security through examples
play

Security Through Examples Exploring Cyber Security in Critical - PowerPoint PPT Presentation

Dec 07, 2023 •280 likes •495 views

Security Through Examples Exploring Cyber Security in Critical Infrastructure Tim Yardley, University of Illinois Urbana-Champaign yardley@illinios.edu Introduction Material September 30, 2016 cred-c.org Se Settin ing T The St Stage 1

  1. Security Through Examples Exploring Cyber Security in Critical Infrastructure Tim Yardley, University of Illinois Urbana-Champaign yardley@illinios.edu Introduction Material September 30, 2016 cred-c.org

  2. Se Settin ing T The St Stage 1 Categories, properties, and constraints

  3. Categories of Information System Adversaries 3

  4. Properties of Interest/Goals • Keep the lights on • Availability • Protect • systems, data equipment/infrastructure • Integrity from damage • Data, control commands, • Very expensive and systems difficult to replace • Confidentiality • Ensure safety of employees/people • Data (especially market influencing data) • Make money • Privacy • Cyber Security • On consumer side 4

  5. Limitations/Constraints • Resource Constrained ‣ Time Scale • Embedded systems Milliseconds to Minutes • CPU and Memory • constraints 4ms for protection - • Low bandwidth messages (LAN) • Serial links common PMU data – a sample • Legacy Integration - every 33ms • Backwards compatibility • 8-bit systems out there ‣ Application of Existing IT • No security features Security Principles Not always suitable • 5

  6. Ethical al A Asse sessm ssment 2 The basics of how to approach a security assessment 6

  7. Introduction to Ethical Assessment • Based on the approaches used by Certified Ethical Hacking (CEH) training. • Focus on the skills for doing professional security work. • This is not complete training; think of it as being like a beginner- to intermediate-level boot camp. 7

  8. Terminology • Asset • Network resource • Threats • Vulnerabilities • Exploits • Target of Evaluation (TOE) http://csrc.nist.gov/publications/nistpubs/800-12/800-12-html/chapter7.html 8

  9. Security Concepts • Confidentiality • Integrity • Availability 9

  10. Classes of “Hackers” • Blackhat • Greyhat • Whitehat 10

  11. Categories of “Hackers” • Script kiddies • Disgruntled employees • Whackers • Phreakers • Software crackers • System crackers • Cyber terrorists • Nation-state attackers 11

  12. Activities Involved in an Assessment • Discovering networks • Using tools • Utilizing insiders • Penetrating networks • Determining network resources • Leveraging vulnerabilities • Providing mitigations for assessment observations • Observations have little value if there are no mitigations for them. 12

  13. Steps of an Assessment • Preparation • Define scope. • Evaluation/conduct • Respect system operators. • Understand consequences of downtime. • Conclusion • Clearly define and explain any noteworthy items. • Suggest mitigations. 13

  14. Legal Approach • Determine needs. • Get permission. • Schedule assessment. • Perform assessment. • Analyze results. • Create report. • Present report. 14

  15. Legality • Dept. of Justice Title 18 (http://www.justice.gov/criminal/cybercrime/docs/ccmanual.pdf) • Section 1029 (Access Device Fraud) and Section 1030 (Computer Fraud and Abuse) • “Protected Computer” Section 1030(e)(2) defines protected computer as (A) exclusively for the use of a financial institution or the United States Government, or, in the case of a • computer not exclusively for such use, used by or for a financial institution or the United States Government and the conduct constituting the offense affects that use by or for the financial institution or the Government; or (B) which is used in or affecting interstate or foreign commerce or communication… • • “ Without Authorization” or “Exceeds Access” The term “without authorization” is not defined by the CFAA. The term “exceeds authorized access” means “to • access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.” 18 U.S.C. § 1030(e)(6). The legislative history of the CFAA reflects an expectation that persons who “exceed authorized access” will be • insiders (e.g., employees using a victim’s corporate computer network), while persons who access computers “without authorization” will typically be outsiders (e.g., hackers). 15

  16. Phases of an Assessment • Passive and active reconnaissance • Define scope • Scanning • Refine scope • Gain access • Determine mitigations • Maintain access • Draft report • Final report 16

  17. Different Approaches to Assessment • Black box • White box • Grey box 17

  18. Assessments Entry Vectors • Remote networks • Local networks • Dial-up • Stolen equipment • Social engineering • Physical entry 18

  19. Details in Your Report • Results of activities • Types of tasks performed • Actual successful tasks with details of techniques • Disclosure of all security issues discovered • Mitigations for security issues 19

  20. Discussi Di ssion What makes assessing a control system different? 20

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Jean-Pierre Tual Agenda Introduction to Security Technologiess Examples from the Mobile

Jean-Pierre Tual Agenda Introduction to Security Technologiess Examples from the Mobile

An overview of some security and privacy design challenges in Embedded applications Jean-Pierre Tual Agenda Introduction to Security Technologiess Examples from the Mobile Industry Examples from the automotive Industry Examples from the

