Basic Security Concepts

Presentation transcript:

Basic Security Concepts
- Threats and Attacks
- Computer Criminals
- Defense Techniques
- Security Planning

An Example
- School district employee uses disk with student names and SSNs in a student computer lab
- Student later removes information from the lab
- Anderson District 5 – T. L. Hanna HS
- The State, August 26, 2004
7/18/2019 CSCE 522 - Eastman - Fall 2006

Security Terminology
- Threat: potential occurrence that can have an undesired effect on the system
- Vulnerability: characteristic of the system that makes it possible for a threat to potentially occur
- Attack: action of a malicious intruder that exploits vulnerabilities of the system
- Risk: measure of the possibility of security breaches and severity of the damage
- Control: protective measure that reduces a vulnerability

Threat or Menace?
- Hackers: Threat or Menace?
- Instant Messaging: Threat or Menace?
- SUVs: Threat or Menace?
- Colons: Threat or Menace?
- Mary Worth: Threat or Menace?

Superman
- Vulnerability: Kryptonite
- Threat: Possible exposure to kryptonite
- Attack: Use of kryptonite by villain
- Control: Lead shielding

Roadkill
- Vulnerability: Animals on road
- Threat: Possible collision with animal
- Attack: Unwise road crossing by animal
- Control: Various

Assessment of Risk
- Probability of Collision
  - Species of animal
  - Location
  - Time and date
- Damage to car/occupants
  - Minor or none
  - Total destruction/death
- Damage to animal
  - Minor scratches
  - Death

Different Animals
- Moose
  - Possible high damage to car/occupants
  - Low probability in South Carolina
- Deer
  - High probability in South Carolina
- Frog
  - Little or no damage to car/occupants

Possible Controls for Deer
- Defensive driving
- Knowledge of deer behavior
- Deer crossing signs
- Fences
- Diversionary feeding areas
- Expanded hunting seasons
- Roadside reflectors
- Whistles and other noisemakers
- Deer activated flashing lights

And Now ... Back to Computer Security

Sources of Threats
- Errors of users
- Dishonest insider
- Disgruntled insider
- Outsiders
- Natural disasters
- Computer system failure

Types of Threats
- Disclosure threat – dissemination of unauthorized information
- Alteration threat – incorrect modification of information
- Denial of service threat – access to a system resource is blocked

Impact of Attack: What?
- Interruption – an asset is destroyed, unavailable or unusable (availability)
- Interception – unauthorized party gains access to an asset (confidentiality)
- Modification – unauthorized party tampers with asset (integrity)
- Fabrication – unauthorized party inserts counterfeit object into the system (integrity)

Methods of Attack: How?
- Passive attacks:
  - Eavesdropping
  - Monitoring
- Active attacks:
  - Masquerade – one entity pretends to be a different entity
  - Replay – passive capture of information and its retransmission
  - Modification of messages – legitimate message is altered
  - Denial of service – prevents normal use of resources

Computer Crime
- Any crime that involves computers or is aided by the use of computers
- U.S. Federal Bureau of Investigation: reports uniform crime statistics

Computer Criminals
- Amateurs: regular users, who exploit the vulnerabilities of the computer system
  - Motivation: easy access to vulnerable resources
- Crackers: attempt to access computing facilities for which they do not have the authorization
  - Motivation: enjoy challenge, curiosity
- Career criminals: professionals who understand the computer system and its vulnerabilities
  - Motivation: personal gain (e.g., financial)

Methods of Defense
- Prevent: block attack
- Deter: make the attack harder
- Deflect: make other targets more attractive
- Detect: identify misuse
- Tolerate: function under attack
- Recover: restore to correct state

Information Security Planning
- Organization analysis
- Risk management
- Mitigation approaches and their costs
- Security policy
- Implementation and testing
- Security training and awareness

System Security Engineering
(Diagram; box labels: Specify System Architecture; Identify and Install Safeguards; Threats, Attacks, Vulnerabilities??; Prioritize Vulnerabilities; Estimate Risk; Risk is acceptably low)

Risk Management
- Risk analysis
- Risk avoidance
- Risk mitigation
- Risk acceptance
- Risk transference

Risk Analysis Methods
- Risk Analysis
- Threats and relevance
- Potential for damage
- Likelihood of exploit

Assets-Threat Model
- Threats compromise assets
- Threats have a probability of occurrence and severity of effect
- Assets have values
- Assets are vulnerable to threats
(Diagram; labels: Threats, Assets)

Computing Risks
- Risk: expected loss from the threat against an asset
- ALE = AV*EF*ARO
  - ALE – annualized loss expectancy
  - AV – value of asset
  - EF – exposure factor (fraction lost)
  - ARO – annualized rate of occurrence

A Simple Example
- Threat: Power surge
- Vulnerability: Power supply
- AV – computer valued at $1,000
- EF – 10% loss if power surge
- SLE – $100 (AV*EF)
- ARO – 2 (twice a year)
- ALE – $200 (SLE*ARO)

Cost/Benefit Analysis
- Benefit = (ALE * Life) - Cost
- Assume
  - Surge protector costs $25
  - Surge protector lasts 5 years
  - ALE = $200
- Benefit = ($200 * 5) - $25 = $975
- Buy the surge protector!!!
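
The ALE and cost/benefit arithmetic from the two slides above, as an added Python example (not part of the original slides). It goes beyond the slide formula by adding an effectiveness factor for a control that removes only part of the ALE, which is an assumption here; the Control fields, the function names and the UPS price are constructed for illustration.

```python
from dataclasses import dataclass
from fractions import Fraction

@dataclass(frozen=True)
class Risk:
    threat: str
    av: int          # AV: asset value in dollars
    ef: Fraction     # EF: fraction of AV lost per occurrence
    aro: Fraction    # ARO: expected occurrences per year

    @property
    def sle(self) -> Fraction:
        return self.av * self.ef          # SLE = AV * EF

    @property
    def ale(self) -> Fraction:
        return self.sle * self.aro        # ALE = SLE * ARO = AV * EF * ARO

@dataclass(frozen=True)
class Control:
    name: str
    cost: int                              # purchase cost in dollars
    life_years: int
    effectiveness: Fraction = Fraction(1)  # share of ALE removed (assumption)

def net_benefit(risk: Risk, control: Control) -> Fraction:
    """(ALE avoided * Life) - Cost; effectiveness 1 is the slide's formula."""
    return risk.ale * control.effectiveness * control.life_years - control.cost

def break_even_effectiveness(risk: Risk, control: Control) -> Fraction:
    """Smallest share of ALE the control must remove to pay for itself."""
    return Fraction(control.cost) / (risk.ale * control.life_years)

def rank_controls(risk, controls):
    """(name, net benefit) pairs, best first."""
    return sorted(((c.name, net_benefit(risk, c)) for c in controls),
                  key=lambda pair: pair[1], reverse=True)

# Figures from the slides: $1,000 computer, 10% loss per surge, two surges a year.
SURGE = Risk("power surge", av=1000, ef=Fraction(1, 10), aro=Fraction(2))
PROTECTOR = Control("surge protector", cost=25, life_years=5)
# Constructed alternative for comparison; the price is not from the slides.
UPS = Control("UPS (constructed)", cost=1200, life_years=5)

if __name__ == "__main__":
    for name, benefit in rank_controls(SURGE, [UPS, PROTECTOR]):
        print(f"{name}: net benefit ${float(benefit):,.2f}")
    print(f"break-even effectiveness: {float(break_even_effectiveness(SURGE, PROTECTOR)):.1%}")
```

With the slide's figures the surge protector still pays for itself if it prevents as little as 2.5% of the expected loss, while the constructed $1,200 alternative has a negative net benefit over the same five years.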

System-Failure Model
- Estimate probability of highly undesirable events
- Risk: likelihood of undesirable outcome
(Diagram; labels: Threat, Undesirable outcome, System)

Risk Acceptance
- Certification
  - How well the system meets the security requirements (technical)
- Accreditation
  - Management’s approval of automated system (administrative)

Mitigation Approach
- Security safeguards
- Protection
- Assurance

Next Class
- Access Control Methodologies
- Who? What? When? How?