Published by Andrea Hundley
VA Course © AZ 2004 upd LM /11/2007 Introduction to security
Some confusion
Safety = Säkerhet = Security ???
Security: measures taken to guard against espionage or sabotage, crime, attack, or escape (Merriam-Webster Online Dictionary)
Safety: to protect against failure, breakage, or accident (Merriam-Webster Online Dictionary)
What is Computer Security?
"Security is keeping anyone from doing things you do not want them to do to, with, on, or from your computers or any peripheral devices." (Cheswick and Bellovin)
"The purpose of information security is to ensure business continuity and minimize business damage by preventing and minimizing the impact of security incidents... It has three basic components: confidentiality, integrity, and availability." (BS 7799:1995, British Standards Institute)
Is information security really a topic?
Widely Known Threats
Viruses and Worms: spreading worldwide in a matter of hours
Access Control and Data Theft: breaking into computer systems
OS, Databases and Applications: poor coding and flawed protocol design & implementation
CERT - Statistics: Incidents (chart)
CERT - Statistics: Vulnerabilities (chart)
Type of Breaches and Costs (chart)
Source: DTI, Information Security Breach Survey, 2002
Is information security really a topic?
Security Services
Confidentiality means that the assets of a computing system are accessible only by authorized parties.
Integrity means that assets can be modified only by authorized parties or only in authorized ways.
Availability means that assets are accessible to authorized parties.
ISO* – OSI** Security Services
Confidentiality
Integrity
Availability
Authentication
Access Control
Non-repudiation
*International Organization for Standardization
**Open System Interconnection
Trust Approach
Security is about trust. Trust encompasses: Correctness, Reliability, Privacy, Safety, Survivability, Secrecy, Availability.
Scope
IT security: dealing with the technical parts of security
Information System Security: the whole information processing system is of interest
Information security: all information is of interest
Security is Multidimensional (figure)
House of security: Standards
Standards: applying standards
Technical Standards
Evaluation Standards
Process Standards
Standards Management
The management process includes: Commitment, Control, Steering.
The process is shown as a cycle of stages: Policy, Risk Analysis, Analysis, Realization, Maintenance, Audit.
Risk analysis: learning the risks the information faces
Policy: define guidelines regarding security
Analysis: what kind of security needs to be realized (technical, organizational)
Realization: enforce the security mechanisms (implementation, documentation)
Maintenance: keeping the system secure by means of improving security and applying patches
Audit: verification of security (technical security, organizational security, planning security)
But security can only work if all components are working together and there is awareness of the problems.
The Big Picture (figure): Vulnerabilities, Threats, Assets, Risk Analysis, Countermeasures, Impact
These slides are based on USP slides from Cintia B. Margi and Prof. Wilson V. Ruggiero.
Terminology
Asset: anything with value and in need of protection
Threat: an action or potential action with the propensity to cause damage
Vulnerability: circumstances that have the potential of causing loss
Countermeasure: controls for protecting the assets
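To show how the four terms combine in the risk analysis the slides place at the centre of the Big Picture, here is a small risk register in Python. It is an added illustration, not material from the course or from the USP slides it draws on; the 1-to-5 ordinal scales, the product formula for risk, the assets, threats and countermeasures are all constructed assumptions.

```python
"""Qualitative risk analysis over assets, threats, vulnerabilities and
countermeasures. Added illustration, not part of the course slides; the
scales, the risk formula and the sample register are constructed."""
from dataclasses import dataclass, field


@dataclass
class Asset:
    name: str
    value: int            # 1 (negligible) .. 5 (critical): impact if the asset is lost


@dataclass
class Threat:
    name: str
    likelihood: int       # 1 (rare) .. 5 (almost certain) that the threat acts on this asset
    vulnerability: int    # 1 (well protected) .. 5 (wide open): circumstances enabling the loss


@dataclass
class Countermeasure:
    name: str
    reduces: str          # which factor the control lowers: "likelihood" or "vulnerability"
    by: int               # points removed from that factor (never below 1)


@dataclass
class RiskEntry:
    asset: Asset
    threat: Threat
    countermeasures: list = field(default_factory=list)


def risk_score(value, likelihood, vulnerability):
    """Constructed formula: risk = impact x likelihood x exposure."""
    return value * likelihood * vulnerability


def inherent(entry):
    """Risk before any countermeasure is applied."""
    return risk_score(entry.asset.value, entry.threat.likelihood, entry.threat.vulnerability)


def residual(entry):
    """Risk after the entry's countermeasures lower likelihood or exposure."""
    likelihood = entry.threat.likelihood
    vulnerability = entry.threat.vulnerability
    for cm in entry.countermeasures:
        if cm.reduces == "likelihood":
            likelihood = max(1, likelihood - cm.by)
        elif cm.reduces == "vulnerability":
            vulnerability = max(1, vulnerability - cm.by)
        else:
            raise ValueError(f"unknown factor {cm.reduces!r}")
    return risk_score(entry.asset.value, likelihood, vulnerability)


def prioritize(register):
    """Rows of (asset, threat, inherent, residual), highest residual risk first."""
    rows = [(e.asset.name, e.threat.name, inherent(e), residual(e)) for e in register]
    return sorted(rows, key=lambda r: r[3], reverse=True)


# Constructed sample register: tangible and intangible assets, external,
# internal and physical threats, as the slides classify them.
customer_db = Asset("customer database", value=5)
backup_tapes = Asset("backup tapes", value=4)
public_site = Asset("public web site (reputation)", value=3)

REGISTER = [
    RiskEntry(customer_db, Threat("external intruder via network", 4, 4),
              [Countermeasure("firewall", "vulnerability", 2),
               Countermeasure("patching", "vulnerability", 1)]),
    RiskEntry(customer_db, Threat("careless administrator", 3, 3),
              [Countermeasure("awareness training", "likelihood", 1)]),
    RiskEntry(backup_tapes, Threat("fire in tape store", 1, 5),
              [Countermeasure("off-site copy", "vulnerability", 3)]),
    RiskEntry(public_site, Threat("defacement", 3, 3), []),
]

if __name__ == "__main__":
    for asset, threat, before, after in prioritize(REGISTER):
        print(f"{asset:32} {threat:32} inherent={before:3} residual={after:3}")
```

With these constructed numbers the heavily defended external intrusion drops from 80 to 20, while the internal threat, with only one control, ends up at the top of the residual list (30): the register makes the slides' later point that much of the remaining risk sits inside the organization rather than at the network boundary.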
Assets
What is an asset? A very broad scope, from people to hardware and data.
Tangible assets: data, hard & floppy disks, network equipment, tapes, manuals, etc.
Intangible assets: public image, reputation, etc.
Assets
Assets may be classified according to:
software and hardware assets
data assets
communication assets
administrative assets
human resources assets
A list of assets that shall be protected is essential for risk analysis.
Threats
Threats to the system may come from:
someone, e.g. a spy, a hacker, a criminal or an ill-intended employee
something, e.g. hardware or software failure
an event, e.g. fire, power shortage, flooding, earthquake
Threats can be classified in 3 groups:
natural or physical threats
non-intentional threats
intentional threats
Natural or Physical Threats
Every kind of equipment or facility is exposed to e.g. fire, flooding, power shortages...
Usually very hard to prevent, but easy to detect.
It is possible to minimize the amount of damage.
Non-Intentional Threats
Threats that are caused by ignorance:
a user or a system administrator poorly trained
someone who hadn't read the system documentation & manuals
someone who hadn't understood the importance of security rules
Damage is caused by ignorance.
Intentional Threats
Security products are designed to prevent intentional threats; those are the ones that make news.
Two types of adversaries: internal and external.
External villains include: criminals, hackers, terrorists, other enterprises.
Intentional Threats
External villains can try to gain access to a system by breaking in, forging ID cards, through networks, or even by bribery and/or coercion of internal staff.
The focus of security tools is usually external villains, but a great part of security problems is due to internal villains: the enemy is already inside - and we hired them!
Impact groups (figure)
Information security – Layer model (figure): People, Organization, Technology, Physical, Information
Some Countermeasures
Security techniques: Cryptography, Firewalls
Software mechanisms: Secure development, Operating system protection, Internal program mechanism
Hardware mechanisms
Countermeasures
Management Activities: Rules and Routines for Awareness, Policy, Security Management
Physical Security
Malicious Who?
Misbehaving Users: mostly unintentional damage, out of curiosity
Amateurs: reading about computer abuse and wanting to experience it
Hackers: proving that it is possible and earning popularity/acceptance; usually divided into Black Hats and White Hats
Criminals: earn money with computer abuse (theft, espionage, ...); worse likelihood
Method, Opportunity, Motive
What must a malicious attacker have?
Method: means to conduct the attack (skills, knowledge, tools, ...)
Opportunity: time and access to accomplish the attack
Motive: a reason to do it
Stakeholders
Regular Users: they want to use the system
IT Staff & Security Manager: they want to supply a working system
Business Manager: they want productivity from IT use
Asset Owner: their resources are in danger, or they want to earn money
Public bodies: want orderly behavior and a prospering economy...
Remark
"Information Security is a parasite on the profits" (Gerald Kovachic)
Information Security is:
a business enabler: it can be sold, or it enables the business
an insurance: resources under risk and downtime mean unrealized profit
Questions?