Presentation is loading. Please wait.

Presentation is loading. Please wait.

Introducing Computer and Network Security

Published by Modified over 8 years ago

Similar presentations

Presentation on theme: "Introducing Computer and Network Security"— Presentation transcript:

1 Introducing Computer and Network Security
Chapter 1

2 Computer Security Basics
What is computer security? Answer depends upon the perspective of the person you’re asking Network administrator has a different perspective than an end user or a security professional “A computer is secure if you can depend on it and its software to behave as you expect” [Garfinkel,Spafford]

3 Computer Security Basics (continued)
CIA Triad Goals for implementing security practices Confidentiality, Integrity, and Availability DAD Triad Goals for defeating the security of an organization Disclosure, Alteration, and Denial

4 CIA Triad

5 CIA Triad (continued) Confidentiality Integrity Availability
Confidential information should not be accessible to unauthorized users Integrity Data may only be modified through an authorized mechanism Availability Authorized users should be able to access data for legitimate purposes as necessary

6 DAD Triad

7 DAD Triad (continued) Disclosure Alteration Denial
Unauthorized individuals gain access to confidential information Alteration Data is modified through some unauthorized mechanism Denial Authorized users cannot gain access to a system for legitimate purposes DAD activities may be malicious or accidental

8 Introducing Networks In early days, computer security focused on protecting individual systems Advent of Local Area Networks (LANS) and Internet make the job much more difficult Security considerations include: Protecting TCP/IP protocol Firewalls Intrusion detection systems

9 Threats to Security Hacker Malicious code object
Anyone who attempts to penetrate the security of an information system, regardless of intent Early definition included anyone very proficient in computer use Malicious code object Virus, worm, Trojan horse A computer program that carries out malicious actions when run on a system

10 Threats to Security (continued)
Malicious insider Someone from within the organization that attempts to go beyond the rights and permissions that they legitimately hold Security professionals and system administrators are particularly dangerous

11 Risk Analysis Actions involved in risk analysis:
Determine which assets are most valuable Identify risks to assets Determine the likelihood of each risk occurring Take action to manage the risk Security professionals formalize the risk analysis process

12 Identifying and Valuing Assets
First step of risk analysis process Identify the information assets in the organization Hardware, software, and data Assign value to those assets using a valuation method Assigning value to assets is the foundation for decisions about cost/benefit tradeoffs

13 Identifying and Valuing Assets (continued)
Common valuation methods Replacement cost valuation Uses the replacement cost as the value of an asset Original cost valuation Uses the original purchase price as the value of an asset Depreciated valuation Uses the original cost less an allowance for value deterioration Qualitative valuation Assigns priorities to assets without using dollar values

14 Identifying and Assessing Risks
Second step in risk analysis process Two major classifications of risk assessment techniques Qualitative Quantitative Vulnerability An internal weakness in a system that may potentially be exploited Not having antivirus software is an example

15 Identifying and Assessing Risks (continued)
Threat A set of external circumstances that may allow a vulnerability to be exploited The existence of a particular virus for example Risk occurs when a threat and a corresponding vulnerability both exist

16 Identifying and Assessing Risks (continued)

17 Identifying and Assessing Risk (continued)
Qualitative Risk Assessment Focuses on analyzing intangible properties of an asset rather than monetary value Prioritizes risks to aid in the assignment of security resources Relatively easy to conduct

18 Identifying and Assessing Risk (continued)
Quantitative Risk Assessment Assigns dollar values to each risk based on measures such as asset value, exposure factor, annualized rate of occurrence, single loss expectancy, and annualized loss expectancy Uses potential loss amount to decide if it is worth implementing a security measure

19 Managing Risks Risk Avoidance Risk Mitigation
Used when a risk overwhelms the benefits gained from having a particular mechanism available Avoid any possibility of risk by disabling the mechanism that is vulnerable Disabling is an example of risk avoidance Risk Mitigation Used when a threat poses a great risk to a system Takes preventative measures to reduce the risk A firewall is an example of risk mitigation

20 Managing Risk (continued)
Risk Acceptance Do nothing to prevent or avoid the risk Useful when risk or potential damage is small Risk Transference Ensure that someone else is liable if damage occurs Buy insurance for example Combinations of the above techniques are often used

21 Considering Security Tradeoffs
Security can be looked at as a tradeoff between risks and benefits Cost of implementing the security mechanism and the amount of damage it may prevent Tradeoff considerations are security, user convenience, business goals, and expenses

22 Considering Security Tradeoffs (continued)
An important tradeoff involves user convenience Between difficulty of use and willingness of users If users won’t use a system because of cumbersome security mechanisms, there is no benefit to having security If users go out of their way to circumvent security, the system may be even more vulnerable

