Reliability and Security - PowerPoint PPT Presentation

Title: Reliability and Security
Slides: 28
Provided by: Tom4150

Transcript and Presenter's Notes

1
Reliability and Security
2
Security
  • How big a problem is security?
  • Perfect security is unattainable
  • Security in the context of a socio-technical
    system
  • Disaster planning
  • Security is a process, not a product

3
Internet Security
  • What's different about the Internet and
    computerized attacks?
  • Complexity
  • Automation
  • Action at a distance
  • Propagation of techniques
  • Class breaks

4
Is IT Security a Technical Problem?
  • Socio-technical systems view of IT security
  • Technical system includes hardware, software,
    networks, data
  • Social system includes people, processes,
    organization, work design, objectives
  • The socio-technical solution is the best total
    solution; it may not optimize either the social or
    the technical part on its own

5
Is IT Security a Technical Problem?
  • Schneier: security is provided within a context.
  • An asset is secured against a particular type of
    attack by a particular type of attacker
  • Assets and attacks exist in contexts
  • Context (especially the social part) matters more
    than technology

6
Types of Attack
  • What's the same
  • Theft
  • Embezzlement
  • Vandalism
  • Exploitation
  • Fraud
  • Extortion
  • Threat of harm
  • Privacy violations

7
Attack Types
  • Schneier's classification
  • Criminal attacks
  • Privacy violations
  • Publicity attacks
  • By attacker motive
  • Financial or other gain
  • To damage others
  • Privacy violations

8
Gain Motivated Attacks
  • Fraud
  • Intellectual Property Theft
  • Identity Theft
  • Brand Theft
  • Publicity Attacks

9
Privacy Violations
  • Stalking
  • Surveillance
  • Databases
  • Traffic Analysis
  • Broad Scale Electronic Monitoring

10
Attacks aimed at damaging others
  • Denial-of-Service attacks
  • Defacing web sites
  • Viruses and their ilk

11
Adversaries
  • Those classified as criminals
  • Hackers
  • Lone Criminals
  • Malicious Insiders
  • Organized Crime
  • Terrorists

12
Adversaries
  • Those with claims of legitimacy
  • Industrial spies
  • The press
  • The police
  • National Intelligence Organizations
  • Infowarriors

13
Phishing
14
Antiphishing.org
15
Microsoft Vulnerabilities
  • Sharp increase in attacks on Windows-based PCs in
    1st half of 2004
  • 1,237 new vulnerabilities, or 48/week
  • Increase in number of bot networks:
    30,000, up from 2,000 in the previous 6 months
  • Increase in percent of e-commerce attacks from 4%
    to 16%
  • 450% increase in new Windows viruses (4,496)

16-18
(No Transcript)
19
Risk Components
  • Magnitude of loss
  • Likelihood of loss
  • Exposure to loss

20
Management of Risk
  • Control
  • Information
  • Time

21-24
(No Transcript)
25
Miscellaneous Defensive Measures
  • Security policies
  • Firewalls
  • Intrusion detection
  • Encryption
  • Authentication

26
Liability Argument
  • Who should be held liable?
  • Software vendors, e.g. Microsoft
  • Network owner, e.g. ISP (Comcast)
  • Person who wrote the attack tool
  • Person who used the attack tool
  • The public
  • The ATM example

27
Three Steps to Improving IT Security
  1. Enforce liability
  2. Permit parties to transfer liability
  3. Provide mechanisms to reduce risk