Security Concepts
Architecture
Security Concepts
(chapter 6)
Computer crimes & Risk management
• Reasons for committing crime against IT infrastructures:
Personal exposure and prestige
Creating damage
Financial gain
Terrorism
Warfare
• Risk (Probability × Impact) is calculated based on:
Asset name - component that needs to be protected
Vulnerability - weakness, process or physical exposure that makes the asset
susceptible to exploits
Exploit - a way to use one or more vulnerabilities to attack an asset
Probability - an estimation of the likelihood of the occurrence of an exploit (5:
Frequent, 4: Likely, 3: Occasional, 2: Seldom, 1: Unlikely)
Impact - the severity of the damage when the vulnerability is exploited (4:
Catastrophic: Complete mission failure, death, bankruptcy; 3: Critical: Major
mission degradation, major system damage, exposure of sensitive data; 2:
Moderate: Minor mission degradation, minor system damage, exposure of data; 1:
Negligible: Some mission degradation)
• There are four risk responses:
Acceptance of the risk
Avoidance of the risk - do not perform actions that impose risk
Transfer of the risk - for instance transfer the risk to an insurance company
Mitigation of the risk and accepting the residual risk
• Worms
Self-replicating programs that spread from one computer to another, leaving
infections as they travel
• Virus
Self-replicating program fragment that attaches itself to a program or file
enabling it to spread from one computer to another, leaving infections as it travels
• Trojan Horse
Appears to be useful software but will actually do damage once installed or run on
your computer
• Social engineering
Social skills are used to manipulate people to obtain information which can be used in
an attack
Like passwords or other sensitive information
By nature, people want to help other people
• Phishing
A technique of obtaining sensitive information
The phisher sends an e-mail that appears to come from a legitimate source, like a bank
or credit card company, requesting "verification" of information
The e-mail usually contains a link to a fraudulent web page
• Baiting
Baiting uses physical media, like a USB flash drive, left to be found
It relies on the curiosity of people to find out what is on it
The attacker hopes some employee picks up the device and brings it inside the
organization
When the device is put into an organization-owned PC, malicious software is installed
automatically
Security Patterns: Identity and Access Management (IAM)
• The IAM process follows three steps:
Users or systems claim who they are: identification (LDAP, Kerberos, Microsoft Active
Directory)
The claimed identity is checked: authentication (password or PIN, bank card, a
token or a smartphone, iris scan)
Permissions are granted based on the identity and the groups it belongs to:
authorization (permissions are granted to individual identities or to groups)
• Least privilege:
Users of a system should have the lowest level of privileges necessary to perform
their work
• Diffie–Hellman and RSA are the most widely used asymmetric key algorithms
• Disadvantage: slow
About 1000 to 10,000 times slower than symmetric key encryption
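
The three IAM steps and the least-privilege rule above, as an added example (not part of the original slides). The user names, group names, permission strings, passphrases and PBKDF2 iteration count are constructed assumptions; an in-memory dictionary stands in for a directory service such as LDAP or Active Directory.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # illustrative PBKDF2 work factor (assumption)

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def _user(password, groups):
    salt = os.urandom(16)
    return {"salt": salt, "pw_hash": _hash(password, salt), "groups": set(groups)}

# Constructed sample data: a tiny stand-in for a directory service.
DIRECTORY = {
    "alice": _user("correct horse battery", ["helpdesk"]),
    "bob": _user("another long passphrase", ["helpdesk", "dba"]),
}
# Permissions are granted to groups; anything not listed is denied.
GROUP_PERMISSIONS = {
    "helpdesk": {"ticket:read", "ticket:update"},
    "dba": {"db:backup", "db:restore"},
}

def identify(username):
    """Step 1, identification: resolve the claimed identity (None if unknown)."""
    return DIRECTORY.get(username)

def authenticate(username, password):
    """Step 2, authentication: check the claim against the stored password hash."""
    entry = identify(username)
    # Unknown users still cost one hash, so timing does not reveal valid names.
    salt = entry["salt"] if entry else bytes(16)
    expected = entry["pw_hash"] if entry else bytes(32)
    matches = hmac.compare_digest(_hash(password, salt), expected)
    return entry is not None and matches

def permissions_of(username):
    """Step 3, authorization: union of the permissions of the identity's groups."""
    entry = identify(username)
    groups = entry["groups"] if entry else set()
    return set().union(*(GROUP_PERMISSIONS.get(g, set()) for g in groups))

def access(username, password, permission):
    """Allow only an authenticated identity holding the requested permission."""
    return authenticate(username, password) and permission in permissions_of(username)

def excess_privileges(username, needed):
    """Least privilege check: permissions held beyond what the work requires."""
    return permissions_of(username) - set(needed)
```

Running excess_privileges over every account against the permissions each role actually needs gives a simple least-privilege review: any non-empty result is a group membership to reconsider.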