1.59k views • 62 slides
CPSC410/611: Security Security Security Attacks Security Threats Crypto

CPSC410/611: Security Security Security Attacks Security Threats Crypto

CPSC 410 / 611 : Operating Systems CPSC410/611: Security Security Security Attacks Security Threats Crypto Authentication Examples SSL Security Threats Breach of confidentiality unauthorized access to

458 views • 18 slides
Today Embedded system security General principles Examples Computer Security This

Today Embedded system security General principles Examples Computer Security This

Today Embedded system security General principles Examples Computer Security This is a huge area Prof Kasera teaches a good course on it Today we are not talking about Protocol design (another huge area) Password

447 views • 24 slides
Security Engineering Chester Rebeiro IIT Madras Examples mo<vated from Prof. Nickolai

Security Engineering Chester Rebeiro IIT Madras Examples mo<vated from Prof. Nickolai

Security Engineering Chester Rebeiro IIT Madras Examples mo<vated from Prof. Nickolai Zeldovich lectures; part of MIT Opencourse Work Security Engineering : What is it About? Building systems that work even with adversaries 2 What does it

812 views • 34 slides
Introduction to Mobile Security Testing Approaches and Examples using OWASP MSTG OWASP German

Introduction to Mobile Security Testing Approaches and Examples using OWASP MSTG OWASP German

Introduction to Mobile Security Testing Approaches and Examples using OWASP MSTG OWASP German Day 20.11.2018 Carlos Holguera $ whoami Carlos Holguera [olera] Security Engineer working at ESCRYPT GmbH since 2012 Area of expertise:

790 views • 56 slides
Software Security Smashing the Stack: Real-World Examples Jan Nordholz Prof. Jean-Pierre Seifert

Software Security Smashing the Stack: Real-World Examples Jan Nordholz Prof. Jean-Pierre Seifert

Software Security Smashing the Stack: Real-World Examples Jan Nordholz Prof. Jean-Pierre Seifert Security in Telecommunications TU Berlin SoSe 2014 jan (sect) Software Security SoSe 2014 1 / 24 Example 1: the Morris worm (1988) first

695 views • 24 slides
Security Engineering Chester Rebeiro IIT Madras Examples motivated from Prof. Nickolai Zeldovich

Security Engineering Chester Rebeiro IIT Madras Examples motivated from Prof. Nickolai Zeldovich

Security Engineering Chester Rebeiro IIT Madras Examples motivated from Prof. Nickolai Zeldovich lectures; part of MIT Opencourse Work Security Engineering : What is it About? Building systems that work even with adversaries 2 What does it

594 views • 32 slides
Adversarial Examples and Adversarial Training Ian Goodfellow, OpenAI Research Scientist Security

Adversarial Examples and Adversarial Training Ian Goodfellow, OpenAI Research Scientist Security

Adversarial Examples and Adversarial Training Ian Goodfellow, OpenAI Research Scientist Security Seminar, Stanford University, 2017-01-17 In this presentation Intriguing Properties of Neural Networks Szegedy et al, 2013

939 views • 44 slides
Hybrid Cryptography with examples in Ruby and Go Romek Szczesniak Eleanor McHugh security

Hybrid Cryptography with examples in Ruby and Go Romek Szczesniak Eleanor McHugh security

Hybrid Cryptography with examples in Ruby and Go Romek Szczesniak Eleanor McHugh security consultant system architect Hardcore Happy Cat Ltd Games With Brains January 2015 romek an applied cryptographer since 1995 secures systems

725 views • 48 slides
Objectives You should be able to ... Lambda Calculus Examples Here are some examples! Dr.

Objectives You should be able to ... Lambda Calculus Examples Here are some examples! Dr.

Objectives Examples Objectives Examples Objectives You should be able to ... Lambda Calculus Examples Here are some examples! Dr. Mattox Beckman Perform a beta-reduction. Detect -capture and use -renaming to avoid it.

518 views • 6 slides
for hardware or embedded security Erik Poll Digital Security Radboud University Nijmegen 1

for hardware or embedded security Erik Poll Digital Security Radboud University Nijmegen 1

Attacker Models for hardware or embedded security Erik Poll Digital Security Radboud University Nijmegen 1 Security-sensitive hardware: examples 2 Naive attacker model Attacks on communication channels exploiting lousy crypto or insecure

904 views • 45 slides
Course Evaluations 1. More examples Worked examples on whiteboard? Concrete examples of

Course Evaluations 1. More examples Worked examples on whiteboard? Concrete examples of

Course Evaluations 1. More examples Worked examples on whiteboard? Concrete examples of settings 2. Too fast Too much material for time available More time on math parts, proofs Awkwardly placed midterm Too many details,

525 views • 20 slides
CSE 484 / CSE M 584 Computer Security: Cryptography TA:

CSE 484 / CSE M 584 Computer Security: Cryptography TA:

CSE 484 / CSE M 584 Computer Security: Cryptography TA: Adrian Sham adrsham@cs Original slides by Franzi [Examples/Images thanks to Wikipedia.] Lab 1

