
Security policy and its implementation (WUCM1)


1 Security policy and its implementation

2 What is security?
Security broadly means three things:
– Confidentiality: information is not made accessible to people who are not authorised to see it
– Integrity: information is protected from unauthorised modification, and is complete and can be relied upon
– Availability: information is available when you need it

3 Security aspects
Non-technical (e.g. physical) threats:
– Fire
– Flood, etc.
– Staff absence
– Not really a part of this unit, but …
Not all security threats are malicious or intentional
More information is lost by accident than stolen

4 Risk assessment
Identify threats
For each threat, determine/estimate:
– Probability of occurrence
– Cost of event: value of data, lost business
– Cost of prevention and/or recovery
Where predicted loss is greater than predicted cost, you need to do something about it

5 Types of threat
Illustration:
– Alec is providing information for Bert
– Charlie is someone who shouldn't have access to that information
Interception – unauthorised access
Denial of service
Impersonation
Hijack
Repudiation

6 Malicious code
Often a part of a security threat
Types of malicious code:
– Viruses
– Worms
– Trojan horses
– Back doors

7 Web specific examples 1
Web content with malicious intent, e.g.
– Sexygirls.com (Tiwana, 1999)
– Download a custom "web viewer" that dials a long-distance ISP and connects – and displays images
– The phone bill at the end of the month is difficult to contest
Example of virus and Trojan downloads

8 Web specific examples 2
IP or website spoofing
– machine-to-machine trust violated
– spoofed site usually set up to gather data: credit card details, personal address or contact details
Usually a close mock-up of the real website, e.g. for e-commerce

9 Web specific examples 3
Denial of service, e.g.
– DDoS attacks on Microsoft, Amazon, eBay, etc.
– Attacks on Estonian systems, 2007
– Timed assault launched by a virus
JavaScript security problems, e.g.
– "Freiburg Attack"
– Uses a 1x1 pixel invisible frame
– JavaScript to scan the PC and upload files
– What files would be targeted?

10 Security policy 1
Identify in appropriate detail:
– Protected items: What needs protection? What type of protection does each item need?
– Authorisation: Who needs authorisation? What types of authorisation are needed? Who authorises such access?
Normally based on roles, e.g.:
– General public
– General employee of the organisation
– Employee with a specific function, e.g. managerial
– Updater
– System administrator

11 Security policy 2
Implementation of access control:
– How is access control to be implemented?
– What monitoring of accesses is going to be done?
– Who is going to refer to the logs?
Management of changes:
– How are new users to be added and old ones deleted?
– How are new items to be protected?

12 Security policy 3
How are complaints and requests about the server and page content to be handled?
How and when should the policy itself be updated?
How should the organisation react to security issues?
Who is allowed to speak to members of the press, police, etc. in the event of questions or an incident?
How much information about a successful penetration should be made public?

13 Policy architecture
Security policy issues are often split into:
– Privacy policy, e.g. http://privacy.yahoo.com/
– Acceptable use policy, e.g. http://www.ja.net/documents/use.html
– Site security policy, e.g. http://secinf.net/info/policy/AusCERT.html
– Web access policy, e.g. http://medlib.med.utah.edu/hug/basic/hugwebaccesspolicy.html

14 Implementation
Costs of implementing security:
– Need to be analysed
– Compared with the predicted costs of not doing anything
Business decision: what security to implement? = what is cost-effective?
Need a formal backup and recovery procedure to support security

15 After intrusion
Ascertain cause
– Prerequisite for recovery action
– Do we know how the attackers got in?
– Were we let down by someone else's failing or our own mistakes?
Assess damage
– How do you know what they accessed/changed?
Plan recovery
– Do you have a pre-prepared plan to implement?
– What do you need to do to get your systems running normally again?
– What do you need to do to reassure/appease/reimburse your customers/users?
Plan avoidance of repeat
– What do we need to do to prevent it happening again?

16 Types of protection
Security is always a trade-off against convenience
There are four broad areas of concern:
– Physical security
– Operating system and platform security
– Network security
– User security and user awareness

17 Physical security
Threat: with physical access to the computer, an attacker could:
– Switch it off (pull the plug)
– Physically destroy data (e.g. by applying a hammer to the disk)
– Gain privileged access via a console
– Introduce new software
Response:
– access controls
– locks and keys
– keep under observation

18 Platform security
Threats:
– Bugs in software
– Known back doors
– Unused/unnecessary features
– Accidental misuse
Responses:
– Monitor security alerts
– Install patches
– Make someone responsible for this
– Harden your operating system: only mount essential components; document the need for, and protection of, each one in the security policy

19 Network security
Threats:
– Unauthorised access
– Misuse by authorised people
– Excessive access
– Denial of service
Responses:
– Firewalls, to filter the packets that are permitted to reach the web server
– Network address translation schemes, to hide the internal network addresses
– Use of proxy servers to filter and moderate requests
– Security self-tests (white-hat intrusion)

20 User security
Threats:
– Many users are just too trusting
– Social engineering ("phishing") can push users to willingly break known safety rules, e.g.
  "There is a problem with your account. Please change your password to NowSafe and await further instructions..."
  "There is a problem with your account and we are unable to bill your credit card. Please enter your credit card number and expiry date in the spaces below and click the SUBMIT button."
  (AOL shows a reminder about passwords on every page)
– Smooth-tongued callers
Responses:
– Well-defined company policies
– Educate users on risks
– Train users in good practice; role-play training is helpful in establishing good employee habits
– Monitor users

21 Server configuration
A web server can be set up to restrict access to its site(s)
Restrictions can be applied to part of the site (called a "realm")
There are two types of restriction:
– Restrict access by identified users or groups of users
– Restrict access by identified host or group of hosts
Restrictions can be mixed – but be aware of errors hidden in complex solutions

22 Access by user
1. If the server receives a request for a restricted URL, it sends back to the browser a challenge (stating the realm)
2. The browser invites its user to enter a username and password for the realm
3. The browser resubmits the request with the credentials, i.e. username/password
4. The server checks – if OK, serve the page; if not, back to step 2 or fail "unauthorised"

23 User authentication
Two forms of authentication:
– Basic – username and password in clear text – not good unless hidden in an SSL transaction
– Digest – uses an MD5 cryptographic checksum and a random "nonce" value
Browsers normally retain the username and password for reuse when other challenges come from the same realm
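As an added illustration of slides 22 and 23 (not part of the original deck), the arithmetic behind the challenge/response cycle: Basic only base64-encodes the credentials, whereas Digest returns an MD5 checksum bound to the server's nonce, so the server can keep a per-user hash instead of the password. Sample values are the worked example from RFC 2617 section 3.5; the function names are my own.

```python
import base64
import hashlib
import hmac

def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def basic_header(username: str, password: str) -> str:
    # Basic auth only base64-encodes "user:password"; without SSL/TLS anyone
    # who can read the request recovers the credentials with decode_basic().
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode()
    return f"Basic {token}"

def decode_basic(header: str) -> tuple:
    user, _, password = base64.b64decode(header[len("Basic "):]).decode().partition(":")
    return user, password

def digest_ha1(username: str, realm: str, password: str) -> str:
    # The server can store this per-user value (as Apache's htdigest file does)
    # instead of the password; the password itself never crosses the wire.
    return md5_hex(f"{username}:{realm}:{password}")

def digest_response(ha1: str, method: str, uri: str, nonce: str,
                    nc: str = "00000001", cnonce: str = "", qop: str = "auth") -> str:
    # What the browser sends back (step 3 of slide 22) in answer to the
    # realm/nonce challenge (step 1). The nonce is the server's random value.
    ha2 = md5_hex(f"{method}:{uri}")
    if not qop:  # original RFC 2069 form: no client nonce or request counter
        return md5_hex(f"{ha1}:{nonce}:{ha2}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")

def server_check(stored_ha1: str, method: str, uri: str, nonce: str,
                 nc: str, cnonce: str, qop: str, client_response: str) -> bool:
    # Step 4 of slide 22: recompute from the stored HA1 and compare in constant
    # time. A captured response stops working as soon as the server issues a new nonce.
    expected = digest_response(stored_ha1, method, uri, nonce, nc, cnonce, qop)
    return hmac.compare_digest(expected, client_response)

# Sample values taken from the RFC 2617 worked example (section 3.5).
RFC_NONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093"
RFC_HA1 = digest_ha1("Mufasa", "testrealm@host.com", "Circle Of Life")
RFC_RESPONSE = digest_response(RFC_HA1, "GET", "/dir/index.html", RFC_NONCE,
                               "00000001", "0a4f113b", "auth")
```

Note that MD5 is used here because that is what the Digest scheme on the slide specifies; it is a protocol constant, not a recommendation for new designs.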

24 Access by host
Access restrictions by host can be specified by:
– IP address (e.g. 204.255.230.13)
– Domain name (e.g. port.ac.uk)
Partial addresses/domains can be used:
– e.g. 204.255. can be used to specify a restriction to all hosts whose IP address starts with 204.255.
– e.g. ac.uk would specify a restriction for all hosts from an academic UK domain
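An added example (my own code, not from the deck) of evaluating the partial-address and partial-domain rules slide 24 describes, with the constructed rule set ["204.255.", "ac.uk"]. It shows the two places such matching goes wrong: a string-prefix test on addresses, and a suffix test on domain names that forgets the dot boundary.

```python
def ip_matches(rule: str, client_ip: str) -> bool:
    """A partial address such as '204.255.' matches on whole octets only."""
    rule_octets = [o for o in rule.strip(".").split(".") if o]
    client_octets = client_ip.split(".")
    if not 1 <= len(rule_octets) <= 4 or len(client_octets) != 4:
        return False
    # Compare octet by octet, never as a string prefix: a string test would let
    # a rule typed as '204.25' (trailing dot forgotten) admit 204.255.x.x as well.
    return client_octets[:len(rule_octets)] == rule_octets

def domain_matches(rule: str, hostname: str) -> bool:
    """'ac.uk' matches 'ac.uk' and every host below it, but not 'fakeac.uk'."""
    host = hostname.lower().rstrip(".")
    rule = rule.lower().strip(".")
    return host == rule or host.endswith("." + rule)

def host_allowed(allow_rules, client_ip: str, client_host: str = None) -> bool:
    """True if any rule admits the client.

    Domain rules need the client's reverse-DNS name; the server must look it up
    and forward-confirm it (resolve the name back to client_ip) before trusting
    it. Here it is passed in as an already verified value.
    """
    for rule in allow_rules:
        if rule[0].isdigit():
            if ip_matches(rule, client_ip):
                return True
        elif client_host and domain_matches(rule, client_host):
            return True
    return False

ALLOW = ["204.255.", "ac.uk"]  # constructed rule set built from the slide's examples
```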

25 Cautions
Browsers cache credentials
– In memory for the session
– On disc if so configured

26 More information
The security tutorials listed at http://httpd.apache.org/docs/misc/tutorials.html
The Apache documentation at http://httpd.apache.org/docs/
The Computer Emergency Response Team (CERT) at http://www.cert.org
Centre for the Protection of National Infrastructure (CPNI) at http://www.cpni.gov.uk/

27 More information
NetworkIce is a company dealing with network security software and services, at http://advice.networkice.com/Advice/default.htm
SecurityFocus, for discussion and news, at http://www.securityfocus.com

