Computer Security Workshops

1
Computer Security Workshops

• Security 101 - Introduction, Central Principles
  and Concepts

2
Why Study Computer Security?

• Increasingly important issue for
• Computer system and network administrators
• Application programmers
• Security issues follow technology
• Desktop systems, wireless networks, handheld
  devices
• Security issues affect software, laws, profits
  and businesses

3
Computer Security

• Definition ensuring the security of resources
  in a computing environment
• ensuring work to make it so a process
• resources data, network, hardware,
  applications,
• computing environment mix of hardware,
  software and people

4
Information Assurance

• A broader category than computer security,
  information security, etc.
• Concerned with the
• Security of information in system
• Quality/Reliability of information in system

5
Core Security Concepts

• Vulnerability, Exploit, Threat
• Vulnerability a weakness in some aspect of a
  system
• Exploit a known method for taking advantage of
  a vulnerability
• Threat the likelihood of some agent using an
  exploit to compromise security
• Note not all users/groups are equal threats to
  various systems
• Hackers more of a threat to popular web sites,
  businesses
• Disgruntled employees more of a threat to
  isolated businesses

6
Interesting Security Email Lists

• Cryptogram Newsletter, Bruce Schneier
• http//www.counterpane.com Library, Crypto-gram
• US/CERT Advisory List (Dept. of Homeland
  Security)
• http//www.us-cert.gov Advisories by Email
• Bugtraq List
• http//seclists.org/about/bugtraq.txt ,
  subscription information about 2/3 down the page

7
Principles To Consider

• Security is a very difficult topic to comprehend
• No silver bullets
• However, consideration of major principles will
  help develop a good set of security processes and
  policies

8
1st Principle

• Security is a process, not a product
  attributed to Bruce Schneier of Counterpane
  Security Systems, others
• Not something you purchase
• Rather, a set of processes (approved set of
  steps) and policies (rules for behavior) you
  create and enforce in your environment
• Must be dealt with continually

9
2nd Principle

• Computer Security is not just about computer
  systems
• Three major aspects to computer security
• Technology
• Hardware (systems, networks, any connected
  equipment)
• Software (programming, configuration)
• People, in many different roles
• Legitimate users, disgruntled users, hackers
• Insiders vs. outsiders fuzzy line!
• Social engineering is a large concern
• Best technological security is worthless is
  someone is tricked into turning it off / allowing
  access through it
• Physical environment
• Surroundings, access, proximity

10
3rd Principle

• Security and convenience are inversely
  proportional
• Lack of security generally makes it easier to get
  work done
• Addition of security may interfere with the ease
  of getting a job done
• Goal find the balance point that supports both

11
4th Principle

• Security succeeds or fails based on the weakest
  link
• All aspects (technology, people, environment)
  must be attended to equally
• Must remain current with each aspect
• E.g. software patches should be applied as they
  come out, not when you get around to it
• Corollary People are the weakest link Kevin
  Mitnick

12
5th Principle

• Hackers are generally technologists (as opposed
  to programmers)
• Smaller group of hackers program exploits,
  viruses
• More hackers apply technology already available,
  sometimes in creative ways
• Poor configuration of systems is a major security
  problem
• Corollary good programming skills arent
  sufficient to make a good security professional
• Add understanding of networks technology,
  attention to detail, creativity,

13
6th Principle

• Utilize Multiple Layers of Defense
• E.g. Network hardware
• Router initial line of defense
• Bastion host(s) system(s) visible/available to
  outside world (e.g. web server)
• Firewall second line of defense
• Secure intranet internally available systems
• Can anyone bypass one or more layers?

14
7th Principle

• Focus your security energy on dealing with the
  most likely threats
• Consider what is most relevant to your
  environment
• Which vulnerabilities do you have?
• Which of these have known exploits?
• What users are likely to cause problems?
• What is the likelihood of a given threat?

15
8th Principle

• One aspect of security is obscurity
• Dont set yourself up as a target
• Maintain a low network profile for your business,
  computer system, etc.
• Problem contradicts marketing principles if
  youre a business
• Examples
• Windows is attacked more than MacOS/OS X
• Those who claim their systems cant be hacked
  will have lots of people trying

16
Putting It Together

• Computer Security is balancing of a number of
  interrelated factors
• Considering Security Goals
• Developing Layered Protection (Vertically,Horizont
  ally)
• Utilizing Available Resources
• Developing and Enforcing Policies and Processes
• Minimizing Interference With Functionality
• Weighing of Risks
• Maintaining Constant Vigilance