Presentation is loading. Please wait.

Presentation is loading. Please wait.

Author: Andy Reedftp://topsurf.co.uk/reed FdSc IT/Computer Networking & IT(e-commerce) Communications Network Management An Introduction to Security.

Published byAshley Thomas Modified over 9 years ago

Similar presentations

Presentation on theme: "Author: Andy Reedftp://topsurf.co.uk/reed FdSc IT/Computer Networking & IT(e-commerce) Communications Network Management An Introduction to Security."— Presentation transcript:

1 Author: Andy Reedftp://topsurf.co.uk/reed FdSc IT/Computer Networking & IT(e-commerce) Communications Network Management An Introduction to Security

2 Author: Andy Reedftp://topsurf.co.uk/reed Data Security Computer security is the protection of a company’s assets by ensuring the safe, uninterrupted operation of the system and the safeguarding of its computer, programs and data files. Pro. H J Highland. State University of New York

3 Author: Andy Reedftp://topsurf.co.uk/reed Areas for Discussion (Term 1) System Security Network Security Data Security Authentication Malware Security Controls Implementation levels Legal Issues

4 Author: Andy Reedftp://topsurf.co.uk/reed Is there a real need for security? The Internet and the networked system has become the focal point for a variety of criminal and/or malicious activity, such as: Malware i.e. Viruses, Worms, Trojan Horses Fraud, Theft, Malicious Damage Masquerading, Spoofing Espionage, Terrorism Obscenities, Profanities

5 Author: Andy Reedftp://topsurf.co.uk/reed Corporate security: what is needed? For many organisations there will be a number of security concerns, each of these with there own specific security requirements: Schools, Colleges and Universities Financial establishments Government offices Hospitals E-commerce Military installations

6 Author: Andy Reedftp://topsurf.co.uk/reed Common Threats Students records (Add, delete or improve exam grades) Confidential or personal information Payroll, accounts department Accidental damage of data Fire Flood Theft

7 Author: Andy Reedftp://topsurf.co.uk/reed Common Threats Medical records Historical records Sensitive military information Payment transactions Banking account information Physical assets Personnel

8 Author: Andy Reedftp://topsurf.co.uk/reed Data Security Security concerns and requirements can be measured in a number of different ways. Data Availability Personal accountability Data integrity Data or personal confidentiality

9 Author: Andy Reedftp://topsurf.co.uk/reed Confidentiality Prevention of unauthorised information disclosure. Data access must be restricted to only authorised Personnel who hold a valid ‘Need to know’. The seriousness of the disclosure is often dictated by whether it occurs to an unauthorised member of the same organisation or a total outsider.

10 Author: Andy Reedftp://topsurf.co.uk/reed Integrity This could refer to either the organisation, the system, the data or all. The user must have confidence that: The same information can be retrieved as was originally entered. Internal processes work as expected or claimed. May be compromised as a result of accidental error or malicious activity.

11 Author: Andy Reedftp://topsurf.co.uk/reed Availability Systems or data should be accessible and fit for purpose on demand by an authorised entity. Availability encompasses: The prevention of unauthorised withholding of information or resources. Safeguards against system failure. The seriousness of denial of service generally increases proportionally to the period of unavailability

12 Author: Andy Reedftp://topsurf.co.uk/reed Accountability The property that ensures that the actions of an entity may be traced uniquely to that entity. This may be encompassed by monitoring: System behaviour Staff activity What connotations can employee monitoring schemes have?

