Presentation is loading. Please wait.

Presentation is loading. Please wait.

Lecture 5: Beyond Threats

Published byΛουκανός Βλαχόπουλος Modified over 5 years ago

Similar presentations

Presentation on theme: "Lecture 5: Beyond Threats"— Presentation transcript:

1 Lecture 5: Beyond Threats
CS /7/2018

2 The Big Picture Attacks are perpetrated by threats that inflict harm by exploiting vulnerabilities which are controlled by countermeasures.

3 Engineering methodology
Functional requirements Threat analysis Harm analysis Security goals Feasibility analysis Security requirements

4 1. Functional requirements
Security = does what it should + nothing more Should be testable: a 3rd party could determine whether requirement is met User stories: brief description of single kind of interaction user can have with system "As a user I can action so that purpose" Examples from CMS: As a professor, I can create a new assignment by specifying its name, number of possible points, and due date. As a student, I can submit a file as a solution to an assignment. These stories reveal system assets

5 Assets Types of Assets: In computer systems:
physical objects (e.g., money) intangible objects (e.g., bank account balance) In computer systems: information is typically the main asset hardware and software could be assets people are not typically considered to be assets HW and SW typically easily replaceable Can't control or protect people with computers, usually

6 Stakeholders Anything of value to a stakeholder in system could be an asset direct value: damage affects asset itself indirect value: damage affects something else, e.g. reputation An object is not an asset if it doesn't have value to some stakeholder A principal isn't a stakeholder if it doesn't value some system object We won't consider a generic "attacker" to be a stakeholder Cash has direct value to bank. Also indirect: affects reputation when it gets lost Your mobile phone: direct value in HW, in SW configuration, in photos and texts stored on it Some values: credit card numbers: $0.85 to $30, depending on evidence of usability; bank account credentials $15-$850; accounts $1-20; list of addresses $1.70-$15 per thousand [Symantec 2010 global internet threat report]

7 Example: GMS Grade Management System: manages just the final grade for a single course Functional requirements: As a student, I can view my final grade. As a professor, I can view and change final grades for all students. As an administrator, I can add/remove students and professors to/from the course

8 Ex: GMS Asset: a numeric score for each student

9 2. Threat analysis Identify threats of concern to system
Especially malicious, human threats What kinds of attackers will system resist? What are their motivations, resources, and capabilities? Best if analysis is specific to system and its functionality Non threats? Trusted hardware Trusted environment e.g., physically secured machine room reachable only by trustworthy system operators

10 Example: GMS Threat analysis: Students:
Motivations: increase their own grade, lower others' grades, learn others' grades Capabilities: network access to servers, some physical access to others' computers, social engineering; probably not extensive computational or financial resources Out of scope: assume that threats cannot physically access any servers, profs are trusted, system admins

11 3. Harm analysis Harm: a negative consequence to a system asset
Harm to... confidentiality: disclosure, interception integrity: modification, fabrication availability: deprivation, interruption "Performing action on/to/with asset could cause harm" e.g., "stealing money could cause loss of revenue" e.g., "erasing account balances could cause loss of customers" Failure of confidentiality: • An unauthorized person accesses a data item. • An unauthorized process or program accesses a data item. • A person authorized to access certain data accesses other data not authorized (which is a specialized version of an unauthorized person accesses a data item). • An unauthorized person accesses an approximate data value (for example, not knowing someone’s exact salary but knowing that the salary falls in a particular range or exceeds a particular amount). • An unauthorized person learns the existence of a piece of data (for example, knowing that a company is developing a certain new product or that talks are under way about the merger of two companies). Failure of integrity: • imprecise • inaccurate • modified in unacceptable way • modified by unauthorized people • inconsistent • unmeaningful Failure of availability: • Unusable • Insufficient capacity • Insufficiently quick response • Unfair allocation of resources