23 Policy and Education Cornerstone of a security effort is to
Implement proper policies Educate users about those policies Information security policies should be Flexible enough not to require frequent rewrites Comprehensive enough to ensure coverage of situations Available to all members of the organization Readable and understandable

24 Summary CIA Triad summarizes the goals of security professionals (confidentiality, integrity, and availability) DAD Triad summarizes the goals of those who seek to evade security measures (disclosure, alteration, and denial) The explosion of networking has shifted focus from protecting individual computers to protecting interconnected computers

25 Summary (continued) Threats to security include hackers, malicious code objects, malicious insiders Risk analysis is used to determine the cost/benefit tradeoffs of implementing specific security measures Valuation of assets Identifying and assessing risks Determining the likelihood and potential costs of risks Determining how to manage risks given this information Setting effective policies and educating users about policies is key

Download ppt "Introducing Computer and Network Security"

Similar presentations

Security+ All-In-One Edition Chapter 17 – Risk Management

Security+ All-In-One Edition Chapter 17 – Risk Management
COMP6005 An Introduction to Computing Session One: An Introduction to Computing Security Issues.

COMP6005 An Introduction to Computing Session One: An Introduction to Computing Security Issues.
Is There a Security Problem in Computing? Network Security / G. Steffen1.

Is There a Security Problem in Computing? Network Security / G. Steffen1.
E-Commerce Security Issues. General E-Business Security Issues Any E-Business needs to be concerned about network security. The Internet is a “ public.

E-Commerce Security Issues. General E-Business Security Issues Any E-Business needs to be concerned about network security. The Internet is a “ public.
Lecture 1: Overview modified from slides of Lawrie Brown.

Lecture 1: Overview modified from slides of Lawrie Brown.
The Ecommerce Security Environment For most law-abiding citizens, the internet holds the promise of a global marketplace, providing access to people and.

The Ecommerce Security Environment For most law-abiding citizens, the internet holds the promise of a global marketplace, providing access to people and.
Security+ Guide to Network Security Fundamentals

Security+ Guide to Network Security Fundamentals
Security strategy. What is security strategy? How an organisation plans to protect and respond to security attacks on their information technology assets.

Security strategy. What is security strategy? How an organisation plans to protect and respond to security attacks on their information technology assets.
Note1 (Intr1) Security Problems in Computing. Overview of Computer Security2 Outline Characteristics of computer intrusions –Terminology, Types Security.

Note1 (Intr1) Security Problems in Computing. Overview of Computer Security2 Outline Characteristics of computer intrusions –Terminology, Types Security.
1 An Overview of Computer Security computer security.

1 An Overview of Computer Security computer security.
Copyright © 2002 Pearson Education, Inc. Slide 5-1 PERTEMUAN 8.

Copyright © 2002 Pearson Education, Inc. Slide 5-1 PERTEMUAN 8.
Security+ Guide to Network Security Fundamentals, Third Edition Chapter 9 Performing Vulnerability Assessments.

Security+ Guide to Network Security Fundamentals, Third Edition Chapter 9 Performing Vulnerability Assessments.
Firewalls Presented by: Sarah Castro Karen Correa Kelley Gates.

Firewalls Presented by: Sarah Castro Karen Correa Kelley Gates.
Network Security PHILADELPHIA UNIVERSITY Ahmad Alghoul 2010-2011 Module 1 Introduction: To Information & Security  Modified by :Ahmad Al Ghoul  Philadelphia.

Network Security PHILADELPHIA UNIVERSITY Ahmad Alghoul Module 1 Introduction: To Information & Security  Modified by :Ahmad Al Ghoul  Philadelphia.
Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Quantitative.

Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Quantitative.
Security Overview. 2 Objectives Understand network security Understand security threat trends and their ramifications Understand the goals of network.

Security Overview. 2 Objectives Understand network security Understand security threat trends and their ramifications Understand the goals of network.
Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Information.

Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Information.
IT Security Readings A summary of Management's Role in Information Security in a Cyber Economy and The Myth of Secure Computing.

IT Security Readings A summary of Management's Role in Information Security in a Cyber Economy and The Myth of Secure Computing.
Storage Security and Management: Security Framework

Storage Security and Management: Security Framework
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public ITE PC v4.0 Chapter 1 1 Basic Security Networking for Home and Small Businesses – Chapter 8.

© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public ITE PC v4.0 Chapter 1 1 Basic Security Networking for Home and Small Businesses – Chapter 8.

Similar presentations

Ads by Google