Presentation is loading. Please wait.

Presentation is loading. Please wait.

Usable Security – CS 6204 – Fall, 2009 – Dennis Kafura – Virginia Tech Why Johnnys' Network got Owned by Evil Hackers Bent on World Domination and Johnny.

Published byNoah Greer Modified over 8 years ago

Similar presentations

Presentation on theme: "Usable Security – CS 6204 – Fall, 2009 – Dennis Kafura – Virginia Tech Why Johnnys' Network got Owned by Evil Hackers Bent on World Domination and Johnny."— Presentation transcript:

1 Usable Security – CS 6204 – Fall, 2009 – Dennis Kafura – Virginia Tech Why Johnnys' Network got Owned by Evil Hackers Bent on World Domination and Johnny was Helpless to Stop It: A Study on Project Usability from a Cyber-Security Professionals Perspective John Paul Dunning Rajesh Gangam Usable Security – CS 6204 – Fall, 2009 – Dennis Kafura – Virginia Tech

2 Agenda Problem Motivation Related Work Usability Study Analysis Usability Attributes Application of Usability Attributes Conclusion and Future Work Usable Security – CS 6204 – Fall, 2009 – Dennis Kafura – Virginia Tech

3 Problem Security Professionals are in need of usable security tools and applications. Why?  Security is the primary functionality.  Dynamic Environment: Security Tools and App’s always have upgrades and patches.  Collaborative Tools. What do you Gain?  Better Security. Better Support. Faster Solutions.

4 Usable Security – CS 6204 – Fall, 2009 – Dennis Kafura – Virginia Tech Motivation Little research has been done on usable security applications for security professionals on a broad scale. Administrators design, configure, troubleshoot, and maintain complex computer system comprised of a multitude of components.

5 Usable Security – CS 6204 – Fall, 2009 – Dennis Kafura – Virginia Tech Related Work User End Usability  Kazaa  Johnny  Johnny 2 Problems faced by System Administrators.  Field Studies of Computer System Administrators  I Know My Network: Collaboration and Expertise in Intrusion Detection

6 Usable Security – CS 6204 – Fall, 2009 – Dennis Kafura – Virginia Tech Definitions: Administrators  Individuals who are responsible for the well being of systems on a large scale. Project Vs Application Usability.  Usability concerns at a project level where application is only a part. Contains Product Support, Access to Source Code, Environment, Cost, Scale, Target.

7 Usable Security – CS 6204 – Fall, 2009 – Dennis Kafura – Virginia Tech Usability Study We have surveyed 50 Administrators. The Participants belonged to  Virginia Tech Technical Listserv  The Army Network Engineering Listserv  University Security Operations Group Listserv of SANS.

8 Usable Security – CS 6204 – Fall, 2009 – Dennis Kafura – Virginia Tech Usability Study

9 Usable Security – CS 6204 – Fall, 2009 – Dennis Kafura – Virginia Tech Findings From the Survey Popular Security Tools  Nmap A Network Scanner which tries to identify the services and machine configurations on the network.  Nessus A Network Vulnerability Scanner.  Wireshark Network Packet Analyzer used for network troubleshooting.  Snort A Network Intrusion Prevention and Detection System,  TcpDump Network Packet Analyzer.  *----Short Descriptions please

10 Usable Security – CS 6204 – Fall, 2009 – Dennis Kafura – Virginia Tech Observations: Preferred Operating System.  The Host Environment of the application.  Windows is the Most Preferred..  It is recognized as the primary attribute.

11 Usable Security – CS 6204 – Fall, 2009 – Dennis Kafura – Virginia Tech Observations: Preferred Interface  Identify the popular user interface.  Graphical User Interface and CLI.  Recognized as primary attribute.

12 Usable Security – CS 6204 – Fall, 2009 – Dennis Kafura – Virginia Tech Observations: Preferred Openness  Offers Customization to the tools.`  Open Source is Most preferred.  Recognized as primary attribute.

