Presentation is loading. Please wait.

Presentation is loading. Please wait.

Spring 2009 1R. Smith - University of St Thomas - Minnesota CISC 210 - Class Today Making security decisionsMaking security decisions IntroductionsIntroductions.

Published byDominic Edwards Modified over 9 years ago

Similar presentations

Presentation on theme: "Spring 2009 1R. Smith - University of St Thomas - Minnesota CISC 210 - Class Today Making security decisionsMaking security decisions IntroductionsIntroductions."— Presentation transcript:

1 Spring 2009 1R. Smith - University of St Thomas - Minnesota CISC 210 - Class Today Making security decisionsMaking security decisions IntroductionsIntroductions Security perimetersSecurity perimeters AssignmentAssignment

2 Spring 2009 2R. Smith - University of St Thomas - Minnesota Making security decisions Do you always lock:Do you always lock: –A car door –A room door –A house door If not always, what decides otherwise?If not always, what decides otherwise?

3 Spring 2009 3R. Smith - University of St Thomas - Minnesota Decision Making Strategies Rule basedRule based –I’m told that’s what we do, and I follow that rule (Passwords) RelativisticRelativistic –My friend does it, so I do, too. –My neighbor has a fence and locks his front door. Me, too. –We all use super-strong Kryptonite bike locks “Security Theater”, hunter’s dilemma“Security Theater”, hunter’s dilemma MAD - DeterrenceMAD - Deterrence RationalRational –We look at the risks and choose security measures accordingly –If an incident occurs, it should prove cheaper than the long- term cost of protecting against it –Reassess risks as part of the “life cycle” of the asset

4 Spring 2009 4R. Smith - University of St Thomas - Minnesota Decision making in a life cycle Identify your practical goalsIdentify your practical goals –What “real” things do you want to accomplish? –What risks interfere with them? Choose the security that fitsChoose the security that fits –What weaknesses exist? –What security measures might work? –What are the trade-offs against goals? Measure successMeasure success –Monitor for attacks or other failures –Recover from problems –Reassess goals and trade-offs

5 Spring 2009 5R. Smith - University of St Thomas - Minnesota So what will the class look at? How to assess security in generalHow to assess security in general Analyzing trade-offs (risk, cost, effectiveness)Analyzing trade-offs (risk, cost, effectiveness) Specific security issues and techniquesSpecific security issues and techniques –Workstations –LANs –Distributed networks –Internet access –E-commerce –If time, DRM and ‘extreme security’ LabsLabs –Some exist, scheduling may be tricky

6 Spring 2009 6R. Smith - University of St Thomas - Minnesota Who are you, who am I Ask your neighbor:Ask your neighbor: –Name, major –Why are you taking this class? –Do you “0wn” a computer? I.e. can you log in as admin?I.e. can you log in as admin? –Give a personal, security related fact. Experience, skill, incident, etc.Experience, skill, incident, etc.

7 Spring 2009 7R. Smith - University of St Thomas - Minnesota The Class On-Line Web home pageWeb home page –courseweb.stthomas.edu/resmith links to it –Course schedule with homework assignments –Links to lecture notes BlackboardBlackboard –Link to course home page –Grades –Links to copyrighted material Draft book chaptersDraft book chapters

8 Spring 2009 8R. Smith - University of St Thomas - Minnesota The Syllabus Concepts we’ll coverConcepts we’ll cover –“Practical” security planning and assessment –Risk trade offs - the concept –Role of security policies Environments - in order of breadthEnvironments - in order of breadth –Personal desktop/laptop –Access control on shared computer –Desktop encryption –Local network –Internet access from LAN –Distributed LANs –E-commerce

9 Spring 2009 9R. Smith - University of St Thomas - Minnesota Textbook(s) The main text is Internet CryptographyThe main text is Internet Cryptography –We don’t need it yet, probably not till March –Buy a cheap copy The initial readings are draft chaptersThe initial readings are draft chapters –I’m writing a security text book –3 chapters are all finished –3-5 more chapters may be used in this class –Draft Chapters are posted on Blackboard Print them, or read on-line, as you preferPrint them, or read on-line, as you prefer

