Loading presentation...

Present Remotely

Send the link below via email or IM


Present to your audience

Start remote presentation

  • Invited audience members will follow you as you navigate and present
  • People invited to a presentation do not need a Prezi account
  • This link expires 10 minutes after you close the presentation
  • A maximum of 30 users can follow your presentation
  • Learn more about this feature in our knowledge base article

Do you really want to delete this prezi?

Neither you, nor the coeditors you shared it with will be able to recover it again.


Information Systems Security Presentation

A Threat Methodology for Security Evaluation and Enhancement Planning

anne-sophie omarjee

on 15 April 2012

Comments (0)

Please log in to add your comment.

Report abuse

Transcript of Information Systems Security Presentation

Thank you for your attention
A Threat Methodology for Security Evaluation and Enhancement Planning
Information Systems Security Presentation
Vritti Jagroo 0913117
Simitabye Sonea 0913567
Obrian Ah-Tong 0912808
BSc Computer Applications
Overview of Paper
Threat Analysis
Steps in Threat Analysis
Brief Overview
Need for security
Due to the huge diffusion of new technologies and internet, there is a need to increase security.
Aim of paper
To improve existing techniques by proposing a generic methodology for threat analysis and security metrics for both personal networks and applications.
Use of UML diagrams
Use of use case diagram to express users’ views and sequence diagram to explain technical aspects of a system.
Attack Tree Example
Example:Stealing computer
Consider Classroom computers which are secured to the desks. The steps to steal one are:
To steal one, the securing cable must be cut or the lock unlocked
Companies using CVSS
Threat Analysis
Attack Trees
CVSS-based Attack Trees
The proposal make use of a user-centric approach which:
What is Threat Analysis?
It is the attempt to identify types of threats in an organisation that might be exposed to and the harm they could do to an organisation.
Steps in Threat Analysis
The different steps carried out in threat analysis are:
Example of threats:
Some example of threats that can be avoided, reduced or control by using threat analysis:
Information Disclosure
Denial of Service
Elevation of Privilege
Reduces complexity
Focuses on user actions rather than the network and system components.
Focus on Personal Networks (PNs):
A person-centric network that provides access to personal resources, services, and contents.
Difficult to prioritize threats and vulnerabilities.
Lack of effective metrics.
Has complex nature of security.
Therefore, to tackle this issue, a CVSS-based attack trees is used to evaluate and rank vulnerabilities
Description of the system
Analyse technical background of the use cases
Identify assets
Determining threats
Asset mapping
Risk management
Mitigation plan
Attack Tree
An additional tool used to identify potential threats and vulnerabilities in a system.
Breaks down potential attacks against system in a tree structure
Measures optimal paths for attackers and underline security enhancement priorities.
Its disadvantages:
Cannot model cycles.
Too complex and unmanageable for complicated system.
The lock may be unlocked by picking or by obtaining the key
The key may be obtained by threatening or bribing a keyholder or taking it from where it is stored (e.g under a mousemat)
Salami attack by obtaining information from multiple sources including vendor.
( Common Vulnerability Scoring System)
An open framework for communicating the characteristics and impacts of IT vulnerabilities. (E.g.: vulnerability identification, threat assessment, priority ranking via manual or automated methods)
It is composed of three metric groups:
1. Base: It represents the basic and fundamental characteristics of vulnerability that are constant over time and user environments.

2. Temporal: It represents the characteristics of vulnerability that change over time but not among user environments.

3. Environmental: It represents the characteristics of vulnerability that are relevant and unique to a specific system.
How does CVSS works?
Each group discussed above produces a numeric score that range from 0 to 10, and a vector is deduced as shown in the figure.
The vector facilitates the open nature of the framework. It contains the values assigned to each metric and is used to exactly communicate how the score for each vulnerability is derived.
Benefits of CVSS
Standardized Vulnerability Scores:
It can influence a single vulnerability management policy. E.g.: A policy which may be similar to a Service Level Agreement (SLA)
Open Framework:
With CVSS, anyone can see the individual characteristics used to derive a score.
Prioritized Risk:
While computing environmental score, vulnerability becomes relative.
Vulnerability scores are representative of the actual risk to an organization.
Users know how important a given vulnerability is, in relation to other vulnerabilities.
Companies adopting cvss
The NIAC Vulnerability Disclosure Working Group incorporates input from companies such as:
CVSS-based attack trees
Combine the benefits from all features belonging to CVSS and attack trees.
CVSS fills in values for each node on the attack trees
Provides an integrated view of the security of the system rather than case specific one.(N/W only security, software and OS security)
CVSS - based attack trees
Proposed approach supports every system in order to accomplish threat analysis and evaluation of threat and vulnerabilities.
Future work focuses on confirming the proposed solution and develop a proof of concept for stand alone system.
Benefits of Attack Trees
Offer a clear representation of interdependencies of states reached
Focus analysis on measurable goals that can be translated into specific tests against real world devices.
Provide an ideal systematic approach for security assessment
Full transcript