Sources of Vulnerabilities - PowerPoint PPT Presentation

Provided by: harry8
Transcript and Presenter's Notes

Title: Sources of Vulnerabilities


1
Sources of Vulnerabilities
  • CSEM02
  • University of Sunderland

2
Reference
  • P. Neumann, 1995, Computer-Related Risks,
    Addison-Wesley, ISBN 0-201-55805-X

3
Vulnerabilities in Development
  • System conceptualization
      • Misassessment of the technology.
  • Requirements definition
      • Erroneous, incomplete, or inconsistent
        requirements.
  • System design
      • Fundamental misconceptions or flaws.
  • Implementation
      • Various errors.
  • Support systems
      • Faulty or poor tools.
  • System analysis
      • False assumptions or erroneous models.
  • Testing
      • Incomplete or erroneous testing.
  • Evolution
      • Sloppy maintenance and upgrades.
  • Decommission
      • Premature removal of components used
        elsewhere.

4
Vulnerabilities in Use
  • Environment
      • Earthquakes, floods, fires, etc.
  • Animals
      • E.g., squirrelcide.
  • Infrastructure
      • Loss of power, air conditioning
  • Hardware
      • Malfunction due to ageing or transients
  • Software
      • Bugs
  • Communications
      • Outages, interference, and jamming
  • Human Limitations
      • Installation or misuse

5
Note Well
  • Vulnerabilities are not just security
  • However, security vulnerabilities
      • Tend to involve insiders
      • Tend to involve human behavior
      • Sometimes result from unwarranted assumptions
      • Often are due to design errors or incomplete
        understanding of a system or technology

6
System Conceptualization
  • Misunderstanding of the technology
      • Too far
      • Not far enough
  • Cost overruns
  • Schedule overruns
  • Lack of Feasibility
  • Example: MIFASS (Marine Fire and Air Support
    System). The agency direction was to use a CPU
    somewhat slower than a first generation Apple II.
    There was no recovery.

7
Requirements Definition
  • Erroneous requirements
  • Incomplete requirements
  • Inconsistent requirements
  • Extremely common and expensive. Missing
    requirements are the worst problem. Agile methods
    attempt to address this.

8
System Design
  • Fundamentally false assumptions
      • E.g., infinite speed of light
  • Erroneous models
  • Example: the FAA's Advanced Automation System.
    The contractor assumed that the average statement
    in Ada generated 5 machine instructions (actually
    it was 10) and that the speed of a 10 MHz machine
    was (with parallelism) 20 MHz (actually it was 12
    MHz). There was no recovery.

9
Implementation
  • Various and varied.
  • Chip fab
  • Wiring
  • Programming bugs
  • Trojan horses
  • Viruses
  • We will discuss this.

10
Support Systems
  • Faulty or poor tools
  • Language choice
  • Compiler/debugger
  • Bad tools
  • Editing
  • CASE tools never met their expectations
  • Sometimes reflect failure to meet standards.
  • Sometimes are deliberate on the part of a vendor.

11
System Analysis
  • False assumptions about
      • World
      • Operating environment
      • Human behavior
  • Erroneous models and simulations
  • Prototypes help here.

12
Testing
  • Incomplete testing
  • Erroneous testing
  • Faulty code verification
  • What is a testable requirement? One way of
    addressing this is Test-Driven Development (TDD),
    where you write the unit tests first.

13
Evolution
  • Sloppy maintenance and upgrades.
  • Misconceptions
  • New flaws
  • Loss of design coherency
  • Maintenance organizations do not attract the
    best engineers. Design your system so it can be
    maintained by entry-level staff.

14
Decommission
  • Premature removal.
  • Removal of components needed elsewhere.
  • Hidden dependencies
  • Replacement not done in time
  • Hardware and software end of life
  • Vendor profiteering

15
Environment
  • Earthquake
  • Flood
  • Fire
  • Temperature extremes
  • EMI
  • Etc

16
Animals
  • Sharks (underwater cables)
  • Squirrels (enjoy fibre and cabling)
  • Monkeys (inquisitive)
  • Birds (watch your neighborhood telephone poles)
  • Horses (enjoy practical jokes)
  • Cattle
  • Pigs
  • Etc.

17
Infrastructure
  • Power
  • Air Conditioning
  • Physical Security

18
Hardware
  • Ageing
  • Transients
  • Environmental problems
  • Errors in Design

19
Software
  • Bugs of many sorts
  • System development
  • Change implementation
  • Maintenance

20
Communications
  • Outages
  • Natural interference
  • Jamming
      • Intentional
      • Accidental
  • Tapping
  • Other

21
Human Error
  • Installation
  • Misuse
      • Intentional
      • Unintentional

22
Adverse Effects
  • A myriad
  • Discuss