Basic Security Concepts University of Sunderland CIT304 Harry R Erwin, PhD.

Slides:

Advertisements

Similar presentations

OCTAVESM Process 4 Create Threat Profiles

Advertisements

S3-1 © 2001 Carnegie Mellon University OCTAVE SM Process 3 Identify Staff Knowledge Software Engineering Institute Carnegie Mellon University Pittsburgh,

Auditing Concepts.

The Security Analysis Process University of Sunderland CIT304 Harry R. Erwin, PhD.

A Covenant University Presentation By Favour Femi-Oyewole, BSc, MSc (Computer Science), MSc (Information Security) Certified COBIT 5 Assessor /Certified.

Lecture 2 Page 1 CS 236, Spring 2008 Security Principles and Policies CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Spring, 2008.

1 Cryptography and Network Security Third Edition by William Stallings Lecturer: Dr. Saleem Al_Zoubi.

How to Prepare for the Fall Exam COM380/CIT304 Harry Erwin, PhD University of Sunderland.

Introducing Computer and Network Security

The Architecture Design Process

©Ian Sommerville 2006Software Engineering, 8th edition. Chapter 30 Slide 1 Security Engineering.

Security+ Guide to Network Security Fundamentals, Third Edition Chapter 9 Performing Vulnerability Assessments.

Stephen S. Yau CSE465 & CSE591, Fall Information Assurance (IA) & Security Overview Concepts Security principles & strategies Techniques Guidelines,

Lecture 11 Reliability and Security in IT infrastructure.

Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Quantitative.

EEC 693/793 Special Topics in Electrical Engineering Secure and Dependable Computing Lecture 2 Wenbing Zhao Department of Electrical and Computer Engineering.

Pertemuan 02 Aspek dasar keamanan Jaringan dan ketentuan baku OSI

©Ian Sommerville 2006Software Engineering, 8th edition. Chapter 30 Slide 1 Security Engineering.

Software Process and Product Metrics

©Ian Sommerville 2006Critical Systems Slide 1 Critical Systems Engineering l Processes and techniques for developing critical systems.

©Ian Sommerville 2004Software Engineering, 7th edition. Chapter 2 Slide 1 Systems engineering 1.

Information Systems Controls for System Reliability -Information Security-

Software Dependability CIS 376 Bruce R. Maxim UM-Dearborn.

© Pearson Education Limited, Chapter 5 Database Administration and Security Transparencies.

1 Chapter 2 Socio-technical Systems (Computer-based System Engineering)

Conostix S.A. Sensible defence.

Introducing Computer and Network Security. Computer Security Basics What is computer security? –Answer depends on the perspective of the person you’re.

The Security Analysis Process University of Sunderland CSEM02 Harry R. Erwin, PhD.

©Ian Sommerville 2000 Software Engineering, 6th edition. Chapter 2Slide 1 Chapter 2 Computer-Based System Engineering As modified by Randy Smith.

How Hospitals Protect Your Health Information. Your Health Information Privacy Rights You can ask to see or get a copy of your medical record and other.

Computer Security “Measures and controls that ensure confidentiality, integrity, and availability of IS assets including hardware, software, firmware,

Security Architecture

Computer & Network Security

Topic (1)Software Engineering (601321)1 Introduction Complex and large SW. SW crises Expensive HW. Custom SW. Batch execution.

Socio-technical Systems (Computer-based System Engineering)

John Carpenter & lecture & Information Security 2008 Lecture 1: Subject Introduction and Security Fundamentals.

Chapter 1 Overview The NIST Computer Security Handbook defines the term Computer Security as:

1 ITGD 2202 Supervision:- Assistant Professor Dr. Sana’a Wafa Al-Sayegh Dr. Sana’a Wafa Al-SayeghStudent: Anwaar Ahmed Abu-AlQumboz.

Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 1 Security Architecture.

Alaa Mubaied Risk Management Alaa Mubaied

1 Chapter 1 – Background Computer Security T/ Tyseer Alsamany - Computer Security.

Lecture slides prepared for “Computer Security: Principles and Practice”, 3/e, by William Stallings and Lawrie Brown, Chapter 1 “Overview”. © 2016 Pearson.

12/18/20151 Computer Security Introduction. 12/18/20152 Basic Components 1.Confidentiality: Concealment of information (prevent unauthorized disclosure.

T.A 2013/2014. Wake Up Call! Malware hijacks your , sends death threats. Found in Japan (Oct 2012) Standford University Recent Network Hack May Cost.

Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 1 Security Architecture.

Introduction and Overview of Information Security and Policy By: Hashem Alaidaros 4/10/2015 Lecture 1 IS 332.

Slide 1 Security Engineering. Slide 2 Objectives l To introduce issues that must be considered in the specification and design of secure software l To.

Chapter 19: Building Systems with Assurance Dr. Wayne Summers Department of Computer Science Columbus State University

Basic Security Concepts University of Sunderland CSEM02 Harry R Erwin, PhD.

E-Commerce E-Commerce Security?? Instructor: Safaa S.Y. Dalloul E-Business Level Try to be the Best.

Risk management. Definition and Aim  Risk management is examine systematically all risks and react on them, taking into account all the effects of.

