Introduccion A La Seguridad

Information Security:
Principles and Management
Information Security
Notas:
Como aprovechar mejor este curso
• Esta reunión le pertenece y el éxito de la misma

depende en gran medida de Usted.
• Participe en las sesiones con entusiasmo,
• Comente sus experiencias. Compartir es
enriquecerse.
• Diga lo que piensa, procurando siempre mantenerse
dentro del tema,
• Escuche con atención a los otros participantes, evite
la conversación privada mientras habla otra
persona.
• Recuerde que existen puntos de vista tan valiosos
como el suyo.
Notas:
Copyright CyberTech de Colombia, 2002-2009 Pág. 1
Notas:
Notas:
Notas:
Notas:
Notas:
Example: SQL Slammer
In 1st minute of life it doubled the # of machines it

infected every 8.5 seconds
376 bytes
of code
within a
single
packet
moving
through
UDP port
1434
Peaked in just 3 minutes, at which point it was

scanning 55 million targets per second
CSO Magazine – “Patch & Pray” – August 2003
Notas:
Worldwide Security Incidents
(www.cert.org)
140000
120000
100000
137,529 incidents of high
80000 severity reported in 2003
60000
40000
20000
0
1988 1991 1994 1997 2000 2003
Notas:
The Opportunity: market stats
• Global Security services spending
•3
•3
•3
•3
Source: IDC 2003
Notas:
The Opportunity: market stats (.)
• US Security services spending
•3
•3
•3
•3
•3
Source: IDC 2003
Notas:
The Opportunity: market stats (..)
• Security Spending - % of IT Budget
Source: ISM 2003
Notas:
The Opportunity: market stats (..)
• Total IT security market spending
Source: CIO Magazine April 2003
Notas:
Las tecnologías de seguridad son complejas
• Criptografía,
– Firmas digitales,
– XML- DSig, XML-Enc…
• Técnicas biométricas,
• Firewalls,
• IDS,
• Honeypots
Notas:
Security Principles
• All security involves trade-offs,

• Security trade-offs are subjective,
• Security trade-offs depend on power and agenda,
• Security is a weakest-link problem,
• Do you know about a security countermeasure that

actually increases the exposed risk for an asset?
– v.g. a mandatory fire extinguisher
Notas:
A fire extinguisher? What is the use?
Notas:
A fire extinguisher? What is the use?
Notas:
Criteria for Countermeasures
1. What assets are you trying to protect?

2. What are the risks to these assets?
3. How well does the security system mitigate those
risks?
4. What other risks does the security system cause?
5. What costs and trade-offs does the security solution
impose?
Notas:
Two alternative visions for information
security
• Auditor,
– The classical “Doctor No”,
• Technology,
– “FX”,
Notas:
Information Security for Auditors
Notas:
Information Security for Technologists
MAIN SHAPES:
ARCH WHORL LOOP
MINUTIAE:
BIFURCATION ISLAND LAKE DOT

END
EACH PERSON HAS A UNIQUE

ARRANGEMENT OF MINUTIAE:
SOURCE: C3i
Notas:
Information Security for Technologists (.)
Fuente: Tsutomu Matsumoto – Yokohama National University
Notas:
Information Security for Technologists (..)
VERY BAD BAD
SOURCE: IDEX
Notas:
The rational approach

(risk management)
Daño
causado
Alto
daño 5
1
Poco
daño 4 Chance
de ser
Poco Muy atacado
factible posible
Notas:
PINes y vulnerabilidades
PIN HSM: Hardware

Security Module
yes/no
Tomado de “Decimalisation table attacks for PIN cracking” Mike Bond et al.
Notas:
Grandes Catástrofes en Ingeniería

(Firth of Tay bridge construido en 1877)
En 1879 durante una tormenta colapsó al paso de un tren. Murieron

75 pasajeros.
Notas:
Firth of Forth bridge
(construido en 1890)
“The strongest and most expensive bridge on the world”
Notas:
Grandes Catástrofes en Ingeniería

(Tacoma Narrows bridge)
Tomado de http://www.civeng.carleton.ca/Exhibits/Tacoma_Narrows/
Notas:
El ciclo de desarrollo de software
(super-simplificado)
Construir
Probar
“Ad Nauseum”
Arreglar
Notas:
El ciclo de desarrollo de software

