Presentation is loading. Please wait.

Presentation is loading. Please wait.

Student Application System SNA Step 3 Attacker Profiles and Scenarios 11.14.2001.

Published byRodger Godwin Warren Modified over 9 years ago

Similar presentations

Presentation on theme: "Student Application System SNA Step 3 Attacker Profiles and Scenarios 11.14.2001."— Presentation transcript:

1 Student Application System SNA Step 3 Attacker Profiles and Scenarios 11.14.2001

2 Student Application System F F Timothy Mak (Team Leader) F F James Zujie Chi F F Dali Wang F F Maria Stattel F F Andy Teng F F Hyoungju Yun F F John Rinderie F F Ron Urwongse

3 Weekly Team Meeting Recurring meetings Every Wednesday, 1-2pm (as necessary) Team Meetings to Date 9.19.2001 First Team Meeting, assigned project roles 9.22.2001 Presentation discussion and layout 10.3.2001 Discussed requirements for part II 10.10.2001 Reviewed current status of part II 10.25.2001 Discussed contents of Presentation II 10.31.2001Discussed requirements for part III 11.2.2001Discussed contents for part III 11.7.2001Reviewed current status of part III 11.12.2001Discussed contents of Presentation III Team Activities

4 Client Meeting 9.21.2001 Meeting with Martha Baron (Director of Information Services) 10.4.2001 Meeting with Martha Baron 10.25.2001 11.9.2001Meeting with Martha Baron, & Brian Gallew (Principal Software Engineer, ACIS) Class Presentations 9.26.2001 Project Briefing 1: James Zujie Shi & Timothy Mak 10.31.2001 Project Briefing 2: Dali Wang & Maria Stattel 11.14.2001Project Briefing 3: Andy Teng & Hyoungju Yun 12.5.2001 Project Briefing 4: John Rinderle & Ron Urwongse Project Timeline

5 Team Leader: Timothy Mak Discussion Leader: Andy Teng Scribe: Hyoungju Yun Reviewers: All team members Roles played for Part III

6 Essential Services and Assets  Marketing and Recruiting  Student Application for Admission  Acceptance Notification  Financial Aid  Billing  E-Grades  Graduation Eligibility Verification  Degree Certification  Academic Audit

7 Attacker Profiles (1 of 2) Attacker InsiderOutsider Employee CMU Student Hacker Non-CMU Student Resources High level of experience on systems & processes High level of experience on systems & processes Diversity Diversity Expert knowledge Expert knowledge Professional skills Professional skills Diversified knowledge Diversified knowledge Tools Readily available tools Readily available tools Social engineering Social engineering Customized tool Customized tool Social engineering Social engineering Readily available tools Readily available tools Customized tool Customized tool Social engineering Social engineering Risk Risk adverse Risk adverse Not risk adverse Not risk adverse Somewhat risk adverse Somewhat risk adverse Access Internal Internal External External Internal Internal External External

8 Attacker Profiles (2 of 2) Attacker InsiderOutsider Employee CMU Student Hacker Non-CMU Student Objectives Personal gain Personal gain Embarrass CMU Embarrass CMU Personal gain Personal gain Embarrass CMU Embarrass CMU Personal Gain Personal Gain Curiosity Curiosity Practicing hacking skills Practicing hacking skills Personal gain Personal gain Embarrass CMU Embarrass CMU Curiosity Curiosity Level of attack Sophisticated Attack Sophisticated Attack Intermediate Attack Intermediate Attack Sophisticated Attack Sophisticated Attack Target-of- Opportunity Attack Target-of- Opportunity Attack Probability Low probability because of good security policy Low probability because of good security policy Medium probability Medium probability High probability High probability Low probability Low probability

9 Intrusion Usage Scenarios 1.Legal login by unauthorized user 2.Unauthorized access by insider 3.Unauthenticated access by outsider 4.Malicious code attack

