Reliability and Security
Security How big a problem is security? Perfect security is unattainable Security in the context of a socio- technical system Disaster planning Security is a process, not a product
Internet Security What’s different about the Internet and computerized attacks? Complexity Automation Action at a distance Propagation of techniques Class breaks
Is IT Security a Technical Problem? Socio-technical systems view of IT security –Technical system includes hardware software, networks, data –Social system includes people, processes, organization, work design, objectives –Socio-technical solution is the best total solution, may not optimize either social or technical solution
Is IT Security a Technical Problem? Schneier – security is provided within a context. –An asset is secured from a particular type of attack from a particular type of attacker –Assets and attacks exist in contexts –Context (especially the social part) matters more than technology
Types of Attack What’s the same Theft Embezzlement Vandalism Exploitation Fraud Extortion Threat of harm Privacy violations
Attack Types Schneier’s classification –Criminal attacks –Privacy violations –Publicity attacks By attacker motive –Financial or other gain –To damage others –Privacy violations
Gain Motivated Attacks Fraud Intellectual Property Theft Identity Theft Brand Theft Publicity Attacks
Privacy Violations Stalking Surveillance Databases Traffic Analysis Broad Scale Electronic Monitoring
Attacks aimed at damaging others Denial-of Service attacks Defacing web sites Viruses and their ilk
Adversaries Those classified as criminals Hackers Lone Criminals Malicious Insiders Organized Crime Terrorists
Adversaries Those with claims of legitimacy Industrial spies The press The police National Intelligence Organizations Infowarriors
Phishing
Antiphishing.org
Microsoft Vulnerabilities Sharp increase in attacks on Windows based PCs in 1 st half of 2004 –1237 new vulnerabilities or 48/week Increase in number of bot networks –30,000 from 2,000 in previous 6 months Increase in percent of e-commerce attacks from 4% to 16% 450% increase in new Windows viruses – 4,496
Risk Components Magnitude of loss Likelihood of loss Exposure to loss
Management of Risk Control Information Time
Miscellaneous Defensive Measures Security policies Firewalls Intrusion detection Encryption Authentication
Liability Argument Who should be held liable? –Software vendors, e.g. Microsoft –Network owner, e.g. ISP (Comcast) –Person who wrote the attack tool –Person who used the attack tool –The public The ATM example
Three Steps to Improving IT Security 1)Enforce liability 2)Permit parties to transfer liability 3)Provide mechanisms to reduce risk