Workshop 2 Tutor: William Yeoh School of Computer and Information Science Secure and High Integrity System (INFT 3002)

Slides:

Advertisements

Similar presentations

This course is designed for system managers/administrators to better understand the SAAZ Desktop and Server Management components Students will learn.

Advertisements

Overview of local security issues in Campus Grid environments Bruce Beckles University of Cambridge Computing Service.

Computer Security set of slides 10 Dr Alexei Vernitski.

TCSEC: The Orange Book. TCSEC Trusted Computer System Evaluation Criteria.

7 Effective Habits when using the Internet Philip O’Kane 1.

E-Commerce Security Issues. General E-Business Security Issues Any E-Business needs to be concerned about network security. The Internet is a “ public.

Some general principles in computer security Tomasz Bilski Chair of Control, Robotics and Computer Science Poznań University.

Web Defacement Anh Nguyen May 6 th, Organization Introduction How Hackers Deface Web Pages Solutions to Web Defacement Conclusions 2.

Information Security Policies and Standards

System and Network Security Practices COEN 351 E-Commerce Security.

ITS Offsite Workshop 2002 PolyU IT Security Policy PolyU IT/Computer Systems Security Policy (SSP) By Ken Chung Senior Computing Officer Information Technology.

Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.

Stephen S. Yau CSE , Fall Security Strategies.

Installing and Configuring a Secure Web Server COEN 351 David Papay.

CYBER CRIME AND SECURITY TRENDS

Network security policy: best practices

Intrusion Prevention, Detection & Response. IDS vs IPS IDS = Intrusion detection system IPS = intrusion prevention system.

Security Guidelines and Management

Presented by Manager, MIS.  GRIDCo’s intentions for publishing an Acceptable Use Policy are not to impose restrictions that are contrary to GRIDCo’s.

Cloud Computing How secure is it? Author: Marziyeh Arabnejad Revised/Edited: James Childress April 2014 Tandy School of Computer Science.

Security. Introduction to Security Why do we need security? What happens if data is lost? –Wrong business decisions through lack of information –Long-term.

Lesson 8-Information Security Process. Overview Introducing information security process. Conducting an assessment. Developing a policy. Implementing.

GCSE ICT Viruses, Security & Hacking. Introduction to Viruses – what is a virus? Computer virus definition - Malicious code of computer programming How.

COEN 252 Computer Forensics

Information Systems Security Computer System Life Cycle Security.

©Kwan Sai Kit, All Rights Reserved Windows Small Business Server 2003 Features.

Workshop 1 Tutor: William Yeoh School of Computer and Information Science Secure and High Integrity System (INFT 3002)

Workshop 3 Tutor: William Yeoh

Chapter 5 – Designing Trusted Operating Systems  What makes an operating system “secure”? Or “trustworthy?  How are trusted systems designed, and which.

Environment for Information Security n Distributed computing n Decentralization of IS function n Outsourcing.

Module 14: Configuring Server Security Compliance

Chapter 13 Understanding E-Security. 2 OBJECTIVES What are security concerns (examples)? What are two types of threats (client/server) Virus – Computer.

Network problems Last week, we talked about 3 disadvantages of networks. What are they?

Unit 6b System Security Procedures and Standards Component 8 Installation and Maintenance of Health IT Systems This material was developed by Duke University,

G061 - Network Security. Learning Objective: explain methods for combating ICT crime and protecting ICT systems.

Lesson 9-Information Security Best Practices. Overview Understanding administrative security. Security project plans. Understanding technical security.

How can IT help you today?. Agenda Why Do You Care? What Are The Risks? What Can You Do? Questions? How can IT help you today? 2.

Chapter 2 Securing Network Server and User Workstations.

EECS 4482 Fall 2014 Session 8 Slides. IT Security Standards and Procedures An information security policy is at a corporate, high level and generally.

Module 11: Designing Security for Network Perimeters.

IT Security. What is Information Security? Information security describes efforts to protect computer and non computer equipment, facilities, data, and.

