Presentation is loading. Please wait.

Presentation is loading. Please wait.

Networked Systems Survivability CERT ® Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213-3890 © 2002 Carnegie.

Published byJohn Leslie Stafford Modified over 9 years ago

Similar presentations

Presentation on theme: "Networked Systems Survivability CERT ® Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213-3890 © 2002 Carnegie."— Presentation transcript:

1 Networked Systems Survivability CERT ® Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213-3890 © 2002 Carnegie Mellon University ® CERT, CERT Coordination Center and Carnegie Mellon are registered in the U.S. Patent and Trademark Office Information Security for Technical Staff Module 1: The Challenge of Survivability

2 © 2002 Carnegie Mellon University Module 1: The Challenge of Survivability – slide 2 Instructional Objectives Define survivability Compare and contrast security and survivability Describe the layered approach to survivability Identify and define the components of the Information Security Model: Information Security Properties, Information States, and Security Measures Describe strategies for protecting information assets Describe administrative responsibilities of information security professionals List examples for practicing constant vigilance Discuss how Intruders have the means, motive, and opportunity to compromise survivability

3 © 2002 Carnegie Mellon University Module 1: The Challenge of Survivability – slide 3 Overview What is survivability? Security vs. survivability The layered approach An information security model Protecting your information assets Administrative responsibilities Constant vigilance Means, motive, and opportunity

4 © 2002 Carnegie Mellon University Module 1: The Challenge of Survivability – slide 4 Survivability Defined The capability of a system to fulfill its mission, in a timely manner, in the presence of attacks, failures, or accidents The term “system” is used in the broadest possible sense, and includes networks and large-scale “systems of systems.”

5 © 2002 Carnegie Mellon University Module 1: The Challenge of Survivability – slide 5 Security vs. Survivability -1 SecuritySurvivability Focus on Protecting Information Focus on Continuity of Operations Systems are seen as bounded and under central administrative control Systems are seen as open, unbounded, with distributed administrative control Considered an overhead expense Considered an investment; essential to the business of the organization Narrow technical specialty with technology- based solutions Part of Enterprise Risk Management; business driven – management based solutions Protect system components No component immune; ensure mission sustained

6 © 2002 Carnegie Mellon University Module 1: The Challenge of Survivability – slide 6 Security as a component of survivability The postal analogy: The U.S. Postal Service’s system of receiving, transporting, and delivering mail has several survivability components Locked mailboxes Segregated cargo on flights Camera’s in post offices Frequent inspections Extensive security policies Federal laws and strict enforcement etc. Automation Bar codes, optical scanners, web-tracking, computerized parsing, etc. Fault Tolerance Alternate flights/hubs, substitute letter-carriers, inter- post office communication Management Extensive training program, personnel accountability, infusion of pride, etc. Design Zip code system, levels of service, hub and spoke “topology”, etc. Timely delivery of mail MissionSecurity ComponentsOther Key Components Security vs. Survivability -2

7 © 2002 Carnegie Mellon University Module 1: The Challenge of Survivability – slide 7 The Layered Approach to Survivability -1 Applying synergistic solutions in an attempt to accomplish the mission and mitigate potential failures The Driving Analogy Safely Transport Passengers MissionLayers of Survivability Multiple airbags Seatbelts, bumpers Crush-zones Reinforced cockpit Helmets Driver licensing and education Traffic laws, etc.

8 © 2002 Carnegie Mellon University Module 1: The Challenge of Survivability – slide 8 The Layered Approach to Survivability -2 The military base analogy: Starts with and is defined by Risk Management Mission Layers of Survivability Secure Military Base Facilities Base Gymnasium: Barbed wire/fence around base perimeter Only 1 entrance to base where armed MP checks everyone’s ID card Locks on doors and windows Barbed wire/fence around base perimeter Only 1 entrance to base where armed MP checks everyone’s ID card Internal perimeter electrified fence around headquarters MPs at internal gate checking special headquarters-only pass and ID card Biometric scan for entry into reinforced door Comprehensive security policies and strict enforcement Quarterly security awareness training to headquarters staff Backup generators, water and food reserves Bomb, fire, biological and chemical-resistant facility Headquarters Layers: Gym HQ

9 © 2002 Carnegie Mellon University Module 1: The Challenge of Survivability – slide 9 Anticipate Failures and Intrusions You won’t necessarily have warning Plan for the worst: Natural disasters, terrorism, hackers, equipment failure, human-error, disgruntled employees, etc. 1.Evaluate and prioritize assets. 2.Identify risks. 3.Apply appropriate protection strategies.

