CSE 227: Lecture 2

The topics covered in this lecture are security model, continued, threat model/assessment.

Security / Threat Model, continued

Security Goals, continued

In earlier discussion of security identified the assets to be protected and in what ways. Next we estimate what happens if security becomes violated. Note we are not yet figuring out the cost of trying to provide the desired security properties or the likelihood that security may be violated. The goal of this is to estimate the amount of effort (or money) to be spent on security measures.

Potential Damage

Here we are concerned with what is the potential damage if security is violated. If the confidentiality of battle plans is violated, more lives might be lost. If a new product plan is leaked to a competitor, they may obtain critical patents (possibly based on leaked information) that block our products or quickly work on and release a similar competing product.

The earlier secret Coke formula example discussed the damage that might result from integrity loss. The damage that would occur if ICBM targetting software is modified is also pretty obvious. News stories on DDOS damage often cite millions of dollars of loss revenue when ecommerce web servers are flooded, even for a couple of hours.

The key here is to accurately estimate the loss that would be incurred if security measures fail. This information will be used later to help us decide which of possibly many different security measures to employ. In a way, security models are easier in the Cold War days: security failures would lead to catastrophic losses (the west being overrun by the Soviet Union / nuclear armageddon / etc), and so it makes sense to deploy even rather expensive security measures. In the post Cold War era -- or for commercial computer security -- the trade-offs are less stark.

Threat Model / Assessment

Having determined what we want to protect, the next step is to look at what the threats are to the security assets.

Security Assumptions

The next step in the building of our security model is determining what the fundamental assumptions upon which the security system design will rely.
[ search CSE | CSE | bsy's home page | links | webster | MRQE | google | yahoo | citeseer | certserver ]
picture of bsy

bsy+cse227w02@cs.ucsd.edu, last updated Mon Apr 8 20:19:51 PDT 2002. Copyright 2002 Bennet Yee.
email bsy.

Don't make me hand over my privacy keys!