Reliability and Security
Post on 21-Dec-2015
Security
• How big a problem is security?
• Perfect security is unattainable
• Security in the context of a socio-technical system
• Disaster planning
• Security is a process, not a product
Internet Security
What’s different about the Internet and computerized attacks?
• Complexity
• Automation
• Action at a distance
• Propagation of techniques
• Class breaks
Is IT Security a Technical Problem?
• Socio-technical systems view of IT security
  – Technical system includes hardware, software, networks, data
  – Social system includes people, processes, organization, work design, objectives
  – Socio-technical solution is the best total solution; it may not optimize either the social or the technical solution on its own
Is IT Security a Technical Problem?
• Schneier – security is provided within a context.
  – An asset is secured from a particular type of attack from a particular type of attacker
  – Assets and attacks exist in contexts
  – Context (especially the social part) matters more than technology
Types of Attack
What’s the same
• Theft
• Embezzlement
• Vandalism
• Exploitation
• Fraud
• Extortion
• Threat of harm
• Privacy violations
Attack Types
• Schneier’s classification
  – Criminal attacks
  – Privacy violations
  – Publicity attacks
• By attacker motive
  – Financial or other gain
  – To damage others
  – Privacy violations
Gain Motivated Attacks
• Fraud
• Intellectual Property Theft
• Identity Theft
• Brand Theft
• Publicity Attacks
Privacy Violations
• Stalking
• Surveillance
• Databases
• Traffic Analysis
• Broad Scale Electronic Monitoring
Attacks aimed at damaging others
• Denial-of-Service attacks
• Defacing web sites
• Viruses and their ilk
Adversaries
Those classified as criminals
• Hackers
• Lone Criminals
• Malicious Insiders
• Organized Crime
• Terrorists
Adversaries
Those with claims of legitimacy
• Industrial spies
• The press
• The police
• National Intelligence Organizations
• Infowarriors
Phishing
Antiphishing.org
Microsoft Vulnerabilities
• Sharp increase in attacks on Windows-based PCs in 1st half of 2004
  – 1,237 new vulnerabilities, or 48/week
• Increase in number of bot networks
  – 30,000, up from 2,000 in the previous 6 months
• Increase in percent of e-commerce attacks from 4% to 16%
• 450% increase in new Windows viruses – 4,496
Chapter 6 Figure 6-6
Normal and DoS Handshakes
Normal Handshake (Web user’s PC and Website server)
  SYN: User’s PC says “hello”
  ACK-SYN: Server says “Do you want to talk”
  ACK: User’s PC says “Yes, let’s talk”
DoS Handshake (Web user’s PC and Website server)
  SYN: User’s PC says “hello” repeatedly
  ACK-SYN: Server says “Do you want to talk” repeatedly
  No Response: User’s PC waits for server to “timeout”
Source: Austin, Robert D. "The iPremier Company (A), (B), and (C): Denial of Service Attack." Harvard Business School Teaching Note 602-033.
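The figure leaves the server-side state implicit. The following toy model is an added example (not code from the slides or from the iPremier teaching note): it keeps the server's table of half-open connections so that the difference between a completed handshake and a SYN that never receives its ACK shows up as measurable state. `BACKLOG_LIMIT`, `HALF_OPEN_TIMEOUT` and the sample client addresses are assumed values chosen for the illustration.

```python
"""Toy model of the two handshakes in Figure 6-6.

Added example: this is not code from the slides or from the iPremier teaching
note. It keeps the server-side state that the figure leaves implicit (the table
of half-open connections) so the effect of a SYN that never gets its ACK can be
measured. BACKLOG_LIMIT and HALF_OPEN_TIMEOUT are assumed values.
"""
from dataclasses import dataclass, field

BACKLOG_LIMIT = 128        # assumed: half-open entries the server will hold
HALF_OPEN_TIMEOUT = 60.0   # assumed: seconds before the server "times out" an entry


@dataclass
class ToyServer:
    half_open: dict = field(default_factory=dict)   # (client, port) -> time the SYN arrived
    established: set = field(default_factory=set)
    dropped_syns: int = 0

    def on_syn(self, client: str, port: int, now: float) -> str:
        """SYN: the client says "hello". The server replies SYN-ACK and keeps a half-open entry."""
        if len(self.half_open) >= BACKLOG_LIMIT:
            self.dropped_syns += 1          # backlog full: this client gets no reply at all
            return "DROP"
        self.half_open[(client, port)] = now
        return "SYN-ACK"

    def on_ack(self, client: str, port: int) -> bool:
        """ACK: the client says "yes, let's talk". The entry becomes an established connection."""
        if self.half_open.pop((client, port), None) is None:
            return False                    # no matching half-open entry
        self.established.add((client, port))
        return True

    def expire(self, now: float) -> int:
        """The server "times out" entries whose ACK never came. Returns how many were freed."""
        stale = [key for key, t in self.half_open.items() if now - t >= HALF_OPEN_TIMEOUT]
        for key in stale:
            del self.half_open[key]
        return len(stale)


def normal_handshake(server: ToyServer, client: str, port: int, now: float) -> bool:
    """Left column of the figure: SYN, SYN-ACK, ACK. True when the connection is established."""
    if server.on_syn(client, port, now) != "SYN-ACK":
        return False
    return server.on_ack(client, port)


def record_unacked_syns(server: ToyServer, client: str, count: int, now: float) -> int:
    """Right column of the figure: `count` SYNs from one source, none followed by an ACK.
    Returns how many the server accepted into its half-open table."""
    accepted = 0
    for i in range(count):
        if server.on_syn(client, 40000 + i, now) == "SYN-ACK":
            accepted += 1
    return accepted


def half_open_fraction(server: ToyServer) -> float:
    """Share of the backlog held by half-open entries: the number a monitor would alert on."""
    return len(server.half_open) / BACKLOG_LIMIT


if __name__ == "__main__":
    s = ToyServer()
    print("normal handshake established:", normal_handshake(s, "10.0.0.5", 5001, now=0.0))
    print("unacked SYNs accepted:", record_unacked_syns(s, "10.0.0.9", 200, now=1.0))
    print("half-open fraction:", half_open_fraction(s))
    print("legitimate user during backlog exhaustion:", normal_handshake(s, "10.0.0.7", 5002, now=2.0))
    print("freed by timeout:", s.expire(now=1.0 + HALF_OPEN_TIMEOUT))
    print("legitimate user after timeout:", normal_handshake(s, "10.0.0.7", 5002, now=62.0))
```

The two knobs a defender controls are visible in the model: the backlog size decides how many unanswered SYNs it takes before a legitimate user is refused, and the timeout decides how long the refusal lasts once the SYNs stop. `half_open_fraction` is the metric to watch; a sustained value near 1.0 with few transitions to established is the signature of the right-hand column of the figure.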
Chapter 6 Figure 6-7
A Distributed Denial of Service Attack
Source: Austin, Robert D. "The iPremier Company (A), (B), and (C): Denial of Service Attack." Harvard Business School Teaching Note 602-033.
Figure: an Attack Leader directs Attackers 1 through 8, each of which sends traffic to the Website Server.
Attack Leader facilitates SYN floods from multiple sources.
Chapter 6 Figure 6-8
“Spoofing”
Source: Austin, Robert D. "The iPremier Company (A), (B), and (C): Denial of Service Attack." Harvard Business School Teaching Note 602-033.
Attacker address: 12345
Target address: 54321
Information packets:
              Sender Address   Destination Address
  Normal      12345            54321                 Target server correctly interprets sender address
  “Spoofing”  90817            54321                 Target server incorrectly interprets sender address
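The figure shows that the target reads the sender address straight off the packet and, on its own, cannot tell 90817 from 12345. The usual defence is applied at the network edge rather than at the target: a packet arriving from outside cannot legitimately claim an inside sender, and an inside host cannot legitimately send with an outside one. The following ingress/egress check is an added example, not code from the slides or the teaching note; it replaces the figure's five-digit labels with IP addresses, and the address blocks, interface names and sample packets are all constructed for the illustration.

```python
"""Ingress/egress anti-spoofing check for the situation in Figure 6-8.

Added example, not from the slides or the iPremier teaching note. IP addresses
replace the figure's five-digit labels; the address blocks, interface names and
sample packets are constructed for this example.
"""
import ipaddress

# Assumed: the blocks this site owns ("inside"). Everything else is outside.
INSIDE_PREFIXES = [ipaddress.ip_network("192.0.2.0/24")]

# Source ranges that never legitimately arrive from the Internet.
BOGON_PREFIXES = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def in_any(addr: str, prefixes) -> bool:
    """True when addr falls inside one of the given networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in prefixes)


def ingress_verdict(packet: dict) -> str:
    """Decide ACCEPT/DROP for one packet at the edge router.

    packet = {"src": str, "dst": str, "iface": "outside" | "inside"}, where
    "iface" is the interface the packet arrived on.
    """
    src, iface = packet["src"], packet["iface"]
    if iface == "outside":
        if in_any(src, INSIDE_PREFIXES):
            return "DROP"   # claims an inside sender but came from outside: forged
        if in_any(src, BOGON_PREFIXES):
            return "DROP"   # private/loopback sources from the Internet are forged or misrouted
    elif iface == "inside":
        if not in_any(src, INSIDE_PREFIXES):
            return "DROP"   # an inside host sending with a foreign sender (egress check)
    else:
        raise ValueError(f"unknown interface {iface!r}")
    return "ACCEPT"


# Constructed sample traffic; 203.0.113.0/24 and 198.51.100.0/24 stand in for "the Internet".
SAMPLE_PACKETS = [
    {"src": "203.0.113.7",  "dst": "192.0.2.10",  "iface": "outside"},  # normal inbound
    {"src": "192.0.2.55",   "dst": "192.0.2.10",  "iface": "outside"},  # inside sender forged
    {"src": "10.1.1.1",     "dst": "192.0.2.10",  "iface": "outside"},  # bogon source
    {"src": "192.0.2.10",   "dst": "203.0.113.7", "iface": "inside"},   # normal outbound
    {"src": "198.51.100.9", "dst": "203.0.113.7", "iface": "inside"},   # outbound with forged sender
]


def filter_packets(packets) -> list:
    """Return [(src, verdict), ...] for a batch of packets."""
    return [(p["src"], ingress_verdict(p)) for p in packets]


if __name__ == "__main__":
    for src, verdict in filter_packets(SAMPLE_PACKETS):
        print(f"{src:>14}  {verdict}")
```

The check never consults the target server: it uses the one fact the edge router has and the packet cannot forge, namely which interface the packet came in on. The egress branch is the mirror image and is what stops hosts on your own network from being the 90817 in someone else's figure.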
Risk Components
• Magnitude of loss
• Likelihood of loss
• Exposure to loss
Management of Risk
• Control
• Information
• Time
Chapter 6 Figure 6-1
Five Components in Series (each 98% Available)
Component 1 (98% availability) → Component 2 (98% availability) → Component 3 (98% availability) → Component 4 (98% availability) → Component 5 (98% availability)
.98 x .98 x .98 x .98 x .98 = service availability of 90%
Source: Applegate, Lynda M., Robert D. Austin, and F. Warren McFarlan, Corporate Information Strategy and Management. Burr Ridge, IL: McGraw-Hill/Irwin, 2002.
Chapter 6 Figure 6-2
Combining Components in Series Decreases Overall Availability
Chart: Availability (0% to 100%) against Number of Components in Series (each 98% available)
Source: Applegate, Lynda M., Robert D. Austin, and F. Warren McFarlan, Corporate Information Strategy and Management. Burr Ridge, IL: McGraw-Hill/Irwin, 2002.
Chapter 6 Figure 6-3
Five Components in Parallel (each 98% Available)
Source: Applegate, Lynda M., Robert D. Austin, and F. Warren McFarlan, Corporate Information Strategy and Management. Burr Ridge, IL: McGraw-Hill/Irwin, 2002.
Chapter 6 Figure 6-4
Redundancy Increases Overall Availability
Chart: Availability (98.0% to 100.0%) against Number of Components in Parallel, 1 to 10 (each 98% available)
Source: Applegate, Lynda M., Robert D. Austin, and F. Warren McFarlan, Corporate Information Strategy and Management. Burr Ridge, IL: McGraw-Hill/Irwin, 2002.
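Figures 6-1 and 6-2 apply one rule (components in series must all be up, so availabilities multiply) and Figures 6-3 and 6-4 apply its mirror (components in parallel must all be down for the service to be down, so unavailabilities multiply). The following is an added example, not code from the slides or from Applegate, Austin and McFarlan: it computes both curves for any component count and per-component availability, and goes one step beyond the figures by evaluating a nested layout such as five stages in series where each stage is a redundant pair. Function names and the nested-layout notation are this example's own.

```python
"""Availability arithmetic behind Figures 6-1 to 6-4.

Added example, not from the slides or from Applegate, Austin and McFarlan.
Series: everything must work, so availabilities multiply. Parallel: everything
must fail for the service to fail, so unavailabilities multiply. The
`availability` function generalises this to any nested series/parallel layout.
"""


def series_availability(a: float, n: int) -> float:
    """n components in series, each available with probability a: a ** n (Figure 6-1)."""
    return a ** n


def parallel_availability(a: float, n: int) -> float:
    """n redundant components in parallel: 1 - (1 - a) ** n (Figure 6-3)."""
    return 1.0 - (1.0 - a) ** n


def availability(system) -> float:
    """Evaluate a nested layout.

    A leaf is a float (one component's availability). ("series", [...]) and
    ("parallel", [...]) combine sub-systems, which may themselves be nested.
    """
    if isinstance(system, (int, float)):
        return float(system)
    kind, parts = system
    subs = [availability(p) for p in parts]
    if kind == "series":
        up = 1.0
        for s in subs:
            up *= s                 # everything must work
        return up
    if kind == "parallel":
        down = 1.0
        for s in subs:
            down *= (1.0 - s)       # everything must fail
        return 1.0 - down
    raise ValueError(f"unknown combinator {kind!r}")


def parallel_copies_for_target(a: float, target: float) -> int:
    """Smallest number of parallel copies of an a-available component that reaches target."""
    if not 0.0 < a < 1.0 or not 0.0 <= target < 1.0:
        raise ValueError("a must be in (0, 1) and target in [0, 1)")
    n = 1
    while parallel_availability(a, n) < target:
        n += 1
    return n


def series_curve(a: float, max_n: int) -> list:
    """The data behind Figure 6-2: (n, availability) for 1..max_n components in series."""
    return [(n, series_availability(a, n)) for n in range(1, max_n + 1)]


if __name__ == "__main__":
    print("5 in series  :", round(series_availability(0.98, 5), 4))   # 0.9039, the 90% of Figure 6-1
    print("5 in parallel:", parallel_availability(0.98, 5))
    print("copies for 99.99%:", parallel_copies_for_target(0.98, 0.9999))
    # five stages in series, each stage a redundant pair
    layout = ("series", [("parallel", [0.98, 0.98])] * 5)
    print("5 redundant pairs in series:", round(availability(layout), 4))
```

The nested evaluator is the part practitioners actually need: real services are chains of stages, and the question is where a redundant pair buys the most. Running the layout above shows that duplicating each 98% stage lifts the five-stage chain from about 90% to about 99.8%.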
Miscellaneous Defensive Measures
• Security policies
• Firewalls
• Intrusion detection
• Encryption
• Authentication
Liability Argument
• Who should be held liable?
  – Software vendors, e.g. Microsoft
  – Network owner, e.g. ISP (Comcast)
  – Person who wrote the attack tool
  – Person who used the attack tool
  – The public
• The ATM example
Three Steps to Improving IT Security
1) Enforce liability
2) Permit parties to transfer liability
3) Provide mechanisms to reduce risk