Spring 2009 1R. Smith - University of St Thomas - Minnesota CISC 210 - Class Today Making security decisionsMaking security decisions IntroductionsIntroductions.

Slides:



Advertisements
Similar presentations
Context-Based Learning in Physics. “New” processes for students Note: These skills may be new to Physics classes but they are not necessarily new to students.
Advertisements

Chapter 1  Introduction 1 Chapter 1: Introduction.
Good Morning! Announcements Please pick up an Attendance Form. Final Project paper due December 4 th (SafeAssign TM will be used) If you have not picked.
Computer viruses Hardware theft Software Theft Unauthorized access by hackers Information Theft Computer Crimes.
Copyright © 2006 by The McGraw-Hill Companies, Inc. All rights reserved. McGraw-Hill Technology Education Copyright © 2006 by The McGraw-Hill Companies,
Is There a Security Problem in Computing? Network Security / G. Steffen1.
March R. Smith - University of St Thomas - Minnesota CISC Class Today Homework: Chapter 5, exercises E6-E17Homework: Chapter 5, exercises E6-E17.
Scripts for Success.
Lecture 2 Page 1 CS 236, Spring 2008 Security Principles and Policies CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Spring, 2008.
Computers in Principle & Practice I - V Deena Engel Computers in Principle and Practice I V , Sections 1 & 2 Fall, 2009 Deena Engel .
Some things to think about. Assignment 1 is at the end, but read the whole thing. Please!
March R. Smith - University of St Thomas - Minnesota QMCS Class Today Authentication ReduxAuthentication Redux Some more biometrics slidesSome.
March R. Smith - University of St Thomas - Minnesota QMCS Class Today Handing back the examHanding back the exam ProjectsProjects Certificates.
Guide to Network Defense and Countermeasures Second Edition Chapter 2 Security Policy Design: Risk Analysis.
March R. Smith - University of St Thomas - Minnesota QMCS Class Today Homework collect/returnHomework collect/return OS Security/PolicyOS Security/Policy.
Ethics CS351. What are ethics? Dictionary: –1. A system or set of moral principles. –2. The rules of conduct recognized in respect to a particular class.
CMSC 414 Computer (and Network) Security Lecture 2 Jonathan Katz.
Chapter 0 Introductory Comments. Overview Syllabus Detailed power point slides My Web Page –Homework on web page –Readings –Other.
Writing. a faster PC improved disc storage Internet the monitor is smaller used recycled materials a flat screen Make a dialogue according to the situation.
March R. Smith - University of St Thomas - Minnesota CISC Class Today Return Homework; grading recapReturn Homework; grading recap “Enigma”
6/22/2015 1R. Smith - University of St Thomas - Minnesota QMCS Class Today St. Lukes Case StudySt. Lukes Case Study.
Security+ Guide to Network Security Fundamentals, Third Edition Chapter 9 Performing Vulnerability Assessments.
March R. Smith - University of St Thomas - Minnesota QMCS Class Today Cryptography – introductory termsCryptography – introductory terms “Enigma”
CS503: Tenth Lecture, Fall 2008 Review Michael Barnathan.
March R. Smith - University of St Thomas - Minnesota QMCS Class Today Information Security life cycleInformation Security life cycle IntroductionsIntroductions.
March R. Smith - University of St Thomas - Minnesota QMCS Class Today HomeworkHomework Risk assessment processRisk assessment process –Identify.
Lecture 11 Reliability and Security in IT infrastructure.
March R. Smith - University of St Thomas - Minnesota QMCS 130: Today’s Class StatusStatus –Survey –Returning homework ArraysArrays –What are they?
March R. Smith - University of St Thomas - Minnesota Today’s Class Homework NotesHomework Notes –Always try to match the printed output if I give.
Formulating Predictions This work is licensed under the Creative Commons Attribution-No Derivative Works 3.0 United States License. To view a copy of this.
The University of California Strengthening Business Practices: The Language of Our Control Environment Dan Sampson Assistant Vice President Financial Services.
 MODERN DATABASE MANAGEMENT SYSTEMS OVERVIEW BY ENGINEER BILAL AHMAD
Scams and Schemes. Today’s Objective I can understand what identity theft is and why it is important to guard against it, I can recognize strategies that.
Identity-Theft is the fastest growing crime in America; 9.9 MILLION victims were reported last year, according to a Federal Trade Commission survey!
E-Safety Quiz Keeping safe online! A guide for parents & children.
Do you know how to keep yourself safe?
DIGITAL CITIZENSHIP 6 TH – 8 TH UNIT 1 LESSON 3 SCAMS & SCHEMES What is identity theft, and how can you protect yourself from it?
Lecture 7 Page 1 CS 236 Online Password Management Limit login attempts Encrypt your passwords Protecting the password file Forgotten passwords Generating.
G53SEC Computer Security Introduction to G53SEC 1.
March R. Smith - University of St Thomas - Minnesota CISC Class Today Homework RemindersHomework Reminders RecapRecap FirewallsFirewalls Firewall.
Conostix S.A. Sensible defence.
GOLD UNIT 4 - IT SECURITY FOR USERS (2 CREDITS) Thomas Jenkins.
DIGITAL SECURITY Information Security and data protection Facilitator: Yvonne Oluoch.
Updated Today's talk should help you to understand better  what your responsibilities for this module  how you will be taught  how you.
GOLD UNIT 4 - IT SECURITY FOR USERS (2 CREDITS) Rebecca Pritchard.
A Basic Introduction to Computer Security John H. Porter University of Virginia Department of Environmental Sciences.
CPT 123 Internet Skills Class Notes Internet Security Session A.
Computer Security! Emma Campbell, 8K VirusesHackingBackups.
Chapter 1 Overview The NIST Computer Security Handbook defines the term Computer Security as:
How to be Safe Online. Online Access How many of you go online? What are your favorite things to do online? Who accesses the Internet from their smart.
Lecture 7 Page 1 CS 236, Spring 2008 Challenge/Response Authentication Authentication by what questions you can answer correctly –Again, by what you know.
Alaa Mubaied Risk Management Alaa Mubaied
March R. Smith - University of St Thomas - Minnesota QMCS 130: Today’s Class Grades & Lab 12Grades & Lab 12 Upcoming ExamUpcoming Exam StructuresStructures.
Lecture slides prepared for “Computer Security: Principles and Practice”, 3/e, by William Stallings and Lawrie Brown, Chapter 1 “Overview”. © 2016 Pearson.
March R. Smith - University of St Thomas - Minnesota QMCS Class Today “Enigma” recap and finish“Enigma” recap and finish The quiz/surveyThe.
Establishing Healthy Financial Habits Personal Finance.
March R. Smith - University of St Thomas - Minnesota CISC Class Today HomeworkHomework Project ScheduleProject Schedule LabLab RecapRecap Protecting.
Module 12: Responding to Security Incidents. Overview Introduction to Auditing and Incident Response Designing an Audit Policy Designing an Incident Response.
1/28/2016 1R. Smith - University of St Thomas - Minnesota CISC 130: Today’s Class Assignments 7 and 8Assignments 7 and 8 ExamExam History Paper AssignmentHistory.
Role Of Network IDS in Network Perimeter Defense.
March /18R. Smith - University of St Thomas - Minnesota QMCS 230: Today in Class What’s on the Exam Next Week?What’s on the Exam Next Week? Lab 8Lab.
3/21/2016 1R. Smith - University of St Thomas - Minnesota CISC Class Today Rest of SemesterRest of Semester Presentation SchedulePresentation Schedule.
Module 5: Designing Physical Security for Network Resources
Risk management.
Protect Your Computer Against Harmful Attacks!
R. Smith - University of St Thomas - Minnesota
Security Principles and Policies CS 236 On-Line MS Program Networks and Systems Security Peter Reiher.
ONAP Risk Assessment – Preparation Material - Overview of the Process - Terminology - Assumptions
Presentation transcript:

