Lecture 2
Threats, Attacks, etc.
Computer Criminals
Defense Techniques
Security Planning
Recommended Reading
Recommended:
Database Security Planning Checklist
http://www.sybase.com/content/1024210/Database_security.pdf
The Risks and Rewards of Information Security Planning
http://www.toptentechs.com/issues/Issue1/
Risk Assessment Tools and Practices for Information System Security
http://www.fdic.gov/news/news/financial/1999/FIL9968a.HTM
Werner Wild
Types of Threats
Errors of users
Natural/man-made/machine disasters
Dishonest insider
Disgruntled insider
Outsiders
Systems Security - Lecture 2
Types of Attacks
Interruption: an asset is destroyed, unavailable or unusable (availability)
Types of Attacks
Passive attacks
Eavesdropping
Monitoring
Active attacks
Masquerade: one entity pretends to be a different entity
Replay: passive capture of information and its retransmission
Modification of messages: legitimate message is altered
Denial of service: prevents normal use of resources
Computer Crime
Computer Criminals
Methods of Defense
Organization Analysis
Risk management
Mitigation approaches and their costs
Security policy
Implementation and testing
Security training and awareness
System Security Engineering
Specify System Architecture
Identify Threats, Vulnerabilities, Attacks
Identify and Install Safeguards
Prioritize Vulnerabilities
Estimate Risk
Risk Management
Risk analysis
Risk reduction
Risk acceptance
Risk Analysis
Assets-Threat Model
Threats compromise assets
Threats have a probability of occurrence and severity of effect
Assets have values
Assets are vulnerable to threats
Threats
Assets
Assets-Threat Model (Cont.)
Risk: expected loss from the threat against an asset
R = V * P * S
R: risk
V: value of asset
P: probability of occurrence of threat
V: vulnerability of the asset to the threat
System-Failure Model
Estimate probability of highly undesirable events
Risk: likelihood of undesirable outcome
Threat
System
Undesirable outcome
Risk Acceptance
Certification
How well the system meets the security requirements (technical)
Accreditation
Management's approval of automated system (administrative)
Mitigation Approach
Security safeguards
Protection
Assurance