security engineering

By: Paul Anderson
March 19, 2008
Dr. Charles Shubra
Computer Science 480
Due to the large widespread use of the internet in the 1990’s introduced a new
challenge for software engineers-designing and implementing systems that were secure.
With the more and more systems were connected to the internet, a variety of different
external and internal attacks were devised to threaten these system. Security engineering is
concerned with how to develop and maintain system or its data. Security engineering is
part of the more general field of computer security. This is become a priority for
businesses and individuals as more and more criminal try to exploit network system for
illegal purpose. The majority of attacks focus on system infrastructures because the
components (e.g. web browsers) are well known and widely available. In this reaction
paper I will give an overview of the articles (On the Anatomy of Human Hacking and A
Basic Firewall Configuration Strategy for the Protection of Development- related
Computer Networks and Sub networks) and Ian Sommerville (Software Engineering
book). Then ask the questions which we weren’t able to answer at the end of class.
The first article “On the Anatomy of Human Hacking” was from Information
Security Journal: A global perspective. This article just mainly covers the area of social
engineering and how a hacker can use human manipulation to gain access to systems or its
data. This kind of hacking has impacted the technology field greatly because these
techniques are widely used to infiltrate networks using the so called “weak link” of the
group. The weak link is normally someone who is unsuspected and completely ignorant to
the security policies of the company or firm. This article also gives strategies for
developing and implementing a successful information security awareness programs. With
a policy in placed this will lower the risks of an employee being exploited in relation to
protecting the information asset.
The second article “A Basic Firewall Configuration Strategy for the Protection of
Development- related Computer Networks and Sub networks” was from the Information
Security Journal: A global perspective. While developing new software, the developers
must implement security features such as username and password, security locks, firewalls
and bio-tech. In this article they discuss how important the basic configuration of a
firewall, when it protects a network of computers. From this article they developed a case
study in which was based on four different modules containing one or more sections:
environmental, forward rules, allow ping, and post-routing rules.
Ian Sommerville’s book Software Engineering Concepts gave the general outline of
security engineering, from the security concepts to the deployment of the software. The
first step Sommerville discuss was the security concepts, such as; Asset, Exposure,
Vulnerability, Attack, Threats and Control.
A system resource that has a value and has to be protected
The possible loss or harm that could result from a successful attack
A weakness in a computer-based system that may be exploited to cause
loss or harm
An exploitation of a system’s vulnerability
Circumstances that have potential to cause loss or harm
A protective measure that reduces a system’s vulnerability
The second step which he discusses was security risk management. When developing new
software its best before deployment you test it against types of attacks which may occur.
For example, a hacker breaks in a change/corrupt data files. That is a risk which the
developers must test and make a recovery plan. There are two types of risk management:
Preliminary and Life-cycle risk assessment. After the risk management is complete the
next step is to Design for Security. The design of the software is a crucial step because
you have to think about the security of each of the components which makes up the
system. The architectural design should complement the security of the system with
consideration to protection and distribution. Sommerville gives a basic overview the
general design guidelines that have wide applicability when designing system security
solutions and which encapsulate good design for a secure system. Finally, System
Survivability is the final step to security engineering. In this step they do the intense
testing (system understanding, critical service identification, attack simulation and the
survivability analysis).
1. Why do corporations put confidential information on internet-enabled computers?
The corporations don’t really put confidential information on internet-enabled
computers. The information is stored on secure database or servers. The
computers/workstation within the network is just able to access the internet and the
data. But some corporations only give the employees the ability to access limited
or certain sites.
2. What part is easier to protect against physical or software based attacks?
Each one as its own advantages, but if I was suppose to choose, I would choose
physical. When it comes to the physical security we could place more physical
barriers, such as: cameras, locks, security clearance and etc.
3. What can be done to better secure electronic devices that we use everyday?
Many things can be done to secure our electronic devices. For example, people
could protect their physical private information (social security card, state id, bank
and credit card statements, and other information) and to be more aware of their
situation and who is around them. Overall, people just need to be more protective
of there information and who they hand it out to.
4. As technology advance do you think things like cell phones will have a security
I do think there will need to be some type of security feature will be added on to
cell phones. As technology advances the memory on the phones increase with their
ability to access the internet, there is a possibility that they can be used for denial of
service attacks.
5. Is key encryption through the use of matrices and multiplication and inverse still used
today, if so is there any advances?
Now, some software has there own algorithm which implements key encryption, so
many of them are never the same.
6. What type of privacy mechanisms are being used in security engineering?
RC5 for symmetric key encryption
RSAREF 2.0 for the public/private key encryption
7. What industries or nations still use a methodology where customers are at fault for
security failures? Do they spend more or less money on security related issues?
I’m not really certain if companies or governments blame the customers for a
security failure. Normally, the employee’s of the company would be responsible
for security failures. Companies would normally put more money into there
networks and security policy.
8. The appearance of a system as less secure than it actually is seems to be accepted as
bad because it acts like a reverse deterrence. Could this perception actually be
beneficial? In a real world example; a thief underestimates a bank’s security features
and attempts to rob a bank. In the process he sets off an alarm and is caught. His
capture reveals that he used some backdoor to the bank had not thought to protect.
Could this also be applicable to a distributed system? Possibly acting as a sort of honey
Well that type of deterrence will not work out so well because if someone have a
layout of your system or network they could possibly devise a plan which may
easily crack your defenses. Not everybody view and take a problem in the same
way. Now with your real world example is more gear towards the physical as
aspect of the bank security feature. But either way physical or data that break in
will more likely to send a message of we have to protect the information all around.
If it can be open, then there is a threat. A company may produce a false copy of
their system design, so that if someone does hack into the system they will make a
mistake (which will set off an alarm).