12 Harm triples <action, asset, harm> Useful methodology:
e.g., <theft, money, loss of revenue> e.g., <erasure, account balance, loss of customer> Useful methodology: start with asset brainstorm actions that could harm asset let brainstorming be guided by CIA triad

13 Ex: GMS Asset: a numeric score for each student
Functional requirements: students view grades, profs view and change grades, admins manage enrollment Threat analysis: students might be malicious or curious; profs are trusted; threats can't access servers physically Harm analysis: performing action on/to/with asset could cause harm Exercise: invent some harm triples <action, asset, harm>

14 4. Security goals "The system shall prevent/detect action on/to/with asset." e.g., "The system shall prevent theft of money" e.g., "The system shall prevent erasure of account balances" Specify what not how Poor goals: "the system shall use encryption to prevent reading of messages" "the system shall use authentication to verify user identities" "the system shall resist attacks"

15 Ex: GMS Exercise: transform harm triples <action, asset, harm> into security goals the system shall prevent/detect action on/to/with asset

16 5. Feasibility analysis Not all goals are feasible to achieve
Relax goals: "prevent theft of items from a vault" to "resist penetration for 30 minutes" or to "detect theft of items from a vault"

17 From goals to requirements
Goals: what should never happen in any situation not testable Requirements: what should happen in specific situations testable

18 6. Security requirements
Constraints on functional requirements, in service of security goals Example: Functional requirement: allow people to cash checks Security goal: prevent loss of revenue through bad checks Security requirement: check must be drawn on bank where it's being cashed (so funds can be verified), or customer must be account holder at bank and depositing funds in account (so funds could be reversed)

19 Security requirements
Constraints on functional requirements, in service of security goals Another example: Functional requirement: allow two users to chat using IM Security goal: prevent disclosure of message contents to other users (Poor) security requirement: contents of message cannot be read by anyone other than the two users (Improved) security requirement: message is encrypted by key shared with the two users doesn't over-commit to encryption algorithm, key size, etc.

20 Goals vs. requirements Goals Requirements Broad scope Narrow scope
Apply to system Apply to individual functional requirements State desires State constraints Not testable Testable Not about design/implementation details Provide some details

21 Example: GMS Functional requirements: students view grades, profs view and change grades, admins manage enrollment Security goals: ... Security requirements: combine functional requirements with goals to invent constraints on system

22 Engineering methodology
Functional requirements Threat analysis Harm analysis Security goals Feasibility analysis Security requirements

23 Iteration Inventing new functional requirements
Introducing new assets Inventing new security requirements Inventing new security goals

24 No, this is not my real address.

25 Example: Eleanor's Place
New restaurant in Ithaca Contracts with opentable.com to make online reservations possible What are the functionality requirements for this reservation system? What is the threat model? What confidentiality, integrity, and availability harms does Eleanor's Place face? What security goals should it have? Are they feasible? How could these be refined to security requirements? What vulnerabilities might there be? What countermeasures could be employed to control those vulnerabilities?

26 Countermeasures A defense that protects against attacks by neutralizing either the threat or vulnerability involved Strategy: Prevent: block attack or close vulnerability Deter: make attack harder but not impossible Deflect: make other targets more attractive Mitigate: make harm less severe Detect: as it happens or after the fact Recover: undo harm

Download ppt "Lecture 5: Beyond Threats"

Similar presentations

Ragib Hasan University of Alabama at Birmingham CS 491/691/791 Fall 2012 Lecture 2 08/21/2012 Security and Privacy in Cloud Computing.

Ragib Hasan University of Alabama at Birmingham CS 491/691/791 Fall 2012 Lecture 2 08/21/2012 Security and Privacy in Cloud Computing.
ICT & Crime Data theft, phishing & pharming. Data loss/theft Data is often the most valuable commodity any business has. The cost of creating data again.

ICT & Crime Data theft, phishing & pharming. Data loss/theft Data is often the most valuable commodity any business has. The cost of creating data again.
Introduction to Security in Computing 01204427 Computer and Network Security Semester 1, 2011 Lecture #01.

