Basic Security Concepts


1 Basic Security Concepts
- Threats and Attacks
- Computer Criminals
- Defense Techniques
- Security Planning

2 An Example
- School district employee uses disk with student names and SSNs in a student computer lab
- Student later removes information from the lab
- Anderson District 5 – T. L. Hanna HS
- The State, August 26, 2004
7/18/2019 CSCE Eastman - Fall 2006

3 Security Terminology
- Threat: potential occurrence that can have an undesired effect on the system
- Vulnerability: characteristic of the system that makes it possible for a threat to potentially occur
- Attack: action of a malicious intruder that exploits vulnerabilities of the system
- Risk: measure of the possibility of security breaches and the severity of the damage
- Control: protective measure that reduces a vulnerability

4 Threat or Menace?
- Hackers: Threat or Menace?
- Instant Messaging: Threat or Menace?
- SUVs: Threat or Menace?
- Colons: Threat or Menace?
- Mary Worth: Threat or Menace?

5 Superman
- Vulnerability: Kryptonite
- Threat: Possible exposure to kryptonite
- Attack: Use of kryptonite by villain
- Control: Lead shielding

6 Roadkill
- Vulnerability: Animals on road
- Threat: Possible collision with animal
- Attack: Unwise road crossing by animal
- Control: Various

7 Assessment of Risk
- Probability of collision
  - Species of animal
  - Location
  - Time and date
- Damage to car/occupants
  - Minor or none
  - Total destruction/death
- Damage to animal
  - Minor scratches
  - Death

8 Different Animals
- Moose
  - Possible high damage to car/occupants
  - Low probability in South Carolina
- Deer
  - High probability in South Carolina
- Frog
  - Little or no damage to car/occupants

9 Possible Controls for Deer
- Defensive driving
- Knowledge of deer behavior
- Deer crossing signs
- Fences
- Diversionary feeding areas
- Expanded hunting seasons
- Roadside reflectors
- Whistles and other noisemakers
- Deer-activated flashing lights

10 And Now ... Back to Computer Security

11 Sources of Threats
- Errors of users
- Dishonest insider
- Disgruntled insider
- Outsiders
- Natural disasters
- Computer system failure

12 Types of Threats
- Disclosure threat – dissemination of unauthorized information
- Alteration threat – incorrect modification of information
- Denial of service threat – access to a system resource is blocked

13 Impact of Attack: What?
- Interruption – an asset is destroyed, unavailable or unusable (availability)
- Interception – unauthorized party gains access to an asset (confidentiality)
- Modification – unauthorized party tampers with asset (integrity)
- Fabrication – unauthorized party inserts counterfeit object into the system (integrity)

14 Methods of Attack: How?
- Passive attacks:
  - Eavesdropping
  - Monitoring
- Active attacks:
  - Masquerade – one entity pretends to be a different entity
  - Replay – passive capture of information and its retransmission
  - Modification of messages – legitimate message is altered
  - Denial of service – prevents normal use of resources

15 Computer Crime
- Any crime that involves computers or is aided by the use of computers
- U.S. Federal Bureau of Investigation: reports uniform crime statistics

16 Computer Criminals
- Amateurs: regular users, who exploit the vulnerabilities of the computer system
  - Motivation: easy access to vulnerable resources
- Crackers: attempt to access computing facilities for which they do not have the authorization
  - Motivation: enjoy challenge, curiosity
- Career criminals: professionals who understand the computer system and its vulnerabilities
  - Motivation: personal gain (e.g., financial)

17 Methods of Defense
- Prevent: block attack
- Deter: make the attack harder
- Deflect: make other targets more attractive
- Detect: identify misuse
- Tolerate: function under attack
- Recover: restore to correct state

18 Information Security Planning
- Organization analysis
- Risk management
- Mitigation approaches and their costs
- Security policy
- Implementation and testing
- Security training and awareness

19 System Security Engineering
[Flowchart boxes:]
- Specify System Architecture
- Identify and Install Safeguards
- Threats, Attacks, Vulnerabilities??
- Prioritize Vulnerabilities
- Estimate Risk
- Risk is acceptably low

20 Risk Management
- Risk analysis
- Risk avoidance
- Risk mitigation
- Risk acceptance
- Risk transference

21 Risk Analysis Methods
- Risk Analysis
- Threats and relevance
- Potential for damage
- Likelihood of exploit

22 Assets-Threat Model
- Threats compromise assets
- Threats have a probability of occurrence and severity of effect
- Assets have values
- Assets are vulnerable to threats
[Diagram labels: Threats, Assets]

23 Computing Risks
- Risk: expected loss from the threat against an asset
- ALE = AV*EF*ARO
  - ALE – annualized loss expectancy
  - AV – value of asset
  - EF – exposure factor (fraction lost)
  - ARO – annualized rate of occurrence

24 A Simple Example
- Threat: Power surge
- Vulnerability: Power supply
- AV – computer valued at $1,000
- EF – 10% loss if power surge
- SLE – $100 (AV*EF)
- ARO – 2 (twice a year)
- ALE – $200 (SLE*ARO)

25 Cost/Benefit Analysis
- Benefit = (ALE * Life) - Cost
- Assume:
  - Surge protector costs $25
  - Surge protector lasts 5 years
  - ALE = $200
- Benefit = ($200 * 5) - $25 = $975
- Buy the surge protector!!!
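The ALE and cost/benefit arithmetic from slides 23–25, applied to a small risk register and ranked by ALE (an added example, not part of the original slides). The `Risk` and `Control` classes, the `residual_ale` parameter (the slide's formula is the case where the control removes the loss entirely) and the entries marked constructed are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Risk:
    threat: str
    av: float    # AV: asset value in dollars
    ef: float    # EF: exposure factor, fraction of AV lost per occurrence
    aro: float   # ARO: annualized rate of occurrence

    def __post_init__(self):
        if self.av < 0 or self.aro < 0:
            raise ValueError("AV and ARO must be non-negative")
        if not 0.0 <= self.ef <= 1.0:
            raise ValueError("EF is a fraction between 0 and 1")

    @property
    def sle(self):   # single loss expectancy = AV * EF
        return self.av * self.ef

    @property
    def ale(self):   # annualized loss expectancy = SLE * ARO
        return self.sle * self.aro

@dataclass(frozen=True)
class Control:
    name: str
    cost: float                # purchase cost in dollars
    life_years: float          # how long the control lasts
    residual_ale: float = 0.0  # assumption: ALE still expected with the control in place

def benefit(risk, control):
    """(ALE avoided * Life) - Cost; equals the slide formula when residual_ale is 0."""
    return (risk.ale - control.residual_ale) * control.life_years - control.cost

def prioritize(risks):
    """Highest expected annual loss first."""
    return sorted(risks, key=lambda r: r.ale, reverse=True)

REGISTER = [
    Risk("Power surge", 1_000, 0.10, 2),      # the slide's example
    Risk("Laptop theft", 1_500, 1.00, 0.05),  # constructed entry
    Risk("Disk failure", 4_000, 0.25, 0.5),   # constructed entry
]
SURGE_PROTECTOR = Control("Surge protector", 25, 5)

if __name__ == "__main__":
    for r in prioritize(REGISTER):
        print(f"{r.threat:13} SLE=${r.sle:8.2f}  ALE=${r.ale:8.2f}")
    print("Surge protector benefit:", benefit(REGISTER[0], SURGE_PROTECTOR))
```

A negative `benefit` means the control costs more than the loss it is expected to avoid over its lifetime.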

26 System-Failure Model
- Estimate probability of highly undesirable events
- Risk: likelihood of undesirable outcome
[Diagram labels: Threat, Undesirable outcome, System]

27 Risk Acceptance
- Certification
  - How well the system meets the security requirements (technical)
- Accreditation
  - Management's approval of automated system (administrative)

28 Mitigation Approach
- Security safeguards
- Protection
- Assurance

29 Access Control Methodologies
Next Class: Access Control Methodologies
- Who?
- What?
- When?
- How?