Security fundamentals Topic 2 Establishing and maintaining baseline security.

Security and Assurance in IT organization Name: Mai Hoang Nguyen Class: INFO 609 Professor: T. Rohm.

Database Security Cmpe 226 Fall 2015 By Akanksha Jain Jerry Mengyuan Zheng.

Workshop 4 Tutor: William Yeoh School of Computer and Information Science Secure and High Integrity System (INFT 3002)

LESSON 5-2 Protecting Your Computer Lesson Contents Protecting Your Computer Best Practices for Securing Online and Network Transactions Measures for Securing.

Information Security Measures Confidentiality IntegrityAccessibility Information cannot be available or disclosed to unauthorized persons, entities or.

Objectives  Legislation:  Understand that implementation of legislation will impact on procedures within an organisation.  Describe.

“Lines of Defense” against Malware.. Prevention: Keep Malware off your computer. Limit Damage: Stop Malware that gets onto your computer from doing any.

Policies and Security for Internet Access

LINUX Presented By Parvathy Subramanian. April 23, 2008LINUX, By Parvathy Subramanian2 Agenda ► Introduction ► Standard design for security systems ►

Security-Enhanced Linux Stephanie Stelling Center for Information Security Department of Computer Science University of Tulsa, Tulsa, OK

Information Systems CS-507 Lecture 32. Physical Intrusion The intruder could physically enter an organization to steal information system assets or carry.

Computer Security Sample security policy Dr Alexei Vernitski.

Chap5: Designing Trusted Operating Systems.  What makes an operating system “secure”? Or “trustworthy”?  How are trusted systems designed, and which.

By: Matt Winkeler.  PCI – Payment Card Industry  DSS – Data Security Standard  PAN – Primary Account Number.

Unit 2 Personal Cyber Security and Social Engineering Part 2.

By the end of this lesson you will be able to: 1. Determine the preventive support measures that are in place at your school.

SemiCorp Inc. Presented by Danu Hunskunatai GGU ID #

Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 17 – IT Security.

Lecture 19 Page 1 CS 236 Online 6. Application Software Security Why it’s important: –Security flaws in applications are increasingly the attacker’s entry.

Backdoor Attacks.

Secure Software Confidentiality Integrity Data Security Authentication

Security in Networking

Done BY: Zainab Sulaiman AL-Mandhari Under Supervisor: Dr.Tarek

Unfortunately, any small business could face the risk of a data breach or cyber attack. Regardless of how big or small your business is, if your data,

Unit 27: Network Operating Systems

PLANNING A SECURE BASELINE INSTALLATION

G061 - Network Security.

6. Application Software Security

Presentation transcript:

Workshop 2 Tutor: William Yeoh School of Computer and Information Science Secure and High Integrity System (INFT 3002)

Group project details Form a group of 3 by Wednesday (18 Sept) Report due on 7 November, 5pm (Friday) You must pass this assessment to pass the course words You may decide the company’s name, location (not necessary Australia), etc.

Task: Your group is a small newly formed IT Security Consultancy and recently have been employed on your first case Abraham is a health administrator (MD) but he has no modern technical understanding of IT security issues. Abraham has had no problems with IT Security until very recently when the Hospital’s network was subject to a series of attacks. In the period of 3 days, the Hospital’s website was defaced, a serious virus infected the Hospital’s and large quantities of data were corrupted Abraham wonders why this is happening and he questions whether there is a link to his company’s partnership with a large Health Insurance Company. He is also concerned to find out who might be attacking his network and why. He is very anxious to grow his business and knows that he needs quickly to implement some security measures so as to pass an external audit (he has had nothing more than some proprietary and outdated anti-virus software until now).

Organisation Structure

The issues Abraham is asking for advice on are: 3. Does he need to implement some cryptographic protection of data? How? 1. What risks do you think he is facing as he gears up his business and how can he manage these risks? 2. How can he develop a suitable security policy (given the company structure above)? Supply a security policy as Appendix 1 (you may use all the resources in the Resources for Module 2 and adapt these as necessary) 4. What is a “trusted” system, why might he need one anyway, and can he implement this within her Windows NT network?

