Chapter 1 COMPUTER AND NETWORK SECURITY PRINCIPLES.

Content
– Importance of Computer and Network Security
– Underlying Computer and Network Security Concepts
– Threats and Countermeasures
– Policies and Standards

Importance of Computer and Network Security
Computer security: involves implementing measures to secure a single computer (protecting the resources stored on that computer and protecting that computer from threats).
Network security: involves protecting all the resources on a network from threats (computers on the network, network devices, network transmission media, and the data being transmitted across the network).
Types of attack:
– Exposing secrets
– Causing system failures
– Social engineering

Exposing Secrets
Problems:
– A hacker discovers the password on your device and then publishes your personal data.
– A hacker intercepts data sent across insecure internet protocols to attack the target (for example, while you buy merchandise on the internet).
– Badly protected servers at a target site.
– Another potential risk is identity theft (name, social security number, bank account number, etc.).
Solutions:
– Use a complex password to protect your device.
– Use secure internet protocols such as HTTPS and TLS.
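The slide recommends HTTPS/TLS but does not say what "using TLS" requires on the client side: a connection that skips certificate verification is still interceptable. The added example below (not part of the original slides) builds a deliberately weak client context beside a hardened one and audits both with Python's standard ssl module; the audit function and its finding strings are assumptions made here.

```python
"""Added example: a hardened TLS client context next to a weak one.

Not part of the original slides. The 'weak' context is constructed here
only to show what a client-side audit would flag; the hardened one is
what an application should use for its HTTPS/TLS connections.
"""
import ssl


def weak_client_context() -> ssl.SSLContext:
    """Constructed weak configuration: server certificate verification disabled.

    Such a context accepts any certificate, so an interception proxy on the
    path could read or modify the 'secure' traffic without being noticed.
    The TLS version floor is left at the library default.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before CERT_NONE is allowed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_client_context() -> ssl.SSLContext:
    """Client context that verifies the server and refuses TLS older than 1.2."""
    # create_default_context(): CERT_REQUIRED, hostname check, system CA store
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list[str]:
    """Return a list of findings for a client context; empty means it passes."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate is not verified")
    if not ctx.check_hostname:
        findings.append("certificate hostname is not checked")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("TLS versions below 1.2 are accepted")
    return findings


if __name__ == "__main__":
    for name, ctx in (("weak", weak_client_context()),
                      ("hardened", hardened_client_context())):
        print(name, audit_context(ctx) or ["OK"])
```

The hardened context is what `urllib`, `http.client` and most HTTP libraries should be handed; the two attributes the audit checks first (`verify_mode` and `check_hostname`) are exactly the ones that disappear when developers "fix" a certificate error by disabling verification.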

Risks of using an e-commerce website

Causing System Failures
Problem: attackers use a variety of techniques to cause damage.
– Vulnerabilities in software that accepts user input, such as Internet browsers or other software, can allow external parties to take control of a device.
– Worms and viruses make use of overgenerous features or vulnerabilities to spread widely and overload networks and end systems with the traffic they generate.
– A denial-of-service attack is one that prevents a server from performing its normal job.

Social Engineering
A social engineering attack is one that involves people, not computers.
How social engineering attacks work:
– An attacker calls an employee on the phone claiming to be an administrator. The caller asks for the user’s name and password so they can verify the user’s network settings.
– An attacker who does not work for the company claims to be a temporary employee or contractor. The attacker is allowed access to a computer or, worse, to the server room.
– An attacker sifts through documents in the trash bin to discover employee names, organizational hierarchy, or even network configuration data.
Protecting against social engineering:
– Educating employees about unsafe practices.

Underlying Computer and Network Security Concepts
Key concepts underlying computer and network security include the following:
– Confidentiality: prevention of unauthorized disclosure of information (applies both to data stored on a computer and to data transmitted across a network).
– Integrity: prevention of unauthorized modification of information.
– Availability: prevention of unauthorized withholding of information or resources.
– Accountability: holding users accountable for their actions (users should be held responsible for their actions).
– Nonrepudiation: the ability to ensure that someone cannot deny (i.e., repudiate) his or her actions (for example, providing evidence that a message was delivered to a specific recipient).

Man-in-the-middle attack (integrity)
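To make the integrity concept and the man-in-the-middle figure concrete, the following added example (not part of the original slides) models a sender, an attacker who rewrites an order in transit, and a receiver. Without an integrity check the altered order is accepted; with an HMAC keyed by a secret shared between sender and receiver, the forgery is rejected. The key, the order message and the rewrite the attacker performs are constructed sample values.

```python
"""Added example: detecting in-transit tampering with a message authentication code.

Not part of the original slides. Uses only the standard library (hmac,
hashlib). The shared key and messages are constructed demo values.
"""
import hashlib
import hmac
from typing import Optional, Tuple

# Constructed shared secret; in practice it is agreed during a key exchange,
# never hard-coded in source.
SHARED_KEY = b"constructed-demo-key-do-not-reuse"

# Constructed order message as the sender transmits it.
ORDER = b"order=1234;amount=99.00;payee=shop"


def protect(message: bytes, key: bytes = SHARED_KEY) -> Tuple[bytes, bytes]:
    """Sender side: return the message together with its HMAC-SHA256 tag."""
    tag = hmac.new(key, message, hashlib.sha256).digest()
    return message, tag


def verify(message: bytes, tag: bytes, key: bytes = SHARED_KEY) -> bool:
    """Receiver side: recompute the tag; compare_digest avoids timing leaks."""
    expected = hmac.new(key, message, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)


def man_in_the_middle(message: bytes) -> bytes:
    """Constructed attacker sitting on the path: redirects the payment."""
    return message.replace(b"payee=shop", b"payee=attacker")


def deliver_unprotected(message: bytes) -> bytes:
    """Channel with no integrity check: whatever arrives is accepted as-is."""
    return man_in_the_middle(message)


def deliver_protected(message: bytes) -> Optional[bytes]:
    """Channel with HMAC: the message is returned only if its tag verifies.

    The attacker can change the bytes but cannot recompute the tag without
    the shared key, so the receiver detects the modification and drops it.
    """
    msg, tag = protect(message)
    tampered = man_in_the_middle(msg)
    return tampered if verify(tampered, tag) else None


if __name__ == "__main__":
    print("unprotected channel delivered:", deliver_unprotected(ORDER))
    print("protected channel delivered:  ", deliver_protected(ORDER))
```

One caveat that ties back to the concept list: an HMAC gives integrity and origin authentication between the two parties holding the key, but not nonrepudiation, because either of them could have produced the tag. Nonrepudiation needs a digital signature made with a private key that only the sender holds.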

A denial-of-service attack (smurf attack)

Confidentiality and Integrity Requirements

Threats and Countermeasures
Risk is the possibility that some incident or attack will cause damage to an organization’s network.
Risk analysis: the process of identifying a risk and assessing its likelihood and impact. Within IT security, risk analysis is applied:
– Comprehensively for all information assets of an enterprise.
– Specifically for the IT infrastructure of an enterprise.
– During the development of new products or systems.

Assessing Assets, Vulnerabilities, and Threats to Calculate Risk
Assets have to be identified and valued:
– Hardware: laptops, desktops, servers, routers, PDAs, mobile phones, smart cards, and so on.
– Software: applications, operating systems, database management systems, source code, object code, and so on.
– Data and information: essential data for running and planning your business, design documents, digital content, data about your customers, data belonging to your customers (like credit card numbers), and so forth.
– Reputation: the opinion held by your customers and the general public about your organization. Reputation can affect how likely a person is to place an order with you or provide you with information.

Assessing Assets, Vulnerabilities, and Threats to Calculate Risk
Vulnerabilities: weaknesses of a system that could be accidentally or intentionally exploited to damage assets. In an IT system, the following are typical vulnerabilities:
– Accounts with system privileges where the default password, such as ‘MANAGER’, has not been changed.
– Programs with unnecessary privileges.
– Programs with known flaws.
– Weak access control settings on resources, for example, granting everyone full control to a shared folder.
– Weak firewall configurations that allow access to vulnerable services.
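The five vulnerability types on this slide are all things an administrator can check for mechanically. The added example below (not part of the original slides) runs those checks over a small constructed host inventory; the record layout, the default-password list, the "vulnerable services" list and the wording of the findings are assumptions made for the example.

```python
"""Added example: auditing a constructed inventory for the slide's typical vulnerabilities.

Not part of the original slides. Every record below is constructed sample
data; FLAW-PLACEHOLDER-1 stands in for a real vulnerability identifier.
"""

# Constructed list of vendor default passwords (the slide's 'MANAGER' plus placeholders).
DEFAULT_PASSWORDS = {"manager", "admin", "password", "changeme"}

# Constructed: services that should not be reachable from arbitrary sources.
VULNERABLE_SERVICES = {"telnet", "smbv1", "rpc"}

INVENTORY = {
    "accounts": [
        {"name": "system", "privileged": True, "password": "MANAGER"},
        {"name": "backup", "privileged": True, "password": "Xq7!pL2#vR9z"},
        {"name": "guest", "privileged": False, "password": "password"},
    ],
    "programs": [
        {"name": "report-viewer", "runs_as": "root", "needs_privileges": False, "known_flaws": []},
        {"name": "ftpd", "runs_as": "ftp", "needs_privileges": False, "known_flaws": ["FLAW-PLACEHOLDER-1"]},
    ],
    "shares": [
        {"path": r"\\fileserver\finance", "acl": {"Everyone": "FullControl"}},
        {"path": r"\\fileserver\public", "acl": {"Everyone": "Read", "Staff": "Modify"}},
    ],
    "firewall": [
        {"service": "telnet", "port": 23, "source": "any", "action": "allow"},
        {"service": "https", "port": 443, "source": "any", "action": "allow"},
        {"service": "smbv1", "port": 445, "source": "10.0.0.0/8", "action": "allow"},
    ],
}


def audit(inventory: dict) -> list[str]:
    """Return one finding per vulnerability found, in the slide's order of categories."""
    findings = []
    # 1. Accounts still using a default password (privileged ones are the worst case).
    for acct in inventory["accounts"]:
        if acct["password"].lower() in DEFAULT_PASSWORDS:
            kind = "privileged" if acct["privileged"] else "unprivileged"
            findings.append(f"{kind} account '{acct['name']}' still uses a default password")
    for prog in inventory["programs"]:
        # 2. Programs with unnecessary privileges.
        if prog["runs_as"] == "root" and not prog["needs_privileges"]:
            findings.append(f"program '{prog['name']}' runs as root without needing to")
        # 3. Programs with known flaws.
        if prog["known_flaws"]:
            findings.append(f"program '{prog['name']}' has known flaws: {', '.join(prog['known_flaws'])}")
    # 4. Weak access control: Everyone granted full control on a share.
    for share in inventory["shares"]:
        if share["acl"].get("Everyone") == "FullControl":
            findings.append(f"share {share['path']} grants Everyone full control")
    # 5. Weak firewall configuration: a vulnerable service is allowed through.
    for rule in inventory["firewall"]:
        if rule["action"] == "allow" and rule["service"] in VULNERABLE_SERVICES:
            findings.append(f"firewall allows {rule['service']}/{rule['port']} from {rule['source']}")
    return findings


if __name__ == "__main__":
    for line in audit(INVENTORY):
        print("-", line)
```

In a real environment the inventory would come from the directory service, package manager, share ACLs and firewall export rather than a literal, but the checks stay the same; the point is that each bullet on the slide corresponds to a concrete, repeatable test.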

Assessing Assets, Vulnerabilities, and Threats to Calculate Risk
Threats: actions by adversaries who try to exploit vulnerabilities in order to damage assets. Microsoft’s STRIDE threat model for software security lists the following categories:
– Spoofing identities: the attacker pretends to be somebody else.
– Tampering with data: security settings are changed to give the attacker more privileges.
– Repudiation: a user denies having performed an action like mounting an attack or making a purchase.
– Information disclosure: information might lose its value if it is disclosed to the wrong parties (e.g., trade secrets); your organization might face penalties if it does not properly protect information (e.g., personal information about individuals).
– Denial of service (DoS): DoS attacks can make websites temporarily unavailable; there have been stories in the press that businesses use such attacks to harm competitors.
– Elevation of privilege: the term elevation of privilege refers to a user who gains more privileges on a computer system than he or she is entitled to.

Attack tree for obtaining another user’s password

Calculating Risk
In quantitative risk analysis, expected losses are computed from monetary values for the assets and probabilities for the likelihood of threats.
In qualitative risk analysis, the following principles are used:
– Assets can be rated on a scale of critical – very important – important – not important.
– Criticality of vulnerabilities can be rated on a scale of has to be fixed immediately – has to be fixed soon – should be fixed – fix if convenient.
– Threats can be rated on a scale of very likely – likely – unlikely – very unlikely.
– A finer scale could be provided for each variable, that is, numerical values from 1 to 10.
Risk = Assets × Vulnerabilities × Threats
Guidance has to be given on how to assign ratings:
– Damage potential: relates to the values of the assets being affected.
– Reproducibility: one aspect of how difficult it is to launch an attack; attacks that are easy to reproduce are a greater risk than attacks that only work in specific circumstances.
– Exploitability: relates to the effort, expertise, and resources required to launch an attack.
– Affected users: for software vendors, another important contributing factor to damage potential.
– Discoverability: when will the attack be detected? In the most damaging case, you will never know that your system has been compromised. If you don’t know you’ve been attacked, then you don’t know to take steps to recover.

Example: “InventoryAndOrders”
– Unpatched software (vulnerability) is Medium = 5
– Denial-of-service attack (threat) is Medium = 5
– Database (asset) is Medium = 5
Risk = 5 × 5 × 5 = 125
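The two slides above describe the qualitative method and work one instance of it. The added example below (not part of the original slides) implements the general Risk = Assets × Vulnerabilities × Threats scoring on the 1–10 scale, reproduces the InventoryAndOrders figure of 125, and ranks a small constructed risk register. The numeric values assigned to the word scales (critical = 10, and so on) and the Low/Medium/High coarse scale are assumptions made here; an organization would choose its own.

```python
"""Added example: qualitative risk scoring as Risk = Assets x Vulnerabilities x Threats.

Not part of the original slides. The mapping from the slide's word scales
to numbers on the 1-10 scale is an assumption; the register is constructed.
"""

# Assumed numeric values for the slide's word scales (1-10 scale).
ASSET_SCALE = {"critical": 10, "very important": 7, "important": 4, "not important": 1}
VULN_SCALE = {"fix immediately": 10, "fix soon": 7, "should be fixed": 4, "fix if convenient": 1}
THREAT_SCALE = {"very likely": 10, "likely": 7, "unlikely": 4, "very unlikely": 1}
# Coarse labelling as used in the slide's example, where Medium = 5 (Low/High assumed).
COARSE_SCALE = {"low": 2, "medium": 5, "high": 8}


def rating(value, scale: dict) -> int:
    """Accept a number in 1..10 directly, or a label from the given scale or the coarse scale."""
    if isinstance(value, (int, float)) and not isinstance(value, bool):
        if not 1 <= value <= 10:
            raise ValueError(f"rating {value} outside 1..10")
        return int(value)
    key = str(value).strip().lower()
    if key in scale:
        return scale[key]
    if key in COARSE_SCALE:
        return COARSE_SCALE[key]
    raise ValueError(f"unknown rating label: {value!r}")


def risk(asset, vulnerability, threat) -> int:
    """Risk = Assets x Vulnerabilities x Threats, each factor rated on 1..10."""
    return (rating(asset, ASSET_SCALE)
            * rating(vulnerability, VULN_SCALE)
            * rating(threat, THREAT_SCALE))


def rank(register: list) -> list:
    """Score every register entry and return (name, risk) pairs, highest risk first."""
    scored = [(e["name"], risk(e["asset"], e["vulnerability"], e["threat"])) for e in register]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# Constructed risk register; the first entry is the slide's own example.
REGISTER = [
    {"name": "InventoryAndOrders: unpatched software / DoS / database",
     "asset": "medium", "vulnerability": "medium", "threat": "medium"},
    {"name": "Customer card data: default admin password / account takeover",
     "asset": "critical", "vulnerability": "fix immediately", "threat": "likely"},
    {"name": "Public brochure site: outdated CMS plugin / defacement",
     "asset": "important", "vulnerability": "should be fixed", "threat": "very likely"},
    {"name": "Test lab PDA: unlocked screen / theft",
     "asset": 1, "vulnerability": 4, "threat": 2},
]

if __name__ == "__main__":
    for name, score in rank(REGISTER):
        print(f"{score:5d}  {name}")
```

The product of three ordinal ratings is a ranking device, not a quantity: a score of 700 is not "5.6 times worse" than 125, and any factor rated 1 collapses the whole score, so a register sorted this way should still be reviewed by hand before it drives spending decisions.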

Policies and Standards
A security policy is a document that defines the security goals of the business. Security management standards that specify certain security measures required to be taken by an organization exist for a number of different types of industries.
ISO standard:
– Establishment of organizational security policy: an enterprise must provide management direction and support on security matters.
– Organizational security infrastructure: responsibilities for security within an enterprise have to be properly organized.
– Asset classification and control: to know what is worth protecting, and how much to spend on protection, an enterprise has to have a clear picture of its assets and of their value.
– Physical and environmental security: physical security measures (fences, locked doors, etc.) protect access to business premises or to sensitive areas (rooms) within a building.
– Personnel security: an organization’s employees can be a source of insecurity.
– Communications and operations management: the day-to-day management of IT systems and of business processes has to ensure that security is maintained.
– Access control: access control can apply to data, services, and computers.
– Systems development and maintenance: security issues should be considered when an IT system is being developed.
– Business continuity planning: an organization must put measures in place so that it can cope with major failures or disasters.
– Compliance: organizations have to comply with legal, regulatory, and contractual obligations, as well as with standards and their own organizational security policy.