What does “secure” mean? Protecting Valuables

Presentation transcript:

What does “secure” mean? Protecting Valuables
A computer-based system has three separate valuable components: hardware, software and data.
Attacks: when you test your system, one of your jobs is to imagine how the system could malfunction.

Threats, Vulnerability, and Control
- Only legitimate users have access to the data.
- We want our security system to make sure that no data are disclosed to unauthorized parties. In this way we can identify weaknesses in the system.
- A vulnerability is a weakness in the security system (e.g. a particular system is vulnerable to unauthorized data manipulation because it does not verify a user's identity before allowing data access).
- A threat to a computing system is a set of circumstances that has the potential to cause loss or harm.

A human who exploits (makes use of) a vulnerability commits an attack on the system.
- "A threat is blocked by the control of a vulnerability."
Threats are of four kinds:
1. Interception (unauthorized access, wiretapping)
2. Interruption (asset is lost or unavailable)
3. Modification (changes/alterations to a database or program file)
4. Fabrication (inserting spurious transactions, adding records to a database)
Note: a system's vulnerabilities are useful for setting security goals.
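The slide's example vulnerability (a system that does not verify a user's identity before allowing data access) and the control that blocks the resulting modification threat, as an added example that is not part of the original presentation. The record store, user names, permissions and the token-signing key are all constructed for the demo; the token scheme (an HMAC over the username) stands in for whatever session mechanism a real system would use.

```python
# Added example (not from the slides): a record store that omits the
# identity check the slide names as a vulnerability, beside a hardened
# version that authenticates the caller and then authorizes the request.
# Users, records, permissions and the signing key are constructed.
import copy
import hashlib
import hmac
import secrets

# Constructed sample data: records, and which user may act on which record.
SAMPLE_RECORDS = {
    "acct-1001": {"owner": "alice", "balance": 250.0},
    "acct-2002": {"owner": "bob", "balance": 90.0},
}
PERMISSIONS = {"alice": {"acct-1001"}, "bob": {"acct-2002"}}

# Server-side key for signing session tokens (constructed; a real system
# would load it from a secret store rather than generate it per process).
_SERVER_KEY = secrets.token_bytes(32)


def issue_token(username: str) -> str:
    """Issue a session token of the form 'username.hexmac' after login."""
    mac = hmac.new(_SERVER_KEY, username.encode(), hashlib.sha256).hexdigest()
    return f"{username}.{mac}"


def verify_token(token: str):
    """Return the username if the token's MAC checks out, else None."""
    username, sep, mac = token.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(_SERVER_KEY, username.encode(), hashlib.sha256).hexdigest()
    return username if hmac.compare_digest(mac, expected) else None


def set_balance_vulnerable(store, claimed_user, record_id, new_balance):
    """VULNERABLE: trusts whatever identity the caller claims and never
    checks permissions, so any caller can alter any record (the
    unauthorized data manipulation the slide describes)."""
    store[record_id]["balance"] = new_balance
    return store[record_id]["balance"]


def set_balance_hardened(store, token, record_id, new_balance):
    """Control: verify identity first (authentication), then check that this
    user may modify this record (authorization); only then change data."""
    user = verify_token(token)
    if user is None:
        raise PermissionError("authentication failed")
    if record_id not in PERMISSIONS.get(user, set()):
        raise PermissionError("not authorized for this record")
    store[record_id]["balance"] = new_balance
    return store[record_id]["balance"]


def demo():
    """Exercise both versions on fresh copies of the sample store and
    return the outcome of each scenario."""
    results = {}
    store = copy.deepcopy(SAMPLE_RECORDS)
    # Weak system: an unknown caller zeroes alice's balance unchallenged.
    results["vulnerable_unknown_caller"] = set_balance_vulnerable(
        store, "mallory", "acct-1001", 0.0)

    store = copy.deepcopy(SAMPLE_RECORDS)
    # Hardened system: alice with a valid token may change her own record.
    results["hardened_owner"] = set_balance_hardened(
        store, issue_token("alice"), "acct-1001", 300.0)
    # Bob is authenticated but not authorized for alice's record.
    try:
        set_balance_hardened(store, issue_token("bob"), "acct-1001", 0.0)
        results["hardened_other_user"] = "allowed"
    except PermissionError as e:
        results["hardened_other_user"] = str(e)
    # A token with a bad MAC fails authentication.
    try:
        set_balance_hardened(store, "alice.0000", "acct-1001", 0.0)
        results["hardened_forged_token"] = "allowed"
    except PermissionError as e:
        results["hardened_forged_token"] = str(e)
    # The rejected attempts left the record untouched.
    results["final_balance"] = store["acct-1001"]["balance"]
    return results


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(f"{scenario}: {outcome}")
```

The hardened function shows the control from the slide in two steps: establishing who the caller is, then deciding whether that caller is allowed this operation on this asset. Dropping either step leaves the vulnerability open, which is why both are checked before any data is written.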

Method, Opportunity and Motive (MOM)
A malicious attacker must have three things:
1. Method: the skill, knowledge and tools to pull off the attack.
2. Opportunity: the time and access to accomplish the task.
3. Motive: a reason to want to perform the attack against the system.

Chapter 1: Introduction
Computer Security
- When we talk about "computer security" we mean that we are addressing three very important aspects of a computer-related system: confidentiality, integrity and availability.
- Confidentiality: ensures that computer-related assets are accessed only by authorized parties.
- Integrity: means that assets can be modified only by authorized parties or in authorized ways.
- Availability: means that assets are accessible to authorized parties at appropriate times; that is, legitimate users must not be prevented from accessing them.

The relationship between confidentiality, integrity and availability is shown graphically (figure not included in the transcript).

Computer Criminals
Most computer criminals are ordinary computer professionals. Types are:
- Amateurs: normal people, not career criminals, who observe a weakness in a security system that allows them to access cash or other valuables.
- Crackers: often university students who attempt to access unauthorized computing facilities; they try to log in just to see whether it can be done, attacking out of curiosity, for personal gain, or for self-satisfaction.
- Career criminals: begin as computer professionals who engage in computer crime; good prospects and pay-off.

Methods of Defense
- Computer crime is going to continue. For this reason we must look carefully at controls for preserving C-I-A.
Controls:
- Physical security in early ages (castles, forts, strong gates, heavy walls, etc.).
- Today we use strong locks on doors and burglar alarms to secure our valuables.
The different controls available are:
1. Encryption (scrambling): data is unintelligible to the outside observer.
2. Software controls: programs must be secure enough to prevent outside attack.

Program controls include:
- Internal program controls (e.g. access limitation).
- Operating system and network controls (e.g. to protect one user from another).
- Independent program controls (e.g. application programs such as password checkers, IDS, virus scanners, etc.).
- Development controls: quality standards under which a program is designed, coded and tested.
3. Hardware controls:
- Smart cards with encryption.
- Locks or cables limiting access.
- Devices to verify users' identity.
- Firewalls, IDS, etc.

Policies and procedures: sometimes we can rely upon agreed-upon policies and procedures among users (e.g. frequent changes of password). Training and administration follow immediately after the establishment of policies.
Effectiveness of controls: controls must be used properly and effectively.
1. Awareness of problem: people should be aware of the need for security.
2. Likelihood of use: controls must be used, and used properly, to be effective.
3. Overlapping controls: several different controls may apply to address a single vulnerability (overlapping controls are sometimes called layered defense).
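Overlapping controls on a single vulnerability, as an added example that is not part of the original presentation: three independent checks (extension allowlist, size limit, content signature) are all applied to an uploaded file, so an input that satisfies one check is still stopped by another. The size limit, allowlist, signatures and sample files are constructed for the demo.

```python
# Added example (not from the slides): several overlapping controls applied
# to one vulnerability, accepting an attacker-supplied file, so that an
# input that slips past one check is still stopped by another.
# Limits, allowlists, signatures and sample files are constructed.
from dataclasses import dataclass

MAX_SIZE = 1024 * 1024                      # 1 MiB limit (constructed policy)
ALLOWED_EXT = {"png", "jpg"}                # allowlist of extensions
SIGNATURES = {                              # leading bytes each type must carry
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
}


@dataclass
class Upload:
    name: str
    data: bytes


def _ext(name: str) -> str:
    """Lower-cased extension of a file name, or '' if it has none."""
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def check_extension(u: Upload):
    """Control 1: only allowlisted extensions are accepted."""
    return None if _ext(u.name) in ALLOWED_EXT else "extension not allowed"


def check_size(u: Upload):
    """Control 2: bound resource use so one upload cannot exhaust storage."""
    return None if len(u.data) <= MAX_SIZE else "file too large"


def check_signature(u: Upload):
    """Control 3: the content must match what the extension claims."""
    sig = SIGNATURES.get(_ext(u.name))
    if sig is None:
        return "no signature known for this type"
    return None if u.data.startswith(sig) else "content does not match extension"


CONTROLS = [check_extension, check_size, check_signature]


def vet_upload(u: Upload) -> list:
    """Run every control and return the list of failures (empty = accept).
    All controls run rather than short-circuiting, so the result shows
    which layers would each have stopped the input on their own."""
    return [msg for msg in (c(u) for c in CONTROLS) if msg is not None]


def demo():
    """Vet a few constructed uploads and return the failures for each."""
    samples = {
        "good": Upload("photo.png", SIGNATURES["png"] + b"\x00" * 64),
        # Passes the extension check; caught by the signature check.
        "renamed_exe": Upload("photo.png", b"MZ\x90\x00" + b"\x00" * 64),
        # Caught by two independent layers.
        "wrong_ext": Upload("tool.exe", b"MZ\x90\x00"),
        # Well-formed content; caught by the size limit.
        "oversized": Upload("big.jpg", SIGNATURES["jpg"] + b"\x00" * MAX_SIZE),
    }
    return {name: vet_upload(up) for name, up in samples.items()}


if __name__ == "__main__":
    for name, failures in demo().items():
        print(f"{name}: {'accepted' if not failures else failures}")
```

The point of running every control rather than stopping at the first failure is the slide's "likelihood of use": a layer that is misconfigured or skipped in one deployment is still backed by the others, and the per-layer results make it visible when a single layer is doing all the work.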