Introduction 2
Contains:
1. Risk management
2. Assets
3. Threats & Vulnerabilities
4. Computer Security Definition
5. Goals of Security/Protection
6. Controls/Safeguards
7. Historical Perspective
Risk Management
Risk
(Fire = air x heat x fuel)
• For a risk to exist, three elements must be present at the same time, just as a fire needs air, heat and fuel: an asset worth protecting, a threat to that asset, and a vulnerability the threat can exploit. Remove any one of the three and the risk disappears.
Risk Assessment
The aim of a risk assessment process is to give management the information it needs to make reasonable decisions about how to prioritize the expenditure of resources on protecting the organization.
Risk Assessment
Risk Assessment & Treatment Process
Risk Assessment: What level of risk to accept?
It is virtually impossible to eliminate all types of risk at all times.
We therefore need to be selective about which risks to mitigate, in proportion to the potential cost to the organization should that risk occur.
The acceptable level of risk is a matter of prudence and depends on the available budget, time and personnel.
Residual Risk
The risk that remains after the chosen controls have been applied. It is this residual risk, not the original one, that management decides to accept, and it should be re-assessed whenever assets, threats or controls change.
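The assessment and treatment steps above can be made concrete with a small risk register. The following is an added example, not taken from the slides or any course material: it scores each risk as asset value x threat likelihood x vulnerability severity (so a zero in any factor gives no risk, matching the fire analogy), ranks the register, then greedily buys the controls with the best risk reduction per unit of cost until the budget is exhausted or every risk is at or below the accepted level, and reports the residual risk that remains. All assets, controls, scores, the 1..5 scales and the budget units are constructed for illustration.

```python
from dataclasses import dataclass, field

# Added example, not from the slides. Every name, score and cost below is
# constructed to illustrate the method; a real register uses the
# organization's own scales and data.


@dataclass
class Control:
    name: str
    cost: int         # in the same units as the budget passed to treat()
    reduction: float  # fraction of the current risk score the control removes


@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    asset_value: int  # 1..5: impact on the organization if the asset is lost
    likelihood: int   # 1..5: how likely the threat is to act
    severity: int     # 1..5: how easily the vulnerability can be exploited
    candidates: list = field(default_factory=list)  # controls available to buy
    applied: list = field(default_factory=list)     # controls already bought

    def inherent(self) -> int:
        # Risk needs all three factors present; a zero in any one means no
        # risk, just as a fire needs air, heat and fuel together.
        return self.asset_value * self.likelihood * self.severity

    def residual(self) -> float:
        # Residual risk: what is left after each applied control removes its share.
        score = float(self.inherent())
        for c in self.applied:
            score *= 1.0 - c.reduction
        return score


def rank(risks):
    """Asset names ordered from highest to lowest inherent risk."""
    return [r.asset for r in sorted(risks, key=lambda r: r.inherent(), reverse=True)]


def treat(risks, budget, acceptable):
    """Greedy treatment: repeatedly buy the affordable control with the best
    risk reduction per unit cost among risks still above the acceptable level,
    stopping when the budget runs out or every risk is acceptable.
    Returns the amount spent."""
    spent = 0
    while True:
        best = None
        for r in risks:
            if r.residual() <= acceptable:
                continue
            for c in r.candidates:
                if c in r.applied or spent + c.cost > budget:
                    continue
                gain_per_cost = r.residual() * c.reduction / c.cost
                if best is None or gain_per_cost > best[0]:
                    best = (gain_per_cost, r, c)
        if best is None:
            return spent
        _, r, c = best
        r.applied.append(c)
        spent += c.cost


def still_unacceptable(risks, acceptable):
    """Risks that management must either fund further or explicitly accept."""
    return [r.asset for r in risks if r.residual() > acceptable]


def sample_register():
    # Constructed register with three risks and their candidate controls.
    return [
        Risk("Customer database", "SQL injection", "Unvalidated input", 5, 4, 4,
             [Control("Parameterised queries", 3, 0.8), Control("WAF", 2, 0.4)]),
        Risk("File server", "Fire", "No extinguisher", 4, 1, 5,
             [Control("Fire extinguisher", 1, 0.5), Control("Off-site backup", 2, 0.7)]),
        Risk("Staff laptops", "Theft", "Unencrypted disks", 3, 3, 3,
             [Control("Full-disk encryption", 1, 0.9)]),
    ]


if __name__ == "__main__":
    register = sample_register()
    print("ranked:", rank(register))
    spent = treat(register, budget=4, acceptable=10)
    for r in register:
        print(f"{r.asset}: inherent {r.inherent()}, residual {r.residual():.1f}, "
              f"controls {[c.name for c in r.applied]}")
    print(f"spent {spent}; still above accepted level: {still_unacceptable(register, 10)}")
```

With a budget of 4 and an accepted level of 10, the greedy pass buys full-disk encryption first (cheapest large reduction), then parameterised queries, and then runs out of money: the database risk drops from 80 to 16 and the file-server risk is untouched at 20, so both stay on the list that management must fund in the next cycle or consciously accept. The multiplicative score and the greedy choice are deliberate simplifications; the point is that prioritization, budget and residual risk are explicit numbers rather than intuition.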
Organizational
(information) Assets
An asset is anything that needs to be
protected because it has value to the
organization and contributes to the
successful attainment of the organization’s
objectives.
Assets
Hardware
Software
Data (information)
Communication links
People
Security Terminology
The figure shows the relationships among some of these terms.
Threats & Vulnerabilities
Major Classes of Threats
Denial of service
Repudiation
Example of threats
Malicious logic (virus, worm, spam, …)
Eavesdropping
Password breaking/stealing
Buffer overflow
Social engineering
ICMP flooding
Spoofing
Cross-site scripting
Sniffing
Power failure
Masquerade
Earthquake
Zero-day attack
Fire
Illegal use of software
Traffic analysis
Man-in-the-middle
Example of Vulnerabilities
Absence of personnel
Insufficient security training
Lack of security awareness
Poorly documented software
Poorly configured system/software
Lack of policies
Poor password management
Missing or poorly implemented security guards
Flaws in the system or software
Lack of effective change control
Unauthorized installation of software
Threats to Hardware
Denial of service:
Damage to equipment (accidental or deliberate)
Power failures
Fire
Flood
Theft
Threats to Software
Denial of service
Corruption
Deletion
Unauthorized modification
Virus, Trojan horse, worm
Threats to Data
Unauthorized disclosure
Unauthorized modification
Denial of service
Repudiation
Traffic analysis
Threats to Communication Links
Denial of service
… Communication Links
Denial of Service
A trivial resource-exhaustion attack: a loop that keeps creating a directory and descending into it, consuming inodes and directory depth until the file system or the process limits give out (shell form of the slide's pseudocode):
while true; do
    mkdir x   # one more inode per iteration
    cd x      # fails once the path-length limit is reached; mkdir then fails with EEXIST and the loop just spins
done
The controls against this kind of attack are resource limits: per-user disk and inode quotas, process resource limits, and monitoring of file-system usage.
Goals of Security/Protection
Information Security
Computer Security
Goals of Security/Protection
The CIA Triad
These three concepts form what is often referred to as the CIA triad. They embody the fundamental security objectives for both data and for information and computing services:
Confidentiality
Integrity
Availability
The CIA Triad
Confidentiality:
Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information. A loss of confidentiality is the unauthorized disclosure of information.
Integrity:
Guarding against improper information modification or destruction, including ensuring information non-repudiation and authenticity. A loss of integrity is the unauthorized modification or destruction of information.
Availability:
Ensuring timely and reliable access to and use of information. A loss of availability is the disruption of access to or use of information or an information system.
Beyond the CIA Triad
Two further goals are commonly added to the triad:
Authenticity:
The property of being genuine and being able to be verified and trusted; confidence in the validity of a transmission, a message, or a message originator.
Accountability:
The security goal that generates the requirement for actions of an entity to be traced uniquely to that entity.
Controls/Safeguards
Examples of Controls
Authentication
Software patching
Cryptography
Access Control
Fire extinguisher
Backup
Security Policy
ID Badge
Security Functional Requirements
Controls
Management
Technical
Operational
Management Controls
Focus on security policies, planning, guidelines, and standards that influence the selection of operational and technical controls to protect the organization.
Management Controls
Security policy
Background checking of employees
Training/awareness
Technical Controls
Involve the correct use of hardware and
software security capabilities in systems.
These range from simple to complex measures that work together to secure the critical and sensitive assets of the organization.
Technical Controls
Login
Encryption
Authentication protocol
Access control
Firewall
etc.
Operational Controls
Address the correct implementation and
use of security policies and standards,
ensuring consistency in security operations
and correcting identified operational
deficiencies. These controls relate to
mechanisms and procedures that are
primarily implemented by people rather
than systems
Operational Controls
Backup/Restore
Monitor audit trails
Account/privilege management
Media disposal
Patching
Controls/Safeguards
[Directive controls]
Preventive controls
Detective controls
[Corrective/Responsive controls]
Recovery controls
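Where the categories above are abstract, the following added example (not from the slides; the subjects, objects, ACL entries, requests and key are all constructed for illustration) shows three of them working together: a reference monitor that enforces an access-control list is a preventive control; a check over its audit trail that flags subjects with repeated denials is a detective control; and an HMAC over each audit record makes unauthorized modification of the trail itself detectable, which serves the integrity and accountability goals from the previous section.

```python
import hashlib
import hmac
from collections import Counter

# Added example, not from the slides. The ACL, the subjects, the requests and
# the key are all constructed for illustration; a real key would come from a
# key store, never from source code.


def seal(record, key):
    """HMAC-SHA256 over one audit record so later tampering is detectable."""
    return hmac.new(key, "|".join(record).encode(), hashlib.sha256).hexdigest()


class ReferenceMonitor:
    """Every access request passes through check(); nothing is allowed unless
    the ACL lists it (default deny), and every decision is recorded."""

    def __init__(self, acl, key):
        self.acl = acl      # object -> subject -> set of permitted operations
        self.key = key
        self.audit = []     # list of (record, tag); record = (subject, op, object, decision)

    def check(self, subject, op, obj):
        # Preventive control: an unknown object or subject gets nothing.
        allowed = op in self.acl.get(obj, {}).get(subject, set())
        record = (subject, op, obj, "ALLOW" if allowed else "DENY")
        self.audit.append((record, seal(record, self.key)))
        return allowed

    def suspicious_subjects(self, threshold=3):
        """Detective control: subjects with `threshold` or more denials, the
        sort of pattern that monitoring the audit trail is meant to surface."""
        denials = Counter(rec[0] for rec, _ in self.audit if rec[3] == "DENY")
        return sorted(s for s, n in denials.items() if n >= threshold)

    def tampered_records(self):
        """Integrity check on the trail: indices whose tag no longer matches."""
        return [i for i, (rec, tag) in enumerate(self.audit)
                if not hmac.compare_digest(seal(rec, self.key), tag)]


def demo_acl():
    # Constructed ACL: who may do what to which object.
    return {
        "payroll.db": {"alice": {"read", "write"}, "bob": {"read"}},
        "web.log": {"alice": {"read"}, "bob": {"read", "write"}},
    }


def run_demo():
    rm = ReferenceMonitor(demo_acl(), key=b"constructed-demo-key")
    # Constructed sequence of requests: bob probes for more than he was granted.
    requests = [
        ("alice", "write", "payroll.db"),
        ("bob", "read", "payroll.db"),
        ("bob", "write", "payroll.db"),
        ("bob", "delete", "payroll.db"),
        ("bob", "read", "secrets.txt"),
        ("mallory", "read", "payroll.db"),
    ]
    decisions = [rm.check(*req) for req in requests]
    return rm, decisions


if __name__ == "__main__":
    rm, decisions = run_demo()
    print("decisions:", decisions)
    print("suspicious:", rm.suspicious_subjects())
    # Someone rewriting a DENY into an ALLOW in the stored trail is caught:
    rec, tag = rm.audit[2]
    rm.audit[2] = (rec[:3] + ("ALLOW",), tag)
    print("tampered records:", rm.tampered_records())
```

Two caveats a practitioner would add: the default-deny lookup is what makes the monitor a preventive control (an ACL that only lists denials would let every unlisted request through), and a per-record HMAC detects modification of a record but not deletion or reordering of records; chaining each tag over the previous one, or forwarding the trail to a separate log host, covers those cases.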
Functionality
Moving the ball towards security means moving away from functionality and ease of use.
You can’t stop a hacker
The only thing you can do is make it harder for a hacker to get into your system!
Historical Perspective
Mainframes/Minicomputers
Multiuser/multitasking
Each terminal is connected to the mainframe over a dedicated line
The security threat is mainly internal
The only external threat was physical
Once a user was connected to the mainframe, no serious danger was expected
Mainframe/Mini
Physical security
Well-guarded computer room
Limited access to personnel
Internal threats
Mainly file protections, as typically provided in UNIX operating systems
Centralized control of all resources
No communication to the external world
Personal Computers
Single user and unshared
No internal threats
Physical security
Networked Computers (LAN)
Usually under one organization and under one or a few “centralized” controls (domains)
It is possible to impose a uniform security policy and hence deter malicious activities
Shared and unshared resources
Shared files and applications on servers
Personal files on PCs
The LAN itself is a shared resource (not a dedicated one)
Networked Computers (LAN)
Communication is now peer-to-peer (no longer terminal-to-mainframe)
The resources on the servers must be protected against unauthorized access
So must those on the individual nodes (PCs)
Internet
(centralized) OS Security
Authentication (login)
Access control
Memory
File, Printer
Confidentiality/Encryption
Integrity
Security Policy
“If you think technology can solve your security problems, then you don’t understand the problems and you don’t understand the technology”
(Bruce Schneier)