Distance Education Team 2 Security Architectures and Analysis.

Presentation transcript:

Distance Education Team 2 Security Architectures and Analysis

Distance Education Team Members
- Chris Rush – Team Leader, Step 1
- Mike Gazdus – A/V Expert, Step 1
- Ron Banerjee – Tech Analyst, Step 2
- Russ Griffith – Tech Analyst, Step 2
- Scott Currie – Scribe, Step 3
- Chris Ameter – Tech Analyst, Step 3
- Jack Pickett – Tech Analyst, Step 3
- Raman Rangswamy – Tech Analyst, Step 4
- Ayman Lugman – Tech Analyst, Step 4

Topics for Discussion
Step 1 Recap
- DE User Categories
- DE Architecture
Step 2 Recap
- Essential Services and Assets
- Essential Scenarios Trace
- Essential Components
Step 3 Goals
- Relevant Attacker Profiles
- Likely Levels of Attack
- Representative Attack Scenarios
- Identify Compromisable Components
Step 4 Next

Step 1 Recap
DE Organization Mission
“To offer the same high quality MSE courses currently available to resident students, through the use of on-line, Computer Based Training (CBT), and two-way audio two-way video through Distance Education”.
Mel Rosso-Llopart, Director, Distance Education

DE User Categories
- Student
- Admin Staff
- Technical Support Staff
- Web Support Staff
- Director & Associate Director

DE Architecture
[Architecture diagram. Components: Admin DB (Oracle), Product DB (MySQL), Web App (Perl Scripts), Apache Server, DE Student Client (browser), DE Admin Client (Win32), Admin App (VB), Admin Server (Win NT), Product Server (Linux). Users: Tech Support, Admin Staff, Student, Web Support, Director & Assoc Director.]

Step 2 Recap
- Essential services and assets
- Essential scenarios trace
- Essential components

Essential Services & Assets
Essential Services:
- Tech support updates MySQL database
- Student access to web application
- Web support (Courseware specialist) perform maintenance on web applications
Essential Assets:
- Student data
- Web contents: Calendars, Class assignments, Files, Assigned readings

Essential Scenarios Trace
[Architecture diagram with the same components and users as the DE Architecture slide.]

Essential Components
- MySQL database
- Web Application
- Apache Server
- Product Server

Step 3 Goals
Attacker Profiles
- Internal Threat
- External Threat
Levels of Attack
- “Target of opportunity”
- “Intermediate”
- “Sophisticated”

Step 3 Goals Cont.
Describe intrusion scenarios
- steps in attacker usage scenarios
Identify compromisable components
- parts of architecture accessible by intrusion scenarios

General Attacker Profiles
Recreational Hacker
- Current/Past Students
- Current/Past Admin & Support Staff
- External Hacker
Disgruntled Employee / User
- Current/Past Students
- Current/Past Admin & Support Staff
Activist
- Not Likely
Industrial Spy
- Not Likely
Nation State
- Not Likely

Attacker Attributes

Recreational Hacker - External (i.e. Script Kiddie)
- Resources: Range, but generally limited.
- Time: Lots of time, very patient.
- Tools: Generally available scripts and tools.
- Risk: Little knowledge of potential risks. Likely to be risk averse.
- Access: External web access.
- Objectives: Fun, status.

Disgruntled Employee/User - Current or past Admin & Support staff; Current or past students
- Resources: Moderate. CS students, and skilled support staff.
- Time: Varies, but generally cannot devote long hours.
- Tools: Existing access, knowledge of programming and system architecture.
- Risk: Likely to be risk averse. Jobs and/or enrollment status at risk.
- Access: Internal, or external with a knowledge of internal network structure.
- Objectives: Payback, revenge, havoc, chaos. Theft of financial info.

Activists: Not Likely
Industrial Spy: Not Likely
Nation State: Not Likely

Attack Patterns
User Access
- Current Student Privilege Escalation
- Current Access to Damage the Database
- External Attacker Gaining Account Level Access Through a Remote Exploit
Component Access
- Port Flood / DOS Attack
Application Content
- PERL Script Exploits
- Buffer Overflows
- OS / Application Vulnerabilities

Potential Attacker Profiles
Internal Threat – Existing DE Student
- Privilege Escalation
- Modification of registration/payment info
Internal Threat – Administrators/Student Support
- Read/Write Access to DBs
- Accidental/Intentional DB Corruption
- Theft of Financial Information
- Co-opt System resources (game/file server, DDOS)
External Attacker
- Vandalism
- Theft of course material
- Theft of student financial information
- DDOS Platform

Levels of Attack
Target of Opportunity
- External Attacker – Script Kiddie
Intermediate
- Existing Student
- Admin/Support Staff
- External Attacker
Sophisticated
- Existing Student
- Admin/Support Staff
- External Attacker


Attack Scenarios: Privilege Escalation
[Architecture diagram with the same components and users as the DE Architecture slide.]


Attack Scenarios: Theft of Financial Information
[Architecture diagram with the same components and users as the DE Architecture slide.]


Attack Scenarios: DDOS Platform
[Architecture diagram with the same components and users as the DE Architecture slide. Additional labels: Attacker, DDOS Application.]

Compromisable Components
Admin Server
- Possible DDOS platform
- DB Contains Student Financial Info.
Production Server
- Web Server
- No encrypted Authentication
- Password Lists in DB

Compromisable Components
[Architecture diagram with the same components and users as the DE Architecture slide.]

What’s Next
Step 4
- Identify “softspots”
- Existing Mitigation Strategies
- Recommended Mitigation Strategies
- Survivability Map & Suggested Changes
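An added worked example, not part of the original deck: it traces the deck's three attack scenarios over the DE components to list compromisable components (Step 3), then intersects them with the Step 2 essential components to get Step 4 softspots, using the SNA method's definition of a softspot as a component that is both essential and compromisable. The links between components, the hosting map and each scenario's entry point are assumptions, since the transcript lists the components but not how the diagram connected them.

```python
from collections import deque

# Components named on the slides. The links between them are NOT in the
# transcript (the diagram did not survive), so FLOWS and HOST are assumptions.
FLOWS = {
    "DE Student Client": ["Apache Server"],
    "Apache Server": ["Web App"],
    "Web App": ["Product DB"],
    "DE Admin Client": ["Admin App"],
    "Admin App": ["Admin DB"],
}
HOST = {  # component -> server it runs on (assumed)
    "Apache Server": "Product Server",
    "Web App": "Product Server",
    "Product DB": "Product Server",
    "Admin DB": "Admin Server",
}
# Step 2 result, taken from the "Essential Components" slide.
ESSENTIAL = {"Product DB", "Web App", "Apache Server", "Product Server"}
# Step 3 scenarios from the deck; the entry point of each is an assumption.
SCENARIOS = {
    "Privilege Escalation": "DE Student Client",
    "Theft of Financial Information": "DE Admin Client",
    "DDOS Platform": "Admin Server",
}

def reachable(entry):
    """Components an intrusion starting at `entry` can touch, plus their hosts."""
    seen, queue = {entry}, deque([entry])
    while queue:
        node = queue.popleft()
        for nxt in FLOWS.get(node, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen | {HOST[c] for c in seen if c in HOST}

def compromisable():
    """Map each component to the sorted scenarios that reach it (Step 3)."""
    hits = {}
    for name, entry in SCENARIOS.items():
        for comp in reachable(entry):
            hits.setdefault(comp, []).append(name)
    return {comp: sorted(names) for comp, names in hits.items()}

def softspots():
    """Step 4 input: components both essential and compromisable."""
    hits = compromisable()
    return {comp: hits[comp] for comp in sorted(ESSENTIAL & hits.keys())}

if __name__ == "__main__":
    for comp, names in softspots().items():
        print(f"{comp}: {', '.join(names)}")
```

Under these assumptions the Admin Server is compromisable by two scenarios but is not a softspot, because the deck's Step 2 list does not mark it essential; changing ESSENTIAL or FLOWS to match the real diagram changes the result.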

Conclusion
- Reviewed the DE Architecture
- Reviewed the user categories
- Reviewed the architecture
- Reviewed the essential services and assets
- Reviewed the essential usage scenarios
- Reviewed the essential components
- Discussed Relevant Attacker Profiles
- Discussed Likely Levels of Attack
- Discussed Possible Attack Scenarios
- Identified Compromisable Components
- Briefly showed where we are going next.

Questions?