Introduction
Contains:
1. Risk management
2. Assets
3. Threats & Vulnerabilities
4. Computer Security Definition
5. Goals of Security/Protection
6. Controls/Safeguards
7. Historical Perspective
1
Risk Management
It deals with the process of identifying, assessing and treating risk.
2
Risk
The likelihood of a given threat exploiting the vulnerability of an asset (or assets) to cause harm or loss to the organization.
Risk is probabilistic: it can be qualitative (Low, Medium, High) or quantitative.
3
Risk
Risk = threat x vulnerability x asset
(Compare: Fire = air x heat x fuel)
• For a risk to materialize, all three factors must be present, just as all three are needed for a fire.
4
Risk Assessment
The aim of a risk assessment process is to provide management with the information necessary to make reasonable decisions to prioritize the expenditure of resources on the protection of an organization.
5
Risk Assessment
An expensive and time-consuming undertaking.
The rapid pace of change in IT, and thus in assets and their corresponding threats and controls, makes RA a cyclic process and discourages many in the industry.
6
Risk Assessment & Treatment Process
1. Asset identification and valuation
2. Identification of threats & vulnerabilities (to those assets)
3. Determination of the likelihood and frequency of the threats
4. Determination of the potential loss to the organization
5. Identification and evaluation of risk treatment options
6. Selection of security controls (safeguards) or acceptance of risks
7
Risk Assessment: What level of risk to accept?
It is virtually impossible to eliminate all types of risk at all times.
There is a need to be selective about the risks we mitigate, commensurate with the potential cost to the organization should that risk occur.
An acceptable level of risk simply requires prudence, which depends on the available budget, time and personnel resources.
8
Residual Risk
A risk that an organization is willing to take due to one or more of the following reasons:
The risk treatment is too expensive or simply unavailable
The risk is considered to be infrequent enough, or its impact is tolerable
9
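The assessment and treatment steps above, together with the Risk = threat x vulnerability x asset formula and the residual-risk decision, can be worked through in code. The following is an added example written for these notes, not from the slides: the 1..3 scales, the Low/Medium/High thresholds, the control names and their cost and effect figures are all constructed assumptions.

```python
from dataclasses import dataclass

# All scales are 1..3 (1 = Low, 2 = Medium, 3 = High). The scale, the
# thresholds and the sample figures below are assumptions for this example.

@dataclass
class Asset:
    name: str
    value: int          # how much the asset is worth to the organization

@dataclass
class Threat:
    name: str
    likelihood: int     # how likely the threat is to act

@dataclass
class Vulnerability:
    name: str
    severity: int       # how easily the weakness can be exploited

@dataclass
class Control:
    name: str
    cost: int
    reduces_likelihood: int = 0   # levels removed from threat likelihood
    reduces_severity: int = 0     # levels removed from vulnerability severity

ORDER = {"Low": 0, "Medium": 1, "High": 2}

def risk_score(threat, vuln, asset):
    """Steps 3-4: Risk = threat x vulnerability x asset, giving a value in 1..27."""
    return threat.likelihood * vuln.severity * asset.value

def qualitative(score):
    """Map the product onto the slides' Low / Medium / High scale (assumed cut-offs)."""
    if score >= 12:
        return "High"
    if score >= 4:
        return "Medium"
    return "Low"

def apply_control(threat, vuln, control):
    """Threat and vulnerability as they look once the control is in place."""
    t = Threat(threat.name, max(1, threat.likelihood - control.reduces_likelihood))
    v = Vulnerability(vuln.name, max(1, vuln.severity - control.reduces_severity))
    return t, v

def treat_risk(threat, vuln, asset, options, budget, acceptable="Medium"):
    """Steps 5-6: choose the cheapest affordable control that brings the residual
    risk down to the acceptable level; if none exists, the risk is accepted."""
    inherent = risk_score(threat, vuln, asset)
    if ORDER[qualitative(inherent)] <= ORDER[acceptable]:
        return {"decision": "accept", "control": None, "residual": inherent}
    for control in sorted(options, key=lambda c: c.cost):
        if control.cost > budget:
            continue
        t, v = apply_control(threat, vuln, control)
        residual = risk_score(t, v, asset)
        if ORDER[qualitative(residual)] <= ORDER[acceptable]:
            return {"decision": "mitigate", "control": control.name, "residual": residual}
    # No affordable control works: this is residual risk the organization carries.
    return {"decision": "accept (treatment too expensive or unavailable)",
            "control": None, "residual": inherent}

def demo(budget):
    """Constructed scenario: a high-value database exposed through weak passwords."""
    asset = Asset("customer database", 3)
    threat = Threat("password stealing", 3)
    vuln = Vulnerability("poor password management", 3)
    options = [
        Control("security awareness training", cost=2, reduces_likelihood=1),
        Control("password policy plus MFA", cost=5, reduces_severity=2),
    ]
    return treat_risk(threat, vuln, asset, options, budget)

if __name__ == "__main__":
    for b in (3, 10):
        print(f"budget={b}: {demo(b)}")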
Organizational (information) Assets
An asset is anything that needs to be protected because it has value to the organization and contributes to the successful attainment of the organization's objectives.
10
Assets
Hardware
Software
Data (information)
Communication links
People
11
Security Terminology
The figure shows the relationships among some of these terms.
12
Security Terminology
Adversary (threat agent) - An entity that attacks, or is a threat to, a system.
Attack - An assault on system security that derives from an intelligent threat; a deliberate attempt to evade security services and violate the security policy of a system.
13
Security Terminology
Countermeasure - An action, device, procedure, or technique that reduces a threat, a vulnerability, or an attack by eliminating or preventing it, by minimizing the harm it can cause, or by discovering and reporting it so that corrective action can be taken.
14
Security Terminology
Risk - An expectation of loss expressed as the probability that a particular threat will exploit a particular vulnerability with a particular harmful result.
Security Policy - A set of rules and practices that specify how a system or organization provides security services to protect sensitive and critical system resources.
15
Security Terminology
System Resource (Asset) - Data; a service provided by a system; a system capability; an item of system equipment; a facility that houses system operations and equipment.
Threat - A potential for violation of security, which exists when there is a circumstance, capability, action, or event that could breach security and cause harm.
16
Security Terminology
Vulnerability - A flaw or weakness in a system's design, implementation, or operation and management that could be exploited to violate the system's security policy.
17
Threats & Vulnerabilities
Threat: A potential cause of an unwanted incident which may result in harm to a system or organization.
Vulnerability: A weakness in an asset or a group of assets (or a system) which can be exploited by a threat.
18
Major Classes of Threats
Disclosure: interception, listening, wiretapping, inference
Deception: masquerade, fabrication, repudiation
Disruption: interruption, corruption, obstruction
Usurpation: "unauthorized control of a part of a system"
19
These Major Classes of Threats Result in
Masquerade/Impersonation
Unauthorized modification/alteration
Unauthorized disclosure of data
Unauthorized disclosure of traffic
Denial of service
Repudiation
20
Examples of threats
Malicious logic (virus, worm, spam ...)
Password breaking/stealing
Social engineering
Spoofing
Sniffing
Masquerade
Zero-day attack
Illegal use of software
Traffic analysis
Man-in-the-middle
Eavesdropping
Buffer overflow
ICMP flooding
Cross-site scripting
Power failure
Earthquake
Fire
21
Example of Vulnerabilities
Absence of personnel
Insufficient security training
Lack of security awareness
Poorly documented software
Poorly configured system/software
Lack of policies
Poor password management
Lack of, or poorly implemented, security guards
Flaws in the system or software
Lack of effective change control
Unauthorized installation of software
22
Threats to Hardware
Denial of service:
Damage to equipment (accidental or deliberate)
Power failures
Fire
Flood
Theft
23
Threats to Software
Denial of service: corruption, deletion
Unauthorized modification: corruption
Virus, Trojan horse, worm
24
Threats to Data
Unauthorized disclosure
Unauthorized modification
Denial of service
Repudiation
Traffic analysis
25
Threats to Communication Links
Denial of service
26
... Communication Links
Networks are primary targets for hackers, mainly because:
• they provide connectivity to a wide number of sites (without a geographical barrier);
• strong physical security measures at computer sites leave the network as the easier way in;
• a growing amount of valuable information transits the networks (eCommerce, ATM, POS, application servers, cloud computing, etc.);
• some network technologies are easy targets (wireless, satellite).
27
Denial of Service
    while (1)
        mkdir x;
        cd x;
    end
1. What is the effect of the above code snippet?
2. Which existing operating systems have a mechanism to counter such an attack?
3. How would you enhance the security model of an OS (of your choice) in order to counter such an attack?
28
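The loop on the slide exhausts a shared resource (directory entries, and eventually the filesystem's inodes) rather than CPU, which is why the usual answer to question 2 is per-user filesystem quotas with an inode limit. A detective control is still useful alongside the quota. The following is an added example, not from the slides: a monitor that measures nesting depth, directory count and inode usage, and a bounded `build_chain` helper that creates a fixed number of nested directories in a temporary location so the check can be exercised safely. Function names and the thresholds are assumptions for this example.

```python
import os
import tempfile

def scan_tree(root, max_depth=64, max_dirs=10_000):
    """Detective check: walk root, measure nesting depth and directory count,
    and stop as soon as either threshold is crossed (walking a runaway tree is
    itself expensive, so the monitor must not become a second victim)."""
    root = os.path.abspath(root)
    deepest = 0
    count = 0
    for dirpath, dirnames, _ in os.walk(root):
        depth = dirpath[len(root):].count(os.sep)   # root itself is depth 0
        deepest = max(deepest, depth)
        count += len(dirnames)
        if deepest > max_depth or count > max_dirs:
            break
    return {"max_depth": deepest, "dir_count": count,
            "suspicious": deepest > max_depth or count > max_dirs}

def inode_usage(path):
    """Fraction of the filesystem's inodes in use: the resource the loop consumes.
    Returns None on platforms without statvfs (e.g. Windows)."""
    if not hasattr(os, "statvfs"):
        return None
    st = os.statvfs(path)
    return (st.f_files - st.f_ffree) / st.f_files if st.f_files else None

def build_chain(root, depth):
    """Bounded stand-in for the slide's loop: exactly `depth` nested 'x'
    directories, created in one call, then the function returns."""
    os.makedirs(os.path.join(root, *(["x"] * depth)))

def demo(depth, max_depth=64):
    """Create a chain of the given depth in a throwaway directory and scan it.
    The temporary directory is removed when the function returns."""
    with tempfile.TemporaryDirectory() as tmp:
        build_chain(tmp, depth)
        return scan_tree(tmp, max_depth=max_depth)

if __name__ == "__main__":
    print("shallow tree:", demo(3))
    print("runaway tree:", demo(80))
    print("inode usage of cwd:", inode_usage("."))
```

A quota stops the loop by making `mkdir` fail once the user's inode budget is spent; the scan above is what an operator would run (or schedule) to notice a tree that is growing past any sensible depth before the budget is exhausted.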
Goals of Security/Protection
29
Information Security
Information security is the collection of technologies, standards, policies and management practices that are applied to an information system to keep it secure.
30
Computer Security
The protection afforded to an automated information system in order to attain the applicable objectives of preserving the confidentiality, integrity and availability of information system resources [Stallings & Brown].
31
Goals of Security/Protection
The CIA Triad
These three concepts form what is often referred to as the CIA triad. The three concepts embody the fundamental security objectives for both data and for information and computing services.
Confidentiality
Integrity
Availability
32
The CIA Triad
A useful characterization of these three objectives in terms of requirements, and the definition of a loss of security in each category, follows on the next slides.
33
The CIA Triad
Confidentiality:
Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information. A loss of confidentiality is the unauthorized disclosure of information.
34
The CIA Triad
Integrity:
Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity. A loss of integrity is the unauthorized modification or destruction of information.
35
The CIA Triad
Availability:
Ensuring timely and reliable access to and use of information. A loss of availability is the disruption of access to or use of information or an information system.
36
The CIA Triad
Although the use of the CIA triad to define security objectives is well established, some in the security field feel that additional concepts are needed to present a complete picture. Two of the most commonly mentioned are:
37
The CIA Triad
Authenticity:
The property of being genuine and being able to be verified and trusted; confidence in the validity of a transmission, a message, or a message originator.
Accountability:
The security goal that generates the requirement for actions of an entity to be traced uniquely to that entity.
38
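The slides define integrity (no improper modification) and authenticity (genuine, verifiable origin) separately, and the difference is easiest to see in code. The following is an added example, not from the slides: a plain hash appended to a message detects accidental corruption but anyone can recompute it, whereas an HMAC over the message can only be produced by a holder of the key. The key and messages are constructed sample values.

```python
import hashlib
import hmac

TAG_LEN = 32  # SHA-256 digest size in bytes

def hash_protect(message: bytes) -> bytes:
    """Integrity only: append a plain SHA-256 digest of the message."""
    return message + hashlib.sha256(message).digest()

def hash_verify(blob: bytes):
    """Accept the message if the digest matches; anyone can produce a matching one."""
    if len(blob) < TAG_LEN:
        return None
    message, digest = blob[:-TAG_LEN], blob[-TAG_LEN:]
    return message if hashlib.sha256(message).digest() == digest else None

def mac_protect(message: bytes, key: bytes) -> bytes:
    """Integrity and authenticity: append an HMAC that needs the key to compute."""
    return message + hmac.new(key, message, hashlib.sha256).digest()

def mac_verify(blob: bytes, key: bytes):
    """Accept the message only if the tag was produced with the same key."""
    if len(blob) < TAG_LEN:
        return None
    message, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, message, hashlib.sha256).digest()
    # compare_digest runs in constant time, so the check does not leak the tag
    return message if hmac.compare_digest(tag, expected) else None

def demo():
    """Constructed scenario: an order is altered in transit by someone without the key."""
    key = b"example-shared-key-not-for-real-use"   # constructed sample key
    genuine = b"pay alice 100"
    altered = b"pay mallory 999"

    # Plain hash: the modifier simply recomputes the digest and the check passes.
    hash_accepts_forgery = hash_verify(hash_protect(altered)) == altered

    # HMAC: reusing the old tag, flipping a byte, or signing with another key all fail.
    blob = mac_protect(genuine, key)
    reused_tag = altered + blob[-TAG_LEN:]
    flipped = bytes([blob[0] ^ 0x01]) + blob[1:]
    wrong_key = mac_protect(altered, b"some-other-key")
    return {
        "hash_accepts_forgery": hash_accepts_forgery,
        "mac_accepts_genuine": mac_verify(blob, key) == genuine,
        "mac_rejects_reused_tag": mac_verify(reused_tag, key) is None,
        "mac_rejects_flipped_byte": mac_verify(flipped, key) is None,
        "mac_rejects_wrong_key": mac_verify(wrong_key, key) is None,
    }

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The HMAC gives the receiver confidence in the originator because only key holders can produce a valid tag; accountability in the slides' sense additionally requires that each entity has its own key and that verified messages are logged, so actions can later be traced to one entity.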
Controls/Safeguards
Practices, procedures, or mechanisms which may protect against a threat, reduce a vulnerability, limit the impact of an unwanted incident, detect unwanted incidents and facilitate recovery.
39
Examples of Controls
Authentication
Software patching
Cryptography
Access Control
Fire extinguisher
Backup
Security Policy
ID Badge
40
Security Functional Requirements
The requirements encompass a wide range of countermeasures to security vulnerabilities and threats. Each of the functional areas may involve both computer security technical measures and management measures.
41
Security Functional Requirements
Functional areas that primarily require computer security technical measures include access control; identification and authentication; system and communication protection; and system and information integrity.
42
Security Functional Requirements
Functional areas that primarily involve management controls and procedures include awareness and training; audit and accountability; certification, accreditation, and security assessments; contingency planning; maintenance; physical and environmental protection; planning; personnel security; risk assessment; and systems and services acquisition.
43
Security Functional Requirements
Functional areas that overlap computer security technical measures and management controls include configuration management; incident response; and media protection.
44
Controls
Management
Technical
Operational
45
Management Controls
Focus on security policies, planning, guidelines, and standards that influence the selection of operational and technical controls to protect the organization.
46
Management Controls
Security policy
Background checking of employees
Training/awareness
Physical and environmental protection
Security risk assessment
47
Technical Controls
Involve the correct use of hardware and software security capabilities in systems. These range from simple to complex measures that work together to secure the critical and sensitive assets of the organization.
48
Technical Controls
Login
Encryption
Authentication protocol
Access control
Firewall
Intrusion detection system
etc
49
Operational Controls
Address the correct implementation and use of security policies and standards, ensuring consistency in security operations and correcting identified operational deficiencies. These controls relate to mechanisms and procedures that are primarily implemented by people rather than systems.
50
Operational Controls
Backup/Restore
Monitor audit trails
Account/privilege management
Monitoring and adjusting the firewall
Media disposal
Patching
51
Controls/Safeguards
[Directive controls]
Preventive controls
Detective controls
[Corrective/Responsive controls]
Recovery controls
52
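"Monitor audit trails" in the operational controls list and "detective controls" in the classification above are both realized by logic of the kind below: an added example, not from the slides, that reads authentication log lines, keeps a sliding window of failures per source address, and raises an alert when the threshold is reached (and again if a success follows a burst of failures, which is what a detective control should hand to the responsive one). The log format, the addresses (RFC 5737 documentation ranges), the threshold and the window are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed line format for this example; real logs (sshd, Windows 4625) differ.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

def parse(line):
    """Return the fields of one log line, or None for a line that does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "result": m["result"],
            "user": m["user"], "src": m["src"]}

def detect_bruteforce(lines, threshold=5, window=timedelta(minutes=2)):
    """Detective control over the audit trail.

    Keeps, per source address, the timestamps of failures inside the sliding
    window; alerts once when the count reaches the threshold, and alerts again
    if a success arrives while that many failures are still in the window.
    Returns a list of (src, timestamp, reason) tuples in log order."""
    recent = defaultdict(deque)   # src -> timestamps of recent failures
    alerted = set()               # sources already reported for this burst
    alerts = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue                     # skip malformed lines, never crash the monitor
        q = recent[ev["src"]]
        while q and ev["ts"] - q[0] > window:
            q.popleft()                  # drop failures that aged out of the window
        if ev["result"] == "OK":
            if len(q) >= threshold:
                alerts.append((ev["src"], ev["ts"],
                               "successful login after repeated failures"))
            q.clear()
            alerted.discard(ev["src"])
            continue
        q.append(ev["ts"])
        if len(q) >= threshold and ev["src"] not in alerted:
            alerted.add(ev["src"])
            alerts.append((ev["src"], ev["ts"],
                           f"{threshold} failures within {window}"))
    return alerts

# Constructed sample audit trail: one source hammering the service, two benign ones.
SAMPLE_LOG = """\
2024-05-01T10:00:01 auth FAIL user=root src=203.0.113.5
2024-05-01T10:00:05 auth FAIL user=admin src=203.0.113.5
2024-05-01T10:00:06 auth FAIL user=bob src=198.51.100.7
2024-05-01T10:00:09 auth FAIL user=root src=203.0.113.5
2024-05-01T10:00:14 auth FAIL user=alice src=203.0.113.5
2024-05-01T10:00:20 auth FAIL user=alice src=203.0.113.5
2024-05-01T10:00:31 auth FAIL user=alice src=203.0.113.5
this line is not in the expected format
2024-05-01T10:00:50 auth OK user=alice src=203.0.113.5
2024-05-01T10:05:00 auth FAIL user=bob src=198.51.100.7
2024-05-01T10:06:00 auth OK user=bob src=198.51.100.7
2024-05-01T10:10:00 auth FAIL user=carol src=192.0.2.9
2024-05-01T10:15:00 auth FAIL user=carol src=192.0.2.9
2024-05-01T10:20:00 auth FAIL user=carol src=192.0.2.9
2024-05-01T10:25:00 auth FAIL user=carol src=192.0.2.9
2024-05-01T10:30:00 auth FAIL user=carol src=192.0.2.9
"""

def demo():
    return detect_bruteforce(SAMPLE_LOG.splitlines())

if __name__ == "__main__":
    for src, ts, reason in demo():
        print(f"{ts.isoformat()} {src}: {reason}")
```

Note the third source: five failures spread over twenty minutes never trigger, because the window keeps the detective control from flagging a user who simply mistypes a password now and then. The corresponding preventive or responsive control (a lockout or a firewall rule for the flagged source) is a separate decision, fed by these alerts.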
Functionality vs. Security
Moving the ball towards security means moving away from functionality and ease of use.
[Figure: a slider with Security at one end and Ease of Use at the other]
53
You can't stop a hacker
The only thing you can do is make it harder for a hacker to get into your system!
54
Historical Perspective
55
Mainframes/Mini
Multiuser/multitasking
Each terminal is connected to the mainframe using a dedicated line
Security threat is mainly internal
External threat was just physical
Once connected to the mainframe, no serious danger is expected
56
Mainframe/Mini
Physical security
Well guarded computer room
Limited access to personnel
Internal threats
Mainly file protections as typically provided in the UNIX operating systems
Centralized control of all resources
No communication to the external world
57
Personal Computers
Single user and unshared
No internal threats
No login request on most PCs
Physical security
58
Networked Computers (LAN)
Usually under one organization and under one or a few "centralized" controls (domains)
It is possible to impose a uniform security policy and hence deter malicious activities
Shared and unshared resources:
Shared files and applications on servers
Personal files on PCs
The LAN itself is a shared resource (and not a dedicated one)
59
Networked Computers (LAN)
Communication is now peer-to-peer (no longer terminal-to-mainframe)
The resources on the servers must be protected against unauthorized access
So must those on the individual nodes (PCs)
60
Internet
Blows the LAN up to a global scale
A big untrusted zone (or set of domains)
Virtually impossible not to get probed
The danger is now exponential
No owner and no "centralized" control
There cannot be a single "security policy"
61
62
(centralized) OS Security
Authentication (login)
Access control (memory; files, printers)
Confidentiality/Encryption
Integrity
63
Security Policy
A high-level management document that describes the management's expectation of the employees' security practice and responsibilities.
It sets a clear direction and demonstrates the management's support for and commitment to information security.
64
"If you think technology can solve your security problems, then you don't understand the problems and you don't understand the technology"
65