10 IUS1: Legal Login by unauthorized user   How to attack An unauthorized user logins using password by sniffing or social engineering and then views, modifies or deletes private student dataAn unauthorized user logins using password by sniffing or social engineering and then views, modifies or deletes private student data   Who is the attacker Employees, CMU students, Hackers, Non-CMU studentsEmployees, CMU students, Hackers, Non-CMU students   What are their objectives View, modify or delete private student dataView, modify or delete private student data   Category of attack pattern User accessUser access

11 IUS1: Legal Login by unauthorized user Web browser Graduation Eligibility Verification Acceptance Notification Financial Aid Web server 1 Degree Certification Academic Audit Billing Web server 2 Marketing and Recruiting Student Application E-Grades Database server Firewall Authentication Server Terminal Compromised Component Attacker Trace Communication Link Architecture Node Database server

12 IUS2: Unauthorized access by insider   How to attack Inside intruder accesses servers (Web/Database) physically to view, modify or delete the dataInside intruder accesses servers (Web/Database) physically to view, modify or delete the data Inside intruder accesses servers via system administrator access rights to view, modify or delete dataInside intruder accesses servers via system administrator access rights to view, modify or delete data   Who is the attacker Insider (employees, specifically those holding system administrator rights)Insider (employees, specifically those holding system administrator rights)   What are their objectives View, modify or delete private student dataView, modify or delete private student data   Category of attack pattern User accessUser access

13 IUS2: Unauthorized access by insider Web browser Graduation Eligibility Verification Acceptance Notification Financial Aid Web server 1 Degree Certification Academic Audit Billing Web server 2 Marketing and Recruiting Student Application E-Grades Database server Firewall Authentication Server Terminal Compromised Component Attacker Trace Communication Link Architecture Node Database server

14 IUS3: Unauthenticated access by outsider   How to attack An outsider intruder accesses SA servers by sending loads of improper requestsAn outsider intruder accesses SA servers by sending loads of improper requests   Who is the attacker Outsider (hackers, students from competitive universities)Outsider (hackers, students from competitive universities)   What are their objectives To bring down the servers and applications via overloading them and crashing themTo bring down the servers and applications via overloading them and crashing them Disclose private student data to embarrass and obtain the personal gainDisclose private student data to embarrass and obtain the personal gain   Category of attack pattern Component accessComponent access

15 IUS3: Unauthenticated access by outsider Web browser Graduation Eligibility Verification Acceptance Notification Financial Aid Web server 1 Degree Certification Academic Audit Billing Web server 2 Marketing and Recruiting Student Application E-Grades Database server Firewall Authentication Server Terminal Compromised Component Attacker Trace Communication Link Architecture Node Web server 1 Web server 2 Authentication Server

16 IUS4: Malicious code attack   How to attack Users download malicious code (e.g. trojan horses, viruses, worms) from outside the network accidentally or intentionallyUsers download malicious code (e.g. trojan horses, viruses, worms) from outside the network accidentally or intentionally Intruder installs malicious code directlyIntruder installs malicious code directly   Who is the attacker Employees, CMU students, Hackers, Non-CMU studentsEmployees, CMU students, Hackers, Non-CMU students   What are their objectives Break data integrity, privacy and availabilityBreak data integrity, privacy and availability   Category of attack pattern Application contentApplication content

17 Coming up next… F SNA Step 4 –Softspots –Resistance, Recognition, Recovery –Survivability Map

18

Download ppt "Student Application System SNA Step 3 Attacker Profiles and Scenarios 11.14.2001."

Similar presentations

ETHICAL HACKING A LICENCE TO HACK

ETHICAL HACKING A LICENCE TO HACK
Distance Education Team 1 Adrian Sia Xavier Appé Anoop Georges Salvador Gonzales Augustine Ani Zijian Cao Joe Ondercin SNA Step 3 November 14, 2001.

Distance Education Team 1 Adrian Sia Xavier Appé Anoop Georges Salvador Gonzales Augustine Ani Zijian Cao Joe Ondercin SNA Step 3 November 14, 2001.
Oracle Financial System Project Team: Aseem Gupta Jeng Toa Lee Jun Lu Kevin Patrick Zhu Thomas Verghese Weicheng Wong Xuegong Wang ( Jeff ) Date : 26 th.

