1 Steve Chenoweth Friday, 10/21/11 Week 7, Day 4 Right – Good or bad policy? – Asking the user what to do next! From malware.net/how-to-remove-protection-system-

Presentation transcript:

1 Steve Chenoweth Friday, 10/21/11 Week 7, Day 4
CSSE 477 – More on Security
Right – Good or bad policy? – Asking the user what to do next! From malware.net/how-to-remove-protection-system-security-alert/
Background – Malta updates its maritime security system. From

2 Today
More on security – this
Show security results in class, work on term paper with team

3 Review of Basics
Security “quality” means engineering the software so that it continues to function correctly under malicious attack
Security issues include:
  – Attack or threat
  – Confidentiality
  – Integrity
  – Assurance
  – Availability

4 So secure systems have… (Review)
Nonrepudiation
  – Users can’t deny they did something
Confidentiality
  – No unauthorized usage
Integrity
  – Data and services delivered as intended
Assurance
  – Parties are who they say they are
Availability
  – Denial of service attacks won’t prevent services
Auditing
  – System tracks activities so that they can be reconstructed

5 Security tactics include (Review)
From Ch 5 in Bass:
  – Resisting attacks
  – Detecting attacks
  – Recovering from an attack
Under a wide variety of situations
All these require careful planning and design
  – Security can’t be tacked on after a system is built

6 Need to know common security threats
Plan for these situations to occur
Check for them in design reviews, code reviews, and various levels of testing
Security is a “knowledge intensive” area of endeavor

7 Security problems – like bugs?
Traditional non-security bugs -- Defined as non-conformance to a specification.
  – Security bugs are additional behavior that was not originally intended
  – System is doing what it is “supposed to do”
Inspections tend to look for:
  – missing behavior and
  – incorrect behavior.
  – Neglect to look for undesirable side-effects

8 Not so obvious issues – for any app
How do you monitor for things like side effects you never expected?
file writes,
registry entries,
extra network packets with unencrypted data,
unauthorized access,
privilege escalation,
exploitation of incorrect error handling,
sabotage via the app
  – like file corruption
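
One way to test for the unexpected file writes listed above (an added example, not part of the original slides): snapshot a directory before and after an operation and report every change that is not on an expected list. The `save_report` function and all file names are constructed for illustration.

```python
import hashlib
import os
import tempfile

def snapshot(root):
    """Map every file under root to the SHA-256 of its contents."""
    state = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            state[os.path.relpath(path, root)] = digest
    return state

def unexpected_side_effects(root, action, expected):
    """Run action() and return file changes under root that are not in expected."""
    before = snapshot(root)
    action()
    after = snapshot(root)
    changes = {}
    for path in before.keys() | after.keys():
        if path not in before:
            changes[path] = "created"
        elif path not in after:
            changes[path] = "deleted"
        elif before[path] != after[path]:
            changes[path] = "modified"
    return {p: kind for p, kind in changes.items() if p not in expected}

def demo():
    """Constructed scenario: a 'save report' feature with two unintended writes."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "settings.ini"), "w") as fh:
            fh.write("mode=safe\n")

        def save_report():  # hypothetical application function under test
            with open(os.path.join(root, "report.txt"), "w") as fh:
                fh.write("quarterly totals\n")        # the intended behavior
            with open(os.path.join(root, "debug.log"), "w") as fh:
                fh.write("session_token=EXAMPLE\n")   # unintended extra file
            with open(os.path.join(root, "settings.ini"), "a") as fh:
                fh.write("mode=unsafe\n")             # unintended config change

        return unexpected_side_effects(root, save_report, expected={"report.txt"})

if __name__ == "__main__":
    print(demo())
```

A functional test of `save_report` that only checks `report.txt` would pass; the snapshot diff is what surfaces the two extra writes.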

9 Obvious issues – in the large
Systems never intended to be online – now have a web interface
Systems never intended to be “services” now offered as service oriented architectures (SOAs)
Servers communicating with weak authentication / encryption to other servers (like in procedure calls)
Rapid deployment to market of new products
Growing size / complexity of exposed systems
Security expertise not keeping up with software development
  – Security is not just the purview of “security people”
Mobile devices give even more threat opportunities

10 Important preventive practices
Penetration testing – simulate errors in the app, etc.
Run tests that involve disk errors, memory failures, and network problems
Input filtering (block malicious input)
  – Access to objects depends on multiple conditions
Defect removal filters
  – Check input at multiple places
  – Every access attempt must be checked
Assume the most hostile environment
  – Assume an attack if uncertain
Default to denying service
Simple, understandable design
Operate with fewest privileges
  – Minimize use of shared mechanisms
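
Several of these practices combined in one access check (an added example, not part of the original slides): access depends on multiple conditions, every call is checked, an error in a check counts as a denial, and anything without a matching rule is denied. The policy, roles, paths and the `delete_report` operation are constructed for illustration.

```python
import posixpath
from dataclasses import dataclass

@dataclass(frozen=True)
class Request:
    user: str
    role: object               # None models a missing attribute
    action: str
    resource: str
    mfa_passed: object = None  # None models "unknown", which is not True

# Constructed policy: (action, path prefix) -> conditions that must ALL hold.
POLICY = {
    ("read", "/reports/"): [lambda r: r.role.lower() in {"analyst", "admin"}],
    ("delete", "/reports/"): [
        lambda r: r.role.lower() == "admin",
        lambda r: r.mfa_passed is True,   # second, independent condition
    ],
}

def authorize(req):
    """Return (allowed, reason); anything not explicitly allowed is denied."""
    path = posixpath.normpath(req.resource)   # filter input: collapse "../"
    for (action, prefix), conditions in POLICY.items():
        if req.action == action and path.startswith(prefix):
            try:
                if all(cond(req) for cond in conditions):
                    return True, "all conditions met"
            except Exception as exc:          # uncertain result: assume attack
                return False, "check error: " + type(exc).__name__
            return False, "condition failed"
    return False, "no matching rule"          # default deny

def guarded(operation):
    """Make the check unavoidable: the operation runs only after authorize()."""
    def wrapper(req, *args, **kwargs):
        allowed, reason = authorize(req)
        if not allowed:
            raise PermissionError(reason)
        return operation(req, *args, **kwargs)
    return wrapper

@guarded
def delete_report(req):
    """Hypothetical protected operation."""
    return posixpath.normpath(req.resource) + " deleted by " + req.user
```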

11 Example best practice – deletion!
Why study deletion?
  – Affects everybody: we all have private or security-critical information that needs to be deleted.
  – Lots of lore, not a lot of good academic research.
  – Most deleted files can be recovered!
Even disk reformatting doesn’t fix that
Delete doesn’t = shred
  – Browser cache, cookies and history also tend to last
  – License agreements, like for Flash, allow snooping
How many of these agreements do you read carefully?

12

13 Things to do at every step…

14 You should be able to design & audit security in a system
Security Must Be a First Class Citizen - Integrated at Early and All Stages of the Lifecycle
  – Should be visible in UML
Security Assured, Synchronized, Convenient
Provide Automated Transition from Security Definitions to Security Enforcement Code
Integration of Enforcement Code with Application

15 Security Design Principles
The Software Design Has Multiple Iterative Phases and The Security Features Should Be Incorporated and Adjusted During Each of and Among Those Phases
The Security Assurance is Satisfied Relatively to the Period of Software Design
The Security Incorporating Process Should Neither Counter the Intuition nor Decrease the Productivity of the Software Designer.
Security Definition via a Unified Perspective that Collects Privileges into a Cohesive Abstraction