10 © 2002 Carnegie Mellon University Module 1: The Challenge of Survivability – slide 10 Information States Security Measures Information Security Properties NSTISSI 4011: National Training Standard for Information Systems Security Professionals, 1994 Information Security Model

11 © 2002 Carnegie Mellon University Module 1: The Challenge of Survivability – slide 11 Availability Integrity Confidentiality Information Security Properties

12 © 2002 Carnegie Mellon University Module 1: The Challenge of Survivability – slide 12 Processing Storage Transmission Information States

13 © 2002 Carnegie Mellon University Module 1: The Challenge of Survivability – slide 13 Policy and Procedures Technology Education, Training, and Awareness Security Measures

14 © 2002 Carnegie Mellon University Module 1: The Challenge of Survivability – slide 14 Confidentiality Integrity Availability Processing Storage Transmission Policy and Procedures Technology Education, Training, and Awareness Information Security Model

15 © 2002 Carnegie Mellon University Module 1: The Challenge of Survivability – slide 15 Information Security Concepts

16 © 2002 Carnegie Mellon University Module 1: The Challenge of Survivability – slide 16 Protecting Information Assets Avoidance Prevention Detection Containment and response Recovery Improvement

17 © 2002 Carnegie Mellon University Module 1: The Challenge of Survivability – slide 17 Administrative Responsibilities Authorization Authentication Accountability Monitoring Incident response Damage assessment and recovery Analysis System life-cycle management Backups, fault tolerance

18 © 2002 Carnegie Mellon University Module 1: The Challenge of Survivability – slide 18 Practice Vigilance Test systems before deployment Implement monitoring and logging Check integrity of files and directories Scan for viruses, trojans, and worms Practice readiness Keep patches up to date and keep records Raise user awareness

19 © 2002 Carnegie Mellon University Module 1: The Challenge of Survivability – slide 19 Intruders—Who Are They? Someone who attempts to breach the security of an information asset Internal vs. external Hackers, crackers, and cyber-criminals Your own IT staff?

20 © 2002 Carnegie Mellon University Module 1: The Challenge of Survivability – slide 20 Intruders Means Motive Opportunity

21 © 2002 Carnegie Mellon University Module 1: The Challenge of Survivability – slide 21 Intruder Means Means is the sum of: What they know and can learn - Abundant sources of technical information Information from others who can help them - Mailing lists, conferences, chat rooms Tools they have at their disposal to execute an intrusion - Availability of sophisticated, easy-to-use intruder tools

22 © 2002 Carnegie Mellon University Module 1: The Challenge of Survivability – slide 22 Attack Sophistication vs. Intruder Technical Knowledge

23 © 2002 Carnegie Mellon University Module 1: The Challenge of Survivability – slide 23 Intruder Motives Money, profit Access to additional resources Competitive advantage Economic Political Personal grievance, vengeance Curiosity Mischief Attention Terrorism

24 © 2002 Carnegie Mellon University Module 1: The Challenge of Survivability – slide 24 Opportunities for Intrusion Rapid adoption of computer and network technology in government, industry, and educational organizations Internet explosion and e-commerce Thousands of exploitable vulnerabilities in technology Lack of awareness regarding information security Shortage of qualified system and network administrators and information security staff Lack of applicable laws and means of enforcement International scope

25 © 2002 Carnegie Mellon University Module 1: The Challenge of Survivability – slide 25 Intruders: Active and Interconnected Telephone/voice message systems E-mail Bulletin board systems Anonymous FTP service Internet Relay Chat (IRC) – #hack channel Web sites Conferences Publications

