No Silver Bullet: Inherent Limitations of Computer Security Technologies
Jeffrey W. Humphries, Texas A&M University



2. Introduction
• Reports of computer break-ins, hacker incidents, and viruses are now common in the public press.
• The current direction of computer science is towards more distributed, web-based paradigms.
• A number of computer security technologies have been developed to address the security implications introduced by this shift.

3. What’s the Problem?
• No present technology, whether used by itself or used in conjunction with other mechanisms, fully addresses the computer security problem.

4. The Nature of the Problem
• Fast-paced change in computer technology
• Enormous growth in the size and diversity of computer networks
• Neglect of security due to lack of time or skill

5. The Bottom Line
• “The odds favor the attacker: defenders have to protect against every possible vulnerability, but an attacker only has to find one security flaw to compromise the whole system.” - Bruce Schneier

6. Inherent Problems in Computer Security
• Three Inherent Problems
  – Complexity of the computing environment
  – Rate of change in computer technology
  – The people factor

7. Complexity of the Computing Environment
• Computer technology, both hardware and software, grows more complex each day.
  – More valid users have access to the system, thus increasing the threat from insiders.
  – Outside attackers have more opportunities to penetrate a system.
  – More information is now available than ever before to be compromised.

8. Rate of Change in Computer Technology
• The rapid change in technology hampers computer security efforts for several reasons:
  – Product developers often fail to thoroughly research and understand the security implications of their products.
  – Many organizations purchase, install, and integrate these new products into their computing infrastructure with little thought of their effect on security.
  – New security flaws can be described on the Internet and exploited by thousands much faster than developers can create and disseminate patches.

9. The People Factor
• It is not possible for people to anticipate all possible failures.
• The largest threat is from “insiders”.
  – Accidents
  – Lack of training
  – Frequent personnel changes
• “Outsiders” are also a problem.
  – The Internet is the enabling tool that is almost singularly responsible for the spread of knowledge about vulnerabilities and the distribution of hacking tools worldwide.

10. Current Technologies Fall Short
• Authentication and access controls
• Network technologies
• Intrusion detection systems
• Cryptography
• Other technologies

11. Authentication and Access Controls
• Standard methods, such as the use of passwords, are woefully inadequate to provide any real security.
• What about hand-held authenticators, biometrics, and smart cards?
  – While these technologies may have some value, they also have their limitations and are all potentially vulnerable to bypass or subversion.

12. Network Technologies
• The trend in a number of organizations has been to make their systems more open.
• The number and significance of network vulnerabilities will continue to grow.
• The most common mechanism that has made exaggerated claims of network protection is the firewall.

13. Intrusion Detection Systems
• Intrusion detection systems have a number of weaknesses:
  – Distinguishing between normal and intrusive events
  – Volume of information that needs to be monitored
  – Very difficult to stop the insider threat
  – Lack of an appropriate real-time response to perceived attacks

14. Cryptography
• Smart attackers will just go around the cryptography and target weaker points in the system.
• Cryptography can lull the user into a false sense of security.
• In practice, most attackers rarely break cryptography through mathematics; other parts of the system are much easier to break.
• 85% of the CERT advisories over the last 10 years describe vulnerabilities that would still exist because they are beyond the scope of cryptography to fix.

15. Other Technologies
• Vulnerability scanners
• Virus scanners
• Secure software
• Security policies and standards

16. Is It Hopeless?
• Three suggestions for improvement:
  – Designing security into systems from the start
  – Use of secure operating systems
  – Security awareness and training

17. Conclusion
• Good security is very difficult to achieve and total security is impossible.
• No single technical security solution can provide an answer because they fail to address the inherent problems in computer security.
• Rather, a proper balance of security mechanisms must be achieved that addresses the fundamental problems of increasing complexity, rapid rate of change, and the people factor.

