Presentation is loading. Please wait.

Presentation is loading. Please wait.

SECURITY ENGINEERING 2 April 2013 William W. McMillan.

Published byPosy Skinner Modified over 8 years ago

Similar presentations

Presentation on theme: "SECURITY ENGINEERING 2 April 2013 William W. McMillan."— Presentation transcript:

1 SECURITY ENGINEERING 2 April 2013 William W. McMillan

2 What are the main reinforcements for breaking into software systems? Name three distinct populations of people who do this.

3 Ways People Use the Term “Risk”  Something bad that could happen:  “There’s a risk of brake failure.”  The probability that something bad could happen:  “The risk of brake failure is 0.01%.”  The cost of something bad happening:  “If the brakes fail, we risk passenger deaths.”  We can’t really regulate everyday language.

4 Ways to Mitigate Risk  Identify vulnerabilities, threats, and hazards…  …then head each one off at the pass.  Establish engineering practices that will lead to reliable software.  The first approach by itself can’t keep the bad guys out.  You can’t find every vulnerability or anticipate every attack.

5 List three to five typical kinds of attacks on software.

6 Ways to Attack abc123 Using Users Surprise Packages Picking Locks Faking/Stealing Credentials Stealing Data Observing Behavior Ganging Up As a Customer By Insider

7 What Can Be Attacked  Operating system  Databases  Financial records  Infrastructure  Communications  Dedicated servers  Application code  Application data

8 Describe a recent successful attack on a software system.

9 User Authentication  Who has access to what?  Security policy is defined by client or management.  Need to ensure that you give users the right level of access.  Operational concern.  But there are some design implications.  UI should not lead someone to, e.g., accidentally give a new engineer access to the firm’s personnel records.  Email or other communication to user to report transaction, password change, etc.

10 User Credentials  User name and password  Making 3M rich (they make Post-it Notes)…  … which is where many passwords live.  Physical cards or other object to plug into computer  Security questions  How hard is it to get people’s mother’s maiden name?  Does a friend know what the model of your first car was?  Biometrics  Retinal scans, fingerprints, voice,…

11 Is it a good idea to require users to change passwords every six months or so? Should passwords be required to be like this: fH7*iM(sqjX ?

12 Data Protection  Encryption  Fire walls  Multiple sites  In case someone corrupts databases at one site.  Checksums, consistency, or other integrity tests  Monitoring of access and traffic  User authentication  Validation of inputs  Providing read-only access when you can.

13 Is the client-server model good for protecting data in an organization?

14 Function Protection  Scan for viruses and worms.  Monitor activity.  Prevent “backdoors” and “hooks” in code.  Engineering process issue  Beware of reused software.  “You don’t know where that thing has been…”  Configure carefully when install or change.  Can change access or visibility.

15 A small dental practice has a home- grown information system and they’ve hired you to improve its security. What six or so steps would you take before making changes?

Download ppt "SECURITY ENGINEERING 2 April 2013 William W. McMillan."

Similar presentations

2 Issues of the information age Computer _______ and mistakes –Preventing computer related waste & mistakes Computer crime –Computer as tool to commit.

2 Issues of the information age Computer _______ and mistakes –Preventing computer related waste & mistakes Computer crime –Computer as tool to commit.
Mr C Johnston ICT Teacher

Mr C Johnston ICT Teacher
McGraw-Hill/Irwin ©2009 The McGraw-Hill Companies, All Rights Reserved CHAPTER 4 ETHICS AND INFORMATION SECURITY Business Driven Information Systems 2e.

McGraw-Hill/Irwin ©2009 The McGraw-Hill Companies, All Rights Reserved CHAPTER 4 ETHICS AND INFORMATION SECURITY Business Driven Information Systems 2e.
Copyright © 2015 McGraw-Hill Education. All rights reserved. No reproduction or distribution without the prior written consent of McGraw-Hill Education.

Copyright © 2015 McGraw-Hill Education. All rights reserved. No reproduction or distribution without the prior written consent of McGraw-Hill Education.
8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.

8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.
8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.

8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.
8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.

8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.
Security Management IACT 918 July 2004 Gene Awyzio SITACS University of Wollongong.

Security Management IACT 918 July 2004 Gene Awyzio SITACS University of Wollongong.
Copyright © 2002 Pearson Education, Inc. Slide 5-1 PERTEMUAN 8.

Copyright © 2002 Pearson Education, Inc. Slide 5-1 PERTEMUAN 8.
Privacy & Security By Martin Perez. Introduction  Information system - People : meaning use, the people who use computers. - Procedures : Guidelines.

Privacy & Security By Martin Perez. Introduction  Information system - People : meaning use, the people who use computers. - Procedures : Guidelines.
Lecture 11 Reliability and Security in IT infrastructure.

Lecture 11 Reliability and Security in IT infrastructure.
Network Security Peter Behrens Seth Elschlager. Computer Security Preventing unauthorized use of your network and information within that network. Preventing.

Network Security Peter Behrens Seth Elschlager. Computer Security Preventing unauthorized use of your network and information within that network. Preventing.
Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.

Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.
Factors to be taken into account when designing ICT Security Policies

Factors to be taken into account when designing ICT Security Policies
Security Guidelines and Management

Security Guidelines and Management
Air Force Association (AFA) 1. 1.Access Control 2.Four Steps to Access 3.How Does it Work? 4.User and Guest Accounts 5.Administrator Accounts 6.Threat.

Air Force Association (AFA) 1. 1.Access Control 2.Four Steps to Access 3.How Does it Work? 4.User and Guest Accounts 5.Administrator Accounts 6.Threat.
Security. If I get 7.5% interest on $5,349.44, how much do I get in a month? (.075/12) =.00625 * 5,349.44 = $33.434 What happens to the.004?.004+.004+.004=.012.004.

Security. If I get 7.5% interest on $5,349.44, how much do I get in a month? (.075/12) = * 5, = $ What happens to the.004? =
The Impact of Physical Security on Network Security

The Impact of Physical Security on Network Security
GOLD UNIT 4 - IT SECURITY FOR USERS (2 CREDITS) Cameron Simpson.

GOLD UNIT 4 - IT SECURITY FOR USERS (2 CREDITS) Cameron Simpson.
Security of Data. Key Ideas from syllabus Security of data Understand the importance of and the mechanisms for maintaining data security Understand the.

Security of Data. Key Ideas from syllabus Security of data Understand the importance of and the mechanisms for maintaining data security Understand the.

Similar presentations

Ads by Google