
System Security and U. PowerPoint PPT Presentation



System Security and U. Rich Pethia Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213 This work is sponsored by the U.S. Department of Defense. CERT Coordination Center. The SEI established the Computer Emergency Response Team Coordination Center in 1988.

Presentation Transcript


System Security and U.

  • Rich Pethia, Software Engineering Institute, Carnegie Mellon University, Pittsburgh, PA 15213

  • This work is sponsored by the U.S. Department of Defense.


CERT Coordination Center

  • The SEI established the Computer Emergency Response Team Coordination Center in 1988.

  • The CERT/CC’s mission is to respond to security emergencies on the Internet, serve as a focal point for reporting and resolving security vulnerabilities, serve as a model to help others establish incident response teams, and raise awareness of security issues.


Activity

  • Since 1988, the CERT/CC has responded to over 100,000 security incidents that have affected hundreds of thousands of Internet sites; has worked over 5000 reported vulnerabilities, and has issued hundreds of advisories and bulletins. In addition, the CERT/CC has helped foster the creation of over 90 other incident response teams.


The Internet has Become Indispensable to Business, Government, Universities

  • The Internet allows organizations to:

    • conduct electronic commerce

    • provide better customer service

    • collaborate with business & research partners

    • reduce communications costs

    • improve internal communication

    • access needed information rapidly


The Risks

  • While computer networks revolutionize the way you do business, the risks computer networks introduce can be fatal to a business.

  • Network attacks lead to lost:

    • money

    • time

    • products

    • reputation

    • lives

    • sensitive information


Incidents Reported to CERT/CC


Vulnerability Reports are Increasing


Surveyed Companies Identify Risks - 1

  • Chart: Attacks (Source: Computer Security Institute/FBI Survey)


Surveyed Companies Identify Risks - 2

  • Chart: Attacks (Source: Computer Security Institute/FBI Survey)


How Did We Get Here?


The Problem

  • In the rush to benefit from using the Internet, organizations often overlook significant risks.

    • the engineering practices and technology used by system providers do not produce systems that are immune to attack

    • network and system operators do not have the people and practices to defend against attacks and minimize damage

    • policy and law in cyber-space are immature and lag the pace of change


Strain on System Administrators - 1

  • There is continued movement to complex, client-server, peer-to-peer, and heterogeneous configurations with distributed management.

  • There is little evidence of security improvements in most products; new vulnerabilities are found routinely.

  • Comprehensive security solutions are lacking; current tools address only parts of the problem.


Strain on System Administrators - 2

  • Engineering for ease of use has not been matched by engineering for ease of secure administration

    • ease of use and increased utility are driving a dramatic explosion in use

    • system administration and security administration are more difficult than a decade ago

    • this growing gap brings increased vulnerability


Other Reasons for Concern

  • Many security audits and evaluations only skim the surface of the organization and its technology; major risks are often overlooked.

  • Lack of understanding leads to reliance on partial solutions.


More Sophisticated Intruders

  • Intruders are

    • growing in number and type

    • building technical knowledge and skills

    • gaining leverage through automation

    • building skills in vulnerability discovery

    • becoming more skilled at masking their behavior


Attack Sophistication vs. Intruder Technical Knowledge

  • Figure (chart not reproduced): time axis from 1980 to 2000; scale from Low to High; labels: Intruder Knowledge, Attack Sophistication, Tools, Attackers.

  • Attack techniques labeled on the chart: password guessing, self-replicating code, password cracking, exploiting known vulnerabilities, burglaries, hijacking sessions, disabling audits, network mgmt. diagnostics, back doors, GUI, automated probes/scans, sweepers, www attacks, sniffers, DDOS attacks, denial of service, packet spoofing, “stealth” / advanced scanning techniques, network worms.


So What?


It's going to get worse - 1

  • Explosive growth of the Internet continues

    • where will all the capable system administrators come from?

  • Market growth will drive vendors

    • time to market, features, performance, cost are primary

    • “invisible” quality features such as security are secondary


It's going to get worse - 2

  • More sensitive applications connected to the Internet

    • low cost of communications, ease of connection, and power of products engineered for the Internet will drive out other forms of networking

    • hunger for connectivity, data and benefits of electronic interaction will continue to push widespread use of Internet technology


It's going to get worse - 3

  • The death of the firewall

    • traditional approaches depend on complete administrative control and strong perimeter controls

    • today’s business practices and wide area networks violate these basic principles

      • no central point of network control

      • more interconnections with customers, suppliers, partners

      • more network applications

        • “the network is the computer”

      • who’s an “insider” and who’s an “outsider”


What Can You Do Now?


Establish a Context-Sensitive Risk Management Process

  • Figure (process diagram not reproduced). Labels recoverable from the diagram: Critical assets; Organization Issues; Technology Issues; Security Requirements; Applications of Technology; Security Incidents; Environment; Technology Staffing; Threats; Identify; Self-Directed Assessment; Vulnerabilities; Mitigation Plans; Analyze and Prioritize; Mitigate; Prioritized Risks; Technology; Practices; Organization Improvements; Mission & Asset Value Data; Threat Data.


Assessment & Planning

Need

  • Effective security management programs must be sensitive to organizations’ goals and constraints.

Key Ideas

  • Identify critical assets (data, software, services, reputation) and protection requirements

  • Identify solution constraints: policy, regulation

  • Assess organization and technology against requirements

  • Develop strategy and plan to address deficiencies

How

  • Match responsibility with authority

  • Identify a core group to facilitate the process

  • Systematically walk through the steps with participation from all parts of organization

  • Develop actionable plan


Implementation

Need

  • Pervasive understanding of security policy, management practices and technical practices

Key Ideas

  • Organizations can improve the security & survivability of networked systems by adopting security policies and practices

  • It's simple, but it's not easy

How

  • Translate actionable plan into policies and practices

    • borrow heavily from published work

    • assign roles & responsibilities

  • Document, train, refresh

  • Check up, measure, enforce


Crisis Management

Need

  • Organizations need to build and mature a computer security incident response capability

How

  • Establish organizational focal point

  • Identify action plans for likely scenarios

  • Capture lessons learned & update plans

Key Ideas

  • Anticipate problems and desired outcomes

  • Pre-plan actions

  • Maintain ongoing awareness of evolving threats & vulnerabilities – adjust action plan accordingly


Get Plugged In

Need

  • Many of today’s solutions won’t work tomorrow.

Key Ideas

  • Structured networking helps organizations stay on top of a dynamic and rapidly changing problem

  • Sharing lessons learned leads to better practices and policies

How

  • Identify networking opportunities (ISA, ISACs, ISSA, InfraGard, I4, FIRST, etc.)

  • Plug in to group(s) of choice

  • Participate!


CERT Contact Information

24-hour hotline: +1 412 268 7090

CERT personnel answer 8:30 a.m. to 8:00 p.m. EST (GMT-5) / EDT (GMT-4), and are on call for emergencies during other hours.

Fax: +1 412 268 6989

Web site: http://www.cert.org/

Electronic mail: [email protected]

US mail: CERT Coordination Center, Software Engineering Institute, Carnegie Mellon University, 4500 Fifth Avenue, Pittsburgh PA 15213-3890, USA

