Some general principles in computer security Tomasz Bilski Chair of Control, Robotics and Computer Science Poznań University.

Slides:

Advertisements

Similar presentations

ETHICAL HACKING A LICENCE TO HACK

Advertisements

INADEQUATE SECURITY POLICIES Each covered entity and business associate must have written polices that cover all the Required and Addressable HIPAA standards.

Copyright © 2014 American Water Works Association Water Sector Approach to Process Control System Security.

Security Controls – What Works

Information Security Policies and Standards

Chapter 12 Network Security.

© 2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart1 of 222 C HAPTER 7 Information Systems Controls for Systems.

Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Qualitative.

Lesson 11-Virtual Private Networks. Overview Define Virtual Private Networks (VPNs). Deploy User VPNs. Deploy Site VPNs. Understand standard VPN techniques.

Security Management IACT 918 July 2004 Gene Awyzio SITACS University of Wollongong.

Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.

Security Overview. 2 Objectives Understand network security Understand security threat trends and their ramifications Understand the goals of network.

Payment Card Industry (PCI) Data Security Standard

Beyond HIPAA, Protecting Data Key Points from the HIPAA Security Rule.

Security Architecture Dr. Gabriel. Security Database security: –degree to which data is fully protected from tampering or unauthorized acts –Full understanding.

Directory and File Transfer Services Chapter 7. Learning Objectives Explain benefits offered by centralized enterprise directory services such as LDAP.

Securing Legacy Software SoBeNet User group meeting 25/06/2004.

LINUX Security, Firewalls & Proxies. Course Title Introduction to LINUX Security Models Objectives To understand the concept of system security To understand.

1 Kyung Hee University Prof. Choong Seon HONG Network Control.

SEC835 Database and Web application security Information Security Architecture.

Intranet, Extranet, Firewall. Intranet and Extranet.

Lesson 8-Information Security Process. Overview Introducing information security process. Conducting an assessment. Developing a policy. Implementing.

Firewalls Paper By: Vandana Bhardwaj. What this paper covers? Why you need a firewall? What is firewall? How does a network firewall interact with OSI.

Security Baseline. Definition A preliminary assessment of a newly implemented system Serves as a starting point to measure changes in configurations and.

1.1 System Performance Security Module 1 Version 5.

Lesson 20-Wireless Security. Overview Introduction to wireless networks. Understanding current wireless technology. Understanding wireless security issues.

Objectives Configure routing in Windows Server 2008 Configure Routing and Remote Access Services in Windows Server 2008 Network Address Translation 1.

Module 14: Configuring Server Security Compliance

 INADEQUATE SECURITY POLICIES ›Each covered entity and business associate must have written polices that cover all the Required and Addressable HIPAA.

FIREWALLS Vivek Srinivasan. Contents Introduction Need for firewalls Different types of firewalls Conclusion.

1 Chapter 20: Firewalls Fourth Edition by William Stallings Lecture slides by Lawrie Brown(modified by Prof. M. Singhal, U of Kentucky)

Sample Security Model. Security Model Secure: Identity management & Authentication Filtering and Stateful Inspection Encryption and VPN’s Monitor: Intrusion.

INTRODUCTION. The security system is used as in various fields, particularly the internet, communications data storage, identification and authentication.

© 2001 by Carnegie Mellon University SS5 -1 OCTAVE SM Process 5 Background on Vulnerability Evaluations Software Engineering Institute Carnegie Mellon.

An Approach To Automate a Process of Detecting Unauthorised Accesses M. Chmielewski, A. Gowdiak, N. Meyer, T. Ostwald, M. Stroiński

ACM 511 Introduction to Computer Networks. Computer Networks.

Data Security Assessment and Prevention AD660 – Databases, Security, and Web Technologies Marcus Goncalves Spring 2013.

Note1 (Admi1) Overview of administering security.

Network Perimeter Defense Josef Pojsl, Martin Macháček, Trusted Network Solutions, Inc.

Secure Wired Local Area Network( LAN ) By Sentuya Francis Derrick ID Module code:CT3P50N BSc Computer Networking London Metropolitan University.

Chapter 2 Securing Network Server and User Workstations.

Scott Teeters, Jr. MicroSolved, Inc. in partnership with Sogeti USA How to Fail A Penetration Test Concepts in Securing a Network.

Module 11: Designing Security for Network Perimeters.

Network Security & Accounting

Introduction to Information Security

Lesson 19-E-Commerce Security Needs. Overview Understand e-commerce services. Understand the importance of availability. Implement client-side security.

IT Security. What is Information Security? Information security describes efforts to protect computer and non computer equipment, facilities, data, and.

Statistics Canada1 Statistics Canada’s strategic approach to IT Security OECD Conference on IT Security Paris, April 19th and 20th, 2001 Dave Venables.

ICC Module 3 Lesson 5 – IT Security 1 / 4 © 2015 Ph. Janson Information, Computing & Communication Security – Clip 0 – Introduction School of Computer.

