VA Course © AZ 2004 upd LM 2007 01/11/2007 Introduction to security


Page 1

Introduction to security

Page 2

Some confusion

Safety = Säkerhet = Security???

• Security – measures taken to guard against espionage or sabotage, crime, attack, or escape (Merriam-Webster Online Dictionary)

• Safety – to protect against failure, breakage, or accident (Merriam-Webster Online Dictionary)

Page 3

What is Computer Security?

• “Security is keeping anyone from doing things you do not want them to do to, with, on, or from your computers or any peripheral devices”

Cheswick and Bellovin

• “The purpose of information security is to ensure business continuity and minimize business damage by preventing and minimizing the impact of security incidents… It has three basic components: confidentiality, integrity, and availability.”

BS 7799 : 1995, British Standards Institute

Page 4

Is information security really a topic?

Page 5

Widely Known Threats

• Viruses and Worms
– spreading worldwide in a matter of hours

• Access Control and Data Theft
– breaking into computer systems

• OS, Databases and Applications
– poor coding and flawed protocol design & implementation

Page 6

CERT - Statistics

[Chart: incidents reported to CERT per year, 1988 to 2002]

Page 7

CERT - Statistics

[Chart: vulnerabilities reported to CERT per year, 1995 to 2006]

Page 8

Type of Breaches and Costs

Source: DTI, Information Security Breach Survey, 2002

Page 9

Is information security really a topic?

Page 10

Security Services

Confidentiality means that the assets of a computing system are accessible only by authorized parties.

Integrity means that assets can be modified only by authorized parties or only in authorized ways.

Availability means that assets are accessible to authorized parties.

Page 11

ISO 13335-1* – OSI** Security Services

• Confidentiality
• Integrity
• Availability
• Authentication
• Access Control
• Non-repudiation

* International Organization for Standardization
** Open System Interconnection

Page 12

Trust Approach

• Security is about trust.
• Trust encompasses
– Correctness
– Reliability
– Privacy
– Safety
– Survivability
– Secrecy
– Availability

Page 13

Scope

• IT security – Dealing with the technical parts of security

• Information System Security – The whole information processing system is of interest

• Information security – All information is of interest

Page 14

Security is Multidimensional

Page 15

House of security

Standards: Applying standards

• Technical Standards
• Evaluation Standards
• Process Standards

Page 16

House of security

Management: The management process includes:

• Commitment
• Control
• Steering

Page 17

House of security

Risk analysis: Learning the risks the information faces

Policy: Define guidelines regarding security

Page 18

House of security

Analysis: What kind of security needs to be realized

• Technical
• Organizational

Realization: Enforce the security mechanisms

• Implementation
• Documentation

Page 19

House of security

Maintenance: Keeping the system secure by means of:

• Improving security
• Applying patches

Page 20

House of security

Audit: Verification of security:

• Technical Security
• Organizational Security
• Planning Security

Page 21

House of security (all components: Standards, Management, Policy, Risk Analysis, Analysis, Realization, Maintenance, Audit)

But security can only work if all components work together and there is awareness of the problems.

Page 22

The Big Picture

[Diagram: Threats, Vulnerabilities and Assets meet in a Risk Analysis; its result, the impact, determines the Countermeasures]

These slides are based on USP slides from Cintia B. Margi and Prof. Wilson V. Ruggiero.

Page 23

Terminology

• Asset – Anything with value and in need of protection

• Threat – An action or potential action with the propensity to cause damage

• Vulnerability – Circumstances that have the potential of causing loss

• Countermeasure – Controls for protecting the assets
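How these four terms combine in a risk analysis, as an added example that is not part of the slides: a tiny risk register where risk = likelihood x impact and each countermeasure lowers the residual risk. All assets, threats, scores and countermeasure names are constructed for illustration.

```python
# Added example, not from the slides: a minimal risk analysis that connects the
# terms of pages 22-23 (asset, threat, vulnerability, countermeasure) through
# risk = likelihood x impact. Every asset, threat and number is constructed.
from dataclasses import dataclass, field

@dataclass
class Asset:
    name: str
    value: int                 # relative value to the organization, 1 (low) .. 5 (critical)
@dataclass
class Threat:
    name: str
    kind: str                  # "natural", "non-intentional" or "intentional" (page 26)
    likelihood: float          # estimated probability of occurring within a year, 0..1
@dataclass
class Countermeasure:
    name: str
    reduction: float           # fraction of the risk it removes, 0..1 (0.9 = 90 %)

@dataclass
class Vulnerability:
    description: str
    asset: Asset
    threat: Threat
    exposure: float            # fraction of the asset's value lost if the threat materializes
    countermeasures: list = field(default_factory=list)

def risk(v: Vulnerability) -> float:
    """Risk = likelihood x impact (asset value x exposure), less what each countermeasure removes."""
    score = v.threat.likelihood * v.asset.value * v.exposure
    for c in v.countermeasures:
        score *= 1.0 - c.reduction
    return round(score, 4)

def ranked(vulns: list) -> list:
    return sorted(vulns, key=risk, reverse=True)   # highest residual risk first

# Constructed scenario for a hypothetical small company.
db, srv = Asset("customer database", 5), Asset("file server", 3)
insider = Threat("ill-intended employee", "intentional", 0.3)
disk = Threat("disk failure", "non-intentional", 0.2)
fire = Threat("fire in server room", "natural", 0.01)
vulns = [
    Vulnerability("all staff can read the whole database", db, insider, 0.8),
    Vulnerability("no backups of the file server", srv, disk, 1.0),
    Vulnerability("no fire suppression in server room", srv, fire, 1.0),
]
before = [(v.description, risk(v)) for v in ranked(vulns)]
vulns[0].countermeasures.append(Countermeasure("least-privilege access control", 0.75))
vulns[1].countermeasures.append(Countermeasure("nightly off-site backups", 0.9))
after = [(v.description, risk(v)) for v in ranked(vulns)]
```

Comparing `before` and `after` shows the point of the deck's risk analysis: the asset list and the likelihood estimates decide where a countermeasure buys the most reduction, and the fire risk stays untouched until someone budgets for it.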

Page 24

Assets

• What is an asset?
– tangible assets: data, hard & floppy disks, network equipment, tapes, manuals, etc.
– intangible assets: public image, reputation, etc.

• A very broad scope, from people to hardware and data

Page 25

Assets

• Assets may be classified according to:
– software and hardware assets
– data assets
– communication assets
– administrative assets
– human resources assets

• A list of assets that shall be protected is essential for risk analysis

Page 26

Threats

• Threats to the system may come from:
– someone, e.g. a spy, a hacker, a criminal or an ill-intended employee
– something, e.g. hardware or software failure
– an event, e.g. fire, power shortage, flooding, earthquake

• Threats can be classified in 3 groups
– natural or physical threats
– non-intentional threats
– intentional threats

Page 27

Natural or Physical Threats

• Every kind of equipment or facility is exposed to them, e.g. fire, flooding, power shortages…

• Usually very hard to prevent, but easy to detect

• It is possible to minimize the damage

Page 28

Non-Intentional Threats

• Threats that are caused by ignorance
– a poorly trained user or system administrator
– someone who hadn't read the system documentation & manuals
– someone who hadn't understood the importance of security rules

• damage is caused by ignorance

Page 29

Intentional Threats

• Security products are designed to prevent intentional threats; those are the ones that make the news

• Two types of adversaries: internal and external
– external villains include: criminals, hackers, terrorists, other enterprises

Page 30

Intentional Threats

• External villains can try to gain access to a system by:
– breaking in, forging ID cards, through networks, or even bribery and/or coercion of internal staff

• The focus of security tools is usually external villains, but a great part of security problems is due to internal villains

“the enemy is already inside - and we hired them!”

Page 31

Impact groups

Page 32

Information security – Layer model

[Diagram: layers labelled People, Organization, Technology, Physical and Information]

Page 33

Some Countermeasures

• Security techniques
– Cryptography
– Firewalls

• Software mechanisms
– Secure development
– Operating system protection
– Internal program mechanisms

• Hardware mechanisms

Page 34

Countermeasures

• Management Activities
– Rules and Routines for Awareness
– Policy
– Security Management

• Physical Security

Page 35

Malicious Who?

• Misbehaving Users
– mostly unintentional damage – out of curiosity

• Amateurs
– have read about computer abuse and want to experience it

• Hackers
– proving that it is possible and earning popularity/acceptance
– usually divided into Black Hats and White Hats

• Criminals
– earn money with computer abuse (theft, espionage, ...)

(The slide arranges these groups along two axes: "worse" and "likelihood".)

Page 36

Method, Opportunity, Motive – what must a malicious attacker have?

• Method: means to conduct the attack – skills, knowledge, tools ...

• Opportunity: time and access to accomplish the attack

• Motive: a reason to do it

Page 37

Stakeholder

• Regular Users – They want to use the system

• IT Staff & Security Manager – They want to supply a working system

• Business Manager – They want productivity because of IT use

• Asset Owner – Their resources are in danger or they want to earn money

• Public bodies – Want orderly behavior and a prospering economy

• ...

Page 38

Remark

“Information Security is a parasite on the profits” – Gerald Kovachic

• Information Security is
– a business enabler – it can be sold or enables the business
– an insurance – resources under risk and downtime mean profit not realized

Page 39

Questions?