11/14 SNA Presentation 3 Survivable Network Analysis Oracle Financial System SNA step 3 Ali Ardalan Qianming “Michelle” Chen Yi Hu Jason Milletary Jian.

1 11/14 SNA Presentation 3
Survivable Network Analysis: Oracle Financial System, SNA step 3
Ali Ardalan, Qianming “Michelle” Chen, Yi Hu, Jason Milletary, Jian Song

2 Overview
- Review Essential Components
- Attacker profiles
- Attack Patterns
- Intrusion Usage Scenarios
- Compromisable Components Diagram
- Next Steps

3 Essential Services
- Users must have access to financial service applications
  - Core Financial Applications
  - Application Desktop Integrator Applications
- Feeder systems must integrate with financial applications
- Primary actions performed by users are: billing, reporting & reconciliation of budgets and expenses

4 Essential Components Diagram
[Diagram not reproduced. Labels: Kerberos Domain Controller; Oracle Connection Mgr.; Acis.as.cmu.edu (Sun Sparc Cluster); Tandem; Mistral (Development); Chinook (Backup); O. DB; O. Listener; O. Forms; SQL Net; CITRIX; Kerberos; SCP; HTTPS; HTTP; FTP; SSH; LPR (print); SMTP (e-mail); Secure Directory; CAMPUS NETWORK; Cyert Computer Center; 6555 Penn Ave; FIBER]

5 Potential Attacker Profiles
- Curious Student Hacker
- Student Employee
- Disgruntled Full-Time Employee
- Academic Spy

6 Attacker Profile #1: Curious Student Hacker
- Member of CMU campus community
- Low to Medium level of expertise: possible CS, IDS, ECE or other technical background
- Accesses system from internal campus LAN
- Student attacks system in order to learn from experimentation with hacking tools & concepts
- Student’s motivation is for disclosure or modification rather than deletion of data
- Level: Target-of-Opportunity Attack

7 Attacker Profile #2: Student Employee
- Objective is to steal financial funds
- Student employed by department at some point
- Has access to passwords & has experience using system interface
- Accesses system when superiors are not around
- Attack may occur in small increments over a long period of time
- Level: Intermediate Attack

8 Attacker Profile #3: Disgruntled Full-Time Employee
- Objective is to wreak havoc upon the system via deletion or modification of data
- Low to medium level of technical expertise
- High level of experience with system
- User has account and password with access to the system
- User is trusted and therefore is able to cause damage to mission critical system elements
- Level: Intermediate Attack

9 Attacker Profile #4: Academic Spy
- Objective is to steal sensitive information on grants from the University
- Medium to High level of technical expertise
- Accesses system internally or externally
- Primary motivation is disclosure of sensitive information rather than modification or deletion
- Level: Sophisticated Attack

10 Attack Patterns: Trojan Horse
- Application content pattern
- Possible upload of malicious code
  - Feeder system
  - Excel files
- Possible attackers
  - Disgruntled employees
  - Academic spies

11 Trojan Horse
- Gather information
  - Identify external applications which integrate into system (Excel, etc.)
  - Evaluate processing of uploaded files via feeder system or application server
- Exploit
  - Attach Visual Basic macro to Excel file
  - Attach executable code to feeder file
- Damage
  - Possible installation of back door code
  - Denial-of-service by insertion of malformed input
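A resistance control for the Trojan Horse pattern above is to screen feeder uploads before the application server processes them. The following is an added example, not part of the original presentation: the function names, verdict labels and the policy of rejecting legacy binary workbooks are assumptions, and the sample workbooks are constructed in memory.

```python
import io
import zipfile

OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # legacy binary .xls container

def classify_feeder_upload(data: bytes) -> str:
    """Return 'accept' only for macro-free OOXML workbooks (.xlsx)."""
    if data.startswith(OLE2_MAGIC):
        # Assumed policy: binary .xls cannot be cheaply proven macro-free.
        return "reject-legacy"
    buf = io.BytesIO(data)
    if not zipfile.is_zipfile(buf):
        return "reject-unknown"
    with zipfile.ZipFile(buf) as z:
        parts = {n.lower(): n for n in z.namelist()}
        if "[content_types].xml" not in parts:
            return "reject-unknown"
        types = z.read(parts["[content_types].xml"]).decode("utf-8", "replace").lower()
        # Macro-enabled workbooks declare a macroEnabled main part and a vbaProject part.
        if "macroenabled" in types or "vbaproject" in types:
            return "reject-macro"
        if any(n.endswith("vbaproject.bin") for n in parts):
            return "reject-macro"
        # Embedded Windows executables start with the 'MZ' DOS header.
        for name in parts.values():
            with z.open(name) as part:
                if part.read(2) == b"MZ":
                    return "reject-executable"
    return "accept"

def build_sample(extra=None, declare_macro=False) -> bytes:
    """Constructed test workbook: minimal OOXML package built in memory."""
    main = ("application/vnd.ms-excel.sheet.macroEnabled.main+xml" if declare_macro
            else "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet.main+xml")
    content_types = (
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        f'<Override PartName="/xl/workbook.xml" ContentType="{main}"/></Types>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", content_types)
        z.writestr("xl/workbook.xml", "<workbook/>")
        for name, body in (extra or {}).items():
            z.writestr(name, body)
    return buf.getvalue()

if __name__ == "__main__":
    print(classify_feeder_upload(build_sample()))
    print(classify_feeder_upload(build_sample({"xl/vbaProject.bin": b"\x00"})))
```

Rejected files belong in quarantine with the verdict logged, which also gives the recognition step a record of attempted uploads.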

12 Attack Patterns: Disclosure of sensitive information
- User access attack pattern
- Using incomplete or improperly assigned access rights to view information
- Potential attackers
  - Students
  - Disgruntled employees
  - Academic spies

13 Disclosure of information
- Gather information
  - Identify components with incomplete access control
  - Use social engineering to acquire passwords
  - Identify
- Exploit
  - Normal system use with unauthorized access
- Damage
  - Disclosure of information

14 Intrusion Usage Scenario: IUS1 (Data integrity and Spoofing Attack)
- Unauthorized user (part-time worker/student)
- Illegitimately obtain password
- View, modify confidential data and steal financial funds

15 Example of IUS1

16 Example of IUS1

17 Intrusion Usage Scenario: IUS2 (Data integrity and insider attack)
- Authorized Employee (Disgruntled)
- Legitimate access right
- Modify data or issue illegal check

18 Example of IUS2

19 Example of IUS2

20 Intrusion Usage Scenario: IUS3 (Availability attack)
- Student Hacker
- Possible upload of malicious code
  - Feeder system
  - Excel files
- Destroy or limit access to applications of OFS

21 Intrusion Usage Scenario: IUS4 (Recovery attack)
- Professional Hacker
- Directly access database, bypassing the firewall
- Corrupt major portions of the DB

22 Intrusion Usage Scenario: IUS5 (Spoofing Attack)
- Unauthorized user (Academic Spy)
- Spoofing legitimate user
- View, modify confidential data and marketable information

23 Compromisable Components Diagram
[Diagram not reproduced. Labels: Kerberos Domain Controller; Oracle Connection Mgr.; Acis.as.cmu.edu (Sun Sparc Cluster); Tandem; Mistral (Development); Chinook (Backup); O. DB; O. Listener; O. Forms; SQL Net; CITRIX; Kerberos; SCP; HTTPS; HTTP; FTP; SSH; LPR (print); SMTP (e-mail); Secure Directory; CAMPUS NETWORK; Cyert Computer Center; 6555 Penn Ave; FIBER]

24 Other Potential Issues
- Password expiration
- Availability: cross-department worker information
- Confidentiality: remove user access rights when an employee leaves

25 Ongoing Steps
- Client & Users
  - 4th client meeting to verify compromisable components
  - More user meetings to verify IUS
  - Discuss application of SNA method
- Within Our Group
  - Site visit to 6555 Penn Ave. Backup facility
  - Describe existing and recommended strategies for resistance, recognition, and recovery
  - Present the survivability map for the architecture

