Security Engineering

                                 Lecture 1




Security Engineering 1, 2013                     Slide 1
Topics covered
  • Security engineering and security management
    – Security engineering is concerned with applications; security management with infrastructure.
  • Security risk assessment
    – Designing a system based on the assessment of security risks.
  • Design for security
    – How system architectures have to be designed for security.

Security engineering
  • Tools, techniques and methods to support the development and maintenance of systems that can resist malicious attacks that are intended to damage a computer-based system or its data.
  • A sub-field of the broader field of computer security.
  • Assumes background knowledge of dependability and security concepts (Chapter 10) and security requirements specification (Chapter 12).

Security concerns
  • Confidentiality
    – Ensuring that data is only accessible to authorised people and organisations.
  • Integrity
    – Ensuring that external attacks cannot damage data and programs.
  • Availability
    – Ensuring that external attacks do not compromise the availability of data and programs.

Application/infrastructure security
  • Application security is a software engineering problem where the system is designed to resist attacks.
  • Infrastructure security is a systems management problem where the purchased infrastructure is configured to resist attacks.
  [Figure: the application (built in-house) sits on purchased infrastructure: middleware, platform, network.]

System layers where security may be compromised
  [Figure]

System security management
  • User and permission management
    – Adding and removing users from the system and setting up appropriate permissions for users.
  • Software deployment and maintenance
    – Installing application software and middleware and configuring these systems so that vulnerabilities are avoided.
  • Attack monitoring, detection and recovery
    – Monitoring the system for unauthorized access, designing strategies for resisting attacks and developing backup and recovery strategies.

Security risk management
  • Risk management is concerned with assessing the possible losses that might ensue from attacks on the system and balancing these losses against the costs of security procedures that may reduce these losses.
  • Risk management should be driven by an organisational security policy.
  • Risk management involves
    – Preliminary risk assessment
    – Life cycle risk assessment
    – Operational risk assessment

Preliminary risk assessment
  [Figure]

Misuse cases
  • Misuse cases are instances of threats to a system.
  • Interception threats
    – Attacker gains access to an asset.
  • Interruption threats
    – Attacker makes part of a system unavailable.
  • Modification threats
    – A system asset is tampered with.
  • Fabrication threats
    – False information is added to a system.

Asset analysis

Asset: The information system
  Value: High. Required to support all clinical consultations. Potentially safety-critical.
  Exposure: High. Financial loss as clinics may have to be canceled. Costs of restoring system. Possible patient harm if treatment cannot be prescribed.

Asset: The patient database
  Value: High. Required to support all clinical consultations. Potentially safety-critical.
  Exposure: High. Financial loss as clinics may have to be canceled. Costs of restoring system. Possible patient harm if treatment cannot be prescribed.

Asset: An individual patient record
  Value: Normally low although may be high for specific high-profile patients.
  Exposure: Low direct losses but possible loss of reputation.

Threat and control analysis

Threat: Unauthorized user gains access as system manager and makes system unavailable
  Probability: Low
  Control: Only allow system management from specific locations that are physically secure.
  Feasibility: Low cost of implementation but care must be taken with key distribution and to ensure that keys are available in the event of an emergency.

Threat: Unauthorized user gains access as system user and accesses confidential information
  Probability: High
  Control: Require all users to authenticate themselves using a biometric mechanism.
  Feasibility: Technically feasible but high-cost solution. Possible user resistance.
  Control: Log all changes to patient information to track system usage.
  Feasibility: Simple and transparent to implement and also supports recovery.

Security requirements
  • Patient information must be downloaded at the start of a clinic session to a secure area on the system client that is used by clinical staff.
  • Patient information must not be maintained on system clients after a clinic session has finished.
  • A log on a separate computer from the database server must be maintained of all changes made to the system database.

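The change-logging control in the threat analysis above and the third requirement (a log of all database changes kept on a separate computer) only help recovery and detection if the log itself cannot be quietly altered. The following is an added example, not part of the lecture, showing one way to make such a log tamper-evident: each entry carries the hash of the previous one, so an auditor can detect altered, deleted or reordered entries. The `RemoteChangeLog` class, the record fields, the user and patient identifiers and the verification API are all constructed for this illustration; in a real deployment the log object would live on the separate log host and the database server would only be able to append to it.

```python
"""Tamper-evident change log for a clinical database (illustrative example).

Assumed design: every change to the patient database is appended to a hash
chain held on a separate log host. The database server can append but not
rewrite entries; an auditor verifies the chain and compares its head hash with
an independently stored anchor.
"""
import hashlib
import json
from dataclasses import asdict, dataclass
from typing import Dict, List, Optional, Tuple

GENESIS_HASH = "0" * 64  # prev_hash of the very first entry


@dataclass
class ChangeRecord:
    seq: int          # position in the chain
    user: str         # who made the change (constructed sample usernames below)
    patient_id: str   # constructed identifier, not real patient data
    action: str       # description of the change
    prev_hash: str    # entry_hash of the preceding record
    entry_hash: str = ""

    def digest(self) -> str:
        # Hash every field except entry_hash itself; sort_keys gives a canonical encoding.
        body = {k: v for k, v in asdict(self).items() if k != "entry_hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class RemoteChangeLog:
    """Append-only log; stands in for the separate log computer the requirement calls for."""

    def __init__(self) -> None:
        self.entries: List[ChangeRecord] = []

    def append(self, user: str, patient_id: str, action: str) -> ChangeRecord:
        prev = self.entries[-1].entry_hash if self.entries else GENESIS_HASH
        rec = ChangeRecord(seq=len(self.entries), user=user, patient_id=patient_id,
                           action=action, prev_hash=prev)
        rec.entry_hash = rec.digest()
        self.entries.append(rec)
        return rec

    def head_hash(self) -> str:
        return self.entries[-1].entry_hash if self.entries else GENESIS_HASH

    def verify(self) -> Tuple[bool, Optional[int]]:
        """(True, None) if every link holds, else (False, seq of the first bad entry)."""
        expected_prev = GENESIS_HASH
        for i, rec in enumerate(self.entries):
            if rec.seq != i or rec.prev_hash != expected_prev or rec.entry_hash != rec.digest():
                return False, i
            expected_prev = rec.entry_hash
        return True, None

    def verify_against_anchor(self, anchored_head: str) -> bool:
        """Chain verification alone cannot see entries removed from the tail;
        compare the head with a hash stored elsewhere (e.g. printed in a daily report)."""
        ok, _ = self.verify()
        return ok and self.head_hash() == anchored_head


def demo() -> Dict[str, object]:
    log = RemoteChangeLog()
    log.append("dr_smith", "P-0001", "update medication")
    log.append("dr_smith", "P-0002", "add allergy")
    log.append("nurse_j", "P-0001", "update contact details")
    anchored = log.head_hash()                 # auditor records the head out of band
    result: Dict[str, object] = {"intact": log.verify()}
    log.entries[1].action = "delete allergy"   # simulated alteration of a middle entry
    result["altered"] = log.verify()
    log.entries[1].action = "add allergy"      # undo the alteration
    log.entries.pop()                          # simulated deletion of the newest entry
    result["truncated_chain"] = log.verify()
    result["truncated_vs_anchor"] = log.verify_against_anchor(anchored)
    return result


if __name__ == "__main__":
    print(demo())
```

The design point is the last two results: truncating the log leaves a perfectly valid chain, so the hash chain must be combined with an externally kept head hash (or a count) for deletions to be detected. Keeping the log on a separate computer, as the requirement demands, is what makes that anchor meaningful.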
Life cycle risk assessment
  • Risk assessment while the system is being developed and after it has been deployed.
  • More information is available: the system platform, middleware, system architecture and data organisation.
  • Vulnerabilities that arise from design choices may therefore be identified.

Life-cycle risk analysis
  [Figure]

Design decisions from use of off-the-shelf system
  • System users are authenticated using a name/password combination.
  • The system architecture is client-server with clients accessing the system through a standard web browser.
  • Information is presented as an editable web form.

Vulnerabilities associated with technology choices
  [Figure]

Security requirements
  • A password checker shall be made available and shall be run daily. Weak passwords shall be reported to system administrators.
  • Access to the system shall only be allowed by approved client computers.
  • All client computers shall have a single, approved web browser installed by system administrators.

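The first requirement above follows from the name/password design decision: if passwords are the only authentication, weak ones must be found and reported. The following is an added example, not part of the lecture, of the two places such a checker can act: a rule check when a password is set, and the daily administrator-run report that compares stored (salted, PBKDF2-hashed) passwords against a small constructed weak-password list. The account layout, the weak-password list, the PBKDF2 iteration count and the sample usernames are all assumptions made for this illustration.

```python
"""Weak-password checker (illustrative example, not the lecture's own code).

Two checks are shown: policy_violations() runs when a user chooses a password,
and daily_weak_password_report() is the administrator job required by the
slides, which inspects stored hashes without ever storing plaintext passwords.
"""
import hashlib
import hmac
import os
from typing import Dict, List, Tuple

# Constructed stand-in for a real common/breached-password file.
WEAK_PASSWORDS = ["password", "123456", "qwerty", "letmein", "clinic2013", "welcome1"]
MIN_LENGTH = 12
# Kept low so the example runs quickly; production systems use a far higher count
# or a memory-hard function such as scrypt or Argon2.
PBKDF2_ITERATIONS = 10_000


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def create_account(username: str, password: str) -> Dict[str, object]:
    """Store only a per-user random salt and the derived hash."""
    salt = os.urandom(16)
    return {"username": username, "salt": salt, "hash": hash_password(password, salt)}


def policy_violations(username: str, password: str) -> List[str]:
    """Rules applied at password-set time; an empty list means the password is acceptable."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in WEAK_PASSWORDS:
        reasons.append("appears in weak-password list")
    if username.lower() in password.lower():
        reasons.append("contains the username")
    return reasons


def daily_weak_password_report(accounts: List[Dict[str, object]]) -> List[Tuple[str, str]]:
    """Administrator job: flag accounts whose stored hash equals the hash of a
    weak-list entry under that account's salt. Only account names are reported."""
    flagged = []
    for acct in accounts:
        for candidate in WEAK_PASSWORDS:
            # Constant-time comparison avoids leaking partial matches via timing.
            if hmac.compare_digest(hash_password(candidate, acct["salt"]), acct["hash"]):
                flagged.append((acct["username"], "matches weak-password list"))
                break
    return flagged


def demo() -> Dict[str, object]:
    # Constructed sample accounts; "Clinic2013" differs from the list only in case.
    accounts = [
        create_account("alice", "correct-horse-battery-staple"),
        create_account("bob", "password"),
        create_account("carol", "Clinic2013"),
    ]
    return {
        "report": daily_weak_password_report(accounts),
        "alice_set_time": policy_violations("alice", "correct-horse-battery-staple"),
        "bob_set_time": policy_violations("bob", "password"),
        "carol_set_time": policy_violations("carol", "Clinic2013"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The two checks do not catch the same things: the daily hash comparison only finds exact matches (the constructed account "carol" is missed because of a capital letter, while the set-time rule catches it), and it costs one key derivation per account per weak entry, so the list it can afford to test is small. That is why the set-time rule check, which sees the plaintext once and can apply length and username rules, is the stronger control; the daily report is a safety net for accounts created before the policy existed.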
Operational risk assessment
  [Figure]
  • Environment characteristics can lead to new system risks
    – Risk of interruption means that logged-in computers are left unattended.

Design for security
  • Architectural design
    – How do architectural design decisions affect the security of a system?
  • Good practice
    – What is accepted good practice when designing secure systems?
  • Design for deployment
    – What support should be designed into a system to avoid the introduction of vulnerabilities when a system is deployed for use?

Architectural design
  • Two fundamental issues have to be considered when designing an architecture for security.
    – Protection
      • How should the system be organised so that critical assets can be protected against external attack?
    – Distribution
      • How should system assets be distributed so that the effects of a successful attack are minimized?
  • These are potentially conflicting
    – If assets are distributed, then they are more expensive to protect. If assets are protected, then usability and performance requirements may be compromised.

Protection – defence in depth
  [Figure]

Layered protection model
  • Platform-level protection
    – Top-level controls on the platform on which a system runs.
  • Application-level protection
    – Specific protection mechanisms built into the application itself, e.g. additional password protection.
  • Record-level protection
    – Protection that is invoked when access to specific information is requested.

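The three layers above are easiest to see as three checks that an access request must pass in order, each able to refuse independently of the others. The following is an added example, not taken from the lecture, of such a layered authorisation decision for the clinical system used throughout these slides: platform-level (is there an authenticated session?), application-level (does the user's role permit the operation, and has the additional password step been completed?), and record-level (is the user on the patient's care team, and does a high-profile record demand the extra step?). The roles, permissions, care-team rule, `Session`/`PatientRecord` structures and sample users are all assumptions made for this illustration.

```python
"""Layered (platform / application / record) access decision (illustrative example).

Each layer can deny on its own; the Decision names the layer that refused so
that audit logs and tests can show where a request was stopped.
"""
from dataclasses import dataclass
from typing import Dict, NamedTuple, Set


@dataclass
class Session:
    user: str
    authenticated: bool        # platform level: did the platform log-in succeed?
    mfa_passed: bool = False   # application level: extra password / second factor done?


@dataclass
class PatientRecord:
    patient_id: str            # constructed identifier, not real data
    care_team: Set[str]        # users currently responsible for this patient
    high_profile: bool = False # record level: extra protection for specific patients


class Decision(NamedTuple):
    allowed: bool
    layer: str                 # "platform", "application" or "record"
    reason: str


# Application-level policy (assumed): what each role may do with clinical records.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "clinician": {"read", "update"},
    "receptionist": {"read"},
    "sysadmin": set(),   # administers the platform but may not read clinical data
}
USER_ROLES: Dict[str, str] = {
    "dr_smith": "clinician", "nurse_j": "clinician",
    "front_desk": "receptionist", "root_admin": "sysadmin",
}


def authorise(session: Session, action: str, record: PatientRecord) -> Decision:
    # Layer 1: platform-level protection.
    if not session.authenticated:
        return Decision(False, "platform", "no authenticated platform session")

    # Layer 2: application-level protection (role check plus additional password step).
    role = USER_ROLES.get(session.user)
    if role is None or action not in ROLE_PERMISSIONS[role]:
        return Decision(False, "application", f"role {role!r} may not {action}")
    if action == "update" and not session.mfa_passed:
        return Decision(False, "application", "update requires additional authentication")

    # Layer 3: record-level protection, evaluated only now that a specific record is requested.
    if session.user not in record.care_team:
        return Decision(False, "record", "user is not on the patient's care team")
    if record.high_profile and not session.mfa_passed:
        return Decision(False, "record", "high-profile record requires additional authentication")
    return Decision(True, "record", "all layers passed")


def demo() -> Dict[str, Decision]:
    routine = PatientRecord("P-0001", care_team={"dr_smith", "nurse_j"})
    vip = PatientRecord("P-0042", care_team={"dr_smith"}, high_profile=True)
    smith = Session("dr_smith", authenticated=True)
    smith_mfa = Session("dr_smith", authenticated=True, mfa_passed=True)
    return {
        "clinician_reads_own_patient": authorise(smith, "read", routine),
        "clinician_reads_vip_without_mfa": authorise(smith, "read", vip),
        "clinician_updates_vip_with_mfa": authorise(smith_mfa, "update", vip),
        "receptionist_reads_clinical_record": authorise(Session("front_desk", True), "read", routine),
        "sysadmin_reads_record": authorise(Session("root_admin", True), "read", routine),
        "unauthenticated": authorise(Session("dr_smith", False), "read", routine),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name}: {decision}")
```

Two design choices are worth noting. The checks run in the order of the layers, so a request from an unauthenticated session never reaches the role table, and the role table is consulted before any record is loaded. And the record-level rule for high-profile patients is where the "normally low but high for specific patients" value from the asset analysis is enforced: the extra authentication step is demanded per record rather than for every user all the time.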
A layered protection architecture
  [Figure]

Distribute assets to reduce losses
  [Figure]

Distributed assets
  • Distributing assets means that attacks on one system do not necessarily lead to complete loss of system service.
  • Each platform has separate protection features and may be different from other platforms so that they do not share a common vulnerability.
  • Distribution is particularly important if the risk of denial of service attacks is high.

Distributed assets in an equity trading system
  [Figure]

Key points
  • Security engineering is concerned with how to develop systems that can resist malicious attacks.
  • Security threats can be threats to confidentiality, integrity or availability of a system or its data.
  • Security risk management is concerned with assessing possible losses from attacks and deriving security requirements to minimise losses.
  • Design for security involves architectural design, following good design practice and minimising the introduction of system vulnerabilities.
