Presentation is loading. Please wait.

Presentation is loading. Please wait.

95752:1-1 95-752 Introduction to Information Security Management Tim Shimeall, Ph.D. 412-268-7611 Office Hours by Appointment Course website:

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "95752:1-1 95-752 Introduction to Information Security Management Tim Shimeall, Ph.D. 412-268-7611 Office Hours by Appointment Course website:"— Presentation transcript:

1 95752:1-1 95-752 Introduction to Information Security Management Tim Shimeall, Ph.D. tjs@cert.org 412-268-7611 Office Hours by Appointment Course website: http://www.andrew.cmu.edu/course/95-752

2 95752:1-2 Course Covers Introduction/Definitions Physical security Access control Data security Operating system security Application security Network security

3 95752:1-3 Student Expectations Grading: –2 Homeworks –Midterm –Paper/project All submitted work is sole effort of student Students are interested in subject area Students have varied backgrounds

4 95752:1-4 Information Revolution Information Revolution as pervasive at the Industrial Revolution Impact is Political, Economic, and Social as well as Technical Information has an increasing intrinsic value Protection of critical information now a critical concern in Government, Business, Academia

5 95752:1-5 A Different Internet Armies may cease to march Businesses may be bankrupted Individuals may lose their social identity Threats not from novice teenagers, but purposeful military, political, and criminal organizations

6 95752:1-6 Computer Terms (1) Computer – A collection of the following: Central Processing Unit (CPU): Instruction- processing Memory(RAM) : Transient storage for data Disk: More permanent storage for data Monitor: Display device Printer: Hard copy production Network card: communication circuitry

7 95752:1-7 Computer Terms (2) Software: Instructions for a computer Operating System: interaction among components of computer Application software: common tasks (e.g., email, word processing, program construction, etc.) API/Libraries: Support for common tasks

8 95752:1-8 Vulnerability (2001) Out-of-the-box Linux PC hooked to Internet, not announced: [30 seconds] First service probes/scans detected [1 hour] First compromise attempts detected [12 hours] PC fully compromised: – Administrative access obtained – Event logging selectively disabled – System software modified to suit intruder – Attack software installed – PC actively probing for new hosts to intrude Clear the disk and try again!

9 95752:1-9 Why is Security Difficult Managers unaware of value of computing resources Damage to public image Legal definitions often vague or non- existent Legal prosecution is difficult Many subtle technical issues

10 95752:1-10 Objectives of Security Privacy – Information only available to authorized users Integrity – Information retains intended content and semantics Availability – Information retains access and presence Importance of these is shifting, depends on organization

11 95752:1-11 Security Terms Exposure - “actual harm or possible harm” Vulnerability - “weakness that may be exploited” Attack - “human originated perpetration” Threat - “potential for exposure” Control - “preventative measure”

12 95752:1-12 Classes of Threat Interception Modification Masquerade Interruption Most Security Problems Are People Related

13 95752:1-13 Software Security Concerns Theft Modification Deletion Misplacement

14 95752:1-14 Data Security Concerns Vector for attack Modification Disclosure Deletion “If you have a $50 head, buy a $50 helmet”

15 95752:1-15 Network Security Concerns Basis for Attack Publicity Theft of Service Theft of Information Network is only as strong as its weakest link Problems multiply with number of nodes

16 95752:1-16 Motivations to Violate Security Greed Ego Curiosity Revenge Competition Political/Idiological

17 95752:1-17 People and Computer Crime Most damage not due to attacks “Oops!” “What was that?” No clear profile of computer criminal Law and ethics may be unclear “Attempting to apply established law in the fast developing world of the Internet is somewhat like trying to board a moving bus” (Second Circuit, US Court of Appeals, 1997)

18 95752:1-18 Theory of Technology Law Jurisdiction: –subject matter – power to hear a type of case –Personal – power to enforce a judgment on a defendant Between states: Federal subject matter Within state: State/local subject matter Criminal or Civil –Privacy/obscenity covered now –intellectual property covered later

19 95752:1-19 Privacy Law Common law: –Person’s name or likeness –Intrusion –Disclosure –False light State/Local law: Most states have computer crime laws, varying content International law: patchy, varying content