10 Spring 2009 10R. Smith - University of St Thomas - Minnesota Reading the Draft Chapters Usually starts with a ‘scenario’Usually starts with a ‘scenario’ –People involved in a security relevant activity “Body” of the chapter“Body” of the chapter –Concepts and techniques –What to do - How to do it - How things are related –Examples of things to do in exercises Process examplesProcess examples –Follow a security situation through the 6-step process –Sometimes computer-related, sometimes not Resources, Review and ExercisesResources, Review and Exercises –Study the review questions –source of quiz/exam questions –Exercises – numbered with ‘E’ – typical homework

11 Spring 2009 11R. Smith - University of St Thomas - Minnesota Personal Computer Security Share a dorm room?Share a dorm room? Share an apartment?Share an apartment? Share a home?Share a home? “My” computer - a security objective“My” computer - a security objective “I’ll kill you if you touch it”“I’ll kill you if you touch it” –a policy statement?

12 Spring 2009 12R. Smith - University of St Thomas - Minnesota Extreme Workstation Security Does this achieve our goals?

13 Spring 2009 13R. Smith - University of St Thomas - Minnesota A real world example There is a companyThere is a company Thieves walk into their buildings every dayThieves walk into their buildings every day The front door is unlocked all day longThe front door is unlocked all day long Valuable company property is just lying aroundValuable company property is just lying around The thieves pick it up and carry it awayThe thieves pick it up and carry it away Most thieves, but not all, get away!Most thieves, but not all, get away! WHAT IS THIS STUPID COMPANY?WHAT IS THIS STUPID COMPANY? Why don’t they lock the door, at least?Why don’t they lock the door, at least?

14 Spring 2009 14R. Smith - University of St Thomas - Minnesota The Security Process 1.Identify your assets What assets and capabilities do you require?What assets and capabilities do you require? 2.Analyze the risks of attack What can happen to damage your assets?What can happen to damage your assets? What is the likelihood of damage?What is the likelihood of damage? 3.Establish your security policy Trade off of risks, cost of damage, cost of protectionTrade off of risks, cost of damage, cost of protection Identify the protections you intend to useIdentify the protections you intend to use 4.Implement your defenses 5.Monitor your defenses 6.Recover from attacks

15 Spring 2009 15R. Smith - University of St Thomas - Minnesota The Process Itself Based on industrial modelsBased on industrial models –“System engineering” process We can apply it at a high levelWe can apply it at a high level –Examples sprinkled through the text: Bob, 9/11, Troy, etc. We also apply steps in detailWe also apply steps in detail –Numerical risk assessments –Policy planning –Security implementation plans

16 Spring 2009 16R. Smith - University of St Thomas - Minnesota Security analysis: your PC The PC itself isn’t the assetThe PC itself isn’t the asset –Most often, we value what it does, not what it is Hardware is interchangeableHardware is interchangeable Assets: resources, things that empower usAssets: resources, things that empower us –Focus on what the assets empower us to achieve: –Get homework done, socialize, manage finances, etc. Risks: things that interfere with assetsRisks: things that interfere with assets –What can interfere with our achievements? –Assess likelihood and impact We identify risks by looking at threats and vulnerabilitiesWe identify risks by looking at threats and vulnerabilities

17 Spring 2009 17R. Smith - University of St Thomas - Minnesota Asset Threats & Vulnerabilities ThreatDefense, Safeguard, or “Countermeasure ” attack An attempt to steal or harm the asset is an attack Vulnerability

18 Spring 2009 18R. Smith - University of St Thomas - Minnesota Simple risk analysis: your PC Threats?Threats? –Who, why? Vulnerabilities?Vulnerabilities? –What bad can happen? –What allows the badness to happen? Can we just lock it up?Can we just lock it up? –Put it in a room –Put a lock on the door. –Don’t share the key Does this work?Does this work?

19 Spring 2009 19R. Smith - University of St Thomas - Minnesota Deciding on Protection Policy: what protections we needPolicy: what protections we need –If possible, identify defensive perimeters –Identify other defenses to reduce impact of risks –Balance against how we use the asset –Balance against cost of protection

20 Spring 2009 20R. Smith - University of St Thomas - Minnesota Physically securing an area What is a secure perimeter?What is a secure perimeter? –Contiguous - no breaks –A barrier - actually blocks some attacks –Minimal number of openings –Access restrictions on the openings Example: my houseExample: my house –Wooden frame building - keeps out wild dogs –Glass windows with storms - ditto –Locked doors - ditto –Metal fence - ditto –Gates in the fence - ditto