Security fundamentals Topic 10 Securing the network perimeter.

Security fundamentals Topic 2 Establishing and maintaining baseline security.

Csci5233 Computer Security & Integrity 1 Overview of Security & Java (based on GS: Ch. 1)

Module 12: Responding to Security Incidents. Overview Introduction to Auditing and Incident Response Designing an Audit Policy Designing an Incident Response.

Workshop 2 Tutor: William Yeoh School of Computer and Information Science Secure and High Integrity System (INFT 3002)

Chapter 19: Building Systems with Assurance Dr. Wayne Summers Department of Computer Science Columbus State University

Cryptography and Network Security

Lecture 6 (Chapter 16,17,18) Network and Internet Security Prepared by Dr. Lamiaa M. Elshenawy 1.

By: Matt Winkeler.  PCI – Payment Card Industry  DSS – Data Security Standard  PAN – Primary Account Number.

Unit 2 Personal Cyber Security and Social Engineering Part 2.

© ITT Educational Services, Inc. All rights reserved. IS3220 Information Technology Infrastructure Security Unit 10 Network Security Management.

Firewalls. Overview of Firewalls As the name implies, a firewall acts to provide secured access between two networks A firewall may be implemented as.

Documents. Process. Data. Payables

Security fundamentals

Principles Identified - UK DfT -

CS457 Introduction to Information Security Systems

The University of Adelaide, School of Computer Science

Firewalls Types of Firewalls Inspection Methods Firewall Architecture

Intrusion Detection system

PLANNING A SECURE BASELINE INSTALLATION

Protection Mechanisms in Security Management

Presentation transcript:

Some general principles in computer security Tomasz Bilski Chair of Control, Robotics and Computer Science Poznań University of Technology Poznań, Poland Parts of presentation 1. Introduction 2. Minimum necessary functionality 3. Integration and cooperation 4. Internal versus external threats 5. Other important principles

1. Introduction  Diversity of security tools anti-virus software, firewalls, intrusion detection systems, port scanners, dial-up connection scanners, system log analysers, access control list analysers, password analysers, secure file deletion software, source code vulnerabilities scanners, deception toolkits, packet generators for security testing and so on The security tools should be recognised as only one part of the complex security system.  Some foundations of computer security  security models (such as Bell-LaPadula model, access matrix model, take-grant model, Biba model, Dion model, Sea View model, Jajodia- Sandhu model)  security standards (such as Trusted Computer System Evaluation Criteria, Information Technology Security Evaluation Criteria, Common Criteria for Information Technology Security Evaluation) Are the models and standards well known to security practitioners?

2. Minimum necessary functionality Increase of the computer system functionality decreases its security.  Higher functionality means:  greater complexity of the system  more access points to resources  possibility of new threats  higher probability of software errors  Inconsistency between different security aspects The availability protection methods are potential threats to confidentiality and integrity. Some relations between new functions and new threats Added functionality featureNew threat remote access and controlremote unauthorised access and control script language and macro command in application macro virus Internet connectionattack from Internet Java in WWWhostile applet

3. Integration and co-operation  Security features (such as confidentiality, integrity and availability) should be integrated with system from a starting point. They shouldn’t be the features that are added at some final step. First of all the concept of the system should be based on a proper security model and then one must keep in mind security during all other phases (design, testing, implementation, configuration, employment, maintaining) of computer system life.  The lack of security features in foundations of modern computer networks. The unsecured protocols on every layer of the protocol stack should be replaced as quickly as possible by secure versions. The security mechanisms should be integrated with other modules of information systems and should maintain and tighten co- operation. There is a need of tools, data formats, exchange procedures and other standards for such co-operation.  Many levels of co-operation:  tool level  system level  corporation and international level New security applications should be compatible with the existing and the emerging standards in the area of mutual co-operation. In testing the different aspects of security information systems it is very important to check if the many protection tools implemented in the system are able to communicate and to co-operate with each other.

4. Internal versus external threats  The majority of computer security incidents originate within organisation itself. Some sources indicate that up to 85% of all threats to security come from the inside of the company.  Some steps may and must be taken in order to change current, intolerable situation. These steps comprise: definition and incorporation of security policy, greater awareness of threats among users, automation of security procedures, improved systems for user identification and authentication, wider use of cryptography, audit and intrusion detection systems, internal firewalls.

5. Other important principles  it should be memorised that there aren’t 100% secure systems, achieving full security is not possible  security mechanisms and methods of their usage must be accepted by users  the mechanisms should be effective but simple, standardised, user- friendly and should not be time consuming  as much as possible, security mechanisms should be automated and made invisible to users  the security tools should be periodically and automatically updated  high security should be a default system attribute, not the one that is manually chosen  the system protection should be complete, redundant, periodically tested  strong encryption is necessary but not sufficient to secure information confidentiality  redundancy should be incorporated on many levels: from chip level to complete system level  each organisation should have defined and implemented security policy with essential rules of procedure