CSC 386 – Computer Security. Scott Heggen. Agenda: Security Management


Upload: winifred-byrd

Post on 27-Dec-2015


CSC 386 – Computer Security

Scott Heggen


Agenda

• Security Management


Security Management

• What goes in a security policy?

• Examples: http://www.sans.org/security-resources/policies


Security Management

• Scenario 1:

– Company XYZ is a new company devoted to developing a social networking platform

– The company will house their own servers which will provide its users with content

– The company will have an in-house IT team to manage their networks, but connect their servers to the Internet through the local ISP

– There will be three main teams working in the company: Administrators (CEOs, HR, Financial, etc.), Developers (software engineers, electrical engineers, graphic designers, etc.), and IT (network engineers, network operations experts, customer service)

– They expect their software to serve at least one million users in the next five years


Measuring Security

• Once a policy is in place, how do you know if it’s working?

• How do you quantify “secure”?


Security Management

• Scenario 2:

– You are a contractor for the U.S. government who develops missile control modules

– You have regular communications with 3 other government contractor companies regarding the integration of your modules with their parts of the system


Risk and Threat Analysis


• Identify the assets valuable to your company

• Identify the threats that exist to each asset

• Determine the impact a threat can potentially have on an asset

• Monitor your assets for vulnerabilities

• Prepare for attacks


Risk and Threat Analysis

Risk = Assets x Threats x Vulnerabilities

Trivial – Important – Critical

Very unlikely – Likely

Fix when convenient – Fix now!


Risk Analysis

• Scenario 1 revisited:

– Company XYZ is a new company devoted to developing a social networking platform

– The company will use cloud-based servers to host content (revised from: house their own servers which will provide its users with content)

– The company will have an in-house IT team to manage their networks, but connect their servers to the Internet through the local ISP

– There will be three main teams working in the company: Administrators (CEOs, HR, Financial, etc.), Developers (software engineers, electrical engineers, graphic designers, etc.), and IT (network engineers, network operations experts, customer service)

– They expect their software to serve at least one million users in the next five years


Risk Mitigation

• Now have a prioritized list of risks/threats

• Can develop countermeasures to mitigate those risks

• Remember, this is an on-going process; IT is constantly changing!


Next Class

• Due:

– Have a good weekend

• Agenda:

– Foundations of Computer Security (Chapter 3 of your text)