
Vulnerability Analysis

Vulnerability Analysis. Stefanie Wilcox. Vulnerabilities. Hardware Software Data. Hardware Vulnerabilities. Devices-adding, removing Traffic-interrupting, flooding Physical Attacks Involuntary machine slaughter Machinicide Theft


Presentation Transcript


  1. Vulnerability Analysis Stefanie Wilcox

  2. Vulnerabilities • Hardware • Software • Data

  3. Hardware Vulnerabilities • Devices: adding, removing • Traffic: interrupting, flooding • Physical Attacks • Involuntary machine slaughter • Machinicide • Theft • “...thousands of dollars worth of equipment sits unattended on desks. Curiously, the supply cabinet, containing only a few hundred dollars worth of pens, pencils and paper clips is often locked...”

  4. Software Vulnerabilities • Software Deletion • Software Modification • Logic Bombs • Trojan Horse • Virus • Trapdoor • Information Leaks • Software Theft • Unauthorized copying

  5. Data Vulnerabilities • Confidentiality: unauthorized disclosure of a data item • Integrity: unauthorized modification • Availability: denial of authorized access

  6. Penetration Studies • Also called tiger team attack or red team attack • Tests the system once it is in place. • Goal is to violate the site security policy. • Type 1: Authorized attempt to violate specific constraints stated in the form of a security or integrity policy. Penetration Test Example. • Type 2: No specific target. Find some number of vulnerabilities in a set period of time. Penetration Test Example.

  7. Penetration Studies (cont'd) • Layering of tests • 1) External attacker with no knowledge of the system. • 2) External attacker with access to the system. • 3) Internal attacker with access to the system.

  8. Flaw Hypothesis Methodology • 1) Information Gathering • 2) Flaw Hypothesis • 3) Flaw Testing • 4) Flaw Generalization • 5) Flaw Elimination

  9. Vulnerability Classification • 1) The ability to specify, design, and implement a computer system without vulnerabilities. • 2) The ability to analyze a computer system to detect vulnerabilities. • 3) The ability to address any vulnerabilities introduced during the operation of the computer system. • 4) The ability to detect attempted exploitations of vulnerabilities.

  10. Frameworks • The RISOS Study • Protection Analysis Model • NRL Taxonomy • Aslam’s Model

  11. Bibliography • Bishop, Matt. Computer Security