(super-simplificado) (.)
• Es ideal para iterar hasta alcanzar la funcionalidad

deseada,
• Muestra la presencia de errores,
– Solo aquellos errores que los programadores están
buscando,
• Los atacantes no comparten el mismo “esquema
mental” de los programadores:
– Con frecuencia son sustancialmente mas divertidos,
Notas:
Detalles de Implementación
(buffer overflows)
• Grosso-modo, la mitad de los problemas de

seguridad en Internet,
• Problema conocido desde la década de los 50s,
– Algol-60 (1957) incluía “mandatory array bounds checking”,
• Revise http://www.masswerk.at/algol60/report.htm
• Evite usar cualquier lenguaje de programación que
permita buffer overflows,
– v.g. C, C++
Notas:
Code Red
(a typical buffer overflow attack)
GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u68
58%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u819
0%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0
Notas:
Defining usability for security
• Security software is usable if the people who are

expected to use it:
– Are reliably made aware of the security tasks they need to
perform,
– Are able to figure out how to successfully perform those
tasks;
– Don’t make dangerous errors,
– Are sufficiently comfortable with the interface to continue
using it,
• Why Johnny can’t encrypt: A usability evaluation of
PGP. Alma Whitten – J.D. Tygar
Notas:
Problematic properties of security
• The unmotivated user property,

– La seguridad es un objetivo secundario para los usuarios,
• The abstraction property,
– El software implementa unas políticas de seguridad que con
frecuencia son complejas,
• The lack of feedback property,
– Para evitar que el usuario cometa errores peligrosos es muy
importante darle retroalimentación adecuada,
• The barn door property,
– Una vez un secreto se ha dejado accidentalmente sin
proteger, no hay forma de asegurar que no ha sido leído por
alguien,
• The weakest link property,
Notas:
The weakest-link property
Notas:
Seguridad sin las debidas precauciones
And we can save 700 lira by not taking soil tests…
Notas:
Course Contents
• Mejores practicas en la gestión de la seguridad,

– Análisis de riesgos, …
• Desarrollo seguro de aplicaciones,
– Modelos de desarrollo de software,
– Gestión de mantenimiento,
– Gestión de configuración,
– CMM, SSE-CMM,
– Cobit / Itil,
• Modelos y Arquitecturas de Seguridad,
– ...
– Posiblemente un invitado,
• BCP / DRP,
– …
– Invitado: Gabriel S
Notas:
Q&A
Notas:

Introduccion A La Seguridad

Uploaded by

Copyright:

Available Formats

You might also like

Introduccion A La Seguridad

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Introduccion A La Seguridad

Uploaded by

Copyright:

Available Formats

Information Security:

Principles and Management

Como aprovechar mejor este curso

• Esta reunión le pertenece y el éxito de la misma

Example: SQL Slammer

In 1st minute of life it doubled the # of machines it

Peaked in just 3 minutes, at which point it was

The Opportunity: market stats

• Global Security services spending

Source: IDC 2003

The Opportunity: market stats (.)

• US Security services spending

Source: IDC 2003

The Opportunity: market stats (..)

• Security Spending - % of IT Budget

Source: ISM 2003

The Opportunity: market stats (..)

• Total IT security market spending

Source: CIO Magazine April 2003

Las tecnologías de seguridad son complejas

• All security involves trade-offs,

• Do you know about a security countermeasure that

A fire extinguisher? What is the use?

A fire extinguisher? What is the use?

Criteria for Countermeasures

1. What assets are you trying to protect?

Information Security for Auditors

Information Security for Technologists

ARCH WHORL LOOP

BIFURCATION ISLAND LAKE DOT

EACH PERSON HAS A UNIQUE

Information Security for Technologists (.)

Fuente: Tsutomu Matsumoto – Yokohama National University

VERY BAD BAD

The rational approach

PIN HSM: Hardware

Grandes Catástrofes en Ingeniería

En 1879 durante una tormenta colapsó al paso de un tren. Murieron

“The strongest and most expensive bridge on the world”

Grandes Catástrofes en Ingeniería

El ciclo de desarrollo de software

• Es ideal para iterar hasta alcanzar la funcionalidad

• Grosso-modo, la mitad de los problemas de

Defining usability for security

• Security software is usable if the people who are

Problematic properties of security

• The unmotivated user property,

The weakest-link property

Seguridad sin las debidas precauciones

And we can save 700 lira by not taking soil tests…

• Mejores practicas en la gestión de la seguridad,

You might also like