Presented by: Dr. Munam Ali Shah
Network Security, Lecture 2
Presented by: Dr. Munam Ali Shah

Summary of the previous lecture
We discussed the security problem. Can you recall when a system is secure? A system is secure when its resources are used and accessed as intended under all circumstances.

Summary of the previous lecture
We also discussed the security violation categories:
- Breach of confidentiality: unauthorized reading of data
- Breach of integrity: unauthorized modification of data
- Breach of availability: unauthorized destruction of data
- Theft of service: unauthorized use of resources
- Denial of service (DoS): prevention of legitimate use

Summary of the previous lecture
We also discussed that, to be effective, security must be deployed at the following four levels:
- Physical: use of locks, safe rooms, restricting physical access
- Human: insider jobs, an attacker pretending to be a genuine user
- Operating system: protection mechanisms such as passwords on accounts, privileged access, etc.
- Network: attacks coming from other networks or the Internet

Outline
We will discuss more on security with some examples and a case study:
- Threat modelling and risk assessment
- Security tradeoffs

Objectives
- To describe the threats and vulnerabilities in a computing environment.
- To understand and distinguish the tradeoffs between security and ease of use.

A case study
Read the following incident and try to find which security breach or breaches occurred, and what can go wrong.
"The U.S. Department of Energy (DOE) has confirmed a recent cyber incident that occurred at the end of July 2013 and resulted in the unauthorized disclosure of federal employee Personally Identifiable Information (PII). It is believed about 14,000 past and current DOE employees' PII may have been affected. The incident included the compromise of 14 servers and 20 workstations. The data that was exposed includes names, dates of birth, blood types, Social Security Numbers, other government-issued identification numbers, and contact information. At the time, officials blamed Chinese hackers, but two weeks later a group calling itself Parastoo (a common girl's name in Farsi) claimed they were behind the breach, posting data that was hacked from a DOE webserver."
[http://www.csoonline.com/article/738230/u.s.-dept.-of-energy-reports-second-security-breach]

Another case study
Read the following incident and try to find which security breach or breaches occurred, and what can go wrong.
"In early February, a hotel franchise management company that manages 168 hotels in 21 states suffered a data breach that exposed hundreds of guests' debit and credit card information in 2013. White Lodging Services Corporation maintains hotel franchises for some of the top names in lodging such as Hilton, Marriott, Westin and Sheraton. Sources reported that the data breach centered mainly around the gift shops and restaurants within these hotels managed by White Lodging, not necessarily the front desk computers where guests pay for their rooms."
[http://www.forbes.com/sites/moneybuilder/2015/01/13/the-big-data-breaches-of-2014/]

Findings from the case studies
- There are hundreds and hundreds of security breaches occurring around us.
- All companies, organizations and individuals need to be vigilant.
- Security must be deployed at multiple levels.

Security needs and objectives
- Authentication (who is the person, server, software, etc.)
- Authorization (what is that person allowed to do)
- Privacy (controlling one's personal information)
- Anonymity (remaining unidentified to others)
- Non-repudiation (a user can't deny having taken an action)
- Audit (having traces of actions in separate systems/places)

Safety vs. security
- Safety is about protecting from accidental risks:
  road safety; air travel safety
- Security is about mitigating risks of dangers caused by intentional, malicious actions:
  homeland security; airport and aircraft security; information and computer security
- It is easier to protect against accidental than malicious misuse.

The Hackers
- Hacker: intruders (crackers) attempt to breach security, but a hacker's intention is not destruction.
- Cracker/Intruder/Attacker: a person who breaks into the system and destroys data or steals sensitive information.

Historical hackers (prior to 2000)
Profile:
- Male
- Between 14 and 34 years of age
- Computer addicted
- No commercial interest!!!
Source: Raimund Genes

Threat, Vulnerability and Attack
- Threat: what can go wrong.
- Vulnerability: a weakness in the system which allows an attacker to reduce its usage.
- Attack: when something really happens and the computer system has been compromised.

Hackers and attackers are evil geniuses
- Hackers and attackers are not ordinary people.
- They are expert-level programmers.
- They know most of the systems' workings and functionality.
- They don't create risks or vulnerabilities; they simply exploit them.

Why is security difficult to achieve?
- A system is only as secure as its weakest element, like a chain.
- The defender needs to protect against all possible attacks (currently known, and those yet to be discovered).
- The attacker chooses the time, place and method.

Why is security difficult to achieve?
Security in computer systems is even harder:
- Great complexity: dependency on the operating system, file system, network, physical access, etc.
- Software/system security is difficult to measure: is function a() 30% more secure than function b()? There are no security metrics.
- How do we test security?
- Deadline pressure.
- Clients don't demand security... and can't sue a vendor.

Threat Modeling and Risk Assessment
Threat modeling: what threats will the system face?
- What could go wrong?
- How could the system be attacked, and by whom?
Risk assessment: how much to worry about them?
- Calculate or estimate the potential loss and its likelihood.
- Risk management: reduce both the probability and the consequences of a security breach.
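The slide's two steps, "what could go wrong" and "how much to worry about it", can be carried through as a small risk register. This is an added example, not part of the lecture; the threats, likelihoods, loss figures and mitigation factors are constructed to echo the two case studies, and risk is taken as likelihood times loss, with each mitigation scaling probability and consequence separately.

```python
"""Added example (not from the lecture): a minimal risk register that turns
the threat-modeling questions into numbers.  All figures are constructed."""
from dataclasses import dataclass, field


@dataclass
class Threat:
    name: str                      # what could go wrong
    category: str                  # violation category from lecture 1
    likelihood: float              # estimated probability per year (0..1)
    loss: float                    # estimated loss if it happens (currency units)
    # planned mitigations as (probability_factor, loss_factor) pairs
    mitigations: list = field(default_factory=list)

    def risk(self, mitigated: bool = False) -> float:
        """Expected annual loss = likelihood x loss.  Mitigations scale the
        probability and the consequence independently, which is how risk
        management can reduce 'both probability and consequences'."""
        p, l = self.likelihood, self.loss
        if mitigated:
            for pf, lf in self.mitigations:
                p *= pf
                l *= lf
        return p * l


def prioritise(threats):
    """Threats ordered by expected loss, highest first: what to worry about most."""
    return sorted(threats, key=lambda t: t.risk(), reverse=True)


def residual_risk(threats):
    """Total expected loss before and after the planned mitigations."""
    before = sum(t.risk() for t in threats)
    after = sum(t.risk(mitigated=True) for t in threats)
    return before, after


# Constructed register modelled on the two case studies in the lecture.
REGISTER = [
    Threat("PII read from exposed web server", "confidentiality", 0.20, 500_000,
           [(0.5, 1.0),     # patching/hardening halves the chance of compromise
            (1.0, 0.2)]),   # encrypting PII at rest cuts the loss if it is read
    Threat("card data skimmed at gift-shop POS", "confidentiality", 0.30, 300_000,
           [(0.25, 1.0)]),  # network segmentation plus POS monitoring
    Threat("DoS takes booking site offline", "availability", 0.50, 40_000,
           [(1.0, 0.5)]),   # upstream filtering halves the downtime cost
]

if __name__ == "__main__":
    for t in prioritise(REGISTER):
        print(f"{t.category:16}{t.name:40}{t.risk():>10,.0f} -> {t.risk(True):>8,.0f}")
    print("total expected loss: %.0f -> %.0f" % residual_risk(REGISTER))
```

Ranking the register before mitigation shows the PII exposure first even though the card-skimming threat is more likely, because the loss per incident dominates.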

Summary of today's lecture
- Today we discussed who the hackers are and what their motivation is.
- We also discussed the difference between a vulnerability and an attack.
- We continued our discussion on threat modelling and risk assessment.
- We have seen that there are security tradeoffs: too much security can be inconvenient.
- And lastly, we discussed different security testing tools that can be used for penetration testing.

Next lecture topics
- We will discuss the difference between protection and security.
- How protection, detection and reaction can make our networks and systems more secure.
- The concept of firewalls will form part of the next lecture.

The End