
Distance Education Team 2 Security Architectures and Analysis.



Presentation on theme: "Distance Education Team 2 Security Architectures and Analysis."— Presentation transcript:

1 Distance Education Team 2 Security Architectures and Analysis

2 Distance Education Team Members
- Chris Rush – Team Leader, Step 1
- Mike Gazdus – A/V Expert, Step 1
- Ron Banerjee – Tech Analyst, Step 2
- Russ Griffith – Tech Analyst, Step 2
- Scott Currie – Scribe, Step 3
- Chris Ameter – Tech Analyst, Step 3
- Jack Pickett – Tech Analyst, Step 3
- Raman Rangswamy – Tech Analyst, Step 4
- Ayman Lugman – Tech Analyst, Step 4

3 Topics for Discussion
- Step 1 Recap
  – DE User Categories
  – DE Architecture
- Step 2 Recap
  – Essential Services and Assets
  – Essential Scenarios Trace
  – Essential Components
- Step 3 Goals
  – Relevant Attacker Profiles
  – Likely Levels of Attack
  – Representative Attack Scenarios
  – Identify Compromisable Components
- Step 4 Next

4 Step 1 Recap
DE Organization Mission
“To offer the same high quality MSE courses currently available to resident students, through the use of on-line, Computer Based Training (CBT), and two-way audio two-way video through Distance Education”.
– Mel Rosso-Llopart, Director, Distance Education

5 DE User Categories
- Student
- Admin Staff
- Technical Support Staff
- Web Support Staff
- Director & Associate Director

6 DE Architecture
[Architecture diagram; components as labelled]
- Users: Student, Admin Staff, Tech Support, Web Support, Director & Associate Director
- Clients: DE Student Client (browser), DE Admin Client (Win32)
- Servers: Admin Server (Win NT), Product Server (Linux)
- Applications: Admin App (VB), Web App (Perl Scripts), Apache Server
- Databases: Admin DB (Oracle), Product DB (MySQL)
- E-mail

7 Step 2 Recap
- Essential services and assets
- Essential scenarios trace
- Essential components

8 Essential Services & Assets
Essential Services:
- Tech support updates MySQL database
- Student access to web application
- Web support (Courseware specialist) performs maintenance on web applications
Essential Assets:
- Student data
- Web contents: calendars, class assignments, files, assigned readings

9 Essential Scenarios Trace
[Architecture diagram from slide 6, with the essential scenarios traced across its components]

10 Essential Components
- MySQL database
- Web Application
- Apache Server
- Product Server

11 Step 3 Goals
Attacker Profiles
- Internal Threat
- External Threat
Levels of Attack
- “Target of opportunity”
- “Intermediate”
- “Sophisticated”

12 Step 3 Goals Cont.
- Describe intrusion scenarios – steps in attacker usage scenarios
- Identify compromisable components – parts of the architecture accessible by intrusion scenarios

13 General Attacker Profiles
- Recreational Hacker
  – Current/Past Students
  – Current/Past Admin & Support Staff
  – External Hacker
- Disgruntled Employee / User
  – Current/Past Students
  – Current/Past Admin & Support Staff
- Activist – Not Likely
- Industrial Spy – Not Likely
- Nation State – Not Likely

14 Attacker Attributes
(Table columns: Attacker, Resources, Time, Tools, Risk, Access, Objectives)
Recreational Hacker – External (i.e. Script Kiddie)
- Resources: Range, but generally limited.
- Time: Lots of time, very patient.
- Tools: Generally available scripts and tools.
- Risk: Little knowledge of potential risks. Likely to be risk averse.
- Access: External web access.
- Objectives: Fun, status.
Disgruntled Employee/User – Current or past Admin & Support staff; current or past students
- Resources: Moderate. CS students, and skilled support staff.
- Time: Varies, but generally cannot devote long hours.
- Tools: Existing access, knowledge of programming and system architecture.
- Risk: Likely to be risk averse. Jobs and/or enrollment status at risk.
- Access: Internal, or external with a knowledge of internal network structure.
- Objectives: Payback, revenge, havoc, chaos. Theft of financial info.
Activists – Not Likely
Industrial Spy – Not Likely
Nation State – Not Likely

15 Attack Patterns
- User Access
  – Current Student Privilege Escalation
  – Current Access to Damage the Database
  – External Attacker Gaining Account Level Access Through a Remote Exploit
- Component Access
  – Port Flood / DOS Attack
- Application Content
  – PERL Script Exploits
  – Buffer Overflows
  – OS / Application Vulnerabilities

16 Potential Attacker Profiles
- Internal Threat – Existing DE Student
  – Privilege Escalation
  – Modification of registration/payment info
- Internal Threat – Administrators/Student Support
  – Read/Write Access to DBs
  – Accidental/Intentional DB Corruption
  – Theft of Financial Information
  – Co-opt System resources (game/file server, DDOS)
- External Attacker
  – Vandalism
  – Theft of course material
  – Theft of student financial information
  – DDOS Platform

17 Levels of Attack
- Target of Opportunity
  – External Attacker – Script Kiddie
- Intermediate
  – Existing Student
  – Admin/Support Staff
  – External Attacker
- Sophisticated
  – Existing Student
  – Admin/Support Staff
  – External Attacker

18 Potential Attacker Profiles (slide 16 repeated)

19 Attack Scenarios – Privilege Escalation
[Architecture diagram from slide 6, with the privilege escalation scenario traced across its components]

20 Potential Attacker Profiles (slide 16 repeated)

21 Attack Scenarios – Theft of Financial Information
[Architecture diagram from slide 6, with the theft of financial information scenario traced across its components]

22 Potential Attacker Profiles (slide 16 repeated)

23 Attack Scenarios – DDOS Platform
[Architecture diagram from slide 6, with the attacker and the DDOS application marked on the components used as the DDOS platform]

24 Compromisable Components
- Admin Server
  – Possible DDOS platform
  – DB contains student financial info.
- Production Server
  – Web Server
  – No encrypted authentication
  – Password lists in DB

25 Compromisable Components
[Architecture diagram from slide 6, with the compromisable components marked]

26 What’s Next
Step 4
– Identify “softspots”
– Existing Mitigation Strategies
– Recommended Mitigation Strategies
– Survivability Map & Suggested Changes

27 Conclusion
- Reviewed the DE Architecture
- Reviewed the user categories
- Reviewed the architecture
- Reviewed the essential services and assets
- Reviewed the essential usage scenarios
- Reviewed the essential components
- Discussed Relevant Attacker Profiles
- Discussed Likely Levels of Attack
- Discussed Possible Attack Scenarios
- Identified Compromisable Components
- Briefly showed where we are going next

28 Questions?

