Professional Documents
Culture Documents
SECURITY
Profiling Adversaries
Adversaries that target corporate system are numerous:
(enemies)
Hackers
Terrorists groups
Governments
Opposing Industries
Security
Are they ?
Consider
some cases :
The terrorist attack on the twin towers (in USA) had as a result many
corporations to close. Why ?
What
The
is Information Security ?
Any system is most vulnerable at its weakest point - Any system is most
vulnerable at its weakest point. A robber intent on stealing from a house will not
attempt to penetrate a two-inch-thick metal door if a window gives easier access
This principle implies that computer security specialists must consider - All the
means of penetration, penetration analysis must be repeated especially whenever
the system or its security change, do not underestimate the attacker/think like an
attacker, strengthening one aspect of a system might weaken another
Threats
Threats
Method, Opportunity,
and Motive
Security Goals
Security Goals
Secrecy or privacy
Security Goals
(Contd)
Vulnerabilities of Computing
Systems
Hardware Vulnerabilities
Software Vulnerabilities
Vulnerabilities of Computing
Systems (Contd.)
Data Vulnerabilities
Vulnerabilities of Computing
Systems (Contd.)
Networks
Key People
Methods of Defense
Deflect it, by making another target more attractive (or this one less so)
Example Honey Pots
Methods of Defense
A sample log file (to detect)
Controls Available
Simple or Difficulty
Inexpensive or Expensive
Type of Control
1.
Cleartext
Ciphertext
Protocols
Controls Available
2)
3)
(Contd)
Software Controls
Program Controls:
Smart card implementations, locks, devices to verify user ID, firewalls, intrusion
detection systems, circuitry control that control access to storage media
Controls Available
4)
5)
(Contd)
Physical Controls
Effectiveness of Controls
depends on.
Awareness of Problem
People using controls must be convinced of the need for
security. That people will willingly cooperate with security
requirements only if they understand why security is
appropriate in a given situation,
Effectiveness of Controls
(Contd) on.
depends
Likelihood of Use
Of course, no control is effective unless it is used.
Principle
of Effectiveness:
Effectiveness of Controls
(Contd) on.
depends
Periodic Review
Just when the security specialist finds a way to secure assets
against certain kinds of attacks, the opposition doubles its
efforts in an attempt to defeat the security mechanisms.
Thus, judging the effectiveness of a control is an ongoing
task.
Social Engineering
The victims of social engineering are tricked into releasing information that
they do not realize will be used to attack a computer network.
Social Engineering....
Often the weakest link in security is not technology, but the people who
use it.
Other Examples.