
Security Architectures and Analysis in Distance Education

Explore the security architectures and analysis required for distance education, including user categories, essential services and components, likely levels of attack, and attacker profiles.

evansc

Presentation Transcript


  1. Distance Education Team 2: Security Architectures and Analysis

  2. Distance Education Team Members
     • Chris Rush – Team Leader, Step 1
     • Mike Gazdus – A/V Expert, Step 1
     • Ron Banerjee – Tech Analyst, Step 2
     • Russ Griffith – Tech Analyst, Step 2
     • Scott Currie – Scribe, Step 3
     • Chris Ameter – Tech Analyst, Step 3
     • Jack Pickett – Tech Analyst, Step 3
     • Raman Rangswamy – Tech Analyst, Step 4
     • Ayman Lugman – Tech Analyst, Step 4

  3. Topics for Discussion
     • Step 1 Recap
       • DE User Categories
       • DE Architecture
     • Step 2 Recap
       • Essential Services and Assets
       • Essential Scenarios Trace
       • Essential Components
     • Step 3 Goals
       • Relevant Attacker Profiles
       • Likely Levels of Attack
       • Representative Attack Scenarios
       • Identify Compromisable Components
     • Step 4 Next

  4. Step 1 Recap
     • DE Organization Mission: “To offer the same high quality MSE courses currently available to resident students, through the use of on-line, Computer Based Training (CBT), and two-way audio two-way video through Distance Education”.
       Mel Rosso-Llopart, Director, Distance Education

  5. DE User Categories
     • Student
     • Admin Staff
     • Technical Support Staff
     • Web Support Staff
     • Director & Associate Director

  6. DE Architecture
     [Diagram. Labels: Director & Assoc Director; Student; DE Admin Client (Win32); DE Student Client (browser); Admin Staff; Admin App (VB); Web App (Perl Scripts); E-mail; Apache Server; Web Support; Admin DB (Oracle); Product DB (MySQL); Admin Server (Win NT); Product Server (Linux); Tech Support]

  7. Step 2 Recap
     • Essential services and assets
     • Essential scenarios trace
     • Essential components

  8. Essential Services & Assets
     Essential Services:
     • Tech support updates MySQL database
     • Student access to web application
     • Web support (Courseware specialist) performs maintenance on web applications
     Essential Assets:
     • Student data
     • Web contents:
       • Calendars
       • Class assignments
       • Files
       • Assigned readings

  9. Essential Scenarios Trace
     [Diagram: DE architecture, same labels as slide 6]

  10. Essential Components
      • MySQL database
      • Web Application
      • Apache Server
      • Product Server

  11. Step 3 Goals
      • Attacker Profiles
        - Internal Threat
        - External Threat
      • Levels of Attack
        - “Target of opportunity”
        - “Intermediate”
        - “Sophisticated”

  12. Step 3 Goals Cont.
      • Describe intrusion scenarios
        - steps in attacker usage scenarios
      • Identify compromisable components
        - parts of architecture accessible by intrusion scenarios

  13. General Attacker Profiles
      • Recreational Hacker
      • Current/Past Students
      • Current/Past Admin & Support Staff
      • External Hacker
      • Disgruntled Employee / User
      • Current/Past Students
      • Current/Past Admin & Support Staff
      • Activist
      • Not Likely
      • Industrial Spy
      • Not Likely
      • Nation State
      • Not Likely

  14. Attacker Attributes

  15. Attack Patterns
      • User Access
        • Current Student Privilege Escalation
        • Current Access to Damage the Database
        • External Attacker Gaining Account Level Access Through a Remote Exploit
      • Component Access
        • Port Flood / DoS Attack
      • Application Content
        • Perl Script Exploits
        • Buffer Overflows
        • OS / Application Vulnerabilities

  16. Potential Attacker Profiles
      • Internal Threat – Existing DE Student
        • Privilege Escalation
        • Modification of registration/payment info
      • Internal Threat – Administrators/Student Support
        • Read/Write Access to DBs
        • Accidental/Intentional DB Corruption
        • Theft of Financial Information
        • Co-opt System resources (game/file server, DDOS)
      • External Attacker
        • Vandalism
        • Theft of course material
        • Theft of student financial information
        • DDOS Platform

  17. Levels of Attack
      • Target of Opportunity
        • External Attacker – Script Kiddie
      • Intermediate
        • Existing Student
        • Admin/Support Staff
        • External Attacker
      • Sophisticated
        • Existing Student
        • Admin/Support Staff
        • External Attacker

  18. Potential Attacker Profiles (repeat of slide 16)

  19. Attack Scenarios: Privilege Escalation
      [Diagram: DE architecture, same labels as slide 6]

  20. Potential Attacker Profiles (repeat of slide 16)

  21. Attack Scenarios: Theft of Financial Information
      [Diagram: DE architecture, same labels as slide 6]

  22. Potential Attacker Profiles (repeat of slide 16)

  23. Attack Scenarios: DDOS Platform
      [Diagram: DE architecture, same labels as slide 6, plus an Attacker label and two DDOS Application labels]

  24. Compromisable Components
      • Admin Server
      • Possible DDOS platform
      • DB Contains Student Financial Info.
      • Production Server
      • Web Server
      • No encrypted Authentication
      • Password Lists in DB

  25. Compromisable Components
      [Diagram: DE architecture, same labels as slide 6]

  26. What’s Next
      • Step 4
        • Identify “softspots”
        • Existing Mitigation Strategies
        • Recommended Mitigation Strategies
        • Survivability Map & Suggested Changes

  27. Conclusion
      • Reviewed the DE Architecture
      • Reviewed the user categories
      • Reviewed the architecture
      • Reviewed the essential services and assets
      • Reviewed the essential usage scenarios
      • Reviewed the essential components
      • Discussed Relevant Attacker Profiles
      • Discussed Likely Levels of Attack
      • Discussed Possible Attack Scenarios
      • Identified Compromisable Components
      • Briefly showed where we are going next.

  28. Questions?