Spring R. Smith - University of St Thomas - Minnesota CISC Class Today Making security decisionsMaking security decisions IntroductionsIntroductions Security perimetersSecurity perimeters AssignmentAssignment

Spring R. Smith - University of St Thomas - Minnesota Making security decisions Do you always lock:Do you always lock: –A car door –A room door –A house door If not always, what decides otherwise?If not always, what decides otherwise?

Spring R. Smith - University of St Thomas - Minnesota Decision Making Strategies Rule basedRule based –I’m told that’s what we do, and I follow that rule (Passwords) RelativisticRelativistic –My friend does it, so I do, too. –My neighbor has a fence and locks his front door. Me, too. –We all use super-strong Kryptonite bike locks “Security Theater”, hunter’s dilemma“Security Theater”, hunter’s dilemma MAD - DeterrenceMAD - Deterrence RationalRational –We look at the risks and choose security measures accordingly –If an incident occurs, it should prove cheaper than the long- term cost of protecting against it –Reassess risks as part of the “life cycle” of the asset

Spring R. Smith - University of St Thomas - Minnesota Decision making in a life cycle Identify your practical goalsIdentify your practical goals –What “real” things do you want to accomplish? –What risks interfere with them? Choose the security that fitsChoose the security that fits –What weaknesses exist? –What security measures might work? –What are the trade-offs against goals? Measure successMeasure success –Monitor for attacks or other failures –Recover from problems –Reassess goals and trade-offs

Spring R. Smith - University of St Thomas - Minnesota So what will the class look at? How to assess security in generalHow to assess security in general Analyzing trade-offs (risk, cost, effectiveness)Analyzing trade-offs (risk, cost, effectiveness) Specific security issues and techniquesSpecific security issues and techniques –Workstations –LANs –Distributed networks –Internet access –E-commerce –If time, DRM and ‘extreme security’ LabsLabs –Some exist, scheduling may be tricky

Spring R. Smith - University of St Thomas - Minnesota Who are you, who am I Ask your neighbor:Ask your neighbor: –Name, major –Why are you taking this class? –Do you “0wn” a computer? I.e. can you log in as admin?I.e. can you log in as admin? –Give a personal, security related fact. Experience, skill, incident, etc.Experience, skill, incident, etc.

