
Basic Security Concepts

Lecture 2
Threats, Attacks, etc.
Computer Criminals
Defense Techniques
Security Planning

Recommended Reading

Database Security Planning Checklist
http://www.sybase.com/content/1024210/Database_security.pdf
The Risks and Rewards of Information Security Planning
http://www.toptentechs.com/issues/Issue1/
Risk Assessment Tools and Practices for Information System Security
http://www.fdic.gov/news/news/financial/1999/FIL9968a.HTML

Systems Security - Lecture 2

Werner Wild

Threat, Vulnerability, Risk

Threat: potential occurrence that can have an undesired effect on the system
Vulnerability: characteristic of the system that makes it possible for a threat to occur
Attack: action of a malicious intruder that exploits vulnerabilities of the system to cause a threat to occur
Risk: measure of the possibility of security breaches and the severity of the damage


Types of Threats

Errors of users
Natural/man-made/machine disasters
Dishonest insider
Disgruntled insider
Outsiders

Types of Threats (Cont.)

Disclosure threat: dissemination of unauthorized information
Integrity threat: incorrect modification of information
Denial of service threat: access to a system resource is blocked

Types of Attacks

Interruption: an asset is destroyed, unavailable or unusable (availability)
Interception: an unauthorized party gains access to an asset (confidentiality)
Modification: an unauthorized party not only gains access to but tampers with an asset (integrity)
Fabrication: an unauthorized party inserts counterfeit objects into the system (authenticity)
Denial: a person denies taking an action (authenticity)

Types of Attacks

Passive attacks
Eavesdropping
Monitoring
Active attacks
Masquerade: one entity pretends to be a different entity
Replay: passive capture of information and its retransmission
Modification of messages: a legitimate message is altered
Denial of service: prevents normal use of resources

Computer Crime

Any crime that involves computers or is aided by the use of computers
U.S. Federal Bureau of Investigation: reports uniform crime statistics

Computer Criminals

Amateurs: regular users who exploit the vulnerabilities of the computer system
Motivation: easy access to vulnerable resources

Crackers: attempt to access computing facilities for which they do not have the authorization
Motivation: enjoy challenge, curiosity

Career criminals: professionals who understand the computer system and its vulnerabilities
Motivation: personal gain (e.g., financial)

Methods of Defense

Prevent: block attack
Deter: make the attack harder
Deflect: make other targets more attractive
Detect: identify misuse
Tolerate: function under attack
Recover: restore to correct state

Information Security Planning

Organization Analysis
Risk management
Mitigation approaches and their costs
Security policy
Implementation and testing
Security training and awareness


System Security Engineering

(Flow diagram, reproduced as text)
Specify System Architecture
-> Identify Threats, Vulnerabilities, Attacks
-> Prioritize Vulnerabilities
-> Estimate Risk
-> Risk is acceptably low? If not: Identify and Install Safeguards, then return to Identify Threats, Vulnerabilities, Attacks

Risk Management

Risk analysis
Risk reduction
Risk acceptance

Risk Analysis Methods

Risk Analysis
Threats and relevance
Potential for damage
Likelihood of exploit

Assets - Threat Model

Threats compromise assets
Threats have a probability of occurrence and severity of effect
Assets have values
Assets are vulnerable to threats

Assets - Threat Model (Cont.)

Risk: expected loss from the threat against an asset
R = V * P * S

R  risk
V  value of asset
P  probability of occurrence of threat
S  vulnerability of the asset to the threat
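Added example (my own, not from the lecture): the assets-threat model R = V * P * S carried through in Python over a constructed asset/threat table, ranking exposures for the "Prioritize Vulnerabilities" step and iterating the estimate/install-safeguards loop of the System Security Engineering diagram until risk is acceptably low. The sample values, the acceptance threshold and the safeguard reduction factors are assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Exposure:
    """One (asset, threat) pair from the assets-threat model."""
    asset: str
    threat: str
    V: float  # value of the asset, in the same unit as the resulting risk
    P: float  # probability that the threat occurs per period (0..1)
    S: float  # vulnerability of the asset to the threat: fraction of V lost (0..1)

    def risk(self) -> float:
        """R = V * P * S: expected loss from this threat against this asset."""
        return self.V * self.P * self.S


def total_risk(exposures) -> float:
    return sum(e.risk() for e in exposures)


def prioritize(exposures):
    """'Prioritize Vulnerabilities': rank by expected loss, highest first."""
    return sorted(exposures, key=lambda e: e.risk(), reverse=True)


def apply_safeguard(e: Exposure, p_factor: float, s_factor: float) -> Exposure:
    """A safeguard that prevents/deters lowers P; one that tolerates/recovers lowers S."""
    return Exposure(e.asset, e.threat, e.V, e.P * p_factor, e.S * s_factor)


def engineer(exposures, threshold, p_factor=0.5, s_factor=1.0, max_rounds=10):
    """Estimate risk; while it is not acceptably low, install a safeguard on the
    top-ranked exposure and re-estimate. Returns (final exposures, safeguards installed)."""
    current = list(exposures)
    installed = []
    for _ in range(max_rounds):
        if total_risk(current) <= threshold:
            break
        top = prioritize(current)[0]
        current[current.index(top)] = apply_safeguard(top, p_factor, s_factor)
        installed.append((top.asset, top.threat))
    return current, installed


# Constructed sample table (assumed values, not from the lecture)
SAMPLE = [
    Exposure("customer database", "disclosure by outsider", V=500_000, P=0.10, S=0.80),
    Exposure("customer database", "integrity error by user", V=500_000, P=0.30, S=0.05),
    Exposure("web server", "denial of service", V=50_000, P=0.50, S=0.20),
]
```

Run `engineer(SAMPLE, threshold=20_000)` to see that three halvings of the disclosure probability are needed before the total expected loss drops below the assumed threshold.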

System - Failure Model

Estimate probability of highly undesirable events
Risk: likelihood of undesirable outcome
(Diagram: Threat -> System -> Undesirable outcome)

Risk Acceptance

Certification
How well the system meets the security requirements (technical)

Accreditation
Management's approval of the automated system (administrative)

Mitigation Approach

Security safeguards

Protection
Assurance
