Information Security Rabie A. Ramadan GUC, Cairo [email protected] Room C7 -310 Lecture 2

Deployment of Sensing Devices on Critical Infrastructurerabieramadan.org/courses/infosec/Lecture 2/Lec2.pdf · HCA) values assets based on what the company actually spent for the


DAD Triad

Complement of CIA Triad

• Disclosure

• Alteration, and

• Denial


DAD Triad

Disclosure

• Unauthorized individuals gain access to confidential information

Alteration

• Data is modified through some unauthorized mechanism

Denial

• Authorized users cannot gain access to a system for legitimate purposes

DAD activities may be malicious or accidental


Network Security

Security considerations include:

• Physical security

• Operating System security

• Windows, Linux, UNIX

• Communication security

• Encryption

• Firewalls

• Intrusion detection systems

Threats, Vulnerability, Risk, and Attacks

Crossing the water to the right is a Threat to the man.

• Ex. The existence of a particular virus

Crossing the water through the wall crack is a Vulnerability.

• Ex. (Computer) Open ports

Threats, Vulnerability, Risk, and Attacks

Risk

• Occurs when a threat and a corresponding vulnerability both exist

Somebody or another system destroying the wall is an Attack.

• Ex. (Computer) Sending an overwhelming set of messages to another system to block it.

Threats, Vulnerability, Risk, and Attacks

Threats

Threats to Security

Hacker

• Anyone who attempts to penetrate the security of an information system, regardless of intent

• Early definition included anyone very proficient in computer use

Malicious insider

• Someone from within the organization who attempts to go beyond the rights and permissions that they legitimately hold

• Security professionals and system administrators are particularly dangerous

Threats to Security

Malicious code object

A computer program that carries out malicious actions when run on a system

• Virus: a program that attaches itself to a program or file so it can spread from one computer to another, leaving infections as it travels.

• Worm: a program that takes advantage of file or information transport features on your system, which allows it to travel unaided. The biggest danger with a worm is its capability to replicate itself on your system, e.g., sending itself to every address in the e-mail list on your computer.

• Trojan horse: a program that at first glance appears to be useful software but actually does damage once installed or run on your computer. It usually appears to come from a trusted source.

Threat + Vulnerability = Risk

Risk analysis, assessment, and management are required


Risk Analysis

Actions involved in risk analysis:

• Determine which assets are most valuable

• Identify risks to assets

• Determine the likelihood of each risk occurring

• Take action to manage the risk

Security professionals formalize the risk analysis process

Asset Valuation

Step 1 in risk analysis process: Asset valuation

• Identify the information assets in the organization

  • Hardware, software, and data

• Assign value to those assets using a valuation method

Asset Valuation

Common Valuation Methods

• Replacement cost valuation

  • Replacement cost (also called current cost accounting or CCA) values assets based on what it would cost to replace them if they were acquired today.

  • For example, if Utility Company were placing this same plant today, the materials would cost $530,000 and the installation would cost $56,000. The replacement cost value is $586,000.

Asset Valuation

• Original cost valuation

  • Original cost (also called historic cost accounting or HCA) values assets based on what the company actually spent for the assets when they were acquired.

  • Example: In 1990, Utility Company spent $500,000 to purchase the materials for its fixed lines and $50,000 to install them. The original cost value of these assets is $550,000 before depreciation.

Asset Valuation

• Depreciated valuation

  • Uses the original cost less an allowance for value deterioration (original value minus the drop in its price since purchase)

• Qualitative valuation

  • Assigns priorities to assets without using dollar values


Risk Assessment

Step 2 in risk analysis process: Risk assessment

Risk assessment techniques:

• Qualitative

• Quantitative

Risk Assessment

Qualitative Risk Assessment:

• Focuses on analyzing intangible properties of an asset rather than financial value

• Prioritizes risks to aid in the assignment of security resources

• Relatively easy to conduct

Risk Assessment

Quantitative Risk Assessment

• Assigns dollar values to each risk based on measures such as:

  • asset value (AV)

  • exposure factor (EF): the expected portion (%) that can be destroyed by a given risk

  • annualized rate of occurrence (ARO): the number of times you expect the risk to occur

  • single loss expectancy (SLE): the amount of damage each time the risk occurs (AV * EF)

  • annualized loss expectancy (ALE): the amount of damage each year from a given risk (ARO * SLE)

Uses potential loss amount to decide if it is worth implementing a security measure
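The quantitative measures above, as an added worked example that is not part of the original lecture: it computes SLE and ALE for two risks and goes one step beyond the slide by subtracting a safeguard's yearly cost from the ALE reduction to decide whether the measure is worth implementing. The $586,000 asset value is the replacement cost from the asset valuation slide; all other figures, names and safeguards are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Risk:
    name: str
    av: float    # asset value (AV), dollars
    ef: float    # exposure factor (EF), fraction 0..1 of the asset lost per event
    aro: float   # annualized rate of occurrence (ARO), events per year

    def __post_init__(self):
        if not 0.0 <= self.ef <= 1.0 or self.av < 0 or self.aro < 0:
            raise ValueError(f"{self.name}: EF must be in [0,1]; AV and ARO >= 0")

    @property
    def sle(self) -> float:          # single loss expectancy = AV * EF
        return self.av * self.ef

    @property
    def ale(self) -> float:          # annualized loss expectancy = ARO * SLE
        return self.aro * self.sle

@dataclass(frozen=True)
class Safeguard:                     # hypothetical control, not from the lecture
    name: str
    annual_cost: float               # yearly cost of running the control
    ef_after: float                  # EF once the control is in place
    aro_after: float                 # ARO once the control is in place

def net_benefit(risk: Risk, sg: Safeguard) -> float:
    """ALE before - ALE after - yearly cost; positive means it pays for itself."""
    residual = Risk(risk.name, risk.av, sg.ef_after, sg.aro_after)
    return risk.ale - residual.ale - sg.annual_cost

def treatment(risk: Risk, sg: Safeguard) -> str:
    # Assumed decision rule: mitigate only when the safeguard saves money.
    return "mitigate" if net_benefit(risk, sg) > 0 else "accept or transfer"

# Constructed sample register. 586_000 is the slide's replacement-cost value.
FIRE = Risk("plant fire", av=586_000, ef=0.5, aro=0.25)
OUTAGE = Risk("workstation outage", av=40_000, ef=0.25, aro=0.5)
SPRINKLERS = Safeguard("sprinklers", annual_cost=20_000, ef_after=0.125, aro_after=0.25)
SPARES = Safeguard("spare machines", annual_cost=8_000, ef_after=0.25, aro_after=0.125)

def report():
    rows = [(OUTAGE, SPARES), (FIRE, SPRINKLERS)]
    rows.sort(key=lambda r: r[0].ale, reverse=True)   # highest yearly loss first
    return [(r.name, r.sle, r.ale, net_benefit(r, s), treatment(r, s)) for r, s in rows]

if __name__ == "__main__":
    for row in report():
        print(row)
```
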

Managing Risks

Risk Avoidance

• Used when a risk overwhelms the benefits gained from having a particular mechanism available

• Avoid any possibility of risk by disabling the mechanism that is vulnerable

• Disabling e-mail is an example of risk avoidance

Risk Mitigation

• Used when a threat poses a great risk to a system

• Takes preventative measures to reduce the risk

• A firewall is an example of risk mitigation

Managing Risk

Risk Acceptance

• Do nothing to prevent or avoid the risk

• Useful when risk or potential damage is small

Risk Transference

• Ensure that someone else is liable if damage occurs

• Buy insurance for example

Combinations of the above techniques are often used


Security Tradeoffs

Security can be seen as a tradeoff between risks and benefits

• Cost of implementing the security mechanism and the amount of damage it may prevent

Tradeoff considerations:

• user convenience

• business goals

• expenses

Threats, Vulnerability, Risk, and Attacks

Attacks

Attacks

Passive Attacks

• Attempts to learn or make use of information from the system but does not affect system resources.

• Eavesdropping or monitoring of transmissions

Active Attacks

• Attempts to alter system resources or affect their operation.

Passive Attacks

Release of message contents / snooping

Passive Attacks (Cont.)

Traffic Analysis / spoofing

Passive attacks are hard to detect

Active Attacks

Masquerade

• One entity pretends to be a different entity

Active Attacks (Cont.)

Replay Attack

• Passive capture of a data unit and its subsequent retransmission to produce an unauthorized effect.

Active Attacks (Cont.)

Modification Attack

• Some portion of a legitimate message is altered, or messages are reordered, to produce an unauthorized effect
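A receiver-side check for the replay and modification attacks described above (and for masquerade, since a sender without the key cannot produce a valid tag), as an added example that is not part of the original lecture. The frame layout (8-byte sequence number, payload, HMAC-SHA256 tag), the key and the messages are constructed assumptions.

```python
import hashlib
import hmac
import struct

TAG_LEN = 32                      # HMAC-SHA256 output size in bytes
KEY = b"constructed-demo-key"     # constructed shared secret for the demo

def seal(key: bytes, seq: int, payload: bytes) -> bytes:
    """Sender side: frame = 8-byte big-endian sequence number | payload | tag."""
    body = struct.pack(">Q", seq) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()

class Receiver:
    def __init__(self, key: bytes):
        self.key = key
        self.last_seq = -1        # highest sequence number accepted so far

    def accept(self, frame: bytes) -> str:
        if len(frame) < 8 + TAG_LEN:
            return "reject: truncated"
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        # Constant-time compare; fails for altered bytes and for a wrong key.
        if not hmac.compare_digest(tag, expected):
            return "reject: bad tag"
        (seq,) = struct.unpack(">Q", body[:8])
        # The tag covers seq, so an old or out-of-order frame cannot be renumbered.
        if seq <= self.last_seq:
            return "reject: stale sequence"
        self.last_seq = seq
        return "accept"

def demo() -> list:
    rx = Receiver(KEY)
    first = seal(KEY, 0, b"pay 10 to bob")
    second = seal(KEY, 1, b"pay 5 to carol")
    altered = bytearray(seal(KEY, 2, b"pay 10 to bob"))
    altered[8 + 4] ^= 0x08        # modification in transit: '1' becomes '9'
    forged = seal(b"not-the-real-key", 3, b"pay 99 to mallory")  # masquerade
    return [
        rx.accept(first),            # genuine
        rx.accept(second),           # genuine
        rx.accept(first),            # replay of a captured frame
        rx.accept(bytes(altered)),   # modified message
        rx.accept(forged),           # sender without the key
        rx.accept(seal(KEY, 2, b"pay 10 to bob")),  # genuine, still accepted
    ]

if __name__ == "__main__":
    print(demo())
```

The strictly increasing sequence check also drops legitimate frames that arrive out of order; a protocol that must tolerate reordering would track a window of recently seen numbers instead.
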

Active Attacks (Cont.)

Denial of Service

• Prevents or inhibits the normal use or management of communications facilities