
Security and the System Administrator


Presentation Transcript


  1. Security and the System Administrator William Hugh Murray 24 East Avenue Suite 1362 New Canaan, CT 06840 (203)966-4769 WHMurray@sprynet.com

  2. Bio William Hugh Murray Bill Murray is information system security consultant to Deloitte & Touche. He has more than thirty-five years experience in data processing and more than twenty in security. During more than twenty-five years with IBM his management responsibilities included development of access control programs, advising IBM customers on security, and the articulation of the security product plan. In 1987 he received the Fitzgerald Memorial Award for leadership in data security. In 1989 he received the Joseph J. Wasserman Award for contributions to security, audit and control. Mr. Murray holds the Bachelor of Science degree in Business Administration from Louisiana State University, and is a graduate of the Jesuit Preparatory High School of New Orleans.

  3. Abstract Everything that business or government does with computers or communications becomes part of the social and economic infrastructure of the twenty-first century. Much of the configuration and operation of this novel and critical infrastructure will be in the hands of the system and network administrators. They are often the first to be called when the infrastructure is stressed or breaks, but their training is often on-the-job, remedial, and late. Although they understand the weaknesses and limitations of their materials all too well, they are rarely taught how to compensate for those weaknesses. Out of necessity, their security approach tends to be reactive and remedial. This presentation will provide system and network administrators with a set of broadly applicable strategies and proactive approaches they can use to protect systems from outside interference and contamination, provide appropriate application controls, and protect their networks from undesired traffic. Among other things, it will address policy and service-level agreements; when to plan and for what; effective use of access controls; strong network perimeters and how to compensate for leaks; and how to use weak materials to build strong systems.

  4. Security Objectives
  • Protect applications from interference or contamination
  • Preserve confidentiality, integrity, and availability of data
  • Protect employees from temptation and suspicion
  • Preserve the continuity of the business
  • Protect management from charges of imprudence

  5.-7. (Chart slides: cost in $ plotted against the amount of security. Slide 5 shows the Cost of Losses curve, slide 6 adds the Cost of Security curve, and slide 7 adds the Total Cost curve, the sum of the two.)

  8. Character of Costs
  Cost of Losses:
  • infrequent
  • irregular
  • uncertain
  • unexpected
  • threatening
  Cost of Security:
  • frequent
  • regular
  • certain
  • budgeted
  • cost of doing business

  9. Sources of loss

  10. Other sources of loss
  • All acts by outsiders
  • malicious programs
  • Trojan Horses
  • Viruses
  • Logic bombs
  • Worms
  • Other
  • espionage

  11.-17. Jacobson’s Window (seven figure slides; only the title survives in the transcript)

  18. Characterization of Threats and Vulnerabilities
  • natural v. man-made
  • accidental v. intentional
  • insiders v. outsiders
  • passive v. active
  • manual v. automatic
  • trial and error v. systematic
  • local v. global

  19. Attacks & Attackers
  • “social engineering”
  • guessing
  • short dictionary or sweet list
  • long dictionary
  • exhaustive
  • browsing
  • eavesdropping
  • spoofing
  • password grabbers
  • Trojan Horses

  20. Targets
  • Targets of Opportunity
  • highly visible
  • low cost of attack
  • unknown value of success

  21. Cost of Attack
  • Work
  • Access
  • Indifference to detection
  • Special Knowledge
  • Time to corrective action
  Any one of these can reduce the requirements for any of the others; there are enough of them in the world to break any system.


  24. Targets
  • Targets of Opportunity
  • highly visible
  • low cost of attack
  • unknown value of success
  • Targets of Choice
  • expected value of success
  • greater than expected cost of attack

  25. Value of Success
  • Computer time
  • Data, information, knowledge, application value
  • Access to other networks
  • Identity
  • Anonymity
  • Trust or confidence

  26. Cost to Victim
  • Loss of confidentiality
  • Loss of integrity
  • Loss of reliability and trust
  • Loss of use
  • Liability to third parties
  • Loss of resources for restoration

  27. Cost of System Security is measured in:
  • Generality
  • Flexibility
  • Performance
  • And Functionality
  Get used to it!

  28. Courtney’s Laws
  • Nothing useful can be said about security except in the context of an application and an environment.
  • Never spend more money eliminating a vulnerability than tolerating it will cost you.
  • There are management solutions to technical problems but there are no technical solutions to management problems.

  29. Efficient Security Measures:
  • safe environment
  • management direction
  • supervision
  • accountability
  • copies of the data
  • access control
  • secret codes (crypto)
  • contingency planning

  30. Policy
  • A statement of management’s intent
  • Expressed as objectives or practices
  • Translated to access control policy
  • Mapped to a system policy

  31. Why Systems Fail?
  • Poor Design
  • Inadequate Materials
  • Poor Fabrication
  • Poor Maintenance
  • Improper Operation
  • Abuse and Misuse

  32. Sufficient Conditions for the Success of a Virus
  • Large population of similar machines
  • Sharing within the population
  • A place for the virus to store the replica
  • A way for it to get itself executed
  • (Creates replicas faster than they are destroyed)

  33. Enterprise Security in the 90s
  • Inadequate expression of management intent
  • Multiple signons, ids, and passwords
  • Multiple points of control
  • Unsafe defaults
  • Complex administration
  • Late recognition of problems
  We are being overwhelmed once more!

  34. Recommendations
  • Prefer single application or single user system to multi-application multi-user (think servers)
  • Hide operating systems from the network
  • Restrict write access to a single process per object
  • Restrict read access to mutable objects to those who can change them
  • Application end-to-end encryption (PPTP, L2TP, other)
  • Scan for viruses in and out
  • Scan for viruses on desktop and servers
  • Scan for viruses
  • Layer your defenses
  • Prefer application-aware composed firewalls between layers
  • Man the walls!
  • Economy of Logon
  • Client-side strong authentication
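The two access-control recommendations above ("one writer per object" and "readers of a mutable object must be able to change it") can be checked mechanically against an access-control table. The following audit is an added example, not code from the presentation; the table format and the sample entries are constructed here.

```python
"""Audit an access-control table against two rules from the Recommendations slide:
1. at most one subject (process) may hold write access to each object;
2. whoever may read a mutable object must also be able to change it.
An object is treated as mutable when any subject holds write access to it.
The triple format and the SAMPLE_ACL entries are constructed for this example."""
from collections import defaultdict

# Constructed sample table: (subject, object, right), right is "r" or "w".
SAMPLE_ACL = [
    ("payroll-svc", "payroll.db", "w"),
    ("payroll-svc", "payroll.db", "r"),
    ("report-svc", "payroll.db", "r"),     # reads a mutable object it cannot change
    ("web-fe", "static/index.html", "r"),  # no writer, so the object is immutable
    ("ops", "static/index.html", "r"),     # and any number of readers is fine
    ("app-a", "shared.log", "w"),
    ("app-b", "shared.log", "w"),          # second writer on one object
]


def audit(acl):
    """Return a list of (object, rule violated, offending subjects) tuples."""
    writers = defaultdict(set)
    readers = defaultdict(set)
    for subject, obj, right in acl:
        (writers if right == "w" else readers)[obj].add(subject)

    findings = []
    for obj in sorted(set(writers) | set(readers)):
        # Rule 1: a single writing process per object.
        if len(writers[obj]) > 1:
            findings.append((obj, "multiple writers", sorted(writers[obj])))
        # Rule 2 applies only to mutable objects (those with at least one writer).
        if writers[obj]:
            cannot_change = readers[obj] - writers[obj]
            if cannot_change:
                findings.append((obj, "readers who cannot change it", sorted(cannot_change)))
    return findings


if __name__ == "__main__":
    for obj, rule, subjects in audit(SAMPLE_ACL):
        print(f"{obj}: {rule}: {', '.join(subjects)}")
```

Run against a dump of real ACLs, every reported object is either a shared-write object or a mutable object with readers outside its writer set, which is exactly what the slide asks the administrator to eliminate.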

  35. Strong Authentication
  • Two kinds of evidence from list of
  • something one person knows (e.g., pass-phrase)
  • has (token)
  • is (biometric, e.g., visage)
  • or can do (e.g., speech)
  • At least one of which is resistant to replay
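The slide's rule (two different kinds of evidence, at least one of them replay-resistant) is easy to get wrong when a policy lists factors by name rather than by kind. The checker below is an added example, not from the presentation; the factor catalogue and its replay-resistance flags are assumptions made for the example.

```python
"""Check a proposed set of login factors against the Strong Authentication slide:
evidence of at least two distinct kinds (knows / has / is / can do), at least
one of which resists replay. The CATALOGUE and its flags are constructed for
this example and are not a statement about any particular product."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Factor:
    name: str
    kind: str              # "knows", "has", "is", or "can_do"
    replay_resistant: bool  # assumption: does a captured sample work a second time?


# Constructed catalogue. A static secret or a stored image can be captured and
# presented again; a one-time code or a per-attempt spoken challenge cannot.
CATALOGUE = {
    "passphrase":       Factor("passphrase", "knows", False),
    "pin":              Factor("pin", "knows", False),
    "otp_token":        Factor("otp_token", "has", True),
    "smartcard":        Factor("smartcard", "has", True),
    "face_image":       Factor("face_image", "is", False),
    "spoken_challenge": Factor("spoken_challenge", "can_do", True),
}


def weaknesses(factor_names):
    """Return the list of slide rules the combination fails (empty means strong)."""
    factors = [CATALOGUE[name] for name in factor_names]
    problems = []
    kinds = {f.kind for f in factors}
    if len(kinds) < 2:
        problems.append("fewer than two kinds of evidence: " + ", ".join(sorted(kinds)))
    if not any(f.replay_resistant for f in factors):
        problems.append("no factor is resistant to replay")
    return problems


def is_strong(factor_names):
    return not weaknesses(factor_names)


if __name__ == "__main__":
    for combo in (["passphrase", "otp_token"], ["passphrase", "pin"],
                  ["passphrase", "face_image"], ["smartcard", "otp_token"]):
        print(combo, "strong" if is_strong(combo) else weaknesses(combo))
```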

  36. “We are not building toy systems anymore.”
