In this chapter, the following content will be discussed: security tradeoffs; protection, detection and reaction; how to test security. After studying this chapter you will be able to describe the security tradeoffs, to understand why it is difficult to achieve full security, and to understand how different security tools can be used.

Network Security
Lecture 3
Presented by: Dr. Munam Ali Shah

Summary of the previous lecture
- Hackers and Attackers
- Threats, Risks, Vulnerabilities and Attacks
- Why is Security difficult to achieve
- Threat Modelling and Risk Assessment

Outlines
- Security tradeoffs
- Protection, Detection and Reaction
- How to Test Security

Objectives
- To describe the security tradeoffs.
- To understand why it is difficult to achieve full security.
- To understand how different security tools can be used.

Why is security difficult to achieve?
- Security in computer systems is even harder than security in general:
  - great complexity
  - dependency on the operating system, file system, network, physical access, etc.
- Software/system security is difficult to measure: there are no reliable security metrics. How do you test security?
- Deadline pressure
- Clients don't demand security and can't sue a vendor

Secure against what and from whom?
- Who will be using the application?
- What does the user (and the admin) care about?
- Where will the application run? (On a local system as Administrator/root? An intranet application? As a web service available to the public? On a mobile phone?)
- What are you trying to protect, and against whom?
- Steps to take:
  - Evaluate threats, risks and consequences
  - Address the threats and mitigate the risks
  - This is Threat Modeling and Risk Assessment

How much security?
- Total security is unachievable.
- It is a trade-off: more security often means higher cost and less convenience, productivity or functionality.
- Security measures should be as invisible as possible: they cannot irritate users or slow down the software (too much).
  - Example: forcing a password change every day. Users will find a workaround (such as a predictable variation of the old password), or just stop using the system.
- Choose the security level relevant to your needs.

Testing Security
Penetration Testing: a penetration test is a proactive and authorized attempt to evaluate the security of an IT infrastructure by safely attempting to exploit system vulnerabilities, including OS, service and application flaws, improper configurations, and even risky end-user behavior.
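The "Steps to take" (evaluate threats, risks and consequences; address the threats and mitigate the risks) and "How much security?" slides describe a trade-off without showing how to decide it. The following is an added example, not code from the lecture: it applies the standard quantitative risk-assessment method (single loss expectancy, annual rate of occurrence, annual loss expectancy) to rank threats and then asks, for each candidate control, whether the loss it avoids exceeds what it costs. The threats, controls and all figures are constructed for illustration; the lecture's own example of a measure that users work around, daily forced password change, is included as one of the controls.

```python
"""Quantitative risk assessment: rank threats and pick the controls worth buying.

Added example; the threats, controls and figures below are constructed and
hypothetical. SLE / ARO / ALE are the standard risk-assessment quantities,
which the lecture names as "risk assessment" but does not spell out.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    name: str
    asset_value: float       # value of the asset at risk, in currency units
    exposure_factor: float   # fraction of the asset value lost per incident, 0..1
    annual_rate: float       # expected incidents per year (ARO)


@dataclass(frozen=True)
class Mitigation:
    name: str
    threat: str              # name of the Threat it addresses
    annual_cost: float       # licences, staff time, lost productivity per year
    rate_reduction: float    # fraction of incidents it prevents, 0..1


def single_loss_expectancy(t: Threat) -> float:
    """SLE: what one incident costs."""
    return t.asset_value * t.exposure_factor


def annual_loss_expectancy(t: Threat) -> float:
    """ALE: expected loss per year, SLE x ARO."""
    return single_loss_expectancy(t) * t.annual_rate


def rank_threats(threats):
    """Highest expected annual loss first: the order in which to address them."""
    return sorted(threats, key=annual_loss_expectancy, reverse=True)


def net_benefit(t: Threat, m: Mitigation) -> float:
    """Annual loss avoided minus what the control costs.

    A negative result means the control costs more than the risk it removes,
    which is exactly the "more security means higher cost" trade-off.
    """
    before = annual_loss_expectancy(t)
    after = before * (1.0 - m.rate_reduction)
    return (before - after) - m.annual_cost


def worthwhile_mitigations(threats, mitigations):
    """Controls with a positive net benefit, best first."""
    by_name = {t.name: t for t in threats}
    scored = [(net_benefit(by_name[m.threat], m), m) for m in mitigations]
    scored.sort(key=lambda pair: pair[0], reverse=True)
    return [m for benefit, m in scored if benefit > 0]


# Constructed sample data for a small web business (hypothetical figures).
THREATS = [
    Threat("credential phishing", asset_value=500_000, exposure_factor=0.10, annual_rate=2.0),
    Threat("sql injection in web app", asset_value=2_000_000, exposure_factor=0.50, annual_rate=0.2),
    Threat("laptop theft", asset_value=20_000, exposure_factor=1.0, annual_rate=0.5),
]

MITIGATIONS = [
    Mitigation("phishing-resistant MFA", "credential phishing", annual_cost=30_000, rate_reduction=0.80),
    Mitigation("parameterised queries + WAF", "sql injection in web app", annual_cost=60_000, rate_reduction=0.70),
    Mitigation("full-disk encryption", "laptop theft", annual_cost=5_000, rate_reduction=0.90),
    # The lecture's example of a measure users work around: daily forced
    # password change. Helpdesk load and lost productivity are its cost, and
    # because users pick predictable variations it barely dents the risk.
    Mitigation("daily forced password change", "credential phishing", annual_cost=40_000, rate_reduction=0.05),
]


if __name__ == "__main__":
    for t in rank_threats(THREATS):
        print(f"{t.name:28s} ALE = {annual_loss_expectancy(t):>10,.0f}")
    for m in MITIGATIONS:
        t = next(x for x in THREATS if x.name == m.threat)
        print(f"{m.name:30s} net benefit = {net_benefit(t, m):>10,.0f}")
    print("worth buying:", [m.name for m in worthwhile_mitigations(THREATS, MITIGATIONS)])
```

With these figures the SQL-injection threat ranks first despite being rare, because one incident is expensive, and the daily password rotation comes out with a negative net benefit: it is the control the slide warns about, costly in convenience and productivity while removing little risk. The figures are the weak point of any such assessment, so treat the output as a way to make the trade-off explicit and arguable, not as a precise number.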
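The penetration-testing slide lists "improper configurations" among the things a tester tries to exploit. As an added example (not code from the lecture), here is the kind of configuration check a tester runs against a host before attempting anything: it parses an OpenSSH server configuration and reports settings that leave the service weaker than a hardened baseline. The sample configurations are constructed. Assumptions, taken from sshd_config(5): directive names are case-insensitive, the first occurrence of a directive is the one sshd uses, and directives under a Match block apply only conditionally, so they are reported separately and never treated as the global value. The DEFAULTS table is what makes an absent directive auditable (the defaults given are OpenSSH 7.0+ behaviour) and is the reason a config that never mentions PasswordAuthentication is still flagged.

```python
"""Flag improper configuration in an OpenSSH server config.

Added example of a configuration check, not code from the lecture.
Sample configs are constructed. Assumes sshd_config(5) semantics: names are
case-insensitive, the first value of a directive wins, Match-block settings
are conditional. DEFAULTS reflect OpenSSH 7.0+ when a directive is absent.
"""
import re

# Values a hardened host should carry for each directive (lower-cased keys/values).
EXPECTED = {
    "permitrootlogin": {"no", "prohibit-password"},
    "passwordauthentication": {"no"},
    "permitemptypasswords": {"no"},
    "x11forwarding": {"no"},
}

# What sshd uses when the directive is missing from the file.
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "permitemptypasswords": "no",
    "x11forwarding": "no",
}

# "Keyword value" or "Keyword=value"; the value is everything after the separator.
_LINE = re.compile(r"^([A-Za-z0-9]+)\s*[= \t]\s*(.*?)\s*$")


def parse_sshd_config(text: str):
    """Return (global_settings, match_settings).

    global_settings maps directive -> first effective value (lower-cased).
    match_settings lists (match_criteria, directive, value) for directives that
    only apply inside a Match block.
    """
    global_settings, match_settings = {}, []
    in_match = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # comments and blank lines
            continue
        m = _LINE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":                     # everything below is conditional
            in_match = value
            continue
        if in_match is not None:
            match_settings.append((in_match, key, value.lower()))
        elif key not in global_settings:       # first occurrence wins
            global_settings[key] = value.lower()
    return global_settings, match_settings


def audit(text: str):
    """List (directive, effective_value, 'set'|'default') for each weak global setting."""
    settings, _ = parse_sshd_config(text)
    findings = []
    for directive, allowed in EXPECTED.items():
        actual = settings.get(directive, DEFAULTS[directive])
        if actual not in allowed:
            source = "set" if directive in settings else "default"
            findings.append((directive, actual, source))
    return findings


# Constructed sample: a near-default sshd_config with risky settings. The Match
# block disables passwords for one user only; the global setting stays weak.
WEAK_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
#PermitEmptyPasswords no
X11Forwarding yes

Match User deploy
    PasswordAuthentication no
"""

# Constructed sample: the same host after hardening.
HARDENED_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
X11Forwarding no
"""


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit(cfg))
```

Two details carry the security point. First, a directive that is merely commented out is not a hardening: the audit falls back to the daemon's default, so a file that never mentions PasswordAuthentication is reported as allowing passwords. Second, the Match block in the weak sample would fool a grep for "PasswordAuthentication no"; the parser keeps conditional settings out of the global view so the finding survives.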