Lecture II : Security Analysis and Planning

1. Lecture II : Security Analysis and Planning Internet Security: Principles & Practices John K. Zao, PhD SMIEEE National Chiao-Tung University Fall 2005

2. 2 Internet Security - System Analysis & Planning Theme Objectives Highlight objectives of security system design & implementation Introduce procedure of security system planning & operation Motto Security/Safety is a relative measure NO system is absolutely secure ! Users’ sense of security is usually a fuzzy warm feeling Security specialists must specify & quantify security measures Security systems only offer measured protection (safeguards) over selected resources (assets) against identified dangers (threats) Security protection is a perpetual practice consisting of planning, deployment, monitoring & improvement

3. 3 Internet Security - System Analysis & Planning Security System, Planning & Operation Vulnerability Analysis Service Selection Mechanism Implementation

4. 4 Internet Security - System Analysis & Planning Security System, Concepts Assets – system resources to be valued & protected Vulnerability – system weakness exposes assets to threats Threats – persons/things/events pose dangers to assets Attacks – actual realizations of security threats Risks – cost measures of realized vulnerability (considering probability of successful attacks Countermeasures/Safeguards – structures/policies/mechanisms protect assets from threats

5. 5 Internet Security - System Analysis & Planning Threats, Categorization Fundamental Threats Confidentiality Violation – leakage of information Integrity Violation – compromise of information consistency Denial of Services – service unavailability to legitimate users Illegitimate Use – service availability to illegitimate users Enabling Threats Penetration Threats Masquerade – identity falsification Control/Protection Bypass – system flaw exploitation Authorization Violation – insider violation of usage authorization Planting Threats Trojan Horse Trapdoor/Backdoor

6. 6 Internet Security - System Analysis & Planning Threats, Categorization [Cont’d] Underlying Threats Eavesdropping Traffic Analysis Personnel Indiscretion/Misconducts Media Scavenging … They are application & environment specific

7. 7 Internet Security - System Analysis & Planning Countermeasures/Safeguards Physical Security Physical Security Operational Security Personnel Security Administrative Security Information Lifecycle Control Technical Security Communication Security Computation Security Media Security Emanation Security

8. Example: Use of IPsec & IKE in Universal Mobile Telecommunication System Dr. John K. Zao Sr. Scientist, Information Security Verizon Communications / BBN Technologies