Security Discussion IST Retreat June 2008
IT Security Statement

Definition: In the context of computer science, security is the prevention of, or protection against:
- access to information by unauthorized recipients, and
- intentional but unauthorized destruction or alteration of that information.

Terminology:
- Confidentiality: ensuring that information is not accessed by unauthorized persons
- Integrity: ensuring that information is not altered by unauthorized persons in a way that is not detectable by authorized users
- Authentication: ensuring that users are the persons they claim to be
Components
Some New(er) Concerns
- Privacy of information (e.g. PIPEDA, Health Services)
- Electronic commerce (e.g. donations)
- Hosted applications (e.g. Patriot Act)
- Email and phishing scams
- Identity theft
Top 7 (All Systems) - SANS (the general, platform-independent section of the SANS/FBI Top 20 list)
1. Default installs of operating systems and applications
2. Accounts with no passwords or weak passwords
3. Non-existent or incomplete backups
4. Large number of open ports
5. Not filtering packets for correct incoming and outgoing addresses
6. Non-existent or incomplete logging
7. Vulnerable CGI programs
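Item 5 on the SANS list is the border filter that stops address spoofing in both directions: nothing arriving from the Internet may claim one of the site's own source addresses, and nothing leaving may carry a source address the site does not own (RFC 2827 ingress/egress filtering). The Python below is an added example written for this page, not code from the original deck or from IST; the address ranges are constructed documentation prefixes standing in for the campus network, which the slides do not give, and the site is assumed to be a stub network that never forwards traffic between two outside parties.

```python
import ipaddress

# Constructed address space for this example; the campus prefixes are not on the slides.
INTERNAL_PREFIXES = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]

# Source ranges that have no business arriving from the Internet (RFC 1918,
# loopback, link-local, multicast/reserved). A packet from any of these on the
# outside interface is spoofed or misconfigured.
BOGON_PREFIXES = [
    ipaddress.ip_network("0.0.0.0/8"),
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("169.254.0.0/16"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("224.0.0.0/3"),
]


def _in_any(addr, prefixes):
    return any(addr in prefix for prefix in prefixes)


def filter_packet(direction, src, dst, internal=INTERNAL_PREFIXES):
    """Decide whether a packet crossing the border router should pass.

    direction is "in" (arriving from the Internet) or "out" (leaving toward it).
    Returns (verdict, reason) with verdict "allow" or "drop". The site is assumed
    to be a stub network: it never forwards traffic between two external parties.
    """
    s = ipaddress.ip_address(src)
    d = ipaddress.ip_address(dst)
    if direction == "in":
        if _in_any(s, internal):
            return "drop", "inbound packet claims an internal source address"
        if _in_any(s, BOGON_PREFIXES):
            return "drop", "inbound packet from an unroutable (bogon) source"
        if not _in_any(d, internal):
            return "drop", "inbound packet not addressed to this site"
        return "allow", "ok"
    if direction == "out":
        if not _in_any(s, internal):
            return "drop", "outbound packet with a foreign source address"
        if _in_any(d, internal):
            return "drop", "outbound packet addressed back into this site"
        return "allow", "ok"
    raise ValueError("direction must be 'in' or 'out'")


def audit(packets):
    """Run the filter over (direction, src, dst) tuples; return what it drops and why."""
    return [(p, reason) for p in packets
            for verdict, reason in [filter_packet(*p)] if verdict == "drop"]


if __name__ == "__main__":
    # Constructed sample traffic, not a real capture.
    SAMPLE = [
        ("in", "203.0.113.5", "192.0.2.20"),    # ordinary inbound request
        ("in", "192.0.2.10", "192.0.2.20"),     # spoofed: claims to be one of ours
        ("in", "10.1.2.3", "192.0.2.20"),       # private source seen on the outside
        ("out", "192.0.2.10", "203.0.113.5"),   # ordinary outbound
        ("out", "203.0.113.7", "203.0.113.5"),  # compromised host spoofing a victim
    ]
    for packet, reason in audit(SAMPLE):
        print("DROP", packet, "-", reason)
```

The outbound rule is the one most sites forget: it costs nothing locally, but it is what prevents a compromised campus host from taking part in reflected denial-of-service attacks against others.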
Top 10 - HIPAA
1. Firewall and system probing
2. Network File Systems (NFS)
3. Electronic mail attacks
4. Vendor default password attacks
5. Spoofing, sniffing, fragmentation and splicing
6. Social engineering attacks
7. Easy-to-guess password compromise
8. Destructive computer viruses
9. Prefix scanning
10. Trojan horses
Recent Events
- C&PA - “events” application
- JobMine - resume
- PeopleSoft - URLs
- UW-ACE - “admin” privileges
What We’re Doing – Part I
- security working group
- passkey depot
- server hardening and/or review
- anti-virus software distribution
- machine room firewall
- internal audits
- patches for server and desktop
What We’re Doing – Part II
- campus advisories
- monitoring/scanning (ongoing, monthly)
- e-commerce verification
- external information (SANS, CERT)
- authorization/roles (ERP, SharePoint)
- wireless access (Minuwet)
- networks (residence)
What We’re Doing – Part III
- certificates (Thawte)
- authentication (ADS, CAS)
- password rules and checks
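The “password rules and checks” item above is the countermeasure for item 2 of the SANS list (accounts with no or weak passwords) and for the default-password and easy-to-guess-password entries of the HIPAA list. The deck does not say which rules the campus applies, so the following is an added example written for this page, not IST's own checker: the length, character-class and sequence thresholds are assumed policy values, and the common-password set is a constructed stand-in for a real cracked-password dictionary. The point it makes beyond a plain length check is that a dictionary check has to be run on the forms a cracker would actually try: lower-cased, with leetspeak undone, and with the trailing digits and symbols people add to satisfy complexity rules stripped off.

```python
import re

# Constructed stand-in for a real common-password dictionary; the slides do not
# say which list the campus checks against.
COMMON_PASSWORDS = {
    "password", "password1", "letmein", "welcome", "qwerty", "123456",
    "waterloo", "changeme", "admin",
}
MIN_LENGTH = 12          # assumed policy values, not the campus's actual rules
PASSPHRASE_LENGTH = 20   # long passphrases are exempt from the character-class rule
TRAILING_JUNK = "0123456789!@#$%^&*.?_-"
LEET = str.maketrans("0134$@!", "oleasai")   # undo the usual substitutions
SEQUENCES = re.compile(r"abc|bcd|cde|def|123|234|345|456|567|678|789|qwe|wer|ert|asd|sdf")


def _char_classes(pw):
    return sum([
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),
    ])


def _dictionary_forms(pw):
    """Forms of pw a cracker would try against a wordlist: as typed, with
    leetspeak undone, and with the trailing digits/symbols people tack on."""
    lower = pw.lower()
    stripped = lower.rstrip(TRAILING_JUNK)
    return {lower, lower.translate(LEET), stripped, stripped.translate(LEET)}


def check_password(username, pw, common=COMMON_PASSWORDS):
    """Return the list of rule violations; an empty list means pw passes."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(pw) < PASSPHRASE_LENGTH and _char_classes(pw) < 3:
        problems.append("uses fewer than three character classes")
    if username and username.lower() in pw.lower():
        problems.append("contains the username")
    if _dictionary_forms(pw) & common:
        problems.append("is a common password or a trivial variant of one")
    if re.search(r"(.)\1\1", pw):
        problems.append("repeats a character three or more times in a row")
    if SEQUENCES.search(pw.lower()):
        problems.append("contains a keyboard or alphabetic sequence")
    return problems


if __name__ == "__main__":
    # Constructed candidates, not real accounts.
    for user, candidate in [("jsmith", "P@ssw0rd1!"),
                            ("jsmith", "Jsmith-Winter-2008"),
                            ("jsmith", "Waterloo2008!"),
                            ("jsmith", "correct horse battery staple")]:
        verdict = check_password(user, candidate) or ["ok"]
        print(f"{candidate!r}: {'; '.join(verdict)}")
```

Note that “P@ssw0rd1!” satisfies every character-class rule and still fails, because stripping the trailing “1!” and undoing the substitutions yields “password”; that is the check that length-and-complexity rules alone cannot provide.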
Problems & Challenges – Part I
- Public security policy/statement for web sites
- Education & training
- Reliance on vendors
- Keeping up to date on patches
- Laptops
Problems & Challenges – Part II
- Web applications architecture
- “academic” & “computing” institution
- Increases in attacks, trends
Physical Security
- Overlap with Key Control
- Hardcopy documents (internal, UW, academic)
- Overlap with Police Services (emergency)
- IST and wired/physical security
Moving Forward
- New roles for all?
- More external/outsourced testing?
- Testing protocols for applications/services?
Links
- http://ist.uwaterloo.ca/security/
- http://security.uwo.ca/
- http://www.uoguelph.ca/ccs/security/index.shtml
- http://www.wlu.ca/page.php?grp_id=47&p=1128
- http://www.usask.ca/its/services/itsecurity/
- http://www.cse-cst.gc.ca/training/
- http://www.cert.org/
- http://www.sans.org/
- http://en.wikipedia.org/wiki/Security
Discussion