Grid Security Risks Mike Surridge

Presentation transcript:

Grid Security Risks Mike Surridge ms@it-innovation.soton.ac.uk GGF12, 20 Sep 2004, Brussels

Grid Security Risks
Connecting to Grids is a risky business
- your machine could be cracked
- your data may be intercepted or corrupted
- your credentials may be compromised
- to protect against all this may be too expensive
On the other hand
- using any computer network is risky
- using Grids can be very advantageous
How can we benefit while managing risks?

Asset-Based Security Risk Analysis
Risk Management (cycle)
- Identify and value assets
- Define risk management approach
- Identify threats and risks
- Implement defences
- Identify and cost defences

Risk Analysis
Value assets based on impact of compromise
- high: likely to cause total business failure
- med: serious but not fatal impact
- low: irritating but not serious
Threats based on likelihood of attack
- high: attacks will definitely take place
- med: attacks may occur from time to time
- low: attacks are unlikely
Analyse risks based on likelihood of success, taking account of existing defences

Risk Management
Determine appropriate response to threats
- acceptance: live with the potential consequences
- reduction: introduce defences
- avoidance: don't use the system
Leads to cost-effective security
- as much security as you need
- not more than you can afford
Application to Grids pioneered by UK STF (A. Sasse, H. Chivers, M. Surridge, etc.)

Case Study: Comb-e-Chem
National Crystallography Service
- providing access to experimental steering
- delivering data for Grid-based computations
Assets: medium or high value
- campus system and network integrity (high)
- sample tracking data (med)
- experimental result data (low/med)
Threats: high likelihood
- system attacks from outside campus (high)
- system attacks from inside campus (med)
- compromise of remote user credentials (med)
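The risk-analysis and risk-management slides above describe one procedure: value each asset by impact of compromise, rate each threat by likelihood of attack, analyse risk as likelihood of success after existing defences, then pick acceptance, reduction or avoidance. The following Python is an added worked example of that procedure run over the Comb-e-Chem ratings from this slide; it is not code from the original presentation or from the Comb-e-Chem project. The numeric scale, the product-based score banding, the rule that each existing defence lowers likelihood of success by one level, the response thresholds, and the mapping of which threat targets which asset are all assumptions made for the example (the slide only gives the ratings).

```python
"""Asset-based risk register: added illustration of the slides' qualitative
risk analysis.  Ratings for Comb-e-Chem come from the case-study slide; the
scoring matrix, defence rule, response thresholds and threat->asset mapping
are assumptions for this example."""

from dataclasses import dataclass
from typing import Dict, List

LEVELS = {"low": 1, "med": 2, "high": 3}


def level(rating: str) -> int:
    """Map a slide-style rating ('low', 'med', 'high', or a range such as
    'low/med') to 1..3, taking the higher end of a range (conservative)."""
    return max(LEVELS[part.strip()] for part in rating.split("/"))


@dataclass
class Asset:
    name: str
    value: str          # impact of compromise, as rated on the slide


@dataclass
class Threat:
    name: str
    likelihood: str     # likelihood of attack, as rated on the slide
    targets: List[str]  # assets this threat can compromise (assumption)
    defences: int = 0   # existing effective defences (assumption: each one
                        # lowers likelihood of success by one level)


def likelihood_of_success(threat: Threat) -> int:
    """'Analyse risks taking account of existing defences': each defence
    drops the likelihood one level, never below 'low'."""
    return max(LEVELS["low"], level(threat.likelihood) - threat.defences)


def risk_score(asset: Asset, threat: Threat) -> int:
    """Risk = impact of compromise x likelihood of success (1..9)."""
    return level(asset.value) * likelihood_of_success(threat)


def risk_rating(score: int) -> str:
    """Assumed banding of the 1..9 score: 1-2 low, 3-4 med, 6-9 high."""
    if score >= 6:
        return "high"
    if score >= 3:
        return "med"
    return "low"


def response_for(rating: str) -> str:
    """Risk-management response from the slide; thresholds are an assumption."""
    return {"low": "acceptance",
            "med": "reduction",
            "high": "reduction, or avoidance if defences cost more than the impact"}[rating]


def build_register(assets: List[Asset], threats: List[Threat]) -> List[Dict]:
    """Cross every threat with the assets it targets; highest risk first."""
    by_name = {a.name: a for a in assets}
    register = []
    for t in threats:
        for target in t.targets:
            score = risk_score(by_name[target], t)
            rating = risk_rating(score)
            register.append({"asset": target, "threat": t.name, "score": score,
                             "rating": rating, "response": response_for(rating)})
    return sorted(register, key=lambda r: r["score"], reverse=True)


# Ratings from the Comb-e-Chem slide; which threat reaches which asset is assumed.
COMB_E_CHEM_ASSETS = [
    Asset("campus system and network integrity", "high"),
    Asset("sample tracking data", "med"),
    Asset("experimental result data", "low/med"),
]
COMB_E_CHEM_THREATS = [
    Threat("system attacks from outside campus", "high",
           ["campus system and network integrity", "sample tracking data"]),
    Threat("system attacks from inside campus", "med",
           ["campus system and network integrity", "experimental result data"]),
    Threat("compromise of remote user credentials", "med",
           ["sample tracking data", "experimental result data"]),
]


def comb_e_chem_register() -> List[Dict]:
    """Risk register for the Comb-e-Chem case study under the assumptions above."""
    return build_register(COMB_E_CHEM_ASSETS, COMB_E_CHEM_THREATS)


if __name__ == "__main__":
    for row in comb_e_chem_register():
        print(f"{row['rating']:4} ({row['score']}) {row['threat']} -> "
              f"{row['asset']}: {row['response']}")
```

Running it lists the outside attack on campus integrity first (impact high, likelihood high); adding two effective defences to that threat (`defences=2`) brings its likelihood of success down to low and the risk to med, which is the "reduction" response in action, while the credential-compromise risks against the data assets land in the med band where reduction is expected but acceptance could be argued on cost.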

Security Threats

Case Study: GEMSS
Grid-enabled Medical Simulation Services
- for clinical and non-clinical applications
Assets: high or medium value
- hospital network and system integrity (high)
- privacy of personal data, cf. EU D 95/46 or D 2002/58 (high)
- hospital reputation (med)
Threats: high or medium likelihood
- compromise of remote systems (high)
- interception of personal data (high)
Defences:
- operate in accordance with legal constraints
- architect against too much dependency

Grid Proxies and Trust

Conclusion
Grid risks can be managed at reasonable cost
- asset-based risk assessment
- appropriate defences (sometimes risk acceptance)
Most security compromises are not Grid-specific
- systems compromised by other means
- failure to use best practice in network management
Some problems are Grid-related
- risk propagation and inter-site dependencies
Mitigation often involves
- conservative Grid architecture
- conventional defences
- response planning and user training