Computer Security Set of slides 1 Dr Alexei Vernitski.

Information security
In this module, we concentrate on information security.
We speak less about physical security – for example, the Millfields Primary School laptop thefts.
We do not speak about bugs in computer software – for example, the bug in the Post Office computer system.

Example from a web site
Your password is stored securely using RSA Encryption with a 1024-bit key, which is the standard used for secure online bank account access. We use industry-standard 128 bit secure socket layer SSL encryption to protect data transmissions between your browser and our servers, such as your personal information.

Questions
Your password is stored securely using RSA Encryption with a 1024-bit key, which is the standard used for secure online bank account access. We use industry-standard 128 bit secure socket layer SSL encryption to protect data transmissions between your browser and our servers, such as your personal information.
What is more secure: 1024 bits or 128 bits?
Is either of these two encryption schemes secure? Or are they both secure?
In this case, why use both?
What is RSA?
Which security goals are achieved by these measures?
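The two numbers in the quoted policy cannot be compared directly: a 1024-bit RSA key is broken by factoring its modulus, a 128-bit session key by guessing the key, and those attacks cost very different amounts of work. The following is an added worked example (not part of the original slides) that estimates the factoring cost with the usual general number field sieve heuristic and compares it with brute force on the symmetric key. The heuristic drops the o(1) term, so it is an estimate; the function names and the step size used in the search are choices made for this example.

```python
import math

# Added example, not from the original slides. Compares the work needed to
# break a k-bit symmetric key with the work needed to factor an n-bit RSA
# modulus, both as log2 of the number of operations.

def symmetric_work_bits(key_bits):
    """Brute force on a k-bit symmetric key: 2^k trials in the worst case."""
    return float(key_bits)

def gnfs_work_bits(modulus_bits):
    """Heuristic cost of factoring an n-bit RSA modulus N with the general
    number field sieve, L_N[1/3, c] = exp(c * (ln N)^(1/3) * (ln ln N)^(2/3))
    with c = (64/9)^(1/3), returned as log2 of operations. The o(1) term is
    dropped, so this is an estimate; the NIST SP 800-57 table gives
    1024 -> 80, 2048 -> 112, 3072 -> 128 bits of security, which this
    tracks to within a few bits."""
    ln_n = modulus_bits * math.log(2)          # ln N for N ~ 2^modulus_bits
    c = (64 / 9) ** (1 / 3)
    ln_work = c * ln_n ** (1 / 3) * math.log(ln_n) ** (2 / 3)
    return ln_work / math.log(2)

def weaker_component(rsa_bits, symmetric_bits):
    """Name the part of a hybrid RSA + symmetric scheme an attacker would
    target first, i.e. the one with the lower estimated work factor."""
    if gnfs_work_bits(rsa_bits) < symmetric_work_bits(symmetric_bits):
        return "rsa"
    return "symmetric"

def rsa_bits_for_security_level(target_bits, step=256, limit=16384):
    """Smallest RSA modulus size (a multiple of `step` bits) whose estimated
    factoring cost is at least 2^target_bits; None if `limit` is reached."""
    n = step
    while n <= limit:
        if gnfs_work_bits(n) >= target_bits:
            return n
        n += step
    return None

if __name__ == "__main__":
    for rsa in (1024, 2048, 3072):
        print(f"RSA-{rsa}: about 2^{gnfs_work_bits(rsa):.0f} operations to factor")
    print("128-bit symmetric key: 2^128 trials to brute-force")
    print("weaker component of RSA-1024 + 128-bit cipher:",
          weaker_component(1024, 128))
    print("RSA size needed for 112-bit security:",
          rsa_bits_for_security_level(112))
```

The estimate reproduces the familiar ordering: RSA-1024 sits near 80 bits of security, well below a 128-bit session key, so in the quoted policy the bigger number is the weaker one. Both are used because public-key encryption is slow and is only used to establish the symmetric session key that protects the bulk of the traffic. Separately, a stored password should not be reversibly encrypted at all, whatever the key size: it should be hashed with a salted, deliberately slow password hash so that even the site operator cannot recover it.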

Security goals
Confidentiality
Integrity
Availability
Some others, such as non-repudiation (read more in the textbooks)

Example: electronic voting system

For discussion
Confidentiality, Integrity, Availability, and some others, such as non-repudiation.
Consider an electronic voting system. How can these goals be achieved or not achieved?

Example from a web site
We have industry standard and proprietary network monitoring tools constantly running in our system in order to prevent security breaches and protect the security of your data. In addition, our secure page employs industry standard encryption.

Questions
We have industry standard and proprietary network monitoring tools constantly running in our system in order to prevent security breaches and protect the security of your data. In addition, our secure page employs industry standard encryption.
Which security goals are important for Facebook?
Which security goals are achieved by the described measures?

Example from a news item
Sony has admitted that the personal data of PSN users, which may have been illegally accessed in a recent attack on the system, was not encrypted. Thankfully, credit card information was stored separately to the personal data and was encrypted.

Questions
Sony has admitted that the personal data of PSN users, which may have been illegally accessed in a recent attack on the system, was not encrypted. Thankfully, credit card information was stored separately to the personal data and was encrypted.
Which security goals were not achieved by Sony?
Would encryption help to achieve these goals?

From recent research
Firms using encryption software are more careless about controlling internal access to encrypted data, and their employees are more careless about computer equipment containing encrypted data.

For discussion
Firms using encryption software are more careless about controlling internal access to encrypted data, and their employees are more careless about computer equipment containing encrypted data.
Do you agree with these research findings?
Does this mean that encryption should not be used?

Example from a web site
iCloud is built with industry-standard security practices and employs strict policies to protect your data. Apple takes precautions – including administrative, technical and physical measures – to safeguard your personal information against loss, theft and misuse, as well as against unauthorised access, disclosure, alteration and destruction.

Attack analysis
Threat
Vulnerability
Attack
Control
(read more in the textbooks)

Attack analysis
It is important to remember that in this context, words such as 'threat' and 'control' are used with special meanings.
A threat describes what can be stolen or damaged: the potential for harm, not the act of causing it.
A vulnerability is the weakness that makes the harm possible; an attack is an attempt to exploit that weakness.
A control describes how a vulnerability can be removed, blocked or repaired.

An informal example

For discussion
Sony has admitted that the personal data of PSN users, which may have been illegally accessed in a recent attack on the system, was not encrypted.
Analyse this news item using the terms:
– Threat
– Vulnerability
– Attack
– Control

Example from a news item
MI6 and the CIA have been warned that intelligence may have been compromised by an agent in Switzerland who downloaded vast quantities of data onto portable hard drives and carried it out of a secure building.
The sources say that he downloaded "terabytes" of classified material from the Swiss intelligence service's servers onto portable hard drives. He then left the government building with a backpack containing the hard drives.

For discussion
MI6 and the CIA have been warned that intelligence may have been compromised by an agent in Switzerland who downloaded vast quantities of data onto portable hard drives and carried it out of a secure building.
The sources say that he downloaded "terabytes" of classified material from the Swiss intelligence service's servers onto portable hard drives. He then left the government building with a backpack containing the hard drives.
Analyse this news item using the terms:
– Threat
– Vulnerability
– Attack
– Control

Defence against attack: types of control
You may use the following verbs to describe the action of controls:
Preempt
Prevent
Deter
Detect
Deflect
Recover
(read more in the textbooks)

For discussion
Student Rachel Hyndman, 20, from Glasgow, believes she was the victim of webcam hacking. She spotted the camera on her laptop had switched itself on while she was watching a DVD in the bath. She says: "I was sitting in the bath, trying to relax, and suddenly someone potentially has access to me in this incredibly private moment and it's horrifying. To have it happen to you without your consent is horribly violating."

For discussion
She spotted the camera on her laptop had switched itself on while she was watching a DVD in the bath. She says: "I was sitting in the bath, trying to relax, and suddenly someone potentially has access to me in this incredibly private moment and it's horrifying."
Discuss which types of control could have been used to defend against the attack:
– Preemption
– Prevention
– Deterrence
– Detection
– Deflection
– Recovery

For discussion
Sony has admitted that the personal data of PSN users, which may have been illegally accessed in a recent attack on the system, was not encrypted.
Discuss which types of control could have been used to defend against the attack:
– Preemption
– Prevention
– Deterrence
– Detection
– Deflection
– Recovery

Example: online shop

For discussion: online shop
Security goals: Confidentiality, Integrity, Availability (also non-repudiation)
Attack analysis: Threat, Vulnerability, Attack, Control
Types of control:
– Preemption
– Prevention
– Deterrence
– Detection
– Deflection
– Recovery

Security policy
Example: an excerpt from Amazon's security policy
We work to protect the security of your information during transmission by using Secure Sockets Layer (SSL) software, which encrypts information you input. We reveal only the last four digits of your credit card numbers when confirming an order. Of course, we transmit the entire credit card number to the appropriate credit card company during order processing. We maintain physical, electronic and procedural safeguards in connection with the collection, storage and disclosure of personally identifiable customer information. Our security procedures mean that we may occasionally request proof of identity before we disclose personal information to you. It is important for you to protect against unauthorised access to your password and to your computer. Be sure to sign off when you finish using a shared computer.

Homework
Find the security policy of the University of Essex. Read it, paying attention to security goals, attack analysis and controls.

Sample exam questions
List the three main types of security goals.
Apple's security policy says that Apple takes measures 'against unauthorised access, disclosure, alteration and destruction'. Explain precisely which security goals would be compromised by each of the following: unauthorised access, disclosure, alteration and destruction.

Sample exam questions
Read the news item:
– A former Sun newspaper reporter Ben Ashford has been charged with an offence of unauthorised access to computer material. The charge alleges that he "caused a computer to perform a function with intent to secure unauthorised access to a program or data held in a computer, knowing that such access was unauthorised".
Explain precisely which security goals could be compromised by Ben Ashford's alleged actions.

Sample exam questions
Explain in your own words what the terms threat and vulnerability mean.
Read the news item:
– Social networking website LinkedIn has said some of its members' passwords have been "compromised" after reports that more than six million passwords had been leaked onto the internet.
Comment on this news item using all the necessary terms for attack analysis.

Sample exam questions
Read the news item:
– Sony has admitted that the personal data of PSN users, which may have been illegally accessed in a recent attack on the system, was not encrypted.
– Thankfully, credit card information was stored separately to the personal data and was encrypted.
Comment on this news item using your knowledge of the types of controls.

Sample exam questions
Read the news item:
– MI6 and the CIA have been warned that intelligence may have been compromised by an agent in Switzerland who downloaded vast quantities of data onto portable hard drives and carried it out of a secure building.
– The sources say that he downloaded "terabytes" of classified material from the Swiss intelligence service's servers onto portable hard drives. He then left the government building with a backpack containing the hard drives.
Comment on this news item, using the correct terms related to security goals, attack analysis and control types.

Sample exam questions
The web site of a company claims:
– We have industry standard and proprietary network monitoring tools constantly running in our system in order to prevent security breaches and protect the security of your data.
– In addition, our secure page employs industry standard encryption.
Improve this fragment of the company's security policy, using the correct terms related to security goals, attack analysis and control types.

Sample exam questions
The web site of a company claims:
– Your password is stored securely using RSA Encryption with a 1024-bit key
– We use industry-standard 128 bit secure socket layer SSL encryption
Defend this security policy, explaining why a 1024-bit key is used in one case and a 128-bit key in the other.