure of the possibility of security breaches and severity of the damage • Control: protective measure that reduces a vulnerability CSCE 522 - Eastman - Fall 2006

  4. Threat or Menace? • Hackers: Threat or Menace? • Instant Messaging: Threat or Menace? • SUVs: Threat or Menace? • Colons: Threat or Menace? • Mary Worth: Threat or Menace? CSCE 522 - Eastman - Fall 2006

  5. Superman • Vulnerability • Kryptonite • Threat • Possible exposure to kryptonite • Attack • Use of kryptonite by villain • Control • Lead shielding CSCE 522 - Eastman - Fall 2006

  6. Roadkill • Vulnerability • Animals on road • Threat • Possible collision with animal • Attack • Unwise road crossing by animal • Control • Various CSCE 522 - Eastman - Fall 2006

  7. Assessment of Risk • Probability of Collision • Species of animal • Location • Time and date • Damage to car/occupants • Minor or none • Total destruction/death • Damage to animal • Minor scratches • Death CSCE 522 - Eastman - Fall 2006

  8. Different Animals • Moose • Possible high damage to car/occupants • Low probability in South Carolina • Deer • Possible high damage to car/occupants • High probability in South Carolina • Frog • Little or no damage to car/occupants • High probability in South Carolina CSCE 522 - Eastman - Fall 2006

  9. Possible Controls for Deer • Defensive driving • Knowledge of deer behavior • Deer crossing signs • Fences • Diversionary feeding areas • Expanded hunting seasons • Roadside reflectors • Whistles and other noisemakers • Deer activated flashing lights CSCE 522 - Eastman - Fall 2006

  10. And Now ... Back to Computer Security

  11. Sources of Threats • Errors of users • Dishonest insider • Disgruntled insider • Outsiders • Natural disasters • Computer system failure CSCE 522 - Eastman - Fall 2006

  12. Types of Threats • Disclosure threat – dissemination of unauthorized information • Alteration threat – incorrect modification of information • Denial of service threat – access to a system resource is blocked CSCE 522 - Eastman - Fall 2006

  13. Impact of Attack: What? • Interruption – an asset is destroyed, unavailable or unusable (availability) • Interception – unauthorized party gains access to an asset (confidentiality) • Modification – unauthorized party tampers with asset (integrity) • Fabrication – unauthorized party inserts counterfeit object into the system (integrity) CSCE 522 - Eastman - Fall 2006

  14. Methods of Attack: How? • Passive attacks: • Eavesdropping • Monitoring • Active attacks: • Masquerade – one entity pretends to be a different entity • Replay – passive capture of information and its retransmission • Modification of messages – legitimate message is altered • Denial of service – prevents normal use of resources CSCE 522 - Eastman - Fall 2006

  15. Computer Crime • Any crime that involves computers or aided by the use of computers • U.S. Federal Bureau of Investigation: reports uniform crime statistics CSCE 522 - Eastman - Fall 2006

  16. Computer Criminals • Amateurs: regular users, who exploit the vulnerabilities of the computer system • Motivation: easy access to vulnerable resources • Crackers: attempt to access computing facilities for which they do not have the authorization • Motivation: enjoy challenge, curiosity • Career criminals: professionals who understand the computer system and its vulnerabilities • Motivation: personal gain (e.g., financial) CSCE 522 - Eastman - Fall 2006

  17. Methods of Defense • Prevent: block attack • Deter: make the attack harder • Deflect: make other targets more attractive • Detect: identify misuse • Tolerate: function under attack • Recover: restore to correct state CSCE 522 - Eastman - Fall 2006

  18. Information Security Planning • Organization analysis • Risk management • Mitigation approaches and their costs • Security policy • Implementation and testing • Security training and awareness CSCE 522 - Eastman - Fall 2006

  19. System Security Engineering Specify System Architecture Identify and Install Safeguards Threats, Attacks, Vulnerabilities?? Prioritize Vulnerabilities Estimate Risk Risk is acceptably low CSCE 522 - Eastman - Fall 2006

  20. Risk Management • Risk analysis • Risk avoidance • Risk mitigation • Risk acceptance • Risk transference CSCE 522 - Eastman - Fall 2006

  21. Risk Analysis Methods • Risk Analysis • Threats and relevance • Potential for damage • Likelihood of exploit CSCE 522 - Eastman - Fall 2006

  22. Assets-Threat Model • Threats compromise assets • Threats have a probability of occurrence and severity of effect • Assets have values • Assets are vulnerable to threats Threats Assets CSCE 522 - Eastman - Fall 2006

  23. Computing Risks • Risk: expected loss from the threat against an asset • ALE = AV*EF*ARO • ALE – annualized loss expectancy • AV -- value of asset • EF -- exposure factor (fraction lost) • ARO – annualized rate of occurrence CSCE 522 - Eastman - Fall 2006

  24. A Simple Example • Threat: Power surge • Vulnerability: Power supply • AV – computer valued at $1,000 • EF – 10% loss if power surge • SLE -- $100 (AV*EF) • ARO – 2 (twice a year) • ALE -- $200 (SLE*ARO) CSCE 522 - Eastman - Fall 2006

  25. Cost/Benefit Analysis • Benefit = (ALE * Life) - Cost • Assume • Surge protector costs $25 • Surge protector lasts 5 years • ALE = $200 • Benefit = ($200 * 5) - $25 = $975 • Buy the surge protector!!! CSCE 522 - Eastman - Fall 2006

  26. System-Failure Model • Estimate probability of highly undesirable events • Risk: likelihood of undesirable outcome Threat Undesirable outcome System CSCE 522 - Eastman - Fall 2006

  27. Risk Acceptance • Certification • How well the system meets the security requirements (technical) • Accreditation • Management’s approval of automated system (administrative) CSCE 522 - Eastman - Fall 2006

  28. Mitigation Approach • Security safeguards • Protection • Assurance CSCE 522 - Eastman - Fall 2006

  29. Next Class Access Control Methodologies Who? What? When? How? CSCE 522 - Eastman - Fall 2006

More Related