Basic Security Concepts Lecture 2 - PowerPoint PPT Presentation

1 / 20
About This Presentation
Title:

Basic Security Concepts Lecture 2

Description:

Computer Crime. Any crime that involves computers or aided by the use of computers. U.S. Federal Bureau of Investigation: reports uniform crime statistics. CSCE ... – PowerPoint PPT presentation

Number of Views:28
Avg rating:3.0/5.0
Slides: 21
Provided by: far1
Category:

less

Transcript and Presenter's Notes

Title: Basic Security Concepts Lecture 2


1
Basic Security ConceptsLecture 2
  • Threats, Attacks, etc.
  • Computer Criminals
  • Defense Techniques
  • Security Planning

2
Reading Assignment
  • Reading assignments for lecture 2
  • Pfleeger Ch 1.4, 1.5, 1.6, 1.7
  • Recommended 
  • Database Security Planning Checklist
    http//www.sybase.com/content/1024210/Database_sec
    urity.pdf
  • The Risks and Rewards of Information Security
    Planning http//www.toptentechs.com/issues/Issue1/
  • Risk Assessment Tools and Practices for
    Information System Security http//www.fdic.gov/ne
    ws/news/financial/1999/FIL9968a.HTML
  • Reading assignments for next class
  • Required
  • Pfleeger 2.1, 2.2

3
Threat, Vulnerability, Risk
  • Threat potential occurrence that can have an
    undesired effect on the system
  • Vulnerability characteristics of the system that
    makes is possible for a threat to potentially
    occur
  • Attack action of malicious intruder that
    exploits vulnerabilities of the system to cause a
    threat to occur
  • Risk measure of the possibility of security
    breaches and severity of the damage

4
Types of Threats (1)
  • Errors of users
  • Natural/man-made.machine disasters
  • Dishonest insider
  • Disgruntled insider
  • Outsiders

5
Types of Threats (2)
  • Disclosure threat dissemination of unauthorized
    information
  • Integrity threat incorrect modification of
    information
  • Denial of service threat access to a system
    resource is blocked

6
Types of Attacks (1)
  • Interruption an asset is destroyed, unavailable
    or unusable (availability)
  • Interception unauthorized party gains access to
    an asset (confidentiality)
  • Modification unauthorized party tampers with
    asset (integrity)
  • Fabrication unauthorized party inserts
    counterfeit object into the system (authenticity)
  • Denial person denies taking an action
    (authenticity)

7
Types of Attacks (2)
  • Passive attacks
  • Eavesdropping
  • Monitoring
  • Active attacks
  • Masquerade one entity pretends to be a
    different entity
  • Replay passive capture of information and its
    retransmission
  • Modification of messages legitimate message is
    altered
  • Denial of service prevents normal use of
    resources

8
Computer Crime
  • Any crime that involves computers or aided by the
    use of computers
  • U.S. Federal Bureau of Investigation reports
    uniform crime statistics

9
Computer Criminals
  • Amateurs regular users, who exploit the
    vulnerabilities of the computer system
  • Motivation easy access to vulnerable resources
  • Crackers attempt to access computing facilities
    for which they do not have the authorization
  • Motivation enjoy challenge, curiosity
  • Career criminals professionals who understand
    the computer system and its vulnerabilities
  • Motivation personal gain (e.g., financial)

10
Methods of Defense
  • Prevent block attack
  • Deter make the attack harder
  • Deflect make other targets more attractive
  • Detect identify misuse
  • Tolerate function under attack
  • Recover restore to correct state

11
Information Security Planning
  • Organization Analysis
  • Risk management
  • Mitigation approaches and their costs
  • Security policy
  • Implementation and testing
  • Security training and awareness

12
System Security Engineering
Specify System Architecture
Identify and Install Safeguards
Identify Threats, Vulnerabilities, Attacks
Prioritize Vulnerabilities
Estimate Risk
Risk is acceptably low
13
Risk Management
  • Risk analysis
  • Risk reduction
  • Risk acceptance

14
Risk Analysis Methods
  • Risk Analysis
  • Threats and relevance
  • Potential for damage
  • Likelihood of exploit

15
Assets-Threat Model (1)
  • Threats compromise assets
  • Threats have a probability of occurrence and
    severity of effect
  • Assets have values
  • Assets are vulnerable to threats

Threats
Assets
16
Assets-Threat Model (2)
  • Risk expected loss from the threat against an
    asset
  • RVPS
  • R risk
  • V value of asset
  • P probability of occurrence of threat
  • V vulnerability of the asset to the threat

17
System-Failure Model
  • Estimate probability of highly undesirable events
  • Risk likelihood of undesirable outcome

Threat
Undesirable outcome
System
18
Risk Acceptance
  • Certification
  • How well the system meet the security
    requirements (technical)
  • Accreditation
  • Managements approval of automated system
    (administrative)

19
Mitigation Approach
  • Security safeguards
  • Protection
  • Assurance

20
Next Class
Cryptography The science and study of secret
writing
Write a Comment
User Comments (0)
About PowerShow.com