Spring R. Smith - University of St Thomas - Minnesota The Class On-Line Web home pageWeb home page –courseweb.stthomas.edu/resmith links to it –Course schedule with homework assignments –Links to lecture notes BlackboardBlackboard –Link to course home page –Grades –Links to copyrighted material Draft book chaptersDraft book chapters

Spring R. Smith - University of St Thomas - Minnesota The Syllabus Concepts we’ll coverConcepts we’ll cover –“Practical” security planning and assessment –Risk trade offs - the concept –Role of security policies Environments - in order of breadthEnvironments - in order of breadth –Personal desktop/laptop –Access control on shared computer –Desktop encryption –Local network –Internet access from LAN –Distributed LANs –E-commerce

Spring R. Smith - University of St Thomas - Minnesota Textbook(s) The main text is Internet CryptographyThe main text is Internet Cryptography –We don’t need it yet, probably not till March –Buy a cheap copy The initial readings are draft chaptersThe initial readings are draft chapters –I’m writing a security text book –3 chapters are all finished –3-5 more chapters may be used in this class –Draft Chapters are posted on Blackboard Print them, or read on-line, as you preferPrint them, or read on-line, as you prefer

Spring R. Smith - University of St Thomas - Minnesota Reading the Draft Chapters Usually starts with a ‘scenario’Usually starts with a ‘scenario’ –People involved in a security relevant activity “Body” of the chapter“Body” of the chapter –Concepts and techniques –What to do - How to do it - How things are related –Examples of things to do in exercises Process examplesProcess examples –Follow a security situation through the 6-step process –Sometimes computer-related, sometimes not Resources, Review and ExercisesResources, Review and Exercises –Study the review questions –source of quiz/exam questions –Exercises – numbered with ‘E’ – typical homework

Spring R. Smith - University of St Thomas - Minnesota Personal Computer Security Share a dorm room?Share a dorm room? Share an apartment?Share an apartment? Share a home?Share a home? “My” computer - a security objective“My” computer - a security objective “I’ll kill you if you touch it”“I’ll kill you if you touch it” –a policy statement?

Spring R. Smith - University of St Thomas - Minnesota Extreme Workstation Security Does this achieve our goals?

Spring R. Smith - University of St Thomas - Minnesota A real world example There is a companyThere is a company Thieves walk into their buildings every dayThieves walk into their buildings every day The front door is unlocked all day longThe front door is unlocked all day long Valuable company property is just lying aroundValuable company property is just lying around The thieves pick it up and carry it awayThe thieves pick it up and carry it away Most thieves, but not all, get away!Most thieves, but not all, get away! WHAT IS THIS STUPID COMPANY?WHAT IS THIS STUPID COMPANY? Why don’t they lock the door, at least?Why don’t they lock the door, at least?

Spring R. Smith - University of St Thomas - Minnesota The Security Process 1.Identify your assets What assets and capabilities do you require?What assets and capabilities do you require? 2.Analyze the risks of attack What can happen to damage your assets?What can happen to damage your assets? What is the likelihood of damage?What is the likelihood of damage? 3.Establish your security policy Trade off of risks, cost of damage, cost of protectionTrade off of risks, cost of damage, cost of protection Identify the protections you intend to useIdentify the protections you intend to use 4.Implement your defenses 5.Monitor your defenses 6.Recover from attacks

Spring R. Smith - University of St Thomas - Minnesota The Process Itself Based on industrial modelsBased on industrial models –“System engineering” process We can apply it at a high levelWe can apply it at a high level –Examples sprinkled through the text: Bob, 9/11, Troy, etc. We also apply steps in detailWe also apply steps in detail –Numerical risk assessments –Policy planning –Security implementation plans

Spring R. Smith - University of St Thomas - Minnesota Security analysis: your PC The PC itself isn’t the assetThe PC itself isn’t the asset –Most often, we value what it does, not what it is Hardware is interchangeableHardware is interchangeable Assets: resources, things that empower usAssets: resources, things that empower us –Focus on what the assets empower us to achieve: –Get homework done, socialize, manage finances, etc. Risks: things that interfere with assetsRisks: things that interfere with assets –What can interfere with our achievements? –Assess likelihood and impact We identify risks by looking at threats and vulnerabilitiesWe identify risks by looking at threats and vulnerabilities

Spring R. Smith - University of St Thomas - Minnesota Asset Threats & Vulnerabilities ThreatDefense, Safeguard, or “Countermeasure ” attack An attempt to steal or harm the asset is an attack Vulnerability

Spring R. Smith - University of St Thomas - Minnesota Simple risk analysis: your PC Threats?Threats? –Who, why? Vulnerabilities?Vulnerabilities? –What bad can happen? –What allows the badness to happen? Can we just lock it up?Can we just lock it up? –Put it in a room –Put a lock on the door. –Don’t share the key Does this work?Does this work?