13 Author: Andy Reedftp://topsurf.co.uk/reed Terminology Asset Threat Vulnerability Physical Procedural or personnel policy. Logical / system / technical

14 Author: Andy Reedftp://topsurf.co.uk/reed Terminology (cont) Risk Countermeasure Impact Baseline security

15 Author: Andy Reedftp://topsurf.co.uk/reed Asset An asset is generally considered as an entity of value, such as: Data Financial: Stocks, shares or bonds Physical Personnel

16 Author: Andy Reedftp://topsurf.co.uk/reed Threat A threat is an unwanted deliberate, malicious or accidental act that may result in damage, depletion or harm to an asset: virus Flood Theft Fire

17 Author: Andy Reedftp://topsurf.co.uk/reed Vulnerability A flaw or weakness in a system's design, implementation, or operation and management that could be exploited to violate the system's security. Weak password authentication Out of data antivirus External penetration Un-secure channels

18 Author: Andy Reedftp://topsurf.co.uk/reed Physical Security The risk to or risk from a physical entity. This could be to either data, hardware/software or personnel. measures that must be taken to prevent theft, vandalism, and other types of harm to the technology equipment Personal safety Lock, doors and secure rooms ID tags Infrared tag

19 Author: Andy Reedftp://topsurf.co.uk/reed Procedural Policy Procedural measures taken to prevent a disaster, such as safety inspections, fire drills, security awareness programs, timing of planned security actions. Enforce user policies (no post-its) Plan for disaster recovery Maintenance schemes for hardware and software

20 Author: Andy Reedftp://topsurf.co.uk/reed Risk The probability that a particular threat will accidentally trigger or intentionally exploit a particular information system vulnerability and the resulting impact if this should occur. Probability: P = probability A = event P(A) = The Number Of Ways Event A Can Occur The Total Number Of Possible Outcomes

21 Author: Andy Reedftp://topsurf.co.uk/reed Risk Assessment Cycle www.microsoft.conwww.microsoft.con Security Risk Management

22 Author: Andy Reedftp://topsurf.co.uk/reed Risk Assessment Risk assessment is an ongoing event throughout the organisations lifetime. Some steps in the risk assessment cycle are: Identify potential risks that could harm or hinder operational procedure, data or personnel Estimate the probability of such events occurring

23 Author: Andy Reedftp://topsurf.co.uk/reed Risk Assessment Estimating the most critical and sensitive assets and the potential financial loss, including recovery costs. Identify the most cost affective approach to implementing security procedures Develop an action plan for security proposals

24 Author: Andy Reedftp://topsurf.co.uk/reed Risk Assessment Implement security procedures Monitor the programme for effectiveness Identify potential risks that could harm or hinder operational procedure, data or personnel Continue the cycle

25 Author: Andy Reedftp://topsurf.co.uk/reed Countermeasure An action or restraint on the system designed to enhance security by reducing the risk of an attack, by reducing either the threat or the vulnerability. Password time outs Intrusion detection systems Enhancing security requirements to meet the threat P:P:P:P:P:P:P

26 Author: Andy Reedftp://topsurf.co.uk/reed Impact The resultant after effects of a successful security breach via a threat or vulnerability. The impact will almost certainly generate unwanted outcomes or consequences.

27 Author: Andy Reedftp://topsurf.co.uk/reed Consequences Financial Loss Embarrassment Breach of Commercial Confidentiality Breach of Personal Privacy Legal Liability Disruption to Activities Threat to Personal safety

28 Author: Andy Reedftp://topsurf.co.uk/reed Legal Issues It is important to have an understanding of legal issues relating to security. Setting stringent security policies without a basic understanding of the legal implications could prove costly. ICT and the Law covered in later lectures, but for now:

29 Author: Andy Reedftp://topsurf.co.uk/reed Table of UK Statutes Computer Misuse Act 1990 Contracts (Rights of Third Parties) Act 1999 Copyright, Designs and Patents Act 1988 Criminal Justice and Public Order Act 1994 Data protection Act 1998 Defamation Act 1996 Electronics Communications Act 2000 Obscene Publications Act 1964

30 Author: Andy Reedftp://topsurf.co.uk/reed Table of UK Statutes (cont) Protection of Children Act 1978 Sale of Goods Act 1979 Supply of Goods and Services Act 1982 Telecommunications Act 1994 Trade Descriptions Act 1968 Trade Marks Act 1994 Unfair Contract Terms Act 1977

31 Author: Andy Reedftp://topsurf.co.uk/reed Conclusion 100% security is not an achievable objective. Threats are real and present, addresses them. Security costs money, lack of security costs more Understand the legal standing of the organisation. Determine the appropriate level of security for the assets held.

