(c) 2006 Carnegie Mellon University. 95-752 Introduction to Information Security Management. Tim Shimeall, Ph.D., 412-268-7611. Presentation transcript.


1. 95-752 Introduction to Information Security Management
Tim Shimeall, Ph.D.
tjs@cert.org
412-268-7611
Office hours by appointment
Course website: http://www.andrew.cmu.edu/course/95-752

2. Course Covers
– Introduction/definitions
– Physical security
– Access control
– Data security
– Operating system security
– Application security
– Network security

3. Student Expectations
Grading:
– 2 homeworks
– Midterm
– Paper/project
All submitted work is the sole effort of the student.
Students are interested in the subject area.
Students have varied backgrounds.

4. Why Should You Be Concerned
– Personal data
– Credit information
– Medical information
– Purchasing history
– Corporate information
– Political information
– Societal infrastructure

5. A Different Internet
– Armies may cease to march
– Stocks may lose a hundred points
– Businesses may be bankrupted
– Individuals may lose their social identity
Threats come not from novice teenagers, but from purposeful military, political, and criminal organizations.

6. Computer Terms (1)
Computer: a collection of the following:
– Central Processing Unit (CPU): instruction processing
– Memory (RAM): transient storage for data
– Disk: more permanent storage for data
– Monitor: display device
– Printer: hard copy production
– Network card: communication circuitry

7. Computer Terms (2)
– Software: instructions for a computer
– Operating system: interaction among components of the computer
– Application software: common tasks (e.g., email, word processing, program construction, etc.)
– API/libraries: support for common tasks

8. Vulnerability (2001)
Out-of-the-box Linux PC hooked to the Internet, not announced:
– [30 seconds] First service probes/scans detected
– [1 hour] First compromise attempts detected
– [12 hours] PC fully compromised:
  – Administrative access obtained
  – Event logging selectively disabled
  – System software modified to suit intruder
  – Attack software installed
  – PC actively probing for new hosts to intrude
Clear the disk and try again!

9. Why Is Security Difficult
– Managers unaware of the value of computing resources
– Damage to public image
– Legal definitions often vague or non-existent
– Legal prosecution is difficult
– Many subtle technical issues

10. Objectives of Security
– Privacy: information only available to authorized users
– Integrity: information retains intended content and semantics
– Availability: information retains access and presence
The relative importance of these shifts over time and depends on the organization.

11. Security Terms
– Exposure: “actual harm or possible harm”
– Vulnerability: “weakness that may be exploited”
– Attack: “human originated perpetration”
– Threat: “potential for exposure”
– Control: “preventative measure”

12. Classes of Threat
– Interception
– Modification
– Masquerade
– Interruption
Most security problems are people related.

13. Software Security Concerns
– Theft
– Modification
– Deletion
– Misplacement

14. Data Security Concerns
– Vector for attack
– Modification
– Disclosure
– Deletion
“If you have a $50 head, buy a $50 helmet”

15. Network Security Concerns
– Basis for attack
– Publicity
– Theft of service
– Theft of information
A network is only as strong as its weakest link.
Problems multiply with the number of nodes.

16. Motivations to Violate Security
– Ego
– Curiosity
– Greed
– Revenge
– Competition
– Political/ideological

17. People and Computer Crime
– Most damage is not due to attacks: “Oops!” “What was that?”
– No clear profile of the computer criminal
– Law and ethics may be unclear
“Attempting to apply established law in the fast developing world of the Internet is somewhat like trying to board a moving bus” (Second Circuit, US Court of Appeals, 1997)

18. Types of Attackers
– Script kiddies
– Old-line hackers
– Disgruntled employees
– Organized crime
– Corporate espionage
– Foreign espionage
– Terrorists

19. Theory of Technology Law
Jurisdiction:
– Subject matter: power to hear a type of case
– Personal: power to enforce a judgment on a defendant
Between states: federal subject matter
Within a state: state/local subject matter
Criminal or civil:
– Privacy/obscenity covered now
– Intellectual property covered later

20. Privacy Law
Common law:
– Person’s name or likeness
– Intrusion
– Disclosure
– False light
State/local law: most states have computer crime laws, of varying content
International law: patchy, varying content

21. Federal Privacy Statutes
– ECPA (communication)
– Privacy Act of 1974 (federal collection/use)
– Family Educational Rights & Privacy Act (school records)
– Fair Credit Reporting Act (credit information)
– Federal Cable Communications Privacy Act (cable subscriber info)
– Video Privacy Act (video rental information)
– HIPAA (health care information)
– Sarbanes-Oxley Act (corporate accounting)
– Patriot Act (counter-terrorism)

22. Federal Obscenity Statutes
Miller test (Miller v. California, 1973):
– The average person, applying contemporary community standards, would find that the work appeals to prurient interest
– Sexual content
– Lack of literary, artistic, political or scientific value
Statutes:
– Communications Decency Act (struck down)
– Child Online Protection Act (struck down)
– Child Pornography Protection Act (struck down for virtual child porn; live children still protected)

23. Indian Trust Funds
Large, developing case: Cobell vs. Norton
– http://www.indiantrust.com/
– Insecure handling of entrusted funds
– Legal Internet disruption
– Criminal contempt proceedings
– Judicial overstepping

24. Methods of Defense
Overlapping controls:
– Authentication
– Encryption
– Integrity control
– Firewalls
– Network configuration
– Application configuration
– Policy

