Presentation is loading. Please wait.

Presentation is loading. Please wait.

CIT 380: Securing Computer SystemsSlide #1 CIT 380: Securing Computer Systems Policies.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "CIT 380: Securing Computer SystemsSlide #1 CIT 380: Securing Computer Systems Policies."— Presentation transcript:

1 CIT 380: Securing Computer SystemsSlide #1 CIT 380: Securing Computer Systems Policies

2 CIT 380: Securing Computer SystemsSlide #2 Security Planning 1.Planning to address security needs. 2.Risk assessment. 3.Crafting policies to reflect risks and needs. 4.Implementing security. 5.Audit and incident response.

3 CIT 380: Securing Computer SystemsSlide #3 Which Aspects are Important: CIA?

4 CIT 380: Securing Computer SystemsSlide #4 Risk Assessment 1.What assets are you trying to protect? 2.What are the risks to those assets? 3.How well does each potential security solution mitigate those risks? 4.What other risks does the security solutions impose on me? 5.What costs and trade-offs do the security solutions create?

5 CIT 380: Securing Computer SystemsSlide #5 Identifying Assets Tangibles Computers Data Backups Printouts Software media HR records Intangibles Privacy Passwords Reputation Goodwill Performance

6 CIT 380: Securing Computer SystemsSlide #6 Identifying Risks Loss of key personnel Loss of key vendor or service provider Loss of power Loss of phone / network Theft of laptops, USB keys, backups Introduction of malware Hardware failure Software bugs Network attacks

7 CIT 380: Securing Computer SystemsSlide #7 Risk Analysis Notes Update your risks regularly –Business, technology changes alter risks. Too many risks to defend against. –Rank risks to decide which ones to mitigate. –Insure against some risks. –Accept other risks.

8 CIT 380: Securing Computer SystemsSlide #8 Cost-Benefit Analysis Cost of a Loss –Direct cost of lost hardware. –Cost of idle labor during outage. –Cost of time to recover. –Cost to reputation. Probability of a Loss –Insurance/power companies have some stats. –Records of past experience. Cost of Prevention –Remember that most risks cannot be eliminated.

9 CIT 380: Securing Computer SystemsSlide #9 Best Practices Risk Analysis is difficult and uncertain. Follow best practices or due care –Firewall require as insurance co. due care. –Update patches, anti-virus. –Organizations differ in what they need. Combine best practices + risk analysis.

10 CIT 380: Securing Computer SystemsSlide #10 Security Policy Security policy partitions system states into: –Authorized (secure) These are states the system is allowed to enter. –Unauthorized (nonsecure) If the system enters any of these states, it’s a security violation. Secure system –Starts in authorized state. –Never enters unauthorized state.

11 CIT 380: Securing Computer SystemsSlide #11 Role of Policy 1.Identifies what is being protected and why. 2.States responsibility for protection. 3.Provides ground on which to interpret and resolve later conflicts.

12 CIT 380: Securing Computer SystemsSlide #12 Policy vs. Mechanism Security Policy –Statement that divides system into authorized and unauthorized states. Mechanism –Entity or procedure that enforces some part of a security policy.

13 CIT 380: Securing Computer SystemsSlide #13 Dirty Politics Republican Senate staffers gained access to Democrat computer files 2002-2003. –Both parties share computer server. –2001 misconfiguration allowed access w/o pw. –Defence: "The bottom line here is that the technology staff of the Democrats was negligent. They put these memos in a shared hard drive. It was like putting the memos on our desk.” – Manuel Miranda

14 CIT 380: Securing Computer SystemsSlide #14 Developing a Policy Assign responsibility –Need to know who is responsible for protecting what, i.e. users for their own accounts. –Authority needs to accompany responsibility. Be positive –People respond better to do than don’t. Consider user needs –Privacy, protecting PII Need to educate users.

15 CIT 380: Securing Computer SystemsSlide #15 Security Perimeter Perimeter defines what is within your control. Historically –Within walls of building or fences of campus. –Within router that connects to ISP. Modern perimeters are more complex –Laptops, PDAs. –USB keys, CDs, DVDs, portable HDs. –Wireless networks. –Home PCs that connect to your network.

16 CIT 380: Securing Computer SystemsSlide #16 Defense in Depth Firewall/IDS protect perimeter. Perimeter security is not sufficient. –What if someone brings infected laptop to work? –What if home user bridges your net to Internet? Defense in Depth –Multiple, independent layers of protection. –Network firewall + personal firewall + IDS

17 CIT 380: Securing Computer SystemsSlide #17 Compliance Audits Your policy is great, but is it being followed? Audit your systems and personnel regularly. Audit failures may result from –Personnel shortcomings Insufficient education or overwork –Material shortcomings Insufficient resources or maintenance –Organizational shortcomings Lack of authority, conflicting responsibilities –Policy shortcomings Unforseen risks, missing or conflicting policies

18 CIT 380: Securing Computer SystemsSlide #18 Key Points Policy divides system into –Authorized (secure) states. –Unauthorized (insecure) states. Policy vs Mechanism –Policy: describes what security is. –Mechanism: how security policy is enforced. Written policy and enforced policy will differ. –Compliance audits look for those differences. Security Perimeter –Describes what is within your control. –Defense in depth: defend perimeter and inside.

