INFO498 Information Security, Fall 2004, Lesson 1. Barbara Endicott-Popovsky.

Introductions and Overview of the Threat Spectrum

Theoretical Basis
How should we think about security?…

Security Services
  Confidentiality
  Integrity
  Availability
The required mix is ƒ(context, needs, customs, laws).

CIA Implementation
Confidentiality
  Definition:   Concealment of info & resources; hide existence of info & resources
  Tools:        Encryption; Access control
  Dependencies: Reliance on system; Assumptions & trust about reliance
Integrity
  Definition:   Trustworthiness of info & resources (authentication); correctness of data (data integrity)
  Tools:        Prevention – block attempts, unauth. actions; Detection – block attempts, unauth. actions
  Dependencies: Assumptions about source; Trust of source
Availability
  Definition:   Ability to use info & resources
  Tools:        System design; Statistical models of use
  Dependencies: Accuracy of statistical models; ID anomalies
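The availability row says the tools are statistical models of use and the dependency is the accuracy of those models. The following added example (not from the slides) shows both: a z-score detector trained on constructed per-minute request counts recognises a constructed flood, while the same detector trained on a window that already contains the flood does not.

```python
from statistics import mean, pstdev

# Constructed sample (not from the slides): per-minute request counts seen
# by a web server during a quiet period, used to train the usage model.
NORMAL_MINUTES = [100, 110, 95, 105, 98, 102, 107, 99, 103, 101]
# Constructed observation window: normal traffic, a burst resembling a
# denial-of-service flood, then a return to normal.
OBSERVED = NORMAL_MINUTES + [104, 2500, 2650, 97]


def usage_model(training):
    """Statistical model of use: mean and population std-dev of a window."""
    return mean(training), pstdev(training)


def find_anomalies(counts, model, k=3.0):
    """Return indices whose absolute z-score against the model exceeds k.

    Edge case: a zero-variance training window would make every deviation
    infinite, so any count that differs from the mean is reported instead.
    """
    mu, sigma = model
    flagged = []
    for i, c in enumerate(counts):
        if sigma == 0:
            if c != mu:
                flagged.append(i)
        elif abs(c - mu) / sigma > k:
            flagged.append(i)
    return flagged


def detect_with_clean_baseline():
    """Model trained on known-normal traffic: the burst is recognised."""
    return find_anomalies(OBSERVED, usage_model(NORMAL_MINUTES))


def detect_with_polluted_baseline():
    """Model trained on a window that already contains the flood: the flood
    inflates the std-dev and the same burst is no longer recognised, which
    is the 'accuracy of statistical models' dependency from the table."""
    return find_anomalies(OBSERVED, usage_model(OBSERVED))


if __name__ == "__main__":
    print("clean baseline flags minutes:", detect_with_clean_baseline())       # [11, 12]
    print("polluted baseline flags minutes:", detect_with_polluted_baseline())  # []
```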

Security Design
  Threats
  Vulnerabilities
  Controls
(Threats + Vulnerabilities → Controls)

Threats
Threat classes:
  Disclosure – unauthorized access to info
  Deception  – acceptance of false data
  Disruption – interruption/prevention of correct action
  Usurpation – unauthorized control of system/part of system

Threat                    Disclosure   Deception   Disruption   Usurpation
Snooping                  X
Wiretapping               X
Modification/alteration                X           X            X
Man-in-the-middle                      X           X            X
Masquerading/spoofing                  X                        X
Repudiation of origin                  X
Denial of receipt                      X
Delay                                  Supports                 X
Denial of service                      Supports                 X

Threat Spectrum

Vulnerabilities
  Software Engineering
    –Traceability of requirements
    –Design
    –Programming: buffer overflow, compilers
  Networks
    –Wi-Fi
    –Anonymity
    –Standards
  Others?

Controls
  Policies – statement of what is/what is not allowed
    –Document
    –Algorithm
    –Mathematical expression
  Mechanisms – method, tool, procedure for policy enforcement
    –Technical
    –Non-technical

Controls
  Software Engineering
    –Applying disciplines
    –Formal methods
    –Programming
    –Encryption
    –Access control
  Networks
    –Firewalls
    –IDS
    –Access control
  Others?

3 R Goals
  Resistance  – Definition: Prevention.  Tools: Firewalls; Authentication
  Recognition – Definition: Detection.   Tools: IDS's; Internal integrity checks
  Recovery    – Definition: Assess & repair; essential services continue to function.
                Tools: Incident response; SNA analysis; Active defense

Trusting Controls
  Each mechanism is designed to implement policies
  The sum total of mechanisms implements all policy aspects
  Mechanisms are implemented correctly
  Mechanisms are installed/administered correctly

Software Engineering to the Rescue! Information Assurance
  Develop detailed specifications of desired behavior
  Design conforms to specification
  Proofs that implementation produces desired behavior (procedures/maintenance)
  Requirements → Specification → Design → Implementation
  Prove each line of code?

Bottom line: You Will Never Own a Perfectly Secure System!!!

Operational View
Looking at the practical issues…

What is "Security"?
Decide what "secure" means to you, then identify the threats you care about:
  Virus
  Identity theft
  Denial of service
  Espionage
  Stolen customer data
  Modified databases
  Cyberterrorism
  Equipment theft
(Operational view)

Balance Risk vs. Cost
  Costs: solution; value of asset; potential losses
  Risks: likelihood; potential impacts

Take into Account…
  Laws and customs
  Organization issues
    –Security: a non-earning asset
    –Budget constraints
    –Responsibility vs. power
  People issues
    –Education & awareness
    –Insider abuse
    –Misuse

Current Concerns
Dynamic nature of threats…

From CSI/FBI Report
  % detected computer security breaches within the last year
  80% acknowledged financial losses
  44% were willing and/or able to quantify their financial losses. These 223 respondents reported $455M in financial losses.
  The most serious financial losses occurred through theft of proprietary information (26 respondents: $170M) and financial fraud (25 respondents: $115M).
  For the fifth year in a row, more respondents (74%) cited their Internet connection as a frequent point of attack than cited their internal systems as a frequent point of attack (33%).
  34% reported the intrusions to law enforcement. (In 1996, only 16% acknowledged reporting intrusions to law enforcement.)

More from CSI/FBI
  % detected external penetration
  40% detected denial of service attacks
  78% detected employee abuse of Internet access privileges
  85% detected computer viruses
  38% suffered unauthorized access or misuse on their Web sites within the last twelve months; 21% didn't know
  12% reported theft of transaction information
  6% reported financial fraud (only 3% in 2000)

Legislation and Regulation
Govt. requirements for better security:
  –HIPAA: Health Insurance Portability & Accountability Act
  –Sarbanes-Oxley
  –US Patriot Act
And more are coming….

Critical Infrastructure … gas and oil, telecommunications, water supply systems, emergency services, government services, electrical power systems, transportation, banking and finance.

Interdependence of Critical Infrastructure

Cyber Terrorism
  Internet Black Tigers' successful DOS attack on Sri Lankan embassy servers
  Italian sympathizers of Mexican Zapatista rebels attacked Mexican bank web pages
  Rise of "hack-tivism"
Freeh, Testimony before Senate, 2000.

Hacking Improvement (chart: x-axis TIME; plotted curves "Technical Knowledge Required" (marked High) and "Sophistication of Hacker Tools"; milestones along the timeline: Password Guessing, Password Cracking, Exploiting Known Vulnerabilities, Disabling Audits, Self-Replicating Code, Back Doors, Hijacking Sessions, Sweepers, Sniffers, Stealth Diagnostics, DDOS, Packet Forging & Spoofing, New Internet Attacks)

MALICIOUS CODE
  Backdoors
  Trojan horses
  Bacterium
  Logic bombs
  Worms
  Virus
  X Files

Warchalking, Wardriving, Warwalking
Originated in UK…
Warchalking – making a series of chalk markings showing the presence & vulnerabilities of wireless networks nearby. Ex: a circled "W" indicates a WLAN protected by Wired Equivalent Privacy (WEP).
Wardriving, Warwalking – driving/walking around with a wireless notebook looking for unsecured wireless LANs.

Threats to Personal Privacy
  Buying/selling confidential Social Security info
  Browsing IRS files
  Buying/selling bank account name lists
  E-commerce: credit card numbers, names, passwords
Sources: House Ways and Means Committee, 102nd Congress; Washington Post, S. Barr, 2 Aug; (4) Freeh, Testimony 2000.

Identity Theft
Fed Trade Com: cases listed under "recent":
  –$7M loss: credit cards stolen from Florida restaurants
  –Credit card skimmers plus driver's licenses, Florida
  –Fake Social Security & INS cards, $150-$250
  –24 aliases
  –False IDs used to secure credit cards, open mail boxes & bank accounts, fraudulently obtain federal income tax refunds, & launder the proceeds
  –Bank Employee Indicted for Stealing Depositors' Information to Apply Over the Internet for Loans