Presentation is loading. Please wait.

Presentation is loading. Please wait.

Computer Security Workshops Security 101 - Introduction, Central Principles and Concepts.

Published byMarshall Mark Williamson Modified over 9 years ago

Similar presentations

Presentation on theme: "Computer Security Workshops Security 101 - Introduction, Central Principles and Concepts."— Presentation transcript:

1 Computer Security Workshops Security 101 - Introduction, Central Principles and Concepts

2 Why Study Computer Security? Increasingly important issue for: Computer system and network administrators Computer system and network administrators Application programmers Application programmers Security issues follow technology Desktop systems, wireless networks, handheld devices Desktop systems, wireless networks, handheld devices Security issues affect software, laws, profits and businesses

3 Computer Security Definition – ensuring the security of resources in a computing environment “ensuring” – work to make it so – a process “ensuring” – work to make it so – a process “resources” – data, network, hardware, applications, … “resources” – data, network, hardware, applications, … “computing environment” – mix of hardware, software and people “computing environment” – mix of hardware, software and people

4 Information Assurance A broader category than computer security, information security, etc. Concerned with the Security of information in system Security of information in system Quality/Reliability of information in system Quality/Reliability of information in system

5 Core Security Concepts Vulnerability, Exploit, Threat Vulnerability – a weakness in some aspect of a system Vulnerability – a weakness in some aspect of a system Exploit – a known method for taking advantage of a vulnerability Exploit – a known method for taking advantage of a vulnerability Threat – the likelihood of some agent using an exploit to compromise security Threat – the likelihood of some agent using an exploit to compromise security Note: not all users/groups are equal threats to various systems “Hackers” more of a threat to popular web sites, businesses “Hackers” more of a threat to popular web sites, businesses Disgruntled employees more of a threat to isolated businesses Disgruntled employees more of a threat to isolated businesses

6 Interesting Security Email Lists Cryptogram Newsletter, Bruce Schneier http://www.counterpane.com; Library, Crypto-gram http://www.counterpane.com; Library, Crypto-gram http://www.counterpane.com US/CERT Advisory List (Dept. of Homeland Security) http://www.us-cert.gov ; Advisories by Email http://www.us-cert.gov ; Advisories by Email http://www.us-cert.gov Bugtraq List http://seclists.org/about/bugtraq.txt, subscription information about 2/3 down the page http://seclists.org/about/bugtraq.txt, subscription information about 2/3 down the page http://seclists.org/about/bugtraq.txt

7 Principles To Consider Security is a very difficult topic to comprehend No silver bullets However, consideration of major principles will help develop a good set of security processes and policies

8 1 st Principle “Security is a process, not a product” – attributed to Bruce Schneier of Counterpane Security Systems, others Not something you purchase Not something you purchase Rather, a set of processes (approved set of steps) and policies (rules for behavior) you create and enforce in your environment Rather, a set of processes (approved set of steps) and policies (rules for behavior) you create and enforce in your environment Must be dealt with continually Must be dealt with continually

9 2 nd Principle Computer Security is not just about computer systems Three major aspects to computer security Three major aspects to computer securityTechnology Hardware (systems, networks, any connected equipment) Hardware (systems, networks, any connected equipment) Software (programming, configuration) Software (programming, configuration) People, in many different roles Legitimate users, disgruntled users, hackers Legitimate users, disgruntled users, hackers Insiders vs. outsiders – fuzzy line! Insiders vs. outsiders – fuzzy line! Social engineering is a large concern Social engineering is a large concern Best technological security is worthless is someone is tricked into turning it off / allowing access through it Physical environment Surroundings, access, proximity Surroundings, access, proximity

10 3 rd Principle Security and convenience are inversely proportional Lack of security generally makes it easier to get work done Lack of security generally makes it easier to get work done Addition of security may interfere with the ease of getting a job done Addition of security may interfere with the ease of getting a job done Goal: find the balance point that supports both Goal: find the balance point that supports both

11 4 th Principle Security succeeds or fails based on the weakest link All aspects (technology, people, environment) must be attended to equally All aspects (technology, people, environment) must be attended to equally Must remain current with each aspect Must remain current with each aspect E.g. software patches should be applied as they come out, not when you “get around to it” Corollary: “People are the weakest link” – Kevin Mitnick

12 5 th Principle Hackers are generally technologists (as opposed to programmers) Smaller group of hackers program exploits, viruses Smaller group of hackers program exploits, viruses More hackers apply technology already available, sometimes in creative ways More hackers apply technology already available, sometimes in creative ways Poor configuration of systems is a major security problem Poor configuration of systems is a major security problem Corollary – good programming skills aren’t sufficient to make a good security professional Corollary – good programming skills aren’t sufficient to make a good security professional Add understanding of networks & technology, attention to detail, creativity, …

13 6 th Principle Utilize Multiple Layers of Defense E.g. Network hardware E.g. Network hardware Router – initial line of defense Bastion host(s) – system(s) visible/available to outside world (e.g. web server) Firewall – second line of defense Secure intranet – internally available systems Can anyone bypass one or more layers? Can anyone bypass one or more layers?