13 Usable Security – CS 6204 – Fall, 2009 – Dennis Kafura – Virginia Tech Observations: Preferred OS and UI  Users Preferred Command Line Interface on both Linux and OSX.  Similarly Windows Users would need GUI.  Developers are recommended to provide both GUI and CLI interfaces interchangebly.

14 Usable Security – CS 6204 – Fall, 2009 – Dennis Kafura – Virginia Tech Observations: Project Openness vs Supported OS  Availability of Open Projects on all the Operating Systems.  A Higher Range of Openness is expected only in Linux.

15 Usable Security – CS 6204 – Fall, 2009 – Dennis Kafura – Virginia Tech Usability Attributes Attribute Primary Attributes Check List  Operating System  User Interface  Community Involvement  Target System

16 Usable Security – CS 6204 – Fall, 2009 – Dennis Kafura – Virginia Tech PUA CheckList

17 Usable Security – CS 6204 – Fall, 2009 – Dennis Kafura – Virginia Tech

18 Secondary Attributes Secondary attributes in the area of interest to administrators. We found 18 distinct attributes from the survey results.

19 Usable Security – CS 6204 – Fall, 2009 – Dennis Kafura – Virginia Tech Secondary Attributes Documentation Customer Support Customizable Development Practices Cost Scale of Developed Maintenance Complexity Installation and Setup System Resources Default Settings Code Availability Platform Unique Effectiveness Scope Feedback Demographic

20 Usable Security – CS 6204 – Fall, 2009 – Dennis Kafura – Virginia Tech SUA Framework Documentation: Is the project well documented? This includes information on the purpose of the project, the functionality of the project, instructions on project use, etc? Customer Support: Is project support provided? Does the support come directly from the project developing entity or is it supported by a third party, like a community forum? Customizable: Does the project allow for customization or is it static? Can users change settings, add/remove components, etc? Development Practices: Where adequate coding development enforced during application development to ensure code security, test for correct functionality, minimize side effects, document code, etc? Cost: Is the price reasonable for the intended customer base?

21 Usable Security – CS 6204 – Fall, 2009 – Dennis Kafura – Virginia Tech Application to Project Pwntooth is a fully automated "search and destroy" project designed to automate Bluetooth pen-testing. Applying the PUA CheckList. Applying the SUA Framework.

22 Usable Security – CS 6204 – Fall, 2009 – Dennis Kafura – Virginia Tech Applying the PUA CheckList

23 Usable Security – CS 6204 – Fall, 2009 – Dennis Kafura – Virginia Tech Applying the PUA CheckList

24 Usable Security – CS 6204 – Fall, 2009 – Dennis Kafura – Virginia Tech Applying SUA Framework AttributeDescription DocumentationDocumentation is provided through execution of the application with the -h flag. The documentation includes a brief description of the tool as well as a description the functionality availably thought invoking various flags. The project is also accompanied by a changelog and installation instructions. Customer SupportCustomer support is mainly by the developer, but also through the user community. CustomizableUsers can customize which exploits are conducted and in what manner. The project is also customizable through the addition and removal of other Bluetooth auditing command line projects. Development Practices The project testing was done on a small scale by a single individual. Testing was expected of the community. CostFree of charge.

25 Usable Security – CS 6204 – Fall, 2009 – Dennis Kafura – Virginia Tech Conclusions and Future Work We have Identify Primary and Secondary attributes of a Security Project and Application. We Have applied this Attributes to the Security Application (PwnTooth). One-on-One Guided Interview. More Study on Day-to-Day issues.

26 Usable Security – CS 6204 – Fall, 2009 – Dennis Kafura – Virginia Tech Thank You!

Download ppt "Usable Security – CS 6204 – Fall, 2009 – Dennis Kafura – Virginia Tech Why Johnnys' Network got Owned by Evil Hackers Bent on World Domination and Johnny."

Similar presentations

1 Computational Asset Description for Cyber Experiment Support using OWL Telcordia Contact: Marian Nodine Telcordia Technologies Applied Research

1 Computational Asset Description for Cyber Experiment Support using OWL Telcordia Contact: Marian Nodine Telcordia Technologies Applied Research
New Security Issues Raised by Open Cards Pierre GirardJean-Louis Lanet GERMPLUS R&D.

