what does secure mean?
Post on 06-Jan-2016
Embed Size (px)
DESCRIPTIONWhat does secure mean?. You have been assigned a task of finding a cloud provider who can provide a secure environment for the launch of a new web application. What does secure imply?. Vulnerabilities, Threats & Controls. What is a vulnerability? What is a threat? What is a control?. - PowerPoint PPT Presentation
What does secure mean?You have been assigned a task of finding a cloud provider who can provide a secure environment for the launch of a new web application.What does secure imply?
What is a vulnerability?What is a threat?What is a control? Vulnerabilities, Threats & Controls
Vulnerabilities, Threats & ControlsA vulnerability is a weakness in a systemAllows a threat to cause harm.A threat is a potential negative harmful occurrenceEarthquake, worm, virus, hackers.A control/Safeguard is a protective measureReduce risk to protect an asset.
Vulnerabilities, Threats & ControlsVulnerability = a weakness in a systemAllows a threat to cause harmThreat = a potential negative harmful occurrenceEarthquake, worm, virus, hackers.Control/Safeguard = a protective measureReduce risk to protect an asset.
Figure 1-1Threats, Controls, and Vulnerabilities.
Goals of SecurityWhat are the 3 goals of security?
CIA Triad*ConfidentialityIntegrityAvailabilityInformation SecurityNote: From Information Security Illuminated(p.3), by Solomon and Chapple, 2005, Sudbury, MA: Jones and Bartlett.Information kept must be available only to authorized individualsUnauthorized changes must be preventedAuthorized users must have access to their information for legitimate purposes
Threats**ConfidentialityIntegrityAvailabilityInformation SecurityNote: From Information Security Illuminated(p.5), by Solomon and Chapple, 2005, Sudbury, MA: Jones and Bartlett.DisclosureAlterationDenialLive Chat 4
Goals of SecurityWhat are the 3 goals of security?
Figure 1-3Relationship Between Confidentiality, Integrity, and Availability.Secure
ThreatsWhat types of threats were discussed by the book?Hint: defined by their impact.
ThreatsInterception: gained access to an asset.Wireless network, hacked system, etc.Impacts confidentiality.InterruptionUnavailability, reduced availability.ModificationTamper with data, impacts integrity.FabricationSpurious transactions, impacts integrity.
Figure 1-2System Security Threats.
Figure 1-4 Vulnerabilities of Computing Systems.
Figure 1-5Security of Data.
Attacker NeedsWhat 3 things must an attacker have?
An Attacker Must Have:Method: skills, knowledge, tools.Capability to conduct an attackOpportunity: time and access to accomplish attackMotive: a reason to want to attack
Software VulnerabilitiesDefine some different types.There are many to chose from.
Software VulnerabilitiesLogic Bomb: employee modification.Trojan Horse: Overtly does one thing and another covertly.Virus: malware which requires a carrierTrapdoor: secret entry points.Information Leak: makes information accessible to unauthorized people.Worm: malware that self-propagates.
CriminalsDefine different types of computer criminals and their motive or motives?
Computer CriminalsScript Kiddies: AmateursCrackers/Malicious Hackers: Black HatsCareer Criminals: botnets, bank thefts.Terrorists: local and remote.Hacktivists: politically motivatedInsiders: employeesPhishers/Spear Phishers
MotivesFinancial gain: make money.Competitive advantage: steal information.Curiosity: test skills.Political: achieve a political goal.Cause Harm/damage: reputation or financialVendetta/Disgruntled: fired employees.
Risk What are the different ways a company can deal with risk?
How to deal with RiskAccept it: cheaper to leave it unprotected.Mitigate it: lowering the risk to an acceptable level e.g. (laptop encryption).Transfer it: insurance model.Avoid it: sometimes it is better not to do something that creates a great risk.Book lists alternatives.
ControlsEncryption: confidentiality, integrityVPN, SSH, Hashes, data at rest, laptops.Software: operating system, development.Hardware: Firewall, locks, IDS, 2-factor.Policies and Procedures: password changesPhysical: gates, guards, site planning.
Types of ControlsPreventive: prevent actions.Detective: notice & alert.Corrective: correcting a damaged system.Recovery: restore functionality after incident.Deterrent: deter users from performing actions.Compensating: compensate for weakness in another control.
Figure 1-6Multiple Controls.
PrinciplesEasiest Penetration: attackers use any means available to attack.Adequate Protection: protect computers/data until they lose their value.Effectiveness: controls must be used properly to be effective. Efficiency key.Weakest Link: only as strong as weakest link.
Confidentiality: authorized access, Integrity : accurate unmodified consistent, Availability: get when needed. Security implies trust.*Vulnerability = weakness Threat = potential negative harmful occurrence, Control = protective measure
*Vulnerability = weakness Threat = potential negative harmful occurrence, Control = protective measure*Flood is Threat, Crack is vulnerability, finger is the control*Confidentiality: authorized access, Integrity : accurate unmodified consistent, Availability: get when needed.***Confidentiality: authorized access, Integrity : accurate unmodified consistent, Availability: get when needed.*Combine all 3 equally and get a secure environment*CIA Triad, Note as we move away from Disclosure we move towards confidentiality, etc. Reference: CISSP Study Guide by Conrad, Misenar, Feldman.*Interception, interruption, Modification, Fabrication
*Interception, interruption, Modification, Fabrication*Confidentiality protect access, Integrity: protect change, Availability keep accessible*Method (skill), opportunity, motive
*bomb, trojans, virus, trapdoor, information leak, worm
*Script kiddies, crackers, professional criminals, hacktivists, terrorist, phishers, insiders*70% of attacks internal? Still relevant?*CISSP ways to deal with risk, accept, mitigate, transfer, avoid. Book: prevent it, deter it, deflect it, detect it, recover
*CISSP ways to deal with risk. Book: prevent it by fixing vulnerability, deter it making it harder, deflect it by making other targets more attractive, detect it as it happens, recover from its effects.Reference: Conrad, E., Misenar, S., Feldman, J. (2010) CISSP Study Guide
*Encrypt data at rest and communication channels. Policies must be easy to follow and understandable.*Reference: Conrad, E., Misenar, S., Feldman, J. (2010) CISSP Study Guide
*Defense in Depth. Is it still valuable? Attackers now leverage email, social engineering, viruses to get inside access.*4 principles mentioned in chapter 1.*