Student Application System SNA Step 3 Attacker Profiles and Scenarios 11.14.2001.


Student Application System SNA Step 3 Attacker Profiles and Scenarios

Student Application System
- Timothy Mak (Team Leader)
- James Zujie Shi
- Dali Wang
- Maria Stattel
- Andy Teng
- Hyoungju Yun
- John Rinderle
- Ron Urwongse

Team Activities

Weekly team meeting
- Recurring meetings every Wednesday, 1-2pm (as necessary)

Team meetings to date
- First team meeting, assigned project roles
- Presentation discussion and layout
- Discussed requirements for part II
- Reviewed current status of part II
- Discussed contents of Presentation II
- Discussed requirements for part III
- Discussed contents for part III
- Reviewed current status of part III
- Discussed contents of Presentation III

Project Timeline

Client meetings
- Meeting with Martha Baron (Director of Information Services)
- Meeting with Martha Baron
- Meeting with Martha Baron and Brian Gallew (Principal Software Engineer, ACIS)

Class presentations
- Project Briefing 1: James Zujie Shi & Timothy Mak
- Project Briefing 2: Dali Wang & Maria Stattel
- Project Briefing 3: Andy Teng & Hyoungju Yun
- Project Briefing 4: John Rinderle & Ron Urwongse

Roles played for Part III
- Team Leader: Timothy Mak
- Discussion Leader: Andy Teng
- Scribe: Hyoungju Yun
- Reviewers: all team members

Essential Services and Assets
- Marketing and Recruiting
- Student Application for Admission
- Acceptance Notification
- Financial Aid
- Billing
- E-Grades
- Graduation Eligibility Verification
- Degree Certification
- Academic Audit

Attacker Profiles (1 of 2)

Attacker classes: Insider (Employee, CMU Student) and Outsider (Hacker, Non-CMU Student)

Resources
- Employee: high level of experience with the systems and processes
- CMU Student: diversity
- Hacker: expert knowledge, professional skills
- Non-CMU Student: diversified knowledge

Tools
- Employee: readily available tools, social engineering
- CMU Student: customized tools, social engineering
- Outsider (Hacker, Non-CMU Student): readily available tools, customized tools, social engineering

Risk appetite
- Employee: risk averse
- CMU Student: not risk averse
- Outsider (Hacker, Non-CMU Student): somewhat risk averse

Access
- Insider (Employee, CMU Student): internal and external
- Outsider (Hacker, Non-CMU Student): internal and external

Attacker Profiles (2 of 2)

Objectives
- Employee: personal gain, embarrass CMU
- CMU Student: personal gain, embarrass CMU
- Hacker: personal gain, curiosity, practicing hacking skills
- Non-CMU Student: personal gain, embarrass CMU, curiosity

Level of attack
- Employee: sophisticated attack
- CMU Student: intermediate attack
- Hacker: sophisticated attack
- Non-CMU Student: target-of-opportunity attack

Probability
- Employee: low (because of good security policy)
- CMU Student: medium
- Hacker: high
- Non-CMU Student: low

Intrusion Usage Scenarios
1. Legal login by unauthorized user
2. Unauthorized access by insider
3. Unauthenticated access by outsider
4. Malicious code attack

IUS1: Legal login by unauthorized user

How to attack:
- An unauthorized user logs in with a legitimate password obtained by sniffing or social engineering, then views, modifies or deletes private student data

Who is the attacker:
- Employees, CMU students, hackers, non-CMU students

What are their objectives:
- View, modify or delete private student data

Category of attack pattern:
- User access

IUS1: Legal login by unauthorized user (architecture diagram)
[Diagram: nodes are Web browser, Firewall, Web server 1, Web server 2, Database server and Authentication Server; the application services shown are Graduation Eligibility Verification, Acceptance Notification, Financial Aid, Degree Certification, Academic Audit, Billing, Marketing and Recruiting, Student Application and E-Grades. Legend: terminal, compromised component, attacker trace, communication link, architecture node. Compromised component: Database server.]
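The trace IUS1 leaves is a login that the authentication server accepts as perfectly legal, so recognition has to come from the context of the login rather than from the credential check itself. The Python below is an added example, not code from the original presentation or from the Student Application System; the log format, the campus address range 128.2.0.0/16, the business-hours window and the account names and addresses are all constructed assumptions. It scores each successful login on four indicators (first use of a source for an account that already has a baseline, off-campus source, off-hours time, one source logging in several distinct accounts) and reports logins that trip at least two.

```python
"""Flag valid logins that are anomalous for the account (IUS1 recognition).

Added example; not from the original presentation. The log format, the
campus address range and the account names/addresses are constructed.
"""
from collections import defaultdict
from datetime import datetime
import ipaddress

# Constructed authentication-server log, one event per line:
#   "<ISO timestamp> LOGIN <ok|fail> user=<id> src=<ip>"
# A staff account that always logs in from campus during the day is used,
# after one failed attempt, from an off-campus address at night, and a second
# account is used from that same address a minute later: the footprint of a
# password obtained by sniffing or social engineering.
SAMPLE_AUTH_LOG = """\
2001-11-12T09:02:11 LOGIN ok user=admissions1 src=128.2.10.15
2001-11-12T13:40:02 LOGIN ok user=admissions1 src=128.2.10.15
2001-11-13T08:58:40 LOGIN ok user=admissions1 src=128.2.10.15
2001-11-13T22:17:05 LOGIN fail user=admissions1 src=198.51.100.7
2001-11-13T22:17:31 LOGIN ok user=admissions1 src=198.51.100.7
2001-11-13T22:18:02 LOGIN ok user=registrar2 src=198.51.100.7
"""

# Assumed campus address space (hypothetical value for this example).
CAMPUS_NETS = [ipaddress.ip_network("128.2.0.0/16")]


def parse_auth_log(text):
    """Parse the constructed log format above into event dicts."""
    events = []
    for line in text.splitlines():
        ts, _tag, result, user_kv, src_kv = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "ok": result == "ok",
            "user": user_kv.split("=", 1)[1],
            "src": ipaddress.ip_address(src_kv.split("=", 1)[1]),
        })
    return events


def is_campus(ip):
    return any(ip in net for net in CAMPUS_NETS)


def detect_iu1(events, business_hours=(7, 19), min_reasons=2):
    """Return (user, src, reasons) for successful logins carrying at least
    `min_reasons` of these indicators:
      new-source     the account has a baseline and this source is not in it
      off-campus     source address outside CAMPUS_NETS
      off-hours      outside the half-open business_hours window (local clock)
      shared-source  this source logged in more than one distinct account
    Failed attempts are skipped: IUS1 is by definition a login that succeeds."""
    users_by_src = defaultdict(set)
    for ev in events:
        if ev["ok"]:
            users_by_src[ev["src"]].add(ev["user"])

    seen_src = defaultdict(set)
    alerts = []
    for ev in events:
        if not ev["ok"]:
            continue
        reasons = []
        if seen_src[ev["user"]] and ev["src"] not in seen_src[ev["user"]]:
            reasons.append("new-source")
        if not is_campus(ev["src"]):
            reasons.append("off-campus")
        if not business_hours[0] <= ev["ts"].hour < business_hours[1]:
            reasons.append("off-hours")
        if len(users_by_src[ev["src"]]) > 1:
            reasons.append("shared-source")
        seen_src[ev["user"]].add(ev["src"])   # extend the baseline after scoring
        if len(reasons) >= min_reasons:
            alerts.append((ev["user"], str(ev["src"]), reasons))
    return alerts


if __name__ == "__main__":
    for user, src, reasons in detect_iu1(parse_auth_log(SAMPLE_AUTH_LOG)):
        print(f"IUS1 candidate: {user} from {src}: {', '.join(reasons)}")
```

In production the per-account baseline of sources is built from a trusted history and only extended by logins that were not flagged; here it is extended after every login to keep the example short. A password taken by sniffing usually works on the first try, which is why the rule keys on the context of a success rather than on preceding failures.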

IUS2: Unauthorized access by insider

How to attack:
- An inside intruder physically accesses the servers (web or database) to view, modify or delete the data
- An inside intruder uses system administrator access rights to view, modify or delete the data

Who is the attacker:
- Insider (employees, specifically those holding system administrator rights)

What are their objectives:
- View, modify or delete private student data

Category of attack pattern:
- User access

IUS2: Unauthorized access by insider (architecture diagram)
[Diagram: same nodes and services as the IUS1 diagram (Web browser, Firewall, Web server 1, Web server 2, Database server, Authentication Server). Compromised component: Database server.]

IUS3: Unauthenticated access by outsider

How to attack:
- An outside intruder reaches the Student Application servers by sending large volumes of improper (malformed) requests

Who is the attacker:
- Outsider (hackers, students from competing universities)

What are their objectives:
- Bring down the servers and applications by overloading and crashing them
- Disclose private student data, to embarrass CMU and for personal gain

Category of attack pattern:
- Component access

IUS3: Unauthenticated access by outsider (architecture diagram)
[Diagram: same nodes and services as the IUS1 diagram. Compromised components: Web server 1, Web server 2, Authentication Server.]
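Counting requests per source over a short sliding window is the usual first recognition control for the flood described in IUS3. The Python below is an added example and not part of the original presentation or the team's system; it generates its own access log in Common Log Format with constructed addresses (128.2.10.15 on campus, 203.0.113.9 outside), and the 10-second window and the ceiling of 20 requests are assumed thresholds. A high share of 4xx answers from the flooding source is what the scenario's "improper requests" look like in the log, and it separates the attack from a merely busy but well-formed client such as a shared proxy.

```python
"""Spot a request flood from one source in web-server access logs (IUS3).

Added example; not from the original presentation. Log lines are
constructed in Common Log Format; addresses, paths and thresholds are
assumptions for this example.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

CLF_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\S+)$')
CLF_TIME = "%d/%b/%Y:%H:%M:%S %z"


def _clf(src, ts, request, status, size=512):
    """Render one Common Log Format line (used only to build the sample)."""
    return f'{src} - - [{ts.strftime(CLF_TIME)}] "{request}" {status} {size}'


def build_sample_log():
    """Constructed traffic: an applicant browsing slowly from campus, and an
    outside source sending 40 requests in ten seconds, three quarters of them
    with an over-long query string that the server rejects with 400."""
    t0 = datetime(2001, 11, 14, 10, 15, 0, tzinfo=timezone(timedelta(hours=-5)))
    lines = [_clf("128.2.10.15", t0 + timedelta(seconds=30 * i), "GET /apply HTTP/1.0", 200)
             for i in range(3)]
    for i in range(40):
        ts = t0 + timedelta(seconds=5 + i // 4)            # four requests per second
        if i % 4 == 0:
            lines.append(_clf("203.0.113.9", ts, "GET /apply HTTP/1.0", 200))
        else:
            lines.append(_clf("203.0.113.9", ts, "GET /apply?" + "A" * 200 + " HTTP/1.0", 400))
    return "\n".join(lines) + "\n"


SAMPLE_ACCESS_LOG = build_sample_log()


def parse_clf(text):
    """Parse CLF lines; unparseable lines are skipped rather than crashing the monitor."""
    events = []
    for line in text.splitlines():
        m = CLF_RE.match(line)
        if not m:
            continue
        src, ts, request, status, _size = m.groups()
        events.append({"src": src, "ts": datetime.strptime(ts, CLF_TIME),
                       "request": request, "status": int(status)})
    return events


def detect_flood(events, window_s=10, max_requests=20):
    """Per source, the peak number of requests inside any sliding window of
    `window_s` seconds. Sources whose peak exceeds `max_requests` are reported
    with the share of 4xx/5xx answers (a malformed-request flood scores high,
    a busy but well-formed client scores near zero)."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev["src"]].append(ev)

    findings = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        window = deque()
        peak = 0
        for ev in evs:
            window.append(ev["ts"])
            while (ev["ts"] - window[0]) > timedelta(seconds=window_s):
                window.popleft()
            peak = max(peak, len(window))
        if peak > max_requests:
            bad = sum(1 for e in evs if e["status"] >= 400) / len(evs)
            findings[src] = {"peak_in_window": peak, "total": len(evs), "bad_ratio": round(bad, 2)}
    return findings


if __name__ == "__main__":
    for src, f in detect_flood(parse_clf(SAMPLE_ACCESS_LOG)).items():
        print(f"IUS3 candidate: {src} peaked at {f['peak_in_window']} requests/10s, "
              f"{f['bad_ratio']:.0%} of {f['total']} requests rejected")
```

Per-source counting is blind to a flood spread over many sources, and the web servers' own logs stop growing once the servers are down; a sensor on the link in front of the firewall is the place to run this when the goal is to notice the attack before Web server 1, Web server 2 and the authentication server are saturated.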

IUS4: Malicious code attack

How to attack:
- Users download malicious code (e.g. trojan horses, viruses, worms) from outside the network, accidentally or intentionally
- An intruder installs malicious code directly

Who is the attacker:
- Employees, CMU students, hackers, non-CMU students

What are their objectives:
- Break data integrity, privacy and availability

Category of attack pattern:
- Application content
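Whether the malicious code arrives through a user's download or through an intruder installing it directly, it ends up as new or altered files on a server, which a hash baseline of the deployed application tree will catch. The Python below is an added example, not the team's or the Student Application System's code; the directory layout, the file names and the simulated tampering are constructed for the example.

```python
"""Recognise installed or altered code by comparing a deployed tree against
a hash baseline (the recognition side of IUS4).

Added example; not from the original presentation. The file layout and the
simulated tampering are constructed.
"""
import hashlib
import os
import tempfile


def build_manifest(root):
    """Map each file's path (relative to root, '/'-separated) to its SHA-256."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            h = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            manifest[rel] = h.hexdigest()
    return manifest


def diff_manifest(baseline, current):
    """Files added, removed or changed since the baseline was taken."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline.keys() & current.keys()
                           if baseline[p] != current[p]),
    }


def simulate_ius4():
    """Constructed scenario: baseline a tiny web tree, then an intruder appends
    to an existing CGI and drops a new one; the diff is what a scheduled
    integrity check should raise."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "cgi-bin"))
        with open(os.path.join(root, "index.html"), "w") as fh:
            fh.write("<h1>Student Application</h1>\n")
        with open(os.path.join(root, "cgi-bin", "apply.cgi"), "w") as fh:
            fh.write("#!/bin/sh\necho 'application received'\n")
        baseline = build_manifest(root)        # taken at deployment, kept off-host

        with open(os.path.join(root, "cgi-bin", "apply.cgi"), "a") as fh:
            fh.write("# appended by the intruder\n")            # trojaned handler
        with open(os.path.join(root, "cgi-bin", "backdoor.cgi"), "w") as fh:
            fh.write("#!/bin/sh\n# attacker-controlled script\n")  # dropped file

        return diff_manifest(baseline, build_manifest(root))


if __name__ == "__main__":
    print(simulate_ius4())
```

The baseline has to live off the host (or on read-only media) and the comparison has to run from a trusted machine, otherwise an insider with administrator rights (IUS2) simply regenerates the baseline after the change. Hashing files also says nothing about code that exists only in memory, so this is one recognition layer, not a substitute for the host-level controls.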

Coming up next: SNA Step 4
- Softspots
- Resistance, Recognition, Recovery
- Survivability Map