Published by Griselda Montgomery. Modified over 9 years ago.
Copyright, 2013-15 1

Networked Information Systems
This Series of Six Lectures
1. Application Architectures
   .1 Master-Slave Architecture
   .2 Client-Server Architecture, Cloud Computing
   .3 Peer-to-Peer (P2P) Architecture
2. Categories of Networked Application
   .1 Mobile Computing
   .2 Web 2.0 and Social Media
3. Networked Info Systems Security
   .1 Security of Info and I.T.
   .2 Malware and Other Attacks
   .3 Mobile Security

COMP 2410 – Networked Information Systems
SC1 – Security of Information and I.T.
Roger Clarke
Xamax Consultancy, Canberra
Visiting Professor, A.N.U. and U.N.S.W.
http://www.rogerclarke.com/II/NIS2410.html#L4
http://www.rogerclarke.com/II/NIS2410-4 {.ppt,.pdf}
ANU RSCS, 1 April 2015

The Notion of Security
- A condition in which harm does not arise despite the occurrence of threatening events
- A set of safeguards whose purpose is to achieve that condition

Information Security ('The CIA Model')
- Data Secrecy (Confidentiality): Prevent access by those who should not see it
- Data Quality / Data Integrity (Integrity): Prevent inappropriate change and deletion
- Data Accessibility (Availability): Enable access by those who should have it

IT Security
- Security of Service: Fit, Reliability, Availability, Accessibility, Robustness, Resilience, Recoverability, Integrity, Maintainability
- Security of Investment: Assets, The Business
http://www.rogerclarke.com/II/CCSA.html#RA

2. The Conventional Security Model
- Threats act on Vulnerabilities and result in Harm
- Each Threatening Event is a Security Incident
- Safeguards are deployed to provide protection
- Countermeasures are used against Safeguards

The Key Concepts
- A Threat is a circumstance that could result in Harm
- A Threatening Event is an instance of a generic Threat
- A Threat may be natural, accidental or intentional
- An intentional Threatening Event is an Attack
- A party that creates an Intentional Threat is an Attacker
- A Vulnerability is a susceptibility to a Threat
- Harm is any kind of deleterious consequence to an Asset
- A Safeguard is a measure to counter a Threat
- A Countermeasure is an action to circumvent a Safeguard

Conventional IT Security Model
http://www.rogerclarke.com/EC/PBAR.html#App1

Categories of Threat
- Environmental Events (Acts of God or Nature)
- Accidents, caused by:
  - Humans who are directly involved
  - Other Humans
  - Artefacts and their Designers
- Attacks, by:
  - Humans who are directly involved
  - Other Humans
  - The Designers of Artefacts

Situations in Which Threats Arise
- Computing and Comms Facilities, incl. Data Storage, Software, Data Transmission, of: The Organisation, Service Providers, Users, Others
- Physical Premises housing relevant facilities
- Supporting Infrastructure, incl. data cabling, telecomms infrastructure, electrical supplies, air-conditioning, fire protection systems
- Manual Processes, Content and Data Storage

Intentional Threats / Attacks
- Physical Intrusion
- Social Engineering: Confidence Tricks, Phishing
- Masquerade
- Abuse of Privilege: Hardware, Software, Data
- Electronic Intrusion: Interception, Cracking / ‘Hacking’, Bugs, Trojans, Backdoors, Masquerade
- Distributed Denial of Service (DDOS)
- Infiltration by Software with a Payload
By Outsiders & Insiders – Host/Server-side, User/Client-side

Categories of Harm
- Data Loss, Alteration, Access or Replication
- Reputation or Confidence Loss
- Asset Value Loss
- Financial Loss
- Opportunity Cost
- Property Damage
- Personal Injury

IT and Data Security Safeguards
- The Physical Site: Physical Access Control (locks, guards, ...); Smoke Detectors, UPS, ...
- Hardware: Parity-checking, read-after-write; Backup and Recovery
- Network: Channel encryption; Firewalls; Intrusion Detection
- Software: Authentication of data, of value, of (id)entity, and/or of attributes; Access Control, Authorisations
- Liveware: Human Procedures; Control Totals, Reconciliations
- Organisation: Respy/Authy, Separation of duties
- Legal Measures: Duty Statements, Terms of Use, Contractual Commitments

Summary of Key Terms
- Threat: A circumstance that could result in Harm
- Vulnerability: A susceptibility to a Threat
- Threatening Event: An occurrence of a Threat
- Safeguard: A measure to prevent, to enable detection or investigation of, or to mitigate Harm from, a Threatening Event
- Risk: “The likelihood of Harm arising from a Threat”. A measure of the likelihood and/or seriousness of Harm arising from a Threatening Event impinging on a Vulnerability and not being dealt with satisfactorily by the existing Safeguards

3. Business Processes
1. Risk Assessment: Identify and Prioritise the Residual Risks You Face
2. Risk Management: Do something about them!!

3.1 Risk Assessment
cf. Analysis
- Define Objectives and Constraints
- Identify Stakeholders, Assets, Values, Harm
- Identify Threats, Vulnerabilities, and Threat-Vulnerability Combinations
- Consider Existing Safeguards
- Evaluate the Residual Risks
- Prioritise the Residual Risks

3.2 Risk Management
cf. Design and Implementation
- Define additional and adapted Safeguards that will address the Priority Risks
- Express a Plan to implement the Safeguards
- Implement the Plan
- Monitor the Implementation
- Audit the Implementation
ISO 27005, NIST 800-30, DSD/ASD ISM

Generic Risk Management Strategies
- Proactive Strategies: Avoidance, Deterrence, Prevention
- Reactive Strategies: Isolation, Recovery, Transference, Insurance
- Non-Reactive Strategies: Tolerance, Abandonment, Dignified Demise, Graceless Degradation

4. Security Safeguards
- External Security
- Internal Security
- Perimeter Security

Key IT Security Safeguards Categories
- External Security
  - Content Transmission Security ('Confidentiality'), e.g. SSL/TLS
  - Authentication of Sender, Recipient, Content, e.g. Dig Sigs, SSL/TLS, Tunnelling, VPNs
  - 'White Hat Hacking'
  - Network-Based Intrusion Detection (ID)
  - ...
- Perimeter Security
  - Inspection and Filtering: Traffic, i.e. 'Firewalls'; Malcontent, Malware
- Internal Security
  - Access Control
  - Vulnerability Inspection
  - Intrusion (Threat) Detection
  - Safeguard Testing
  - Backup and Recovery, Business Continuity, Disaster Recovery

Backup of What Data Assets?
- Personal Data, incl. sensitive data: of an individual, of family, of other people
- Infrastructure Config Data (settings, parameters, scripts to support normal computing operations)
- Business-Related Content
- Identity Authenticators (passwords, passport and driver's licence details)
- Payment Authenticators (PINs, credit-card details)
- Financial Data
- Funds, e.g. bitcoin wallets
http://www.rogerclarke.com/EC/PBAR.html#Tab2

Harm to Values Associated with Data
- Accessibility
  - Data Loss: In Volatile Memory; In Non-Volatile Memory (Theft, Destruction, Malfunction)
  - Data Unavailability
- Inaccessibility
  - Data Access
  - Data Disclosure
  - Data Interception
- Quality
  - Low when collected
  - Low at time of use (Data Modification, Data Integrity Loss, Corruption)
http://www.rogerclarke.com/EC/PBAR.html#Tab4

Some Threat-Vulnerability Combinations
- You make changes to a file, and regret it, and want to get back to the earlier version
- Disk-Crash
- Data Hostage 'Cryptohack'
- ...

Backup To Where?
- An internal storage-medium
- An external storage-medium
- Local Network Attached Storage (NAS)
- Remote storage-medium
- Stored locally / remotely
- Stored online / offline
How often?
- Instant
- Frequent
- Occasional

Backup Procedures
1. Single-File Backup
2. Periodic Full Backup
3. Incremental Multi-File Backup with Overwrite of Prior Versions
4. Incremental Multi-File Backup with Retention of Prior Versions
5. Mirror File Backup
6. Rotation of File Backups
7. Off-Site / 'Fire' Backup
8. Storage-Medium or Partition Backup
9. Write-Twice / Copy-On-Write
10. Archival
11. Spooling of Storage-Media
12. Spooling of Storage-Media Type
http://www.rogerclarke.com/EC/PBAR.html#App3

Threat-Vulnerability Combinations and Relevant Backup Procedures
- Mistaken File Amendment, Deletion, or Overwrite: 1. File-Versioning; or 4. Incremental File Backup & Retention of Old Versions
- Storage-Media Failure: 2. Full File Backup; or 3. Full plus Incrementals; or 8. Storage-Medium Backup
- Malware or Hacking Attack denying access to the data: Offline Storage & 2, 3 or 8

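Procedure 4 above (incremental multi-file backup with retention of prior versions), applied to the mistaken-overwrite case, as an added example that is not part of the original slides. The function names, the `vNNNNNN` version naming and the sample files are assumptions made for illustration.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def backup(source: Path, store: Path) -> list:
    """Incremental run: copy only new or changed files, keeping every prior version."""
    saved = []
    for f in sorted(p for p in source.rglob("*") if p.is_file()):
        rel = f.relative_to(source)
        vdir = store / rel                  # one directory per file, one entry per version
        vdir.mkdir(parents=True, exist_ok=True)
        versions = sorted(vdir.iterdir())   # zero-padded names sort oldest first
        if versions and sha256(versions[-1]) == sha256(f):
            continue                        # unchanged since the last run
        shutil.copy2(f, vdir / f"v{len(versions):06d}")
        saved.append(rel.as_posix())
    return saved


def restore(store: Path, rel: str, version: int, dest: Path) -> None:
    """Recover a chosen earlier version (version 0 is the oldest)."""
    versions = sorted((store / rel).iterdir())
    dest.parent.mkdir(parents=True, exist_ok=True)
    shutil.copy2(versions[version], dest)


def demo() -> dict:
    """Constructed scenario: a file is overwritten by mistake, then rolled back."""
    with tempfile.TemporaryDirectory() as tmp:
        src, store = Path(tmp, "work"), Path(tmp, "backup")
        src.mkdir()
        (src / "report.txt").write_text("good draft\n")
        (src / "notes.txt").write_text("unchanged\n")
        first = backup(src, store)           # both files are new
        (src / "report.txt").write_text("mistaken overwrite\n")
        second = backup(src, store)          # only the changed file is copied
        third = backup(src, store)           # nothing changed, nothing copied
        restore(store, "report.txt", 0, src / "report.txt")
        return {"first": first, "second": second, "third": third,
                "restored": (src / "report.txt").read_text()}
```

If the store sits on the same online volume as the working files, it is still exposed to the storage-media failure and access-denial rows of the table, which is why those rows call for full or medium-level backups and offline storage.
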
Security of Information and I.T.
Agenda
1. The Concept of Security
2. The Conventional Security Model
3. Business Processes
   3.1 Risk Assessment
   3.2 Risk Management
4. Security Safeguards
   4.1 Backup and Recovery

Drill-Down Slides

Costs of Risk Mitigation
- Executive Time, for assessment, planning, control
- Consultancy Time, for assessment, design
- Operational Staff Time for: Training, Rehearsals, Incident Handling, Backups
- Computer Time for backups
- Storage costs for on-site and off-site (‘fire backup’) copies of software, data and log-files
- Transmission Costs for database replication
- Loss of Service to clients during backup time
- Redundant Capacity (Hardware, Networks)
- Contracted Support from a 'hot-site' / 'warm-site'

4.1 Access Control
An Important Example of a Safeguard
- Protect System Resources against Unauthorised Access
- Provide convenient access to the right people, to relevant data and software capabilities, by providing User Accounts with Privileges and Restrictions
- Prevent access by the wrong people to data and software capabilities
- Person-Based, or Role-Based (RBAC)

Access Control

Threats to Passwords
1. Guessing
2. 'Brute Force' Guessing
3. Visual Observation
4. Electronic Observation
5. Interception
6. Phishing
7. Use of One Password for Multiple Accounts
8. Discovery of a Password Database
9. Compromise of the Password-Reset Process
10. Continued Use of a Compromised Password
11. Compromise of a Password Stored by a Service-Provider
12. Acquisition and Hacking of the Password-Hash File
http://www.rogerclarke.com/II/Passwords.html

Ways of Strengthening Access Control
- Channel Encryption, e.g. SSL/TLS, so that even if the password is intercepted, it is not ‘in clear’
- Transmission of only a hash of the password
- Server-Side Storage of only a hash of the password
- One-Time Passwords
- Multi-Factor Use Authentication:
  - what you know: password, 'shared secrets'
  - what you have: one-time password gadget, a digital signing key
  - where you are: your IP-address, device-ID
  - what you are: a biometric, e.g. fingerprint
  - what you do: time-signature of password-typing key-strikes
  - who or what you are: reputation, 'vouching'

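Server-side storage of only a hash of the password, with the weak form beside a stronger one, as an added example that is not part of the original slides. The record format, the function names, the choice of PBKDF2-HMAC-SHA256 and the iteration count are assumptions made for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed work factor for this example; tune to your hardware


def unsalted_digest(password: str) -> str:
    """Weak form: fast, unsalted hash. Equal passwords give equal digests."""
    return hashlib.sha256(password.encode()).hexdigest()


def make_record(password: str, iterations: int = ITERATIONS) -> str:
    """Stronger form: per-user random salt plus a deliberately slow KDF."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify(password: str, record: str) -> bool:
    """Recompute from the stored salt and compare in constant time."""
    try:
        scheme, iterations, salt_hex, dk_hex = record.split("$")
        if scheme != "pbkdf2_sha256":
            return False
        dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
        return hmac.compare_digest(dk, bytes.fromhex(dk_hex))
    except ValueError:
        return False  # malformed record: fail closed


if __name__ == "__main__":
    # Constructed sample: two users who chose the same password.
    alice, bob = make_record("correct horse"), make_record("correct horse")
    print(unsalted_digest("correct horse") == unsalted_digest("correct horse"))
    print(alice != bob, verify("correct horse", alice), verify("wrong", alice))
```

The salt means two accounts with the same password get different records, and the slow derivation raises the cost of each guess against an acquired password-hash file (threat 12 in the list above).
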