PREPARED BY: MS. ANGELA R.ICO & MS. AILEEN E. QUITNO (MSE-COE) COURSE TITLE: OPERATING SYSTEM PROF. GISELA MAY A. ALBANO PREPARED BY: MS. ANGELA R.ICO.

Lecturer: Eng. Mohamed Adam Isak PH.D Researcher in CS M.Sc. and B.Sc. of Information Technology Engineering, Lecturer in University of Somalia and Mogadishu.

Advanced System Security Dr. Wayne Summers Department of Computer Science Columbus State University

By: Mark Reed.  Protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction.

Computer Security Introduction

Auditing Concepts.

Outline Basic concepts in computer security

Chapter 1: Introduction

Software Security ITGD 2202 Supervision:- Assistant Professor

CS 450/650 Fundamentals of Integrated Computer Security

Security Engineering.

Chapter 19: Building Systems with Assurance

GROUP MEMBERS NAME ROLL NO SHAUBAN ALI 17-ARID-5650 UMAIR MUSHTAQ 17-ARID-5656 TARIQ SAEED 17-ARID-5657 MUSKAN WADOOD 17-ARID-5641.

Operations Security (OPSEC)

IS4680 Security Auditing for Compliance

Computer Security Introduction

Security Principles and Policies CS 236 On-Line MS Program Networks and Systems Security Peter Reiher.

Internal Control Internal control is the process designed and affected by owners, management, and other personnel. It is implemented to address business.

Chapter 1 Key Security Terms.

Presentation transcript:

Basic Security Concepts University of Sunderland CIT304 Harry R Erwin, PhD

Analyzing Security (from Schneier, 2003, Beyond Fear) These are the questions we must usually answer. 1.What assets are you trying to protect? 2.What are the risks to those assets? 3.How are you trying to protect them? 4.How well does your solution work? 5.What other risks does your solution introduce? 6.What are the costs and trade-offs of your solution? (I often ask this as an exam question.)

Systems Security involves systems, and systems are not simple. They’re complex, elusive, and maddening. ‘A collection of simpler components that interact to form a greater whole.’ Hardware, software, people, and procedures. Systems also interact with other systems. Unexpected interactions are called ‘emergent properties’ or ‘unintended consequences.’ These are our concern.

Security Systems Most systems do something. Security systems are different—they prevent things from happening. You will care about how systems fail and how they can be made to fail. It’s ‘applied paranoia.’

The Roles of People in Security Decision-makers—choose what mechanisms and policies to follow, often to further their own agendas. Users—cooperative or uncooperative. Basic to making security work. Innocent bystanders—but still often affected. Attackers—sometimes not malicious, but usually intending to do what they did.

Bruce Schneier’s Three Rules of Understanding Security Schneier Risk Demystification: Numbers matter and are not that hard to understand. Schneier Secrecy Demystification: Secrecy is anathema to security: –It’s brittle –It conceals abuse –It prevents sensible trade-offs Schneier Agenda Demystification: Know the agendas of the people involved in a security decision. They usually drive the decision in certain directions.

Basic Terminology Vulnerability Threat Risk Trust Reliability Security Integrity (Know these definitions cold!)

Vulnerability ‘A weakness that may lead to undesirable consequences.’ Typical vulnerabilities include –Hardware –Software –Procedure –External or environmental

Threat ‘The danger that a vulnerability will actually occur.’ Describes how the vulnerability would be attacked: –E.g., buffer overflow is the vulnerability, and the threat would be transmission of a TCP/IP packet to cause buffer overflow. Should be quantified by a rate of attack—i.e., how frequently an effective attack can be expected to occur.

Risk ‘A potential problem’, consisting of a –Vulnerability –Threat (expected attack rate) –Expected extent of the consequences. Hence risk in this sense is cost per unit of time (although the elements may be very hard to estimate) You can also think about the capital cost of risk. To convert between the two, you use the cost of money (i.e., interest). These are what managers must evaluate against the costs of mitigating the risk.

Trust ‘A relationship between two entities where one entity allows the other to perform certain actions.’ In traditional security, based on need to know, and can be managed by security level and authorizations. In e-commerce, becomes very complex. Currently a leading-edge research area.

Reliability ‘The system performs functionally as expected.’ Related to availability. Availability (a fraction) can be computed numerically as time the system is actually functional divided by the time the system is supposed to be functional. Related terminology include: –MTTF—mean time to failure (time) –MTTR—mean time to repair (time)

Security ‘Freedom from undesirable events’—hence much broader than the usual concept. In the UK, there are three elements to security (in a narrow sense) often listed: –Confidentiality—‘protection of data from unauthorized access.’ –Integrity—‘protection of data from unauthorized modification.’ More generally, certain desirable conditions are maintained over time –Availability—‘the system is usable by authorized users.’

Summary A security analyst, a safety analyst, and a risk analyst have very similar job descriptions—all are concerned with managing risk. Risk is expensive. The distinctive character of the security analyst’s job reflects a primary concern with malicious and intelligent threats. The US security analysis community was unsurprised by the events of 11/9/2001—we had already thought about the scenario (and worse ones).

Assignment Over the next two weeks, read Schneier (2003) Beyond Fear. We’ll pick up security again in two weeks.