The Economic Impact of Cyber Attacks
The Global Picture
Chapter 10.4
NEW: Final Project deadline: December 7, 2:00 am, 2013
Risk Assessment
RISK: the combination of
  - Threats
  - Vulnerabilities
  - Consequences
Risk Management Framework (Business Context)
1. Understand Business Context
2. Identify Business and Technical Risks
3. Synthesize and Rank Risks
4. Define Risk Mitigation Strategy
5. Carry Out Fixes and Validate
Measurement and Reporting (spans all stages)
Allocating Resources
Limited resources
Acceptable level of risk
Tie technical risk to business risk
Making a Business Case
Description of the problem
List of possible solutions
Constraints on solving the problem
List of underlying assumptions
Analysis of each alternative, including risks, costs, and benefits
Summary of why the proposed investment is good
Influences on Cyber Security Investment Strategy
Regulatory requirements
Network history or IT staff knowledge
Client requirements
Results of internal or external audit
Response to current events
Response to compromised internal security
Reaction to external mandate or request
Determining Economic Value
Many different ways to determine value:
  - Internal rate of return
  - Return on investment
  - Net present value
Investment analysis: best way to allocate capital and human resources
Accounting measures are inappropriate for evaluating information security investments
Quantifying Security
Difficult problem:
  - Not fully understood
  - Limited historical data to estimate likelihood
  - Attacks that are possible but haven't happened
Threat estimation uses:
  - Number and types of assets needing protection
  - Number and types of vulnerabilities that exist in a system
  - Number and types of likely threats to a system
Data to be Protected
National and global data
Enterprise data
Technology data
Social vulnerability
Real Cost of Cyber Attack
Damage to the target may not reflect the real amount of damage
Services may rely on the attacked service, causing cascading and escalating damage
Need: support for decision makers to
  - Evaluate risk and consequences of cyber attacks
  - Support methods to prevent, deter, and mitigate consequences of attacks
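As an added illustration of why damage at the target understates the real cost (example code written for this page, not part of the slides), the following Python walks a constructed service-dependency map and compares the direct loss at the attacked service with the loss across everything that depends on it; all service names, edges and loss figures are made-up sample data.

```python
# Added example (not from the slides): estimating the real cost of an attack
# when other services depend on the service that was hit. Service names,
# dependency edges and loss figures are constructed sample data.
from collections import deque

# Constructed dependency map: each key depends on every service in its value set.
DEPENDS_ON = {
    "auth": set(),
    "ledger": set(),
    "payments": {"auth", "ledger"},
    "storefront": {"auth", "payments"},
    "reporting": {"ledger"},
}

# Constructed hourly loss (currency units) while each service is unavailable.
HOURLY_LOSS = {"auth": 500, "ledger": 800, "payments": 4000,
               "storefront": 6000, "reporting": 300}


def affected_services(target, depends_on):
    """Return the set of services taken down transitively by an outage of target."""
    # Invert the map so we can walk from a service to everything that needs it.
    dependents = {svc: set() for svc in depends_on}
    for svc, deps in depends_on.items():
        for dep in deps:
            dependents[dep].add(svc)
    seen, queue = {target}, deque([target])
    while queue:                      # breadth-first walk over the dependents
        for nxt in dependents[queue.popleft()]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def attack_cost(target, hours, depends_on=DEPENDS_ON, hourly_loss=HOURLY_LOSS):
    """Return (direct loss at the target, total loss across the cascade)."""
    direct = hourly_loss[target] * hours
    total = sum(hourly_loss[s] for s in affected_services(target, depends_on)) * hours
    return direct, total


if __name__ == "__main__":
    # A cheap-looking service (auth) turns out to carry the largest cascade.
    for svc in DEPENDS_ON:
        direct, total = attack_cost(svc, hours=4)
        print(f"{svc:11s} direct={direct:6d} cascade={total:6d} x{total / direct:.1f}")
```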
Legal and Ethical Issues in Computer Security
Chapter 11 (Pfleeger: Chapter 11)
13 - Farkas
CSCE 522
Law and Computer Security
International, national, state, and city laws: affect privacy and secrecy
Laws: regulate the use, development, and ownership of data and programs
Laws: affect actions that can be taken to protect the secrecy, integrity, and availability of computing resources
Lack of Legislation
Reactive procedures
Improper acts not addressed
Lack of technical expertise of legal personnel
Protection of Computer Systems
Protecting computing systems against criminals
Protecting code and data
Protecting programmers' and employers' rights
Protecting users of programs
Protecting Programs and Data
Copyright
Patents
Trade secrets
Protection for computer objects
Copyrights
- Protect the expression of ideas
- 1978: U.S. copyright law
  - Updated in 1998: Digital Millennium Copyright Act (DMCA) – deals with computers and other electronic media
- Give the copyright holder the exclusive right to make copies of the expression and sell them to the public
- Simple procedure to register copyright
- U.S. copyright expires 70 years beyond the death of last surviving holder
Intellectual Property
Copyright
  - Does not cover the idea being expressed
  - Applies to original work and it must be in some tangible medium of expression
Originality of work!
Fair Use
The purchaser has the right to use the product in the manner for which it was intended and in a way that does not interfere with the author's right.
Piracy
First sale
Copyright infringement
Copyright for Digital Objects
Digital Millennium Copyright Act
Digital objects can be copyrighted
  - It is a crime to circumvent or disable anti-piracy functionality
  - It is a crime to manufacture, sell, or distribute devices that disable anti-piracy functionality or that copy digital objects
Exempt: when used for educational and research purposes
It is legal to make a backup to protect against loss
  - Libraries can make three backups
Patent
What can be patented?
http://www.freepatentsonline.com/crazy.html
https://patentimages.storage.googleapis.com/pages/US4344424-1.png
Patents
Protects inventions – results of science, technology, and engineering
Requirement of novelty
  - Truly novel and unique → only one patent for a given invention
  - Non-obvious
U.S. Patent and Trademark Office: register patent
Patent attorney: verifies that the invention has not been patented and identifies similar inventions
Patent Infringement
Copyright: holder can decide which violations to prosecute
Patent: all violations must be prosecuted or the patent can be lost
Suing for patent infringement may cause the patent owner to lose the patent. Infringer may argue that:
  - This isn't infringement (different inventions)
  - The patent is invalid (a prior infringement was not opposed)
  - The invention is not novel
  - The infringer invented the object first
Trade Secret
Information that gives one company a competitive edge over the others
Must always be kept secret
If someone obtains it improperly, the owner can recover:
  - Profits
  - Damages
  - Lost revenues
  - Legal cost
Reverse Engineering!
Protection of Computer Objects
Look at Table 11-1 on page 660 to compare copyright, patent, and trade secret
Protecting hardware, firmware, object code software, source code software, documentation, web content, domain names, etc.
Computer Crime
Least clear area of law in computing
Separate category for computer crime
  - No access to the physical object → Is it a serious crime?
  - Rules of evidence → How to prove the authenticity?
  - Threats to integrity and confidentiality → How to measure loss of privacy?
  - Value of data → How to measure it?
Why is Computer Crime Hard to Prosecute?
Lack of understanding
Lack of physical evidence
Lack of recognition of assets
Lack of political impact
Complexity of case
Age of defendant
Laws for Computer Crime
- U.S. Computer Fraud and Abuse Act
- U.S. Economic Espionage Act
- U.S. Electronic Fund Transfer Act
- U.S. Freedom of Information Act
- U.S. Privacy Act
- U.S. Electronic Communication Privacy Act
- HIPAA
- USA Patriot Act
- CAN SPAM Act
Ethical Issues
Ethic: objectively defined standard of right and wrong
Ultimately, each person is responsible for deciding what to do in a specific situation
Ethical positions can and often do come into conflict
Ethics vs. Law
Law                              | Ethics
Formal, written document         | Unwritten principles
Interpreted by courts            | Interpreted by each individual
Established by legislatures      | Presented by philosophers, religious, professional groups
Applicable to everyone           | Personal choice
Priority decided by court        | Priority determined by individual
Court makes final decision       | No external decision maker
Enforceable by police and courts | Limited enforcement
It is a Risky World
Reading List
Pfleeger: Chapter 8
Vulnerabilities
Security objectives:
  - Prevent attacks
  - Detect attacks
  - Recover from attacks
Attacks: against weaknesses in the information systems
Need: find weaknesses
Identifying and Eliminating Weaknesses
I. Vulnerability monitoring
II. Secure system development
III. User training and awareness
IV. Avoiding single point of failure
I. Keeping up with Security Publications
Legal publications: how to remove vulnerabilities
  - CERT advisories
  - SANS Security Digest
Hacker publications: "how to" exploit known vulnerabilities
Security mailing lists
II. Building Secure Systems
1960s: US Department of Defense (DoD) risk of unsecured information systems
1981: National Computer Security Center (NCSC) at the NSA
  - DoD Trusted Computer System Evaluation Criteria (TCSEC) == Orange Book
II. Orange Book
Orange Book objectives:
  - Guidance of what security features to build into new products
  - Provide measurement to evaluate security of systems
  - Basis for specifying security requirements
Security features and Assurances
Trusted Computing Base (TCB): security components of the system
II. Orange Book Levels
Highest Security
  A1  Verified Protection
  B3  Security Domains
  B2  Structured Protection
  B1  Labeled Security Protection
  C2  Controlled Access Protection
  C1  Discretionary Security Protection
  D   Minimal Protection
No Security
II. Orange Book Classes
C1, C2: simple enhancement of existing systems. Does not break applications.
B1: relatively simple enhancement of existing system. May break some of the applications.
B2: major enhancement of existing systems. Will break many applications.
B3: failed A1
A1: top-down design and implementation of a new system from scratch.
(from lecture notes of Jajodia, http://www.ise.gmu.edu)
II. NCSC Rainbow Series
Orange: Trusted Computer System Evaluation Criteria
Yellow: Guidance for applying the Orange Book
Red: Trusted Network Interpretation
Lavender: Trusted Database Interpretation
II. European Criteria
- German Information Security Agency: German Green Book (1988)
- British Department of Trade and Industry and Ministry of Defense: several volumes of criteria
- Canada, Australia, France: works on evaluation criteria
- 1991: Information Technology Security Evaluation Criteria (ITSEC)
  - For European community
  - Decoupled features from assurance
  - Introduced new functionality requirement classes
  - Accommodated commercial security requirements
II. United States
January 1996: Common Criteria
Joint work with Canada and Europe
  - Separates functionality from assurance
  - Nine classes of functionality: audit, communications, user data protection, identification and authentication, privacy, protection of trusted functions, resource utilization, establishing user sessions, and trusted path.
  - Seven classes of assurance: configuration management, delivery and operation, development, guidance documents, life cycle support, tests, and vulnerability assessment.
II. Common Criteria
Evaluation Assurance Levels (EAL)
  - EAL1: functionally tested
  - EAL2: structurally tested
  - EAL3: methodologically tested and checked
  - EAL4: methodologically designed, tested and reviewed
  - EAL5: semi-formally designed and tested
  - EAL6: semi-formally verified and tested
  - EAL7: formally verified design and tested
II. National Information Assurance Partnership (NIAP)
- 1997: National Institute of Standards and Technology (NIST), National Security Agency (NSA), and Industry
- Aims to improve the efficiency of evaluation
- Transfer methodologies and techniques to private sector laboratories
- Functions: developing tests, test methods, tools for evaluating and improving security products, developing protection profiles and associated tests, establish formal and international schema for CC.
Next Class
Current issues and future trends
  - Class discussion