Presentation is loading. Please wait.

Presentation is loading. Please wait.

11 ASSESSING THE NEED FOR SECURITY Chapter 1. Chapter 1: Assessing the Need for Security2 ASSESSING THE NEED FOR SECURITY  Security design concepts 

Published bySara Reeves Modified over 9 years ago

Similar presentations

Presentation on theme: "11 ASSESSING THE NEED FOR SECURITY Chapter 1. Chapter 1: Assessing the Need for Security2 ASSESSING THE NEED FOR SECURITY  Security design concepts "— Presentation transcript:

1 11 ASSESSING THE NEED FOR SECURITY Chapter 1

2 Chapter 1: Assessing the Need for Security2 ASSESSING THE NEED FOR SECURITY  Security design concepts  Assets  Threats  Vulnerabilities  Countermeasures  Historical compromises  Security design concepts  Assets  Threats  Vulnerabilities  Countermeasures  Historical compromises

3 Chapter 1: Assessing the Need for Security3 SECURITY DESIGN INFLUENCES  Legal requirements  Business risk tolerance  Finance  Current events  Technology  Legal requirements  Business risk tolerance  Finance  Current events  Technology

4 Chapter 1: Assessing the Need for Security4 THE THREE PILLARS OF INFORMATION SECURITY  Confidentiality  Integrity  Availability  Confidentiality  Integrity  Availability

5 Chapter 1: Assessing the Need for Security5 DEFENSE-IN-DEPTH  Use multiple layers of defense. For example:  Security guards and security cameras  Network firewalls and host-based firewalls  Log on as a non-administrator and use antivirus software  Protects against any single vulnerability  Gives you time to test critical updates  Use multiple layers of defense. For example:  Security guards and security cameras  Network firewalls and host-based firewalls  Log on as a non-administrator and use antivirus software  Protects against any single vulnerability  Gives you time to test critical updates

6 Chapter 1: Assessing the Need for Security6 THE SCOPE OF SECURITY  Security architecture  Physical security  Cryptography  Access control  Network security  Security architecture  Physical security  Cryptography  Access control  Network security

7 Chapter 1: Assessing the Need for Security7 THE SCOPE OF SECURITY (CONT.)  Applications and systems development  Operations security  Security management practices  Law, investigations, and ethics  Business continuity planning  Applications and systems development  Operations security  Security management practices  Law, investigations, and ethics  Business continuity planning

8 Chapter 1: Assessing the Need for Security8 ATTACK COMPONENTS  Asset  Threat agent  Threat  Vulnerability  Compromise  Countermeasure  Asset  Threat agent  Threat  Vulnerability  Compromise  Countermeasure

9 Chapter 1: Assessing the Need for Security9 ASSET  Items that you have purchased:  Software  Hardware  Facilities  People  Information  Anything else deserving protection  Items that you have purchased:  Software  Hardware  Facilities  People  Information  Anything else deserving protection

10 Chapter 1: Assessing the Need for Security10 THREAT AGENT  The attacker:  Malicious attackers  Nonmalicious attackers  Mechanical failures  Catastrophic events  The attacker:  Malicious attackers  Nonmalicious attackers  Mechanical failures  Catastrophic events

11 Chapter 1: Assessing the Need for Security11 THREAT AGENT: MALICIOUS ATTACKERS  The classic hacker attacking from outside  Disgruntled employees attacking from inside  Likely to have specific goals and objectives  To anticipate their attacks, study their motivations  The classic hacker attacking from outside  Disgruntled employees attacking from inside  Likely to have specific goals and objectives  To anticipate their attacks, study their motivations

12 Chapter 1: Assessing the Need for Security12 THREAT AGENT: NONMALICIOUS ATTACKERS  People make mistakes that can cause damage such as invalid data or failed services  Examples: programming bugs, data-entry errors  Mitigate with:  Thorough testing procedures  Backups  Business continuity plans  People make mistakes that can cause damage such as invalid data or failed services  Examples: programming bugs, data-entry errors  Mitigate with:  Thorough testing procedures  Backups  Business continuity plans

13 Chapter 1: Assessing the Need for Security13 THREAT AGENT: MECHANICAL FAILURES  Power outages, hardware failures, network outages  Mitigate with:  Business continuity plans  Network redundancy  Server clustering  Service level guarantees  Power outages, hardware failures, network outages  Mitigate with:  Business continuity plans  Network redundancy  Server clustering  Service level guarantees

14 Chapter 1: Assessing the Need for Security14 THREAT AGENT: CATASTROPHIC EVENTS  Extreme weather: tornadoes, hurricanes, earthquakes, tsunami  Fire  Acts of war  Catastrophic events are rare, but the damage is tremendous. Therefore, the total risk is often high.  Extreme weather: tornadoes, hurricanes, earthquakes, tsunami  Fire  Acts of war  Catastrophic events are rare, but the damage is tremendous. Therefore, the total risk is often high.

