Presentation is loading. Please wait.

Presentation is loading. Please wait.

By Hafez Barghouthi. Agenda Today Attack. Security policy. Measuring Security. Standard. Assest. Vulnerability. Threat. Risk and Risk Mitigation.

Published byDarlene Stokes Modified over 8 years ago

Similar presentations

Presentation on theme: "By Hafez Barghouthi. Agenda Today Attack. Security policy. Measuring Security. Standard. Assest. Vulnerability. Threat. Risk and Risk Mitigation."— Presentation transcript:

1 By Hafez Barghouthi

2 Agenda Today Attack. Security policy. Measuring Security. Standard. Assest. Vulnerability. Threat. Risk and Risk Mitigation.

3 Attack A basic definition is exploiting a vulnerability in a system or attach a specific threat to a vulnerability. A lot of scenarios  Social engineering.  Identity theft.  Denial of service.  Uncountable .

4 Classifications and Motivations Organized crime to gain Money. Terrorists (critical infrastructure). Governments.(inside and outside) The competition.(commercial) Hacktivists: This class of attackers tries to break into your systems to make a political point or demonstrate regarding social issues(political) For fun Attacker Skill Levels: From Script Kiddies to the Elite

5 Main objectives for Managment Security policy. Security awareness should be organized.  Why security is important for them and for organization.  What is expected from each member.  Which good practices they should follow  Comply with rules rather than looking to workaround (Adams and Sasse,1999). Of course secretary is different than developer.

6 Security Policy A statment of intent to protect an identified resource from unauthorized use. Organizational level(organizational security Policy) Laws,rules and practices regulate how an organization manages,protects and distribute resources to achieve security aspects(CIA). Technical level (Automated security Policy) How this will be achieved using computer system. Access controls, firewalls,security protocols... etc

7 Measuring Security We are searching for quantitative not qualitative (or not).???????? Security level is good ???????? Security is 99% (from 1000 employees 10 attackers). Product is 100%secure (definitly you are a lier,-)) but can be deployed in an insecure manner (default password). Then How???? Actually there is no simple answer

8 Ways Number of bugs (statistical approach) Software security Product surface (number of interfaces). Dangerous instructions 1 bug is better than 50 bug ???????? Again quality or what. (it is good believe me I swear) Number of acccounts with week passwords(system). Number of open ports or nodes connectivity (Network). Good measurments or not ?????????

9 Another Way (Attack point of view) The time an attacker has to invest. The expenses.(how many computers to calculate) The knowledge necessary to conduct an attack  cost of discovering an attack for first time >> the cost of mounting an attack(war games). Assest measurment drive us to risk and threat analysis. Lost so search for a standard.

10 Standard (ISO 17799)-1 Security policy Infrastructure Assest classifications Physical and environmental security Personal security(new employees,Backgrounds,keys). Day to day managment communication and operations. Access control, remote access Development and system maintinance.

11 Standard (ISO 17799)-2 Business continuity planning. Compliance with outside.

12 Risk Analysis The possibility that an attack cause damage to your enterprise. Risk = Assests ×Threats ×Vulnerabilities. To have a quantitive values are taken from mathmatical domain (assests replacment, propability of threat.) Qualitative we will mention some principles later

13 Assests Hardware. Software. Data and information. Reputation. Money+customer+competition(how much you will survive) Much better to sell potato

14 Vulnerabilities Accounts with a privileges where the default password for ”Manager” has not been changed. Programs with known flows or unnecessary privileges. Weak access control. Weak firewall configurations. How much is critical.????(admin than guest). Scanners or risk analysis tool.

15 Threats An action by an attacker who try to exploit vulnerabilities to damage the assest. Spoofing identity. Tampering data. Gain a privilege. Denial of service. Repudiation. Disclosure. (Howard and Leblanc,2002).

16 Attack Tree

17 Risk (Quantitative vs Qualititative)- 1 Quantitative Value of assest. Critically of vulnerability Likelihood of Threats Other words statistics and data mining.

18 Risk (Quantitative vs Qualitative)-2 Qualitative scale of assest( very important,important,not imp). Critically of vulnerability(fixed soon,should be fixed,fix if convenient). Likelihood of Threats(very likely, likely, not likely) e.g numerical scale from 1 to 10 guidance on how to assign rating like in war games

19 Countermeasures Risk analysis takes a time so concentrate more on security.(Baseline protection approach). Full risk analysis is Hard to achieve therfore concentrate on defence measurments in similar cases.

