CIT 380: Securing Computer Systems Security Solutions.

Slides:



Advertisements
Similar presentations
The Whole/Hole of Security A Consultants Perspective August 25, 2004 Potomac Consulting Group Don Philmlee, CISSP.
Advertisements

Chapter 1 We’ve Got Problems…. Four Horsemen  … of the electronic apocalypse  Spam --- unsolicited bulk o Over 70% of traffic  Bugs ---
September 10, 2012Introduction to Computer Security ©2004 Matt Bishop Slide #1-1 Chapter 1: Introduction Components of computer security Threats Policies.
Security and Trust in E- Commerce. The E-commerce Security Environment: The Scope of the Problem  Overall size of cybercrime unclear; amount of losses.
1 Computer Security Instructor: Dr. Bo Sun. 2 Course Objectives Understand basic issues, concepts, principles, and mechanisms in computer network security.
Chap 1: Overview Concepts of CIA: confidentiality, integrity, and availability Confidentiality: concealment of information –The need arises from sensitive.
Reflections on Trusting Trust Ken Thompson. Communication of the ACM, Vol. 27, No. 8, August 1984, pp Copyright 1984, Association for Computing.
11 ASSESSING THE NEED FOR SECURITY Chapter 1. Chapter 1: Assessing the Need for Security2 ASSESSING THE NEED FOR SECURITY  Security design concepts 
Web Defacement Anh Nguyen May 6 th, Organization Introduction How Hackers Deface Web Pages Solutions to Web Defacement Conclusions 2.
1 Overview CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute March 8, 2004.
CIT 380: Securing Computer SystemsSlide #1 CIT 380: Securing Computer Systems Policies.
Lecture 2 Page 1 CS 236, Spring 2008 Security Principles and Policies CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Spring, 2008.
Bruce Schneier Lanette Dowell November 25, Introduction  “It is insufficient to protect ourselves with laws; we need to protect ourselves with.
1 An Overview of Computer Security computer security.
Security: Attacks. 2 Trojan Horse Malicious program disguised as an innocent one –Could modify/delete user’s file, send important info to cracker, etc.
Chapter 1: Introduction Components of computer security Threats Policies and mechanisms The role of trust Assurance Operational Issues Human Issues Computer.
1 Emulab Security. 2 Current Security Model Threat model: No malicious authenticated users, Bad Guys are all “outside” –Protect against accidents on the.
Introducing Computer and Network Security
8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.
Chapter 1 Introduction. Art of War  If you know the enemy and know yourself, you need not fear the result of a hundred battles.  If you know yourself.
Copyright © 2002 Pearson Education, Inc. Slide 5-1 PERTEMUAN 8.
July 1, 2004Computer Security: Art and Science © Matt Bishop Slide #1-1 Chapter 1: Introduction Components of computer security Threats Policies.
Enterprise Resource Planning ERP Systems
April 1, 2004ECS 235Slide #1 Chapter 1: Introduction Components of computer security Threats Policies and mechanisms The role of trust Assurance Operational.
Risk Management Vs Risk avoidance William Gillette.
IT Security Readings A summary of Management's Role in Information Security in a Cyber Economy and The Myth of Secure Computing.
Alter – Information Systems 4th ed. © 2002 Prentice Hall 1 E-Business Security.
Chapter Nine Maintaining a Computer Part III: Malware.
Threat Modeling for Cloud Computing (some slides are borrowed from Dr. Ragib Hasan) Keke Chen 1.
The Purchasing Function
SEC835 Database and Web application security Information Security Architecture.
G53SEC Computer Security Introduction to G53SEC 1.
Information Systems Security Computer System Life Cycle Security.
