Lecture 1 - Intro To Software Security

This document provides definitions and explanations of key cybersecurity concepts:
- Asset is something of value that needs protection, such as software, data, people, property, or information.
- Attack is an exploitation of a system's vulnerability from outside to cause damage.
- Exploit is the tool used by an attacker to damage a target system by exploiting a vulnerability.
- Exposure is potential loss or harm to a system, such as data loss or time/effort for recovery after a breach.

Presented By
Khandker M Qaiduzzaman
Lecturer, Department of SWE
Daffodil International University
Cell no.: +8801685679768
Email: [email protected]
ASSET
• Something of value which has to be protected. The asset may be the software system itself or data used by that system.
• Asset must come from a transaction
• Asset must give benefits
• People, property, and information
• An asset is what we’re trying to protect.

ASSET (CONT.)
• People may include employees and customers along with other invited persons such as contractors or guests.
• Property assets consist of both tangible and intangible items that can be assigned a value. Intangible assets include reputation and proprietary information.
• Information may include databases, software code, critical company records, and many other intangible items.
ATTACK
• An exploitation of a system's vulnerability. Generally, this is from outside the system and is a deliberate attempt to cause some damage.

EXPLOIT
• An exploit is the way or tool by which an attacker uses a vulnerability to cause damage to the target system.
EXPOSURE
• Possible loss or harm to a computing system.
• This can be loss or damage to data, or can be a loss of time and effort if recovery is necessary after a security breach.
THREAT AGENTS
• Criminals
• Terrorists
• Subversive or secret groups, state sponsored, disgruntled employees
• Hackers
• Pressure groups
• Commercial groups
THREAT
• Anything that can exploit a vulnerability, intentionally or accidentally, and obtain, damage, or destroy an asset.
• A potential cause of an incident that may result in harm to a system or organization.
VULNERABILITY
• Weaknesses or gaps in a security program that can be exploited by threats to gain unauthorized access to an asset.
RISK
• The potential for loss, damage or destruction of an asset as a result of a threat exploiting a vulnerability.
• When conducting a risk assessment, the formula used to determine risk is:
  A + T + V = R
  That is, Asset + Threat + Vulnerability = Risk.
DIFFERENCES BETWEEN THREAT, VULNERABILITY AND RISK
• A threat is what we’re trying to protect against.
• A vulnerability is a weakness or gap in our protection efforts.
• Risk is the intersection of assets, threats, and vulnerabilities.
A PICTURE OF THREAT, RISK AND VULNERABILITY
(Diagram not reproduced.)
TEST YOUR SKILL
Sort each of the following items under RISK, THREAT or VULNERABILITY:
business change, competitor, business disruption, angry employee, nature, terrorist, hardware flaws, impaired growth, financial loss, legal penalties, the press, ineffective control, damage to reputation, human error, broken process, loss of confidence, software bug, dishonest employee, criminals, loss of life, government, legacy system, loss of privacy, hacker
MATCH YOUR RESULT
RISK: business disruption, financial loss, loss of privacy, damage to reputation, loss of confidence, legal penalties, impaired growth, loss of life
THREAT: angry employee, dishonest employee, criminals, government, terrorist, the press, competitor, hacker, nature
VULNERABILITY: software bug, broken process, ineffective control, hardware flaws, business change, legacy system, human error
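As an added example that is not part of the lecture, the formula A + T + V = R and the answer key above turned into a small Python risk register: a risk entry appears only where an asset carries a vulnerability that some threat agent is able to exploit, and closing that vulnerability removes the risk even though the asset and the threat agent remain. The item names follow the lecture's vocabulary; the asset/threat pairings are constructed for illustration.

```python
"""Toy risk register for the lecture's Asset + Threat + Vulnerability = Risk.
Added example, not from the slides: item names follow the TEST YOUR SKILL
answer key, the asset/threat pairings are constructed for illustration."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Asset:
    name: str
    vulnerabilities: frozenset          # weaknesses present in this asset

@dataclass(frozen=True)
class Threat:
    agent: str                          # the threat agent
    exploits: frozenset                 # vulnerabilities the agent can use
    harm: str                           # the risk realised if it succeeds

# Constructed sample data (lecture vocabulary, hypothetical pairings).
ASSETS = [
    Asset("customer database", frozenset({"software bug", "ineffective control"})),
    Asset("payroll system", frozenset({"legacy system", "broken process"})),
]
THREATS = [
    Threat("hacker", frozenset({"software bug", "legacy system"}), "loss of privacy"),
    Threat("dishonest employee", frozenset({"ineffective control", "broken process"}),
           "financial loss"),
    # No asset above has "hardware flaws": a threat with nothing to exploit is no risk.
    Threat("nature", frozenset({"hardware flaws"}), "business disruption"),
]

def risk_register(assets, threats):
    """Risk exists only at the intersection: an asset that has a vulnerability
    which some threat agent is able to exploit. Returns (asset, agent, vuln, harm)."""
    risks = set()
    for asset in assets:
        for threat in threats:
            for vuln in asset.vulnerabilities & threat.exploits:
                risks.add((asset.name, threat.agent, vuln, threat.harm))
    return sorted(risks)

def mitigate(asset, vuln):
    """Closing one vulnerability removes every risk that depended on it, even
    though the asset and the threat agents are unchanged."""
    return Asset(asset.name, asset.vulnerabilities - {vuln})

if __name__ == "__main__":
    for entry in risk_register(ASSETS, THREATS):
        print("%-17s <- %-18s via %-19s => %s" % entry)
    patched = [mitigate(ASSETS[0], "software bug"), ASSETS[1]]
    print(len(risk_register(patched, THREATS)), "risks remain after fixing the bug")
```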
FUNCTIONALITY VS. SECURITY

SECURITY CONCEPTS [AS USED IN COMMON CRITERIA]
(Relationship diagram, not reproduced. Its nodes are owners, countermeasures, vulnerabilities, risks, threats, attackers and assets; its edge labels read: want to maximize availability/usefulness, want to minimise, impose, reduce, may have, increase, require, of, lead to, exploit, give rise to, want to abuse. Reading: owners want to maximize the availability/usefulness of assets and want to minimise risks, so they impose countermeasures that reduce risks but may have vulnerabilities; attackers want to abuse assets and give rise to threats that exploit vulnerabilities, which lead to and increase risks to assets.)
SECURITY PROPERTIES
• Confidentiality
  • Information about the system or its users cannot be learned by an attacker
• Integrity
  • The system continues to operate properly, only reaching states that would occur if there were no attacker
• Availability
  • Actions by an attacker do not prevent users from having access to or use of the system
GENERAL PICTURE
(Diagram: Alice, the System, and the Attacker.)
• Security is about
  • Honest user (e.g., Alice, Bob, …)
  • Dishonest Attacker
• How the Attacker
  • Disrupts honest user’s use of the system (Integrity, Availability)
  • Learns information intended for Alice only (Confidentiality)
NETWORK SECURITY
(Diagram: Alice, the System, and a Network Attacker.)
• Network Attacker: intercepts and controls network communication
WEB SECURITY
(Diagram: Alice, the System, and a Web Attacker.)
• Web Attacker: sets up a malicious site visited by the victim; no control of the network
OPERATING SYSTEM SECURITY
(Diagram: Alice, the System, and an OS Attacker.)
• OS Attacker: controls malicious files and applications

(Summary diagram: Alice, the System, and the Attacker.)
• Confidentiality: Attacker does not learn Alice’s secrets
• Integrity: Attacker does not undetectably corrupt the system’s function for Alice
• Availability: Attacker does not keep the system from being useful to Alice
SOME FAMOUS HACKERS

JOHN DRAPER AKA CAPTAIN CRUNCH
• KNOWN AS FATHER OF MODERN HACKING
• ORIGINALLY RADAR TECHNICIAN
• SUPPOSEDLY CALLED NIXON
• HACKED PHONE WITH THE USE OF A CAPTAIN CRUNCH CEREAL WHISTLE
• TAUGHT STEVE WOZNIAK AND STEVE JOBS HOW TO MAKE “BLUE BOXES”
• 70’S SERVED TWO STINTS IN PRISON
• CURRENTLY UNEMPLOYED
• HACKED FOR THE FUN OF IT, NOT FOR $$$
STEVE WOZNIAK
• CO-FOUNDER OF APPLE
• 1970’S WAS A STUDENT AT BERKELEY & MEMBER OF “CALIFORNIA’S HOMEBREW COMPUTER CLUB”
• MASS PRODUCED “BLUE BOXES” FOR TWO REASONS
  • 1) GENERATE ENOUGH CASH FOR THEIR STARTUP COMPANY “APPLE”
  • 2) FASCINATION BEHIND “THE POWER OF IDEAS”: “THAT TWO TEENAGERS COULD BUILD A SMALL BOX FOR A HUNDRED DOLLARS AND CONTROL HUNDREDS OF MILLIONS OF DOLLARS OF PHONE INFRASTRUCTURE”
KEVIN MITNICK
• STARTED AT AGE 12
• HACKED:
  • LA’S BUS PUNCH CARD SYSTEM
  • CELL PHONES
  • FAST FOOD SPEAKER SYSTEMS
  • DEC COMPUTER SYSTEM
• WENT ON TWO AND A HALF YEAR HACKING SPREE ACROSS THE COUNTRY
• CAUGHT BY “CELLULAR FREQUENCY DIRECTION-FINDING ANTENNA HOOKED UP TO A LAPTOP TO NARROW THE SEARCH TO AN APARTMENT COMPLEX”
• SENTENCED TO FIVE YEARS OF PRISON AND EIGHT MONTHS OF SOLITARY
• OWNS HIS OWN COMPUTER SECURITY CONSULTING COMPANY (MITNICK SECURITY CONSULTING, LLC)
• NOW CAN LEGALLY HACK INTO SERVERS
• STATED “IF I HAD PERFORMED THE SAME HACKS THAT I HAD DONE IN THE PAST TODAY, I WOULD MOST LIKELY BE IN GUANTANAMO BAY, CONSIDERING ALL THE SECURITY LAWS PASSED AFTER 9/11”
THANK YOU