
Sources of Vulnerabilities


jalila

Presentation Transcript


  1. Sources of Vulnerabilities CSEM02 University of Sunderland

  2. Reference
     • P. Neumann, 1995, Computer-Related Risks, Addison-Wesley, ISBN: 0-201-55805-X

  3. Vulnerabilities in Development
     • System conceptualization: Misassessment of the technology.
     • Requirements definition: Erroneous, incomplete, or inconsistent requirements.
     • System design: Fundamental misconceptions or flaws.
     • Implementation: Various errors.
     • Support systems: Faulty or poor tools.
     • System analysis: False assumptions or erroneous models.
     • Testing: Incomplete or erroneous testing.
     • Evolution: Sloppy maintenance and upgrades.
     • Decommission: Premature removal; removal of components used elsewhere.

  4. Vulnerabilities in Use
     • Environment: Earthquakes, floods, fires, etc.
     • Animals: E.g., squirrelcide.
     • Infrastructure: Loss of power, air conditioning
     • Hardware: Malfunction due to ageing or transients
     • Software: Bugs
     • Communications: Outages, interference, and jamming
     • Human Limitations: Installation or misuse

  5. Note Well…
     • Vulnerabilities are not just security…
     • However, security vulnerabilities:
       • Tend to involve insiders
       • Tend to involve human behavior
       • Sometimes result from unwarranted assumptions
       • Often are due to design errors or incomplete understanding of a system or technology

  6. System Conceptualization
     • Misunderstanding of the technology
     • Too far
     • Not far enough
     • Cost overruns
     • Schedule overruns
     • Lack of Feasibility
     Example: MIFASS (Marine Fire and Air Support System). The agency direction was to use a CPU somewhat slower than a first generation Apple II. There was no recovery.

  7. Requirements Definition
     • Erroneous requirements
     • Incomplete requirements
     • Inconsistent requirements
     Extremely common and expensive. Missing requirements are the worst problem. Agile methods attempt to address this.

  8. System Design
     • Fundamentally false assumptions
     • E.g., infinite speed of light
     • Erroneous models
     Example: the FAA’s Advanced Automation System. The contractor assumed that the average statement in Ada generated 5 machine instructions (actually it was 10) and that the speed of a 10 MHz machine was (with parallelism) 20 MHz (actually it was 12 MHz). There was no recovery.

  9. Implementation
     • Various and varied.
     • Chip fab
     • Wiring
     • Programming bugs
     • Trojan horses
     • Viruses
     We will discuss this.

  10. Support Systems
     • Faulty or poor tools
     • Language choice
     • Compiler/debugger
     • Bad tools
     • Editing
     CASE tools never met their expectations… Sometimes reflect failure to meet standards. Sometimes are deliberate on the part of a vendor.

  11. System Analysis
     • False assumptions about
     • World
     • Operating environment
     • Human behavior
     • Erroneous models and simulations
     Prototypes help here.

  12. Testing
     • Incomplete testing
     • Erroneous testing
     • Faulty code verification
     What is a testable requirement? One way of addressing this is Test-Driven Development (TDD), where you write the unit tests first.

  13. Evolution
     • Sloppy maintenance and upgrades.
     • Misconceptions
     • New flaws
     • Loss of design coherency
     Maintenance organizations do not attract the best engineers. Design your system so it can be maintained by entry-level staff.

  14. Decommission
     • Premature removal.
     • Removal of components needed elsewhere.
     • Hidden dependencies
     • Replacement not done in time
     • Hardware and software end of life
     • Vendor profiteering

  15. Environment
     • Earthquake
     • Flood
     • Fire
     • Temperature extremes
     • EMI
     • Etc…

  16. Animals
     • Sharks (underwater cables)
     • Squirrels (enjoy fibre and cabling)
     • Monkeys (inquisitive)
     • Birds (watch your neighborhood telephone poles)
     • Horses (enjoy practical jokes)
     • Cattle
     • Pigs
     • Etc.

  17. Infrastructure
     • Power
     • Air Conditioning
     • Physical Security

  18. Hardware
     • Ageing
     • Transients
     • Environmental problems
     • Errors in Design

  19. Software
     • Bugs of many sorts
     • System development
     • Change implementation
     • Maintenance

  20. Communications
     • Outages
     • Natural interference
     • Jamming
     • Intentional
     • Accidental
     • Tapping
     • Other

  21. Human Error
     • Installation
     • Misuse
     • Intentional
     • Unintentional

  22. Adverse Effects
     • A myriad
     Discuss…
