Reliability and Security
Security
• How big a problem is security?
• Perfect security is unattainable
• Security in the context of a sociotechnical system
• Disaster planning
• Security is a process, not a product
Internet Security
What’s different about the Internet and computerized attacks?
• Complexity
• Automation
• Action at a distance
• Propagation of techniques
• Class breaks
Is IT Security a Technical Problem?
• Socio-technical systems view of IT security
– Technical system includes hardware, software, networks, data
– Social system includes people, processes, organization, work design, objectives
– The socio-technical solution is the best total solution; it may not optimize either the social or the technical solution on its own
Is IT Security a Technical Problem?
• Schneier: security is provided within a context.
– An asset is secured from a particular type of attacker
– Assets and attacks exist in contexts
– Context (especially the social part) matters more than technology
Types of Attack
What’s the same
• Theft
• Embezzlement
• Vandalism
• Exploitation
• Fraud
• Extortion
• Threat of harm
• Privacy violations
Attack Types
• Schneier’s classification
– Criminal attacks
– Privacy violations
– Publicity attacks
• By attacker motive
– Financial or other gain
– To damage others
– Privacy violations
Gain Motivated Attacks
• Fraud
• Intellectual Property Theft
• Identity Theft
• Brand Theft
• Publicity Attacks
Privacy Violations
• Stalking
• Surveillance
• Databases
• Traffic Analysis
• Broad Scale Electronic Monitoring
Attacks aimed at damaging others
• Denial-of-Service attacks
• Defacing web sites
• Viruses and their ilk
Adversaries
Those classified as criminals
• Hackers
• Lone Criminals
• Malicious Insiders
• Organized Crime
• Terrorists
Adversaries
Those with claims of legitimacy
• Industrial spies
• The press
• The police
• National Intelligence Organizations
• Infowarriors
Phishing
• Antiphishing.org
Microsoft Vulnerabilities
• Sharp increase in attacks on Windows-based PCs in the 1st half of 2004
– 1237 new vulnerabilities, or 48/week
• Increase in number of bot networks
– 30,000, up from 2,000 in the previous 6 months
• Increase in percent of e-commerce attacks from 4% to 16%
• 450% increase in new Windows viruses
– 4,496
Risk Components
• Magnitude of loss
• Likelihood of loss
• Exposure to loss
Management of Risk
• Control
• Information
• Time
Miscellaneous Defensive Measures
• Security policies
• Firewalls
• Intrusion detection
• Encryption
• Authentication
Liability Argument
• Who should be held liable?
– Software vendors, e.g. Microsoft
– Network owner, e.g. ISP (Comcast)
– Person who wrote the attack tool
– Person who used the attack tool
– The public
• The ATM example
Three Steps to Improving IT Security
1) Enforce liability
2) Permit parties to transfer liability
3) Provide mechanisms to reduce risk