15 Chapter 1: Assessing the Need for Security15 THREAT  Threat agent is the attacker, threat is the attack  Use STRIDE to remember the six main types of threat:  Spoofing identity  Tampering with data  Repudiation  Information disclosure  Denial-of-service  Elevation of Privilege  Threat agent is the attacker, threat is the attack  Use STRIDE to remember the six main types of threat:  Spoofing identity  Tampering with data  Repudiation  Information disclosure  Denial-of-service  Elevation of Privilege

16 Chapter 1: Assessing the Need for Security16 VULNERABILITY  Also known as a weakness  Has the potential to be a compromise when combined with a threat  Common vulnerability types:  Physical  Natural  Hardware and software  Media  Communications  Human  Also known as a weakness  Has the potential to be a compromise when combined with a threat  Common vulnerability types:  Physical  Natural  Hardware and software  Media  Communications  Human

17 Chapter 1: Assessing the Need for Security17 COMPROMISE  A successful attack, often called an exploit  Occurs when a threat agent creates a threat for an unprotected vulnerability  If the threat does not penetrate your defenses, you were merely attacked. Attacks are not a problem; compromises are a problem.  A successful attack, often called an exploit  Occurs when a threat agent creates a threat for an unprotected vulnerability  If the threat does not penetrate your defenses, you were merely attacked. Attacks are not a problem; compromises are a problem.

18 Chapter 1: Assessing the Need for Security18 COUNTERMEASURE  Also known as a safeguard  Reduce the likelihood of a vulnerability  Does not eliminate a vulnerability  Three main types:  Preventative  Detective  Reactive  Also known as a safeguard  Reduce the likelihood of a vulnerability  Does not eliminate a vulnerability  Three main types:  Preventative  Detective  Reactive

19 Chapter 1: Assessing the Need for Security19 PREVENTATIVE COUNTERMEASURES  Prevent threats from exploiting a vulnerability  Examples:  Firewalls  Software updates  Antivirus software  Employee security training  Prevent threats from exploiting a vulnerability  Examples:  Firewalls  Software updates  Antivirus software  Employee security training

20 Chapter 1: Assessing the Need for Security20 DETECTIVE COUNTERMEASURES  Used to detect an attack or a compromise  Can enable you to respond after an attack begins, but before a compromise occurs  Can also be used to detect a successful attack  Examples:  Intrusion-detection system  Security logs  Used to detect an attack or a compromise  Can enable you to respond after an attack begins, but before a compromise occurs  Can also be used to detect a successful attack  Examples:  Intrusion-detection system  Security logs

21 Chapter 1: Assessing the Need for Security21 REACTIVE COUNTERMEASURES  Used after a compromise  Examples:  On-site or off-site backups  Disaster recovery plans  Law enforcement  Used after a compromise  Examples:  On-site or off-site backups  Disaster recovery plans  Law enforcement

22 Chapter 1: Assessing the Need for Security22 ATTACK COMPONENTS

23 Chapter 1: Assessing the Need for Security23 HISTORICAL COMPROMISES  The fundamentals of security design remain constant throughout history  A Windows network will be subject to the same types of attack that were used before computers even existed  “Those who cannot learn from history are doomed to repeat it”  The fundamentals of security design remain constant throughout history  A Windows network will be subject to the same types of attack that were used before computers even existed  “Those who cannot learn from history are doomed to repeat it”

24 Chapter 1: Assessing the Need for Security24 1938: POLES BREAK NAZI ENCRYPTION  Nazis use encryption to communicate privately over public radio communications  Poles spend many years studying the communications  Poles break the encryption because of Nazi mistakes  Lesson: Humans make mistakes  Nazis use encryption to communicate privately over public radio communications  Poles spend many years studying the communications  Poles break the encryption because of Nazi mistakes  Lesson: Humans make mistakes

25 Chapter 1: Assessing the Need for Security25 1972: CAP’N CRUNCH CRACKS PHONE SYSTEM  Blind children discover that a whistle in a Cap’n Crunch cereal box makes a 2600- hertz (Hz) tone also used by telephone equipment  Blow the whistle and get free long-distance calls  Telephone company’s services are stolen, but catch John Draper (a threat agent) by monitoring usage logs  Lesson: Do not rely on security by obscurity and use detective countermeasures  Blind children discover that a whistle in a Cap’n Crunch cereal box makes a 2600- hertz (Hz) tone also used by telephone equipment  Blow the whistle and get free long-distance calls  Telephone company’s services are stolen, but catch John Draper (a threat agent) by monitoring usage logs  Lesson: Do not rely on security by obscurity and use detective countermeasures

26 Chapter 1: Assessing the Need for Security26 1988: MITNICK STEALS CODE FROM DEC  Kevin Mitnick uses social engineering to gain access to user credentials  Abuses credentials to access internal network  FBI monitors, arrests, and convicts Mitnick of multiple computer crimes  Lesson: Sophisticated attackers use unconventional attacks  Kevin Mitnick uses social engineering to gain access to user credentials  Abuses credentials to access internal network  FBI monitors, arrests, and convicts Mitnick of multiple computer crimes  Lesson: Sophisticated attackers use unconventional attacks

