
Lecture 1 Intro to Computer Security

COMPUTER SECURITY CIT4020
UNIT 1: INTRODUCTION TO COMPUTER SECURITY
OBJECTIVES
• Overview of Computer Security in 2020
• What is Computer Security?
• Goals and Types of Computer Security
• Potential Loss due to security breaches
• Recent Data Breaches and attacks
OVERVIEW OF COMPUTER SECURITY
• Data breaches are on the rise, costing organizations
around the world millions of dollars in revenue.
• Security in 2021 is NO JOKE.
WHAT IS COMPUTER SECURITY?
Computer Security
• Measures and controls that ensure confidentiality, integrity, and availability of information
system assets including hardware, software, firmware, and information being processed,
stored, and communicated.
• Confidentiality, Integrity, and Availability are the three pillars on which Computer Security is
built, and together they are popularly known as the CIA Triad.
GOALS OF COMPUTER SECURITY
• Confidentiality - a set of rules that limits access to information.
o Cryptography, Encryption, Physical or Virtual Isolation, and Background
Checks are some methods used to ensure confidentiality.
• Integrity - the assurance that the information is trustworthy and
accurate.
o One type of security attack is to intercept some important data and
make changes to it before sending it on to the intended receiver.
o Hashing can be used to ensure data integrity
• Availability - a guarantee of reliable access to the information by
authorized people.
o Some types of security attack attempt to deny access to the
appropriate user, either for the sake of inconveniencing them, or
because there is some secondary effect.
o Server Clustering, Load Balancing, RAID, Hot Spare, and Cloud can
be used to ensure availability.
TYPES OF COMPUTER SECURITY
There are several types of Computer Security:
• Access control
• Hardware / Software
• Email
• Database
• Cloud
• IoT /Mobile
• Web
• Wireless
POTENTIAL LOSS DUE TO SECURITY BREACHES
RECENT DATA BREACHES AND ATTACKS
Microsoft
• January 22, 2020: A customer support database holding over 280 million Microsoft customer records was left
unprotected on the web. Microsoft’s exposed database disclosed email addresses, IP addresses, and support
case details. Microsoft says the database did not include any other personal information.
Zoom
• April 14, 2020: The credentials of over 500,000 Zoom teleconferencing accounts were found for sale on the dark
web and hacker forums for as little as $.02. Email addresses, passwords, personal meeting URLs, and host keys
are said to be collected through a credential stuffing attack.
FireEye
• December 8, 2020: One of the world’s largest security firms, FireEye, disclosed an unauthorized third-party actor
accessed their networks and stole the company’s hacking software tools. The highly sophisticated hacker also
attempted to search and gather information related to the company’s government customers.
RISK MANAGEMENT
• Risk Management - The process of identifying risk, as represented by
vulnerabilities, to an organization’s information assets and infrastructure, and
taking steps to reduce this risk to an acceptable level.
• Risk management involves three major undertakings:
o Risk identification is the examination and documentation of the security posture of an
organization’s information technology and the risks it faces.
o Risk assessment is the determination of the extent to which the organization’s information
assets are exposed or at risk.
o Risk control is the application of controls to reduce the risks to an organization’s data and
information systems.
RISK MANAGEMENT PROCESS
The Risk Management Process consists of the following six (6) steps:
1. Identify Assets – ex. Hardware / Software, Information, Inventory, Website, System Services
2. Identify Threats for each asset – Ex. Buffer Overflow Attack, SQL injection on a website, hard drive
failure, theft
3. Analyze Impact – Loss of revenue or business opportunity, loss of money and time due to cost to fix,
loss of production
4. Prioritize (Triage) Threats – Threats must be prioritized based on impact and probability of occurring
so that the more serious threats are dealt with first.
5. Identify Mitigation Techniques - Ex. Firewall, RAID, Server Clustering, Encryption, Access Control
6. Evaluate Residual Risks – Re-evaluate the assets and identify any threats that may still be present
TYPES OF RISK ASSESSMENTS
There are two types of Risk Analysis, namely:
1. Qualitative
o Involves assigning a value based on a scale to the threat to ascertain its likelihood and consequence
i.e. uses a scale to determine the seriousness of a given threat
o With Qualitative Risk Analysis the risk and mitigation techniques are determined without calculating
the dollar value of the loss.
Risk = Probability (Likelihood) * Loss (Impact)
2. Quantitative
o Involves calculating the dollar figure associated with each risk
o With Quantitative Risk Analysis we need to calculate the dollar amounts for each risk and determine
what the impact of the threat will be to the asset.
QUALITATIVE VS QUANTITATIVE RISK ASSESSMENT
QUALITATIVE ASSESSMENT
Risk Matrix
• A Risk Matrix is a matrix that is used during a risk assessment to define the level of risk by considering
the category of probability or likelihood against the category of consequence severity.
• We begin by identifying the various threats to the organization and then create tables for the Probability
and Impact.
• Appropriate scales are chosen to describe the events, and values are assigned.
• These two tables will later merge into the matrix for further analysis.
QUALITATIVE RISK ASSESSMENT
• Create a table of the Probability using a predefined scale or a custom scale
QUALITATIVE RISK ASSESSMENT
• Create a table of the Impact using a predefined scale or a custom scale
QUALITATIVE RISK ASSESSMENT - RISK MATRIX
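Added example (not from the lecture slides): a Probability table and an Impact table merged into a qualitative risk matrix, then used to triage a threat list so the most serious threats are dealt with first (step 4 of the Risk Management Process). The scales, band thresholds and threat register are constructed for illustration; the lecture's own tables were not reproduced in the text.

```python
# Added example, not from the lecture: qualitative risk matrix and triage.
# Scales, thresholds and threats below are constructed for illustration.

# Probability (likelihood) scale: label -> ordinal value 1..5 (constructed)
PROBABILITY = {"Rare": 1, "Unlikely": 2, "Possible": 3, "Likely": 4, "Almost certain": 5}

# Impact (consequence severity) scale: label -> ordinal value 1..5 (constructed)
IMPACT = {"Negligible": 1, "Minor": 2, "Moderate": 3, "Major": 4, "Severe": 5}


def risk_score(probability: str, impact: str) -> int:
    """Qualitative Risk = Probability * Impact on the ordinal scales (1..25)."""
    return PROBABILITY[probability] * IMPACT[impact]


def risk_level(score: int) -> str:
    """Map a matrix cell to a band; the thresholds are a constructed convention."""
    if score >= 15:
        return "High"
    if score >= 8:
        return "Medium"
    return "Low"


def build_matrix() -> dict:
    """Merge the two tables into the matrix: (probability, impact) -> level."""
    return {(p, i): risk_level(risk_score(p, i)) for p in PROBABILITY for i in IMPACT}


def triage(threats: list) -> list:
    """Order (name, probability, impact) threats so the most serious come first."""
    scored = [(name, risk_score(p, i), risk_level(risk_score(p, i))) for name, p, i in threats]
    return sorted(scored, key=lambda t: t[1], reverse=True)


# Constructed threat register for the e-commerce site used in the lecture
THREATS = [
    ("SQL injection on website", "Likely", "Severe"),
    ("Web server hard drive failure", "Possible", "Major"),
    ("Laptop theft", "Unlikely", "Moderate"),
    ("Buffer overflow in legacy service", "Rare", "Major"),
]

if __name__ == "__main__":
    for name, score, level in triage(THREATS):
        print(f"{level:6} {score:2}  {name}")
```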
QUANTITATIVE RISK ASSESSMENT
Calculating Risk
• Exposure Factor (EF) - percentage of the asset’s value that you expect to lose if the threat
occurs.
• Single Loss Expectancy (SLE) - how much money the company will lose each time the threat
occurs.
SLE = Value ($) * Exposure Factor (EF)
• Annual Rate of Occurrence (ARO) - how many times per year the loss will occur.
• Annual Loss Expectancy (ALE) - a measure of how much money the company will lose per year
with each threat.
ALE = SLE * ARO
QUANTITATIVE RISK ASSESSMENT
• An ecommerce website has a value of $200,000 and each time the web server has a hard drive failure, you lose 8%
of the asset value. What would be the single loss expectancy? What would be the annual loss expectancy if this
threat occurs three (3) times a year? What if the hard drive fails once every five (5) years; what would be the annual
loss expectancy?
Solution
• SLE = Value * EF(%)
= $200,000 * 0.08
= $16,000
• ALE = SLE * ARO
= $16,000 * 3 = $48,000
• Once every five years:
ALE = $16,000 * 1/5
= $3,200
CALCULATING RISK REDUCTION - ROI
Let's say that the hard drive in the web server hosting the ecommerce site goes down 6 times in a
year, each time it goes down the company loses $60,000, and the cost to replace the hard drive
is $24,000.
What would be the return on the investment (ROI) if the reduction in probability of the risk
occurrence with implemented control is 82%?
Solution:
• Annual Rate of Occurrence (ARO) = 6 times per year
• Expected monetary loss for a single event (SLE) = $60,000
• Cost of control = $24,000
• Reduction in probability of the risk occurrence with implemented control is 82%
CALCULATING RISK REDUCTION - ROI
• Reduction in Risk ($) = Annualized rate of occurrence * Expected monetary loss for a single
event * Reduction in probability of occurrence with implemented control
= 6 * $60,000 * .82 = $295,200
• [Please note: The implemented control would not stop risk from occurring but it would reduce
the amount of money you would lose if it occurred]
• ROI = (Reduction in Risk ($) – Cost of Control) / Cost of Control
= ($295,200 - $24,000) / $24,000 = $271,200 / $24,000
= 11.3
• Savings per year = 11.3 * $24,000 = $271,200
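Added example (not from the lecture slides): the quantitative model SLE = Value * EF, ALE = SLE * ARO and the ROI of a control, carried through both worked problems above. It also computes the ALE with the control in place, which shows that the Reduction in Risk ($) equals the drop in ALE; the function and parameter names are my own.

```python
# Added example, not from the lecture: SLE, ALE and control ROI functions
# applied to the two worked problems. Names are this example's own.


def sle(asset_value: float, exposure_factor: float) -> float:
    """Single Loss Expectancy: money lost each time the threat occurs."""
    return asset_value * exposure_factor


def ale(single_loss: float, aro: float) -> float:
    """Annual Loss Expectancy; ARO may be fractional (once in 5 years = 0.2)."""
    return single_loss * aro


def risk_reduction(aro: float, single_loss: float, reduction: float) -> float:
    """Reduction in Risk ($) = ARO * SLE * reduction in probability with control."""
    return aro * single_loss * reduction


def control_roi(aro: float, single_loss: float, reduction: float, cost: float) -> float:
    """ROI = (Reduction in Risk ($) - Cost of Control) / Cost of Control."""
    return (risk_reduction(aro, single_loss, reduction) - cost) / cost


def hard_drive_example() -> dict:
    """E-commerce site worth $200,000, 8% of value lost per hard drive failure."""
    single = sle(200_000, 0.08)
    return {
        "SLE": single,
        "ALE_3_per_year": ale(single, 3),
        "ALE_once_in_5_years": ale(single, 1 / 5),
    }


def roi_example() -> dict:
    """6 failures/year, $60,000 each, $24,000 control, 82% reduction in probability."""
    aro, single, reduction, cost = 6, 60_000, 0.82, 24_000
    before = ale(single, aro)                    # ALE with no control
    after = ale(single, aro * (1 - reduction))   # ALE with the control in place
    return {
        "ALE_before": before,
        "ALE_after": after,
        "reduction_in_risk": before - after,     # same as ARO * SLE * 0.82
        "ROI": round(control_roi(aro, single, reduction, cost), 1),
    }


if __name__ == "__main__":
    print(hard_drive_example())
    print(roi_example())
```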
RISK CONTROL STRATEGIES