21 Spring 2009 21R. Smith - University of St Thomas - Minnesota Security Analysis What are the threats?What are the threats? –Wild dogs –Burglars –People collecting for nasty charities What are the defenses?What are the defenses? Are there effective attacks on them?Are there effective attacks on them? –Effective = threats might use them

22 Spring 2009 22R. Smith - University of St Thomas - Minnesota Is this a complete list of threats? Of course not.Of course not. –Study history, the news, experience, introspection –Generate a ‘better’ list A notion of “threats”A notion of “threats” –Threat = anyone with strongly different goals –Example: Burger King vs McDonald’s Both “sort of” have the same goal: sell burgersBoth “sort of” have the same goal: sell burgers In fact, BK wants to sell BK burgers, while Mac wants to sell Mac burgersIn fact, BK wants to sell BK burgers, while Mac wants to sell Mac burgers BK people are not trusted in McDonald’s placesBK people are not trusted in McDonald’s places

23 Spring 2009 23R. Smith - University of St Thomas - Minnesota Potential vs Real Threats Potential Threat = strongly different goalsPotential Threat = strongly different goals –Not a member of the family, company, community –Member of competing entity –But not necessarily motivated to do you harm Real Threat = history of attacksReal Threat = history of attacks –“Good” neighborhood = neighbors not a threat –“Bad” neighborhood = neighbors have caused trouble in the past

24 Spring 2009 24R. Smith - University of St Thomas - Minnesota Now, the Defenses Physical worldPhysical world –Physical barriers, slows them down a lot –Locks - slow them down, restricts access –Alarms - calls for help –Warnings - shows you care Computer worldComputer world –Examples?

25 Spring 2009 25R. Smith - University of St Thomas - Minnesota What defenses are “effective”? Concept of “work factor”Concept of “work factor” –How hard does the attacker have to work to overcome the defense? –May be computed in hours –May be computed in likelihood over time Example: average of 3 days, $.25M to crack DESExample: average of 3 days, $.25M to crack DES Effective =Effective = –Work Factor > threat’s motivation or skill –My Home Example Wild dogs motivated but not resourcefulWild dogs motivated but not resourceful Charity people resourceful but not motivatedCharity people resourceful but not motivated Burglars may be both, but hopefully not too much soBurglars may be both, but hopefully not too much so –Or, deterred by the alarm, and the large dog

26 Spring 2009 26R. Smith - University of St Thomas - Minnesota How does this relate to computers? Defenses are always a trade offDefenses are always a trade off The same reasoning applies to bothThe same reasoning applies to both All security begins with physical securityAll security begins with physical security

27 Spring 2009 27R. Smith - University of St Thomas - Minnesota Evolution of Attacks and Defenses AttacksDefenses Remote TerminalsMasquerade PasswordsSteal the Password File Password HashingGuessing Guess DetectionKeystroke Sniffing Memory ProtectionPassword Sharing Password TokensNetwork Sniffing One-Time Passwords ?? Example: Passwords on Computers

28 Spring 2009 28R. Smith - University of St Thomas - Minnesota The homework assignment First, Read Draft Chapter 1First, Read Draft Chapter 1 –Posted on Blackboard Second, do Exercise E5 at the end of the chapter: analyze the perimeter of some commercial or other business location.Second, do Exercise E5 at the end of the chapter: analyze the perimeter of some commercial or other business location.

29 Spring 2009 29R. Smith - University of St Thomas - Minnesota Creative Commons License This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit http://creativecommons.org/licenses/by- sa/3.0/us/ or send a letter to Creative Commons, 171 Second Street, Suite 300, San Francisco, California, 94105, USA.

Download ppt "Spring 2009 1R. Smith - University of St Thomas - Minnesota CISC 210 - Class Today Making security decisionsMaking security decisions IntroductionsIntroductions."

Similar presentations

Context-Based Learning in Physics. “New” processes for students Note: These skills may be new to Physics classes but they are not necessarily new to students.

Context-Based Learning in Physics. “New” processes for students Note: These skills may be new to Physics classes but they are not necessarily new to students.
Chapter 1  Introduction 1 Chapter 1: Introduction.

Chapter 1  Introduction 1 Chapter 1: Introduction.
Good Morning! Announcements Please pick up an Attendance Form. Final Project paper due December 4 th (SafeAssign TM will be used) If you have not picked.