Oracle Financial System Project Team: Aseem Gupta Jeng Toa Lee Jun Lu Kevin Patrick Zhu Thomas Verghese Weicheng Wong Xuegong Wang ( Jeff ) Date : 26 th.
Information System protection and Security. Need for Information System Security §With the invent of computers and telecommunication systems, organizations.

Information System protection and Security. Need for Information System Security §With the invent of computers and telecommunication systems, organizations.
1 Web Servers / Deployment Alastair Dawes Original by Bhupinder Reehal.

1 Web Servers / Deployment Alastair Dawes Original by Bhupinder Reehal.
Network Security aka CyberSecurity Monitor and manage security risks at the network level for the entire Johns Hopkins Network.

Network Security aka CyberSecurity Monitor and manage security risks at the network level for the entire Johns Hopkins Network.
1 Topic 1 – Lesson 3 Network Attacks Summary. 2 Questions ► Compare passive attacks and active attacks ► How do packet sniffers work? How to mitigate?

1 Topic 1 – Lesson 3 Network Attacks Summary. 2 Questions ► Compare passive attacks and active attacks ► How do packet sniffers work? How to mitigate?
Hacker, Cracker?! Are they the same? No!!! Hacker programmers intensely interested in the arcane and recondite workings of any computer operating system.

Hacker, Cracker?! Are they the same? No!!! Hacker programmers intensely interested in the arcane and recondite workings of any computer operating system.
Copyright © 2015 McGraw-Hill Education. All rights reserved. No reproduction or distribution without the prior written consent of McGraw-Hill Education.

Copyright © 2015 McGraw-Hill Education. All rights reserved. No reproduction or distribution without the prior written consent of McGraw-Hill Education.
IS Network and Telecommunications Risks

IS Network and Telecommunications Risks
Extranet for Security Professionals Intrusion Scenarios Heather T. Kowalski Tong Xu Ying Hao Hui Huang Bill Halpin Nov. 14, 2000.

Extranet for Security Professionals Intrusion Scenarios Heather T. Kowalski Tong Xu Ying Hao Hui Huang Bill Halpin Nov. 14, 2000.
8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.

8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.
Distance Education Team 2 Security Architectures and Analysis.

Distance Education Team 2 Security Architectures and Analysis.
8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.

8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.
Distance Education Team 2 Security Architectures and Analysis.

Distance Education Team 2 Security Architectures and Analysis.
Security Management IACT 918 July 2004 Gene Awyzio SITACS University of Wollongong.

Security Management IACT 918 July 2004 Gene Awyzio SITACS University of Wollongong.
Student Application System Andy Teng Dali Wang Hyoungju Yun James Zujie Shi John Rinderle Maria Stattel Ron Urwongse Timothy Mak 9.26.2001.

Student Application System Andy Teng Dali Wang Hyoungju Yun James Zujie Shi John Rinderle Maria Stattel Ron Urwongse Timothy Mak
11/14 SNA Presentation 3 Survivable Network Analysis Oracle Financial System SNA step 3 Ali Ardalan Qianming “Michelle” Chen Yi Hu Jason Milletary Jian.

11/14 SNA Presentation 3 Survivable Network Analysis Oracle Financial System SNA step 3 Ali Ardalan Qianming “Michelle” Chen Yi Hu Jason Milletary Jian.
Earl Crane Hap Huynh Jeongwoo Ko Koichi Tominaga 11/14/2000 Physician Reminder System SNA Step 3.

Earl Crane Hap Huynh Jeongwoo Ko Koichi Tominaga 11/14/2000 Physician Reminder System SNA Step 3.
Privacy & Security By Martin Perez. Introduction  Information system - People : meaning use, the people who use computers. - Procedures : Guidelines.

Privacy & Security By Martin Perez. Introduction  Information system - People : meaning use, the people who use computers. - Procedures : Guidelines.

Similar presentations

Ads by Google