The Big Picture Practical, Economic, Legal Considerations - PowerPoint PPT Presentation

The Big Picture: Practical, Economic, Legal Considerations

CS 519

Cryptography and Network Security

Instructor: Ali Aydin Selcuk

The Big Picture
Prudent Practices for Info.Sec.
  • Compartmentalize
    • Not everyone should have access to everything
    • e.g. root vs. user accounts, kernel vs. user mode
    • “least privilege” principle
    • need-to-know basis
  • Secure the weakest link
    • e.g., a 10,000-bit symmetric key doesn’t make sense if the rest of the system is weaker
  • Use choke points
    • Constrain access to the system (gateways, firewalls, etc.)

Prudent Practices (cont’d)
  • Provide “defense in depth”
    • E.g., in bank security: door lock – alarm – safe
    • E.g., firewall – IDS – an internal firewall
  • Don’t release unnecessary information
    • E.g., version of the OS, of the program running, etc.
  • Embrace simplicity
  • Educate & convince users
  • Question your assumptions constantly
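As an added illustration of the “don’t release unnecessary information” practice (example code written for this transcript, not part of the slides or the course), the function below strips the HTTP response headers that advertise server software and versions before a response leaves the application. The header names are common real-world ones; the sample response, the generic `Server` value and the `leaks_version` helper are constructed assumptions for the example.

```python
# Added example (not from the slides): remove headers that leak software
# names and versions from an HTTP response. Header names are common ones;
# the sample response below is constructed for illustration.

import re
from typing import Iterable, List, Tuple

Header = Tuple[str, str]

# Headers whose only job is to advertise the software stack (assumed set).
LEAKY_HEADERS = {"server", "x-powered-by", "x-aspnet-version", "x-aspnetmvc-version"}

# Anything that looks like "major.minor" counts as a version number here.
VERSION_PATTERN = re.compile(r"\d+\.\d+")


def scrub_response_headers(headers: Iterable[Header], generic_server: str = "web") -> List[Header]:
    """Return a copy of `headers` without version-advertising headers.

    A single generic `Server` header is appended so clients that expect one
    still get it, but it no longer names the software or its version.
    """
    cleaned = [(name, value) for name, value in headers if name.lower() not in LEAKY_HEADERS]
    cleaned.append(("Server", generic_server))
    return cleaned


def leaks_version(headers: Iterable[Header]) -> List[str]:
    """List the leaky headers that still carry something that looks like a version."""
    return [f"{name}: {value}" for name, value in headers
            if name.lower() in LEAKY_HEADERS and VERSION_PATTERN.search(value)]


# Constructed sample: headers as a typical web stack might emit them.
SAMPLE_HEADERS = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Server", "Apache/2.4.41 (Ubuntu)"),
    ("X-Powered-By", "PHP/7.4.3"),
    ("Content-Length", "1234"),
]

if __name__ == "__main__":
    print("before:", leaks_version(SAMPLE_HEADERS))
    print("after: ", leaks_version(scrub_response_headers(SAMPLE_HEADERS)))
```

The check in `leaks_version` is deliberately crude (any “major.minor” string in a leaky header) so it also catches values such as build numbers; in a real deployment the same scrubbing is usually done at the reverse proxy, which is a choke point for every response.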

80/20 Rule of InfoSec

Pareto principle: Top 20% owns 80% of the land.

80/20 Rule of InfoSec (according to Symantec):

  • Remove unneeded services
    • remove components, programs, services from your system until the minimum "business needed" remain.
  • Keep Patch Levels Current (helped by Item 1)
    • use automation whenever possible
    • priority to public and internal servers
  • Enforce Strong Passwords
    • long, mixed-character passwords
    • periodic changes
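The “Enforce Strong Passwords” item above is the one on this list that maps directly onto code. The checker below is an added example written for this transcript (not from the slides, Symantec, or the course): it implements the “long, mixed-character” rule as a length check, a count of character classes, a limit on repeated characters and a small blocklist of common passwords. The thresholds, the blocklist contents and all function names are assumptions chosen for illustration, not a published standard.

```python
# Added example (not from the slides): a password policy checker for the
# "long, mixed-character passwords" rule. Thresholds and the blocklist are
# assumptions for illustration; a real deployment would load a breached-
# password list instead of the five entries below.

import string
from typing import List

MIN_LENGTH = 12        # assumed minimum length
MIN_CLASSES = 3        # assumed: at least 3 of the 4 character classes
MAX_REPEAT_RUN = 3     # assumed: no character repeated more than 3 times in a row

# Constructed blocklist of common passwords (lower-case, no digit/symbol suffix).
BLOCKLIST = {"password", "123456", "qwerty", "letmein", "welcome"}

CHAR_CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation),
}


def character_classes(password: str) -> List[str]:
    """Names of the character classes present in the password, in CHAR_CLASSES order."""
    return [name for name, chars in CHAR_CLASSES.items() if any(c in chars for c in password)]


def longest_run(password: str) -> int:
    """Length of the longest run of one character repeated consecutively."""
    best = run = 0
    prev = None
    for c in password:
        run = run + 1 if c == prev else 1
        best = max(best, run)
        prev = c
    return best


def password_violations(password: str) -> List[str]:
    """Return the policy rules the password violates; an empty list means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(character_classes(password)) < MIN_CLASSES:
        problems.append(f"fewer than {MIN_CLASSES} character classes")
    if longest_run(password) > MAX_REPEAT_RUN:
        problems.append(f"a character repeated more than {MAX_REPEAT_RUN} times in a row")
    # Blocklist check is case-insensitive and ignores trailing digits/symbols,
    # so "Password123!" is still recognised as "password".
    core = password.lower().rstrip(string.digits + string.punctuation)
    if password.lower() in BLOCKLIST or core in BLOCKLIST:
        problems.append("in the blocklist of common passwords")
    return problems


def is_acceptable(password: str) -> bool:
    """True when the password violates none of the rules."""
    return not password_violations(password)


if __name__ == "__main__":
    for candidate in ["Ab1!", "Password123!", "aaaaaaaaaaaaaaaa", "Tr0ub4dor&3-correct"]:
        print(f"{candidate!r}: {password_violations(candidate) or 'ok'}")
```

Returning the full list of violations rather than a single boolean lets the login or enrollment form tell the user exactly which rule failed, which is the “educate & convince users” practice from the earlier slide applied at the point where it matters.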

Economic Drawbacks
  • Ordinary users don’t care much about security (they care more about fancy features)
  • First mover advantage
    • Ship the product now; get it right by v3 (e.g., Microsoft IE)
  • Asymmetric information
    • There is no easy way to tell a good security product from a bad one
    • which pulls prices & quality down

Economic Drawbacks (of lesser significance)
  • Differentiated pricing
    • To keep low-cost alternatives poorer in quality (on purpose)
    • any security-product applications?
  • Network effects
    • The number of users determines the value of the product
    • E.g., telephone, fax, the Internet, eBay, etc.
    • Security: not-so-tight security helps attract developers & users (any practical cases?)

Legal Drawbacks
  • Who is liable (in addition to the attacker)?
    • the faulty software manufacturer?
    • the attack origin ISP?
    • the victim’s system administrator?
    • the network operators?
  • Involved parties can help to reduce the potential of an attack, but don’t have much incentive to do so.

Other Drawbacks
  • Lack of information sharing
    • Market forces discourage revealing past incidents (for consumer confidence)
    • e.g., Citibank, 1995 (“Don’t publicize”)
    • Result: No reliable information or estimates (Sol’n attempt: CERTs, “Center for Internet Security”)
  • Position of the interior
    • Attacker has the initiative of when & where to hit
  • Potential Solution (partial):
    • UL model, pushed by the insurance industry (may solve the problem of product evaluation)
    • Limitation: Hard to evaluate software security

Detection, Response, Risk Management
  • Prevention alone is not sufficient. Detection & response mechanisms are also needed.
    • (E.g., no door lock alone can prevent burglaries)
  • Risk management
    • Risks will always be with us; it’s important to know how to manage them.
  • Every security system must answer:
    • Defense against what kind of adversary, with what resources?
    • What is the potential loss?
