S.S. Yau, CSE465-591, Fall 2006: Administrative Security Procedural Controls.

Presentation transcript:

Slide 1: Administrative Security Procedural Controls

Slide 2: Contents
- Information Storage
- Passwords
  - Password introduction
  - Biometric passwords
  - Password attack methods
  - Managing passwords
- Auditing
  - Auditing systems
  - Audit process

Slide 3: Information Storage
Information can be stored in various formats on various storage media:
- Written documents and images on paper or negatives
- Voice recordings on tapes
- Digital information on:
  - Floppy disk
  - Zip disk
  - Flash memory (e.g. USB key drive, CF card, SD card)
  - Hard drive
  - CD (-R, -RW)
  - DVD (+R, -R, -RW, +RW)
  - Tape

Slide 4: Information Storage (cont.)
Information storage management includes:
- External marking of media
- Destruction of media
- Sanitization of media
- Transportation of media
- Emergency destruction

Slide 5: Passwords
- A password is information associated with an entity that confirms the entity's identity.
- Passwords have been widely used for a long time:
  - Bank card PIN
  - SSN associated with your mother's maiden name
  - Computer account login, ...
Reading: T1: ch11.2, T2: ch12.2

Slide 6: Biometric Passwords
- Face recognition
- Voice recognition
- Iris codes
- Fingerprints
- Handwritten signatures
- Keystroke
- Combinations
Reading: T1: ch11.4, T2: ch12.4

Slide 7: Biometric Passwords (cont.)
Advantages:
- Automatic identification of an individual
- Better results than a token or PIN
Problems:
- Performance: requires large computing resources
- Public acceptance: people are afraid of giving their fingerprints or iris patterns for security records

Slide 8: Password Attack Methods
Password guessing:
- The most common attack
- The attacker knows a login (from /web page, etc.) and attempts to guess the password
- Success of the attack depends on the password chosen by the user
- Some categories of passwords that are easy to guess:
  - Based on account names
  - Based on user names
  - Based on computer names
  - Dictionary words
  - Reversed dictionary words
  - Dictionary words with some or all letters capitalized

Slide 9: Password Attack Methods (cont.)
Password capture:
- Watching over the shoulder as the password is entered
- Using a Trojan horse (virus-infected) program
- Attacks on password entry due to faulty system design:
  - Eavesdropping: the password characters are transmitted as plaintext
  - The login screen is faked
  - Unlimited password retries
Storage attack:
- Analyzing unencrypted audit trails
- The password is stored as plain text

Slide 10: Managing Passwords
- Need password policies and good user education
- Ensure every account has a default password
- Ensure users change the default passwords to something they can remember
- Protect the password file from general access
- Set technical policies to enforce good passwords:
  - Minimum length (> 6)
  - Require a mix of upper- and lower-case letters, numbers and punctuation
  - Block known dictionary words
  - Require the password to be changed periodically
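The composition rules on this slide, together with the easy-to-guess categories from the Password Attack Methods slide, can be enforced at password-change time. The checker below is an added example, not code from the course; the word list, the account/user/host names and the sample passwords in the test are constructed.

```python
"""Added example: password-policy checker (not from the slides).
It enforces the technical policy on the 'Managing Passwords' slide
(length > 6, mixed case, digits, punctuation, no dictionary words) and
rejects the easy-to-guess categories on the 'Password Attack Methods'
slide (account, user or computer names; dictionary words, also reversed
or re-capitalised). DICTIONARY is a constructed stand-in for a word list."""
import string

MIN_LENGTH = 7  # the slide's "minimum length > 6"

# Constructed mini word list; a deployment loads a real dictionary file.
DICTIONARY = {"password", "welcome", "secret", "autumn", "dragon"}


def _embeds(needle, haystack):
    """True if needle, forwards or reversed, appears inside haystack.
    Both are compared lower-cased, so capitalised variants are covered."""
    n, h = needle.lower(), haystack.lower()
    return bool(n) and (n in h or n[::-1] in h)


def check_password(candidate, account, user, host, dictionary=DICTIONARY):
    """Return the list of policy violations; an empty list means accepted."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if not any(c.islower() for c in candidate):
        problems.append("no lower-case letter")
    if not any(c.isupper() for c in candidate):
        problems.append("no upper-case letter")
    if not any(c.isdigit() for c in candidate):
        problems.append("no digit")
    if not any(c in string.punctuation for c in candidate):
        problems.append("no punctuation")
    # Categories the attack slide lists as easy to guess.
    for label, name in (("account name", account), ("user name", user), ("computer name", host)):
        if _embeds(name, candidate):
            problems.append("based on %s" % label)
    # Dictionary words, also reversed or re-capitalised, even when embedded.
    for word in sorted(dictionary):
        if _embeds(word, candidate):
            problems.append("contains dictionary word %r" % word)
    return problems
```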

Slide 11: Auditing
- Auditing is a technique for determining security violations.
- Logging is the recording of events or statistics to provide information about system use and performance.
- Auditing is the analysis of log records to present information about the system in a clear and understandable manner.
Reading: T1: ch21.1, T2: ch24.1

Slide 12: Auditing (cont.)
Generally, to support auditing, the automated information system generates logs that indicate:
- What happened
- Who did it
- What went wrong
- How far some information spread
- Who had access to some information
- ...

Slide 13: Auditing Systems
An auditing system consists of three components:
- The logger: collects data
- The analyzer: analyzes the collected data
- The notifier: reports the results of the analysis
Reading: T1: ch21.2, T2: ch24.2

Slide 14: Auditing Systems (cont.)
Logger:
- The type and quantity of information recorded are decided by system or program configuration parameters
- Information may be recorded in binary or human-readable form, or transmitted directly to an analysis system

Slide 15: Auditing Systems (cont.)
Logger (cont.):
Examples of auditable events:
- Login
- Logoff
- Operating system changes
- User-invoked operating system commands
- User-invoked applications
- Read of data
- Creation of objects
- Network events

Slide 16: Auditing Systems (cont.)
Analyzer:
- An analyzer takes a log as input and analyzes it.
- The results of the analysis may lead to changes in the data being recorded, or to detection of some events or problems, or both.
- Example: the audit analysis mechanism used by an intrusion detection system to detect attacks by analyzing log records.

Slide 17: Auditing Systems (cont.)
Notifier:
- The notifier informs the analyst and other entities of the results of the audit.
- Actions may be taken in response to these results.
- Example: consider a login system in which three consecutive failed login attempts disable the user's account. When a user's failed login attempts reach 3, the audit system invokes the notifier, which reports the problem to the administrator and disables the account.
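The three components from the preceding slides, wired together for this login example: the logger parses the trail, the analyzer counts consecutive failures per user, and the notifier disables the account and reports to the administrator. This is an added illustration, not the course's code; the audit trail, user names and the LOGIN_OK/LOGIN_FAIL outcomes are constructed.

```python
"""Added example: logger / analyzer / notifier for the slide's login rule.
Three consecutive failed logins for one user trigger the notifier, which
reports to the administrator and disables the account; a successful login
resets the count. The audit trail below is constructed for the example."""
from collections import defaultdict

MAX_FAILURES = 3

# Constructed audit trail, one event per line: "timestamp user host outcome".
AUDIT_LOG = """\
2006-10-02T08:00:01 alice ws01 LOGIN_OK
2006-10-02T08:05:12 bob ws02 LOGIN_FAIL
2006-10-02T08:05:20 bob ws02 LOGIN_FAIL
2006-10-02T08:05:31 bob ws02 LOGIN_OK
2006-10-02T08:06:02 bob ws02 LOGIN_FAIL
2006-10-02T09:10:00 carol ws03 LOGIN_FAIL
2006-10-02T09:10:09 carol ws03 LOGIN_FAIL
2006-10-02T09:10:17 carol ws03 LOGIN_FAIL
2006-10-02T09:10:25 carol ws03 LOGIN_FAIL
"""

def logger(text):
    """Logger: parse the human-readable trail into event records."""
    events = []
    for line in text.splitlines():
        ts, user, host, outcome = line.split()
        events.append({"ts": ts, "user": user, "host": host, "ok": outcome == "LOGIN_OK"})
    return events

def analyzer(events, threshold=MAX_FAILURES):
    """Analyzer: track consecutive failures per user and raise one alert
    per user at the moment the threshold is reached."""
    streak = defaultdict(int)
    alerts = []
    for ev in events:
        if ev["ok"]:
            streak[ev["user"]] = 0      # a success breaks the run of failures
            continue
        streak[ev["user"]] += 1
        if streak[ev["user"]] == threshold:
            alerts.append(ev)
    return alerts

def notifier(alerts, accounts):
    """Notifier: disable each flagged account and build the admin report."""
    reports = []
    for ev in alerts:
        accounts[ev["user"]] = "disabled"
        reports.append("%s: %d consecutive failed logins for %s from %s; account disabled"
                       % (ev["ts"], MAX_FAILURES, ev["user"], ev["host"]))
    return reports
```

Bob's two failures are separated by a successful login, so only Carol's run of three triggers the notifier.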

Slide 18: Audit Process
Audit team:
- Accountants + people who are fascinated by auditing
- Needed expertise varies:
  - CISA - Certified Information Systems Auditor
  - CISM - Certified Information Systems Manager
- Check (Information Systems Audit and Control Organization) for further information

Slide 19: Steps of the Audit Process
1. Planning phase
2. Testing phase
3. Reporting phase

Slide 20: Planning Phase
- Entry meeting
- Define scope
- Learn controls:
  - Historical incidents
  - Past audits
  - Site survey
  - Review current IA policies
  - Questionnaires
- Define objectives
- Develop audit plan / checklist

Slide 21: Testing Phase
- Evaluate audit plan:
  - What data will be collected
  - How/when it will be collected
  - Site employees' involvement
  - Other relevant questions
- Data collection:
  - Based on scope/objectives
  - Types of data:
    - Activities involving physical security
    - Staff interviews
    - Vulnerability assessments
    - Access control assessments

Slide 22: Reporting Phase
- Exit meeting - short report:
  - Immediate problems
  - Questions and answers for site managers
  - Preliminary findings
  - NOT able to give in-depth information
- Long report after going through the data:
  - Objectives/scope
  - How data was collected
  - Summary of problems
  - In-depth description of problems
  - Glossary of terms
  - References
- Any computer misuse or abuse should be reported, and law enforcement may be involved if needed

Slide 23: References
- M. Merkow, J. Breithaupt, Information Security: Principles and Practices, Prentice Hall, August 2005.
- Matt Bishop, Introduction to Computer Security, Addison-Wesley, 2004.
- Matt Bishop, Computer Security: Art and Science, Addison-Wesley, 2002.