20 95752:1-20 Federal Privacy Statutes ECPA (communication) Privacy Act of 1974 (Federal collection/use) Family Educational Rights & Privacy Act (school records) Fair Credit Reporting Act (credit information) Federal Cable Communications Privacy Act (cable subscriber info) Video Privacy Act (video rental information) HIPAA (health cared information) Sarbanes-Oxley Act (corporate accounting) Patriot Act (counter-terrorism) Plus state law in more the 40 states, and local laws

21 95752:1-21 Federal Obscenity Statues Miller tests (Miller v. California, 1973): –Average person applying contemporary community standards find appeals prurient interest –Sexual content –Lack of literary, artistic, political or scientific value Statues: –Communications Decency Act (struck down) –Child Online Protection Act (struck down) –Child Pornography Protection Act (struck down – virtual child porn; live children still protected)

22 95752:1-22 Indian Trust Funds Large, developing, case: Cobell vs. Norton –http://www.indiantrust.com/ Insecure handling of entrusted funds Legal Internet disruption Criminal contempt proceedings Judicial overstepping

23 95752:1-23 Three Security Disciplines Physical –Most common security discipline –Protect facilities and contents Plants, labs, stores, parking areas, loading areas, warehouses, offices, equipment, machines, tools, vehicles, products, materials Personnel –Protect employees, customers, guests Information –The rest of this course

24 95752:1-24 How Has It Changed? Physical Events Have Cyber Consequences Cyber Events Have Physical Consequences

25 95752:1-25 Why Physical Security? Not all threats are “cyber threats” Information one commodity that can be stolen without being “taken” Physically barring access is first line of defense Forces those concerned to prioritize! Physical Security can be a deterrent Security reviews force insights into value of what is being protected

26 95752:1-26 Layered Security Physical Barriers Fences Alarms Restricted Access Technology Physical Restrictions Air Gapping Removable Media Remote Storage Personnel Security Practices Limited Access Training Consequences/Deterrence

27 95752:1-27 Physical Barriers Hardened Facilities Fences Guards Alarms Locks Restricted Access Technologies –Biometrics –Coded Entry –Badging Signal Blocking (Faraday Cages)

28 95752:1-28 Outer Protective Layers Structure –Fencing, gates, other barriers Environment –Lighting, signs, alarms Purpose –Define property line and discourage trespassing –Provide distance from threats

29 95752:1-29 Middle Protective Layers Structure –Door controls, window controls –Ceiling penetration –Ventilation ducts –Elevator Penthouses Environment –Within defined perimeter, positive controls Purpose –Alert threat, segment protection zones

30 95752:1-30 Inner Protective Layers Several layers Structure –Door controls, biometrics –Signs, alarms, cctv –Safes, vaults Environment –Authorized personnel only Purpose –Establish controlled areas and rooms

31 95752:1-31 Other Barrier Issues Handling of trash or scrap Fire: –Temperature –Smoke Pollution: –CO –Radon Flood Earthquake

32 95752:1-32 Physical Restrictions Air Gapping Data Limits access to various security levels Requires conscious effort to violate Protects against inadvertent transmission Removable Media Removable Hard Drives Floppy Disks/CDs/ZIP Disks Remote Storage of Data Physically separate storage facility Use of Storage Media or Stand Alone computers Updating of Stored Data and regular inventory

33 95752:1-33 Personnel Security Practices Insider Threat the most serious Disgruntled employee Former employee Agent for hire Personnel Training Critical Element Most often overlooked Background checks Critical when access to information required Must be updated CIA/FBI embarrassed

34 95752:1-34 Activities or Events Publications, public releases, etc. Seminars, conventions or trade shows Survey or questionnaire Plant tours, “open house”, family visits Governmental actions: certification, investigation Construction and Repair

35 95752:1-35 NISPOM National Industrial Security Program Operating Manual Prescribes requirements, restrictions and other safeguards for information Protections for special classes of information: National Security Council provides overall policy direction Governs oversight and compliance for 20 government agencies

36 95752:1-36 Methods of Defense Overlapping controls –Authentication –Encryption –Integrity control –Firewalls –Network configuration –Application configuration –Policy

Download ppt "95752:1-1 95-752 Introduction to Information Security Management Tim Shimeall, Ph.D. 412-268-7611 Office Hours by Appointment Course website:"

Similar presentations

Chapter 1 - 1 ADCS CS262/0898/V1 Chapter 1 An Introduction To Computer Security TOPICS Introduction Threats to Computer Systems –Threats, Vulnerabilities.