Introduction to Security in Computing Computer and Network Security Semester 1, 2011 Lecture #01.
Is There a Security Problem in Computing? Network Security / G. Steffen1.

Is There a Security Problem in Computing? Network Security / G. Steffen1.
Lecture 1: Overview modified from slides of Lawrie Brown.

Lecture 1: Overview modified from slides of Lawrie Brown.
EEC 693/793 Special Topics in Electrical Engineering Secure and Dependable Computing Lecture 3 Wenbing Zhao Department of Electrical and Computer Engineering.

EEC 693/793 Special Topics in Electrical Engineering Secure and Dependable Computing Lecture 3 Wenbing Zhao Department of Electrical and Computer Engineering.
EEC 688/788 Secure and Dependable Computing Lecture 2 Wenbing Zhao Department of Electrical and Computer Engineering Cleveland State University

EEC 688/788 Secure and Dependable Computing Lecture 2 Wenbing Zhao Department of Electrical and Computer Engineering Cleveland State University
Lecture 2 Page 1 CS 236, Spring 2008 Security Principles and Policies CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Spring, 2008.

Lecture 2 Page 1 CS 236, Spring 2008 Security Principles and Policies CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Spring, 2008.
1 Cryptography and Network Security Third Edition by William Stallings Lecturer: Dr. Saleem Al_Zoubi.

1 Cryptography and Network Security Third Edition by William Stallings Lecturer: Dr. Saleem Al_Zoubi.
Introducing Computer and Network Security

Introducing Computer and Network Security
EEC 688/788 Secure and Dependable Computing Lecture 2 Wenbing Zhao Department of Electrical and Computer Engineering Cleveland State University

EEC 688/788 Secure and Dependable Computing Lecture 2 Wenbing Zhao Department of Electrical and Computer Engineering Cleveland State University
Lecture 1 Page 1 CS 236, Spring 2008 What Are Our Security Goals? Confidentiality –If it’s supposed to be a secret, be careful who hears it Integrity –Don’t.

Lecture 1 Page 1 CS 236, Spring 2008 What Are Our Security Goals? Confidentiality –If it’s supposed to be a secret, be careful who hears it Integrity –Don’t.
EEC 693/793 Special Topics in Electrical Engineering Secure and Dependable Computing Lecture 3 Wenbing Zhao Department of Electrical and Computer Engineering.

EEC 693/793 Special Topics in Electrical Engineering Secure and Dependable Computing Lecture 3 Wenbing Zhao Department of Electrical and Computer Engineering.
CPSC 6126 Computer Security Information Assurance.

CPSC 6126 Computer Security Information Assurance.
Topics in Information Security Prof. JoAnne Holliday Santa Clara University.

Topics in Information Security Prof. JoAnne Holliday Santa Clara University.
SECURITY REQUIREMENT FROM PROBLEM FRAMES PERPECTIVE Fabricio Braz 01/25/08.

SECURITY REQUIREMENT FROM PROBLEM FRAMES PERPECTIVE Fabricio Braz 01/25/08.
PART THREE E-commerce in Action Norton University E-commerce in Action.

PART THREE E-commerce in Action Norton University E-commerce in Action.
MOBILE DEVICE SECURITY. WHAT IS MOBILE DEVICE SECURITY? Mobile Devices  Smartphones  Laptops  Tablets  USB Memory  Portable Media Player  Handheld.

MOBILE DEVICE SECURITY. WHAT IS MOBILE DEVICE SECURITY? Mobile Devices  Smartphones  Laptops  Tablets  USB Memory  Portable Media Player  Handheld.
Information Systems Security Computer System Life Cycle Security.

Information Systems Security Computer System Life Cycle Security.
BUSINESS B1 Information Security.

BUSINESS B1 Information Security.

Similar presentations

Ads by Google