Assuring Reliable and Secure IT Services Chapter 6.


1 Assuring Reliable and Secure IT Services Chapter 6

2 Key Learning Objectives
Understand factors that drive IT availability and how to provision high-availability systems
Recognize sources of IT systems risk and how to secure IT systems
Recognize trade-offs involved in IT risk management and the inevitability of incidents
Understand management approaches to contain and recover from such incidents

3 Redundancy: key to reliable systems
  – Internet robust enough to withstand military attack
      Exceptionally large number of potential paths
  – Buying extra equipment to guard against failures
  – More complex, more difficult to manage

4 Agenda
Availability math
High-availability facilities
Securing infrastructure against malicious threats
Risk management of availability and security
Incident management and disaster recovery

5 Availability Math
Reliability and availability
  – 98% available = running and ready to be used 98 percent of the time
  – Outage tolerance varies by system and situation
      Tasks
Planned or unplanned outage
  – E.g. shut down for data backup

6 Availability of components in series Five Components in Series (Each 98 percent available)

7 Combining Components in Series Decreases Overall Availability
15 devices → downtime exceeds 25%

8 The effect of redundancy on availability
Five identical components in parallel (each 98 percent available)
99.99999968% available → eight nines of availability
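The arithmetic behind slides 6 to 8, as an added example that is not part of the original presentation. It goes one step beyond the slides by also computing yearly downtime, the number of parallel units needed to reach a target, and a series chain whose stages are each duplicated; all function names are chosen for this illustration.

```python
import math

HOURS_PER_YEAR = 24 * 365  # 8,760 hours; leap years ignored

def series(availabilities):
    """Every component must be up, so the availabilities multiply."""
    return math.prod(availabilities)

def parallel(availabilities):
    """One working component is enough: 1 minus the chance that all fail."""
    return 1.0 - math.prod(1.0 - a for a in availabilities)

def nines(availability):
    """Number of leading nines, e.g. 0.9996 -> 3."""
    if not 0.0 <= availability < 1.0:
        raise ValueError("availability must be in [0, 1)")
    # The small epsilon keeps exact values such as 0.99 from rounding down.
    return math.floor(-math.log10(1.0 - availability) + 1e-9)

def downtime_hours_per_year(availability):
    """Expected hours of outage per year at the given availability."""
    return (1.0 - availability) * HOURS_PER_YEAR

def units_needed(unit_availability, target):
    """Smallest number of identical parallel units that meets the target."""
    if not (0.0 < unit_availability < 1.0 and 0.0 < target < 1.0):
        raise ValueError("both values must be strictly between 0 and 1")
    n = 1
    while parallel([unit_availability] * n) < target:
        n += 1
    return n

def redundant_chain(stages, copies, unit_availability):
    """Series chain in which every stage consists of `copies` parallel units."""
    stage = parallel([unit_availability] * copies)
    return series([stage] * stages)

if __name__ == "__main__":
    a = 0.98  # per-component availability used on the slides
    print(f"5 in series:       {series([a] * 5):.4%}")
    print(f"15 in series:      {series([a] * 15):.4%}")
    print(f"5 in parallel:     {parallel([a] * 5):.8%}")
    print(f"nines (parallel):  {nines(parallel([a] * 5))}")
    print(f"downtime at 98%:   {downtime_hours_per_year(a):.1f} h/year")
    print(f"units for 99.999%: {units_needed(a, 0.99999)}")
    print(f"5 stages, 2 each:  {redundant_chain(5, 2, a):.4%}")
```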

9 High-availability facilities
Redundancy Increases Overall Availability

10 Uninterruptible electric power delivery
  – Two or more power cables for each computer
  – Uninterruptible power supplies (UPSs)
Physical security
  – Security guards, closed-circuit television monitors (CCTVs), biometric access control systems…
  – Building “hardened” against external explosions, earthquakes, and other disasters

11 Climate control and fire suppression
  – Heating, ventilating, and air-conditioning (HVAC) equipment
  – Smoke detecting, alarming and gas-based fire suppression
Network connectivity
  – 24x7 network operations centre (NOC)
  – Three or more backbone providers
Help desk and incident response procedures
  – Responding to unplanned incidents
N+1 and N+N redundancy
  – For each type of critical component there should be at least one unit standing by (N+1)
  – Twice as many mission-critical components as are necessary (N+N)

12 A Representative E-Commerce Infrastructure

13 Securing infrastructure against malicious threats
Spending less on information security than on coffee
2007 US 1/5 have been “targeted attack”
Threat is evolving
Classification of threats
  – External attacks
  – Intrusion
  – Viruses and worms
Defensive measures
  – Security policies
  – Firewalls
  – Authentication
  – Encryption
  – Patching and change management
  – Intrusion detection and network monitoring

14 External attacks
Actions against computer infrastructures that harm them or degrade their services without actually gaining access to them
Denial of service (DoS) attacks
  – Customers standing in line interacting with the cashier and deciding not to buy anything
  – Filter out flood traffic based on the IP address
      Won’t work on distributed denial of service (DDoS) or spoofing
  – Patterns of attack can be very similar to legitimate e-commerce traffic

15 Denial of service (DoS) attacks

16 A Distributed Denial-of-Service Attack

17 “Spoofing”

18 Intrusion
Gain access to a company’s internal IT infrastructure by a variety of methods
  – Social engineering
      Low-tech but highly effective techniques for getting people to freely divulge information
  – Telephone
  – Sniffer software
  – Port scanned: probed for vulnerability to intrusion
  – Time bombs
Figuring out what exactly intruders might have done is difficult
  – Not knowing the consequences → high PR penalty

19 TJX companies
https://www.youtube.com/watch?v=uLaiKWVI56I
https://www.youtube.com/watch?v=GRNimxiRxQ4

20 Viruses and worms
Malicious software programs that replicate, spreading themselves to other computers
  – Could be used to launch a DoS attack
Stuxnet
  – Targeting Iran’s nuclear program
  – https://www.youtube.com/watch?v=cf0jlzVCyOI
  – https://www.youtube.com/watch?v=v4CAc_zGtoY
  – https://www.youtube.com/watch?v=IfcYVgRXWdY

21 Defensive measures
Security → A matter of degree rather than absolutes
Security policies
  – Define what is “inappropriate use”
  – Complexity of password
  – Who can have accounts
  – What is allowed to be downloaded
Firewalls
  – A collection of HW and SW designed to prevent unauthorized access
Source: Glanceword.com

22 Authentication
  – Control who accesses elements of computing infrastructure
  – Host authentication, network authentication, data authentication
  – Strong authentication
      Passwords expire regularly
Encryption
Patching and change management
  – Patches (fixes)
  – Detecting a change in size, or files that should not exist
      Keeping detailed records of all files that are supposed to be on production computers
Intrusion detection and network monitoring
  – Combination of hardware probes and software diagnostic systems
      E.g. honeypot
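One way to implement the change-management check on slide 22, as an added example that is not part of the original presentation: record every file that is supposed to be on a host, then report size changes and files that should not exist. The SHA-256 comparison (which catches same-size edits) and the missing-file finding go beyond what the slide lists, and all function names and sample files are constructed for this illustration.

```python
import hashlib
import tempfile
from pathlib import Path

def snapshot(root):
    """Record size and SHA-256 of every regular file under root."""
    root = Path(root)
    records = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            data = path.read_bytes()  # fine for a demo; stream large files
            records[path.relative_to(root).as_posix()] = {
                "size": len(data),
                "sha256": hashlib.sha256(data).hexdigest(),
            }
    return records

def compare(baseline, current):
    """Return sorted (finding, path) tuples describing drift from the baseline."""
    findings = []
    for name in current.keys() - baseline.keys():
        findings.append(("unexpected_file", name))  # file that should not exist
    for name in baseline.keys() - current.keys():
        findings.append(("missing_file", name))
    for name in baseline.keys() & current.keys():
        old, new = baseline[name], current[name]
        if old["size"] != new["size"]:
            findings.append(("size_changed", name))
        elif old["sha256"] != new["sha256"]:
            findings.append(("content_changed", name))  # same size, new bytes
    return sorted(findings)

if __name__ == "__main__":
    # Constructed sample tree standing in for a production host.
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "app.conf").write_bytes(b"port=8080")
        (root / "server.bin").write_bytes(b"release-1.0")
        baseline = snapshot(root)  # keep the real record off the host
        (root / "app.conf").write_bytes(b"port=9090")          # same size
        (root / "server.bin").write_bytes(b"release-1.0-mod")  # size differs
        (root / "unknown.bin").write_bytes(b"not in the record")
        for finding, name in compare(baseline, snapshot(root)):
            print(f"{finding:16} {name}")
```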

23 Source: http://searchsecurity.techtarget.com/feature/Honeypot-technology-How-honeypots-work-in-the-enterprise

24 A security management framework
Make deliberate security decisions
Consider security a moving target
Practice disciplined change management
Educate users
Deploy multilevel technical measures, as many as you can afford

25 Risk management of availability and security
Prioritising involves computing the expected loss associated with incidents in these quadrants by multiplying the probability of an incident by its cost if it occurs

26 Incident management and disaster recovery
Managing incidents before they occur
  – Sound infrastructure design
  – Disciplined execution of operating procedures
  – Careful documentation
  – Established crisis management procedures
  – Rehearsing incident response
Managing during an incident
  – Obstacles when handling a crisis
      Emotional responses
      Wishful thinking and groupthink
      Political manoeuvring
      Leaping to conclusions
  – Public relations inhibition
Managing after an incident

27 Summary
How available do our systems need to be?
Are we taking security threats seriously enough?
Do we have a solid security policy in place?
Do we have plans for responding to infrastructure incidents?
Do we practice risk management in availability and security decisions?

