Bruce Schneier Lanette Dowell November 25, 2009. Introduction “It is insufficient to protect...
Introduction
“It is insufficient to protect ourselves with laws; we need to protect ourselves with mathematics” – Bruce Schneier in Applied Cryptography 1996
Security is a chain. It's only as secure as the weakest link.
Security is a process, not a product.
Part 1: The Landscape
Who are the attackers? What do they want? What do we need to deal with threats?
Part 1: The Landscape
Real life vs Digital World
Criminal Attacks
○ “How can I acquire the maximum financial return by attacking the system?”
Privacy Violations
Publicity Attacks
Legal Attacks
Part 1: The Landscape
Who are the bad guys?
○ Hackers
○ Criminals / Organized Crime
○ Insiders
○ Industrial Espionage
○ Press
○ Terrorists
○ National Intelligence Organizations
○ Infowarriors
Part 2: Technologies
Networked-Computer Security
Malicious Software
○ Viruses
○ Worms
○ Trojan Horses
Websites
○ URL hacking
○ Cookies
Etc…
Part 2: Technologies
Network Defences
○ Firewalls
○ DMZ (Demilitarized Zones)
○ VPN (Virtual Private Networks)
○ Honey Pots and Burglar Zones
○ Vulnerability Scanners
○ Email Security
Part 2: Technologies
Software Reliability
○ Faulty code
○ Buffer overflows
○ “Computers are stupid”
Secure Hardware
○ Putting a $100K lock on a cardboard house
Part 3: Strategies
Given the requirements of landscape, and the limitations of the technology, what do we do now?
Part 3: Strategies
Threat Modeling and Risk Assessment
○ Attack Trees
Product testing
○ Verification
More software complexity = more security risks (next slide, Windows…)
Part 3: Strategies
Lines of code in Windows:
○ Windows 3.1: 3 million
○ Windows NT: 4 million
○ Windows 95: 15 million
○ Windows NT 4.0: 16.5 million
○ Windows 98: 18 million
○ Windows 2000: 35-60 million