CSA 223 network and web security Chapter one


CSA 223 Network and Web Security, Chapter one: What is information security
Look at: defining information security; defining security as a process, not a point product.

Define information security
Information is knowledge obtained from investigation, study, instruction, news, or facts. Security is freedom from danger; safety; freedom from fear. Information security consists of the measures adopted to prevent the unauthorized use, misuse, modification, or denial of use of knowledge, facts, data, or capability. Put another way, it is the steps you take to guard your information.

Define information security
People are the weakest link in securing the organization's information. Information security will not guarantee the safety of the organization, information, or computer systems. Security is a process, not a product. A single layer of security cannot ensure good security; effective security is achieved by a combination of all security disciplines. Do not rely on a single product for all security; you must use a layered approach.

Define information security
Information security is a mindset: examine the threats to the organization. With this mindset, the users of information should feel confident and comfortable with the security process used by an organization. There is currently no effective process to certify computer systems.

History of security
Physical security: all assets and important information were physical. To protect these assets, physical security was used, such as walls, moats, and guards. Communication security: the use of encryption systems (ciphers) allowed messages to be sent that could not be read if they were intercepted. Emissions security. Computer security. Network security. Information security.

Define security as process
Many different products and types of products are necessary to fully protect an organization. Some of these technologies and products include: anti-virus software, access controls, policy management, firewalls, biometrics, vulnerability scanning, and encryption.

Anti-virus
The goal of anti-virus software is to reduce the exposure of the organization to malicious code. Anti-virus software will not protect the organization from an intruder who misuses a legitimate program to gain access to the system.

Access control
Access control is the capability to restrict access to files based on the ID of the user. Access control can restrict legitimate users from accessing files they should not have access to. Authenticating a user's access is accomplished by using any combination of something you know, something you have, or something you are.

Policy management and intrusion detection
Policies and procedures are important components of a good security program, and the management of policies across computer systems is equally important. By using a policy management system, an organization can be made aware of any system that does not conform to policy. Intrusion detection identifies when someone is doing something wrong and stops them. Intrusion detection systems are not foolproof and cannot replace security practices.

Firewalls
Firewalls are access control devices for the network and can assist in protecting an organization's internal network from external attacks. By their nature, firewalls are border security products, meaning that they exist on the border between the internal network and the external network. Although firewalls provide protection from attackers, they cannot prevent an attack from using an allowed connection.

Biometrics
Biometrics uses biological elements to authenticate the user's access. Biometrics are yet another authentication mechanism, and they too can reduce the risk of someone guessing a password. Types of biometric scanners include fingerprint, face recognition, and voice. Each method usually requires some type of device to identify human characteristics.

Encryption
Encryption is the primary mechanism for communications security. Encryption might even protect information that is in storage, by encrypting files. The encryption system will not differentiate between legitimate and illegitimate users if both present the same keys to the encryption algorithm. Therefore, encryption by itself will not provide security. Encryption needs controls on the encryption keys and on the system as a whole.

Vulnerability scanning and physical security
Scanning computer systems for vulnerabilities is an important part of a good security program. Vulnerability scanning will not detect legitimate users who may have inappropriate access. Physical security is the one product category that could provide complete protection to computer systems and information. However, employees must have access to computers and information in order for the organization to function; therefore, physical security must allow some people to gain access. In this case, physical security will not protect systems from attacks that use legitimate access.

Chapter two: Types of attacks
Look at: access attacks, modification attacks, denial-of-service attacks, and repudiation attacks.

Types of attacks
There are four primary categories of attacks: access attacks, modification attacks, denial-of-service attacks, and repudiation attacks.

2.1 Access attack
An access attack is an attempt to gain information that the attacker is not authorized to see. This attack can occur wherever the information resides or may exist during transmission. This type of attack is an attack against the confidentiality of the information. There are three kinds of access attack: snooping, eavesdropping, and interception.

2.1.1 Snooping
Snooping is looking through information files in the hope of finding something interesting. If the files are on a computer system, an attacker may attempt to open one file after another until information is found.
[Figure labels: desktop computer; information on local hard drive; information stored on media and left in the office or on backups taken off-site.]

2.1.2 Eavesdropping
When someone listens in on a conversation that they are not a part of, that is eavesdropping. To gain unauthorized access to information, an attacker must position himself at a location where information of interest is likely to pass by. Wireless networks have increased the opportunity to perform eavesdropping.
[Figure: desktop, mainframe, and attacker's computer.] Traffic from the desktop to the mainframe travels over the local area network. The attacker can listen in on the session from the desktop by attaching to the same local area network.

2.1.3 Interception
Interception is an active attack against the information. When an attacker intercepts information, he is inserting himself in the path of the information and capturing it before it reaches its destination. The attacker may allow the information to continue to its destination or not. Information access using interception is the most difficult option for an attacker.

How access attacks are accomplished
If access control permissions are set properly, the unauthorized individual should be denied access. Correct permissions will prevent most casual snooping. There are many vulnerabilities that let an attacker succeed in accessing unauthorized data. An attacker uses a sniffer to eavesdrop on the transmission. A sniffer is a computer that is configured to capture all the traffic on the network. A sniffer can be installed after an attacker has increased his privileges on a system, or if the attacker is allowed to connect his own system to the network.

2.2 Modification attack
A modification attack is an attempt to modify information that an attacker is not authorized to modify. The attacker may do one of the following:
Changes: one type of modification attack is to change existing information, such as an attacker changing an existing employee's salary.
Insertion: when an insertion attack is made, information that did not previously exist is added. For example, an attacker might choose to add a transaction in a banking system that moves funds from a customer's account to his own.
Deleting: a delete attack is the removal of existing information.

How modification attacks are accomplished
If the attacker has access to files, modifications can be made. If the attacker does not have authorized access to files, the attacker would first have to increase his access to the system or remove the permissions on the file. The attacker uses a vulnerability on the computer system to access the system or files; then the attacker can modify the file data. The attacker exploits a vulnerability on the server and replaces the homepage with something new.
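
The three kinds of modification named in 2.2 (change, insertion, deletion) can be detected by comparing the current state of the data against a trusted baseline of hashes. The following is an added example, not part of the original slides: the record ids and values are constructed, and it assumes the baseline is kept where an attacker with access to the data cannot alter it.

```python
import hashlib
import json


def fingerprint(records):
    """Map each record id to a SHA-256 digest of its canonical JSON form."""
    return {
        rec_id: hashlib.sha256(
            json.dumps(fields, sort_keys=True).encode("utf-8")
        ).hexdigest()
        for rec_id, fields in records.items()
    }


def compare(baseline, current):
    """Classify differences between two fingerprint maps."""
    base_ids, cur_ids = set(baseline), set(current)
    return {
        "changed": sorted(i for i in base_ids & cur_ids if baseline[i] != current[i]),
        "inserted": sorted(cur_ids - base_ids),
        "deleted": sorted(base_ids - cur_ids),
    }


def detect_modifications(trusted_records, observed_records):
    """Fingerprint both states and report changes, insertions and deletions."""
    return compare(fingerprint(trusted_records), fingerprint(observed_records))


# Constructed sample data: the state recorded when the baseline was taken ...
TRUSTED = {
    "emp-001": {"name": "A. Example", "salary": 4000},
    "emp-002": {"name": "B. Example", "salary": 5200},
    "txn-100": {"from": "acct-1", "to": "acct-2", "amount": 50},
}
# ... and the state observed later (salary altered, one record added, one removed).
OBSERVED = {
    "emp-001": {"name": "A. Example", "salary": 9000},
    "txn-100": {"amount": 50, "to": "acct-2", "from": "acct-1"},  # same data, new key order
    "txn-101": {"from": "acct-1", "to": "acct-9", "amount": 7500},
}

if __name__ == "__main__":
    for kind, ids in detect_modifications(TRUSTED, OBSERVED).items():
        print(kind, ids)
```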

Define Denial-of-Service attacks
Denial-of-Service (DoS) attacks are attacks that deny the use of resources to legitimate users of the system, information, or capabilities. DoS attacks are nothing more than vandalism. Denial of access may occur on:
Information: denial of access to information causes the information to be unavailable.
Applications: denial of access to applications is normally an attack against a computer system running the application.
Systems: denial of access to systems causes all information stored on the system to become unavailable.

How Denial-of-Service attacks are accomplished
DoS attacks against information can be made by simply turning off the system; turning off the system will also cause an attack against the system. In DoS attacks against an application, the attacker sends a predefined set of commands to the application that the application is not able to process properly. The application will likely crash.

Repudiation
A repudiation attack is an attempt to give false information or to deny that a real event or transaction should have occurred. An attacker may masquerade as another person to collect information or interrupt normal operations.