Published by Job Leslie Lyons. Modified over 9 years ago.
1
Security
Mark A. Magumba
2
Definitions
– Security implies the minimization of threats and vulnerabilities
– A security threat is a harmful event or object that poses danger to the system
– Threats are measured according to their probability and impact
– Examples of threats include malware like viruses and trojans, hacking, and man-in-the-middle attacks
3
Vulnerabilities
– A vulnerability is a weakness that allows a threat to occur
– Examples of vulnerabilities:
  – Weak passwords
  – Poor configuration
  – Poor security policies
4
The CIA model
– Security is based on three pillars
  – Confidentiality: ensuring that there is no undue disclosure of information to unauthorized parties. Involves measures like passwords, encryption, and intrusion detection
  – Integrity: ensures there are no unauthorized changes to data and systems. Involves measures like checksums, parity checking, logging, and system auditing
5
The CIA model
  – Availability: ensuring that resources and data are available to authorized users when they need them
6
Risk Assessment
– It is important to do a risk assessment to determine what security measures to implement
– Security implementation can be expensive, therefore priorities have to be set in order to protect the most critical systems
– For instance, a common classification is as follows:
  – mission critical systems as Level 1 (usually 5% of an organization's systems)
  – systems that are required but not critical and can endure some amount of downtime as Level 2 (usually 20% of an organization's systems)
  – a local desktop computer as a Level 3 system (usually 75% of an organization's systems)
– The more critical a system is, the more security should be applied
7
Security Policy
– A security policy is a document that outlines how security will be implemented in an organization
– It helps to standardize security and set security goals against which organizational security can be evaluated
8
Security Standards
– Security standards are used to standardize security across organizations and solutions
– They describe the security capabilities of a given solution
– These security capabilities do not necessarily translate into actual security but describe the attainable level of security for a particular system
– For security-conscious organizations, IT products may be required to pass a certain security certification
9
Security Standards
– Information Technology Security Evaluation Criteria (ITSEC) is a European security standard
– Trusted Systems Evaluation Criteria (TSEC) is an American security standard developed by the DoD
– Both standards are organized into levels
– A system may be said to be TSEC level B compliant, which means it satisfies the security functionality described in the TSEC standard's level A
10
Practical elements of security
– Authentication: involves parties proving they are who they claim to be, and includes
  – Where you are authentication, which is based on where a party is, for instance systems that use the source IP address to grant or revoke access
  – What you have authentication, which relies on what a user has, for instance an access card
  – What you are authentication, which relies on some biological trait like a fingerprint or voice recognition
  – What you know authentication, which relies on what you know, for instance a password
– Multifactor authentication, which combines what you are, where you are, who you are and what you know to provide more complete authentication
11
Practical elements of security
– Authorization
  – Involves granting access to resources to authorized users and revoking it from unauthorized users
  – The level of authorization is defined in terms of permissions
  – Common permissions include read, write, and execute
  – Authorization systems rely on access control lists
12
Practical elements of security
– Encryption
  – Is the transformation of human-readable plain text into unreadable cipher text
  – It employs an encryption algorithm which uses an encryption key
  – To be rendered readable, the cipher text must be decrypted using the algorithm and the decryption key
  – Only the intended recipient may have the correct decryption key
  – Without it, even if information fell into the wrong hands it would be of no use to them
13
Practical elements of security
– Auditing
  – Involves monitoring systems to ensure that security objectives are being met
  – Usually implemented through logging
  – Logging is the automatic recording of important system events
  – The depth and extent of logging depends on your system's risk profile
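As an added example that is not part of the slides, the authorization and auditing slides combined in one small Python access control list: permissions are read/write/execute bits, any (resource, user) pair with no entry is denied, revocation clears bits, and every decision, denials included, is written to an audit log. The ACL layout, resource paths and user names are assumptions constructed for the demo.

```python
from dataclasses import dataclass, field
from enum import Flag


class Perm(Flag):
    """The common permissions named on the authorization slide, as bit flags."""
    NONE = 0
    READ = 1
    WRITE = 2
    EXECUTE = 4


@dataclass
class AccessControl:
    """Assumed ACL layout: acl[resource][principal] -> granted Perm bits.

    A pair with no entry holds Perm.NONE, so access is denied by default and
    revoking a permission is just clearing its bit."""
    acl: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)   # one record per decision

    def grant(self, resource: str, principal: str, perms: Perm) -> None:
        entry = self.acl.setdefault(resource, {})
        entry[principal] = entry.get(principal, Perm.NONE) | perms

    def revoke(self, resource: str, principal: str, perms: Perm) -> None:
        entry = self.acl.setdefault(resource, {})
        entry[principal] = entry.get(principal, Perm.NONE) & ~perms

    def check(self, principal: str, resource: str, wanted: Perm) -> bool:
        granted = self.acl.get(resource, {}).get(principal, Perm.NONE)
        allowed = (granted & wanted) == wanted   # every requested bit must be held
        # Auditing: log every decision so reviewers can see who asked for what.
        self.audit_log.append((principal, resource, wanted, allowed))
        return allowed

    def denials(self) -> list:
        """Denied requests are the records an auditor looks at first."""
        return [rec for rec in self.audit_log if not rec[3]]


def demo():
    """Constructed scenario: grant, use, revoke, retry. Returns (decisions, acl)."""
    ac = AccessControl()
    ac.grant("/srv/payroll.db", "alice", Perm.READ | Perm.WRITE)
    results = [
        ac.check("alice", "/srv/payroll.db", Perm.READ),               # True
        ac.check("alice", "/srv/payroll.db", Perm.READ | Perm.WRITE),  # True
        ac.check("alice", "/srv/payroll.db", Perm.EXECUTE),            # False: never granted
        ac.check("bob", "/srv/payroll.db", Perm.READ),                 # False: no ACL entry
    ]
    ac.revoke("/srv/payroll.db", "alice", Perm.WRITE)                  # access withdrawn
    results.append(ac.check("alice", "/srv/payroll.db", Perm.WRITE))   # False after revoke
    return results, ac
```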