Presentation on theme: "SECURITY EVALUATION OF AN ORGANIZATION TA Md Morshedul Islam."— Presentation transcript:
SECURITY EVALUATION OF AN ORGANIZATION TA Md Morshedul Islam
Process of Security Evaluation Identify the security goal Perform a threat assessment Do a security analysis
Identify the security goal It directly related with integrity, confidentiality and availability of the resources(assets) Assents of an organization: Hardware: computer system, data storage, data communication devices Software: Operating system, application program Data: file, database, password file Communication and network facility: Local communication, global communication, router and so on
Identify the security goal Security goal of U of C- 1. Student’s point of view: Keep result private (confidentiality) No one can alter or temper my assignment(integrity) I like to see my result from my home (availability) ………………………………………….. 2. TA’s point of view: ----------------------------------------- 3. Instructor’s point of view ……………………………………………... 4. In Administrator points of view ------------------------------------------- All are related with- 1.Confidentiality 2.Integrity 3.Availability
Perform a threat assessment What is threat?: In computer security a threat is a possible danger that might exploit a vulnerability to breach security and thus cause possible harm. Example: Vulnerability: A weakness of system’s design, implementation or operation that could be exploited to violate the system policy and increase risk. Example: System Policy: Risk:
Perform a threat assessment We need t find out the answer of those following question- Whom am I trying to protect against?(adversary) How they motivated?(curiosity, revenge, financial gain) What capability and adversary have? (tool, skill, knowledge, etc.) What threat might I face?
Security analysis What kind of attack is possible? Active attack: : Denial-of-service attack, Spoofing, Network: Man in the middle, ARP poisoning, Ping flood, Ping of death, Smurf attack Host: Buffer overflow, Heap overflow,Stack overflow,Format string attack Passive attack: Passive Network : wiretapping, Port scanner, Idle scan Origin of the attack Inside attack Outside attack
Security, Access & Accounts of UofC Latest Threats & Vulnerabilities Information Security Policies Anti-Virus Protection Access Management Security Awareness Program Systems Security Security Advisories Vulnerability Assessment Program SecurID More Details
Information Security Awareness Program of UofC http://www.ucalgary.ca/it/infosecurity/awareness/posters
Some Observation….. Select a password for your system and then justify your selection. What can you do to protect your laptop? How to identify a pirated software? How can you avoid spam? Give an example of identity theft. Give some examples of Malware. Which kind of information is highly confidential for UofC? What kind of the social networking technique you can use to know the id of your classmate? What is the most potential threat to your smart phone? Consider, some of your resources are in security risk. What kind of initiative you have to take to protect them?