An Overview of Computer Security

Outline
  • Components of computer security
  • Threats
  • Policies and mechanisms
  • The role of trust
  • Assurance
  • Operational Issues
  • Human Issues

Status of security in computing
  • In terms of security, computing is very close to the wild west days.
  • Some computing professionals & managers do not even recognize the value of the resources they use or control.
  • In the event of a computing crime, some companies do not investigate or prosecute.

Characteristics of Computer Intrusion
  • A computing system: a collection of hardware, software, data, and people that an organization uses to do computing tasks
  • Any piece of the computing system can become the target of a computing crime.
  • The weakest point is the most serious vulnerability.
  • The principles of easiest penetration

Security Breaches - Terminology
  • Exposure: a form of possible loss or harm
  • Vulnerability: a weakness in the system
  • Attack
  • Threats: human attacks, natural disasters, errors
  • Control: a protective measure
  • Assets: h/w, s/w, data

Types of Security Breaches
  • Disclosure: unauthorized access to info
      • Snooping
  • Deception: acceptance of false data
      • Modification, spoofing, repudiation of origin, denial of receipt
  • Disruption: prevention of correct operation
      • Modification, man-in-the-middle attack
  • Usurpation: unauthorized control of some part of the system (usurp: take by force or without right)
      • Modification, spoofing, delay, denial of service

Security Components
  • Confidentiality: The assets are accessible only by authorized parties.
      • Keeping data and resources hidden
  • Integrity: The assets are modified only by authorized parties, and only in authorized ways.
      • Data integrity (integrity)
      • Origin integrity (authentication)
  • Availability: Assets are accessible to authorized parties.
      • Enabling access to data and resources

Computing System Vulnerabilities
  • Hardware vulnerabilities
  • Software vulnerabilities
  • Data vulnerabilities
  • Human vulnerabilities?

Software Vulnerabilities
  • Destroyed (deleted) software
  • Stolen (pirated) software
  • Altered (but still run) software
  • Logic bomb
  • Trojan horse
  • Virus
  • Trapdoor
  • Information leaks

Data Security
  • The principle of adequate protection
  • Storage of encryption keys
  • Software versus hardware methods

Other Exposed Assets
  • Storage media
  • Networks
  • Access
  • Key people

People Involved in Computer Crimes
  • Amateurs
  • Crackers
  • Career Criminals

Methods of Defense
  • Encryption
  • Software controls
  • Hardware controls
  • Policies
  • Physical controls

Encryption
  • at the heart of all security methods
  • Confidentiality of data
  • Some protocols rely on encryption to ensure availability of resources.
  • Encryption does not solve all computer security problems.

Software controls
  • Internal program controls
  • OS controls
  • Development controls
  • Software controls are usually the 1st aspects of computer security that come to mind.

Policies and Mechanisms
  • Policy says what is, and is not, allowed
      • This defines “security” for the site/system/etc.
  • Mechanisms enforce policies
      • Mechanisms can be simple but effective
      • Example: frequent changes of passwords
  • Composition of policies
      • If policies conflict, discrepancies may create security vulnerabilities
  • Legal and ethical controls
      • Gradually evolving and maturing

Principle of Effectiveness
  • Controls must be used to be effective.
  • Efficient
      • Time, memory space, human activity, …
  • Easy to use
  • Appropriate

Overlapping Controls
  • Several different controls may apply to one potential exposure.
  • H/w control + S/w control + Data control

Goals of Security
  • Prevention
      • Prevent attackers from violating security policy
  • Detection
      • Detect attackers’ violation of security policy
  • Recovery
      • Stop attack, assess and repair damage
      • Continue to function correctly even if attack succeeds

Trust and Assumptions
  • Underlie all aspects of security
  • Policies
      • Unambiguously partition system states
      • Correctly capture security requirements
  • Mechanisms
      • Assumed to enforce policy
      • Support mechanisms work correctly

Types of Mechanisms
  • [Figure: three panels labelled secure, precise and broad, each showing the set of reachable states against the set of secure states]

Assurance
  • Specification
      • Requirements analysis
      • Statement of desired functionality
  • Design
      • How system will meet specification
  • Implementation
      • Programs/systems that carry out design

Operational Issues
  • Cost-Benefit Analysis
      • Is it cheaper to prevent or to recover?
  • Risk Analysis
      • Should we protect something?
      • How much should we protect this thing?
  • Laws and Customs
      • Are desired security measures illegal?
      • Will people do them?

Human Issues
  • Organizational Problems
      • Power and responsibility
      • Financial benefits
  • People problems
      • Outsiders and insiders
      • Social engineering

Tying Together
  • Threats
  • Policy
  • Specification
  • Design
  • Implementation
  • Operation

Key Points
  • Policy defines security, and mechanisms enforce security
      • Confidentiality
      • Integrity
      • Availability
  • Trust and knowing assumptions
  • Importance of assurance
  • The human factor

Editor's Notes

  • #20: Prevention is ideal, because then there are no successful attacks. Detection occurs after someone violates the policy. The mechanism determines that a violation of the policy has occurred (or is underway), and reports it. The system (or system security officer) must then respond appropriately. Recovery means that the system continues to function correctly, possibly after a period during which it fails to function correctly. If the system functions correctly always, but possibly with degraded services, it is said to be intrusion tolerant. This is very difficult to do correctly; usually, recovery means that the attack is stopped, the system fixed (which may involve shutting down the system for some time, or making it unavailable to all users except the system security officers), and then the system resumes correct operations.
  • #21: All security policies and mechanisms rest on assumptions; we’ll examine some in later chapters, most notably Chapter 22, Malicious Logic. Here is a taste of the assumptions. Policies: as these define security, they have to define security correctly for the particular site. For example, a web site has to be available, but if the security policy does not mention availability, the definition of security is inappropriate for the site. Also, a policy may not specify whether a particular state is “secure” or “non-secure.” This ambiguity causes problems. Mechanisms: as these enforce policy, they must be appropriate. For example, cryptography does not assure availability, so using cryptography in the above situation won’t work. Further, security mechanisms rely on supporting infrastructure, such as compilers, libraries, the hardware, and networks to work correctly. Ken Thompson’s modified C preprocessor (see the example on p. 615) illustrates this point very well.
  • #22: A reachable state is one that the computer can enter. A secure state is a state defined as allowed by the security policy. The left figure shows a secure system: all reachable states are in the set of secure states. The system can never enter (reach) a non-secure state, but there are secure states that the system cannot reach. The middle figure shows a precise system: all reachable states are secure, and all secure states are reachable. Only the non-secure states are unreachable. The right figure shows a broad system. Some non-secure states are reachable. This system is also not secure.
  • #23: Assurance is a measure of how well the system meets its requirements; more informally, how much you can trust the system to do what it is supposed to do. It does not say what the system is to do; rather, it only covers how well the system does it. Specifications arise from requirements analysis, in which the goals of the system are determined. The specification says what the system must do to meet those requirements. It is a statement of functionality, not assurance, and can be very formal (mathematical) or informal (natural language). The specification can be high-level or low-level (for example, describing what the system as a whole is to do vs. what specific modules of code are to do). The design architects the system to satisfy, or meet, the specifications. Typically, the design is layered by breaking the system into abstractions, and then refining the abstractions as you work your way down to the hardware. An analyst also must show the design matches the specification. The implementation is the actual coding of the modules and software components. These must be correct (perform as specified), and their aggregation must satisfy the design. Note the assumptions of correct compilers, hardware, etc.
  • #24: Security does not end when the system is completed. Its operation affects security. A “secure” system can be breached by improper operation (for example, when accounts with no passwords are created). The question is how to assess the effect of operational issues on security. Cost-Benefit Analysis: this weighs the cost of protecting data and resources with the costs associated with losing the data. Among the considerations are the overlap of mechanisms’ effects (one mechanism may protect multiple services, so its cost is amortized), the non-technical aspects of the mechanism (will it be impossible to enforce), and the ease of use (if a mechanism is too cumbersome, it may cost more to retrofit a decent user interface than the benefits would warrant). Risk Analysis: what happens if the data and resources are compromised? This tells you what you need to protect and to what level. Cost-benefit analyses help determine the risk here, but there may be other metrics involved (such as customs). Laws and Customs: these constrain what you can do. Encryption used to be the biggie here, as the text indicates. How much that has changed is anybody’s guess. Customs involve non-legislated things, like the use of urine specimens to determine identity. That is legal, at least in the US in some cases; but it would never be widely accepted as an alternative to a password.
  • #25: Organizations: the key here is that those responsible for security have the power to enforce security. Otherwise there is confusion, and the architects need not worry if the system is secure because they won’t be blamed if someone gets in. This arises when system administrators, for example, are responsible for security, but only security officers can make the rules. Preventing this problem (power without responsibility, or vice versa) is tricky and requires capable management. What’s worse is that security is not a direct financial incentive for most companies because it doesn’t bring in revenue. It merely prevents the loss of revenue obtained from other sources. People problems are by far the main source of security problems. Outsiders are attackers from without the organization; insiders are people who have authorized access to the system and, possibly, are authorized to access data and resources, but use the data or resources in unauthorized ways. It is speculated that insiders account for 80-90% of all security problems, but the studies generally do not disclose their methodology in detail, so it is hard to know how accurate they are. (Worse, there are many slightly different definitions of the term “insider,” causing the studies to measure slightly different things!) Social engineering, or lying, is quite effective, especially if the people gulled are inexperienced in security (possibly because they are new, or because they are tired).
  • #26: The point to this slide is that each step feeds into the earlier steps. In theory, each of these should only affect the one before it, and the one after it. In practice, each affects all the ones that come before it. Feedback from operation and maintenance is critical, and often overlooked. It allows one to validate the threats and the legitimacy of the policy.
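
The secure / precise / broad distinction from note #22, worked through as an added example (it is not part of the original slides). The login states, action names and the three mechanisms are constructed for illustration: each mechanism is modelled as the set of actions it blocks, the reachable states are computed by search, and the result is compared with the states the policy allows.

```python
from collections import deque

# Constructed toy system: login states and the actions that move between them.
TRANSITIONS = {
    "logged_out": [("login_user", "user_session"),
                   ("login_admin", "admin_session"),
                   ("login_guest", "guest_session")],
    "user_session": [("logout", "logged_out"),
                     ("become_admin_no_password", "admin_unauthenticated")],
    "admin_session": [("logout", "logged_out")],
    "guest_session": [("logout", "logged_out")],
    "admin_unauthenticated": [("logout", "logged_out")],
}

# The policy: the set of states it defines as allowed (secure).
SECURE_STATES = {"logged_out", "user_session", "admin_session", "guest_session"}

# Three hypothetical mechanisms, each modelled as the set of actions it blocks.
MECHANISMS = {
    "strict": {"login_guest", "become_admin_no_password"},
    "exact": {"become_admin_no_password"},
    "permissive": set(),
}


def reachable_states(initial, transitions, blocked_actions):
    """Breadth-first search over every transition the mechanism lets through."""
    seen = {initial}
    queue = deque([initial])
    while queue:
        state = queue.popleft()
        for action, nxt in transitions.get(state, []):
            if action not in blocked_actions and nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def classify(reachable, secure):
    """Return (label, reachable states that the policy does not allow)."""
    violations = reachable - secure
    if violations:
        return "broad", violations      # some non-secure state can be entered
    if reachable == secure:
        return "precise", violations    # every secure state is reachable, nothing else
    return "secure", violations         # only secure states, but some are unreachable


def assess(mechanism_name):
    """Classify one of the constructed mechanisms against the policy."""
    reachable = reachable_states("logged_out", TRANSITIONS,
                                 MECHANISMS[mechanism_name])
    return classify(reachable, SECURE_STATES)


if __name__ == "__main__":
    for name in MECHANISMS:
        label, violations = assess(name)
        print(f"{name:10s} -> {label:8s} non-secure reachable: {sorted(violations)}")
```

The "strict" mechanism is secure at the cost of making an allowed state (the guest session) unreachable, which is the usability price the left-hand figure implies.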