27 Chapter 1: Assessing the Need for Security27 2000: ATTACKER STEALS MICROSOFT SOURCE CODE  Microsoft employee runs Trojan horse received in e-mail  Trojan horse opens a back door that contacts threat agents  Threat agents use access to collect passwords and steal source code  Damage limited because credentials gave threat agents access to limited portions of the source code  Microsoft’s tarnished security reputation caused immeasurable damage  Lesson: Valuable data deserves expensive countermeasures  Microsoft employee runs Trojan horse received in e-mail  Trojan horse opens a back door that contacts threat agents  Threat agents use access to collect passwords and steal source code  Damage limited because credentials gave threat agents access to limited portions of the source code  Microsoft’s tarnished security reputation caused immeasurable damage  Lesson: Valuable data deserves expensive countermeasures

28 Chapter 1: Assessing the Need for Security28 SUMMARY  Technology is the least important of the influences to security design  Important assets deserve multiple layers of protection  Understand the components of an attack  Learn from the mistakes of other security designers  Technology is the least important of the influences to security design  Important assets deserve multiple layers of protection  Understand the components of an attack  Learn from the mistakes of other security designers

Download ppt "11 ASSESSING THE NEED FOR SECURITY Chapter 1. Chapter 1: Assessing the Need for Security2 ASSESSING THE NEED FOR SECURITY  Security design concepts "

Similar presentations

Chapter 1 - 1 ADCS CS262/0898/V1 Chapter 1 An Introduction To Computer Security TOPICS Introduction Threats to Computer Systems –Threats, Vulnerabilities.

Chapter ADCS CS262/0898/V1 Chapter 1 An Introduction To Computer Security TOPICS Introduction Threats to Computer Systems –Threats, Vulnerabilities.
OSG Computer Security Plans Irwin Gaines and Don Petravick 17-May-2006.

OSG Computer Security Plans Irwin Gaines and Don Petravick 17-May-2006.
Ragib Hasan University of Alabama at Birmingham CS 491/691/791 Fall 2012 Lecture 2 08/21/2012 Security and Privacy in Cloud Computing.

Ragib Hasan University of Alabama at Birmingham CS 491/691/791 Fall 2012 Lecture 2 08/21/2012 Security and Privacy in Cloud Computing.
1 MIS 2000 Class 22 System Security Update: Winter 2015.

1 MIS 2000 Class 22 System Security Update: Winter 2015.
2 Issues of the information age Computer _______ and mistakes –Preventing computer related waste & mistakes Computer crime –Computer as tool to commit.

2 Issues of the information age Computer _______ and mistakes –Preventing computer related waste & mistakes Computer crime –Computer as tool to commit.
Chapter 4 McGraw-Hill/Irwin Copyright © 2011 by The McGraw-Hill Companies, Inc. All rights reserved. Ethics and Information Security.

Chapter 4 McGraw-Hill/Irwin Copyright © 2011 by The McGraw-Hill Companies, Inc. All rights reserved. Ethics and Information Security.
Ch.5 It Security, Crime, Compliance, and Continuity

Ch.5 It Security, Crime, Compliance, and Continuity
Physical and Environmental Security Chapter 5 Part 1 Pages 427 to 456.

Physical and Environmental Security Chapter 5 Part 1 Pages 427 to 456.
Security+ Guide to Network Security Fundamentals

Security+ Guide to Network Security Fundamentals
1 An Overview of Computer Security computer security.

1 An Overview of Computer Security computer security.
Introducing Computer and Network Security

Introducing Computer and Network Security
8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.

8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.
8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.

8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.
Lecture 11 Reliability and Security in IT infrastructure.

Lecture 11 Reliability and Security in IT infrastructure.
1010 CHAPTER PRIVACY AND SECURITY. © 2005 The McGraw-Hill Companies, Inc. All Rights Reserved. 10-2 Competencies Describe concerns associated with computer.

1010 CHAPTER PRIVACY AND SECURITY. © 2005 The McGraw-Hill Companies, Inc. All Rights Reserved Competencies Describe concerns associated with computer.
Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.

Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.
Threats and Attacks Principles of Information Security, 2nd Edition

Threats and Attacks Principles of Information Security, 2nd Edition
Security Overview. 2 Objectives Understand network security Understand security threat trends and their ramifications Understand the goals of network.

Security Overview. 2 Objectives Understand network security Understand security threat trends and their ramifications Understand the goals of network.
Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Information.

Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Information.
Network Security. Trust Relationships (Trust Zones) High trust (internal) = f c (once you gain access); g p Low trust ( ) = more controls; fewer privileges.

Network Security. Trust Relationships (Trust Zones) High trust (internal) = f c (once you gain access); g p Low trust ( ) = more controls; fewer privileges.

Similar presentations

Ads by Google