ASSESSING THE NEED FOR SECURITY - PowerPoint PPT Presentation

Slides: 29
Provided by: york5

Transcript and Presenter's Notes

1
ASSESSING THE NEED FOR SECURITY
  • Chapter 1

2
ASSESSING THE NEED FOR SECURITY
  • Security design concepts
  • Assets
  • Threats
  • Vulnerabilities
  • Countermeasures
  • Historical compromises

3
SECURITY DESIGN INFLUENCES
  • Legal requirements
  • Business risk tolerance
  • Finance
  • Current events
  • Technology

4
THE THREE PILLARS OF INFORMATION SECURITY
  • Confidentiality
  • Integrity
  • Availability

5
DEFENSE-IN-DEPTH
  • Use multiple layers of defense. For example:
  • Security guards and security cameras
  • Network firewalls and host-based firewalls
  • Log on as a non-administrator and use antivirus
    software
  • Protects against any single vulnerability
  • Gives you time to test critical updates

6
THE SCOPE OF SECURITY
  • Security architecture
  • Physical security
  • Cryptography
  • Access control
  • Network security

7
THE SCOPE OF SECURITY (CONT.)
  • Applications and systems development
  • Operations security
  • Security management practices
  • Law, investigations, and ethics
  • Business continuity planning

8
ATTACK COMPONENTS
  • Asset
  • Threat agent
  • Threat
  • Vulnerability
  • Compromise
  • Countermeasure

9
ASSET
  • Items that you have purchased
  • Software
  • Hardware
  • Facilities
  • People
  • Information
  • Anything else deserving protection

10
THREAT AGENT
  • The attacker
  • Malicious attackers
  • Nonmalicious attackers
  • Mechanical failures
  • Catastrophic events

11
THREAT AGENT: MALICIOUS ATTACKERS
  • The classic hacker attacking from outside
  • Disgruntled employees attacking from inside
  • Likely to have specific goals and objectives
  • To anticipate their attacks, study their
    motivations

12
THREAT AGENT: NONMALICIOUS ATTACKERS
  • People make mistakes that can cause damage such
    as invalid data or failed services
  • Examples: programming bugs, data-entry errors
  • Mitigate with
  • Thorough testing procedures
  • Backups
  • Business continuity plans

13
THREAT AGENT: MECHANICAL FAILURES
  • Power outages, hardware failures, network outages
  • Mitigate with
  • Business continuity plans
  • Network redundancy
  • Server clustering
  • Service level guarantees

14
THREAT AGENT: CATASTROPHIC EVENTS
  • Extreme weather: tornadoes, hurricanes,
    earthquakes, tsunami
  • Fire
  • Acts of war
  • Catastrophic events are rare, but the damage is
    tremendous. Therefore, the total risk is often
    high.

15
THREAT
  • Threat agent is the attacker; threat is the
    attack
  • Use STRIDE to remember the six main types of
    threat:
  • Spoofing identity
  • Tampering with data
  • Repudiation
  • Information disclosure
  • Denial-of-service
  • Elevation of Privilege

16
VULNERABILITY
  • Also known as a weakness
  • Has the potential to be a compromise when
    combined with a threat
  • Common vulnerability types
  • Physical
  • Natural
  • Hardware and software
  • Media
  • Communications
  • Human

17
COMPROMISE
  • A successful attack, often called an exploit
  • Occurs when a threat agent creates a threat for
    an unprotected vulnerability
  • If the threat does not penetrate your defenses,
    you were merely attacked. Attacks are not a
    problem; compromises are a problem.

18
COUNTERMEASURE
  • Also known as a safeguard
  • Reduces the likelihood of a vulnerability
  • Does not eliminate a vulnerability
  • Three main types
  • Preventative
  • Detective
  • Reactive

19
PREVENTATIVE COUNTERMEASURES
  • Prevent threats from exploiting a vulnerability
  • Examples
  • Firewalls
  • Software updates
  • Antivirus software
  • Employee security training

20
DETECTIVE COUNTERMEASURES
  • Used to detect an attack or a compromise
  • Can enable you to respond after an attack begins,
    but before a compromise occurs
  • Can also be used to detect a successful attack
  • Examples
  • Intrusion-detection system
  • Security logs

21
REACTIVE COUNTERMEASURES
  • Used after a compromise
  • Examples
  • On-site or off-site backups
  • Disaster recovery plans
  • Law enforcement

22
ATTACK COMPONENTS

23
HISTORICAL COMPROMISES
  • The fundamentals of security design remain
    constant throughout history
  • A Windows network will be subject to the same
    types of attack that were used before computers
    even existed
  • Those who cannot learn from history are doomed
    to repeat it

24
1938: POLES BREAK NAZI ENCRYPTION
  • Nazis use encryption to communicate privately
    over public radio communications
  • Poles spend many years studying the
    communications
  • Poles break the encryption because of Nazi
    mistakes
  • Lesson: Humans make mistakes

25
1972: CAP'N CRUNCH CRACKS PHONE SYSTEM
  • Blind children discover that a whistle in a Cap'n
    Crunch cereal box makes a 2600-hertz (Hz) tone
    also used by telephone equipment
  • Blow the whistle and get free long-distance calls
  • Telephone company's services are stolen, but the
    company catches John Draper (a threat agent) by
    monitoring usage logs
  • Lesson: Do not rely on security by obscurity, and
    use detective countermeasures

26
1988: MITNICK STEALS CODE FROM DEC
  • Kevin Mitnick uses social engineering to gain
    access to user credentials
  • Abuses credentials to access internal network
  • FBI monitors, arrests, and convicts Mitnick of
    multiple computer crimes
  • Lesson: Sophisticated attackers use
    unconventional attacks

27
2000: ATTACKER STEALS MICROSOFT SOURCE CODE
  • Microsoft employee runs Trojan horse received in
    e-mail
  • Trojan horse opens a back door that contacts
    threat agents
  • Threat agents use access to collect passwords and
    steal source code
  • Damage limited because credentials gave threat
    agents access to limited portions of the source
    code
  • Microsoft's tarnished security reputation caused
    immeasurable damage
  • Lesson: Valuable data deserves expensive
    countermeasures

28
SUMMARY
  • Technology is the least important of the
    influences to security design
  • Important assets deserve multiple layers of
    protection
  • Understand the components of an attack
  • Learn from the mistakes of other security
    designers