374 views • 22 slides
1 Some Old Examples Some Recent Examples Western Digital House Keys Compromise went

1 Some Old Examples Some Recent Examples Western Digital House Keys Compromise went

Administrivia P561: Network Systems Fishnet Assignment #4 Week 9: Network Security Due next Monday, Dec 1 Final Exam Tom Anderson Handed out next Monday night (and by email) Ratul Mahajan Due Monday, 12/8, 11:59pm, no extensions

393 views • 11 slides
Ground-Truth Driven Cyber Security Research: Some Examples Mustaque Ahamad, Georgia Tech, NYU Abu

Ground-Truth Driven Cyber Security Research: Some Examples Mustaque Ahamad, Georgia Tech, NYU Abu

Ground-Truth Driven Cyber Security Research: Some Examples Mustaque Ahamad, Georgia Tech, NYU Abu Dhabi and Pindrop Paul Royal, Georgia Tech Terry Nelms, Georgia Tech & Damballa Roberto Perdisci, University of Georgia Page 1 Background

554 views • 42 slides
Today Computer Security Embedded system security This is a huge area General

Today Computer Security Embedded system security This is a huge area General

Today Computer Security Embedded system security This is a huge area General principles Prof Kasera teaches a good course on it Examples Today we are not talking about Protocol design (another huge area) Password

403 views • 4 slides
Probabilistic Reasoning; Network-based reasoning COMPSCI 276, Spring 2017 Set 1: Introduction

Probabilistic Reasoning; Network-based reasoning COMPSCI 276, Spring 2017 Set 1: Introduction

Probabilistic Reasoning; Network-based reasoning COMPSCI 276, Spring 2017 Set 1: Introduction and Background Rina Dechter (Reading: Pearl chapter 1-2, Darwiche chapters 1,3) 1 Example of Common Sense Reasoning Zebra on Pajama : (7:30 pm): I

626 views • 47 slides
In collabora*on with IDPF and BISG Session 4: DRM Moderator: Oliver

In collabora*on with IDPF and BISG Session 4: DRM Moderator: Oliver

In collabora*on with IDPF and BISG Session 4: DRM Moderator: Oliver Brooks Gerardo Capiel Minhyung Ko Jim Dovey Valobox Benetech Samsung Kobo Ill talk about general

642 views • 28 slides
Denial of Service A/acks Cunsheng Ding Department of CSE HKUST, Hong Kong Acknowledgements:

Denial of Service A/acks Cunsheng Ding Department of CSE HKUST, Hong Kong Acknowledgements:

Denial of Service A/acks Cunsheng Ding Department of CSE HKUST, Hong Kong Acknowledgements: Materials are taken from the Internet COMP4631 1 Agenda of this lecture Zombie computers, bots, botnets Denial of service (DoS) a/acks

630 views • 45 slides
Password Cracking Prof. Tom Austin San Jos State University How should you store users'

Password Cracking Prof. Tom Austin San Jos State University How should you store users'

CS 166: Information Security Password Cracking Prof. Tom Austin San Jos State University How should you store users' passwords? Reverse-lookup tables A cryptographic hash is irreversible. However, you can make a table of common hashes.

359 views • 11 slides
Protection Disclaimer: some slides are adopted from book authors slides with permission 1

Protection Disclaimer: some slides are adopted from book authors slides with permission 1

Protection Disclaimer: some slides are adopted from book authors slides with permission 1 Recap Distributed computing Sharing, performance, reliability Terminology Network Packet Protocol DNS A distributed

554 views • 24 slides
Security vulnerabilities, exploits and attack patterns: 15 years of art, pseudo-science, fun &

Security vulnerabilities, exploits and attack patterns: 15 years of art, pseudo-science, fun &

15th USENIX Security Symposium | July 31st August 4th 2006 | Vancouver, B.C. - Canada Security vulnerabilities, exploits and attack patterns: 15 years of art, pseudo-science, fun & profit Ivn Arce Core Security Technologies Humboldt

767 views • 41 slides
Using Math Talk to Support Learning Melissa Hedges DPI Math Consultant Wisconsin Mathematics

Using Math Talk to Support Learning Melissa Hedges DPI Math Consultant Wisconsin Mathematics

Using Math Talk to Support Learning Melissa Hedges DPI Math Consultant Wisconsin Mathematics Council Annual Meeting May 3, 2017 Agenda Using Math Talk to Support Learning Developing Math Talk Through Number Talks Number Talks for

392 views • 25 slides
Hacking, Hacktivism, and Counterhacking April 22, 2015 Outline Vocabulary Hacking motivated by

Hacking, Hacktivism, and Counterhacking April 22, 2015 Outline Vocabulary Hacking motivated by

Hacking, Hacktivism, and Counterhacking April 22, 2015 Outline Vocabulary Hacking motivated by benign purposes Hacktivism Counterhacking Case Studies Site defacement Network exploration / Port scanning / SQL injection / . . .

522 views • 18 slides

More recommend