Basic Security Concepts University of Sunderland CSEM02 Harry R Erwin, PhD.


Analyzing Security (from Schneier, 2003, Beyond Fear)
These are the questions we must usually answer.
1. What assets are you trying to protect?
2. What are the risks to those assets?
3. How are you trying to protect them?
4. How well does your solution work?
5. What other risks does your solution introduce?
6. What are the costs and trade-offs of your solution?
(I have asked this as an exam question.)

Systems Security involves systems, and systems are not simple. They’re complex, elusive, and maddening. ‘A collection of simpler components that interact to form a greater whole.’ Hardware, software, people, and procedures. Systems also interact with other systems. Unexpected interactions are called ‘emergent properties’ or ‘unintended consequences.’ These are our concern.

Security Systems Most systems do something. Security systems are different—they prevent things from happening. You will care about how systems fail and how they can be made to fail. It’s ‘applied paranoia.’

The Roles of People in Security
– Decision-makers—choose what mechanisms and policies to follow, often to further their own agendas.
– Users—cooperative or uncooperative. Basic to making security work.
– Innocent bystanders—but still often affected.
– Attackers—sometimes not malicious, but usually intending to do what they did.

Bruce Schneier’s Three Rules of Understanding Security
Schneier Risk Demystification: Numbers matter and are not that hard to understand.
Schneier Secrecy Demystification: Secrecy is anathema to security:
– It’s brittle
– It conceals abuse
– It prevents sensible trade-offs
Schneier Agenda Demystification: Know the agendas of the people involved in a security decision. They usually drive the decision in certain directions.

Basic Terminology
– Vulnerability
– Threat
– Risk
– Trust
– Reliability
– Security
– Integrity
(Know these definitions cold!)

Vulnerability
‘A weakness that may lead to undesirable consequences.’
Typical vulnerabilities include
– Hardware
– Software
– Procedure
– External or environmental

Threat
‘The danger that a vulnerability will actually occur.’
Describes how the vulnerability would be attacked:
– E.g., buffer overflow is the vulnerability, and the threat would be transmission of a TCP/IP packet to cause buffer overflow.
Should be quantified by a rate of attack—i.e., how frequently an effective attack can be expected to occur.

Risk
‘A potential problem’, consisting of a
– Vulnerability
– Threat (expected attack rate)
– Expected extent of the consequences.
Hence risk is cost per unit of time (although the elements may be very hard to estimate).
This is what managers must evaluate against the cost of mitigating the risk.

Computing Risk
We usually use a logarithmic or decibel scale.
– 1 translates to 0
– 10 translates to 10
– 100 translates to 20
– Etc.
And the reverse.
This is because the uncertainty in the components of risk (rate of attack and extent of consequences) is multiplicative. Log and decibel scales represent multiplication by addition.

An Example
Hackers probe my office workstation about once every 10 minutes, or 144 times a day. This translates to a value of about 22 dB on a daily scale. 365 days per year increases this to 47 dB on a yearly scale.
If they broke in, the cost could be the loss of about $10,000 of work. This translates to a value of 40 dB per attack.
The raw risk rate is about 47 + 40 = 87 dB, or about $500,000,000 per year.
Note that a good firewall reduces this vulnerability by many orders of magnitude. I use a locked-down Macintosh dual G4 running BSD UNIX. This reduces my risk to perhaps $100/year. If I used a firewalled Wintel machine, my risk would be more like $1000/year.
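The decibel arithmetic from the two slides above, as an added Python example that is not part of the original slides. The function names, the ±6 dB uncertainty band and the $5,000/year control cost are assumptions made for illustration; the attack rate, loss and residual-risk figures are the slide's own.

```python
import math

def to_db(x):
    """Linear value -> decibels: 1 -> 0, 10 -> 10, 100 -> 20."""
    if x <= 0:
        raise ValueError("the dB scale is only defined for positive values")
    return 10.0 * math.log10(x)

def from_db(db):
    """Decibels -> linear value (the reverse mapping)."""
    return 10.0 ** (db / 10.0)

def annual_risk_db(attacks_per_day, loss_per_attack, days_per_year=365):
    """Raw risk in dB($/year). The factors multiply, so their dB values add."""
    return to_db(attacks_per_day) + to_db(days_per_year) + to_db(loss_per_attack)

def attenuation_db(raw_db, residual_per_year):
    """dB of risk that controls must remove to reach a given residual risk."""
    return raw_db - to_db(residual_per_year)

def risk_band(raw_db, uncertainty_db):
    """A multiplicative error factor becomes a symmetric +/- band in dB."""
    return from_db(raw_db - uncertainty_db), from_db(raw_db + uncertainty_db)

def worth_mitigating(raw_db, residual_per_year, control_cost_per_year):
    """Manager's comparison: risk removed per year vs. yearly cost of the control."""
    return from_db(raw_db) - residual_per_year > control_cost_per_year

if __name__ == "__main__":
    raw = annual_risk_db(attacks_per_day=144, loss_per_attack=10_000)  # slide's figures
    print(f"raw risk: {raw:.1f} dB = ${from_db(raw):,.0f}/year")
    for label, residual in [("locked-down BSD host", 100), ("firewalled Wintel host", 1_000)]:
        print(f"{label}: controls remove {attenuation_db(raw, residual):.0f} dB")
    low, high = risk_band(raw, uncertainty_db=6)   # assumed +/- 6 dB (about a factor of 4)
    print(f"with +/- 6 dB uncertainty: ${low:,.0f} to ${high:,.0f}/year")
    # Assumed control cost of $5,000/year, for illustration only.
    print("mitigate?", worth_mitigating(raw, 100, control_cost_per_year=5_000))
```

The unrounded product is 144 × 365 × $10,000 = $525,600,000 per year, which the slide rounds to 87 dB, or about $500,000,000.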

Trust ‘A relationship between two entities where one entity allows the other to perform certain actions.’ In traditional security, based on need to know, and can be managed by security level and authorizations. In e-commerce, becomes very complex. Currently a leading-edge research area.

Reliability
‘The system performs functionally as expected.’
Related to availability. Availability (a fraction) can be computed numerically as the time the system is actually functional divided by the time the system is supposed to be functional.
Related terminology includes:
– MTTF—mean time to failure (time)
– MTTR—mean time to repair (time)

Security
‘Freedom from undesirable events’—hence much broader than the usual concept.
In the UK, there are three elements to security (in a narrow sense) often listed:
– Confidentiality—‘protection of data from unauthorized access.’
– Integrity—‘protection of data from unauthorized modification.’ More generally, certain desirable conditions are maintained over time
– Availability—‘the system is usable by authorized users.’

Summary A security analyst, a safety analyst, and a risk analyst have very similar job descriptions—all are concerned with managing risk. Risk is expensive. The distinctive character of the security analyst’s job reflects a primary concern with malicious and intelligent threats. The US security analysis community was unsurprised by the events of 11/9/2001—we had already thought about the scenario (and worse ones).