The Economic Impact of Cyber Attacks
The Global Picture (Chapter 9)
NEW: Final Project deadline: December 7, 2013, 2:00 am
Risk Assessment
RISK: the intersection of Threats, Vulnerabilities, and Consequences (a threat exploiting a vulnerability produces a consequence)
Risk Management Framework (Business Context)
Understand Business Context
Identify Business and Technical Risks
Synthesize and Rank Risks
Define Risk Mitigation Strategy
Carry Out Fixes and Validate
Measurement and Reporting
Allocating Resources
Limited resources
Acceptable level of risk
Tie technical risk to business risk
Making a Business Case
Description of the problem
List of possible solutions
Constraints on solving the problem
List of underlying assumptions
Analysis of each alternative, including risks, costs, and benefits
Summary of why the proposed investment is good
Influences on Cyber Security Investment Strategy
Regulatory requirements
Network history or IT staff knowledge
Client requirements
Results of internal or external audit
Response to current events
Response to compromised internal security
Reaction to external mandate or request
Determining Economic Value
Many different ways to determine value:
Internal rate of return (IRR)
Return on investment (ROI)
Net present value (NPV)
Investment analysis: the best way to allocate capital and human resources
Accounting measures are inappropriate for evaluating information security investments
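As an added worked example (not code from the lecture or from Pfleeger), the Python below carries out the "synthesize and rank risks" step of the framework above by scoring each risk as likelihood times consequence, and then values one mitigation of the top-ranked risk with the three measures listed on this slide: NPV, IRR (found by bisection on the NPV function) and ROI. Every risk name, likelihood, loss figure, cost, the 80% risk-reduction factor and the 10% discount rate are constructed sample values chosen for illustration.

```python
"""Rank risks by expected loss and value a mitigation with NPV, IRR and ROI.

Added illustration of the lecture's risk framework and economic-value
measures; not code from the lecture or from Pfleeger. All likelihoods,
loss figures, costs and the discount rate are constructed sample numbers.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    annual_likelihood: float  # assumed probability of a successful attack per year
    consequence: float        # assumed loss per successful attack (currency units)

    @property
    def expected_annual_loss(self) -> float:
        # Risk as threat likelihood x consequence, reduced to one number so
        # that different risks can be compared and ranked.
        return self.annual_likelihood * self.consequence


# Constructed sample risks (names and figures are illustrative only).
SAMPLE_RISKS = (
    Risk("ransomware on file server", 0.20, 500_000.0),
    Risk("phishing credential theft", 0.50, 60_000.0),
    Risk("SQL injection in web app", 0.10, 400_000.0),
)


def rank_risks(risks):
    """'Synthesize and rank risks': largest expected annual loss first."""
    return sorted(risks, key=lambda r: r.expected_annual_loss, reverse=True)


def mitigation_cash_flows(risk, risk_reduction, upfront_cost, annual_cost, years):
    """Cash flows of a control: the up-front cost now (index 0), then the
    avoided loss minus the running cost in each of the following years."""
    avoided = risk.expected_annual_loss * risk_reduction
    return [-upfront_cost] + [avoided - annual_cost] * years


def npv(rate, cash_flows):
    """Net present value; cash_flows[0] is undiscounted, year t is divided by (1+rate)^t."""
    return sum(cf / (1.0 + rate) ** t for t, cf in enumerate(cash_flows))


def irr(cash_flows, lo=-0.99, hi=10.0, tol=1e-7):
    """Internal rate of return: the rate at which NPV is zero, found by bisection.

    Returns None when NPV has the same sign at both ends of [lo, hi], e.g. when
    every cash flow is negative, so no rate makes the investment break even.
    """
    f_lo = npv(lo, cash_flows)
    if f_lo * npv(hi, cash_flows) > 0:
        return None
    while hi - lo > tol:
        mid = (lo + hi) / 2.0
        f_mid = npv(mid, cash_flows)
        if f_lo * f_mid <= 0:   # the sign change lies in [lo, mid]
            hi = mid
        else:                   # the sign change lies in [mid, hi]
            lo, f_lo = mid, f_mid
    return (lo + hi) / 2.0


def roi(cash_flows):
    """Return on investment: net gain over the life of the control divided
    by the initial outlay."""
    invested = -cash_flows[0]
    return (sum(cash_flows[1:]) - invested) / invested


# Assumed control for the top-ranked risk: offline backups that cut the
# ransomware loss by 80%, costing 120k up front and 20k per year for 3 years.
BACKUP_CONTROL_FLOWS = mitigation_cash_flows(SAMPLE_RISKS[0], 0.8, 120_000.0, 20_000.0, 3)


if __name__ == "__main__":
    for r in rank_risks(SAMPLE_RISKS):
        print(f"{r.name:28s} expected annual loss = {r.expected_annual_loss:10,.0f}")
    print("cash flows:", BACKUP_CONTROL_FLOWS)
    print(f"NPV at 10%: {npv(0.10, BACKUP_CONTROL_FLOWS):,.0f}")
    print(f"IRR: {irr(BACKUP_CONTROL_FLOWS):.1%}")
    print(f"ROI: {roi(BACKUP_CONTROL_FLOWS):.0%}")
```

The ranking puts the ransomware risk first even though phishing is the most likely event, because ranking is by likelihood times consequence rather than by likelihood alone; the backup control then shows a positive NPV at a 10% hurdle rate, an IRR of about 23%, and a 50% ROI over three years. Swapping in a higher discount rate or a shorter lifetime is how the "acceptable level of risk" and "limited resources" constraints from the earlier slides enter the calculation.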
Quantifying Security
Difficult problem, not fully understood
Limited historical data to estimate likelihood
Attacks that are possible but haven't happened yet
Threat estimation uses:
Number and types of assets needing protection
Number and types of vulnerabilities that exist in a system
Number and types of likely threats to a system
Data to be Protected
National and global data
Enterprise data
Technology data
Social vulnerability
Real Cost of Cyber Attack
Damage to the target may not reflect the real amount of damage
Other services may rely on the attacked service, causing cascading and escalating damage
Need: support for decision makers to evaluate the risk and consequences of cyber attacks, and methods to prevent, deter, and mitigate the consequences of attacks
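To make the cascading-damage point concrete, here is an added example (not code from the lecture) that walks a constructed service-dependency graph to find every service that transitively depends on an attacked one, and compares the direct outage cost of the target with the cost of the whole cascade. The service names, dependency edges and hourly loss figures are all assumed sample data.

```python
"""Cascading cost of an attack through service dependencies.

Added illustration of the point that damage to the attacked service alone
understates the real loss; not code from the lecture. The service graph and
hourly loss figures below are constructed sample data.
"""
from collections import deque

# Constructed: service -> services that consume it directly (its dependents).
DEPENDENTS = {
    "identity-provider": {"payroll", "customer-portal", "vpn"},
    "vpn": {"remote-admin"},
    "customer-portal": {"order-entry"},
    "order-entry": {"warehouse"},
    "payroll": set(),
    "remote-admin": set(),
    "warehouse": set(),
}

# Constructed: loss per hour while each service is unavailable.
HOURLY_LOSS = {
    "identity-provider": 500.0,
    "vpn": 200.0,
    "customer-portal": 3_000.0,
    "order-entry": 4_000.0,
    "warehouse": 2_500.0,
    "payroll": 800.0,
    "remote-admin": 300.0,
}


def affected_services(target, dependents):
    """Every service that transitively depends on target, target included.

    Breadth-first search with a visited set, so cyclic dependencies
    (A needs B, B needs A) terminate instead of looping forever.
    """
    seen = {target}
    queue = deque([target])
    while queue:
        svc = queue.popleft()
        for consumer in dependents.get(svc, ()):
            if consumer not in seen:
                seen.add(consumer)
                queue.append(consumer)
    return seen


def outage_cost(target, hours, dependents=DEPENDENTS, hourly_loss=HOURLY_LOSS):
    """Return (direct_loss, cascade_loss) for an outage lasting `hours`:
    what the target alone costs versus the whole set of knocked-out services."""
    direct = hourly_loss[target] * hours
    cascade = sum(hourly_loss[s] * hours for s in affected_services(target, dependents))
    return direct, cascade


def rank_by_cascade(hours, dependents=DEPENDENTS, hourly_loss=HOURLY_LOSS):
    """Services ordered by total cascade cost, worst first: the list a decision
    maker needs when choosing what to protect, as opposed to direct loss alone."""
    return sorted(
        ((outage_cost(s, hours, dependents, hourly_loss)[1], s) for s in hourly_loss),
        reverse=True,
    )


if __name__ == "__main__":
    for svc in ("identity-provider", "customer-portal", "vpn"):
        direct, cascade = outage_cost(svc, 4)
        print(f"{svc:18s} 4h outage: direct {direct:8,.0f}  cascade {cascade:8,.0f}")
    print("worst targets by cascade cost:", rank_by_cascade(1)[:3])
```

In this sample graph the identity provider has one of the smallest direct hourly losses but the largest cascade, since every other service sits downstream of it; ranking by direct loss alone would rate it below the customer portal. That gap between the two numbers is exactly what the slide means by damage to the target not reflecting the real damage.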
Legal and Ethical Issues in Computer Security
CSCE 522 - Farkas
Pfleeger: Chapter 11
Law and Computer Security
International, national, state, and city laws: affect privacy and secrecy
Laws: regulate the use, development, and ownership of data and programs
Laws: affect actions that can be taken to protect the secrecy, integrity, and availability of computing resources
Lack of Legislation
Reactive procedures
Improper acts not addressed
Lack of technical expertise of legal personnel
Protection of Computer Systems
Protecting computing systems against criminals
Protecting code and data
Protecting programmers' and employers' rights
Protecting users of programs
Protecting Programs and Data
Copyright
Patents
Trade secrets
Protection for computer objects
Copyrights
Protect the expression of ideas
1978: U.S. copyright law
Updated in 1998: Digital Millennium Copyright Act (DMCA), which deals with computers and other electronic media
Gives the copyright holder the exclusive right to make copies of the expression and sell them to the public
Simple procedure to register copyright
U.S. copyright expires 70 years after the death of the last surviving author
Intellectual Property
Copyright does not cover the idea being expressed
Applies to original work, which must be fixed in some tangible medium of expression
Originality of work!
Fair Use
The purchaser has the right to use the product in the manner for which it was intended and in a way that does not interfere with the author's rights.
Piracy
First sale
Copyright infringement
Copyright for Digital Objects
Digital Millennium Copyright Act
Digital objects can be copyrighted
It is a crime to circumvent or disable anti-piracy functionality
It is a crime to manufacture, sell, or distribute devices that disable anti-piracy functionality or that copy digital objects
Exempt: when used for educational and research purposes
It is legal to make a backup to protect against loss
Libraries can make three backups
Patent
What can be patented?
http://www.freepatentsonline.com/crazy.html
https://patentimages.storage.googleapis.com/pages/US4344424-1.png
Patents
Protect inventions: results of science, technology, and engineering
Requirement of novelty: truly novel and unique; only one patent for a given invention
Non-obvious
U.S. Patent and Trademark Office: registers the patent
Patent attorney: verifies that the invention has not already been patented and identifies similar inventions
Patent Infringement
Copyright: the holder can decide which violations to prosecute
Patent: all violations must be prosecuted or the patent can be lost
Suing for patent infringement may cause the patent owner to lose the patent. The infringer may argue that:
This isn't infringement (different inventions)
The patent is invalid (a prior infringement was not opposed)
The invention is not novel
The infringer invented the object first
Trade Secret
Information that gives one company a competitive edge over the others
Must always be kept secret
If someone obtains it improperly, the owner can recover profits, damages, lost revenues, and legal costs
Reverse engineering! A trade secret gives no protection once it is discovered legitimately, for example by reverse engineering the product
Protection of Computer Objects
Look at Table 11-1 on page 660 to compare copyright, patent, and trade secret
Protecting hardware, firmware, object code software, source code software, documentation, web content, domain names, etc.
Computer Crime
Least clear area of law in computing; a separate category for computer crime
No access to the physical object: is it a serious crime?
Rules of evidence: how to prove authenticity?
Threats to integrity and confidentiality: how to measure loss of privacy?
Value of data: how to measure it?
Why Is Computer Crime Hard to Prosecute?
Lack of understanding
Lack of physical evidence
Lack of recognition of assets
Lack of political impact
Complexity of the case
Age of the defendant
Laws for Computer Crime
U.S. Computer Fraud and Abuse Act
U.S. Economic Espionage Act
U.S. Electronic Fund Transfer Act
U.S. Freedom of Information Act
U.S. Privacy Act
U.S. Electronic Communications Privacy Act
HIPAA
USA PATRIOT Act
CAN-SPAM Act
Ethical Issues
Ethic: an objectively defined standard of right and wrong
Ultimately, each person is responsible for deciding what to do in a specific situation
Ethical positions can and often do come into conflict
Ethics vs. Law

Law                              | Ethics
---------------------------------|-------------------------------------------------------------
Formal, written document         | Unwritten principles
Interpreted by courts            | Interpreted by each individual
Established by legislatures      | Presented by philosophers, religious and professional groups
Applicable to everyone           | Personal choice
Priority decided by court        | Priority determined by individual
Court makes final decision       | No external decision maker
Enforceable by police and courts | Limited enforcement
It is a Risky World
Reading List
Pfleeger: Chapter 8
Vulnerabilities
Security objectives:
Prevent attacks
Detect attacks
Recover from attacks
Attacks exploit weaknesses in information systems
Need: find the weaknesses
Identifying and Eliminating Weaknesses
I. Vulnerability monitoring
II. Secure system development
III. User training and awareness
IV. Avoiding single points of failure
I. Keeping up with Security Publications
Legitimate publications (how to remove vulnerabilities): CERT advisories, SANS Security Digest
Hacker publications: "how to" exploit known vulnerabilities
Security mailing lists
II. Building Secure Systems
1960s: the US Department of Defense (DoD) recognizes the risk of unsecured information systems
1981: National Computer Security Center (NCSC) established at the NSA
DoD Trusted Computer System Evaluation Criteria (TCSEC), known as the Orange Book
II. Orange Book
Orange Book objectives:
Guidance on what security features to build into new products
Provide a measurement to evaluate the security of systems
Basis for specifying security requirements
Security features and assurances
Trusted Computing Base (TCB): the security components of the system
II. Orange Book Levels
Highest security
A1: Verified Protection
B3: Security Domains
B2: Structured Protection
B1: Labeled Security Protection
C2: Controlled Access Protection
C1: Discretionary Security Protection
D: Minimal Protection
No security
II. Orange Book Classes
C1, C2: simple enhancement of existing systems. Does not break applications.
B1: relatively simple enhancement of an existing system. May break some applications.
B2: major enhancement of existing systems. Will break many applications.
B3: failed A1
A1: top-down design and implementation of a new system from scratch.
(from lecture notes of Jajodia, http:www.ise.gmu.edu)
II. NCSC Rainbow Series
Orange: Trusted Computer System Evaluation Criteria
Yellow: Guidance for applying the Orange Book
Red: Trusted Network Interpretation
Lavender: Trusted Database Interpretation
II. European Criteria
German Information Security Agency: German Green Book (1988)
British Department of Trade and Industry and Ministry of Defence: several volumes of criteria
Canada, Australia, France: work on evaluation criteria
1991: Information Technology Security Evaluation Criteria (ITSEC)
For the European Community
Decoupled features from assurance
Introduced new functionality requirement classes
Accommodated commercial security requirements
II. United States
January 1996: Common Criteria
Joint work with Canada and Europe
Separates functionality from assurance
Nine classes of functionality: audit, communications, user data protection, identification and authentication, privacy, protection of trusted functions, resource utilization, establishing user sessions, and trusted path.
Seven classes of assurance: configuration management, delivery and operation, development, guidance documents, life cycle support, tests, and vulnerability assessment.
II. Common Criteria
Evaluation Assurance Levels (EAL):
EAL1: functionally tested
EAL2: structurally tested
EAL3: methodologically tested and checked
EAL4: methodologically designed, tested and reviewed
EAL5: semi-formally designed and tested
EAL6: semi-formally verified design and tested
EAL7: formally verified design and tested
II. National Information Assurance Partnership (NIAP)
1997: National Institute of Standards and Technology (NIST), National Security Agency (NSA), and industry
Aims to improve the efficiency of evaluation
Transfer methodologies and techniques to private sector laboratories
Functions: developing tests, test methods, and tools for evaluating and improving security products; developing protection profiles and associated tests; establishing a formal and international scheme for CC.
Next Class
Current issues and future trends
Class discussion