Slide 1: Security Mechanisms
University of Sunderland, CSEM02
Harry R. Erwin, PhD
Slide 2: Resources
– The Common Criteria
– The ‘Orange Book’
– CCTool
– See the Multics paper.
Slide 3: Basic Rules of Security
– Concentrate valuable assets
– Defense in depth
– Coordinate all aspects of security:
  – Software
  – Hardware
  – Physical
  – Procedural
We will examine software security mechanisms first and then survey the other areas.
Slide 4: Definition
A security mechanism is ‘a hardware or software component, system, or product that supports one or more security objectives.’ Another term that might be applied is a ‘security service.’ “The function of a security mechanism is to detect, prevent, or recover from a security attack” (William Stallings).
Slide 5: Typical Security Mechanisms
– Identification and Authentication
– Access Control
– Audit
– Firewalls
– Intrusion Detection
– Cryptography and Public Key Infrastructure (PKI)
– Virus Protection
– Object Reuse/Media Sanitizing
– Electronic Signatures
Slide 6: Identification and Authentication
Identifies someone to the system. At least one of the following must be supplied:
  – Something known (user name and password)
  – Something owned (password token)
  – Some physical characteristic (fingerprint, retinal scan, voice scan)
Authentication is ‘weak’ if only one is supplied; two are required for ‘strong’ authentication.
Slide 7: Access Control
Based on what the user is authorized to do.
– ‘Discretionary access control (DAC)’ is where the document owner controls who has access to it. This is designed for benign environments.
– ‘Mandatory access control (MAC)’ defines a security level for documents and resources. A potential user or process has to have that level.
– Commercial organizations may go further: time of day, location, task being performed.
– Should be enforced by the operating system kernel.
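The two models on this slide, as an added example that is not part of the original deck: a toy reference monitor in which the owner's access list (DAC) and the document's security level (MAC) are both checked at one chokepoint, so an owner's grant cannot override a classification the subject lacks. The level names, users and documents are constructed for the example.

```python
"""Added example (not from the slides): a toy reference monitor combining
DAC (owner-controlled access list) with MAC (security levels). Every access
passes through one check, check_access(), which is the complete-mediation
rule from the secure-software slide later in the deck."""
from dataclasses import dataclass, field

# Constructed ordering of levels; a subject must hold at least the document's level.
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}


@dataclass
class Subject:
    name: str
    clearance: str          # MAC: highest level this user/process may read


@dataclass
class Document:
    name: str
    owner: str
    level: str              # MAC: classification set by the system, not the owner
    acl: dict = field(default_factory=dict)   # DAC: {user: set(ops)}, set by the owner


def grant(requester: Subject, doc: Document, user: str, ops: set) -> bool:
    """DAC: only the document owner may change who has access."""
    if requester.name != doc.owner:
        return False
    doc.acl.setdefault(user, set()).update(ops)
    return True


def check_access(subj: Subject, doc: Document, op: str) -> bool:
    """Single chokepoint: both the ACL (DAC) and the level comparison (MAC)
    must allow the operation. Owners always pass the DAC half."""
    dac_ok = subj.name == doc.owner or op in doc.acl.get(subj.name, set())
    mac_ok = LEVELS[subj.clearance] >= LEVELS[doc.level]
    return dac_ok and mac_ok


def demo() -> dict:
    alice = Subject("alice", "secret")
    bob = Subject("bob", "confidential")
    plan = Document("plan.doc", owner="alice", level="secret")
    grant(alice, plan, "bob", {"read"})           # owner shares with bob (DAC)
    return {
        "alice reads own secret doc": check_access(alice, plan, "read"),   # True
        "bob reads despite grant": check_access(bob, plan, "read"),        # False: MAC blocks
        "bob grants to himself": grant(bob, plan, "bob", {"write"}),       # False: not owner
    }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case}: {'allowed' if allowed else 'denied'}")
```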
Slide 8: Audit
Tracks who did what and when. Done right, it can stand up in court as evidence. Usually must be turned on (selectively). May result in large audit files. Audit trails are extremely interesting to hackers: they show what can and cannot be seen.
Slide 9: Firewalls
Control access to protected assets. Workstation firewalls are the minimum. Bridge/router/switch firewalls should:
  – Control access to TCP/IP ports selectively.
  – Track outgoing as well as incoming packets.
  – Monitor packet contents if possible.
SOAP “bypasses corporate firewalls.” (M$)
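The first two duties on this slide, as an added example that is not part of the original deck: a toy stateful packet filter that exposes only selected inbound ports and tracks outgoing flows so that only replies to connections opened from inside are let back in. Addresses, ports and the rule sets are constructed for the example.

```python
"""Added example (not from the slides): a toy stateful packet filter.
It applies selective port control in both directions and remembers outgoing
flows so that inbound packets are accepted only as replies or on exposed ports."""
from collections import namedtuple

Packet = namedtuple("Packet", "direction proto src sport dst dport")

# Constructed policy: the only service exposed to the outside is HTTPS.
ALLOWED_INBOUND = {("tcp", 443)}
# Constructed policy: inside hosts may open web and DNS connections outward.
ALLOWED_OUTBOUND = {("tcp", 80), ("tcp", 443), ("udp", 53)}


class StatefulFilter:
    def __init__(self):
        # (proto, inside_host, inside_port, outside_host, outside_port) of open flows
        self.flows = set()

    def filter(self, pkt: Packet) -> str:
        if pkt.direction == "out":
            if (pkt.proto, pkt.dport) in ALLOWED_OUTBOUND:
                # Record the flow so that the reply can be matched on the way back.
                self.flows.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
                return "accept"
            return "drop"
        # Inbound: reply to a tracked flow, or a deliberately exposed port.
        if (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows:
            return "accept"
        if (pkt.proto, pkt.dport) in ALLOWED_INBOUND:
            return "accept"
        return "drop"


def run_trace() -> list:
    """Constructed packet trace; 10.0.0.x is the protected network."""
    fw = StatefulFilter()
    trace = [
        Packet("out", "tcp", "10.0.0.5", 51000, "203.0.113.10", 443),  # browse out
        Packet("in", "tcp", "203.0.113.10", 443, "10.0.0.5", 51000),   # genuine reply
        Packet("in", "tcp", "198.51.100.7", 4444, "10.0.0.5", 51000),  # not a tracked flow
        Packet("in", "tcp", "198.51.100.7", 40000, "10.0.0.2", 443),   # exposed web server
        Packet("in", "tcp", "198.51.100.7", 40000, "10.0.0.2", 22),    # port not exposed
        Packet("out", "tcp", "10.0.0.5", 51001, "203.0.113.10", 6667), # port not permitted
    ]
    return [fw.filter(p) for p in trace]


if __name__ == "__main__":
    print(run_trace())  # ['accept', 'accept', 'drop', 'accept', 'drop', 'drop']
```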
Slide 10: Intrusion Detection
Must be based on documented policies for use of the system. Uses expertise. Can detect evidence of:
  – Break-ins
  – Remote exploitation
  – Application-level exploitation
Generates log files of great interest to hackers. Does not detect one-time events.
Slide 11: Cryptography and Public Key Infrastructure (PKI)
– May support virtual private networks (VPNs) and closed user groups (CUGs), where information is sent through encrypted tunnels.
– Usually peer-to-peer.
– May support strong authentication.
– Examples: ssh, sftp, SSL, Kerberos, PGP, etc.
– The functional infrastructure required is extensive.
– Distribution of keys is extremely manpower-intensive and expensive.
– PKI allows the distribution of keys ‘in-band’ (over the network).
Slide 12: Virus Protection
Viruses (and other malware) are the most serious vulnerability of modern computer systems. They are usually malicious. Many websites upload ‘malware’ when you visit them. Consider using adaware to detect these programs. Virus protection depends on:
  – Careful procedures for dealing with untrusted programs and data.
  – Programs to detect the ‘signatures’ of viruses that manage to penetrate the installation procedures.
Slide 13: Object Reuse/Media Sanitizing
The random bits in memory or on the disk contain information. Most operating systems do not zero these bits when they reallocate resources. A secure operating system zeros memory and other resources before allocating them (and often when the resources are released).
Slide 14: Electronic Signatures
Provide:
  – Authentication
  – Data integrity
  – Non-repudiation
They have the same legal status as a hand-written signature (Electronic Communications Act 2000).
Slide 15: Rules for Writing Secure Software
– Least privilege: limit access rights to those necessary for the function
– Economy: keep the design simple
– Complete mediation: check all accesses for authorization
– Open design: don’t hide your code!
– Separation of privilege: no single key for access
– Least common mechanism: isolate users
– Psychological acceptability: make security easy to use
Slide 16: Non-Software Security Mechanisms
– Physical Security
– Environmental Security
– Personnel Security
– Training and Security Awareness
– Guidance and Policy Documentation
– Configuration Management
(Based on QinetiQ recommendations; Spafford et al., 2003, are similar.)
Slide 17: Physical Security
To deny unauthorized access:
  – Perimeter defense
  – Building security
  – Inner protection of the office and server rooms
  – Workstation protection
Slide 18: Perimeter Defense
– Defined security perimeter
– Controlled access points
– Pass system and visitor control
– Guards during quiet hours
Slide 19: Office Security
– Office layout and design
– Anonymity
– Location of support services
– Inventory sensitive assets
Slide 20: Workstation Security
– Control unauthorized access
– Removable media
– Peripherals protected
– Regular inspections to verify that user configuration modifications have not subverted security
Slide 21: Environmental Security
– Natural disasters:
  – Fire
  – Flood
  – Storm
  – Earthquake
– Utilities
– Communications
– Hardware failure
Slide 22: Personnel Security
To ensure you can trust people with access to sensitive information and other assets. Tasks include:
  – Establishing identity
  – Verification of details
  – Credit checks
  – Maintenance of records
Slide 23: Training and Security Awareness
Important vulnerabilities are to:
  – Social engineering, and
  – Non-malicious actions by insiders
To mitigate these vulnerabilities, the most effective approach is a training program:
  – Trust your people, but
  – Make sure they understand these vulnerabilities and what they should do to mitigate them.
Slide 24: Guidance and Policy Documentation
Provide:
  – Administrator guidance documentation
  – User guidance documentation
  – Defined security policies
  – Defined security procedures
Slide 25: Configuration Management
It is difficult to secure a system whose configuration is not defined and managed:
  – User software and hardware modifications to workstations may occur (e.g., personal modems).
  – Security may not be enabled.
  – Security may not be managed and configured.
  – Threats may not be addressed in a timely fashion.
Keep track of your configuration!
Slide 26: Conclusions
General principles of security:
  – Concentrate valuable assets
  – Defense in depth
  – Coordinate all aspects of security:
    – Software
    – Hardware
    – Physical
    – Procedural