Basic Security Concepts University of Sunderland CIT304 Harry R Erwin, PhD.

Presentation transcript:
1 Basic Security Concepts University of Sunderland CIT304 Harry R Erwin, PhD

2 Analyzing Security (from Schneier, 2003, Beyond Fear)
These are the questions we must usually answer.
1. What assets are you trying to protect?
2. What are the risks to those assets?
3. How are you trying to protect them?
4. How well does your solution work?
5. What other risks does your solution introduce?
6. What are the costs and trade-offs of your solution?
(I often ask this as an exam question.)

3 Systems
Security involves systems, and systems are not simple. They’re complex, elusive, and maddening.
–A system is ‘a collection of simpler components that interact to form a greater whole.’
–Hardware, software, people, and procedures.
–Systems also interact with other systems.
–Unexpected interactions are called ‘emergent properties’ or ‘unintended consequences.’ These are our concern.

4 Security Systems
Most systems do something. Security systems are different—they prevent things from happening.
You will care about how systems fail and how they can be made to fail. It’s ‘applied paranoia.’

5 The Roles of People in Security
–Decision-makers—choose what mechanisms and policies to follow, often to further their own agendas.
–Users—cooperative or uncooperative. Basic to making security work.
–Innocent bystanders—not involved, but still often affected.
–Attackers—sometimes not malicious, but usually intending to do what they did.

6 Bruce Schneier’s Three Rules of Understanding Security
–Schneier Risk Demystification: Numbers matter and are not that hard to understand.
–Schneier Secrecy Demystification: Secrecy is anathema to security:
 –It’s brittle
 –It conceals abuse
 –It prevents sensible trade-offs
–Schneier Agenda Demystification: Know the agendas of the people involved in a security decision. They usually drive the decision in certain directions.

7 Basic Terminology
–Vulnerability
–Threat
–Risk
–Trust
–Reliability
–Security
–Integrity
(Know these definitions cold!)

8 Vulnerability
‘A weakness that may lead to undesirable consequences.’
Typical vulnerabilities include:
–Hardware
–Software
–Procedure
–External or environmental

9 Threat
‘The danger that a vulnerability will actually occur.’
Describes how the vulnerability would be attacked:
–E.g., a buffer overflow is the vulnerability, and the threat would be transmission of a TCP/IP packet crafted to cause the buffer overflow.
Should be quantified by a rate of attack—i.e., how frequently an effective attack can be expected to occur.

10 Risk
‘A potential problem’, consisting of a
–Vulnerability
–Threat (expected attack rate)
–Expected extent of the consequences.
Hence risk in this sense is a cost per unit of time (although the elements may be very hard to estimate).
You can also think about the capital cost of risk. To convert between the two, you use the cost of money (i.e., interest).
These are what managers must evaluate against the costs of mitigating the risk.

11 Trust
‘A relationship between two entities where one entity allows the other to perform certain actions.’
–In traditional security, trust is based on need to know, and can be managed by security level and authorizations.
–In e-commerce, it becomes very complex. Currently a leading-edge research area.

12 Reliability
‘The system performs functionally as expected.’
Related to availability. Availability (a fraction) can be computed numerically as the time the system is actually functional divided by the time the system is supposed to be functional.
Related terminology includes:
–MTTF—mean time to failure (time)
–MTTR—mean time to repair (time)
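The arithmetic behind slides 10 and 12, as an added example that is not part of the lecture: risk as a cost per unit time, its conversion to a capital sum via an interest rate, a mitigation trade-off, and availability from MTTF and MTTR. All numbers are constructed for illustration.

```python
# Added example (not from the slides). Risk and reliability arithmetic
# from slides 10 and 12; every input value below is constructed.

def annual_risk_cost(attack_rate_per_year: float, expected_loss: float) -> float:
    """Risk as cost per unit time: threat (expected effective attack rate)
    times the expected extent of the consequences of one attack."""
    return attack_rate_per_year * expected_loss


def capital_cost_of_risk(annual_cost: float, interest_rate: float) -> float:
    """Convert a recurring annual cost into an equivalent capital sum using
    the cost of money: the lump sum that would yield annual_cost as interest
    each year at interest_rate (a perpetuity)."""
    if interest_rate <= 0:
        raise ValueError("interest rate must be positive")
    return annual_cost / interest_rate


def mitigation_net_benefit(original_rate: float, residual_rate: float,
                           expected_loss: float, annual_mitigation_cost: float) -> float:
    """What a manager must evaluate: risk removed by a control, less the
    annual cost of the control. Positive means the control pays for itself."""
    removed = annual_risk_cost(original_rate, expected_loss) \
        - annual_risk_cost(residual_rate, expected_loss)
    return removed - annual_mitigation_cost


def availability(mttf_hours: float, mttr_hours: float) -> float:
    """Availability as a fraction: time actually functional (one MTTF per
    failure cycle) divided by time supposed to be functional (MTTF + MTTR)."""
    if mttf_hours < 0 or mttr_hours < 0 or mttf_hours + mttr_hours == 0:
        raise ValueError("MTTF and MTTR must be non-negative and not both zero")
    return mttf_hours / (mttf_hours + mttr_hours)


if __name__ == "__main__":
    # Constructed scenario: 2 effective attacks/year, 50,000 loss each,
    # 5% cost of money, a control costing 40,000/year that cuts the rate to 0.5.
    yearly = annual_risk_cost(2, 50_000)            # 100000
    print("risk per year:", yearly)
    print("capital cost:", capital_cost_of_risk(yearly, 0.05))   # 2000000
    print("net benefit:", mitigation_net_benefit(2, 0.5, 50_000, 40_000))  # 35000
    print("availability:", availability(990, 10))   # 0.99
```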

13 Security
‘Freedom from undesirable events’—hence much broader than the usual concept.
In the UK, there are three elements to security (in a narrow sense) often listed:
–Confidentiality—‘protection of data from unauthorized access.’
–Integrity—‘protection of data from unauthorized modification.’ More generally, certain desirable conditions are maintained over time.
–Availability—‘the system is usable by authorized users.’

14 Summary
A security analyst, a safety analyst, and a risk analyst have very similar job descriptions—all are concerned with managing risk. Risk is expensive.
The distinctive character of the security analyst’s job reflects a primary concern with malicious and intelligent threats.
The US security analysis community was unsurprised by the events of 11/9/2001—we had already thought about the scenario (and worse ones).

15 Assignment
Over the next two weeks, read Schneier (2003) Beyond Fear. We’ll pick up security again in two weeks.