Windows 2000 Security Policies & Practices: How to build your plan Mandy Andress, CISSP President ArcSec Technologies.
1 Chapter 9 E- Security. Main security risks 2 (a) Transaction or credit card details stolen in transit. (b) Customer’s credit card details stolen from.
Information Security Rabie A. Ramadan GUC, Cairo Room C Lecture 2.
Computer Security “Measures and controls that ensure confidentiality, integrity, and availability of IS assets including hardware, software, firmware,
1 Precise Enforcement of Policies After we have a policy, is there always a mechanism to enforce it? If so, can we devise a generic procedure for developing.
Sample Security Model. Security Model Secure: Identity management & Authentication Filtering and Stateful Inspection Encryption and VPN’s Monitor: Intrusion.
ISO17799 Maturity. Confidentiality Confidentiality relates to the protection of sensitive data from unauthorized use and distribution. Examples include:
IT Staffing Solutions Presented by MicroAge May 22, 2008.
CSC 682: Advanced Computer SecuritySlide #1 CSC 682: Advanced Computer Security Introduction.
Chapter 1 Overview The NIST Computer Security Handbook defines the term Computer Security as:
Understanding Computer Viruses: What They Can Do, Why People Write Them and How to Defend Against Them Computer Hardware and Software Maintenance.
Lecture slides prepared for “Computer Security: Principles and Practice”, 3/e, by William Stallings and Lawrie Brown, Chapter 1 “Overview”. © 2016 Pearson.
Policies CIT 380: Securing Computer SystemsSlide #1.
The IT Vendor: HIPAA Security Savior for Smaller Health Plans?
Csci5233 computer security & integrity 1 An Overview of Computer Security.
CIT 380: Securing Computer Systems Security Solutions Part 2.
The Digital Crime Scene: A Software Perspective Written By: David Aucsmith Presented By: Maria Baron.
CIT 380: Securing Computer SystemsSlide #1 CIT 380 Securing Computer Systems Threats.
Information Security Governance and Risk Chapter 2 Part 2 Pages 69 to 100.
CIT 380: Securing Computer SystemsSlide #1 CIT 380: Securing Computer Systems Introduction.
Basic Security Concepts University of Sunderland CIT304 Harry R Erwin, PhD.
1 Computer Security Instructor: Dr. Bo Sun. 2 Course Objectives Understand basic issues, concepts, principles, and mechanisms in computer network security.
July 1, 2004Computer Security: Art and Science © Matt Bishop Slide #1-1 Chapter 1: Introduction Components of computer security Threats Policies.
November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #1-1 Chapter 1: Introduction Components of computer security Threats Policies.
Current risk and compliance priorities for law firms PETER SCOTT CONSULTING.
Risk Assessment and Risk Management James Taylor COSC 316 Spring 2008.
BASIC SECURITY THREATS TO INFORMATION SYSTEMS. All information systems linked up in networks are prone to security violations. All information systems.
Chapter 8 : Management of Security Lecture #1-Week 13 Dr.Khalid Dr. Mohannad Information Security CIT 460 Information Security Dr.Khalid Dr. Mohannad 1.
Advanced System Security Dr. Wayne Summers Department of Computer Science Columbus State University
Dr. Gerry Firmansyah CID Business Continuity and Disaster Recovery Planning for IT (W-XIV)
CIT 480: Securing Computer Systems
CSC 482/582: Computer Security
Securing Network Servers
CSC 482/582: Computer Security
Chapter 1: Introduction
Chapter 7 – and 8 pp 155 – 202 of Web security by Lincoln D. Stein
Security Principles and Policies CS 236 On-Line MS Program Networks and Systems Security Peter Reiher.
Presentation transcript:

CIT 380: Securing Computer Systems Security Solutions

Threat: Your Adversaries Youthful attackers Organized crime Terrorists Governments The competition Hacktivists Hired guns

Threat: Your Adversaries Disgruntled employees Clueless employees Customers Suppliers Vendors Business partners Contracts, temps, consultants

Threat Perspective “However, just as you don’t want to underestimate the threats that you face, neither do you want to overestimate them.” Counter Hack Reloaded page 10

Threat Assessment “You must sit down and carefully evaluate which threats would be motivated to go after your organization, tally the tangible and intangible value of the assets you have to protect, and then deploy security commensurate with the threat and the value of your systems and information.” Counter Hack Reloaded page 11

CIT 380: Securing Computer Systems Slide #6 How to evaluate security solutions? 1.What assets are you trying to protect? 2.What are the risks to those assets? 3.How well does the security solution mitigate those risks? 4.What other risks does the security solution cause? 5.What costs and trade-offs does the security solution impose?

CIT 380: Securing Computer Systems Slide #7 Aspects of Risks To evaluate a risk, we need to evaluate both: – Probability of risk occurring. – Cost incurred by risk if it occurs. Minimize product of probability and cost.

Aspects of Risks Risks are impacted by environment. – Building a house in a flood plain incurs additional risks beyond that of house itself. – Similarly, installation and configuration options impact risk of software systems. CIT 380: Securing Computer Systems Slide #8

CIT 380: Securing Computer Systems Slide #9 Security is a matter of Trade-offs Security is only one of many system goals: Functionality Ease of Use Efficiency Time to market Cost Security

CIT 380: Securing Computer Systems Slide #10 Cost-Benefit Analysis Is it cheaper to prevent violation or recover? – Cost of good network security: Money, time, reduced functionality, annoyed users. Large and ongoing. – Risks of bad network security: Angry customers, bad press, network downtime. Small and temporary.

CIT 380: Securing Computer Systems Slide #11 Airport Security Let’s consider the issue of airport security again from the standpoint of what we’ve learned. Develop a solution, keeping the 5 questions in mind:

Airport Security 1.What assets are you trying to protect? 2.What are the risks to those assets? 3.How well does the security solution mitigate those risks? 4.What other risks does the security solution cause? 5.What costs and trade-offs does the security solution impose? CIT 380: Securing Computer Systems Slide #12

CIT 380: Securing Computer Systems Slide #13 Human Issues: People Problems Social engineering – Kevin Mitnick testified before Congress “I was so successful in that line of attack that I rarely had to resort to a technical attack.” Circumvention – Users write down passwords, leave screens unlocked. Insider attacks

CIT 380: Securing Computer Systems Slide #14 Human Issues: Organizations Low priority – Security costs, but doesn’t produce income. – Lack of liability reduces costs of bad security. Variable impact – Cost of security violation highly variable. – Insurance converts variable risk to fixed cost, but risk too variable for much involvement so far.

Human Issues: Organizations Power and responsibility – Personnel responsible for security often don’t have power to enforce security. CIT 380: Securing Computer Systems Slide #15

CIT 380: Securing Computer Systems Slide #16 Security: Laws and Customs Are desired security measures illegal? – cryptography export before 2000 – is it legal to monitor security breakins? – international commerce Will users circumvent them? – writing down passwords – removing file ACLs

CIT 380: Securing Computer Systems Slide #17 Security Liability Product liability: – Tires: Continental recalled Ford SUV tires in 2002 due to wire and vibration problems. – Software: Manufacturer not liable for security flaws. Since Microsoft isn’t liable for Windows security failures, why would they want to sacrifice money, time, functionality, and ease of use for security?

CIT 380: Securing Computer Systems Slide #18 Assumptions Security rests on assumptions specific to type of security required and environment.

Assumptions Example: – TCP/IP designed for pre-commercial Internet. Assumed only legitimate administrators had root access. Trusted IP addresses, since only root can set IP address. What happens to network when Windows 95 systems added to network, where desktop user has all privileges? CIT 380: Securing Computer Systems Slide #19

CIT 380: Securing Computer Systems Slide #20 Assurance How much can you trust a system? Example: – Purchasing aspirin from a drugstore. – Bases for trust: Certification of drug by FDA. Reputation of manufacturer. Safety seal on bottle.

CIT 380: Securing Computer Systems Slide #21 How much do you trust? Ken Thompson’s compiler hack from “Reflections on Trusting Trust.” – Modified C compiler does two things: If compiling a compiler, inserts the self-replicating code into the executable of the new compiler. If compiling login, inserts code to allow a backdoor password.

How much do you trust? – After recompiling and installing old C compiler: Source code for Trojan horse does not appear anywhere in login or C compiler. Only method of finding Trojan is analyzing binary. CIT 380: Securing Computer Systems Slide #22

CIT 380: Securing Computer Systems Slide #23 Key Points Components of security – Confidentiality – Integrity – Availability States of information – Storage, Processing, Transmission Evaluating risk and security solutions. – Security is a matter of trade-offs. Security is a human problem.

Discussion: Gas Drive Away Without Paying What measures can be imposed? What are the costs for the merchant and the customer? Do the benefits outweigh the costs?

CIT 380: Securing Computer Systems Slide #25 References 1.Ross Anderson, Security Engineering, Wiley, Matt Bishop, Introduction to Computer Security, Addison-Wesley, Peter Neumann, (moderator), Risks Digest, 4.Bruce Schneier, Beyond Fear, Copernicus Books, Ken Thompson, “Reflections on Trusting Trust”, Communication of the ACM, Vol. 27, No. 8, August 1984, pp (

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.