1 No Silver Bullet : Inherent Limitations of Computer Security Technologies Jeffrey W. Humphries Texas A&M University.

2 Introduction  Reports of computer break-ins, hacker incidents, and viruses are now common in the public press.  The current direction of computer science is towards more distributed, web-based paradigms.  A number of computer security technologies have been developed to address the security implications introduced by this shift.

3 What’s the Problem?  No present technology, whether used by itself or used in conjunction with other mechanisms, fully addresses the computer security problem.

4 The Nature of the Problem  Fast-paced change in computer technology  Enormous growth in the size and diversity of computer networks  Neglect of security due to lack of time or skill.

5 The Bottom Line  “The odds favor the attacker: defenders have to protect against every possible vulnerability, but an attacker only has to find one security flaw to compromise the whole system.” - Bruce Schneier

6 Inherent Problems In Computer Security  Three Inherent Problems –Complexity of the computing environment –Rate of change in computer technology –The people factor

7 Complexity of the Computing Environment  Computer technology, both hardware and software, grows more complex each day. –More valid users have access to the system, thus increasing the threat from insiders. –Outside attackers have more opportunities to penetrate a system. –More information is now available than ever before to be compromised.

8 Rate of Change in Computer Technology  The rapid change in technology hampers computer security efforts for several reasons: –Product developers often fail to thoroughly research and understand the security implications of their products. –Many organizations purchase, install, and integrate these new products into their computing infrastructure with little thought to their effect on security. –New security flaws can be described on the Internet and exploited by thousands much faster than developers can create and disseminate patches.

9 The People Factor  People cannot anticipate every possible failure.  The largest threat is from “insiders”. –Accidents –Lack of training –Frequent personnel changes  “Outsiders” are also a problem. –The Internet is the enabling tool almost single-handedly responsible for the spread of knowledge about vulnerabilities and the worldwide distribution of hacking tools.

10 Current Technologies Fall Short  Authentication and access controls  Network technologies  Intrusion detection systems  Cryptography  Other technologies

11 Authentication and Access Controls  Standard methods, such as the use of passwords, are woefully inadequate to provide any real security.  What about hand-held authenticators, biometrics, and smart cards? –While these technologies may have some value, they also have their limitations and are all potentially vulnerable to bypass or subversion.

12 Network Technologies  The trend in a number of organizations has been to make their systems more open.  The number and significance of network vulnerabilities will continue to grow.  The firewall is the mechanism about which the most exaggerated claims of network protection have been made.

13 Intrusion Detection Systems  Intrusion detection systems have a number of weaknesses: –Distinguishing between normal and intrusive events –Volume of information that needs to be monitored –Very difficult to stop the insider threat –Lack of an appropriate real-time response to perceived attacks
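The first two weaknesses on this slide, telling normal from intrusive events and coping with volume, can be made concrete with a toy signature detector. The code below is an added example, not part of Humphries' slides: it runs one directory-traversal signature over a few constructed web-server log lines (hypothetical hosts and paths) and shows that tightening the signature to catch an encoded evasion still leaves the question of precision, while loosening it to catch more starts flagging benign traffic.

```python
"""Added example: a naive signature IDS over constructed access-log lines."""
import re
from urllib.parse import unquote

# Constructed sample log lines (hypothetical hosts, paths and timestamps).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2001:10:00:01] "GET /index.html HTTP/1.0" 200',
    '10.0.0.9 - - [01/Jan/2001:10:00:02] "GET /cgi-bin/../../etc/passwd HTTP/1.0" 404',
    '10.0.0.9 - - [01/Jan/2001:10:00:03] "GET /cgi-bin/..%2f..%2fetc/passwd HTTP/1.0" 404',
    '10.0.0.7 - - [01/Jan/2001:10:00:04] "GET /docs/passwd-policy.html HTTP/1.0" 200',
]

# Signature: a "../" traversal step followed somewhere by a sensitive file name.
TRAVERSAL_SIG = re.compile(r"\.\./.*passwd")

# Pulls the request path out of a common-log-format line.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/')


def extract_path(line):
    m = REQUEST_RE.search(line)
    return m.group("path") if m else ""


def naive_detect(line):
    """Match the signature against the raw request path (misses %2f evasion)."""
    return bool(TRAVERSAL_SIG.search(extract_path(line)))


def normalized_detect(line):
    """Percent-decode the path first; this closes the %2f evasion in line 2."""
    return bool(TRAVERSAL_SIG.search(unquote(extract_path(line))))


def loose_detect(line):
    """Looser rule, 'passwd' anywhere in the path: catches more, but also
    fires on the benign /docs/passwd-policy.html request (a false positive)."""
    return "passwd" in extract_path(line).lower()


def run(detector, lines=SAMPLE_LOG):
    """Return the indexes of the lines a detector flags."""
    return [i for i, line in enumerate(lines) if detector(line)]


if __name__ == "__main__":
    for d in (naive_detect, normalized_detect, loose_detect):
        print(d.__name__, run(d))
```

Run against the four constructed lines, `naive_detect` flags only line 1, `normalized_detect` flags lines 1 and 2, and `loose_detect` flags lines 1, 2 and 3. Each adjustment that closes an evasion or widens coverage trades against precision, and at real traffic volumes that trade is what makes the "normal versus intrusive" decision hard.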

14 Cryptography  Smart attackers will just go around the cryptography and target weaker points in the system.  Cryptography can lull the user into a false sense of security.  In practice, attackers rarely break cryptography through its mathematics; other parts of the system are much easier to break.  85% of the CERT advisories over the last 10 years describe vulnerabilities that cryptography could not have fixed, because they lie outside its scope.
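Slide 11 says passwords are inadequate and slide 14 says attackers go around the cryptography rather than through it; one added example (not from the slides) serves both. The HMAC-SHA256 tag below is mathematically sound and is checked with a constant-time compare, yet the whole scheme falls because the key is derived from an operator-chosen password with a single unsalted hash. The attacker never touches the HMAC math: they guess the password offline, recover the key, and forge a tag for a privileged message. The password, message format and wordlist are constructed for the example.

```python
"""Added example: sound HMAC, weak secret. The attacker goes around the math."""
import hashlib
import hmac


def derive_key(password):
    """Hypothetical weak key derivation: one unsalted SHA-256 of a password.
    This, not HMAC, is the weak point the attacker targets."""
    return hashlib.sha256(password.encode()).digest()


def sign(key, message):
    """Server side: authenticate a message with HMAC-SHA256."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify(key, message, tag):
    """Server side: constant-time comparison, so no timing leak here."""
    return hmac.compare_digest(sign(key, message), tag)


# Constructed scenario: the operator chose a memorable password as the secret.
OPERATOR_PASSWORD = "summer2001"
SERVER_KEY = derive_key(OPERATOR_PASSWORD)
MESSAGE = b"user=alice;role=user"
TAG = sign(SERVER_KEY, MESSAGE)

# Constructed wordlist; a real attacker runs millions of candidates.
WORDLIST = ["password", "letmein", "qwerty", "summer2001", "texas"]


def recover_key(message, tag, wordlist):
    """Attacker side: given one valid (message, tag) pair, try candidate
    passwords until the derived key reproduces the tag."""
    for candidate in wordlist:
        k = derive_key(candidate)
        if verify(k, message, tag):
            return candidate, k
    return None


def forge(message, tag, wordlist, new_message):
    """Attacker side: recover the key, then sign a message of their choosing."""
    found = recover_key(message, tag, wordlist)
    if found is None:
        return None
    _, k = found
    return sign(k, new_message)


def demo():
    """True if the forged admin tag passes the server's own verification."""
    forged = forge(MESSAGE, TAG, WORDLIST, b"user=alice;role=admin")
    return forged is not None and verify(SERVER_KEY, b"user=alice;role=admin", forged)


if __name__ == "__main__":
    print("forgery accepted:", demo())
```

The fix is likewise outside the cipher: a key from `os.urandom(32)` that nobody memorises, or, if a password must be the root secret, a salted, deliberately slow derivation such as `hashlib.pbkdf2_hmac` with a high iteration count. Neither change touches HMAC; both address the part of the system the advisory statistic on this slide is about.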

15 Other Technologies  Vulnerability scanners  Virus scanners  Secure software  Security policies and standards

16 Is it Hopeless?  Three suggestions for improvement: –Designing security into systems from the start –Use of secure operating systems –Security awareness and training

17 Conclusion  Good security is very difficult to achieve and total security is impossible.  No single technical security solution can provide an answer, because each fails to address the inherent problems in computer security.  Rather, a proper balance of security mechanisms must be achieved that addresses the fundamental problems of increasing complexity, rapid rate of change, and the people factor.