Integrated Site Security for Grids © Members of the ISSeG Collaboration, 2008. ISSeG Integrated Site Security.

Presentation transcript:

Slide 1: Integrated Site Security for Grids (ISSeG), EU-FP6 Project. What is a 'risk'? David Jackson, STFC. CHEP 07, Victoria BC, 4 September 2007.

Slide 2: Content
1. What is a 'risk'?
2. Is risk static?
3. Are there Grid-specific risks?
4. Emerging risks

Slide 3: What is a risk?
- A risk is the potential that some threat may use or exploit a vulnerability to compromise your site and cause you harm.
- "the potential that a given threat will exploit vulnerabilities of an asset or group of assets and thereby cause harm to the organisation. It is measured in terms of a combination of the probability of an event and its consequence." (Section 2.19, ISO/IEC :2004)

Slide 4: What is a risk?
- For a risk to exist, three things need to be present:
  - Threat
  - Vulnerability
  - An impact on an asset (or group of assets)

Slide 5: What is a risk?
- A threat is a person (or event) with the motivation and capability to cause harm to an asset (or group of assets).

Slide 6: What is a risk?
- A vulnerability is a weakness within the infrastructure or a management process that can be exploited to expose an asset (or group of assets) to possible compromise or damage.

Slide 7: What is a risk?
- The impact is the effect on your business.

Slide 8: What is a risk?
- If you remove any one of the three components of risk, you have removed the risk.

Slide 9: What is a risk?
- Example: An external attacker used a weak password to gain access to your finance system.

Slide 10: What is a risk?
- A threat is:
  - "a potential cause of an incident that may result in harm to a system or organisation." (Section 2.25, ISO/IEC :2004)
  - "a person (or event) with the motivation and capability to cause harm to an asset (or group of assets)." (Slide 5)
  - "something or someone that has the potential to cause you harm"

Slide 11: What is a risk? Example threats
- Human, deliberate: Eavesdropping, Hacking, Spam, Phishing, Theft, Social engineering
- Human, accidental: Errors, File deletion, Omissions, Accidents
- Environmental: Flood, Fire, Heating, Power

Slide 12: What is a risk? Removing a threat - Human, Deliberate
- Threats can be from individuals who have the motivation and capability to attack you. If you remove their capability to attack you (e.g. make it more difficult), you are likely to reduce the threat.
- Example: Use a firewall to restrict access to your site.

Slide 13: What is a risk? Removing a threat - Human, Accidental
- Individuals are not motivated to cause accidental damage. If you remove their capability to cause an accident (e.g. make it more difficult), you are likely to reduce the threat.
- Example: Users do not need root or administrative privilege to access the Internet.

Slide 14: What is a risk? Removing a threat - Environmental
- Environmental threats are not motivated to cause damage and are difficult to remove. It is possible to avoid some but not all such threats.
- Example: Do not build data centres in flood plains near rivers.

Slide 15: What is a risk? Removing a threat
- It is difficult to change the motivation of external attackers. Policies, guidance and training can motivate users to be less of a threat.

Slide 16: What is a risk? Removing a vulnerability
- Once you know the vulnerabilities within your site, you can remove them.
- Example: Keep IT software updated.

Slide 17: What is a risk? Reducing the impact
- Reduce the impact that the potential risk could have on your organization.
- Example: Have more than one connection to the Internet.

Slide 18: What is a risk?
- You can reduce risk down to an acceptable limit (residual risk) and then you just need to deal with it.
- Example: Have more than one connection to the Internet.

Slide 19: What is risk?

Slide 20: What is risk? So how do you implement security controls?
- Technical controls: Site implements a firewall to stop external attackers but allow academic collaboration.
- Education: Explain to users why there is a firewall (to stop attackers) and how to ask for exceptions (to allow collaboration).
- Administrative controls: The Security Policy states that Internet services must be used safely.
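As an added illustration (not ISSeG material), the following Python models the threat / vulnerability / impact definition from slides 3 to 8 and the controls of slides 12 to 18 as a small risk register: each control scales one component, and removing a component removes the risk. The scores, control names and scaling factors are constructed values for the example, not figures from the slides.

```python
# Added example (not ISSeG material): a small risk-register model of the
# threat / vulnerability / impact definition from slides 3-8 and the
# controls from slides 12-18. All scores and control factors are
# constructed illustrative values, not figures from the slides.
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str                # person or event able to cause harm (slide 5)
    vulnerability: str         # weakness that can be exploited (slide 6)
    likelihood: float          # probability the threat exploits it (0..1)
    impact: float              # effect on the business (0..10, slide 7)
    controls: tuple = ()       # names from CONTROLS applied to this risk


# Each control acts on exactly one of the three risk components, as on
# slides 12-18. The factor scales that component; 0.0 removes it, and
# removing any one component removes the risk (slide 8).
CONTROLS = {
    "firewall": ("threat", 0.5),               # slide 12: reduce attacker capability
    "no-admin-for-internet": ("threat", 0.5),  # slide 13: limit accidental damage
    "patching": ("vulnerability", 0.0),        # slide 16: remove the vulnerability
    "redundant-uplink": ("impact", 0.3),       # slide 17: reduce the impact
}


def with_controls(risk: Risk, *names: str) -> Risk:
    """Return a copy of the risk with the named controls implemented."""
    unknown = [n for n in names if n not in CONTROLS]
    if unknown:
        raise ValueError(f"unknown controls: {unknown}")
    return replace(risk, controls=risk.controls + names)


def residual_risk(risk: Risk) -> float:
    """Residual risk as probability x consequence (ISO wording on slide 3),
    after scaling each component by the controls that target it."""
    factor = {"threat": 1.0, "vulnerability": 1.0, "impact": 1.0}
    for name in risk.controls:
        component, f = CONTROLS[name]
        factor[component] *= f
    probability = risk.likelihood * factor["threat"] * factor["vulnerability"]
    consequence = risk.impact * factor["impact"]
    return round(probability * consequence, 3)


def needs_attention(risks, appetite: float) -> list:
    """One 'monitor' pass of the continuous process on slides 24-25: the
    assets whose residual risk is still above the agreed acceptable level."""
    return [r.asset for r in risks if residual_risk(r) > appetite]


# Slide 9's example risk, with constructed scores.
WEAK_PASSWORD = Risk("finance system", "external attacker", "weak password", 0.4, 8.0)
```

Patching scores the slide 9 risk at zero because it removes the vulnerability outright, while the firewall and the redundant uplink only scale the threat or the impact and leave a residual risk to accept or treat further.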

Slide 21: What is risk?
- Risk is part of everyday life
- It gives us opportunities for development
- We need to accept some level of risk; you cannot get rid of it all

Slide 22: Is risk static?
1. What is a "risk"?
2. Is risk static?
3. Are there Grid-specific risks?
4. Emerging risks

Slide 23: Is risk static? Once you know the risks, are they static?
- Administrative changes, e.g. merge with another organization OR join a Virtual Organisation
- Technical changes, e.g. new patches for PCs/Grid nodes
- Educational changes, e.g. new users

Slide 24: Is risk static?
- New opportunities for science often result in changes at your site.
- Sites should use a management process to assess any risk associated with the change. Once you know what you have, you can gauge how much risk you will accept. Commonly called "risk analysis".
(Diagram: Identify, Implement, Analyse, Monitor: a continuous process)

Slide 25: Is risk static?
- Q: Once done, are you "safe"?
- A: No. Risk is not static and evolves with time. As such, you must continually (or at least regularly) reassess how much risk you are prepared to accept.
(Diagram: Identify, Implement, Analyse, Monitor: a continuous process)

Slide 26: Is risk static?
- As a natural consequence of your activities (and life) risk levels change, giving opportunities for improvement. Some individuals and organisations accept more risk, some less. If risk is managed, it can be a positive driver for improvement. If not, it can be disruptive.
(Diagram: Identify, Implement, Analyse, Monitor: a continuous process)

Slide 27: Grid-specific risks
1. What is a "risk"?
2. Is risk static?
3. Are there Grid-specific risks?
4. Emerging risks

Slide 28: Grid-specific risks?
- Question: Are there Grid-specific risks?

Slide 29: Grid-specific risks?
- Threats: Some attackers are more motivated to attack Grid sites due to large resources.

Slide 30: Grid-specific risks?
- Threats: There is at least one new class of threat that can cause you harm, the VO (Virtual Organisation). VOs have the capacity but NO motivation to harm you.
  - VOs control their own membership. Researchers join VOs. As a site, you no longer know who is using the resources that you host for the VO.
  - Researchers can offer resources to VOs. As a site, do you know what VOs you have in your network?

Slide 31: Grid-specific risks?
- Vulnerabilities: There are new Grid-specific vulnerabilities.

Slide 32: Grid-specific risks?
- Vulnerabilities: There are new Grid-specific vulnerabilities.
  - Sites use homogeneous IT resources: break in to one site => break in to many sites; one flaw on one node = X flaws on X similar nodes.
  - Middleware: any new component of a system introduces new vulnerabilities.
  - Users and activity: the numbers of both are up. This increases the probability of a password/pass phrase compromise.

Slide 33: Grid-specific risks?
- Impact: Turning off the Grid at a site is a measure of last resort. Not impossible, just not probable.

Slide 34: Grid-specific risks
- At present, only one Grid-specific threat has been identified.
- By participating in Grid activity, you increase the probability of some risks, but they are not necessarily new risks. Increased:
  - Attractiveness of site as a target
  - Number of vulnerabilities
  - Number of users
  - Level of activity

Slide 35: Emerging risks
1. What is a "risk"?
2. Is risk static?
3. Are there Grid-specific risks?
4. Emerging risks

Slide 36: Emerging risks
- Emerging risks are new risks that are likely to arise within the next 3 years. These are in addition to the current risks.

Slide 37: Emerging risks
Current risks:
- SPAM
- Botnets
- Phishing
- Identity theft
- Route hijacking
- Instant Messaging
- Peer-to-peer systems
- Malware on Cell Phones
- Hackers in Stock Market
- Software vulnerabilities
- No protection (e.g. antivirus) in some devices
Emerging risks:
- SCADA (Supervisory Control and Data Acquisition)
- Increased home automation
- Turning home appliances on/off
- Massive collections of personal data
- Invisible data collection in public places
- Invisible data collection in private premises
- Security is more an art than a science
- DoS attack on the home telephone
- Hacking home heat and/or air-conditioning system
- Internet users are younger, less experienced and more prone to subtle attacks
- Internet users may not have strong motives to clean up their compromised computers
- Malware over multiple networks (GSM, GPRS, Internet, Bluetooth)

Slide 38: Summary
- Risk is a fact of life. Each site has to set and agree what level of residual risk it is able to accept.
- By being part of a Grid service, you are at risk from electronic attack and compromise.
- By managing your risks you improve your site security and protect yourself.

Slide 39: ISSeG resources
- ISSeG resources:
  - Training materials
  - Recommendations
  - Generic slides/resources
- All available from the web site www.isseg.eu

Slide 40: Questions

Slide 41: Copyright © Members of the ISSeG Collaboration, 2008. Members of the ISSeG Collaboration. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this material except in compliance with the License. You may obtain a copy of the License at Unless required by applicable law or agreed to in writing, Work distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.