Introduction to Information Security
PowerPoint Presentation
Outline
Terminology
What is secure?
Why Worry?
Three Common Failures
The Challenge
How do we get there?
Understanding Security
Psychological Acceptability
Patches
Slide 13
Quality as a Market Problem
What can we do?
Security Planning
Planning Your Security Needs
Critical Concerns for Various Industries?
Risk Assessment
Risk Assessment Step 1: Identify Assets
Risk Assessment Step 2: Identify Threats
Risk Assessment Step 3: Quantify Threats
Cost Benefit Analysis
Creating Policy
The Role of Policy
Policy Example
Standards
Example: Standard for Backups
Guidelines
Keys to Developing Policy
Goals for Security Policies
How to Attain the Goals?
Security Policy Content
Response Policy
Four Easy Steps to a More Secure Computer
Threat Categories
Attack Methods
Security Services - 1
Security Services - 2
Slide 40
User Anxiety & Perceptions
Internet Privacy Policies
TRUSTe

Introduction to Information Security
Annie I. Antón
College of Engineering
{[email protected]}
NC STATE UNIVERSITY

Outline
Terminology
Brief Introduction
Security Planning
Creating a Security Policy
Threats, Attacks & Services
Internet Privacy Policies

Terminology
“A computer is secure if you can depend on it and its software to behave as you expect.”
‘Trust describes our level of confidence that a computer system will behave as expected.’
[Garfinkel & Spafford]

What is secure?
Does not disclose information
Does not allow unauthorized access
Does not allow unauthorized change
Maintains QoS despite input and load
Preserves audit, authenticity, control
No surprises!
[Spafford]

Why Worry?
Information has value
– when combined
– when altered
– when disclosed
Resource use has value
– unauthorized use
– denial of service
Damage to reputation
– damage to your personal reputation
– damage to your group
– damage to your company
Your system is not alone
– other machines on the network
– shared resources and files
– indirect liability
[Spafford]

Three Common Failures
Organization has no formal policy. Thus, personnel cannot consistently make necessary decisions.
Organization has no reasonable response plans for violations, incidents, and disasters.
Plans don’t work when needed because they haven’t been regularly tested, updated, and rehearsed. (E.g., failure of operational security)
[Spafford]

The Challenge
Without assurance that our systems will stay secure, we endanger our economies, our privacy, our personal safety and privacy, and our social institutions.
[Spafford]

How do we get there?
Understand the needs of the users
– Narrow focus better than broad
Understand basic tenets of security
– Paucity of programs and experts
Capture requirements for design and validation
Design with care using good tools and methods
Validate & Verify
[Spafford]

Understanding Security
Good security means
– Limiting what happens
– Limiting who can make it happen
– Limiting how it happens
– Limiting who can change the system
Users don’t tolerate limits unless there is a paradigm shift
– E.g., Palm computers
[Spafford]

Psychological Acceptability
Easy to use
– Should be as easy to use as to not use
False alarms should be avoided
Frequent changes and updates are bad
Should not require great expertise to get correct
…Doesn’t match user population
[Spafford]

Patches
Fixes for flaws that require an expert to install are not a good fix.
Fixes that break something else are not a good fix.
Frequent fixes may be ignored.
Goal should be design, not patch
[Spafford]

Source: Securityfocus.com
About 30% are buffer overflows or unchecked data
Over 90% are coding/design flaws.
[Spafford]

Quality as a Market Problem
Good software engineers and security designers are scarce
Productivity of coders varies:
– Top 10% are at least 10x more productive than average coder.
– Organizations should invest in raising skill level.
That takes time and money, so there is a disincentive to improving quality
[Spafford]

What can we do?
Understand that there is no “average user”
Understand balance between features and security
Employ better testing
Manage complexity and change
Build in security from the start
Understand policy differences.
[Spafford]

Security Planning
Security needs planning
Risk assessment
Cost-benefit analysis
Creating policies to reflect your needs
Implementation
Audit and incident response
[Garfinkel & Spafford]

Planning Your Security Needs
Confidentiality
Data Integrity
Availability
Consistency
Control
Audit
[Garfinkel & Spafford]

Critical Concerns for Various Industries?
Banking environment?
National defense-related system that processes classified information?
University?
eCommerce?

Risk Assessment
Three questions to answer:
– What am I trying to protect?
– What do I need to protect against?
– How much time, effort and money am I willing to expend to obtain adequate protection?
Three key steps:
– Identify assets
– Identify threats
– Calculate risks
[Garfinkel & Spafford]

Risk Assessment Step 1: Identify Assets
Tangibles
– Computers, disk drives, proprietary data, backups and archives, manuals, printouts, commercial software distribution media, communications equipment & wiring, personnel records, audit records
Intangibles
– Safety & health of personnel, privacy of users, personnel passwords, public image & reputation, customer/client goodwill, processing availability, configuration information
[Garfinkel & Spafford]

Risk Assessment Step 2: Identify Threats
Illness of key people
Loss of key personnel
Loss of phone/network services
Loss of utilities (phone, water, electricity) for a short or prolonged time
Lightning or flood
Theft of disks, tapes, key person’s laptop or home computer
Introduction of a virus
Computer vendor bankruptcy
Bugs in software
Subverted employees or 3rd party personnel
Labor unrest
Political terrorism
Random “hackers”
[Garfinkel & Spafford]

Risk Assessment Step 3: Quantify Threats
Estimate likelihood of each threat occurring
If an event happens on a regular basis, you can estimate based on your records
Other sources:
– Power company: official estimate of likelihood for power outage during coming year
– Insurance company: actuarial data on probabilities of death of key personnel based on age & health
– Etc.
Example: Earthquake once in 100 years (1% of your list) vs. discovery of 3 serious bugs in sendmail during next year (300%)
[Garfinkel & Spafford]

Cost Benefit