32 Author: Andy Reedftp://topsurf.co.uk/reed Conclusions Risk assessment should be a cyclic progression 99.999% security is said to be considered desirable Organisations have a legal obligation to protect third party assets, data or employee confidentiality. Useful to understand how the Law fits in to the domain of ICT data security

Download ppt "Author: Andy Reedftp://topsurf.co.uk/reed FdSc IT/Computer Networking & IT(e-commerce) Communications Network Management An Introduction to Security."

Similar presentations

Chapter 1 - 1 ADCS CS262/0898/V1 Chapter 1 An Introduction To Computer Security TOPICS Introduction Threats to Computer Systems –Threats, Vulnerabilities.

Chapter ADCS CS262/0898/V1 Chapter 1 An Introduction To Computer Security TOPICS Introduction Threats to Computer Systems –Threats, Vulnerabilities.
Copyright © XiSEC, All rights reserved, 2002 Secure Computing Best Lifetime Achievement Award 2002 Ted Humphreys Information Security Management Goes Global.

Copyright © XiSEC, All rights reserved, 2002 Secure Computing Best Lifetime Achievement Award 2002 Ted Humphreys Information Security Management Goes Global.
Module 1 Evaluation Overview © Crown Copyright (2000)

Module 1 Evaluation Overview © Crown Copyright (2000)
1.8 Malpractice and Crime In this section you must be able to: Explain the consequences of malpractice and crime on information systems. Describe the possible.

1.8 Malpractice and Crime In this section you must be able to: Explain the consequences of malpractice and crime on information systems. Describe the possible.
Information System Audit : © South-Asian Management Technologies Foundation Chapter 4: Information System Audit Requirements.

Information System Audit : © South-Asian Management Technologies Foundation Chapter 4: Information System Audit Requirements.
E-Commerce Security Issues. General E-Business Security Issues Any E-Business needs to be concerned about network security. The Internet is a “ public.

E-Commerce Security Issues. General E-Business Security Issues Any E-Business needs to be concerned about network security. The Internet is a “ public.
Managing Information Systems Information Systems Security and Control Part 1 Dr. Stephania Loizidou Himona ACSC 345.

Managing Information Systems Information Systems Security and Control Part 1 Dr. Stephania Loizidou Himona ACSC 345.
Lecture 1: Overview modified from slides of Lawrie Brown.

Lecture 1: Overview modified from slides of Lawrie Brown.
Security Controls – What Works

Security Controls – What Works
Course ILT Security overview Unit objectives Discuss network security Discuss security threat trends and their ramifications Determine the factors involved.

Course ILT Security overview Unit objectives Discuss network security Discuss security threat trends and their ramifications Determine the factors involved.
Security+ Guide to Network Security Fundamentals

Security+ Guide to Network Security Fundamentals
Security strategy. What is security strategy? How an organisation plans to protect and respond to security attacks on their information technology assets.

Security strategy. What is security strategy? How an organisation plans to protect and respond to security attacks on their information technology assets.
1 An Overview of Computer Security computer security.

1 An Overview of Computer Security computer security.
8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.

8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.
Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Qualitative.

Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Qualitative.
This work is supported by the National Science Foundation under Grant Number DUE-0302909. Any opinions, findings and conclusions or recommendations expressed.

This work is supported by the National Science Foundation under Grant Number DUE Any opinions, findings and conclusions or recommendations expressed.
Factors to be taken into account when designing ICT Security Policies

Factors to be taken into account when designing ICT Security Policies
Security Overview. 2 Objectives Understand network security Understand security threat trends and their ramifications Understand the goals of network.

Security Overview. 2 Objectives Understand network security Understand security threat trends and their ramifications Understand the goals of network.
Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Information.

Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Information.
Session 3 – Information Security Policies

Session 3 – Information Security Policies

Similar presentations

Ads by Google