Presentation is loading. Please wait.

Presentation is loading. Please wait.

Advanced Accounting Information Systems Day 23 Operating Systems Security October 16, 2009.

Published byCorey Blake Modified over 8 years ago

Similar presentations

Presentation on theme: "Advanced Accounting Information Systems Day 23 Operating Systems Security October 16, 2009."— Presentation transcript:

1 Advanced Accounting Information Systems Day 23 Operating Systems Security October 16, 2009

2 Announcements –Quiz 5 –Assignment 4 – due today Task as IT auditor is to identify potential problems new owner may encounter with Threadchic –Midterm In class – systems documentation, sql queries Out of class – four essay questions, you pick the two to write on, maximum of two double-spaced pages per essay question –Covers systems development, IT auditing, internal controls

3 Objectives – Operating Systems Security Understand the core components of operating systems Understand the common implmentations of the main operating system components as well as the associated risk and control considerations Apply security principles and concepts to effectively secure operating systems

4 Blaster Worm Remote procedure call –Core operating system component implemented in the Windows family of products Allows a computer to invoke and execute programs from remote computers Present on every Windows computer and has highest level of privileges July 16, 2003 announcement of critical vulnerability that allowed attackers to send specially crafted malformed messages and thereby run any code of their choice on a computer with no restrictions –Attackers could then install any software on a machine Capture keystrokes to get passwords Impersonate users Read or delete any emails

5 Blaster Worm Department of Homeland Security issued high[profile alerts but many businesses and end users did not install patch August 11, 2003, MSBlaster worm was released in the wild –Within 204 hours, over 330,000 computers were infected –Resulted in denial of service for Windows users as infected computers frequently rebooted –Caused CSX Transportation Corporation to stop trains causing serious delays for commuter rail service near Washington DC –Caused Air Canada to delay flights –forced Maryland’s motor vehicle agency to close for a day –Kicked Swedish Internet users offline –Contributed to the major power blackout on the East Coast

6 Goal of Chapter For each environment – operating systems, applications, databases, telecommunication networks, data networks, and Web systems, we look at the risks that affect these environments and learn about controls to mitigate the risks Breach in one environment may affect other environments given that these environments depend on each other Most important environment that needs to be secured – operating system

7 Common Operating Systems Every command entered on a computer is managed and processed by the operating system –All data files, applications, and databases reside on the operating system Operating system – house that contains various safes ( applications and databases) – if someone breaks into the house, they can just pick up the safe and run, no matter how strong the security lock is on the safe –Thus compromise of operating system almost always leads to compromise of its contents including various applications and database

8 Operating Systems Operating system – software that controls the operation of a computer and directs the processing of programs by assigning storage space in memory and controlling input and out functions Interface between end user and various applications Must also manage the hardware present in the computer API – application programming interface Rainbow series books –Orange book – trusted computer system evaluation criteria – seven classes – see table 7.1

9 Orange Book summary chart Division D – minimum security –D systems that aren’t rated higher Division C – discretionary protection –C1 discretionary security protection –C2 – controlled access protection Division B Division A –A verified design

10 Common Operating Systems Windows Linux z/OS NetWare

11 Common Risks and Controls - Authentication Passwords Risks Controls Other authentication technologies

12 Common Risks and Controls - Authorization Permissions Risks Controls

13 Common Risks and Controls – Trust Relationships Why establish trust? –Data exchange between two systems without requiring user intervention to first authenticate and authorize the transaction –User movement across multiple systems without having to re-authenticate Risks Controls

14 Common Risks and Controls – Job Scheduling Risks Controls

15 Common Risks and Controls – File Systems Local File Systems Remote File Systems File and Directory Permissions Risks Controls

16 Common Risks and Controls – Software Updates Risks Controls

17 Assurance Considerations Number of workstations and servers on system Number of different operating systems used Criticality of the computers or data stored on the system Types of tools available for collection and analysis of data detailing the security controls

18 Vocabulary Review Access control list Active directory Application programming interface Authentication Authorization Baseline Biometrics brute-force attacks Common internet file system (CIFS) Dictionary attacks File system Jobs Malware netWare directory service (NDS) Network file system (NFS)

19 Vocabulary Review One-time password (OTP) One-way hash algorithms Operating system Password file Password hash Permissions piggybacking Root Salt Samba Secure shell (SSH) Server message block (SMB) Shadow file Smart card Tripwire Trust relationship

20 Questions for Monday Identify common risks to application security and suggest at least one control to mitigate each risk

Download ppt "Advanced Accounting Information Systems Day 23 Operating Systems Security October 16, 2009."

Similar presentations

1 Chapter 8 Fundamentals of System Security. 2 Objectives In this chapter, you will: Understand the trade-offs among security, performance, and ease of.

1 Chapter 8 Fundamentals of System Security. 2 Objectives In this chapter, you will: Understand the trade-offs among security, performance, and ease of.
CS426Fall 2010/Lecture 81 Computer Security CS 426 Lecture 8 User Authentication.

CS426Fall 2010/Lecture 81 Computer Security CS 426 Lecture 8 User Authentication.
DESIGNING A PUBLIC KEY INFRASTRUCTURE

DESIGNING A PUBLIC KEY INFRASTRUCTURE
System and Network Security Practices COEN 351 E-Commerce Security.

System and Network Security Practices COEN 351 E-Commerce Security.
Defense-in-Depth Against Malicious Software Jeff Alexander IT Pro Evangelist Microsoft Australia

Defense-in-Depth Against Malicious Software Jeff Alexander IT Pro Evangelist Microsoft Australia
Network Redesign and Palette 2.0. The Mission of GCIS* Provide all of our users optimal access to GCC’s technology resources. *(GCC Information Services:

Network Redesign and Palette 2.0. The Mission of GCIS* Provide all of our users optimal access to GCC’s technology resources. *(GCC Information Services:
Chapter 7 HARDENING SERVERS.

Chapter 7 HARDENING SERVERS.
CSCD 303 Essential Computer Security Fall 2010 Lecture 4 - Desktop Security Reading:

CSCD 303 Essential Computer Security Fall 2010 Lecture 4 - Desktop Security Reading:
Homework 3.2 Clients Hub What’s wrong with this picture? Clients Using 100TX.

Homework 3.2 Clients Hub What’s wrong with this picture? Clients Using 100TX.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 5: Managing File Access.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 5: Managing File Access.
Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.

Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 5: Managing File Access.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 5: Managing File Access.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 1: Introduction to Windows Server 2003.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 1: Introduction to Windows Server 2003.
Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 4 Profiles, Password Policies, Privileges, and Roles.

Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 4 Profiles, Password Policies, Privileges, and Roles.
Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 2 Operating System Security Fundamentals.

Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 2 Operating System Security Fundamentals.
Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.

Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.
Operating System Security Chapter 9. Operating System Security Terms and Concepts An operating system manages and controls access to hardware components.

Operating System Security Chapter 9. Operating System Security Terms and Concepts An operating system manages and controls access to hardware components.
Guide to Operating System Security Chapter 2 Viruses, Worms, and Malicious Software.

Guide to Operating System Security Chapter 2 Viruses, Worms, and Malicious Software.
7-Access Control Fundamentals Dr. John P. Abraham Professor UTPA.

7-Access Control Fundamentals Dr. John P. Abraham Professor UTPA.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 1: Introduction to Windows Server 2003.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 1: Introduction to Windows Server 2003.

Similar presentations

Ads by Google