Presentation is loading. Please wait.

Presentation is loading. Please wait.

Workshop 2 Tutor: William Yeoh School of Computer and Information Science Secure and High Integrity System (INFT 3002)

Published byDelilah Murphy Modified over 9 years ago

Similar presentations

Presentation on theme: "Workshop 2 Tutor: William Yeoh School of Computer and Information Science Secure and High Integrity System (INFT 3002)"— Presentation transcript:

1 Workshop 2 Tutor: William Yeoh gingsun.yeoh@UniSA.edu.au School of Computer and Information Science Secure and High Integrity System (INFT 3002)

2 Group project details Form a group of 3 by Wednesday (18 Sept) Report due on 7 November, 5pm (Friday) You must pass this assessment to pass the course 3000-5000 words You may decide the company’s name, location (not necessary Australia), etc.

3 Task: Your group is a small newly formed IT Security Consultancy and recently have been employed on your first case Abraham is a health administrator (MD) but he has no modern technical understanding of IT security issues. Abraham has had no problems with IT Security until very recently when the Hospital’s network was subject to a series of attacks. In the period of 3 days, the Hospital’s website was defaced, a serious virus infected the Hospital’s e-mail and large quantities of data were corrupted Abraham wonders why this is happening and he questions whether there is a link to his company’s partnership with a large Health Insurance Company. He is also concerned to find out who might be attacking his network and why. He is very anxious to grow his business and knows that he needs quickly to implement some security measures so as to pass an external audit (he has had nothing more than some proprietary and outdated anti-virus software until now).

4 Organisation Structure

5 The issues Abraham is asking for advice on are: 3. Does he need to implement some cryptographic protection of data? How? 1. What risks do you think he is facing as he gears up his business and how can he manage these risks? 2. How can he develop a suitable security policy (given the company structure above)? Supply a security policy as Appendix 1 (you may use all the resources in the Resources for Module 2 and adapt these as necessary) 4. What is a “trusted” system, why might he need one anyway, and can he implement this within her Windows NT network?

6 The issues Abraham is asking for advice on are: 5. How can he protect his network? Currently it is a simple LAN, some databases, a mail server and a web server but he wants to add some E-Commerce functionality very soon. What will happen when his staff use wireless enabled PDA’s for the collection of patient data? 6. Why might hackers be attacking his network; why would they be interested in his company? 7. Is there any legislation to help him if his network is hacked into again? 8. What kind of legal or ethical issues will he herself face if the data in his databases or files is lost or damaged?

7 Today’s task 3. Does he need to implement some cryptographic protection of data? How? 4. What is a “trusted” system, why might he need one anyway, and can he implement this within his Windows NT network?

8 Hints for: 3. Does he need to implement some cryptographic protection of data? How? This section evaluates the need of implementing data cryptography Considers what cryptography technology to be adopted How to implement them in this situation

9 Hints for: 3. Does he need to implement some cryptographic protection of data? How? Does he need to implement some cryptographic protection of data? The hospital stores sensitive information eg. Patient’s medical record, financial situation, personal details, payment history, credit card info, password, etc. By consolidating the business status with the current trends of attacks, what is the risk evaluation? ‘Is the risk of occurrence higher than the cost of implementing cryptographic protection?’

10 Hints for: 3. Does he need to implement some cryptographic protection of data? How? Some rationale to implement: Storing large amount of sensitive info of different nature in the IT system Current security level of network design & data management, security policy, staff awareness, etc Storage of backup media does not guarantee high security level to avoid data leakage

11 Hints for: 3. Does he need to implement some cryptographic protection of data? How? Connection to Internet using Dialup modem is insecure enough The rapid introduction of virus, trojan & malicious code produce high risk The website was defaced recently – shows security problem

12 Considers what cryptography technology to be adopted

13

14

15

16

17 How to implement them in this situation? Suggest a commercial product (eg. DES, Blowfish, RSA, Hybrid cryptosystem, etc) Internal or outsourcing Staff perspective Customers perspective Steps, etc

18 Hints: 4. What is a “trusted” system, why might he need one anyway, and can he implement this within her Windows NT network? What is a “trusted” system Why might he need one anyway Can he implement this within her Windows NT network?

19 Why might he need one anyway? User identification and authentication- to control the access rights. Mandatory & discretionary access control- to control the usage of objects Object reuse protection – to avoid malicious user claim a large amount of disk space & scavenge for sensitive data Complete mediation – checking all access including memory, outside ports & network

20 What is a “trusted” system? Trusted OS provides the basic security mechanism that allow a system to protect, distinguish & separate data. It began to receive NSA evaluation in 1984 Lower the security risk of implementing a system that processes classified data It implements security policies & accountability mechanism in an OS package

21 Why might he need one anyway? Audit –maintain a log of security-relevant events Audit log reduction- Allow logging of info in a reduced data size for consultation Trusted path – facilitate unmistakable communication in critical operations Intrusion detection- Intrusion of the system are detected

22 Can he implement this within his Windows NT network? Windows NT network acquires trusted OS features as: User identification and authentication can be set for all users & administrators Mandatory & discretionary access control are configurable for objects eg. Files & folders Object reuse protection as usable volume of disk for all users can be strictly controlled by Windows NT.

