CS 4394 Information Security and Management PDF


City University of Hong Kong

Dr. Qingchuan Zhao


Summary

This document provides lecture slides from City University of Hong Kong on CS 4394 Information Security and Management. Topics covered include various aspects of cybersecurity, including types of security, and the challenges in developing secure systems.

Full Transcript


CS 4394 Information Security and Management
Introduction
Dr. Qingchuan Zhao

Portions of the slides adapted from lecture notes by Dr. L.F. Kwok, Dr. W.D. Young from UT Austin, Prof. M. Bishop from UC Davis, Prof. V. Shmatikov from CornellTech, A. Kanagala et al. from Google LLC, Prof. V. Paxson from Berkeley, and Prof. N. Li from Purdue.

Introduction: What does SECURITY mean?

What does security mean?
The term security is used in a variety of contexts.
- Personal security
- Corporate security
- Personnel security
- Energy security
- Homeland security
- Operational security
- Communication security
- Network security
- System security
What's the common thread?

What does security mean?
Something like " assets threats".
- What assets?
- What kinds of threats?

What does security mean?
Something like "protection ".
- What assets?
- What kinds of threats?
- What does "protection" mean?
- Does the nature of protection vary depending on the threat?

Security on a Personal Level
If an online retailer asks for your personal information, what protections do you want? Against what threats?
- Authentication (protection from phishing)
- Authorization
- Privacy of your data
- Integrity of your data
- Availability
- Non-repudiation
- What else?

Security on an Institutional Level
Consider the following scenarios:
- A large corporation's computer systems are penetrated and data on thousands of customers is stolen.
- A student hacks into the university registrar's system and changes his grade in several classes he has taken.
- An online retailer's website is overwhelmed by malicious traffic, making it unavailable for legitimate customer purchases.
Does this suggest how difficult it is to define security in the context of digital systems?

Meanwhile, attacks are becoming more prevalent
- Increased connectivity
- Many valuable assets online
- Low threshold to access
- Sophisticated attack tools and strategies available
- Others?
Lessons learned: security awareness
- Enhance your own protection
- Contribute to security in your workplace
- Enhance the quality and safety of interpersonal and business transactions
- Improve overall security in cyberspace

Why is cyber security hard?

More difficult than most technological problems
- Most technology-related efforts are ensuring that something good happens.
- Security is all about ensuring that bad things never happen.
- In security, not only do you have to find "bugs" that make the system behave differently than expected, you have to identify any features of the system that are susceptible to misuse and abuse, even if your programs behave exactly as you expect them to.

What bad things?
- If security is all about ensuring that bad things never happen, that means we have to know what those bad things are.
- The hardest thing about security is convincing yourself that you've thought of all possible attack scenarios, before the attacker thinks of them.
"A good attack is one that the engineers never thought of." – Bruce Schneier

Programming Satan's computer
- Unlike most technology problems, you have to defeat one or more actively malicious adversaries.
- The environment in which your program is deployed works with malice and intelligence to defeat your every effort.
- The defender has to find and eliminate all exploitable vulnerabilities. The attacker only needs to find one!

Principle of easiest penetration
- Information management systems are a complex "target-rich" environment: hardware, software, storage media, peripheral devices, data, people.
- An intruder will use any available means to subvert the security of a system.
"If one overlooks the basement windows while assessing the risks to one's house, it does not matter how many alarms are put on the doors and upstairs window." – Melissa Danforth

Security is not the only point
- Security is often an afterthought. No-one builds a digital system for the purpose of being secure. They build digital systems to do something useful.
- Security mechanisms may be viewed as a nuisance to be subverted, bypassed, or disabled.

Perfect security is impossible in any useful system
"The three golden rules to ensure computer security are: do not own a computer; do not power it on; and do not use it." - Robert H. Morris, former Chief Scientist of the National Computer Security Center (early 1980's)
"Unfortunately the only way to really protect [your computer] right now is to turn it off, disconnect it from the Internet, encase it in cement and bury it 100 feet below the ground." - Prof. Fred Chang, former director of research at NSA (2009)

If security gets in the way
- Security is meant to prevent bad things from happening; one side-effect is often to prevent useful things from happening.
- Typical tradeoffs are necessary between security and other important goals: functionality, usability, efficiency, time-to-market, and simplicity.

Some lessons learned
- Security is difficult for several reasons.
- No perfect security; always a tradeoff between security and other system goals.
"He who defends everything defends nothing." – old military adage

Security as risk management
- If perfect security is not possible, what can be done?
- Viega and McGraw (Building Secure Software) assert that software and system security really is "all about managing risk."
- Risk is the possibility that a particular threat will adversely impact an information system by exploiting a particular vulnerability.
- The assessment of risk must take into account the consequences of an exploit.

Risk management
Normally, risk management procedure includes:
- Assess assets
- Assess threats
- Assess vulnerabilities
- Assess risks
- Prioritize countermeasure options
- Make risk management decisions

Risk management: Coping with risk
Once the risk has been identified and assessed, managing the risk may involve:
- Risk acceptance: risks are tolerated by the organization. e.g., sometimes the cost of insurance is greater than the potential loss.
- Risk avoidance: not performing an activity that would incur risk. e.g., disallow remote login.
- Risk mitigation: taking actions to reduce the losses due to a risk. Most technical countermeasures fall into this category.
- Risk transfer: shift the risk to someone else. e.g., most insurance contracts, home security systems.

Risk management: Annualized loss expectancy (ALE)
- One common tool for risk assessment
- A table of possible losses, their likelihood, and potential cost for an average year

Risk management: Where should the bank spend scarce security dollars?

Loss Type            Amount         Incidence   ALE
SWIFT* fraud         $50,000,000    0.005       $250,000
ATM fraud (large)    $250,000       0.2         $50,000
ATM fraud (small)    $20,000        0.5         $10,000
Teller theft         $3,240         200         $648,000

*large scale transfer of funds

Risk management
- ALE effectively computes the "expected value" of any security expenditure.
- Is ALE the right model?

Risk management
Consider the following two scenarios:
1. I give you one dollar.
2. We flip a coin. Heads: I give you $1000. Tails: you give me $998.
Note that the expected values are the same in both cases ($1), but the risks seem quite different.

Risk management: Lessons learned
- Perfect security is impossible; realistic security is really about managing risk.
- Systematic techniques are available for assessing risk.
- Assessing risk is important, but difficult, and depends on a number of factors: technical, economic, psychological...
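The bank table and the coin-flip comparison above, worked through as an added example (not part of the original slides): it recomputes each ALE and then adds a spread figure to show what the expected value alone hides. The spread assumes incidents arrive as a Poisson process with a fixed loss per incident; that model and the function names are assumptions of this example.

```python
import math

# Loss table from the slide: (loss type, $ per incident, incidents per year).
BANK_LOSSES = [
    ("SWIFT fraud", 50_000_000, 0.005),
    ("ATM fraud (large)", 250_000, 0.2),
    ("ATM fraud (small)", 20_000, 0.5),
    ("Teller theft", 3_240, 200),
]

def ale(amount, incidence):
    """Annualized loss expectancy: loss per incident times incidents per year."""
    return amount * incidence

def annual_loss_std(amount, incidence):
    """Standard deviation of the yearly loss. ASSUMPTION of this example:
    incidents follow a Poisson process and every incident costs `amount`."""
    return amount * math.sqrt(incidence)

def risk_table(losses):
    """Rows sorted by ALE, each with the spread that the ALE column hides."""
    rows = [
        {
            "loss_type": name,
            "ale": ale(amount, incidence),
            "std": annual_loss_std(amount, incidence),
            "p_quiet_year": math.exp(-incidence),  # P(no incident this year)
        }
        for name, amount, incidence in losses
    ]
    return sorted(rows, key=lambda r: r["ale"], reverse=True)

def gamble_stats(outcomes):
    """Expected value and standard deviation of (probability, payoff) pairs."""
    mean = sum(p * x for p, x in outcomes)
    var = sum(p * (x - mean) ** 2 for p, x in outcomes)
    return mean, math.sqrt(var)

if __name__ == "__main__":
    for r in risk_table(BANK_LOSSES):
        print(f"{r['loss_type']:<18} ALE ${r['ale']:>9,.0f}  "
              f"std ${r['std']:>11,.0f}  P(quiet year) {r['p_quiet_year']:.3f}")
    print("sure $1  :", gamble_stats([(1.0, 1)]))
    print("coin flip:", gamble_stats([(0.5, 1000), (0.5, -998)]))
```

Under this model teller theft has the largest ALE but a small year-to-year spread, while SWIFT fraud's standard deviation is roughly 14 times its ALE; the coin flip has the same expected value as the sure dollar with a standard deviation of $999.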
Case Study: The Infamous Ford Pinto
Adapted from the Ford Pinto Case Study slides initially developed by Luke Casotti, Nick Lafler, & Jeff Lindaman, Fall 2004

Background: 1971-1980, the worst cars of all time
"You don't want to talk about the Pinto," said a Ford official. "Leave that one in the cemetery."
When people talk about how bad American small cars created an opportunity for the Japanese to come in and clean house in the 1970s and '80s, they are referring to vehicles like this.

Background: Ford mission statement
We are a global, diverse family with a proud heritage, passionately committed to providing outstanding products and services that improve people's lives.

Background: Lee Iacocca
- 1946 - Started at Ford as a student engineer
- 1956 - A major breakthrough
  - Sales of Fords were poor, and Iacocca's district, Philadelphia, had the worst performance of all, but he introduced a novel idea: A new '56 Ford for $56 down and $56 a month!
  - Within three months Philadelphia's figures moved from worst to best.
  - Iacocca was promoted to district manager of Washington, D.C.

Background: Lee Iacocca
- 1976 - President of the Ford Motor Division
  - Oversaw design and introduction of the Mustang, Cougar, and Mark III
- 1978 - Forced to leave Ford in 1978 -- conflict with Henry Ford II
  - Picked up by Chrysler Corporation
  - Rebuilt the failing corporation
- 1979 - Went before Congress asking for money
- 1980 - Chrysler turnaround
  - K-Car, Minivan, Jeep Division at Chrysler

Background
"I have found that being honest is the best technique I can use. Right up front, tell people what you're trying to accomplish and what you're willing to sacrifice to accomplish it."
Lee was honest and up front about what he wanted from the Ford Pinto
- "Lee's Car": 2000 lbs for $2000
- Nothing else would compete with Datsun & VW

Background: 23 months to roll-out (not 45)
PRODUCT OBJECTIVES
- TRUE SUBCOMPACT: Size & Weight
- LOW COST OF OWNERSHIP: Initial price, Fuel consumption, Reliability, Serviceability
- CLEAR PRODUCT SUPERIORITY: Appearance, Comfort, Features, Ride and Handling, Performance
Lee Iacocca was fond of saying, "Safety doesn't sell."

Background: Fuel tank placement
Behind-the-rear-axle tank
- Pros: More luggage space; Industry standard (felt it was safer)
- Cons: Not as safe in rear-end collisions
Over-the-rear-axle tank
- Pros: Performed well in rear-end collisions
- Cons: Long "round-about" filler pipe; Closer to passengers in back seat; Higher center of gravity; Reduced trunk space

Background: Crash Tests
In a relatively low MPH rear-end collision, the gas tank is easily punctured by bolts on the differential.
Was Iacocca told? "Hell no," replied an engineer who worked on the Pinto. "That person would have been fired. Safety wasn't a popular subject around Ford. Whenever a problem was raised that meant a delay on the Pinto, Lee would chomp on his cigar, look out the window and say 'Read the product objectives and get back to work.'"

Background: Crash Tests
Of 40 tests, 37 resulted in ruptured gas tanks. The three that succeeded had:
- a plastic baffle between the tank and the differential bolts
- a piece of steel between tank and bumper
- a rubber "bladder" inside the gas tank

Background: Crash Tests
More crash tests showed that a one-pound, one-dollar piece of plastic stopped the puncture of the gas tank. The idea was thrown out as extra cost and extra weight. Besides, tooling was already well under way.

Background: Crash Tests
If you ran into that Pinto you were following at over 30 miles per hour, the rear end of the car would buckle like an accordion, right up to the back seat.
The tube leading to the gas-tank cap would be ripped away from the tank itself, and gas would immediately begin sloshing onto the road around the car. The buckled gas tank would be jammed up against the differential housing (that big bulge in the middle of your rear axle), which contains four sharp, protruding bolts likely to gash holes in the tank and spill still more gas.

Background: Crash Tests
Now all you need is a spark from a cigarette, ignition, or scraping metal, and both cars would be engulfed in flames. If you gave that Pinto a really good whack (say, at 40 mph), chances are excellent that its doors would jam and you would have to stand by and watch its trapped passengers burn to death.

Background: Meanwhile, Federal Motor Vehicle Safety Standard 301
- Meant to require vehicles to withstand rear-end collision of 28 mph
- Henry Ford II lobbied relentlessly against
- Official auto industry line: cars don't cause accidents; people and road conditions do
- Tactics: last-minute documents; challenges to test results; lawsuits; private negotiating
- The standard was delayed for 8 years

Background: The Ford Cost-Benefit Analysis (What was life worth in 1971)

Component                        1971 Costs
Future productivity losses
  Direct                         $132,000
  Indirect                       $41,300
Medical costs
  Hospital                       $700
  Other                          $425
  Total                          $1,125
Property damage                  $1,500
Insurance administration         $1,500
Legal and court                  $3,000
Employer losses                  $1,000
Victim's pain and suffering      $10,000
Funeral                          $900
Assets (lost consumption)        $5,000
Miscellaneous                    $200
Total cost per fatality          $200,725

Cost vs. Benefit: Recall?
Benefit analysis
- Savings: 180 burn deaths, 180 serious burn injuries, 2100 burned vehicles
- Unit cost: $200,000 per death, $67,000 per injury, $700 per vehicle
- Total benefit: (180 * $200,000) + (180 * $67,000) + (2,100 * $700) = $49.5 million

Cost vs. Benefit: Recall?
Cost analysis
- Sales: 11 million cars, 1.5 million light trucks
- Unit cost: $11 per car, $11 per truck
- Total cost: 12.5 million * $11 = $137.5 million

Cost vs. Benefit: Recall?
- Costs: $137.5 million
- Benefits: $49.5 million
- Difference: $137.5 million - $49.5 million = $88.0 million

Grimshaw v. Ford Motor Co.
- Richard Grimshaw: 13-year old passenger in 1971 Pinto
- Struck from behind; exploded; badly burned over 90% of his body; 20 years reconstructive surgery.
- Awarded $125 million in punitive damages
  - $124 million profits made since Ford Pinto's introduction
  - Judge reduced to $3.5 million
https://en.wikipedia.org/wiki/Grimshaw_v._Ford_Motor_Co.

After Grimshaw v. Ford Motor Co.
- On January 15, 1980, the Ford Motor Company went on trial on charges of reckless homicide in the 1978 death of three Indiana teenagers who burned to death after their 1973 Ford Pinto was hit from behind by a van.
- Indiana state prosecutors alleged that Ford knew Pinto gasoline tanks were prone to catch fire during rear-end collisions but failed to warn the public or fix the problem out of concern for profits.
- The trial marked the first time that an American corporation was prosecuted on criminal charges, in this case reckless homicide.
- Ford was acquitted in March; the case was too complex.
- The Pinto was discontinued in fall 1980.

Pinto recall
- Ford was first urged to recall the Pinto in 1974, by the nonprofit Center for Auto Safety.
- Late in 1978, Ford recalled all 1971-1976 Pinto models (1.5 million cars)
- Modifications:
  - Longer fuel filler neck
  - Plastic shields
    - Protected from rear differential
    - Protected from rear shock absorber

For consideration
- Would you want to be the one to tell Iacocca the Pinto needed a gas-tank fix? What if he fired you?
- How do you think the employees of Ford felt about their company when the lawsuits began?
- What if you were Ford's recall manager?

End