19 CIT 380: Securing Computer SystemsSlide #19 References 1.Matt Bishop, Introduction to Computer Security, Addison-Wesley, 2005. 2.Simson Garfinkel, Gene Spafford, and Alan Schwartz, Practical UNIX and Internet Security, 3/e O’Reilly, 2003. 3.NKU, Acceptable Use Policy, http://it.nku.edu/pdf/AcceptableUsePolicy- rv51.pdf, 2002. http://it.nku.edu/pdf/AcceptableUsePolicy- rv51.pdf 4.SANS, SANS Security Policy Project, http://www.sans.org/resources/policies/

Download ppt "CIT 380: Securing Computer SystemsSlide #1 CIT 380: Securing Computer Systems Policies."

Similar presentations

The Whole/Hole of Security Public (DoD) v. Corporate Carl Bourland US Army Judge Advocate Generals Corps.

The Whole/Hole of Security Public (DoD) v. Corporate Carl Bourland US Army Judge Advocate Generals Corps.
CS898T Mobile and Wireless Network Handheld Device Security By Yuan Chen July 25 th, 2005.

CS898T Mobile and Wireless Network Handheld Device Security By Yuan Chen July 25 th, 2005.
INADEQUATE SECURITY POLICIES Each covered entity and business associate must have written polices that cover all the Required and Addressable HIPAA standards.

INADEQUATE SECURITY POLICIES Each covered entity and business associate must have written polices that cover all the Required and Addressable HIPAA standards.
Copyright © 2012, Big I Advantage®, Inc., and Swiss Re Corporate Solutions. All rights reserved. (Ed. 08/12 -1) E&O RISK MANAGEMENT: MEETING THE CHALLENGE.

Copyright © 2012, Big I Advantage®, Inc., and Swiss Re Corporate Solutions. All rights reserved. (Ed. 08/12 -1) E&O RISK MANAGEMENT: MEETING THE CHALLENGE.
Data Security for Healthcare Facilities Debbie Abbott Health Information Consultant Resolutions (Int) Pty Ltd.

Data Security for Healthcare Facilities Debbie Abbott Health Information Consultant Resolutions (Int) Pty Ltd.
PHYSICAL SECURITY Attacker. Physical Security Not all attacks on your organization's data come across the network. Many companies focus on an “iron-clad”

PHYSICAL SECURITY Attacker. Physical Security Not all attacks on your organization's data come across the network. Many companies focus on an “iron-clad”
Separate Domains of IT Infrastructure

Separate Domains of IT Infrastructure
9/20/07 STLSecurity is Everyone's Responsibility 1 FHDA Technology Security Awareness.

9/20/07 STLSecurity is Everyone's Responsibility 1 FHDA Technology Security Awareness.
Security Controls – What Works

Security Controls – What Works
Chapter 17 Controls and Security Measures

Chapter 17 Controls and Security Measures
Security+ Guide to Network Security Fundamentals

Security+ Guide to Network Security Fundamentals
Ensuring Continuing Operations and Disaster Recovery By: Alyssa Gatrell Mike Harker Amy Shumway.

Ensuring Continuing Operations and Disaster Recovery By: Alyssa Gatrell Mike Harker Amy Shumway.
Introducing Computer and Network Security

Introducing Computer and Network Security
CSE 4482, 2009 Session 21 Personal Information Protection and Electronic Documents Act Payment Card Industry standard Web Trust Sys Trust.

CSE 4482, 2009 Session 21 Personal Information Protection and Electronic Documents Act Payment Card Industry standard Web Trust Sys Trust.
Lecture 11 Reliability and Security in IT infrastructure.

Lecture 11 Reliability and Security in IT infrastructure.
Computer Security: Principles and Practice

Computer Security: Principles and Practice
Security Overview. 2 Objectives Understand network security Understand security threat trends and their ramifications Understand the goals of network.

Security Overview. 2 Objectives Understand network security Understand security threat trends and their ramifications Understand the goals of network.
Stephen S. Yau CSE 465-591, Fall 2006 1 Security Strategies.

Stephen S. Yau CSE , Fall Security Strategies.
Network Security. Trust Relationships (Trust Zones) High trust (internal) = f c (once you gain access); g p Low trust ( ) = more controls; fewer privileges.

Network Security. Trust Relationships (Trust Zones) High trust (internal) = f c (once you gain access); g p Low trust ( ) = more controls; fewer privileges.
Developing a Security Policy Chapter 2. Learning Objectives Understand why a security policy is an important part of a firewall implementation Determine.

Developing a Security Policy Chapter 2. Learning Objectives Understand why a security policy is an important part of a firewall implementation Determine.

Similar presentations

Ads by Google