23 Complete mediation, Windows NT can check system resources including memory, port status & network connections Audit log is maintained by Windows NT Server. Log details can be checked by administrator easily Intrusion detection, Windows NT has no intrusion detection system, however this feature can be tackled by commercial firewall products. Windows NT network acquires trusted OS features as:

24 Configuring Windows NT network to implement Trusted OS: Updating Windows NT servers by patches and use latest NT version Enforces Windows NT Server password policy and establish consistent audit Limits usable server volume for users to enhance object reuse protection Avoids granting unnecessary privileges to users

25 Avoids running unnecessary services in servers Maintain audit trial records & perform checks on these records Install IDS in the network Configuring Windows NT network to implement Trusted OS:

26 Q &A Group Discussions

Download ppt "Workshop 2 Tutor: William Yeoh School of Computer and Information Science Secure and High Integrity System (INFT 3002)"

Similar presentations

This course is designed for system managers/administrators to better understand the SAAZ Desktop and Server Management components Students will learn.

This course is designed for system managers/administrators to better understand the SAAZ Desktop and Server Management components Students will learn.
Overview of local security issues in Campus Grid environments Bruce Beckles University of Cambridge Computing Service.

Overview of local security issues in Campus Grid environments Bruce Beckles University of Cambridge Computing Service.
Computer Security set of slides 10 Dr Alexei Vernitski.

Computer Security set of slides 10 Dr Alexei Vernitski.
TCSEC: The Orange Book. TCSEC Trusted Computer System Evaluation Criteria.

TCSEC: The Orange Book. TCSEC Trusted Computer System Evaluation Criteria.
7 Effective Habits when using the Internet Philip O’Kane 1.

7 Effective Habits when using the Internet Philip O’Kane 1.
E-Commerce Security Issues. General E-Business Security Issues Any E-Business needs to be concerned about network security. The Internet is a “ public.

E-Commerce Security Issues. General E-Business Security Issues Any E-Business needs to be concerned about network security. The Internet is a “ public.
Some general principles in computer security Tomasz Bilski Chair of Control, Robotics and Computer Science Poznań University.

Some general principles in computer security Tomasz Bilski Chair of Control, Robotics and Computer Science Poznań University.
Web Defacement Anh Nguyen May 6 th, 2010. Organization Introduction How Hackers Deface Web Pages Solutions to Web Defacement Conclusions 2.

Web Defacement Anh Nguyen May 6 th, Organization Introduction How Hackers Deface Web Pages Solutions to Web Defacement Conclusions 2.
Information Security Policies and Standards

Information Security Policies and Standards
System and Network Security Practices COEN 351 E-Commerce Security.

System and Network Security Practices COEN 351 E-Commerce Security.
ITS Offsite Workshop 2002 PolyU IT Security Policy PolyU IT/Computer Systems Security Policy (SSP) By Ken Chung Senior Computing Officer Information Technology.

ITS Offsite Workshop 2002 PolyU IT Security Policy PolyU IT/Computer Systems Security Policy (SSP) By Ken Chung Senior Computing Officer Information Technology.
Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.

Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.
Stephen S. Yau CSE 465-591, Fall 2006 1 Security Strategies.

Stephen S. Yau CSE , Fall Security Strategies.
Installing and Configuring a Secure Web Server COEN 351 David Papay.

Installing and Configuring a Secure Web Server COEN 351 David Papay.
CYBER CRIME AND SECURITY TRENDS

CYBER CRIME AND SECURITY TRENDS
Network security policy: best practices

Network security policy: best practices
Intrusion Prevention, Detection & Response. IDS vs IPS IDS = Intrusion detection system IPS = intrusion prevention system.

Intrusion Prevention, Detection & Response. IDS vs IPS IDS = Intrusion detection system IPS = intrusion prevention system.
Security Guidelines and Management

Security Guidelines and Management
Presented by Manager, MIS.  GRIDCo’s intentions for publishing an Acceptable Use Policy are not to impose restrictions that are contrary to GRIDCo’s.

Presented by Manager, MIS.  GRIDCo’s intentions for publishing an Acceptable Use Policy are not to impose restrictions that are contrary to GRIDCo’s.
Cloud Computing How secure is it? Author: Marziyeh Arabnejad Revised/Edited: James Childress April 2014 Tandy School of Computer Science.

Cloud Computing How secure is it? Author: Marziyeh Arabnejad Revised/Edited: James Childress April 2014 Tandy School of Computer Science.

Similar presentations

Ads by Google