what does secure mean?

Download What does secure mean?

Post on 06-Jan-2016

41 views

Category:

Documents

1 download

Embed Size (px)

DESCRIPTION

What does secure mean?. You have been assigned a task of finding a cloud provider who can provide a secure environment for the launch of a new web application. What does secure imply?. Vulnerabilities, Threats & Controls. What is a vulnerability? What is a threat? What is a control?. - PowerPoint PPT Presentation

TRANSCRIPT

  • What does secure mean?You have been assigned a task of finding a cloud provider who can provide a secure environment for the launch of a new web application.What does secure imply?

  • What is a vulnerability?What is a threat?What is a control? Vulnerabilities, Threats & Controls

  • Vulnerabilities, Threats & ControlsA vulnerability is a weakness in a systemAllows a threat to cause harm.A threat is a potential negative harmful occurrenceEarthquake, worm, virus, hackers.A control/Safeguard is a protective measureReduce risk to protect an asset.

  • Vulnerabilities, Threats & ControlsVulnerability = a weakness in a systemAllows a threat to cause harmThreat = a potential negative harmful occurrenceEarthquake, worm, virus, hackers.Control/Safeguard = a protective measureReduce risk to protect an asset.

  • Figure 1-1Threats, Controls, and Vulnerabilities.

  • Goals of SecurityWhat are the 3 goals of security?

  • CIA Triad*ConfidentialityIntegrityAvailabilityInformation SecurityNote: From Information Security Illuminated(p.3), by Solomon and Chapple, 2005, Sudbury, MA: Jones and Bartlett.Information kept must be available only to authorized individualsUnauthorized changes must be preventedAuthorized users must have access to their information for legitimate purposes

  • Threats**ConfidentialityIntegrityAvailabilityInformation SecurityNote: From Information Security Illuminated(p.5), by Solomon and Chapple, 2005, Sudbury, MA: Jones and Bartlett.DisclosureAlterationDenialLive Chat 4

  • Goals of SecurityWhat are the 3 goals of security?

  • Figure 1-3Relationship Between Confidentiality, Integrity, and Availability.Secure

  • CIA Triad

  • ThreatsWhat types of threats were discussed by the book?Hint: defined by their impact.

  • ThreatsInterception: gained access to an asset.Wireless network, hacked system, etc.Impacts confidentiality.InterruptionUnavailability, reduced availability.ModificationTamper with data, impacts integrity.FabricationSpurious transactions, impacts integrity.

  • Figure 1-2System Security Threats.

  • Figure 1-4 Vulnerabilities of Computing Systems.

  • Figure 1-5Security of Data.

  • Attacker NeedsWhat 3 things must an attacker have?

  • An Attacker Must Have:Method: skills, knowledge, tools.Capability to conduct an attackOpportunity: time and access to accomplish attackMotive: a reason to want to attack

  • Software VulnerabilitiesDefine some different types.There are many to chose from.

  • Software VulnerabilitiesLogic Bomb: employee modification.Trojan Horse: Overtly does one thing and another covertly.Virus: malware which requires a carrierTrapdoor: secret entry points.Information Leak: makes information accessible to unauthorized people.Worm: malware that self-propagates.

  • CriminalsDefine different types of computer criminals and their motive or motives?

  • Computer CriminalsScript Kiddies: AmateursCrackers/Malicious Hackers: Black HatsCareer Criminals: botnets, bank thefts.Terrorists: local and remote.Hacktivists: politically motivatedInsiders: employeesPhishers/Spear Phishers

  • MotivesFinancial gain: make money.Competitive advantage: steal information.Curiosity: test skills.Political: achieve a political goal.Cause Harm/damage: reputation or financialVendetta/Disgruntled: fired employees.

  • Risk What are the different ways a company can deal with risk?

  • How to deal with RiskAccept it: cheaper to leave it unprotected.Mitigate it: lowering the risk to an acceptable level e.g. (laptop encryption).Transfer it: insurance model.Avoid it: sometimes it is better not to do something that creates a great risk.Book lists alternatives.

  • ControlsEncryption: confidentiality, integrityVPN, SSH, Hashes, data at rest, laptops.Software: operating system, development.Hardware: Firewall, locks, IDS, 2-factor.Policies and Procedures: password changesPhysical: gates, guards, site planning.

  • Types of ControlsPreventive: prevent actions.Detective: notice & alert.Corrective: correcting a damaged system.Recovery: restore functionality after incident.Deterrent: deter users from performing actions.Compensating: compensate for weakness in another control.

  • Figure 1-6Multiple Controls.

  • PrinciplesEasiest Penetration: attackers use any means available to attack.Adequate Protection: protect computers/data until they lose their value.Effectiveness: controls must be used properly to be effective. Efficiency key.Weakest Link: only as strong as weakest link.

    Confidentiality: authorized access, Integrity : accurate unmodified consistent, Availability: get when needed. Security implies trust.*Vulnerability = weakness Threat = potential negative harmful occurrence, Control = protective measure

    *Vulnerability = weakness Threat = potential negative harmful occurrence, Control = protective measure*Flood is Threat, Crack is vulnerability, finger is the control*Confidentiality: authorized access, Integrity : accurate unmodified consistent, Availability: get when needed.***Confidentiality: authorized access, Integrity : accurate unmodified consistent, Availability: get when needed.*Combine all 3 equally and get a secure environment*CIA Triad, Note as we move away from Disclosure we move towards confidentiality, etc. Reference: CISSP Study Guide by Conrad, Misenar, Feldman.*Interception, interruption, Modification, Fabrication

    *Interception, interruption, Modification, Fabrication*Confidentiality protect access, Integrity: protect change, Availability keep accessible*Method (skill), opportunity, motive

    *bomb, trojans, virus, trapdoor, information leak, worm

    *Script kiddies, crackers, professional criminals, hacktivists, terrorist, phishers, insiders*70% of attacks internal? Still relevant?*CISSP ways to deal with risk, accept, mitigate, transfer, avoid. Book: prevent it, deter it, deflect it, detect it, recover

    *CISSP ways to deal with risk. Book: prevent it by fixing vulnerability, deter it making it harder, deflect it by making other targets more attractive, detect it as it happens, recover from its effects.Reference: Conrad, E., Misenar, S., Feldman, J. (2010) CISSP Study Guide

    *Encrypt data at rest and communication channels. Policies must be easy to follow and understandable.*Reference: Conrad, E., Misenar, S., Feldman, J. (2010) CISSP Study Guide

    *Defense in Depth. Is it still valuable? Attackers now leverage email, social engineering, viruses to get inside access.*4 principles mentioned in chapter 1.*