Chapter ADCS CS262/0898/V1 Chapter 1 An Introduction To Computer Security TOPICS Introduction Threats to Computer Systems –Threats, Vulnerabilities.
1 COMPUTER GENERATED & STORED RECORDS CONTROLS Presented by COSCAP-SA.

1 COMPUTER GENERATED & STORED RECORDS CONTROLS Presented by COSCAP-SA.
GCSE ICT Networks & Security..

GCSE ICT Networks & Security..
© 2006 Carnegie Mellon University95752-2:1 Physical Security.

© 2006 Carnegie Mellon University :1 Physical Security.
David Assee BBA, MCSE Florida International University

David Assee BBA, MCSE Florida International University
Ethics Ethics are the rules of personal behavior and conduct established by a social group for those existing within the established framework of the social.

Ethics Ethics are the rules of personal behavior and conduct established by a social group for those existing within the established framework of the social.
1 Chapter 8 Fundamentals of System Security. 2 Objectives In this chapter, you will: Understand the trade-offs among security, performance, and ease of.

1 Chapter 8 Fundamentals of System Security. 2 Objectives In this chapter, you will: Understand the trade-offs among security, performance, and ease of.
Is There a Security Problem in Computing? Network Security / G. Steffen1.

Is There a Security Problem in Computing? Network Security / G. Steffen1.
Mr C Johnston ICT Teacher

Mr C Johnston ICT Teacher
E-Commerce Security Issues. General E-Business Security Issues Any E-Business needs to be concerned about network security. The Internet is a “ public.

E-Commerce Security Issues. General E-Business Security Issues Any E-Business needs to be concerned about network security. The Internet is a “ public.
Forensic and Investigative Accounting Chapter 15 Cybercrime Management: Legal Issues © 2007 CCH. All Rights Reserved. 4025 W. Peterson Ave. Chicago, IL.

Forensic and Investigative Accounting Chapter 15 Cybercrime Management: Legal Issues © 2007 CCH. All Rights Reserved W. Peterson Ave. Chicago, IL.
PHYSICAL SECURITY Attacker. Physical Security Not all attacks on your organization's data come across the network. Many companies focus on an “iron-clad”

PHYSICAL SECURITY Attacker. Physical Security Not all attacks on your organization's data come across the network. Many companies focus on an “iron-clad”
Physical and Environmental Security Chapter 5 Part 1 Pages 427 to 456.

Physical and Environmental Security Chapter 5 Part 1 Pages 427 to 456.
EXAMINING CYBER/COMPUTER LAW BUSINESS LAW. EXPLAIN CYBER LAW AND THE VARIOUS TYPES OF CYBER CRIMES.

EXAMINING CYBER/COMPUTER LAW BUSINESS LAW. EXPLAIN CYBER LAW AND THE VARIOUS TYPES OF CYBER CRIMES.
Dr. Bhavani Thuraisingham The University of Texas at Dallas (UTD) June 2011 Physical (Environmental) Security.

Dr. Bhavani Thuraisingham The University of Texas at Dallas (UTD) June 2011 Physical (Environmental) Security.
Information Security Policies and Standards

Information Security Policies and Standards
1 An Overview of Computer Security computer security.

1 An Overview of Computer Security computer security.
(c) 2006 Carnegie Mellon University95752:1-1 95-752 Introduction to Information Security Management Tim Shimeall, Ph.D. 412-268-7611 Office.

(c) 2006 Carnegie Mellon University95752: Introduction to Information Security Management Tim Shimeall, Ph.D Office.
Chapter 1 Introduction to Security

Chapter 1 Introduction to Security
Lecture 11 Reliability and Security in IT infrastructure.

Lecture 11 Reliability and Security in IT infrastructure.

Similar presentations

Ads by Google