By Hafez Barghouthi

Agenda Today
Attack. Security policy. Measuring security. Standards. Assets. Vulnerability. Threat. Risk and risk mitigation.

Attack
A basic definition: exploiting a vulnerability in a system, or attaching a specific threat to a vulnerability. There are many scenarios: social engineering, identity theft, denial of service, and countless others.

Classifications and Motivations
Organized crime, to gain money. Terrorists (critical infrastructure). Governments (inside and outside). The competition (commercial). Hacktivists: this class of attackers tries to break into your systems to make a political point or to demonstrate regarding social issues. For fun. Attacker skill levels: from script kiddies to the elite.

Main Objectives for Management
Security policy. Security awareness should be organized: why security is important for them and for the organization; what is expected from each member; which good practices they should follow; comply with the rules rather than looking for a workaround (Adams and Sasse, 1999). Of course, a secretary is different from a developer.

Security Policy
A statement of intent to protect an identified resource from unauthorized use. Organizational level (organizational security policy): the laws, rules and practices that regulate how an organization manages, protects and distributes resources to achieve the security aspects (CIA). Technical level (automated security policy): how this will be achieved using the computer system: access controls, firewalls, security protocols, etc.

Measuring Security
We are searching for something quantitative, not qualitative (or are we?). "The security level is good"? "Security is 99%" (from 1000 employees, 10 attackers)? "The product is 100% secure" (definitely you are a liar ;-)), but it can still be deployed in an insecure manner (default password). Then how? Actually, there is no simple answer.

Ways
Number of bugs (statistical approach). Software security: product surface (number of interfaces), dangerous instructions. Is 1 bug better than 50 bugs? Again, quality or what? ("It is good, believe me, I swear.") Number of accounts with weak passwords (system). Number of open ports or node connectivity (network). Good measurements or not?

Another Way (Attack Point of View)
The time an attacker has to invest. The expenses (how many computers are needed to calculate). The knowledge necessary to conduct an attack. The cost of discovering an attack for the first time >> the cost of mounting the attack (war games). Asset measurement drives us to risk and threat analysis. Lost? So search for a standard.

Standard (ISO 17799) - 1
Security policy. Infrastructure. Asset classification. Physical and environmental security. Personnel security (new employees, backgrounds, keys). Day-to-day management: communications and operations. Access control, remote access. Development and system maintenance.

Standard (ISO 17799) - 2
Business continuity planning. Compliance with outside requirements.

Risk Analysis
The possibility that an attack causes damage to your enterprise. Risk = Assets × Threats × Vulnerabilities. To obtain quantitative values, they are taken from the mathematical domain (asset replacement cost, probability of a threat). Qualitative: we will mention some principles later.

Assets
Hardware. Software. Data and information. Reputation. Money + customers + competition (how long you will survive). Much better to sell potatoes.

Vulnerabilities
Accounts with privileges where the default password for "Manager" has not been changed. Programs with known flaws or unnecessary privileges. Weak access control. Weak firewall configurations. How critical is it? (admin vs. guest). Scanners or risk analysis tools.

Threats
An action by an attacker who tries to exploit vulnerabilities to damage the assets. Spoofing identity. Tampering with data. Gaining a privilege. Denial of service. Repudiation. Disclosure. (Howard and LeBlanc, 2002).

Attack Tree
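The attack tree slide carries no content in the transcript, so here is an added example (not from the slides) that scores a small attack tree with the attacker-cost metric of the "Another Way" slide: each leaf carries one constructed effort number standing for time, expenses and knowledge, OR nodes take the cheapest child, AND nodes add up their children, and raising the cost of one leaf (a countermeasure such as changing the default "Manager" password) shows where the cheapest path moves. Node names, tree shape and cost values are all constructed.

```python
# Added example, not from the slides: an attack tree scored by attacker effort.
# OR nodes take the cheapest child; AND nodes need every child, so costs add.
from dataclasses import dataclass, field
from typing import List


@dataclass
class Node:
    name: str
    kind: str = "leaf"              # "leaf", "or" or "and"
    cost: float = 0.0               # attacker effort for a leaf (constructed units)
    children: List["Node"] = field(default_factory=list)


def min_cost(node: Node) -> float:
    """Cheapest attacker effort that achieves this node's goal."""
    if node.kind == "leaf":
        return node.cost
    costs = [min_cost(c) for c in node.children]
    return sum(costs) if node.kind == "and" else min(costs)


def cheapest_path(node: Node) -> List[str]:
    """Leaf names the cheapest attack uses; a countermeasure pays most here."""
    if node.kind == "leaf":
        return [node.name]
    if node.kind == "and":
        return [leaf for c in node.children for leaf in cheapest_path(c)]
    return cheapest_path(min(node.children, key=min_cost))


def set_leaf_cost(node: Node, leaf_name: str, cost: float) -> bool:
    """Model a countermeasure by raising one leaf's effort; True if the leaf exists."""
    if node.kind == "leaf":
        if node.name != leaf_name:
            return False
        node.cost = cost
        return True
    return any(set_leaf_cost(c, leaf_name, cost) for c in node.children)


def build_tree() -> Node:
    """Constructed tree assembled from the vulnerabilities the slides list."""
    return Node("Read customer data", "or", children=[
        Node("Log in with unchanged default 'Manager' password", cost=1),
        Node("Social engineering route", "and", children=[
            Node("Employee reveals a password to a caller", cost=5),
            Node("Reach the internal host through a weak firewall rule", cost=3),
        ]),
        Node("Exploit a known flaw in an exposed program", cost=20),
    ])
```

With the constructed costs the cheapest path is the unchanged default password (effort 1); after that leaf is raised to 60 by changing the password, the cheapest path becomes the two-step social engineering route (effort 8), which is the next countermeasure to plan.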

Risk (Quantitative vs. Qualitative) - 1
Quantitative: value of the asset, criticality of the vulnerability, likelihood of threats. In other words: statistics and data mining.

Risk (Quantitative vs. Qualitative) - 2
Qualitative: scale of the asset (very important, important, not important); criticality of the vulnerability (fix soon, should be fixed, fix if convenient); likelihood of threats (very likely, likely, not likely), e.g. a numerical scale from 1 to 10, with guidance on how to assign a rating, as in war games.
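As an added example that is not from the slides, the two scoring approaches of the Risk Analysis and the two Quantitative vs. Qualitative slides in code: quantitative_risk multiplies measured values (replacement cost, threat probability, exposed fraction), qualitative_risk multiplies the word ratings after mapping them onto the 1 to 10 scale, and rank_findings orders constructed findings taken from the Vulnerabilities slide. The scale numbers and the sample findings are constructed assumptions, not values from the lecture.

```python
# Added example, not from the slides: Risk = Assets x Threats x Vulnerabilities,
# once with measured values and once with the qualitative 1-10 ratings.
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Word ratings from the slides mapped onto the 1-10 scale (constructed values).
ASSET_SCALE: Dict[str, int] = {"very important": 10, "important": 6, "not important": 2}
VULN_SCALE: Dict[str, int] = {"fix soon": 10, "should be fixed": 6, "fix if convenient": 2}
THREAT_SCALE: Dict[str, int] = {"very likely": 10, "likely": 6, "not likely": 2}


def quantitative_risk(asset_value: float, threat_probability: float,
                      exposure: float) -> float:
    """Expected loss: replacement value x annual threat probability x
    fraction of the asset the vulnerability exposes (all constructed inputs)."""
    if not 0.0 <= threat_probability <= 1.0 or not 0.0 <= exposure <= 1.0:
        raise ValueError("probability and exposure must be fractions in [0, 1]")
    return asset_value * threat_probability * exposure


def qualitative_risk(asset: str, vulnerability: str, threat: str) -> int:
    """Score between 8 and 1000 from the three word ratings; KeyError on an unknown rating."""
    return ASSET_SCALE[asset] * VULN_SCALE[vulnerability] * THREAT_SCALE[threat]


@dataclass
class Finding:
    title: str
    asset: str          # very important / important / not important
    vulnerability: str  # fix soon / should be fixed / fix if convenient
    threat: str         # very likely / likely / not likely


# Constructed findings built from the vulnerabilities the slides mention.
SAMPLE_FINDINGS: List[Finding] = [
    Finding("Default 'Manager' password on customer database", "very important", "fix soon", "very likely"),
    Finding("Unnecessary privileges on build server", "important", "should be fixed", "likely"),
    Finding("Open port on a test node", "not important", "fix if convenient", "not likely"),
]


def rank_findings(findings: List[Finding]) -> List[Tuple[str, int]]:
    """Highest qualitative risk first: the order in which countermeasures should follow."""
    scored = [(f.title, qualitative_risk(f.asset, f.vulnerability, f.threat)) for f in findings]
    return sorted(scored, key=lambda item: item[1], reverse=True)
```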

Countermeasures
Risk analysis takes time, so concentrate more on security (baseline protection approach). A full risk analysis is hard to achieve; therefore concentrate on the defence measures used in similar cases.