Security Week 10 Lecture 1. Why do we need security? Identify and authenticate people wanting to use the system Prevent unauthorised persons from accessing.

Slides:

Advertisements

Similar presentations

Organizing Information Technology Resources

Advertisements

POSSIBLE THREATS TO DATA

Avoid data leakage, espionage, sabotage and other reputation and business risks without losing employee performance and mobility.

McGraw-Hill/Irwin ©2009 The McGraw-Hill Companies, All Rights Reserved CHAPTER 4 ETHICS AND INFORMATION SECURITY Business Driven Information Systems 2e.

Computer Science and Computer Engineering. parts of the computer.

Avoid data leakage, espionage, sabotage and other reputation and business risks without losing employee performance and mobility. Simplify authentication.

Lecture 2 Page 1 CS 236, Spring 2008 Security Principles and Policies CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Spring, 2008.

FIT3105 Smart card based authentication and identity management Lecture 4.

Network Security Testing Techniques Presented By:- Sachin Vador.

Security Management IACT 918 July 2004 Gene Awyzio SITACS University of Wollongong.

ITS Offsite Workshop 2002 PolyU IT Security Policy PolyU IT/Computer Systems Security Policy (SSP) By Ken Chung Senior Computing Officer Information Technology.

Distributed Information Systems - The Client server model

Security Management IACT 418/918 Autumn 2005 Gene Awyzio SITACS University of Wollongong.

Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.

Factors to be taken into account when designing ICT Security Policies

Brian Bradley.  Data is any type of stored digital information.  Security is about the protection of assets.  Prevention: measures taken to protect.

Client Server Security. Introduction Although client/server architecture is the most popular and widely used computing environment, it the most vulnerable.

Security Architecture Dr. Gabriel. Security Database security: –degree to which data is fully protected from tampering or unauthorized acts –Full understanding.

Client Server Security DeSiaMorePowered by DeSiaMore1.

Threats to I.T Internet security By Cameron Mundy.

Security Measures Using IS to secure data. Security Equipment, Hardware Biometrics –Authentication based on what you are (Biometrics) –Biometrics, human.

Prepared by:Nahed AlSalah Data Security 2 Unit 19.

E-business Security Dana Vasiloaica Institute of Technology Sligo 22 April 2006.

Air Force Association (AFA) 1. 1.Access Control 2.Four Steps to Access 3.How Does it Work? 4.User and Guest Accounts 5.Administrator Accounts 6.Threat.

UNIT 3C Security of Information. SECURITY OF INFORMATION Firms use passwords to prevent unauthorised access to computer files. They should be made up.

Security of Data. Key Ideas from syllabus Security of data Understand the importance of and the mechanisms for maintaining data security Understand the.

Stuart Cunningham - Computer Platforms COMPUTER PLATFORMS Computer & Network Security & User Support & Training Week 11.

BUS1MIS Management Information Systems Semester 1, 2012 Week 7 Lecture 1.

GCSE ICT Viruses, Security & Hacking. Introduction to Viruses – what is a virus? Computer virus definition - Malicious code of computer programming How.

Health & Social Care Apprenticeships & Diploma

Component 4: Introduction to Information and Computer Science Unit 8: Security Lecture 2 This material was developed by Oregon Health & Science University,

Current Job Components Information Technology Department Network Systems Administration Telecommunications Database Design and Administration.

BUSINESS B1 Information Security.

How Hospitals Protect Your Health Information. Your Health Information Privacy Rights You can ask to see or get a copy of your medical record and other.

Chapter 12 by Lisa Reeves Bertin Securing Information in a Network.

Important acronyms AO = authorizing official ISO = information system owner CA = certification agent.

Today’s Lecture Covers < Chapter 6 - IS Security

Auditing Information Systems (AIS)

Information Security Governance and Risk Chapter 2 Part 3 Pages 100 to 141.

Information: Policy, Strategy and Systems Module Overview

G061 - Network Security. Learning Objective: explain methods for combating ICT crime and protecting ICT systems.

John Carpenter & lecture & Information Security 2008 Lecture 1: Subject Introduction and Security Fundamentals.

McGraw-Hill/Irwin ©2008 The McGraw-Hill Companies, All Rights Reserved INFORMATION SECURITY SECTION 4.2.

UNIT 19 Data Security 2.

Network Security & Accounting

Cmpe 471: Personnel and Legal Issues. Personnel Crime is a human issue not a technological one Hiring On-going management Unauthorised access Redundancy.

ORGANIZING IT SERVICES AND PERSONNEL (PART 1) Lecture 7.

INTERNAL CONTROLS What are they? Why should I care?

Information Systems Unit 3.

Workshop 2 Tutor: William Yeoh School of Computer and Information Science Secure and High Integrity System (INFT 3002)

Engineering and Management of Secure Computer Networks School of Engineering © Steve Woodhead 2009 Corporate Governance and Information Security (InfoSec)

Computer Security By Duncan Hall.

 Face to face  Oral  Written  Visual  Electronic Communication in Administration 2.

Computer Networks. Computer Network ► A computer network is a group of computers that are linked together.

CPT 123 Internet Skills Class Notes Internet Security Session B.

“Lines of Defense” against Malware.. Prevention: Keep Malware off your computer. Limit Damage: Stop Malware that gets onto your computer from doing any.

Unit 32 – Networked Systems Security

Access Control for Security Management BY: CONNOR TYGER.

Syo-401 Question Answer. QUESTION 1 An achievement in providing worldwide Internet security was the signing of certificates associated with which of the.

