VA Course © AZ 2004 upd LM 2007 01/11/2007 Introduction to security.

Presentation transcript:

1 Introduction to security

2 Some confusion
Safety = Säkerhet = Security ???
Security
–measures taken to guard against espionage or sabotage, crime, attack, or escape (Merriam-Webster Online Dictionary)
Safety
–to protect against failure, breakage, or accident (Merriam-Webster Online Dictionary)

3 What is Computer Security?
"Security is keeping anyone from doing things you do not want them to do to, with, on, or from your computers or any peripheral devices." (Cheswick and Bellovin)
"The purpose of information security is to ensure business continuity and minimize business damage by preventing and minimizing the impact of security incidents… It has three basic components: confidentiality, integrity, and availability." (BS 7799:1995, British Standards Institute)

4 Is information security really a topic?

5 Widely Known Threats
Viruses and Worms
–spreading worldwide in a matter of hours
Access Control and Data Theft
–breaking into computer systems
OS, Databases and Applications
–poor coding and flawed protocol design & implementation

6 CERT - Statistics: Incidents (chart)

7 CERT - Statistics: Vulnerabilities (chart)

8 Type of Breaches and Costs
Source: DTI, Information Security Breach Survey, 2002

9 Is information security really a topic?

10 Security Services
Confidentiality means that the assets of a computing system are accessible only by authorized parties
Integrity means that assets can be modified only by authorized parties or only in authorized ways
Availability means that assets are accessible to authorized parties

11 ISO* – OSI** Security Services
–Confidentiality
–Integrity
–Availability
–Authentication
–Access Control
–Non-repudiation
*International Organization for Standardization
**Open System Interconnection

12 Trust Approach
Security is about trust. Trust encompasses:
–Correctness
–Reliability
–Privacy
–Safety
–Survivability
–Secrecy
–Availability

13 Scope
IT security
–Dealing with the technical parts of security
Information System Security
–The whole information processing system is of interest
Information security
–All information is of interest

14 Security is Multidimensional

15 House of security
Standards: applying standards
–Technical Standards
–Evaluation Standards
–Process Standards

16 Standards Management
The management process includes:
–Commitment
–Control
–Steering

17 Standards Management
(Diagram: Policy, Risk Analysis)
Risk analysis: learning the risks the information faces
Policy: define guidelines regarding security

18 Standards Management
(Diagram: Policy, Risk Analysis, Analysis, Realization)
Analysis: what kind of security needs to be realized
–Technical
–Organizational
Realization: enforce the security mechanisms
–Implementation
–Documentation

19 Standards Management
(Diagram: Policy, Risk Analysis, Analysis, Realization, Maintenance)
Maintenance: keeping the system secure by means of:
–Improving security
–Applying patches

20 Standards Management
(Diagram: Policy, Risk Analysis, Analysis, Audit, Realization, Maintenance)
Audit: verification of security:
–Technical Security
–Organizational Security
–Planning Security

21 Standards Management
(Diagram: Policy, Risk Analysis, Analysis, Audit, Realization, Maintenance)
But security can only work if all components work together and awareness of the problems is given.

22 The Big Picture
(Diagram: Vulnerabilities, Threats, Assets, Risk Analysis, Countermeasures, impact)
These slides are based on USP slides from Cintia B. Margi and Prof. Wilson V. Ruggiero

23 Terminology
Asset
–Anything with value and in need of protection
Threat
–An action or potential action with the propensity to cause damage
Vulnerability
–Circumstances that have the potential of causing loss
Countermeasure
–Controls for protecting the assets

24 Assets
What is an asset?
tangible assets
–data
–hard & floppy disks
–network equipment
–tapes, manuals, etc…
intangible assets
–public image
–reputation, etc…
A very broad scope, from people to hardware and data

25 Assets
Assets may be classified according to:
–software and hardware assets
–data assets
–communication assets
–administrative assets
–human resources assets
A list of the assets that shall be protected is essential for risk analysis

26 Threats
Threats to the system may come from:
–someone, e.g. a spy, a hacker, a criminal or an ill-intended employee
–something, e.g. hardware or software failure
–an event, e.g. fire, power shortage, flooding, earthquake
Threats can be classified in 3 groups:
–natural or physical threats
–non-intentional threats
–intentional threats

27 Natural or Physical Threats
Every kind of equipment or facility is exposed to e.g. fire, flooding, power shortages…
Usually very hard to prevent, but easy to detect
It is possible to minimize the amount of damage

28 Non-Intentional Threats
Threats that are caused by ignorance:
–a poorly trained user or system administrator
–someone who hadn't read the system documentation & manuals
–someone who hadn't understood the importance of the security rules
Damage is caused by ignorance

29 Intentional Threats
Security products are designed to prevent intentional threats; those are the ones that make the news
Two types of adversaries: internal and external
External villains include:
–criminals
–hackers
–terrorists
–other enterprises

30 Intentional Threats
External villains can try to gain access to a system by breaking in, forging ID cards, through networks, or even through bribery and/or coercion of internal staff
The focus of security tools is usually external villains, but a great part of security problems is due to internal villains: the enemy is already inside, and we hired them!
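As an added example that is not part of the course slides, tying slides 22 to 30 together: a small risk register in Python that uses the asset classes of slide 25 and the threat groups of slide 26, records the vulnerability and the countermeasures for each entry, and ranks what remains after countermeasures. It assumes the common likelihood times impact scoring, which the slides do not specify; the register entries and their scores are constructed.

```python
"""Risk register built on the slides' taxonomy (added example, not the course's own code).
Assumes the common likelihood x impact scoring, which the slides do not specify; asset classes
(slide 25) and threat groups (slide 26) come from the page, sample entries and scores are constructed."""
from dataclasses import dataclass, field
from enum import Enum

class ThreatGroup(Enum):  # slide 26: the three groups of threats
    NATURAL = "natural or physical"
    NON_INTENTIONAL = "non-intentional"
    INTENTIONAL = "intentional"

ASSET_CLASSES = {"software/hardware", "data", "communication", "administrative", "human resources"}  # slide 25

@dataclass
class Risk:
    asset: str
    asset_class: str
    threat: str
    group: ThreatGroup
    vulnerability: str
    likelihood: int  # 1 (rare) .. 5 (frequent), assumed scale
    impact: int      # 1 (negligible) .. 5 (business-stopping), assumed scale
    countermeasures: list = field(default_factory=list)  # (name, likelihood_cut, impact_cut)

    def __post_init__(self):
        if self.asset_class not in ASSET_CLASSES:
            raise ValueError(f"unknown asset class {self.asset_class!r}")

    def exposure(self) -> int:
        """Raw exposure before any countermeasure."""
        return self.likelihood * self.impact

    def residual(self) -> int:
        """Exposure left after countermeasures; each cuts likelihood and/or impact, floored at 1."""
        lik, imp = self.likelihood, self.impact
        for _name, l_cut, i_cut in self.countermeasures:
            lik, imp = max(1, lik - l_cut), max(1, imp - i_cut)
        return lik * imp

def rank(risks):
    """Highest residual risk first; ties broken by raw exposure so under-treated risks surface."""
    return sorted(risks, key=lambda r: (r.residual(), r.exposure()), reverse=True)

REGISTER = [  # constructed sample entries, one per threat group of slide 26
    Risk("customer database", "data", "fire in server room", ThreatGroup.NATURAL,
         "single site, no off-site copy", 1, 5, [("off-site backup tapes", 0, 3)]),
    Risk("customer database", "data", "untrained admin drops a table", ThreatGroup.NON_INTENTIONAL,
         "no change control", 3, 4, [("documented procedures and training", 2, 0)]),
    Risk("payroll server", "software/hardware", "bribed insider copies data", ThreatGroup.INTENTIONAL,
         "shared admin account", 2, 5),
]
```

Calling `rank(REGISTER)` puts the untreated insider entry first even though the untrained-admin entry has the higher raw exposure, which is the point of recording countermeasures per risk.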

31 Impact groups

32 Information security – Layer model
(Diagram layers: People, Organization, Technology, Physical, Information)

33 Some Countermeasures
Security techniques:
–Cryptography
–Firewalls
–Software mechanisms
–Secure development
–Operating system protection
–Internal program mechanisms
–Hardware mechanisms

34 Countermeasures
Management Activities:
–Rules and Routines for Awareness
–Policy
–Security Management
–Physical Security

35 Malicious Who?
Misbehaving Users
–mostly unintentional damage, out of curiosity
Amateurs
–reading about computer abuse and wanting to experience it
Hackers
–proving that it is possible and earning popularity/acceptance
–usually divided into Black Hats and White Hats
Criminals
–earn money with computer abuse (theft, espionage, ...)
–worse likelihood

36 Method, Opportunity, Motive
What must a malicious attacker have?
Method: means to conduct the attack – skills, knowledge, tools...
Opportunity: time and access to accomplish the attack
Motive: a reason to do it

37 Stakeholders
Regular Users
–They want to use the system
IT Staff & Security Manager
–They want to supply a working system
Business Manager
–They want productivity from IT use
Asset Owner
–Their resources are in danger, or they want to earn money
Public bodies
–Want orderly behavior and a prospering economy...

38 Remark
"Information Security is a parasite on the profits" (Gerald Kovachic)
Information Security is
–a business enabler: it can be sold or it enables the business
–an insurance: resources under risk and downtime mean unrealized profit

39 Questions?