The issues Abraham is asking for advice on are: 5. How can he protect his network? Currently it is a simple LAN, some databases, a mail server and a web server but he wants to add some E-Commerce functionality very soon. What will happen when his staff use wireless enabled PDA’s for the collection of patient data? 6. Why might hackers be attacking his network; why would they be interested in his company? 7. Is there any legislation to help him if his network is hacked into again? 8. What kind of legal or ethical issues will he herself face if the data in his databases or files is lost or damaged?

Today’s task 3. Does he need to implement some cryptographic protection of data? How? 4. What is a “trusted” system, why might he need one anyway, and can he implement this within his Windows NT network?

Hints for: 3. Does he need to implement some cryptographic protection of data? How? This section evaluates the need of implementing data cryptography Considers what cryptography technology to be adopted How to implement them in this situation

Hints for: 3. Does he need to implement some cryptographic protection of data? How? Does he need to implement some cryptographic protection of data? The hospital stores sensitive information eg. Patient’s medical record, financial situation, personal details, payment history, credit card info, password, etc. By consolidating the business status with the current trends of attacks, what is the risk evaluation? ‘Is the risk of occurrence higher than the cost of implementing cryptographic protection?’

Hints for: 3. Does he need to implement some cryptographic protection of data? How? Some rationale to implement: Storing large amount of sensitive info of different nature in the IT system Current security level of network design & data management, security policy, staff awareness, etc Storage of backup media does not guarantee high security level to avoid data leakage

Hints for: 3. Does he need to implement some cryptographic protection of data? How? Connection to Internet using Dialup modem is insecure enough The rapid introduction of virus, trojan & malicious code produce high risk The website was defaced recently – shows security problem

Considers what cryptography technology to be adopted

How to implement them in this situation? Suggest a commercial product (eg. DES, Blowfish, RSA, Hybrid cryptosystem, etc) Internal or outsourcing Staff perspective Customers perspective Steps, etc

Hints: 4. What is a “trusted” system, why might he need one anyway, and can he implement this within her Windows NT network? What is a “trusted” system Why might he need one anyway Can he implement this within her Windows NT network?

Why might he need one anyway? User identification and authentication- to control the access rights. Mandatory & discretionary access control- to control the usage of objects Object reuse protection – to avoid malicious user claim a large amount of disk space & scavenge for sensitive data Complete mediation – checking all access including memory, outside ports & network

What is a “trusted” system? Trusted OS provides the basic security mechanism that allow a system to protect, distinguish & separate data. It began to receive NSA evaluation in 1984 Lower the security risk of implementing a system that processes classified data It implements security policies & accountability mechanism in an OS package

Why might he need one anyway? Audit –maintain a log of security-relevant events Audit log reduction- Allow logging of info in a reduced data size for consultation Trusted path – facilitate unmistakable communication in critical operations Intrusion detection- Intrusion of the system are detected

Can he implement this within his Windows NT network? Windows NT network acquires trusted OS features as: User identification and authentication can be set for all users & administrators Mandatory & discretionary access control are configurable for objects eg. Files & folders Object reuse protection as usable volume of disk for all users can be strictly controlled by Windows NT.

Complete mediation, Windows NT can check system resources including memory, port status & network connections Audit log is maintained by Windows NT Server. Log details can be checked by administrator easily Intrusion detection, Windows NT has no intrusion detection system, however this feature can be tackled by commercial firewall products. Windows NT network acquires trusted OS features as:

Configuring Windows NT network to implement Trusted OS: Updating Windows NT servers by patches and use latest NT version Enforces Windows NT Server password policy and establish consistent audit Limits usable server volume for users to enhance object reuse protection Avoids granting unnecessary privileges to users

Avoids running unnecessary services in servers Maintain audit trial records & perform checks on these records Install IDS in the network Configuring Windows NT network to implement Trusted OS:

Q &A Group Discussions