Information System Security Engineering and Management Risk Analysis and System Security Engineering Homework (#2, #3) Dr. William Hery


1 Information System Security Engineering and Management Risk Analysis and System Security Engineering Homework (#2, #3) Dr. William Hery hery@isis.poly.edu

2 GTS System Description
Poly is going to set up a new, streamlined grade and transcript server (GTS). There is already a grade database on a secure server (SGDB) that is used for entering and maintaining grade records. The new server will allow students to:
- view grades without directly accessing the SGDB
- generate full transcripts to be sent to grad schools and potential employers from Poly in such a manner as to have the recipients of the transcripts trust that they are authentic.
For the homework, assume that SGDB is already secure, but there will now be a new application/server accessing it. Also assume that students can access GTS from the Poly intranet, or from the Internet.

3 GTS Architecture
[Diagram: SGDB, GTS, Student, Employer or Grad School; links labeled email, Internet, Poly Intranet]

4 Assets at Risk (HW 2)
- Integrity of the grade database (but this is assumed to be a secure system for our purposes)
- Privacy of the student grades
- Integrity of the grades presented to the student
- Integrity of the transcripts sent out (and the trust the recipients have in that integrity)
- Availability of the GTS service
- Poly's reputation as a premier institution in information security and an NSA COE in IA

5 Threats (HW 2)
- Students who want to do general mischief or target specific students
- Outsiders who want to do general mischief or target specific students
- Students who want to send a fake transcript

6 Risk Management Approach (HW 2)
- Integrity of the grade database: transfer risk to SGDB owner
- Privacy of the student grades: mitigate with technology (authentication of user via password); accept some risk of stolen password
- Integrity of the grades presented to the student: mitigate with technology (protect GTS system)
- Integrity of the transcripts sent out: mitigate by digitally signing transcripts
- Availability of the GTS service: mitigate with firewall; accept some risk of breaking through firewall
- Poly's reputation as a premier institution in information security: mitigate with all of the above

7 Systems Engineering: First Steps
Mission Needs Statement:
- A system to allow students to securely access their grades, and to allow them to have authenticated transcripts emailed to prospective employers and grad schools.
CONOPS: A student logs into the GTS Server over the Internet or Poly's Intranet. A user-friendly GUI allows the student to see which courses they have taken and what their grades have been. The student can also request a complete transcript be emailed to prospective employers and grad schools. For security reasons, the GTS will be a separate server from the existing, secure grade database, the SGDB.

8 System Architecture and Functional Requirements
Architecture: see first slide
GTS Functional Requirements:
- User (student) interface: must authenticate user, accept user query, format response
- SGDB interface: must format grade query, send to SGDB, accept response
- Individual grade request
- Complete transcript request
- GTS must be able to create and send authenticated transcripts via email

9 High-Level Security Requirements
- Authentication of students
- Protect SGDB from attack at SGDB/GTS interface (preserve integrity and privacy of the grade database)
- Protect all networks from snooping (privacy of grades)
- Protect confidentiality and integrity of all processing on the GTS server
- Provide a digital signature service to sign emailed transcripts from GTS
- Protect GTS from denial of service attacks

10 Revised GTS Architecture With External Security Components
[Diagram: the slide 3 architecture (SGDB, GTS, Student, Employer or Grad School; email, Internet, Poly Intranet) with added external components: MyPoly user password auth., Poly Signing Service]

11 Security Requirements Allocation:
- Authentication of students: MyPoly User ID/Password authentication
- Protect SGDB from attack at SGDB/GTS interface: custom interface to prevent attack ("application firewall")
- Protect all networks from snooping: encrypted network links
- Protect confidentiality and integrity of all processing on the GTS server: server security
- Provide a digital signature service to sign emailed transcripts from GTS: Poly Digital Signature Service
- Protect GTS from denial of service attacks: firewalls, secured server
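
A sketch of the "application firewall" at the SGDB/GTS interface (slides 8 and 11), added here as an example and not taken from the presentation: it admits only the two request types the slides name, binds every query to the authenticated student, and issues read-only parameterized queries. The ID formats, table schema, function names and the in-memory sqlite3 stand-in for the SGDB are assumptions.

```python
import re
import sqlite3

# Assumed identifier formats and schema; the slides do not specify them.
STUDENT_ID = re.compile(r"[0-9]{8}")
COURSE_ID = re.compile(r"[A-Z]{2,4}[0-9]{3,4}")
ALLOWED = {"grade", "transcript"}  # the two request types listed on slide 8


class Rejected(Exception):
    """Request refused at the GTS/SGDB interface."""


def build_query(auth_user, request):
    """Validate a request; auth_user comes from login, never from the request."""
    kind = request.get("type")
    if kind not in ALLOWED:
        raise Rejected("unknown request type")
    if set(request) - {"type", "student", "course"}:
        raise Rejected("unexpected field")
    student = request.get("student", "")
    if not isinstance(student, str) or not STUDENT_ID.fullmatch(student):
        raise Rejected("malformed student id")
    if student != auth_user:  # privacy of grades: own records only
        raise Rejected("student may only read own grades")
    if kind == "transcript":
        if "course" in request:
            raise Rejected("transcript request takes no course")
        return ("SELECT course, grade FROM grades WHERE student = ? ORDER BY course", (student,))
    course = request.get("course", "")
    if not isinstance(course, str) or not COURSE_ID.fullmatch(course):
        raise Rejected("malformed course id")
    return ("SELECT course, grade FROM grades WHERE student = ? AND course = ?", (student, course))


def demo_sgdb():
    """In-memory stand-in for the SGDB, filled with constructed rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE grades (student TEXT, course TEXT, grade TEXT)")
    db.executemany("INSERT INTO grades VALUES (?, ?, ?)", [
        ("10000001", "CS392", "A"), ("10000001", "CS681", "B+"),
        ("10000002", "CS392", "C")])
    return db


def handle(db, auth_user, request):
    """Run a validated, read-only query on behalf of the logged-in student."""
    sql, params = build_query(auth_user, request)
    return db.execute(sql, params).fetchall()
```

Because the interface only ever emits these two SELECT statements, a compromised GTS front end cannot use it to modify the grade database or read another student's records.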

