Which is the Cuckoo's Egg?

Presentation Transcript

  1. Which is the Cuckoo's Egg? (warm-up: spot the item that does not belong) • $45 million • Quebec • Drug arrest • Hacking scam • Poland, Brazil, Manitoba, and the United States • Age 17 to 26 • Computer network Computer Science and Engineering

  2. Cuckoo's Egg: Drug arrest (the one item that does not come from the story) • Canada: police have broken up a major international computer-hacking network • Target: unprotected personal computers around the world • Police arrested 16 people, aged between 17 and 26 • The group used online attacks to gain control of as many as one million computers worldwide

  3. Csilla Farkas, Associate Professor, Dept. of Computer Science and Engineering, University of South Carolina, farkas@cse.sc.edu, http://www.cse.sc.edu/~farkas

  4. Financial Loss • Chart: dollar amount of losses by type • Total loss (2006): $53,494,290 • Source: CSI/FBI Computer Crime and Security Survey, Computer Security Institute

  5. Security Protection • Chart: percentage of IT budget spent on security • Chart: percentage of organizations using ROI, NPV, or IRR metrics to evaluate security spending • Source: CSI/FBI Computer Crime and Security Survey, Computer Security Institute

  6. What is Wrong with the Following Specification? • The CEO of ReallySecure Inc. instructed the system administrator of the organization's computing resources to implement security mechanisms, including • Hardware firewall • Authentication mechanisms • Access control • Secure communication • Encryption capabilities • (The list names mechanisms only: nothing says what is being protected, against whom, or how much protection is enough, which is what the risk management and policy slides that follow supply)

  7. Risk Management Framework (Business Context) • Stages, in order: 1. Understand the business context 2. Identify business and technical risks 3. Synthesize and rank risks 4. Define the risk mitigation strategy 5. Carry out fixes and validate • Measurement and reporting runs alongside all five stages, and its results feed back into the business context

  8. Understand the Business Context • "Who cares?" • Identify business goals, priorities and circumstances, e.g., • Increasing revenue • Meeting service-level agreements • Reducing development cost • Generating a high return on investment • Identify which security risks to consider

  9. Identify Business and Technical Risks • "Why should the business care?" • Business risk • Direct threat • Indirect threat • Consequences • Financial loss • Loss of reputation • Violation of customer or regulatory constraints • Liability • Tie technical risks to the business context in a meaningful way

  10. Synthesize and Rank the Risks • "What should be done first?" • Prioritization of identified risks based on business goals • Allocating resources • Risk metrics: • Risk likelihood • Risk impact • Risk severity • Number of emerging risks

  11. Define the Risk Mitigation Strategy • "How to mitigate risks?" • Available technology and resources • Constrained by the business context: what the organization can afford, integrate, and understand • Needs validation techniques

  12. Carry Out Fixes and Validate • Perform the actions defined in the previous stage • Measure "completeness" against the risk mitigation strategy • Progress against risk • Remaining risks • Assurance of mechanisms • Testing

  13. Measuring and Reporting • Continuous and consistent identification and storage of risk information over time • Maintain risk information at all stages of risk management • Establish measurements, e.g., • Number of risks, severity of risks, cost of mitigation, etc.
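The five stages above, worked through on a small risk register as an added example (not from the slides): a constructed register for the hypothetical ReallySecure Inc. of slide 6 is ranked by likelihood times impact, a mitigation strategy is chosen under a budget constraint, and the remaining risk and the cost of the fixes are reported. All figures, risk names and the greedy "best reduction per dollar" selection rule are assumptions made for illustration.

```python
from dataclasses import dataclass


@dataclass
class Risk:
    """One entry of a risk register (all figures are constructed for this example)."""
    name: str
    likelihood: float            # probability the threat is realised in a year (0..1)
    impact: float                # loss in dollars if it is realised
    mitigation_cost: float       # cost of the planned control, in dollars
    mitigated_likelihood: float  # likelihood once the control is in place

    @property
    def severity(self) -> float:
        # likelihood x impact: annualised expected loss, the ranking metric
        return self.likelihood * self.impact

    @property
    def reduction(self) -> float:
        # expected loss the control removes
        return (self.likelihood - self.mitigated_likelihood) * self.impact


# Constructed register for the hypothetical ReallySecure Inc. from slide 6.
RISKS = [
    Risk("SQL injection in customer portal exposes customer database", 0.30, 2_000_000, 40_000, 0.05),
    Risk("Ransomware on file servers", 0.20, 1_500_000, 60_000, 0.04),
    Risk("Insider leaks pricing data", 0.10, 500_000, 20_000, 0.06),
    Risk("DDoS causes SLA breach", 0.40, 200_000, 50_000, 0.10),
]


def rank_risks(risks):
    """Synthesize and rank: most severe first ("what should be done first?")."""
    return sorted(risks, key=lambda r: r.severity, reverse=True)


def plan_mitigations(risks, budget):
    """Define the mitigation strategy under a budget constraint: take the controls
    with the best risk reduction per dollar until the money runs out."""
    chosen, remaining = [], budget
    by_value = sorted(risks, key=lambda r: r.reduction / r.mitigation_cost, reverse=True)
    for r in by_value:
        if r.reduction > 0 and r.mitigation_cost <= remaining:
            chosen.append(r)
            remaining -= r.mitigation_cost
    return chosen


def report(risks, chosen):
    """Measure and report: initial risk, remaining risk after the chosen fixes,
    progress against risk, and what the fixes cost."""
    initial = sum(r.severity for r in risks)
    remaining = sum(
        (r.mitigated_likelihood if r in chosen else r.likelihood) * r.impact for r in risks
    )
    return {
        "initial_risk": initial,
        "remaining_risk": remaining,
        "risk_reduced": initial - remaining,
        "mitigation_cost": sum(r.mitigation_cost for r in chosen),
    }


if __name__ == "__main__":
    for r in rank_risks(RISKS):
        print(f"{r.severity:>12,.0f}  {r.name}")
    chosen = plan_mitigations(RISKS, budget=100_000)
    print("mitigate first:", [r.name for r in chosen])
    print(report(RISKS, chosen))
```

With a budget of 100,000 the two most valuable controls are funded, the highest-severity risk is also the first one fixed, and the report shows how much of the initial expected loss remains; the same numbers feed the "progress against risk" and "remaining risks" measurements of slides 12 and 13.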

  14. What is Being Protected, Why, and How? • Risk assessment • RISK sits at the intersection of threats, vulnerabilities, and consequences: a threat that can exploit a vulnerability to produce a consequence for an asset you care about

  15. Security Objectives • Secrecy (confidentiality): prevent/detect/deter improper disclosure of information • Integrity: prevent/detect/deter improper modification of information • Availability: prevent/detect/deter improper denial of access to services

  16. Security Tradeoffs • Security, functionality, and ease of use pull against each other: gaining more of one usually costs some of the others, and each of them adds to COST

  17. Achieving Security • Policy • What to protect? • Mechanism • How to protect? • Assurance • How good is the protection?

  18. Policy • Organizational policy • Information systems policy

  19. Security by Obscurity • Hiding the inner workings of the system • Bad idea! Why it fails: • Vendor-independent open standards mean the design is public anyway • Computer knowledge is widespread, so hidden workings are quickly rediscovered

  20. Security by Legislation • Instructing users how to behave • Not good enough! • Important, but it can only enhance security that is provided by other means • Targets only some of the security problems

  21. Security Mechanism • Prevention • Detection • Tolerance and Recovery

  22. Identification / Authentication

  23. Authentication • Allows an entity (a user or a system) to prove its identity to another entity • Typically, the entity whose identity is verified demonstrates knowledge of some secret S to the verifier • Strong authentication: the entity demonstrates knowledge of S to the verifier without revealing S itself (for example, by answering a fresh challenge with a value computed from S), so an eavesdropper on the exchange does not learn S

  24. User Authentication • What the user knows • Password, personal information • What the user possesses • Physical key, ticket, passport, token, smart card • What the user is (biometrics) • Fingerprints, voiceprint, signature dynamics
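Slide 23's distinction between revealing S and demonstrating knowledge of S, as an added example (not from the slides): a challenge-response exchange built on HMAC-SHA256 from the Python standard library, next to the weak form in which the secret itself travels to the verifier. The shared secret, the 16-byte random nonce, and the one-shot nonce bookkeeping are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

# Constructed shared secret S; in practice a per-user key held on a token or
# derived from the password. The verifier must hold S (or a key derived from it).
SHARED_SECRET = b"example-secret-S-known-to-user-and-server"


def weak_authentication(verifier_secret: bytes, presented: bytes) -> bool:
    """Password-style check: the secret itself is sent to the verifier.
    Anyone who sees the exchange learns S and can log in later."""
    return hmac.compare_digest(verifier_secret, presented)


class Verifier:
    """Challenge-response verifier: issues a fresh random nonce per attempt and
    accepts only a correct response to a nonce it has not yet consumed."""

    def __init__(self, secret: bytes):
        self._secret = secret
        self._outstanding = set()

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self._outstanding.add(nonce)
        return nonce

    def verify(self, nonce: bytes, response: bytes) -> bool:
        if nonce not in self._outstanding:
            return False  # unknown or already-used nonce: a replayed transcript fails
        self._outstanding.discard(nonce)
        expected = hmac.new(self._secret, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)  # constant-time comparison


def respond(secret: bytes, nonce: bytes) -> bytes:
    """Prover side: demonstrate knowledge of S by keying an HMAC over the nonce.
    Only the HMAC output leaves the prover; S itself is never transmitted."""
    return hmac.new(secret, nonce, hashlib.sha256).digest()


def strong_authentication_demo():
    v = Verifier(SHARED_SECRET)

    nonce = v.challenge()
    response = respond(SHARED_SECRET, nonce)
    accepted = v.verify(nonce, response)

    # An eavesdropper captured (nonce, response) and replays it: rejected,
    # because that nonce has already been consumed.
    replay_accepted = v.verify(nonce, response)

    # Someone without S answers a fresh challenge: rejected.
    nonce2 = v.challenge()
    impostor_accepted = v.verify(nonce2, respond(b"guess", nonce2))

    # Nothing on the wire contains S.
    secret_on_wire = SHARED_SECRET in (nonce + response)
    return accepted, replay_accepted, impostor_accepted, secret_on_wire


if __name__ == "__main__":
    print(weak_authentication(SHARED_SECRET, SHARED_SECRET))  # True, but S was sent
    print(strong_authentication_demo())                      # (True, False, False, False)
```

The verifier still has to hold S, so this protects the exchange, not the verifier's credential store; password-based systems keep a derived key there instead. Nonces must be unpredictable and never reused, otherwise a captured response is as good as the secret.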

  25. Access Control

  26. Access Control • Protection objects: system resources for which protection is desirable • Memory, file, directory, hardware resources, software resources, etc. • Subjects: active entities requesting access to resources • User, owner, program, etc. • Access mode: type of access • Read, write, execute

  27. Access Control • Access control components: • Access control policy: specifies the authorized accesses of a system • Access control mechanism: implements and enforces the policy • Separating the components allows one to: • Define access requirements independently from the implementation • Compare different policies • Implement mechanisms that can enforce a wide range of policies

  28. Closed vs. Open Systems • Closed system (minimum privilege): for each access request, ask whether a rule authorizing the access exists; if yes, access is permitted; if no, access is denied • Open system (maximum privilege): for each access request, ask whether a rule disallowing the access exists; if yes, access is denied; if no, access is permitted • A closed system's rules list the allowed accesses, an open system's rules list the disallowed accesses
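The two decision flows of slide 28 as an added example (not from the slides): a small rule set holding both authorizations and prohibitions is evaluated once as a closed system (default deny) and once as an open system (default permit), so the difference shows on a request that no rule mentions. The rule format, the '*' wildcard and the sample subjects, objects and requests are assumptions made for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One authorization (allow=True) or prohibition (allow=False).
    '*' in any field matches every subject, object, or access mode."""
    subject: str
    obj: str
    mode: str
    allow: bool

    def matches(self, subject: str, obj: str, mode: str) -> bool:
        return all(
            pattern in ("*", value)
            for pattern, value in ((self.subject, subject), (self.obj, obj), (self.mode, mode))
        )


def closed_system(rules, subject, obj, mode) -> bool:
    """Minimum privilege: permitted only if an explicit allow rule exists."""
    return any(r.allow and r.matches(subject, obj, mode) for r in rules)


def open_system(rules, subject, obj, mode) -> bool:
    """Maximum privilege: permitted unless an explicit deny rule exists."""
    return not any((not r.allow) and r.matches(subject, obj, mode) for r in rules)


def decide_all(rules, requests):
    """Evaluate each (subject, object, mode) request under both policies."""
    return {
        req: {"closed": closed_system(rules, *req), "open": open_system(rules, *req)}
        for req in requests
    }


# Constructed rule set: who may do what to which protection object.
RULES = [
    Rule("alice", "payroll.db", "read", allow=True),
    Rule("bob", "payroll.db", "write", allow=False),
    Rule("*", "/tmp", "write", allow=True),
]

# Constructed access requests, including one that no rule mentions at all.
REQUESTS = [
    ("alice", "payroll.db", "read"),
    ("bob", "payroll.db", "write"),
    ("carol", "payroll.db", "read"),   # no rule either way
    ("carol", "/tmp", "write"),
]


if __name__ == "__main__":
    for req, decision in decide_all(RULES, REQUESTS).items():
        print(req, decision)
```

The request from carol for payroll.db is the one that matters: with no rule about it, the closed system denies and the open system permits. That is why the mechanism (the two evaluation functions) is kept separate from the policy (the rule list), as slide 27 argues; the same rule list can be enforced either way, and a closed mechanism is the one to choose when the rule list may be incomplete.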

  29. Firewalls

  30. Traffic Control – Firewall • A firewall is a security wall between the private (protected) network and the outside world: all traffic between the private network and the external network passes through it

  31. Firewall Objectives • Keep intruders, malicious code, and unwanted traffic or information out (external attacks against the private network) • Keep proprietary and sensitive information in (proprietary data leaving for the external network)

  32. Cryptography • Secret-key encryption • Public-key encryption • Cryptographic protocols

  33. Insecure Communications • The sender transmits a confidential message to the recipient over an insecure channel; a snooper on the channel can read it

  34. Encryption and Decryption • Plaintext is turned into ciphertext by encryption, and ciphertext is turned back into plaintext by decryption

  35. Conventional (Secret-Key) Cryptosystem • Sender: C = E(K, M) • Recipient: M = D(K, C) • The same key K is used on both sides, so K needs a secure (confidential) channel to be shared

  36. Public-Key Cryptosystem • The sender encrypts with the recipient's public key: C = E(Kpub, M) • The recipient decrypts with the recipient's private key: M = D(Kpriv, C) • Kpub needs a reliable (authentic) channel: it need not be secret, but the sender must be sure it really belongs to the recipient

  37. Cryptographic Protocols • Messages should be transmitted to the destination • Only the recipient should see it (confidentiality) • Only the recipient should get it • Proof of the sender's identity (authentication of origin) • The message shouldn't be corrupted in transit (integrity) • The message should be sent/received once only (protection against replay)
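Slides 35 to 37 put together as an added example (not from the slides): a sender/receiver pair that gives each message confidentiality, origin authentication, integrity and once-only delivery using only the Python standard library. Because the standard library ships no cipher, confidentiality here comes from HMAC-SHA256 used as a PRF in counter mode; that construction and the two literal keys are assumptions made so the block runs stand-alone, and in practice an AEAD such as AES-GCM or ChaCha20-Poly1305 replaces it. Agreeing the shared keys with the recipient's key pair from slide 36 is the step not shown.

```python
import hashlib
import hmac
import struct

# Constructed keys for the example. A real protocol derives separate encryption
# and MAC keys from one shared secret (e.g. agreed using the recipient's public
# key); here they are literals so the block runs stand-alone.
KEY_ENC = b"encryption-key-constructed-for-this-example"
KEY_MAC = b"mac-key-constructed-for-this-example"

SEQ_LEN, TAG_LEN = 8, 32


def keystream(key: bytes, seq: int, length: int) -> bytes:
    """Pseudorandom keystream: HMAC-SHA256 as a PRF in counter mode, keyed by
    the message sequence number so no (key, counter) pair is ever reused.
    Stand-in for a real cipher (use AES-GCM or ChaCha20-Poly1305 in practice)."""
    out = b""
    for block in range((length + 31) // 32):
        out += hmac.new(key, struct.pack(">QQ", seq, block), hashlib.sha256).digest()
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class Sender:
    def __init__(self):
        self.seq = 0

    def send(self, plaintext: bytes) -> bytes:
        header = struct.pack(">Q", self.seq)
        ciphertext = xor(plaintext, keystream(KEY_ENC, self.seq, len(plaintext)))
        # encrypt-then-MAC over header and ciphertext: origin, integrity and order
        tag = hmac.new(KEY_MAC, header + ciphertext, hashlib.sha256).digest()
        self.seq += 1
        return header + ciphertext + tag


class Receiver:
    def __init__(self):
        self.expected_seq = 0

    def receive(self, message: bytes) -> bytes:
        if len(message) < SEQ_LEN + TAG_LEN:
            raise ValueError("truncated message")
        header, ciphertext, tag = message[:SEQ_LEN], message[SEQ_LEN:-TAG_LEN], message[-TAG_LEN:]
        expected = hmac.new(KEY_MAC, header + ciphertext, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):      # checked before anything else
            raise ValueError("integrity/authentication failure")
        (seq,) = struct.unpack(">Q", header)
        if seq != self.expected_seq:
            raise ValueError("replayed, reordered, or missing message")
        self.expected_seq += 1
        return xor(ciphertext, keystream(KEY_ENC, seq, len(ciphertext)))


def run_channel():
    """Constructed exchange; returns which of slide 37's protections held."""
    alice, bob = Sender(), Receiver()
    wire = alice.send(b"transfer 100 to acct 42")

    snooper_sees_plaintext = b"transfer" in wire           # confidentiality
    delivered = bob.receive(wire)                          # honest delivery

    def rejected(msg):
        try:
            bob.receive(msg)
            return False
        except ValueError:
            return True

    replay_rejected = rejected(wire)                       # once only
    tampered = wire[:SEQ_LEN] + bytes([wire[SEQ_LEN] ^ 0x01]) + wire[SEQ_LEN + 1:]
    tamper_rejected = rejected(tampered)                   # integrity
    forged = alice.send(b"")[:SEQ_LEN] + b"x" + b"\x00" * TAG_LEN
    forgery_rejected = rejected(forged)                    # origin authentication
    return {
        "delivered": delivered,
        "snooper_sees_plaintext": snooper_sees_plaintext,
        "replay_rejected": replay_rejected,
        "tamper_rejected": tamper_rejected,
        "forgery_rejected": forgery_rejected,
    }


if __name__ == "__main__":
    print(run_channel())
```

The receiver insists on the exact next sequence number, so a lost or reordered message is rejected the same way as a replay; real protocols keep a sliding window. The MAC is checked before the sequence number and before decryption, so nothing is acted on until its origin is verified, and the constant-time comparison avoids leaking how many tag bytes matched.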

  38. Detection/Response

  39. Misuse Prevention • Prevention techniques: first line of defense • Secure local and network resources • Techniques: cryptography, identification, authentication, authorization, access control, security filters, etc. • Problem: losses occur anyway!

  40. Intrusion Management • Intrusion prevention: protect system resources • Intrusion detection (second line of defense): discriminate intrusion attempts from normal system usage • Intrusion recovery: cost-effective recovery models

  41. Anomaly versus Misuse • Four cases, by whether the activity is intrusive and whether it looks like NORMAL behavior: • Non-intrusive and looks normal: correctly ignored • Intrusive but looks normal: false negative (non-anomalous but intrusive activity, missed by anomaly detection) • Non-intrusive but does NOT look normal: false positive (anomalous but non-intrusive activity, wrongly flagged) • Intrusive and does NOT look normal: correctly detected
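Slide 41's four cases, as an added example (not from the slides): a signature-based misuse detector and a per-user profile anomaly detector run over the same constructed access log, each scored against analyst-assigned ground truth. The log lines, the two signatures and the profiling rule are assumptions made for the example.

```python
import re
from collections import defaultdict


def resource(request: str) -> str:
    """Path part of a request, without the query string."""
    return request.split("?", 1)[0]


# Misuse detection: known attack patterns (constructed signatures for this example).
SIGNATURES = [re.compile(p, re.IGNORECASE) for p in (r"union\s+select", r"\.\./")]


def misuse_detector(event: dict) -> bool:
    return any(sig.search(event["request"]) for sig in SIGNATURES)


class AnomalyDetector:
    """Anomaly detection: learn which resources each user normally touches, then
    flag any request outside that profile (unknown users have an empty profile)."""

    def __init__(self):
        self.profile = defaultdict(set)

    def train(self, events):
        for e in events:
            self.profile[e["user"]].add(resource(e["request"]))

    def __call__(self, event: dict) -> bool:
        return resource(event["request"]) not in self.profile.get(event["user"], set())


def evaluate(detector, events):
    """Confusion matrix of alarms against the ground-truth 'intrusive' label."""
    counts = {"TP": 0, "FP": 0, "FN": 0, "TN": 0}
    for e in events:
        alarm = bool(detector(e))
        correct = alarm == e["intrusive"]
        counts[("T" if correct else "F") + ("P" if alarm else "N")] += 1
    return counts


# Constructed web-server access events. 'intrusive' is the ground truth an
# analyst would assign; neither detector gets to see it.
TRAINING = [
    {"user": "alice", "request": "/home"},
    {"user": "alice", "request": "/reports"},
    {"user": "bob", "request": "/home"},
    {"user": "bob", "request": "/payroll?id=7"},
]
EVENTS = [
    {"user": "alice", "request": "/reports", "intrusive": False},
    {"user": "bob", "request": "/payroll?id=7 UNION SELECT password FROM users", "intrusive": True},
    {"user": "mallory", "request": "/admin", "intrusive": True},      # novel attack, no signature
    {"user": "alice", "request": "/admin", "intrusive": False},       # legitimate but unusual
    {"user": "bob", "request": "/home/../../etc/passwd", "intrusive": True},
]


def compare_detectors():
    anomaly = AnomalyDetector()
    anomaly.train(TRAINING)
    return {"misuse": evaluate(misuse_detector, EVENTS), "anomaly": evaluate(anomaly, EVENTS)}


if __name__ == "__main__":
    for name, counts in compare_detectors().items():
        print(name, counts)
```

The misuse detector misses the novel attack on /admin (a false negative, because there is no signature for it); the anomaly detector misses the injection against a resource bob normally uses (non-anomalous but intrusive) and flags alice's legitimate first visit to /admin (anomalous but non-intrusive). That asymmetry is the slide's matrix, and it is why production deployments run both kinds of detector and tune the anomaly profile against the false-positive cost.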

  42. Malicious Code Detection • Virus and worm • Programming flaws • Application-specific code • Distributed, heterogeneous platforms • Complex applications • Security applications vs. secure applications • Build security into the system

  43. Response/Tolerance

  44. Incident Response • Federal Communications Commission: Computer Security Incident Response Guide, 2001, http://csrc.nist.gov/fasp/FASPDocs/incident-response/Incident-Response-Guide.pdf • Incident Response Team, R. Nellis, http://www.rochissa.org/downloads/presentations/Incidence%20Response%20Teams.ppt • NIST special publications, http://csrc.nist.gov/publications/nistpubs/index.html

  45. Intrusion Recovery • Actions to avoid further loss from the intrusion • Terminate the intrusion and protect against reoccurrence • Law enforcement • Enhance defensive security • Reconstructive methods based on: • Time period of the intrusion • Changes made by legitimate users during the affected period • Regular backups, audit-trail-based detection of affected components, semantics-based recovery, minimal roll-back for recovery

  46. What is "Survivability"? • To decide whether a computer system is "survivable", you must first decide what "survivable" means.

  47. Effect Modeling and Vulnerability Detection • After an intrusion, classify components as seriously affected, weakly affected, or not affected • Cascading effects: a component that depends on an affected component becomes affected in turn
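Audit-trail-based detection of affected components, cascading effects and minimal roll-back (slides 45 and 47), as an added example (not from the slides): a constructed transaction log is walked forward from the flagged intrusion, corruption propagates through read-write dependencies, and only the transactions that read corrupted data end up in the rollback set, so legitimate work done during the affected period is kept. The log, the rule that a clean blind write repairs an item, and the mapping of slide 47's categories onto direct and transitive effects are assumptions; the slide's "weakly affected" class is not modelled.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Txn:
    """One audit-trail record: a committed transaction, what it read and wrote."""
    tid: str
    reads: frozenset
    writes: frozenset


# Constructed audit trail in commit order. T2 is the transaction the intrusion
# detector flagged as malicious.
AUDIT_TRAIL = [
    Txn("T1", frozenset({"a"}), frozenset({"b"})),       # before the intrusion
    Txn("T2", frozenset(), frozenset({"c"})),             # the intrusion: corrupts c
    Txn("T3", frozenset({"c"}), frozenset({"d"})),        # reads corrupted c, so d is bad
    Txn("T4", frozenset({"b"}), frozenset({"e"})),        # touches nothing corrupted
    Txn("T5", frozenset({"a", "d"}), frozenset({"f"})),   # reads corrupted d, so f is bad
    Txn("T6", frozenset({"e"}), frozenset({"c"})),        # blind overwrite of c with clean data
]


def assess_damage(trail, intrusion_tid):
    """Walk the audit trail from the intrusion forward, propagating corruption
    through read-write dependencies. Returns the affected transactions (the
    minimal rollback set), the unaffected ones, and the items still corrupted."""
    tainted = set()
    affected, unaffected = [], []
    started = False
    for t in trail:
        if t.tid == intrusion_tid:
            started = True
        if not started:
            unaffected.append(t.tid)                  # committed before the intrusion
            continue
        if t.tid == intrusion_tid or t.reads & tainted:
            affected.append(t.tid)                    # directly or transitively affected
            tainted |= t.writes                       # its writes spread the damage
        else:
            unaffected.append(t.tid)
            tainted -= t.writes                       # a clean overwrite repairs the item
    return affected, unaffected, tainted


def classify(trail, intrusion_tid):
    """Slide 47's picture: the directly affected transaction, the cascading
    (transitively affected) ones, and those not affected at all."""
    affected, unaffected, _ = assess_damage(trail, intrusion_tid)
    return {
        "directly_affected": [intrusion_tid],
        "cascading": [tid for tid in affected if tid != intrusion_tid],
        "not_affected": unaffected,
    }


if __name__ == "__main__":
    print(assess_damage(AUDIT_TRAIL, "T2"))
    print(classify(AUDIT_TRAIL, "T2"))
```

Restoring a backup taken before T2 would also discard T1, T4 and T6, which were legitimate; the dependency walk instead names T2, T3 and T5 as the roll-back set and d and f as the items still needing repair (c was already overwritten cleanly by T6). The result is only as good as the audit trail: a read that was not logged hides a dependency, so this analysis needs complete read/write logging for the affected period.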

  48. Due Care and Liability • Organizational liability for misuse • US Federal Sentencing Guidelines: the chief executive officer and top management are responsible for fraud, theft, and antitrust violations committed by insiders or outsiders using the company's resources • Fines and penalties: a base fine multiplied by a culpability score (5%-400% of the base fine) • Good-faith efforts that reduce culpability: written policies, procedures, a security awareness program, disciplinary standards, monitoring and auditing, reporting, and cooperation with investigations

  49. How to Respond?