
The Big Picture Practical, Economic, Legal Considerations

CS 519 Cryptography and Network Security. Instructor: Ali Aydin Selcuk.





Presentation Transcript


1. The Big Picture: Practical, Economic, Legal Considerations
   CS 519 Cryptography and Network Security
   Instructor: Ali Aydin Selcuk

2. Prudent Practices for Info.Sec.
   • Compartmentalize
     • Not everyone should have access to everything
     • e.g., root vs. user accounts, kernel vs. user mode
     • “least privilege” principle
     • need-to-know basis
   • Secure the weakest link (a 10,000-bit symmetric key doesn’t make sense)
   • Use choke points
     • Constrain access to the system (gateways, firewalls, etc.)

3. Prudent Practices (cont’d)
   • Provide “defense in depth”
     • E.g., in bank security: door lock – alarm – safe
     • E.g., firewall – IDS – an internal firewall
   • Don’t release unnecessary information
     • E.g., version of the OS, of the program running, etc.
   • Embrace simplicity
   • Educate & convince users
   • Question your assumptions constantly

4. 80/20 Rule of InfoSec
   Pareto principle: the top 20% owns 80% of the land.
   80/20 Rule of InfoSec (according to Symantec):
   • Remove unneeded services
     • remove components, programs, services from your system until only the minimum "business needed" remain.
   • Keep patch levels current (helped by Item 1)
     • use automation whenever possible
     • priority to public and internal servers
   • Enforce strong passwords
     • long, mixed-character passwords
     • periodic changes

5. Economic Drawbacks
   • Ordinary users don’t care much about security (they care more about fancy features)
   • First-mover advantage
     • Ship the product now; get it right by v3 (e.g., Microsoft IE)
   • Asymmetric information
     • There is no easy way to tell a good security product from a bad one, which pulls prices & quality down

6. Economic Drawbacks (of lesser significance)
   • Differentiated pricing
     • To keep low-cost alternatives poorer in quality (on purpose)
     • any security-product applications?
   • Network effects
     • The number of users determines the value of a product
     • E.g., telephone, fax, the Internet, eBay, etc.
     • Security: not-so-tight security helps attract developers & users (any practical cases?)

7. Legal Drawbacks
   • Who is liable (in addition to the attacker)?
     • the faulty software manufacturer?
     • the attack-origin ISP?
     • the victim’s system administrator?
     • the network operators?
   • The involved parties could help reduce the potential for an attack, but they don’t have much incentive to do so.

8. Other Drawbacks
   • Lack of information sharing
     • Market forces discourage revealing past incidents (for consumer confidence)
     • e.g., Citibank, 1995 (“Don’t publicize”)
     • Result: No reliable information or estimates (solution attempt: CERTs, “Center for Internet Security”)
   • Position of the interior
     • Attacker has the initiative of when & where to hit
   • Potential solution (partial):
     • UL model, pushed by the insurance industry (may solve the problem of product evaluation)
     • Limitation: Hard to evaluate software security

9. Detection, Response, Risk Management
   • Prevention alone is not sufficient. Detection & response mechanisms are also needed. (E.g., no door lock alone can prevent burglaries)
   • Risk management
     • Risks will always be with us; it’s important to know how to manage them.
   • Every security system must answer:
     • Defense against what kind of adversary, with what resources?
     • What is the potential loss?