Spring R. Smith - University of St Thomas - Minnesota Deciding on Protection Policy: what protections we needPolicy: what protections we need –If possible, identify defensive perimeters –Identify other defenses to reduce impact of risks –Balance against how we use the asset –Balance against cost of protection

Spring R. Smith - University of St Thomas - Minnesota Physically securing an area What is a secure perimeter?What is a secure perimeter? –Contiguous - no breaks –A barrier - actually blocks some attacks –Minimal number of openings –Access restrictions on the openings Example: my houseExample: my house –Wooden frame building - keeps out wild dogs –Glass windows with storms - ditto –Locked doors - ditto –Metal fence - ditto –Gates in the fence - ditto

Spring R. Smith - University of St Thomas - Minnesota Security Analysis What are the threats?What are the threats? –Wild dogs –Burglars –People collecting for nasty charities What are the defenses?What are the defenses? Are there effective attacks on them?Are there effective attacks on them? –Effective = threats might use them

Spring R. Smith - University of St Thomas - Minnesota Is this a complete list of threats? Of course not.Of course not. –Study history, the news, experience, introspection –Generate a ‘better’ list A notion of “threats”A notion of “threats” –Threat = anyone with strongly different goals –Example: Burger King vs McDonald’s Both “sort of” have the same goal: sell burgersBoth “sort of” have the same goal: sell burgers In fact, BK wants to sell BK burgers, while Mac wants to sell Mac burgersIn fact, BK wants to sell BK burgers, while Mac wants to sell Mac burgers BK people are not trusted in McDonald’s placesBK people are not trusted in McDonald’s places

Spring R. Smith - University of St Thomas - Minnesota Potential vs Real Threats Potential Threat = strongly different goalsPotential Threat = strongly different goals –Not a member of the family, company, community –Member of competing entity –But not necessarily motivated to do you harm Real Threat = history of attacksReal Threat = history of attacks –“Good” neighborhood = neighbors not a threat –“Bad” neighborhood = neighbors have caused trouble in the past

Spring R. Smith - University of St Thomas - Minnesota Now, the Defenses Physical worldPhysical world –Physical barriers, slows them down a lot –Locks - slow them down, restricts access –Alarms - calls for help –Warnings - shows you care Computer worldComputer world –Examples?

Spring R. Smith - University of St Thomas - Minnesota What defenses are “effective”? Concept of “work factor”Concept of “work factor” –How hard does the attacker have to work to overcome the defense? –May be computed in hours –May be computed in likelihood over time Example: average of 3 days, $.25M to crack DESExample: average of 3 days, $.25M to crack DES Effective =Effective = –Work Factor > threat’s motivation or skill –My Home Example Wild dogs motivated but not resourcefulWild dogs motivated but not resourceful Charity people resourceful but not motivatedCharity people resourceful but not motivated Burglars may be both, but hopefully not too much soBurglars may be both, but hopefully not too much so –Or, deterred by the alarm, and the large dog

Spring R. Smith - University of St Thomas - Minnesota How does this relate to computers? Defenses are always a trade offDefenses are always a trade off The same reasoning applies to bothThe same reasoning applies to both All security begins with physical securityAll security begins with physical security

Spring R. Smith - University of St Thomas - Minnesota Evolution of Attacks and Defenses AttacksDefenses Remote TerminalsMasquerade PasswordsSteal the Password File Password HashingGuessing Guess DetectionKeystroke Sniffing Memory ProtectionPassword Sharing Password TokensNetwork Sniffing One-Time Passwords ?? Example: Passwords on Computers

Spring R. Smith - University of St Thomas - Minnesota The homework assignment First, Read Draft Chapter 1First, Read Draft Chapter 1 –Posted on Blackboard Second, do Exercise E5 at the end of the chapter: analyze the perimeter of some commercial or other business location.Second, do Exercise E5 at the end of the chapter: analyze the perimeter of some commercial or other business location.

Spring R. Smith - University of St Thomas - Minnesota Creative Commons License This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit sa/3.0/us/ or send a letter to Creative Commons, 171 Second Street, Suite 300, San Francisco, California, 94105, USA.

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.