Security engineering
This presentation is the property of its rightful owner.
Sponsored Links
1 / 15

Security Engineering PowerPoint PPT Presentation


  • 86 Views
  • Uploaded on
  • Presentation posted in: General

Security Engineering. William W. McMillan. 2 April 2013. What are the main reinforcements for breaking into software systems? Name three distinct populations of people who do this. Ways People Use the Term “Risk”. Something bad that could happen: “There’s a risk of brake failure.”

Download Presentation

Security Engineering

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript


Security engineering

Security Engineering

William W. McMillan

2 April 2013


Security engineering

What are the main reinforcements for breaking into software systems?Name three distinct populations of people who do this.


Ways people use the term risk

Ways People Use the Term “Risk”

  • Something bad that could happen:

    • “There’s a risk of brake failure.”

  • The probability that something bad could happen:

    • “The risk of brake failure is 0.01%.”

  • The cost of something bad happening:

    • “If the brakes fail, we risk passenger deaths.”

  • We can’t really regulate everyday language.


Ways to mitigate risk

Ways to Mitigate Risk

  • Identify vulnerabilities, threats, and hazards…

    • …then head each one off at the pass.

  • Establish engineering practices that will lead to reliable software.

  • The first approach by itself can’t keep the bad guys out.

    • You can’t find every vulnerability or anticipate every attack.


List three to five typical kinds of attacks on software

List three to five typical kinds of attacks on software.


Ways to attack

Ways to Attack

abc123

As a Customer

Stealing Data

Surprise

Packages

Using Users

Picking Locks

Observing

Behavior

Ganging Up

Faking/Stealing

Credentials

By Insider


What can be attacked

What Can Be Attacked

  • Operating system

  • Databases

  • Financial records

  • Infrastructure

    • Communications

    • Dedicated servers

  • Application code

  • Application data


Describe a recent successful attack on a software system

Describe a recent successful attack on a software system.


User authentication

User Authentication

  • Who has access to what?

    • Security policy is defined by client or management.

  • Need to ensure that you give users the right level of access.

  • Operational concern.

  • But there are some design implications.

    • UI should not lead someone to, e.g., accidentally give a new engineer access to the firm’s personnel records.

  • Email or other communication to user to report transaction, password change, etc.


User credentials

User Credentials

  • User name and password

  • Making 3M rich (they make Post-it Notes)…

  • … which is where many passwords live.

  • Physical cards or other object to plug into computer

  • Security questions

    • How hard is it to get people’s mother’s maiden name?

    • Does a friend know what the model of your first car was?

  • Biometrics

    • Retinal scans, fingerprints, voice,…


Security engineering

Is it a good idea to require users to change passwords every six months or so?Should passwords be required to be like this: fH7*iM(sqjX ?


Data protection

Data Protection

  • Encryption

  • Fire walls

  • Multiple sites

    • In case someone corrupts databases at one site.

  • Checksums, consistency, or other integrity tests

  • Monitoring of access and traffic

  • User authentication

  • Validation of inputs

  • Providing read-only access when you can.


Is the client server model good for protecting data in an organization

Is the client-server model good for protecting data in an organization?


Function protection

Function Protection

  • Scan for viruses and worms.

  • Monitor activity.

  • Prevent “backdoors” and “hooks” in code.

    • Engineering process issue

  • Beware of reused software.

    • “You don’t know where that thing has been…”

  • Configure carefully when install or change.

    • Can change access or visibility.


Security engineering

A small dental practice has a home-grown information system and they’ve hired you to improve its security. What six or so steps would you take before making changes?


  • Login