Download ppt "By Hafez Barghouthi. Agenda Today Attack. Security policy. Measuring Security. Standard. Assest. Vulnerability. Threat. Risk and Risk Mitigation."

Similar presentations

OSG Computer Security Plans Irwin Gaines and Don Petravick 17-May-2006.

OSG Computer Security Plans Irwin Gaines and Don Petravick 17-May-2006.
SECURITY EVALUATION OF AN ORGANIZATION TA Md Morshedul Islam.

SECURITY EVALUATION OF AN ORGANIZATION TA Md Morshedul Islam.
Chapter 1.  Security Problem  Virus and Worms  Intruders  Types of Attack  Avenues of Attack 2 Prepared by Mohammed Saher Hasan.

Chapter 1.  Security Problem  Virus and Worms  Intruders  Types of Attack  Avenues of Attack 2 Prepared by Mohammed Saher Hasan.
11 ASSESSING THE NEED FOR SECURITY Chapter 1. Chapter 1: Assessing the Need for Security2 ASSESSING THE NEED FOR SECURITY  Security design concepts 

11 ASSESSING THE NEED FOR SECURITY Chapter 1. Chapter 1: Assessing the Need for Security2 ASSESSING THE NEED FOR SECURITY  Security design concepts 
1 Agendas Chapter 5 (Recap) Chapters 6 – Diverse IT Infrastructures Case – The iPremier Company: Denial of Service Attack.

1 Agendas Chapter 5 (Recap) Chapters 6 – Diverse IT Infrastructures Case – The iPremier Company: Denial of Service Attack.
1 CHAPTER 1 POLITICS. 2 Definitions Of The Word Hacker Hacker – someone who has achieved some level of expertise with a computer Hacker – someone who.

1 CHAPTER 1 POLITICS. 2 Definitions Of The Word Hacker Hacker – someone who has achieved some level of expertise with a computer Hacker – someone who.
Security Controls – What Works

Security Controls – What Works
Course ILT Security overview Unit objectives Discuss network security Discuss security threat trends and their ramifications Determine the factors involved.

Course ILT Security overview Unit objectives Discuss network security Discuss security threat trends and their ramifications Determine the factors involved.
Introducing Computer and Network Security

Introducing Computer and Network Security
Network Security Testing Techniques Presented By:- Sachin Vador.

Network Security Testing Techniques Presented By:- Sachin Vador.
January 14, 2010 Introduction to Ethical Hacking and Network Defense MIS 4600 - © Abdou Illia.

January 14, 2010 Introduction to Ethical Hacking and Network Defense MIS © Abdou Illia.
Lecture 11 Reliability and Security in IT infrastructure.

Lecture 11 Reliability and Security in IT infrastructure.
SELECTING AND IMPLEMENTING VULNERABILITY SCANNER FOR FUN AND PROFIT by Tim Jett and Mike Townes.

SELECTING AND IMPLEMENTING VULNERABILITY SCANNER FOR FUN AND PROFIT by Tim Jett and Mike Townes.
Security Overview. 2 Objectives Understand network security Understand security threat trends and their ramifications Understand the goals of network.

Security Overview. 2 Objectives Understand network security Understand security threat trends and their ramifications Understand the goals of network.
Patching MIT SUS Services IS&T Network Infrastructure Services Team.

Patching MIT SUS Services IS&T Network Infrastructure Services Team.
Security Awareness Challenges of Security No single simple solution to protecting computers and securing information Different types of attacks Difficulties.

Security Awareness Challenges of Security No single simple solution to protecting computers and securing information Different types of attacks Difficulties.
Citadel Security Software Presents Are you Vulnerable? Bill Diamond Senior Security Engineer

Citadel Security Software Presents Are you Vulnerable? Bill Diamond Senior Security Engineer
Security+ Guide to Network Security Fundamentals, Fourth Edition

Security+ Guide to Network Security Fundamentals, Fourth Edition
Introduction to Network Defense

Introduction to Network Defense
Security Risk Management Marcus Murray, CISSP, MVP (Security) Senior Security Advisor, Truesec

Security Risk Management Marcus Murray, CISSP, MVP (Security) Senior Security Advisor, Truesec

Similar presentations

Ads by Google