26 © 2002 Carnegie Mellon University Module 1: The Challenge of Survivability – slide 26 Review Questions -1 1.What is Survivability? 2.How does security differ from survivability? 3.What is essential and considered first when implementing the layered approach to survivability? 4.Define each of the three properties of information security (IS) as noted in the IS Model 5.Define each of the three states of information as noted in the IS Model

27 © 2002 Carnegie Mellon University Module 1: The Challenge of Survivability – slide 27 Review Questions -2 6.Define each of the three security measures as noted in the IS Model 7.Identify and describe two strategies for protecting your Information Assets 8.Identify and describe two IS responsibilities of system and network administrators 9.List three examples of practicing vigilance as an IS professional 10.What are some of the means that intruders have for challenging the survivability of a system?

28 © 2002 Carnegie Mellon University Module 1: The Challenge of Survivability – slide 28 Summary What is survivability? Security vs. survivability The layered approach An information security model Protecting your information assets Administrative responsibilities Constant vigilance Means, motive, and opportunity

Download ppt "Networked Systems Survivability CERT ® Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213-3890 © 2002 Carnegie."

Similar presentations

Mastering Network Security (MNS101)

Mastering Network Security (MNS101)
h Protection from cyber attacks is achieved by acting on several levels: first, at the physical and material, placing the server in a place as safe as.

h Protection from cyber attacks is achieved by acting on several levels: first, at the physical and material, placing the server in a place as safe as.
Ethics, Privacy and Information Security

Ethics, Privacy and Information Security
1 Defining System Security Policies. 2 Module - Defining System Security Policies ♦ Overview An important aspect of Network management is to protect your.

1 Defining System Security Policies. 2 Module - Defining System Security Policies ♦ Overview An important aspect of Network management is to protect your.
Networked Systems Survivability CERT ® Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213-3890 © 2002 Carnegie.

Networked Systems Survivability CERT ® Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh, PA © 2002 Carnegie.
Management’s Role in Information Security V.T. Raja, Ph.D., Oregon State University.

Management’s Role in Information Security V.T. Raja, Ph.D., Oregon State University.
Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch

Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch
CERT ® System and Network Security Practices Presented by Julia H. Allen at the NCISSE 2001: 5th National Colloquium for Information Systems Security Education,

CERT ® System and Network Security Practices Presented by Julia H. Allen at the NCISSE 2001: 5th National Colloquium for Information Systems Security Education,
Security Controls – What Works

Security Controls – What Works
Course ILT Security overview Unit objectives Discuss network security Discuss security threat trends and their ramifications Determine the factors involved.

Course ILT Security overview Unit objectives Discuss network security Discuss security threat trends and their ramifications Determine the factors involved.
Security+ Guide to Network Security Fundamentals

Security+ Guide to Network Security Fundamentals
8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.

8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.
Cybersecurity Summit 2004 Andrea Norris Deputy Chief Information Officer/ Director of Division of Information Systems.

Cybersecurity Summit 2004 Andrea Norris Deputy Chief Information Officer/ Director of Division of Information Systems.
©Ian Sommerville 2006Software Engineering, 8th edition. Chapter 30 Slide 1 Security Engineering.

©Ian Sommerville 2006Software Engineering, 8th edition. Chapter 30 Slide 1 Security Engineering.
ITS Offsite Workshop 2002 PolyU IT Security Policy PolyU IT/Computer Systems Security Policy (SSP) By Ken Chung Senior Computing Officer Information Technology.

ITS Offsite Workshop 2002 PolyU IT Security Policy PolyU IT/Computer Systems Security Policy (SSP) By Ken Chung Senior Computing Officer Information Technology.
Lecture 11 Reliability and Security in IT infrastructure.

Lecture 11 Reliability and Security in IT infrastructure.
Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.

Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.
Computer Security: Principles and Practice

Computer Security: Principles and Practice
Controls for Information Security

Controls for Information Security
Security Overview. 2 Objectives Understand network security Understand security threat trends and their ramifications Understand the goals of network.

Security Overview. 2 Objectives Understand network security Understand security threat trends and their ramifications Understand the goals of network.

Similar presentations

Ads by Google