14 7 th Principle Focus your security energy on dealing with the most likely threats Consider what is most relevant to your environment Consider what is most relevant to your environment Which vulnerabilities do you have? Which of these have known exploits? What users are likely to cause problems? What is the likelihood of a given threat?

15 8 th Principle One aspect of security is obscurity Don’t set yourself up as a target Don’t set yourself up as a target Maintain a low network profile for your business, computer system, etc. Maintain a low network profile for your business, computer system, etc. Problem: contradicts marketing principles if you’re a business Examples Examples Windows is attacked more than MacOS/OS X Those who claim their systems can’t be hacked will have lots of people trying…

16 Putting It Together Computer Security is balancing of a number of interrelated factors Considering Security Goals Considering Security Goals Developing Layered Protection (Vertically,Horizontally) Developing Layered Protection (Vertically,Horizontally) Utilizing Available Resources Utilizing Available Resources Developing and Enforcing Policies and Processes Developing and Enforcing Policies and Processes Minimizing Interference With Functionality Minimizing Interference With Functionality Weighing of Risks Weighing of Risks Maintaining Constant Vigilance Maintaining Constant Vigilance

Download ppt "Computer Security Workshops Security 101 - Introduction, Central Principles and Concepts."

Similar presentations

ETHICAL HACKING A LICENCE TO HACK

ETHICAL HACKING A LICENCE TO HACK
Ethics, Privacy and Information Security

Ethics, Privacy and Information Security
ITIS 1210 Introduction to Web-Based Information Systems Chapter 44 How Firewalls Work How Firewalls Work.

ITIS 1210 Introduction to Web-Based Information Systems Chapter 44 How Firewalls Work How Firewalls Work.
Firewalls Dr.P.V.Lakshmi Information Technology GIT,GITAM University

Firewalls Dr.P.V.Lakshmi Information Technology GIT,GITAM University
1 No Silver Bullet : Inherent Limitations of Computer Security Technologies Jeffrey W. Humphries Texas A&M University.

1 No Silver Bullet : Inherent Limitations of Computer Security Technologies Jeffrey W. Humphries Texas A&M University.
PHYSICAL SECURITY Attacker. Physical Security Not all attacks on your organization's data come across the network. Many companies focus on an “iron-clad”

PHYSICAL SECURITY Attacker. Physical Security Not all attacks on your organization's data come across the network. Many companies focus on an “iron-clad”
Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch

Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch
11 ASSESSING THE NEED FOR SECURITY Chapter 1. Chapter 1: Assessing the Need for Security2 ASSESSING THE NEED FOR SECURITY  Security design concepts 

11 ASSESSING THE NEED FOR SECURITY Chapter 1. Chapter 1: Assessing the Need for Security2 ASSESSING THE NEED FOR SECURITY  Security design concepts 
Security+ Guide to Network Security Fundamentals

Security+ Guide to Network Security Fundamentals
Firewall Ercan Sancar & Caner Sahin. Index History of Firewall Why Do You Need A Firewall Working Principle Of Firewalls Can a Firewall Really Protect.

Firewall Ercan Sancar & Caner Sahin. Index History of Firewall Why Do You Need A Firewall Working Principle Of Firewalls Can a Firewall Really Protect.
Firewall Security Chapter 8. Perimeter Security Devices Network devices that form the core of perimeter security include –Routers –Proxy servers –Firewalls.

Firewall Security Chapter 8. Perimeter Security Devices Network devices that form the core of perimeter security include –Routers –Proxy servers –Firewalls.
INTRANET SECURITY Catherine Alexis CMPT 585 Computer and Data Security Dr Stefan Robila.

INTRANET SECURITY Catherine Alexis CMPT 585 Computer and Data Security Dr Stefan Robila.
SIRT Contact Orientation Security Incident Response Team Departmental Security Contacts April 16, 2004.

SIRT Contact Orientation Security Incident Response Team Departmental Security Contacts April 16, 2004.
A Network Security Overview Thomas Kernes November 1, 2000.

A Network Security Overview Thomas Kernes November 1, 2000.
Lecture 11 Reliability and Security in IT infrastructure.

Lecture 11 Reliability and Security in IT infrastructure.
Computer Security: Principles and Practice

Computer Security: Principles and Practice
Computer Security Fundamentals

Computer Security Fundamentals
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Security Policies and Implementation Issues.

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company All rights reserved. Security Policies and Implementation Issues.
Security Overview. 2 Objectives Understand network security Understand security threat trends and their ramifications Understand the goals of network.

Security Overview. 2 Objectives Understand network security Understand security threat trends and their ramifications Understand the goals of network.
Small Business Security By Donatas Sumyla. Content Introduction Tools Symantec Corp. Company Overview Symantec.com Microsoft Company Overview Small Business.

Small Business Security By Donatas Sumyla. Content Introduction Tools Symantec Corp. Company Overview Symantec.com Microsoft Company Overview Small Business.

Similar presentations

Ads by Google