Information System Security Engineering and Management Risk Analysis and System Security Engineering Homework (#2, #3) Dr. William Hery

Slides:



Advertisements
Similar presentations
By: Mr Hashem Alaidaros MIS 326 Lecture 6 Title: E-Business Security.
Advertisements

1 Network Security Ola Flygt Växjö University
Identity Management Realities in Higher Education NET Quarterly Meeting January 12, 2005.
Hacking. Learning Objectives: At the end of this lesson you should be able to:
Security+ Guide to Network Security Fundamentals
SECURITY What does this word mean to you? The sum of all measures taken to prevent loss of any kind.
Security Presented by : Qing Ma. Introduction Security overview security threats password security, encryption and network security as specific.
Client/Server Computing Model of computing in which very powerful personal computers (clients) are connected in a network with one or more server computers.
Security Overview Hofstra University University College for Continuing Education - Advanced Java Programming Lecturer: Engin Yalt May 24, 2006.
1 Network Security Derived from original slides by Henric Johnson Blekinge Institute of Technology, Sweden From the book by William Stallings.
Information System Security Engineering and Management Additional slides for INFORMATION SECURITY RISK MANAGEMENT Dr. William Hery
MJ10/07041 Session 10 Accounting, Security Management Adapted from Network Management: Principles and Practice © Mani Subramanian 2000 and solely used.
Copyright © Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE USC CSci530 Computer Security Systems Lecture.
CSE 4482, 2009 Session 21 Personal Information Protection and Electronic Documents Act Payment Card Industry standard Web Trust Sys Trust.
Chapter Extension 23 SSL/TLS and //https © 2008 Pearson Prentice Hall, Experiencing MIS, David Kroenke.
Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.
Bazara Barry1 Security on Networks and Information Systems Bazara I. A. Barry Department of Computer Science – University of Khartoum
Security Overview. 2 Objectives Understand network security Understand security threat trends and their ramifications Understand the goals of network.
Alexander Potapov.  Authentication definition  Protocol architectures  Cryptographic properties  Freshness  Types of attack on protocols  Two-way.
 ENGR 1110 Introduction to Engineering – Cyber Security Allison Holt, Adam Brown Auburn University.
The Study of Security and Privacy in Mobile Applications Name: Liang Wei
Kittiphan Techakittiroj (04/09/58 19:56 น. 04/09/58 19:56 น. 04/09/58 19:56 น.) Network Security (the Internet Security) Kittiphan Techakittiroj
CHAPTER 3 Information Privacy and Security. CHAPTER OUTLINE  Ethical Issues in Information Systems  Threats to Information Security  Protecting Information.
Session 11: Security with ASP.NET
Thomas Levy. Agenda 1.Aims: CIAN 2.Common Business Attacks 3.Information Security & Risk Management 4.Access Control 5.Cryptography 6.Physical Security.
Wireless and Security CSCI 5857: Encoding and Encryption.
Internet Security for Small & Medium Business Week 6
V 0.1Slide 1 Security – System Configuration How to configure WebSAMS? Access Control Other Information Configuration  system customization  system configuration.
Security and Privacy Strategic Global Partners, LLC.
1.Too many users 2.Technical factors 3.Organizational factors 4.Environmental factors 5.Poor management decisions Which of the following is not a source.
Computer Security “Measures and controls that ensure confidentiality, integrity, and availability of IS assets including hardware, software, firmware,
Systems Analysis and Design in a Changing World, 6th Edition 1 Chapter 12 - Databases, Controls, and Security.
Protecting Internet Communications: Encryption  Encryption: Process of transforming plain text or data into cipher text that cannot be read by anyone.
Chapter 21 Distributed System Security Copyright © 2008.
Internet Security. 2 PGP is a security technology which allows us to send that is authenticated and/or encrypted. Authentication confirms the identity.
Chapter 1 Overview The NIST Computer Security Handbook defines the term Computer Security as:
SECURITY Professor Mona Mursi. ENVIRONMENT IT infrastructures are made up of many components, abstractly: IT infrastructures are made up of many components,
Lecture slides prepared for “Computer Security: Principles and Practice”, 3/e, by William Stallings and Lawrie Brown, Chapter 1 “Overview”. © 2016 Pearson.
Lecture 24 Wireless Network Security
MIS 7003 MIS Core Course The MBA Program The University of Tulsa Professor: Akhilesh Bajaj Security: Personal & Business © Akhilesh Bajaj 2004,2005, 2007,
Need for Security Control access to servicesControl access to services Ensure confidentialityEnsure confidentiality Guard against attacksGuard against.
CCCognos Connection RSReport Studio ASAnalysis Studio QSQuery Studio ESEvent Studio CSContent Store FWM Framework.
MANAGING RISK. CYBER CRIME The use of the internet and developments in IT bring with it a risk of cyber crime. Credit card details are stolen, hackers.
Chapter 40 Network Security (Access Control, Encryption, Firewalls)
© Copyright 2009 SSLPost 01. © Copyright 2009 SSLPost 02 a recipient is sent an encrypted that contains data specific to that recipient the data.
Network Security and Cryptography
Lecture1.1(Chapter 1) Prepared by Dr. Lamiaa M. Elshenawy 1.
3/30/04Sergio Caltagirone Human/Computer Interaction Security and Privacy in the Digital Age Sergio Caltagirone University of Idaho 3/30/04.
Sources of Network Intrusion Security threats from network intruders can come from both internal and external sources.  External Threats - External threats.
M2 Encryption techniques Gladys Nzita-Mak. What is encryption? Encryption is the method of having information such as text being converted into a format.
Cisco Exam Questions IMPLEMENTING CISCO IOS NETWORK SECURITY (IINS V2.0) VERSION: Presents: 1.
Firewalls and Tunneling Firewalls –Acts as a barrier against unwanted network traffic –Blocks many communication channels –Can change the design space.
POLICIES & PROCEDURES FOR HANDLING CONFIDENTIAL INFORMATION NOVEMBER 5 TH 2015.
Why Does The Site Need an SSL Certification?. Security should always be a high concern for your website, but do you need an SSL certificate? A secure.
8 – Protecting Data and Security
CS457 Introduction to Information Security Systems
Architecture Review 10/11/2004
Threat Modeling for Cloud Computing
Network Security (the Internet Security)
VIRTUALIZATION & CLOUD COMPUTING
USAGE OF CRYPTOGRAPHY IN NETWORK SECURITY
Chapter 17 Risks, Security and Disaster Recovery
BY GAWARE S.R. DEPT.OF COMP.SCI
CS 465 Secure Last Updated: Nov 30, 2017.
Kerberos Kerberos is an authentication protocol for trusted hosts on untrusted networks.
How to Mitigate the Consequences What are the Countermeasures?
Process flow Kindly note: This presentation is automated – please do not click any of your mouse buttons or keyboard keys.
Unit # 1: Overview of the Course Dr. Bhavani Thuraisingham
ONAP Risk Assessment – Preparation Material - Overview of the Process - Terminology - Assumptions
Presentation transcript:

Information System Security Engineering and Management Risk Analysis and System Security Engineering Homework (#2, #3) Dr. William Hery

GTS System Description Poly is going to set up a new, streamlined grade and transcript server (GTS). There is already a grade database on a secure server (SGDB) that is used for entering and maintaining grade records. The new server will allow students to  view grades without directly accessing the SGDB  generate full transcripts to be sent to grad schools and potential employers from Poly in such a manner as to have the recipients of the transcripts trust that they are authentic. For the homework, assume that SGDB is already secure, but there will now be a new application/server accessing it. Also assume that students can access GTS from the Poly intranet, or from the Internet.

GTS Architecture SGDB GTS Student Employer Or Grad School InternetPoly Intranet

Assets at Risk (HW 2) Integrity of the grade database (but this is assumed to be a secure system for our purposes) Privacy of the student grades Integrity of the grades presented to the student Integrity of the transcripts sent out (and the trust the recipients have in that integrity) Availability of the GTS service Poly's reputation as a premier institution in information security and an NSA COE in IA

Threats (HW 2) Students who want to do general mischief or target specific students Outsiders who want to do general mischief or target specific students Students who want to send a fake transcript

Risk Management Approach (HW 2) Integrity of the grade database: transfer risk to SGDB owner privacy of the student grades: mitigate with technology (authentication of user via password); accept some risk of stolen password integrity of the grades presented to the student: mitigate with technology (protect GTS system) integrity of the transcripts sent out: mitigate by digitally signing transcripts availability of the GTS service: mitigate with firewall; accept some risk of breaking through firewall Poly's reputation as a premier institution in information security: mitigate with all of the above

Systems Engineering: First Steps Mission Needs Statement:  A system to allow students to securely access their grades, and to allow them to have authenticated transcripts ed to prospective employers and grad schools. CONOPS: A student logs into the GTS Server over the Internet or Poly’s Intranet. A user friendly GUI allows the student to see which courses they have taken and what their grades have been. The student can also request a complete transcript be ed to prospective employers and grad schools. For security reasons, the GTS will be a separate server from the existing, secure grade database, the SGDB.

System Architecture and Functional Requirements Architecture: see first slide GTS Functional Requirements:  User (student) interface: must authenticate user, accept user query, format response  SGDB interface: must format grade query, send to SGDB, accept response  Individual grade request  Complete transcript request  GTS must be able to create and send authenticated transcripts via

Hig Level Security Requirements Authentication of Students Protect SGDB from attack at SGDB/GTS interface (preserve integrity and privacy of the grade database) Protect all networks from snooping (privacy of grades) Protect confidentiality and integrity of all processing on the GTS server Provide a digital signature service to sign ed transcripts from GTS Protect GTS from denial of service attacks

Revised GTS Architecture With External Security Components SGDB GTS Student Employer Or Grad School InternetPoly Intranet MyPoly user Password auth. Poly Signing Service

Security Requirements Allocation: Authentication of Students: MyPoly User ID/Password authentication Protect SGDB from attack at SGDB/GTS interface: Custom interface to prevent attack (“application firewall”) Protect all networks from snooping: Encrypted network links Protect confidentiality and integrity of all processing on the GTS server: Server security Provide a digital signature service to sign ed transcripts from GTS: Poly Digital Signature Service Protect GTS from denial of service attacks: firewalls, secured server

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.