Presentation is loading. Please wait.

Presentation is loading. Please wait.

Security Week 10 Lecture 1. Why do we need security? Identify and authenticate people wanting to use the system Prevent unauthorised persons from accessing.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Security Week 10 Lecture 1. Why do we need security? Identify and authenticate people wanting to use the system Prevent unauthorised persons from accessing."— Presentation transcript:

1 Security Week 10 Lecture 1

2 Why do we need security? Identify and authenticate people wanting to use the system Prevent unauthorised persons from accessing the system Stealing information Doing malicious damage Prevent authorised persons from Doing things they ought not Seeing data they ought not

3 Security in perspective Read the preface from Schneier’s book –it is on the web “Security is a chain; it's only as secure as the weakest link.” "Security is a process, not a product." “If you think technology can solve your security problems, then you don't understand the problems and you don't understand the technology.”

4 Or Computer system security is NOT Network security and Network Security is not Cryptography

5 And Like Reliability and Performance Security starts in design and continues for the life of the system

6 Common misconceptions – The Economist - October 26 th 2002 Security can be fixed with technology Security can be left to the specialists Security is about virus outbreaks and malicious hackers Security is very boring This article is up on the web.

7 Access WAN Communications LAN Physical Data Where is the risk?

8 Another quote Mathematics (cryptography) are impeccable Computers are vincible Networks are lousy People are abysmal

9 Three key elements Prevention Detection Reaction

10 Security risks are within Most books concentrate on network security, but most DIS are of little interest to people outside Most security breaches are from within the organisation and by relatively technically illiterate people (one survey suggests 70% of attacks are from inside) They are people who want something they ought not have – like your medical records, your pay details, your exam marks – perhaps next month’s DIS exam!

11 Security is in the hands of: System architect Analysts & Programmers System administrator Database administrator Network manager Risk manager According to @Stake, 70% of security defects are due to flaws In software design.

12 Risk assessment Identify the risk before determining the solution We used to secure the perimeter, now there is no door to lock

13 Security starts with policies Hardware and software implement policies (the police and the law courts would be of little use without legislation) The policy statement will: State that security is important to the organisation Define the principles underlying the organisation’s security Define what constitutes acceptable use Give notice that security is monitored State what the procedure is when security is breached The aim is to make security everyone’s business

14 Publicity is important A policy is of little use if all staff do not know about it In some organisations new staff are required to read and sign the security policy Reminders are necessary It needs to be kept up to date It helps to have the odd public execution

15 Policies, Standards & Procedures Policy Password access is required to all key systems Standard defines how the policy is to be achieved Passwords are to be changed every 3 months Passwords must not be repeats of previous passwords Passwords will have a minimum of 6 characters Etc Procedure implements the standard A temporary password is allocated by personnel, as part of the user account creation process The temporary password has a currency of 1 week and must be changed by the user within that period etc

16 Access level Staff are grouped according to the rights and responsibilities they have on the system For example the policy on access to the HR system may be: Staff can view their own records Staff have access to the telephone and office/location list for all staff Staff can change own home contact and next of kin details Other staff details may only be changed by HR staff Managers have access to the records of staff reporting to them

17 This gives a matrix of rights Staff can see full list of staff but showing limited details Managers can see all details of staff they are responsible for Staff can change some details of own record HR can change all details Managers can change no details

18 We have three access levels Staff Managers HR people But we also need to know: The ID of the person accessing the system The staff that report to a manager The department a person is in

19 How do we implement this? Within the application because we know the functions of the system Within the database, users can be restricted Not allowed to use DBA functions May see some tables but not update them May be restricted to see or update a “view” of a table

20 What is a view? A view can be a subset of the records and/or a subset of the attributes of those records Example –Create view STAFF_LIST as –Select STAFF_RECORD where STAFF_ID is equal to USER_ID This view might be appropriate for staff looking at their own records

21 Identification & authentication Identification – “Who are you” Authentication – “Prove it” Its aim is to –Let authorised persons in –Keep unauthorised persons out –Keep a record of what happens

22 Authentication is based on Something you know – password Something you are – biometrics Something you have – card or token And often two of these –Your Mastercard & –PIN number

23 Authentication of the user The whole mechanism is dependent on a reliable authentication of the person accessing the system In most systems this is done by password But passwords can be easily misused KPMG auditor quoted as saying most passwords can be broken within 30 seconds Canadian police reckon the key to a person’s password is within 2 metres of his or her PC But we are asked to remember so many passwords and then change them every three months