Important acronyms AO = authorizing official ISO = information system owner CA = certification agent.

By the end of this lesson you will be able to: 1. Determine the preventive support measures that are in place at your school.

The Payment Card Industry Data Security Standard (PCI DSS) is a proprietary information security standard for organizations that handle branded credit.

INFORMATION SECURITY The protection of information from accidental or intentional misuse of a persons inside or outside an organization Comp 212 – Computer.

Security in Networking

Security of People, Property and Information

County HIPAA Review All Rights Reserved 2002.

12 STEPS TO A GDPR AWARE NETWORK

Security of Data

Security Principles and Policies CS 236 On-Line MS Program Networks and Systems Security Peter Reiher.

Introduction to the PACS Security

Presentation transcript:

Security Week 10 Lecture 1

Why do we need security? Identify and authenticate people wanting to use the system Prevent unauthorised persons from accessing the system Stealing information Doing malicious damage Prevent authorised persons from Doing things they ought not Seeing data they ought not

Security in perspective Read the preface from Schneier’s book –it is on the web “Security is a chain; it's only as secure as the weakest link.” "Security is a process, not a product." “If you think technology can solve your security problems, then you don't understand the problems and you don't understand the technology.”

Or Computer system security is NOT Network security and Network Security is not Cryptography

And Like Reliability and Performance Security starts in design and continues for the life of the system

Common misconceptions – The Economist - October 26 th 2002 Security can be fixed with technology Security can be left to the specialists Security is about virus outbreaks and malicious hackers Security is very boring This article is up on the web.

Access WAN Communications LAN Physical Data Where is the risk?

Another quote Mathematics (cryptography) are impeccable Computers are vincible Networks are lousy People are abysmal

Three key elements Prevention Detection Reaction

Security risks are within Most books concentrate on network security, but most DIS are of little interest to people outside Most security breaches are from within the organisation and by relatively technically illiterate people (one survey suggests 70% of attacks are from inside) They are people who want something they ought not have – like your medical records, your pay details, your exam marks – perhaps next month’s DIS exam!

Security is in the hands of: System architect Analysts & Programmers System administrator Database administrator Network manager Risk manager According 70% of security defects are due to flaws In software design.

Risk assessment Identify the risk before determining the solution We used to secure the perimeter, now there is no door to lock

Security starts with policies Hardware and software implement policies (the police and the law courts would be of little use without legislation) The policy statement will: State that security is important to the organisation Define the principles underlying the organisation’s security Define what constitutes acceptable use Give notice that security is monitored State what the procedure is when security is breached The aim is to make security everyone’s business

Publicity is important A policy is of little use if all staff do not know about it In some organisations new staff are required to read and sign the security policy Reminders are necessary It needs to be kept up to date It helps to have the odd public execution

Policies, Standards & Procedures Policy Password access is required to all key systems Standard defines how the policy is to be achieved Passwords are to be changed every 3 months Passwords must not be repeats of previous passwords Passwords will have a minimum of 6 characters Etc Procedure implements the standard A temporary password is allocated by personnel, as part of the user account creation process The temporary password has a currency of 1 week and must be changed by the user within that period etc

Access level Staff are grouped according to the rights and responsibilities they have on the system For example the policy on access to the HR system may be: Staff can view their own records Staff have access to the telephone and office/location list for all staff Staff can change own home contact and next of kin details Other staff details may only be changed by HR staff Managers have access to the records of staff reporting to them

This gives a matrix of rights Staff can see full list of staff but showing limited details Managers can see all details of staff they are responsible for Staff can change some details of own record HR can change all details Managers can change no details

We have three access levels Staff Managers HR people But we also need to know: The ID of the person accessing the system The staff that report to a manager The department a person is in

How do we implement this? Within the application because we know the functions of the system Within the database, users can be restricted Not allowed to use DBA functions May see some tables but not update them May be restricted to see or update a “view” of a table

What is a view? A view can be a subset of the records and/or a subset of the attributes of those records Example –Create view STAFF_LIST as –Select STAFF_RECORD where STAFF_ID is equal to USER_ID This view might be appropriate for staff looking at their own records

Identification & authentication Identification – “Who are you” Authentication – “Prove it” Its aim is to –Let authorised persons in –Keep unauthorised persons out –Keep a record of what happens

Authentication is based on Something you know – password Something you are – biometrics Something you have – card or token And often two of these –Your Mastercard & –PIN number

Authentication of the user The whole mechanism is dependent on a reliable authentication of the person accessing the system In most systems this is done by password But passwords can be easily misused KPMG auditor quoted as saying most passwords can be broken within 30 seconds Canadian police reckon the key to a person’s password is within 2 metres of his or her PC But we are asked to remember so many passwords and then change them every three months

People often give their password to others Usually because they need that person to do their job System should allow a person to give another a proxy to act on their behalf, but where they can use their own password People with high access levels have to be very careful

People who leave are sometimes a security risk A client list may be handy in their next job Restrict people to what they need to know Restrict physical access to servers, tape drives, back-up tapes etc Limit the quantity of data that can be listed – in pages of printout Restrict access to DBMS tools

There are other means of authentication Keyboards can accept swiped ID cards Tokens that generate random numbers in synch with the operating system Modems generate password or require call back Physical access via electronic key Thumb, voice or retina scan

Identity management systems Software that sits in front of an organisation’s applications Identifies and authenticates Determines users privileges One point of control, so that things don’t get missed Can be maintained by managers not technical staff.