Advanced Accounting Information Systems Day 23 Operating Systems Security October 16, 2009.

Announcements
–Quiz 5
–Assignment 4 – due today
    Task as IT auditor is to identify potential problems the new owner may encounter with Threadchic
–Midterm
    In class – systems documentation, SQL queries
    Out of class – four essay questions, you pick the two to write on, maximum of two double-spaced pages per essay question
–Covers systems development, IT auditing, internal controls

Objectives – Operating Systems Security
Understand the core components of operating systems
Understand the common implementations of the main operating system components as well as the associated risk and control considerations
Apply security principles and concepts to effectively secure operating systems

Blaster Worm
Remote procedure call
–Core operating system component implemented in the Windows family of products
    Allows a computer to invoke and execute programs from remote computers
    Present on every Windows computer and has the highest level of privileges
July 16, 2003 announcement of a critical vulnerability that allowed attackers to send specially crafted malformed messages and thereby run any code of their choice on a computer with no restrictions
–Attackers could then install any software on a machine
    Capture keystrokes to get passwords
    Impersonate users
    Read or delete any s

Blaster Worm
Department of Homeland Security issued high-profile alerts, but many businesses and end users did not install the patch
August 11, 2003, MSBlaster worm was released in the wild
–Within 204 hours, over 330,000 computers were infected
–Resulted in denial of service for Windows users as infected computers frequently rebooted
–Caused CSX Transportation Corporation to stop trains, causing serious delays for commuter rail service near Washington DC
–Caused Air Canada to delay flights
–Forced Maryland’s motor vehicle agency to close for a day
–Kicked Swedish Internet users offline
–Contributed to the major power blackout on the East Coast

Goal of Chapter
For each environment – operating systems, applications, databases, telecommunication networks, data networks, and Web systems – we look at the risks that affect these environments and learn about controls to mitigate the risks
Breach in one environment may affect other environments, given that these environments depend on each other
Most important environment that needs to be secured – operating system

Common Operating Systems
Every command entered on a computer is managed and processed by the operating system
–All data files, applications, and databases reside on the operating system
Operating system – house that contains various safes (applications and databases) – if someone breaks into the house, they can just pick up the safe and run, no matter how strong the security lock is on the safe
–Thus compromise of the operating system almost always leads to compromise of its contents, including the various applications and databases

Operating Systems
Operating system – software that controls the operation of a computer and directs the processing of programs by assigning storage space in memory and controlling input and output functions
Interface between end user and various applications
Must also manage the hardware present in the computer
API – application programming interface
Rainbow series books
–Orange book – trusted computer system evaluation criteria – seven classes – see table 7.1

Orange Book summary chart
Division D – minimum security
–D – systems that aren’t rated higher
Division C – discretionary protection
–C1 – discretionary security protection
–C2 – controlled access protection
Division B
Division A
–A1 – verified design

Common Operating Systems
Windows
Linux
z/OS
NetWare

Common Risks and Controls – Authentication
Passwords
–Risks
–Controls
Other authentication technologies

Common Risks and Controls – Authorization
Permissions
–Risks
–Controls

Common Risks and Controls – Trust Relationships
Why establish trust?
–Data exchange between two systems without requiring user intervention to first authenticate and authorize the transaction
–User movement across multiple systems without having to re-authenticate
Risks
Controls

Common Risks and Controls – Job Scheduling
Risks
Controls

Common Risks and Controls – File Systems
Local File Systems
Remote File Systems
File and Directory Permissions
Risks
Controls

Common Risks and Controls – Software Updates
Risks
Controls

Assurance Considerations
Number of workstations and servers on the system
Number of different operating systems used
Criticality of the computers or data stored on the system
Types of tools available for collection and analysis of data detailing the security controls

Vocabulary Review
Access control list
Active Directory
Application programming interface
Authentication
Authorization
Baseline
Biometrics
Brute-force attacks
Common Internet File System (CIFS)
Dictionary attacks
File system
Jobs
Malware
NetWare Directory Service (NDS)
Network File System (NFS)

Vocabulary Review
One-time password (OTP)
One-way hash algorithms
Operating system
Password file
Password hash
Permissions
Piggybacking
Root
Salt
Samba
Secure Shell (SSH)
Server Message Block (SMB)
Shadow file
Smart card
Tripwire
Trust relationship
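As an added illustration of several terms in the vocabulary list (password hash, one-way hash algorithms, salt, shadow file, dictionary attacks) and of the password risks and controls on the authentication slide, the Python below is not part of the lecture. It stores and verifies passwords as salted one-way hashes, shadow-file style, and shows why an unsalted password file lets one precomputed dictionary entry expose every account that chose the same password. The PBKDF2 iteration count, the 16-byte salt length and the sample accounts are assumed values constructed for this example.

```python
import hashlib
import hmac
import os
from typing import Dict, Tuple

ITERATIONS = 100_000   # PBKDF2 work factor; an assumed value for this example
SALT_BYTES = 16        # per-user random salt length; also an assumed value


def hash_password(password: str, salt: bytes) -> bytes:
    """One-way hash of the password mixed with a per-user salt (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def create_record(password: str) -> Tuple[bytes, bytes]:
    """Make a shadow-file style record: a fresh random salt plus the salted hash.
    Only the salt and the hash are stored; the password itself is never kept."""
    salt = os.urandom(SALT_BYTES)
    return salt, hash_password(password, salt)


def verify_password(password: str, record: Tuple[bytes, bytes]) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    salt, stored = record
    return hmac.compare_digest(hash_password(password, salt), stored)


def unsalted_hash(password: str) -> str:
    """Legacy password-file style: a bare one-way hash with no salt."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def duplicate_hash_groups(users: Dict[str, str], salted: bool) -> int:
    """Build a password table for the given accounts and count how many distinct
    stored hashes are shared by more than one account. Without salt, every user
    with the same password gets the identical hash, so one precomputed dictionary
    entry unmasks all of them at once; with a per-user salt the stored values
    differ and precomputed tables no longer apply."""
    seen: Dict[bytes, int] = {}
    for password in users.values():
        digest = create_record(password)[1] if salted else unsalted_hash(password).encode()
        seen[digest] = seen.get(digest, 0) + 1
    return sum(1 for count in seen.values() if count > 1)


# Constructed sample accounts; two of them picked the same weak password.
SAMPLE_USERS = {"alice": "Winter2009!", "bob": "Winter2009!", "carol": "x9$Lm!qe"}
```

Running duplicate_hash_groups(SAMPLE_USERS, salted=False) reports one shared hash (alice and bob), while the salted table reports none, which is the control the salt provides.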

Questions for Monday
Identify common risks to application security and suggest at least one control to mitigate each risk