24 People often give their password to others Usually because they need that person to do their job System should allow a person to give another a proxy to act on their behalf, but where they can use their own password People with high access levels have to be very careful

25 People who leave are sometimes a security risk A client list may be handy in their next job Restrict people to what they need to know Restrict physical access to servers, tape drives, back-up tapes etc Limit the quantity of data that can be listed – in pages of printout Restrict access to DBMS tools

26 There are other means of authentication Keyboards can accept swiped ID cards Tokens that generate random numbers in synch with the operating system Modems generate password or require call back Physical access via electronic key Thumb, voice or retina scan

27 Identity management systems Software that sits in front of an organisation’s applications Identifies and authenticates Determines users privileges One point of control, so that things don’t get missed Can be maintained by managers not technical staff.

Download ppt "Security Week 10 Lecture 1. Why do we need security? Identify and authenticate people wanting to use the system Prevent unauthorised persons from accessing."

Similar presentations

Organizing Information Technology Resources

Organizing Information Technology Resources
POSSIBLE THREATS TO DATA

POSSIBLE THREATS TO DATA
Avoid data leakage, espionage, sabotage and other reputation and business risks without losing employee performance and mobility.

Avoid data leakage, espionage, sabotage and other reputation and business risks without losing employee performance and mobility.
McGraw-Hill/Irwin ©2009 The McGraw-Hill Companies, All Rights Reserved CHAPTER 4 ETHICS AND INFORMATION SECURITY Business Driven Information Systems 2e.

McGraw-Hill/Irwin ©2009 The McGraw-Hill Companies, All Rights Reserved CHAPTER 4 ETHICS AND INFORMATION SECURITY Business Driven Information Systems 2e.
Computer Science and Computer Engineering. parts of the computer.

Computer Science and Computer Engineering. parts of the computer.
Avoid data leakage, espionage, sabotage and other reputation and business risks without losing employee performance and mobility. Simplify authentication.

Avoid data leakage, espionage, sabotage and other reputation and business risks without losing employee performance and mobility. Simplify authentication.
Lecture 2 Page 1 CS 236, Spring 2008 Security Principles and Policies CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Spring, 2008.

Lecture 2 Page 1 CS 236, Spring 2008 Security Principles and Policies CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Spring, 2008.
FIT3105 Smart card based authentication and identity management Lecture 4.

FIT3105 Smart card based authentication and identity management Lecture 4.
Network Security Testing Techniques Presented By:- Sachin Vador.

Network Security Testing Techniques Presented By:- Sachin Vador.
Security Management IACT 918 July 2004 Gene Awyzio SITACS University of Wollongong.

Security Management IACT 918 July 2004 Gene Awyzio SITACS University of Wollongong.
ITS Offsite Workshop 2002 PolyU IT Security Policy PolyU IT/Computer Systems Security Policy (SSP) By Ken Chung Senior Computing Officer Information Technology.

ITS Offsite Workshop 2002 PolyU IT Security Policy PolyU IT/Computer Systems Security Policy (SSP) By Ken Chung Senior Computing Officer Information Technology.
Distributed Information Systems - The Client server model

Distributed Information Systems - The Client server model
Security Management IACT 418/918 Autumn 2005 Gene Awyzio SITACS University of Wollongong.

Security Management IACT 418/918 Autumn 2005 Gene Awyzio SITACS University of Wollongong.
Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.

Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.
Factors to be taken into account when designing ICT Security Policies

Factors to be taken into account when designing ICT Security Policies
Brian Bradley.  Data is any type of stored digital information.  Security is about the protection of assets.  Prevention: measures taken to protect.

Brian Bradley.  Data is any type of stored digital information.  Security is about the protection of assets.  Prevention: measures taken to protect.
Client Server Security. Introduction Although client/server architecture is the most popular and widely used computing environment, it the most vulnerable.

Client Server Security. Introduction Although client/server architecture is the most popular and widely used computing environment, it the most vulnerable.
Security Architecture Dr. Gabriel. Security Database security: –degree to which data is fully protected from tampering or unauthorized acts –Full understanding.

Security Architecture Dr. Gabriel. Security Database security: –degree to which data is fully protected from tampering or unauthorized acts –Full understanding.
Client Server Security DeSiaMorePowered by DeSiaMore1.

Client Server Security DeSiaMorePowered by DeSiaMore1.
Threats to I.T Internet security By Cameron Mundy.

Threats to I.T Internet security By Cameron Mundy.

Similar presentations

Ads by Google