New Security Issues Raised by Open Cards Pierre GirardJean-Louis Lanet GERMPLUS R&D.
Addressing IPv6 Vulnerabilities on Small Business Networks Bradley HainesVincent Pullano University of Cincinnati College of Education, Criminal Justice,

Addressing IPv6 Vulnerabilities on Small Business Networks Bradley HainesVincent Pullano University of Cincinnati College of Education, Criminal Justice,
Penetration Testing & Countermeasures Paul Fong & Cai Yu CS691 5 May 2003.

Penetration Testing & Countermeasures Paul Fong & Cai Yu CS691 5 May 2003.
Ch 4 The Process page 1CS 368 Building Software is Difficult often delivered late often over budget always with errors must be a custom solution complexity.

Ch 4 The Process page 1CS 368 Building Software is Difficult often delivered late often over budget always with errors must be a custom solution complexity.
Computer Security and Penetration Testing

Computer Security and Penetration Testing
©Ian Sommerville 2004Software Engineering, 7th edition. Chapter 1 Slide 1 An Introduction to Software Engineering.

©Ian Sommerville 2004Software Engineering, 7th edition. Chapter 1 Slide 1 An Introduction to Software Engineering.
DITSCAP Phase 2 - Verification Pramod Jampala Christopher Swenson.

DITSCAP Phase 2 - Verification Pramod Jampala Christopher Swenson.
ITIS3100 By Fei Xu. Acknowledge This document is basically a digest from “Wireshark User's Guide 25114 for Wireshark 1.0.0” You can download the software.

ITIS3100 By Fei Xu. Acknowledge This document is basically a digest from “Wireshark User's Guide for Wireshark 1.0.0” You can download the software.
Cambodia-India Entrepreneurship Development Centre - : :.... :-:-

Cambodia-India Entrepreneurship Development Centre - : :.... :-:-
Introduction to Software Testing

Introduction to Software Testing
Installing software on personal computer

Installing software on personal computer
Software Verification and Validation (V&V) By Roger U. Fujii Presented by Donovan Faustino.

Software Verification and Validation (V&V) By Roger U. Fujii Presented by Donovan Faustino.
Database Administration Chapter 16. Need for Databases  Data is used by different people, in different departments, for different reasons  Interpretation.

Database Administration Chapter 16. Need for Databases  Data is used by different people, in different departments, for different reasons  Interpretation.
Software Construction and Evolution - CSSE 375 Software Documentation 1 Shawn & Steve Right – For programmers, it’s a cultural perspective. He’d feel almost.

Software Construction and Evolution - CSSE 375 Software Documentation 1 Shawn & Steve Right – For programmers, it’s a cultural perspective. He’d feel almost.
 Advantages  Easy to learn  Graphical Advantages  Help and Support  Widely used  Software compatibility  Customisable  Customisable Hardware 

 Advantages  Easy to learn  Graphical Advantages  Help and Support  Widely used  Software compatibility  Customisable  Customisable Hardware 
The Business of Penetration Testing

The Business of Penetration Testing
IT:Network:Microsoft Applications

IT:Network:Microsoft Applications
Usable Security – CS 6204 – Fall, 2009 – Dennis Kafura – Virginia Tech Privacy Preferences Edgardo Vega Usable Security – CS 6204 – Fall, 2009 – Dennis.

Usable Security – CS 6204 – Fall, 2009 – Dennis Kafura – Virginia Tech Privacy Preferences Edgardo Vega Usable Security – CS 6204 – Fall, 2009 – Dennis.
Name: Abdullah Mohammed Alhatmi ID:86497 Course: Quality &Assurance Name: Abdullah Mohammed Alhatmi ID:86497 Course: Quality &Assurance Start.

Name: Abdullah Mohammed Alhatmi ID:86497 Course: Quality &Assurance Name: Abdullah Mohammed Alhatmi ID:86497 Course: Quality &Assurance Start.

Similar presentations

Ads by Google