Good Morning! Announcements Please pick up an Attendance Form. Final Project paper due December 4 th (SafeAssign TM will be used) If you have not picked.
Computer viruses Hardware theft Software Theft Unauthorized access by hackers Information Theft Computer Crimes.

Computer viruses Hardware theft Software Theft Unauthorized access by hackers Information Theft Computer Crimes.
Copyright © 2006 by The McGraw-Hill Companies, Inc. All rights reserved. McGraw-Hill Technology Education Copyright © 2006 by The McGraw-Hill Companies,

Copyright © 2006 by The McGraw-Hill Companies, Inc. All rights reserved. McGraw-Hill Technology Education Copyright © 2006 by The McGraw-Hill Companies,
Is There a Security Problem in Computing? Network Security / G. Steffen1.

Is There a Security Problem in Computing? Network Security / G. Steffen1.
March 2005 1R. Smith - University of St Thomas - Minnesota CISC 210 - Class Today Homework: Chapter 5, exercises E6-E17Homework: Chapter 5, exercises E6-E17.

March R. Smith - University of St Thomas - Minnesota CISC Class Today Homework: Chapter 5, exercises E6-E17Homework: Chapter 5, exercises E6-E17.
Scripts for Success.

Scripts for Success.
Lecture 2 Page 1 CS 236, Spring 2008 Security Principles and Policies CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Spring, 2008.

Lecture 2 Page 1 CS 236, Spring 2008 Security Principles and Policies CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Spring, 2008.
Computers in Principle & Practice I - V22.0004 - Deena Engel Computers in Principle and Practice I V22.0004, Sections 1 & 2 Fall, 2009 Deena Engel Email.

Computers in Principle & Practice I - V Deena Engel Computers in Principle and Practice I V , Sections 1 & 2 Fall, 2009 Deena Engel .
Some things to think about. Assignment 1 is at the end, but read the whole thing. Please!

Some things to think about. Assignment 1 is at the end, but read the whole thing. Please!
March 2005 1R. Smith - University of St Thomas - Minnesota QMCS 490 - Class Today Authentication ReduxAuthentication Redux Some more biometrics slidesSome.

March R. Smith - University of St Thomas - Minnesota QMCS Class Today Authentication ReduxAuthentication Redux Some more biometrics slidesSome.
March 2005 1R. Smith - University of St Thomas - Minnesota QMCS 490 - Class Today Handing back the examHanding back the exam ProjectsProjects Certificates.

March R. Smith - University of St Thomas - Minnesota QMCS Class Today Handing back the examHanding back the exam ProjectsProjects Certificates.
Guide to Network Defense and Countermeasures Second Edition Chapter 2 Security Policy Design: Risk Analysis.

Guide to Network Defense and Countermeasures Second Edition Chapter 2 Security Policy Design: Risk Analysis.
March 2005 1R. Smith - University of St Thomas - Minnesota QMCS 490 - Class Today Homework collect/returnHomework collect/return OS Security/PolicyOS Security/Policy.

March R. Smith - University of St Thomas - Minnesota QMCS Class Today Homework collect/returnHomework collect/return OS Security/PolicyOS Security/Policy.
Ethics CS351. What are ethics? Dictionary: –1. A system or set of moral principles. –2. The rules of conduct recognized in respect to a particular class.

Ethics CS351. What are ethics? Dictionary: –1. A system or set of moral principles. –2. The rules of conduct recognized in respect to a particular class.
CMSC 414 Computer (and Network) Security Lecture 2 Jonathan Katz.

CMSC 414 Computer (and Network) Security Lecture 2 Jonathan Katz.
Chapter 0 Introductory Comments. Overview Syllabus Detailed power point slides My Web Page –Homework on web page –Readings –Other.

Chapter 0 Introductory Comments. Overview Syllabus Detailed power point slides My Web Page –Homework on web page –Readings –Other.
Writing. a faster PC improved disc storage Internet the monitor is smaller used recycled materials a flat screen Make a dialogue according to the situation.

Writing. a faster PC improved disc storage Internet the monitor is smaller used recycled materials a flat screen Make a dialogue according to the situation.
March 2005 1R. Smith - University of St Thomas - Minnesota CISC 210 - Class Today Return Homework; grading recapReturn Homework; grading recap “Enigma”

March R. Smith - University of St Thomas - Minnesota CISC Class Today Return Homework; grading recapReturn Homework; grading recap “Enigma”

Similar presentations

Ads by Google